eJPT Junior Penetration Tester
ShopAuthorPatreonHTB Pro Labs
eCPPTv2 Certified Professional Penetration Tester
eCPPTv2 Certified Professional Penetration Tester
  • 🍕eCPPTv2 Study
  • Author
  • Certification
    • 🟢Exam Description
    • Register
  • RFS Tips
    • 🟢Before the Exam
    • 🟢Prepare your Setup
    • 🟢Questions?
    • 🎓Learn more... Get eCPPTv2
    • 🟢Start Hacking
  • Reports
    • PwnDoc Documentation
    • 🟢Templates
  • Methodology
    • 🟢To Scan a Network
    • 🟢To Attack a Linux Machine
    • 🟢To Attack a Windows Machine
    • 🟠Linux Privilege Escalation
    • Windows Privilege Escalation
    • Linux Post Exploitation
    • Windows Post Exploitation
    • Pivoting Methodology
  • Web Tools
    • Why these Tools
    • Rev Shells
    • MD5 Crack
    • CyberChef
    • SecLists
    • WADcoms
    • LOLBAS
    • GTFOBins
  • Network Security
    • Information Gathering
      • Intro
      • Passive / Active
      • OSINT
      • Social Media
      • Infrastructure
      • DNS
        • NSlookup
        • Dig
        • fierce
        • DNSenum
        • DNSmap
        • DNSrecon
      • Host Discovery
        • Fping
        • Hping
        • Nmap
      • Maltego
      • Foca
      • Breach Data
    • Scanning
      • Intro
      • Wireshark
        • Promiscuous Interface
        • 🟢Filters
        • Colors
        • Follow Stream
      • Scan Types
      • 🟢Hping3
      • Nmap
      • 💚eCPPTv2 - Firewall IDS Evasion
    • 🟢Enumeration
    • Sniffing & MitM Attacks
      • Passive
      • Active
      • MiTM
        • Local to Remote
        • DHCP Spoofing
        • LLMNR Poisoning
        • NBT-NS Poisoning
      • Tools
        • Dsniff
        • Wireshark
        • TCPDump
        • Ethercap
    • Exploitation
    • Post Exploitation
    • Social Engineering
    • Anonymity
  • Linux Exploitation
    • Introduction
    • Information Gathering
      • Remote Enumeration
        • Enum NFS
        • rpcbind
        • SMB
        • SMTP
      • Local Enumeration
        • Network Info
        • System Info
    • Exploitation over the Network
      • Samba
        • UserMap CVE-2007-2447
        • SymLink Directory Traversal
        • SambaCry CVE-2017-7494
        • Writeable Share to RCE
      • PHP CGI
      • Ruby DRB RMI port 8787
      • JAVA RMI Registry - port 1099
      • Exploiting Java Deserialization
      • TomCat
      • Password Spray Attack
      • Shellshock
      • Heartbleed
    • Post Exploitation
      • Intro
      • msfconsole scripts
      • Privilege Escalation
        • Docker
          • Unix Sockets Exploitation
        • Restricted Shells
        • Cracking Shadow File
        • 🟢Dump Memory Credentials
        • 🟢Dump SWAP Credentials
        • 🟢Shared Object Libraries
        • Kernel Exploits
          • Dirty Cow
          • Stack Clash
          • DCCP
          • Race Condition
          • msfconsole
      • Lateral Movement
        • Samba
          • Dump Samba Secrets
        • SSH
          • SSH Hijacking
          • Steal SSH credentials
        • VPNPivot
        • Dump Firefox Credentials
        • Sniffing
      • Data Exfiltration
      • Maintaining Access
        • HTTPS
        • Reverse Shells
        • Custom Services
  • Metasploit
    • Notes
    • 🟢Detect Live Hosts with Metasploit
    • 🟢Port Scanning with Metasploit
    • Network Services Scanning
    • Payloads
    • Exploitation with Metasploit
    • Post Exploitation with Metasploit
  • System Security
    • Page 5
  • Web App Security
    • Best Academy
    • HTTP
      • Basics
      • Encoding
      • Same Origin
      • Cookies
      • Sessions
      • Web Proxies
    • Enumerating
      • Infrastructure
      • Mapping Application
    • Tools
    • XSS
      • Free Courses
      • XSS Types
      • Attack Types
    • SQL Injection
    • CMSs
  • Powershell for Pentesters
    • Page 2
  • Wi-Fi Security
    • Page 6
  • Commands Notes
    • 🟢Information Gathering
    • 🟢Host Discovery
    • 🟢Scanning
    • 🟢Enumeration
    • 🟢MSFVenom
  • Pivoting
    • Tips
    • Socks4 vs Socks5
    • Pivoting Techniques
    • Meterpreter
    • SSH
    • Proxy Chains
    • 🟢Chisel
    • Socat
  • Buffer OverFlow
    • Tips for Bof in eCPPTv2
    • Computerphile - Buffer Overflow
    • The Cyber Mentor - BoF
  • 🟢TryHackMe Rooms
    • 🟢Privilege Escalation
      • LazyAdmin
      • LinuxPrivEsc
      • Empline
      • Windows 10 Privesc
    • 🟢Pivoting
      • Wreath Network
      • VulnNetInternal
    • 🟢Buffer Overflow
      • Gatekeeper
      • Buffer Overflow Prep
    • 🟢Metasploit
      • RP Metasploit
      • Metasploit Intro
  • Community Exam Tips
    • Exploits
    • Shells
    • PrivEsc
    • Report
    • BoF
    • Wordlists
    • 🟢Articles - Exam Reviews
    • 🟢Videos - Exam Reviews
  • Free Courses
    • Page 1
  • Paid Courses
    • Page 3
  • After Exam
    • Page 4
Powered by GitBook
On this page
  • NetBIOS and Null Session
  • SNMP Enumeration
  • SNMP and Metaespoit
  • NFS Enumeration
  • Mount

