Footprinting (Just Do Formatting)
Last updated
Last updated
Enumeration is the most critical phase of any penetration testing process. It is also dynamic, meaning there isn’t a static step-by-step guide to follow. However, the diagram below provides a general idea of the enumeration process.
One common starting point is examining the SSL certificate of a company's main website, which may reveal useful information. Tools like crt.sh can help uncover various subdomains.
Google Dorking is another useful technique for discovering valuable information such as files, subdomains, and cloud resources.
2 Tools that can help automate the process are https://domain.glass/ and https://grayhatwarfare.com/.
Finally finding out company employees can help understand the infrastructure of a company. For example, reading job postings can help identfy what technologies are used. The recon process can be done also on the employees which can open another attack vector.
Identifying company employees can offer insights into the company’s infrastructure. For example, analyzing job postings may reveal the technologies in use. Reconnaissance on employees can also expose new attack vectors.
In this module popular protocols that will most likely be encountered in a penetration test will be examined.
File Transfer Protocol is a protocol that's used to transfer files, it operates on TCP ports 21 (Control) and 20 (Data). FTP is considered a clear-text protocol which means it can be sniffed and there are different commands and status codes for it.
Trivial File Transfer Protocol (TFTP) is a simpler version of FTP, it uses UDP and doesn't provide user authentication.
There are many FTP servers that are avaliable, one of the most common on linux based distributions is vsFTPd. The vsFTPd config file can be found is located in /etc/vsftpd.conf
Nmap can be used to footprint FTP using many of the avaliable scripts.
Server Message Block (SMB) is a client-server protocol that regulates access to files and entire directories and other network resources such as printers, routers, or interfaces released for the network.
SMB was originally developed by Microsoft for Windows systems but then Samba which is an implementation of Common Internet File System (CIFS) network protocol which is a dialect of SMB was released as an alternative for Linux/Unix systems.
Tools like rpcclient can help us enumrate an smb server.
Other tools that automate the whole enumration process for smb servers include:
smbmap
CrackMapExec
enum4linux-ng
Network File System (NFS) is a network file system developed by Sun Microsystems and has the same purpose as SMB. Its purpose is to access file systems over a network as if they were local.
NFS uses a completely different protocol from SMB meaning that NFS clients cannot communicate directly with SMB servers.
DNS is a system for resolving computer names into IP addresses, and it does not have a central database.
There exist multiple DNS servers with different purposes. There is also different DNS records each with their own purpose and use.
DNS is mainly unencrypted. However, there are some solutions now for encrypting DNS queries.
DNS can be used to enumrate new attack vectors like other subdomains or IP Addresses. Attacks like zone transfer can also be tried.
Tools like dnsenum can be used to automate the enumration on a DNS.
The Simple Mail Transfer Protocol (SMTP) is a protocol for sending emails in an IP network. It can be used between an email client and an outgoing mail server or between two SMTP servers. SMTP is often combined with the IMAP or POP3 protocols, which can fetch emails and send emails.
SMTP works unencrypted without further measures and transmits all commands, data, or authentication information in plain text. To bypass the issues that might occur because of this, ESMTP which uses TLS was developed.
IMAP is a network protocol for the online management of emails on a remote server. The protocol is client-server-based and allows synchronization of a local email client with the mailbox on the server, providing a kind of network file system for emails.
POP3, on the other hand, does not have the same functionality as IMAP, and it only provides listing, retrieving, and deleting emails as functions at the email server.
Simple Network Management Protocol (SNMP) was created to monitor network devices. In addition, this protocol can also be used to handle configuration tasks and change settings remotely.
For the SNMP client and server to exchange the respective values, the available SNMP objects must have unique addresses known on both sides.
To ensure that SNMP access works across manufacturers and with different client-server combinations, the Management Information Base (MIB) was created. MIB is an independent format for storing device information. A MIB is a text file in which all queryable SNMP objects of a device are listed in a standardized tree hierarchy.
An OID represents a node in a hierarchical namespace. A sequence of numbers uniquely identifies each node, allowing the node's position in the tree to be determined. The longer the chain, the more specific the information. Many nodes in the OID tree contain nothing except references to those below them.
SNMPv1 has no built-in authentication mechanism, meaning anyone accessing the network can read and modify network data. Another main flaw of SNMPv1 is that it does not support encryption, meaning that all data is sent in plain text and can be easily intercepted.
Regarding security, SNMPv2 is on par with SNMPv1 and has been extended with additional functions from the party-based SNMP no longer in use.
The security has been increased enormously for SNMPv3 by security features such as authentication using username and password and transmission encryption (via pre-shared key) of the data.
For footprinting SNMP, we can use tools like snmpwalk, onesixtyone, and braa. Snmpwalk is used to query the OIDs with their information. Onesixtyone can be used to brute-force the names of the community strings since they can be named arbitrarily by the administrator.
MySQL is an open-source SQL relational database management system developed and supported by Oracle.
Microsoft SQL (MSSQL) is Microsoft's SQL-based relational database management system which is closed source and was initially written to run on Windows operating systems.
MSSQL has default system databases that can help us understand the structure of all the databases that may be hosted on a target server.
master
The Oracle Transparent Network Substrate (TNS) server is a communication protocol that facilitates communication between Oracle databases and applications over networks.
Each database or service has a unique entry in the tnsnames.ora file, containing the necessary information for clients to connect to the service.
Oracle Database Attacking Tool (ODAT) is an open-source penetration testing tool written in Python and designed to enumerate and exploit vulnerabilities in Oracle databases.
In Oracle RDBMS, a System Identifier (SID) is a unique name that identifies a particular database instance. It can have multiple instances, each with its own System ID.
Intelligent Platform Management Interface (IPMI) is a set of standardized specifications for hardware-based host management systems used for system management and monitoring.
It acts as an autonomous subsystem and works independently of the host's BIOS, CPU, firmware, and underlying operating system.
During internal penetration tests, we often find BMCs where the administrators have not changed the default password.
Secure Shell (SSH) enables two computers to establish an encrypted and direct connection within a possibly insecure network on the standard port TCP 22.
One of the tools we can use to fingerprint the SSH server is ssh-audit
Rsync is a fast and efficient tool for locally and remotely copying files. It can be used to copy files locally on a given machine and to/from remote hosts.
R-Services are a suite of services hosted to enable remote access or issue commands between Unix hosts over TCP/IP.
R-services were the de facto standard for remote access between Unix operating systems until they were replaced by the Secure Shell (SSH) protocols and commands due to inherent security flaws built into them.
The Remote Desktop Protocol (RDP) is a protocol developed by Microsoft for remote access to a computer running the Windows operating system.
RDP-Sec-Check is a script that can be used to test for RDP security misconfigurations.
Even though RDP is mainly a Windows protocol, tools like xfreerdp, rdesktop, or Remmina can be used on Linux to interact with RDP.
The Windows Remote Management (WinRM) is a simple Windows integrated remote management protocol based on the command line.
Evil-winrm is a tool that can be used to test WinRM.
Windows Management Instrumentation (WMI) is Microsoft's implementation and also an extension of the Common Information Model (CIM), core functionality of the standardized Web-Based Enterprise Management (WBEM) for the Windows platform.
WMI allows read and write access to almost all settings on Windows systems.
wmiexec.py from the Impacket toolkit can be used for testing this protocol.
