Chapter 4 - Enumeration

The document discusses enumeration as a critical phase in penetration testing, focusing on techniques to extract detailed information from target systems, such as user names, network resources, and routing information. It outlines various enumeration methods, including using email IDs, default passwords, SNMP, and DNS zone transfers, along with tools like Nmap and SuperScan. Additionally, it emphasizes the importance of implementing countermeasures to mitigate the risks associated with enumeration.

27/03/2021

Enumeration
LECTURER: NGUYỄN THỊ THANH VÂN – FIT - HCMUTE

Contents

- Enumeration Concepts
- Techniques for Enumeration


Steps of Hacking


Enumeration Concepts

- Enumeration is the third phase of a penetration test.
- The ultimate purpose of enumeration is to get even more information about the target system, such as routing tables, users or groups, etc.
- Enumeration is defined as the process of extracting user names, machine names, network resources, shares and services from a system.
- In the Enumeration phase:
  - An attacker initiates active connections with the target system.
  - Direct queries are generated to gain more information. This information helps to identify the system's attack points.
  - Once the attacker discovers attack points, they can use the collected information to gain unauthorized access and reach assets.


Enumeration Concepts

- Information that is enumerated in this phase includes:
  - Routing Information
  - SNMP Information
  - DNS Information
  - Machine Name
  - User Information
  - Group Information
  - Applications and Banners
  - Network Sharing Information
  - Network Resources

Techniques for Enumeration


- Enumeration Using Email ID
  - Extracting information from an email ID can provide useful details such as the username and domain name.
- Enumeration using Default Password
  - Every device and software has its default credentials and settings.
  - Some administrators keep using default passwords and settings, which makes it easy for an attacker to gain unauthorized access using default credentials.
  - Finding the default settings, configuration and password of a device is not a big deal.
- Enumeration through DNS Zone Transfer
  - Includes extracting information such as the location of the DNS server, DNS records and other valuable network-related information such as hostnames, IP addresses, usernames, etc.

Techniques for Enumeration


- Enumeration using SNMP
  - The process of gaining information through SNMP. SNMP is an application layer protocol that provides communication between managers and agents.
  - The attacker uses default community strings, or guesses the string, to extract information about a device. SNMP was developed to allow the administrator to manage devices such as servers, routers, switches and workstations on an IP network.
  - It allows network administrators to manage network performance, find, troubleshoot and solve network problems, and design and plan for network growth.
  - The SNMP system consists of three elements:
    - SNMP manager
    - SNMP agents (managed nodes)
    - Management Information Base (MIB)
- Brute Force Attack on Active Directory
  - Active Directory (AD) provides centralized command and control of domain users, computers and network printers. It restricts access to network resources to the defined users and computers only.
  - AD is a big target and a rich source of sensitive information for an attacker. Brute-force attacks, or queries against the LDAP service, are performed to gather information such as usernames, addresses, credentials, privilege information, etc.

Types for Enumeration

- How do we start getting this information? We will look at the protocols that give us the information we want:
  - NetBIOS Enumeration
  - SNMP Enumeration
  - LDAP Enumeration
  - NTP Enumeration
  - SMTP Enumeration
  - DNS Zone Transfer Enumeration

Services and Ports to Enumerate


NetBIOS Enumeration
- NetBIOS allows communication between different applications running on different systems within a local area network.
- The NetBIOS service uses a unique 16-character ASCII string to identify network devices over TCP/IP. The initial 15 characters identify the device; the 16th character identifies the service.
- NetBIOS over TCP/IP (NetBT) uses the following TCP and UDP ports:
  - UDP port 137 (name services)
  - UDP port 138 (datagram services)
  - TCP port 139 (session services)
- Using NetBIOS Enumeration, an attacker can discover:
  - List of machines within a domain
  - File sharing
  - Printer sharing
  - Usernames
  - Group information
  - Password policies

NetBIOS Enumeration

- NetBIOS names are classified into the following types:
  - Unique
  - Group
  - Domain Name
  - Internet Group
  - Multihomed
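As an added illustration of the 15-character name plus one-byte service suffix described above (example code written for this page, not part of the lecture), the following Python encodes and decodes the 32-character first-level encoding that NetBIOS name service packets on UDP port 137 carry, and maps the suffix byte to the service it denotes. The suffix table lists well-known Microsoft suffixes; the sample names are constructed.

```python
# Well-known service suffixes carried in the 16th byte of a NetBIOS name.
NETBIOS_SUFFIXES = {
    0x00: "Workstation Service",
    0x03: "Messenger Service",
    0x20: "File Server Service",
    0x1B: "Domain Master Browser",
    0x1C: "Domain Controllers (group)",
    0x1D: "Master Browser",
    0x1E: "Browser Service Elections (group)",
}

def encode_netbios_name(name: str, suffix: int) -> str:
    """Pad the name to 15 bytes, append the suffix byte, then apply the
    RFC 1001/1002 first-level encoding: each nibble becomes a letter A-P."""
    if len(name) > 15:
        raise ValueError("NetBIOS names are at most 15 characters")
    raw = name.upper().encode("ascii").ljust(15, b" ") + bytes([suffix])
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in raw)

def decode_netbios_name(encoded: str) -> tuple:
    """Reverse the first-level encoding of a 32-character name field and
    split it into (device name, suffix byte, service description)."""
    if len(encoded) != 32 or any(c not in "ABCDEFGHIJKLMNOP" for c in encoded):
        raise ValueError("expected 32 characters in the range A-P")
    raw = bytes(((ord(encoded[i]) - 0x41) << 4) | (ord(encoded[i + 1]) - 0x41)
                for i in range(0, 32, 2))
    # The 15-byte name part is padded with spaces (or NULs for the wildcard).
    name = raw[:15].rstrip(b" \x00").decode("ascii", errors="replace")
    suffix = raw[15]
    return name, suffix, NETBIOS_SUFFIXES.get(suffix, f"Unknown (0x{suffix:02X})")

if __name__ == "__main__":
    # Constructed inputs: a file server name, and the "*" wildcard name that a
    # node-status request (the query behind nbtstat -A) carries.
    for enc in (encode_netbios_name("FILESRV01", 0x20),
                "CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"):
        print(enc, "->", decode_netbios_name(enc))
```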

NetBIOS Enumeration Tool

- nbtstat
  - A useful tool to display information about NetBIOS over TCP/IP statistics.
  - It is also used to display information such as NetBIOS name tables, the name cache and other information.
  - Commands using the nbtstat utility are shown below:
nbtstat.exe -a "NetBIOS name of the remote system"
nbtstat -A 192.168.1.10
  - The nbtstat command can be used with several options:
-a: With a hostname, displays the NetBIOS name table and MAC address information.
-A: With an IP address, displays the NetBIOS name table and MAC address information.
-c: NetBIOS name cache information.
-n: The names registered locally by NetBIOS applications such as the server and redirector.
-r: A count of all names resolved by broadcast or the WINS server.
-s: The NetBIOS sessions table, converting destination IP addresses to computer NetBIOS names.
-S: Lists the current NetBIOS sessions and status, along with the IP address.

Enumeration Tools

- Enumeration using SuperScan
  - A free connect-based port scanning tool designed to detect open TCP and UDP ports on a target computer,
  - determine which services are running on those ports, and run queries such as whois, ping, ICMP traceroute and hostname lookups.
- Net View
  - The utility used to display information about all shared resources of a remote host or workgroup.
- Enumeration using SoftPerfect Network Scanner
  - A free multi-threaded IP, NetBIOS and SNMP scanner with a modern interface and many advanced features.
  - It is intended for both system administrators and general users interested in computer security.

SNMP Enumeration

- SNMP Enumeration is a technique of enumeration that uses SNMP (Simple Network Management Protocol), the most widely used network management protocol.
- In SNMP Enumeration:
  - User accounts and device information are targeted using SNMP.
  - SNMP requires a community string to authenticate the management station.
  - The community string takes a different form in different versions of SNMP.
  - Using the default community string, or by guessing the community string, the attacker gains unauthorized access and extracts information such as hosts, devices, shares, network information and much more.

SNMP Enumeration


Simple Network Management Protocol


- Almost every single vendor supports SNMP.
- Process:
  - Initially, an SNMP deployment requires a management station. The management station collects information regarding different aspects of network devices.
  - The second requirement is configuration and software support on the networking devices themselves. Configuration such as the type of encryption and hashing running in the management station's software must match the SNMP settings on the devices.
- Technically, three components are involved in deploying SNMP:
  - SNMP Manager: runs on the management station to display the information collected from networking devices in a clear, presentable manner. Common software includes PRTG, SolarWinds, OPManager, etc.
  - SNMP Agent: runs on the networking nodes whose components need to be monitored. Examples include CPU/RAM usage, interface status, etc. UDP port 161 is used for communication between the SNMP agent and the SNMP manager.
  - Management Information Base (MIB): a collection of information organized hierarchically in a virtual database. It is accessed using a protocol such as SNMP.
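To make the community-string authentication on UDP port 161 concrete, here is an added Python example (not from the lecture) that walks the BER-encoded header of a captured SNMPv1/v2c message, extracts the version and community string, and flags default community strings; this is the kind of check a defender runs over a capture of their own management traffic to find devices still using defaults. The packet bytes, source addresses and the default-string list are constructed assumptions.

```python
DEFAULT_COMMUNITIES = {"public", "private"}
VERSIONS = {0: "SNMPv1", 1: "SNMPv2c", 3: "SNMPv3"}

def _read_tlv(buf: bytes, pos: int):
    """Read one BER tag-length-value at pos; return (tag, value, next_pos).
    Handles short-form and long-form (0x81/0x82...) lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_snmp_header(payload: bytes) -> dict:
    """Extract version and community string from the UDP payload of an
    SNMPv1/v2c message. SNMPv3 messages carry no community string."""
    tag, body, _ = _read_tlv(payload, 0)
    if tag != 0x30:
        raise ValueError("SNMP message must start with a BER SEQUENCE")
    tag, ver, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("missing version INTEGER")
    version = int.from_bytes(ver, "big")
    if version == 3:
        return {"version": "SNMPv3", "community": None, "default": False}
    tag, community, _ = _read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("missing community OCTET STRING")
    comm = community.decode("ascii", errors="replace")
    return {"version": VERSIONS.get(version, f"unknown({version})"),
            "community": comm, "default": comm in DEFAULT_COMMUNITIES}

def find_default_communities(packets):
    """packets: iterable of (source, udp_payload). Return the sources that
    authenticated with a default community string."""
    hits = []
    for src, payload in packets:
        info = parse_snmp_header(payload)
        if info["default"]:
            hits.append((src, info["community"]))
    return hits

# Constructed SNMPv2c GetRequest for sysDescr.0 using community "public".
SAMPLE_GET_PUBLIC = bytes.fromhex(
    "302902010104067075626c6963"          # SEQUENCE(41), version 1 = v2c, "public"
    "a01c02047d0a6f3a020100020100"        # GetRequest(28): request-id, error-status/index
    "300e300c06082b060102010101000500"    # VarBindList: OID 1.3.6.1.2.1.1.1.0, NULL
)

if __name__ == "__main__":
    print(parse_snmp_header(SAMPLE_GET_PUBLIC))
    print(find_default_communities([("192.0.2.10", SAMPLE_GET_PUBLIC)]))
```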

SNMP Enumeration Tools

- OpUtils
  - A network monitoring and troubleshooting tool for network engineers.
  - Powered by ManageEngine, it supports a number of tools for switch port and IP address management.
  - Helps network engineers manage their devices and IP address space with ease.
  - Performs network monitoring, detection of rogue device intrusion, bandwidth usage monitoring and more.
- SolarWinds Engineer's Toolset
  - A network administrator's tool that offers hundreds of networking tools for detection, troubleshooting and network diagnostics.

LDAP Enumeration

- The Lightweight Directory Access Protocol (LDAP)
  - An open standard Internet protocol.
  - Used for accessing and maintaining distributed directory information services in a hierarchical and logical structure. A directory service plays an important role by allowing the sharing of information about users, systems, networks, services, etc. throughout the network.
  - LDAP provides a central place to store usernames and passwords.
  - Applications and services connect to the LDAP server to validate users. The client initiates an LDAP session by sending an operation request to a Directory System Agent (DSA) using TCP port 389. Communication between client and server uses Basic Encoding Rules (BER).

LDAP Enumeration Tool

- Jxplorer: www.jxplorer.org
- LDAP Admin Tool: www.ldapsoft.com
- LDAP Account Manager: www.ldap-account-manager.org
- Active Directory Explorer: technet.microsoft.com
- LDAP Administration Tool: sourceforge.net
- LDAP Search: securityexploded.com
- Active Directory Domain Services Management Pack: www.microsoft.com
- LDAP Browser/Editor: www.novell.com

NTP Enumeration

- Network Time Protocol (NTP)
  - NTP is used in a network to synchronize the clocks across hosts and network devices.
  - An important protocol, as directory services, network devices and hosts rely on clock settings for login purposes and on logging to keep a record of events.
  - NTP helps in correlating events by the time at which system logs are received by syslog servers.
  - NTP uses UDP port 123, and its whole communication is based on Coordinated Universal Time (UTC).

NTP Enumeration Tools

- Nmap
- NTP Server Scanner
- Wireshark
- NTPQuery

SMTP Enumeration

- SMTP Enumeration: extracting information about the target SMTP server.
- SMTP (Simple Mail Transfer Protocol):
  - Ensures mail communication between email servers and recipients over the Internet on port 25.
  - One of the popular TCP/IP protocols, widely used by most email servers, defined in RFC 821.
- SMTP Enumeration Technique
  - The SMTP server's responses to commands such as VRFY, RCPT TO and EXPN differ for valid and invalid users.
  - By interacting with the SMTP server via telnet and inspecting and comparing the responses for valid and invalid users, valid users can be determined.
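An added example, not from the lecture: Python that pairs client commands with server reply codes in a telnet-style SMTP transcript like the one described, counts the VRFY/EXPN/RCPT TO mailbox probes, and reports whether the reply codes differed between mailboxes, i.e. whether the server leaks account validity. The two transcripts are constructed; the second shows the mitigation, a server that answers VRFY and EXPN with a uniform 502 because the commands are disabled.

```python
import re
from collections import Counter
# Mailbox probes: VRFY user, EXPN list, or RCPT TO:<address>
PROBE_RE = re.compile(r"^(?:VRFY|EXPN)\s+(\S+)|^RCPT TO:\s*<?([^>\s]+)>?", re.I)

def pair_exchanges(transcript):
    """Pair each 'C:' command with the next 'S:' reply code in a telnet-style log."""
    pending = None
    for line in transcript.strip().splitlines():
        side, _, text = line.strip().partition(": ")
        if side == "C":
            pending = text
        elif side == "S" and pending is not None and text[:3].isdigit():
            yield pending, int(text[:3])
            pending = None

def assess_session(transcript, probe_threshold=4):
    """Count mailbox probes in one session and report whether reply codes
    differed between mailboxes, which is what makes user enumeration work."""
    probes = [((m.group(1) or m.group(2)).lower(), code)
              for cmd, code in pair_exchanges(transcript)
              if (m := PROBE_RE.match(cmd))]
    codes = Counter(code for _, code in probes)
    return {
        "probes": len(probes),
        "distinct_mailboxes": len({mb for mb, _ in probes}),
        "reply_codes": dict(codes),
        "leaks_validity": len(codes) > 1,   # differential replies
        "suspicious": len(probes) >= probe_threshold,
    }

# Constructed transcripts: a server that answers differently for known and
# unknown mailboxes, and one with VRFY/EXPN disabled (uniform 502 replies).
LEAKY = """\
C: VRFY alice
S: 252 2.0.0 alice
C: VRFY bob
S: 550 5.1.1 bob: Recipient address rejected
C: EXPN staff
S: 252 2.0.0 staff
C: RCPT TO:<dave@example.test>
S: 550 5.1.1 Recipient address rejected
"""
HARDENED = """\
C: VRFY alice
S: 502 5.5.1 VRFY command is disabled
C: VRFY bob
S: 502 5.5.1 VRFY command is disabled
"""
```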

SMTP Enumeration Tool

- NetScanTools Pro
- smtp-user-enum
- Telnet

DNS Zone Transfer Enumeration

- DNS Zone Transfer Enumeration:
  - The attacker looks for the target's TCP port 53, as TCP port 53 is used by DNS and zone transfer uses this port by default.
  - Using port scanning techniques, you can find out whether the port is open.
- DNS Zone Transfer is a process performed by DNS servers:
  - A DNS server passes a copy of its database records to another DNS server.
  - The zone transfer process provides support for resolving queries, as more than one DNS server can then respond to queries.
  - Consider a scenario in which both primary and secondary DNS servers respond to queries. The secondary DNS server receives a copy of the DNS records to update the information in its database.
- DNS Zone Transfer using the nslookup command

Enumeration Countermeasures

- Some actions that can prevent enumeration to a certain extent:
  - advanced security techniques,
  - advanced security software,
  - updated versions of protocols,
  - strong security policies,
  - unique and difficult passwords,
  - strongly encrypted communication between client and server,
  - disabling unnecessary ports, protocols, sharing and services enabled by default.

Lab 1: Services Enumeration using Nmap


- Consider a network 10.10.10.0/24 where different devices are running.
- Enumerate services, ports and operating system information using the nmap utility on Kali Linux.
- Ping sweep on the subnet to check for live hosts and other basic information, e.g. 10.10.10.12:
nmap -sP 10.10.10.0/24
- UDP scan on target host 10.10.10.12:
nmap -sU 10.10.10.12
- Perform a stealthy (SYN) scan on target host 10.10.10.12:
nmap -sS 10.10.10.12
- Operating system and version scanning on target host 10.10.10.12:
nmap -sSV -O 10.10.10.12

Lab 2: Enumeration using SuperScan


Lab 3: SoftPerfect Network Scanner


Q&A
