3.2-Windows-Reconnaissance.md

File metadata and controls

90 lines (64 loc) · 1.36 KB

# Pre-Intrusion phase (Windows)

## Enumeration

Query the NetBIOS name table of a host (node status request):

```
nmblookup -A 192.168.1.102
```

### RPC

Querying rpcbind (the portmapper) lists the RPC programs a host has registered; entries such as `mountd` and `nfs` point to NFS shares.

List the services registered with RPC:

```
rpcinfo -p <ip>                       # rpcbind is the daemon; rpcinfo is the client that queries it
locate '*rpc*.nse'                    # quote the glob so the shell does not expand it locally
nmap --script rpcinfo.nse <ip> -p 111
```

Connect with a null session (only works against older Windows servers):

```
rpcclient -U james 10.10.10.52        # authenticated, as a known user
rpcclient -U "" -N 192.168.1.105      # null session: empty user, -N skips the password prompt
                                      # (without -N, press Enter when asked for a password)
rpcclient $> srvinfo
rpcclient $> enumdomusers
rpcclient $> enumalsgroups domain
rpcclient $> lookupnames administrators
rpcclient $> querydominfo
rpcclient $> queryuser john
```

### SMB

SMB is the Windows file-sharing protocol; Samba is its Unix implementation and provides the `smbclient` tool used below.

```
smbclient -L <ip>        # list the shares a host offers
smbclient --list <ip>    # same, long option
```

Enumerate shares and discover the OS:

```
# script names are comma-separated; with a space, nmap would treat the second name as a target
nmap -p 139,445 192.168.1.1/24 --script smb-enum-shares.nse,smb-os-discovery.nse
```

Check SMB for known vulnerabilities:

```
nmap --script=smb-check-vulns.nse <ip> -p 445
# smb-check-vulns was removed from Nmap and split into the smb-vuln-* scripts;
# on a current Nmap use: nmap --script smb-vuln-* <ip> -p 445
```

Connect to a share (`-L` only lists; `//host/share` connects):

```
smbclient //<ip>/ShareName -U <username> -p 445
```

### SMTP

```
nc <ip> 25
VRFY root    # asks the server whether the user exists (VRFY is often disabled)
```

Enumerate the commands the SMTP server supports (e.g. VRFY/EXPN):

```
nmap --script smtp-commands.nse <ip> -p 25
```

### NFS

```
cat /etc/exports    # on the NFS server itself: which directories are exported, and to whom
```

Enumerate mountable shares remotely:

```
showmount -e <ip>
locate '*nfs*.nse'
nmap --script nfs-showmount.nse <ip>
```
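The RPC and NFS sections above both rely on reading tool output by eye. As an added example (not part of the original notes), this script parses constructed `rpcinfo -p` and `showmount -e` output to report which NFS-related RPC programs a host exposes and which exports are mountable from any host, which is the exposure check an administrator would want to automate against their own servers. The sample output, the host 192.0.2.10 and the export paths are constructed.

```python
# Added example (not the original notes' code): flag NFS exposure from rpcinfo/showmount output.
# Constructed sample in the format `rpcinfo -p` prints.
RPCINFO_SAMPLE = """\
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100005    1   udp  35921  mountd
    100005    3   tcp  45433  mountd
    100003    3   tcp   2049  nfs
    100021    1   udp  40325  nlockmgr
"""
# Constructed sample in the format `showmount -e` prints.
SHOWMOUNT_SAMPLE = """\
Export list for 192.0.2.10:
/srv/backup *
/home       10.0.0.0/24
"""
NFS_SERVICES = {"nfs", "mountd", "nlockmgr"}  # RPC programs that make up an NFS server

def parse_rpcinfo(text):
    """Return (service, proto, port) tuples from `rpcinfo -p` output."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        # Data rows start with the numeric program id; the header row does not.
        if len(parts) >= 4 and parts[0].isdigit():
            service = parts[4] if len(parts) > 4 else parts[0]  # unnamed programs keep their id
            entries.append((service, parts[2], int(parts[3])))
    return entries

def nfs_exposure(text):
    """Map each NFS-related RPC service to the (proto, port) pairs it is registered on."""
    exposure = {}
    for service, proto, port in parse_rpcinfo(text):
        if service in NFS_SERVICES:
            exposure.setdefault(service, set()).add((proto, port))
    return exposure

def parse_showmount(text):
    """Return {export_path: client_spec} from `showmount -e` output."""
    exports = {}
    for line in text.splitlines():
        if line.startswith("/"):
            path, _, clients = line.partition(" ")
            exports[path] = clients.strip()
    return exports

def open_exports(text):
    """Exports whose client list is '*', i.e. mountable from any host."""
    return sorted(p for p, c in parse_showmount(text).items() if c == "*")
```

Feed it the real output of `rpcinfo -p <ip>` and `showmount -e <ip>` from the notes above; an export with client spec `*` is the first thing to restrict in `/etc/exports`.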