How to get on the Box
```bash
sudo nmap -p- --min-rate 10000 -T5 -sS -oA nmap/allports -v $IP
```
This runs nmap on all ports with a very high packet rate (only recommended for training boxes), in very aggressive timing mode (`-T5` waits 0.3 seconds, `-T0` waits 5 minutes, `-T3` is the default), as a TCP SYN scan (`-sS` SYN scan, `-sT` the default normal connection), adds verbose output (`-v`) and writes the result in all formats (`-oA`) to `nmap/allports`.
```bash
sudo nmap -sC -sV -oA nmap/$BOXNAME -p $OPEN,$PORTS -v $IP
```
This runs nmap on the open ports found before (e.g. `22,80`) with `-sC` (run the default NSE scripts), `-sV` (enumerate service versions), adds verbose output (`-v`) and writes the result in all formats (`-oA`) to `nmap/$BOXNAME`.
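To carry the open ports from the first scan into the second one, here is an added Python helper (not from the original page) that parses the greppable `nmap/allports.gnmap` file written by `-oA` and builds the port list; the scan output embedded below is a constructed sample, not real results.

```python
# Constructed sample of the greppable (.gnmap) output nmap writes with -oA.
# Port entries have the form port/state/proto/owner/service/rpcinfo/version/
SAMPLE_GNMAP = """\
# Nmap scan initiated as: nmap -p- --min-rate 10000 -T5 -sS -oA nmap/allports -v 10.10.10.5
Host: 10.10.10.5 ()\tStatus: Up
Host: 10.10.10.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 111/open/tcp//rpcbind///, 139/filtered/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (65530)
# Nmap done -- 1 IP address (1 host up) scanned in 12.34 seconds
"""


def open_ports(gnmap_text):
    """Return a sorted list of (port, proto, service) for entries in state 'open'."""
    found = []
    for line in gnmap_text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        # The Ports: field ends at the next tab-separated field (e.g. "Ignored State:")
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")
            if len(fields) < 5:
                continue  # malformed entry, skip rather than crash
            port, state, proto, service = fields[0], fields[1], fields[2], fields[4]
            if state == "open":
                found.append((int(port), proto, service))
    return sorted(found)


def ports_arg(gnmap_text):
    """Comma-separated value for the follow-up 'nmap -sC -sV -p ...' scan."""
    return ",".join(str(p) for p, _, _ in open_ports(gnmap_text))


def follow_up(gnmap_text):
    """Which of this page's service-specific steps apply, based on open ports."""
    ports = {p for p, _, _ in open_ports(gnmap_text)}
    steps = []
    if ports & {139, 445}:
        steps.append("smb")   # enum4linux / smb-enum-* scripts / smbclient
    if 111 in ports:
        steps.append("nfs")   # showmount / nfs-* scripts (rpcbind present)
    return steps


if __name__ == "__main__":
    print("PORTS=" + ports_arg(SAMPLE_GNMAP))      # PORTS=22,80,111,445
    print("next: " + ", ".join(follow_up(SAMPLE_GNMAP)))
```

The filtered 139 entry is deliberately excluded, so the second scan only revisits ports the first one confirmed open.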
If SMB was found (139,445), an `enum4linux -a $IP` scan could reveal more information.
Enumerate SMB shares with nmap:
```bash
nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse $IP
```
List shares:
```bash
smbclient -U Anonymous -L $IP
```
Access a share without mounting it:
```bash
smbclient //$IP/share -U Anonymous
```
For NFS this is the way to go. Easy way to show all exports of a host:
```bash
showmount -e $IP
```
Enumerate NFS shares with nmap:
```bash
# rpcbind port required
nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount $IP
```
Mount an export locally:
```bash
mkdir dir
sudo mount -t nfs -o nolock $IP:/share ./dir
```
Check if the victim can reach the attacker (start the listener first):
```bash
# attacker
sudo tcpdump ip proto \\icmp -i tun0
# victim
ping $IP -c 1
```