. Hope it will help your exam. Study Resources. At this point in time, if you can use anonymous sessions, then there are some very useful commands within the tool. We will also take advantage of null authentication enabled with rpcclient to enumerate usernames.. If this is successful, ping displays the corresponding hostname. 1. ftp 192.168.1.101 nc 192.168.1.101 21. (smbclient,rpcclient,nmblookup - Patched to fix issues with polenum, enum4linux, and restoring smbclient connection output. Breaking in involved many of the normal enumeration and privilege escalation techniques that are used against Windows machines, but some tweaks by the administrator made it more challenging to find out how to even begin. #rpcclient -U "" 192.168.1.2 ///when asked enter empty password #rpcclient $>srvinfo #rpcclient $>enumdomusers #rpcclient $>querydominfo #rpcclient $>getdompwinfo //password policy #rpcclient $>netshareenum #nmblookup -A 192.168.1.1 #rpcinfo -p <target> Enumerate using smbclinet: #smbclient -L //192.168.1.2 Enumerating Windows Domains with rpcclient through SocksProxy ... It can also read the NetBIOS name cache. rpcclient -U "" target // connect as blank user /nobody smbmap -u "" -p "" -d MYGROUP -H <target ip> == NetBIOS NullSession enumeration == # This feature exists to allow unauthenticated machines to obtain browse lists from other # Microsoft servers. Useful things to Install - Rowbot's PenTest Notes RPC (135) 1 rpcdump.py 10.11.1.121 -p 135 2 rpcdump.py 10.11.1.121 -p 135 | grep ncacn_np // get pipe names 3 4 rpcmap.py ncacn_ip_tcp:10.11.1.121[135] Copied! Doing these VMs and creating write-ups should give a good amount of practice before I start with the actual PWK1 course. Enumeration and Gain access. NetBIOS enumeration and exploitation - Ivan's IT learning blog Kioptrix 4 The Kioptrix series consist of multiple beginner boot2root VMs with multiple ways to gain a root shell2. You can also use rpcclient to enumerate the share. This makes reading the data easier. SMB Server Enumeration - Hacker's In Flight Guide rpcclient>getdompwinfo SMTP http://blog.cobaltstrike.com/2013/10/03/email-delivery-what-pen-testers-should-know/ SMTP Enumeration Connect to port 25 using nc and use VRFY <username> for user existence HELO - This is the command that the client sends to the server to initiate a conversation. HACKTRONIAN - OSCP Resources We're told there's one public IP 10.130.40.70 and the rest of the organisation's machines are in the private IP subnet 172.30.111./24 accessible to 10.130.40.70 via IPSec. Brief@Fuse:~$ Got few usernames from the files from the website itself and making a custom wordlist from the website itself using cewl . Machines Similar to OSCP. We can also use the ping command to detect the hostname of an SMB server or machine. Main Menu; by School . NB: Samba servers often seem to have RIDs in the range 3000-3050. 1 smbclient -L //10.10.10.3/ --option='client min protocol=NT1' 2 3 # if getting error "protocol negotiation failed: NT_STATUS_CONNECTION_DISCONNECTED" Copied! Start a Wireshark capture. It also includes the commands that I used on platforms such as Vulnhub and Hack the Box. I just left this as is and made a bigger cheatsheet on top of this, which is this site.