—nslookup
Typing nslookup with no arguments enters its interactive shell, where we can change the record type being queried:
set type=mx
set type=aaaa
server 8.8.8.8 (changes the name server used for the queries)
—NetBIOS
Windows machines listen on TCP/139 (NetBIOS session service); this can be probed for:
-MAC address
-Domain name
-File shares
-User groups
On Linux (Kali) we use nbtscan -v -h 192.168.1.2
On Windows, NetBIOS Enumerator has a GUI and an option to add credentials
—JXplorer
An LDAP browser: with domain admin rights you can browse and download the whole Active Directory tree
—SMTP
SMTP is a good way to identify usernames: you can telnet into port 25
and run commands like VRFY to check whether an email address exists.
Kali has tools which give you more options, such as checking a whole list of users:
sudo apt-get install smtp-user-enum
smtp-user-enum -M VRFY -u tom@tpg.com.au -t mail.tpg.com.au
iSMTP can be used to send spoofed mail, e.g. to test whether a server accepts forged senders:
ismtp -m -i bob@tpg.com.au -s bob@tpg.com.au -S BOB -r xxxxx@hotmail.com -R KALI -h smtp.telstra.com
—NTP
Older versions of NTP answer the monlist query with the IP addresses of recent clients and peers:
nmap -sU -p 123 --script=ntp-monlist 192.168.1.2
—SNMP
By default SNMP uses the community strings "public" and "private".
You can see usernames, interfaces, shares, processes, installed software and listening ports:
msfconsole
use auxiliary/scanner/snmp/snmp_enum
set RHOSTS 192.168.1.2
set COMMUNITY private
run
SolarWinds can poll interfaces over SNMP.
snmpwalk can show all the OIDs:
snmpwalk -c private -Ib -v 2c 192.168.1.2 | more
To get usernames via SNMP:
use auxiliary/scanner/snmp/snmp_enumusers
—DHCP Exhaustion
Each VLAN has a default gateway servicing DHCP.
Using the DORA exchange (Discover, Offer, Request, Acknowledge) we can request every IP address in the pool.
Yersinia is the tool used in Kali to take up all the free IP addresses.
To mitigate DHCP exhaustion we use port security to limit the number of MAC
addresses allowed on each port; DHCP snooping, which rate-limits DHCP on untrusted ports and drops offers from unauthorised servers, addresses the same attack.
Once all the free IP addresses are taken, the attacker can stand up a rogue DHCP
server to perform a man-in-the-middle attack.
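As an added defender-side example (not from the original notes): a small Python check that parses constructed DHCP DISCOVER log lines and flags switch ports where an unusual number of distinct client MACs request leases within a short window, the same per-port MAC pattern that port security limits. The log format, the port names and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from a real device): timestamp, client MAC and
# the switch port on which the DHCP DISCOVER arrived.
SAMPLE_LOG = """\
2024-05-01T10:00:01 DHCPDISCOVER mac=00:11:22:33:44:01 port=Gi1/0/5
2024-05-01T10:00:01 DHCPDISCOVER mac=00:11:22:33:44:02 port=Gi1/0/5
2024-05-01T10:00:02 DHCPDISCOVER mac=00:11:22:33:44:03 port=Gi1/0/5
2024-05-01T10:00:02 DHCPDISCOVER mac=00:11:22:33:44:04 port=Gi1/0/5
2024-05-01T10:00:03 DHCPDISCOVER mac=aa:bb:cc:dd:ee:01 port=Gi1/0/7
2024-05-01T10:05:00 DHCPDISCOVER mac=aa:bb:cc:dd:ee:02 port=Gi1/0/7
"""

LINE_RE = re.compile(r"^(\S+) DHCPDISCOVER mac=([0-9A-Fa-f:]{17}) port=(\S+)$")


def parse_discovers(text):
    """Yield (timestamp, mac, port) for each well-formed DISCOVER line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2).lower(), m.group(3)


def exhaustion_suspects(text, max_macs=2, window=timedelta(seconds=60)):
    """Return {port: distinct_mac_count} for every port on which more than
    max_macs distinct client MACs sent DISCOVERs inside some window-long
    interval. A normal access port sees one or two MACs; a flood of fresh
    MACs from one port is the signature of a pool-exhaustion attempt."""
    per_port = defaultdict(list)
    for ts, mac, port in parse_discovers(text):
        per_port[port].append((ts, mac))
    flagged = {}
    for port, events in per_port.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # Sliding window anchored at each event; events are sorted by time.
            macs = {mac for ts, mac in events[i:] if ts - start <= window}
            if len(macs) > max_macs:
                flagged[port] = max(flagged.get(port, 0), len(macs))
    return flagged


if __name__ == "__main__":
    for port, count in exhaustion_suspects(SAMPLE_LOG).items():
        print(f"{port}: {count} distinct MACs requested leases within 60s")
```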