Module 7 (Active Info Gathering)
What is DNS
Interacting with DNS traffic
A :
Maps a hostname to an IP, "forward" lookup/zone
PTR :
Maps an IP to a hostname, "reverse" lookup/zone
CNAME :
Maps an alias hostname to an A record hostname
MX :
Contains the names of the servers responsible for handling email for the domain
Brute force with nslookup / host
host -t A <hostname>
I can see admin.megacorpone.com, but I will try to brute force hacktor.megacorpone.com
Make a script to brute force subdomains using a bash script:
And you can brute force all record types (A, AAAA, PTR, MX)
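The wordlist loop described above, written out as an added example (not a script from the course notes): it tries <word>.<domain> for A and AAAA records and walks a range for PTR records, which is the "forward" and "reverse" zone work from the record-type list. The resolver is passed in as a function so the logic can be checked offline against a constructed zone; `stdlib_lookup` is the real resolver built on `socket`, which cannot query MX, so MX stays with `host -t MX`. The `FAKE_ZONE` data and the RFC 5737 addresses are constructed, not real megacorpone.com records.

```python
"""Added example: forward brute force and reverse sweep with an injectable resolver."""
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

Lookup = Callable[[str, str], Optional[List[str]]]


def stdlib_lookup(qtype: str, name: str) -> Optional[List[str]]:
    """Resolve with the standard library: A/AAAA via getaddrinfo, PTR via
    gethostbyaddr.  Returns None when the name or address does not resolve."""
    try:
        if qtype == "A":
            return sorted({r[4][0] for r in socket.getaddrinfo(name, None, socket.AF_INET)})
        if qtype == "AAAA":
            return sorted({r[4][0] for r in socket.getaddrinfo(name, None, socket.AF_INET6)})
        if qtype == "PTR":
            return [socket.gethostbyaddr(name)[0]]
    except (socket.gaierror, socket.herror, OSError):
        return None
    raise ValueError(f"unsupported record type {qtype}")


def brute_force_forward(domain: str, words: List[str], lookup: Lookup = stdlib_lookup,
                        qtypes=("A", "AAAA")) -> Dict[str, Dict[str, List[str]]]:
    """Try <word>.<domain> for every word; keep only names that resolve."""
    found: Dict[str, Dict[str, List[str]]] = {}
    for word in words:
        fqdn = f"{word}.{domain}"
        answers = {qt: lookup(qt, fqdn) for qt in qtypes}
        answers = {qt: ans for qt, ans in answers.items() if ans}  # drop empty/None
        if answers:
            found[fqdn] = answers
    return found


def reverse_sweep(cidr: str, lookup: Lookup = stdlib_lookup) -> Dict[str, str]:
    """PTR lookup for every host in the range (the "reverse zone" walk)."""
    found: Dict[str, str] = {}
    for ip in ipaddress.ip_network(cidr).hosts():
        names = lookup("PTR", str(ip))
        if names:
            found[str(ip)] = names[0]
    return found


# Constructed zone for offline demonstration; these are not real records.
FAKE_ZONE = {
    ("A", "admin.megacorpone.com"): ["192.0.2.10"],
    ("A", "www.megacorpone.com"): ["192.0.2.20"],
    ("AAAA", "www.megacorpone.com"): ["2001:db8::20"],
    ("PTR", "192.0.2.10"): ["admin.megacorpone.com"],
    ("PTR", "192.0.2.20"): ["www.megacorpone.com"],
}


def fake_lookup(qtype: str, name: str) -> Optional[List[str]]:
    """Resolver stand-in that answers only from FAKE_ZONE."""
    return FAKE_ZONE.get((qtype, name))


if __name__ == "__main__":
    print(brute_force_forward("megacorpone.com", ["www", "admin", "hacktor"], fake_lookup))
    print(reverse_sweep("192.0.2.8/29", fake_lookup))
```

Swap `fake_lookup` for the default `stdlib_lookup` to run it against a real domain; the wordlist is the only tunable, and a name that resolves for every word usually means a wildcard record rather than real hosts.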
DNS Zone Transfers
Full dump of the zone files.
host -l <domain name> <dns server address>
Automated tools
DNSRecon => dnsrecon -d megacorpone.com -t axfr
DNSRecon brute force => dnsrecon -d megacorpone.com -D <wordlist> -t brt
DNSEnum => dnsenum <domain name>
Other tools
fierce - DNSdumpster - Dnsmap - Metagoofil - foca - maltego - Dmitry - Recon-ng
TCP / UDP Scanning
TCP
UDP
Three-way handshake
Ex :
Client (listener) => nc -nvlp 1234
Attacker => nc -nvv -w 1 -z 192.168.1.1 1234-1236
Port Scanning with nmap
Accountability for Our Traffic
TCP Connect Scanning
How to check the firewall without the SOC team catching you
Use sudo because the raw-socket scans (SYN, ACK, FIN) need root to craft low-level traffic; without it nmap falls back to a connect scan
Ex : sudo nmap 192.168.1.4 -p 25 -sT
-sT => Connect scanning
-sS => SYN scanning
-sA => ACK scanning
-sF => FIN scanning
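The scan types listed above look different on the wire, which is what a SOC actually keys on. The following is an added example, not code from the course: it takes a constructed packet log in a simplified tcpdump notation (S = SYN, . = ACK, S. = SYN/ACK, R = RST, R. = RST/ACK, F = FIN, P. = PSH/ACK), rebuilds each flow, and names the probe from the flag sequence: a connect scan (-sT) completes the handshake and then tears the connection down, a SYN scan (-sS) resets right after the SYN/ACK, an ACK scan (-sA) opens with a bare ACK and a FIN scan (-sF) with a bare FIN. The log lines, addresses and the `min_ports` threshold are all made up for the demonstration.

```python
"""Added example: classify nmap-style TCP probes from a constructed packet log."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample, not a real capture: 10.0.0.5 probes six ports with
# different techniques, 10.0.0.7 makes one ordinary connection.
PACKET_LOG = """\
10:00:01 10.0.0.5:40001 > 10.0.0.10:22 [S]
10:00:01 10.0.0.10:22 > 10.0.0.5:40001 [S.]
10:00:01 10.0.0.5:40001 > 10.0.0.10:22 [.]
10:00:01 10.0.0.5:40001 > 10.0.0.10:22 [R.]
10:00:02 10.0.0.5:40002 > 10.0.0.10:80 [S]
10:00:02 10.0.0.10:80 > 10.0.0.5:40002 [S.]
10:00:02 10.0.0.5:40002 > 10.0.0.10:80 [R]
10:00:02 10.0.0.5:40003 > 10.0.0.10:443 [S]
10:00:02 10.0.0.10:443 > 10.0.0.5:40003 [R.]
10:00:03 10.0.0.5:40004 > 10.0.0.10:25 [.]
10:00:03 10.0.0.10:25 > 10.0.0.5:40004 [R]
10:00:03 10.0.0.5:40005 > 10.0.0.10:110 [F]
10:00:03 10.0.0.10:110 > 10.0.0.5:40005 [R.]
10:00:03 10.0.0.5:40006 > 10.0.0.10:139 [F]
10:00:09 10.0.0.7:51000 > 10.0.0.10:80 [S]
10:00:09 10.0.0.10:80 > 10.0.0.7:51000 [S.]
10:00:09 10.0.0.7:51000 > 10.0.0.10:80 [.]
10:00:09 10.0.0.7:51000 > 10.0.0.10:80 [P.]
"""

LINE_RE = re.compile(r"^(\S+) (\S+):(\d+) > (\S+):(\d+) \[([^\]]+)\]$")
Flow = Tuple[str, int, str, int]


def parse_flows(log: str) -> Dict[Flow, Tuple[List[str], List[str]]]:
    """Group packets into flows keyed by the initiator's (src, sport, dst, dport).
    Returns (initiator_flags, responder_flags) per flow, in packet order."""
    flows: Dict[Flow, Tuple[List[str], List[str]]] = {}
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a packet line
        _ts, src, sport, dst, dport, flags = m.groups()
        fwd = (src, int(sport), dst, int(dport))
        rev = (dst, int(dport), src, int(sport))
        if fwd in flows:
            flows[fwd][0].append(flags)
        elif rev in flows:
            flows[rev][1].append(flags)
        else:
            flows[fwd] = ([flags], [])  # first packet seen defines the initiator
    return flows


def classify_flow(client: List[str], server: List[str]) -> str:
    """Name the probe from the flag sequence each side sent."""
    first = client[0]
    if first == "S":
        if "S." in server:                        # port answered open
            if "." not in client:
                return "half-open SYN scan (-sS)"  # SYN/ACK answered with RST only
            if any(f.startswith("P") for f in client):
                return "normal connection"        # heuristic: data was pushed
            return "connect scan (-sT)"           # handshake completed, then torn down
        if "R." in server:
            return "SYN probe to closed port"
        return "SYN probe, no answer (filtered)"
    if first == ".":
        return "ACK probe (-sA)"
    if first == "F":
        return "FIN probe (-sF)"
    return "other"


def summarize_sources(log: str, min_ports: int = 3) -> Dict[str, dict]:
    """Per source address, count distinct ports probed and techniques seen;
    report only sources that touched at least `min_ports` ports."""
    per_src = defaultdict(lambda: {"ports": set(), "techniques": set()})
    for (src, _, dst, dport), (cf, sf) in parse_flows(log).items():
        verdict = classify_flow(cf, sf)
        if verdict == "normal connection":
            continue
        per_src[src]["ports"].add((dst, dport))
        per_src[src]["techniques"].add(verdict)
    return {src: {"ports_probed": len(v["ports"]), "techniques": sorted(v["techniques"])}
            for src, v in per_src.items() if len(v["ports"]) >= min_ports}


if __name__ == "__main__":
    for flow, (cf, sf) in parse_flows(PACKET_LOG).items():
        print(flow, "->", classify_flow(cf, sf))
    print(summarize_sources(PACKET_LOG))
```

The "normal connection" rule is only a heuristic (a connect scan and a client that disconnects before sending data look identical), which is why the per-source port count, not the single-flow verdict, is what should raise an alert.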
UDP Scanning (-sU)
Banner Grabbing/Service Enumeration
-sV => Service/version scanning
Scan to show NetBIOS
To show more detail use -v => verbose
With password protection ON
With password protection OFF
Nmap NSE scripting (SMB)
RPC Protocol
First use nmap to scan RPC, which by default runs on port 111
OK, I will try to use the NSE rpcinfo script
The rpcinfo tool is used to get information about RPC services
Step 2: use the showmount tool
All files and directories that can be mounted on my machine
How to get all the info?
SMTP Enumeration
Scanning for the SMTP service
VRFY users, manual & automated
Nmap
Metasploit
First use nmap to scan SMTP, which by default runs on port 25
Using nmap
Simple Network Management Protocol
Management Information Base (MIB) / Object Identifier (OID)
To ensure that SNMP access works across manufacturers and with different client-server combinations, the Management Information Base (MIB) was created. MIB is an independent format for storing device information. A MIB is a text file in which all queryable SNMP objects of a device are listed in a standardized tree hierarchy. It contains at least one Object Identifier (OID), which, in addition to the necessary unique address and a name, also provides information about the type, access rights, and a description of the respective object. MIB files are written in the Abstract Syntax Notation One (ASN.1) based ASCII text format. The MIBs do not contain data, but they explain where to find which information and what it looks like, which values are returned for the specific OID, or which data type is used.
Object Identifiers (OIDs) play a crucial role. These unique identifiers are designed to manage objects within a Management Information Base (MIB).
1.3.6.1.4.1.1452.1.2.5.1.3.21.1.4.7
Here is a breakdown of this address.
1 – this is called the ISO and it establishes that this is an OID. This is why all OIDs start with “1”
3 – this is called ORG and it is used to specify the organization that built the device.
6 – this is the dod or the Department of Defense which is the organization that established the Internet first.
1 – this is the value of the internet to denote that all communications will happen through the Internet.
4 – this value determines that this device is made by a private organization, not a government one.
1 – this value denotes that an enterprise or a business entity makes the device.
Moving on to the next set of numbers.
1452 – identifies the organization that manufactured this device (its enterprise number).
1 – explains the type of device. In this case, it is an alarm clock.
2 – determines that this device is a remote terminal unit.
The rest of the values give specific information about the device.
5 – denotes a discrete alarm point.
1 – specific point in the device
3 – port
21 – address of the port
1 – display for the port
4 – point number
7 – state of the point
SNMP - Simple Network Management Protocol is a protocol used to monitor different devices in the network (like routers, switches, printers, IoTs...).
SNMP uses port 161/UDP for queries and also port 162/UDP for traps. Traps are data packets sent from the SNMP agent (the monitored device) to the manager without being explicitly requested.
There are 2 important versions of SNMP:
SNMPv1: the main one; it is still the most frequent. Authentication is based on a string (the community string) that travels in plain text (all the information travels in plain text). Versions 2 and 2c also send the traffic in plain text and use a community string as authentication.
SNMPv3: uses a better authentication form and the information travels encrypted (a dictionary attack could still be performed, but finding the correct credentials would be much harder than in SNMPv1 and v2).
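Two points above are easiest to see in the bytes themselves: the OID breakdown (1.3.6.1.4.1.1452...) and the claim that an SNMPv1/v2c community string crosses the network in plain text. The following is an added example, not code from the notes or from any SNMP tool: a small BER encoder/decoder that builds an SNMPv1 GetRequest for one OID, parses it back, and labels the OID arcs the way the breakdown does. The packet is constructed in code rather than captured, and the community string "public" is only a sample value; only the fixed prefix (iso.org.dod.internet.private.enterprises) and the position of the enterprise number can be named without the vendor's MIB, so later arcs are labelled vendor-defined.

```python
"""Added example: SNMPv1 GetRequest BER encode/decode and OID arc labelling."""
from typing import Dict, List, Tuple


def tlv(tag: int, value: bytes) -> bytes:
    """BER type-length-value with short-form length (enough for < 128 bytes)."""
    assert len(value) < 128
    return bytes([tag, len(value)]) + value


def encode_oid(oid: str) -> bytes:
    """X.690 OID encoding: first two arcs packed as 40*a+b, the rest base-128
    with the high bit set on every byte except the last of each arc."""
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def decode_oid(data: bytes) -> str:
    arcs = [data[0] // 40, data[0] % 40]
    value = 0
    for b in data[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:          # last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, position after the element); handles long-form length."""
    tag, length = buf[pos], buf[pos + 1]
    start = pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[start:start + n], "big")
        start += n
    return tag, buf[start:start + length], start + length


def build_get_request(community: str, oid: str, request_id: int = 1) -> bytes:
    """Constructed SNMPv1 GetRequest for one OID (version INTEGER 0 means v1)."""
    varbind = tlv(0x30, tlv(0x06, encode_oid(oid)) + tlv(0x05, b""))
    pdu = tlv(0xA0, tlv(0x02, bytes([request_id])) + tlv(0x02, b"\x00")
              + tlv(0x02, b"\x00") + tlv(0x30, varbind))
    return tlv(0x30, tlv(0x02, b"\x00") + tlv(0x04, community.encode("ascii")) + pdu)


def parse_get_request(pkt: bytes) -> Dict[str, object]:
    """Walk SEQUENCE { version, community, GetRequest-PDU { ..., VarBindList } }."""
    tag, msg, _ = read_tlv(pkt, 0)
    assert tag == 0x30, "SNMP message must be a SEQUENCE"
    tag_v, version, pos = read_tlv(msg, 0)
    tag_c, community, pos = read_tlv(msg, pos)
    tag_p, pdu, _ = read_tlv(msg, pos)
    assert (tag_v, tag_c, tag_p) == (0x02, 0x04, 0xA0)
    _, req_id, p = read_tlv(pdu, 0)
    _, _err_status, p = read_tlv(pdu, p)
    _, _err_index, p = read_tlv(pdu, p)
    _, varbinds, _ = read_tlv(pdu, p)
    oids, v = [], 0
    while v < len(varbinds):
        _, vb, v = read_tlv(varbinds, v)
        oid_tag, oid_bytes, _ = read_tlv(vb, 0)
        assert oid_tag == 0x06
        oids.append(decode_oid(oid_bytes))
    return {"version": int.from_bytes(version, "big"), "community": community.decode("ascii"),
            "request_id": int.from_bytes(req_id, "big"), "oids": oids}


ENTERPRISE_PREFIX = [(1, "iso"), (3, "org"), (6, "dod"), (1, "internet"),
                     (4, "private"), (1, "enterprises")]


def describe_oid(oid: str) -> List[Tuple[int, str]]:
    """Label the arcs as in the breakdown above; arcs after the enterprise
    number are defined by that vendor's MIB and cannot be named here."""
    arcs = [int(a) for a in oid.split(".")]
    out: List[Tuple[int, str]] = []
    i = 0
    while i < min(len(arcs), len(ENTERPRISE_PREFIX)) and arcs[i] == ENTERPRISE_PREFIX[i][0]:
        out.append((arcs[i], ENTERPRISE_PREFIX[i][1]))
        i += 1
    under_enterprises = i == len(ENTERPRISE_PREFIX)
    for j in range(i, len(arcs)):
        if under_enterprises and j == i:
            out.append((arcs[j], "enterprise number (vendor)"))
        elif under_enterprises:
            out.append((arcs[j], "vendor-defined"))
        else:
            out.append((arcs[j], "other subtree (see its MIB)"))
    return out


if __name__ == "__main__":
    OID = "1.3.6.1.4.1.1452.1.2.5.1.3.21.1.4.7"
    pkt = build_get_request("public", OID)
    print(pkt.hex())
    print(b"public" in pkt)   # the community string is readable on the wire
    print(parse_get_request(pkt))
    for arc, label in describe_oid(OID):
        print(arc, label)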
Step 1
On the Windows machine, turn on the SNMP service (Turn Windows features on or off)
Run .\services.msc
161/udp open|filtered (snmp) && 162/udp open|filtered (snmptrap)
OK, I will use snmpbulkwalk
If you know a valid community string, you can access the data using SNMPWalk or SNMP-Check:
e.g. snmp-check or snmp-shell