Wednesday, 1 November 2017

SMB / Netbios Enumeration

SMB / Netbios
# Search for SMB services (open ports only reported)
nmap -p139,445 a.a.a.a-b --open

# Specific nbt span
nbtscan a.a.a.a-b

SMB Null Session 
This is valid for Windows machines before 2003 Server and XP
rpcclient -U "" a.a.a.a
Password: <leave empty>
> srvinfo
... (server info)
> enumdomusers
... (users defined on server)
> getdompwinfo
... (password policy info)

enum4linux
enum4linux -v a.a.a.a

nmap using 'nse'
# Enumerate SMB users
nmap -p139,445 --script smb-enum-users a.a.a.a

# Check for SMB Vunerabilities
nmap -p139,445 --script smb-check-vulns --script-args=unsafe=1 a.a.a.a


SNMP Enumeration

SNMP Enumeration
# SNMP scan for open 161 ports
nmap -sU -p 161 --open a.a.a.a-b

onesixtyone
# Use the 161 tool
# community is a file which contains a list of community strings eg
public
private
manager
# ips is a file which contains a list of ip addresses.  It can be generated easily using
for ip in (seq 50 100); do
echo a.a.a.$ip >> ips
done
# Now invoke the onesixtyone tool with these files
onesixtyone -c community -i ips

snmpwalk
# Use snmpwalk to get the values of each leaf of the snmp server using community string 'public' and version 1
snmpwalk -c public -v1 a.a.a.a

# Search for a particular MiB value
snmpwalk -c public -v1 a.a.a.a 1.2.3.4.5.6.7.8.9

snmpenum



snmpcheck



SMTP Enumeration

SMTP Enumeration
# Scan for open port 25
nmap -sT -p 25 --open a.a.a.a-b


# Connect to an SMTP server
nc -nv a.a.a.a 25
220 ... server details
# Verify that a user exists.
> VRFY ******
250 ... ******


where a.a.a.a-b is an ip range such as 192.168.1.100-150

nmap & Port Scanning

# ICMP / ping sweep
nmap -sn a.a.a.a-b

# Output to a grepable file
nmap -sn a.a.a.a-b -oG nmap-ping-sweep.txt
grep Up nmap-ping-sweep.txt

# Specific port scan
nmap -p 22 a.a.a.a-b -oG nmap-ssh-scan.txt


Port Scanning
# Connect scan
nmap -sT a.a.a.a-b

# Syn / half open scan
nmap -sS a.a.a.a-b

# Syn scan on the top 100 ports
nmap -sS --top-ports 100 a.a.a.a-b

# ACK scan
nmap -sA --top-ports 100 a.a.a.a-b

# SNMP scan for open 161 ports
nmap -sU -p 161 --open a.a.a.a-b

# Banner grabbing
nmap -sV a.a.a.a-b

# Operating system fingerprinting
nmap -O a.a.a.a-b

# Comprehensive scan
nmap -A a.a.a.a-b

nse = nmap scripting engine

where a.a.a.a-b is an ip range such as 192.168.1.100-150


Thursday, 14 September 2017

Using hping3

A quick cheat sheet for using hping3 for port scanning,

-c 1      Only send one request per port (c = count)
-v        Verbose, show response for each port
-1        Sends a ping request (ICMP echo request) This number one not letter ell
-2        Send as UDP packet
-S        Send a SYN scan, open ports will send a SYN-ACK packet back (a half-open scan)
-A        Send an ACK packet
-F        Send packet with a FIN flag
-8 1-500  Scan a range of ports equivalent of --span
-p 80     Scan a particular port

Examples

Send one request with a half-open scan to port 80
> hping3 -c 1 -S <www.website.somewhere> -p 80
HPING <www.website.somewhere> (eth1 <website ip>): S set, 40 headers + 0 data bytes
len=46 ip=<website ip> ttl=64 id=31610 sport=80 flags=SA seq=0 win=65535 rtt=14.8 ms

