eJPT - 1.3 Enumeration

Hmad

Auxiliary Modules

The first step is to start the database and Metasploit, create a workspace, and confirm the database connection (db_nmap can then run a basic Nmap scan whose results are stored in that workspace):

service postgresql start
msfconsole
workspace -a (name)
db_status

Useful commands to know about Metasploit to navigate:

hosts
services
db_nmap
search
use
show options
run
exploit
sessions
background
back
creds
loot

We can use auxiliary modules to do port scanning within Metasploit. They are used to perform scanning, discovery, and fuzzing. We can do TCP and UDP port scanning as well as enumerate the services on those ports. They can also be used to discover hosts and perform port scanning on a different network subnet after we have obtained initial access on a target system.

You cannot pair these modules with payloads as they have nothing to do with exploitation. These modules can be used during the information gathering and post exploitation phases.

To explain this briefly: using Nmap, we can do information gathering on target 1. Once we have gained access to this system, we may find that there are other systems reachable via target 1, such as target 2. We can't run Nmap from there unless we install it on target 1, which is not recommended. This is where the auxiliary modules come in, as we can perform a port scan of target 2 through target 1. We may also not know target 2's IP address, or it may not be connected to the internet, which prevents us from scanning it with Nmap from our own machine.

An example command within an auxiliary module:

search portscan
use (number of module)
set RHOSTS (target ip)

Auxiliary modules that are useful to know:

  • portscan

  • udp_sweep


Service Enumeration

FTP

FTP stands for File Transfer Protocol. It normally runs on port 21 and is used to facilitate file sharing between a server and its clients. It is also frequently used to transfer files to and from the directory of a web server.

FTP authentication utilizes a username and password combination. However, in some cases, an improperly configured FTP server will allow anonymous login. We can use multiple auxiliary modules to enumerate information as well as perform brute-force attacks on an FTP server.

If you don't have a specific username or password to use with the brute-force option, some very useful and comprehensive lists that ship with Metasploit can be found here:

/usr/share/metasploit-framework/data/wordlists/common_users.txt
/usr/share/metasploit-framework/data/wordlists/unix_passwords.txt

Some useful auxiliary FTP modules:

  • ftp_version

  • ftp_login

  • ftp/anonymous

SMB

SMB stands for Server Message Block. It is a network file sharing protocol that is used to facilitate the sharing of files and peripherals between computers on a local network (LAN). It uses port 445. On Linux, the implementation is called Samba. We can use auxiliary modules to enumerate SMB shares, the version, and users, and to perform a brute-force attack in order to verify usernames and passwords.

A useful tip within Metasploit is to set a global variable to be the target IP, to prevent having to remember it or continually paste it.

setg RHOSTS (target ip)

Some useful auxiliary SMB modules:

  • smb_version

  • smb_enumusers

  • smb_enumshares

  • smb_login

For example, the first command below lists the SMB shares and the second one connects to a share:

smbclient -L \\\\ip\\ -U admin
smbclient \\\\ip\\public -U admin

Web Server

A web server is software that is used to serve website data on the web. Web servers use HTTP for communication between the client and the server. HTTP is on port 80 while HTTPS is on 443. Popular web servers include Apache, Nginx, and Microsoft IIS. We can use auxiliary modules to enumerate the web server version and HTTP headers and to brute-force directories.

Some useful auxiliary HTTP modules:

  • http_version

  • http_header

  • http_put

  • robots_txt

  • dir_scanner

  • dir_listing

  • files_dir

  • http_login

  • apache_userdir_enum

  • brute_dirs

MySQL

MySQL is an open-source relational database management system. It is typically used to store records and customer data, and is most commonly used to store web application data. It uses port 3306 by default but can be hosted on any other open TCP port. We can use auxiliary modules to find out the version, perform brute-force attacks, and identify passwords.

Some useful auxiliary MySQL modules:

  • mysql_version

  • mysql_login

  • mysql_enum

  • mysql_sql

  • mysql_schemadump

To then open the database outside the Metasploit framework once credentials have been found:

mysql -h (target ip) -u (username) -p

SSH

SSH (Secure Shell) is a remote administration protocol that offers encryption and is the successor to Telnet. It is typically used for remote access to servers and systems. It uses port 22 by default but can be configured to run on any port. We can use auxiliary modules to enumerate the version of SSH as well as perform brute-force attacks to identify passwords to exploit it.

If a target has been configured to use password authentication, then we use the ssh_login module. If it has been configured to use public/private key authentication, then we use the ssh_login_pubkey module.

Some useful auxiliary SSH modules:

  • ssh_version

  • ssh_login

  • ssh_enumusers

SMTP

SMTP stands for Simple Mail Transfer Protocol. It uses port 25 by default but can be configured to run on 465 and 587 if it has SSL/TLS running. We can use auxiliary modules to enumerate the version of SMTP and user accounts on the target system.

Some useful auxiliary SMTP modules:

  • smtp_version

  • smtp_enum
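
As an added example that is not part of the original post, the whole workflow above can be kept in a Metasploit resource file and replayed with msfconsole -r. The workspace name and the 192.0.2.10 lab address are placeholders to replace with your own lab target; the services -R command fills RHOSTS from the database, so the IP is typed only once, and only the version and anonymous-login check modules are run here, not the login brute-force ones.

```msf
# enum.rc - constructed example, not from the original post
# run with: msfconsole -q -r enum.rc   (start postgresql first)
# 192.0.2.10 is a placeholder lab address, replace it with your own target
workspace -a ejpt_lab
db_status

# db_nmap stores hosts and services in the current workspace
db_nmap -sV -p 21,22,25,80,445,3306 192.0.2.10

# services -p <port> -R sets RHOSTS from the database results;
# if no host has that port open, RHOSTS stays empty and the run just errors out
use auxiliary/scanner/ftp/ftp_version
services -p 21 -R
run
use auxiliary/scanner/ftp/anonymous
services -p 21 -R
run

use auxiliary/scanner/ssh/ssh_version
services -p 22 -R
run

use auxiliary/scanner/smtp/smtp_version
services -p 25 -R
run

use auxiliary/scanner/http/http_version
services -p 80 -R
run
use auxiliary/scanner/http/robots_txt
services -p 80 -R
run

use auxiliary/scanner/smb/smb_version
services -p 445 -R
run

use auxiliary/scanner/mysql/mysql_version
services -p 3306 -R
run

# review everything that was recorded in the workspace
hosts
services
```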


That’s it for this section. Next one up is the CTF or skill check that iNE has put up.

— Hmad

Written by Hmad

I'm a cybersecurity enthusiast with a growing focus on offensive security. Currently studying for the eJPT & ICCA, building hands-on projects like Infiltr8, and sharing everything I learn through blog posts and labs.