Scanning & Enumeration
NetDiscover
sudo netdiscover -r 10.0.2.0/24
NMap
sudo nmap -T4 -p- -A 10.0.2.4
sudo nmap -T4 -sU 10.0.2.4
Nikto
nikto -h http://10.0.2.4
DirBuster
- Use GET requests only
- Go Faster
- wordlist: “/usr/share/wordlists/dirbuster/directory-list-2.3-small.txt”
Metasploit
- search for “smb/smb_version”
msfconsole // start metasploit
search smb_V // search for a module to find smb versions
use 0 // use the found module
info // get infos on how to use the module
set RHOST 10.0.2.4 // set the host (target)
run // run the module
smbclient
List SMB services
smbclient -L \\\\10.0.2.4\\
Flags
-L : List services
Findings
2 shares found!
smbclient -L \\\\10.0.2.4\\ADMIN$
smbclient -L \\\\10.0.2.4\\IPC$
Success!!!
ls
Network access denied… damn
ssh
ssh 10.0.2.4
Unable to negotiate with 10.0.2.4 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
ssh 10.0.2.4 -oKexAlgorithms=+diffie-hellman-group1-sha1
Unable to negotiate with 10.0.2.4 port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss
After fix
The authenticity of host '10.0.2.4 (10.0.2.4)' can't be established.
RSA key fingerprint is SHA256:VDo/h/SG4A6H+WPH3LsQqw1jwjyseGYq9nLeRWPCY/A.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.0.2.4' (RSA) to the list of known hosts.
kali@10.0.2.4's password:
No banner with further info, sadly
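The two "Unable to negotiate" messages above are themselves an enumeration result: the server only speaks key-exchange and host-key algorithms that OpenSSH has retired. The following is an added example (my own code, not from these notes) that parses such lines and flags each offered algorithm with the reason it is considered legacy; the sample lines are the two from this page, and the reasons are taken from the OpenSSH release notes.

```python
import re

# Algorithms OpenSSH no longer enables by default, with the reason they were retired.
# Reasons per the OpenSSH release notes (7.0 for group1-sha1 and ssh-dss, 8.8 for ssh-rsa).
LEGACY_KEX = {
    "diffie-hellman-group1-sha1": "1024-bit MODP group and SHA-1 (disabled by default since OpenSSH 7.0)",
    "diffie-hellman-group-exchange-sha1": "SHA-1 hash; not in the OpenSSH client defaults",
}
LEGACY_HOSTKEY = {
    "ssh-dss": "DSA with a 1024-bit key (disabled by default since OpenSSH 7.0)",
    "ssh-rsa": "RSA signatures over SHA-1 (disabled by default since OpenSSH 8.8)",
}

OFFER_RE = re.compile(
    r"no matching (key exchange method|host key type) found\. Their offer: (\S+)"
)

# Constructed sample input: the two negotiation failures recorded in the notes above.
SAMPLE_LINES = [
    "Unable to negotiate with 10.0.2.4 port 22: no matching key exchange method found. "
    "Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1",
    "Unable to negotiate with 10.0.2.4 port 22: no matching host key type found. "
    "Their offer: ssh-rsa,ssh-dss",
]


def parse_offer(line):
    """Return ('kex' | 'hostkey', [algorithms]) from an ssh negotiation error, else None."""
    m = OFFER_RE.search(line)
    if not m:
        return None
    kind = "kex" if m.group(1).startswith("key exchange") else "hostkey"
    return kind, m.group(2).split(",")


def assess(lines):
    """Map each offered algorithm to its legacy reason (None if it is not a known-legacy one)."""
    findings = {}
    for line in lines:
        parsed = parse_offer(line)
        if parsed is None:
            continue  # unrelated output, e.g. the host-key prompt
        kind, algs = parsed
        table = LEGACY_KEX if kind == "kex" else LEGACY_HOSTKEY
        findings.setdefault(kind, {}).update({alg: table.get(alg) for alg in algs})
    return findings


def legacy_only(lines):
    """True when every algorithm the server offered is a known-legacy one."""
    findings = assess(lines)
    return bool(findings) and all(r is not None for f in findings.values() for r in f.values())
```

Run against the sample, `legacy_only` returns True: the host accepts nothing an up-to-date client would use by default, which is a finding worth recording on its own.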