
privilege escalation

Run a port scan:

nmap -p80 <host>

Scanning for port 80, while not a guarantee, does help to find the hosts on the target network that are running Web servers. Besides the public Web server, there may be staging, development, backup, or internal Web servers that are insecure or expose private information. Moreover, port 80 is likely to be open on the firewall because Web traffic generally passes over this port.

Nmap returns the IP address (X.X.X.03) of the target, potentially allowing you to scan the related class C address space (X.X.X.x). First, however, you must verify the network class associated with the IP address; a popular method is to consult the whois service for the domain:


If you’re unable to identify the class of the network (as was the case here), the entire class C will have to be scanned:

nmap -v -p 80 X.X.X.1-254

nmap -v -p 53 -sU X.X.X.1-254

nmap -v -p 53 -sT X.X.X.1-254

nmap -v -p 25 X.X.X.1-254

nmap -v -p 110 X.X.X.1-254

nmap -v -p 143 X.X.X.1-254

nmap -v -p 139 X.X.X.1-254

nmap -v -p 445 X.X.X.1-254

nmap -v -p 3389 X.X.X.1-254

nmap -v -p 6000 X.X.X.1-254

You don’t specify the protocol in the scan against port 80 (the Hyper-Text Transfer Protocol, or HTTP) because Nmap defaults to TCP (Transmission Control Protocol), and there is little reason to scan this port over UDP (User Datagram Protocol). In the subsequent scans against port 53 (the DNS port), both UDP and TCP are specified. Over this port, zone information is exchanged; in other words, the host name-to-IP address mappings for a zone are exchanged between DNS servers and routers. Although DNS traffic is primarily UDP, it switches to TCP when a message is larger than 512 bytes.

If DNS traffic is allowed through the firewall, a zone transfer might be possible. It will succeed if the DNS server allows transfers of its zones to unauthorized hosts; however, many DNS servers now block zone transfers except to specifically authorized IP addresses.

Also check ports 25 (SMTP), 110 (POP3), and 143 (IMAP) to identify the presence of e-mail servers.

The checks for ports 139, 445, and 6000 are an effort to identify the operating system of the target. Ports 139 and 445 are typical Windows ports (for NT and 2000/XP, respectively), and port 6000 is a typical UNIX port (the X11 service). Identifying the target’s operating system is a large step in the direction of compromising the target because potential avenues of attack and known vulnerabilities can be explored.
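The sweeps above (one port across a whole /24, then several ports against a single host) leave a distinctive footprint in firewall logs, and the defender's counterpart to this section is recognising it. The following is an added example, not part of the original notes: a small Python detector that parses netfilter-style LOG lines and reports a source that touches the same port on many hosts (a horizontal sweep) or many ports on one host (a vertical scan) within a time window. The log lines, addresses and thresholds are constructed for the example.

```python
"""Spot single-port sweeps and per-host port scans in firewall logs.

The iptables-style log lines below are constructed for this example; the
addresses, hostnames and timestamps are not from any real network.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Fields we need from a netfilter LOG line: timestamp, SRC, DST, PROTO, DPT.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=(?P<proto>\w+) "
    r"(?:SPT=\d+ )?DPT=(?P<dpt>\d+)"
)


def _line(sec, src, dst, proto, dpt):
    """Build one constructed log line at 12:00:<sec> on Mar 10."""
    return (f"Mar 10 12:00:{sec:02d} fw kernel: IN=eth0 OUT= SRC={src} DST={dst} "
            f"PROTO={proto} SPT=40000 DPT={dpt} SYN")


SAMPLE_LOG = (
    # one source hitting TCP/80 on twelve different hosts of a /24 (a sweep)
    [_line(i, "203.0.113.7", f"192.0.2.{i + 1}", "TCP", 80) for i in range(12)]
    # the same source probing UDP/53 on only five hosts: below the threshold
    + [_line(20 + i, "203.0.113.7", f"192.0.2.{i + 1}", "UDP", 53) for i in range(5)]
    # a second source trying ten service ports on a single host (a port scan)
    + [_line(30 + i, "203.0.113.9", "192.0.2.10", "TCP", p)
       for i, p in enumerate([21, 22, 25, 80, 110, 139, 143, 445, 3389, 6000])]
    # a client repeating one HTTPS connection: normal traffic
    + [_line(40, "198.51.100.20", "192.0.2.10", "TCP", 443)] * 3
    # an unrelated line that the parser must ignore
    + ["Mar 10 12:00:45 fw sshd[1234]: Accepted publickey for admin from 198.51.100.20"]
)


def parse_line(line):
    """Return a dict for a netfilter LOG line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),
        "src": m["src"], "dst": m["dst"],
        "proto": m["proto"], "dpt": int(m["dpt"]),
    }


def _max_distinct_in_window(hits, window_s):
    """Largest number of distinct values seen within any window_s-second span.

    hits is a list of (timestamp, value) pairs; a sliding window over the
    sorted list keeps the count exact even when probes are spread out.
    """
    hits = sorted(hits)
    counts, best, lo = Counter(), 0, 0
    for ts, val in hits:
        counts[val] += 1
        while (ts - hits[lo][0]).total_seconds() > window_s:
            old = hits[lo][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            lo += 1
        best = max(best, len(counts))
    return best


def detect_scans(lines, window_s=60, min_hosts=8, min_ports=8):
    """Return (kind, source, target, count) findings.

    kind is "sweep" when one source probes the same port on >= min_hosts
    hosts, or "portscan" when it probes >= min_ports ports on one host.
    """
    horizontal = defaultdict(list)   # (src, proto, dpt) -> [(ts, dst)]
    vertical = defaultdict(list)     # (src, dst) -> [(ts, dpt)]
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        horizontal[(e["src"], e["proto"], e["dpt"])].append((e["ts"], e["dst"]))
        vertical[(e["src"], e["dst"])].append((e["ts"], e["dpt"]))
    findings = []
    for (src, proto, dpt), hits in horizontal.items():
        n = _max_distinct_in_window(hits, window_s)
        if n >= min_hosts:
            findings.append(("sweep", src, f"{proto}/{dpt}", n))
    for (src, dst), hits in vertical.items():
        n = _max_distinct_in_window(hits, window_s)
        if n >= min_ports:
            findings.append(("portscan", src, dst, n))
    return findings


if __name__ == "__main__":
    for finding in detect_scans(SAMPLE_LOG):
        print(*finding)
```

Run as-is it reports the TCP/80 sweep from 203.0.113.7 across twelve hosts and the ten-port scan of 192.0.2.10 from 203.0.113.9, while the five-host UDP/53 probe and the repeated HTTPS connection stay below the thresholds. The sliding window matters because a slow scan (the kind produced by Nmap timing options) can stay under a per-minute threshold; widen window_s to catch it.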

To identify the operating system you can also run an nmap OS detection scan:

nmap -O -v -oN versiondetect.txt X.X.X.1-254

Once you have identified port 25 (SMTP) as being open, attempt to identify the version of the application by making a Telnet connection to the port:

telnet target_IP_address 25

You can also run netcat to grab the application/service banner:

nc <host> 25

The banner presented during the connection process will generally reveal all the information necessary. There are many applications for capturing application banners, including the freeware tools netcat, MingSweeper and Fport for Windows, BannerGrab and various banner grabbers at

5.3 Auditing Remote Desktop Passwords with NMAP and Ncrack

The Remote Desktop Protocol (RDP) is a possible way to break into a system during a penetration test.

Use Nmap to scan the target network again to check which hosts are up and running, and write only the IP addresses extracted from the results to the specified output file:

nmap -sP X.X.X.1-254 | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' >> hosts_list.txt
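The grep pattern above accepts any dotted quad, so it also captures addresses with octets above 255, hosts that a verbose run reports as down, and the same address again every time the output is appended with `>>`. As an added example (not part of the original notes), here is a Python parser for the "Nmap scan report for" lines that keeps only hosts reported up, validates each address and deduplicates across runs; the sample output is constructed to show two appended runs, the second with -v.

```python
"""Build a clean live-host list from `nmap -sP` / `nmap -sn` output.

SAMPLE_OUTPUT below is constructed for this example (two runs appended
to the same file, the second with -v); it is not real scan output.
"""
import ipaddress
import re

# Same shape as the grep pattern: any dotted quad, valid or not, up or down.
CANDIDATE_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# A host line looks like one of:
#   Nmap scan report for 192.0.2.1
#   Nmap scan report for gw.example.test (192.0.2.5)
#   Nmap scan report for 192.0.2.200 [host down]        (only with -v)
REPORT_RE = re.compile(
    r"^Nmap scan report for (?:\S+ \()?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)?"
    r"(?P<down> \[host down\])?$"
)

SAMPLE_OUTPUT = """\
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-01 12:00 UTC
Nmap scan report for 192.0.2.1
Host is up (0.0010s latency).
Nmap scan report for gw.example.test (192.0.2.5)
Host is up (0.0020s latency).
Nmap scan report for 192.0.2.12
Host is up (0.0030s latency).
Nmap done: 254 IP addresses (3 hosts up) scanned in 2.51 seconds
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-01 12:05 UTC
Nmap scan report for 192.0.2.1
Host is up (0.0010s latency).
Nmap scan report for gw.example.test (192.0.2.5)
Host is up (0.0020s latency).
Nmap scan report for 192.0.2.12
Host is up (0.0030s latency).
Nmap scan report for 192.0.2.200 [host down]
Nmap done: 254 IP addresses (3 hosts up) scanned in 2.60 seconds
"""


def naive_extract(text):
    """What the grep one-liner yields: every dotted quad, in order, with repeats."""
    return CANDIDATE_RE.findall(text)


def extract_live_hosts(text):
    """Return unique, valid, numerically sorted addresses of hosts reported up."""
    live = set()
    for line in text.splitlines():
        m = REPORT_RE.match(line)
        if not m or m["down"]:
            continue
        try:
            live.add(ipaddress.ip_address(m["ip"]))
        except ValueError:          # an octet above 255 cannot be a host
            continue
    return [str(ip) for ip in sorted(live)]


if __name__ == "__main__":
    print("grep-style:", naive_extract(SAMPLE_OUTPUT))
    print("for -iL:")
    print("\n".join(extract_live_hosts(SAMPLE_OUTPUT)))
```

Writing the returned list to hosts_list.txt, one address per line, gives a file that -iL accepts without duplicate or dead entries; sorting with ipaddress rather than as strings keeps 192.0.2.5 before 192.0.2.12.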

Run an Nmap fast scan on the active hosts, using the host list generated by the previous command as the target:

nmap -F -iL hosts_list.txt

We can also run additional scans as cross-checks to search for open RDP ports on the network and on active servers:

nmap -p 3389 X.X.X.1-254

nmap -v -iL hosts_list.txt -p 3389

Once we have found Microsoft Terminal Services (ms-term-serv) running, we need to compile a list of valid usernames whose passwords will be brute-forced in the following steps.

We can use username wordlists, such as those that can be downloaded from these sites:







or we can use social engineering, for example looking up the names of IT staff on LinkedIn or Facebook and guessing usernames from the company’s naming convention or its e-mail addresses; or, again, we can use Nmap to identify an SMB server on the target network:

nmap -v -p445 X.X.X.1-254

nmap -v -sU -sS -p U:137,T:139 X.X.X.1-254

nmap -sS -O X.X.X.1-254 -p 139,445

then identify SMB server information by using the smb-os-discovery.nse NSE script:

nmap --script smb-os-discovery.nse -p445 X.X.X.1-254

nmap -sU -sS --script smb-os-discovery.nse -p U:137,T:139 X.X.X.1-254

nmblookup -A <host>

smbclient //servername-dt/share -I <host> -N

and then enumerate Windows users through SMB by using the smb-enum-users.nse NSE script:

nmap --script smb-enum-users.nse -p445 <host>

nmap -sU -sS --script smb-enum-users.nse -p U:137,T:139 <host>

So, in the end, let’s assume we have a users.txt text file with content like this:










We also need a wordlist.txt file containing one password per line (as in the users.txt file); password dictionaries and wordlists can be downloaded from the links listed above.

Download the latest Ncrack version for your operating system and install it.

You can install binaries or you can compile it from sources on a Linux OS.

If you want to compile it from sources, download the .tgz file from the above link, create the /usr/local/share/ncrack directory, move the compressed tarball into that directory, decompress it, enter the subdirectory created by the decompression, then configure, compile and install Ncrack:

mkdir /usr/local/share/ncrack

mv ncrack-0.4ALPHA.tar.gz /usr/local/share/ncrack

cd /usr/local/share/ncrack

tar -xzf ncrack-0.4ALPHA.tar.gz

cd ncrack-0.4ALPHA

./configure

make

make install

If you prefer the binary package, install the Debian package instead:

dpkg -i ncrack_0.4ALPHA-1_i386.deb

Run Ncrack against the Terminal Server hosts (one at a time), passing it the users.txt file and the wordlist.txt file (change the target IP address according to your environment):

ncrack -vv -U users.txt -P wordlist.txt <host>:3389,CL=1
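A run like this is visible on the target as a burst of failed logons (Security event 4625) from one source address, usually followed by a success (4624) if a password is found; with Network Level Authentication enabled the failures are logged with logon type 3 rather than 10, which is a common reason detections miss them. As an added example (not part of the original notes), here is a Python detector over constructed JSON-line exports of those events that flags one username being hammered, one password being tried across many accounts, and a success that follows a burst of failures. Event fields, addresses and thresholds are assumptions made for the example.

```python
"""Flag RDP password guessing from Windows Security events 4625/4624.

The events below are constructed JSON lines in the shape a log shipper
produces for the Security log; they are not from a real host.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

BASE = datetime(2020, 1, 1, 12, 0, 0)


def _ev(offset_s, event_id, user, ip, logon_type=10):
    """One constructed event offset_s seconds after BASE."""
    return json.dumps({
        "TimeCreated": (BASE + timedelta(seconds=offset_s)).isoformat(),
        "EventID": event_id, "TargetUserName": user,
        "IpAddress": ip, "LogonType": logon_type,
    })


SAMPLE_EVENTS = "\n".join(
    # one account, one guess every 2 s (what a CL=1 run looks like), then a success
    [_ev(2 * i, 4625, "administrator", "203.0.113.7") for i in range(30)]
    + [_ev(62, 4624, "administrator", "203.0.113.7")]
    # one guess per account across many accounts; NLA reports these as type 3
    + [_ev(100 + 3 * i, 4625, f"user{i:02d}", "203.0.113.9", logon_type=3) for i in range(12)]
    # an admin mistyping twice, then logging in: must not be flagged
    + [_ev(200, 4625, "jdoe", "198.51.100.20"), _ev(210, 4625, "jdoe", "198.51.100.20"),
       _ev(220, 4624, "jdoe", "198.51.100.20")]
    # a service logon failure (type 5) that is not RDP at all: ignored
    + [_ev(230, 4625, "svc-backup", "198.51.100.30", logon_type=5)]
)


def _parse(jsonl):
    """Keep 4624/4625 events with RemoteInteractive (10) or NLA network (3) logon type."""
    rows = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        if e["EventID"] in (4624, 4625) and e["LogonType"] in (10, 3):
            rows.append((datetime.fromisoformat(e["TimeCreated"]), e["EventID"],
                         e["TargetUserName"], e["IpAddress"]))
    rows.sort()
    return rows


def detect_rdp_guessing(jsonl, window_s=300, fail_threshold=10, user_threshold=5):
    """Return a list of finding dicts, one per threshold crossing per source IP."""
    by_ip = defaultdict(list)
    for ts, eid, user, ip in _parse(jsonl):
        by_ip[ip].append((ts, eid, user))
    findings = []
    for ip, events in by_ip.items():
        window = []  # failures (ts, user) no older than window_s relative to the current event
        for ts, eid, user in events:
            while window and (ts - window[0][0]).total_seconds() > window_s:
                window.pop(0)
            if eid == 4625:
                window.append((ts, user))
                n_fail, n_users = len(window), len({u for _, u in window})
                if n_fail == fail_threshold:      # fires as the count crosses the threshold
                    findings.append({"type": "bruteforce", "ip": ip,
                                     "failures": n_fail, "users": n_users})
                if n_users == user_threshold:     # many accounts, few tries each: spraying
                    findings.append({"type": "spray", "ip": ip,
                                     "failures": n_fail, "users": n_users})
            elif len(window) >= fail_threshold:   # 4624 right after a burst: a guessed password
                findings.append({"type": "success_after_failures", "ip": ip,
                                 "user": user, "failures": len(window)})
    return findings


if __name__ == "__main__":
    for f in detect_rdp_guessing(SAMPLE_EVENTS):
        print(f)
```

On the sample data 203.0.113.7 produces a bruteforce finding at the tenth failure and a success_after_failures finding for the administrator logon at 62 s; 203.0.113.9 produces a spray finding at the fifth distinct account (and a bruteforce one at the tenth failure); the two mistyped passwords from 198.51.100.20 produce nothing. In practice the type-3 filter should be narrowed with whatever the event source offers (for example the logon process or the destination port), since non-RDP network logons share that type.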