MetaSploitable 2 Enumeration

BURST · 13-12-2017, 07:51 AM

Enumeration is the very first key step to hack/pen Test any vulnerable Target.

In todays blog, we are going to enumerate theMetasploitable 2machine.Forthis, we are going to use some commands like Netdiscover, Nmap,rpcclient& enum4linux.

In this part of the Metasploitable 2 enumerationtutorial, we will be enumerating the running services, accounts and perform an open port scan. We will be using Nmap to scan the virtual machine for open ports and we will be fingerprinting the connected services.

I am using kali linux for Enumeration and my metasploitableIPis 192.168.138.129.

To check the Available End devices in a network:

Netdiscover r <IP Range>

This command will return all live host on the given IP range

Nmap Scan:

With the help of Nmap, we will try to figure out open ports, running services and so on.

nmap -sS -p- [taget IP address]

When you start a SYN scan (and any other port scan) from NMap without specifying the port range then NMap will scan only the first 1.000 ports which are considered the most important ports instead of all 65.535 ports. To scan all ports you have to use the -p- flag. The Nmap SYN scan command uses the -sS flag as used in the following command to SYN scan port 1 to port 65.535

The Nmap SYN scan is often called a stealthy scan which implies that it goes unnoticed. This is true for old firewalls, which only log full TCP connections, but not for modern firewalls which also log uncompleted TCP connections.

[Image: manish-bhardwaj-nmap-ss.png?w=900]

Nmap Service scan with OS detection

Nmap sS sV -O [target IP address]

[Image: manish-bhardwaj-nmap-o.png?w=900]

You can also use the A option instead of O to enable OS Detection, version detection, script scanning and trace route all at once. This is not a stealthy way of scanning.

Nmap UDP scan

UDP scan is activated with the -sU option. It can be combined with a TCP scan type such as SYN scan (-sS) to check both protocols during the same run.

While most popular services on the Internet run over the TCP protocol, UDP services are widely deployed. DNS, SNMP, and DHCP

nmap -sU<IP Address>

-sN; -sF; -sX (TCP NULL, FIN, and Xmas scans)

Null scan (-sN)-Does not set any bits (TCP flag header is 0)

FIN scan (-sF)-Sets just the TCP FIN bit.

Xmas scan (-sX)-Sets the FIN, PSH, and URG flags, lighting the packet up like a Christmas tree.

Metasploitable 2 user enumeration

Enumerating users with NMap

nmap script smb-enum-users.nse p 445 [target host]

[Image: manish-bhardwaj-nmap-enum.png?w=900]

Enumerating user accounts through null sessions with rpcclient

Rpcclient is a Linux tool used for executing client side MS-RPC functions. A null session is a connection with a samba or SMB server that does not require authentication with a password. No username or password is needed to set-up the connection and therefore it is called a null session. The allowance of null sessions was enabled by default onlegacy systems but has been disabled from Windows XP SP2and Windows Server 2003.The connection uses port 445 which is an open port on out target host as weve seen in the results of the port scan.

rpcclient U ? [target IP address]

[Image: manish-bhardwaj-rpcclient-1.png?w=900]

rcpclient $> querydominfo

[Image: manish-bhardwaj-rpcclient-domain-query1.png?w=900]

rcpclient $> enumdomusers

[Image: manish-bhardwaj-rpcclient-domain-query2.png?w=900]

rcpclient $> queryuser [username]

[Image: manish-bhardwaj-rpcclient-domain-query3.png?w=900]

Enumeration with enum4linux

Enum4linux is used to enumerate Windows and Samba hosts and is written in Perl. The tool is basically a wrapper for smbclient, rpcclient, net and nmblookup.

enum4linux <Target IP>

[Image: manish-bhardwaj-enum4linux.png?w=900]

[Image: manish-bhardwaj-enum4linux-2.png?w=900]

[Image: manish-bhardwaj-enum4linux-3.png?w=900]

MetaSploitable 2 Enumeration

Submitted by BURST, 13-12-2017, 07:51 AM, Thread ID: 64969