Common Service Enumeration
This is the methodology I use when approaching CTF machines on platforms like Hack The Box, TryHackMe, etc.
TCP/IP Port Scanning
TCP/IP port scanning is used to discover which ports are open or closed on a remote host, and it is almost always the first thing I do. Once an effective scan has run, I should have the data needed to move on to basic service enumeration.
My Default Nmap Run
This is very effective for CTF'ing, but may be too loud for something like threat emulation:
sudo nmap -sC -sV -vvv -T4 -Pn [IP]
Here -sC runs the default (safe) scripts, -sV fingerprints software versions, -vvv gives triple verbosity (so newly discovered ports are printed before the full report is ready), -T4 uses the aggressive timing template so nmap doesn't have to slow down and rescan over slow networks, and -Pn disables host discovery (the ICMP ping), which is needless in most CTF situations.
Again, this is a pretty loud scan (the scripts and version probes are well-signatured by most security products), and it's also pretty aggressive, so you may not want to use it in situations like threat emulation, or for "gentler" uses of port scanning.
I'll cover Nmap in more detail elsewhere. This is just an icebreaker on the topic.
Manual scanning with netcat
A very basic TCP connect scan can be done with netcat:
nc -nvv -z -w 1 [IP] {0..100}
The example above would scan ports 0-100. Adding -u to the mix should make it a basic UDP scan. This is much more primitive than anything nmap can do, but for living-off-the-land purposes it could be useful. For further fingerprinting of the target device, you'd need to do things like banner grabbing manually.
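The same idea as the netcat loop above, written as an added example (not from the original post) in stdlib Python for hosts where nc isn't available: a plain TCP connect scan that also grabs whatever banner each open service sends first. The listener it scans is a constructed fixture on 127.0.0.1, not a real target.

```python
import socket
import threading

def scan_range(host, first, last, timeout=1.0, banner_bytes=128):
    """Return {port: banner} for every port in [first, last] that accepts a TCP connect.
    The banner is whatever the service sends first ('' if it waits for the client)."""
    found = {}
    for port in range(first, last + 1):
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                try:
                    banner = s.recv(banner_bytes).decode("ascii", "replace").strip()
                except OSError:
                    banner = ""        # open but silent, e.g. HTTP expects a request first
                found[port] = banner
        except OSError:
            continue                   # refused, timed out or unreachable: not open
    return found

def _fake_service(banner):
    """Constructed fixture: a local listener that sends `banner` to each client and hangs up."""
    srv = socket.create_server(("127.0.0.1", 0))
    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return                 # listener closed
            with conn:
                conn.sendall(banner)
    threading.Thread(target=serve, daemon=True).start()
    return srv

def demo():
    """Scan a three-port window around the fixture and return the banner it produced."""
    with _fake_service(b"SSH-2.0-OpenSSH_9.6 (constructed banner)\r\n") as srv:
        port = srv.getsockname()[1]
        return scan_range("127.0.0.1", port - 1, port + 1, timeout=0.5).get(port, "")

if __name__ == "__main__":
    print(demo())
```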
TCP 53: DNS
DNS is the system that maps human readable domain names to IP addresses (and, via reverse lookups, back again). Learning to abuse it can be useful for things like subdomain discovery.
Types of DNS records
- NS: Name Server records. This is the DNS server that hosts the domain.
- A: The host record. The IP associated with the name.
- AAAA: IPv6 host record.
- MX: Mail exchange. This is a list of associated mail servers for the domain.
- PTR: Pointer record. This is used for reverse lookups. If a single IP hosts multiple domains, PTR is used to discover domains associated with it.
- CNAME: Canonical name record.
- TXT: Text records. Arbitrary extra information. It's simply what it says on the tin: a text record.
DNS Record Enumeration
DNS records can be useful for providing OSINT and other features.
Manually on Linux
We use the host command like so:
host -t [record type] [domain]
We can use some basic shell scripting to put this together to enumerate subdomains:
for i in $(cat [wordlist]); do host $i.[domain].[tld]; done
There are other/better ways to do this with tools like FFUF, but I'll cover that in a different article. This is useful again for living off the land and simply deep-dive educational purposes. It's very good to do things manually like this as it forces you to understand how things work.
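The shell loop above in Python, as an added example that is not from the original post: the resolver is the oracle (a name that resolves exists), lookups run in parallel, and a random label is checked first so a wildcard zone doesn't make every guess look like a hit. The resolve function is injectable; the zone below is a constructed stand-in so it runs offline.

```python
import secrets
import socket
from concurrent.futures import ThreadPoolExecutor

def enumerate_subdomains(domain, words, resolve=socket.gethostbyname, workers=20):
    """Return {fqdn: ip} for wordlist entries that resolve under `domain`.

    `resolve` must raise socket.gaierror for names that do not exist (NXDOMAIN);
    the default is the system resolver, like `host` in the shell loop.
    """
    # Wildcard check: if a random label resolves, every guess would "succeed",
    # so remember that IP and ignore names that only point at it.
    wildcard_ip = None
    try:
        wildcard_ip = resolve(f"{secrets.token_hex(8)}.{domain}")
    except socket.gaierror:
        pass

    def probe(word):
        fqdn = f"{word.strip()}.{domain}"
        try:
            return fqdn, resolve(fqdn)
        except socket.gaierror:
            return fqdn, None

    found = {}
    with ThreadPoolExecutor(max_workers=workers) as pool:
        for fqdn, ip in pool.map(probe, [w for w in words if w.strip()]):
            if ip is not None and ip != wildcard_ip:
                found[fqdn] = ip
    return found

# Constructed offline fixture standing in for a real zone (not real hosts).
FAKE_ZONE = {
    "www.example.test": "192.0.2.10",
    "mail.example.test": "192.0.2.25",
    "dev.example.test": "192.0.2.30",
}

def fake_resolve(name):
    try:
        return FAKE_ZONE[name]
    except KeyError:
        raise socket.gaierror(-2, "Name or service not known")

if __name__ == "__main__":
    print(enumerate_subdomains("example.test", ["www", "mail", "ftp", "dev", "vpn"], resolve=fake_resolve))
```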
Manually on Windows
We use nslookup:
nslookup -type=[record type] [domain] [name server IP (optional)]
I'm not familiar enough with batch scripting to be able to make something cool to enumerate subdomains with. Ss64.com could be a good resource to look into on this point.
DNSenum
This tool tries to enumerate basic info about a domain.
dnsenum [domain]
See the Kali documentation on it for more. I don't really use it much except as something to throw at the wall if I'm stuck.
DNSRecon
This will enumerate basic records for [domain]:
dnsrecon -d [domain] -t std
We can bruteforce subdomains like this:
dnsrecon -d [domain] -D [wordlist] -t brt
Again, this is simply a tool I'm documenting to be thorough. I usually brute-force subdomains using FFUF.
Dig
A really simple trick I use often before resorting to brute-forcing:
dig any victim.com @[nameserver IP]
This can reveal subdomains of "victim.com".
TCP 139/445: SMB
SMB is the protocol used by Windows for file sharing. Natively it runs over TCP 445, but it often has NetBIOS running alongside it on TCP 139 for backwards compatibility with the days before SMB ran directly over TCP/IP.
In my experience there's not much more to do on SMB without credentials than list shares and probe for null-session logons. You should also run scripts to determine the version, as many versions of SMB have had critical vulnerabilities with known exploits (EternalBlue, etc.).
Listing shares:
smbclient -L [IP]
Connecting to a share:
smbclient \\\\[IP]\\[share]
TCP 22: SSH
SSH is a common encrypted protocol for remote shells.
In most cases, all you can do if you see it is either try online password attacks, or else use credentials to log in. If you have arbitrary file read from some other vector, you may be able to grab RSA keys for SSH, but really, SSH is rarely the initial access vector in itself.
TCP 25: SMTP
Simple Mail Transfer Protocol is the protocol used to send email from mail server to mail server.
Verifying Usernames
We can use raw SMTP commands to verify email accounts. We'll start by making a TCP connection to the server:
nc -nv [IP] 25
Then we issue the SMTP VRFY command:
VRFY [username]
On Windows
In a living off the land situation on Windows, we'll need to install Telnet, which means we'll also need admin on that device:
dism /online /Enable-Feature /FeatureName:TelnetClient
Then we connect to the server via Telnet:
telnet [IP] 25
From here, you do the same thing with the VRFY command as under Linux.
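The VRFY exchange from both the Linux and Windows variants above, done over a raw socket as an added example (not from the original post), alongside a constructed local SMTP server so it runs offline. A 252 reply means the server declines to confirm accounts, which is what you'll see on a mail server hardened against this kind of probing.

```python
import socket
import threading
VERDICT = {250: "exists", 251: "exists", 252: "unconfirmed", 550: "no such user"}

def smtp_vrfy(host, port, username, timeout=5.0):
    """Greet the server, send VRFY, return (reply_code, verdict)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        lines = s.makefile("rb")
        lines.readline()                          # 220 greeting
        s.sendall(b"HELO enum.test\r\n")
        lines.readline()                          # 250 reply to HELO
        s.sendall(f"VRFY {username}\r\n".encode())
        code = int(lines.readline()[:3])          # 250 / 252 / 550 is the answer
        s.sendall(b"QUIT\r\n")
    return code, VERDICT.get(code, "unknown")

def _fake_smtp(users, disclose):
    """Constructed fixture: answers VRFY from `users`, or 252 when disclose is False."""
    srv = socket.create_server(("127.0.0.1", 0))
    def handle(conn):
        with conn:
            conn.sendall(b"220 fake.test ESMTP (constructed)\r\n")
            for raw in conn.makefile("rb"):
                cmd, _, arg = raw.decode().strip().partition(" ")
                if cmd.upper() == "QUIT":
                    return conn.sendall(b"221 Bye\r\n")
                if cmd.upper() != "VRFY":
                    conn.sendall(b"250 OK\r\n")
                elif not disclose:
                    conn.sendall(b"252 Cannot VRFY user, but will try delivery\r\n")
                elif arg in users:
                    conn.sendall(f"250 {arg} <{arg}@fake.test>\r\n".encode())
                else:
                    conn.sendall(b"550 No such user here\r\n")
    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=handle, args=(conn,), daemon=True).start()
    threading.Thread(target=serve, daemon=True).start()
    return srv

def demo(disclose=True):
    """Probe 'alice' (exists) and 'mallory' (does not) against the fixture."""
    with _fake_smtp({"alice", "bob"}, disclose) as srv:
        port = srv.getsockname()[1]
        return [smtp_vrfy("127.0.0.1", port, u) for u in ("alice", "mallory")]
```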
SNMP
Don't get it confused with SMTP (I know the acronyms can look similar)! This is Simple Network Management Protocol, which maintains data about network devices.
A simple way to enumerate some information with it is as follows:
snmpwalk -c [community string] -v[1-3] -t 7 [IP]
The "community string" is more or less SNMP's version of a password. Getting it wrong will trip IDS detections as a failed logon in many cases. -v is the version of the protocol in use (higher versions support authentication and encryption and are thus harder to attack) and -t is the timeout for the connection attempt.
I've rarely had to use SNMP doing CTFs, so I'd really reference something like Hacktricks or a similar external reference like that for more on it.