# `Nmap`

- "network mapper" utility

```bash
nmap ip_addr                                  # scans the IP for the 1000 most common TCP ports
nmap -sC ip_addr                              # scans with the common/default NSE scripts
nmap -sV ip_addr                              # probes open ports for service versions
nmap -p- ip_addr                              # scans all 65535 TCP ports
nmap --script <script_name> -p<port> ip_addr  # runs the specified script(s) against the given port
```

- the `-sC` option also returns extra service details such as the HTTP server header and page title

---

# OSINT

- Google the version info from the `nmap` scan for CVEs, known vulns, and release dates

---

# Banner Grabbing

```bash
nc -nv ip_addr <port>                          # uses netcat to grab the banner for the service at the specified IP & port
nmap -sV --script=banner -p21 ip_addr/24       # uses nmap to grab the banner of every FTP server on the specified subnet
```

---

# Service specific info

## FTP

- "file transfer protocol"
- commonly hosted on port 21

```bash
nmap -sC -sV -p21 ip_addr   # enumerates FTP (default scripts + version detection)
ftp -p ip_addr              # connects to the FTP server (passive mode) with a sub-shell
```

### FTP Interactive Commands within sub-shell

| **Command**   | **Description**                          |
| ------------- | ---------------------------------------- |
| `ls`          | list files/directories on remote host    |
| `cd <dir>`    | change working directory on remote host  |
| `dele <file>` | deletes a file on remote host            |
| `pwd`         | prints working directory on remote host  |
| `get <file>`  | copy file from remote host to local host |
| `put <file>`  | copy file from local host to remote host |
| `quit`        | quits ftp session                        |

## SMB

- "server message block"
- commonly hosted on port 445

```bash
nmap --script smb-os-discovery.nse -p445 ip_addr  # runs an NSE (nmap scripting engine) script against SMB for enumeration purposes
nmap -A -p445 ip_addr                             # aggressive scan: OS detection, version detection, script scanning, and traceroute against SMB
smbclient -N -L \\\\ip_addr                       # -N suppresses the login prompt and -L lists the SMB shares
smbclient \\\\ip_addr\\users                      # attempts to connect to the "users" SMB share as a guest in a sub-shell
smbclient -U user_name \\\\ip_addr\\user          # attempts to connect to the SMB share as the specified user
```

- for example, if SMB enumeration reveals that Windows 7 is being run, the target may be susceptible to the EternalBlue vuln

### SMB Interactive Commands within sub-shell

| **Command**      | **Description**                                          |
| ---------------- | -------------------------------------------------------- |
| `ls`             | List files/directories.                                  |
| `cd <dir>`       | Change directory.                                        |
| `get <file>`     | Download a file.                                         |
| `put <file>`     | Upload a file.                                           |
| `mget <pattern>` | Download multiple files (e.g., `mget *.txt`).            |
| `mput <pattern>` | Upload multiple files.                                   |
| `rm <file>`      | Delete a file.                                           |
| `mkdir <dir>`    | Create a directory.                                      |
| `rmdir <dir>`    | Delete a directory.                                      |
| `pwd`            | Print current directory.                                 |
| `recurse`        | Toggle recursive mode for `mget`/`mput`.                 |
| `mask <filter>`  | Set a file filter (e.g., `mask *.docx`).                 |
| `tar`            | Create/extract tar backups (e.g., `tar c backup.tar *`). |
| `exit`           | Quit smbclient.                                          |

### `smbclient` options

| **Option**          | **Description**                                                               |
| ------------------- | ----------------------------------------------------------------------------- |
| `-U <user>[%pass]`  | Username and password (e.g., `-U admin%Password123`).                         |
| `-W <domain>`       | Workgroup/domain name (default: `WORKGROUP`).                                 |
| `-I <IP>`           | Server IP address (bypasses DNS).                                             |
| `-p <port>`         | Custom port (default: 445 for SMB over TCP/IP).                               |
| `-N`                | No password prompt (use with empty or guest access).                          |
| `-E`                | Hide password prompt output.                                                  |
| `-c <command>`      | Execute a command non-interactively (e.g., `-c 'ls'`).                        |
| `-A <creds-file>`   | Load credentials from a file (format: `username = admin`, `password = pass`). |
| `-m <max-protocol>` | Set max SMB protocol (e.g., `-m SMB3`).                                       |
| `-d <debug-level>`  | Debug verbosity (0-10).                                                       |
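The steps above (scan with `-sC -sV`, note each product/version for the OSINT lookup, and watch the `smb-os-discovery` output for an old OS) are easier to repeat if the scan is saved as XML (`nmap -oX`) and parsed. The script below is an added example, not part of the original notes or of nmap itself: it walks a constructed `nmap -sC -sV -oX -` report, keeps only open ports, builds the product+version strings the OSINT step starts from, and records the two findings the notes call out (anonymous FTP from the `ftp-anon` script, and a Windows 7 OS string from `smb-os-discovery`). The host address, versions and script outputs in `SAMPLE_XML` are made up.

```python
"""Turn an nmap -sC -sV XML report into a service inventory for the OSINT step."""
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -sC -sV -oX - target` output (not a real scan).
# For XML from an untrusted source, parse with defusedxml instead of ElementTree.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sC -sV -oX - 10.0.0.5">
  <host>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21">
        <state state="open"/>
        <service name="ftp" product="vsftpd" version="3.0.3"/>
        <script id="ftp-anon" output="Anonymous FTP login allowed (FTP code 230)"/>
      </port>
      <port protocol="tcp" portid="445">
        <state state="open"/>
        <service name="microsoft-ds"/>
      </port>
      <port protocol="tcp" portid="22">
        <state state="closed"/>
        <service name="ssh"/>
      </port>
      <port protocol="udp" portid="161">
        <state state="open"/>
        <service name="snmp" product="net-snmp" version="5.7.3" extrainfo="SNMPv1 server"/>
      </port>
    </ports>
    <hostscript>
      <script id="smb-os-discovery" output="OS: Windows 7 Professional 7601 Service Pack 1">
        <elem key="os">Windows 7 Professional 7601 Service Pack 1</elem>
        <elem key="computer_name">WIN7-BOX</elem>
      </script>
    </hostscript>
  </host>
</nmaprun>
"""


def parse_inventory(xml_text):
    """Return {addr: {"services": [...], "os": str|None, "findings": [...]}} for open ports only."""
    root = ET.fromstring(xml_text)
    hosts = {}
    for host in root.findall("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        entry = {"services": [], "os": None, "findings": []}
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports give the OSINT step nothing to look up
            svc = port.find("service")
            attrs = svc.attrib if svc is not None else {}
            rec = {
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "name": attrs.get("name", "unknown"),
                "product": attrs.get("product"),
                "version": attrs.get("version"),
            }
            entry["services"].append(rec)
            # Port scripts: flag an FTP server that accepts anonymous logins.
            for script in port.findall("script"):
                if script.get("id") == "ftp-anon" and "allowed" in (script.get("output") or ""):
                    entry["findings"].append(f"{rec['port']}/{rec['proto']}: anonymous FTP login allowed")
        # Host scripts: smb-os-discovery reports the OS as an <elem key="os"> entry.
        os_el = host.find("hostscript/script[@id='smb-os-discovery']/elem[@key='os']")
        if os_el is not None and os_el.text:
            entry["os"] = os_el.text
            if "Windows 7" in os_el.text:
                entry["findings"].append("smb: Windows 7 reported by smb-os-discovery, check EternalBlue exposure")
        hosts[addr_el.get("addr")] = entry
    return hosts


def osint_queries(inventory):
    """Build the product+version search strings the OSINT step starts from."""
    queries = []
    for addr, entry in inventory.items():
        for svc in entry["services"]:
            if svc["product"]:  # no product string means nothing concrete to search for
                query = svc["product"] + (" " + svc["version"] if svc["version"] else "")
                queries.append((addr, svc["port"], query))
    return queries


if __name__ == "__main__":
    inv = parse_inventory(SAMPLE_XML)
    for addr, entry in inv.items():
        print(addr, "os:", entry["os"])
        for svc in entry["services"]:
            print(f"  {svc['port']}/{svc['proto']} {svc['name']} {svc['product'] or ''} {svc['version'] or ''}")
        for finding in entry["findings"]:
            print("  !", finding)
    for addr, port, query in osint_queries(inv):
        print(f"lookup: {addr}:{port} -> {query!r}")
```

To use it on a real scan, replace `SAMPLE_XML` with the contents of the `-oX` file; the same parser also works on multi-host reports, since it iterates over every `<host>` element.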
## SNMP

- "simple network management protocol"
- commonly hosted on ports 161/162 (UDP)
- SNMP v1 and v2c are vulnerable because their community strings travel in plaintext and are the only thing needed for access
- SNMP v3 uses encryption and proper authentication

```bash
snmpwalk -v 2c -c public ip_addr 1.3.6.1.2.1.1.5.0   # attempts to read the sysName OID from the SNMP device with the "public" community string
snmpwalk -v 2c -c private ip_addr                    # tests whether the "private" community string gets a response
onesixtyone -c dict.txt ip_addr                      # attempts to brute force the community string with a dictionary file of common strings
```
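The v1/v2c weakness above is a configuration problem on the agent side: any `rocommunity`/`rwcommunity`/`com2sec` line in `snmpd.conf` exposes a plaintext string, and the defaults `public`/`private` are exactly what the dictionary in `onesixtyone` tries first. The audit function below is an added example, not part of the original notes or of net-snmp: it reads two constructed `snmpd.conf` fragments, flags every v1/v2c community directive (default strings as high severity), and checks that any v3 user (`rouser`/`rwuser`) is configured at the `priv` level so traffic is encrypted as well as authenticated. The user name and passphrase placeholders in `HARDENED_CONF` are made up.

```python
"""Audit a net-snmp snmpd.conf for v1/v2c community strings versus v3 users."""

# Constructed snmpd.conf fragments (not taken from any real host).
WEAK_CONF = """
# default-style config: anyone who knows the string can read (or write) the MIB tree
rocommunity public
rwcommunity private 10.0.0.0/8
com2sec readonly default s3cret
"""

HARDENED_CONF = """
# v3 only: authenticated and encrypted (authPriv) read access for one user
createUser monitor SHA "auth-passphrase-placeholder" AES "priv-passphrase-placeholder"
rouser monitor priv
"""

# net-snmp directives that define v1/v2c community strings
COMMUNITY_DIRECTIVES = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6", "com2sec", "com2sec6"}
# net-snmp directives that grant access to a v3 user
V3_USER_DIRECTIVES = {"rouser", "rwuser"}
# strings that every scanner's dictionary contains
DEFAULT_STRINGS = {"public", "private"}


def audit_snmpd_conf(text):
    """Return {"findings": [(line, severity, message)], "v3_users": [(name, level)]}."""
    findings = []
    v3_users = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive in COMMUNITY_DIRECTIVES:
            # com2sec NAME SOURCE COMMUNITY  |  rocommunity COMMUNITY [SOURCE [OID]]
            idx = 3 if directive.startswith("com2sec") else 1
            if len(parts) <= idx:
                continue  # malformed line, nothing to assess
            community = parts[idx]
            severity = "high" if community.lower() in DEFAULT_STRINGS else "medium"
            findings.append((lineno, severity, f"{directive}: v1/v2c community {community!r} is sent in plaintext"))
        elif directive in V3_USER_DIRECTIVES and len(parts) >= 2:
            # level is optional; net-snmp defaults it to "auth" (authenticated, not encrypted)
            level = parts[2].lower() if len(parts) > 2 else "auth"
            v3_users.append((parts[1], level))
            if level != "priv":
                findings.append((lineno, "medium", f"{directive} {parts[1]}: level {level!r}, traffic is not encrypted"))
    return {"findings": findings, "v3_users": v3_users}


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        report = audit_snmpd_conf(conf)
        print(f"== {label}: {len(report['findings'])} finding(s), v3 users: {report['v3_users']}")
        for lineno, severity, message in report["findings"]:
            print(f"  line {lineno} [{severity}] {message}")
```

Run it against a host's own `snmpd.conf` (and the persistent copy under `/var/lib/snmp/`, where `createUser` lines usually live) to confirm that no v1/v2c community survives after the v3 user has been added.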