Latest notes for PenTesting- MrLeet


MrLeet provides materials allowing anyone to gain practical hands-on experience with digital security, computer applications and network administration tasks.

Default SNMP Community Strings
> public
> private
> cisco
>> cable-docsis
>> ILMI

MIB enumeration
> Windows NT
>> .1.3.6.1.2.1.1.5 Hostnames
>> .1.3.6.1.4.1.77.1.4.2 Domain Name
>> .1.3.6.1.4.1.77.1.2.25 Usernames
>> .1.3.6.1.4.1.77.1.2.3.1.1 Running Services
>> .1.3.6.1.4.1....
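The community-string check and the MIB walk above, as an added example rather than code from MrLeet: a minimal SNMPv1 GetNext client in pure Python, with the BER encoding and decoding written out by hand so the packet layout is visible (no pysnmp). It tries the default community strings listed above and walks a subtree such as the LanManager branches. The host names and the response packet built in the test are assumptions, not captured traffic; the OIDs are the ones on this page.

```python
import socket

# Community strings and OIDs from the cheat sheet above
DEFAULT_COMMUNITIES = ["public", "private", "cisco", "cable-docsis", "ILMI"]
SYS_NAME = "1.3.6.1.2.1.1.5"              # hostname (sysName)

def ber_tlv(tag, body):
    # BER tag-length-value; short-form length is enough for the requests built here
    assert len(body) < 0x80, "body too long for short-form length"
    return bytes([tag, len(body)]) + body

def ber_int(value):
    # INTEGER (non-negative here), minimal two's-complement with the sign bit kept clear
    return ber_tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))

def ber_oid(oid):
    # OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128 big-endian
    arcs = [int(a) for a in oid.strip(".").split(".")]
    body = bytes([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return ber_tlv(0x06, body)

def build_message(pdu_tag, community, request_id, varbinds):
    # SNMPv1 message (version 0): community string plus a PDU of (oid, encoded value) pairs
    vbl = b"".join(ber_tlv(0x30, ber_oid(o) + v) for o, v in varbinds)
    pdu = ber_int(request_id) + ber_int(0) + ber_int(0) + ber_tlv(0x30, vbl)
    return ber_tlv(0x30, ber_int(0) + ber_tlv(0x04, community.encode()) + ber_tlv(pdu_tag, pdu))

def build_getnext(community, oid, request_id=1):
    return build_message(0xA1, community, request_id, [(oid, b"\x05\x00")])   # 0xA1 = GetNextRequest, NULL value

def read_tlv(data, pos):
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                        # long-form length (responses can be large)
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def decode_oid(body):
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def decode_value(tag, body):
    if tag == 0x02:
        return int.from_bytes(body, "big", signed=True)      # INTEGER
    if tag == 0x04:
        return body.decode("latin-1")                        # OCTET STRING
    return decode_oid(body) if tag == 0x06 else None         # OID; NULL/noSuchObject -> None

def parse_response(packet):
    # Returns (community, request_id, error_status, [(oid, value), ...]) of a GetResponse
    _, msg, _ = read_tlv(packet, 0)
    _, _, pos = read_tlv(msg, 0)                             # version
    _, community, pos = read_tlv(msg, pos)
    pdu_tag, pdu, _ = read_tlv(msg, pos)
    if pdu_tag != 0xA2:
        raise ValueError("not a GetResponse PDU: tag 0x%02x" % pdu_tag)
    _, rid, pos = read_tlv(pdu, 0)
    _, err, pos = read_tlv(pdu, pos)
    _, _, pos = read_tlv(pdu, pos)                           # error index
    _, vbl, _ = read_tlv(pdu, pos)
    varbinds, pos = [], 0
    while pos < len(vbl):
        _, vb, pos = read_tlv(vbl, pos)
        _, oid_body, p = read_tlv(vb, 0)
        vtag, vbody, _ = read_tlv(vb, p)
        varbinds.append((decode_oid(oid_body), decode_value(vtag, vbody)))
    return (community.decode("latin-1"), int.from_bytes(rid, "big", signed=True),
            int.from_bytes(err, "big", signed=True), varbinds)

def snmp_walk(host, community, base_oid, port=161, timeout=2.0, max_rows=500):
    # GetNext loop; SNMPv1 has no endOfMibView, so stop on timeout, error status, a repeated OID or leaving the subtree
    base, rows, rid = base_oid.strip("."), [], 1
    oid = base
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        while len(rows) < max_rows:
            sock.sendto(build_getnext(community, oid, rid), (host, port))
            try:
                _, resp_id, err, varbinds = parse_response(sock.recvfrom(65535)[0])
            except socket.timeout:
                break
            if resp_id != rid or err or not varbinds:
                break
            next_oid, value = varbinds[0]
            if next_oid == oid or not (next_oid + ".").startswith(base + "."):
                break
            rows.append((next_oid, value))
            oid, rid = next_oid, rid + 1
    return rows

def find_communities(host, candidates=DEFAULT_COMMUNITIES):
    # Default-community check: which candidates get an answer for a GetNext on sysName
    return [c for c in candidates if snmp_walk(host, c, SYS_NAME, max_rows=1)]
```

`find_communities("192.0.2.5")` returns the strings the agent answered with, and `snmp_walk("192.0.2.5", "public", "1.3.6.1.4.1.77.1.2.25")` returns the rows snmpwalk would print for the usernames branch. A hit on any default string is a finding on its own: SNMPv1 carries the community in cleartext, and the read-write string (often "private") allows configuration changes, not just reads.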


NetBIOS enumeration
> Enum
>> enum <-UMNSPGLdc> <-u username> <-p password> <-f dictfile> <hostname|ip>
> Null Session
>> net use \\192.168.1.1\ipc$ "" /u:""
>>> net view \\ip_address
>>> Dumpsec ( http://www.systemtools.com/download/dumpacl.zip )
>...


NTP Enumeration
> ntpdc -c monlist IP_ADDRESS (lists the last clients the server talked to; disabled by default since ntpd 4.2.7p26 and blocked by restrict ... noquery, so no answer is the common case on a patched host)
> ntpdc -c sysinfo IP_ADDRESS
> ntpq
>> host
>> hostname
>> ntpversion
>> readlist
>> version

Examine configuration files
> ntp.conf...
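What `ntpdc -c monlist` does on the wire, as an added example that is not part of the original notes: the 8-byte mode 7 request, a parser for the response records, and the bytes-received to bytes-sent ratio that made monlist a reflection vector. The record layout follows ntpd's struct info_monitor_1 (72-byte items, an assumption taken from ntp_request.h); the sample response is constructed in the block, not captured traffic, and the host in the usage note is a placeholder.

```python
import socket
import struct

# ntpd mode 7 ("private") request as sent by `ntpdc -c monlist`: version 2 + mode 7 (0x17),
# no auth/sequence, implementation 3 (IMPL_XNTPD), request 42 (REQ_MON_GETLIST_1), no data
IMPL_XNTPD, REQ_MON_GETLIST_1 = 3, 42
MONLIST_REQUEST = struct.pack(">BBBBHH", 0x17, 0, IMPL_XNTPD, REQ_MON_GETLIST_1, 0, 0)
# struct info_monitor_1 (assumed from ntp_request.h): lasttime, firsttime, restr, count, addr,
# daddr, flags, port, mode, version, v6_flag, unused1, addr6, daddr6 = 72 bytes
ENTRY_FMT = ">IIIIIIIHBBII16s16s"
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)

def parse_monlist_response(packet):
    # Returns (error_code, more_follows, entries) for one response packet; error 0 means ok
    if len(packet) < 8:
        raise ValueError("short packet")
    rm_vn_mode, _seq, impl, req, err_nitems, mbz_itemsize = struct.unpack(">BBBBHH", packet[:8])
    if not (rm_vn_mode & 0x80) or (rm_vn_mode & 0x07) != 7:
        raise ValueError("not a mode 7 response")
    if impl != IMPL_XNTPD or req != REQ_MON_GETLIST_1:
        raise ValueError("unexpected implementation/request %d/%d" % (impl, req))
    err, nitems = err_nitems >> 12, err_nitems & 0x0FFF
    itemsize, more = mbz_itemsize & 0x0FFF, bool(rm_vn_mode & 0x40)
    entries = []
    if err == 0 and itemsize == ENTRY_SIZE:            # only the _1 record layout is decoded
        for i in range(nitems):
            item = packet[8 + i * itemsize: 8 + (i + 1) * itemsize]
            if len(item) < ENTRY_SIZE:
                break                                   # truncated packet: keep what parsed
            (_, _, _, count, addr, _, _, port, mode, version,
             v6_flag, _, addr6, _) = struct.unpack(ENTRY_FMT, item)
            host = (socket.inet_ntop(socket.AF_INET6, addr6) if v6_flag
                    else socket.inet_ntoa(struct.pack(">I", addr)))
            entries.append({"addr": host, "port": port, "mode": mode,
                            "version": version, "count": count})
    return err, more, entries

def make_monlist_entry(addr, port, count, mode=3, version=4):
    # One info_monitor_1 record; used only to build the constructed sample below
    return struct.pack(ENTRY_FMT, 0, 0, 0, count, struct.unpack(">I", socket.inet_aton(addr))[0],
                       0, 0, port, mode, version, 0, 0, b"\0" * 16, b"\0" * 16)

def make_monlist_response(entries, more=False, err=0):
    # Response header: response bit 0x80, "more" bit 0x40, then the packed records
    head = struct.pack(">BBBBHH", 0x80 | (0x40 if more else 0) | 0x17, 0, IMPL_XNTPD,
                       REQ_MON_GETLIST_1, (err << 12) | len(entries), ENTRY_SIZE)
    return head + b"".join(entries)

# Constructed sample (not captured traffic): a server that recently served two clients
SAMPLE_RESPONSE = make_monlist_response([make_monlist_entry("192.0.2.10", 123, 57),
                                         make_monlist_entry("198.51.100.7", 40123, 3)])

def query_monlist(host, port=123, timeout=3.0):
    # Sends the request and collects packets until the 'more' bit clears or the server
    # goes quiet. Also returns bytes received / bytes sent: the amplification factor.
    entries, received = [], 0
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(MONLIST_REQUEST, (host, port))
        try:
            while True:
                data = sock.recv(65535)
                received += len(data)
                err, more, part = parse_monlist_response(data)
                entries.extend(part)
                if err or not more:
                    break
        except socket.timeout:
            pass                                        # patched/noquery hosts never answer
    return entries, received / len(MONLIST_REQUEST)
```

`query_monlist("203.0.113.5")` returns the recent clients (each one a host that talks to this server, which is the enumeration value) plus the amplification ratio; a ratio well above 1 confirms the host is usable as a reflector. An empty list with no error is the expected result from a patched or `noquery` daemon, in which case `ntpq -c readlist` and `ntpq -c version` above are the fallback for fingerprinting.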


rpcdump.py ( http://oss.coresecurity.com/impacket/rpcdump.py )
> rpcdump.py username:password@IP_Address port/protocol (e.g. 80/HTTP)

rpcinfo
> rpcinfo [options] IP_Addres...


User enumeration
> finger 'a b c d e f g h' @example.com
> finger admin@example.com
> finger user@example.com
> finger 0@example.com
> finger .@example.com
> finger **@example.com
> finger test@example.com
> finger @example.com

Command execution
> finger "|/bin/id@example.com"
>...


TFTP Enumeration
> tftp ip_address PUT local_file
> tftp ip_address GET conf.txt (or other files)
> Solarwinds TFTP server
> tftp -i <IP> GET /etc/passwd (old Solaris)

TFTP Bruteforcing
> TFTP bruteforcer
> Cisco-Torch...


Fingerprint server/ service
> host
>> host [-aCdlnrTwv] [-c class] [-N ndots] [-R number] [-t type] [-W wait] name [server]
>>> -v verbose format
>>> -t (query type) allows a user to specify a record type, e.g. A, NS or PTR
>>> -a same as -t ANY
>>> -l zone transfer (if allowed)
>>> -f save to a specified filename
> nslookup
>> n...


Fingerprint server
> telnet ip_address 25 (banner grab)

Mail Server Testing
> Enumerate users
>> VRFY username (asks the server to confirm a mailbox: 250 = exists, 550 = unknown, 252 = server will not confirm, so no enumeration this way)
>> EXPN alias (expands a mailing list or alias into its member addresses; 250 with the members confirms the alias exists)
> Mail Spoof Test
>> HELO anything
>> MAIL FROM: spoofed_address
>> RCPT...
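The VRFY/EXPN probing above, as an added example that is not the page's own code: an enumerator that reads multi-line replies correctly ("250-" continuation lines), classifies the reply codes that matter, and falls back to EXPN for the rest of the session once the server says VRFY is not implemented. The I/O is passed in as two callables so the same logic runs against a real socket or against the constructed transcript embedded in the block; the host names and the transcript are assumptions.

```python
import socket

VALID, INVALID, REFUSED, DISABLED = "valid", "invalid", "refused", "disabled"

def classify(code):
    # RFC 5321 reply codes as they matter for enumeration
    if code in (250, 251):
        return VALID        # 251: user not local, server will forward (the name still resolves)
    if code in (550, 551, 553):
        return INVALID      # mailbox unavailable / not local / name not allowed
    if code == 252:
        return REFUSED      # server will accept mail but will not confirm the mailbox
    return DISABLED         # 500/502/503...: command unrecognised, not implemented or not allowed

def read_reply(readline):
    # One SMTP reply, following "NNN-" continuation lines up to the final "NNN " line
    lines = []
    while True:
        line = readline().rstrip("\r\n")
        if len(line) < 3 or not line[:3].isdigit():
            raise ValueError("malformed SMTP reply: %r" % line)
        lines.append(line[4:])
        if len(line) == 3 or line[3] != "-":
            return int(line[:3]), lines

def enumerate_users(readline, sendline, users, helo="probe.example"):
    # Greeting, HELO, then VRFY per name; switches to EXPN for the rest of the session once
    # the server says VRFY is not implemented. Returns (banner, {name: (status, code, text)})
    code, banner = read_reply(readline)
    if code != 220:
        raise RuntimeError("no 220 greeting, got %d" % code)
    sendline("HELO " + helo)
    code, _ = read_reply(readline)
    if code != 250:
        raise RuntimeError("HELO rejected with %d" % code)
    results, verb = {}, "VRFY"
    for user in users:
        sendline("%s %s" % (verb, user))
        code, text = read_reply(readline)
        if classify(code) == DISABLED and verb == "VRFY":
            verb = "EXPN"
            sendline("%s %s" % (verb, user))
            code, text = read_reply(readline)
        results[user] = (classify(code), code, " ".join(text))
    sendline("QUIT")
    return banner[0], results

def enumerate_over_network(host, users, port=25, timeout=5.0):
    # Same logic over a TCP socket; CRLF line endings written by hand, no newline translation
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with sock.makefile("rw", encoding="latin-1", newline="") as f:
            def sendline(cmd):
                f.write(cmd + "\r\n")
                f.flush()
            return enumerate_users(f.readline, sendline, users)

# Constructed transcript (not a real server) keyed by the exact command sent; None = greeting
SAMPLE_REPLIES = {
    None: ["220 mail.example.com ESMTP ready"],
    "HELO probe.example": ["250 mail.example.com Hello probe.example, pleased to meet you"],
    "VRFY root": ["250 2.1.5 root <root@mail.example.com>"],
    "VRFY nosuchuser": ["550 5.1.1 nosuchuser... User unknown"],
    "VRFY staff": ["502 5.5.1 VRFY command not implemented"],
    "EXPN staff": ["250-2.1.5 <alice@example.com>", "250 2.1.5 <bob@example.com>"],
}

def scripted_session(replies):
    # In-memory stand-in for the socket: sendline queues the scripted reply, readline pops it
    queue = list(replies[None])
    def sendline(cmd):
        queue.extend(replies.get(cmd, ["500 5.5.1 Command unrecognized"]))
    def readline():
        return (queue.pop(0) + "\r\n") if queue else ""
    return readline, sendline
```

`enumerate_over_network("mail.example.com", ["root", "admin", "test"])` returns the banner (the fingerprint from the telnet banner grab above) and one (status, code, text) per name. A uniform 252 for every name means the MTA will not confirm mailboxes (Postfix with disable_vrfy_command, Sendmail with PrivacyOptions=novrfy), so VRFY tells you nothing and RCPT TO probing is the next step; a mix of 250 and 550 is the enumeration oracle this section is after.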


Fingerprint server
> telnet ip_address
>> Common banner list (OS: banner)
>>> Solaris 8: SunOS 5.8
>>> Solaris 2.6: SunOS 5.6
>>> Solaris 2.4 or 2.5.1: Unix(r) System V Release 4.0 (hostname)
>>> SunOS 4.1.x: SunOS Unix (hostname)
>>> FreeBSD: FreeBSD/i386 (hostname) (ttyp1)
>>> NetBSD: NetBSD/i386 (hostname) (ttyp1)
>>> OpenBSD: OpenBSD/i386 (hostname) (ttyp1)
>>> Red Hat 8.0: Red Hat ...


Fingerprint server
> telnet ip_address 22 (banner grab)
> scanssh
>> scanssh -p -r -e excludes random(no.)/Network_ID/Subnet_Mask

Password guessing
> ssh root@ip_address
> guess-who
>> ./b -l username -h ip_address -p 22 -2 < password_file_location
> Hydra brute force
> brutessh
> Ruby SSH Br...