--- <www.website.somewhere> hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss


Send one request per port using a half-open scan against a Windows XP machine with no firewall
>hping3 -c 1 -S --scan 1-10000 <ip address>
Scanning <ip address>, port 1-10000
10000 ports to scan, use -V to see all the replies
+----+-----------+---------+---+-----+-----+-----+
|port| serv name |  flags  |ttl| id  | win | len |
+----+-----------+---------+---+-----+-----+-----+
  445 microsoft-d: .S..A...  64 33955 65535    46
  139 netbios-ssn: .S..A...  64 46756 65535    46
  135 loc-srv    : .S..A...  64 47780 65535    46
 3389              .S..A...  64 58947 65535    46

All replies received. Done.
Not responding ports:

Flags
The S and A flags show that the target system responded with a SYN-ACK which means the port is open and can be explored further.

Tuesday, 6 June 2017

Spring Sleuth

Sleuth is used to trace calls in a microservices environment. It creates a trace-id over the whole interactions and a span-id between each call.  For example, there is a call from a client to a microservice to load information for a customer id.  First is the call to the customer service, then the recent orders and accounts services.  All these calls would share the same trace-id but between each one is a different span-id.  To turn on sleuth just add the following dependencies into the pom.  You'll also need to add an application name.

spring.application.name=My Server

Maven


<dependency>
    <groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-starter-sleuth</artifactId>
    <version>1.2.0.RELEASE</version>
</dependency>

The trace and span ids will now be created and can be seen in the headers.

To log this and make it useful though is one thing but there is a graphical tool which makes this very easy.

Zipkin

Zipkin can be configured so that all Sleuth output is sent there and it allows a view of the interactions so that the times and services called can be seen.  To configure and use zipkin just add another dependency,

<dependency>
    <groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-sleuth-zipkin</artifactId>
    <version>1.2.0.RELEASE</version>
</dependency>

By default everything is logged to localhost:9411 but this can be changed by adding a property

spring.zipkin.baseurl=http://zipkin:9411/

Docker

If you are running with docker you'll need to add a zipkin image into the compose file,

      
  zipkin:
    image: openzipkin/zipkin
    networks:
      - my-network
    hostname: zipkin
    ports:
      - "9411:9411"




Tuesday, 18 April 2017

Docker crib sheet

Here are a list of commands that are useful for docker, docker-machine and docker-compose

Listings

// See what docker containers are running
docker ps

// See which images exist
docker images
docker image ls

// See which networks exist (usually created as part of docker-compose)
docker network ls

// See which volumes exist
docker volume ls

Removing Images and Containers

// List the images and then remove one using the image id
docker rmi <image_id>

// List the containers and remove one using the container id
docker rm <container_id>

// Remove a volume
docker volume rm <volume_id>

// Remove a network
docker network rm <network_id>

Starting and stopping

// Start a particular image and routing 1234 on localhost to 5678 on the docker image.  For a web application you'll need to expose the application server port such as 8080 eg -p 8080:8080
// After running this it'll show up on a docker ps as a container running this image
docker run -p 1234:5678 <image_id>

// Start an image in 'detached' mode to keep the output quiet
docker run -d -p 1234:5678 <image_id>

// View the logs of the docker container running a particular image
docker logs <container_id>

// Stop a particular container
docker stop <container_id>

// Attach a shell to a running docker container
docker exec -it <container_id> "/bin/bash"

// Start with an environment variable
docker run -d -e MY_ENVIRONMENT_VAR=bob <image_id>

Other useful commands

// See what resources are currently being used
docker stats

// Grab the logs from a docker machine
dockers logs <container_id> > output.log

// Copy a file from a docker image to the local machine
docker cp <container_id>:<container file path> <local path>
docker cp ab34d4532e78:/tmp/log.txt ./

docker-machine

// Useful where the host machine doesn't support natively such as anything pre windows 10

// Get the ip of the docker-machine, usually 192.168.99.100
docker-machine ip