Service Enumeration

21: FTP

FTP (File Transfer Protocol) operates over TCP Port 21 and is commonly used to enable file sharing between a server and client(s). It's also frequently leveraged for transferring files to and from web server directories. Metasploit offers several auxiliary modules to gather information from FTP servers and conduct brute-force attacks.

FTP authentication typically requires a valid username and password. However, misconfigured servers may allow anonymous login, presenting a potential security risk.

msfconsole
workspace -a ftp_enum

# Perform Port Scan
search portscan
use auxiliary/scanner/portscan/tcp

# Search for FTP-related auxiliary modules
search type:auxiliary name:ftp

ftp_version # To identify the FTP server version.
ftp_login # Requires user and password files for brute-force attempts (note: brute-force attacks can be slow).
ftp/anonymous # To check if anonymous login is enabled.
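
A defender-side check for the anonymous-login misconfiguration mentioned above, as an added example that is not part of these notes or of Metasploit's ftp/anonymous module: it drives the USER/PASS exchange with Python's ftplib against a constructed in-process FTP stub (a real server is audited by passing its host and port instead) and reports whether the server answered 230 (accepted) or 530 (refused).

```python
import socket
import threading
from ftplib import FTP, error_perm, error_temp

def start_fake_ftpd(allow_anonymous):
    """Constructed stand-in for a real FTP server: answers USER/PASS/QUIT on
    127.0.0.1 for one client and returns the port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn, conn.makefile("rb") as rd:
            conn.sendall(b"220 constructed-ftpd ready\r\n")
            for raw in rd:
                cmd = raw.decode(errors="replace").strip().upper()
                if cmd.startswith("USER"):
                    conn.sendall(b"331 Please specify the password.\r\n")
                elif cmd.startswith("PASS"):   # 230 = accepted, 530 = refused
                    conn.sendall(b"230 Login successful.\r\n" if allow_anonymous
                                 else b"530 Login incorrect.\r\n")
                elif cmd.startswith("QUIT"):
                    conn.sendall(b"221 Goodbye.\r\n")
                    break
                else:
                    conn.sendall(b"502 Command not implemented.\r\n")
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def anonymous_login_allowed(host, port=21, timeout=5.0):
    """Try the conventional anonymous login (USER anonymous / PASS anonymous@,
    which are ftplib's defaults) and return (allowed, server_reply)."""
    ftp = FTP()
    try:
        ftp.connect(host, port, timeout=timeout)
        reply = ftp.login()
        ftp.quit()
        return True, reply
    except (error_perm, error_temp) as exc:   # 5xx / 4xx reply to USER or PASS
        return False, str(exc)
    finally:
        ftp.close()

if __name__ == "__main__":
    for allow in (True, False):
        port = start_fake_ftpd(allow)
        print(anonymous_login_allowed("127.0.0.1", port))
```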

22: SSH

SSH (Secure Shell) is a remote administration protocol that provides encrypted communication and is the successor to Telnet. It is commonly used for remote access to servers and systems. By default, SSH runs on TCP port 22, though it can be configured to use any open TCP port. Metasploit's auxiliary (aux) modules can be used to enumerate the SSH version and perform brute-force attacks to identify passwords, potentially granting remote access to the target system.

ssh_version # Enumerates the SSH server version.
ssh_login # Attempts to brute force SSH login credentials.
ssh_login_pubkey # Attempts to log in using SSH public key authentication.
ssh_enumusers # Enumerates valid usernames on the SSH server.

Note: Although Metasploit offers these modules, manual methods and other tools may provide better results in some cases.

25: SMTP

SMTP (Simple Mail Transfer Protocol) is a communication protocol used for transmitting emails. By default, it uses TCP port 25, but can also be configured to run on TCP ports 465 and 587. Using Metasploit's auxiliary (aux) modules, we can enumerate the SMTP server version and user accounts on the target system.

smtp_version # Enumerates the version of the SMTP server.
smtp_enum # Enumerates valid user accounts on the SMTP server.

Scenario

How can you identify the SMTP server, enumerate users, check supported commands, and send emails (including fake emails) using various tools such as Nmap, Netcat, Telnet, smtp-user-enum, and Metasploit?

# What is the SMTP server name and banner?
nmap -Pn -sS -sV --script banner [domain]
# Nmap's -sS conducts a TCP SYN scan, and -sV detects service versions. The --script banner retrieves the SMTP banner, which often includes the server name and version.

# How do you connect to the SMTP service using netcat and retrieve the hostname of the server?
nc [domain] 25
# Netcat (nc) allows direct interaction with services. By connecting to port 25 (SMTP), you can retrieve the server's hostname through its response.

# Does the user “admin” exist on the server machine?
VRFY admin@[domain]
# VRFY is an SMTP command to verify if the email user exists. A positive response (e.g., 252) indicates the user exists.

# Does the user “commander” exist on the server machine?
VRFY commander@[domain]
# A 550 response code means the user does not exist on the server.

# What commands can be used to check the supported commands/capabilities?
telnet [domain] 25
HELO [X]
EHLO [X]
# The EHLO command provides extended SMTP (ESMTP) capabilities after connecting to the SMTP server via Telnet.

# How many common usernames from a dictionary exist on the server?
smtp-user-enum -U /usr/share/commix/src/txt/usernames.txt -t [domain]
# The smtp-user-enum tool attempts to enumerate valid usernames on the SMTP server based on a dictionary file.

# How many common usernames from the Metasploit wordlist exist on the server?
msfconsole -q
use auxiliary/scanner/smtp/smtp_enum
set RHOSTS [domain]
exploit
# Metasploit’s smtp_enum module scans the SMTP server for valid users using a predefined wordlist.

# How can you connect to the SMTP service using Telnet and send a fake mail to the root user?
telnet [domain] 25
HELO attacker.xyz
mail from: admin@attacker.xyz
rcpt to: root@openmailbox.xyz
data
Subject: Hi Root

Hello,
This is a fake mail sent using telnet command.
From,
Admin
.
# Telnet allows manual sending of emails by interacting with the SMTP service, crafting a fake message using the mail from and rcpt to commands. The blank line after the Subject header separates the headers from the body, and a line containing only "." ends the message.

# How can you send a fake mail to the root user using the sendemail command?
sendemail -f admin@attacker.xyz -t root@openmailbox.xyz -s demo.ine.local -u Fakemail -m "Hi root, a fake from admin" -o tls=no
# The sendemail command sends an email from a specified source to a target recipient, simulating a fake message without TLS.
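
On the receiving side, the VRFY/EXPN probing described above leaves a recognisable burst in the mail server log. As an added example (not from the original notes and not Metasploit code), the detection below parses constructed, simplified syslog-style lines and flags any client that issues many VRFY/EXPN commands within a short window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a simplified syslog-like layout (not real Postfix
# or Sendmail output): client IP, command, argument and the reply code returned.
SAMPLE_LOG = """\
Jun 12 10:01:02 mx1 smtpd[2211]: 203.0.113.45: VRFY admin -> 252
Jun 12 10:01:02 mx1 smtpd[2211]: 203.0.113.45: VRFY commander -> 550
Jun 12 10:01:03 mx1 smtpd[2211]: 203.0.113.45: VRFY root -> 252
Jun 12 10:01:04 mx1 smtpd[2211]: 203.0.113.45: VRFY www -> 550
Jun 12 10:01:04 mx1 smtpd[2211]: 203.0.113.45: EXPN staff -> 550
Jun 12 10:01:05 mx1 smtpd[2211]: 203.0.113.45: VRFY backup -> 550
Jun 12 10:03:30 mx1 smtpd[2212]: 198.51.100.7: RCPT alice@example.test -> 250
Jun 12 10:45:10 mx1 smtpd[2213]: 198.51.100.9: VRFY bob -> 252
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ smtpd\[\d+\]: "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}): (?P<cmd>VRFY|EXPN|RCPT) \S+ -> (?P<code>\d{3})$"
)

def parse_probes(log_text):
    """Yield (timestamp, client_ip, command, reply_code) for each matching line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["ip"], m["cmd"], int(m["code"])

def find_enumerators(log_text, window=timedelta(seconds=60), threshold=5):
    """Flag clients that send >= threshold VRFY/EXPN commands inside `window`.
    A lone VRFY from a peer MTA is normal; a burst is what smtp-user-enum produces.
    252 means "cannot verify, will accept", so the volume, not one reply, is the signal."""
    by_ip = defaultdict(list)
    for ts, ip, cmd, code in parse_probes(log_text):
        if cmd in ("VRFY", "EXPN"):
            by_ip[ip].append((ts, code))
    findings = {}
    for ip, events in by_ip.items():
        events.sort()
        peak, j = 0, 0
        for i in range(len(events)):              # two-pointer sliding window
            while events[i][0] - events[j][0] > window:
                j += 1
            peak = max(peak, i - j + 1)
        if peak >= threshold:
            findings[ip] = {"probes": len(events), "peak_in_window": peak,
                            "rejected": sum(1 for _, c in events if c >= 500)}
    return findings
```

Tune `window` and `threshold` to the peer traffic a given MX normally sees; a 5xx-heavy burst from one client is the pattern worth alerting on.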

80, 443: HTTP, HTTPS (Web Server Enumeration)

A web server is software that serves website data on the web, using HTTP to facilitate communication between clients and the server. HTTP, an application-layer protocol, uses TCP port 80 for communication, and HTTPS (HTTP over TLS) uses TCP port 443. Using Metasploit's auxiliary (aux) modules, we can enumerate the web server version, HTTP headers, brute force directories, and more. Examples of web servers include Apache, NGINX, and Microsoft IIS.

http_version # Enumerates the HTTP version of the web server.
http_header # Extracts HTTP headers from the web server.
robots_txt # Retrieves and analyzes the robots.txt file.
http_login # Attempts to brute force web login credentials.
apache_userdir_enum # Enumerates user directories on Apache servers.
http_put # Tests if the HTTP PUT method is enabled on the server.
dir_listing # Identifies if directory listing is enabled.
brute_dirs # Brute forces directories on the web server.
dir_scanner # Scans and identifies directories on the web server.
files_dir # Enumerates files in directories on the web server.

Note: Metasploit is not mandatory for web server enumeration; manual techniques or other tools may yield better results.

445: SMB

Server Message Block (SMB) is a protocol for network file sharing, primarily using port 445, with earlier implementations running over NetBIOS on port 139. It's used for sharing files and peripherals on local networks (LAN), and its Linux implementation is called SAMBA, enabling Linux and Windows systems to share resources.

# Using Metasploit, you can enumerate SMB services with auxiliary modules:

smb_version # Identifies the SMB version running on the target.
smb_enumusers # Enumerates user accounts on the SMB service.
smb_enumshares # Lists shared directories on the target.
smb_login # Attempts to brute-force login credentials for the SMB service.
# Setting up global variables
setg RHOSTS [IP]
# Additionally, SMB clients can be used to manually enumerate:
smbclient -L [target_ip] -U admin # to list available shares (-L takes the host name or IP).
smbclient //[target_ip]/public -U admin # to access the "public" share (forward slashes avoid shell escaping of backslashes).

Scenario

How can you perform a comprehensive reconnaissance on a SAMBA server to identify its open TCP and UDP ports, workgroup name, exact version using Nmap and Metasploit, NetBIOS computer name, and determine whether anonymous connections (null sessions) are allowed using smbclient and rpcclient?

# What are the default TCP ports used by smbd?
# Use Nmap to scan the target machine for active SMB services.
nmap -Pn -sV -sS [IP]

# What are the default UDP ports used by nmbd?
# Use Nmap with UDP scanning options to identify the open UDP ports used by the NetBIOS name service; the default nmbd ports appear in the scan output.
nmap -Pn -sV -sU [IP]

# What is the workgroup name of the SAMBA server?
# Nmap's SMB scripts (e.g., smb-os-discovery, shown below) report the workgroup name alongside the OS and version details.

# How can you find the exact version of the SAMBA server using Nmap?
# The exact version of the SAMBA server will be displayed by the smb-os-discovery script.
nmap --script smb-os-discovery -p 445 [IP]

# How can you find the SAMBA server version using the Metasploit module?
# The version of the SAMBA server is revealed in the output of the Metasploit smb_version module.
msfconsole -q
use auxiliary/scanner/smb/smb_version
set RHOSTS [IP]
exploit

# What is the NetBIOS computer name of the SAMBA server (using Nmap)?
# The NetBIOS name of the SAMBA server will be provided in the Nmap script output.
nmap --script smb-os-discovery -p 445 [IP]

# How can you find the NetBIOS computer name using nmblookup?
# The NetBIOS computer name will be displayed by nmblookup.
nmblookup -A [IP]

# How can you check if anonymous connections (null sessions) are allowed on the SAMBA server using smbclient?
smbclient -L demo.ine.local -N
# If shares are displayed without a password, it indicates that anonymous connections are allowed.

# How can you check for anonymous connections (null sessions) using rpcclient?
rpcclient -U '' -N [IP]
# If rpcclient returns information without requiring credentials, anonymous connections are permitted.

3306: MySQL

MySQL is an open-source relational database management system (RDBMS) based on SQL. It is commonly used to store web application data and customer records. By default, MySQL uses TCP port 3306, though it can run on any open TCP port. Metasploit’s auxiliary (aux) modules can be used to enumerate MySQL versions, perform brute-force attacks to identify passwords, execute SQL queries, and more.

mysql_version # Enumerates the MySQL server version.
mysql_login # Attempts to brute force MySQL login credentials.
mysql_enum # Gathers information from MySQL databases (e.g., users, databases).
mysql_sql # Executes custom SQL queries on the MySQL server.
mysql_file_enum # Enumerates files and directories on the MySQL server.
mysql_hashdump # Dumps password hashes from the MySQL server.
mysql_schemadump # Dumps the schema of databases from the MySQL server.
mysql_writable_dirs # Identifies writable directories on the MySQL server.

Note: While Metasploit provides useful tools, manual techniques or other tools may sometimes yield better results.
