Question
WRITE THE UNIX CODE FOR EACH STEP PLEASE
Activity 1 DNS Enumeration.
1) This lab is an exploratory lab in the use of Enumeration
2) The ultimate goal is to locate servers from which we can extract useful information such as
email addresses for a spear phishing attack, user names for database access, etc. We will use
SMB Enumeration to assist us.
3) Use your UWF credentials to log into the cyberrange.uwf.edu.
4) Use dig to get the IP range of our attack domain cyber.uwf.edu
a) The command dig is a tool for querying DNS nameservers for information about host
addresses, mail exchanges, nameservers, and related information.
b) dig (domain information groper) as discussed in Chapter 2, is a flexible tool for
interrogating DNS name servers. It performs DNS lookups and displays the answers that
are returned from the name server(s) that were queried.
c) dig -h is the help command for dig.
i) Pay attention to the switch that allows you to specify a type of DNS lookup
ii) Look for the type of DNS lookup that allows zone transfers.
iii) Remember type axfr
d) Note the servers you find in this domain. There may be some additional servers from the
previous lab.
5) Use the information received from dig and other resources available, including nmap's help
and the textbook, to complete the following table. This table is for your use in the lab only; it
doesn't need to be turned in. It should be the same as the table created from the previous lab.
The table is populated with sample, very inaccurate data. The process you might follow is:
a) Retrieve the active servers' IP addresses in the cyber.uwf.edu network:
b) Retrieve the open ports and services running on these active servers:
c) Based on the results, what is the purpose of each server:
d) What operating systems are probably running on each of these servers? If nmap cannot
determine the OS, review the nmap man pages to see if nmap can make a guess.
e) The table below can be used for your notes; you don't need to turn in the table but will
need to use the results of your search.
f) Remember, to scan a group of addresses you can use the formats 132.54.0.100-120 or
132.54.10-13,100-120 or 132.54.10, 13, 120.
Table
IP Address | Open ports | Port services | Server's Purpose
......
6) SMB Enumeration
a) SMB - A protocol for sharing files, printers, serial ports, and communications
abstractions such as named pipes and mail connections between computers
b) Check for SMB services using nmap and the ports used for SMB (139 and 445) on the
172.16.250.subnet.
i) To scan a group of addresses, the format is 132.54.0.100-120 or 132.54.10-13,100-120 or
132.54.10, 13, 120.
ii) To scan a group of ports, use the format -p 10-100 or -p 24,345
c) As it may be easier to read the output in a file, you can use the -oG switch and a file
name to port output to a grep-readable file, or you can use standard out redirection.
d) From the above you can see which server may use SMB using that server. There may be
more than one.
e) List all the servers by IP which may be SMB servers.
f) Enum4linux is a tool for enumerating information. It can provide information such as
i) User listing
ii) Listing of group membership information
g) Share enumeration
h) Enum4linux doesn't have man pages but does provide a help page similar to a man page;
think about putting this help output in a file you can use for reference.
i) As with most tools there are many switches
(1) Look for one that provides
(a) all simple enumeration
(b) Users
(c) NOTE: Some servers may not allow smb enumeration, remember the
discussion about Null-Session.
ii) This provides a lot of data, so you may want to direct it to a file.
iii) Review the file, search for user and service info
iv) What does enum4linux do?
v) What useful information is available in the file? Remember this may only be a piece
of the puzzle.
i) There are almost always alternate ways to obtain information. See below.
j) There are prewritten nmap scripts located at /usr/share/nmap/scripts on Kali. These
scripts provide prewritten scans.
k) Review all the scripts and then use a filter with the ls command to find only files for smb.
NOTE: Some servers may not allow smb enumeration, remember the discussion
about Null-Session.
l) Scan a different server from the one you used enum4linux on.
m) Using the format in nmap --script=
to see what you get, remember the focus of the lab. Again, you may want to direct this to
a file.
n) Try scripts that provide user, share and OS info.
i) Do all servers that use SMB allow access? If any of the SMB servers don't allow
enumeration, what do you think is the reason?
ii) What users are available on this system that allows SMB enumeration?
iii) What shares are available?
iv) What is the OS of this system?
7) SMTP Enumeration
a) SMTP servers are misconfigured all the time and so are a good place to get information
b) SMTP supports many interesting commands:
i) IBM SMTP Commands Site
ii) ehlo provides you a list of commands a server supports
iii) VRFY asks the server to verify an email address; however, this generally requires a fully
qualified address, such as jdoe@google.com
c) Locate the mail server on our network and use netcat (nc -nv) or telnet
to create a session with it. telnet works just as netcat, as you need to provide the server IP
and the port.
d) List what services the server supports and try to verify any user's email address from user
information you have gathered from the previous section of the lab. Try a fake name.
What are the results?
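Steps 6c to 6e ask for nmap output saved with the -oG switch and a list of servers that may be SMB servers. As an added example (not part of the original lab or question), this shell function filters grepable output for hosts with port 139 or 445 in the open state; the sample lines, host names and 192.0.2.x addresses are constructed.

```shell
#!/usr/bin/env bash
# Added example: list hosts with SMB ports open from nmap grepable (-oG) output.

# Constructed sample of -oG output (192.0.2.0/24 is a documentation range,
# not the lab network). Fields on each Host line are tab-separated.
sample_og() {
  printf 'Host: 192.0.2.10 (fs01)\tStatus: Up\n'
  printf 'Host: 192.0.2.10 (fs01)\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\n'
  printf 'Host: 192.0.2.11 ()\tStatus: Up\n'
  printf 'Host: 192.0.2.11 ()\tPorts: 139/closed/tcp//netbios-ssn///, 445/filtered/tcp//microsoft-ds///\n'
  printf 'Host: 192.0.2.12 (mail)\tStatus: Up\n'
  printf 'Host: 192.0.2.12 (mail)\tPorts: 139/closed/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\n'
}

# smb_hosts: read -oG text on stdin and print "IP open-smb-ports" for every
# host where 139 or 445 is open. Closed and filtered ports are ignored,
# because only the open state indicates a reachable SMB service.
smb_hosts() {
  awk -F'\t' '
    /^Host: / {
      split($1, h, " ")              # h[2] is the IP address
      found = ""
      for (i = 2; i <= NF; i++) {
        if ($i !~ /^Ports: /) continue
        s = $i
        sub(/^Ports: /, "", s)
        n = split(s, p, ", ")        # one entry per scanned port
        for (j = 1; j <= n; j++) {
          split(p[j], f, "/")        # f[1] = port number, f[2] = state
          if ((f[1] == "139" || f[1] == "445") && f[2] == "open")
            found = found (found == "" ? "" : ",") f[1]
        }
      }
      if (found != "") print h[2], found
    }'
}

# Usage on a saved scan file (file name is a placeholder): smb_hosts < smb.gnmap
```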