Footprinting

Intro

Information gathering using active (scans) and passive (use of third-party providers) methods.

Enumeration Methodology

![[enum-method33.png]]

Infrastructure Based Enumeration

Domain Information

Passively gathering information to understand the company better.

Get a first impression of its presence on the internet from its SSL certificate.

Another source to find more subdomains is crt.sh (certificate transparency logs).

# output results in JSON format from crt.sh
curl -s https://crt.sh/\?q\=inlanefreight.com\&output\=json | jq .

# filter results by unique subdomain
curl -s https://crt.sh/\?q\=inlanefreight.com\&output\=json | jq . | grep name | cut -d":" -f2 | grep -v "CN=" | cut -d'"' -f2 | awk '{gsub(/\\n/,"\n");}1;' | sort -u

# identify hosts directly accessible from the internet
for i in $(cat subdomainlist);do host $i | grep "has address" | grep inlanefreight.com | cut -d" " -f1,4;done
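The crt.sh filter and the `host` loop above depend on a long grep/cut chain that breaks when the JSON layout or the `host` wording changes. As an added example (not part of the original notes), the script below does the same two steps with small functions: it pulls unique hostnames out of crt.sh JSON, then turns `host` output into name/IP pairs. Both inputs are constructed samples that mimic the real tool output; on an engagement they would come from `curl -s 'https://crt.sh/?q=<domain>&output=json'` and `host <name>`.

```shell
#!/bin/sh
# Added example, not part of the original notes: parse crt.sh JSON into a list of
# unique hostnames, then turn `host` lookups into name/IP pairs, without the
# fragile grep/cut chain. Both inputs below are CONSTRUCTED samples that mimic
# the real tool output.

SAMPLE_CRTSH_JSON='[{"issuer_name":"C=US, O=Example CA","common_name":"www.inlanefreight.com","name_value":"www.inlanefreight.com\ninlanefreight.com"},{"issuer_name":"C=US, O=Example CA","common_name":"*.inlanefreight.com","name_value":"*.inlanefreight.com\nMAIL.inlanefreight.com"},{"issuer_name":"C=US, O=Example CA","common_name":"vpn.inlanefreight.com","name_value":"vpn.inlanefreight.com"}]'

SAMPLE_HOST_OUTPUT='www.inlanefreight.com has address 10.129.14.136
www.inlanefreight.com has IPv6 address 2001:db8::1
mail.inlanefreight.com has address 10.129.14.137
mail.inlanefreight.com mail is handled by 10 mail.inlanefreight.com.
Host vpn.inlanefreight.com not found: 3(NXDOMAIN)'

# Read crt.sh JSON on stdin and print the unique hostnames under domain $1.
# crt.sh joins the SANs of one certificate with a literal "\n" escape inside
# "name_value", so that escape is turned into a real newline before filtering.
# Wildcard names (*.domain) are dropped because they are not resolvable hosts.
crtsh_hosts() {
    domain="$1"
    grep -o '"name_value":"[^"]*"' \
      | sed 's/^"name_value":"//; s/"$//' \
      | awk '{ gsub(/\\n/, "\n"); print }' \
      | tr 'A-Z' 'a-z' \
      | grep -v '^\*' \
      | grep -E "(^|\.)${domain}\$" \
      | LC_ALL=C sort -u
}

# Read `host` output on stdin and print "name ip" for IPv4 answers only
# ("has address"); IPv6, MX and NXDOMAIN lines are ignored, which is exactly
# what the one-liner in the notes relies on.
host_a_records() {
    grep ' has address ' | awk '{ print $1, $4 }'
}

# Unique IPv4 addresses from `host` output, ready for a per-IP lookup loop.
host_ips() {
    host_a_records | awk '{ print $2 }' | LC_ALL=C sort -u
}

printf '%s\n' "$SAMPLE_CRTSH_JSON" | crtsh_hosts inlanefreight.com
printf '%s\n' "$SAMPLE_HOST_OUTPUT" | host_a_records
```

The wildcard filter matters: `*.inlanefreight.com` shows up in certificates but is not a host you can resolve, and the IPv6 line is deliberately skipped so the output matches the `has address` grep used in the notes.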

Shodan can be used to find devices and systems that are permanently connected to the internet.

for i in $(cat subdomainlist);do host $i | grep "has address" | grep inlanefreight.com | cut -d" " -f4 >> ip-addresses.txt;done

for i in $(cat ip-addresses.txt);do shodan host $i;done

Show all available DNS records (note that many servers no longer answer ANY queries completely).

dig any inlanefreight.com

Cloud Resources

# ip lookup
for i in $(cat subdomainlist);do host $i | grep "has address" | grep inlanefreight.com | cut -d" " -f1,4;done

Cloud storage can show up in DNS: during the IP lookup it is possible to find addresses that belong to a cloud provider.

Using Google dorks we can find cloud storage, e.g. inurl:amazonaws.com intext:companyname for AWS and inurl:blob.core.windows.net intext:companyname for Azure.

Web page source code can also contain references to cloud storage.

domain.glass can tell us about the company's infrastructure.

GrayHatWarfare offers different searches to discover exposed cloud storage, files and SSH keys.

Staff

Employees can be identified on business networks like LinkedIn, Xing, etc.

From job posts we can tell which technologies the company uses (Java, MySQL, Flask, etc.).

From employee profiles we can get links to personal projects, GitHub pages, etc.

From technical employees' profiles we can also infer the infrastructure and technology the company is likely using.

Host Based Enumeration

FTP

FTP runs on the application layer.

For an FTP connection, client and server first establish a control channel through port 21: the client sends commands to the server and the server returns status codes. The participants then establish a data channel, on port 20 in active mode.

  • FTP can run in active or passive mode
    • in active mode, when the client establishes the connection it also tells the server which client-side port the server can use to transmit the response (less secure, because the client has to open ports)
    • in passive mode, the server announces a port through which the client can establish the data channel

TFTP

TFTP (Trivial FTP) is simpler than FTP: it uses UDP instead of TCP and does not require user authentication.

The most used FTP server on Linux distros is vsFTPd; its config can be found in /etc/vsftpd.conf and some settings are predefined by default.

Dangerous settings

# allow anonymous login
anonymous_enable=YES
# allow anonymous users to upload files
anon_upload_enable=YES
# allow anonymous users to create directories
anon_mkdir_write_enable=YES
# do not ask anonymous users for a password
no_anon_password=YES
# directory anonymous users are placed in
anon_root=/home/username/ftp
# enable FTP write commands (STOR, DELE, MKD, ...)
write_enable=YES

Anonymous Login / Status / Detailed Output
# anonymous login
ftp 10.129.14.136

# overview of server's settings
status

# show us more information
debug
trace
Footprinting
# list nmap ftp scripts 
find / -type f -name ftp* 2>/dev/null | grep scripts

# nmap scan using version scan (-sV), aggressive scan (-A), and the default script scan (-sC)
sudo nmap -sV -p21 -sC -A 10.129.14.136

# service interaction
nc -nv 10.129.14.136 21
telnet 10.129.14.136 21

# ftp server with TLS/SSL
openssl s_client -connect 10.129.14.136:21 -starttls ftp

SMB

SMB is a client-server protocol for sharing files, printers and other network resources, primarily on Windows systems.

Samba

Samba is an alternative implementation of SMB for Unix operating systems; it uses the Common Internet File System (CIFS) network protocol, a dialect of SMB.

Default Configuration

The default configuration can be found at /etc/samba/smb.conf.

cat /etc/samba/smb.conf | grep -v "#\|\;"

Dangerous Settings

# share is listed in the browse list
browseable = yes
# share is writable
read only = no
# share is writable (same effect as read only = no)
writable = yes
# no password required to connect
guest ok = yes
# honour privileges assigned to specific SIDs
enable privileges = yes
# newly created files get full permissions
create mask = 0777
# newly created directories get full permissions
directory mask = 0777
# logon script executed on the client
logon script = script.sh
# script executed on the server when the file is closed
magic script = script.sh
# output file of the magic script
magic output = script.out

SMBClient
# list shares
smbclient -N -L //10.129.14.128

# connect to share
smbclient //10.129.14.128/notes

# download from share
get prep-prod.txt

# !<cmd> to execute local system commands
!ls

# on smb server to see status
smbstatus
Footprinting
sudo nmap 10.129.14.128 -sV -sC -p139,445

# we can use tools like rpcclient to perform MS-RPC functions
rpcclient -U "" 10.129.14.128

# rpcclient - enum
srvinfo
enumdomains
querydominfo
netshareenumall
netsharegetinfo <share>
enumdomusers
queryuser <RID>

# rpcclient - user enum
enumdomusers
queryuser 0x3e9

# rpcclient - group info
querygroup 0x201

# brute force user RIDs
for i in $(seq 500 1100);do rpcclient -N -U "" 10.129.14.128 -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo "";done

# alternative to brute forcing - Impacket script samrdump.py
samrdump.py 10.129.14.128

# the info we obtained from rpcclient can also be obtained using
# SMBMap and CrackMapExec
smbmap -H 10.129.14.128

crackmapexec smb 10.129.14.128 --shares -u '' -p ''

# enum4linux (older tool; enum4linux-ng is its rewrite)
# automates many of the queries, but not all
./enum4linux-ng.py 10.129.14.128 -A

NFS

NFS has the same purpose as SMB, for Linux and Unix systems.

The protocol itself has no authentication or authorization; instead the RPC protocol is used for authentication, and authorization is derived from file system information (ownership and permissions).

The most common authentication is via UNIX UID/GID and group memberships.

/etc/exports contains the table of local file systems the NFS server exports to clients; the default file also contains commented examples of how to configure NFS shares.

Dangerous Settings

# read and write permissions
rw
# accept requests from client ports above 1024 (non-privileged ports)
insecure
# also export file systems mounted below the exported directory
nohide
# remote root keeps root privileges on the export instead of being mapped to nobody
no_root_squash
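The three "dangerous settings" lists above (vsftpd, Samba, NFS exports) are the checklist a defender runs against a host before exposing it. As an added example (not part of the original notes), the script below audits configuration text for exactly those settings; the three configs it reads are constructed samples, and on a real host the inputs would be /etc/vsftpd.conf, /etc/samba/smb.conf and /etc/exports.

```shell
#!/bin/sh
# Added example, not part of the original notes: audit configuration text for the
# "dangerous settings" these notes list for vsftpd, Samba and NFS exports. The
# three configs below are CONSTRUCTED samples.

VSFTPD_SAMPLE='# constructed vsftpd.conf
listen=YES
anonymous_enable=YES
anon_upload_enable=NO
write_enable=YES
local_enable=YES'

SMB_SAMPLE='[global]
   workgroup = WORKGROUP
   server role = standalone server
[notes]
   path = /mnt/notes
   browseable = yes
   read only = no
   guest ok = yes
   create mask = 0644'

EXPORTS_SAMPLE='# constructed /etc/exports
/srv/backup  10.129.14.0/24(ro,sync,root_squash)
/mnt/nfs     *(rw,sync,no_root_squash,insecure)'

# Drop comments and blank lines, trim whitespace and normalise "key = value"
# to "key=value" so one pattern covers both vsftpd and smb.conf syntax.
normalize_conf() {
    sed -e 's/[;#].*$//' \
        -e 's/[[:space:]]*=[[:space:]]*/=/' \
        -e 's/^[[:space:]]*//' \
        -e 's/[[:space:]]*$//' \
      | grep -v '^$'
}

# Patterns built from the dangerous-settings lists in these notes.
VSFTPD_BAD='^(anonymous_enable|anon_upload_enable|anon_mkdir_write_enable|no_anon_password|write_enable)=YES$|^anon_root='
SMB_BAD='^(browseable=yes|read only=no|writable=yes|guest ok=yes|enable privileges=yes|create mask=0777|directory mask=0777|logon script=|magic script=|magic output=)'
NFS_BAD='[(,](rw|insecure|nohide|no_root_squash)[,)]'

# Print "<label>: <line>" for every normalised line of stdin matching $2.
flag_settings() {
    label="$1"; pattern="$2"
    normalize_conf | grep -iE "$pattern" | sed "s/^/$label: /"
}

# List only the risky export options present on stdin, one per line, unique.
# The option list is split on commas so adjacent matches are not swallowed.
nfs_bad_options() {
    normalize_conf \
      | sed -n 's/.*(\(.*\)).*/\1/p' \
      | tr ',' '\n' \
      | grep -xE 'rw|insecure|nohide|no_root_squash' \
      | LC_ALL=C sort -u
}

# Run all three audits over the samples; each finding is one line.
audit_all() {
    printf '%s\n' "$VSFTPD_SAMPLE"  | flag_settings vsftpd  "$VSFTPD_BAD"
    printf '%s\n' "$SMB_SAMPLE"     | flag_settings smb     "$SMB_BAD"
    printf '%s\n' "$EXPORTS_SAMPLE" | flag_settings exports "$NFS_BAD"
}

audit_all
```

Two details worth noting: `create mask = 0644` in the sample is deliberately not flagged (only 0777 is on the list), and the NFS check splits the option list on commas rather than using `grep -o`, because an overlapping match such as `,no_root_squash,insecure)` would otherwise hide the second option.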

Footprinting
sudo nmap 10.129.14.128 -p111,2049 -sV -sC

# nmap with NFS scripts
sudo nmap --script nfs* 10.129.14.128 -sV -p111,2049

# show available NFS shares
showmount -e 10.129.14.128

# create empty folder to mount the share
# mount share to folder
mkdir target-NFS
sudo mount -t nfs 10.129.14.128:/ ./target-NFS/ -o nolock
cd target-NFS
tree .

# we can get access by creating the same usernames, group names, UIDs and GIDs on our system to view and modify the files
# list contents with user and group names
ls -l mnt/nfs/
# list contents with UIDs and GIDs
ls -n mnt/nfs/

# unmount
cd ..
sudo umount ./target-NFS

# if root_squash is set we cannot edit the files even as root (root is mapped to nobody)

DNS

  • DNS is used to resolve domain names to IP addresses
  • types of DNS servers:
    • DNS root server
    • Authoritative name server
    • Non-authoritative name server
    • Caching server
    • Forwarding server
    • Resolver
  • DNS queries are unencrypted by default but can be encrypted using DoT, DoH or DNSCrypt
  • it also stores information about services associated with the domain, e.g. the mail servers
  • different DNS record types are used in queries:
    • A: returns an IPv4 address of the requested domain
    • AAAA: returns an IPv6 address of the requested domain
    • MX: returns the responsible mail servers
    • NS: returns the DNS servers (name servers) of the domain
    • TXT: can contain various information
    • CNAME: serves as an alias for another domain name
    • PTR: works the other way around (reverse lookup) and maps IP addresses to valid domain names
    • SOA: provides information about the DNS zone and the email address of the administrative contact
  • all DNS servers work with 3 different types of config files:
    1. local DNS configuration files
    2. zone files
    3. reverse name resolution files
  • Bind9 is often used on Linux-based distros; its local configuration file named.conf is split into:
    • named.conf.local
    • named.conf.options
    • named.conf.log
  • each zone is described completely in its own zone file, e.g. /etc/bind/db.domain.com
  • reverse name resolution zone files hold the PTR records that map IP addresses to FQDNs, e.g. /etc/bind/db.10.129.14
  • dangerous settings:
    • allow-query (which hosts may send queries)
    • allow-recursion (which hosts may send recursive queries)
    • allow-transfer (which hosts may receive zone transfers)
    • zone-statistics (collects statistical data about zones)
Footprinting
# query NS using specific DNS server with @
dig ns inlanefreight.htb @10.129.14.128

# query version
dig CH TXT version.bind @10.129.120.85

# query all records
dig any inlanefreight.htb @10.129.14.128

# AXFR zone transfer
dig axfr inlanefreight.htb @10.129.14.128

# AXFR zone transfer - internal
dig axfr internal.inlanefreight.htb @10.129.14.128

# subdomain brute force
for sub in $(cat /opt/useful/seclists/Discovery/DNS/subdomains-top1million-110000.txt);do dig $sub.inlanefreight.htb @10.129.14.128 | grep -v ';\|SOA' | sed -r '/^\s*$/d' | grep $sub | tee -a subdomains.txt;done

# enumerate subdomains using DNSEnum
dnsenum --dnsserver 10.129.14.128 --enum -p 0 -s 0 -o subdomains.txt -f /opt/useful/seclists/Discovery/DNS/subdomains-top1million-110000.txt inlanefreight.htb

SMTP

  • Simple Mail Transfer Protocol (SMTP) is a protocol for sending emails; it is used between an email client and an outgoing server, or between two SMTP servers

  • it is often combined with the IMAP or POP3 protocols

  • by default it is unencrypted, transmits all data in plaintext and uses port 25

  • newer SMTP servers (ESMTP) support encryption with SSL/TLS and use port 465 or 587; they use AUTH PLAIN for authentication

  • mail workflow:
    Client (MUA) ➞ Submission Agent (MSA) ➞ Open Relay (MTA) ➞ Mail Delivery Agent (MDA) ➞ Mailbox (POP3/IMAP)

  • the default config can be found in /etc/postfix/main.cf

  • interacting with an SMTP server:

# connect to a server
telnet 10.129.14.128 25

# init a session
HELO mail1.inlanefreight.htb

# VRFY can be used to enumerate users
# the server may answer with code 252 and "confirm" a user that does not exist
VRFY root
VRFY username

# send an email
MAIL FROM: <cry0l1t3@inlanefreight.htb>

RCPT TO: <mrb3n@inlanefreight.htb> NOTIFY=success,failure


DATA

From: <cry0l1t3@inlanefreight.htb>
To: <mrb3n@inlanefreight.htb>
Subject: DB
Date: Tue, 28 Sept 2021 16:32:51 +0200
Hey man, I am trying to access our XY-DB but the creds dont work.
Did you make any changes there?

# terminate session
QUIT

  • dangerous settings:
    • open relay configuration (mynetworks = 0.0.0.0/0): anyone can relay through the server, so it can be used to send fake emails and initiate communication between multiple parties; an attacker can also spoof an email and read it
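The telnet session above shows the raw dialogue; what a defender usually wants from it is the list of extensions the server advertises in its reply to EHLO (does it offer STARTTLS and AUTH, is VRFY still enabled?). As an added example (not part of the original notes), the script below parses such a multi-line reply. The transcript is a constructed sample standing in for a real session; nmap's smtp-commands script reports the same information.

```shell
#!/bin/sh
# Added example, not part of the original notes: parse the multi-line reply an
# SMTP server sends to EHLO and report which extensions it advertises. The
# transcript below is a CONSTRUCTED sample.

SMTP_REPLY_SAMPLE='220 mail1.inlanefreight.htb ESMTP Postfix
250-mail1.inlanefreight.htb
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-STARTTLS
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250 8BITMIME'

# The 220 greeting line without the code; it often reveals the server software.
smtp_banner() {
    grep '^220 ' | head -n 1 | sed 's/^220 //'
}

# One advertised capability per line. Continuation lines of a multi-line reply
# are "250-<text>" and the last one is "250 <text>"; the first 250 line carries
# the server's own name, not a capability, so it is skipped.
ehlo_capabilities() {
    grep -E '^250[- ]' | sed 's/^250[- ]//' | sed '1d'
}

# Exit 0 if the keyword in $1 is advertised (first word of a capability line).
smtp_advertises() {
    keyword="$1"
    ehlo_capabilities | awk -v kw="$keyword" '$1 == kw { found = 1 } END { exit found ? 0 : 1 }'
}

# Summarise the capabilities a defender cares about: STARTTLS should be present,
# VRFY and EXPN are better disabled because they allow user enumeration.
smtp_summary() {
    for kw in STARTTLS AUTH VRFY EXPN; do
        if printf '%s\n' "$SMTP_REPLY_SAMPLE" | smtp_advertises "$kw"; then
            echo "$kw: advertised"
        else
            echo "$kw: not advertised"
        fi
    done
}

smtp_summary
```

The `250-` versus `250 ` distinction is the whole point of the parser: a client (or a script) that only looks for `250 ` would stop at the final line and miss every extension listed before it.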
Footprinting
# default nmap script includes smtp-commands
sudo nmap 10.129.14.128 -sC -sV -p25

# to identify the SMTP target as open relay
sudo nmap 10.129.14.128 -p25 --script smtp-open-relay

IMAP / POP3

  • Internet Message Access Protocol (IMAP) is used to access emails on a mail server; it allows online management of emails and supports folder structures
  • Post Office Protocol (POP3) only provides listing, retrieving and deleting emails
  • IMAP is unencrypted by default and uses port 143; it can be encrypted with SSL/TLS on port 143 (STARTTLS) or port 993
  • ports 110 and 995 are used by default for POP3, and ports 143 and 993 for IMAP; the higher ports (993 and 995) use TLS/SSL
  • dangerous settings:
    • auth_debug
    • auth_debug_passwords
    • auth_verbose
    • auth_verbose_passwords
    • auth_anonymous_username

Footprinting
sudo nmap 10.129.14.128 -sV -p110,143,993,995 -sC

# login to the mail server with credentials
curl -k 'imaps://10.129.14.128' --user user:p4ssw0rd

# with verbose, to see version of TLS, SSL certificate, banner, and version of the mail server
curl -k 'imaps://10.129.14.128' --user cry0l1t3:1234 -v


# we can use openssl or ncat to interact with IMAP or POP3 over SSL
openssl s_client -connect 10.129.14.128:pop3s

openssl s_client -connect 10.129.14.128:imaps


SNMP

MySQL

MSSQL

Oracle TNS

IPMI