NMAP
nmap -sn 10.0.0.0/24
nmap -A -oA nmap <target>
nmap -v -sT -p- <target>
nmap -sV -sC -v -A -p- <target>
nmap -sT -sV -A -O -v -p 1-65535 <target>
nmap -sV -sC -v -oA output <target>
nmap -p- -v <target>
SMB
Port 139 and 445 - SMB/Samba shares. Samba is a service that lets a host share files with other machines. The smbclient tool works much like a command-line FTP client, and a share may be browsable without any credentials at all (a null session).
smbclient --list <target>
smbclient -L <target>
nmap --script=smb-check-vulns.nse -p445 <target>   (smb-check-vulns.nse was removed from newer Nmap releases; use the smb-vuln-* scripts instead)
nmap -p 139,445 192.168.1.1/24 --script smb-enum-shares.nse,smb-os-discovery.nse
root@kali:~# smbclient -L <target> -U username -p 445
smbclient //<target>/ShareName
smbclient //<target>/ShareName -U john
enum4linux -a 192.168.1.120
nmblookup -A 192.168.1.102
smbclient -L <server_name> -I 192.168.1.105
rpcclient -U james 10.10.10.52
rpcclient -U "" 192.168.1.105
(press Enter if it asks for a password: an empty username and password is a null session)
rpcclient
nmap --script "vuln" -p139,445 <target>
SMTP
nc <target> 25
VRFY root          (typed into the open session; the server reply tells whether the user exists)
nmap --script smtp-commands.nse -p 25 <target>
Port 111 - RPC
rpcbind is the portmapper daemon on port 111; querying it reveals the other RPC services on the host, so it can point you to NFS shares. Look out for nfs in the output. Obtain the list of services registered with RPC:
rpcinfo -p x.x.x.x
locate rpc.nse
nmap --script rpcinfo.nse -p 111 <target>
NFS
locate nfs.nse
nmap --script nfs-showmount.nse <target>
mkdir /tmp/nfs
/sbin/mount.nfs <target>:/home/box /tmp/nfs