🟢Enumeration

NetBIOS and Null Session

nmap -sS -p 135 <target>

Probes NetBIOS info of machine:

nbtscan -v <target>

Displays system shares information:

nmblookup -A <target>

Lists all shared shares of target:

smbclient -L <target>

Enumerates information on target Windows system (shares, users, etc):

enum4linux -a <target>

Attempts to access a shared resources with no credentials (null session):

smbclient \\\\<target>\\<share> -N

Attempt to connect to RPC service with no credentials:

rpcclient -N -U "" <target>

Attempts to bruteforce SMB credentials with nmap:

nmap --script=smb-brute <target>

SNMP Enumeration

Enumerates SNMP info of the given target:

snmpwalk -c <c_string> -v <version> <target>

Attempts to brute force SNMP community string:

nmap -sU -p 161 --script=snmp-brute <target>

Enumerate users:

nmap -sU -p 161 --script snmp-win32-users <target>

Lists all SNMP-related nmap scripts:

ls -l /usr/share/nmap/script | grep -i snmp

Obtains SNMP info at specified OID:

snmpwalk -c <c_string> -v <version> <target> <OID>

Changes the SNMP information at specified OID:

snmpset -c <c_string> -v <version> <target> <OID> <value_type> <value>

Onesixtyone brute force:

echo public > community
echo private >> community
echo manager >> community
onesixtyone -c community <target>

Enumerate system processes:

snmpwalk -c <community string> -<version> <target> 1.3.6.1.2.1.25.1.6.0

Enumerate running programs:

snmpwalk -c <community string> -<version> <target> 1.3.6.1.2.1.25.4.2.1.2

Enumerate processes path:

snmpwalk -c <community string> -<version> <target> 1.3.6.1.2.1.25.4.2.1.4

Enumerate storage units:

snmpwalk -c <community string> -<version> <target> 1.3.6.1.2.1.25.2.3.1.4

Enumerate software name:

snmpwalk -c <community string> -<version> <target> 1.3.6.1.2.1.25.6.3.1.2

Enumerate user accounts:

snmpwalk -c <community string> -<version> <target> 1.3.6.1.4.1.77.1.2.25

Enumerate tcp local ports:

snmpwalk -c <community string> -<version> <target> 1.3.6.1.2.1.6.13.1.3

SNMP and Metaespoit

msf > use auxiliary/scanner/snmp/snmp_login
msf > set PASSWORD public
msf > set RHOSTS file:snmp.txt
msf > set THREADS 25
msf > set VERBOSE false
msf > set VERSION 2c
msf > run

NFS Enumeration

Discover rpcbind:

$ sudo nmap -sV --script rpcinfo 10.10.13.37 -p111

Run Nmap scripts:

$ sudo nmap -sV --script 'nfs*' 10.10.13.37 -p2049

Mount

$ showmount -e 10.10.13.37
$ sudo mount -v -t nfs -o vers=3 -o nolock -o user=snovvcrash,pass='Passw0rd!' 10.10.13.37:/home /mnt/nfs

https://resources.infosecinstitute.com/exploiting-nfs-share/resources.infosecinstitute.com

PreviousScanning NextMSFVenom

Last updated 2 years ago

Was this helpful?