Module4 Enumeration

The document discusses techniques attackers use for enumeration, which involves actively querying target systems to gather information that can be used in subsequent attacks. Some key techniques include extracting usernames from email addresses, exploiting default passwords, brute forcing Active Directory, performing DNS zone transfers, and extracting user groups. The document also lists common ports and services that may be enumerated like DNS, SMB, and SNMP, as well as tools like Nbtstat that can help with NetBIOS enumeration.

Enumeration

- Enumeration involves the attacker creating an active connection to the target system and sending directed
queries to gather more information about the target.
- Attackers use the extracted information to identify points of attack and to perform password attacks
to gain unauthorized access to information system resources.
- Enumeration techniques are typically conducted from an intranet environment, because they rely on active
connections to services (SMB, NetBIOS, SNMP, LDAP) that are usually reachable only from inside the network.

Techniques for Enumeration


 Extract usernames using email IDs: Every email address has two parts, the username (local part) and the
domain name, separated by @. The local part usually follows the organization's login naming convention, so a
list of harvested addresses yields both candidate usernames and the target domain.
 Extract information using default passwords: Users often ignore recommendations to change the default
passwords set by the manufacturer or developer of a product. This eases an attacker's task of enumerating
and exploiting the target.
 Brute force Active Directory: Microsoft Active Directory is susceptible to username enumeration during the
verification of user-supplied input; this is a design error in the Active Directory implementation. If the
"logon hours" feature is enabled, authentication attempts produce different error messages depending on
whether the supplied username exists. Attackers use this difference to enumerate valid usernames, and an
attacker who has extracted valid usernames can then run a brute-force attack against their passwords.
 Extract information using DNS zone transfer: A network administrator uses DNS zone transfer to replicate
DNS data across several DNS servers or to back up DNS files. To do so, the administrator issues a zone-transfer
(AXFR) request to the name server; if the name server permits the transfer, it returns all the DNS names and
IP addresses it hosts for that zone as plain text.
If the administrators did not restrict which hosts may request a transfer, a zone transfer is an effective
way to obtain information about the organization's network, including lists of all named hosts, sub-zones,
and their IP addresses. Zone transfers can be requested with the nslookup and dig commands.
 Extract user groups from Windows: To extract user groups from Windows, the attacker needs an account
registered in Active Directory. The attacker can then list the groups in which that user is a member, and the
members of those groups, using the Windows interface or the command line.
 Extract usernames using SNMP: Attackers can often guess the read-only or read-write community strings and
then use the SNMP application programming interface (API) to extract usernames and other host details.
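The email-ID technique above is only useful once the naming convention is known. As an added example (not part of the course notes), the following Python script infers the convention from harvested addresses that match known staff names and then generates candidate logins for staff whose address was not found. The addresses, names and domain are constructed, not real.

```python
"""Added example (not part of the course notes): infer the login naming
convention from harvested e-mail addresses and generate candidate usernames
for other known employees. All addresses and names below are constructed."""
import re
from collections import Counter

# Candidate conventions: (first, last) -> local part of the address
CONVENTIONS = {
    "first.last": lambda f, l: f"{f}.{l}",
    "first_last": lambda f, l: f"{f}_{l}",
    "flast": lambda f, l: f"{f[0]}{l}",
    "firstl": lambda f, l: f"{f}{l[0]}",
    "last.first": lambda f, l: f"{l}.{f}",
    "first": lambda f, l: f,
}

# Constructed sample: addresses scraped from a website, plus staff names
# found on a contact page. Two addresses belong to people in the name list.
HARVESTED = ["Jane.Doe@example.com", "john.smith@example.com",
             "a.khan@example.com", "info@example.com", "not-an-address"]
KNOWN_STAFF = [("Jane", "Doe"), ("John", "Smith"), ("Maria", "Lopez"),
               ("Mary-Ann", "O'Neil")]


def _norm(part):
    """Lower-case and strip characters conventions never keep (hyphens, apostrophes)."""
    return re.sub(r"[^a-z]", "", part.lower())


def split_address(addr):
    """Return (username, domain) for a syntactically valid address, else None."""
    m = re.fullmatch(r"([a-z0-9._%+-]+)@([a-z0-9.-]+\.[a-z]{2,})", addr.strip().lower())
    return (m.group(1), m.group(2)) if m else None


def target_domains(addresses):
    """Domains seen in the harvested addresses, most common first."""
    return Counter(p[1] for p in map(split_address, addresses) if p)


def infer_convention(addresses, staff):
    """Vote for the convention that reproduces observed usernames of known staff."""
    usernames = {p[0] for p in map(split_address, addresses) if p}
    votes = Counter()
    for first, last in staff:
        f, l = _norm(first), _norm(last)
        if not (f and l):
            continue
        for name, fn in CONVENTIONS.items():
            if fn(f, l) in usernames:
                votes[name] += 1
    return votes.most_common(1)[0][0] if votes else None


def generate_usernames(staff, convention):
    """Candidate logins for the given staff under one convention."""
    fn = CONVENTIONS[convention]
    return [fn(_norm(f), _norm(l)) for f, l in staff if _norm(f) and _norm(l)]


def unknown_staff(addresses, staff, convention):
    """Staff members whose username under the convention was not observed."""
    usernames = {p[0] for p in map(split_address, addresses) if p}
    fn = CONVENTIONS[convention]
    return [(f, l) for f, l in staff if fn(_norm(f), _norm(l)) not in usernames]


if __name__ == "__main__":
    conv = infer_convention(HARVESTED, KNOWN_STAFF)
    print("domains:", dict(target_domains(HARVESTED)))
    print("convention:", conv)
    todo = unknown_staff(HARVESTED, KNOWN_STAFF, conv)
    print("candidates:", generate_usernames(todo, conv))
```

The vote only counts conventions that reproduce an observed address for a known person, so generic mailboxes such as info@ do not bias the result; when no known name matches, infer_convention returns None rather than guessing.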

Services and ports to enumerate

Port            Service
TCP/UDP 53      Domain Name System (DNS) zone transfer
TCP/UDP 135     Microsoft RPC Endpoint Mapper
TCP 139         NetBIOS Session Service (SMB over NetBIOS)
UDP 137         NetBIOS Name Service (NBNS)
TCP/UDP 445     SMB over TCP (Direct Host)
UDP 161         Simple Network Management Protocol (SNMP)
TCP/UDP 389     Lightweight Directory Access Protocol (LDAP)
TCP 2049        Network File System (NFS)
TCP 25          Simple Mail Transfer Protocol (SMTP)
TCP/UDP 162     SNMP Trap
UDP 500         ISAKMP/Internet Key Exchange (IKE)
TCP 22          Secure Shell (SSH)

 TCP/UDP 53: DNS Zone Transfer


- DNS clients send DNS messages to DNS servers listening on UDP port 53.
- If a response exceeds the default DNS-over-UDP message size (512 octets), the server returns only the
data that fits and sets the TC (truncated) flag in the response.
- The client then resends the request over TCP port 53. UDP is therefore the default transport and TCP
is the failover for lengthy queries and responses.
- Zone transfers (AXFR) are always carried over TCP port 53, because a whole zone rarely fits in one UDP
datagram; a name server that blocks TCP 53 from untrusted hosts also blocks transfers from them.
- Malware such as the ADM worm and the Bonk Trojan use port 53 to exploit vulnerabilities within DNS servers,
helping intruders launch attacks.
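A zone transfer is requested with dig axfr <zone> @<nameserver>, and the useful work starts with the output. As an added example (not part of the course notes), the Python below parses dig's AXFR output into a host inventory, tells a successful transfer from a refusal, and flags records whose A record points into RFC 1918 space, which is the classic sign that a public zone is leaking internal topology. The dig output is constructed for this example; example.com and the addresses are documentation values, not a real target.

```python
"""Added example (not from the course notes): turn the output of
'dig axfr <zone> @<nameserver>' into a host inventory and flag records that
leak RFC 1918 (internal) addresses. Both dig outputs below are constructed."""
import ipaddress

# Constructed output of a permitted transfer (a real zone is bracketed by SOA records).
SAMPLE_AXFR = """\
; <<>> DiG 9.18.1 <<>> axfr example.com @ns1.example.com
;; global options: +cmd
example.com.        3600  IN  SOA    ns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600
example.com.        3600  IN  NS     ns1.example.com.
example.com.        3600  IN  MX     10 mail.example.com.
ns1.example.com.    3600  IN  A      192.0.2.53
mail.example.com.   3600  IN  A      192.0.2.25
www.example.com.    3600  IN  CNAME  web01.example.com.
web01.example.com.  3600  IN  A      192.0.2.80
vpn.example.com.    3600  IN  A      203.0.113.10
dev.example.com.    3600  IN  A      10.10.5.21
example.com.        3600  IN  SOA    ns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600
;; Query time: 12 msec
"""

# Constructed output of a refused transfer.
SAMPLE_REFUSED = """\
; <<>> DiG 9.18.1 <<>> axfr example.com @ns2.example.com
;; global options: +cmd
; Transfer failed.
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_axfr(text):
    """Return one dict per resource record in dig's AXFR output; comments are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(None, 4)          # name ttl class type rdata (rdata may contain spaces)
        if len(parts) < 5 or parts[2] != "IN":
            continue
        name, ttl, _, rtype, rdata = parts
        records.append({"name": name.lower(), "ttl": int(ttl), "type": rtype, "rdata": rdata})
    return records


def transfer_allowed(text):
    """A completed AXFR carries two SOA records; dig prints '; Transfer failed.' on refusal."""
    if any(l.startswith("; Transfer failed") for l in text.splitlines()):
        return False
    return sum(r["type"] == "SOA" for r in parse_axfr(text)) >= 2


def host_inventory(records):
    """hostname -> sorted addresses (A/AAAA), following one CNAME hop within the zone."""
    addrs = {}
    for r in records:
        if r["type"] in ("A", "AAAA"):
            addrs.setdefault(r["name"], []).append(r["rdata"])
    for r in records:
        if r["type"] == "CNAME" and r["rdata"].lower() in addrs:
            addrs.setdefault(r["name"], []).extend(addrs[r["rdata"].lower()])
    return {h: sorted(set(a)) for h, a in addrs.items()}


def internal_hosts(records):
    """Names whose A record points into RFC 1918 space (internal topology leaking via the zone)."""
    leaks = []
    for r in records:
        if r["type"] != "A":
            continue
        ip = ipaddress.ip_address(r["rdata"])
        if any(ip in net for net in RFC1918):
            leaks.append(r["name"])
    return sorted(set(leaks))


if __name__ == "__main__":
    recs = parse_axfr(SAMPLE_AXFR)
    print("transfer allowed:", transfer_allowed(SAMPLE_AXFR))
    for host, ips in sorted(host_inventory(recs).items()):
        print(f"{host:<22} {', '.join(ips)}")
    print("internal addresses leaked by:", internal_hosts(recs))
```

The RFC 1918 ranges are listed explicitly rather than using ipaddress's is_private, which also returns True for the documentation ranges 192.0.2.0/24 and 203.0.113.0/24 and would produce false positives on zones that use them. Run the check against every NS record of the zone, not just the first: a secondary is often the one left open.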

 TCP/UDP 135: Microsoft RPC Endpoint Mapper


- The RPC Endpoint Mapper lets RPC clients determine the port number currently assigned to a
specific RPC service.
- A flaw in the part of RPC that exchanges messages over TCP/IP, namely incorrect handling of
malformed messages, causes the service to fail. This affects the RPC Endpoint Mapper, which listens on
TCP port 135.
- This vulnerability allows an attacker to send crafted RPC messages to the RPC Endpoint Mapper process on
a server and cause a denial of service (DoS).

 UDP 137: NetBIOS Name Service (NBNS)


- NBNS is the NetBIOS name-resolution service; Microsoft's implementation of an NBNS server is the
Windows Internet Name Service (WINS).
- NetBIOS name servers maintain a database of NetBIOS names for hosts and the corresponding IP
address each host is using.
- Attackers usually attack the name service first. NBNS normally uses UDP 137 as its transport. TCP 137
is also defined for a few operations, though it is rarely, if ever, used in practice.

 TCP 139: NetBIOS Session Service (SMB over NetBIOS)


- TCP 139 is used to transfer files over a network. Systems use this port for both null-session
establishment as well as file and printer sharing.
- An improperly configured TCP 139 port can allow an intruder to gain unauthorized access to critical
system files or the complete file system, resulting in data theft or other malicious activities.

 TCP/UDP 445: SMB over TCP (Direct Host)


- Windows supports file- and printer-sharing traffic using the SMB protocol directly hosted on TCP.
- In earlier operating systems, SMB traffic required the NetBIOS over TCP (NBT) protocol to work on a TCP/IP transport.
- Directly hosted SMB uses port 445 instead of the NetBIOS ports. Although port 445 is registered for both
TCP and UDP, SMB sessions run over TCP; UDP 445 is not used in practice, so scans and filters should focus on TCP 445.

 UDP 161: Simple Network Management Protocol (SNMP)


- SNMP is widely used in network management systems to monitor network-attached devices such as
routers, switches, firewalls, printers, and servers.
- It consists of a manager and agents.
- The agent receives requests from managers on UDP port 161 and answers them from that same port.
Unsolicited notifications (traps) go the other way: the agent sends them to the manager's UDP port 162.

 TCP/UDP 389: Lightweight Directory Access Protocol (LDAP)


- LDAP is a protocol for accessing and maintaining distributed directory information services over an IP
network.
- By default, LDAP uses TCP port 389. UDP 389 carries connectionless LDAP (CLDAP), which Windows clients
use to locate domain controllers.

 TCP 2049: Network File System (NFS)


- The NFS protocol mounts file systems from a remote host over a network, so users can interact with
the file systems as if they were mounted locally.
- NFS servers listen for their clients on TCP port 2049.
- If NFS services are not properly configured (for example, exports open to any host), attackers may exploit
NFS to gain control over a remote system, escalate privileges, or plant backdoors or malware on the remote host.

 TCP 25: Simple Mail Transfer Protocol (SMTP)


- SMTP is a TCP/IP mail delivery protocol. It transfers email across the Internet and across local networks.
It runs on the connection-oriented service provided by TCP and uses the well-known port number 25.

 TCP/UDP 162: SNMP Trap


- An SNMP trap is sent from an agent to a manager's port 162 to deliver notifications; it carries the
sysUpTime value and optional variable bindings. Port 162 is registered for TCP as well, but traps are
sent over UDP in practice.

NetBIOS Enumeration
 A NetBIOS name is a unique 16-character ASCII string used to identify network devices over TCP/IP;
fifteen characters are used for the device name, and the sixteenth character (the suffix) is reserved for
the service or name record type.

Attackers use NetBIOS enumeration to obtain

- The list of computers that belong to a domain
- The list of shares on individual hosts in the network
- Policies and passwords

Note: NetBIOS name resolution is not supported by Microsoft for IPv6.

NetBIOS Name   Suffix  Type    Information Obtained
<hostname>     <00>    Unique  Hostname
<domain>       <00>    Group   Domain name
<hostname>     <03>    Unique  Messenger service running for the computer
<username>     <03>    Unique  Messenger service running for the logged-in user
<hostname>     <20>    Unique  Server service running
<domain>       <1D>    Group   Master browser name for the subnet
<domain>       <1B>    Unique  Domain master browser name, which identifies the primary domain controller (PDC) for the domain
<domain>       <1E>    Group   Browser service elections

 Nbtstat Utility
- Nbtstat is a Windows utility that helps in troubleshooting NetBIOS name resolution problems.
- The nbtstat command can also purge and reload the NetBIOS name cache (the preloaded entries); its switches
are case-sensitive, so -a and -A, -r and -R, -s and -S are different options.
- Attackers use Nbtstat to enumerate information such as NetBIOS over TCP/IP (NetBT) protocol statistics,
the NetBIOS name tables of both local and remote computers, and the NetBIOS name cache. For example,
nbtstat -A <IP address> returns a remote host's name table, and nbtstat -c lists the local cache.
- The syntax of the nbtstat command is as follows:
nbtstat [-a RemoteName] [-A IPAddress] [-c] [-n] [-r] [-R] [-RR] [-s] [-S] [Interval]
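What nbtstat -A actually sends is a NetBIOS Node Status request to UDP 137, and the name table it prints comes straight from the reply. As an added Python example (not part of the course notes), the script below builds that request, decodes the reply into the name/suffix/type columns of the table above, and constructs a sample reply so it runs offline. The suffix meanings are those listed in the table; the sample host names, MAC address and query_host() helper (the only part that touches the network) are this example's own.

```python
"""Added example (not part of the course notes): build the NetBIOS Node
Status (NBSTAT) query that nbtstat -A sends to UDP/137 and decode the name
table in the reply (RFC 1001/1002). The sample reply is constructed."""
import socket
import struct

NBSTAT = 0x0021          # NetBIOS node-status record type
FLAG_GROUP = 0x8000      # G bit of NAME_FLAGS: group name (clear = unique)
FLAG_ACTIVE = 0x0400     # ACT bit of NAME_FLAGS: name is currently in use
WILDCARD = b"*" + b"\x00" * 15   # the '*' name used by node-status requests
# Suffix meanings keyed by (suffix, is_group), as in the table above
SUFFIX = {
    (0x00, False): "Hostname", (0x00, True): "Domain name",
    (0x03, False): "Messenger service", (0x20, False): "Server service",
    (0x1B, False): "Domain master browser (PDC)", (0x1D, True): "Master browser",
    (0x1E, True): "Browser elections",
}


def encode_name(raw16: bytes) -> bytes:
    """First-level encoding: each byte becomes two letters 'A'..'P' in one 32-char label."""
    enc = b"".join(bytes((0x41 + (b >> 4), 0x41 + (b & 0x0F))) for b in raw16)
    return b"\x20" + enc + b"\x00"


def build_nbstat_query(txid: int) -> bytes:
    """NBNS header (1 question) + encoded '*' name + QTYPE NBSTAT, QCLASS IN."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(WILDCARD) + struct.pack(">HH", NBSTAT, 1)


def _skip_name(pkt: bytes, off: int) -> int:
    """Advance past a (possibly compressed) NetBIOS/DNS-style name."""
    while pkt[off]:
        if pkt[off] & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        off += pkt[off] + 1
    return off + 1


def parse_node_status(pkt: bytes) -> dict:
    """Decode a NODE STATUS RESPONSE into its name table and unit ID (MAC)."""
    txid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", pkt[:12])
    if not flags & 0x8000 or an < 1:
        raise ValueError("not a node-status response")
    off = 12
    for _ in range(qd):                  # skip any echoed question section
        off = _skip_name(pkt, off) + 4
    off = _skip_name(pkt, off)
    rtype, _, _, _ = struct.unpack(">HHIH", pkt[off:off + 10])
    off += 10
    if rtype != NBSTAT:
        raise ValueError(f"unexpected RR type {rtype:#06x}")
    count, off = pkt[off], off + 1
    names = []
    for _ in range(count):               # 18 bytes per entry: 15 name, 1 suffix, 2 flags
        raw, suffix = pkt[off:off + 15], pkt[off + 15]
        nflags = struct.unpack(">H", pkt[off + 16:off + 18])[0]
        off += 18
        group = bool(nflags & FLAG_GROUP)
        names.append({"name": raw.rstrip(b" \x00").decode("ascii", "replace"),
                      "suffix": suffix, "group": group,
                      "active": bool(nflags & FLAG_ACTIVE),
                      "meaning": SUFFIX.get((suffix, group), "other")})
    mac = ":".join(f"{b:02X}" for b in pkt[off:off + 6])
    return {"txid": txid, "names": names, "mac": mac}


def build_node_status_response(txid: int, entries, mac: bytes) -> bytes:
    """Constructed reply shaped like a Windows host's (fixture for offline use)."""
    rdata = bytes([len(entries)])
    for name, suffix, group in entries:
        nflags = FLAG_ACTIVE | (FLAG_GROUP if group else 0)
        rdata += name.encode().ljust(15, b" ") + bytes([suffix]) + struct.pack(">H", nflags)
    rdata += mac + b"\x00" * 40          # unit ID (MAC) followed by a zeroed statistics block
    header = struct.pack(">HHHHHH", txid, 0x8400, 0, 1, 0, 0)
    rr = encode_name(WILDCARD) + struct.pack(">HHIH", NBSTAT, 1, 0, len(rdata))
    return header + rr + rdata


def query_host(ip: str, timeout: float = 2.0) -> dict:
    """Live equivalent of 'nbtstat -A <ip>' (needs network; not used by the fixture)."""
    txid = 0x1337
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_nbstat_query(txid), (ip, 137))
        data, _ = s.recvfrom(4096)
    reply = parse_node_status(data)
    if reply["txid"] != txid:
        raise ValueError("transaction id mismatch")
    return reply


# Constructed sample: workstation WS01 in domain CORP (names and MAC are made up).
SAMPLE_REPLY = build_node_status_response(0x1234, [
    ("WS01", 0x00, False), ("CORP", 0x00, True), ("WS01", 0x03, False),
    ("WS01", 0x20, False), ("CORP", 0x1E, True), ("CORP", 0x1D, True),
], bytes.fromhex("000c29aabbcc"))

if __name__ == "__main__":
    for n in parse_node_status(SAMPLE_REPLY)["names"]:
        kind = "GROUP" if n["group"] else "UNIQUE"
        print(f"{n['name']:<15} <{n['suffix']:02X}> {kind:<7} {n['meaning']}")
```

The decoder checks the response bit and the transaction ID before trusting a datagram, since UDP 137 replies are trivially spoofable; a <20> entry marks a host worth following up with share enumeration on TCP 139/445.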
