MetaSploitable 2 Enumeration


Enumeration is the first key step in hacking or pen-testing any vulnerable target.
In today's blog we are going to enumerate the Metasploitable 2 machine. For this we will use tools such as netdiscover, Nmap, rpcclient and enum4linux.
In this part of the Metasploitable 2 enumeration tutorial we will enumerate the running services and accounts and perform an open-port scan. Nmap will scan the virtual machine for open ports and fingerprint the services listening on them.
I am using Kali Linux for the enumeration, and my Metasploitable IP is

  • To find the live hosts on a network:
netdiscover -r <IP range>

This command returns every live host in the given range. netdiscover works by sending ARP requests, so it only sees hosts on the local network segment and needs root privileges.

  • Nmap Scan: 

With the help of Nmap, we will try to figure out open ports, running services and so on.

nmap -sS -p- [target IP address]

When you start a SYN scan (or any other port scan) with Nmap without specifying a port range, Nmap scans only the 1,000 most common ports instead of all 65,535. To scan every port you have to use the -p- flag. The -sS flag selects the SYN scan, so the command above SYN-scans ports 1 to 65,535. Both -sS and -O need raw sockets, so run Nmap as root (or with sudo).
The SYN scan is often called a stealth scan, which suggests it goes unnoticed. It never completes the TCP handshake, so the application behind the port never sees a connection and old firewalls that only logged completed connections missed it; modern firewalls and IDS also log half-open connections, so do not count on it being invisible.
[Screenshot by Manish Bhardwaj: nmap -sS -p- output]
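The two-stage workflow described above (a full -sS -p- sweep first, then -sV/-O on just the ports that came back open) is easier to repeat if the first scan is written in Nmap's grepable format (-oG) and parsed. The following script is an added example, not code from the original post: the grepable output embedded in it is a constructed sample of what a Metasploitable 2 style host returns, and the target address 192.168.56.101 is assumed.

```shell
#!/bin/sh
# Added example (not from the original post): turn the grepable output of
# `nmap -sS -sU -p- -oG -` into an open-port list and the follow-up -sV/-O command.

# Constructed sample of grepable output for a Metasploitable 2 style host.
# Real output separates the fields with tabs; two spaces are used here so the
# sample survives copy/paste, and the parser accepts either.
SAMPLE_GNMAP='# Nmap 7.93 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -sS -sU -p- -oG - 192.168.56.101
Host: 192.168.56.101 ()  Status: Up
Host: 192.168.56.101 ()  Ports: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 23/open/tcp//telnet///, 25/open/tcp//smtp///, 53/open|filtered/udp//domain///, 80/open/tcp//http///, 111/filtered/tcp//rpcbind///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 3306/open/tcp//mysql///, 8180/open/tcp//unknown///  Ignored State: closed (65525)
# Nmap done at Mon Jan  1 00:00:12 2024 -- 1 IP address (1 host up) scanned in 12.34 seconds'

# Print one "port/state/proto//service///" entry per line from grepable output on stdin.
port_entries() {
  grep '^Host:' | grep 'Ports:' \
    | sed 's/.*Ports: //; s/[[:space:]]*Ignored State.*//' \
    | tr ',' '\n' | sed 's/^[[:space:]]*//'
}

# Comma-separated list of TCP ports reported as open, in the form -p expects.
# Ports in other states (filtered, open|filtered) and UDP entries are left out.
open_tcp_ports() {
  port_entries | awk -F/ '$2=="open" && $3=="tcp" {print $1}' | paste -s -d ',' -
}

# "port service" lines for the open TCP ports, handy for picking NSE scripts.
open_tcp_services() {
  port_entries | awk -F/ '$2=="open" && $3=="tcp" {print $1, $5}'
}

# The follow-up scan: version detection and OS fingerprint on just the open ports.
# $1 = target, $2 = comma-separated port list.
version_scan_cmd() {
  printf 'nmap -sS -sV -O -p %s %s\n' "$2" "$1"
}

# Demo against the constructed sample.
demo() {
  ports=$(printf '%s\n' "$SAMPLE_GNMAP" | open_tcp_ports)
  printf 'open tcp ports: %s\n' "$ports"
  printf '%s\n' "$SAMPLE_GNMAP" | open_tcp_services
  version_scan_cmd 192.168.56.101 "$ports"
}
demo

# Live run (needs root for -sS and -O): TARGET=192.168.56.101 sudo -E sh enum_ports.sh
if [ -n "${TARGET:-}" ]; then
  ports=$(nmap -sS -p- -oG - "$TARGET" | open_tcp_ports)
  nmap -sS -sV -O -p "$ports" "$TARGET"
fi
```

The filtered port 111 and the UDP entry in the sample are there on purpose: the -p list for the version scan must only contain ports that really answered, otherwise -sV wastes time probing ports that will never respond.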
Nmap Service scan with OS detection

nmap -sS -sV -O [target IP address]

[Screenshot: nmap -sS -sV -O output]
You can also use the -A option instead of -O to enable OS detection, version detection, default script scanning and traceroute all at once. This is not a stealthy way of scanning: -sV and the scripts talk to every service, so their probes show up in application logs.
Nmap UDP scan
UDP scan is activated with the -sU option. It can be combined with a TCP scan type such as SYN scan (-sS) to check both protocols in the same run.
While most popular Internet services run over TCP, UDP services are widely deployed as well; DNS, SNMP and DHCP are common examples. A UDP scan is slow: a port that does not reply is reported as open|filtered rather than open, and closed ports are only recognised by ICMP port unreachable replies, which most hosts rate-limit. Adding -sV (so Nmap sends protocol-specific payloads) or restricting the scan with --top-ports keeps it manageable.

nmap -sU <IP Address>

-sN, -sF, -sX (TCP NULL, FIN and Xmas scans)
  • Null scan (-sN): sets no flag bits (the TCP flag header is 0).
  • FIN scan (-sF): sets just the TCP FIN bit.
  • Xmas scan (-sX): sets the FIN, PSH and URG flags, lighting the packet up like a Christmas tree.
All three rely on RFC 793 behaviour: a closed port answers with a RST, an open port stays silent. They can therefore only report ports as closed or open|filtered, and they give no useful result against stacks such as Windows that send a RST regardless of the port state.

  • Metasploitable 2 user enumeration

Enumerating users with NMap

nmap --script smb-enum-users.nse -p 445 [target host]

The script enumerates accounts over an anonymous (null) SMB session, the same mechanism used with rpcclient below, so it only works where the server allows that.
[Screenshot: smb-enum-users output]

  • Enumerating user accounts through null sessions with rpcclient

rpcclient is part of the Samba suite and executes client-side MS-RPC functions. A null session is a connection to a Samba or SMB server that does not require authentication: no username or password is needed to set up the connection, hence the name. Null sessions were allowed by default on legacy systems but have been restricted since Windows XP SP2 and Windows Server 2003. The connection uses port 445, which is open on our target host as we saw in the port scan results.

rpcclient -U "" -N [target IP address]

The -N flag skips the password prompt; without it, just press Enter at the prompt to send an empty password.
[Screenshot: rpcclient null session]

rpcclient $> querydominfo

[Screenshot: querydominfo output]

rpcclient $> enumdomusers

[Screenshot: enumdomusers output]

rpcclient $> queryuser [username]

[Screenshot: queryuser output]
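The querydominfo / enumdomusers / queryuser sequence above can be driven without the interactive prompt by passing the commands with -c, and the enumdomusers output parsed into something usable. The script below is an added example, not code from the original post: the enumdomusers output embedded in it is a constructed sample (the account names are the kind Metasploitable 2 returns), the target 192.168.56.101 is assumed, and the RID-to-uid conversion relies on Samba's default algorithmic mapping (RID = 2 x uid + 1000), which is what a plain Samba install such as the one on Metasploitable 2 uses.

```shell
#!/bin/sh
# Added example (not from the original post): run the rpcclient null-session
# enumeration non-interactively and parse enumdomusers into names, RIDs and uids.

# Constructed sample of what `rpcclient -U "" -N <target> -c enumdomusers`
# prints for a Samba host. The RIDs follow Samba's default mapping 2*uid+1000.
SAMPLE_ENUMDOMUSERS='user:[games] rid:[0x3f2]
user:[bind] rid:[0x4ba]
user:[proxy] rid:[0x402]
user:[syslog] rid:[0x4b4]
user:[user] rid:[0xbba]
user:[www-data] rid:[0x42a]
user:[root] rid:[0x3e8]
user:[msfadmin] rid:[0xbb8]'

# Build the non-interactive form of the commands shown in the post, e.g.
#   rpcclient -U "" -N 192.168.56.101 -c "querydominfo;enumdomusers"
# $1 = target, $2 = semicolon-separated rpcclient commands.
rpcclient_cmd() {
  printf 'rpcclient -U "" -N %s -c "%s"\n' "$1" "$2"
}

# Read enumdomusers output on stdin, print "name rid" with the RID in decimal.
parse_enumdomusers() {
  sed -n 's/^user:\[\([^]]*\)\] rid:\[\(0x[0-9a-fA-F]*\)\].*/\1 \2/p' \
    | while read -r name rid; do
        printf '%s %d\n' "$name" "$(( $rid ))"
      done
}

# Samba's default algorithmic RID mapping (assumption for this host): rid = 2*uid + 1000.
rid_to_uid() {
  echo $(( ($1 - 1000) / 2 ))
}

# Accounts with uid >= 1000 are the interactive users on a Debian/Ubuntu style
# system (system accounts sit below); these are the ones worth trying logins on.
login_candidates() {
  parse_enumdomusers | while read -r name rid; do
    if [ "$(rid_to_uid "$rid")" -ge 1000 ]; then
      printf '%s\n' "$name"
    fi
  done
}

# Live run against a real target: querydominfo, then queryuser for every account.
# stdin is redirected so rpcclient cannot eat the loop's input.
enumerate_users_live() {
  target=$1
  rpcclient -U "" -N "$target" -c "querydominfo" < /dev/null
  rpcclient -U "" -N "$target" -c "enumdomusers" < /dev/null | parse_enumdomusers \
    | while read -r name rid; do
        printf '=== %s (rid %s, uid %s) ===\n' "$name" "$rid" "$(rid_to_uid "$rid")"
        rpcclient -U "" -N "$target" -c "queryuser $name" < /dev/null
      done
}

# Demo against the constructed sample.
printf '%s\n' "$SAMPLE_ENUMDOMUSERS" | parse_enumdomusers
printf 'login candidates: %s\n' "$(printf '%s\n' "$SAMPLE_ENUMDOMUSERS" | login_candidates | paste -s -d ',' -)"
rpcclient_cmd 192.168.56.101 'querydominfo;enumdomusers'

# Live run: TARGET=192.168.56.101 sh enum_users.sh
if [ -n "${TARGET:-}" ]; then
  enumerate_users_live "$TARGET"
fi
```

Converting the RIDs is worth the few lines: enumdomusers prints them in hex, but the uid they encode tells you immediately which entries are real login accounts and which are system accounts that will never have a usable password.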

  • Enumeration with enum4linux

enum4linux is a Perl tool for enumerating Windows and Samba hosts. It is basically a wrapper around smbclient, rpcclient, net and nmblookup, so it automates the null-session steps above (users, shares, groups, password policy, OS information) in one run; -a runs every check.

enum4linux <Target IP>

[Screenshots: enum4linux output]
Happy Learning:)
