After learning the basics of network scanning on Monday, you can take these skills one step further with this quickie!
On Monday I showed you some basics of network scanning with nmap. Now I'll take this further and show you how to do a simple enumeration of networks and machines. Today I'll build on those techniques, add a couple more flags and options (which I'll explain) and show you some more tools. You can find more about this subject in the links at the end of the article.
We will work with a Kali Linux machine and a target running a web server. For this tutorial it doesn't really matter whether the target is Windows or Linux.
We will find out via nmap that the target runs a web server. Then we will look for possible vulnerabilities.
And we will do all of this on the command line, because that's how it's properly done!
Step 1: Find out if the target runs a web server
As shown in Monday's quickie, you can easily see with nmap which ports are open for which services. Just use the command shown there.
Today I'll show you how to enhance this command using flags. With this command you should get to know the target better.
nmap -T4 -sV -p- <target>
How is it enhanced?
-T4 sets the timing template to aggressive
-sV probes open ports for clues about the OS and software the target is running (service and version detection)
-p- scans all ports instead of the default 1000 ports
You should now know if the server is running a web service. We'll just assume it does, because I'm too busy right now to set up a new host with a web server. So let's assume port 80 is open for HTTP with Apache or something similar.
This command will take your simple enumeration on to the next step:
Step 2: Find web content | dirb
DIRB is a web content scanner. The cool thing about this tool is that it looks for existing and hidden web objects. You can also supply your own wordlist files for this purpose and set a ton of flags. And it's pretty easy to use:
With this tool you find content, not vulnerabilities. You could, for example, find a directory called /wp-admin and know that it's a WordPress site.
Step 3: Find possible vulnerabilities | nikto
This tool tests a web server for about 6400 potentially dangerous files/CGIs, checks for outdated versions of over 1250 servers, and much more. However, it's not stealthy: you can clearly see it in the target's logs. But you can test your own servers for vulnerabilities, which is nice.
Since we know that port 80 is open, we don't need to configure it in the command (but we could ➡ find out how in the links below):
perl nikto.pl -h 192.168.0.1
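Steps 1 and 3 hinge on one detail: nmap -sV tells you where the web service is, and the dirb and nikto commands only omit the port because it happens to be 80. The script below is an added example (my own code, not from the post or from the nmap, dirb or nikto projects): it parses the XML that nmap writes with -oX, keeps only open ports whose service was identified as HTTP(S), and builds the follow-up commands, adding nikto's -p port option and -ssl flag only when the service is not on the scheme's default port or is TLS-wrapped. The XML sample is constructed, not a real scan; the dirb wordlist path is the Kali default and is an assumption about your install.

```python
import shlex
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -T4 -sV -p- -oX - 192.168.0.1` output (not real scan data).
# nmap reports an HTTPS service as name="http" with tunnel="ssl".
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -T4 -sV -p- -oX - 192.168.0.1" version="7.94">
<host><status state="up" reason="echo-reply"/>
<address addr="192.168.0.1" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
  <service name="ssh" product="OpenSSH" version="8.9p1" method="probed" conf="10"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
  <service name="http" product="Apache httpd" version="2.4.57" method="probed" conf="10"/></port>
<port protocol="tcp" portid="3306"><state state="filtered" reason="no-response"/>
  <service name="mysql" method="table" conf="3"/></port>
<port protocol="tcp" portid="8443"><state state="open" reason="syn-ack"/>
  <service name="http" product="nginx" version="1.24.0" tunnel="ssl" method="probed" conf="10"/></port>
</ports></host>
</nmaprun>
"""

# Service names nmap uses for web servers; anything else is ignored.
WEB_SERVICE_NAMES = {"http", "https", "http-alt", "http-proxy"}


def parse_web_services(xml_text):
    """Return (host, port, scheme, product) for every open port that -sV identified as a web service."""
    root = ET.fromstring(xml_text)
    found = []
    for host in root.findall("host"):
        addr = host.find("address").get("addr")
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not reachable services
            svc = port.find("service")
            if svc is None or svc.get("name") not in WEB_SERVICE_NAMES:
                continue
            is_tls = svc.get("tunnel") == "ssl" or svc.get("name") == "https"
            scheme = "https" if is_tls else "http"
            product = " ".join(p for p in (svc.get("product"), svc.get("version")) if p)
            found.append((addr, int(port.get("portid")), scheme, product))
    return found


def followup_commands(services, wordlist="/usr/share/dirb/wordlists/common.txt"):
    """Build the dirb and nikto invocations for each web service found.

    The port is only spelled out when it is not the scheme's default, which is
    exactly why the post's `nikto -h 192.168.0.1` needs no port for port 80.
    """
    cmds = []
    for host, port, scheme, _product in services:
        default_port = 443 if scheme == "https" else 80
        hostport = host if port == default_port else f"{host}:{port}"
        url = f"{scheme}://{hostport}/"
        cmds.append(f"dirb {shlex.quote(url)} {shlex.quote(wordlist)}")
        nikto = ["nikto", "-h", host]
        if port != default_port:
            nikto += ["-p", str(port)]   # nikto's port option
        if scheme == "https":
            nikto.append("-ssl")          # force TLS for the wrapped service
        cmds.append(" ".join(nikto))
    return cmds


if __name__ == "__main__":
    services = parse_web_services(SAMPLE_NMAP_XML)
    for host, port, scheme, product in services:
        print(f"{scheme}://{host}:{port}  ({product})")
    for cmd in followup_commands(services):
        print(cmd)
```

Run the real scan with `-oX scan.xml` and feed the file to parse_web_services to get the same result on a live target; the SSH and filtered MySQL ports in the sample are deliberately there to show that only open, identified web services survive the filter.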
nikto will scan the target and give output similar to this:
And now we have a simple enumeration of a machine:
We know which ports are open, what services are running, what files/directories exist and even the vulnerabilities of those!