Fundamentals of Penetration Testing

Mapping the attack surface (Enumeration)

Medium
45 min

The start-up of the scenario lab takes a while, so you can start it from the bottom of the page now and read the module in the meantime.

Initial mapping of network hosts and ports with Nmap, RPC and SMB

Start by scanning the network with nmap. You can use the following options, for example:

  • -O: Attempt to identify the operating system
  • -sS: Use SYN scanning
  • -sV: Probe open ports to identify the network service and its version
  • 10.0.0.0/24: Company network IP range (addresses 10.0.0.0-10.0.0.255).

In addition, perform a lightweight UDP scan, but for the sake of time target only port 137. In a real client engagement you would allocate the time, get comfortable, and scan all ports.

Notes with CherryTree

Your Kali Linux workstation has a program called CherryTree installed. You can use it for taking notes during the scenario. Open CherryTree, create a new node called "Enumeration" and inside it, create a new node called "Nmap" and copy-paste the results of Nmap from the terminal to the node.

Decoding Nmap results

The results reveal two interesting targets, 10.0.0.2 (dc1.evilcorp.local) and 10.0.0.3 (iis.evilcorp.local).

DC1 is clearly a domain controller and IIS1 is a web server.
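Reading the results off the terminal works for two hosts, but a scan of a whole /24 is easier to decode (and to paste into the CherryTree "Nmap" node) from Nmap's grepable output. The following is an added example, not part of the original module: it parses the `-oG` format that `nmap -O -sS -sV -oG scan.gnmap 10.0.0.0/24` (and `nmap -sU -p 137 -oG udp.gnmap 10.0.0.0/24`) writes, and lists open ports and version strings per host. The sample output embedded below is constructed for this example; its hostnames and ports follow the module, but the service version strings (including the IIS one) are placeholders, not the lab's actual answers.

```python
"""Parse Nmap grepable (-oG) output into a per-host table of open ports and versions."""
import re
from dataclasses import dataclass, field

# Constructed sample of what `nmap -O -sS -sV -oG scan.gnmap 10.0.0.0/24` plus a
# `nmap -sU -p 137 -oG udp.gnmap 10.0.0.0/24` run could write. Version strings are
# placeholders, not real lab output.
SAMPLE_GNMAP = """\
# Nmap scan initiated (constructed sample, not real lab output)
Host: 10.0.0.2 (dc1.evilcorp.local)\tStatus: Up
Host: 10.0.0.2 (dc1.evilcorp.local)\tPorts: 135/open/tcp//msrpc//Microsoft Windows RPC/, 139/open/tcp//netbios-ssn//Microsoft Windows netbios-ssn/, 445/open/tcp//microsoft-ds///, 593/open/tcp//ncacn_http//Microsoft Windows RPC over HTTP 1.0/, 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/\tIgnored State: closed (995)
Host: 10.0.0.3 (iis.evilcorp.local)\tStatus: Up
Host: 10.0.0.3 (iis.evilcorp.local)\tPorts: 80/open/tcp//http//Microsoft IIS httpd VERSION-PLACEHOLDER/, 135/open/tcp//msrpc//Microsoft Windows RPC/\tIgnored State: closed (998)
Host: 10.0.0.2 (dc1.evilcorp.local)\tPorts: 137/open/udp//netbios-ns//Microsoft Windows netbios-ns/
# Nmap done (constructed sample)
"""


@dataclass
class Port:
    number: int
    proto: str
    state: str
    service: str
    version: str


@dataclass
class Host:
    ip: str
    hostname: str
    ports: list = field(default_factory=list)


HOST_RE = re.compile(r"^Host: (?P<ip>\S+) \((?P<name>[^)]*)\)")


def parse_gnmap(text):
    """Return {ip: Host}. Grepable lines are tab-separated fields; the 'Ports:' field
    holds comma-separated entries of the form port/state/proto/owner/service/rpcinfo/version/."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines ("# Nmap ...") and blanks
        host = hosts.setdefault(m["ip"], Host(m["ip"], m["name"]))
        for fld in line.split("\t"):
            if not fld.startswith("Ports: "):
                continue
            for entry in fld[len("Ports: "):].split(", "):
                # nmap replaces '/' inside a version string with '|', so splitting on '/' is safe
                parts = entry.split("/")
                number, state, proto, _owner, service, _rpcinfo, version = parts[:7]
                host.ports.append(Port(int(number), proto, state, service, version))
    return hosts


def open_ports(host):
    """Open ports of one host as 'port/proto' strings, in scan-output order."""
    return ["%d/%s" % (p.number, p.proto) for p in host.ports if p.state == "open"]


def service_version(host, number, proto="tcp"):
    """Version string nmap -sV attached to a port, '' if it found none, None if the port is absent."""
    for p in host.ports:
        if p.number == number and p.proto == proto:
            return p.version
    return None


def summarize(hosts):
    """Plain-text table suitable for pasting into the CherryTree 'Nmap' node."""
    lines = []
    for h in hosts.values():
        lines.append("%s (%s)" % (h.ip, h.hostname))
        for p in h.ports:
            if p.state == "open":
                lines.append("  %5d/%-3s %-14s %s" % (p.number, p.proto, p.service, p.version))
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(parse_gnmap(SAMPLE_GNMAP)))
```

On the real scan, replace `SAMPLE_GNMAP` with the contents of the `.gnmap` file; `service_version(host, 80)` then gives the IIS version string the exercise asks for.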

On the DC1 server, several ports typical for the Windows environment are open. In this scenario, the following are relevant:

135/tcp, 593/tcp: epmapper

MS-RPC

MSRPC (Microsoft Remote Procedure Call) is a protocol developed by Microsoft that enables communication between applications on different computers.

For example, a Windows server could expose an RPC service called "Addition" on TCP port 49502; a client would use it by connecting to that port and calling a function, which is then executed on the server.

Epmapper

RPC services are typically offered on such "dynamic" (varying) ports in the range 49152-65535. For a client to find out where a particular service is currently available, some kind of directory is needed that can be asked "on which port can this AddTogether service be found?".

That directory is what ports 135 and 593 provide. Epmapper (MS-RPC EndPoint Mapper) is a network service that listens on TCP ports 135 and 593. The difference is that port 593 serves the protocol over HTTP; the protocol itself is the same.

So the epmapper works as a resolver for MSRPC services: when an application wants to connect to an MSRPC service, it sends a query to the RPC endpoint mapper port, and the endpoint mapper responds by indicating the TCP port on which the requested MSRPC service is listening.

impacket-rpcdump

Your workstation contains a tool called "impacket-rpcdump" with which you can try to fetch RPC services listed by the epmapper from a Windows server.

If you look at the same with Wireshark, you will notice TCP traffic to port 135, which Wireshark has identified as DCE/RPC Endpoint Mapper traffic.


And the answer:

RPC also works over SMB

The RPC service is not always found on a dynamic TCP port. The service can also sit behind a named pipe, which is reached over the SMB protocol, in which case ports 139 and 445 are used.
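The endpoint mapper hands back its answers as DCE/RPC string bindings, whose standard syntax is `[object_uuid@]protocol_sequence:network_address[endpoint]`. The following added example (not code from the module or from impacket) parses that syntax and classifies each binding by how a client would have to reach it: a dynamic TCP port resolved through 135/tcp, a fixed port, a named pipe over SMB on 445/tcp or 139/tcp, RPC over HTTP, or a local-only endpoint that is not reachable over the network at all. The sample bindings, the `DC1` address, the UUID and the `LRPC-constructed-sample` endpoint are constructed for the example.

```python
"""Parse DCE/RPC string bindings and classify them by the transport needed to reach them."""
import re
from collections import defaultdict

# Standard string-binding syntax: [object_uuid@]protocol_sequence:network_address[endpoint]
BINDING_RE = re.compile(
    r"^(?:(?P<uuid>[0-9A-Fa-f-]{36})@)?"
    r"(?P<protseq>[A-Za-z_]+):(?P<addr>[^\[]*)\[(?P<endpoint>[^\]]*)\]$"
)
DYNAMIC_PORTS = range(49152, 65536)  # the "dynamic" range the module describes

# Constructed sample in the shape an endpoint-mapper listing (e.g. impacket-rpcdump) returns.
# \pipe\svcctl is the well-known Service Control Manager pipe; the host name is an assumption.
SAMPLE_BINDINGS = [
    "ncacn_ip_tcp:10.0.0.2[49664]",
    r"ncacn_np:\\DC1[\pipe\svcctl]",
    "ncacn_http:10.0.0.2[593]",
    "ncalrpc:[LRPC-constructed-sample]",
    "ncacn_ip_tcp:10.0.0.2[135]",
]


def parse_binding(binding):
    """Split one string binding into uuid (may be None), protseq, addr and endpoint."""
    m = BINDING_RE.match(binding.strip())
    if not m:
        raise ValueError("not a DCE/RPC string binding: %r" % binding)
    return m.groupdict()


def classify(binding):
    """Describe what a client needs in order to reach this binding."""
    b = parse_binding(binding)
    seq, ep = b["protseq"], b["endpoint"]
    if seq == "ncacn_ip_tcp":
        port = int(ep)
        if port in DYNAMIC_PORTS:
            return "dynamic TCP port %d (located via the endpoint mapper on 135/tcp)" % port
        return "fixed TCP port %d" % port
    if seq == "ncacn_np":
        return "named pipe %s over SMB (445/tcp, or 139/tcp via NetBIOS)" % ep
    if seq == "ncacn_http":
        return "RPC over HTTP on port %s (593/tcp is the endpoint mapper's HTTP port)" % ep
    if seq == "ncalrpc":
        return "local RPC only, not reachable over the network"
    return "other protocol sequence %s" % seq


def group_by_transport(bindings):
    """{protocol_sequence: [endpoint, ...]} in listing order."""
    groups = defaultdict(list)
    for binding in bindings:
        b = parse_binding(binding)
        groups[b["protseq"]].append(b["endpoint"])
    return dict(groups)


def network_reachable(bindings):
    """Bindings that matter for the attack surface: everything except local-only ncalrpc."""
    return [b for b in bindings if parse_binding(b)["protseq"] != "ncalrpc"]


if __name__ == "__main__":
    for binding in SAMPLE_BINDINGS:
        print("%-40s -> %s" % (binding, classify(binding)))
```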

139/tcp, 445/tcp: SMB

SMB (Server Message Block) is a protocol widely used in Windows environments, primarily used for three purposes:

  • For sharing files
  • For printer sharing
  • Named pipes (IPC, Inter-Process Communication) for communication between processes.

SMB operates directly over TCP port 445.

The SMB protocol is also accessible on TCP port 139, where it is served over NBT (NetBIOS over TCP/IP). NetBIOS is an old protocol that is kept available for SMB mainly to support very old devices on the network, such as Windows XP machines. It is nevertheless enabled by default whenever SMB is enabled.

137/udp, NetBIOS Name Service

NetBIOS name service is a protocol used for resolving the NetBIOS names of computers on the network. It is part of the older Windows network environment, but is still enabled by default on newer Windows servers. The NetBIOS name service allows computers to be identified by their NetBIOS names, which can be up to 15 characters long.

nbtscan

The NetBIOS name service can also be used to investigate Windows networks. Your workstation has a tool called "nbtscan" that sends NetBIOS name queries to all the desired IP addresses and outputs the responses in a table.

Again, if we look at it with Wireshark, we can see UDP traffic to port 137, which Wireshark correctly identifies as NetBIOS name service NBSTAT queries. NBSTAT roughly means "introduce yourself".
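What nbtscan shows in its table comes from the node status (NBSTAT) response: a list of names, each 15 characters plus a 16th "suffix" byte that says what the name is (workstation, file server, domain controllers group, and so on), followed by the MAC address. The following added example, not code from the module or from nbtscan, shows the NetBIOS first-level name encoding that Wireshark displays for the wildcard query, builds a constructed response in the shape a Windows host returns, and parses it back into the columns nbtscan prints. The names `DC1`/`EVILCORP` and the MAC address in the sample are constructed for the example.

```python
"""NetBIOS name encoding and node-status (NBSTAT) response parsing over UDP/137 datagrams."""
import struct
from dataclasses import dataclass

# Well-known NetBIOS suffix bytes (the 16th byte of a name).
SUFFIX = {0x00: "workstation/domain", 0x1B: "domain master browser", 0x1C: "domain controllers",
          0x1D: "master browser", 0x1E: "browser elections", 0x20: "file server"}
NBSTAT_TYPE = 0x0021  # RR type of a node status query/response
GROUP_FLAG = 0x8000   # bit 15 of a name entry's flags: group name (otherwise unique)


@dataclass
class NbName:
    name: str
    suffix: int
    group: bool


def first_level_encode(raw16: bytes) -> str:
    """Split each byte into two nibbles and map each nibble to a letter 'A'..'P'."""
    return "".join(chr((b >> 4) + 0x41) + chr((b & 0x0F) + 0x41) for b in raw16)


def first_level_decode(encoded: str) -> bytes:
    pairs = zip(encoded[0::2], encoded[1::2])
    return bytes(((ord(a) - 0x41) << 4) | (ord(b) - 0x41) for a, b in pairs)


def encode_netbios_name(name: str, suffix: int, pad: bytes = b" ") -> str:
    """Pad the name to 15 bytes, append the suffix byte, first-level encode to 32 characters."""
    raw = name.upper().encode("ascii")[:15].ljust(15, pad) + bytes([suffix])
    return first_level_encode(raw)


def build_node_status_query(txid: int) -> bytes:
    """The datagram nbtscan sends to UDP/137: a NBSTAT query for the wildcard name '*'."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    qname = b"\x20" + encode_netbios_name("*", 0x00, pad=b"\x00").encode() + b"\x00"
    return header + qname + struct.pack(">HH", NBSTAT_TYPE, 0x0001)


def build_node_status_response(txid: int, names, mac: bytes) -> bytes:
    """Constructed response in the shape a Windows host returns (used as sample input here)."""
    header = struct.pack(">HHHHHH", txid, 0x8400, 0, 1, 0, 0)
    rname = b"\x20" + encode_netbios_name("*", 0x00, pad=b"\x00").encode() + b"\x00"
    entries = b"".join(
        n.name.encode("ascii").ljust(15, b" ") + bytes([n.suffix])
        + struct.pack(">H", GROUP_FLAG if n.group else 0x0000) for n in names)
    rdata = bytes([len(names)]) + entries + mac + bytes(40)  # 40 zero bytes of statistics
    return header + rname + struct.pack(">HHIH", NBSTAT_TYPE, 0x0001, 0, len(rdata)) + rdata


def parse_node_status_response(data: bytes):
    """Return (list of NbName, MAC string) from a node status response datagram."""
    _txid, flags, _qd, an, _ns, _ar = struct.unpack_from(">HHHHHH", data, 0)
    if not flags & 0x8000 or an != 1:
        raise ValueError("not a node status response")
    off = 12
    off += 1 + data[off] + 1  # length byte, encoded name, terminating zero
    rr_type, _cls, _ttl, _rdlen = struct.unpack_from(">HHIH", data, off)
    off += 10
    if rr_type != NBSTAT_TYPE:
        raise ValueError("unexpected RR type %#x" % rr_type)
    count = data[off]
    off += 1
    names = []
    for _ in range(count):  # each entry: 15-byte name, suffix byte, 2-byte flags
        raw, suffix, nflags = struct.unpack_from(">15sBH", data, off)
        off += 18
        names.append(NbName(raw.rstrip(b" ").decode("ascii", "replace"), suffix, bool(nflags & GROUP_FLAG)))
    mac = ":".join("%02X" % b for b in data[off:off + 6])
    return names, mac


def summarize(names):
    """Reduce the name table to what nbtscan prints: host name, domain/workgroup, roles."""
    return {"host": next((n.name for n in names if n.suffix == 0x00 and not n.group), None),
            "domain": next((n.name for n in names if n.suffix == 0x00 and n.group), None),
            "file_server": any(n.suffix == 0x20 and not n.group for n in names),
            "domain_controller": any(n.suffix == 0x1C and n.group for n in names)}


# Constructed sample: a domain controller named DC1 in the NetBIOS domain EVILCORP (assumed).
SAMPLE_NAMES = [NbName("DC1", 0x00, False), NbName("EVILCORP", 0x00, True), NbName("DC1", 0x20, False),
                NbName("EVILCORP", 0x1C, True), NbName("EVILCORP", 0x1B, False)]
SAMPLE_RESPONSE = build_node_status_response(0x1234, SAMPLE_NAMES, bytes.fromhex("001122334455"))

if __name__ == "__main__":
    found, mac = parse_node_status_response(SAMPLE_RESPONSE)
    for n in found:
        print("%-15s <%02X> %-6s %s" % (n.name, n.suffix, "GROUP" if n.group else "UNIQUE", SUFFIX.get(n.suffix, "?")))
    print("MAC", mac, summarize(found))
```

The `CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA` name that `build_node_status_query` produces is the same 32-letter string Wireshark shows in the NBSTAT query: `*` is 0x2A, whose nibbles 2 and A become `C` and `K`, and the fifteen NUL padding bytes become thirty `A`s.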

3389/tcp, RDP

TCP port 3389 is RDP (Remote Desktop Protocol), the remote desktop service. We will connect to this port at the end of the course when we do hardening.

80/tcp, HTTP

Port 80 is typically used for HTTP service. In this case, nmap has identified an IIS (Internet Information Services) web server, which is Microsoft's HTTP server.

Exercises

Do an nmap scan as described. What is the version of IIS on the IIS-server (10.0.0.3)?

Lab

Evilcorp - Scenario 1

This is a scenario, please do not unnecessarily close it within the same course area (Scenario 1) so that you do not lose your progress. Please add time if necessary. It may take a few minutes for the scenario to start, please wait patiently.