Was this helpful?

  1. Commands Notes

Enumeration

NetBIOS and Null Session

nmap -sS -p 135 <target>

Probes NetBIOS info of machine:

nbtscan -v <target>

Displays system shares information:

nmblookup -A <target>

Lists all shared shares of target:

smbclient -L <target>

Enumerates information on target Windows system (shares, users, etc):

enum4linux -a <target>

Attempts to access a shared resources with no credentials (null session):

smbclient \\\\<target>\\<share> -N

Attempt to connect to RPC service with no credentials:

rpcclient -N -U "" <target>

Attempts to bruteforce SMB credentials with nmap:

nmap --script=smb-brute <target>

SNMP Enumeration

Enumerates SNMP info of the given target:

snmpwalk -c <c_string> -v <version> <target>

Attempts to brute force SNMP community string:

nmap -sU -p 161 --script=snmp-brute <target>

Enumerate users:

nmap -sU -p 161 --script snmp-win32-users <target>

Lists all SNMP-related nmap scripts:

ls -l /usr/share/nmap/script | grep -i snmp

Obtains SNMP info at specified OID:

snmpwalk -c <c_string> -v <version> <target> <OID>

Changes the SNMP information at specified OID:

snmpset -c <c_string> -v <version> <target> <OID> <value_type> <value>

Onesixtyone brute force:

echo public > community
echo private >> community
echo manager >> community
onesixtyone -c community <target>

Enumerate system processes:

snmpwalk -c <community string> -<version> <target> 1.3.6.1.2.1.25.1.6.0

Enumerate running programs:

snmpwalk -c <community string> -<version> <target> 1.3.6.1.2.1.25.4.2.1.2

Enumerate processes path:

snmpwalk -c <community string> -<version> <target> 1.3.6.1.2.1.25.4.2.1.4

Enumerate storage units:

snmpwalk -c <community string> -<version> <target> 1.3.6.1.2.1.25.2.3.1.4

Enumerate software name:

snmpwalk -c <community string> -<version> <target> 1.3.6.1.2.1.25.6.3.1.2

Enumerate user accounts:

snmpwalk -c <community string> -<version> <target> 1.3.6.1.4.1.77.1.2.25

Enumerate tcp local ports:

snmpwalk -c <community string> -<version> <target> 1.3.6.1.2.1.6.13.1.3

SNMP and Metaespoit

msf > use auxiliary/scanner/snmp/snmp_login
msf > set PASSWORD public
msf > set RHOSTS file:snmp.txt
msf > set THREADS 25
msf > set VERBOSE false
msf > set VERSION 2c
msf > run

NFS Enumeration

Discover rpcbind:

$ sudo nmap -sV --script rpcinfo 10.10.13.37 -p111

Run Nmap scripts:

$ sudo nmap -sV --script 'nfs*' 10.10.13.37 -p2049

Mount

$ showmount -e 10.10.13.37
$ sudo mount -v -t nfs -o vers=3 -o nolock -o user=snovvcrash,pass='Passw0rd!' 10.10.13.37:/home /mnt/nfs
PreviousScanningNextMSFVenom

Last updated 2 years ago

Was this helpful?

🟢
LogoExploiting NFS share [updated 2021] - Infosec ResourcesInfosec Resources