Enumeration is the first key step in any penetration test of a vulnerable target.
In today's blog, we are going to enumerate the Metasploitable 2 machine. For this, we are going to use tools such as Netdiscover, Nmap, rpcclient and enum4linux.
In this part of the Metasploitable 2 enumeration tutorial, we will enumerate the running services and user accounts and perform an open port scan. We will use Nmap to scan the virtual machine for open ports and fingerprint the services listening on them.
I am using Kali Linux for enumeration and my Metasploitable IP is 192.168.138.129.
- To check the available end devices in a network:
netdiscover -r <IP range>
This command returns all live hosts in the given IP range.
- Nmap scan:
With the help of Nmap, we will try to figure out open ports, running services and so on.
nmap -sS -p- [target IP address]
When you start a SYN scan (or any other port scan) with Nmap without specifying a port range, Nmap scans only the 1,000 ports it considers most important instead of all 65,535 ports. To scan all ports you have to use the -p- flag. The -sS flag selects a SYN scan, so the command above SYN scans port 1 to port 65,535.
The Nmap SYN scan is often called a stealthy scan, which implies that it goes unnoticed. This was true for old firewalls, which only logged completed TCP connections, but not for modern firewalls, which also log half-open (uncompleted) TCP connections.
Nmap service scan with OS detection
nmap -sS -sV -O [target IP address]
You can also use the -A option instead of -O to enable OS detection, version detection, script scanning and traceroute all at once. This is not a stealthy way of scanning.
Nmap UDP scan
A UDP scan is activated with the -sU option. It can be combined with a TCP scan type such as the SYN scan (-sS) to check both protocols during the same run.
While most popular services on the Internet run over TCP, UDP services are also widely deployed; DNS, SNMP and DHCP are common examples.
nmap -sU <IP address>
-sN, -sF, -sX (TCP NULL, FIN and Xmas scans)
Null scan (-sN): does not set any flag bits (the TCP flags header is 0).
FIN scan (-sF): sets just the TCP FIN bit.
Xmas scan (-sX): sets the FIN, PSH and URG flags, lighting the packet up like a Christmas tree.
- Metasploitable 2 user enumeration
Enumerating users with Nmap
nmap --script smb-enum-users.nse -p 445 [target host]
- Enumerating user accounts through null sessions with rpcclient
rpcclient is a Linux tool used for executing client-side MS-RPC functions. A null session is a connection to a Samba or SMB server that does not require authentication with a password. No username or password is needed to set up the connection, which is why it is called a null session. Null sessions were allowed by default on legacy systems but have been disabled since Windows XP SP2 and Windows Server 2003. The connection uses port 445, which is an open port on our target host as we have seen in the results of the port scan.
rpcclient -U "" [target IP address]
rpcclient $> querydominfo
rpcclient $> enumdomusers
rpcclient $> queryuser [username]
- Enumeration with enum4linux
Enum4linux is used to enumerate Windows and Samba hosts and is written in Perl. The tool is basically a wrapper for smbclient, rpcclient, net and nmblookup.
enum4linux <Target IP>
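The walkthrough above leaves you with two kinds of raw output: an Nmap report and the user listing that rpcclient's enumdomusers prints. The script below is an added example (not part of the original post) that parses both, so you can record which services are exposed, whether the SMB ports used by null sessions are open, and which accounts were enumerated. It assumes Nmap was run with -oX to produce XML; the sample XML and rpcclient text embedded in it are constructed for the example, not real scan results.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of Nmap XML output (nmap ... -oX scan.xml), not a real scan.
NMAP_XML = """<nmaprun>
<host><address addr="192.168.138.129" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open"/>
<service name="ssh" product="OpenSSH" version="4.7p1"/></port>
<port protocol="tcp" portid="139"><state state="open"/>
<service name="netbios-ssn" product="Samba smbd"/></port>
<port protocol="tcp" portid="445"><state state="open"/>
<service name="netbios-ssn" product="Samba smbd"/></port>
<port protocol="tcp" portid="8787"><state state="closed"/>
<service name="msgsrvr"/></port>
</ports></host></nmaprun>"""

# Constructed sample of what `rpcclient $> enumdomusers` prints.
ENUMDOMUSERS = """user:[games] rid:[0x3f2]
user:[msfadmin] rid:[0x3eb]
user:[user] rid:[0x3f1]"""

def open_ports(xml_text):
    """Return {port: (service, product, version)} for every open TCP port."""
    result = {}
    for port in ET.fromstring(xml_text).iter("port"):
        if port.find("state").get("state") != "open":
            continue  # closed/filtered ports carry no service to fingerprint
        svc = port.find("service")
        result[int(port.get("portid"))] = (
            svc.get("name", ""), svc.get("product", ""), svc.get("version", ""))
    return result

def smb_exposed(ports):
    """True when the SMB/NetBIOS ports that null sessions use are open."""
    return bool({139, 445} & set(ports))

USER_LINE = re.compile(r"user:\[(?P<name>[^\]]*)\]\s+rid:\[(?P<rid>0x[0-9a-fA-F]+)\]")

def parse_enumdomusers(text):
    """Return {username: rid} from rpcclient's enumdomusers listing."""
    return {m["name"]: int(m["rid"], 16) for m in USER_LINE.finditer(text)}

if __name__ == "__main__":
    ports = open_ports(NMAP_XML)
    for num, (name, product, version) in sorted(ports.items()):
        print(f"{num}/tcp {name} {product} {version}".rstrip())
    if smb_exposed(ports):
        print("SMB reachable: the rpcclient/enum4linux steps apply")
    print(parse_enumdomusers(ENUMDOMUSERS))
```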
To learn Ethical Hacking, Visit: http://www.azureskynet.com