Penetration Testing with Kali Linux OffSec
|
|
net view \\dc01 /all
Shared resources at \\dc01 Share name Type Used as Comment ------------------------------------------------------------------------------- ADMIN$ Disk Remote Admin C$ Disk Default share IPC$ IPC Remote IPC NETLOGON Disk Logon server share SYSVOL Disk Logon server share The command completed successfully. Listing 77 - Running ‘net view’ to list remote shares By providing the /all keyword, we can list the administrative shares ending with the dollar sign. 6.3.5 SMTP Enumeration We can also gather information about a host or network from vulnerable mail servers. The Simple Mail Transport Protocol (SMTP) 273 supports several interesting commands, such as VRFY and EXPN . A VRFY request asks the server to verify an email address, while EXPN asks the server for the membership of a mailing list. These can often be abused to verify existing users on a mail server, which is useful information during a penetration test. Consider the following example: kali@kali:~$ nc -nv 192.168.50.8 25 (UNKNOWN) [192.168.50.8] 25 (smtp) open 220 mail ESMTP Postfix (Ubuntu) VRFY root 252 2.0.0 root VRFY idontexist 272 (Microsoft, 2022), https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/virtual-dc/active-directory-domain- services-overview 273 (Wikipedia, 2022), https://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol Penetration Testing with Kali Linux PWK - Copyright © 2023 OffSec Services Limited. All rights reserved. 156 550 5.1.1 table ^C Listing 78 - Using nc to validate SMTP users We can observe how the success and error messages differ. The SMTP server readily verifies that the user exists. This procedure can be used to help guess valid usernames in an automated fashion. Next, let’s consider the following Python script, which opens a TCP socket, connects to the SMTP server, and issues a VRFY command for a given username: #!/usr/bin/python import socket import sys if len(sys.argv) != 3: print("Usage: vrfy.py sys.exit(0) # Create a Socket s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) # Connect to the Server ip = sys.argv[2] connect = s.connect((ip,25)) # Receive the banner banner = s.recv(1024) print(banner) # VRFY a user user = (sys.argv[1]).encode() s.send(b'VRFY ' + user + b'\r\n') result = s.recv(1024) print(result) # Close the socket s.close() Listing 79 - Using Python to script the SMTP user enumeration We can run the script by providing the username to be tested as a first argument and the target IP as a second argument. kali@kali:~/Desktop$ Yüklə Dostları ilə paylaş:
|