DNS Enumeration
Interacting with a DNS server
host -t mx megacorpone.com
Automating lookups
Forward lookup brute force
list.txt:
ftp
owa
proxy
router
Script:
for ip in $(cat [list.txt]);
do host $ip.[megacorpone.com];
done
Output:
Host ftp.megacorpone.com not found: 3(NXDOMAIN)
mail.megacorpone.com has address 51.222.169.212
Host owa.megacorpone.com not found: 3(NXDOMAIN)
Host proxy.megacorpone.com not found: 3(NXDOMAIN)
router.megacorpone.com has address 51.222.169.214
apt install seclists
Reverse lookup brute force
Script:
for i in $(seq [50 100]);
do host [38.100.193].$i;
done | grep -v "not found"
Output:
66.193.100.38.in-addr.arpa domain name pointer syslog.megacorpone.com.
69.193.100.38.in-addr.arpa domain name pointer beta.megacorpone.com.
70.193.100.38.in-addr.arpa domain name pointer ns1.megacorpone.com.
72.193.100.38.in-addr.arpa domain name pointer admin.megacorpone.com.
73.193.100.38.in-addr.arpa domain name pointer mail2.megacorpone.com.
76.193.100.38.in-addr.arpa domain name pointer www.megacorpone.com.
77.193.100.38.in-addr.arpa domain name pointer vpn.megacorpone.com.
80.193.100.38.in-addr.arpa domain name pointer ns2.megacorpone.com.
84.193.100.38.in-addr.arpa domain name pointer mail.megacorpone.com.
85.193.100.38.in-addr.arpa domain name pointer snmp.megacorpone.com.
89.193.100.38.in-addr.arpa domain name pointer siem.megacorpone.com.
90.193.100.38.in-addr.arpa domain name pointer ns3.megacorpone.com.
91.193.100.38.in-addr.arpa domain name pointer router.megacorpone.com.
DNS zone transfers
# host -t ns megacorpone.com
megacorpone.com name server ns1.megacorpone.com.
megacorpone.com name server ns3.megacorpone.com.
megacorpone.com name server ns2.megacorpone.com.
Script:
#!/bin/bash
# Simple Zone Transfer Bash Script
# $1 is the first argument given after the bash script
# Check if an argument was given; if not, print usage
if [ -z "$1" ]; then
    echo "[*] Simple Zone Script"
    echo "[*] Usage : $0 <domain name>"
    exit 0
fi
# If an argument was given, identify the DNS servers for the domain
for server in $(host -t ns "$1" | cut -d " " -f4); do
    # For each of these servers, attempt a zone transfer
    host -l "$1" "$server" | grep "has address"
done
Relevant tools in Kali Linux
dnsrecon
dnsrecon -d megacorpone.com -D ~/list.txt -t brt
dnsenum
dnsenum zonetransfer.me
Port scanning
TCP/UDP scanning
Use Wireshark to watch the connection handshake:
TCP
nc -nvv -w 1 -z [ip] [port]
UDP
nc -nv -u -z -w 1 [ip] [port]
NMAP
Accountability for our traffic
iptables -I INPUT 1 -s [ip] -j ACCEPT
iptables -I OUTPUT 1 -d [ip] -j ACCEPT
iptables -Z
# nmap -p 1-65535 192.168.20.128
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-03 16:56 CST
Nmap scan report for 192.168.20.128
Host is up (0.0035s latency).
Not shown: 65526 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
139/tcp open netbios-ssn
143/tcp open imap
443/tcp open https
445/tcp open microsoft-ds
5001/tcp open commplex-link
8080/tcp open http-proxy
8081/tcp open blackice-icecap
MAC Address: 00:0C:29:D9:C0:92 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 8.46 seconds
iptables -vn -L
iptables -Z
nmap -p 1-65535 192.168.20.128
iptables -vn -L
Stealth/SYN scanning
Only sends SYN (no full handshake), which is faster
nmap -sS 192.168.20.128
TCP connect scanning
nmap -sT 192.168.20.128
UDP scanning
nmap -sU 192.168.20.128
Network sweeping
nmap -sn 192.168.20.1-254
nmap -sn -v 192.168.20.1-254
nmap -sn -v 192.168.20.1-254 -oG ping-sweep.txt
-sn ping scan, disables port scanning
-v verbosity level
-oG grepable output
grep Up ping-sweep.txt |cut -d " " -f 2 | head
web
nmap -p 80 192.168.20.1-254 -oG web-sweep.txt
Scan common ports:
nmap -sT -A --top-ports=20 192.168.20.128 -oG top-port-sweep.txt
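The sweeps above all write grepable (-oG) files, which the notes then mine with grep and cut. The following parser, an added example rather than code from the original notes, reads that format into a host inventory (live hosts, hostname, open ports per host) so the results of a ping sweep and a port sweep can be combined and checked. The sample scan text is constructed in the -oG layout, not real output.

```python
import re

# Constructed sample in nmap's grepable (-oG) layout: a ping-sweep style
# "Status" line per host, plus a "Ports" line for one host. Fields are
# tab-separated; port entries are port/state/proto/owner/service/rpcinfo/version/.
SAMPLE_OG = """\
# Nmap 7.91 scan initiated Wed Nov  3 16:56:00 2021 as: nmap -sn -v 192.168.20.1-254 -oG ping-sweep.txt
Host: 192.168.20.1 ()\tStatus: Up
Host: 192.168.20.128 ()\tStatus: Up
Host: 192.168.20.128 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 139/filtered/tcp//netbios-ssn///\tIgnored State: closed (65526)
Host: 192.168.20.200 (printer.lab)\tStatus: Down
# Nmap done at Wed Nov  3 16:56:08 2021 -- 254 IP addresses (2 hosts up) scanned in 8.46 seconds
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\((.*?)\)")


def parse_grepable(text):
    """Return {ip: {"hostname": str, "up": bool, "ports": [(port, proto, service)]}}."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # '#' comment and summary lines carry no host data
        fields = line.split("\t")
        m = HOST_RE.match(fields[0])
        if not m:
            continue
        ip, name = m.group(1), m.group(2)
        entry = hosts.setdefault(ip, {"hostname": "", "up": False, "ports": []})
        if name:
            entry["hostname"] = name
        for field in fields[1:]:
            key, _, value = field.partition(": ")
            if key == "Status":
                entry["up"] = value.strip() == "Up"
            elif key == "Ports":
                entry["up"] = True  # only responding hosts get a Ports field
                for item in value.split(", "):
                    parts = item.split("/")
                    if len(parts) >= 5 and parts[1] == "open":
                        entry["ports"].append((int(parts[0]), parts[2], parts[4]))
    return hosts


def live_hosts(hosts):
    """IPs reported Up, in numeric order (like 'grep Up | cut' but sorted)."""
    return sorted((ip for ip, e in hosts.items() if e["up"]),
                  key=lambda ip: tuple(int(o) for o in ip.split(".")))


def hosts_with_port(hosts, port, proto="tcp"):
    """IPs exposing the given open port, e.g. the web-sweep question for port 80."""
    return [ip for ip in live_hosts(hosts)
            if any(p == port and pr == proto for p, pr, _ in hosts[ip]["ports"])]
```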
OS fingerprinting
nmap -O 192.168.20.128
Banner grabbing /service enumeration
nmap -sV -sT 192.168.20.128
Nmap Scripting Engine (NSE)
/usr/share/nmap/scripts
nmap 192.168.20.128 --script=smb-os-discovery
nmap --script=dns-zone-transfer -p 53 192.168.20.128
masscan
masscan -p80 192.168.20.0/24 --rate=1000 --router-ip 192.168.20.255
SMB enumeration
Scanning for the NetBIOS service
NetBIOS
nmap -v -p 138,445 192.168.20.1-254 -oG smb.txt
nbtscan -r 192.168.20.0/24
nmap SMB NSE scripts
# ls -1 /usr/share/nmap/scripts/smb*
/usr/share/nmap/scripts/smb2-capabilities.nse
/usr/share/nmap/scripts/smb2-security-mode.nse
/usr/share/nmap/scripts/smb2-time.nse
/usr/share/nmap/scripts/smb2-vuln-uptime.nse
/usr/share/nmap/scripts/smb-brute.nse
/usr/share/nmap/scripts/smb-double-pulsar-backdoor.nse
/usr/share/nmap/scripts/smb-enum-domains.nse
/usr/share/nmap/scripts/smb-enum-groups.nse
/usr/share/nmap/scripts/smb-enum-processes.nse
/usr/share/nmap/scripts/smb-enum-services.nse
/usr/share/nmap/scripts/smb-enum-sessions.nse
/usr/share/nmap/scripts/smb-enum-shares.nse
/usr/share/nmap/scripts/smb-enum-users.nse
/usr/share/nmap/scripts/smb-flood.nse
/usr/share/nmap/scripts/smb-ls.nse
/usr/share/nmap/scripts/smb-mbenum.nse
/usr/share/nmap/scripts/smb-os-discovery.nse
/usr/share/nmap/scripts/smb-print-text.nse
/usr/share/nmap/scripts/smb-protocols.nse
/usr/share/nmap/scripts/smb-psexec.nse
/usr/share/nmap/scripts/smb-security-mode.nse
/usr/share/nmap/scripts/smb-server-stats.nse
/usr/share/nmap/scripts/smb-system-info.nse
/usr/share/nmap/scripts/smb-vuln-conficker.nse
/usr/share/nmap/scripts/smb-vuln-cve2009-3103.nse
/usr/share/nmap/scripts/smb-vuln-cve-2017-7494.nse
/usr/share/nmap/scripts/smb-vuln-ms06-025.nse
/usr/share/nmap/scripts/smb-vuln-ms07-029.nse
/usr/share/nmap/scripts/smb-vuln-ms08-067.nse
/usr/share/nmap/scripts/smb-vuln-ms10-054.nse
/usr/share/nmap/scripts/smb-vuln-ms10-061.nse
/usr/share/nmap/scripts/smb-vuln-ms17-010.nse
/usr/share/nmap/scripts/smb-vuln-regsvc-dos.nse
/usr/share/nmap/scripts/smb-vuln-webexec.nse
/usr/share/nmap/scripts/smb-webexec-exploit.nse
nmap -v -p 139,445 --script=smb-os-discovery 192.168.20.128
NFS enumeration
Scanning for NFS shares
nmap -sV -p 111 --script=rpcinfo 192.168.20.1-254
ls -l /usr/share/nmap/scripts/nfs*
nmap -p 111 --script nfs* 192.168.20.128
mkdir home
mount -o nolock 192.168.20.128:/home ~/home/
Change the new user's UID to 1014 (to match the owner of the mounted files)
adduser ped
sed -i -e 's/1003/1014/g' /etc/passwd
grep ped /etc/passwd
su ped
id
SMTP enumeration
nc -nv 192.168.20.128 25
VRFY root
#!/usr/bin/env python3
import socket
import sys

if len(sys.argv) != 2:
    print("Usage: vrfy.py <username>")
    sys.exit(0)

# Create a socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

# Connect to the server
s.connect(('192.168.20.128', 25))

# Receive the banner
banner = s.recv(1024)
print(banner.decode(errors="replace"))

# VRFY a user (note the space between the verb and the username)
s.send(('VRFY ' + sys.argv[1] + '\r\n').encode())
result = s.recv(1024)
print(result.decode(errors="replace"))

# Close the socket
s.close()
chmod +x vrfy.py
./vrfy.py root
SNMP enumeration
The SNMP MIB tree
Scan:
nmap -sU --open -p 161 192.168.20.1-254 -oG open-snmp.txt
echo public > community
echo private >> community
echo manager >> community
for ip in $(seq 1 254); do echo 192.168.20.$ip; done > ips
onesixtyone -c community -i ips
Windows SNMP enumeration example
snmpwalk -c public -v1 -t 10 192.168.20.128
-v1 SNMP version 1
-t 10 time span of 10 minutes