Hey, Mia and Celina, I need your expert advice! I’ve started playing Hack The Box recently, but I’m struggling with enumeration, even on the Easy machines.


Oh, cool, Aoi! You’ve joined the HTB club! Enumeration can be tricky at first, for sure. We’ve all been there.

Exactly. Enumeration, the process of gathering information about a system, is crucial. What methods have you been trying?
Well, I’ve been using nmap for port scanning, then gobuster or nikto on open ports… and, you know, trying things manually. But it takes forever, and I rarely find anything useful. Are there better, more efficient ways or tools I should be using?


You bet there are! I had the same problem when I started. But once I learned about a few handy tools, things got way easier. I use them in CTFs all the time, too.

I also use a variety of tools for enumeration in my own work. The right tool, used correctly, can make a huge difference in the amount of information you gather. Today, I’m happy to share some of my favorite tools and show you exactly how to use them.
Awesome! Thanks so much! Please teach me!

1. nmap: The Essential (and Powerful) Port Scanner

First up, you gotta know nmap inside and out! It’s not just for port scanning. The -sV option gets you version info, and -sC runs default scripts, which can reveal a ton of info.
Whoa, really? I thought nmap was just for port scanning! I’ll try -sV and -sC right away! … (A few moments later) … Wow! I’m seeing so much more information than before!

Nmap scan report for <TARGET IP> (<TARGET HOSTNAME>)
Host is up (0.030s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
3306/tcp open mysql MySQL 5.7.31-0ubuntu0.18.04.1
... (Output Truncated) ...
It’s not just showing open ports, but also the service and version! And there’s extra info from the scripts, like _http-title!


Excellent observation, Aoi! nmap is an incredibly powerful tool. To be even more thorough, it’s important to scan all ports using the -p- option.
nmap -sV -sC -p- -oA nmap_scan <TARGET IP>

This scans all 65535 ports. Sometimes, services are hidden on uncommon ports. And don’t forget UDP scanning (-sU)!
nmap -sU -p 161,53 <TARGET IP>
PORT STATE SERVICE
53/udp open|filtered domain
161/udp open|filtered snmp
open|filtered means there was no response, so we cannot draw a definite conclusion, possibly because of a firewall.
All ports and UDP scanning… I haven’t been doing that!


I often do a quick scan first (using the -F option) to get a general idea, and then follow up with a more detailed scan. Saves time!

That’s a great time-saving technique. Also, nmap has a powerful scripting engine (NSE). You can use the --script option to run specific scripts. Use --script-help to see a list of available scripts.
2. gobuster/ffuf: Supercharging Web Directory/File Enumeration

If you’re dealing with a web-based machine, gobuster and ffuf are must-haves! They’re tools for brute-forcing directories and files.
I’ve used gobuster, but it can be slow sometimes… I’ve heard of ffuf, but haven’t tried it.


ffuf is super fast! And it gives you more control than gobuster. For example, here’s how you might use it:
ffuf -u http://<TARGET IP>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/common.txt -t 50 -e .php,.html -fc 404

This command uses the wordlist at /usr/share/seclists/Discovery/Web-Content/common.txt to replace the FUZZ part of http://<TARGET IP>/FUZZ, looking for files with .php and .html extensions. Plus, it filters out any responses with a 404 status code.
Wow, that’s a lot of control! What does the output look like?

v1.5.0
________________________________________________
:: Method : GET
:: URL : http://<TARGET IP>/FUZZ
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/common.txt
:: Extensions : .php .html
:: Follow redirects : false
:: Calibration mode : false
:: Timeout : 10
:: Threads : 50
:: Matcher : Response status: 200,204,301,302,307,401,403,405
:: Filter : Response status: 404
________________________________________________
index.html [Status: 200, Size: 10701, Words: 1000, Lines: 200]
admin [Status: 301, Size: 314, Words: 20, Lines: 10]
uploads [Status: 301, Size: 314, Words: 20, Lines: 10]
... (Output Truncated) ...
That’s really clear! It shows the status code, size, word count, and even the number of lines!


gobuster is a good tool as well, but ffuf offers greater flexibility. With both tools, using the right wordlist is key. Repositories like SecLists are your best friend.
3. Nikto: Web Server Vulnerability Scanning
I know the name nikto, but I haven’t really used it much…


nikto checks for web server misconfigurations, outdated software, and various vulnerabilities. It’s a good idea to run it just in case – you might find something unexpected.

nikto performs comprehensive checks, but keep in mind that it can produce false positives. Don’t blindly trust the results; verify each finding.
What kind of output does it give?

- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: <TARGET IP>
+ Target Hostname: <TARGET IP>
+ Target Port: 80
+ Start Time: 2023-10-27 14:30:00 (GMT-7)
---------------------------------------------------------------------------
+ Server: Apache/2.4.29 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.38). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ OSVDB-3233: /icons/README: Apache default file found.
... (Output Truncated) ...
I see… It tells you things like “X-Frame-Options header is not present” and “X-XSS-Protection header is not defined.”


Exactly. These indicate potential security weaknesses. Using tools like WhatWeb in conjunction with nikto can provide even more detailed information.
4. enum4linux/smbmap: Windows File Share (SMB) Enumeration
When I’m facing a Windows machine, I always feel lost. I don’t know where to start.


For Windows, enum4linux and smbmap are super useful! They can grab info about SMB shares, user lists, and more.

enum4linux enumerates information from Samba, and smbmap checks access permissions on SMB shares. It is a good practice to try connecting with a null session.
Null session…?


It means trying to connect without a username and password. Sometimes it works! With smbmap, you can try it like this:
smbmap -H <TARGET IP> -u guest -p ""

And the output looks like this:
[+] IP: <TARGET IP>:445 Name: <TARGET HOSTNAME>
Disk Permissions
---- -----------
ADMIN$ NO ACCESS
C$ NO ACCESS
IPC$ READ ONLY
print$ NO ACCESS
Users READ, WRITE
IPC$ is READ ONLY!


You can get even more detailed information with enum4linux:
enum4linux -a <TARGET IP>
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Fri Oct 27 15:00:00 2023
==========================
| Target Information |
==========================
Target ........... <TARGET IP>
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
... (Output Truncated) ...
============================================
| Users on <TARGET IP> |
============================================
index: 0x1 RID: 0x3e9 acb: 0x00000010 Account: Administrator Name: built-in account for administering the computer/domain Desc:
index: 0x2 RID: 0x3ea acb: 0x00000010 Account: Guest Name: built-in account for guest access to the computer/domain Desc:
... (Output Truncated) ...
user:[htbuser] rid:[0x3e8]
... (Output Truncated) ...
============================================
| Share Enumeration on <TARGET IP> |
============================================
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
IPC$ IPC Remote IPC
... (Output Truncated) ...

Based on this information, you can use tools like crackmapexec for further investigation.

And if you suspect a web application might be vulnerable to SQL injection, sqlmap is your best friend!
sqlmap! I’ve heard of it, but I’ve never used it…


For example, you can use it like this:
sqlmap -u "http://<TARGET IP>/page.php?id=1" --dbs

This command tests the URL http://<TARGET IP>/page.php?id=1 for SQL injection vulnerabilities, and if it finds any, it’ll list the databases.
[INFO] testing connection to the target URL
... (Output Truncated) ...
[INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.29, PHP 7.2
back-end DBMS: MySQL >= 5.0.12
[INFO] fetching database names
[INFO] retrieved: information_schema
[INFO] retrieved: mydatabase
... (Output Truncated) ...
available databases [2]:
[*] information_schema
[*] mydatabase

sqlmap is extremely powerful, but it can also cause serious damage if misused. Only use it on environments where you have explicit permission. If you need to test a POST request, save the request in a file and specify it with the -r option.
sqlmap -r request.txt --level=5 --risk=3 --cookie="PHPSESSID=xxxxxxxxxxxxxxxxxxxxxxxxxxxx"
Contents of request.txt:
POST /vuln.php HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 23
param1=val1&param2=val2
Wow, this is amazing! I’ve learned so much about different tools, how to use them, and what the output looks like! I used to feel like I was just poking around in the dark, but now I feel like I can enumerate much more efficiently.


Enumeration is a critical skill for any security engineer. I hope you’ll use what you’ve learned today to continue improving your skills.