Enumerating Services

We cannot enumerate every ports on every machines during an internal assessment (because of allotted time). We have to choose specific ports (smb, web ports, administrative ports, etc).

SMB

To make our life easier during exploitation and post-exploitation, machines with port 445 open must be enumerated.

sudo nmap -Pn -p 445 -iL targets_rfc1918.txt -oA targets_smb ;
cat targets_smb.gnmap | grep "445/open" | cut -d" " -f 2 > targets_smb.txt

Databases Ports

You can enumerate SQL services with:

sudo nmap -Pn -p 1433,3306,5432 -iL targets_rfc1918.txt -oA targets_sql ;
cat targets_sql.gnmap | grep "1433/open" | cut -d" " -f 2 > targets_sqlserver.txt ;
cat targets_sql.gnmap | grep "3306/open" | cut -d" " -f 2 > targets_mysql.txt ;
cat targets_sql.gnmap | grep "5432/open" | cut -d" " -f 2 > targets_postgresql.txt

Administrative Ports

It is interesting to enumerate administrative services:

sudo nmap -Pn -p 21,22,23,88,3389,5900 -iL targets_rfc1918.txt -oA targets_adm ;
cat targets_sql.gnmap | grep "21/open" | cut -d" " -f 2 > targets_ftp.txt ;
cat targets_sql.gnmap | grep "22/open" | cut -d" " -f 2 > targets_ssh.txt ;
cat targets_sql.gnmap | grep "23/open" | cut -d" " -f 2 > targets_telnet.txt ;
cat targets_sql.gnmap | grep "3389/open" | cut -d" " -f 2 > targets_rdp.txt ;
cat targets_sql.gnmap | grep "5900/open" | cut -d" " -f 2 > targets_vnc.txt

Web Ports

Enumerating web services is important to test for sensitive web applications exposure (administrative applications, vulnerable applications, etc).

sudo nmap -Pn -p 80,443,8080,8443,9006,7001,7002,8081,49153,10000 -iL targets_rfc1918.txt -oA targets_web

All these scans give us valuable information.

When a blacklist is provided by client, simply use:

• zmap:

  • --blacklist-file

• nmap:

  • --excludefile

Automating

This script automatize previous steps.

sudo nmap -Pn -p 445 -iL targets_rfc1918.txt -oA targets_smb ;
cat targets_smb.gnmap | grep "445/open" | cut -d" " -f 2 > targets_smb.txt ;
sudo nmap -Pn -p 1433,3306,5432 -iL targets_rfc1918.txt -oA targets_sql ;
cat targets_sql.gnmap | grep "1433/open" | cut -d" " -f 2 > targets_sqlserver.txt ;
cat targets_sql.gnmap | grep "3306/open" | cut -d" " -f 2 > targets_mysql.txt ;
cat targets_sql.gnmap | grep "5432/open" | cut -d" " -f 2 > targets_postgresql.txt ;
sudo nmap -Pn -p 21,22,23,88,3389,5900 -iL targets_rfc1918.txt -oA targets_adm ;
cat targets_adm.gnmap | grep "21/open" | cut -d" " -f 2 > targets_ftp.txt ;
cat targets_adm.gnmap | grep "22/open" | cut -d" " -f 2 > targets_ssh.txt ;
cat targets_adm.gnmap | grep "23/open" | cut -d" " -f 2 > targets_telnet.txt ;
cat targets_adm.gnmap | grep "3389/open" | cut -d" " -f 2 > targets_rdp.txt ;
cat targets_adm.gnmap | grep "5900/open" | cut -d" " -f 2 > targets_vnc.txt ;
sudo nmap -Pn -p 80,443,8080,8443,9006,7001,7002,8081,49153,10000 -iL targets_rfc1918.txt -oA targets_web