Wednesday, 1 November 2017

SMB / Netbios Enumeration

SMB / Netbios
# Search for SMB services (open ports only reported)
nmap -p139,445 a.a.a.a-b --open

# NetBIOS name scan of the range (workgroup, machine name and logged-on user where exposed)
nbtscan a.a.a.a-b

SMB Null Session
A null session is an anonymous logon to the IPC$ share.  It is generally only usable against Windows versions older than XP and Server 2003; later versions restrict anonymous enumeration by default, although Samba servers may still allow it depending on their configuration.
rpcclient -U "" a.a.a.a
Password: <leave empty>   (or pass -N to skip the prompt)
> srvinfo
... (server info)
> enumdomusers
... (users defined on server)
> getdompwinfo
... (password policy info, useful before any password guessing so the lockout threshold is known)

enum4linux -v a.a.a.a

nmap using 'nse'
# Enumerate SMB users
nmap -p139,445 --script smb-enum-users a.a.a.a

# Check for SMB vulnerabilities.  smb-check-vulns was removed in nmap 7 and replaced by the individual smb-vuln-* scripts (e.g. --script smb-vuln-*); unsafe=1 enables checks that can crash the target, so only use it with permission.
nmap -p139,445 --script smb-check-vulns --script-args=unsafe=1 a.a.a.a

SNMP Enumeration

SNMP Enumeration
# SNMP scan for open 161 ports
nmap -sU -p 161 --open a.a.a.a-b

# Use the onesixtyone tool to brute-force community strings
# community is a file containing the community strings to try, one per line
# ips is a file containing the ip addresses to scan, one per line.  It can be generated easily using
for ip in $(seq 50 100); do echo a.a.a.$ip >> ips; done
# Now invoke the onesixtyone tool with these files
onesixtyone -c community -i ips

# Use snmpwalk to dump every value the agent exposes, using community string 'public' and SNMP version 1 (use -v2c for agents that only answer SNMPv2c)
snmpwalk -c public -v1 a.a.a.a

# Walk only a particular MIB subtree by giving its OID, e.g. 1.3.6.1.2.1.25.4.2.1.2 (hrSWRunName, the running processes)
snmpwalk -c public -v1 a.a.a.a <oid>
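The steps above (generate the ips file, run onesixtyone, then snmpwalk the agents that answered) can be chained into one script.  The following is an added example, not code from the original post: it fixes the ips loop, parses onesixtyone's "ip [community] sysDescr" output lines with awk, and walks the subtrees a pentester usually wants first.  It assumes onesixtyone and snmpwalk (net-snmp) are installed; the 10.0.0.x addresses and the sample onesixtyone output are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: build the ips file, brute-force
# community strings with onesixtyone, then snmpwalk only the hosts and
# communities that answered.  Assumes onesixtyone and snmpwalk (net-snmp) are
# installed; the subnet is hypothetical.

# Write <prefix>.50 .. <prefix>.100 to the file named by $2 (the post's loop, completed).
make_ip_list() {
    prefix="$1"; out="$2"
    : > "$out"
    for last in $(seq 50 100); do
        echo "$prefix.$last" >> "$out"
    done
}

# onesixtyone prints one line per hit:   <ip> [<community>] <sysDescr>
# Reduce that to "ip community" pairs, one per line, deduplicated.
parse_onesixtyone() {
    awk '$1 ~ /^[0-9.]+$/ && $2 ~ /^\[.*\]$/ {
        c = $2; gsub(/\[|\]/, "", c); print $1, c
    }' | sort -u
}

# Walk the subtrees that matter most for enumeration:
#   1.3.6.1.2.1.1            system group (sysDescr, sysName, ...)
#   1.3.6.1.2.1.25.4.2.1.2   hrSWRunName, running processes
#   1.3.6.1.2.1.6.13.1.3     tcpConnLocalPort, listening TCP ports
#   1.3.6.1.4.1.77.1.2.25    Windows user accounts (LAN Manager MIB)
walk_host() {
    host="$1"; community="$2"
    for oid in 1.3.6.1.2.1.1 1.3.6.1.2.1.25.4.2.1.2 1.3.6.1.2.1.6.13.1.3 1.3.6.1.4.1.77.1.2.25; do
        echo "--- $host [$community] $oid"
        snmpwalk -v1 -c "$community" "$host" "$oid"
    done
}

# Whole chain: ips file -> onesixtyone -> snmpwalk of every responding agent.
# The community file is the same one the post uses.
snmp_sweep() {
    make_ip_list "$1" ips
    onesixtyone -c community -i ips | parse_onesixtyone | while read -r ip community; do
        walk_host "$ip" "$community"
    done
}

# Constructed sample of onesixtyone output, used to check the parser offline.
SAMPLE_161='Scanning 51 hosts, 2 communities
10.0.0.9 [private] Hardware: x86 Family 6 Model 23 - Software: Windows 2000 Version 5.1
10.0.0.7 [public] Linux printer 2.6.32 #1 SMP
10.0.0.7 [public] Linux printer 2.6.32 #1 SMP'

demo_parse_onesixtyone() {
    printf '%s\n' "$SAMPLE_161" | parse_onesixtyone
}

# Usage: sh snmp-sweep.sh 10.0.0    (hypothetical subnet prefix)
if [ "$#" -gt 0 ]; then
    snmp_sweep "$1"
fi
```

A community string that is accepted for a read is not necessarily the only one; a second, write-enabled string such as private is worth keeping in the community file because a writable agent is a much bigger finding than a readable one.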



SMTP Enumeration

SMTP Enumeration
# Scan for open port 25
nmap -sT -p 25 --open a.a.a.a-b

# Connect to an SMTP server
nc -nv a.a.a.a 25
220 ... server details
# Verify that a user exists.  A 250 reply means the address is known; 252 means the server will not confirm it (try EXPN, or RCPT TO after a MAIL FROM, instead); 550 means no such user.
> VRFY ******
250 ... ******
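Doing the VRFY check by hand for one user is fine, but against a candidate list it is easier to script.  The following is an added example, not code from the original post: it sends VRFY through nc for every name in a file and classifies the reply codes (250/251 known, 252 unverifiable, 550 unknown, other 5xx rejected).  It assumes nc (netcat) is installed; the host, the user file and the sample transcript are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: VRFY a whole list of candidate
# users through nc and classify each reply.  Assumes nc (netcat) is installed;
# the host and user list are hypothetical.

# Map the SMTP reply line to a verdict.  250/251: the address is known,
# 252: the server will not confirm it (VRFY disabled or restricted),
# 550: no such user, any other 5xx: the command itself was rejected.
classify_vrfy() {
    case "$1" in
        250*|251*) echo exists ;;
        252*)      echo unverifiable ;;
        550*)      echo unknown ;;
        5*)        echo rejected ;;
        *)         echo other ;;
    esac
}

# Pick the VRFY reply out of a full session transcript: drop the 220 greeting
# (possibly multi-line) and the 221 goodbye, strip CRs, keep the first line left.
vrfy_reply_from_transcript() {
    tr -d '\r' | grep -v '^22[01]' | head -n 1
}

# Send VRFY for one user and print the server's reply to it.  The sleeps give
# the server time to send its greeting and its answer before nc closes.
vrfy_user() {
    host="$1"; user="$2"
    {
        sleep 1
        printf 'VRFY %s\r\nQUIT\r\n' "$user"
        sleep 2
    } | nc -nv "$host" 25 2>/dev/null | vrfy_reply_from_transcript
}

# VRFY every non-empty line of a user file against a host.
vrfy_list() {
    host="$1"; file="$2"
    while read -r user; do
        [ -n "$user" ] || continue
        reply=$(vrfy_user "$host" "$user")
        printf '%-16s %-13s %s\n' "$user" "$(classify_vrfy "$reply")" "$reply"
    done < "$file"
}

# Constructed transcript of one session, for an offline check of the parsing.
SAMPLE_TRANSCRIPT='220-mail.corp.local ESMTP
220 ready
252 2.0.0 root
221 2.0.0 Bye'

demo_classify() {
    classify_vrfy "$(printf '%s\n' "$SAMPLE_TRANSCRIPT" | vrfy_reply_from_transcript)"
}

# Usage: sh vrfy-users.sh 10.0.0.25 users.txt    (hypothetical host and file)
if [ "$#" -gt 1 ]; then
    vrfy_list "$1" "$2"
fi
```

When every name comes back as unverifiable the server has VRFY turned off; the same loop can be rewritten to send MAIL FROM followed by RCPT TO for each candidate, since many servers still distinguish a known from an unknown recipient at the RCPT stage.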

where a.a.a.a-b is an ip range such as

nmap & Port Scanning

# ICMP / ping sweep
nmap -sn a.a.a.a-b

# Output to a grepable file
nmap -sn a.a.a.a-b -oG nmap-ping-sweep.txt
grep Up nmap-ping-sweep.txt

# Specific port scan
nmap -p 22 a.a.a.a-b -oG nmap-ssh-scan.txt
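The grepable output used above is easiest to consume with a small parser, and the SMB / Netbios post earlier on this page (sweep for 139/445, then a null session with rpcclient) is the natural thing to drive with it.  The following is an added example serving both, not code from the original posts: it extracts the hosts with a given port open from nmap -oG output and runs the three rpcclient commands from the SMB post against each host that has 445 open.  It assumes nmap and rpcclient (samba-common-bin) are installed; the sample -oG lines and the 192.168.56.x range are constructed.

```shell
#!/bin/sh
# Added example, not from the original posts: sweep a range for SMB with nmap,
# parse the grepable (-oG) output, and try a null session against every host
# that has 445 open.  Assumes nmap and rpcclient (samba-common-bin) are
# installed and that you are authorised to scan the range.

# Print the hosts in nmap -oG output that have port $1 reported as open.
# A grepable host line looks like (each port entry is "port/state/proto/..."):
#   Host: 10.0.0.5 ()  Ports: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///
open_hosts() {
    awk -v port="$1" '
        /^Host:/ && /Ports:/ {
            split($0, parts, "Ports: ")
            n = split(parts[2], entries, ", ")
            for (i = 1; i <= n; i++) {
                split(entries[i], f, "/")
                if (f[1] == port && f[2] == "open") { print $2; break }
            }
        }'
}

# Null session: empty user (-U ""), no password prompt (-N), and the three
# enumeration commands from the SMB post run as one batch (-c).
null_session() {
    rpcclient -N -U "" "$1" -c "srvinfo;enumdomusers;getdompwinfo"
}

# Sweep a range and enumerate every host that answers on 445.
smb_sweep() {
    nmap -p139,445 --open -oG - "$1" | open_hosts 445 | while read -r host; do
        echo "=== $host ==="
        null_session "$host"
    done
}

# Constructed sample of -oG output, used to check the parser offline.
SAMPLE_GREPABLE='Host: 10.0.0.5 ()  Ports: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///  Ignored State: closed (998)
Host: 10.0.0.6 ()  Ports: 139/closed/tcp//netbios-ssn///, 445/filtered/tcp//microsoft-ds///
Host: 10.0.0.7 (dc.corp.local)  Ports: 445/open/tcp//microsoft-ds///'

demo_open_hosts() {
    printf '%s\n' "$SAMPLE_GREPABLE" | open_hosts 445
}

# Usage: sh smb-null-sweep.sh 192.168.56.1-254    (hypothetical range)
if [ "$#" -gt 0 ]; then
    smb_sweep "$1"
fi
```

open_hosts takes the port as an argument, so the same parser feeds the ssh scan above (open_hosts 22 on nmap-ssh-scan.txt) or any other single-port sweep.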

Port Scanning
# Connect scan
nmap -sT a.a.a.a-b

# Syn / half open scan
nmap -sS a.a.a.a-b

# Syn scan on the top 100 ports
nmap -sS --top-ports 100 a.a.a.a-b

# ACK scan (maps firewall rules: an RST reply means the port is unfiltered, no reply means filtered; it does not say whether a port is open)
nmap -sA --top-ports 100 a.a.a.a-b

# SNMP scan for open 161 ports
nmap -sU -p 161 --open a.a.a.a-b

# Service and version detection (banner grabbing)
nmap -sV a.a.a.a-b

# Operating system fingerprinting
nmap -O a.a.a.a-b

# Comprehensive scan
nmap -A a.a.a.a-b

nse = nmap scripting engine

where a.a.a.a-b is an ip range such as

Thursday, 14 September 2017

Using hping3

A quick cheat sheet for using hping3 for port scanning:

-c 1      Only send one packet per port (c = count)
-v        Verbose, show the response for each port
-1        Send an ICMP echo request (ping); this is the digit one, not the letter l
-2        Send as a UDP packet
-S        Set the SYN flag; open ports reply with a SYN-ACK (a half-open scan)
-A        Send an ACK packet
-F        Send a packet with the FIN flag set
-8 1-500  Scan a range of ports, the short form of --scan 1-500
-p 80     Scan a particular port


Send one request with a half-open scan to port 80
> hping3 -c 1 -S <> -p 80
HPING <> (eth1 <website ip>): S set, 40 headers + 0 data bytes
len=46 ip=<website ip> ttl=64 id=31610 sport=80 flags=SA seq=0 win=65535 rtt=14.8 ms

--- <> hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss

Send one request per port using a half-open scan against a Windows XP machine with no firewall
>hping3 -c 1 -S --scan 1-10000 <ip address>
Scanning <ip address>, port 1-10000
10000 ports to scan, use -V to see all the replies
|port| serv name |  flags  |ttl| id  | win | len |
  445 microsoft-d: .S..A...  64 33955 65535    46
  139 netbios-ssn: .S..A...  64 46756 65535    46
  135 loc-srv    : .S..A...  64 47780 65535    46
 3389              .S..A...  64 58947 65535    46

All replies received. Done.
Not responding ports:

The S and A flags show that the target system responded with a SYN-ACK, which means the port is open and can be explored further.  A reply with the R flag set (RST-ACK) means the port is closed, and ports that never reply appear under "Not responding ports:", which usually means a firewall is dropping the probe rather than the port being closed.
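Reading the flags column by eye works for a handful of rows but not for a 10000-port scan, so here is an added example, not code from the original post, that classifies each row of an hping3 --scan table.  It assumes the flags column has the eight flags in the order F S R P A U X Y with "." for a flag that is not set, as in the table above; the sample table reuses the rows from the post plus one constructed RST-ACK row for port 22.

```shell
#!/bin/sh
# Added example, not from the original post: classify the rows of an hping3
# --scan table by their flags column.  Assumes the table format shown in the
# post, where the flags column holds F S R P A U X Y in that order and "." for
# a flag that is not set.

# Read an hping3 --scan table on stdin and print "port state" for each row.
# SYN+ACK (.S..A...) is open; anything with RST (a RST-ACK, ..R.A...) is closed.
# Ports that never answer are not in the table at all (they are listed under
# "Not responding ports:"), which means filtered, not closed.
hping_states() {
    awk '
        $1 ~ /^[0-9]+$/ {
            flags = ""
            for (i = 2; i <= NF; i++)
                if (length($i) == 8 && $i ~ /^[FSRPAUXY.]+$/) { flags = $i; break }
            if (flags == "") next               # header or summary line, not a port row
            if (flags ~ /S/ && flags ~ /A/)     state = "open"
            else if (flags ~ /R/)               state = "closed"
            else                                state = "other"
            print $1, state
        }'
}

# The table from the post plus one constructed RST-ACK row (port 22).
SAMPLE_SCAN='Scanning 10.0.0.12, port 1-10000
10000 ports to scan, use -V to see all the replies
|port| serv name |  flags  |ttl| id  | win | len |
  445 microsoft-d: .S..A...  64 33955 65535    46
  139 netbios-ssn: .S..A...  64 46756 65535    46
  135 loc-srv    : .S..A...  64 47780 65535    46
 3389              .S..A...  64 58947 65535    46
   22 ssh        : ..R.A...  64 11111     0    46
All replies received. Done.
Not responding ports:'

demo_hping_states() {
    printf '%s\n' "$SAMPLE_SCAN" | hping_states
}

# Usage: hping3 -c 1 -S --scan 1-10000 <ip address> | sh -c '. ./hping-states.sh; hping_states'
```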

Tuesday, 6 June 2017

Spring Sleuth

Sleuth is used to trace calls in a microservices environment.  It creates a trace-id that covers the whole interaction and a span-id for each individual call.  For example, a client calls a microservice to load the information for a customer id.  First there is the call to the customer service, then calls to the recent orders and accounts services.  All these calls share the same trace-id, but each one has a different span-id.  To turn on Sleuth just add the Sleuth starter dependency (spring-cloud-starter-sleuth) to the pom.xml.  You'll also need to give the application a name (the spring.application.name property), as that is the name the service is recorded under in the trace.



The trace and span ids will now be created, propagated between services in the HTTP headers (X-B3-TraceId and X-B3-SpanId) and written into each log line.

Logging them is one thing, but there is a graphical tool which makes the traces much easier to read.


Zipkin can be configured as the destination for all Sleuth output, and it gives a view of each interaction so that the services called and the time spent in each can be seen.  To configure and use Zipkin just add another dependency (spring-cloud-starter-zipkin),


By default everything is sent to localhost:9411, but this can be changed with the spring.zipkin.baseUrl property



If you are running with docker you'll need to add a zipkin service to the compose file,

  zipkin:
    image: openzipkin/zipkin
    networks:
      - my-network
    hostname: zipkin
    ports:
      - "9411:9411"

Tuesday, 18 April 2017

Docker crib sheet

Here is a list of commands that are useful for docker, docker-machine and docker-compose


// See what docker containers are running (add -a to include stopped ones)
docker ps

// See which images exist
docker images
docker image ls

// See which networks exist (usually created as part of docker-compose)
docker network ls

// See which volumes exist
docker volume ls

Removing Images and Containers

// List the images and then remove one using the image id
docker rmi <image_id>

// List the containers and remove one using the container id
docker rm <container_id>

// Remove a volume
docker volume rm <volume_id>

// Remove a network
docker network rm <network_id>

Starting and stopping

// Start a container from an image, mapping port 1234 on localhost to port 5678 inside the container (-p host:container).  For a web application you'll need to expose the application server port, such as 8080, e.g. -p 8080:8080
// After running this it'll show up in docker ps as a container running this image
docker run -p 1234:5678 <image_id>

// Start a container in 'detached' mode: it runs in the background and docker prints the container id instead of attaching to its output
docker run -d -p 1234:5678 <image_id>

// View the logs of the docker container running a particular image
docker logs <container_id>

// Stop a particular container
docker stop <container_id>

// Attach a shell to a running docker container
docker exec -it <container_id> "/bin/bash"

// Start with an environment variable
docker run -d -e MY_ENVIRONMENT_VAR=bob <image_id>

Other useful commands

// See what resources are currently being used
docker stats

// Save the logs of a container to a file
docker logs <container_id> > output.log

// Copy a file out of a container to the local machine
docker cp <container_id>:<container file path> <local path>
docker cp ab34d4532e78:/tmp/log.txt ./


// docker-machine: useful where the host doesn't support docker natively, such as Windows versions before 10

// Get the ip of the docker-machine, usually
docker-machine ip