Lec4 Enumeration
OVERVIEW

We enumerate to find possible entry points into the target system!

Information to enumerate:
  OS and service details
  Users and groups
  Email addresses and contact information
  Network resources
  Network shares
  Routing tables
  Audit and service settings
  SNMP and DNS information
  Machine names
  Applications and banners

Guidelines:
  Enumeration should appear to the server as a normal client making legitimate information requests
  Your enumeration test should focus on the information you need
  You want to avoid returning too much information that will clutter your results
  A combination of manual and automated testing will give the best results
NMAP ENUMERATION EXAMPLES
  nmap -O 192.168.1.50
  nmap -sV 192.168.1.20
  nmap --script=smb-os-discovery <target>

HOST ENUMERATION EXAMPLES
Banner grab with netcat:
  netcat www.someserver.com 80
  HTTP/1.1 200 OK
  Server: Microsoft-IIS/6
  Expires: Tue, 17 Jan 2011 01:41:33 GMT
  Date: Mon, 16 Jan 2011 01:41:33 GMT
  Content-Type: text/html
  Accept-Ranges: bytes
  Last-Modified: Wed, 28 Dec 2010 15:32:21 GMT
  ETag: "b0aac0542e25c31:89d"
  Content-Length: 7369
Port: TCP 3268
Protocol: LDAP
Service: MS Active Directory Global Catalog Service
Tools: Same as for LDAP, but a different port
Comments: The Active Directory Global Catalog maintains a listing for all objects in an entire Active Directory forest.
NETBIOS ENUMERATION

NetBIOS (Network Basic Input/Output System)
  An API and Layer 5 protocol
  Used by Microsoft for simple LAN communications, name resolution and file sharing
  Originally used by the broadcast-based NetBEUI networking protocol
  Microsoft later made it a payload of TCP/IP (NetBIOS over TCP)
  Ports: TCP 137, 139; UDP 137, 138
  Of the special characters allowed in NetBIOS names, only the dash is compatible with DNS naming conventions

SMB (Server Message Block)
  Microsoft file and print sharing protocol
  The Microsoft Workstation Service (client) connects to a remote machine's Server Service (server)
  Also provides authenticated inter-process communication (IPC) among processes running on remote computers
  A hidden network share, known as the IPC share (ipc$), is used on Windows computers
  Facilitates communication between processes and remote computers

NetBIOS name table
  Name          Code  Type    Information obtained
  <host name>   <00>  Unique  Hostname
  <domain>      <00>  Group   Domain name
  <host name>   <03>  Unique  Messenger service running for that computer
  <username>    <03>  Unique  Messenger service running for that individual logged-in user
  <host name>   <20>  Unique  Server service running
  <domain>      <1D>  Group   Master browser name for that subnet
  <domain>      <1B>  Unique  Domain master browser name, identifies the PDC for the domain
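Added example (not from the lecture): a parser for a NetBIOS node status (NBSTAT) response, the reply that nbtstat -A retrieves, which labels each name-table entry with the meaning from the table above. The response bytes are constructed for the example (host WKS01 in domain CORP), not a real capture.

```python
import struct

# Meaning of (suffix, is_group) pairs, taken from the NetBIOS name table above
SUFFIX_MEANING = {
    (0x00, False): "Hostname",
    (0x00, True): "Domain name",
    (0x03, False): "Messenger service (computer or logged-in user)",
    (0x20, False): "Server service running",
    (0x1D, True): "Master browser for that subnet",
    (0x1B, False): "Domain master browser (PDC)",
}

def parse_node_status(payload: bytes) -> list:
    """Parse a NetBIOS Node Status response (RFC 1002, NBSTAT, RR type 0x21)
    and return one dict per name-table entry."""
    pos = 12                                   # skip the 12-byte NBNS header
    pos += 1 + payload[pos] + 1                # length byte, encoded name, 0x00 terminator
    rr_type, _cls, _ttl, _rdlen = struct.unpack_from(">HHIH", payload, pos)
    if rr_type != 0x21:
        raise ValueError("not a node status (NBSTAT) response")
    pos += 10
    num_names, pos = payload[pos], pos + 1
    entries = []
    for _ in range(num_names):                 # each name entry is 18 bytes
        name = payload[pos:pos + 15].decode("ascii").rstrip(" ")
        suffix = payload[pos + 15]
        flags = struct.unpack_from(">H", payload, pos + 16)[0]
        is_group = bool(flags & 0x8000)        # G bit: 1 = group name, 0 = unique
        entries.append({"name": name, "suffix": suffix,
                        "type": "Group" if is_group else "Unique",
                        "meaning": SUFFIX_MEANING.get((suffix, is_group), "Unknown")})
        pos += 18
    return entries

def build_sample_response() -> bytes:
    """Constructed NBSTAT reply for host WKS01 in domain CORP (not a real capture)."""
    def entry(name, suffix, group):
        return name.ljust(15).encode() + bytes([suffix]) + struct.pack(">H", 0x8000 if group else 0)
    header = struct.pack(">HHHHHH", 0x1234, 0x8400, 0, 1, 0, 0)   # id, flags (response), counts
    qname = b"\x20" + b"CK" + b"AA" * 15 + b"\x00"               # half-ASCII "*" padded with NULs
    rdata = bytes([4]) + entry("WKS01", 0x00, False) + entry("CORP", 0x00, True) \
        + entry("WKS01", 0x20, False) + entry("CORP", 0x1D, True)
    return header + qname + struct.pack(">HHIH", 0x21, 1, 0, len(rdata)) + rdata

if __name__ == "__main__":
    for e in parse_node_status(build_sample_response()):
        print(f"{e['name']:<15} <{e['suffix']:02X}> {e['type']:<7} {e['meaning']}")
```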
NetBIOS and SMB
  Originally NetBIOS and SMB worked together:
    An SMB client uses the NetBIOS API to send an SMB command to an SMB server, then listens for replies from the SMB server
    An SMB server uses the NetBIOS API to listen for SMB commands from SMB clients, then sends replies to the SMB client
  Since Windows 2000, SMB runs directly on TCP 445
  NetBIOS still exists for backward compatibility
  The Linux/UNIX Samba server is a reverse-engineered SMBv1 file server service
    It has the same vulnerabilities as the Windows original
  NetBIOS and SMB have a long history of vulnerabilities

You can use SMB to make NetBIOS calls to a Microsoft Server Service. You can enumerate:
  Computer names
  Share names
  User names
  Logon information
  Password policy and hashes
  NetBIOS computer and domain names
  Active Directory domain and forest names
  FQDNs
  System time
Null sessions
  A null user is a pseudo account that has no username and password
  It was initially used by Windows systems to "log in" to each other to trade network browse lists
  For decades, the null session was an exploit that took advantage of the null user:
    net use \\<IP ADDRESS>\IPC$ "" /user:
  Mapping a drive to the IPC$ process then allows you to enumerate a lot of information via NetBIOS and SMB

nbtstat
  Windows utility
  Displays NetBIOS over TCP/IP protocol statistics, NetBIOS name tables for local and remote computers, and the NetBIOS name cache
  nbtstat [-a RemoteName] [-A IPAddress] [-c] [-n] [-r] [-R] [-RR] [-s] [-S] [Interval]

Linux NetBIOS enumeration tool
  Has 19 sub commands for enumerating information via NetBIOS
  Runs on Linux
  Enumerates NetBIOS information from Windows and Linux Samba
  -A  all
  -U  get userlist
  -M  get machine list
  -N  get namelist dump (different from -U and -M)
  -S  get sharelist
  -P  get password policy information
  -G  get group and member list
Tools
  Connection-based TCP port scanner, pinger, and hostname resolver
    Support for unlimited IP ranges
    Host detection by multiple ICMP methods
    TCP SYN and UDP scanning
    Simple HTML report generation
    Source port scanning
    Hostname resolving
    Banner grabbing
    Windows host enumeration
  NetBIOS Enumerator
  NSAuditor Network Security Auditor
    Includes more than 45 network tools and utilities for network security auditing, network scanning, network monitoring, etc.
  Hyena
    A GUI application for managing and securing Microsoft operating systems
    Shows shares
    Shows user logon names for Windows servers and domain controllers
    Displays a graphical representation of Microsoft Terminal Services, Microsoft Windows Network, Web Client Network, etc.
  Winfingerprint
    Shows the operating system; enumerates users, groups, SIDs, transports, sessions, services, service pack and hotfix level, date and time, disks, and open TCP/UDP ports
TRANSFER ENUMERATION: FTP, TFTP, NFS

FTP
  TCP 21 (commands)
  TCP 20 or a random port (data transfer)
  Active mode: the server tries to initiate the data connection, which the client's firewall blocks
  Passive mode: the client initiates the data connection, which the client's firewall allows
  You can use FTP commands to enumerate information from an FTP server:
    Accounts
    Passwords
    Anonymous login capabilities
    Port scanning other targets
  Netcat: banner grab from an FTP server
  Nmap scripts:
    ftp-anon - Checks if an FTP server allows anonymous logins.
    ftp-brute - Performs brute-force password auditing against FTP servers.
    ftp-bounce - Checks to see if an FTP server allows port scanning using the FTP bounce method.
  ftp-user-enum
    Tool for enumerating OS-level user accounts via the ftp service
    Works against the default Solaris in.ftpd and GNU inetutils ftpd

TFTP
  FTP's "Little Brother"
  No authentication
  Clear text
  UDP 69
  Non-interactive
  No browsing the server directory
  You must know the name of the file you want to download / upload
  Typically used to upload/download OS and config files for networking devices
  You can try downloading a configuration file by its default name:
    TFTP.exe <host> GET startup-config
  Making an unauthorized connection to a TFTP server is still unauthorized access!!

NFS
  You can use the NFS client to enumerate shares on the network
On the file server:
1. Add a line in the /etc/exports file to allow anyone on the subnet to read/write to
the share:
/home/srvshare 192.168.1.0/24(rw,sync)
2. Run a command to export all shares listed in /etc/exports:
exportfs -a
3. Start the NFS server process:
/etc/init.d/nfs-kernel-server start
On the client:
mkdir /home/fromserver
sudo mount -t nfs <server IP>:/home/srvshare /home/fromserver
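Added example (not from the lecture): an /etc/exports auditor that flags the kind of line the steps above create (a whole subnet with rw), exports to every host, and options that weaken the share. The sample exports file is constructed for the example and includes the lecture's line beside a hardened variant.

```python
import ipaddress

def parse_export_line(line: str):
    """Split one /etc/exports line into (path, [(host, {options})]).
    A spec written as ' (rw)' with a space before the parenthesis has no host and
    therefore exports to every host, a classic mistake this parser keeps visible."""
    parts = line.split()
    clients = []
    for spec in parts[1:]:
        host, _, opts = spec.partition("(")
        options = set(opts.rstrip(")").split(",")) if opts else set()
        clients.append((host or "*", options))
    return parts[0], clients

def audit_exports(text: str) -> list:
    """Return one finding per risky export in the given /etc/exports content."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        path, clients = parse_export_line(line)
        if not clients:
            findings.append(f"line {lineno}: {path} exported to every host (no client list)")
        for host, options in clients:
            if host == "*":
                findings.append(f"line {lineno}: {path} exported to every host")
            elif "/" in host:
                try:
                    net = ipaddress.ip_network(host, strict=False)
                except ValueError:
                    net = None                    # a hostname pattern, not an IP range
                if net is not None and "rw" in options and net.num_addresses > 1:
                    findings.append(f"line {lineno}: {path} writable by all of {net}")
            if "no_root_squash" in options:
                findings.append(f"line {lineno}: {path} keeps remote root as root (no_root_squash)")
            if "insecure" in options:
                findings.append(f"line {lineno}: {path} accepts clients on non-privileged ports (insecure)")
    return findings

# Constructed sample: the line from the steps above, a hardened variant, and two risky exports
SAMPLE_EXPORTS = """\
# whole subnet gets read/write (the lecture's example)
/home/srvshare 192.168.1.0/24(rw,sync)
# hardened: one client, read-only, remote root squashed
/home/srvshare 192.168.1.50(ro,sync,root_squash)
/srv/backup *(rw,no_root_squash)
/srv/scratch (rw)
"""

if __name__ == "__main__":
    for finding in audit_exports(SAMPLE_EXPORTS):
        print(finding)
```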
WMI ENUMERATION

PowerShell CIM cmdlets (Get-CimClass replaces the obsolete Get-WMIObject cmdlet; PowerShell is not case sensitive)
  Get-CimClass
    Returns all WMI classes
  Get-CimInstance -ClassName <name>
    Returns information about a particular class
    E.g. Get-CimInstance -ClassName Win32_Processor
  Get-CimClass '*<string>*'
    Returns all classes that have the string in the name (wildcards in the class name work with Get-CimClass, not Get-CimInstance)
    E.g. Get-CimClass '*processor*'
  Get-CimInstance <class> | ft
    Output results in table format
    E.g. Get-CimInstance Win32_process | ft
  Get-CimInstance <class> | ft -autosize
    Output results in table format, automatically resizing columns as needed
  Get-CimInstance <class> | fl
    Output results in list format

WMI Query Language (WQL)
  A subset of ANSI SQL
  Basic syntax: Select <property> from <WMI-class>
  Examples:
    Select * from Win32_Bios
    Select Name from Win32_Bios
    Select name, version from Win32_Bios
  Can be used in PowerShell, other scripts, and custom apps
  Sometimes has better performance than equivalent PowerShell cmdlets
  Queries might also be more complex than the equivalent cmdlet

Tools
  Enumeration: Solarwinds Free WMI Monitor, WMI Explorer (CodePlex)
  Exploit: WmiSploit (GitHub)
SNMP ENUMERATION
  The manager uses a Management Information Base (MIB) to know what types of information an agent can provide
  A MIB is a set of counters (Object IDs) relevant to the device
  SNMP has several versions that are still in use:
    v1, v2, v2c all communicate in clear text
    v3 is encrypted
    Not all devices support v3
  Both the manager and agent are configured with a simple authentication mechanism called the "community string"
    Simple text string
    An agent will only respond to a manager that has the same community string
    There are two default community strings:
      "Public" - for read-only queries
      "Private" - for read/write communications
    Many administrators do not change the default community strings
  SNMP ports:
    UDP 161 - Manager queries and agent replies
    UDP 162 - Agents "raise traps" (send pre-configured alerts) to the manager
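Added example (not from the lecture): a checker for the weak settings just described, run against a net-snmp style snmpd.conf, which flags v1/v2c community strings (clear text), the default "public"/"private" names, communities accepted from any source, and SNMPv3 users configured without privacy. Both configuration samples are constructed for the example; the directive names are net-snmp's rocommunity, rwcommunity, rouser and rwuser.

```python
DEFAULT_COMMUNITIES = {"public", "private"}   # the two defaults the lecture warns about

def audit_snmpd_conf(text: str) -> list:
    """Return (line number, issue) pairs for weak settings in a net-snmp snmpd.conf:
    v1/v2c communities (always clear text), default community names, communities
    not restricted to a source network, and SNMPv3 users without privacy (encryption)."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        tokens = line.split()
        directive = tokens[0].lower()
        if directive in ("rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"):
            community = tokens[1] if len(tokens) > 1 else ""
            access = "read/write" if directive.startswith("rw") else "read-only"
            findings.append((lineno, f"{access} community over SNMPv1/v2c (clear text)"))
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append((lineno, f"default community string '{community}'"))
            if len(tokens) < 3 or tokens[2].lower() == "default":
                findings.append((lineno, f"community '{community}' accepted from any source"))
        elif directive in ("rouser", "rwuser") and len(tokens) > 1:
            level = tokens[2].lower() if len(tokens) > 2 else "auth"   # net-snmp default level
            if level != "priv":
                findings.append((lineno, f"SNMPv3 user '{tokens[1]}' without privacy ({level})"))
    return findings

# Constructed samples: the defaults described above, then an SNMPv3-only configuration
WEAK_CONF = """\
rocommunity public
rwcommunity private 192.168.1.0/24
"""
HARDENED_CONF = """\
# SNMPv3 only: authenticated and encrypted, read-only
rouser netmon priv
"""

if __name__ == "__main__":
    for lineno, issue in audit_snmpd_conf(WEAK_CONF):
        print(f"line {lineno}: {issue}")
```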
Information you can obtain via SNMP:
  Hosts
  ARP tables
  Users and groups
  Routing tables
  Services
  VLANs
  Installed software
  Port and interface status
  Network shares
  Network traffic
  Device configurations and much, much more

Tools
  Nmap NSE scripts (there are 12 for snmp)
  Metasploit snmp auxiliary modules
  Snmpwalk
  Snmpget
  Net-SNMP
  SNMP Scanner
  OIDVIEW SNMP MIB Browser
  iReasoning MIB Browser
  SNScan
  SoftPerfect Network Scanner
  SNMP Informant
  NSauditor Network Security Auditor
  Getif
  Spiceworks
  Observium
4.6 LDAP ENUMERATION

LDAP
  Clear text by default
  Based on X.500
  Can be used to obtain a list of every object in the directory service database including:

DNS
  dig <hostname>
  dig DomainNameHere
  dig www.example.com A
  Try a zone transfer by guessing the domain that the server is authoritative for:
SMTP ENUMERATION

How mail flows from acme.com to example.com:
  1. The ACME client uses SMTP to send an email message to the email server for acme.com
  2. The local email server performs a DNS lookup to find the MX record and IP address (A/AAAA record) of the email server for example.com
  3. The acme.com email server uses SMTP to deliver the message across the Internet to the example.com email server
  4. The example.com email server puts the message ...

Simple Mail Transfer Protocol (SMTP) has three built-in commands of interest:
  VRFY - validates that an email address actually exists for a user
  EXPN - requests or expands a mailing list into individual recipients
  RCPT TO - specifies the actual recipient(s)
As an attacker, you can use the SMTP commands manually to enumerate valid email addresses

Tools
  telnet
  netcat
  NetScanTool Pro
  smtp-user-enum
  smtp_user_enum.py
  Kali iSMTP
  Metasploit auxiliary module smtp_enum
  nmap NSE script smtp-enum-users

Manual check with telnet:
  telnet <email server> 25
  vrfy [email protected]
If you receive a message code 250, 251, 252: the server has accepted the request and the user account is valid
If you receive a message code 550: the user account is invalid
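Added example (not from the lecture): detection logic for the server side of the VRFY/EXPN/RCPT TO exchange above. It reads mail-server log lines and flags a client whose probes are mostly answered with 550, while recording which names the server confirmed with 250/251/252. The log format and every entry are constructed for the example.

```python
from collections import defaultdict

VALID_CODES = {250, 251, 252}   # per the lecture: request accepted, account valid
INVALID_CODE = 550              # per the lecture: account invalid
PROBE_COMMANDS = {"VRFY", "EXPN", "RCPT"}

def parse_log_line(line: str):
    """Constructed log format (assumption): '<time> <client ip> <command> <argument> <reply code>'."""
    time, client, command, argument, code = line.split(maxsplit=4)
    return time, client, command.upper(), argument, int(code)

def detect_user_enumeration(log_lines, min_probes=5, min_invalid_ratio=0.6) -> dict:
    """Return {client ip: stats} for clients whose VRFY/EXPN/RCPT traffic looks like
    account enumeration: at least min_probes probes, of which min_invalid_ratio or
    more drew a 550 reply. stats also lists the names the server confirmed as valid."""
    stats = defaultdict(lambda: {"probes": 0, "invalid": 0, "valid_users": []})
    for line in log_lines:
        if not line.strip():
            continue
        _, client, command, argument, code = parse_log_line(line)
        if command not in PROBE_COMMANDS:
            continue                          # MAIL, DATA, etc. are not probes
        s = stats[client]
        s["probes"] += 1
        if code == INVALID_CODE:
            s["invalid"] += 1
        elif code in VALID_CODES:
            s["valid_users"].append(argument)
    return {client: s for client, s in stats.items()
            if s["probes"] >= min_probes and s["invalid"] / s["probes"] >= min_invalid_ratio}

# Constructed sample: a normal delivery from one peer, then a VRFY/EXPN sweep from another
SAMPLE_LOG = """\
10:00:01 198.51.100.9 MAIL FROM:<news@partner.example> 250
10:00:01 198.51.100.9 RCPT TO:<alice@example.com> 250
10:00:02 198.51.100.9 RCPT TO:<bob@example.com> 250
10:01:10 203.0.113.5 VRFY root 550
10:01:10 203.0.113.5 VRFY admin 550
10:01:11 203.0.113.5 VRFY alice 250
10:01:11 203.0.113.5 VRFY test 550
10:01:12 203.0.113.5 VRFY bob 250
10:01:12 203.0.113.5 EXPN staff 550
10:01:13 203.0.113.5 VRFY guest 550
10:01:13 203.0.113.5 VRFY backup 550
"""

if __name__ == "__main__":
    for client, s in detect_user_enumeration(SAMPLE_LOG.splitlines()).items():
        print(f"{client}: {s['probes']} probes, {s['invalid']} invalid, confirmed {s['valid_users']}")
```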
Sending a test email with telnet (send interactively, one line at a time):
  telnet mail.example.com 25
  ehlo example.com
  mail from: [email protected]
  rcpt to: [email protected], [email protected]
  data
  Subject: My Telnet Test Email

  Hello,
  This is an email sent by using the telnet command.
  Your friend,
  Me
  .
(Or send all at once, pressing <Enter>.<Enter> to finish)

Enumerating users with Metasploit:
  1. In Kali Linux, create a list of possible email addresses and save it to your Desktop as user.txt
  2. Open Metasploit Framework
  3. In the Metasploit console enter these commands:
     use auxiliary/scanner/smtp/smtp_enum
     set rhosts <email server IP>
     set rport 25
     set USER_FILE /root/Desktop/user.txt
     exploit
CONNECTION ENUMERATION: Telnet, SSH, RPC

Telnet
  TCP 23
  Used to obtain a command prompt on the remote host
  Can also be used to banner grab:
    telnet <target> <port>
  nmap has several telnet enumeration scripts
  Run all nmap telnet scripts against a target:
    nmap -n -sV -Pn --script "*telnet* and safe" -p 23 <target>
  Brute force passwords via telnet:
    nmap --script telnet-brute <target>

SSH
  TCP 22
  Secure replacement for telnet
  Client and server exchange public keys to create a session key
  Includes Secure FTP (SFTP) and Secure Copy (SCP)
  Login syntax: ssh <username>@<hostname>
  Some SSH implementations have default usernames and passwords
    Example: a jailbroken iPhone SSH service uses root / alpine
  Nmap, Metasploit and Searchsploit have various tools for SSH enumeration and exploitation
  SSH enumeration steps:
    1. Use nmap to determine if a host is running an SSH service: nmap <target>
    2. Use nmap to query the version of SSH: run the default nmap scripts
    3. Use a Metasploit module to enumerate SSH users
    4. Check the Kali searchsploit module to see if an enumeration (or other) exploit exists for the SSH service
    5. Search for nmap scripts related to SSH enumeration
  Use nmap scripts to enumerate users, brute force logins, obtain keys, etc.
RPC
  TCP 135
  Used by Windows processes to make requests of each other over the network
  rpcinfo
    Makes a connection to an RPC server and receives information about that server
  rpcclient
    Enumerates and manages domain and SAM users and SIDs, groups, shares, domain info, privileges and more
    Will attempt to connect via a null session; if this is unsuccessful a username and password must be supplied
    Useful rpcclient commands:
      srvinfo
      lookupnames administrator
      lookupsids
      enumdomusers
WEBSITE ENUMERATION

The simplest way to start website enumeration is to view the HTML source of a web page. Look for:
  Usernames and passwords
  Email addresses and contact information
  Domain names, host names and IP addresses
  Links and URLs
  Technologies used by the organization

Attempt to open a browser to popular directory names and note the HTTP response code:
  404 = "Not Found"
  403 = "Forbidden"
  402 = "Payment Required"
  401 = "Unauthorized" (must authenticate first)
  200 = "OK"

Using Telnet:
  telnet 192.168.10.100 8000
  After making the connection, press Ctrl+] to break, then enter quit

Some websites are deliberately configured to use non-standard ports; nmap -sV can detect this:
  nmap -PN -sT -sV -p0-65535 <target>

Using Netcat:
  echo -en "GET / HTTP/1.0\n\n\n" | nc www.comptia.org 80 | grep Server

Nmap scripts:
  nmap --script=http-enum <target>
  nmap --script=http-drupal-enum <target>
  nmap --script=http-php-version <target>
  nmap --script=http-webdav-scan <target>
  nmap --script=http-wordpress-enum <target>

Metasploit has 281 web scanning modules including:
  auxiliary/scanner/http/apache_userdir_enum
  auxiliary/scanner/http/tomcat_enum
  auxiliary/scanner/http/chromecast_webserver
  auxiliary/scanner/http/brute_dirs
  auxiliary/scanner/http/dir_listing
  auxiliary/scanner/http/dir_scanner
  auxiliary/scanner/http/http_version
  auxiliary/scanner/http/wordpress_login_enum
OTHER ENUMERATION TYPES: NTP, VoIP, IPSEC, IPv6, BGP

NTP
  Attackers query NTP for:
    A list of hosts connected to the NTP server
    Clients' IP addresses, system names, and operating systems
    Internal IP addresses can be acquired if the NTP server is on the DMZ
  Active Directory clients use Windows Time (not NTP) to synchronize their clocks to the domain
    The Active Directory PDC Emulator domain controller is the time source for the domain
    It can synchronize to other sources via NTP
  Tools:
    ntptrace - traces a chain of NTP servers back to the primary source
    ntpdc - monitors operation of the NTP server
      This example requests the last 600 clients that connected to the NTP time server:
      ntpdc -n -c monlist <IP or hostname of time server>
    Wireshark
    AtomSync
    NTPQuery
    PresenTense NTP Auditor
    PresenTense Time Server
    PresenTense Time Client
    NTP Time Server Monitor
    LAN Time Analyser
VoIP
  VoIP uses SIP (Session Initiation Protocol) to manage voice and video calls over IP
    TCP 5060 - clear text
    TCP 5061 - SIP-TLS (encrypted)
  Data is carried by the Real-time Transport Protocol (RTP, UDP 5004) and the Real-time Transport Control Protocol (RTCP, UDP 5005)
  VoIP enumeration provides sensitive information such as:
    VoIP gateway (connects the SIP system to the PSTN)
    IP-PBX systems (route calls inside the VoIP network)
    Client software
    User phone extensions
  This information can be used to launch various VoIP attacks such as DoS, session hijacking, caller ID spoofing, eavesdropping, spamming over Internet telephony, VoIP phishing, etc.
  Discover target VoIP information through:
    Google search and Shodan for public information
    Nmap and Sipvicious to map the internal VoIP network
    Wireshark to identify SIP users
    Job sites that list knowledge of a specific VoIP system as a skills requirement
  Search for the following information:
    The public IP of the server
    The VoIP network / infrastructure
    Devices connected to the VoIP network, their open ports, and running services
    User information (extension, device information, and logs)
    Information about the VoIP server (model, vendor, OS, ports, etc.)
  Google Dork: inurl:/voice/advanced/ intitle:Linksys SPA configuration
    Description: finds the Linksys VoIP router configuration page
  SIP auditing tool
    Used to scan for and enumerate SIP devices and accounts
    Sends SIP INVITE or OPTIONS packets looking for responses from live hosts
    Logs the results to a file

IPSEC
  ike-scan: a command-line tool that uses the IKE protocol to discover, fingerprint and test IPsec VPN servers
  PSK cracking: attempts to crack IKE Aggressive Mode pre-shared keys; the keys must have been previously gathered using ike-scan with the --pskcrack option

IPv6
  Sample output from an IPv6 enumeration tool:
    Found 1 domain name, 1 unique ipv4 and 2 unique ipv6 addresses for example.com.
BGP
  Border Gateway Protocol (BGP) is the routing protocol used on the Internet
  Organizations use BGP
  ISPs use BGP to choose Internet routes
  BGP has slow convergence
  An entire Autonomous System is treated as a "hop"
  Traffic between Internet-based networks is controlled by using BGP and autonomous system (AS) numbers
  IANA assigns AS numbers to RIRs
  RIRs allocate numbers to ISPs and large organizations so that they can manage their IP router networks and upstream connections
  You can use whois and the HE BGP Toolkit to enumerate an organization's AS numbers and IP addresses (referred to as "prefixes"):
    whois -a "nintendo*"
4.12 ENUMERATION COUNTERMEASURES AND REVIEW

Countermeasures
  When possible, use protocols that are encrypted, rather than clear text
  Disable NetBIOS and SMBv1
  Change the SNMP community string
  Disallow DNS zone transfers to unknown servers
  Maintain separate DNS servers for internal and public records (split DNS)
  Consider disabling the VRFY and EXPN commands on your email server
  Use file system and share permissions to restrict access to sensitive content
  Perform your own enumeration to see what types of information an attacker can obtain
  Remediate when possible
INTRO TO ETHICAL HACKING: REVIEW
  Enumeration is the systematic process of querying a target's servers and services for information
  Enumeration should appear to the server as a normal client making legitimate information requests
  You can enumerate information about the OS, its services, users and groups, network information, machine names, configuration settings, installed apps and service banners