Service Enumeration

In this chapter, we’ll focus on exploiting networks by starting with network enumeration techniques and examining some of the most commonly vulnerable services and processes. These vulnerabilities often serve as entry points for attackers, and understanding them is crucial for effective penetration testing.

---

1. Network Enumeration Techniques

• Definition: Enumeration is the process of discovering and cataloging devices, services, and resources within a network. The goal is to identify targets and gather information that might aid in exploitation.

• Importance: Enumeration provides detailed insights into a network's structure and running services, often revealing valuable details about users, shares, and system configurations.

• Common Enumeration Techniques:

  • Port Scanning: Identifies open ports and associated services using tools like Nmap or Masscan. This helps determine which services are exposed and may be exploitable.

    • Examples:

      • Nmap: nmap -sV -p 1-65535 <target_IP> (to scan for open ports and service versions).

      • Masscan: masscan -p1-65535 <target_IP> (for high-speed port scanning).

  • Service and Version Detection: Identifies service versions running on open ports, helping detect outdated or vulnerable software versions.

  • Banner Grabbing: Extracts system and service information from network banners using tools like Netcat, Telnet, or Nmap.

    • Example: nc <target_IP> <open_port> (to capture a banner for a specific service).

  • SNMP Enumeration: Uses the Simple Network Management Protocol (SNMP) to gather data on network devices. Often misconfigured, SNMP can reveal sensitive details like system uptime, network configurations, and device information.

  • Network Share Enumeration: Discovers shared folders and network resources that may expose sensitive information.

    • Example Tools: SMBclient, Enum4Linux, and Smbmap are commonly used for exploring SMB shares on Windows systems.

  • DNS Enumeration: Maps out domain and subdomain structures, which can reveal internal network architecture and potential access points

---

20 Commonly Vulnerable Network Services and Processes

1. SMB (Server Message Block)

• Vulnerabilities: SMBv1 vulnerabilities like EternalBlue; weak permissions.

• Exploitation Tools: Metasploit, EternalBlue exploit.

• Detection Command: nmap -p445 --script smb-vuln* <target_IP>

2. FTP (File Transfer Protocol)

• Vulnerabilities: Anonymous access, plaintext credentials.

• Exploitation Tools: Hydra, Wireshark.

• Detection Command: nmap -p21 --script ftp* <target_IP>

3. Telnet

• Vulnerabilities: Plaintext transmission, weak/default credentials.

• Exploitation Tools: Hydra, Wireshark.

• Detection Command: nmap -p23 <target_IP>

4. DNS (Domain Name System)

• Vulnerabilities: Zone transfer, DNS cache poisoning.

• Exploitation Tools: dnsenum, dnsrecon.

• Detection Command: dig axfr @<DNS_server_IP> <target_domain>

5. RDP (Remote Desktop Protocol)

• Vulnerabilities: Weak credentials, MITM attacks.

• Exploitation Tools: Metasploit modules, rdp-check.

• Detection Command: nmap -p3389 <target_IP>

6. SSH (Secure Shell)

• Vulnerabilities: Weak credentials, misconfigured permissions.

• Exploitation Tools: Hydra, Ncrack.

• Detection Command: nmap -p22 <target_IP>

7. SNMP (Simple Network Management Protocol)

• Vulnerabilities: Default community strings, info leakage.

• Exploitation Tools: snmpwalk, onesixtyone.

• Detection Command: nmap -p161 --script snmp* <target_IP>

8. HTTP (Hypertext Transfer Protocol)

• Vulnerabilities: Directory traversal, outdated software.

• Exploitation Tools: Nikto, Burp Suite.

• Detection Command: nmap -p80,8080 --script http* <target_IP>

9. HTTPS (HTTP Secure)

• Vulnerabilities: Weak SSL/TLS configurations, expired certificates.

• Exploitation Tools: SSLScan, SSL Labs’ SSL Test.

• Detection Command: nmap -p443 --script ssl* <target_IP>

10. LDAP (Lightweight Directory Access Protocol)

• Vulnerabilities: Weak credentials, misconfigurations.

• Exploitation Tools: ldapsearch, Nmap.

• Detection Command: nmap -p389,636 <target_IP>

11. NTP (Network Time Protocol)

• Vulnerabilities: Amplification attacks, DDoS reflection.

• Exploitation Tools: NTP Amplification scripts, Metasploit.

• Detection Command: nmap -p123 --script ntp* <target_IP>

12. SMTP (Simple Mail Transfer Protocol)

• Vulnerabilities: Open relay, spoofing, weak credentials.

• Exploitation Tools: Hydra, Telnet.

• Detection Command: nmap -p25 --script smtp* <target_IP>

13. POP3 (Post Office Protocol 3)

• Vulnerabilities: Plaintext credentials, buffer overflow.

• Exploitation Tools: Hydra for brute-forcing, Wireshark.

• Detection Command: nmap -p110 --script pop3* <target_IP>

14. IMAP (Internet Message Access Protocol)

• Vulnerabilities: Plaintext credentials, information leakage.

• Exploitation Tools: Hydra, Nmap.

• Detection Command: nmap -p143 --script imap* <target_IP>

15. MySQL

• Vulnerabilities: Default credentials, SQL injection.

• Exploitation Tools: SQLmap, Hydra.

• Detection Command: nmap -p3306 --script mysql* <target_IP>

16. Oracle DB

• Vulnerabilities: Weak passwords, SQL injection.

• Exploitation Tools: ODAT (Oracle Database Attacking Tool), Metasploit.

