service-enumeration.md

File metadata and controls

76 lines (50 loc) · 2.34 KB

Service Enumeration

The idea is simple: enumerate each service with several different tools, so that what one tool reports can be confirmed by another, and never depend on a single tool. Learn the logic, not the tools.

Major services to focus on:

  1. SMB (139,445)
  2. FTP (21)
  3. SSH (22)
  4. HTTP (80)
  5. MySQL (3306)

Using Nmap

You can use Nmap scripts to enumerate services. Check the Nmap website for the list of script names, or look at the scripts.db file or the /usr/share/nmap/scripts directory on your local machine.

nmap -p<servicePortNo> --script <scripts> --script-args <arg1>=<val1>,<arg2>=<val2> <IP>

NOTE: Nmap uses the - (hyphen) character to separate words in script names.

Using MsfConsole

You can use MsfConsole Auxiliary modules for service enumeration.

msfconsole> search type:auxiliary <serviceName>

NOTE: Metasploit uses the _ (underscore) character to separate words in module names.

Using Stand-Alone Tools

Tools for SMB

  • smbmap
  • smbclient
  • rpcclient
  • enum4linux (powerful tool)
  • nmblookup

Netcat

You can use Netcat on any port to grab a service banner or observe how the service on that port behaves. Sometimes an unknown port is running a bind shell, for which Nmap will not show any service version, so connect to that port with Netcat to see what it is.
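As an added example (not part of the original cheat sheet), here is the logic behind the Netcat banner grab written out in Python, so you can see what a service greeting actually tells you, together with the cross-check against another tool's result that the opening paragraph recommends. The host, port and banners are constructed locally; `serve_banner` is a stand-in for a real service, not a tool named on this page.

```python
import re
import socket
import threading

def classify_banner(banner: str) -> dict:
    """Map a raw greeting to service + version; 'unknown' when nothing matches,
    the case the Netcat section describes for a bind shell on an odd port."""
    m = re.match(r"SSH-\d\.\d-(\S+)", banner)         # SSH-2.0-OpenSSH_8.9p1 ...
    if m:
        return {"service": "ssh", "version": m.group(1)}
    if re.match(r"HTTP/\d\.\d \d{3}", banner):         # reply to a HEAD probe
        srv = re.search(r"^Server:\s*(.+?)\r?$", banner, re.M)
        return {"service": "http", "version": srv.group(1) if srv else None}
    m = re.match(r"220[ -](.+?)\r?$", banner, re.M)    # 220 (vsFTPd 3.0.3)
    if m:
        return {"service": "ftp", "version": m.group(1).strip("()")}
    return {"service": "unknown", "version": None}

def grab_banner(host: str, port: int, probe: bytes = b"", timeout: float = 3.0) -> str:
    """What Netcat does by hand: connect, optionally send a probe (HTTP only
    answers a request) and return the first thing the service says."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if probe:
            s.sendall(probe)
        try:
            return s.recv(1024).decode("utf-8", errors="replace")
        except socket.timeout:
            return ""  # silent port: nothing to identify it by

def tool_results_agree(nmap_service: str, banner: str) -> bool:
    """The cross-check the opening paragraph asks for: does the service Nmap
    reported match what the banner itself says?"""
    return classify_banner(banner)["service"] == nmap_service.lower()

def serve_banner(banner: bytes) -> int:
    """Constructed local stand-in for a real service so this runs offline:
    accept one connection, send the banner, close. Returns the port used."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def _serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=_serve, daemon=True).start()
    return srv.getsockname()[1]
```

A banner that classifies as unknown is the signal to look at the port by hand, exactly as the Netcat section says.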

Brute-Forcing any service

It is recommended to use the HYDRA tool for brute-forcing.

hydra -l <username> -P <passlist> <IP> <serviceName>

Hydra does not support brute-forcing the WinRM service (5985/5986). Use CrackMapExec instead.

crackmapexec winrm <IP> -d <Domain Name> -u usernames.txt -p passwords.txt

Brute-forcing can also be done through Nmap and MsfConsole.

Nmap's naming convention for brute-forcing scripts is the -brute suffix, for example smb-brute, ssh-brute, etc.

MsfConsole's naming convention for brute-forcing modules is the _login suffix, for example smb_login, ssh_login, etc.