# Sniffing out a Target
When beginning a penetration test, gathering information about the target is crucial. This process, known as reconnaissance, helps identify potential vulnerabilities and entry points. Here are some common techniques and tools used for reconnaissance on Windows systems:
## Using fping

## Using nmap
Use tools like Nmap to scan the target network for open ports and services. This helps identify which services are running and potentially exploitable.

- OS Fingerprinting: determine the operating system of the target machine using tools like Nmap or Xprobe2. This information can help tailor your attack strategies.
- Service Enumeration: identify and enumerate services running on the target machine. Tools like Netcat, Telnet, or specific service enumeration tools (e.g., SMBEnum for SMB services) can be useful.
- Vulnerability Scanning: using the `-sC` option in Nmap enables the default scripts, which can help identify common vulnerabilities and misconfigurations on the target system.
## NetExec

NetExec (a.k.a. nxc) is a network service exploitation tool that automates assessing the security of large networks.
### Host Discovery
```
nxc smb 10.10.10.0/24
SMB 10.10.10.12 445 MEEREEN [*] Windows 10 / Server 2016 Build 14393 x64 (name:MEEREEN) (domain:essos.local) (signing:True) (SMBv1:True)
SMB 10.10.10.10 445 KINGSLANDING [*] Windows 10 / Server 2019 Build 17763 x64 (name:KINGSLANDING) (domain:sevenkingdoms.local) (signing:True) (SMBv1:False)
SMB 10.10.10.11 445 WINTERFELL [*] Windows 10 / Server 2019 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:False)
SMB 10.10.10.22 445 CASTELBLACK [*] Windows 10 / Server 2019 Build 17763 x64 (name:CASTELBLACK) (domain:north.sevenkingdoms.local) (signing:False) (SMBv1:False)
SMB 10.10.10.23 445 BRAAVOS [*] Windows 10 / Server 2016 Build 14393 x64 (name:BRAAVOS) (domain:essos.local) (signing:False) (SMBv1:True)
Running nxc against 256 targets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00
```
### Anonymous Access (SMB)
Check for anonymous access to services like SMB, FTP, or databases. This can provide valuable information without needing credentials.
```
nxc smb 10.10.10.23 -u 'a' -p '' --shares
SMB 10.10.10.23 445 BRAAVOS [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:BRAAVOS) (domain:essos.local) (signing:False) (SMBv1:True)
SMB 10.10.10.23 445 BRAAVOS [+] essos.local\a: (Guest)
SMB 10.10.10.23 445 BRAAVOS [*] Enumerated shares
SMB 10.10.10.23 445 BRAAVOS Share        Permissions  Remark
SMB 10.10.10.23 445 BRAAVOS -----        -----------  ------
SMB 10.10.10.23 445 BRAAVOS ADMIN$                    Remote Admin
SMB 10.10.10.23 445 BRAAVOS all          READ,WRITE   Basic RW share for all
SMB 10.10.10.23 445 BRAAVOS C$                        Default share
SMB 10.10.10.23 445 BRAAVOS CertEnroll                Active Directory Certificate Services share
SMB 10.10.10.23 445 BRAAVOS IPC$                      Remote IPC
SMB 10.10.10.23 445 BRAAVOS public                    Basic Read share for all domain users
```
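The two nxc runs above (the `/24` host sweep and the `--shares` listing) print the settings a defender cares about in-line: whether each host requires SMB signing, whether SMBv1 is still on, and which shares a guest session can read or write. The script below is an added example, not part of NetExec or of these notes; it parses those two output formats (the line layouts assumed are exactly the ones shown on this page) and turns them into a short findings list for remediation. The sample input is copied from the output above.

```python
"""Triage helper for NetExec (nxc) SMB output.

Added example, not code from NetExec or from these notes. It parses the
host-discovery and share-listing lines nxc prints (formats as shown on
this page) and reports what a defender should fix: hosts that do not
require SMB signing, hosts with SMBv1 enabled, and shares a guest
session can read or write.
"""
import re
from dataclasses import dataclass

# Host line printed by `nxc smb <target>` (assumed layout: the one shown above).
HOST_RE = re.compile(
    r"^SMB\s+(?P<ip>\S+)\s+(?P<port>\d+)\s+(?P<host>\S+)\s+\[\*\]\s+"
    r"(?P<os>.+?)\s+\(name:(?P<name>[^)]+)\)\s+\(domain:(?P<domain>[^)]+)\)"
    r"\s+\(signing:(?P<signing>True|False)\)\s+\(SMBv1:(?P<smbv1>True|False)\)"
)

# Share-table row printed by `--shares`: share name, an optional permission
# column (READ, WRITE or READ,WRITE), then the free-text remark.
SHARE_RE = re.compile(
    r"^SMB\s+(?P<ip>\S+)\s+\d+\s+(?P<host>\S+)\s+(?P<share>\S+)"
    r"(?:\s+(?P<perms>READ(?:,WRITE)?|WRITE))?(?:\s+(?P<remark>.*))?$"
)

# Sample input copied from the page. Raw strings: the listing contains
# "essos.local\a", and "\a" would otherwise be read as a bell character.
DISCOVERY_OUTPUT = r"""
SMB 10.10.10.12 445 MEEREEN [*] Windows 10 / Server 2016 Build 14393 x64 (name:MEEREEN) (domain:essos.local) (signing:True) (SMBv1:True)
SMB 10.10.10.10 445 KINGSLANDING [*] Windows 10 / Server 2019 Build 17763 x64 (name:KINGSLANDING) (domain:sevenkingdoms.local) (signing:True) (SMBv1:False)
SMB 10.10.10.11 445 WINTERFELL [*] Windows 10 / Server 2019 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:False)
SMB 10.10.10.22 445 CASTELBLACK [*] Windows 10 / Server 2019 Build 17763 x64 (name:CASTELBLACK) (domain:north.sevenkingdoms.local) (signing:False) (SMBv1:False)
SMB 10.10.10.23 445 BRAAVOS [*] Windows 10 / Server 2016 Build 14393 x64 (name:BRAAVOS) (domain:essos.local) (signing:False) (SMBv1:True)
Running nxc against 256 targets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00
"""

SHARES_OUTPUT = r"""
SMB 10.10.10.23 445 BRAAVOS [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:BRAAVOS) (domain:essos.local) (signing:False) (SMBv1:True)
SMB 10.10.10.23 445 BRAAVOS [+] essos.local\a: (Guest)
SMB 10.10.10.23 445 BRAAVOS [*] Enumerated shares
SMB 10.10.10.23 445 BRAAVOS Share Permissions Remark
SMB 10.10.10.23 445 BRAAVOS ----- ----------- ------
SMB 10.10.10.23 445 BRAAVOS ADMIN$ Remote Admin
SMB 10.10.10.23 445 BRAAVOS all READ,WRITE Basic RW share for all
SMB 10.10.10.23 445 BRAAVOS C$ Default share
SMB 10.10.10.23 445 BRAAVOS CertEnroll Active Directory Certificate Services share
SMB 10.10.10.23 445 BRAAVOS IPC$ Remote IPC
SMB 10.10.10.23 445 BRAAVOS public Basic Read share for all domain users
"""


@dataclass
class Host:
    ip: str
    name: str
    domain: str
    os: str
    signing: bool
    smbv1: bool


@dataclass
class Share:
    ip: str
    name: str
    perms: tuple   # () when the guest session has no access
    remark: str


def parse_hosts(text):
    """Return one Host per host-discovery line; other lines are ignored."""
    hosts = []
    for line in text.splitlines():
        m = HOST_RE.match(line.strip())
        if m:
            hosts.append(Host(ip=m["ip"], name=m["name"], domain=m["domain"],
                              os=m["os"], signing=m["signing"] == "True",
                              smbv1=m["smbv1"] == "True"))
    return hosts


def parse_shares(text):
    """Return one Share per table row; status lines and the header are skipped."""
    shares = []
    for line in text.splitlines():
        m = SHARE_RE.match(line.strip())
        if not m:
            continue
        share = m["share"]
        if share.startswith(("[", "-")) or share == "Share":
            continue  # "[*]"/"[+]" status lines, the header row and its separator
        perms = tuple(m["perms"].split(",")) if m["perms"] else ()
        shares.append(Share(ip=m["ip"], name=share, perms=perms, remark=m["remark"] or ""))
    return shares


def triage(hosts, shares):
    """Return (target, issue) pairs, hosts first, in the order encountered."""
    findings = []
    for h in hosts:
        if not h.signing:
            findings.append((h.name, "signing_disabled"))
        if h.smbv1:
            findings.append((h.name, "smbv1_enabled"))
    for s in shares:
        if "WRITE" in s.perms:
            findings.append((s.name, "guest_write"))
        elif "READ" in s.perms:
            findings.append((s.name, "guest_read"))
    return findings


if __name__ == "__main__":
    for target, issue in triage(parse_hosts(DISCOVERY_OUTPUT), parse_shares(SHARES_OUTPUT)):
        print(f"{target}: {issue}")
```

On the sample input this reports CASTELBLACK and BRAAVOS for `signing_disabled`, MEEREEN and BRAAVOS for `smbv1_enabled`, and the `all` share as guest-writable; the `public` share shows no permission column, so the guest session cannot read it and it is not reported. To run it over a real engagement, pipe the saved nxc output into `parse_hosts` and `parse_shares` instead of the embedded constants.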
### Anonymous Access (FTP)
```
nxc ftp 10.1.98.83 -u '' -p ''
FTP 10.1.98.83 21 10.1.98.83 [*] Banner: (vsFTPd 3.0.5)
FTP 10.1.98.83 21 10.1.98.83 [+] : - Anonymous Login!

nxc ftp 10.1.98.83 -u '' -p '' --ls
FTP 10.1.98.83 21 10.1.98.83 [*] Banner: (vsFTPd 3.0.5)
FTP 10.1.98.83 21 10.1.98.83 [+] : - Anonymous Login!
FTP 10.1.98.83 21 10.1.98.83 [*] Directory Listing
FTP 10.1.98.83 21 10.1.98.83 -rw-r--r-- 10 0 202 Sep 21 00:04 pwlist.txt

nxc ftp 10.1.98.83 -u '' -p '' --get pwlist.txt
FTP 10.1.98.83 21 10.1.98.83 [*] Banner: (vsFTPd 3.0.5)
FTP 10.1.98.83 21 10.1.98.83 [+] : - Anonymous Login!
FTP 10.1.98.83 21 10.1.98.83 [+] Downloaded: pwlist.txt
```