• Detection Command: nmap -p1521 --script oracle* <target_IP>

17. VNC (Virtual Network Computing)

• Vulnerabilities: Weak/no authentication, plaintext transmission.

• Exploitation Tools: Ncrack, Hydra.

• Detection Command: nmap -p5900 <target_IP>

18. Kerberos

• Vulnerabilities: Weak encryption, ticket granting issues.

• Exploitation Tools: Kerbrute, Hashcat.

• Detection Command: nmap -p88 <target_IP>

19. RPC (Remote Procedure Call)

• Vulnerabilities: Portmap misconfigurations, DDoS vectors.

• Exploitation Tools: Metasploit modules, rpcclient.

• Detection Command: nmap -p111 --script rpcinfo <target_IP>

20. MSSQL (Microsoft SQL Server)

• Vulnerabilities: Weak credentials, SQL injection.

• Exploitation Tools: SQLmap, Metasploit.

• Detection Command: nmap -p1433 --script ms-sql* <target_IP>

Certainly! Here’s a list of 20 additional commonly targeted network services and protocols, each with unique vulnerabilities. This expanded list will help cover a broader range of potential entry points in network security.

---

20 Additional Vulnerable Network Services and Processes

1. NFS (Network File System)

• Vulnerabilities: Misconfigured file permissions, unauthorized access.

• Exploitation Tools: Metasploit, Nmap scripts.

• Detection Command: nmap -p2049 --script nfs* <target_IP>

2. RPCBind

• Vulnerabilities: Portmapper exploits, unauthorized remote procedure calls.

• Exploitation Tools: rpcclient, Metasploit.

• Detection Command: nmap -p111 --script rpc* <target_IP>

3. RMI (Remote Method Invocation)

• Vulnerabilities: Insecure deserialization, code execution.

• Exploitation Tools: JexBoss, Metasploit.

• Detection Command: nmap -p1099 <target_IP>

4. mDNS (Multicast DNS)

• Vulnerabilities: Amplification attacks, information leakage.

• Exploitation Tools: Nmap scripts, Scapy.

• Detection Command: nmap -p5353 <target_IP>

5. ISAKMP/IKE (Internet Key Exchange)

• Vulnerabilities: Weak encryption configurations, info leakage.

• Exploitation Tools: IKEScan, Metasploit.

• Detection Command: nmap -p500 --script ike* <target_IP>

6. Syslog

• Vulnerabilities: Data interception, log injection.

• Exploitation Tools: Wireshark, Logtamper.

• Detection Command: nmap -p514 <target_IP>

7. NetBIOS

• Vulnerabilities: SMB relay, unauthorized information disclosure.

• Exploitation Tools: NBTScan, Responder.

• Detection Command: nmap -p137,138 <target_IP>

8. Docker API

• Vulnerabilities: Open API ports, unauthorized access.

• Exploitation Tools: Docker Exploit Scripts, Nmap.

• Detection Command: nmap -p2375 <target_IP>

9. CIFS (Common Internet File System)

• Vulnerabilities: Misconfigured shares, info leakage.

• Exploitation Tools: smbclient, Metasploit.

• Detection Command: nmap -p445 --script smb* <target_IP>

10. HTTP Proxy

• Vulnerabilities: Open proxies, abuse for anonymous traffic.

• Exploitation Tools: Burp Suite, Metasploit.

• Detection Command: nmap -p8080 --script http-proxy <target_IP>

11. WMI (Windows Management Instrumentation)

• Vulnerabilities: Credential exposure, lateral movement.

• Exploitation Tools: CrackMapExec, Metasploit.

• Detection Command: wmic /node:<target_IP>

12. RPC over HTTP

• Vulnerabilities: Authentication bypass, data leakage.

• Exploitation Tools: Burp Suite, Metasploit.

• Detection Command: nmap -p593 <target_IP>

13. Modbus

• Vulnerabilities: Lack of authentication, command injection.

• Exploitation Tools: Scapy, Nmap.

• Detection Command: nmap -p502 --script modbus* <target_IP>

14. BGP (Border Gateway Protocol)

• Vulnerabilities: Route hijacking, data redirection.

• Exploitation Tools: BGP Hijack Scripts, Scapy.

• Detection Command: BGP queries with Scapy or Exabgp.

15. Kubernetes API

• Vulnerabilities: Open ports, privilege escalation.

• Exploitation Tools: kubectl, Metasploit.

• Detection Command: nmap -p6443 <target_IP>

16. DICOM (Digital Imaging and Communications in Medicine)

• Vulnerabilities: Unencrypted data, unauthorized access.

• Exploitation Tools: DICOM Exploit Scripts, Metasploit.

• Detection Command: nmap -p104 --script dicom* <target_IP>

17. Memcached

• Vulnerabilities: Amplification attacks, data leakage.

• Exploitation Tools: Memcrashed, Metasploit.

• Detection Command: nmap -p11211 <target_IP>

18. Redis

• Vulnerabilities: Default port exposure, unauthorized access.

• Exploitation Tools: Redis Exploit Scripts, Metasploit.

• Detection Command: nmap -p6379 <target_IP>

19. Cassandra

• Vulnerabilities: Weak access controls, information exposure.

• Exploitation Tools: Cassandra Exploit Scripts, Metasploit.

• Detection Command: nmap -p9042 <target_IP>

20. CoAP (Constrained Application Protocol)

• Vulnerabilities: Amplification attacks, data interception.

• Exploitation Tools: Scapy, CoAP Exploits.

• Detection Command: nmap -p5683 <target_IP>

---

---