Scanning & Enumeration

NetDiscover

sudo netdiscover -r 10.0.2.0/24

NetDiscover results

NMap

sudo nmap -T4 -p- -A 10.0.2.4

nmap tcp scan

sudo nmap -T4 -sU 10.0.2.4 

nmap udp scan

Nikto

nikto -h http://10.0.2.4

nikto results

DirBuster

  • Use GET requests only
  • Go Faster
  • wordlist: “/usr/share/wordlists/dirbuster/directory-list-2.3-small.txt”

Metasploit

  • search for “smb/smb_version”
msfconsole          // start metasploit
search smb_V        // search for a module to find smb versions
use 0               // use the found module
info                // get info on how to use the module
set RHOST 10.0.2.4  // set the host (target)
run                 // run the module

smbclient

List smb services

smbclient -L \\\\10.0.2.4\\

Flags

-L : List services

Findings

2 shares found!

smbclient \\\\10.0.2.4\\ADMIN$

smbclient \\\\10.0.2.4\\IPC$

Success!!!

ls

Network access denied… damn

ssh

ssh 10.0.2.4
Unable to negotiate with 10.0.2.4 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
ssh 10.0.2.4 -oKexAlgorithms=+diffie-hellman-group1-sha1
Unable to negotiate with 10.0.2.4 port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss

After fix (re-enabling the legacy key exchange and the legacy host key type the two errors asked for):

ssh 10.0.2.4 -oKexAlgorithms=+diffie-hellman-group1-sha1 -oHostKeyAlgorithms=+ssh-rsa

The authenticity of host '10.0.2.4 (10.0.2.4)' can't be established.
RSA key fingerprint is SHA256:VDo/h/SG4A6H+WPH3LsQqw1jwjyseGYq9nLeRWPCY/A.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.0.2.4' (RSA) to the list of known hosts.
kali@10.0.2.4's password: 

No banner with further info, sadly
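Added example, not part of the original write-up: a small Python helper that parses the two "Their offer:" lines above, flags each legacy algorithm with the reason a current OpenSSH client refuses it, and builds the minimal -o options for the assessment connection, preferring the less weak choice (group-exchange over the fixed 1024-bit group1, ssh-rsa over ssh-dss). The stderr sample is constructed from the lines above; the findings it produces point at the real fix, an sshd upgrade or config that offers SHA-2 key exchanges and rsa-sha2/ed25519 host key signatures.

```python
import re

# Constructed sample: the two negotiation failures quoted in the walkthrough above
SSH_STDERR = (
    "Unable to negotiate with 10.0.2.4 port 22: no matching key exchange method found. "
    "Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1\n"
    "Unable to negotiate with 10.0.2.4 port 22: no matching host key type found. "
    "Their offer: ssh-rsa,ssh-dss\n"
)

OFFER_RE = re.compile(
    r"Unable to negotiate with (\S+) port (\d+): no matching "
    r"(key exchange method|host key type) found\. Their offer: (\S+)"
)
# ssh -o option that governs each negotiation step
OPTION_FOR = {"key exchange method": "KexAlgorithms", "host key type": "HostKeyAlgorithms"}
# Legacy algorithms a current OpenSSH client refuses by default, and why
WEAK = {
    "diffie-hellman-group1-sha1": "1024-bit MODP group and SHA-1 (dropped from defaults in OpenSSH 7.0)",
    "diffie-hellman-group-exchange-sha1": "SHA-1 in key exchange (dropped from defaults in OpenSSH 7.0)",
    "ssh-dss": "1024-bit DSA host key (disabled in OpenSSH 7.0)",
    "ssh-rsa": "RSA signature over SHA-1 (disabled in OpenSSH 8.8; server offers no rsa-sha2-*)",
}
# Of the offered legacy choices, these are the ones to avoid when an alternative exists
LAST_RESORT = {"diffie-hellman-group1-sha1", "ssh-dss"}


def parse_offers(stderr):
    """Return {ssh option name: [algorithms the server offered]} from ssh's stderr."""
    return {OPTION_FOR[m.group(3)]: m.group(4).split(",") for m in OFFER_RE.finditer(stderr)}


def weak_findings(offers):
    """List (option, algorithm, reason) for every offered algorithm on the legacy list."""
    return [(opt, alg, WEAK[alg]) for opt, algs in offers.items() for alg in algs if alg in WEAK]


def assessment_command(host, offers):
    """Build the ssh command that re-enables exactly what the server needs, nothing more."""
    opts = []
    for opt, algs in offers.items():
        pick = next((a for a in algs if a not in LAST_RESORT), algs[0])
        opts.append(f"-o{opt}=+{pick}")
    return " ".join(["ssh", *opts, host])


if __name__ == "__main__":
    found = parse_offers(SSH_STDERR)
    for opt, alg, reason in weak_findings(found):
        print(f"{opt}: {alg} -> {reason}")
    print(assessment_command("10.0.2.4", found))
```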