
 BASIC  NETWORK  ENUMERATION  USING  METASPLOIT  

 1.  NETWORK  DISCOVERY    

 

Network enumeration is the discovery of hosts/devices on a network. Network enumeration tends to use overt discovery protocols such as ICMP and SNMP to gather information. It may also scan various ports on remote hosts, looking for well-known services, in an attempt to further identify the function of a remote host.

 DB_NMAP  

Using the ‘db_nmap’ command to run an Nmap scan against the target network saves the scan results automatically in the database. 

Once the Nmap scan has completed, we can query the database for the hosts discovered using the ‘hosts’ command.

Likewise, we can query the database for the services running on the discovered hosts using the ‘services’ command.

 2.  SMB  VERSION  SCANNING    

 

Now that we have determined which hosts are available on the network, we can attempt to determine which operating system and service pack each of them is running. This will help us narrow down our attacks to target a specific system and will stop us from wasting time on those that aren’t vulnerable to a particular exploit.

Since there are a few systems in our scan that have port 445 open, we will use the ‘smb_version’ module to determine which version of Windows is running on a target and which Samba version is on a Linux host.


SMB (Server Message Block) is a common file sharing protocol on Windows. SMB works through a client-server approach, where a client makes specific requests and the server responds accordingly. One section of the SMB protocol specifically deals with access to filesystems, such that clients may make requests to a file server; other sections of the SMB protocol specialize in inter-process communication (IPC). The Inter-Process Communication (IPC) share, or IPC$, is a network share on computers running Microsoft Windows. This virtual share is used to facilitate communication between processes and computers over SMB, often to exchange data between computers that have been authenticated.

 SMB_VERSION Module  

smb_version is an auxiliary scanning module and can be quickly located using ‘search smb_version’.

The smb_version detection module displays the OS and version information for each system specified in RHOSTS.

Once the smb_version scanning module has completed, run the ‘hosts’ command to display more information about the target hosts.

Some ‘services’ queries can speed up your network discovery process. Below we are querying to find the service named ‘domain’ that is up and running on the target.

  -s   [ service name ]  -u    [ up ]  -R    [ IP address of target ]

We are querying to find target hosts with port 445 open on the target network.

 ARP SWEEP  

ARP (Address Resolution Protocol) is a protocol used by the Internet Protocol (IP), specifically IPv4, to map an IP network address to the hardware address used by a data link protocol. 

 

When you try to ping an IP address on your local network, say 192.168.1.1, your system has to turn the IP address 192.168.1.1 into a MAC address. This involves using ARP to resolve the address, hence its name. Systems keep an ARP look-up table where they store information about what IP addresses are associated with what MAC addresses. When trying to send a packet to an IP address, the system will first consult this table to see if it already knows the MAC address. If there is a value cached, ARP is not used. If the IP address is not found in the ARP table, the system will then send a broadcast packet to the network using the ARP protocol to ask "who has 192.168.1.1". Because it is a broadcast packet, it is sent to a special MAC address that causes all machines on the network to receive it. Any machine with the requested IP address will reply with an ARP packet that says "I am 192.168.1.1", and this includes the MAC address which can receive packets for that IP.
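To make the request/reply exchange just described concrete, here is an added Python example (it is not part of the original page and not Metasploit code) that encodes and decodes Ethernet/ARP frames and shows what a host's ARP look-up table, or an ARP sweep's host list, learns from a reply. The MAC and IP addresses used in it are constructed sample values.

```python
import struct

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"   # destination of every ARP request
ETH_P_ARP = 0x0806                    # EtherType that marks an ARP payload
ARP_REQUEST, ARP_REPLY = 1, 2         # ARP opcodes

def mac_to_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))
def bytes_to_mac(b):
    return ":".join(f"{x:02x}" for x in b)
def ip_to_bytes(ip):
    return bytes(int(x) for x in ip.split("."))
def bytes_to_ip(b):
    return ".".join(str(x) for x in b)

def build_arp_frame(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying ARP (hardware=Ethernet, protocol=IPv4).
    A request ("who has target_ip?") is broadcast; a reply is unicast."""
    dst = BROADCAST_MAC if op == ARP_REQUEST else target_mac
    eth = mac_to_bytes(dst) + mac_to_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # htype, ptype, hlen, plen, opcode
    arp += mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)
    arp += mac_to_bytes(target_mac) + ip_to_bytes(target_ip)
    return eth + arp

def parse_arp_frame(frame):
    """Decode an Ethernet/ARP frame; None if it is not Ethernet/IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": {ARP_REQUEST: "request", ARP_REPLY: "reply"}.get(op, op),
        "sender_mac": bytes_to_mac(frame[22:28]),
        "sender_ip": bytes_to_ip(frame[28:32]),
        "target_mac": bytes_to_mac(frame[32:38]),
        "target_ip": bytes_to_ip(frame[38:42]),
        "broadcast": bytes_to_mac(frame[0:6]) == BROADCAST_MAC,
    }

def learn_from_reply(table, frame):
    """What the ARP table (or a sweep's host list) learns from one reply:
    the replying host's IP -> MAC. Requests and non-ARP frames teach nothing."""
    p = parse_arp_frame(frame)
    if p and p["op"] == "reply":
        table[p["sender_ip"]] = p["sender_mac"]
    return table
```

A request for 192.168.1.1 carries all-zero target MAC bytes because that is exactly what the sender does not yet know; the reply fills the sender fields with the answering host's MAC, which is the value the ‘hosts’ table ends up showing after an ARP sweep.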

The auxiliary/scanner/discovery/arp_sweep module enumerates live hosts on the local network using ARP requests; the results are saved automatically in the database. 

Once the module has completed the sweep, it stores the information in the database, which can be queried using the ‘hosts’ command. As you can see, it has populated the mac address field and found a new device, 21.1.2.1.

 3.  NETWORK  ROUTE  MAPPING   

 

Network route mapping is very important if you are doing the pen testing remotely; it enables a pentester to find out the ingress and egress IP addresses, the network hops and the devices in between the attack box and the target.

 Ping  

A network route can be mapped using a simple command like ping if ICMP is allowed through the routing devices. Ping is a computer network administration software utility used to test the reachability of a host on an Internet Protocol (IP) network. It measures the round-trip time for messages sent from the originating host to a destination computer that are echoed back to the source. Ping operates by sending Internet Control Message Protocol (ICMP) Echo Request packets to the target host and waiting for an ICMP Echo Reply. The program reports errors, packet loss, and a statistical summary of the results, typically including the minimum, maximum and mean round-trip times, and the standard deviation of the mean.
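As an added Python example (not from the original page), here is the Echo Request/Reply format ping relies on: the header layout, the checksum both ends compute, the identifier/sequence matching that pairs a reply with the probe it answers, and the min/avg/max/mdev summary line. The identifier, sequence numbers, payload and RTT values are constructed sample inputs.

```python
import struct

ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0   # ICMP type field values

def internet_checksum(data):
    """RFC 1071 checksum: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"                     # pad an odd trailing byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_echo(icmp_type, ident, seq, payload):
    """ICMP echo packet: type, code 0, checksum, identifier, sequence, payload."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = internet_checksum(header + payload)   # computed with checksum field = 0
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload

def parse_echo(packet):
    """Decode an ICMP echo packet; None if truncated or the checksum fails
    (summing a valid packet including its checksum field yields zero)."""
    if len(packet) < 8 or internet_checksum(packet) != 0:
        return None
    icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {"type": icmp_type, "id": ident, "seq": seq, "payload": packet[8:]}

def match_reply(request, reply):
    """A reply is accepted only if it echoes the request's identifier, sequence
    and payload; this is how ping pairs replies with the probes it sent."""
    q, r = parse_echo(request), parse_echo(reply)
    return (q is not None and r is not None
            and q["type"] == ICMP_ECHO_REQUEST and r["type"] == ICMP_ECHO_REPLY
            and (q["id"], q["seq"], q["payload"]) == (r["id"], r["seq"], r["payload"]))

def rtt_summary(rtts_ms):
    """min/avg/max/mdev of the round-trip times, as ping's summary line reports
    them (mdev here is the population standard deviation)."""
    n = len(rtts_ms)
    avg = sum(rtts_ms) / n
    mdev = (sum((x - avg) ** 2 for x in rtts_ms) / n) ** 0.5
    return min(rtts_ms), avg, max(rtts_ms), mdev
```

When ICMP is filtered by a device on the path, no reply ever passes match_reply and the probe is counted as packet loss, which is why the text notes that this mapping only works where ICMP is allowed through.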
