CEH Module 4

4.1 ENUMERATION CONCEPTS
 Enumeration Concepts
 Enumeration Tools and Techniques
OVERVIEW
 The systematic process of querying a target’s servers and services for information
 The attacker utilizes information gathered during footprinting / reconnaissance to
know which devices and services to query
 We exploit normal server functionality and protocols to gain more information about
our target

We enumerate to find possible entry points into the target system!


 OS and service details
 Users and groups
 Email addresses and contact information
 Network resources
 Network shares
 Routing tables
 Audit and service settings
 SNMP and DNS information
 Machine names
 Applications and banners
 Enumeration should appear to the server as a normal client making legitimate
information requests
 Your enumeration test should focus on the information you need
 You want to avoid returning too much information that will clutter your results

 A combination of manual and automated testing will give the best results
netcat www.someserver.com 80
(after connecting, type a request line such as HEAD / HTTP/1.0 followed by an empty line; the reply headers carry the banner)

HTTP/1.1 200 OK
Server: Microsoft-IIS/6
Expires: Tue, 17 Jan 2011 01:41:33 GMT
Date: Mon, 16 Jan 2011 01:41:33 GMT
Content-Type: text/html
Accept-Ranges: bytes
Last-Modified: Wed, 28 Dec 2010 15:32:21 GMT
ETag: "b0aac0542e25c31:89d"
Content-Length: 7369
HOST ENUMERATION EXAMPLES

NMAP ENUMERATION EXAMPLES
nmap -O 192.168.1.50
nmap -sV 192.168.1.20
nmap --script=smb-os-discovery <target>

RPCCLIENT ENUMERATION EXAMPLES
rpcclient -U <username> <target IP>
srvinfo
lookupnames administrator
lookupsids <SID>

rpcclient -U "" -N 192.168.1.20
(-U "" with -N attempts a null session without prompting for a password)

METASPLOIT ENUMERATION EXAMPLE
use auxiliary/scanner/smb/smb_lookupsid
set SMBUser moo
set SMBPass Pa22w0rd
set MinRID 1000
set MaxRID 1100
set RHOSTS 192.168.74.50
run
SERVICES ENUMERATION TOOLS

Port: TCP 3268
Protocol: LDAP
Service: MS Active Directory Global Catalog Service
Tools: Same as for LDAP, but a different port
Comments: The Active Directory Global Catalog maintains a listing for all objects in an entire Active Directory forest.
4.2 SMB AND NETBIOS ENUMERATION
 NetBIOS
 SMB
 Null User
 Tools
NETBIOS
 Network Basic Input/Output System
 An API and Layer 5 (session layer) protocol
 Allows applications to communicate over a local area network (LAN) using device-specific NetBIOS names
 1 - 15 alphanumeric characters (a hidden 16th character, the suffix, describes the name type)
 Special characters can only include: - . _ $ (dash, period, underscore, dollar sign)
 $ has special meaning (name or share exists but is hidden on the network)
 Only the dash is compatible with DNS naming conventions
 Used by Microsoft for simple LAN communications, name resolution and file sharing
 Originally carried by the broadcast-based NetBEUI networking protocol
 Microsoft later made it a payload of TCP/IP (NetBIOS over TCP/IP, NBT)
 UDP 137 (name service; TCP 137 is also registered), UDP 138 (datagram service), TCP 139 (session service)

Name          Code  Type    Information obtained
<host name>   <00>  Unique  Hostname (Workstation service)
<domain>      <00>  Group   Domain name
<host name>   <03>  Unique  Messenger service running for that computer
<username>    <03>  Unique  Messenger service running for that individual logged-in user
<host name>   <20>  Unique  Server service running (file/print sharing)
<domain>      <1D>  Unique  Master browser name for that subnet
<domain>      <1B>  Unique  Domain master browser name, identifies the PDC for the domain
SMB
 Server Message Block: the Microsoft file and print sharing protocol
 The Microsoft Workstation Service (client) connects to a remote machine's Server Service (server)
 Also provides authenticated inter-process communication (IPC) among processes running on remote computers
 A hidden administrative share, known as the IPC share (IPC$), exists on Windows computers
 Facilitates communication between processes and remote computers (it carries the named pipes that RPC services such as SAMR, LSARPC and SRVSVC are reached through)
 Originally NetBIOS and SMB worked together:
 An SMB client uses the NetBIOS API to send an SMB command to an SMB server and listens for replies from the SMB server
 An SMB server uses the NetBIOS API to listen for SMB commands from SMB clients and sends replies to the SMB client
 Since Windows 2000, SMB can also run directly on TCP 445 without NetBIOS
 NetBIOS over TCP/IP (TCP 139) still exists for backward compatibility
 The Linux/UNIX Samba server is a reverse-engineered, open-source implementation of SMB/CIFS (originally SMBv1; current versions also speak SMBv2 and SMBv3)
 It answers the same enumeration queries as a Windows server and has its own history of protocol-level vulnerabilities; it does not share Windows' code, so a Windows SMB bug does not automatically apply to Samba or vice versa
NetBIOS and SMB have a long history of vulnerabilities
 You can use SMB to make NetBIOS and RPC calls to a Microsoft Server Service
 You can enumerate:
 Computer names
 Share names
 User names
 Logon information
 Password policy, and password hashes (hashes only with administrative credentials)
 NetBIOS computer and domain names
 Active Directory domain and forest names
 FQDNs
 System time
NULL USER
 A null user is a pseudo account that has no username and password
 Was initially used by Windows systems to "log in" to each other to trade network browse lists
 For decades, the null session was an exploit that took advantage of the null user

net use \\<IP ADDRESS>\IPC$ "" /user:""

 Connecting to the IPC$ share with a null session then allows you to enumerate a lot of information via NetBIOS and SMB (shares, users, groups, password policy)
 Caveat: since Windows XP SP2 / Server 2003 the RestrictAnonymous and RestrictAnonymousSAM settings block most null-session enumeration by default, so expect it to succeed mainly against legacy hosts or permissively configured Samba servers
NBTSTAT
 Windows utility
 Displays NetBIOS over TCP/IP protocol statistics, NetBIOS name tables for local and remote computers, and the NetBIOS name cache

nbtstat [-a RemoteName] [-A IPAddress] [-c] [-n] [-r] [-R] [-RR] [-s] [-S] [Interval]

 nbtstat -A <IP> sends the wildcard node-status query to UDP 137 and prints the remote name table and MAC address
ENUM4LINUX
 Has 19 sub commands (options) for enumerating information via NetBIOS, SMB and MSRPC
 Runs on Linux
 Enumerates NetBIOS information from Windows and Linux Samba hosts, using a null session by default (add -u <user> -p <password> when anonymous access is restricted)
 -A all simple enumeration
 -U get userlist
 -M get machine list
 -N get namelist dump (different from -U and -M)
 -S get sharelist
 -P get password policy information
 -G get group and member list
SUPERSCAN
 A connection-based TCP port scanner, pinger, and hostname resolver for Windows
 Support for unlimited IP ranges
 Host detection by multiple ICMP methods
 TCP SYN and UDP scanning
 Simple HTML report generation
 Source port scanning
 Hostname resolving
 Banner grabbing
 Windows host enumeration
 NetBIOS Enumerator
 NSAuditor Network Security Auditor
 Includes more than 45 network tools and utilities for network security auditing, network scanning, network monitoring, etc.
 Hyena
 A GUI application for managing and securing Microsoft operating systems
 Shows shares
 Shows user logon names for Windows servers and domain controllers
 Displays a graphical representation of Microsoft Terminal Services, Microsoft Windows Network, Web Client Network, etc.
 Winfingerprint
 Shows operating system; enumerates users, groups, SIDs, transports, sessions, services, service pack and hotfix level, date and time, disks, and open TCP/UDP ports
4.3 FILE TRANSFER ENUMERATION
 FTP
 TFTP
 NFS
FTP
 File Transfer Protocol: a common, clear text file sharing protocol
 Interactive
 Has commands to list files and directories, upload and download files
 TCP 21 (commands)
 TCP 20 or a random high port (data transfer)
 An FTP server can be configured to:
 Authenticate a user
 Allow anonymous connections
 You can use the FTP protocol to enumerate

FTP connection modes (shown as a diagram in the original):
 Commands always travel from the client to the server on TCP 21
 Active mode: the server tries to initiate the data connection back to the client (from TCP 20), which a firewall on the client side blocks
 Passive mode (PASV): the client initiates the data connection to a port the server announces, which the client's firewall allows
 The PORT command of active mode names the address the server should connect to; a server that accepts an address other than the client's own can be made to port scan third parties (FTP bounce)
 You can use FTP commands to enumerate information from an FTP
server:
 Accounts
 Passwords
 Anonymous login capabilities
 Port scanning other targets
 Netcat
 Banner grab from an FTP server

 Nmap scripts
 ftp-anon – Checks if an FTP server allows anonymous logins.
 ftp-brute – Performs brute-force password auditing against FTP servers.
 ftp-bounce – Checks to see if an FTP server allows port scanning using the FTP bounce
method.
 ftp-user-enum
 Tool for enumerating OS-level user accounts via the ftp service
 Works against the default Solaris in.ftpd and GNU inetutils ftpd
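The PORT/PASV mechanics and the bounce check that the ftp-bounce script performs, as an added Python example (not code from the module, from nmap or from any FTP server): it encodes PORT arguments, parses PASV replies, and runs a bounce scan that asks the server to open data connections to a third host, reading the reply to LIST to learn whether the target port accepted the connection. FakeFtpServer, its addresses (192.168.1.10, 192.168.1.20, 10.0.0.5) and its "open" ports are constructed for the example; any callable that sends one command line and returns the reply can replace its send method.

```python
"""FTP data-connection encoding and an FTP bounce port scan.

Added example, not from the module, nmap or any FTP server. PORT/PASV are the
commands behind active and passive mode; bounce_scan() abuses PORT to make the
server open data connections to a third host and reads the reply to LIST to
learn whether that host's port was open. FakeFtpServer, its addresses and its
open ports are constructed for the example.
"""
import re


def port_argument(ip, port):
    """Encode ip:port as the h1,h2,h3,h4,p1,p2 argument of the PORT command."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return ",".join(ip.split(".") + [str(port >> 8), str(port & 0xFF)])


def parse_pasv(reply):
    """Parse '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' into (ip, port)."""
    m = re.match(r"227\b.*?(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})", reply)
    if not m:
        raise ValueError("not a 227 PASV reply")
    octets = [int(x) for x in m.groups()]
    if max(octets) > 255:
        raise ValueError("value out of range in PASV reply")
    return ".".join(map(str, octets[:4])), (octets[4] << 8) | octets[5]


class FakeFtpServer:
    """Constructed stand-in for a server. Accepts PORT for a foreign address only when
    allow_bounce is True; its data connections 'succeed' only to ports in open_ports."""
    def __init__(self, allow_bounce, open_ports, client_ip="192.168.1.10"):
        self.allow_bounce, self.open_ports = allow_bounce, set(open_ports)
        self.client_ip, self.data_target = client_ip, None

    def send(self, line):
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "USER":
            return "331 Please specify the password."
        if verb == "PASS":
            return "230 Login successful."
        if verb == "PASV":
            return "227 Entering Passive Mode (192,168,1,20,195,89)."
        if verb == "PORT":
            ip, port = parse_pasv("227 (" + arg + ")")   # same h1..p2 layout as a PASV reply
            if ip != self.client_ip and not self.allow_bounce:
                return "500 Illegal PORT command."     # RFC 2577 advice: PORT must match the control peer
            self.data_target = (ip, port)
            return "200 PORT command successful."
        if verb == "LIST":
            if self.data_target and self.data_target[1] in self.open_ports:
                return "150 Here comes the directory listing.\n226 Directory send OK."
            return "425 Failed to establish connection."
        if verb == "QUIT":
            return "221 Goodbye."
        return "500 Unknown command."


def bounce_scan(send, target_ip, ports, user="anonymous", password="ftp@"):
    """Log in, then for each port: PORT <target>, LIST. 150 means the server reached
    the target port (open), 425 means it could not (closed/filtered). 'bounce' turns
    False when the server refuses PORT for an address that is not the client's own."""
    send(f"USER {user}")
    send(f"PASS {password}")
    result = {"bounce": True, "open": [], "closed": []}
    for port in ports:
        if not send(f"PORT {port_argument(target_ip, port)}").startswith("200"):
            result["bounce"] = False
            break
        reply = send("LIST")
        (result["open"] if reply.startswith("150") else result["closed"]).append(port)
    send("QUIT")
    return result


if __name__ == "__main__":
    print(port_argument("10.0.0.5", 445), parse_pasv("227 Entering Passive Mode (192,168,1,20,195,89)."))
    print(bounce_scan(FakeFtpServer(True, {22, 445}).send, "10.0.0.5", [22, 80, 445]))
    print(bounce_scan(FakeFtpServer(False, {22}).send, "10.0.0.5", [22]))
```

A modern server answers the first foreign PORT with 500 and the scan stops immediately; that single reply is the ftp-bounce check. Note that a bounce scan makes the FTP server, not your host, the source of the connections the target sees.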
TFTP
 Trivial File Transfer Protocol, FTP's "little brother"
 No authentication
 Clear text
 UDP 69
 Non-interactive
 No browsing the server directory
 You must know the name of the file you want to download / upload
 Typically used to upload/download OS images and config files for networking devices
 You can try downloading a configuration file by its default name:

TFTP.exe <host> GET startup-config

 The service has no way to authenticate connections or enforce authorization, so any file the daemon can read is available to anyone who guesses its name
 Nmap has a script that will try to download files by supplying a list of file names:

nmap -sU -p 69 --script tftp-enum.nse --script-args tftp-enum.filelist=customlist.txt <host>

Making an unauthorized connection to a TFTP server is still unauthorized access!!
NFS
 Network File System, the file sharing system for Linux/Unix
 Clients can "mount" (connect to) an exported directory (share)
 Tools to enumerate NFS include:
 rpcinfo (part of Linux rpcbind)
sudo apt install rpcbind
 rpcscan (written in Python, available on GitHub)
 SuperEnum (written in Python, available on GitHub)
 You can use the NFS client to mount and inspect shares on the network
On the file server:
1. Add a line in the /etc/exports file to allow anyone on the subnet to read/write the share (the weak configuration an attacker hopes to find: a whole subnet is trusted on source address alone):
/home/srvshare 192.168.1.0/24(rw,sync)
2. Export all shares listed in /etc/exports:
exportfs -a
3. Start the NFS server process:
/etc/init.d/nfs-kernel-server start
On the client:
mkdir /home/fromserver
sudo mount -t nfs <server IP>:/home/srvshare /home/fromserver
4.4 WMI ENUMERATION
 Overview
 Namespace
 Querying
 Tools
WMI OVERVIEW
 Windows Management Instrumentation (WMI) is the Microsoft implementation of Web-Based Enterprise Management (WBEM)
 A standard technology for accessing management information in an enterprise environment
 Uses the Common Information Model (CIM) industry standard to represent systems, applications, networks, devices, and other managed components
 Capable of obtaining management data from remote systems
 Uses DCOM to make these connections: TCP 135 (RPC endpoint mapper) to negotiate, then a dynamically assigned high port for the actual traffic, so a firewall that only permits 135 is not enough
WMI NAMESPACE
 WMI organizes its classes in a hierarchical namespace
 Conceptually similar to a folder structure
 root/cimv2 is the default namespace
 It contains 277 classes for computer hardware and configuration, including:
 Win32_BIOS
 Win32_BootConfiguration
 Win32_ComputerSystem
 Win32_ComputerSystemEvent
 Win32_ComputerSystemProcessor
 Win32_CurrentTime
 Win32_DeviceSettings
 Win32_DiskPartition
 Win32_Group
 Win32_GroupUser
 Win32_IP4RouteTable
 Win32_LogicalDisk
 Win32_LogonSession
 Win32_NetworkAdapterConfiguration
 Win32_NetworkClient
 Win32_NetworkConnection
 Win32_NTDomain
 Win32_NTLogEvent
 Win32_OperatingSystem
 Win32_Process
 Win32_Processor
 Win32_Registry
 Win32_ScheduledJob
 Win32_SecurityDescriptor
 Win32_Service
 Win32_Share
 Win32_StartupCommand
 Win32_SystemAccount
 Win32_SystemBIOS
 Win32_SystemUsers
 Win32_UserAccount
 Win32_UserInDomain
QUERYING WMI WITH POWERSHELL
The CIM cmdlets (Get-CimClass, Get-CimInstance) replace the deprecated Get-WmiObject cmdlet. PowerShell is not case sensitive.
 Get-CimClass
 Returns all WMI classes in the current namespace (root/cimv2 by default)
 Get-CimClass -ClassName '*<string>*'
 Returns all classes whose name matches the wildcard
 E.g. Get-CimClass -ClassName '*processor*' lists every class with "processor" in the name
 Get-CimInstance -ClassName <name>
 Returns the instances (the actual data) of a particular class; wildcards are not accepted here
 E.g. Get-CimInstance -ClassName Win32_Processor
 Get-CimInstance <class> | ft
 Output results in table format (ft = Format-Table)
 E.g. Get-CimInstance Win32_Process | ft
 Get-CimInstance <class> | ft -AutoSize
 Output results in table format, automatically resizing columns as needed
 Get-CimInstance <class> | fl
 Output results in list format (fl = Format-List)
 Add -ComputerName <host> to either cmdlet to query a remote system
 WMI Query Language
 A subset of ANSI SQL
 Basic syntax:
 Select <property> from <WMI-class>

 Examples:
 Select * from Win32_Bios
 Select Name from Win32_Bios
 Select name, version from Win32_Bios

 Can be used in PowerShell, other scripts, and custom apps


 Sometimes has better performance than equivalent PowerShell cmdlets
 Queries might also be more complex than the equivalent cmdlet
WMI TOOLS
Enumeration:
 Solarwinds Free WMI Monitor
 WMI Explorer (CodePlex)
 WMI Explorer (Marc van Orsouw)
 Hyena
 PowerShell
Exploit (GitHub):
 WmiSploit
 SharpStrike
 WMEye
 Power
Exploit (Metasploit):
 exploit/windows/local/wmi
 auxiliary/scanner/smb/impacket/wmiexec
 exploit/windows/local/wmi_persistence
4.5 SNMP ENUMERATION
 SNMP
 OIDs
 MIB
 Tools
SNMP
 Simple Network Management Protocol, used to centrally monitor devices on a network
 An SNMP manager polls agents for information
 Polling is done round-robin style, on a regular interval (every few minutes)
 Manager is software on a server or workstation
 Agent is small software installed on or built into a device OS
 The manager uses a Management Information Base (MIB) to know what types of information an agent can provide
 A MIB is a set of counters (Object IDs) relevant to the device
 SNMP has several versions that are still in use
 v1, v2 and v2c all communicate in clear text
 v3 adds user-based authentication and optional encryption; only its "priv" modes (authPriv) encrypt the payload
 Not all devices support v3
 Both the manager and agent are configured with a simple authentication mechanism called the "community string"
 Simple text string, sent in clear text in every v1/v2c packet
 An agent will only respond to a manager that presents the same community string
 There are two conventional default community strings:
 "public" - for read-only queries
 "private" - for read/write communications
 Many administrators do not change the default community strings
 SNMP Ports:
 UDP 161 - Manager queries and agent replies
 UDP 162 - Agents "raise traps" (send pre-configured alerts) to the manager
SNMP COMPONENTS
 Managed Device
 Router, switch, hub, firewall, computer, server service (DHCP, DNS, etc.), printer, IoT device
 Agent
 Software installed on the managed device
 Responds to the NMS
 Network Management System (NMS)
 Typically software installed on a dedicated computer
OBJECT IDENTIFIER (OID)
 Represents a single "question" an SNMP manager can ask an agent
 Identifies a very specific, unique counter on a device
 Has a corresponding name and data type
 When queried by the manager, the agent returns a value
MANAGEMENT INFORMATION BASE (MIB)
 A collection of OIDs stored in a text file
 A set of questions that an SNMP manager can ask a device regarding its status
 Standardized vendor-neutral MIBs define functionality common to all devices of the same type
 The manufacturer creates additional MIBs specific to their products
 An agent might use multiple MIBs to monitor one device
 Most SNMP managers have MIBs already installed
 Vendor-neutral MIBs
 Vendor-specific MIBs for popular products
 All OIDs, regardless of manufacturer, are part of a global hierarchy (a dotted tree; Internet objects sit under .1.3.6.1)
 Each OID is unique
 The SNMP manager must know what MIBs the agent is using, or at least know a starting OID to query
 The manager can then repeatedly issue a "get-next" command
 The agent will provide information about successive OIDs
 The manager does not need to know the OIDs for every single counter on the device
SNMP ENUMERATION
 SNMP is a good target for enumeration
 Often the defaults are not changed:
 Community strings
 Encryption levels (v1/v2c left enabled instead of v3)
 Most versions use clear-text communications
 The built-in Windows SNMP service supports only v1 and v2c, not the encrypted v3
 You might be able to sniff community strings and manager-agent communications
 Many SNMP management tools include a feature to discover all the MIBs installed on the agents
 You can also "walk" the MIB
 Start at a single common OID
 Repeatedly ask the device to "get-next" until it runs out of OIDs to report on
 What you can enumerate via SNMP:
 Network devices
 Hosts
 Users and groups
 Services
 Installed software
 Network shares
 Device configurations
 IP and MAC addresses
 ARP tables
 Routing tables
 VLANs
 Port and interface status
 Network traffic
 and much, much more
SNMP ENUMERATION TOOLS
 Solar Winds Engineer's Toolset
 Nmap NSE scripts (there are 12 for snmp)
 Metasploit snmp auxiliary modules
 Snmpwalk
 Snmpget
 Net-SNMP
 NSauditor Network Security Auditor
 Spiceworks
 Observium
 OpUtils
 OIDVIEW SNMP MIB Browser
 iReasoning MIB Browser
 SNScan
 SoftPerfect Network Scanner
 SNMP Informant
 SNMP Scanner
 Getif
SNMPGET AND SNMPWALK
snmpget and snmpwalk have the same syntax. Both are part of Net-SNMP, which runs on Windows and Linux.
 snmpget
 Query a single OID
 snmpwalk
 Query an entire MIB subtree starting from a particular OID (repeated get-next)

snmpget [options] -v <version> -c <community string> <host name/address> <OID>

$ snmpget -v 2c -c public 127.0.0.1 .1.3.6.1.2.1.1.5.0
SNMPv2-MIB::sysName.0 = STRING: centos7

$ snmpget -v 2c -c public 127.0.0.1 sysName.0
SNMPv2-MIB::sysName.0 = STRING: centos7

(the symbolic name sysName.0 only resolves when the SNMPv2-MIB file is installed on the client; the numeric OID always works)
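What snmpget actually puts on the wire, as an added Python example (not Net-SNMP code and not from the module): a minimal BER encoder/decoder for SNMPv2c GetRequest and GetResponse messages. It makes the clear-text community string and the OID concrete, and parse_message() decodes any captured v1/v2c datagram, which is exactly what a sniffer on the segment can do. The response for sysName.0 = centos7 is constructed in code to mirror the output above, not captured from an agent; the request id 0x1234 is arbitrary.

```python
"""Minimal SNMPv2c GetRequest/GetResponse encoder and decoder (BER).

Added example, not from the module and not Net-SNMP code. Everything a sniffer
sees is visible here: the version, the community string in clear text, and the
OID. The response below is constructed in code, not captured from an agent.
"""


def ber_len(n):
    """BER length: short form below 128, otherwise 0x8N followed by N length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + ber_len(len(body)) + body


def encode_int(value):
    """INTEGER (tag 0x02), minimal two's-complement encoding."""
    size = (value.bit_length() + 8) // 8 if value else 1
    return tlv(0x02, value.to_bytes(size, "big", signed=True))


def encode_oid(oid):
    """OBJECT IDENTIFIER (tag 0x06): first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return tlv(0x06, bytes(body))


def build_get(community, oid, request_id, pdu_tag=0xA0, value=None):
    """GetRequest (0xA0) by default; pdu_tag=0xA2 with a value builds a GetResponse."""
    varbind = tlv(0x30, encode_oid(oid) + (tlv(0x05, b"") if value is None else value))
    pdu = tlv(pdu_tag, encode_int(request_id) + encode_int(0) + encode_int(0) + tlv(0x30, varbind))
    return tlv(0x30, encode_int(1) + tlv(0x04, community.encode("latin-1")) + pdu)  # 1 = v2c


def read_tlv(data, off):
    tag, ln, off = data[off], data[off + 1], off + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, off = int.from_bytes(data[off:off + n], "big"), off + n
    return tag, data[off:off + ln], off + ln


def decode_oid(body):
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def decode_value(tag, body):
    if tag in (0x02, 0x41, 0x42, 0x43):            # INTEGER, Counter32, Gauge32, TimeTicks
        return int.from_bytes(body, "big", signed=(tag == 0x02))
    if tag == 0x04:                                # OCTET STRING (sysName, sysDescr, ...)
        return body.decode("latin-1")
    if tag == 0x06:
        return decode_oid(body)
    return {0x05: None, 0x80: "noSuchObject", 0x81: "noSuchInstance",
            0x82: "endOfMibView"}.get(tag, body.hex())


PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse"}


def parse_message(data):
    """Decode a v1/v2c message; works for requests and responses alike."""
    _, msg, _ = read_tlv(data, 0)
    _, ver, off = read_tlv(msg, 0)
    _, community, off = read_tlv(msg, off)
    pdu_tag, pdu, _ = read_tlv(msg, off)
    _, rid, off = read_tlv(pdu, 0)
    _, err, off = read_tlv(pdu, off)
    _, _idx, off = read_tlv(pdu, off)
    _, vblist, _ = read_tlv(pdu, off)
    varbinds, off = [], 0
    while off < len(vblist):
        _, vb, off = read_tlv(vblist, off)
        _, oid_body, voff = read_tlv(vb, 0)
        vtag, vbody, _ = read_tlv(vb, voff)
        varbinds.append((decode_oid(oid_body), decode_value(vtag, vbody)))
    return {"version": {0: "v1", 1: "v2c"}.get(int.from_bytes(ver, "big", signed=True)),
            "community": community.decode("latin-1"),
            "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag)),
            "request_id": int.from_bytes(rid, "big", signed=True),
            "error_status": int.from_bytes(err, "big", signed=True),
            "varbinds": varbinds}


SYSNAME = "1.3.6.1.2.1.1.5.0"
# Constructed exchange: what 'snmpget -v 2c -c public <host> sysName.0' sends, and
# the reply an agent named centos7 would return. Not captured traffic.
SAMPLE_REQUEST = build_get("public", SYSNAME, 0x1234)
SAMPLE_RESPONSE = build_get("public", SYSNAME, 0x1234, pdu_tag=0xA2, value=tlv(0x04, b"centos7"))

if __name__ == "__main__":
    print(SAMPLE_REQUEST.hex())
    for pkt in (SAMPLE_REQUEST, SAMPLE_RESPONSE):
        print(parse_message(pkt))
```

Sending SAMPLE_REQUEST to UDP 161 of a host with a UDP socket and passing the reply to parse_message() is a complete snmpget; swapping the PDU tag to 0xA1 (GetNextRequest) and feeding each answered OID back in is the loop snmpwalk runs. The community string sits in the message as a plain OCTET STRING, which is the whole reason v1/v2c traffic is worth sniffing.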
4.6 LDAP ENUMERATION
 LDAP
 X.500
 Tools
LDAP
 Lightweight Directory Access Protocol: the search and edit protocol for X.500-style directory service databases
 TCP 389
 Secure LDAP (LDAPS) TCP 636
 Clear text by default (or StartTLS negotiated on 389)
 Can be used to obtain a list of every object in the directory service database including:
 User, Group, and Computer accounts
 User department and contact information
 Group membership
 Network resource information
 Anonymous binds usually expose at least the RootDSE (naming contexts, domain and forest names, supported mechanisms); Active Directory requires an authenticated bind for most other queries
 Directory Service Examples:
 Microsoft Active Directory Domain Services
 Novell eDirectory
 Open Software Foundation DCE Directory
LDAP ENUMERATION TOOLS
 Active Directory Users and Computers
 Softerra LDAP Administrator
 LDP.exe
 Metasploit auxiliary module ldap_hashdump
 Nmap NSE scripts for ldap (ldap-rootdse, ldap-search, ldap-brute)
 JXplorer (available on www.jxplorer.org)
 Responder (available on GitHub)
 Responder is an LLMNR/NBT-NS/mDNS poisoner with rogue authentication servers (LDAP among them); it captures credentials from clients on the local segment rather than querying a directory server, so it takes no target IP
 This example runs it on interface eth0 with verbose output (-I takes the interface name; the LM hashing downgrade for legacy clients is a separate option, --lm):
./Responder.py -I eth0 -rPv
4.7 DNS ENUMERATION
 DNS
 Tools
 NSLookup
 DIG
DNS
 Query a DNS server for its records:
 A, AAAA
 NS
 MX
 CNAME
 PTR
 SOA
 TXT
 Obtain individual records or "zone transfer" the entire database file
 Exploit a DNS server that permits AXFR (full zone transfer) to anyone
 Some DNS servers will transfer their entire zone to any requestor without requiring authentication or restricting the source address
 This saves the attacker time
 Without a zone transfer you can still request each record type for names you know, but you only learn the names you can guess or brute force
 Dig
 Fierce
 Nslookup
 Host
 dnsrecon.py
 dnsenum.pl
 Metasploit auxiliary module dns_enum
 Nmap NSE script dns-brute
 SecurityTrails advanced DNS enumeration
 nslist.net
 iplist.net
NSLOOKUP
 Tool for querying DNS, included with Windows (it originated in BIND)
 nslookup [-option] [name | -] [server]
 You can also install it on Linux:
 sudo apt install dnsutils
 sudo dnf install bind-utils
 nslookup reverse-resolves the address of the DNS server it uses in order to print the server's name; without a PTR record (reverse lookup zone) older versions fail to start and current versions print a warning and continue

nslookup example.com
nslookup -type=ns example.com
nslookup -type=soa example.com
nslookup -query=mx example.com
nslookup -type=any example.com
nslookup example.com ns1.nsexample.com
nslookup 10.20.30.40
nslookup -type=ptr 96.96.136.185.in-addr.arpa
DIG
 *Nix tool for querying DNS (part of the BIND utilities)
 You can also install it (slightly older version) on Windows
 Syntax:

dig Hostname
dig DomainNameHere
dig @DNS-server-name Hostname
dig @DNS-server-name -x IPAddress
dig @DNS-server-name Hostname|IPAddress type

dig www.example.com A
dig -x 74.125.236.167
dig +short example.com MX
dig +short example.com TXT
dig +short example.com NS
dig example.com ANY

 -x is required for a reverse (PTR) lookup; without it dig treats the address as a hostname
 Many resolvers now answer ANY with a minimal response (RFC 8482), so query the record types individually when ANY returns little
ZONE TRANSFER
 Try a zone transfer by guessing the domain that the server is authoritative for:

dig axfr @<DNS_IP> <DOMAIN>

 Try to perform a zone transfer against every authoritative name server (dig <DOMAIN> NS lists them); a single misconfigured secondary is enough
 If it doesn't work, launch a dictionary attack:

fierce --domain <DOMAIN> --dns-servers <DNS_IP>

 Exhibit (described in the original): the hacker used dig to successfully transfer the zone with AXFR domain.com and enumerate the hosts
4.8 SMTP ENUMERATION
 Email
 SMTP
 Tools

HOW EMAIL IS DELIVERED (diagram in the original)
1. The acme.com client uses SMTP to send an email message to the email server for acme.com
2. The local email server performs a DNS lookup to find the MX record and the IP address (A/AAAA record) of the email server for example.com
3. The acme.com email server uses SMTP across the Internet to deliver the message to the example.com email server
4. The example.com email server puts the message into the example.com client's mailbox (mailbox database)
5. The example.com client later retrieves the message using POP3, IMAP4, HTTP, or even RPC
SMTP
 Simple Mail Transfer Protocol (SMTP) has three commands that are useful for enumeration
 VRFY - asks the server to confirm that a mailbox / user exists
 EXPN - requests the expansion of a mailing list into its individual recipients
 RCPT TO - specifies the actual recipient(s) of a message; the server's reply reveals whether the recipient exists even when VRFY and EXPN are disabled
 As an attacker, you can use the SMTP commands manually to enumerate valid email addresses
SMTP ENUMERATION TOOLS
 telnet
 netcat
 NetScanTool Pro
 smtp-user-enum
 smtp_user_enum.py
 Kali iSMTP
 Metasploit auxiliary module smtp_enum
 nmap NSE script smtp-enum-users

telnet <email server> 25
vrfy <username>

If you receive reply code 250 or 251:
 The server has accepted the request and the user account is valid
If you receive reply code 252:
 The server will not confirm the user but would accept mail for it; the result is inconclusive, so fall back to RCPT TO
If you receive reply code 550:
 The user account is invalid
If you receive reply code 500 or 502:
 VRFY is disabled or not implemented; use RCPT TO instead
telnet mail.example.com 25
ehlo example.com
mail from: <sender address>
rcpt to: <first recipient address>
rcpt to: <second recipient address>
data
Subject: My Telnet Test Email

Hello,
This is an email sent by using the telnet command.
Your friend,
Me
.
quit

 Lines up to and including "data" are sent interactively, one line at a time; each recipient needs its own rcpt to line
 After "data", the message body is sent all at once; a line containing only "." (press <Enter>.<Enter>) finishes it
 "quit" ends the session


METASPLOIT SMTP_ENUM
1. In Kali Linux, create a list of possible usernames and save it to your Desktop as user.txt
2. Open Metasploit Framework
3. In the Metasploit console enter these commands:

use auxiliary/scanner/smtp/smtp_enum
set RHOSTS <email server IP>
set RPORT 25
set USER_FILE /root/Desktop/user.txt
exploit

SMTP-USER-ENUM
Verify that moo@example.com is a valid email address:

smtp-user-enum -M VRFY -D example.com -u moo -t <email server IP>

 Supply a list of usernames with -U <file> instead of -u to check many at once; -M RCPT switches to the RCPT TO method when VRFY is disabled
ISMTP
 Verify that the email addresses supplied in the email.txt list actually exist:

ismtp -h <email-server-IP>:25 -e /root/Desktop/email.txt
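The VRFY / EXPN / RCPT TO logic that the tools above automate, as an added Python example (not code from the module, from smtp-user-enum or from the Metasploit module). It drives the commands through a transport callable (send one line, get the reply) and classifies replies as the text describes: 250/251 valid, 252 "will not verify" (fall back to RCPT TO), 550 unknown user, 500/502 command disabled. FakeSmtpServer, its users, the list "staff" and the addresses under example.com are constructed for the example; socket_transport() is the same client logic over TCP for real use against a host you are authorized to test.

```python
"""SMTP user enumeration with VRFY, EXPN and RCPT TO.

Added example, not from the module and not the code of smtp-user-enum or the
Metasploit module. A constructed in-memory server stands in for a live mail
host; socket_transport() is the same client logic over TCP. Addresses,
users and list names are illustrative.
"""
import re
import socket


class FakeSmtpServer:
    """Constructed stand-in for a mail server, not a real SMTP implementation."""
    def __init__(self, users, lists, vrfy_enabled=True):
        self.users, self.lists, self.vrfy_enabled = set(users), lists, vrfy_enabled
        self.mail_from_seen = False

    @staticmethod
    def _local(arg):
        return re.sub(r"[<>\s]", "", arg).split("@")[0]

    def transport(self, line):
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return "250 mail.example.com Hello"
        if verb == "VRFY":
            if not self.vrfy_enabled:
                return "252 2.5.2 Cannot VRFY user, but will accept message and attempt delivery"
            return (f"250 <{self._local(arg)}@example.com>" if self._local(arg) in self.users
                    else "550 5.1.1 User unknown")
        if verb == "EXPN":
            members = self.lists.get(self._local(arg))
            return (("250 " + ", ".join(f"<{m}@example.com>" for m in members)) if members
                    else "550 5.1.1 List unknown")
        if verb == "MAIL":
            self.mail_from_seen = True
            return "250 2.1.0 Ok"
        if verb == "RCPT":
            if not self.mail_from_seen:
                return "503 5.5.1 Error: need MAIL command"
            return ("250 2.1.5 Ok" if self._local(arg.split(":", 1)[-1]) in self.users
                    else "550 5.1.1 Recipient address rejected: User unknown")
        if verb == "RSET":
            self.mail_from_seen = False
            return "250 2.0.0 Ok"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "500 5.5.2 Error: command not recognized"


def classify(reply):
    """Map an SMTP reply code to an enumeration verdict."""
    code = int(reply[:3])
    return {250: "valid", 251: "valid", 252: "unverified", 550: "invalid",
            500: "unsupported", 502: "unsupported"}.get(code, "other")


def enumerate_users(transport, domain, candidates, probe_host="probe.example.net"):
    """Try VRFY first; if the server refuses to verify, switch to MAIL FROM / RCPT TO."""
    transport(f"EHLO {probe_host}")
    method, results = "VRFY", {}
    for user in candidates:
        if method == "VRFY":
            verdict = classify(transport(f"VRFY {user}"))
            if verdict not in ("unverified", "unsupported"):
                results[user] = verdict
                continue
            method = "RCPT"                       # downgrade once, then stay on RCPT TO
        transport(f"MAIL FROM:<probe@{probe_host}>")
        results[user] = classify(transport(f"RCPT TO:<{user}@{domain}>"))
        transport("RSET")                         # clear the envelope before the next probe
    transport("QUIT")
    return {"method": method, "results": results}


def expand_list(transport, name):
    """EXPN a mailing list and return its member addresses (empty if refused)."""
    reply = transport(f"EXPN {name}")
    return re.findall(r"[\w.+-]+@[\w.-]+", reply) if classify(reply) == "valid" else []


def socket_transport(host, port=25, timeout=10.0):
    """Real transport over TCP; returns the whole (possibly multi-line) reply."""
    conn = socket.create_connection((host, port), timeout=timeout)
    f = conn.makefile("rw", encoding="latin-1", newline="")

    def read_reply():
        lines = []
        while True:
            line = f.readline()
            lines.append(line.rstrip("\r\n"))
            if not line or line[3:4] != "-":      # "250-..." continues, "250 ..." ends
                return "\n".join(lines)

    read_reply()                                  # consume the 220 banner

    def send(line):
        f.write(line + "\r\n")
        f.flush()
        return read_reply()
    return send


# Constructed targets: one host that answers VRFY, one that only allows RCPT TO probing.
VRFY_HOST = FakeSmtpServer(users={"moo", "root", "postmaster"}, lists={"staff": ["moo", "root"]})
RCPT_ONLY_HOST = FakeSmtpServer(users={"moo", "root"}, lists={}, vrfy_enabled=False)

if __name__ == "__main__":
    print(enumerate_users(VRFY_HOST.transport, "example.com", ["moo", "bob", "root"]))
    print(expand_list(VRFY_HOST.transport, "staff"))
    print(enumerate_users(RCPT_ONLY_HOST.transport, "example.com", ["moo", "bob"]))
```

The RCPT TO fallback never sends DATA, so no mail is generated, but each probe is logged as a rejected recipient on the server; rate-limit it on a real engagement. A 252 reply is deliberately treated as inconclusive rather than valid, which is the mistake that inflates results when VRFY has been neutered.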
4.9 REMOTE CONNECTION ENUMERATION
 Telnet
 SSH
 RPC
TELNET
 TCP 23
 Clear text; used to obtain a command prompt on the remote host
 Can also be used to banner grab any text-based service:
telnet <target> <port>
 nmap has several telnet enumeration scripts
 Run all nmap telnet scripts that are marked safe against a target:
nmap -n -sV -Pn --script "*telnet* and safe" -p 23 <target>
 Brute force passwords via telnet (noisy; deliberately not in the "safe" category):
nmap --script telnet-brute -p 23 <target>
SSH
 TCP 22
 Secure replacement for telnet
 Client and server run a key exchange (e.g. Diffie-Hellman) to derive a session key; the server's host key signs that exchange so the client can authenticate the server
 Includes Secure FTP (SFTP) and Secure Copy (SCP)
 Login syntax = ssh <username>@<hostname>
 The version banner (a line of the form SSH-2.0-<software>) is sent in clear text before the key exchange, which is what nmap -sV reads
 Some SSH implementations have default usernames and passwords
 Example: the SSH service on a jailbroken iPhone uses root / alpine
 Nmap, Metasploit and Searchsploit have various tools for SSH enumeration and exploitation
SSH ENUMERATION STEPS
1. Use nmap to determine if a host is running an SSH service
2. Use nmap to query the version of SSH
3. Use a Metasploit module to enumerate SSH users
4. Check Kali's searchsploit to see if an enumeration (or other) exploit exists for that SSH version
5. Search for nmap scripts related to SSH enumeration

Use nmap to determine if a host is running an SSH service:
nmap <target>

Run default nmap scripts and version detection to identify the SSH version:
nmap -sC -sV <IP>

Use nmap scripts to enumerate users, brute force logins, obtain keys, etc.:
ls /usr/share/nmap/scripts/ | grep ssh

Use Metasploit modules to enumerate SSH users or login information:
search ssh_enumusers
search ssh_login

Use Kali's searchsploit to search for version-specific exploits:
searchsploit openssh
RPC
 MSRPC: TCP 135 is the endpoint mapper that Windows processes use to locate RPC services and make requests of each other over the network (the same services are also reachable through SMB named pipes on TCP 445)
 rpcinfo
 Queries the SunRPC portmapper (rpcbind, TCP/UDP 111) on Unix/Linux hosts and lists the registered RPC programs (NFS, mountd, etc.); it does not speak MSRPC
 rpcclient
 Enumerate and manage domain and SAM users and SIDs, groups, shares, domain info, privileges and more
 Will attempt to connect via a null session when given -U ""
 If this is unsuccessful a username and password must be supplied
 Nmap script msrpc-enum
 Queries an MSRPC endpoint mapper for a list of mapped services
 Displays the gathered information
RPCCLIENT COMMANDS

Command              Interface   Description
queryuser            SAMR        Retrieve user information.
querygroup           SAMR        Retrieve group information.
querydominfo         SAMR        Retrieve domain information.
enumdomusers         SAMR        Enumerate domain users.
enumdomgroups        SAMR        Enumerate domain groups.
createdomuser        SAMR        Create a domain user.
deletedomuser        SAMR        Delete a domain user.
lookupnames          LSARPC      Look up usernames to SID values.
lookupsids           LSARPC      Look up SIDs to usernames (RID cycling).
lsaaddacctrights     LSARPC      Add rights to a user account.
lsaremoveacctrights  LSARPC      Remove rights from a user account.
dsroledominfo        LSARPC-DS   Get primary domain information.
dsenumdomtrusts      LSARPC-DS   Enumerate trusted domains within an AD forest.

SAMR = Security Account Manager (SAM) Remote Protocol
LSARPC = Local Security Authority (Domain Policy) Remote Protocol
rpcclient -U "" -N 192.168.1.20

srvinfo
lookupnames administrator
lookupsids <SID>
enumdomusers

 RID cycling: lookupnames returns the domain SID; append RIDs to it (500 = Administrator, 501 = Guest, 1000 and up = created accounts) and resolve them with lookupsids to enumerate accounts even when enumdomusers is denied
4.10 WEBSITE ENUMERATION
 Overview
 Methods
 Tools
WHAT WEBSITE ENUMERATION CAN REVEAL
 Usernames and passwords
 Email addresses and contact information
 Domain names, host names and IP addresses
 Links and URLs
 Technologies used by the organization
 Employee, customer and other confidential information
 Internal resources
 Potential vectors for attack
METHODS
 The simplest way to start website enumeration
 View the HTML source of a web page (comments, hidden fields, script and path names)
 Attempt to open a browser to popular directory names
 Note the HTTP response code:
 404 = "Not Found"
 403 = "Forbidden" (exists, but you may not list or read it)
 402 = "Payment Required"
 401 = "Unauthorized" (must authenticate first)
 200 = "OK"
 Directories that don't return a 404 probably exist
 Caveat: some servers answer every path with 200 or a redirect (custom "not found" pages); request a deliberately bogus path first and compare response sizes before trusting the code

 http://www.example.tld/admin (401)
 http://www.example.tld/content (402)
 http://www.example.tld/cgi-bin (403)
 http://www.example.tld/test (404)
 http://www.example.tld/logs (200)
BANNER GRABBING A WEB SERVER
Using Telnet
telnet 192.168.10.100 8000
After making the connection, type a request (e.g. HEAD / HTTP/1.0 followed by an empty line) to read the Server header; press Ctrl+] to break, then enter quit

Using Netcat
echo -en "GET / HTTP/1.0\r\n\r\n" | nc www.comptia.org 80 | grep Server
 Some websites are deliberately configured to use non-standard ports
 nmap -sV can detect this

nmap -Pn -sT -sV -p0-65535 <target>

 nmap --script=http-enum <target>
 nmap --script=http-drupal-enum <target>
 nmap --script=http-php-version <target>
 nmap --script=http-webdav-scan <target>
 nmap --script=http-wordpress-enum <target>
Metasploit has 281 web scanning modules including:
 auxiliary/scanner/http/apache_userdir_enum
 auxiliary/scanner/http/tomcat_enum
 auxiliary/scanner/http/chromecast_webserver
 auxiliary/scanner/http/brute_dirs
 auxiliary/scanner/http/dir_listing
 auxiliary/scanner/http/dir_scanner
 auxiliary/scanner/http/http_version
 auxiliary/scanner/http/wordpress_login_enum
WEBSITE ENUMERATION TOOLS
 Enumeration Techniques:
 Google Dorks
 Word lists
 Brute Forcing
 Third party services
 SSL Certificates
 DNS Zone Transfer
 Web Technologies Used:
 Whatweb
 Wappalyzer
 Netcraft
 IDServe
 Subdomain Enumeration:
 Wfuzz
 WPScan
 Amass
 Assetfinder
 SubBrute
 SubExtractor
 Subfinder
 Sublist3r
 PureDns
 Hidden Objects Enumeration:
 DirBuster
 Dirb
 dirsearch.py
 GoBuster
 Ffuf
 feroxbuster
4.11 OTHER ENUMERATION TYPES
 NTP
 VoIP
 IPSEC
 IPv6
 BGP
NTP
 Network Time Protocol (NTP) is used to synchronize the clocks of network devices
 UDP 123
 Can maintain time to within 10 milliseconds over the public Internet
 Attackers query NTP for
 List of hosts connected to the NTP server
 Clients' IP addresses, system names, and operating systems
 Internal IP addresses can be acquired if the NTP server is in the DMZ

Active Directory clients use the Windows Time service (W32Time), Microsoft's NTP implementation, to synchronize their clocks to the domain.
The Active Directory PDC Emulator domain controller is the time source for the domain.
It can synchronize to other sources via NTP.

NTP ENUMERATION TOOLS
 Ntpdate
 Query a time server
ntpdate -q pool.ntp.org
 Ntptrace
 Traces a chain of NTP servers back to the primary source
ntptrace
 Ntpdc
 Monitors operation of the NTP server
 This example requests the last 600 clients that connected to the NTP time server:
ntpdc -n -c monlist <IP or hostname of time server>
 monlist has been disabled by default since ntpd 4.2.7p26 (it was the amplifier behind the 2013-2014 NTP DDoS attacks); a timeout usually means the server is patched, not down
 NTP Time Server Monitor
 NTP Server Scanner
 Nmap (ntp-info and ntp-monlist scripts)
 Wireshark
 AtomSync
 NTPQuery
 PresenTense NTP Auditor
 PresenTense Time Server
 PresenTense Time Client
 LAN Time Analyser
VOIP
 VoIP uses SIP (Session Initiation Protocol) to manage voice and video calls over IP
 UDP/TCP 5060 - clear text
 TCP 5061 - SIP-TLS (encrypts the signalling only; the media stream needs SRTP to be protected)
 The media (audio/video) is carried by:
 Real-time Transport Protocol (RTP), default UDP 5004 (in practice a negotiated even port in a high range)
 and Real-time Transport Control Protocol (RTCP), default UDP 5005 (the RTP port + 1)
 VoIP enumeration provides sensitive information such as:
 VoIP gateway (connects the SIP system to the PSTN)
 IP-PBX systems (route calls inside the VoIP network)
 client software
 user phone extensions
 This information can be used to launch various VoIP attacks such as:
 DoS, session hijacking, caller ID spoofing, eavesdropping, spam over Internet telephony (SPIT), VoIP phishing (vishing), etc.
Discover target VoIP information through:
 Google search and Shodan for public information
 Nmap and Sipvicious to map the internal VoIP network
 Wireshark to identify SIP users
 Job sites that list knowledge of a specific VoIP system as a skills requirement

Search for the following information:


 The public IP of the server
 The VoIP network / infrastructure
 Devices connected to the VoIP network, their open ports, and running services
 Users information (extension, the device information, and logs)
 Information about the VoIP server (model, vendor, OS, ports, etc.)
Google Dork                                                   Description
inurl:/voice/advanced/ intitle:Linksys SPA configuration      Finds the Linksys VoIP router configuration page
inurl:"NetworkConfiguration" cisco                            Finds Cisco phone details
inurl:"ccmuser/logon.asp"                                     Finds Cisco CallManager
intitle:asterisk.management.portal web-access                 Finds the Asterisk web management portal
inurl:8080 intitle:"login" intext:"UserLogin" "English"       VoIP login portals
intitle:"SPA Configuration"                                   Searches for Linksys phones

Note: Asterisk is a popular open source IP PBX


SIPVICIOUS
 A SIP auditing tool suite (svmap, svwar, svcrack) used to scan for and enumerate SIP devices and accounts
 Sends SIP OPTIONS (or INVITE / REGISTER) requests looking for responses from live hosts
 Logs the results to a file
 Attacks include:
 SIP flood, RTP flood, SIP enumeration, Digest leak, RTP Bleed and RTP inject, fuzzing

root@kali:~# svmap 192.168.1.0/24 -v
INFO:ImaFly:trying to get self ip .. might take a while
INFO:root:start your engines
INFO:ImaFly:Looks like we received a SIP request from 192.168.1.20:5060
INFO:ImaFly:Looks like we received a SIP request from 192.168.1.21:5060
INFO:ImaFly:Looks like we received a SIP request from 192.168.1.22:5060
IPSEC
 IPsec VPN traffic is integrity-protected (HMAC) and optionally encrypted using DES, 3DES or AES
 You can use nmap or other scanners to identify IPsec VPN servers (UDP 500 for IKE, UDP 4500 for NAT-T, IP protocol 50 for ESP)
 Internet Key Exchange (IKE) is the handshake protocol used at the start of an IPsec session
 You can also use ike-scan and psk-crack to try to capture and crack an IKE pre-shared key hash
IKE-SCAN
 A command-line tool that uses the IKE protocol to discover, fingerprint and test IPsec VPN servers
 Can do two things:
 Determine which hosts are running IKE
 This is done by displaying those hosts which respond to the IKE requests sent by ike-scan.
 Determine which IKE implementation the hosts are using
 Done by recording the times of the IKE response packets from the target hosts and comparing the observed retransmission backoff pattern against known patterns.
 Can identify VPNs from manufacturers including Checkpoint, Cisco, Microsoft, Nortel, and Watchguard
PSK-CRACK
 Attempts to crack IKE Aggressive Mode pre-shared keys
 Keys must have been previously gathered using ike-scan with the --pskcrack option (Aggressive Mode sends the PSK-derived hash unencrypted; Main Mode does not, so it is not exposed this way)
 Can work in dictionary or brute-force mode


IPV6
 You can identify IPv6 servers through DNS grinding
 DNS grinding is a dictionary attack using a list of possible host names
 Uses AAAA requests (and A requests as well when -4 is given)
 Grinding tools include:
 dnsdict6
 dnsrevenum6
 These are part of the thc-ipv6 tool suite
sudo apt install thc-ipv6

# dnsdict6 -4 -t 16 example.com
Starting enumerating example.com. - creating 16 threads for 798 words...
Estimated time to completion: 1 to 1 minute
Detected openDNS, this might increase performance
Warning: wildcard domain configured
*.example.com. -> 2606:2800:220:1:248:1893:25c8:1946
Warning: wildcard domain configured (2nd test)
www.example.com. -> 2606:2800:220:1:248:1893:25c8:2033
www.example.com. -> 93.184.216.34

Found 1 domain name, 1 unique ipv4 and 2 unique ipv6 addresses for example.com.

 The wildcard warning matters: when *.example.com resolves, every guessed name appears to "exist", so results must be filtered against the wildcard address
BGP
 Border Gateway Protocol (BGP) is the routing protocol used on the Internet
 ISPs use BGP to choose Internet routes
 BGP has slow convergence
 An entire Autonomous System (AS) is treated as a "hop"
 Traffic between Internet-based networks is controlled by using BGP and autonomous system (AS) numbers
 Organizations use BGP
 IANA assigns AS numbers to RIRs
 RIRs allocate numbers to ISPs and large organizations so that they can manage their IP router networks and upstream connections.
 You can use whois and the Hurricane Electric BGP Toolkit (bgp.he.net) to enumerate:
 An organization's AS numbers and IP addresses (referred to as "prefixes")
 Knowing IP addresses gives you targets to scan
 A whois query reveals netblocks and AS numbers for the company Nintendo:

whois -a "nintendo*"

Nintendo Of America inc. NINTENDO-COM (NET-205-166-76-0-1)
205.166.76.0 - 205.166.76.255
NINTENDO HEADQUARTERS 1 NINTENDOHEADQUARTERS1 (NET-70-89-123-72-1)
70.89.123.72 - 70.89.123.79
Nintendo Of America inc. (AS11278) NINTENDO 11278


4.12 ENUMERATION COUNTERMEASURES AND REVIEW
 Countermeasures
 Review
COUNTERMEASURES
 When possible, use protocols that are encrypted rather than clear text (SSH instead of Telnet, SNMPv3, LDAPS, SFTP)
 Disable NetBIOS over TCP/IP and SMBv1 where they are not needed, and keep anonymous (null session) enumeration restricted
 Change the SNMP community strings (and restrict which managers may query the agent)
 Disallow DNS zone transfers to unknown servers
 Maintain separate DNS servers for internal and public records (split DNS)
 Consider disabling the VRFY and EXPN commands on your email server
 Use file system and share permissions to restrict access to sensitive content
 Perform your own enumeration to see what types of information an attacker can obtain
 Remediate when possible
REVIEW
 Enumeration is the systematic process of querying a target's servers and services for information
 Enumeration should appear to the server as a normal client making legitimate information requests
 You can enumerate information about the OS, its services, users and groups, network information, machine names, configuration settings, installed apps and service banners
 Many network protocols can be used for enumeration including:
 NetBIOS/SMB, FTP/TFTP, NFS
 SNMP
 Telnet, SSH, RPC
 SMTP
 HTTP, DNS
 LDAP, SQL, NTP
 IPSEC, IPv6, SIP, BGP and others
