The ls command is missing, which is a basic utility in Unix-like systems.
The nautilus command is also not found, and attempting to install it resulted in further issues.
Shell Problem:
When attempting to switch to csh (C shell), the command is also unavailable.
This indicates that the shell environment is not properly configured or essential packages are missing.
General Package/System Issues:
The server might be in a minimal installation state or lack critical tools and utilities.
It’s possible that the PATH environment variable is misconfigured, leading to the inability to locate standard system commands.
Dependency or Corruption:
If the server was recently updated or reconfigured, there may have been issues with the package manager or repository settings, leading to missing binaries.
Solution
Check PATH:
Run echo $PATH to verify that the command search path is set correctly.
Typically, it should include paths like /bin, /usr/bin, /sbin, /usr/sbin.
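A quick way to do the PATH check programmatically, as an added example rather than part of the original note: it reports which of the standard directories are absent from a given PATH value and which basic utilities cannot be resolved through it. The directory list and the command names are the ones mentioned above; on a machine where even ls is missing, invoke the interpreter by its absolute path (for example /usr/bin/python3) since PATH resolution is exactly what is suspect.

```python
import os
import shutil

# Directories a standard Linux PATH is expected to contain (from the note above).
REQUIRED_DIRS = ("/bin", "/usr/bin", "/sbin", "/usr/sbin")
# Basic utilities whose absence points at a broken PATH or a stripped installation.
BASIC_COMMANDS = ("ls", "cat", "mount", "passwd")


def missing_path_dirs(path_value: str, required=REQUIRED_DIRS) -> list:
    """Return the required directories that do not appear in the given PATH string."""
    entries = [os.path.normpath(p) for p in path_value.split(os.pathsep) if p]
    return [d for d in required if d not in entries]


def unresolvable_commands(path_value: str, commands=BASIC_COMMANDS) -> list:
    """Return the commands that cannot be located using only the given PATH string."""
    return [c for c in commands if shutil.which(c, path=path_value) is None]


def audit_path(path_value: str) -> dict:
    """Combine both checks into one report for the given PATH value."""
    return {
        "missing_dirs": missing_path_dirs(path_value),
        "unresolvable": unresolvable_commands(path_value),
    }


if __name__ == "__main__":
    report = audit_path(os.environ.get("PATH", ""))
    for key, items in report.items():
        print(f"{key}: {', '.join(items) if items else 'none'}")
```

If the directories are present but the commands still do not resolve, PATH is not the problem and the binaries themselves are missing, which points at the package-manager or corruption scenario above.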
Prerequisites:
You have physical access to the machine, or access to the virtual console if using a virtual server.
The system is running Ubuntu or a similar Linux distribution.
Step 1: Reboot the System and Access GRUB
Restart your machine and hold down the Shift key as it boots up. This will bring up the GRUB bootloader menu. If GRUB doesn’t appear, it may be hidden by default, so make sure to press the Shift key early during the boot sequence.
Step 2: Enter Recovery Mode
In the GRUB menu, use the arrow keys to highlight the Ubuntu boot option.
Press e to edit the selected boot entry.
Find the line that begins with linux and ends with ro quiet splash, and append the following to the end of that line:
rw init=/bin/bash
This modification will boot the system with read/write permissions and open a Bash shell.
Step 3: Boot into Root Shell
After editing the GRUB entry, press Ctrl + X or F10 to boot with the modified settings. This will boot into a root shell without asking for a password.
Step 4: Reset the Admin Password
At the root prompt, type the following command to reset the admin password (replace username with your actual admin username):
passwd username
You will be prompted to enter a new password. Type the new password and confirm it when asked.
Important Note: Ensure the password meets the system’s complexity requirements (e.g., minimum length, special characters).
Step 5: Remount the Filesystem as Read-Only
Before rebooting the system, remount the filesystem as read-only to avoid filesystem corruption. Run the following command:
mount -o remount,ro /
Step 6: Reboot the System
Now reboot the system by typing:
reboot
Your system will restart, and you should now be able to log in with the newly reset admin password. If the reboot command does not work, you can simply reset the system.
Enumeration is the process of extracting usernames, machine names, network resources, shares, and services from a system or network. In the enumeration phase, an attacker creates active connections with the system and sends directed queries to gain more information about the target.
Target Information
Network resources
Network shares
Routing tables
Audit and service settings
SNMP and FQDN
Machine Names
Users and Groups
Applications and banners
Techniques for Enumeration
Extract usernames using email IDs
Extract information using default passwords
Brute force active directory
Extract information using DNS Zone transfer
Extract user groups
Extract usernames from SNMP
Services and Ports to Enumerate
DNS Zone Transfer: TCP/UDP 53
MS RPC Endpoint Mapper: TCP/UDP 135
NetBIOS Name Service: UDP 137
NetBIOS Session Service: TCP 139
SMB over TCP: TCP 445
NFS: TCP 2049
LDAP: TCP/UDP 389
SNMP: UDP 161
SMTP: TCP 25
SNMP Trap: TCP/UDP 162
IKE (Internet Key Exchange): UDP 500
SSH: TCP 22
SIP (Session Initiation Protocol): TCP/UDP 5060
RPC port mapper service: TCP/UDP 111
FTP: TCP 21
Telnet: TCP 23
TFTP: UDP 69
Border Gateway Protocol: TCP 179
Printer: TCP 9100
NetBIOS Enumeration : UDP 137, UDP 138, TCP 139
Attackers use NetBIOS enumeration to obtain the following:
The list of computers that belong to a domain
The list of shares on the individual hosts in a network
Policies and passwords
nbtstat Utility
nbtstat -a <ip address>
nbtstat -c
Tools
NetBIOS Enumerator – NetBIOS names, usernames, domain names and MAC addresses
Nmap – nmap -sV -v --script nbstat.nse <target ip> – NetBIOS name and MAC address
Others: Global Network Inventory, Advanced IP Scanner, Hyena, Nsauditor Network Security Auditor
Enumerating User Account
Enumerating user accounts with the PsTools suite, which helps control and manage remote systems from the command line
Enumerating Shared Resources
Net View lists all the shared resources of a remote host or workgroup
net view \\<computername>
net view /domain:<domain name>
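What the nbtstat -a query above looks like on the wire, and how a monitor on UDP 137 can recognise it, as an added example (not code from the notes or from any tool listed): the NetBIOS first-level name encoding from RFC 1001 is implemented in both directions, the header and question of an NBNS datagram are parsed, and a node-status request for the wildcard name "*" is flagged. The two sample datagrams are constructed in the block (the host name FILESRV and the transaction id are made up); nothing is sent.

```python
import struct

# NBNS question types (RFC 1002): NB = name query, NBSTAT = node status request.
QTYPE_NB, QTYPE_NBSTAT = 0x0020, 0x0021


def encode_netbios_name(name: str, suffix: int = 0x00, pad: bytes = b" ") -> bytes:
    """First-level encoding (RFC 1001 section 14.1): 16 raw bytes -> 32 half-ASCII chars A..P."""
    raw = name.upper().encode("ascii")[:15].ljust(15, pad) + bytes([suffix])
    out = bytearray()
    for b in raw:
        out.append(0x41 + (b >> 4))      # high nibble + 'A'
        out.append(0x41 + (b & 0x0F))    # low nibble + 'A'
    return bytes(out)


def decode_netbios_name(encoded: bytes):
    """Inverse of encode_netbios_name; returns (name, suffix byte)."""
    if len(encoded) != 32:
        raise ValueError("encoded NetBIOS name must be 32 bytes")
    raw = bytearray()
    for i in range(0, 32, 2):
        hi, lo = encoded[i] - 0x41, encoded[i + 1] - 0x41
        if not (0 <= hi <= 15 and 0 <= lo <= 15):
            raise ValueError("byte outside the A..P half-ASCII alphabet")
        raw.append((hi << 4) | lo)
    # The wildcard name is padded with NULs, ordinary names with spaces; strip both.
    return bytes(raw[:15]).rstrip(b" \x00").decode("ascii"), raw[15]


def parse_nbns_query(datagram: bytes) -> dict:
    """Parse the 12-byte header and the single question of an NBNS query datagram (UDP 137)."""
    if len(datagram) < 50:
        raise ValueError("too short for an NBNS question")
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", datagram[:12])
    if flags & 0x8000:
        raise ValueError("response, not a query")
    # Question: length byte 0x20, 32 encoded bytes, 0x00 terminator, QTYPE, QCLASS.
    if qdcount != 1 or datagram[12] != 0x20 or datagram[45] != 0x00:
        raise ValueError("unexpected question layout")
    name, suffix = decode_netbios_name(datagram[13:45])
    qtype, qclass = struct.unpack("!HH", datagram[46:50])
    return {"txid": txid, "name": name, "suffix": suffix, "qtype": qtype, "qclass": qclass}


def is_node_status_request(datagram: bytes) -> bool:
    """True for the wildcard node-status request that nbtstat -a <ip> sends."""
    try:
        q = parse_nbns_query(datagram)
    except ValueError:
        return False
    return q["qtype"] == QTYPE_NBSTAT and q["name"] == "*"


def build_nbns_query(name: str, qtype: int, txid: int = 0x1234,
                     suffix: int = 0x00, pad: bytes = b" ") -> bytes:
    """Constructed sample datagram for testing: header with one question, nothing else."""
    header = struct.pack("!6H", txid, 0x0000, 1, 0, 0, 0)
    question = b"\x20" + encode_netbios_name(name, suffix, pad) + b"\x00" + struct.pack("!HH", qtype, 0x0001)
    return header + question


# Constructed samples: a node-status sweep query and an ordinary workstation name lookup.
SWEEP = build_nbns_query("*", QTYPE_NBSTAT, pad=b"\x00")
LOOKUP = build_nbns_query("FILESRV", QTYPE_NB, suffix=0x20)
```

A stream of node-status requests for "*" from one source against many hosts is the signature of the sweep described above; the wildcard name encodes to the fixed string CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA, which is why it is easy to match in a packet capture.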
SNMP Enumeration : UDP 161
SNMP consists of a manager and an agent. An agent is embedded on every managed network device; the manager is installed on a separate computer.
SNMP holds two passwords (community strings) used to access and configure the SNMP agent from the management station:
Read community string: public
Read/Write community string: private
Attackers use these default community strings to extract information.
They can extract information about network resources, hosts, routers, devices and shares, and network information such as ARP tables, routing tables and traffic.
Communication process between manager and agent
Management Information Base (MIB) info that can be retrieved
DHCP.MIB: Monitors network traffic between DHCP servers and remote hosts
HOSTMIB.MIB: Monitors and manages host resources
LNMIB2.MIB: Contains object types for workstation and server services
MIB_II.MIB: Manages TCP/IP-based Internet using a simple architecture and system
WINS.MIB: For the Windows Internet Name Service (WINS)
Manager X uses GetRequest to send a request for an active session
Agent Y receives the message and verifies that the community string is present in its MIB, checks the request against its list of access permissions and verifies the source IP
If the agent does not find the community string or access permission in Y's MIB database, it sends an authentication failure trap to trap destination Z
In Y, the master agent component of the SNMP agent calls the appropriate extension agent to retrieve the requested session information from the MIB
In Y, using the information retrieved from the extension agent, the SNMP service forms a return message that contains the requested information and the destination IP of SNMP manager X
Y sends the response to X
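What steps 1 to 3 of that exchange look like on the wire, as an added example that is not code from the notes or from any SNMP tool: a minimal BER encoder builds manager X's SNMPv1 GetRequest, a matching parser extracts the version, community string and PDU type, agent Y's community check from step 2 is replayed against an allow-list, and a passive check flags datagrams that still carry the vendor-default community strings. The OID 1.3.6.1.2.1.1.1.0 (sysDescr.0) is standard MIB-II; the request id and the community s3cr3t-ro are constructed values.

```python
# BER tags used by SNMPv1/v2c messages (RFC 1157 / RFC 3416).
TAG_INTEGER, TAG_OCTET_STRING, TAG_NULL, TAG_OID, TAG_SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
TAG_GET_REQUEST = 0xA0
# The vendor defaults the notes describe; an agent still accepting them is a finding.
DEFAULT_COMMUNITIES = {b"public", b"private"}


def _ber_len(n: int) -> bytes:
    """Definite-length encoding: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(body)) + body


def _ber_int(value: int) -> bytes:
    """Shortest two's-complement encoding of a non-negative INTEGER."""
    body = value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big", signed=True)
    return _tlv(TAG_INTEGER, body)


def _ber_oid(oid: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128."""
    parts = [int(p) for p in oid.strip(".").split(".")]
    body = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.insert(0, 0x80 | (p & 0x7F))
            p >>= 7
        body.extend(chunk)
    return _tlv(TAG_OID, bytes(body))


def build_get_request(community: bytes, oid: str, request_id: int = 0x1234) -> bytes:
    """Manager X's GetRequest (step 1): SNMPv1 message wrapping one NULL-valued varbind."""
    varbind = _tlv(TAG_SEQUENCE, _ber_oid(oid) + _tlv(TAG_NULL, b""))
    pdu = _tlv(TAG_GET_REQUEST,
               _ber_int(request_id) + _ber_int(0) + _ber_int(0) + _tlv(TAG_SEQUENCE, varbind))
    return _tlv(TAG_SEQUENCE, _ber_int(0) + _tlv(TAG_OCTET_STRING, community) + pdu)  # version 0 = v1


def _read_tlv(buf: bytes, pos: int):
    """Read one BER element at pos; returns (tag, body, position after the element)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER element")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):
        raise ValueError("BER length exceeds buffer")
    return tag, buf[pos:end], end


def parse_snmp_header(datagram: bytes) -> dict:
    """Version, community string, PDU type and request-id of an SNMPv1/v2c datagram."""
    tag, msg, _ = _read_tlv(datagram, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an SNMP message")
    tag, ver, pos = _read_tlv(msg, 0)
    if tag != TAG_INTEGER:
        raise ValueError("missing version")
    tag, community, pos = _read_tlv(msg, pos)
    if tag != TAG_OCTET_STRING:
        raise ValueError("missing community string")
    pdu_tag, pdu, _ = _read_tlv(msg, pos)
    _, rid, _ = _read_tlv(pdu, 0)
    return {"version": int.from_bytes(ver, "big", signed=True), "community": bytes(community),
            "pdu_tag": pdu_tag, "request_id": int.from_bytes(rid, "big", signed=True)}


def agent_authorize(datagram: bytes, allowed: set) -> str:
    """Agent Y's check (steps 2-3): an unknown community yields the authenticationFailure trap."""
    return "accepted" if parse_snmp_header(datagram)["community"] in allowed else "authenticationFailure"


def uses_default_community(datagram: bytes) -> bool:
    """Passive monitor check: does the datagram still carry a vendor-default community string?"""
    return parse_snmp_header(datagram)["community"] in DEFAULT_COMMUNITIES


# Constructed sample: a GetRequest for sysDescr.0 sent with the default read community.
SAMPLE = build_get_request(b"public", "1.3.6.1.2.1.1.1.0")
```

Because the community string travels as a plain OCTET STRING, any device on the path can read it, which is the reason the defaults are worth checking for in traffic as well as in device configuration; SNMPv3 replaces the community string with authenticated users.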
Tools
SnmpWalk – scan numerous SNMP nodes and identify a set of variables that are available for accessing the target network
NFS Enumeration : TCP 2049
NFS (Network File System) centralizes data on a server that clients mount over the network
Attackers can gather information such as exported directories, the list of connected clients, their IP addresses and the shared data.
showmount -e <Target IP>
Tools
RPCScan – communicates with RPC services and checks misconfigurations of NFS shares – python3 rpc-scan.py <Target IP> --rpc
SuperEnum – script that does basic enumeration of any open port
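The server-side counterpart of showmount -e, as an added example that is not from the notes or from the tools listed: an audit of /etc/exports that reports the misconfigurations the enumeration above would surface, namely shares exported to every client and the options rw, no_root_squash and insecure. The parser follows the exports(5) layout (path followed by client(options) clauses; a path with no client clause is exported to all hosts); the sample file is constructed.

```python
import ipaddress

# Export options that weaken a share, with the reason reported for each (labels chosen here).
RISKY_OPTIONS = {
    "rw": "writable export",
    "no_root_squash": "remote root keeps uid 0 on the export",
    "insecure": "accepts requests from non-privileged source ports",
}


def parse_exports(text: str):
    """Yield (path, client, options) for every client clause in /etc/exports format."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        path, clauses = fields[0], fields[1:]
        if not clauses:
            clauses = ["*"]                        # no client list at all: exported to everyone
        for clause in clauses:
            client, _, opts = clause.partition("(")
            options = [o for o in opts.rstrip(")").split(",") if o]
            yield path, client or "*", options


def is_world_export(client: str) -> bool:
    """True when the client specification matches any host."""
    if client == "*":
        return True
    try:
        return ipaddress.ip_network(client, strict=False).prefixlen == 0   # 0.0.0.0/0, ::/0
    except ValueError:
        return False                               # hostnames and netgroups are not world exports


def audit_exports(text: str) -> list:
    """Return one finding per client clause that is world-exported or carries a risky option."""
    findings = []
    for path, client, options in parse_exports(text):
        reasons = [RISKY_OPTIONS[o] for o in options if o in RISKY_OPTIONS]
        if is_world_export(client):
            reasons.insert(0, "exported to any client")
        if reasons:
            findings.append({"path": path, "client": client, "reasons": reasons})
    return findings


# Constructed sample /etc/exports used as test input.
SAMPLE_EXPORTS = """\
# constructed sample, not a real server
/srv/backup   *(rw,no_root_squash)
/srv/public   192.168.1.0/24(ro)
/srv/data     10.0.0.5(rw,sync) 10.0.0.6(ro)
/srv/scratch
"""

if __name__ == "__main__":
    for finding in audit_exports(SAMPLE_EXPORTS):
        print(f"{finding['path']} -> {finding['client']}: {'; '.join(finding['reasons'])}")
```

Run it against the real file with audit_exports(open("/etc/exports").read()); every finding is something showmount -e or RPCScan would report to an outside party, so the fix is to restrict the client list and drop the options before the share is visible.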
SMTP and DNS Enumeration : TCP 25, TCP/UDP 53
SMTP has 3 built-in commands:
VRFY – validates users
EXPN – shows the actual delivery addresses of aliases and mailing lists
RCPT TO – defines the recipients of a message
SMTP servers respond differently to VRFY, EXPN, and RCPT TO commands for valid and invalid users; based on the responses we can determine valid users on the SMTP server
Attackers can directly interact with SMTP via the telnet prompt and collect a list of valid users on the SMTP server
Metasploit – contains an SMTP enumeration module that allows attackers to connect to the target SMTP server and enumerate usernames using a predefined wordlist
NetScanTools Pro – its email generator tool tests the process of sending an email via the SMTP server
smtp-user-enum – enumerates OS-level user accounts on Solaris via the SMTP service by inspecting responses to the VRFY, EXPN and RCPT TO commands
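The response differences described above, turned into a detection heuristic, as an added example that is not from the notes or from any of the tools listed: a session transcript is paired up command-by-reply, and the session is flagged when VRFY/EXPN receive replies that confirm or deny a user (250/251 or 550/551/553) or when several RCPT TO commands are rejected without a DATA command ever being sent. The two transcripts are constructed; the "C: "/"S: " prefixes are this example's own layout, and a real deployment would feed the same logic from the MTA log.

```python
import re
from collections import Counter

# Reply codes to VRFY/EXPN that confirm or deny a user (RFC 5321). 252 ("cannot VRFY user, but
# will accept message") is the reply a hardened server gives; it leaks nothing and is not listed.
LEAKY_VRFY_CODES = {250, 251, 550, 551, 553}


def parse_transcript(lines):
    """Pair each client command with the final reply code that follows it.
    Lines are prefixed 'C: ' (client) or 'S: ' (server); '250-' continuation lines are skipped."""
    pairs, pending = [], None
    for line in lines:
        side, _, text = line.partition(": ")
        words = text.split()
        if side == "C" and words:
            pending = words[0].upper()
        elif side == "S" and pending is not None:
            m = re.match(r"(\d{3})(?: |$)", text)     # final line of a reply: code followed by a space
            if m:
                pairs.append((pending, int(m.group(1))))
                pending = None
    return pairs


def enumeration_indicators(lines, rcpt_threshold: int = 3) -> dict:
    """Heuristic score for one SMTP session."""
    pairs = parse_transcript(lines)
    counts = Counter(cmd for cmd, _ in pairs)
    leaky = sum(1 for cmd, code in pairs if cmd in ("VRFY", "EXPN") and code in LEAKY_VRFY_CODES)
    rejected_rcpt = sum(1 for cmd, code in pairs if cmd == "RCPT" and 500 <= code < 600)
    delivered = counts["DATA"] > 0
    return {
        "vrfy_expn_probes": counts["VRFY"] + counts["EXPN"],
        "leaky_replies": leaky,
        "rejected_rcpt": rejected_rcpt,
        "suspicious": leaky > 0 or (not delivered and rejected_rcpt >= rcpt_threshold),
    }


# Constructed transcript: a server that answers VRFY honestly and rejects guessed recipients.
NOISY_SESSION = """\
S: 220 mail.example.test ESMTP
C: EHLO scanner
S: 250 mail.example.test
C: VRFY alice
S: 250 2.1.5 alice <alice@example.test>
C: VRFY bob
S: 550 5.1.1 bob: User unknown
C: EXPN staff
S: 502 5.5.2 EXPN not implemented
C: MAIL FROM:<probe@example.test>
S: 250 2.1.0 Ok
C: RCPT TO:<carol@example.test>
S: 550 5.1.1 User unknown
C: RCPT TO:<dave@example.test>
S: 550 5.1.1 User unknown
C: RCPT TO:<erin@example.test>
S: 550 5.1.1 User unknown
C: QUIT
S: 221 Bye""".splitlines()

# Constructed transcript: a hardened server (VRFY answered with 252) and a normal delivery.
HARDENED_SESSION = """\
S: 220 mail.example.test ESMTP
C: EHLO client
S: 250 mail.example.test
C: VRFY alice
S: 252 2.5.2 Cannot VRFY user, but will accept message
C: EXPN staff
S: 502 5.5.2 Command not implemented
C: MAIL FROM:<sender@example.test>
S: 250 2.1.0 Ok
C: RCPT TO:<alice@example.test>
S: 250 2.1.5 Ok
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
C: QUIT
S: 221 Bye""".splitlines()
```

The hardened transcript shows the mitigation side: answering VRFY with 252 (in Postfix, disable_vrfy_command = yes) removes the user-validation signal, and rate-limiting rejected RCPT TO per client closes the remaining channel.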
DNS
If the target DNS server allows zone transfers, attackers use this technique to obtain DNS server names, hostnames, machine names, usernames, IP addresses, aliases, etc. assigned within a target domain
Tools
Linux DNS zone transfer using the dig command – dig ns <target domain>
Windows DNS zone transfer using nslookup – nslookup, set querytype=soa, <target domain>
DNSRecon – checks all NS records of the target domain for zone transfers.
DNS Cache Snooping – DNS cache snooping is a DNS enumeration technique whereby an attacker queries the DNS server for a specific cached DNS record
Non-recursive Method – Attackers send a non-recursive query by setting the recursion desired (RD) bit to 0 in the query: dig @<IP address of DNS> <Target domain> A +norecurse. NOERROR means the query was accepted but the record is not cached
Recursive Method – dig @<IP address of DNS> <Target domain> A +recurse. A high TTL value means that the record was not in the cache
DNSSEC Zone Walking – DNS enumeration technique where an attacker attempts to obtain internal records of the DNS server if the DNS zone is not properly configured
Tools
These tools perform zone enumeration on NSEC and NSEC3 records
LDNS – enumerates the DNSSEC zone and obtains results on the DNS records
DNSRecon – enumerates DNS records such as A, AAAA, and CNAME.
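Why an NSEC chain can be walked and why NSEC3 records resist it, as an added example that is not from the notes or from LDNS or DNSRecon: an NSEC record names the next owner in the zone, so following the "next" pointers from the apex enumerates every name; NSEC3 publishes the hash of each owner instead, computed by the RFC 5155 section 5 algorithm implemented here (SHA-1 over the canonical wire-format name plus salt, iterated, then base32hex). The zone example.test, its four names and the salt are constructed; RFC 5155 Appendix A carries a known-answer vector if you want to check nsec3_hash against the standard.

```python
import hashlib

# base32hex alphabet (RFC 4648 section 7), the encoding NSEC3 owner names use.
B32HEX = "0123456789abcdefghijklmnopqrstuv"


def canonical_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def walk_nsec_chain(nsec_next: dict, apex: str) -> list:
    """Follow NSEC 'next owner' pointers from the apex until the chain wraps around.
    nsec_next maps each owner name to the next name its NSEC record points at."""
    names, current = [], apex
    while current not in names:
        names.append(current)
        current = nsec_next[current]
    return names


def base32hex(data: bytes) -> str:
    """base32hex without padding; 20 SHA-1 bytes become exactly 32 characters."""
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % 5)
    return "".join(B32HEX[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5))


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """NSEC3 owner-name hash (RFC 5155 section 5): H(x) = SHA-1(x || salt), applied iterations+1 times."""
    digest = hashlib.sha1(canonical_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)


def nsec3_owner_names(names, salt: bytes, iterations: int) -> dict:
    """What a zone walker sees once the chain is NSEC3: hashed owners instead of hostnames."""
    return {name: nsec3_hash(name, salt, iterations) for name in names}


# Constructed NSEC chain for a zone example.test (owner -> next owner, sorted canonical order).
SAMPLE_NSEC = {
    "example.test.": "a.example.test.",
    "a.example.test.": "mail.example.test.",
    "mail.example.test.": "vpn.example.test.",
    "vpn.example.test.": "example.test.",
}
SAMPLE_SALT = bytes.fromhex("aabbccdd")   # constructed salt value

if __name__ == "__main__":
    exposed = walk_nsec_chain(SAMPLE_NSEC, "example.test.")
    print("NSEC chain exposes:", exposed)
    for name, h in nsec3_owner_names(exposed, SAMPLE_SALT, 12).items():
        print(f"{h}.example.test.  (was {name})")
```

A zone whose NSEC chain walks to completion is a finding in its own right; the remediation is to sign with NSEC3 (with a salt, and with opt-out where appropriate), which replaces the readable owner names with the hashes shown by nsec3_owner_names.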
IPsec Enumeration : UDP 500
IPsec provides data security by employing components such as Encapsulating Security Payload (ESP), Authentication Header (AH), and Internet Key Exchange (IKE) to secure communication between VPN endpoints
It is implemented for both gateway-to-gateway (LAN-to-LAN) and host-to-gateway (remote access) enterprise VPN solutions.
nmap -sU -p 500 <target IP>
ike-scan – discovering IKE hosts, fingerprint, transform enumeration, user enumeration, pre-shared key cracking
VoIP Enumeration : TCP/UDP 5060
VoIP enumeration reveals VoIP gateways/servers, IP-PBX systems, client software (softphones)/VoIP phones, user-agent IP addresses, and user extensions
This information is used in VoIP attacks such as Denial-of-Service (DoS), session hijacking, caller ID spoofing, eavesdropping, Spamming over Internet Telephony (SPIT), and VoIP phishing (vishing)
svmap – identifies SIP and PBX servers on a target network.
Metasploit – SIP enumerator to scan numeric/extensions of VoIP phones
RPC Enumeration : Port Mapper Service TCP/UDP 111
RPC allows clients and servers to communicate in distributed client/server programs
Identify any vulnerable services on these service ports
nmap -A <Target IP 10.10.1.0/24>
NetScanTools Pro – port 111
Unix/Linux User Enumeration
rusers – displays a list of users who are logged on to remote machines or machines on the LAN
rwho – displays a list of users who are logged on to the LAN
finger – displays information about system users: login name, real name, terminal name, idle time, login time, etc.