Service Enumeration

Mostafa Elguerdawi
3 min readOct 8, 2023

Hello hackers I’m Mostafa Elguerdawi this will be the third write-up about Penetration Testing series, We will talk about service enumeration.

In last write-up we talked about Nmap Scanning to know open ports and live hosts.

After get an overview about open ports and running services we need to enumerate them to know if they are vulnerable to any kind of attacks by knows its version and OS they running on.

SMB Enumeration

  • SMB work on 139,445 ports(TCP port 139 is SMB over NetBios, TCP port 445 is SMB over IP).
  • SMB stand for Server Message Block.
  • SMB allows users to share their resources to other computers over the network.
  • There is 3 versions of SMB
  • SMB version 1
  • SMB version 2
  • SMB version 3

NMAP Scanning

nmap -Pn -sV -p139,445 -sC <Target-IP>
  • -Pn : to make nmap ignore ICMP packets.
  • -sV : to open services version.
  • -p : take specific ports to scan them
  • -sC : to make nmap test for default vulnerabilties.

We can enumerate using other tools like Smbclient, NMAP, Enum4Linux

  • smbclient -L \\\\<IP>\\ to list all avaliable shares.
  • nmap — script smb-enum-shares -p 139,445 IP
  • enum4linux -a $ip

Connecting To Shares

  • smbclient \\\\<IP>\\<Share>

Downloading multi files

smb: \> RECURSE ON
smb: \> PROMPT OFF
smb: \> mget *
# With smbclient

smbmap -R $sharename -H $ip -A $fileyouwanttodownload -q
# Downloads a file in quiet mode

smbmap -u Administrator -p aad3b435b51404eeaad3b435b51404ee:e101cbd92f05790d1a202bf91274f2e7 -H $ip -s wwwroot -R -A '.*'
# download everything recursively in the wwwroot share to /usr/share/smbmap. great when smbclient doesnt work

Null session with rpcclient

Null Session is a connection on SMB but does not require authentication with a password.

rpcclient -U "" <ip>

# You will be asked for a password but leave it blank and press enter to continue.

Enumerating users with IPC$

if IPC$ share is enabled , and have anonymous access we can enumerate users through lookupsid.py

lookupsid.py anonymous@IP

Brute Force SMB

hydra -t 1 -V -f -l administrator -P /usr/share/wordlists/rockyou.txt $ip smb 

nmap -p445 --script smb-brute --script-args userdb=userfilehere,passdb=/usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-1000000.txt $ip -vvvv

SNMP Enumeraion

  • SNMP works on port 161
  • The Simple Network Management Protocol is a protocol used in TCP/IP networks to collect and manage data for networks devices. SNMP operates in the application layer (layer 7 of the OSI model) and uses UDP port 161 to listen for requests.

SNMP managed networks have 3 components

  • A managed device (also referred to as a ‘node’) is a network device with the SNMP service enabled allowing unidirectional (read) or bidirectional (read/write) communication. Managed devices can be any networked device including servers, firewalls and routers.
  • Agent The agent is the software running on the managed device which is responsible for handling the communication. The agent translates device-specific configuration parameters into an SNMP format for the Network Management System.
  • Network Management System (NMS) The Network Management System is the software that is actually managing and monitoring networked devices. An SNMP managed network will always contain at least one NMS.
  • Snmpwalk : SNMPwalk is a great tool to query MIB values to retrieve information about managed devices, but, as a minimum, it requires a valid SNMP read-only community string.
snmpwalk -c public -v1 $ip

NFS Enumeration

  • similar to SMB because it allows access to files over a network.
  • Common ports used by NFS are port 111 and 2049 tcp/udp.
  • It is a client/server system that allows users to access files across a network and treat them as if they resided in a local file directory.
rpcinfo -p <ip>

# If you get 111 and 2049 listed , shares are enable and we can mount them
  • if nfs is available, use showmount to view available mounting points
showmount -e $ip
  • you can then mount the file system with the mount command and interact with remote system
mount -t nfs $ip:/share /mnt/nfs

SMTP Enumeration

  • Simple Mail Transfer Protocol : is the service that is responsable to send and recive mails.
  • SMTP works on port 25
  • Main attacks are user enumeration and using an open relay to send spam.
  • Enumerate with nmap NSE
nmap 192.168.1.101 --script=smtp* -p 25

nmap --script=smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 $ip
  • Manual enumarate
telnet $ip 25
  • Command to check id user exists
VRFY $user
  • Brute Force
hydra -P /usr/share/wordlistsnmap.lst $ip smtp -V

--

--