Enumeration EH A

Uploaded by Mustefa Mohammed

Module IV

Enumeration
Module outline
• What is Enumeration?
• Techniques for Enumeration
• Services and Ports to Enumerate
• Different enumerations
  • NetBIOS Enumeration
  • SNMP enumeration
  • Linux/Windows enumeration
  • Lightweight Directory Access Protocol (LDAP) Enumeration
  • NTP enumeration
  • DNS enumeration
• Enumeration Countermeasures
What is Enumeration
• Enumeration is defined as the process of extracting user names, machine
names, network resources, shares and services from the target system.

• In this phase, the attacker creates an active connection to the system and
performs directed queries to gain more information about the target.

• The gathered information is used to identify vulnerabilities or weak
points in system security, which the attacker then tries to exploit in the
system gaining phase.

• Attackers use the extracted information to identify system attack points and
perform password attacks to gain unauthorized access to information
system resources.

• Enumeration techniques are conducted in an intranet environment.


Cntd…
Types of information enumerated by intruders:
• Network resources and shares
• Users and groups
• Routing tables
• Auditing and service settings
• Machine names
• Applications and banners
• SNMP and DNS details

Cntd…
• Techniques for Enumeration
  • Extracting user names using email IDs
  • Extracting information using default passwords
  • Brute forcing Active Directory
  • Extracting user names using SNMP
  • Extracting user groups from Windows
  • Extracting information using DNS zone transfer
Techniques for Enumeration
The following are the different enumeration techniques:
1. Extract user names using email IDs: In general, every email ID contains two parts;
one is the user name and the other is the domain name. [email protected]
2. Extract information using default passwords: Many online resources provide
lists of default passwords assigned by manufacturers to their products. If users don't change
them, attackers can use them to enumerate data.
3. Brute force Active Directory
• Microsoft Active Directory is vulnerable to a user name enumeration weakness in the
way it verifies user-supplied input.
• This is the consequence of a design error in the application. If the "logon hours" feature is
enabled, authentication attempts to the service produce differing error messages.
• Attackers take advantage of this and exploit the weakness to enumerate valid user names.
• If an attacker succeeds in revealing valid user names, they can conduct a brute-
force attack to reveal the corresponding passwords.
Techniques for Enumeration
4. Extract user names using SNMP
• Attackers can easily guess the community "strings" used by the SNMP API and, through
them, extract the required user names.

5. Extract user groups from Windows: These techniques extract user accounts from specified
groups, store the results, and also verify whether the session accounts are in the group or not.

6. Extract information using DNS Zone Transfer
• A DNS zone transfer reveals a lot of valuable information about the particular zone you
request.
• When a DNS zone transfer request is sent to the DNS server, the server transfers its
DNS records for that zone, which contain information about the hosts in it.
• An attacker can get valuable topological information about a target's internal network
using a DNS zone transfer.
Services and Port to Enumerate
• TCP 53: DNS Zone transfer

• TCP 135: Microsoft RPC Endpoint Mapper

• TCP 137: NetBIOS Name Service

• TCP 139: NetBIOS session Service (SMB over NetBIOS)

• TCP 445: SMB over TCP (Direct Host)

• UDP 161: SNMP

• TCP/UDP 389: LDAP

• TCP/UDP 3368: Global Catalog Service

• TCP 25: Simple Mail Transfer Protocol (SMTP)


Cntd…
• Enumerations depend on the services that the systems offer. They
can be:
  • NetBIOS Enumeration
  • SNMP enumeration
  • Linux/Windows enumeration
  • Lightweight Directory Access Protocol (LDAP) Enumeration
  • NTP enumeration
  • DNS enumeration
NetBIOS Enumeration
• NetBIOS stands for Network Basic Input Output System.
• It allows computers to communicate over a LAN and to share files
and printers.
• NetBIOS names are used to identify network devices over TCP/IP
(Windows).
• A NetBIOS name is a unique 16 ASCII character string used to identify
network devices over TCP/IP; 15 characters are used for the device name
and the 16th character is reserved for the service or name record type.
• Attackers use NetBIOS enumeration to obtain:
  • List of computers that belong to a domain
  • List of shares on the individual hosts on the network
  • Policies and passwords
Cntd…
• Commands and tools used:
• Nbtstat: command-line utility used to find protocol statistics, the
NetBIOS name table and name cache details for local and
remote computers. Run: nbtstat.exe -a <NetBIOS name of remote machine>
• Net view: command-line tool to identify shared resources on a
network.
• Nbtscan: a program for scanning IP networks for NetBIOS
name information.
  • For each host that responds it lists the IP address, NetBIOS
computer name, logged-in user name and MAC address.
Cntd…
• Hyena: a GUI tool for managing and securing Microsoft operating systems.
  • It shows shared resources and user logon names for Windows
servers and domain controllers.
Enumerating User Accounts
• PsExec: a command-line tool that lets you execute processes on other
systems, including console applications.
• PsFile: a command-line utility that shows a list of files on a system
that are opened remotely, and also allows you to close opened files either
by name or by file identifier.
• PsKill: a command-line utility that can kill processes on remote systems
and terminate processes on the local computer.
• PsList: a command-line tool that administrators use to view
information about process CPU and memory usage or thread
statistics.
Cntd…
• PsLoggedOn: displays local and remote logged-on users.
• PsLogList: by default, shows the contents of the System
Event Log on the local computer.
• PsPasswd: a tool that enables the administrator to change the
administrator password as part of standard security practice.
• PsShutdown: a command-line tool that allows you to remotely shut
down PCs on the network.


Enumerate Systems Using Default Passwords
• Devices like switches, hubs, routers and access points might still be
enabled with a "default password".
• Attackers gain unauthorized access to the organization's computer
network and information resources by using default and common
passwords.
• Not only network devices but also a few local and online
applications have built-in default passwords.
• Ex: admin/admin or Username/Pwd
Simple Network Management Protocol (SNMP) Enumeration
• SNMP is an application layer protocol which uses the UDP protocol to maintain
and manage network devices on an IP network.
• SNMP enumeration is the process of enumerating user accounts and devices on a target system
using SNMP.
• SNMP consists of a manager and an agent; agents are embedded on every
network device, and the manager is installed on a separate computer.
• SNMP holds two passwords to access and configure the SNMP agent:
  • Read community string: "public" by default; allows viewing the
device or system configuration.
  • Read/write community string: "private" by default; allows editing or
altering the configuration on the device.
Cntd…
• Attackers use these default community strings to extract information about a
device.
• Attackers enumerate SNMP to extract information about network resources
such as:
  • hosts,
  • routers,
  • hubs, and
  • shares, etc.
• and network information such as:
  • ARP tables,
  • routing tables,
  • traffic statistics,
  • device-specific information, etc.
Cntd…
• SNMP consists of three major components:
1. Managed Device: a device or host (technically known as a node)
which has the SNMP service enabled.
These devices could be routers, switches, hubs, bridges, computers, etc.
2. Agent: an agent can be thought of as a piece of software that runs on a managed
device.
  • Its primary job is to convert information into an SNMP-compatible format for
the smooth management of the network using the SNMP protocol.
3. Network Management System (NMS): the software systems
that are used for monitoring the network devices.
• Management Information Base (MIB): a virtual database containing a formal
description of all the network objects that can be managed using SNMP.
Cntd…
• Some popular tools
• OpUtils:
  • Its integrated set of tools helps network engineers to monitor, diagnose,
and troubleshoot their IT resources - http://www.manageengine.com
  • You can monitor the availability and
  • other activities of critical devices,
  • detect unauthorized network access, and
  • manage IP addresses.
  • It allows you to create custom SNMP tools through which you can
monitor Management Information Base (MIB) nodes.
Cntd…
• SolarWinds
  • best SNMP enumeration tool - www.solarwinds.com
  • IP Network Browser performs network discovery on a single subnet or
a range of subnets using Internet Control Message Protocol (ICMP)
and SNMP.
  • It scans
    • a single IP,
    • an IP address range, or subnet and
    • displays network devices discovered in real time,
    • providing immediate access to detailed information about the
devices on the network.
• Command-line tools: snmpwalk, snmp-check.
SNMP countermeasures
• The simplest is to remove or disable the SNMP agents on hosts, or
turn off the SNMP service.
• If shutting off SNMP is not an option, then change the default
'public' community name.
• Block port 161 at all perimeter network access devices.
• Use SNMPv3 (more secure).
• Restrict access to null session pipes and null session shares, and
use IPsec filtering.
• Do not install the SNMP management and monitoring Windows component
unless it is required.
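An added example (not from the slides) that audits a Net-SNMP snmpd.conf against the countermeasures above: it flags default community strings, communities accepted from any source address, and read/write access over v1/v2c. The two embedded configurations are constructed for the example and the SNMPv3 passphrases are placeholders.

```python
from typing import List, Tuple

# Net-SNMP snmpd.conf directives that grant SNMPv1/v2c (community-based) access:
#   rocommunity COMMUNITY [SOURCE [OID]]    rwcommunity COMMUNITY [SOURCE [OID]]
#   com2sec NAME SOURCE COMMUNITY
DEFAULT_STRINGS = {"public", "private"}
ANY_SOURCE = {"default", "0.0.0.0/0", "::/0"}

def audit_snmpd_conf(text: str) -> List[Tuple[int, str]]:
    """Return (line number, problem) for each weak v1/v2c access directive."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive in ("rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"):
            community = parts[1] if len(parts) > 1 else ""
            source = parts[2] if len(parts) > 2 else "default"   # omitted source = anyone
        elif directive == "com2sec" and len(parts) >= 4:
            source, community = parts[2], parts[3]
        else:
            continue   # v3 directives (createUser, rouser, ...) are not community based
        if community.lower() in DEFAULT_STRINGS:
            findings.append((lineno, f"default community string '{community}'"))
        if source in ANY_SOURCE:
            findings.append((lineno, "community accepted from any source address"))
        if directive.startswith("rwcommunity"):
            findings.append((lineno, "read/write access over unauthenticated v1/v2c"))
    return findings

# Constructed configurations for this example (not taken from any real host).
WEAK_CONF = """\
# looks like a stock install
rocommunity public
rwcommunity private
"""
HARDENED_CONF = """\
# SNMPv3 only: authenticated and encrypted user, no v1/v2c communities
createUser monitor SHA "AUTH-PASSPHRASE-PLACEHOLDER" AES "PRIV-PASSPHRASE-PLACEHOLDER"
rouser monitor priv
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_snmpd_conf(conf) or "no findings")
```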
UNIX/Linux Enumeration
• UNIX/Linux Enumeration Commands
• Finger: enumerates the user and the host.
  • Enables you to view the user's home directory, login time, idle times,
office location, and the last time they both received or read mail.
[root$] finger -l @target.hackme.com
• rpcinfo: helps to enumerate the Remote Procedure Call protocol.
  • The RPC protocol allows applications to communicate over the network.
[root$] rpcinfo -p 19x.16x.xxx.xx
• rpcclient: using rpcclient, we can enumerate user names on Linux and
OS. [root$] rpcclient $> netshareenum
• showmount: finds the shared directories on the machine.
[root$] showmount -e 19x.16x.xxx.xx
Cntd…
• Linux Enumeration Tool: Enum4linux
  • It is a tool that allows you to enumerate information from Samba, as
well as Windows systems.
  • Features:
    • Listing of Group Membership Information
    • Share Enumeration
    • Detecting if host is in a Workgroup or a Domain
    • Identifying the remote Operating System
    • Password Policy Retrieval (using polenum)

Lightweight Directory Access Protocol (LDAP) Enumeration
• LDAP is a protocol used to access directory listings within Active
Directory and other distributed directory services.
• LDAP tends to be tied into the Domain Name System to allow
integrated quick lookups and fast resolution of queries.
• Uses TCP port 389.
• Information is transmitted between the client and the server using
Basic Encoding Rules (BER).
• Attackers query the LDAP service to gather information such as valid
user names, addresses, departmental details, etc.
Cntd…
• Tools: there are many LDAP enumeration tools that can be used to access
the directory listings within Active Directory or from other directory
services.
• Using these tools attackers can enumerate information such as valid user
names, addresses, departmental details, etc. from different LDAP servers.
  • Softerra LDAP Administrator - http://www.ldapadministrator.com
    • Softerra LDAP Administrator is an LDAP administration tool that allows
you to work with LDAP servers.
  • JXplorer - http://www.jxplorer.org/
  • LDAP Admin Tool - http://www.ldapsoft.com
  • LDAP Account Manager - http://www.ldap-account-manager.org
LDAP countermeasures
• Use Basic authentication to limit access to known users only.
• By default, LDAP traffic is transmitted unsecured; use Secure
Sockets Layer (SSL) technology to encrypt the traffic.
• Select a username different from your email address and
enable account lockout.

Note. Secure Sockets Layer (SSL) is a standard security
technology for establishing an encrypted link between a server
and a client.
Network Time Protocol (NTP) Enumeration
• NTP is a protocol for synchronizing time across networked computers.
• It utilizes UDP port 123.
• NTP enumeration can gather information such as the list of hosts connected to
the NTP server, their IP addresses, system names, and the OSs running on the client
systems in a network.
• Tools
  • NTP Suite: this is important because, in a network environment, you
can find other primary servers.
  • It is used for querying the NTP server to get the desired information from
NTP.
  • The suite includes the command-line tools ntptrace, ntpdc and ntpq.
Simple Mail Transport Protocol (SMTP) Enumeration
• SMTP is used to send email messages, as opposed to POP3 or IMAP, which
can be used to both send and receive messages.
• It generally runs on port 25.
• SMTP enumeration allows us to determine valid users on the SMTP
server.
• This is done with the help of built-in SMTP commands:
  • VRFY - this command is used for validating users.
  • EXPN - this command tells the actual delivery address of aliases and mailing
lists.
  • RCPT TO - it defines the recipients of the message.
• Attackers can interact directly with SMTP via telnet and quickly collect a list
of valid users on the SMTP server.
Cntd…
• Tool:
• NetScanTools Pro: the SMTP Email Generator tool allows you to test the
process of sending an email message through an SMTP server.
  • You can extract all the common email header parameters including
confirm/urgent flags.
  • You can log the email session to a log file and then view the log file
showing the communications between NetScanTools Pro and the
SMTP server.
  • NetScanTools Pro's Email Relay Testing Tool allows you to perform a
relay test by communicating with an SMTP server.
  • The report includes a log of the communications between
NetScanTools Pro and the target SMTP server.
SMTP countermeasures
• Configure the SMTP server to ignore email messages to
unknown recipients.
• Don't include information like the open mail relay systems being
used, internal IP addresses or host information.
• Disable the open relay feature and ignore emails to unknown recipients
by configuring the SMTP servers.

Note. An open mail relay is a Simple Mail Transfer Protocol (SMTP) server
configured in such a way that it allows anyone on the Internet to send e-mail
through it.
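An added detection example (not from the slides): it scans Postfix-style smtpd reject lines for a client that probes many unknown recipients through RCPT TO, the user-harvesting pattern described above. The log format is Postfix's real one, but the lines, addresses and recipients are constructed, and the alert threshold is an assumption.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Postfix smtpd logs an unknown-recipient rejection as "NOQUEUE: reject: RCPT from ..."
# followed by the 550 5.1.1 "User unknown" reply; this regex matches that format.
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from \S+?\[(?P<ip>[0-9a-fA-F.:]+)\]: "
    r"550 5\.1\.1 <(?P<rcpt>[^>]+)>: Recipient address rejected: User unknown"
)

def _line(ip: str, rcpt: str) -> str:
    """Build one constructed log line in the Postfix format (sample data, not real traffic)."""
    return (f"Jan  5 10:00:01 mx postfix/smtpd[1201]: NOQUEUE: reject: RCPT from "
            f"unknown[{ip}]: 550 5.1.1 <{rcpt}>: Recipient address rejected: User unknown "
            f"in local recipient table; from=<probe@example.net> to=<{rcpt}> "
            f"proto=ESMTP helo=<scan>")

# Constructed sample: one client walks a list of guessed names, another made a single typo.
SAMPLE_LOG = "\n".join([
    _line("203.0.113.5", "aaron@example.com"),
    _line("203.0.113.5", "abby@example.com"),
    _line("203.0.113.5", "abel@example.com"),
    _line("203.0.113.5", "Abel@example.com"),   # same mailbox, different case
    _line("203.0.113.5", "adam@example.com"),
    _line("203.0.113.5", "adrian@example.com"),
    _line("198.51.100.7", "jonh.smith@example.com"),
    "Jan  5 10:00:02 mx postfix/smtpd[1201]: disconnect from unknown[203.0.113.5]",
])

def find_harvesters(log_text: str, threshold: int = 5) -> Dict[str, List[str]]:
    """Return {client_ip: sorted unknown recipients} for clients at or above threshold."""
    unknown = defaultdict(set)
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            unknown[m.group("ip")].add(m.group("rcpt").lower())   # count distinct mailboxes
    return {ip: sorted(r) for ip, r in unknown.items() if len(r) >= threshold}

if __name__ == "__main__":
    for ip, rcpts in find_harvesters(SAMPLE_LOG).items():
        print(f"possible user harvesting from {ip}: {len(rcpts)} distinct unknown recipients")
```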
DNS Enumeration
DNS Zone Transfer Enumeration Using NSLookup
• DNS enumeration is the process of locating the DNS servers and the records of a target
network.
• An attacker can gather valuable network information such as:
  • DNS server names,
  • hostnames,
  • machine names,
  • user names, and
  • IP addresses of the potential targets, etc.
• In DNS zone transfer enumeration, an attacker tries to retrieve a copy of
the entire zone file for a domain from a DNS server.
Enumeration Countermeasures
• Configure all name servers not to send DNS zone transfers to untrusted
hosts.
• Check the publicly accessible DNS server's zone files and ensure
that the IP addresses in these files are not referenced by non-public
hostnames.
• Make sure that the DNS zone files do not contain HINFO records (which specify
the host/server's type of CPU and operating system) or any other unnecessary records.
• Provide standard network administration contact details in Network
Information Center databases. This helps to avoid war-dialing or social
engineering attacks.
• Prune DNS zone files to prevent revealing unnecessary information.
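An added example (not part of the original slides) implementing the zone-file checks above in Python: it parses a BIND-style zone and flags HINFO records and A records that publish RFC 1918 (internal) addresses. The zone contents are constructed for the example.

```python
import ipaddress
import re
from typing import List, Tuple

# Constructed sample zone (made up for this example; not a real zone file).
SAMPLE_ZONE = """\
; example.com zone - constructed sample
$ORIGIN example.com.
$TTL 3600
@        IN SOA   ns1.example.com. hostmaster.example.com. (2024010501 7200 900 1209600 300)
@        IN NS    ns1.example.com.
ns1      IN A     192.0.2.53
www      IN A     192.0.2.80
intranet IN A     10.20.30.40
db-prod  IN A     172.16.5.9
fileserv IN HINFO "INTEL-X86-64" "WINDOWS-SERVER-2019"
mail     IN MX    10 mx.example.com.
"""

# owner [ttl] [IN] TYPE rdata  (enough of the master-file syntax for this check)
RECORD_RE = re.compile(r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?(?P<type>[A-Z]+)\s+(?P<rdata>.+)$")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def audit_zone(zone_text: str) -> List[Tuple[int, str, str]]:
    """Return (line, owner, reason) for records that leak internal details."""
    findings = []
    for lineno, raw in enumerate(zone_text.splitlines(), 1):
        line = raw.split(";", 1)[0].rstrip()          # drop comments
        if not line or line.startswith("$"):           # skip blanks and directives
            continue
        m = RECORD_RE.match(line)
        if not m:
            continue
        owner, rtype, rdata = m.group("owner"), m.group("type"), m.group("rdata")
        if rtype == "HINFO":
            findings.append((lineno, owner, "HINFO reveals CPU and operating system"))
        elif rtype == "A":
            try:
                addr = ipaddress.ip_address(rdata.split()[0])
            except ValueError:
                continue
            if any(addr in net for net in RFC1918):
                findings.append((lineno, owner, f"internal address {addr} published in a public zone"))
    return findings

if __name__ == "__main__":
    for lineno, owner, reason in audit_zone(SAMPLE_ZONE):
        print(f"line {lineno}: {owner}: {reason}")
```

Restricting who may request a zone transfer is done in the name server's configuration (for BIND, the allow-transfer option), not in the zone file itself.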


Summary
• Enumeration is defined as the process of extracting user names, machine names,
network resources, shares, and services from a system.
• Simple Network Management Protocol (SNMP) is a TCP/IP protocol used for
remote monitoring and managing hosts, routers, and other devices on a network.
• MIB is a virtual database containing a formal description of all the network
objects that can be managed using SNMP.
• Devices like switches, hubs, and routers might still be enabled with a "default
password" that enables an attacker to gain unauthorized access to the
organization's computer network.
• Attackers query the LDAP service to gather information such as valid user names,
addresses, departmental details, etc. that can be further used to perform attacks.
• Network Time Protocol (NTP) is designed to synchronize the clocks of networked computers.
Thank you!!!
End of Module IV