Ethical Hacking V10 Enumeration Module 4-

Transcription

Ethical Hacking v10, Module 4: Enumeration

Enumeration

Goals
- Describe enumeration
- List information obtained from enumeration
- Describe enumeration types and techniques
- List enumeration countermeasures

Module 4.0 Enumeration
4.1 Enumeration Concepts
4.2 NetBIOS Enumeration
4.3 SNMP Enumeration
4.4 LDAP Enumeration
4.5 NTP Enumeration
4.6 SMTP and DNS Enumeration
4.7 Enumeration Countermeasures
4.8 Enumeration Pen Testing

4.1 Enumeration Concepts
- What is Enumeration
- Techniques for Enumeration
- Services and Ports to Enumerate

What is Enumeration?
- Network enumeration is a process that involves gathering information about a network, including hosts, connected devices, usernames, group information and related data
- Using protocols like ICMP and SNMP, network enumeration gives a better view of an organization's network, for either protection or hacking purposes
- An attacker creates an active connection to a system and sends queries to gather information regarding the target
- The attacker then uses the extracted information to identify areas to attack and to mount password attacks in order to gain unauthorized access to information system resources

Information Enumerated
- Network resources
- Network shares
- Routing tables
- Audit and service settings
- SNMP and DNS information
- Machine names
- Users and groups
- Applications and banners

Techniques for Enumeration
- Extract usernames using email IDs and/or SNMP
- Extract information using default passwords
- Extract Active Directory data using brute force
- Extract information using DNS zone transfer

Nmap Enumeration Example

Services and Ports to Enumerate
- Simple Mail Transfer Protocol (SMTP): TCP port 25
- DNS Zone Transfers: TCP/UDP port 53
- Microsoft RPC Endpoint Mapper: TCP/UDP port 135
- NetBIOS Name Service (NBNS): UDP port 137
- NetBIOS Session Service (SMB over NetBIOS): TCP port 139
- Simple Network Management Protocol (SNMP): UDP port 161
- SNMP Trap: TCP/UDP port 162
- Lightweight Directory Access Protocol (LDAP): TCP/UDP port 389
- SMB over TCP (Direct Host): TCP/UDP port 445
- Global Catalog Service: TCP/UDP port 3268

4.2 Enumeration Techniques and Tools

nmap
  nmap -O 192.168.1.50
  nmap -sV 192.168.1.20
  nmap --script smb-os-discovery <target>

rpcclient Host Enumeration Examples
  rpcclient <target IP> -U <username>
    srvinfo
    lookupnames administrator
    lookupsids
  rpcclient -U "" 192.168.1.20

Metasploit
  use auxiliary/scanner/smb/smb_lookupsid
  set SMBUser moo
  set SMBPass Pa22w0rd
  set MinRID 1000
  set MaxRID 1100
  set RHOSTS 192.168.74.50

Service and Application Enumeration
- Services required by default processes and by installed software


4.3 NetBIOS Enumeration

NetBIOS Names
- A unique 16-character ASCII string used to identify network devices over TCP/IP
- 15 characters are the device name
- The 16th character is reserved for the service or name record type

Name         NetBIOS Code  Type    Information Obtained
<host name>  00            Unique  Hostname
<domain>     00            Group   Domain name
<host name>  03            Unique  Messenger service running for that computer
<username>   03            Unique  Messenger service running for that individual logged-in user
<host name>  20            Unique  Server service running
<domain>     1D            Group   Master browser name for that subnet
<domain>     1B            Unique  Domain master browser name, identifies PDC for domain
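As an added example that is not part of the course material, the following Python decodes a NetBIOS name as it is carried in NBNS traffic on UDP 137 (RFC 1001 first-level encoding, which sends each of the 16 bytes as two letters) and classifies the suffix byte using the table above. The sample names are constructed; whether a name is Unique or Group comes from the NBNS record flags, so the caller passes it in.

```python
# Added example: decode NetBIOS names from NBNS traffic and classify the
# 16th (suffix) byte with the slide table. All sample names are constructed.
from dataclasses import dataclass

# (suffix byte, registration type) -> meaning, taken from the slide table
NETBIOS_SUFFIXES = {
    (0x00, "Unique"): "Hostname (workstation service)",
    (0x00, "Group"): "Domain name",
    (0x03, "Unique"): "Messenger service (computer or logged-in user)",
    (0x20, "Unique"): "Server service running",
    (0x1D, "Group"): "Master browser for that subnet",
    (0x1B, "Unique"): "Domain master browser (PDC)",
}

@dataclass
class NetBIOSName:
    name: str
    suffix: int
    kind: str
    meaning: str

def decode_first_level(encoded: str) -> bytes:
    """Undo RFC 1001 first-level encoding: on the wire each of the 16 name
    bytes is sent as two letters, 'A' + high nibble and 'A' + low nibble."""
    if len(encoded) != 32 or any(c not in "ABCDEFGHIJKLMNOP" for c in encoded):
        raise ValueError("not a 32-character first-level encoded name")
    nibbles = [ord(c) - ord("A") for c in encoded]
    return bytes((hi << 4) | lo for hi, lo in zip(nibbles[0::2], nibbles[1::2]))

def encode_first_level(raw: bytes) -> str:
    """Inverse of decode_first_level (handy for building test input)."""
    return "".join(chr(ord("A") + (b >> 4)) + chr(ord("A") + (b & 0x0F)) for b in raw)

def parse_netbios_name(raw: bytes, group: bool = False) -> NetBIOSName:
    """Split a 16-byte NetBIOS name into the 15-character padded name and the
    suffix byte; Unique/Group is taken from the NBNS record flags by the caller."""
    if len(raw) != 16:
        raise ValueError("a NetBIOS name is exactly 16 bytes")
    # Names are space-padded; the '*' wildcard query is NUL-padded instead.
    name = raw[:15].decode("ascii", errors="replace").rstrip(" \x00")
    kind = "Group" if group else "Unique"
    suffix = raw[15]
    meaning = NETBIOS_SUFFIXES.get((suffix, kind), "other/unknown service")
    return NetBIOSName(name, suffix, kind, meaning)
```

Decoding the wire name `"CK" + "A" * 30` yields the `*` wildcard query, and a constructed `FILESRV01` name with suffix 0x20 classifies as "Server service running".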

NetBIOS Enumeration
- Attackers use NetBIOS enumeration to obtain:
  - List of computers in the domain
  - List of shares on hosts and network
  - Policies and passwords
- Note: NetBIOS name resolution is not supported by Microsoft for IPv6

SuperScan Enumeration
- SuperScan is a connection-based TCP port scanner, pinger, and hostname resolver
  - Support for unlimited IP ranges
  - Host detection by multiple ICMP methods
  - TCP SYN and UDP scanning
  - Simple HTML report generation
  - Source port scanning
  - Hostname resolving
  - Banner grabbing
  - Windows host enumeration

More NetBIOS Enumeration Tools
- Nbtstat
  - Windows utility that displays NetBIOS over TCP/IP protocol statistics, NetBIOS name tables for local and remote computers, and the NetBIOS name cache
- Hyena
  - A GUI application for managing and securing Microsoft operating systems
  - Shows shares
  - User logon name for Windows servers and domain controllers
  - Displays graphical representation of Microsoft Terminal Services, Microsoft Windows Network, Web Client Network, etc.
- Winfingerprint
  - Shows operating system, enumerates users, groups, SIDs, transports, sessions, services, service pack and hotfix level, date and time, disks, and open TCP/UDP ports

More NetBIOS Enumeration Tools (cont'd)
- NetBIOS Enumerator
- NSAuditor Network Security Auditor
  - Advanced all-in-one network security auditing tools suite
  - Includes more than 45 network tools and utilities for network security auditing, network scanning, network monitoring, etc.

Enumeration User Account Tools
- Net user
- Net LoggedOn
- PsLogList
- PsPasswd
- PsShutdown

Enumerating Shared Resources Using Net View
- The Net View utility is used to obtain a list of all the shared resources of remote hosts or workgroups

ShareEnum Example

4.4 SNMP Enumeration

SNMP Enumeration
- Simple Network Management Protocol enumeration is used to enumerate user accounts and devices on a target using SNMP
- Consists of a manager and an agent
  - Agents are installed on all devices
  - Managers are installed on managing computers
- Has two passwords used to access and configure the SNMP agent from the manager
  - Read community string: allows viewing of device/system configuration
  - Read/write community string: allows remote editing of configuration and is "private" by default

SNMP Enumeration (cont'd)
- Attackers use default community strings to extract information from devices
- Attackers enumerate SNMP to extract information about network resources, including hosts, routers, devices, shares, etc., and network information, including ARP tables, routing tables, traffic, etc.

Management Information Base (MIB)
- A MIB is a virtual database containing a formal description of all network objects that can be managed by SNMP
- The MIB database is hierarchical and each object is addressed using an Object Identifier (OID)
- There are two types of managed object
  - Scalar objects: define a single object instance
  - Tabular objects: define multiple related object instances that are grouped in MIB tables
- The OID entry includes the type of MIB object (such as counter, string, or address), the access level (such as not-accessible, accessible-for-notify, read-only or read-write), size restrictions, and range information
- SNMP uses the MIB's hierarchical namespace of OIDs to translate OID numbers into a human-readable display

SNMP Architecture

SNMP Enumeration Example

SNMP Enumeration Tools
- OpUtils
  - An integrated set of tools that helps network engineers monitor, diagnose, and troubleshoot their IT resources
- Engineer's Toolset (SolarWinds)
  - Over 60 network management and troubleshooting tools for automated network discovery, real-time monitoring and alerting, diagnostic capabilities, enhanced network security, configuration and log management, IP address and DHCP scope monitoring

SNMP Enumeration Tools (cont'd)
- SNMP Scanner
- Getif
- OIDVIEW SNMP MIB Browser
- iReasoning MIB Browser
- SNScan
- SoftPerfect Network Scanner
- SNMP Informant
- Net-SNMP
- Nsauditor Network Security
- Spiceworks

4.5 LDAP Enumeration

LDAP Enumeration
- Lightweight Directory Access Protocol (LDAP) is an Internet protocol that allows access to distributed directory services
- Provides an organized set of records in a hierarchical and logical structure
- Follows the X.500 naming convention
- Used by Active Directory and others
- A client starts an LDAP session by connecting to a Directory System Agent (DSA) on TCP port 389 and sends an operations request to the DSA
- Attackers query the LDAP service to gather information including valid user names, addresses, department details, etc. that can be used for further attacks

X.500 Naming Hierarchy

Softerra LDAP Administrator
- Softerra LDAP Administrator is an LDAP administration tool designed to work with many LDAP servers including Active Directory, Novell Directory Services, Netscape/iPlanet, etc.
- Softerra LDAP Administrator simplifies management of LDAP directories, providing advanced directory search facilities, bulk update operations, group membership management facilities, etc.
  - Customizable directory reports for effective monitoring and audit
  - Directory data can be exported and imported in LDIF, CSV, DSML1, DSML2 and other formats
  - LDAP-SQL support allows managing LDAP entries using SQL-like syntax and performing LDAP operations that cannot be executed using standard LDAP resources

LDAP Tools
- Active Directory Users and Computers
- Softerra LDAP Administrator
- LDP.exe

4.6 NTP Enumeration

NTP Enumeration
- Network Time Protocol (NTP) is designed to synchronize the clocks of networked computers
- Uses UDP port 123 as its primary means of communication
- Can maintain time to within 10 milliseconds over the public Internet
- Realizes accuracies of 200 milliseconds or better in ideal conditions in a local area network
- Attackers query NTP for:
  - List of hosts connected to the NTP server
  - Clients' IP addresses, system names, and operating systems
  - Internal IP addresses can be acquired if the NTP server is in the DMZ

NTP Commands
- ntptrace: traces a chain of NTP servers back to the primary source
- ntpdc: monitors operation of the NTP daemon, ntpd
- ntpq: monitors NTP daemon (ntpd) operations and determines performance

NTP Enumeration Tools
- NTP Time Server Monitor
- NTP Server Scanner
- Nmap
- Wireshark
- AtomSync
- NTPQuery
- PresenTense NTP Auditor
- PresenTense Time Server
- PresenTense Time Client
- LAN Time Analyser

4.7 SMTP and DNS Enumeration

SMTP Enumeration
- Simple Mail Transfer Protocol (SMTP) has three built-in commands
  - VRFY: validates a user
  - EXPN: tells the actual delivery address of aliases and mailing lists
  - RCPT TO: defines the recipients of the message
- SMTP servers respond differently to each command for valid and invalid users, which allows determination of valid users on the SMTP server
- Attackers can directly interact with SMTP using Telnet and collect a list of valid users on the SMTP server
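From the defender's side, the same VRFY/EXPN/RCPT TO probing is visible in mail server logs. The following Python is an added example, not part of the course, that flags clients issuing VRFY/EXPN commands or a burst of 5xx-rejected RCPT TO commands; the log line format and every sample line are constructed for the demonstration.

```python
# Added example: detect SMTP user enumeration from mail logs. The log format
# (ts client=IP cmd=VERB arg=X code=NNN) and all SAMPLE_LOG lines are constructed.
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<ip>[\d.]+) cmd=(?P<cmd>VRFY|EXPN|RCPT) "
    r"arg=(?P<arg>\S+) code=(?P<code>\d{3})$"
)

SAMPLE_LOG = """\
2024-05-01T10:00:01 client=203.0.113.5 cmd=VRFY arg=alice code=252
2024-05-01T10:00:02 client=203.0.113.5 cmd=VRFY arg=bob code=550
2024-05-01T10:00:02 client=203.0.113.5 cmd=EXPN arg=staff code=250
2024-05-01T10:00:03 client=203.0.113.5 cmd=VRFY arg=carol code=550
2024-05-01T10:00:03 client=203.0.113.5 cmd=VRFY arg=dave code=550
2024-05-01T10:01:10 client=198.51.100.7 cmd=RCPT arg=sales@example.test code=250
2024-05-01T10:01:11 client=198.51.100.7 cmd=RCPT arg=info@example.test code=250
"""

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def find_enumerators(log_text, threshold=3):
    """Return {client_ip: {"probes": n, "distinct_targets": n}} for clients whose
    VRFY/EXPN count plus 5xx-rejected RCPT count reaches threshold. Counting
    distinct targets separates a typo-prone sender from a user-list scan."""
    probes = defaultdict(int)
    targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines rather than crash the monitor
        cmd, code = rec["cmd"], rec["code"]
        if cmd in ("VRFY", "EXPN") or (cmd == "RCPT" and code.startswith("5")):
            probes[rec["ip"]] += 1
            targets[rec["ip"]].add(rec["arg"].lower())
    return {
        ip: {"probes": n, "distinct_targets": len(targets[ip])}
        for ip, n in probes.items()
        if n >= threshold
    }

if __name__ == "__main__":
    for ip, stats in find_enumerators(SAMPLE_LOG).items():
        print(f"possible user enumeration from {ip}: {stats}")
```
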

SMTP Enumeration Tools
- NetScanTools Pro's SMTP Email Generator and Email Relay Testing Tools are designed for performing tests sending email messages through an SMTP server and performing relay tests
- smtp-user-enum is a tool for enumerating OS-level user accounts on Solaris using the SMTP service (sendmail)
  - Enumeration is performed by inspecting responses to the SMTP commands VRFY, EXPN, and RCPT TO

SMTP Enumeration Example

DNS Enumeration
- Get DNS records: A, MX, NS, SOA, CNAME, PTR

NSlookup
- Microsoft tool for querying DNS
- Depends on the existence of a reverse lookup zone

Dig
- *nix tool for querying DNS

4.8 Enumeration Countermeasures

SNMP Enumeration Countermeasures
- Simple Network Management Protocol (SNMP)
  - Turn off the service
  - Change the default community string name
  - Upgrade to SNMPv3, which encrypts passwords and messages
  - Implement the Group Policy security option called "Additional restrictions for anonymous connections"
  - Make certain that access to null session pipes, null session shares, and IPSec filtering is restricted

DNS Enumeration Countermeasures
- Domain Name System (DNS)
  - Disable DNS zone transfers to untrusted hosts
  - Make certain private hosts and IP addresses are not published into the DNS zone files of public DNS servers
  - Use premium DNS registration services that hide sensitive information from the public (HINFO records, for example)
  - Use standard network admin contacts for DNS registrations in order to avoid social engineering attacks
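The second and third DNS countermeasures can be checked before a zone is published. The following Python is an added example, not course material: it parses a simple BIND-style zone file and reports A records pointing at RFC 1918 private space and any HINFO records. The zone text and the example.test domain are constructed.

```python
# Added example: audit a zone file for private (RFC 1918) addresses and HINFO
# records before it goes onto a public DNS server. SAMPLE_ZONE is constructed.
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

SAMPLE_ZONE = """\
$ORIGIN example.test.
@         IN  SOA   ns1.example.test. hostmaster.example.test. (1 3600 900 604800 300)
ns1       IN  A     192.0.2.10
www       IN  A     192.0.2.20
intranet  IN  A     10.0.5.12        ; internal host, should not be public
build     IN  A     172.16.8.4
www       IN  HINFO "Dell PowerEdge" "Ubuntu 22.04"
mail      IN  MX    10 mx1.example.test.
"""

def is_rfc1918(addr):
    """True only for RFC 1918 space; malformed rdata is reported as not private."""
    try:
        return any(ipaddress.ip_address(addr) in net for net in RFC1918)
    except ValueError:
        return False

def parse_zone(text):
    """Yield (owner, rtype, rdata) for one-line records; directives and comments are skipped."""
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop trailing comments
        if not line or line.startswith("$"):
            continue
        # Remove an optional TTL and the class so the layout becomes: owner type rdata
        fields = [p for p in line.split() if not p.isdigit() and p != "IN"]
        if len(fields) < 3:
            continue
        yield fields[0], fields[1].upper(), " ".join(fields[2:])

def audit_zone(text):
    """Return a list of (owner, rtype, reason) findings."""
    findings = []
    for owner, rtype, rdata in parse_zone(text):
        if rtype == "A" and is_rfc1918(rdata):
            findings.append((owner, rtype, f"private address {rdata} published"))
        elif rtype == "HINFO":
            findings.append((owner, rtype, "HINFO reveals hardware/OS details"))
    return findings
```

Running `audit_zone(SAMPLE_ZONE)` returns three findings: the `intranet` and `build` A records and the `www` HINFO record.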

SMTP and LDAP Enumeration Countermeasures
- Simple Mail Transfer Protocol (SMTP)
  - Configure SMTP to:
    - Ignore email messages to unknown recipients
    - Not include sensitive mail server and local host information in mail responses
    - Disable the open relay feature
- Lightweight Directory Access Protocol (LDAP)
  - Configure LDAP to:
    - Use SSL technology to encrypt the traffic
    - Select a user name different from your email address and enable account lockout

SMB Enumeration Countermeasures
- Server Message Block (SMB)
  - Configure SMB
    - Disable the SMB protocol on Web and DNS servers
    - Disable the SMB protocol on Internet-facing servers
    - Disable ports TCP 139 and TCP 445 used by SMB
    - Restrict anonymous access through the RestrictNullSessAccess parameter in the Windows Registry


4.9 Enumeration Penetration Testing

Enumeration Penetration Testing
- Used to identify valid user accounts or badly protected resource shares using active connections to systems and directed queries
- Information can be users and groups, network resources and shares, and applications
- Used in combination with data collected in the reconnaissance phase

Penetration Testing Steps
- Identify the network range
  - Use WhoIs Lookup to enumerate important servers
- Calculate the subnet mask
  - Use subnet mask calculators for input into ping sweep and port scanning tools
- Undergo host discovery
  - Use Nmap to find servers connected to the Internet
- Perform port scanning
  - Use Nmap and other tools to perform port scanning to check for open ports

Penetration Testing Steps (cont'd)
- Perform NetBIOS enumeration
  - Use SuperScan, Hyena, Winfingerprint, etc.
- Perform SNMP enumeration
  - Use OpUtils Network Monitoring Toolset, Engineer's Toolset, etc.
- Perform LDAP enumeration
  - Use Softerra LDAP Administrator and similar tools
- Perform NTP enumeration
  - Use ntptrace, ntpdc, ntpq, and similar tools
- Perform SMTP enumeration
  - Use NetScanTools Pro and similar tools

Penetration Testing Steps (cont'd)
- Perform DNS enumeration
  - Use the Windows utility NSLookup
- Document all findings

Enumeration Review
- Enumeration seeks to discover additional target information
- A number of protocols can be used for enumeration:
  - NetBIOS
  - DNS
  - SNMP
  - SMTP
  - LDAP
- Information returned depends on the service:
  - Users
  - Groups
  - Installed applications
  - Interface and component statistics
  - OS information
  - Policies

Lab 4: Enumeration