SMB, SMTP and SNMP Enumeration
SMB and SMTP enumeration with `nmap`
The security track record of the Server Message Block (SMB) protocol has been poor for many years due to its complex implementation and open nature. From unauthenticated SMB null sessions in Windows 2000 and XP to a plethora of SMB bugs and vulnerabilities over the years, SMB has had its fair share of action.
The NetBIOS service listens on TCP port 139, as well as several UDP ports (137 for the name service, 138 for the datagram service). SMB itself listens on TCP port 445. The two are separate protocols, even though NetBIOS is often used as a transport for SMB.
NetBIOS is an independent session layer protocol and service that allows computers on a local network to communicate with each other.
SMB Scanning with nmap
Scanning with NSE scripts (the scripts live in /usr/share/nmap/scripts)
The smb-os-discovery script works only if SMBv1 is enabled on the target, which is not the default on modern versions of Windows. However, plenty of legacy systems still run SMBv1, and we have enabled this specific version on the Windows host to simulate such a scenario.
Running smb-os-discovery against the Windows 11 client
Compared to the Nmap OS fingerprinting options we explored earlier, OS enumeration via NSE scripting provides extra information, such as the domain name and other details related to Active Directory Domain Services.
SMB enumeration in a Windows environment
As an example, from the client01 VM we can list all the shares hosted on dc01.
Scanning with `nbtscan` (a more specialized tool)
The scan revealed two NetBIOS names belonging to two hosts. This kind of information can be used to further improve the context of the scanned hosts, as NetBIOS names are often very descriptive about the role of the host within the organization. This data can feed our information-gathering cycle by leading to further disclosures.
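What nbtscan does on the wire, as an added example rather than code from the page or from nbtscan itself: build a NetBIOS node-status (NBSTAT) query for the wildcard name, send it to UDP/137, and decode the name table and MAC address in the reply. The names DC01 and CORP, the MAC address and the whole packet returned by constructed_response() are constructed for offline testing and were not captured from any real host.

```python
import socket
import struct

NBNS_PORT = 137
NBSTAT = 0x0021          # node status query, the record type nbtscan asks for
# Suffix byte -> meaning of the most common NetBIOS name entries
SUFFIXES = {0x00: "Workstation Service", 0x03: "Messenger", 0x1B: "Domain Master Browser",
            0x1C: "Domain Controllers", 0x1D: "Master Browser",
            0x1E: "Browser Elections", 0x20: "File Server"}


def encode_name(raw16: bytes) -> bytes:
    """First-level encode a 16-byte NetBIOS name: each nibble becomes 'A' + nibble."""
    if len(raw16) != 16:
        raise ValueError("NetBIOS names are exactly 16 bytes (15 characters + suffix)")
    enc = bytes(b for c in raw16 for b in (0x41 + (c >> 4), 0x41 + (c & 0x0F)))
    return b"\x20" + enc + b"\x00"        # label length 32, encoded label, root terminator


def build_nbstat_query(txid: int = 0x1337) -> bytes:
    """NBSTAT request for the wildcard name '*' (padded with NULs, not spaces)."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)   # one question, no answers
    question = encode_name(b"*" + b"\x00" * 15) + struct.pack(">HH", NBSTAT, 0x0001)
    return header + question


def parse_nbstat_response(data: bytes) -> dict:
    """Pull the name table and the MAC address out of a node status response."""
    _txid, flags, _qd, ancount = struct.unpack(">HHHH", data[:8])
    if not flags & 0x8000 or ancount < 1:
        raise ValueError("not an NBNS response carrying an answer")
    off = 12
    off += 1 + data[off] + 1                       # skip the 34-byte encoded answer name
    rtype, _rclass, _ttl, _rdlen = struct.unpack(">HHIH", data[off:off + 10])
    off += 10
    if rtype != NBSTAT:
        raise ValueError(f"unexpected RR type {rtype:#06x}")
    num_names = data[off]
    off += 1
    names = []
    for _ in range(num_names):
        raw, suffix, nflags = struct.unpack(">15sBH", data[off:off + 18])
        off += 18
        names.append({
            "name": raw.decode("ascii", "replace").rstrip(" \x00"),
            "suffix": suffix,
            "type": "GROUP" if nflags & 0x8000 else "UNIQUE",     # G bit
            "role": SUFFIXES.get(suffix, "unknown"),
        })
    mac = ":".join(f"{b:02x}" for b in data[off:off + 6])   # statistics block starts with the unit ID
    return {"names": names, "mac": mac}


def nbstat(host: str, timeout: float = 2.0) -> dict:
    """Send one NBSTAT query to a live host on UDP/137 and parse the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_nbstat_query(), (host, NBNS_PORT))
        data, _ = s.recvfrom(4096)
    return parse_nbstat_response(data)


def constructed_response() -> bytes:
    """Hand-built reply (constructed sample, not captured from a real host) from a
    fictional domain controller DC01 in the domain CORP, for offline parsing."""
    entries = [(b"DC01", 0x00, 0x0400), (b"DC01", 0x20, 0x0400), (b"CORP", 0x00, 0x8400),
               (b"CORP", 0x1C, 0x8400), (b"CORP", 0x1B, 0x0400)]
    rdata = bytes([len(entries)])
    for name, suffix, nflags in entries:
        rdata += struct.pack(">15sBH", name.ljust(15), suffix, nflags)
    rdata += bytes.fromhex("005056aabbcc") + b"\x00" * 40   # MAC, then zeroed statistics
    header = struct.pack(">HHHHHH", 0x1337, 0x8400, 0, 1, 0, 0)
    rr = encode_name(b"*" + b"\x00" * 15) + struct.pack(">HHIH", NBSTAT, 0x0001, 0, len(rdata))
    return header + rr + rdata


if __name__ == "__main__":
    for entry in parse_nbstat_response(constructed_response())["names"]:
        print(f"{entry['name']:<16}<{entry['suffix']:02X}>  {entry['type']:<7} {entry['role']}")
```

The suffix byte is what makes the output descriptive: a <1C> group entry names a domain that has domain controllers, <20> marks a host offering file shares, <1B> the domain master browser. Against a live target, nbstat("10.0.0.5") does the same query that nbtscan sends, one host at a time.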
SMTP Enumeration
We can also gather information about a host or network from vulnerable mail servers. The Simple Mail Transfer Protocol (SMTP) supports several interesting commands, such as VRFY and EXPN. A VRFY request asks the server to verify an email address, while EXPN asks the server for the membership of a mailing list. These can often be abused to verify existing users on a mail server, which is useful information during a penetration test.
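The VRFY/EXPN exchange described above, as an added example and not code from the page: a throwaway SMTP responder on loopback that leaks account existence through its reply codes, and a client that probes it over one session. The user names, the staff list and the mail.example.com banner are constructed test data. The reply-code classification follows RFC 5321 (250/251 confirmed, 252 cannot verify, 550/551/553 no such mailbox, 500/502 command disabled), which is the check a practitioner needs before trusting VRFY output at all.

```python
import socket
import threading

# Constructed account data for the stand-in server; not taken from any real mail system.
KNOWN_USERS = {"root", "postmaster", "alice"}
KNOWN_LISTS = {"staff": ["alice@example.com", "root@example.com"]}


def fake_smtp_server(listener: socket.socket) -> None:
    """Serve one session the way an MTA with VRFY/EXPN left enabled does: answer honestly."""
    conn, _ = listener.accept()
    with conn, conn.makefile("rb") as rd:
        conn.sendall(b"220 mail.example.com ESMTP\r\n")
        for raw in rd:
            cmd, _, arg = raw.decode(errors="replace").strip().partition(" ")
            cmd = cmd.upper()
            if cmd == "QUIT":
                conn.sendall(b"221 2.0.0 Bye\r\n")
                break
            if cmd == "VRFY":
                local = arg.strip("<>").split("@")[0]
                reply = (f"250 2.1.5 <{local}@example.com>\r\n" if local in KNOWN_USERS
                         else "550 5.1.1 User unknown\r\n")
            elif cmd == "EXPN" and arg in KNOWN_LISTS:
                members = KNOWN_LISTS[arg]       # multi-line reply: "250-" lines, then a final "250 "
                reply = "".join(f"250-{m}\r\n" for m in members[:-1]) + f"250 {members[-1]}\r\n"
            elif cmd == "EXPN":
                reply = "550 5.1.1 List unknown\r\n"
            else:
                reply = "502 5.5.2 Command not implemented\r\n"
            conn.sendall(reply.encode())


def _read_reply(rd) -> tuple:
    """Collect one (possibly multi-line) SMTP reply; return (code, [text lines])."""
    text = []
    while True:
        line = rd.readline().decode(errors="replace").rstrip("\r\n")
        if len(line) < 3 or not line[:3].isdigit():
            raise ConnectionError(f"malformed or missing reply: {line!r}")
        text.append(line[4:])
        if len(line) == 3 or line[3] != "-":
            return int(line[:3]), text


def classify(code: int) -> str:
    """Map a VRFY reply code to what it tells an attacker."""
    if code in (250, 251):
        return "exists"
    if code == 252:                      # "Cannot VRFY user": server refuses to confirm either way
        return "unverifiable"
    if code in (500, 502):               # command disabled, e.g. Postfix disable_vrfy_command
        return "disabled"
    return "unknown"                     # 550/551/553: no such mailbox


def enumerate_smtp(host: str, port: int, users, lists, timeout: float = 5.0) -> dict:
    """Probe candidate users with VRFY and candidate lists with EXPN over one session."""
    out = {"vrfy": {}, "expn": {}}
    with socket.create_connection((host, port), timeout=timeout) as s, s.makefile("rb") as rd:
        _read_reply(rd)                  # 220 banner
        for user in users:
            s.sendall(f"VRFY {user}\r\n".encode())
            out["vrfy"][user] = classify(_read_reply(rd)[0])
        for name in lists:
            s.sendall(f"EXPN {name}\r\n".encode())
            code, text = _read_reply(rd)
            out["expn"][name] = text if code == 250 else []
        s.sendall(b"QUIT\r\n")
        _read_reply(rd)
    return out


def run_demo() -> dict:
    """Bind the stand-in server on a loopback port, enumerate it, and return the findings."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    t = threading.Thread(target=fake_smtp_server, args=(listener,), daemon=True)
    t.start()
    try:
        return enumerate_smtp("127.0.0.1", listener.getsockname()[1], ["root", "alice", "bob"], ["staff", "sales"])
    finally:
        t.join(timeout=5)
        listener.close()
```

Against a real target, call enumerate_smtp(host, 25, wordlist, []) and look at the classification first: a server answering 252 to everything has VRFY effectively disabled and the wordlist run tells you nothing, so stop early rather than hammering it.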
SNMP Enumeration
SNMP is based on UDP, a simple, stateless protocol, and is therefore susceptible to IP spoofing and replay attacks. Additionally, the commonly used SNMP versions 1, 2 and 2c offer no traffic encryption, meaning that SNMP information and credentials can be easily intercepted over a local network. These traditional SNMP versions also have weak authentication schemes (the community string, sent in cleartext, is the only credential) and are commonly left configured with the default public and private community strings.
SNMPv3, which provides authentication and encryption, originally shipped with support for only DES-56, a weak encryption scheme that can be easily brute-forced. More recent SNMPv3 implementations support AES (AES-128 is the standardized privacy protocol; many implementations also offer AES-192 and AES-256).
SNMP Enumeration with Nmap
SNMP Enumeration with `onesixtyone`
Alternatively, we can use a tool such as onesixtyone, which brute-forces community strings against a list of IP addresses.
First, we must build a text file containing the community strings to try.
Next, we make a list of the IP address range we want to scan.
Scanning SNMP with onesixtyone
Once we find SNMP services, we can start querying them for specific MIB data that might be interesting
We can probe and query SNMP values using a tool such as snmpwalk, provided we know the SNMP read-only community string, which in most cases is "public".
This command enumerates the entire MIB tree using the -c option to specify the community string, -v to specify the SNMP version number, and -t 10 to increase the timeout period to 10 seconds:
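Why community strings can be read off the wire and why the onesixtyone sweep above works, as an added example that is not code from the page, onesixtyone or snmpwalk: an SNMPv1 GetRequest for sysDescr built byte by byte in BER, a parser for the reply, and a onesixtyone-style sweep that sends one request per candidate community string and keeps only the ones that get an answer. The stand-in agent on loopback, its sysDescr value and the three-word list are constructed; a real v1/v2c agent behaves the same way, dropping a request with a wrong community without any reply, which is why a timeout rather than an error code marks a miss.

```python
import socket
import threading
SYSDESCR_OID = "1.3.6.1.2.1.1.1.0"
GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2

def tlv(tag: int, payload: bytes) -> bytes:
    n = len(payload)                     # BER length: short form < 128, else 0x80|count + big-endian bytes
    lb = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(lb)]) + lb) + payload

def ber_int(v: int) -> bytes:
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))

def ber_oid(oid: str) -> bytes:
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:                 # base-128, high bit set on every byte but the last
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def decode_oid(b: bytes) -> str:
    arcs, v = [b[0] // 40, b[0] % 40], 0
    for x in b[1:]:
        v = (v << 7) | (x & 0x7F)
        if not x & 0x80:
            arcs, v = arcs + [v], 0
    return ".".join(map(str, arcs))

def _read_tlv(buf: bytes, off: int):
    tag, ln, off = buf[off], buf[off + 1], off + 2
    if ln & 0x80:                        # long form: low 7 bits = number of length bytes
        ln, off = int.from_bytes(buf[off:off + (ln & 0x7F)], "big"), off + (ln & 0x7F)
    return tag, buf[off:off + ln], off + ln

def _children(buf: bytes):               # (tag, value) for each TLV inside a constructed value
    off = 0
    while off < len(buf):
        tag, val, off = _read_tlv(buf, off)
        yield tag, val

def build_get(community: str, oid: str, request_id: int = 0x1337) -> bytes:
    """SNMPv1 GetRequest: version 0, community string in the clear, one varbind with a NULL value."""
    varbinds = tlv(0x30, tlv(0x30, ber_oid(oid) + tlv(0x05, b"")))
    pdu = tlv(GET_REQUEST, ber_int(request_id) + ber_int(0) + ber_int(0) + varbinds)
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode()) + pdu)

def parse_message(data: bytes) -> dict:
    """Decode version, community, PDU type, request-id, error-status and the varbind list."""
    (_, ver), (_, community), (pdu_tag, pdu) = _children(_read_tlv(data, 0)[1])
    (_, rid), (_, err), _idx, (_, vbl) = _children(pdu)
    varbinds = []
    for _, vb in _children(vbl):
        (_, oid), (vtag, val) = _children(vb)
        varbinds.append((decode_oid(oid), vtag, val))
    return {"version": int.from_bytes(ver, "big"), "community": community.decode(errors="replace"), "pdu": pdu_tag,
            "request_id": int.from_bytes(rid, "big", signed=True), "error": int.from_bytes(err, "big"), "varbinds": varbinds}

def fake_agent(sock: socket.socket, stop: threading.Event) -> None:
    """Stand-in v1 agent: answers sysDescr for community 'public', silently drops everything else."""
    while not stop.is_set():
        try:
            data, peer = sock.recvfrom(1500)
            req = parse_message(data)
        except (socket.timeout, IndexError, ValueError):
            continue
        if req["community"] == "public" and req["pdu"] == GET_REQUEST:
            vb = tlv(0x30, tlv(0x30, ber_oid(SYSDESCR_OID) + tlv(0x04, b"Linux router 5.10 (constructed)")))
            pdu = tlv(GET_RESPONSE, ber_int(req["request_id"]) + ber_int(0) + ber_int(0) + vb)
            sock.sendto(tlv(0x30, ber_int(0) + tlv(0x04, b"public") + pdu), peer)

def brute_community(host: str, port: int, words, timeout: float = 0.5) -> dict:
    hits = {}                            # onesixtyone-style: one GET per candidate, keep the ones answered
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        for i, word in enumerate(words):
            s.sendto(build_get(word, SYSDESCR_OID, 1000 + i), (host, port))
            try:
                resp = parse_message(s.recvfrom(1500)[0])
            except socket.timeout:
                continue                 # silence is the agent's answer to a wrong community
            if resp["request_id"] == 1000 + i and resp["error"] == 0:
                hits[word] = resp["varbinds"][0][2].decode(errors="replace")
    return hits

def run_demo() -> dict:
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as agent:
        agent.bind(("127.0.0.1", 0))
        agent.settimeout(0.2)
        stop = threading.Event()
        t = threading.Thread(target=fake_agent, args=(agent, stop), daemon=True)
        t.start()
        hits = brute_community("127.0.0.1", agent.getsockname()[1], ["private", "public", "manager"])
        stop.set()
        t.join()
        return hits
```

Dump build_get("public", SYSDESCR_OID) in a hex viewer and the community string sits readable right after the version integer; that is the whole of v1/v2c "authentication", and it is what a sniffer on the segment sees every time snmpwalk runs. Against a real agent, point brute_community at UDP/161 with the community file from the text and keep the timeout small, since every wrong guess costs one full timeout.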
To further practice what we've learned, let's explore a few SNMP enumeration techniques against a Windows target. We'll use the snmpwalk command, which can walk a specific branch of the MIB tree, identified by an Object Identifier (OID).
The following example enumerates