It's simple: enumerate each service with several different tools so that the information one tool reports can be confirmed by another, and never depend on a single tool. Learn the logic, not the tools.
Major services to focus on:
- SMB (139,445)
- FTP (21)
- SSH (22)
- HTTP (80)
- MySQL (3306)
You can use Nmap scripts (NSE) to enumerate services. Check the Nmap website for the list of script names, or look at scripts.db in the /usr/share/nmap/scripts directory on your local machine.
nmap -p<servicePortNo> --script <scripts> --script-args <arg1>=<val1>,<arg2>=<val2> <IP>
NOTE: Nmap uses the - (hyphen) character to separate words in script names.
You can use Metasploit (msfconsole) auxiliary modules for service enumeration.
msfconsole> search type:auxiliary <serviceName>
NOTE: Metasploit uses the _ (underscore) character to separate words in module names.
Dedicated SMB/NetBIOS enumeration tools:
- smbmap
- smbclient
- rpcclient
- enum4linux (powerful tool)
- nmblookup
You can use Netcat on any port to grab a service banner or check the behaviour of the service running on that port. Sometimes an unknown port is running a bind shell, for which Nmap won't report any service version, so use Netcat to connect to that port directly and inspect it.
Hydra is the recommended tool for brute-forcing.
hydra -l <username> -P <passlist> <IP> <serviceName>
Hydra does not support brute-forcing the WinRM service (5985/5986); use CrackMapExec instead.
crackmapexec winrm <IP> -d <Domain Name> -u usernames.txt -p passwords.txt
Brute-forcing can also be done with Nmap and msfconsole.
Nmap's brute-forcing scripts follow the naming convention <service>-brute, for example smb-brute, ssh-brute, etc.
Metasploit's brute-forcing modules follow the naming convention <service>_login, for example smb_login, ssh_login, etc.
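The scripts.db lookup and the two naming conventions above, as an added worked example (not code from the original notes): it parses entries in the scripts.db layout, lists the NSE scripts for a service prefix while filtering out categories such as intrusive or brute so an enumeration pass stays read-only, and translates an NSE name into the Metasploit module name it corresponds to. The scripts.db entries below are constructed samples, not a copy of any host's file.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the scripts.db layout (Lua table literals), not a real host's file.
SAMPLE_SCRIPTS_DB = '''
Entry { filename = "ftp-anon.nse", categories = { "default", "auth", "safe", } }
Entry { filename = "ftp-brute.nse", categories = { "intrusive", "brute", } }
Entry { filename = "smb-brute.nse", categories = { "brute", "intrusive", } }
Entry { filename = "smb-enum-shares.nse", categories = { "discovery", "intrusive", } }
Entry { filename = "smb-os-discovery.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "ssh-brute.nse", categories = { "brute", "intrusive", } }
Entry { filename = "ssh2-enum-algos.nse", categories = { "safe", "discovery", } }
Entry { filename = "http-title.nse", categories = { "default", "discovery", "safe", } }
'''

# One entry: filename = "<name>.nse", ... categories = { "a", "b", }
ENTRY_RE = re.compile(r'filename\s*=\s*"([^"]+)\.nse".*?categories\s*=\s*\{([^}]*)\}', re.S)


def parse_scripts_db(text: str) -> Dict[str, List[str]]:
    """Map each NSE script name (without .nse) to its list of categories."""
    scripts: Dict[str, List[str]] = {}
    for match in ENTRY_RE.finditer(text):
        name, raw_categories = match.group(1), match.group(2)
        scripts[name] = re.findall(r'"([^"]+)"', raw_categories)
    return scripts


def scripts_for_service(scripts: Dict[str, List[str]], service: str,
                        exclude: Tuple[str, ...] = ("intrusive", "brute", "dos", "exploit")) -> List[str]:
    """Nmap joins words with '-', so a service's scripts share the prefix '<service>-'.
    Scripts in any excluded category are dropped, so the default result is a read-only set."""
    return sorted(name for name, categories in scripts.items()
                  if name.startswith(service + "-") and not set(categories) & set(exclude))


def msf_module_name(nse_name: str) -> str:
    """Translate the Nmap convention to the Metasploit one:
    '-' becomes '_' and the '-brute' suffix corresponds to a '_login' module."""
    base = nse_name[:-len("-brute")] + "_login" if nse_name.endswith("-brute") else nse_name
    return base.replace("-", "_")


if __name__ == "__main__":
    db = parse_scripts_db(SAMPLE_SCRIPTS_DB)
    for svc in ("ftp", "smb", "ssh"):
        print(svc, "safe scripts:", scripts_for_service(db, svc))
        print(svc, "all scripts:", scripts_for_service(db, svc, exclude=()))
    print("smb-brute ->", msf_module_name("smb-brute"))
```

Point the parser at the real /usr/share/nmap/scripts/scripts.db to see which scripts a wildcard such as --script "smb-*" would actually pull in, including the intrusive ones.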