Chapter 3
Network and Host Information

TOPICS
3.1 Trace enumeration using tools
3.2 Trace scanning to the target
3.1 Trace enumeration using tools
Enumeration and Purpose
Enumeration is the follow-on step once scanning is complete and is used to identify computer names, usernames, and shares.
It also refers to actively querying or connecting to a target system to acquire this information.
The objective of enumeration is to identify a user account or system account for potential use in hacking the target system.
It isn’t necessary to find a system administrator account, because most account privileges can be escalated to allow the account more access than was previously granted.
Information to be collected during the enumeration stage
a. Usernames
b. Machine Names
c. Network Resources
d. Services
Services and Ports of Interest
Unix/Linux enumeration

Finger
The finger command is used on Linux and Unix-like systems to show information about currently logged-in users from the terminal.
It is a command-line utility that can report a user's login time, tty (terminal name), idle time, home directory, shell name, etc.
The finger command is useful for identifying users on a target finger server.
rpcinfo command
Reports the status of Remote Procedure Call (RPC) servers.
The rpcinfo command makes an RPC call to an RPC server and reports the status of the server.
For instance, this command reports whether the server is ready and waiting or not available.
The program parameter can be either a name or a number.
If you specify a version, the rpcinfo command attempts to call that version of the specified program.
Otherwise, the rpcinfo command attempts to find all the registered version numbers for the program you specify by calling version 0 (zero) and then attempts to call each registered version.
showmount
Displays a list of all clients that have remotely mounted file systems.
The showmount command displays a list of all clients that have remotely mounted a file system from the machine named in the Host parameter.
This information is maintained by the mountd daemon on that host.
This information is saved in the /etc/rmtab file in case the server crashes.
The default value for the Host parameter is the value returned by the hostname command.
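As an added example (not from the original slides), the audit a defender would run on the rpcinfo and showmount output described above: parse both, then flag RPC services that should not be reachable from untrusted networks and NFS exports open to any host. The host name, program table and export list are constructed sample data.

```python
# Constructed sample of `rpcinfo -p` output (not captured from a real host).
RPCINFO_SAMPLE = """\
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   udp    111  portmapper
    100005    1   udp  20048  mountd
    100005    3   tcp  20048  mountd
    100003    3   tcp   2049  nfs
    100021    4   tcp  38475  nlockmgr
"""

# Constructed sample of `showmount -e` output for the same host.
SHOWMOUNT_SAMPLE = """\
Export list for nfs01.example.test:
/export/home  *
/export/build 10.0.0.0/24
/export/tools (everyone)
"""

# RPC services that unauthenticated remote callers should not normally reach.
SENSITIVE = {"mountd", "nfs", "nlockmgr", "ypserv", "rquotad"}

def parse_rpcinfo(text):
    """Return (service, version, proto, port) tuples from `rpcinfo -p` output."""
    entries = []
    for line in text.splitlines()[1:]:        # first line is the column header
        fields = line.split()
        if len(fields) != 5:
            continue
        _program, vers, proto, port, service = fields
        entries.append((service, int(vers), proto, int(port)))
    return entries

def parse_exports(text):
    """Return {export_path: [allowed clients]} from `showmount -e` output."""
    exports = {}
    for line in text.splitlines()[1:]:        # first line is "Export list for ..."
        parts = line.split(None, 1)
        if len(parts) == 2:
            exports[parts[0]] = [c.strip() for c in parts[1].split(",")]
    return exports

def rpc_findings(entries):
    """Sensitive services registered with the portmapper, for firewall review."""
    return sorted({svc for svc, _, _, _ in entries if svc in SENSITIVE})

def world_readable_exports(exports):
    """Exports whose client list allows any host to mount them."""
    return sorted(p for p, cl in exports.items() if set(cl) & {"*", "(everyone)"})
```

Every service returned by rpc_findings should be either blocked at the perimeter or justified in writing, and every path from world_readable_exports should be restricted to a client list.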
NTP Enumeration
NTP (Network Time Protocol) is a protocol for synchronizing time across your network; this is especially important when utilizing Directory Services.
Through NTP enumeration you can gather information such as lists of hosts connected to the NTP server, IP addresses, system names, and OSs running on the client systems in a network. All this information can be enumerated by querying the NTP server.
NTP enumeration is important because in a network environment you can find other primary servers that help the hosts update their time, and you can do it without authenticating to the system.
An attacker queries the NTP server to gather valuable information such as:
List of hosts connected to the NTP server
Clients' IP addresses in a network, their system names, and OSs
Internal IPs can also be obtained if the NTP server is in the DMZ
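The defensive counterpart to the unauthenticated queries described above, added here as an example and not part of the original slides: an ntp.conf fragment for the reference ntpd, with the permissive form first and the hardened form after it. The noquery flag is what refuses the ntpq/ntpdc information requests that this kind of enumeration relies on.

```conf
# Weak: a bare "restrict default" (or no restrict line at all) grants full
# access, so any host can send mode 6/7 control queries and read peer and
# system variables from the server.
restrict default

# Hardened: serve time only.
#   noquery  - refuse ntpq/ntpdc information queries (no peer/host listing)
#   nomodify - refuse runtime configuration changes
#   notrap   - refuse control-message trap service
#   nopeer   - do not let remote hosts become peers
#   kod      - send kiss-of-death packets to abusive clients
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
# Keep full access from the server itself so local "ntpq -p" still works.
restrict 127.0.0.1
restrict ::1
# Turn off the monitor list entirely so there is nothing to enumerate.
disable monitor
```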
NTP Enumeration Commands
SMTP Enumeration
SMTP stands for Simple Mail Transfer Protocol.
As the name implies, it is used to send email.
It uses port 25 by default.
If you have ever sent an email, you have definitely used SMTP.
SMTP servers talk with other SMTP servers to deliver the email to the intended recipient.
An SMTP server understands only simple text commands.
The sender of the mail communicates with the mail receiver by issuing these command strings and supplying the necessary data.
1. HELO – sent by a client to introduce itself.
2. EHLO – another way for a client to introduce itself to the server.
3. HELP – used to see all commands.
4. RCPT – to identify message recipients.
5. DATA – sent by a client to initiate data transfer.
6. VRFY – verify if the mailbox exists.
7. QUIT – to end the session.
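Added example, not from the original slides: detection logic for the VRFY/EXPN/RCPT probing described above, run over constructed mail-server log lines. A client that draws several "user unknown" (5xx) replies to those commands in a short window is walking a username list; the simplified log format, the timestamps and the client addresses are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines in a simplified key=value format (not real server output).
SMTP_LOG = """\
2024-05-01T10:00:01Z smtpd client=203.0.113.5 cmd=VRFY arg=alice code=252
2024-05-01T10:00:02Z smtpd client=203.0.113.5 cmd=VRFY arg=bob code=550
2024-05-01T10:00:02Z smtpd client=203.0.113.5 cmd=VRFY arg=carol code=550
2024-05-01T10:00:03Z smtpd client=203.0.113.5 cmd=RCPT arg=dave code=550
2024-05-01T10:00:03Z smtpd client=203.0.113.5 cmd=EXPN arg=staff code=550
2024-05-01T10:00:04Z smtpd client=203.0.113.5 cmd=VRFY arg=erin code=550
2024-05-01T10:05:00Z smtpd client=198.51.100.9 cmd=RCPT arg=alice code=250
2024-05-01T10:05:01Z smtpd client=198.51.100.9 cmd=DATA arg=- code=354
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) smtpd client=(?P<client>\S+) cmd=(?P<cmd>[A-Z]+) "
    r"arg=(?P<arg>\S+) code=(?P<code>\d{3})$"
)
# Commands that reveal whether a mailbox or list exists.
PROBE_CMDS = {"VRFY", "EXPN", "RCPT"}

def parse_log(text):
    """Yield (timestamp, client, cmd, reply_code) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["client"], m["cmd"], int(m["code"])

def find_enumerators(text, window_s=60, threshold=4):
    """Return {client: first_flag_time} for clients that drew >= threshold 5xx
    replies to probe commands within a sliding window of window_s seconds.
    Assumes the log is in time order, as server logs normally are."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)      # client -> timestamps of recent probe failures
    flagged = {}
    for ts, client, cmd, code in parse_log(text):
        if cmd not in PROBE_CMDS or code < 500:
            continue
        q = recent[client]
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and client not in flagged:
            flagged[client] = ts
    return flagged
```

The same counter works for the permanent fix: disabling VRFY and EXPN on the server turns every such probe into a 5xx reply, which this logic then reports.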
3.2 Trace Scanning to the Target
Scanning
Scanning involves taking the information discovered during reconnaissance and using it to examine the network.
Tools that a hacker may employ during the scanning phase can include dialers, port scanners, network mappers, sweepers, and vulnerability scanners.
Hackers are seeking any information that can help them perpetrate an attack, such as computer names, IP addresses, and user accounts.
Types of Scanning
1. Port Scanning
2. Network Scanning
3. Vulnerability Scanning
Port Scanning
The process of identifying open and available TCP/IP ports on a system.
Port-scanning tools enable a hacker to learn about the services available on a given system.
Each service or application on a machine is associated with a well-known port number.
For example, a port-scanning tool that identifies port 80 as open indicates a web server is running on that system.
Hackers need to be familiar with well-known port numbers.
Network Scanning
The procedure for identifying active hosts on a network, either to attack them or as a network security assessment.
Hosts are identified by their individual IP addresses.
Network-scanning tools attempt to identify all the live or responding hosts on the network and their corresponding IP addresses.
Vulnerability Scanning
The process of proactively identifying the vulnerabilities of computer systems on a network.
Generally, a vulnerability scanner first identifies the operating system and version number, including service packs that may be installed.
Then, the vulnerability scanner identifies weaknesses or vulnerabilities in the operating system.
During the later attack phase, a hacker can exploit those weaknesses in order to gain access to the system.
Scanning Methodology
a. Check for the live system
b. Check the status of ports
c. Service identification
d. Banner grabbing / OS fingerprinting
e. Vulnerability scanning
f. Draw network diagrams of vulnerable hosts
a. Check for the live system
The CEH scanning methodology starts with checking for systems that are live on the network, meaning that they respond to probes or connection requests.
The simplest way to determine whether systems are live is to perform a ping sweep of the IP address range.
All systems that respond with a ping reply are considered live on the network.
Internet Control Message Protocol (ICMP) scanning is the process of sending an ICMP request or ping to all hosts on the network to determine which ones are up and responding to pings.
Pinger, Friendly Pinger, and WS_Ping_Pro are all tools that perform ICMP queries.
b. Check the status of ports
The process of port scanning involves probing each port on a host to determine which ports are open.
Port scanning generally yields more valuable information than a ping sweep about the host and the vulnerabilities on the system.
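Added example, not from the original slides: detection logic for the two scan shapes described under Types of Scanning and in steps a and b. A vertical scan is one source touching many ports on one host; a horizontal sweep is one source touching one port across many hosts. The flow-log format, the addresses and the thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed firewall/flow log, one "epoch src dst dport" per line (not real traffic).
FLOW_LOG = """\
1714557600 203.0.113.7 10.0.0.5 22
1714557600 203.0.113.7 10.0.0.5 23
1714557601 203.0.113.7 10.0.0.5 25
1714557601 203.0.113.7 10.0.0.5 80
1714557602 203.0.113.7 10.0.0.5 110
1714557602 203.0.113.7 10.0.0.5 143
1714557610 198.51.100.3 10.0.0.1 445
1714557610 198.51.100.3 10.0.0.2 445
1714557611 198.51.100.3 10.0.0.3 445
1714557611 198.51.100.3 10.0.0.4 445
1714557612 198.51.100.3 10.0.0.5 445
1714557700 192.0.2.10 10.0.0.5 443
1714557701 192.0.2.10 10.0.0.5 443
"""

def parse_flows(text):
    """Return (epoch, src, dst, dport) tuples, skipping malformed lines."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 4:
            ts, src, dst, dport = fields
            rows.append((int(ts), src, dst, int(dport)))
    return rows

def detect_scans(rows, window_s=60, port_threshold=5, host_threshold=5):
    """Return {src: 'vertical' | 'horizontal'} for sources whose fan-out inside
    one fixed window_s-second bucket reaches the thresholds.  Fixed buckets are
    cheap but can miss a scan that straddles a bucket boundary; lower the
    thresholds or use a sliding window if that matters for your environment."""
    ports = defaultdict(set)   # (src, dst, bucket)   -> distinct destination ports
    hosts = defaultdict(set)   # (src, dport, bucket) -> distinct destination hosts
    findings = {}
    for ts, src, dst, dport in rows:
        bucket = ts // window_s
        ports[(src, dst, bucket)].add(dport)
        hosts[(src, dport, bucket)].add(dst)
        if len(ports[(src, dst, bucket)]) >= port_threshold:
            findings.setdefault(src, "vertical")
        if len(hosts[(src, dport, bucket)]) >= host_threshold:
            findings.setdefault(src, "horizontal")
    return findings
```

Repeated connections from 192.0.2.10 to a single port are normal client behaviour and are not reported, which is the distinction a first-pass alert needs to make.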
c. Service identification
It’s usually performed using the same tools as port scanning.
By identifying open ports, a hacker can usually also identify the services associated with that port number.
d. Banner grabbing / OS fingerprinting
The process of fingerprinting allows the hacker to identify particularly vulnerable or high-value targets on the network.
Hackers are looking for the easiest way to gain access to a system or network.
Banner grabbing is the process of opening a connection and reading the banner or response sent by the application.
Many e-mail, FTP, and web servers will respond to a telnet connection with the name and version of the software.
This aids a hacker in fingerprinting the OS and application software.
For example, a Microsoft Exchange e-mail server would only be installed on a Windows OS.
e. Vulnerability scanning
Vulnerability scanning is an inspection of the potential points of exploit on a computer or network to identify security holes.
A vulnerability scan detects and classifies system weaknesses in computers, networks and communications equipment and predicts the effectiveness of countermeasures.
f. Draw network diagrams of vulnerable hosts
Drawing a network diagram of vulnerable hosts is a must.
A number of network-management tools can assist you with this step.
Such tools are generally used to manage network devices but can be turned against security administrators by enterprising hackers.
SolarWinds Toolset, Queso, Harris Stat, and Cheops are all network-management tools that can be used for operating system detection, network diagram mapping, listing services running on a network, generalized port scanning,
Thank You