Manual Post Exploitation on Windows PC (Network Command)


Hello friends!! Today you will learn how to enumerate network information from a Windows system once it has been compromised by an attacker.

Requirement
Attacker: Kali Linux
Target: Windows operating system

Open a Kali Linux terminal and type msfconsole in order to load the Metasploit framework. Now you need to compromise the victim's machine once to obtain a session of any type, either Meterpreter or shell; to do so you can read our previous article from here. For post exploitation we will need an Administrator-privileged shell, which can be found here.

Get Information about Network Cards
We can enumerate information about the Network Interface Cards using the systeminfo command.
Information that can be extracted:
Number of NIC cards, manufacturer of the NIC cards, model and type (wireless or LAN).
Command: systeminfo | findstr Network
From the image given below you can observe that 2 Network Interface Cards are installed.
Get MAC Address
ARP, or Address Resolution Protocol, maps an IP address to the MAC address of a device. Using the arp command we can enumerate the MAC addresses of other systems in the same network as the victim's system.
Here we are using [-a] to list all the entries of the ARP cache. Note that the cache only holds hosts the victim has recently exchanged traffic with, so it is a partial view of the subnet rather than a complete inventory.
Command: arp -a
From the image given below you can see the MAC addresses stored in the ARP table.
Get DNS Cache
We can enumerate the DNS resolver cache using the ipconfig command.
The DNS resolver cache is a temporary database maintained by the operating system. It contains records of all recent visits, or attempted visits, to websites and other internet domains. Failed lookups are cached as well and appear as "Name does not exist." entries.
Here we are using [/displaydns] to display the complete DNS cache.
Command: ipconfig /displaydns
From the image given below you can observe that the output contains the following fields:
Record Name: the name with which the DNS query was initiated
Record Type: a number representing the record type (1 for an IPv4 A record, 28 for an IPv6 AAAA record)
Time To Live: the time in seconds after which the cache entry will expire
Data Length: the length of the record data in bytes; an IPv4 address is 4 bytes and an IPv6 address is 16 bytes
A/AAAA Record: A is the IPv4 address record and AAAA is the IPv6 address record (four As because the address is four times the size of an IPv4 address)
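The field layout above is easier to work with once it is parsed into records instead of read by eye. The Python script below is an added example and not code from the original article: it parses a constructed ipconfig /displaydns dump, maps the numeric Record Type to its name, checks the Data Length rule stated above (4 bytes for A, 16 for AAAA), keeps the negatively cached "Name does not exist." entries, and follows a cached CNAME chain to its address. The function names, the FIELD_RE pattern and the sample cache text are assumptions made for this example; the sample mirrors the layout of a real Windows cache dump but its names and addresses are constructed.

```python
import re
from typing import Dict, List, Optional

# Numeric "Record Type" values as printed by ipconfig /displaydns (a subset of the DNS type codes)
RECORD_TYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX",
                16: "TXT", 28: "AAAA", 33: "SRV"}

# Matches "Key . . . . : value" lines; the key is everything before the dotted filler
FIELD_RE = re.compile(r"^\s*(?P<key>[^.:]+?)\s*(?:\.\s*)*:\s*(?P<val>.*?)\s*$")
META_KEYS = {"Record Name", "Record Type", "Time To Live", "Data Length", "Section"}

# Constructed sample dump (assumption: same layout as real ipconfig /displaydns output)
SAMPLE_CACHE = """\
Windows IP Configuration

    www.example.com
    ----------------------------------------
    Record Name . . . . . : www.example.com
    Record Type . . . . . : 1
    Time To Live  . . . . : 3509
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 203.0.113.5


    ipv6.example.com
    ----------------------------------------
    Record Name . . . . . : ipv6.example.com
    Record Type . . . . . : 28
    Time To Live  . . . . : 120
    Data Length . . . . . : 16
    Section . . . . . . . : Answer
    AAAA Record . . . . . : 2001:db8::1


    updates.example.net
    ----------------------------------------
    Record Name . . . . . : updates.example.net
    Record Type . . . . . : 5
    Time To Live  . . . . : 60
    Data Length . . . . . : 8
    Section . . . . . . . : Answer
    CNAME Record  . . . . : cdn.example.net


    Record Name . . . . . : cdn.example.net
    Record Type . . . . . : 1
    Time To Live  . . . . : 60
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 203.0.113.10


    typo.example.invalid
    ----------------------------------------
    Name does not exist.
"""


def _make_record(query: Optional[str], fields: Dict[str, str]) -> Dict:
    """Turn one group of "Key : value" fields into a record dict."""
    rtype = int(fields.get("Record Type", "0"))
    # The record data sits under a type-specific key such as "A (Host) Record" or "CNAME Record"
    data = next((v for k, v in fields.items() if k not in META_KEYS), None)
    return {"query": query, "negative": False, "name": fields.get("Record Name"),
            "type": rtype, "type_name": RECORD_TYPES.get(rtype, f"TYPE{rtype}"),
            "ttl": int(fields.get("Time To Live", "0")),
            "data_length": int(fields.get("Data Length", "0")),
            "section": fields.get("Section"), "data": data}


def parse_displaydns(text: str) -> List[Dict]:
    """Parse the dump line by line; the queried name is the line printed above the dashes."""
    entries: List[Dict] = []
    fields: Dict[str, str] = {}
    query: Optional[str] = None
    prev: Optional[str] = None            # last plain line seen, candidate query name
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        m = FIELD_RE.match(line)
        if m:
            key, val = m.group("key"), m.group("val")
            if key == "Record Name" and fields:   # a new record starts, flush the previous one
                entries.append(_make_record(query, fields))
                fields = {}
            fields[key] = val
        elif set(stripped) == {"-"}:              # separator: the previous line was the query
            if fields:
                entries.append(_make_record(query, fields))
                fields = {}
            query = prev
        elif "does not exist" in stripped:        # negatively cached lookup
            entries.append({"query": query, "negative": True})
        else:
            prev = stripped
    if fields:
        entries.append(_make_record(query, fields))
    return entries


def data_length_matches(entry: Dict) -> bool:
    """Check the rule from the article: an A record carries 4 bytes, an AAAA record 16."""
    expected = {"A": 4, "AAAA": 16}.get(entry["type_name"])
    return expected is None or entry["data_length"] == expected


def resolve_cached(entries: List[Dict], name: str, _seen=None) -> List[str]:
    """Return the cached addresses for name, following CNAME records held in the cache."""
    seen = _seen if _seen is not None else set()
    if name.lower() in seen:
        return []                                 # guard against CNAME loops
    seen.add(name.lower())
    addrs: List[str] = []
    for e in entries:
        if e["negative"] or e["name"].lower() != name.lower():
            continue
        if e["type_name"] in ("A", "AAAA"):
            addrs.append(e["data"])
        elif e["type_name"] == "CNAME" and e["data"]:
            addrs.extend(resolve_cached(entries, e["data"], seen))
    return addrs


if __name__ == "__main__":
    cache = parse_displaydns(SAMPLE_CACHE)
    for e in cache:
        if e["negative"]:
            print(f"{e['query']}: negative (name does not exist)")
        else:
            flag = "" if data_length_matches(e) else "  <-- data length mismatch"
            print(f"{e['name']:24} {e['type_name']:5} ttl={e['ttl']:<5} {e['data']}{flag}")
    print("updates.example.net ->", resolve_cached(cache, "updates.example.net"))
```

On a real system, feed the script the saved output of ipconfig /displaydns instead of SAMPLE_CACHE; the negative entries and the CNAME chains are the parts that are hardest to read in the raw dump and the easiest to overlook.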

Display all the Connections and Listening Ports on a System

While penetration testing a Remote PC, knowledge of all the connections and listening ports along with the process ID is essential so that we can migrate the session to another process if needed.
This can be done using the netstat command.
Here we are using following options with netstat command:
[-a] to display all connections and listening ports 
[-n] to display address and port number numerically
[-o] to display the Process ID
Syntax/Example: netstat -ano

Display All the TCP Connections
To enumerate all the TCP connections, we will use netstat command. Here we are using following options with netstat command:
[-a] to display all connections and listening ports 
[-n] to display addresses and port numbers in numeric form
We are going to use the findstr command to filter the connections that mention TCP.
Command: netstat -na | findstr TCP
From the image given below you can observe the state of each TCP connection, i.e. LISTENING, ESTABLISHED and CLOSE_WAIT, on its respective port number.
Display All the UDP Connections
To enumerate all the UDP connections, we will use netstat command. Here we are using following options with netstat command:
[-a] to display all connections and listening ports 
[-n] to display addresses and port numbers in numeric form
We are going to use the find command to filter the connections that mention UDP.
Syntax/Example: netstat -na | find "UDP"
Similarly, from the image given below you can observe that the State column of every UDP entry is blank and the foreign address is shown as *:*, which means no UDP connection is established (UDP is connectionless, so netstat never shows a state for it; the entries are simply the UDP ports the system has bound).

Display All the Established Connections

While penetration testing a Remote PC, knowledge of all Established connections and listening ports is also essential. This can be done using netstat command.
Here we are using following options with netstat command:
[-n] to display addresses and port numbers in numeric form
[-a] to display all connections and listening ports 
We are going to use the find command to filter the connections whose state is ESTABLISHED.
Command: netstat -na | find "ESTABLISHED"
From the image given below you can observe that it shows each established TCP connection with its source IP and port and its destination IP and port.
Display the Routing Tables
While penetration testing a Remote PC, knowledge of the routing tables is essential, because a routing table records the routes chosen by the routing algorithm as the preferred routes for packet forwarding, together with the netmask and gateway of each route.
The output contains the Interface List, the IPv4 Route Table, Persistent Routes and the IPv6 Route Table.
This can be done using the netstat command.
Here we are using following options with netstat command:
[-n] to display addresses and port numbers in numeric form
[-r] to display the routing table
Command: netstat -nr
The built-in route print command shows the same table.
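Reading the IPv4 Route Table by hand means finding, for a given destination, the most specific matching row and then its gateway and interface. The Python script below is an added example and not code from the original article: it parses a constructed netstat -nr dump into routes with the ipaddress module, performs that longest-prefix lookup (lowest metric breaks ties), and reports the next hop, which is the gateway for routed destinations and the destination itself for On-link routes. The function names and the sample table are assumptions for this example; the sample follows the layout of real netstat -nr output but its addresses and interface names are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Route:
    network: ipaddress.IPv4Network
    gateway: str     # "On-link" means the destination is directly reachable on the interface
    interface: str   # local address of the interface the route uses
    metric: int


# Constructed sample (assumption: same layout as real netstat -nr / route print output)
SAMPLE_ROUTES = """\
===========================================================================
Interface List
 12...00 0c 29 3e 5a 10 ......Example Gigabit Network Connection
  1...........................Software Loopback Interface 1
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.20     25
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
      192.168.1.0    255.255.255.0         On-link      192.168.1.20    281
     192.168.1.20  255.255.255.255         On-link      192.168.1.20    281
    192.168.1.255  255.255.255.255         On-link      192.168.1.20    281
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link      192.168.1.20    281
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    331 ::1/128                  On-link
===========================================================================
Persistent Routes:
  None
"""


def parse_ipv4_routes(text: str) -> List[Route]:
    """Collect the rows of the IPv4 Route Table section; other sections are ignored."""
    routes: List[Route] = []
    in_v4 = False
    for line in text.splitlines():
        if line.startswith("IPv4 Route Table"):
            in_v4 = True
            continue
        if line.startswith("IPv6 Route Table"):
            break
        if not in_v4:
            continue
        parts = line.split()
        if len(parts) != 5:             # headers, separators and "Persistent Routes" lines
            continue
        try:
            # "destination/netmask" with a dotted mask is accepted by IPv4Network
            net = ipaddress.IPv4Network(f"{parts[0]}/{parts[1]}", strict=False)
            metric = int(parts[4])
        except ValueError:
            continue
        routes.append(Route(net, parts[2], parts[3], metric))
    return routes


def lookup(routes: List[Route], ip: str) -> Optional[Route]:
    """Longest-prefix match, as the kernel does; lowest metric wins among equal prefixes."""
    addr = ipaddress.IPv4Address(ip)
    candidates = [r for r in routes if addr in r.network]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.network.prefixlen, r.metric))


def next_hop(routes: List[Route], ip: str) -> Optional[str]:
    """The address the packet is actually sent to: the gateway, or ip itself when On-link."""
    r = lookup(routes, ip)
    if r is None:
        return None
    return ip if r.gateway == "On-link" else r.gateway


def default_gateways(routes: List[Route]) -> List[str]:
    """Gateways of the 0.0.0.0/0 routes, i.e. where all non-local traffic leaves."""
    return [r.gateway for r in routes if r.network.prefixlen == 0]


if __name__ == "__main__":
    table = parse_ipv4_routes(SAMPLE_ROUTES)
    print("default gateway(s):", default_gateways(table))
    for dest in ("8.8.8.8", "192.168.1.50", "127.0.0.1"):
        r = lookup(table, dest)
        print(f"{dest:14} via {r.network!s:20} gw={r.gateway:12} if={r.interface:14} next hop={next_hop(table, dest)}")
```

The interface column is the local address netstat prints for the route, so matching it against the ipconfig output shown later in the article tells you which adapter carries a given destination.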
Get Executables Which Created Connections
While penetration testing a Remote PC, knowledge of which executable created each connection or listening port, together with the addresses, port numbers and owning process ID, is very essential because it tells the attacker which program is behind each connection and port.
This can be done using the netstat command.
Here we are using following options with netstat command:
[-b] to display the executable involved in creating each connection or listening port (this option needs an elevated shell and can take a while to complete)
[-a] to display all connections and listening ports
[-n] to display addresses and port numbers in numeric form
[-o] to display the owning process ID associated with each connection
Command: netstat -bano
From the image given below you can observe that it shows the name of the running service or executable behind each port.
Get All the Adapters
We can enumerate all the adapters connected to the victim’s system by using ipconfig command.
As the output of the ipconfig command is very long, we will use the findstr command to filter out only the lines about the adapters.
Command: ipconfig | findstr adapter
Get All the Addresses
We can enumerate all the address including IPv4 and IPv6 by using ipconfig command.
As the output of the ipconfig command is very long, we will use the findstr command to filter out only the lines containing an address.
Command: ipconfig | findstr Address

Get the Basic Config Details
We can get the basic network configuration of the victim's system, and of the network it is connected to, through the ipconfig command.
[/all] is used to display the full ipconfig information.
Syntax: ipconfig /all
The victim system is connected to Wi-Fi, so its properties can be viewed below.
Things to enumerate:
Adapter name, model, type, MAC address, IPv4 address, IPv6 address, subnet mask, DHCP server, default gateway and much more.
Ping Sweep
Ping Sweep is a networking technique to find the active hosts within a range of IP addresses on the network.
IP addresses from which we get a reply are active; the rest are not.
Command: for /L %i in (100,1,225) do ping 192.168.1.%i | findstr TTL
Here (100,1,225) means start at 100, step by 1 and stop at 225, so the loop pings 192.168.1.100 through 192.168.1.225 in turn; findstr TTL keeps only the reply lines, since every reply carries a TTL value. If you put this loop in a batch file, write %%i instead of %i.
From the image given below you can observe the results of multiple ping responses in the network from the ping command loop.
UDP statistics
In order to obtain statistics for UDP traffic on the system we can execute the given command, which summarises the UDP datagrams sent and received (UDP is connectionless, so these are per-datagram counters rather than per-connection ones).
Command: netstat -s -p udp
[-s] displays per-protocol statistics
[-p] selects the protocol, here udp
From the image given below you can observe that it shows details such as datagrams received, receive errors, etc.
TCP statistics
In order to obtain statistics for TCP connections we can execute the given command, which summarises the TCP traffic sent and received.
Command: netstat -s -p TCP
[-s] displays per-protocol statistics
[-p] selects the protocol, here TCP
From the image given below you can observe that it shows details such as segments received, failed connection attempts, reset connections, etc.
Display Connections Sorted by Port
Options Used:
[-a]: to display all connections and listening ports
[-n]: to display addresses and port numbers numerically
[-o]: to display the owning process ID with each connection
We are using findstr to filter the result for port 443. Note that findstr 443 is a plain substring match on the whole line, so it also matches a line in which 443 appears inside an IP address or a process ID; check the Local Address and Foreign Address columns before trusting a hit.
Command: netstat -ano | findstr 443
From the image given below you can observe that it shows the TCP connection state only for port 443.
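The netstat -ano sections above (all connections, the TCP and UDP views, the ESTABLISHED filter and this port filter) all work on the same five-column output, so one parser serves them all. The Python script below is an added example and not code from the original article: it parses a constructed netstat -ano dump into records, reproduces the TCP/UDP, state and listening-port views, and contrasts an exact port match with the substring behaviour of findstr by including a decoy line whose process ID contains 443. The function names and the sample output are assumptions for this example; the sample follows the column layout of real netstat -ano output but its addresses and PIDs are constructed.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Conn:
    proto: str
    local_host: str
    local_port: str
    foreign_host: str
    foreign_port: str
    state: Optional[str]   # None for UDP: netstat prints no State column for it
    pid: int


# Constructed sample (assumption: column layout of netstat -ano on Windows 10)
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       876
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:49721     203.0.113.44:443       ESTABLISHED     5120
  TCP    192.168.1.20:49733     203.0.113.44:443       CLOSE_WAIT      5120
  TCP    192.168.1.20:49800     198.51.100.9:80        ESTABLISHED     4432
  TCP    [::]:135               [::]:0                 LISTENING       876
  UDP    0.0.0.0:5353           *:*                                    2200
  UDP    [::1]:1900             *:*                                    2200
"""


def _split_addr(addr: str) -> Tuple[str, str]:
    """Split "host:port"; IPv6 hosts are bracketed, and "*:*" yields ("*", "*")."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), port


def parse_netstat_ano(text: str) -> List[Conn]:
    """TCP rows carry five columns, UDP rows four (no state); everything else is skipped."""
    conns: List[Conn] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP":
            proto, local, foreign, state, pid = parts
        elif len(parts) == 4 and parts[0] == "UDP":
            proto, local, foreign, pid = parts
            state = None
        else:
            continue                       # banner, column header, blank lines
        lh, lp = _split_addr(local)
        fh, fp = _split_addr(foreign)
        conns.append(Conn(proto, lh, lp, fh, fp, state, int(pid)))
    return conns


def by_protocol(conns: List[Conn], proto: str) -> List[Conn]:
    """Equivalent of netstat -na | findstr TCP (or UDP), but on the Proto column only."""
    return [c for c in conns if c.proto == proto]


def by_state(conns: List[Conn], state: str) -> List[Conn]:
    """Equivalent of netstat -na | find "ESTABLISHED"."""
    return [c for c in conns if c.state == state]


def listening_sockets(conns: List[Conn]) -> List[Tuple[str, int, int]]:
    """(proto, port, pid) for every TCP listener and every bound UDP port, deduplicated."""
    return sorted({(c.proto, int(c.local_port), c.pid)
                   for c in conns if c.state == "LISTENING" or c.proto == "UDP"})


def on_port(conns: List[Conn], port: int) -> List[Conn]:
    """Exact match on the local or foreign port, unlike a findstr substring match."""
    p = str(port)
    return [c for c in conns if p in (c.local_port, c.foreign_port)]


def findstr_lines(text: str, needle: str) -> List[str]:
    """What findstr <needle> would print: every line containing the text anywhere."""
    return [line for line in text.splitlines() if needle in line]


def connections_per_pid(conns: List[Conn]) -> Dict[int, int]:
    """How many sockets each process owns, useful when choosing a process to inspect."""
    return dict(Counter(c.pid for c in conns))


if __name__ == "__main__":
    conns = parse_netstat_ano(SAMPLE_NETSTAT)
    print("established:", [(c.foreign_host, c.foreign_port, c.pid) for c in by_state(conns, "ESTABLISHED")])
    print("listening:", listening_sockets(conns))
    print("exact port 443:", len(on_port(conns, 443)), "rows")
    print("findstr 443:", len(findstr_lines(SAMPLE_NETSTAT, "443")), "lines (includes PID 4432 decoy)")
```

The difference between on_port and findstr_lines on the sample is the point of the caveat above: the decoy row with PID 4432 is returned by the substring match but not by the exact port match.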
Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester Contact here
