HOWTO use NMAP for OS Discovery and SMB Enumeration

Start with an aggressive scan of a single host by running the following command:


root@kali:~# nmap -A 10.11.1.220

The -A option enables several features at once: OS detection, version detection, default script scanning, and traceroute.


For help with the other options, type man nmap.

NMAP SMB Enumeration


root@kali:~# nmap -p139,445 10.11.1.200-254 --open

Starting Nmap 6.47 ( http://nmap.org ) at 2016-07-21 10:10 EDT
Nmap scan report for 10.11.1.202
Host is up (0.040s latency).
PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 00:50:56:89:1F:9B (VMware)

Nmap scan report for 10.11.1.218
Host is up (0.045s latency).
PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 00:50:56:89:53:4B (VMware)

Nmap scan report for 10.11.1.220
Host is up (0.045s latency).
PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 00:50:56:89:78:7F (VMware)

Nmap scan report for 10.11.1.223
Host is up (0.044s latency).
PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 00:50:56:89:72:AE (VMware)

Nmap scan report for 10.11.1.227
Host is up (0.044s latency).
PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 00:50:56:89:33:B2 (VMware)

Nmap scan report for 10.11.1.229
Host is up (0.039s latency).
Not shown: 1 filtered port
PORT STATE SERVICE
139/tcp open netbios-ssn
MAC Address: 00:50:56:89:2D:FF (VMware)


Nmap scan report for 10.11.1.230
Host is up (0.042s latency).
PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 00:50:56:89:14:2B (VMware)

Nmap done: 55 IP addresses (19 hosts up) scanned in 28.10 seconds

To get a quick mapping of IP addresses to NetBIOS server names, use the nbtscan command as shown below.

root@kali:~# nbtscan 10.11.1.200-254
Doing NBT name scan for addresses from 10.11.1.200-254


IP address       NetBIOS Name     Server    User             MAC address
------------------------------------------------------------------------
10.11.1.202      ORACLE           <server>  ORACLE           00:50:56:89:1f:9b
10.11.1.227      JD               <server>  JD               00:50:56:89:33:b2
10.11.1.229      MAIL             <server>  MAIL             00:50:56:89:2d:ff
10.11.1.220      MASTER           <server>  <unknown>        00:50:56:89:78:7f
10.11.1.221      SLAVE            <server>  <unknown>        00:50:56:89:5e:d2
10.11.1.230      KEVIN            <server>  <unknown>        00:50:56:89:14:2b
10.11.1.223      JEFF             <server>  <unknown>        00:50:56:89:72:ae
10.11.1.218      OBSERVER         <server>  <unknown>        00:50:56:89:53:4b

Null Session

root@kali:~# rpcclient -U "" 10.11.1.220
Enter 's password:
rpcclient $> srvinfo
Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED
rpcclient $> enumdomusers
result was NT_STATUS_ACCESS_DENIED

rpcclient $> enumdomusers will display a list of users, but I was not able to show it here: ACCESS DENIED.

Using enum4linux will make your life easier, since it wraps these checks into one tool. Run this command against your test Windows server:

root@kali:~# enum4linux -v 10.11.1.220
[V] Dependent program "nmblookup" found in /usr/bin/nmblookup
[V] Dependent program "net" found in /usr/bin/net
[V] Dependent program "rpcclient" found in /usr/bin/rpcclient
[V] Dependent program "smbclient" found in /usr/bin/smbclient
[V] Dependent program "polenum" found in /usr/bin/polenum
WARNING: ldapsearch is not in your path. Check that package is installed and your PATH is sane.
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Thu Jul 21 10:30:55 2016

==========================
| Target Information |
==========================
Target ……….. 10.11.1.220
RID Range …….. 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

Let's check whether this server is vulnerable or requires a security patch.

root@kali:~# nmap -p 139,445 --script=smb-check-vulns --script-args=unsafe=1 10.11.1.229

Starting Nmap 6.47 ( http://nmap.org ) at 2016-07-21 10:38 EDT
Nmap scan report for 10.11.1.229
Host is up (0.042s latency).
PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp filtered microsoft-ds
MAC Address: 00:50:56:89:2D:FF (VMware)

Host script results:
| smb-check-vulns:
| MS08-067: VULNERABLE
| Conficker: Likely CLEAN
| SMBv2 DoS (CVE-2009-3103): VULNERABLE
| MS06-025: NO SERVICE (the Ras RPC service is inactive)
|_ MS07-029: NO SERVICE (the Dns Server RPC service is inactive)

Nmap done: 1 IP address (1 host up) scanned in 87.36 seconds

The result gives you information about the server's security patches and known vulnerabilities. In this example, the server is missing security patch MS08-067, which leaves it open to compromise.
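As an added example (not part of the original post), here is a small Python script that turns the nmap normal output and the nbtscan table shown above into a single SMB inventory, listing hosts that smb-check-vulns flagged as VULNERABLE first. The sample input is constructed in the same output format as the scans on this page, with the cosmetic "Host is up" and MAC lines omitted.

```python
import re

# Constructed sample input in nmap's normal-output format (trimmed copy of the scans above).
NMAP_OUT = """\
Nmap scan report for 10.11.1.220
139/tcp open netbios-ssn
445/tcp open microsoft-ds
Nmap scan report for 10.11.1.229
139/tcp open netbios-ssn
445/tcp filtered microsoft-ds
Host script results:
| smb-check-vulns:
| MS08-067: VULNERABLE
| Conficker: Likely CLEAN
| SMBv2 DoS (CVE-2009-3103): VULNERABLE
"""
# Constructed nbtscan rows (same column order as the table above).
NBTSCAN_OUT = """\
10.11.1.229 MAIL <server> MAIL 00:50:56:89:2d:ff
10.11.1.220 MASTER <server> <unknown> 00:50:56:89:78:7f
"""

PORT_RE = re.compile(r"^(\d+)/(?:tcp|udp)\s+(\w+)\s+\S+")      # "445/tcp open microsoft-ds"
SCRIPT_RE = re.compile(r"^\|_?\s*([^:]+):\s+(.+)$")            # "| MS08-067: VULNERABLE"

def parse_nmap(text):
    """Map each scanned IP to its open ports and any script findings marked VULNERABLE."""
    hosts, cur = {}, None
    for line in text.splitlines():
        if line.startswith("Nmap scan report for "):
            cur = line.split()[-1]
            hosts[cur] = {"open": [], "vulns": []}
        elif cur is not None:
            if (m := PORT_RE.match(line)) and m.group(2) == "open":
                hosts[cur]["open"].append(int(m.group(1)))
            elif (m := SCRIPT_RE.match(line)) and m.group(2) == "VULNERABLE":
                hosts[cur]["vulns"].append(m.group(1))
    return hosts

def parse_nbtscan(text):
    """Map IP to NetBIOS name from nbtscan's table rows (first two columns)."""
    return {p[0]: p[1] for p in (l.split() for l in text.splitlines())
            if len(p) >= 2 and re.match(r"^\d+(\.\d+){3}$", p[0])}

def smb_inventory(nmap_text, nbt_text):
    """One record per host exposing SMB (139 or 445); hosts with findings come first."""
    names = parse_nbtscan(nbt_text)
    rows = [{"ip": ip, "name": names.get(ip, "<unknown>"), **info}
            for ip, info in parse_nmap(nmap_text).items()
            if {139, 445} & set(info["open"])]
    return sorted(rows, key=lambda r: (not r["vulns"], r["ip"]))
```

Feed it the saved output of `nmap -oN` and `nbtscan` to get a patch-priority list for the hosts that answer on SMB.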
