Lec4 Enumeration

The document outlines the process of enumeration in cybersecurity, detailing various tools and techniques used to gather information about target systems, including OS details, user accounts, and network resources. It emphasizes the importance of appearing as a legitimate client during enumeration to avoid detection, and provides examples of enumeration commands and tools for protocols like SMB, FTP, and SNMP. Additionally, it covers the significance of protocols such as WMI and NetBIOS in the enumeration process.

4.1 Enumeration Concepts
Topics: Enumeration Concepts, Enumeration Tools and Techniques

Enumeration overview
• The systematic process of querying a target's servers and services for information
• The attacker utilizes information gathered during footprinting / reconnaissance to know which devices and services to query
• We exploit normal server functionality and protocols to gain more information about our target
• We enumerate to find possible entry points into the target system!

Enumeration tools and techniques
• Enumeration should appear to the server as a normal client making legitimate information requests
• Your enumeration test should focus on the information you need
• You want to avoid returning too much information that will clutter your results
• A combination of manual and automated testing will give the best results

What can be enumerated
• OS and service details
• Users and groups
• Email addresses and contact information
• Network resources
• Network shares
• Routing tables
• Audit and service settings
• SNMP and DNS information
• Machine names
• Applications and banners
Nmap enumeration examples
nmap -O 192.168.1.50
nmap -sV 192.168.1.20
nmap --script=smb-os-discovery <target>

Host enumeration examples
netcat www.someserver.com 80
HTTP/1.1 200 OK
Server: Microsoft-IIS/6
Expires: Tue, 17 Jan 2011 01:41:33 GMT
Date: Mon, 16 Jan 2011 01:41:33 GMT
Content-Type: text/html
Accept-Ranges: bytes
Last-Modified: Wed, 28 Dec 2010 15:32:21 GMT
ETag: "b0aac0542e25c31:89d"
Content-Length: 7369

rpcclient enumeration examples
rpcclient <target IP> -U <username>
rpcclient -U "" 192.168.1.20
srvinfo
lookupnames administrator
lookupsids

Metasploit enumeration example
use auxiliary/scanner/smb/smb_lookupsid
set SMBUser moo
set SMBPass Pa22w0rd
set MinRID 1000
set MaxRID 1100
set RHOSTS 192.168.74.50
run
Services enumeration tools
Port: TCP 3268
Service: MS Active Directory Global Catalog Service
Protocol: LDAP
Tools: Same as for LDAP, but a different port
Comments: The Active Directory Global Catalog maintains a listing for all objects in an entire Active Directory forest.
4.2 SMB and NetBIOS Enumeration
Topics: NetBIOS, SMB, Null User, Tools

NetBIOS
• Network Basic Input/Output System
• An API and Layer 5 protocol
• Allows applications to communicate over a local area network (LAN) with device-specific NetBIOS names
• Used by Microsoft for simple LAN communications, name resolution and file sharing
• Originally used by the broadcast-based NetBEUI networking protocol
• Microsoft later made it a payload of TCP/IP (NetBIOS over TCP)
• TCP 137, 139; UDP 137, 138

NetBIOS names
• 1 - 15 alphanumeric characters (a hidden 16th character describes the name type)
• Special characters can only include: - . _ $ (dash, period, underscore, dollar sign)
  • $ has special meaning (name or share exists but is hidden on the network)
  • Only the dash is compatible with DNS naming conventions

NetBIOS name table
Name | NetBIOS Code | Type | Information Obtained
<host name> | <00> | Unique | Hostname
<domain> | <00> | Group | Domain name
<host name> | <03> | Unique | Messenger service running for that computer
<username> | <03> | Unique | Messenger service running for that individual logged-in user
<host name> | <20> | Unique | Server service running
<domain> | <1D> | Group | Master browser name for that subnet
<domain> | <1B> | Unique | Domain master browser name, identifies PDC for domain

SMB
• Microsoft file and print sharing protocol
• Microsoft Workstation Service (client) connects to a remote machine's Server Service (server)
• Also provides authenticated inter-process communication (IPC) among processes running on remote computers
• A hidden network share, known as the IPC share (ipc$), is used on Windows computers
  • Facilitates communication between processes and remote computers

NetBIOS and SMB
• Originally NetBIOS and SMB worked together:
  • An SMB client uses the NetBIOS API to send an SMB command to an SMB server
    • Listens for replies from the SMB server
  • An SMB server uses the NetBIOS API to listen for SMB commands from SMB clients
    • Sends replies to the SMB client
• Since Windows 2000, SMB runs directly on TCP 445
• NetBIOS still exists for backward compatibility
• Linux/UNIX Samba server is a reverse-engineered SMBv1 File Server service
  • It has the same vulnerabilities as the Windows original
• NetBIOS and SMB have a long history of vulnerabilities

SMB enumeration
• You can use SMB to make NetBIOS calls to a Microsoft Server Service
• You can enumerate:
  • Computer names
  • Share names
  • User names
  • Logon information
  • Password policy and hashes
  • NetBIOS computer and domain names
  • Active Directory domain and forest names
  • FQDNs
  • System time
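The name table above is exactly what an unauthenticated node-status query (nbtstat -A, or nmap's nbstat probe) returns. As an added example that is not part of the lecture, the Python below implements the RFC 1001/1002 first-level name encoding and parses a constructed node-status reply into the roles from that table, so a defender can check what their own hosts advertise on UDP 137; the reply bytes, the host name FILESRV01 and the workgroup CORP are constructed for this example.

```python
"""Decode a NetBIOS node-status (NBSTAT) name table, as returned to
`nbtstat -A <ip>` or an nmap nbstat probe, and classify each entry with the
suffix codes listed in the lecture table (RFC 1001/1002 framing).
The sample response below is constructed for this example, not captured."""
from dataclasses import dataclass

# (suffix byte, is_group) -> meaning, per the lecture's name table.
NAME_TYPES = {
    (0x00, False): "Workstation service (hostname)",
    (0x00, True): "Domain / workgroup name",
    (0x03, False): "Messenger service (computer or logged-in user)",
    (0x20, False): "Server service (file/print sharing offered)",
    (0x1D, True): "Master browser for the subnet",
    (0x1B, False): "Domain master browser (identifies the PDC)",
}
GROUP_FLAG = 0x8000   # NAME_FLAGS: leftmost bit set = group name
ACTIVE_FLAG = 0x0400  # NAME_FLAGS: ACT bit = name is registered and active


@dataclass
class NameEntry:
    name: str
    suffix: int
    is_group: bool
    active: bool

    @property
    def meaning(self) -> str:
        return NAME_TYPES.get((self.suffix, self.is_group), "unknown / vendor-specific")


def encode_netbios_name(name: str, suffix: int) -> bytes:
    """First-level encoding (RFC 1002 4.1): pad to 15 chars, append the suffix,
    then emit each nibble as a letter 'A'..'P'. This is how names appear in NBNS packets."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    out = bytearray()
    for b in raw:
        out.append(0x41 + (b >> 4))
        out.append(0x41 + (b & 0x0F))
    return bytes(out)


def decode_netbios_name(encoded: bytes) -> tuple[str, int]:
    """Inverse of encode_netbios_name: 32 letters -> (name, suffix)."""
    if len(encoded) != 32:
        raise ValueError("first-level encoded NetBIOS name must be 32 bytes")
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15]


def parse_name_table(payload: bytes) -> list[NameEntry]:
    """Parse the NODE_NAME array of an NBSTAT response RDATA:
    NUM_NAMES (1 byte) followed by 18-byte entries (15 name + 1 suffix + 2 flags)."""
    count = payload[0]
    entries = []
    for i in range(count):
        off = 1 + i * 18
        chunk = payload[off:off + 18]
        if len(chunk) < 18:
            raise ValueError("truncated name table")
        flags = int.from_bytes(chunk[16:18], "big")
        entries.append(NameEntry(
            name=chunk[:15].decode("ascii", "replace").rstrip(),
            suffix=chunk[15],
            is_group=bool(flags & GROUP_FLAG),
            active=bool(flags & ACTIVE_FLAG),
        ))
    return entries


def _entry(name: str, suffix: int, group: bool) -> bytes:
    """Build one constructed 18-byte NODE_NAME entry for the sample reply."""
    flags = (GROUP_FLAG if group else 0) | ACTIVE_FLAG
    return name.ljust(15).encode() + bytes([suffix]) + flags.to_bytes(2, "big")


# Constructed NBSTAT RDATA for a host "FILESRV01" in workgroup "CORP" that
# runs the Server service and is the subnet's master browser.
SAMPLE_RDATA = bytes([4]) + b"".join([
    _entry("FILESRV01", 0x00, False),
    _entry("CORP", 0x00, True),
    _entry("FILESRV01", 0x20, False),
    _entry("CORP", 0x1D, True),
])


def exposure_report(payload: bytes) -> dict[str, list[str]]:
    """Summarise what a remote, unauthenticated node-status query reveals;
    run it against your own hosts to see what they advertise."""
    report = {"hostnames": [], "domains": [], "roles": []}
    for e in parse_name_table(payload):
        if e.suffix == 0x00 and not e.is_group:
            report["hostnames"].append(e.name)
        elif e.suffix == 0x00 and e.is_group:
            report["domains"].append(e.name)
        else:
            report["roles"].append(f"{e.name}<{e.suffix:02X}>: {e.meaning}")
    return report


if __name__ == "__main__":
    for line in exposure_report(SAMPLE_RDATA)["roles"]:
        print(line)
```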

Null user
• A null user is a pseudo account that has no username and password
• Was initially used by Windows systems to "log in" to each other to trade network browse lists
• For decades, the null session was an exploit that took advantage of the null user
net use \\<IP ADDRESS>\IPC$ "" /user:
• Mapping a drive to the IPC$ process then allows you to enumerate a lot of information via NetBIOS and SMB

nbtstat
• Windows utility
• Displays NetBIOS over TCP/IP protocol statistics, NetBIOS name tables for local and remote computers, and the NetBIOS name cache
nbtstat [-a RemoteName] [-A IPAddress] [-c] [-n] [-r] [-R] [-RR] [-s] [-S] [Interval]

Linux NetBIOS/SMB enumeration tool
• Has 19 sub commands for enumerating information via NetBIOS
• Runs on Linux
• Enumerates NetBIOS information from Windows and Linux SAMBA
  • -A all
  • -U get userlist
  • -M get machine list
  • -N get namelist dump (different from -U and -M)
  • -S get sharelist
  • -P get password policy information
  • -G get group and member list

Other NetBIOS enumeration tools
• Connection-based TCP port scanner, pinger, and hostname resolver
  • Support for unlimited IP ranges
  • Host detection by multiple ICMP methods
  • TCP SYN and UDP scanning
  • Simple HTML report generation
  • Source port scanning
  • Hostname resolving
  • Banner grabbing
  • Windows host enumeration
• NetBIOS Enumerator
• NSAuditor Network Security Auditor
  • Includes more than 45 network tools and utilities for network security auditing, network scanning, network monitoring, etc.
• Hyena
  • A GUI application for managing and securing Microsoft operating systems
  • Shows shares
  • User logon name for Windows servers and domain controllers
  • Displays graphical representation of Microsoft Terminal Services, Microsoft Windows Network, Web Client Network, etc.
• Winfingerprint
  • Shows operating system, enumerates users, groups, SIDs, transports, sessions, services, service pack and hotfix level, date and time, disks, and open TCP/UDP ports

4.3 File Transfer Enumeration
Topics: FTP, TFTP, NFS

FTP
• A common, clear text file sharing protocol
• Interactive
• Has commands to list files and directories, upload and download files
• TCP 21 (commands)
• TCP 20 or random port (data transfer)
• An FTP server can be configured to:
  • Authenticate a user
  • Allow anonymous connections
• You can use the FTP protocol to enumerate

[Figure: FTP command and data connections with a firewall on the client side. Upper panel: the server tries to initiate the data connection, which the client's firewall blocks. Lower panel: the client initiates the data connection, which the client's firewall allows.]

FTP enumeration
• You can use FTP commands to enumerate information from an FTP server:
  • Accounts
  • Passwords
  • Anonymous login capabilities
  • Port scanning other targets

FTP enumeration tools
• Netcat
  • Banner grab from an FTP server
• Nmap scripts
  • ftp-anon – Checks if an FTP server allows anonymous logins.
  • ftp-brute – Performs brute-force password auditing against FTP servers.
  • ftp-bounce – Checks to see if an FTP server allows port scanning using the FTP bounce method.
• ftp-user-enum
  • Tool for enumerating OS-level user accounts via the ftp service
  • Works against the default Solaris in.ftpd and GNU inetutils ftpd

TFTP
• FTP's "Little Brother"
• No authentication
• Clear text
• UDP 69
• Non-interactive
  • No browsing the server directory
  • You must know the name of the file you want to download / upload
• Typically used to upload/download OS and config files for networking devices
• You can try downloading a configuration file by its default name
TFTP.exe <host> GET startup-config

TFTP enumeration
• You can try to download configuration files stored on a TFTP server
• The service has no way to authenticate connections or enforce authorization
• Nmap has a script that will try to download files by supplying a list of file names
nmap -sU -p 69 --script tftp-enum.nse --script-args tftp-enum.filelist=customlist.txt <host>
Making an unauthorized connection to a TFTP server is still unauthorized access!!

NFS
• The file sharing system for Linux/Unix
• Clients can "mount" (connect to) a share
• Tools to enumerate NFS include:
  • rpcinfo (part of Linux rpcbind)
    sudo apt install rpcbind
  • rpcscan (written in Python, available on GitHub)
  • SuperEnum (written in Python, available on GitHub)
• You can use the NFS client to enumerate shares on the network

NFS example
On the file server:
1. Add a line in the /etc/exports file to allow anyone on the subnet to read/write to the share:
   /home/srvshare 192.168.1.0/24(rw,sync)
2. Run a command to export all shares listed in /etc/exports:
   exportfs -a
3. Start the NFS server process:
   /etc/init.d/nfs-kernel-server start
On the client:
mkdir /home/fromserver
sudo mount -t nfs <server IP>:/home/srvshare /home/fromserver
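The FTP firewall figure and the ftp-bounce script above turn on one detail: who tells whom where the data connection goes. In active mode the client sends PORT h1,h2,h3,h4,p1,p2 and the server connects out to that address; in passive mode the server answers PASV with a 227 reply and the client connects in; a server that honours a PORT address other than the connecting client's can be used to scan third parties. As an added example that is not part of the lecture, this Python parses both messages, models which mode a client-side firewall permits, and shows the server-side anti-bounce check a hardened FTP daemon applies; every sample string and helper name is constructed here.

```python
"""Decode FTP PORT commands and 227 PASV replies, model the client-side
firewall behaviour from the lecture figure, and implement the anti-bounce
policy check a hardened FTP server applies to PORT. All sample strings and
helper names are constructed for this example."""
import re
from ipaddress import ip_address

PORT_RE = re.compile(r"^PORT (\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)
PASV_RE = re.compile(r"^227 .*?\((\d{1,3}(?:,\d{1,3}){5})\)")


def _decode_hostport(six: str) -> tuple[str, int]:
    """h1,h2,h3,h4,p1,p2 -> (dotted IPv4, p1*256 + p2), validating every octet."""
    parts = [int(p) for p in six.split(",")]
    if len(parts) != 6 or any(p > 255 for p in parts):
        raise ValueError(f"malformed host-port string: {six!r}")
    return ".".join(map(str, parts[:4])), parts[4] * 256 + parts[5]


def parse_port_command(line: str) -> tuple[str, int]:
    """Active mode: the CLIENT tells the server where to connect for data."""
    m = PORT_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a PORT command: {line!r}")
    return _decode_hostport(m.group(1))


def parse_pasv_reply(line: str) -> tuple[str, int]:
    """Passive mode: the SERVER says where it is listening for the data connection."""
    m = PASV_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a 227 PASV reply: {line!r}")
    return _decode_hostport(m.group(1))


def data_connection_allowed(mode: str, client_blocks_inbound: bool) -> bool:
    """The figure's point: a client-side firewall that blocks unsolicited inbound
    connections breaks active mode (server -> client) but not passive (client -> server)."""
    if mode == "active":
        return not client_blocks_inbound
    if mode == "passive":
        return True
    raise ValueError("mode must be 'active' or 'passive'")


def port_command_is_safe(control_client_ip: str, port_line: str) -> tuple[bool, str]:
    """Server-side anti-bounce policy: the PORT target must be the host that opened
    the control connection, must be a usable unicast address, and must not be a
    privileged port. Rejecting anything else stops the server scanning third parties."""
    host, port = parse_port_command(port_line)
    if host != control_client_ip:
        return False, f"PORT target {host} differs from control peer {control_client_ip} (bounce attempt)"
    addr = ip_address(host)
    if addr.is_multicast or addr.is_unspecified or addr.is_loopback:
        return False, f"PORT target {host} is not a usable unicast address"
    if port < 1024:
        return False, f"PORT target port {port} is privileged"
    return True, "ok"


if __name__ == "__main__":
    print(parse_pasv_reply("227 Entering Passive Mode (192,168,1,20,195,80)"))
    print(port_command_is_safe("192.168.1.50", "PORT 192,168,1,77,0,25"))
```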

4.4 WMI Enumeration
Topics: Overview, Namespace, Querying, Tools

Overview
• The Microsoft implementation of Web-Based Enterprise Management (WBEM)
  • A standard technology for accessing management information in an enterprise environment
• Uses the Common Information Model (CIM) industry standard to represent systems, applications, networks, devices, and other managed components
• Capable of obtaining management data from remote systems
  • Uses DCOM (TCP 135) to make these connections

Namespace
• WMI organizes its classes in a hierarchical namespace
  • Conceptually similar to a folder structure
• root/cimv2 is the default namespace
  • It contains 277 classes for computer hardware and configuration

Useful classes in root/cimv2
• Win32_BIOS
• Win32_BootConfiguration
• Win32_ComputerSystem
• Win32_ComputerSystemEvent
• Win32_ComputerSystemProcessor
• Win32_CurrentTime
• Win32_DeviceSettings
• Win32_DiskPartition
• Win32_Group
• Win32_GroupUser
• Win32_IP4RouteTable
• Win32_LogicalDisk
• Win32_LogonSession
• Win32_NetworkAdapterConfiguration
• Win32_NetworkClient
• Win32_NetworkConnection
• Win32_NTDomain
• Win32_NTLogEvent
• Win32_OperatingSystem
• Win32_Process
• Win32_Processor
• Win32_Registry
• Win32_ScheduledJob
• Win32_SecurityDescriptor
• Win32_Service
• Win32_Share
• Win32_StartupCommand
• Win32_SystemAccount
• Win32_SystemBIOS
• Win32_SystemUsers
• Win32_UserAccount
• Win32_UserInDomain

Querying WMI with PowerShell
Get-CimClass replaces the obsolete Get-WMIObject cmdlet. PowerShell is not case sensitive.
• Get-CimClass
  • Returns all WMI classes
• Get-CimInstance -ClassName <name>
  • Returns information about a particular class
  • E.g. Get-CimInstance -ClassName Win32_Processor
• Get-CimClass '*<string>*'
  • Returns all classes that have the string (e.g. "processor") in the name
  • E.g. Get-CimClass '*processor*'
• Get-CimInstance <class> | ft
  • Output results in table format
  • E.g. Get-CimInstance Win32_process | ft
• Get-CimInstance <class> | ft -autosize
  • Output results in table format, automatically resizing columns as needed
• Get-CimInstance <class> | fl
  • Output results in list format

WMI Query Language (WQL)
• A subset of ANSI SQL
• Basic syntax:
  • Select <property> from <WMI-class>
• Examples:
  • Select * from Win32_Bios
  • Select Name from Win32_Bios
  • Select name, version from Win32_Bios
• Can be used in PowerShell, other scripts, and custom apps
• Sometimes has better performance than equivalent PowerShell cmdlets
• Queries might also be more complex than the equivalent cmdlet

WMI tools
Enumeration:
• Solarwinds Free WMI Monitor
• WMI Explorer (CodePlex)
• WMI Explorer (Marc van Orsouw)
• Hyena
• PowerShell
Exploit:
• GitHub:
  • WmiSploit
  • SharpStrike
  • WMEye
  • Power
• Metasploit:
  • exploit/windows/local/wmi
  • auxiliary/scanner/smb/impacket/wmiexec
  • exploits/windows/local/wmi_persistence

4.5 SNMP Enumeration
Topics: SNMP, OIDs, MIB, Tools

SNMP
• Used to centrally monitor devices on a network
• An SNMP manager polls agents for information
  • Polling is done round-robin style, on a regular interval (every few minutes)
• Manager is software on a server or workstation
• Agent is small software installed or built into a device OS
• The manager uses a Management Information Base (MIB) to know what types of information an agent can provide
  • A MIB is a set of counters (Object IDs) relevant to the device
• SNMP has several versions that are still in use
  • v1, v2, v2c all communicate in clear text
  • v3 is encrypted
  • Not all devices support v3

Community strings and ports
• Both the manager and agent are configured with a simple authentication mechanism called the "community string"
  • Simple text string
  • An agent will only respond to a manager that has the same community string
  • There are two default community strings:
    • "Public" – for read-only queries
    • "Private" – for read/write communications
  • Many administrators do not change the default community strings
• SNMP Ports:
  • UDP 161 - Manager queries and agent replies
  • UDP 162 – Agents "raise traps" (send pre-configured alerts) to the manager

SNMP components
• Managed Device
  • Router, switch, hub, firewall, computer, server service (DHCP, DNS, etc.), printer, IoT device
• Agent
  • Software installed on managed device
  • Responds to the NMS
• Network Management System (NMS)
  • Typically software installed on a dedicated computer

OIDs
• Represents a single "question" an SNMP manager can ask an agent
• Identifies a very specific, unique counter on a device
• Has a corresponding name and data type
• When queried by manager, agent will return a value

MIB
• A collection of OIDs stored in a text file
• A set of questions that an SNMP manager can ask a device regarding its status
• Standardized vendor-neutral MIBs define functionality common to all devices of the same type
• The manufacturer creates additional MIBs specific to their products
• An agent might use multiple MIBs to monitor one device
• Most SNMP managers have MIBs already installed
  • Vendor-neutral MIBs
  • Vendor-specific MIBs for popular products

OID hierarchy
• All OIDs, regardless of manufacturer, are part of a global hierarchy
• Each OID is unique
• The SNMP manager must know what MIBs the agent is using
  • At least know a starting OID to query
• The manager can then repeatedly issue a "get-next" command
  • The agent will provide information about successive OIDs
  • The manager does not need to know the OIDs for every single counter on the device

SNMP is a good target for enumeration
• Often the defaults are not changed:
  • Community strings
  • Encryption levels
• Most versions use clear-text communications
  • Microsoft devices don't even support the encrypted version
  • You might be able to sniff community strings and manager-agent communications
• Many SNMP management tools include a feature to discover all the MIBs installed on the agents
• You can also "walk" the MIB
  • Start at a single common OID
  • Repeatedly ask the device to "get-next" until it runs out of OIDs to report on

What SNMP enumeration can reveal
• Network devices
• Hosts
• Users and groups
• Services
• Installed software
• Network shares
• Device configurations
• IP and MAC addresses
• ARP tables
• Routing tables
• VLANs
• Port and interface status
• Network traffic
• and much, much more

SNMP enumeration tools
• Solar Winds Engineer's Toolset
• Nmap NSE scripts
  • There are 12 for snmp
• Metasploit snmp auxiliary modules
• SoftPerfect Network Scanner
• Snmpwalk
• Snmpget
• Net-SNMP
• SNMP Scanner
• NSAuditor Network Security Auditor
• OpUtils
• OIDVIEW SNMP MIB Browser
• iReasoning MIB Browser
• SNScan
• SNMP Informant
• Getif
• Spiceworks
• Observium

snmpget and snmpwalk
snmpget and snmpwalk have the same syntax. Both Windows and Linux use these commands.
• snmpget
  • Query a single OID
• snmpwalk
  • Query an entire MIB starting from a particular OID

snmpget [options] [community string] [host name/address] [OID]

$ snmpget -v 2c 127.0.0.1 -c public .1.3.6.1.2.1.1.5.0
SNMPv2-MIB::sysName.0 = STRING: centos7

$ snmpget -v 2c 127.0.0.1 -c public sysName.0
SNMPv2-MIB::sysName.0 = STRING: centos7
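To make the get / get-next exchange and the "walk the MIB" idea concrete without a live agent, here is an added Python example that is not part of the lecture: a tiny in-memory agent that answers only for the right community string, a walk that repeats get-next until the reply leaves the starting subtree, and a defender-side check for the default community strings and clear-text versions the slides warn about. The agent, its OID values (standard MIB-2 system and interface OIDs, with sysName.0 set to the slide's "centos7") and the community strings are all constructed here.

```python
"""Simulate SNMP get / get-next so the lecture's MIB walk can be seen offline.
The FakeAgent, its OID values and community strings are constructed for this
example; the OIDs themselves are the standard MIB-2 system and ifTable ones."""
from typing import Optional

DEFAULT_COMMUNITIES = {"public", "private"}  # the two defaults named on the slide


def oid_key(oid: str) -> tuple[int, ...]:
    """OIDs order component-wise as integers, not as strings:
    ...2.2.1.2.1 (ifDescr) sorts BEFORE ...2.2.1.10.1 (ifInOctets)."""
    return tuple(int(p) for p in oid.strip(".").split("."))


def in_subtree(oid: str, root: str) -> bool:
    k, r = oid_key(oid), oid_key(root)
    return k[:len(r)] == r


class FakeAgent:
    """Holds a sorted OID table and answers get / get-next like an agent would."""

    def __init__(self, community: str, values: dict[str, object]):
        self.community = community
        self.table = sorted(values.items(), key=lambda kv: oid_key(kv[0]))

    def _authorised(self, community: str) -> bool:
        # A real agent silently drops requests carrying the wrong community string.
        return community == self.community

    def get(self, community: str, oid: str) -> Optional[object]:
        if not self._authorised(community):
            return None
        for k, v in self.table:
            if oid_key(k) == oid_key(oid):
                return v
        return None  # noSuchObject / noSuchInstance

    def get_next(self, community: str, oid: str) -> Optional[tuple[str, object]]:
        """First (oid, value) strictly greater than `oid`, or None at endOfMibView."""
        if not self._authorised(community):
            return None
        target = oid_key(oid)
        for k, v in self.table:
            if oid_key(k) > target:
                return k, v
        return None


def walk(agent: FakeAgent, community: str, root: str) -> list[tuple[str, object]]:
    """snmpwalk semantics: repeat get-next from `root` while the reply stays inside
    the subtree; the manager never needs to know the individual OIDs up front."""
    results, current = [], root
    while True:
        nxt = agent.get_next(community, current)
        if nxt is None or not in_subtree(nxt[0], root):
            return results
        results.append(nxt)
        current = nxt[0]


def audit_community(community: str, version: str) -> list[str]:
    """Defender-side check for the weak defaults the lecture says are rarely changed."""
    findings = []
    if community.lower() in DEFAULT_COMMUNITIES:
        findings.append(f"default community string '{community}' in use")
    if version in {"1", "2c"}:
        findings.append(f"SNMPv{version} sends the community string in clear text")
    return findings


# Constructed agent: MIB-2 system group (1.3.6.1.2.1.1) plus two ifTable columns.
AGENT = FakeAgent("public", {
    "1.3.6.1.2.1.1.1.0": "Linux centos7 3.10.0",  # sysDescr.0
    "1.3.6.1.2.1.1.3.0": 4815162,                  # sysUpTime.0
    "1.3.6.1.2.1.1.5.0": "centos7",                # sysName.0 (the slide's example)
    "1.3.6.1.2.1.1.6.0": "Rack 4, DC-West",        # sysLocation.0
    "1.3.6.1.2.1.2.2.1.2.1": "lo",                 # ifDescr.1
    "1.3.6.1.2.1.2.2.1.2.2": "eth0",               # ifDescr.2
    "1.3.6.1.2.1.2.2.1.10.1": 1024,                # ifInOctets.1
    "1.3.6.1.2.1.2.2.1.10.2": 987654321,           # ifInOctets.2
})


if __name__ == "__main__":
    print(AGENT.get("public", ".1.3.6.1.2.1.1.5.0"))  # centos7
    for oid, value in walk(AGENT, "public", "1.3.6.1.2.1.1"):
        print(oid, "=", value)
    print(audit_community("public", "2c"))
```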
4.6 LDAP Enumeration
Topics: LDAP, X.500, Tools

LDAP
• The search and edit protocol for X.500-style directory service databases
• TCP 389
• Secure LDAP TCP 636
• Clear text by default
• Can be used to obtain a list of every object in the directory service database including:
  • User, Group, and Computer accounts
  • User department and contact information
  • Group membership
  • Network resource information

X.500 directory service examples
• Microsoft Active Directory Domain Services
• Novell eDirectory
• Open Software Foundation DCE Directory

LDAP enumeration tools
• Active Directory Users and Computers
• Softerra LDAP Administrator
• LDP.exe
• Metasploit auxiliary module ldap_hashdump
• Nmap NSE scripts for ldap
• JXplorer (available on www.jxplorer.org)
• Responder (available on GitHub)
  • This example queries an LDAP server out of eth0, forcing an LM hashing downgrade with verbose output:
  ./Responder.py -I eth0 -rPv -i <server IP>
4.7 DNS Enumeration
Topics: DNS, Tools

DNS
• Query a DNS server for its records:
  • A, AAAA
  • NS
  • MX
  • CNAME
  • PTR
  • SOA
• Obtain individual records or "zone transfer" the entire database file
  • Exploit DNS AXFR (all transfer) vulnerability
  • Some DNS servers will transfer their entire zone to any requestor without requiring authentication
  • This saves the attacker time
• You can also just manually request all the various record types and end up with the same content

DNS enumeration tools
• Dig
• Fierce
• Nslookup
• Host
• dnsrecon.py
• dnsenum.pl
• Metasploit auxiliary module dns_enum
• Nmap NSE script dns-brute
• SecurityTrails advanced DNS enumeration
• nslist.net
• iplist.net

NSLookup
• Microsoft tool for querying DNS
• nslookup [-option] [name | -] [server]
• You can also install on Linux
  • sudo apt install dnsutils
  • sudo dnf install bind-utils
• Depends on the existence of a reverse lookup zone to work properly
Examples:
nslookup example.com
nslookup -type=ns example.com
nslookup -type=soa example.com
nslookup -query=mx example.com
nslookup -type=any example.com
nslookup example.com ns1.nsexample.com
nslookup 10.20.30.40
nslookup -type=ptr 96.96.136.185.in-addr.arpa

DIG
• *Nix tool for querying DNS
• You can also install (slightly older version) on Windows
• Syntax:
dig Hostname
dig DomainNameHere
dig @DNS-server-name Hostname
dig @DNS-server-name IPAddress
dig @DNS-server-name Hostname|IPAddress type
• Examples:
dig www.example.com A
dig 74.125.236.167
dig +short example.com MX
dig +short example.com TXT
dig +short example.com NS
dig example.com ANY

DNS zone transfer
• Try a zone transfer by guessing the domain that the server is authoritative for:
dig axfr @<DNS_IP> <DOMAIN>
• Try to perform a zone transfer against every authoritative name server
• If it doesn't work, launch a dictionary attack:
fierce --domain <DOMAIN> --dns-servers <DNS_IP>

What do you see in this exhibit?
• The hacker used DIG to successfully transfer the zone and enumerate the hosts
• AXFR domain.com
4.8 SMTP Enumeration
Topics: Email, SMTP, Tools

Email
[Figure: mail flow from the Acme.com client through the Acme.com mail server, DNS and the Internet to the Example.com mail server, its mailbox database and the Example.com client.]
• ACME client uses SMTP to send email message to email server for acme.com
• Local email server performs DNS lookup to find MX record and IP address (A/AAAA record) of email server for example.com
• Acme.com email server uses SMTP to deliver message to example.com email server
• Example.com email server puts message into example.com client mailbox
• Example.com client later retrieves message using POP3, IMAP4, HTTP, or even RPC

SMTP
• Simple Mail Transfer Protocol (SMTP) has three built-in commands
  • VRFY – validates that an email address actually exists for a user
  • EXPN – request or expand a mailing list into individual recipients
  • RCPT TO – Specifies the actual recipient(s)
• As an attacker, you can use the SMTP commands manually to enumerate valid email addresses

SMTP enumeration tools
• telnet
• netcat
• NetScanTool Pro
• smtp-user-enum
• smtp_user_enum.py
• Kali iSMTP
• Metasploit auxiliary module smtp_enum
• nmap NSE script smtp-enum-users

Manual enumeration with telnet
telnet <email server> 25
vrfy [email protected]
If you receive a message code 250, 251, 252: The server has accepted the request and the user account is valid
If you receive a message code 550: The user account is invalid

Sending an email with telnet
Send interactively, one line at a time:
telnet mail.example.com 25
ehlo example.com
mail from: [email protected]
rcpt to: [email protected], [email protected]
data
Send all at once, pressing <Enter>.<Enter> to finish:
Subject: My Telnet Test Email
Hello,
This is an email sent by using the telnet command.
Your friend,
Me
.
Press q to quit the session:
q

Metasploit smtp_enum
1. In Kali Linux, create a list of possible email addresses and save it to your Desktop as user.txt
2. Open Metasploit Framework
3. In the Metasploit console enter these commands:
use auxiliary/scanner/smtp/smtp_enum
set rhosts <email server IP>
set rport 25
set USER_FILE /root/Desktop/user.txt
exploit

smtp-user-enum and iSMTP
• Supply a list of usernames and verify if they exist
• Verify that [email protected] is a valid email address:
smtp-user-enum -M VRFY -D example.com -u moo -t <email server IP>
• Verify that email addresses supplied in the email.txt list actually exist:
ismtp -h <email-server-IP>:25 -e /root/Desktop/email.txt
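Every tool above drives the same reply-code rule: 250/251/252 means the address was accepted, 550 means unknown user, so a run of probes with many 550s is the footprint a mail administrator can alert on (and the reason the countermeasures slide suggests disabling VRFY and EXPN). As an added example that is not part of the lecture, this Python applies that rule to a constructed mail server log: the log format, the sample lines and the thresholds are all constructed here, so adapt the regex to your MTA's real format.

```python
"""Detect SMTP user enumeration (VRFY / EXPN / RCPT TO probing) in mail server
logs using the reply-code rule from the lecture: 250/251/252 = the address is
accepted, 550 = unknown user. The log format, sample lines and thresholds are
constructed for this example; adapt LINE_RE to your MTA's actual format."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

VALID_CODES = {250, 251, 252}
INVALID_CODES = {550}
PROBE_COMMANDS = {"VRFY", "EXPN", "RCPT"}

# Constructed format: <ISO time> <client ip> <command> <argument> <reply code>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<cmd>[A-Z]+) (?P<arg>\S+) (?P<code>\d{3})$"
)

SAMPLE_LOG = """\
2024-05-02T10:01:03Z 203.0.113.7 VRFY root 550
2024-05-02T10:01:03Z 203.0.113.7 VRFY admin 550
2024-05-02T10:01:04Z 203.0.113.7 VRFY alice 250
2024-05-02T10:01:04Z 203.0.113.7 VRFY bob 550
2024-05-02T10:01:05Z 203.0.113.7 VRFY sales 252
2024-05-02T10:01:05Z 203.0.113.7 EXPN staff 550
2024-05-02T10:01:06Z 203.0.113.7 VRFY carol 550
2024-05-02T10:03:20Z 198.51.100.20 RCPT alice@example.com 250
2024-05-02T10:03:21Z 198.51.100.20 DATA - 354
2024-05-02T10:09:00Z 192.0.2.9 VRFY dave 550
"""


def parse_log(text: str) -> list[dict]:
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines in other formats instead of aborting the run
        events.append({
            "ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
            "ip": m["ip"], "cmd": m["cmd"], "arg": m["arg"], "code": int(m["code"]),
        })
    return events


def classify_reply(code: int) -> str:
    """The slide's rule of thumb for what a VRFY/EXPN reply tells the sender."""
    if code in VALID_CODES:
        return "valid"
    if code in INVALID_CODES:
        return "invalid"
    return "other"


def detect_enumeration(events: list[dict], window: timedelta = timedelta(minutes=5),
                       min_probes: int = 5, min_failure_ratio: float = 0.5) -> list[dict]:
    """Flag a client that issues many VRFY/EXPN/RCPT probes within one window with a
    high share of 550s: legitimate senders rarely guess mailboxes. The alert carries
    the evidence, including which addresses the prober learned are valid."""
    by_ip = defaultdict(list)
    for e in events:
        if e["cmd"] in PROBE_COMMANDS:
            by_ip[e["ip"]].append(e)
    alerts = []
    for ip, probes in by_ip.items():
        probes.sort(key=lambda e: e["ts"])
        best, start = None, 0
        for end in range(len(probes)):
            while probes[end]["ts"] - probes[start]["ts"] > window:
                start += 1
            burst = probes[start:end + 1]
            failures = [p for p in burst if classify_reply(p["code"]) == "invalid"]
            if len(burst) >= min_probes and len(failures) / len(burst) >= min_failure_ratio:
                if best is None or len(burst) > len(best):
                    best = burst  # keep the largest qualifying window per source
        if best:
            alerts.append({
                "ip": ip,
                "probes": len(best),
                "invalid": sum(1 for p in best if classify_reply(p["code"]) == "invalid"),
                "confirmed_valid": sorted({p["arg"] for p in best
                                           if classify_reply(p["code"]) == "valid"}),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_enumeration(parse_log(SAMPLE_LOG)):
        print(alert)
```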
4.9 Remote Connection Enumeration
Topics: Telnet, SSH, RPC

Telnet
• TCP 23
• Used to obtain a command prompt of the remote host
• Can also be used to banner grab
telnet <target> <port>
• nmap has several telnet enumeration scripts
• Run all nmap telnet scripts against a target:
nmap -n -sV -Pn --script "*telnet* and safe" -p 23 <target>
• Brute force password via telnet
nmap --script telnet-brute <target>

SSH
• TCP 22
• Secure replacement for telnet
• Client and server exchange public keys to create a session key
• Includes Secure FTP (SFTP) and Secure Copy (SCP)
• Login syntax = ssh <username>@<hostname>
• Some SSH implementations have default usernames and passwords
  • Example: jailbroken iPhone SSH service uses root / alpine
• Nmap, Metasploit and Searchsploit have various tools for SSH enumeration and exploitation

SSH enumeration steps
1. Use nmap to determine if a host is running an SSH service
2. Use nmap to query the version of SSH
3. Use a Metasploit module to enumerate SSH users
4. Check the Kali searchsploit module to see if an enumeration (or other) exploit exists for the SSH service
5. Search for nmap scripts related to SSH enumeration

Use nmap to determine if a host is running an SSH service:
nmap <target>
Run default nmap scripts to query the version of SSH:
nmap -sC -sV <IP>
Use nmap scripts to enumerate users, brute force logins, obtain keys, etc.:
ls /usr/share/nmap/scripts/ | grep ssh
Use Metasploit modules to enumerate SSH users or login information:
search ssh_enumusers
search ssh_login
Use the Kali searchsploit module to search for version-specific exploits:
searchsploit openssh

RPC
• TCP 135
• Used by Windows processes to make requests of each other over the network
• rpcinfo
  • Make a connection to an RPC server and receive information about that server
• rpcclient
  • Enumerate and manage domain and SAM users and SIDs, groups, shares, domain info, privileges and more
  • Will attempt to connect via null session
  • If this is unsuccessful a username and password must be supplied
• Nmap script msrpc-enum
  • Queries an MSRPC endpoint mapper for a list of mapped services
  • Displays the gathered information

rpcclient commands
Command | Interface | Description
queryuser | SAMR | Retrieve user information.
querygroup | SAMR | Retrieve group information.
querydominfo | SAMR | Retrieve domain information.
enumdomusers | SAMR | Enumerate domain users.
enumdomgroups | SAMR | Enumerate domain groups.
createdomuser | SAMR | Create a domain user.
deletedomuser | SAMR | Delete a domain user.
lookupnames | LSARPC | Look up usernames to SID values.
lookupsids | LSARPC | Look up SIDs to usernames (RID cycling).
lsaaddacctrights | LSARPC | Add rights to a user account.
lsaremoveacctrights | LSARPC | Remove rights from a user account.
dsroledominfo | LSARPC-DS | Get primary domain information.
dsenumdomtrusts | LSARPC-DS | Enumerate trusted domains within an AD forest.

SAMR = Security Account Manager (SAM) Remote Protocol
LSARPC = Local Security Authority (Domain Policy) Remote Protocol

rpcclient example
rpcclient -U "" 192.168.1.20
srvinfo
lookupnames administrator
lookupsids
enumdomusers

4.10 Website Enumeration
Topics: Overview, Methods, Tools
Overview
• The simplest way to start website enumeration
• View the HTML source of a web page for:
  • Usernames and passwords
  • Email addresses and contact information
  • Domain names, host names and IP addresses
  • Links and URLs
  • Technologies used by the organization
  • Employee, customer and other confidential information
  • Internal resources
  • Potential vectors for attack

Methods
• Attempt to open a browser to popular directory names
• Note the HTTP response code:
  • 404 = "Not Found"
  • 403 = "Forbidden"
  • 402 = "Payment Required"
  • 401 = "Unauthorized" (Must authenticate first)
  • 200 = "OK"
• Directories that don't return a 404 exist
  • http://www.example.tld/admin (401)
  • http://www.example.tld/content (402)
  • http://www.example.tld/cgi-bin (403)
  • http://www.example.tld/test (404)
  • http://www.example.tld/logs (200)

Banner grabbing
Using Telnet:
telnet 192.168.10.100 8000
After making the connection, press Ctrl+] to break, then enter quit
Using Netcat:
echo -en "GET / HTTP/1.0\n\n\n" | nc www.comptia.org 80 | grep Server
• Some websites are deliberately configured to use non-standard ports
  • nmap -sV can detect this
nmap -PN -sT -sV -p0-65535 <target>

Tools
• Nmap scripts
  • nmap --script=http-enum <target>
  • nmap --script=http-drupal-enum <target>
  • nmap --script=http-php-version <target>
  • nmap --script=http-webdav-scan <target>
  • nmap --script=http-wordpress-enum <target>
• Metasploit has 281 web scanning modules including:
  • auxiliary/scanner/http/apache_userdir_enum
  • auxiliary/scanner/http/tomcat_enum
  • auxiliary/scanner/http/chromecast_webserver
  • auxiliary/scanner/http/brute_dirs
  • auxiliary/scanner/http/dir_listing
  • auxiliary/scanner/http/dir_scanner
  • auxiliary/scanner/http/http_version
  • auxiliary/scanner/http/wordpress_login_enum

More website enumeration tools
• Enumeration Techniques:
  • Google Dorks
  • Word lists
  • Brute Forcing
  • Third party services
  • SSL Certificates
  • DNS Zone Transfer
• Web Technologies Used:
  • Whatweb
  • Wappalyzer
  • Netcraft
  • IDServe
• Subdomain Enumeration:
  • Wfuzz
  • WPScan
  • Amass
  • Assetfinder
  • SubBrute
  • SubExtractor
  • Subfinder
  • Sublist3r
  • PureDns
• Hidden Objects Enumeration:
  • DirBuster
  • Dirb
  • dirsearch.py
  • GoBuster
  • Ffuf
  • feroxbuster
4.11 Other Enumeration Types
Topics: NTP, VoIP, IPSEC, IPv6, BGP

NTP
• Network Time Protocol (NTP) is used to synchronize clocks of network devices
• UDP 123
• Can maintain time to within 10 milliseconds over the public Internet
• Attackers query NTP for:
  • List of hosts connected to NTP server
  • Clients' IP addresses, system names, and operating systems
  • Internal IP addresses can be acquired if the NTP server is on the DMZ
Active Directory clients use Windows Time (not NTP) to synchronize their clocks to the domain. The Active Directory PDC Emulator domain controller is the time source for the domain. It can synchronize to other sources via NTP.

NTP enumeration tools
• Ntpdate
  • Query a time server
  ntpdate -q pool.ntp.org
• Ntptrace
  • Traces a chain of NTP servers back to the primary source
  ntptrace
• Ntpdc
  • Monitors operation of the NTP server
  • This example requests the last 600 clients that connected to the NTP time server:
  ntpdc -n -c monlist <IP or hostname of time server>
• NTP Time Server Monitor
• NTP Server Scanner
• Nmap
• Wireshark
• AtomSync
• NTPQuery
• PresenTense NTP Auditor
• PresenTense Time Server
• PresenTense Time Client
• LAN Time Analyser

VoIP
• VoIP uses SIP (Session Initiation Protocol) to manage voice and video calls over IP
  • TCP 5060 - Clear Text
  • TCP 5061 - SIP-TLS (encrypted)
• Data is carried by:
  • Real-time Transport Protocol (RTP) UDP 5004
  • Real-time Transport Control Protocol (RTCP) UDP 5005
• VoIP enumeration provides sensitive information such as:
  • VoIP gateway (connects SIP system to PSTN)
  • IP-PBX systems (routes calls inside the VoIP network)
  • client software
  • user phone extensions
• This information can be used to launch various VoIP attacks such as:
  • DoS, Session Hijacking, Caller ID spoofing, Eavesdropping, Spamming over Internet Telephony, VoIP phishing, etc.

VoIP enumeration methods
• Discover target VoIP information through:
  • Google search and Shodan for public information
  • Nmap and Sipvicious to map the internal VoIP network
  • Wireshark to identify SIP users
  • Job sites that list knowledge of a specific VoIP system as a skills requirement
• Search for the following information:
  • The public IP of the server
  • The VoIP network / infrastructure
  • Devices connected to the VoIP network, their open ports, and running services
  • User information (extension, device information, and logs)
  • Information about the VoIP server (model, vendor, OS, ports, etc.)

VoIP Google dorks
Google Dork | Description
inurl:/voice/advanced/ intitle:Linksys SPA configuration | Finds the Linksys VoIP router configuration page
inurl:"NetworkConfiguration" cisco | Find the Cisco phone details
inurl:"ccmuser/logon.asp" | Find Cisco call manager
intitle:asterisk.management.portal web-access | Finds the Asterisk web mgmt portal
inurl:8080 intitle:"login" intext:"UserLogin" "English" | VoIP login portals
intitle:" SPA Configuration" | Search Linksys phones
Note: Asterisk is a popular open source IP PBX

Sipvicious (svmap)
• A SIP auditing tool used to scan for and enumerate SIP devices and accounts
• Sends SIP INVITE or OPTION packets looking for responses from live hosts
• Logs the results to a file
• Attacks include:
  • SIP flood, RTP flood, SIP enumeration, Digest leak, RTP Bleed and RTP inject, fuzzing

root@kali:~# svmap 192.168.1.0/24 -v
INFO:ImaFly:trying to get self ip .. might take a while
INFO:root:start your engines
INFO:ImaFly:Looks like we received a SIP request from 192.168.1.20:5060
INFO:ImaFly ip:Looks like we received a SIP request from 192.168.1.21:5060
INFO:ImaFly:Looks like we received a SIP request from 192.168.1.22:5060

IPSEC
• IPSEC VPNs are digitally signed and optionally encrypted using DES, 3DES or AES
• You can use nmap or other scanners to identify IPSEC VPN servers
• Internet Key Exchange (IKE) is the handshake protocol used at the start of an IPSEC session
• You can also use ike-scan and psk-crack to try to capture and crack an IKE pre-shared key hash

ike-scan
• A command-line tool that uses the IKE protocol to discover, fingerprint and test IPsec VPN servers
• Can do two things:
  • Determine which hosts are running IKE
    • This is done by displaying those hosts which respond to the IKE requests sent by ike-scan.
  • Determine which IKE implementation the hosts are using
    • Done by recording the times of the IKE response packets from the target hosts and comparing the observed retransmission backoff pattern against known patterns.
• Can identify VPNs from manufacturers including Checkpoint, Cisco, Microsoft, Nortel, and Watchguard

psk-crack
• Attempts to crack IKE Aggressive Mode pre-shared keys
• Keys must have been previously gathered using ike-scan with the --pskcrack option
• Can work in dictionary or brute-force mode

IPv6
• You can identify IPv6 servers through DNS grinding
• DNS grinding is a dictionary attack using a list of possible host names
  • Uses AAAA requests
• Grinding tools include:
  • dnsdict6
  • dnsrevenum6
  • These are part of the thc-ipv6 tool suite
  sudo apt install thc-ipv6

# dnsdict6 -4 -t 16 example.com
Starting enumerating example.com. - creating 16 threads for 798 words...
Estimated time to completion: 1 to 1 minute
Detected openDNS, this might increase performance
Warning: wildcard domain configured
*.example.com. ->2606:2800:220:1:248:1893:25c8:1946
Warning: wildcard domain configured (2nd test)
www.example.com. ->2606:2800:220:1:248:1893:25c8:2033
www.example.com. -> 93.184.216.34

Found 1 domain name, 1 unique ipv4 and 2 unique ipv6 addresses for example.com.

BGP
• Border Gateway Protocol (BGP) is the routing protocol used on the Internet
• Organizations use BGP
• ISPs use BGP to choose Internet routes
• BGP has slow convergence
• An entire Autonomous System is treated as a "hop"
• Traffic between Internet-based networks is controlled by using BGP and autonomous system (AS) numbers
• IANA assigns AS numbers to RIRs
• RIRs allocate numbers to ISPs and large organizations so that they can manage their IP router networks and upstream connections.
• You can use whois and HE BGP Toolkit to enumerate:
  • An organization's AS numbers and IP addresses (referred to as "prefixes")
  • Knowing IP addresses gives you targets to scan

BGP enumeration example
• Whois query reveals netblocks and AS numbers for the company Nintendo

whois -a "nintendo*"

Nintendo Of America inc. NINTENDO-COM (NET-205-166-76-0-1)
205.166.76.0 - 205.166.76.255
NINTENDO HEADQUARTERS 1 NINTENDOHEADQUARTERS1 (NET-70-89-123-72-1)
70.89.123.72 - 70.89.123.79

Nintendo Of America inc. (AS11278) NINTENDO 11278

4.12 Enumeration Countermeasures and Review
Topics: Countermeasures, Review

Countermeasures
• When possible, use protocols that are encrypted, rather than clear text
• Disable NetBIOS and SMBv1
• Change the SNMP community string
• Disallow DNS zone transfers to unknown servers
• Maintain separate DNS servers for internal and public records (split DNS)
• Consider disabling VRFY and EXPN commands on your email server
• Use file system and share permissions to restrict access to sensitive content
• Perform your own enumeration to see what types of information an attacker can obtain
• Remediate when possible

Intro to Ethical Hacking review
• Enumeration is the systematic process of querying a target's servers and services for information
• Enumeration should appear to the server as a normal client making legitimate information requests
• You can enumerate information about the OS, its services, users and groups, network information, machine names, configuration settings, installed apps and service banners
• Many network protocols can be used for enumeration including:
  • NetBIOS/SMB, FTP/TFTP, NFS
  • SNMP
  • Telnet, SSH, RPC
  • SMTP
  • HTTP, DNS
  • LDAP, SQL, NTP
  • IPSEC, IPv6, SIP, BGP and others
