
CEH Lab Manual

Enumeration
Module 04

Enumeration
Enumeration is the process of extracting user names, machine names, network resources, shares, and services from a system. Enumeration is conducted in an intranet environment.


Lab Scenario
Penetration testing is much more than just running exploits against vulnerable systems like we learned in the previous module. In fact, a penetration test begins before penetration testers have even made contact with the victim systems. As an expert ethical hacker and penetration tester you must know how to enumerate target networks and extract lists of computers, user names, user groups, ports, operating systems, machine names, network resources, and services using various enumeration techniques.


Lab Objectives
The objective of this lab is to provide expert knowledge on network enumeration and other responsibilities that include:
■ User name and user groups
■ Lists of computers, their operating systems, and ports
■ Machine names, network resources, and services
■ Lists of shares on individual hosts on the network
■ Policies and passwords

Note: Tools demonstrated in this lab are available in D:\CEHTools\CEHv8 Module 04 Enumeration

Lab Environment
To carry out the lab, you need:
■ Windows Server 2012 as host machine
■ Windows Server 2008, Windows 8 and Windows 7 as virtual machines
■ A web browser with an Internet connection
■ Administrative privileges to run tools

Lab Duration
Time: 60 Minutes

Overview of Enumeration
Enumeration is the process of extracting user names, machine names, network resources, shares, and services from a system. Enumeration techniques are conducted in an intranet environment.

CEH Lab Manual Page 267

Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Module 04 - Enumeration

Lab Tasks
TASK 1: Overview

Recommended labs to assist you in Enumeration:
■ Enumerating a Target Network Using Nmap Tool
■ Enumerating NetBIOS Using the SuperScan Tool
■ Enumerating NetBIOS Using the NetBIOS Enumerator Tool
■ Enumerating a Network Using the SoftPerfect Network Scanner
■ Enumerating a Network Using SolarWinds Toolset
■ Enumerating the System Using Hyena

Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target’s security posture and exposure.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.


Enumerating a Target Network Using Nmap
Enumeration is the process of extracting user names, machine names, network resources, shares, and services from a system.


Lab Scenario
In fact, a penetration test begins before penetration testers have even made contact with the victim systems. During enumeration, information is systematically collected and individual systems are identified. The pen testers examine the systems in their entirety, which allows evaluating security weaknesses. In this lab, we discuss Nmap; it uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, and what type of packet filters/firewalls are in use. It was designed to rapidly scan large networks. An attacker can use the open ports to attack the target machine; to counter this type of attack, networks are filled with IP filters, firewalls, and other obstacles.


As an expert ethical hacker and penetration tester, you need to enumerate a target network and extract a list of computers, user names, user groups, machine names, network resources, and services using various enumeration techniques.

Lab Objectives
The objective of this lab is to help students understand and perform enumeration on target network using various techniques to obtain:
■ User names and user groups
■ Lists of computers, their operating systems, and the ports on them
■ Machine names, network resources, and services
■ Lists of shares on the individual hosts on the network
■ Policies and passwords


Note: Tools demonstrated in this lab are available in D:\CEHTools\CEHv8 Module 04 Enumeration

Lab Environment
To perform the lab, you need:
■ A computer running Windows Server 2008 as a virtual machine
■ A computer running Windows Server 2012 as a host machine
■ Nmap is located at D:\CEH-Tools\CEHv8 Module 04 Enumeration\Additional Enumeration Pen Testing Tools\Nmap
■ Administrative privileges to install and run tools

Lab Duration
Time: 10 Minutes

Overview of Enumeration
Note: Take a snapshot (a type of quick backup) of your virtual machine before each lab, because if something goes wrong, you can go back to it.

Enumeration is the process of extracting user names, machine names, network resources, shares, and services from a system. Enumeration techniques are conducted in an intranet environment.

Lab Tasks
The basic idea in this section is to:
■ Perform scans to find hosts with NetBIOS ports open (135, 137-139, 445)
■ Do an nbtstat scan to find generic information (computer names, user names, MAC addresses) on the hosts
■ Create a Null Session to these hosts to gain more information
■ Install and Launch Nmap in a Windows Server 2012 machine

TASK 1: Nbtstat and Null Sessions

1. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.

Note: The Zenmap file installs the following files:
■ Nmap Core Files
■ Nmap Path
■ WinPcap 4.1.1
■ Network Interface Import
■ Zenmap (GUI frontend)

FIGURE 1.1: Windows Server 2012—Desktop view

2. Click the Nmap-Zenmap GUI app to open the Zenmap window.


FIGURE 1.2: Windows Server 2012—Apps

3. Start your virtual machine running Windows Server 2008.
4. Now launch the nmap tool in the Windows Server 2012 host machine.
5. Perform nmap -O scan for the Windows Server 2008 virtual machine (10.0.0.6) network. This takes a few minutes.

Note: Use the --osscan-guess option for best results in nmap.

Note: IP addresses may vary in your lab environment.
[Screenshot: Zenmap with 10.0.0.6 entered as the Target and nmap -O 10.0.0.6 as the Command]

FIGURE 1.3: The Zenmap Main window

Nmap performs a scan for the provided target IP address and outputs the results on the Nmap Output tab.

Note: Nmap.org is the official source for downloading Nmap source code and binaries for Nmap and Zenmap.

Your first target is the computer with a Windows operating system on which you can see ports 139 and 445 open. Remember this usually works only against Windows but may partially succeed if other OSes have these ports open. There may be more than one system that has NetBIOS open.


TASK 2: Find hosts with NetBIOS ports open

Zenmap, Nmap Output tab, for the command nmap -O 10.0.0.6:

    Starting Nmap 6.01 ( http://nmap.org ) at 2012-09-04 10:55
    Nmap scan report for 10.0.0.6
    Host is up (0.00011s latency).
    Not shown: 993 filtered ports
    PORT      STATE SERVICE
    135/tcp   open  msrpc
    139/tcp   open  netbios-ssn
    445/tcp   open  microsoft-ds
    554/tcp   open  rtsp
    2869/tcp  open  icslap
    5357/tcp  open  wsdapi
    10243/tcp open  unknown
    MAC Address: … (Microsoft)
    Warning: OSScan results may b… not find at least 1 open and 1 closed port
    Device type: general purpose
    Running: Microsoft Windows 7|Vista|2008
    OS CPE: cpe:/o:microsoft:windows_7::professional cpe:/o:microsoft:windows_vista::- cpe:/…

FIGURE 1.4: The Zenmap output window

8. Now you see that ports 139 and 445 are open and port 139 is using NetBIOS.
9. Now launch the command prompt in Windows Server 2008 virtual machine and perform nbtstat on port 139 of the target machine.
10. Run the command nbtstat -A 10.0.0.7.
    C:\Users\Administrator>nbtstat -A 10.0.0.7

    Local Area Connection 2:
    Node IpAddress: [10.0.0.3] Scope Id: []

        NetBIOS Remote Machine Name Table

        Name                 Type      Status
        WIN-D39MR5HL9E4<00>  UNIQUE    Registered
        WORKGROUP      <00>  GROUP     Registered
        WIN-D39MR5HL9E4<20>  UNIQUE    Registered

        MAC Address = …

    C:\Users\Administrator>

FIGURE 1.5: Command Prompt with the nbtstat command

Note: Nmap has traditionally been a command-line tool run from a UNIX shell or (more recently) a Windows command prompt.

11. We have not even created a null session (an unauthenticated session) yet, and we can still pull this info down.

TASK 3: Create a Null Session

12. Now create a null session.


13. In the command prompt, type net use \\X.X.X.X\IPC$ /u:"" (where X.X.X.X is the address of the host machine, and there are no spaces between the double quotes).

    C:\>net use \\10.0.0.7\IPC$ ""/u:""
    Local name
    Remote name       \\10.0.0.7\IPC$
    Resource type     IPC
    Status            OK
    # Opens           0
    # Connections     1
    The command completed successfully.

    C:\>

Note: Net Command Syntax: NET [ ACCOUNTS | COMPUTER | CONFIG | CONTINUE | FILE | GROUP | HELP | HELPMSG | LOCALGROUP | NAME | PAUSE | PRINT | SEND | SESSION | SHARE | START | STATISTICS | STOP | TIME | USE | USER | VIEW ]

FIGURE 1.6: The command prompt with the net use command

14. Confirm it by issuing a generic net use command to see connected null sessions from your host.
15. To confirm, type net use, which should list your newly created null session.

FIGURE 1.7: The command prompt with the net use command
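
Added example (not part of the original lab manual): a Python parser that turns saved Nmap output, like the scan of 10.0.0.6 in steps 5 to 8, into a per-host list of the NetBIOS/SMB ports this lab looks for (135, 137-139, 445), so you can audit which of your own machines still expose them. The sample text is constructed from the scan shown in this lab plus an invented second host (10.0.0.20), and the function names are illustrative.

```python
import re

# Ports this lab treats as the NetBIOS/SMB surface: 135, 137-139, 445.
NETBIOS_SMB_PORTS = {135, 137, 138, 139, 445}

# Constructed sample: the first host mirrors the lab's scan of 10.0.0.6,
# the second host (10.0.0.20) is invented to show a machine that is not flagged.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 10.0.0.6
Host is up (0.00011s latency).
Not shown: 993 filtered ports
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
554/tcp   open  rtsp
2869/tcp  open  icslap
5357/tcp  open  wsdapi
10243/tcp open  unknown

Nmap scan report for 10.0.0.20
Host is up (0.00020s latency).
Not shown: 998 closed ports
PORT    STATE    SERVICE
22/tcp  open     ssh
139/tcp filtered netbios-ssn
"""

# "Nmap scan report for <ip>" or "Nmap scan report for <name> (<ip>)"
HOST_RE = re.compile(
    r"^Nmap scan report for (?:\S+ \((?P<ip>[^)]+)\)|(?P<addr>\S+))$"
)
# One row of the PORT / STATE / SERVICE table, e.g. "139/tcp open netbios-ssn"
PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
)


def parse_nmap_output(text):
    """Return {host: [(port, proto, state, service), ...]} from Nmap normal output."""
    hosts = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        host = HOST_RE.match(line)
        if host:
            current = host.group("ip") or host.group("addr")
            hosts[current] = []
            continue
        port = PORT_RE.match(line)
        if port and current is not None:
            hosts[current].append(
                (int(port.group("port")), port.group("proto"),
                 port.group("state"), port.group("service"))
            )
    return hosts


def netbios_exposure(hosts):
    """Return {host: sorted open NetBIOS/SMB ports}; hosts with none are omitted."""
    exposed = {}
    for host, ports in hosts.items():
        # Only "open" counts; "filtered" means a firewall is already in the way.
        hits = sorted({p for p, _proto, state, _svc in ports
                       if state == "open" and p in NETBIOS_SMB_PORTS})
        if hits:
            exposed[host] = hits
    return exposed


def exposure_report(exposed):
    """One remediation line per exposed host."""
    return [
        f"{host}: NetBIOS/SMB reachable on {', '.join(map(str, ports))}; "
        "filter these ports at the host or network firewall "
        "if the machine does not need to serve them"
        for host, ports in exposed.items()
    ]


if __name__ == "__main__":
    parsed = parse_nmap_output(SAMPLE_NMAP_OUTPUT)
    for line in exposure_report(netbios_exposure(parsed)):
        print(line)
```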

Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target’s security posture and exposure.


Tool/Utility: Nmap

Information Collected/Objectives Achieved:
Target Machine: 10.0.0.6
List of Open Ports: 135/tcp, 139/tcp, 445/tcp, 554/tcp, 2869/tcp, 5357/tcp, 10243/tcp
NetBIOS Remote machine IP address: 10.0.0.7
Output: Successful connection of Null session

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. Evaluate what nbtstat -A shows us for each of the Windows hosts.
2. Determine the other options of nbtstat and what each option outputs.
3. Analyze the net use command used to establish a null session on the target machine.

Internet Connection Required: □ Yes ☑ No
Platform Supported: ☑ Classroom ☑ iLabs


Lab

Enumerating NetBIOS Using the SuperScan Tool
SuperScan is a TCP port scanner, pinger, and resolver. The tool's features include extensive Windows host enumeration capability, TCP SYN scanning, and UDP scanning.

Lab Scenario
During enumeration, information is systematically collected and individual systems are identified. The pen testers examine the systems in their entirety; this allows evaluating security weaknesses. In this lab we extract NetBIOS information, user and group accounts, network shares, trusted domains, and services, which are either running or stopped. SuperScan detects open TCP and UDP ports on a target machine and determines which services are running on those ports; by using this, an attacker can exploit the open port and hack your machine. As an expert ethical hacker and penetration tester, you need to enumerate target networks and extract lists of computers, user names, user groups, machine names, network resources, and services using various enumeration techniques.


Lab Objectives
The objective of this lab is to help students learn and perform NetBIOS enumeration. NetBIOS enumeration is carried out to obtain:
■ List of computers that belong to a domain
■ List of shares on the individual hosts on the network
■ Policies and passwords


Lab Environment
Note: Tools demonstrated in this lab are available in D:\CEHTools\CEHv8 Module 04 Enumeration

To carry out the lab, you need:
■ SuperScan tool is located at D:\CEH-Tools\CEHv8 Module 04 Enumeration\NetBIOS Enumeration Tools\SuperScan
■ You can also download the latest version of SuperScan from this link http://www.mcafee.com/us/downloads/free-tools/superscan.aspx
■ A computer running Windows Server 2012 as host machine
■ Windows 8 running on a virtual machine as target machine
■ Administrative privileges to install and run tools
■ A web browser with an Internet connection

Note: You can also download SuperScan from http://www.foundstone.com

Lab Duration
Time: 10 Minutes

Overview of NetBIOS Enumeration
1. The purpose of NetBIOS enumeration is to gather information, such as:
   a. Account lockout threshold
   b. Local groups and user accounts
   c. Global groups and user accounts
2. Restrict anonymous bypass routine and also password checking:
   a. Checks for user accounts with blank passwords
   b. Checks for user accounts with passwords that are same as the usernames in lower case

Note: SuperScan is not supported by Windows 95/98/ME.

Lab Tasks
TASK 1: Perform Enumeration

1. Double-click the SuperScan4 file. The SuperScan window appears.


Note: Windows XP Service Pack 2 has removed raw sockets support, which now limits SuperScan and many other network scanning tools. Some functionality can be restored by running the net stop Shared Access at the Windows command prompt before starting SuperScan.

Note: SuperScan features:
■ Superior scanning speed
■ Support for unlimited IP ranges
■ Improved host detection using multiple ICMP methods
■ TCP SYN scanning
■ UDP scanning (two methods)
■ IP address import supporting ranges and CIDR formats
■ Simple HTML report generation
■ Source port scanning
■ Fast hostname resolving
■ Extensive banner grabbing
■ Massive built-in port list description database
■ IP and port scan order randomization
■ A collection of useful tools (ping, traceroute, Whois etc.)
■ Extensive Windows host enumeration capability

2. Click the Windows Enumeration tab located on the top menu.
3. Enter the Hostname/IP/URL in the text box. In this lab, we have a Windows 8 virtual machine IP address. These IP addresses may vary in lab environments.
4. Check the types of enumeration you want to perform. Now, click Enumerate.

[Screenshot: SuperScan 4.0, Windows Enumeration tab, with 10.0.0.8 entered in the Hostname/IP/URL box. Enumeration types listed: NetBIOS Name Table, NULL Session, MAC Addresses, Workstation type, Users, Groups, RPC Endpoint Dump, Account Policies, Shares, Domains, Remote Time of Day, Logon Sessions, Trusted Domains, Drives, Services, Registry]

FIGURE 2.2: SuperScan main window with IP address


6. SuperScan starts enumerating the provided hostname and displays the results in the right pane of the window.

Note: You can use SuperScan to perform port scans, retrieve general network information, such as name lookups and traceroutes, and enumerate Windows host information, such as users, groups, and services.

[Screenshot: SuperScan 4.0 results pane for 10.0.0.8. It shows "NetBIOS information on 10.0.0.8" with 4 names in table (ADMIN and WORKGROUP entries of type UNIQUE and GROUP, described as Workstation service name, Server services name, and Group name) and a MAC address, followed by the sections "Attempting a NULL session connection on 10.0.0.8", "Workstation/server type on 10.0.0.8", "Users on 10.0.0.8", "Groups on 10.0.0.8", and "RPC endpoints on 10.0.0.8"]

FIGURE 2.3: SuperScan main window with results

7. Wait for a while to complete the enumeration process.
8. After the completion of the enumeration process, an Enumeration completion message displays.

Note: Your scan can be configured in the Host and Service Discovery and Scan Options tabs. The Scan Options tab lets you control such things as name resolution and banner grabbing.

[Screenshot: SuperScan 4.0 results pane for 10.0.0.8 with the sections "Shares on 10.0.0.8", "Domains on 10.0.0.8", "Remote time of day on 10.0.0.8", "Logon sessions on 10.0.0.8", "Drives on 10.0.0.8", "Trusted Domains on 10.0.0.8", "Remote services on 10.0.0.8", and "Remote registry items on 10.0.0.8", ending with "Enumeration complete"]

FIGURE 2.4: SuperScan main window with results

9. Now move the scrollbar up to see the results of the enumeration.


10. To perform a new enumeration on another host name, click the Clear button at the top right of the window. The option erases all the previous results.

Note: SuperScan has four different ICMP host discovery methods available. This is useful, because while a firewall may block ICMP echo requests, it may not block other ICMP packets, such as timestamp requests. SuperScan gives you the potential to discover more hosts.

[Screenshot: SuperScan 4.0 results pane showing RPC endpoint entries for 10.0.0.8 (Entry 25 to Entry 29), each listing Interface, Binding, Object Id, and Annotation]

FIGURE 2.5: SuperScan main window with results

Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target’s security posture and exposure.

Tool/Utility: SuperScan Tool

Information Collected/Objectives Achieved:
Enumerating Virtual Machine IP address: 10.0.0.8
Performing Enumeration Types:
■ Null Session
■ MAC Address
■ Work Station Type
■ Users
■ Groups
■ Domain
■ Account Policies
■ Registry
Output: Interface, Binding, Objective ID, and Annotation


PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. Analyze how remote registry enumeration is possible (assuming appropriate access rights have been given) and is controlled by the provided registry.txt file.
2. As far as stealth is concerned, this program, too, leaves a rather large footprint in the logs, even in SYN scan mode. Determine how you can avoid this footprint in the logs.

Internet Connection Required: □ Yes ☑ No
Platform Supported: ☑ Classroom ☑ iLabs


3
Enumerating NetBIOS Using the NetBIOS Enumerator Tool
Enumeration is the process of probing identified services for known weaknesses.

Lab Scenario
Enumeration is the first attack on a target network; enumeration is the process of gathering the information about a target machine by actively connecting to it. Discover NetBIOS name enumeration with NBTscan. Enumeration means to identify the user account, system account, and admin account. In this lab, we enumerate a machine’s user name, MAC address, and domain group. You must have sound knowledge of enumeration, a process that requires an active connection to the machine being attacked. A hacker enumerates applications and banners in addition to identifying user accounts and shared resources.


Lab Objectives
The objective of this lab is to help students learn and perform NetBIOS enumeration. The purpose of NetBIOS enumeration is to gather the following information:
■ Account lockout threshold
■ Local groups and user accounts
■ Global groups and user accounts
■ To restrict anonymous bypass routine and also password checking for user accounts with:
  • Blank passwords
  • Passwords that are same as the username in lower case

Note: Tools demonstrated in this lab are available in D:\CEHTools\CEHv8 Module 04 Enumeration

Lab Environment
To carry out the lab, you need:
■ NETBIOS Enumerator tool is located at D:\CEH-Tools\CEHv8 Module 04 Enumeration\NetBIOS Enumeration Tools\NetBIOS Enumerator
■ You can also download the latest version of NetBIOS Enumerator from the link http://nbtenum.sourceforge.net/
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ Run this tool in Windows Server 2012
■ Administrative privileges are required to run this tool

Lab Duration
Time: 10 Minutes

Overview of Enumeration
Enumeration involves making active connections, so that they can be logged. Typical information attackers look for in enumeration includes user account names for future password guessing attacks. NetBIOS Enumerator is an enumeration tool that shows how to use remote network support and to deal with some other interesting web techniques, such as SMB.
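
Added example (not part of the original lab manual): because these connections are logged, a defender can look for the null session from the Nmap lab in the Windows Security log. The Python below pairs anonymous network logons (event 4624, logon type 3, SID S-1-5-7) with anonymous access to the IPC$ share (event 5140) from the same source. The event dictionaries are constructed samples; it assumes logon and file-share auditing are enabled and that events were exported with these field names, and the 60-second pairing window is an assumed tuning value.

```python
from collections import Counter
from datetime import datetime, timedelta

ANONYMOUS_SID = "S-1-5-7"        # well-known SID of NT AUTHORITY\ANONYMOUS LOGON
WINDOW = timedelta(seconds=60)   # assumption: max gap between logon and IPC$ access

USER_SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"  # constructed SID

# Constructed sample events (not taken from a real log).
SAMPLE_EVENTS = [
    {"EventID": 4624, "TimeCreated": "2012-09-04T11:02:10", "LogonType": "3",
     "TargetUserSid": ANONYMOUS_SID, "TargetUserName": "ANONYMOUS LOGON",
     "IpAddress": "10.0.0.3"},
    {"EventID": 5140, "TimeCreated": "2012-09-04T11:02:11",
     "SubjectUserSid": ANONYMOUS_SID, "ShareName": r"\\*\IPC$",
     "IpAddress": "10.0.0.3"},
    # Authenticated user touching IPC$: normal, must not be flagged.
    {"EventID": 4624, "TimeCreated": "2012-09-04T11:03:00", "LogonType": "3",
     "TargetUserSid": USER_SID, "TargetUserName": "alice",
     "IpAddress": "10.0.0.9"},
    {"EventID": 5140, "TimeCreated": "2012-09-04T11:03:01",
     "SubjectUserSid": USER_SID, "ShareName": r"\\*\IPC$",
     "IpAddress": "10.0.0.9"},
    {"EventID": 4624, "TimeCreated": "2012-09-04T11:05:00", "LogonType": "3",
     "TargetUserSid": ANONYMOUS_SID, "TargetUserName": "ANONYMOUS LOGON",
     "IpAddress": "10.0.0.3"},
    {"EventID": 5140, "TimeCreated": "2012-09-04T11:05:02",
     "SubjectUserSid": ANONYMOUS_SID, "ShareName": r"\\*\IPC$",
     "IpAddress": "10.0.0.3"},
    # Anonymous logon with no IPC$ access recorded afterwards.
    {"EventID": 4624, "TimeCreated": "2012-09-04T11:30:00", "LogonType": "3",
     "TargetUserSid": ANONYMOUS_SID, "TargetUserName": "ANONYMOUS LOGON",
     "IpAddress": "10.0.0.12"},
]


def _when(event):
    return datetime.fromisoformat(event["TimeCreated"])


def is_anonymous_network_logon(event):
    return (event.get("EventID") == 4624
            and str(event.get("LogonType")) == "3"
            and event.get("TargetUserSid") == ANONYMOUS_SID)


def is_anonymous_ipc_access(event):
    return (event.get("EventID") == 5140
            and event.get("SubjectUserSid") == ANONYMOUS_SID
            and event.get("ShareName", "").upper().endswith("IPC$"))


def find_null_sessions(events, window=WINDOW):
    """Pair each anonymous IPC$ access with the latest anonymous logon from the
    same source inside `window`. Returns (findings, unpaired_sources)."""
    pending = {}    # source IP -> times of anonymous logons not yet paired
    findings = []
    for event in sorted(events, key=_when):
        source = event.get("IpAddress", "-")
        if is_anonymous_network_logon(event):
            pending.setdefault(source, []).append(_when(event))
        elif is_anonymous_ipc_access(event):
            accessed = _when(event)
            logons = pending.get(source, [])
            match = next((t for t in reversed(logons)
                          if timedelta(0) <= accessed - t <= window), None)
            if match is not None:
                logons.remove(match)
                findings.append({"source": source, "logon": match,
                                 "ipc_access": accessed})
    unpaired = sorted(src for src, times in pending.items() if times)
    return findings, unpaired


def count_by_source(findings):
    """Number of paired null sessions per source address."""
    return dict(Counter(f["source"] for f in findings))


if __name__ == "__main__":
    found, leftover = find_null_sessions(SAMPLE_EVENTS)
    for src, n in count_by_source(found).items():
        print(f"{src}: {n} anonymous IPC$ session(s)")
    print("anonymous logons without IPC$ access:", leftover)
```

Sources that repeat the pattern are the ones to review first; the hosts listed as unpaired only logged an anonymous logon and may be ordinary browsing traffic.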

Lab Tasks
TASK 1: Performing Enumeration using NetBIOS Enumerator

1. To launch NetBIOS Enumerator go to D:\CEH-Tools\CEHv8 Module 04 Enumeration\NetBIOS Enumeration Tools\NetBIOS Enumerator, and double-click NetBIOS Enumerater.exe.

[Screenshot: NetBIOS Enumerator main window with empty "IP range to scan" from and to fields, the Scan, Clear, and Settings buttons, "Your local ip: 10.0.0.7", and an empty Debug window]

Note: NetBIOS is designed to help troubleshoot NetBIOS name resolution problems. When a network is functioning normally, NetBIOS over TCP/IP (NetBT) resolves NetBIOS names to IP addresses.

FIGURE 3.1: NetBIOS Enumerator main window


2. In the IP range to scan section at the top left of the window, enter an IP range in from and to text fields.
3. Click Scan.

Note: NetBIOS Enumerator features:
■ Added port scan
■ GUI - ports can be added, deleted, edited
■ Dynamic memory management
■ Threaded work (64 ports scanned at once)

Note: Network function SMB scanning is also implemented and running.

[Screenshot: NetBIOS Enumerator with an IP range starting at 10.0.0.1 entered in the "IP range to scan" fields; "Your local ip: 10.0.0.7"]

FIGURE 3.2: NetBIOS Enumerator with IP range to scan

4. NetBIOS Enumerator starts scanning for the range of IP addresses provided.

Note: The network function, NetServerGetInfo, is also implemented in this tool.

5. After the completion of scanning, the results are displayed in the left pane of the window.
6. A Debug window section, located in the right pane, shows the scanning of the inserted IP range and displays Ready! after completion of the scan.


NetBIOS Enumerator results pane (the Debug window shows "Scanning from: … to: 10.0.0.50" and "Ready!"):

    10.0.0.3 [WIN-ULY858KHQIP]
        NetBIOS Names (3)
            WIN-ULY858KHQIP - Workstation Service
            WORKGROUP - Domain Name
            WIN-ULY858KHQIP - File Server Service
        Username: (No one logged on)
        Domain: WORKGROUP
        Round Trip Time (RTT): 3 ms - Time To Live (TTL): …
    10.0.0.6 [ADMIN-PC]
        NetBIOS Names (6)
            ADMIN-PC - Workstation Service
            WORKGROUP - Domain Name
            ADMIN-PC - File Server Service
            WORKGROUP - Potential Master Browser
            WORKGROUP - Master Browser
            □□__MSBROWSE__□□ - Master Browser
        Username: (No one logged on)
        Domain: WORKGROUP
        Round Trip Time (RTT): 0 ms - Time To Live (TTL): …
    10.0.0.7 [WIN-D39MR5HL9E4]
        NetBIOS Names (3)
        Username: (No one logged on)
        Domain: WORKGROUP
        Round Trip Time (RTT): 0 ms - Time To Live (TTL): …

Note: The protocol SNMP is implemented and running on all versions of Windows.

FIGURE 3.3: NetBIOS Enumerator results

7. To perform a new scan or rescan, click Clear.
8. If you are going to perform a new scan, the previous scan results are erased.

Lab Analysis
Analyze and document the results related to the lab exercise.

Tool/Utility: NetBIOS Enumerator Tool

Information Collected/Objectives Achieved:
IP Address Range: 10.0.0.1 - 10.0.0.50
Result:
■ Machine Name
■ NetBIOS Names
■ User Name
■ Domain
■ MAC Address
■ Round Trip Time (RTT)


PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Internet Connection Required: □ Yes ☑ No
Platform Supported: ☑ Classroom ☑ iLabs


Enumerating a Network Using SoftPerfect Network Scanner
SoftPerfect Network Scanner is a free multi-threaded IP, NetBIOS, and SNMP scanner with a modern interface and many advanced features.

Lab Scenario
To be an expert ethical hacker and penetration tester, you must have sound knowledge of enumeration, which requires an active connection to the machine being attacked. A hacker enumerates applications and banners in addition to identifying user accounts and shared resources. In this lab we try to resolve host names and auto-detect your local and external IP range.


Lab Objectives
The objective of this lab is to help students learn and perform NetBIOS enumeration. NetBIOS enumeration is carried out to detect:
■ Hardware MAC addresses across routers
■ Hidden shared folders and writable ones
■ Internal and external IP address

Note: Tools demonstrated in this lab are available in D:\CEHTools\CEHv8 Module 04 Enumeration

Lab Environment
To carry out the lab, you need:
■ SoftPerfect Network Scanner is located at D:\CEH-Tools\CEHv8 Module 04 Enumeration\SNMP Enumeration Tools\SoftPerfect Network Scanner
■ You can also download the latest version of SoftPerfect Network Scanner from the link http://www.softperfect.com/products/networkscanner/
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ Run this tool in Windows 2012 server
■ Administrative privileges are required to run this tool

Note: You can also download SoftPerfect Network Scanner from http://www.SoftPerfect.com.

Lab Duration
Time: 5 Minutes

Overview of Enumeration
Enumeration involves an active connection so that it can be logged. Typical information that attackers are looking for includes user account names for future password-guessing attacks.

Lab Task
TASK 1: Enumerate Network

1. To launch SoftPerfect Network Scanner, navigate to D:\CEH-Tools\CEHv8 Module 04 Enumeration\SNMP Enumeration Tools\SoftPerfect Network Scanner
2. Double-click netscan.exe

SoftPerfect allows you to mount shared folders as network drives, browse them using Windows Explorer, and filter the results list.

FIGURE 4.1: SoftPerfect Network Scanner main window

3. To start scanning your network, enter an IP range in the Range From field and click Start Scanning.

FIGURE 4.2: SoftPerfect setting an IP range to scan

4. The status bar displays the status of the scanned IP addresses at the bottom of the window.

SoftPerfect Network Scanner can also check for a user-defined port and report if one is open. It can also resolve host names and auto-detect your local and external IP range. It supports remote shutdown and Wake-On-LAN.

FIGURE 4.3: SoftPerfect status bar

5. To view the properties of an individual IP address, right-click that particular IP address.

FIGURE 4.4: SoftPerfect IP address scanned details

Lab Analysis
Analyze and document the results related to the lab exercise.

Tool/Utility: SoftPerfect Network Scanner
Information Collected/Objectives Achieved:
IP Address Range: 10.0.0.1 - 10.0.0.50
Result:
■ IP Address
■ Host Names
■ MAC Address
■ Response Time

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. Examine the detection of the IP addresses and MAC addresses across routers.
2. Evaluate the scans for listening ports and some UDP and SNMP services.
3. How would you launch external third-party applications?

Internet Connection Required: □ Yes ☑ No
Platform Supported: ☑ Classroom ☑ iLabs

Enumerating a Network Using SolarWinds Toolset
The SolarWinds Toolset provides the tools you need as a network engineer or network consultant to get your job done. Toolset includes best-of-breed solutions that work simply and precisely, providing the diagnostic, performance, and bandwidth measurements you want, without extraneous, unnecessary features.

Lab Scenario
Penetration testing is much more than just running exploits against vulnerable systems like we learned in the previous module. In fact a penetration test begins before penetration testers have even made contact with the victim systems. Rather than blindly throwing out exploits and praying that one of them returns a shell, penetration testers meticulously study the environment for potential weaknesses and their mitigating factors. By the time a penetration tester runs an exploit, he or she is nearly certain that it will be successful. Since failed exploits can in some cases cause a crash or even damage to a victim system, or at the very least make the victim unexploitable in the future, penetration testers who fire exploits blindly won't get the best results. In this lab we enumerate target system services, accounts, hub ports, TCP/IP network, and routes. You must have sound knowledge of enumeration, which requires an active connection to the machine being attacked. A hacker enumerates applications and banners in addition to identifying user accounts and shared resources.

Lab Objectives
The objective of this lab is to help students learn and perform NetBIOS enumeration. NetBIOS enumeration is carried out to detect:
■ Hardware MAC addresses across routers
■ Hidden shared folders and writable ones
■ Internal and external IP addresses

Lab Environment
To carry out the lab, you need:
■ SolarWinds-Toolset-V10 located at D:\CEH-Tools\CEHv8 Module 04 Enumeration\SNMP Enumeration Tools\SolarWind’s IP Network Browser
■ You can also download the latest version of SolarWinds Toolset Scanner from the link http://www.solarwinds.com/
■ If you decide to download the latest version, then screenshots shown in the lab might differ
■ Run this tool in Windows Server 2012 Host machine and Windows Server 2008 virtual machine
■ Administrative privileges are required to run this tool
■ Follow the wizard-driven installation instructions

You can also download SoftPerfect Network Scanner from http://www.solarwinds.com

Lab Duration
Time: 5 Minutes

Overview of Enumeration
Enumeration involves an active connection so that it can be logged. Typical information that attackers are looking for includes user account names for future password guessing attacks.

Lab Task
TASK 1: Enumerate Network

1. Configure SNMP services and select Start -> Control Panel -> Administrative Tools -> Services.

Cut troubleshooting time in half using the Workspace Studio, which puts the tools you need for common situations at your fingertips.

FIGURE 5.1: Setting SNMP Services

2. Double-click SNMP service.
3. Click the Security tab, and click Add... The SNMP Services Configuration window appears. Select READ ONLY from Community rights and Public in Community Name, and click Add.

Monitor and alert in real time on network availability and health with tools including RealTime Interface Monitor, SNMP Real-Time Graph, and Advanced CPU Load.

FIGURE 5.2: Configuring SNMP Services

4. Select Accept SNMP packets from any host, and click OK.

FIGURE 5.3: setting SNMP Services

5. Install SolarWinds-Toolset-V10, located in D:\CEH-Tools\CEHv8 Module 04 Enumeration\SNMP Enumeration Tools\SolarWind’s IP Network Browser.
6. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.

FIGURE 5.4: Windows Server 2012 - Desktop view

Perform robust network diagnostics for troubleshooting and quickly resolving complex network issues with tools such as Ping Sweep, DNS Analyzer, and Trace Route.

7. Click the Workspace Studio app to open the SolarWinds Workspace Studio window.

FIGURE 5.5: Windows Server 2012 - Apps

6. The main window of SolarWinds Workspace Studio is shown in the following figure.

FIGURE 5.6: SolarWinds Workspace Studio main window

7. Click External Tools, and then select Classic tools -> Network Discovery -> IP Network Browser.

Deploy an array of network discovery tools including Port Scanner, Switch Port Mapper, and Advanced Subnet Calculator.

FIGURE 5.7: Menu Escalation for IP network browser

8. IP Network Browser will be shown. Enter the Windows 8 Virtual Machine IP address (10.0.0.7) and click Scan Device (the IP address will be different in your network).

SolarWinds Toolset applications use several methods to collect data about the health and performance of your network, including ICMP, SNMPv3, DNS and Syslog. Toolset does NOT require deployment of proprietary agents, appliances, or garden gnomes on the network.

FIGURE 5.8: IP Network Browser windows

9. It will show the result in a line with the IP address and name of the computer that is being scanned.
10. Now click the Plus (+) sign before the IP address.

NetFlow Realtime is intended for granular, real-time troubleshooting and analysis of NetFlow statistics on single interface and is limited to a 1 hour capture.

FIGURE 5.9: IP Network Browser windows results page

11. It will list all the information of the targeted IP address.

To start a new tab, go to ‘tabs’ on the menu bar and choose ‘new tab.’ Right-click on a tab to bring up options (Import, Export, Rename, Save, Close). You can add tools to tabs from the Gadgets box in the lower left or directly from the gadgets menu. A good way to approach it is to collect all the tools you need for a given task (troubleshooting Internet connectivity, for example) on one tab. Next time you face that situation simply open that tab.

FIGURE 5.10: IP Network Browser windows results page
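
The agent settings chosen in steps 2 to 4 (community name public, Accept SNMP packets from any host) are what let the IP Network Browser scan succeed, so they are also the settings a defender audits. The following PowerShell is an added example, not part of the lab manual or of any SolarWinds tool; the function names and sample values are constructed for illustration, and the registry paths are the ones the Windows SNMP service uses for its Security tab.

```powershell
# Added example: audit the Windows SNMP agent settings from steps 2-4.
# Function names and sample data are hypothetical; the registry locations
# are where the Windows SNMP service stores its Security tab settings.
$SnmpParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\SNMP\Parameters'

# REG_DWORD rights stored per community name under ValidCommunities.
$RightsNames = @{ 1 = 'NONE'; 2 = 'NOTIFY'; 4 = 'READ ONLY'; 8 = 'READ WRITE'; 16 = 'READ CREATE' }

# Community names that enumeration tools try by default.
$DefaultCommunities = @('public', 'private')

function Get-RegistryValueMap {
    # Returns value-name -> data for a key, or an empty table if the key is absent.
    param([string]$Path)
    $map = @{}
    if (Test-Path -Path $Path) {
        $key = Get-Item -Path $Path
        foreach ($name in $key.GetValueNames()) { $map[$name] = $key.GetValue($name) }
    }
    return $map
}

function Test-SnmpExposure {
    param(
        [hashtable]$ValidCommunities,    # community name -> rights DWORD
        [hashtable]$PermittedManagers    # "1", "2", ... -> allowed manager host
    )
    $findings = @()
    foreach ($name in $ValidCommunities.Keys) {
        $rights = [int]$ValidCommunities[$name]
        $label  = $RightsNames[$rights]
        if (-not $label) { $label = "unknown ($rights)" }
        # -contains is case-insensitive, so 'Public' and 'public' both match.
        if ($DefaultCommunities -contains $name) {
            $findings += "Default community '$name' ($label) is accepted"
        }
        if ($rights -ge 8) {
            $findings += "Community '$name' grants $label; use READ ONLY unless writes are needed"
        }
    }
    # An empty PermittedManagers key is the 'Accept SNMP packets from any host' setting.
    if ($ValidCommunities.Count -gt 0 -and $PermittedManagers.Count -eq 0) {
        $findings += 'No permitted managers listed: SNMP packets are accepted from any host'
    }
    return ,$findings
}

# Constructed sample 1: the lab's settings (public, READ ONLY, any host).
$lab = Test-SnmpExposure -ValidCommunities @{ 'public' = 4 } -PermittedManagers @{}

# Constructed sample 2: a restricted agent (placeholder community and manager names).
$restricted = Test-SnmpExposure -ValidCommunities @{ 'example-ro-string' = 4 } `
                                -PermittedManagers @{ '1' = 'nms01.example.test' }

"Lab configuration: $($lab.Count) finding(s)"
$lab | ForEach-Object { "  - $_" }
"Restricted configuration: $($restricted.Count) finding(s)"

# Live check of the local machine; prints nothing where the SNMP service is not installed.
$live = Test-SnmpExposure `
    -ValidCommunities  (Get-RegistryValueMap "$SnmpParams\ValidCommunities") `
    -PermittedManagers (Get-RegistryValueMap "$SnmpParams\PermittedManagers")
$live | ForEach-Object { "Local agent: $_" }
```

Where SNMP must stay enabled, the corrected state is a non-default community string with READ ONLY rights and an explicit manager list under "Accept SNMP packets from these hosts".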

Lab Analysis
Analyze and document the results related to the lab exercise.

Tool/Utility: SolarWinds Tool Set
Information Collected/Objectives Achieved:
Scan Device IP Address: 10.0.0.7
Output:
■ Interfaces
■ Services
■ Accounts
■ Shares
■ Hub Ports
■ TCP/IP Network
■ IPX Network
■ Routes

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. Analyze the details of the system such as user accounts, system MSI, hub ports, etc.
2. Find the IP address and MAC address of the system.

Internet Connection Required: □ Yes ☑ No
Platform Supported: ☑ Classroom ☑ iLabs

Enumerating the System Using Hyena
Hyena uses an Explorer-style interface for all operations, including right mouse click pop-up context menus for all objects. Management of users, groups (both local and global), shares, domains, computers, services, devices, events, files, printers and print jobs, sessions, open files, disk space, user rights, messaging, exporting, job scheduling, processes, and printing are all supported.

Lab Scenario
The hacker enumerates applications and banners in addition to identifying user accounts and shared resources. In this lab, Hyena uses an Explorer-style interface for all operations. Management of users, groups (both local and global), shares, domains, computers, services, devices, events, files, printers and print jobs, sessions, open files, disk space, user rights, messaging, exporting, job scheduling, processes, and printing are all supported. To be an expert ethical hacker and penetration tester, you must have sound knowledge of enumeration, which requires an active connection to the machine being attacked.

Lab Objectives
The objective of this lab is to help students learn and perform network enumeration:
■ Users information in the system
■ Services running in the system

Lab Environment
To perform the lab, you need:
■ A computer running Windows Server 2012
■ Administrative privileges to install and run tools
■ You can also download this tool from the following link http://www.systemtools.com/hyena/download.htm
■ If you decide to download the latest version of this tool, screenshots may differ

Lab Duration
Time: 10 Minutes

Overview of Enumeration
Enumeration is the process of extracting user names, machine names, network resources, shares, and services from a system. Enumeration techniques are conducted in an intranet environment.

Lab Tasks
The basic idea in this section is to:

TASK 1: Installation of Hyena

1. Navigate to D:\CEH-Tools\CEHv8 Module 04 Enumeration\NetBIO Enumeration Tools\Hyena
2. Double-click Hyena_English_x64.exe. You can see the following window. Click Next

You can download the Hyena from http://www.systemtools.com/hyena/hyena_new.htm

FIGURE 6.1: Installation of Hyena

3. The Software License Agreement window appears; you must accept the agreement to install Hyena.
4. Select I accept the terms of the license agreement to continue and click Next.

FIGURE 6.2: Select the Agreement

5. Choose the destination location to install Hyena.
6. Click Next to continue the installation.

In addition to supporting standard Windows system management functions, Hyena also includes extensive Active Directory integration.

FIGURE 6.3: Selecting folder for installation

7. The Ready to install the Program window appears. Click Install

Hyena can be used on any Windows client to manage any Windows NT, Windows 2000, Windows XP/Vista, Windows 7, or Windows Server 2003/2008/2012 installation.

FIGURE 6.4: selecting installation type

8. The InstallShield Wizard complete window appears. Click Finish to complete the installation.

FIGURE 6.5: Ready to install window

Enumerating System Information

9. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.

FIGURE 6.6: Windows Server 2012 - Desktop view

Hyena also includes full exporting capabilities and both Microsoft Access and Excel reporting and exporting options.

10. Click the Hyena app to open the Hyena window.

FIGURE 6.7: Windows Server 2012 - Apps

11. The Registration window will appear. Click OK to continue.
12. The main window of Hyena is shown in the following figure.

13. Click + to expand Local workstation, and then click Users.

Additional command-line options were added to allow starting Hyena and automatically inserting and selecting/expanding a domain, server, or computer.

FIGURE 6.9: Expand the System users

14. To check the services running on the system, double-click Services

FIGURE 6.10: Services running in the system

15. To check the User Rights, click + to expand it.

FIGURE 6.11: Users Rights

16. To check the Scheduled jobs, click + to expand it.

Hyena will execute the most current Group Policy editor, GPME.msc, if it is present on the system.

FIGURE 6.12: Scheduled jobs

Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target’s security posture and exposure.

Tool/Utility: Hyena
Information Collected/Objectives Achieved:
Intention: Enumerating the system
Output:
■ Local Connections
■ Users
■ Local Group
■ Shares
■ Shares
■ Sessions
■ Services
■ Events
■ User Rights
■ Performance
■ Registry

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Internet Connection Required: □ Yes ☑ No
Platform Supported: ☑ Classroom ☑ iLabs