General Protocol Enumeration


Enum4Linux

Enum4Linux is a tool for enumerating the protocols a target uses to communicate. It is a "passive" tool that can be used against any target.

Usage:

enum4linux -S 192.168.0.1

-S: enumerate shares (SMB)

The target IP is given as the last argument; -u sets a username to authenticate with (omitted here, so a null session is used)

Cheat sheet: https://highon.coffee/blog/enum4linux-cheat-sheet/


Nmap

Nmap is a network mapping tool designed to show hosts and their corresponding network/device information across subnets. Refer to the man page (man nmap) for all available flags.

Usage:

nmap -sV -O -vv -T3 -p 0-10000 192.168.0.1

-sV: specifies version detection

-O: specifies OS detection

-vv: specifies verbose output (very verbose)

-T3: timing template, which sets the speed of the scan

-p: specifies port list/port range (-p- for all ports)

The target can also be given in CIDR notation to indicate a subnet, and multiple targets (single IPs or subnets) can be given in one command.

nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 192.168.0.1

-p: specifies ports

--script: the built-in or external script(s) for nmap to run; in this case the smb-enum-shares and smb-enum-users scripts, which gather SMB information

A full list of built-in NMAP scripts can be found here

You can output nmap results in several formats:

-oN: normal output

-oX: XML output (importable into Metasploit)

-oG: grepable output
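To turn the -oG output into something a report or a defensive check can use, here is an added example (not from the original page) that parses grepable output into the open ports per host and compares the result against an allowlist of expected ports. The scan output embedded in it is constructed, not a real scan.

```python
"""Parse nmap grepable (-oG) output and check it against an allowlist."""
from collections import defaultdict

# Constructed sample of -oG output; the hosts and versions are made up.
# Each port entry has the form port/state/proto/owner/service/rpcinfo/version/
SAMPLE_OG = """\
# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sV -oG - 192.168.0.0/30
Host: 192.168.0.1 ()\tStatus: Up
Host: 192.168.0.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//Apache httpd 2.4.52/, 445/filtered/tcp//microsoft-ds///\tIgnored State: closed (997)
Host: 192.168.0.2 ()\tStatus: Up
Host: 192.168.0.2 ()\tPorts: 445/open/tcp//microsoft-ds//Samba smbd 4/, 139/open/tcp//netbios-ssn//Samba smbd 4/\tIgnored State: closed (998)
# Nmap done at Mon Jan  1 10:00:12 2024 -- 4 IP addresses (2 hosts up) scanned in 12.34 seconds
"""


def parse_grepable(text):
    """Return {host: [(port, proto, service, version), ...]} for open ports only.

    Filtered and closed ports are dropped, so the result is what a remote
    client could actually reach. Version strings containing ", " would
    confuse the simple split below; use -oX for those cases.
    """
    results = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment lines and blank lines
        # Tab-separated "Key: value" fields: Host, Status, Ports, Ignored State
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        host = fields["Host"].split()[0]  # "192.168.0.1 ()" -> "192.168.0.1"
        ports_field = fields.get("Ports")
        if not ports_field:
            continue  # "Status: Up" line, no port data
        for entry in ports_field.split(", "):
            port, state, proto, _owner, service, _rpc, version = entry.split("/")[:7]
            if state == "open":
                results[host].append((int(port), proto, service, version))
    return dict(results)


def hosts_with_service(parsed, service):
    """Sorted list of hosts exposing the named service on an open port."""
    return sorted(h for h, ports in parsed.items() if any(p[2] == service for p in ports))


def unexpected_ports(parsed, allowed):
    """{host: [ports]} for open ports outside the allowlist (empty if all expected)."""
    extra = {h: sorted(p[0] for p in ports if p[0] not in allowed) for h, ports in parsed.items()}
    return {h: ports for h, ports in extra.items() if ports}


if __name__ == "__main__":
    scan = parse_grepable(SAMPLE_OG)
    print("SMB exposed on:", hosts_with_service(scan, "microsoft-ds"))
    print("Outside allowlist:", unexpected_ports(scan, {22, 80}))
```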

Some other important flags:

-sS (SYN scan) is the default scan type for a privileged user; -sT (TCP connect scan) is the default for a non-privileged user


Dnsenum

Dnsenum is a tool that can be used to enumerate DNS information for a target domain.

Usage:

dnsenum example.com

The argument is the domain to enumerate (example.com is a placeholder), not an IP address


Dig

Dig is a tool that can be used to look up DNS records for a target domain.

Usage:

dig example.com AAAA

- AAAA: can be any DNS record type to look up (e.g. A, MX, CNAME, etc.); example.com is a placeholder for the target domain


RPCClient

RPCClient is a tool used for enumerating network shares and gathering SMB information.

Usage:

rpcclient -U "" -N 192.168.0.1

-U: specifies username

-N: specifies "No password"

Once rpcclient is running, you can use several commands to gather information about the target.

Example:

enumdomusers - Shows the domain users

enumdomgroups - Shows the domain groups

queryuser username - Shows the user and their SID

? - Shows the list of commands