Posts

Showing posts from May, 2015

Security Testing for entities hosted in cloud

Applications that are being migrated to the cloud, or are planned to be hosted in the cloud, need additional security considerations. Failure to ensure proper security protection when using cloud services may result in higher costs and loss to the business. Organizations must consider security controls for the different service models, viz. Infrastructure as a Service (IaaS), Software as a Service (SaaS) and Platform as a Service (PaaS).

Which applications should be moved to the cloud?
· Low to medium risk

What are the key security risks while hosting in the cloud?
· Isolation failure – Multi-tenancy is a key feature of the cloud. Failure of the controls that separate storage, memory, identity and access control, and routing between tenants is a huge risk.
· Authentication and authorization
· ...

Infrastructure Penetration Testing Presentation @ Null Meet

I had presented this slide deck during the null meet at Pune some time back.

SNMP Enumeration

SNMP has been my personal favourite protocol when it comes to enumeration. It stands for Simple Network Management Protocol. Ironically, it is often misconfigured by network administrators. On top of that, the commonly used versions of SNMP, i.e. 1, 2 and 2c, do not provide encryption, making it possible to sniff configuration and credentials. SNMP is based on UDP and is therefore also vulnerable to spoofing and replay attacks. Many network devices support reading and writing of configuration over SNMP private keys.

Scanning for open SNMP ports using nmap:

nmap -sU --open -p 161 <ip range> -oG snmp.txt

This will give you targets that have SNMP running. It is important to understand and note the SNMP version your target is using. If the community string is incorrect, the device simply discards the request and does not respond. Note: SNMP community strings are used only by devices which support the SNMPv1 and SNMPv2c protocols. SNMPv3 uses username/password authentication, al...

SMB - Server Message Block

SMB is very useful for extracting valuable information about your target. SMB runs on ports 139 and 445. SMB has had a poor security track record for a long time and has been a favourite of attackers for gathering information about the target system. Unauthenticated NULL sessions in Windows 2000 and XP are also due to SMB vulnerabilities. So, if you have a range of target IPs (e.g. 192.168.10.100 to 192.168.10.254) where you want to search for SMB, then:

nmap -n -p 139,445 -oG SMBHOSTS.txt 192.168.10.100-254

There are specific tools as well that make the job easier:

nbtscan -r <iprange>

NULL session: The null session functionality can be abused by attackers to gain a plethora of information, such as the password policy, users and usernames, group names, machine names, etc. A useful tool for null session enumeration and gathering information from it is enum4linux. Usage:

enum4linux -a <ip>

Note: null sessions exist only in SMB 1. This was patched by Microsoft in subsequent SMB releases. SMB can also be...

DNS Enumeration

DNS - Domain Name System is often a very rich source of information when doing Active Information Gathering. Enumerating DNS involves interacting with the DNS server to gather information about forward and reverse lookups. You may sometimes have to brute-force the forward and reverse lookups to gather the required information. One may also attempt a zone transfer. If you are not familiar with DNS terminology, I recommend grabbing a system administration book and having a good read. This is really important before you attempt information gathering during your penetration test. Kali has some very good tools to make your job easier:

[1] DNSRecon - This is an excellent script written in Python. Usage:

dnsrecon -d <domain name> -t axfr

In the above example the zone transfer failed.

[2] DNSENUM (automatically attempts a zone transfer as well). Usage:

dnsenum <domain name>

Here as well the zone transfer has failed, indicating the system is configured correctly. The idea was to let you k...