CEH Certified Ethical Hacker
Module 04: Enumeration

Module Objectives

In the previous modules, you learned about footprinting and scanning networks. The next phase is enumeration. This module starts with an introduction to enumeration concepts. The module provides an insight into different techniques for NetBIOS, SNMP, LDAP, NTP, SMTP, DNS, IPsec, VoIP, RPC, and Linux/Unix enumeration. Later the module discusses enumeration countermeasures. The module ends with an overview of pen testing steps that an ethical hacker should follow to perform a security assessment of a target.

At the end of this module, you will be able to:
- Describe the enumeration concepts
- Explain different techniques for NetBIOS enumeration
- Explain different techniques for SNMP enumeration
- Explain different techniques for LDAP enumeration
- Explain different techniques for NTP enumeration
- Explain different techniques for SMTP and DNS enumeration
- Explain other enumerations such as IPsec, VoIP, RPC, and Linux/Unix enumeration
- Apply enumeration countermeasures
- Perform enumeration penetration testing

Enumeration Concepts

Each section of this module deals with different services and ports to enumerate. Before beginning with the actual enumeration process, we will discuss enumeration concepts.

What is Enumeration?

Enumeration is the process of extracting user names, machine names, network resources, shares, and services from a system or network. In the enumeration phase, the attacker creates active connections with the system and performs directed queries to gain more information about the target.

Attackers use the information collected by means of enumeration to identify the vulnerabilities or weak points in the system security, which helps them exploit the target system. It allows attackers to perform password attacks to gain unauthorized access to information system resources. Enumeration techniques work in an intranet environment. Enumeration allows you to collect the following information:
- Network resources
- Network shares
- Routing tables
- Audit and service settings
- SNMP and FQDN details
- Machine names
- Users and groups
- Applications and banners

During enumeration, attackers may stumble upon a remote IPC share, such as IPC$ in Windows, which they can probe further for null sessions to collect information about other shares and system accounts.

The previous modules highlighted how attackers gather necessary information about a target without really getting on the wrong side of the legal barrier. However, enumeration activities may be illegal depending on the organization's policies and any laws that are in effect. As an ethical hacker or pen tester, you should always acquire proper authorization before performing enumeration.

Techniques for Enumeration

To extract information about a target:

- Extract user names using email IDs
  Every email address contains two parts: the user name and the domain name. The structure of an email address is username@domainname. Consider abc@gmail.com; in this email address, "abc" (the string of characters preceding the '@' symbol) is the user name and "gmail.com" (the string of characters following the '@' symbol) is the domain name.

- Extract information using default passwords
  Many online resources provide a list of default passwords assigned by manufacturers to their products. Users often neglect to change the default usernames and passwords provided by the manufacturer or developer of a product. This eases the task of an attacker in enumerating and exploiting the target system.

- Brute force Active Directory
  Microsoft Active Directory is susceptible to a username enumeration at the time of user-supplied input verification. This is a design error in the Microsoft Active Directory implementation. If a user enables the "logon hours" feature, then all the attempts at service authentication result in different error messages. Attackers take advantage of this to enumerate valid user names. An attacker who succeeds in extracting valid user names can conduct a brute-force attack to crack the respective passwords.

- Extract information using DNS Zone Transfer
  A network administrator can use DNS Zone Transfer to replicate Domain Name System (DNS) data across a number of DNS servers, or to back up DNS files. The administrator needs to execute a specific zone transfer request to the name server. If the name server permits zone transfer, it will convert all the DNS names and IP addresses hosted by that server to ASCII text. If the network administrators did not configure the DNS server properly, the DNS zone transfer is an effective method to obtain information about the organization's network. This information may include a list of all named hosts, sub-zones, and related IP addresses. A user can perform a DNS zone transfer using nslookup.

- Extract user groups from Windows
  To extract user groups from Windows, the attacker should have a registered ID as a user in the Active Directory. The attacker can then extract information from groups in which the user is a member by using the Windows interface or the command line method.

- Extract user names using SNMP
  Attackers can easily guess the read-only or read-write community strings using the SNMP API to extract user names.
Services and Ports to Enumerate

Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) manage data communications between terminals in a network.

TCP is a connection-oriented protocol. It is capable of carrying messages or email over the Internet. It provides a reliable multi-process communication service in a multinetwork environment. The features and functions of TCP include:
- Supports acknowledgement for received data through a sliding window acknowledgement system
- Provides automatic retransmission of lost or unacknowledged data
- Provides addressing and multiplexing of data
- Capability to establish, manage, and terminate the connection
- Offers quality of service transmission
- Provides congestion management and flow control

UDP is a connectionless protocol, which provides unreliable service. It carries short messages over a computer network. Applications include:
- Streaming audio
- Video and teleconferencing

Services and TCP/UDP ports to enumerate might include:

- TCP/UDP 53: DNS Zone Transfer
  The DNS resolution process establishes communication between DNS clients and DNS servers. DNS clients send DNS messages to DNS servers listening on UDP port 53. In case the DNS message size exceeds the default size of UDP (512 octets), the response contains only the data that UDP can accommodate, and the DNS server sets a flag to indicate the truncated response. The DNS client can then resend the request via TCP over port 53 to the DNS server. In this approach, the DNS server uses UDP as the default protocol and, in case of lengthy queries where UDP fails, uses TCP as a backup failover solution. Some malware such as the ADM worm, Bonk Trojan, etc. use port 53 to exploit vulnerabilities within DNS servers. This can help intruders to launch attacks.

- TCP/UDP 135: Microsoft RPC Endpoint Mapper
  Source: https://technet.microsoft.com
  RPC is a protocol used by a client system to request a service from the server. An endpoint is the protocol port on which the server listens for the client's remote procedure calls. The RPC endpoint mapper enables RPC clients to determine the port number currently assigned to a specific RPC service. There is a flaw in the part of RPC that exchanges messages over TCP/IP. Failure results due to the incorrect handling of malformed messages. This affects the RPC endpoint mapper that listens on TCP/IP port 135. This vulnerability could allow an attacker to send RPC messages to the RPC Endpoint Mapper process on a server, in order to launch a Denial of Service (DoS) attack.

- UDP 137: NetBIOS Name Service (NBNS)
  NBNS, also known as Windows Internet Name Service (WINS), provides name resolution service for computers running NetBIOS. NetBIOS Name Servers maintain a database of the NetBIOS names for hosts and the corresponding IP addresses the hosts are using. The job of NBNS is to match IP addresses with NetBIOS names and queries. Attackers usually attack the name service first. Typically, NBNS uses UDP 137 as its transport protocol; it can also use TCP 137 as its transport protocol for a few operations, though this might never happen in practice.

- TCP 139: NetBIOS Session Service (SMB over NetBIOS)
  This is perhaps the most well-known Windows port. It is used to transfer files over a network. Systems use this port for both NULL session establishment and file and printer sharing. A system administrator considering restricting access to ports on a Windows system should make TCP 139 a top priority. An improperly configured TCP 139 port can allow an intruder to gain unauthorized access to critical system files or the complete file system, resulting in data theft or other malicious activities.

- TCP/UDP 445: SMB over TCP (Direct Host)
  Windows supports file and printer sharing traffic using the Server Message Block (SMB) protocol directly hosted on TCP. In earlier OSs, SMB traffic required the NetBIOS over TCP (NBT) protocol to work on a TCP/IP transport. Direct hosted SMB traffic uses port 445 (TCP and UDP) instead of NetBIOS.

- UDP 161: Simple Network Management Protocol (SNMP)
  Simple Network Management Protocol (SNMP) is widely used in network management systems to monitor network-attached devices such as routers, switches, firewalls, printers, servers, etc. It consists of a manager and agents. The agent receives requests on port 161 from the managers, and responds to the managers on port 162.

- TCP/UDP 389: Lightweight Directory Access Protocol (LDAP)
  LDAP is a protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network. By default, LDAP uses TCP or UDP as its transport protocol over port 389.

- TCP/UDP 3268: Global Catalog Service
  Microsoft's Global Catalog Server, a domain controller that stores extra information, uses port 3268; its database contains rows for every object in the entire organization instead of rows for only the objects in one domain. Global Catalog allows one to locate objects from any domain without having to know the domain name. LDAP in Global Catalog Server uses port 3268. This service listens on port 3268 through a TCP connection. Administrators use port 3268 for troubleshooting issues in the Global Catalog by connecting to it using LDP.

- TCP 25: Simple Mail Transfer Protocol (SMTP)
  SMTP is a TCP/IP mail delivery protocol. It transfers email across the Internet and across the local network. It runs on the connection-oriented service provided by Transmission Control Protocol (TCP), and it uses well-known port number 25.
  Some of the commands used by SMTP and their respective syntax:
    Hello    HELO <domain>
    Expand   EXPN <string>
    Help     HELP [<string>]

- TCP/UDP 162: SNMP Trap
  Simple Network Management Protocol Trap (SNMP Trap) uses TCP/UDP port 162 to receive notifications such as optional variable bindings, sysUpTime value, etc. from agent to manager.

- UDP 500: ISAKMP/Internet Key Exchange (IKE)
  Internet Security Association and Key Management Protocol (ISAKMP) / Internet Key Exchange (IKE) is the protocol used to set up a security association (SA) in the IPsec protocol suite. It uses UDP port 500 to establish, negotiate, modify and delete Security Associations (SA) and cryptographic keys in a VPN environment.

- TCP/UDP 5060, 5061: Session Initiation Protocol (SIP)
  Session Initiation Protocol (SIP) is a protocol used in the applications of Internet telephony for voice and video calls. It typically uses TCP/UDP port 5060 (non-encrypted signaling traffic) or 5061 (encrypted traffic with TLS) for SIP to servers and other end points.

NetBIOS Enumeration

So far, we have discussed enumeration concepts and resources that provide valuable information. To enumerate the target network, consider NetBIOS first, as it extracts a lot of sensitive information about the target such as users, network shares, etc. This section describes NetBIOS enumeration, the information obtained, and various NetBIOS enumeration tools.

The first step in enumerating a Windows system is to take advantage of the NetBIOS API. NetBIOS stands for Network Basic Input Output System.
It was originally an Application Programming Interface (API) for client software to access LAN resources. Windows uses NetBIOS for file and printer sharing. The NetBIOS name is a unique computer name assigned to Windows systems and is a 16-character ASCII string used to identify the network devices over TCP/IP; 15 characters are used for the device name and the 16th is reserved for the service or name record type. NetBIOS uses UDP port 137 (name services), UDP port 138 (datagram services), and TCP port 139 (session services). Attackers usually target the NetBIOS service, as it is easy to exploit and runs on Windows systems even when not in use.

Attackers use NetBIOS enumeration to obtain:
- List of computers that belong to a domain
- List of shares on the individual hosts in the network
- Policies and passwords

An attacker who finds a Windows OS with port 139 open can check to see what resources can be accessed or viewed on the remote system. However, to enumerate the NetBIOS names, the remote system must have enabled file and printer sharing. NetBIOS enumeration may enable an attacker to read or write to the remote computer system, depending on the availability of shares, or launch a DoS.

NetBIOS name list:
  Name          NetBIOS Code   Type     Information Obtained
  <host name>   <00>           UNIQUE   Hostname
  <domain>      <00>           GROUP    Domain name
  <host name>   <03>           UNIQUE   Messenger service running for that computer
  <username>    <03>           UNIQUE   Messenger service running for that individual logged-in user
  <host name>   <20>           UNIQUE   Server service running
  <domain>      <1D>           GROUP    Master browser name for the subnet
  <domain>      <1B>           UNIQUE   Domain master browser name, identifies the Primary Domain Controller (PDC) for that domain

Note: Microsoft does not support NetBIOS name resolution for Internet Protocol Version 6 (IPv6).

Nbtstat Utility
Source: https://technet.microsoft.com

Nbtstat is a Windows utility that helps in troubleshooting NetBIOS name resolution problems. The nbtstat command removes and corrects preloaded entries using a number of case-sensitive switches. Nbtstat displays NetBIOS over TCP/IP (NetBT) protocol statistics, NetBIOS name tables for both the local and remote computers, and the NetBIOS name cache. Nbtstat allows a refresh of the NetBIOS name cache and the names registered with Windows Internet Name Service (WINS). Entering the nbtstat command without parameters displays help.

Nbtstat syntax:
  nbtstat [-a RemoteName] [-A IPAddress] [-c] [-n] [-r] [-R] [-RR] [-s] [-S] [interval]

The table below shows the nbtstat parameters and their respective functions:
  -a RemoteName   Displays the NetBIOS name table of a remote computer, where RemoteName is the NetBIOS computer name of the remote computer.
  -A IPAddress    Displays the NetBIOS name table of a remote computer, specified by the IP address (in dotted decimal notation) of the remote computer.
  -c              Lists the contents of the NetBIOS name cache, the table of NetBIOS names and their resolved IP addresses.
  -n              Displays the names registered locally by NetBIOS applications such as the server and redirector.
  -r              Displays a count of all names resolved by broadcast or WINS server.
  -R              Purges the name cache and reloads all #PRE entries from LMHOSTS.
  -RR             Releases and reregisters all names with the name server.
  -s              Lists the NetBIOS sessions table, converting destination IP addresses to computer NetBIOS names.
  -S              Lists the current NetBIOS sessions and their status with the IP addresses.
  interval        Redisplays selected statistics, pausing the number of seconds specified in interval between each display.

Nbtstat examples:
- Run the nbtstat command "nbtstat.exe -c" to get the contents of the NetBIOS name cache, the table of NetBIOS names, and their resolved IP addresses.
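A defender-side parser for the name table that "nbtstat -A" returns, written as an added example (not code from the module or from nbtstat): it maps each <xx> record to the service listed in the NetBIOS name table above so an administrator can check which hosts advertise the Server service, the Messenger service or browser roles against the asset inventory. The sample output, host names and addresses are constructed.

```python
"""Classify the NetBIOS name table that nbtstat -A prints for a host.

Added example, not part of the module text or of nbtstat itself. The
suffix meanings come from the NetBIOS name table above; the sample output
is constructed in nbtstat's format, not captured from a real machine.
"""
import re

# <xx> suffix -> service, from the NetBIOS name table above. <00> depends on
# the record type: UNIQUE is the host name, GROUP is the domain name.
SUFFIX_MEANING = {
    "03": "Messenger service running",
    "20": "Server service running (file and printer sharing)",
    "1D": "Master browser name for the subnet",
    "1B": "Domain master browser name (PDC for that domain)",
}

# One name-table row: NAME <xx> UNIQUE|GROUP Status
ROW_RE = re.compile(
    r"^\s*(?P<name>\S+)\s+<(?P<suffix>[0-9A-F]{2})>\s+(?P<type>UNIQUE|GROUP)\s+(?P<status>\w+)"
)

# Constructed sample in nbtstat -A format (addresses are documentation ranges).
# The <1E> row is deliberately a suffix the table above does not list.
SAMPLE_OUTPUT = """\
Node IpAddress: [192.0.2.25] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    FILESRV01      <00>  UNIQUE      Registered
    EXAMPLE        <00>  GROUP       Registered
    FILESRV01      <20>  UNIQUE      Registered
    FILESRV01      <03>  UNIQUE      Registered
    EXAMPLE        <1D>  GROUP       Registered
    EXAMPLE        <1B>  UNIQUE      Registered
    EXAMPLE        <1E>  GROUP       Registered

    MAC Address = 00-00-5E-00-53-01
"""


def parse_name_table(text):
    """Return one (name, suffix, type, meaning) tuple per name record."""
    records = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # headers, separator, MAC address line
        suffix, ntype = m["suffix"], m["type"]
        if suffix == "00":
            meaning = "Hostname" if ntype == "UNIQUE" else "Domain name"
        else:
            meaning = SUFFIX_MEANING.get(suffix, "Other/unknown record type")
        records.append((m["name"], suffix, ntype, meaning))
    return records


def summarise_host(records):
    """Reduce the records to what an administrator compares with the inventory:
    the host name, its domain, and the enumerable services it advertises."""
    summary = {"hostname": None, "domain": None, "services": []}
    for name, suffix, ntype, meaning in records:
        if suffix == "00":
            summary["hostname" if ntype == "UNIQUE" else "domain"] = name
        elif suffix in SUFFIX_MEANING:
            summary["services"].append(meaning)
    return summary


if __name__ == "__main__":
    for rec in parse_name_table(SAMPLE_OUTPUT):
        print(rec)
    print(summarise_host(parse_name_table(SAMPLE_OUTPUT)))
```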
- Run the nbtstat command "nbtstat.exe -a RemoteName" to get the NetBIOS name table of a remote computer.

Figure 4.2: nbtstat command to obtain the name table of a remote system

NetBIOS Enumeration Tools

NetBIOS enumeration tools explore and scan the network within a given range of IP addresses and lists of computers to identify security loopholes or flaws present in networked systems. These tools also enumerate OS, users, groups, SIDs, password policies, services, service packs and hotfixes, NetBIOS shares, transports, sessions, disks and security event logs.

- Hyena
  Source: https://www.systemtools.com
  Hyena manages and secures Windows operating systems. It uses a Windows Explorer-style interface for all operations. It supports management of users, groups (both local and global), shares, domains, computers, services, devices, events, files, printers, print jobs, sessions, open files, disk space, user rights, messaging, exporting, job scheduling, processes, and printing. It shows shares and user logon names for Windows servers and domain controllers. It displays a graphical representation of Microsoft Terminal Services, Microsoft Windows Network, Web Client Network, etc.
  Features:
  - Active Task Matching Options: Added Key match option to Active Task when performing Active Directory update tasks. The new key option allows any unique directory attribute to be used as a 'match' field when updating directory objects.
  - Group Member Matrix: Presents all members of multiple groups in a simple grid, including direct, indirect (nested), and primary membership.
  - Active Editor Improvements: The new release of Hyena includes new feature enhancements to the Editor, including support for multi-valued attributes and account expiration date, as well as multi-selection and update capabilities.

Some of the enumeration tools are listed below:
- Nsauditor Network Security Auditor (https://www.nsauditor.com)
- NetScanTools Pro (https://www.netscantools.com)
- SoftPerfect Network Scanner (https://www.softperfect.com)
- SuperScan (https://www.mcafee.com)
- NetBIOS Enumerator (http://nbtenum.sourceforge.net)
- Nbtscan (http://www.unixwiz.net)
- IP Tools (https://www.ks-soft.net)
- MegaPing (http://www.magnetosoft.com)

Enumerating User Accounts
Source: https://docs.microsoft.com

Enumerating user accounts using the PsTools suite helps to control and manage remote systems from the command line. Commands for enumerating user accounts include:

- PsExec
  PsExec is a lightweight telnet replacement that can execute processes on other systems, complete with full interactivity for console applications, without having to manually install client software. PsExec's most powerful uses include launching interactive command prompts on remote systems and remote-enabling tools like IpConfig that otherwise do not have the ability to show information about remote systems.
  Syntax:
    psexec [\\computer[,computer2[,...] | @file]][-u user [-p psswd][-n s][-r servicename][-h][-l][-s|-e][-x][-i [session]][-c [-f|-v]][-w directory][-d][-<priority>][-a n,n,...] cmd [arguments]

- PsFile
  PsFile is a command-line utility that shows a list of files on a system that are opened remotely, and it can close opened files either by name or by a file identifier. The default behavior of PsFile is to list the files on the local system opened by remote systems. Typing a command followed by "-?" displays information on the syntax for the command.
  Syntax:
    psfile [\\RemoteComputer [-u Username [-p Password]]] [[Id | path] [-c]]

- PsGetSid
  PsGetSid translates SIDs to their display name and vice versa. It works on built-in accounts, domain accounts, and local accounts. It also displays the SIDs of user accounts and translates a SID into the name that represents it. It works across the network to query SIDs remotely.
  Syntax:
    psgetsid [\\computer[,computer[,...] | @file] [-u username [-p password]]] [account|SID]

- PsKill
  PsKill is a kill utility that can kill processes on remote systems and terminate processes on the local computer. Running PsKill with a process ID directs it to kill the process of that ID on the local computer. If a process name is specified, PsKill will kill all processes that have that name. One need not install a client on the target computer to use PsKill to terminate a remote process.
  Syntax:
    pskill [-] [-t] [\\computer [-u username] [-p password]] <process name | process id>

- PsInfo
  PsInfo is a command-line tool that gathers key information about local or remote legacy Windows NT/2000 systems, including the type of installation, kernel build, registered organization and owner, number of processors and their type, amount of physical memory, the install date of the system, and, if it is a trial version, the expiration date. By default, PsInfo shows information for the local system. Specify a remote computer name to obtain information from the remote system.
  Syntax:
    psinfo [[\\computer[,computer[,...] | @file [-u username [-p password]]] [-h] [-s] [-d] [-c [-t delimiter]] [filter]

- PsList
  PsList is a command-line tool that displays information about process CPU and memory usage or thread statistics. Tools in the Resource Kits, pstat and pmon, show different types of data but display only the information regarding the processes on the system on which the tools are run.

- PsLoggedOn
  PsLoggedOn is an applet that displays both the locally logged on users and users logged on via resources for either the local computer or a remote one. If a user name is specified instead of a computer, PsLoggedOn searches the computers in the network neighborhood and reveals if the user is currently logged on. PsLoggedOn's definition of a locally logged on user is one that has a profile loaded into the Registry, so PsLoggedOn determines who is logged on by scanning the keys under the HKEY_USERS key. For each key that has a name or user SID (security identifier), PsLoggedOn looks up the corresponding user name and displays it. To determine who logged onto a computer via resource shares, PsLoggedOn uses the NetSessionEnum API.
  Syntax:
    psloggedon [-] [-l] [-x] [\\computername | username]

- PsLogList
  The elogdump utility dumps the contents of an Event Log on a local or remote computer. PsLogList is a clone of elogdump except that PsLogList can log into remote systems in situations where the user's security credentials would not permit access to the Event Log, and PsLogList retrieves message strings from the computer on which the event log resides. The default behavior of PsLogList is to display the contents of the System Event Log on the local computer, with visually friendly formatting of Event Log records.
  Syntax:
    psloglist [-] [\\computer[,computer[,...] | @file [-u username [-p password]]] [-s [-t delimiter]] [-m #|-n #|-h #|-d #|-w][-c][-x][-r][-a mm/dd/yy][-b mm/dd/yy][-f filter] [-i ID[,ID[,...]] | -e ID[,ID[,...]]] [-o event source[,event source][,..]] [-q event source[,event source][,..]] [-l event log file]

- PsPasswd
  PsPasswd can change an account password on local or remote systems, enabling administrators to create batch files that run PsPasswd against the computers they manage in order to perform a mass change of the administrator password. PsPasswd uses Windows password reset APIs, so it does not send passwords over the network in the clear.
  Syntax:
    pspasswd [[\\computer[,computer[,..] | @file [-u user [-p psswd]]] Username [NewPassword]

- PsShutdown
  PsShutdown can shut down or reboot a local or remote computer. It requires no manual installation of client software.
  Syntax:
    psshutdown [[\\computer[,computer[,..] | @file [-u user [-p psswd]]] -s|-r|-h|-d|-k|-a|-l|-o [-f] [-c] [-t nn|h:m] [-n s] [-v nn] [-e [u|p]:xx:yy] [-m "message"]

Enumerating Shared Resources Using Net View

Net View is a command-line utility that displays a list of computer or network resources. It displays a list of computers in the specified workgroup or shared resources available on the specified computer.
Usage:
  net view \\<computername>
where <computername> is the name of a specific computer whose resources you want to view, or
  net view /workgroup:<workgroupname>

NTP Enumeration

  ntpq> version
  ntpq 4.2.8p10@1.3728-o
  ntpq> host
  current host is localhost

NTP Enumeration Tools

NTP enumeration tools are used to monitor the working of NTP and SNTP servers present in the network and also help in the configuration and verification of connectivity from the time client to the NTP servers.

- PRTG Network Monitor
  Source: https://www.paessler.com
  PRTG monitors all systems, devices, traffic and applications of the IT infrastructure using various technologies such as SNMP, WMI, SSH, etc. PRTG Network Monitor includes SNTP Sensor monitors, a Simple Network Time Protocol (SNTP) server sensor that shows the response time of the server and the time difference in comparison to the local system time.

Some of the NTP enumeration tools include:
- Nmap (https://nmap.org)
- Wireshark (https://www.wireshark.org)
- udp-proto-scanner (https://labs.portcullis.co.uk)
- NTP Time Server Monitor (https://www.meinbergglobal.com)

SMTP and DNS Enumeration

This section describes enumeration techniques to extract information related to network resources. It also covers DNS enumeration techniques that obtain information about DNS servers and the network infrastructure of the organization. The section discusses both SMTP and DNS enumeration techniques. This section will familiarize you with SMTP enumeration, how to get a list of valid users on the SMTP server, SMTP enumeration tools, DNS zone transfer enumeration, etc.

SMTP Enumeration

Mail systems commonly use SMTP with POP3 and IMAP, which enables users to save the messages in the server mailbox and download them occasionally from the server.
SMTP uses Mail Exchange (MX) servers to direct the mail via DNS. It runs on TCP port 25. SMTP provides three built-in commands:

- VRFY: Validates users
    $ telnet 192.168.168.1 25
    Trying 192.168.168.1...
    Connected to 192.168.168.1.
    Escape character is '^]'.
    HELO
    501 HELO requires domain address
    250 NYmailserver Hello [10.0.0.86], pleased to meet you
    VRFY Jonathan
    250 Super-User
    VRFY Smith
    550 Smith... User unknown

- EXPN: Tells the actual delivery addresses of aliases and mailing lists
    $ telnet 192.168.168.1 25
    Trying 192.168.168.1...
    Connected to 192.168.168.1.
    Escape character is '^]'.
    HELO
    501 HELO requires domain address
    250 NYmailserver Hello [10.0.0.86], pleased to meet you
    EXPN Jonathan
    250 Super-User
    EXPN Smith
    550 Smith... User unknown

- RCPT TO: Defines the recipients of the message
    $ telnet 192.168.168.1 25
    Trying 192.168.168.1...
    Connected to 192.168.168.1.
    Escape character is '^]'.
    220 NYmailserver ESMTP Sendmail 8.9.3
    HELO
    501 HELO requires domain address
    250 NYmailserver Hello [10.0.0.86], pleased to meet you
    MAIL FROM:Jonathan
    250 Jonathan... Sender ok
    RCPT TO:Ryder
    250 Ryder... Recipient ok
    RCPT TO:Smith
    550 Smith... User unknown

SMTP servers respond differently to VRFY, EXPN, and RCPT TO commands for valid and invalid users, from which we can determine valid users on the SMTP server. Attackers can directly interact with SMTP via the telnet prompt and collect a list of valid users on the SMTP server. Administrators and pen testers can perform SMTP enumeration using command-line utilities such as telnet, netcat, etc. or by using tools such as Metasploit, Nmap, NetScanTools Pro, smtp-user-enum, etc. to collect a list of valid users, delivery addresses, recipients of the message, etc.

SMTP Enumeration Tools

SMTP enumeration tools are used to perform username enumeration. Attackers can use the usernames obtained from this enumeration to launch further attacks on other systems in the network.

- NetScanTools Pro
  Source: https://www.netscantools.com
  NetScanTools Pro's SMTP Email Generator tool tests the process of sending an email message through an SMTP server. It can extract all the common email header parameters including confirm and urgent flags. NetScanTools Pro supports SMTP Authentication, either basic or using STARTTLS with username and password for servers requiring it. This tool includes the ability to send email attachments. It can save the email session to a log file and then display the log file showing the communications between NetScanTools Pro and the SMTP server. NetScanTools Pro's Email Relay Testing Tool performs relay testing by communicating with an SMTP server. The report includes a log of the communications between NetScanTools Pro and the target SMTP server. The relay test report displays as either text or as HTML in a browser.

- smtp-user-enum
  Source: http://pentestmonkey.net
  smtp-user-enum is a tool for enumerating OS-level user accounts on Solaris via the SMTP service (sendmail). Enumeration is performed by inspecting the responses to VRFY, EXPN, and RCPT TO commands. smtp-user-enum simply needs to be passed a list of users and at least one target running an SMTP service.
  Usage:
    smtp-user-enum.pl [options] (-u username|-U file-of-usernames) (-t host|-T file-of-targets)
  Options are:
    -m n      Maximum number of processes (default: 5)
    -M mode   Method to use for username guessing: EXPN, VRFY or RCPT (default: VRFY)
    -u user   Check if user exists on remote system
    -f addr   From email address to use for "RCPT TO" guessing (default: user@example.com)
    -D dom    Domain to append to supplied user list to make email addresses (default: none)
    -U file   File of usernames to check via smtp service
    -t host   Server host running smtp service
    -T file   File of hostnames running the smtp service
    -p port   TCP port on which smtp service runs (default: 25)
    -d        Debugging output
    -t n      Wait for a maximum of n seconds for reply (default: 5)
    -v        Verbose
    -h        This help message

Some of the SMTP enumeration tools include:
- Telnet (https://technet.microsoft.com)
- Vanquish (https://github.com)
- MX Toolbox (https://mxtoolbox.com)

DNS Enumeration Using Zone Transfer

DNS zone transfer is the process of transferring a copy of the DNS zone file from the primary DNS server to a secondary DNS server. The attacker performs DNS zone transfer enumeration to locate the DNS server and records of the target organization. Through this process, an attacker gathers valuable network information such as DNS server names, hostnames, machine names, user names, IP addresses, etc. of the potential targets. In a DNS zone transfer enumeration, an attacker tries to retrieve a copy of the entire zone file for a domain from the DNS server. To perform DNS zone transfer enumeration, the attacker can use tools such as nslookup, DNSstuff, etc.

To perform a DNS zone transfer, the attacker sends a zone transfer request to the DNS server pretending to be a client; the DNS server then sends a portion of its database as a zone to the requester. This zone may contain a lot of information about the DNS zone network.
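The zone transfer technique above (and in the enumeration techniques section earlier) only works when the name server accepts AXFR from anyone. The BIND configuration fragment below is an added example, not from the module: the weak zone statement beside the corrected one, which restricts transfers to the secondary's address (192.0.2.53 is a placeholder).

```conf
// Weak: any client may request the whole zone with AXFR
zone "example.com" {
    type master;
    file "db.example.com";
    allow-transfer { any; };
};

// Corrected: only the secondary name server may pull the zone,
// and it is notified of changes so it does not need to poll
zone "example.com" {
    type master;
    file "db.example.com";
    allow-transfer { 192.0.2.53; };   // secondary's address (placeholder)
    also-notify { 192.0.2.53; };
};
```

After the change, "nslookup" with "ls -d example.com" (or "dig AXFR example.com") from any other host should be refused, which is the check to run after reconfiguring.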
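Detection logic for the SMTP enumeration described above, as an added example that is not part of the module text: the section shows a server answering 250 to a valid name and 550 "User unknown" to an invalid one, so a client enumerating users produces a burst of VRFY/EXPN commands or a run of rejected RCPT TO commands from one source. The log format, client addresses and thresholds here are constructed assumptions, not the format of any particular mail server.

```python
"""Flag SMTP clients that probe for valid users with VRFY, EXPN or RCPT TO.

Added example, not part of the CEH module text. Each constructed log line is
"<ISO timestamp> <client-ip> <command> <reply-code>"; a real deployment would
map its own mail-server log format onto parse_line().
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one ordinary sender and one client walking a name list.
SAMPLE_LOG = """\
2024-05-01T10:00:01 198.51.100.7 HELO 250
2024-05-01T10:00:02 198.51.100.7 MAIL 250
2024-05-01T10:00:03 198.51.100.7 RCPT 250
2024-05-01T10:00:10 203.0.113.9 HELO 250
2024-05-01T10:00:11 203.0.113.9 VRFY 550
2024-05-01T10:00:11 203.0.113.9 VRFY 550
2024-05-01T10:00:12 203.0.113.9 VRFY 250
2024-05-01T10:00:12 203.0.113.9 EXPN 550
2024-05-01T10:00:13 203.0.113.9 RCPT 550
2024-05-01T10:00:13 203.0.113.9 RCPT 550
2024-05-01T10:00:14 203.0.113.9 RCPT 550
2024-05-01T10:00:14 203.0.113.9 RCPT 550
"""

# The two commands the section above shows answering 250/550 per user.
PROBE_COMMANDS = {"VRFY", "EXPN"}


def parse_line(line):
    """Split one constructed log line into (timestamp, client_ip, command, code)."""
    ts, ip, cmd, code = line.split()
    return datetime.fromisoformat(ts), ip, cmd.upper(), int(code)


def find_enumeration(log_text, window=timedelta(minutes=1),
                     probe_threshold=3, reject_threshold=3):
    """Return {client_ip: reason} for clients whose activity looks like enumeration.

    A client is flagged when, inside any sliding window of length `window`, it
    issues at least `probe_threshold` VRFY/EXPN commands (any reply code: a
    valid name answers 250, so counting only 550s would miss the hits) or
    collects at least `reject_threshold` 550 replies to RCPT TO.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, cmd, code = parse_line(line)
            events[ip].append((ts, cmd, code))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        for i, (start, _, _) in enumerate(evs):
            in_win = [e for e in evs[i:] if e[0] - start <= window]
            probes = sum(1 for _, cmd, _ in in_win if cmd in PROBE_COMMANDS)
            rejects = sum(1 for _, cmd, code in in_win
                          if cmd == "RCPT" and code == 550)
            if probes >= probe_threshold:
                flagged[ip] = f"{probes} VRFY/EXPN commands within {window}"
                break
            if rejects >= reject_threshold:
                flagged[ip] = f"{rejects} rejected RCPT TO within {window}"
                break
    return flagged


if __name__ == "__main__":
    for ip, reason in find_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {reason}")
```

Alongside detection, the server-side countermeasure is to disable the VRFY and EXPN commands where the mail system does not need them (Postfix, for example, has the disable_vrfy_command setting), which leaves RCPT TO as the only channel and makes the rejection count the signal to watch.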
Other Enumeration Techniques

This section will familiarize you with IPsec, VoIP, RPC, and Unix/Linux user enumeration.

IPsec Enumeration

IPsec is the most commonly implemented technology for both gateway-to-gateway (LAN-to-LAN) and host-to-gateway (remote access) enterprise VPN solutions. IPsec provides data security by employing various components like ESP (Encapsulating Security Payload), AH (Authentication Header), and IKE (Internet Key Exchange) to secure communication between VPN end-points. Most IPsec-based VPNs use ISAKMP (Internet Security Association and Key Management Protocol), a part of IKE, to establish, negotiate, modify and delete Security Associations (SA) and cryptographic keys in a VPN environment.

An attacker can perform simple direct scanning for ISAKMP at UDP port 500 with tools like Nmap, etc. to acquire information related to the presence of a VPN gateway. You can enter the following command to perform an Nmap scan for checking the status of isakmp over port 500:

# nmap -sU -p 500 <target>

Attackers can probe further using fingerprinting tools such as ike-scan to enumerate sensitive information including encryption and hashing algorithm, authentication type, key distribution algorithm, SA LifeDuration, etc. In this type of scan, specially crafted IKE packets with an ISAKMP header are sent to the target gateway and the responses are recorded.

An initial IPsec VPN discovery with the ike-scan tool is discussed below:

# ike-scan -M <target>

• ike-scan

Source: https://github.com

ike-scan discovers IKE hosts and can also fingerprint them using the retransmission backoff pattern.
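What ike-scan sends and records are ISAKMP datagrams, and the fixed 28-byte ISAKMP header (RFC 2408) is enough to tell a defender which exchange type a gateway is answering on UDP/500. The decoder below is an added example written for this module; it is not ike-scan's code and not part of the original text. The sample datagram is constructed by hand with arbitrary cookie values; the exchange-type and flag numbers are the RFC 2408 assignments. Run it over packets captured in front of your own gateway to confirm, for instance, that it only completes Identity Protection (Main Mode) exchanges and never answers Aggressive Mode, which is the mode the pre-shared-key attack in the next list depends on.

```python
"""Decode the fixed ISAKMP header (RFC 2408, 28 bytes) of a UDP/500 datagram.

Added example, not part of the module and not ike-scan's code. The sample
datagram below is constructed; the cookies are arbitrary test values.
"""
import struct

# Initiator cookie (8), responder cookie (8), next payload, version,
# exchange type, flags, message ID (4), total length (4); network byte order.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")

EXCHANGE_TYPES = {0: "NONE", 1: "Base", 2: "Identity Protection (Main Mode)",
                  3: "Authentication Only", 4: "Aggressive", 5: "Informational"}
PAYLOAD_TYPES = {0: "NONE", 1: "SA", 4: "KE", 5: "ID", 8: "HASH",
                 10: "NONCE", 11: "N", 13: "VID"}


def parse_isakmp_header(datagram):
    """Return a dict describing the header; raise ValueError if it is not one."""
    if len(datagram) < ISAKMP_HDR.size:
        raise ValueError("datagram shorter than an ISAKMP header")
    (icookie, rcookie, next_payload, version, exch, flags,
     msg_id, length) = ISAKMP_HDR.unpack_from(datagram)
    if length != len(datagram):
        raise ValueError(f"length field {length} != datagram size {len(datagram)}")
    return {
        "initiator_cookie": icookie.hex(),
        "responder_cookie": rcookie.hex(),
        # A non-zero responder cookie means a gateway has replied.
        "responder_set": rcookie != b"\x00" * 8,
        "next_payload": PAYLOAD_TYPES.get(next_payload, f"type {next_payload}"),
        "version": f"{version >> 4}.{version & 0x0F}",
        "exchange_type": EXCHANGE_TYPES.get(exch, f"type {exch}"),
        "encrypted": bool(flags & 0x01),   # E bit
        "commit": bool(flags & 0x02),      # C bit
        "auth_only": bool(flags & 0x04),   # A bit
        "message_id": msg_id,
        "length": length,
    }


def looks_like_isakmp(datagram):
    """True if the datagram parses as an ISAKMP header with a sane length field."""
    try:
        parse_isakmp_header(datagram)
        return True
    except ValueError:
        return False


def build_header(icookie, rcookie, next_payload, exch, flags=0, body=b""):
    """Build a datagram with a correct length field (used to construct samples)."""
    length = ISAKMP_HDR.size + len(body)
    return ISAKMP_HDR.pack(icookie, rcookie, next_payload, 0x10, exch,
                           flags, 0, length) + body


# Constructed sample: a responder's reply in Aggressive Mode, SA payload next,
# followed by 40 placeholder payload bytes.
SAMPLE_RESPONSE = build_header(b"\x01\x02\x03\x04\x05\x06\x07\x08",
                               b"\xaa\xbb\xcc\xdd\xee\xff\x00\x11",
                               1, 4, body=b"\x00" * 40)

if __name__ == "__main__":
    for key, value in parse_isakmp_header(SAMPLE_RESPONSE).items():
        print(f"{key:18} {value}")
```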
ike-scan can perform the following functions:

o Discovery: Determine which hosts in a given IP range are running IKE. This is done by displaying those hosts which respond to the IKE requests sent by ike-scan.
o Fingerprinting: Determine which IKE implementation the hosts are using, and in some cases determine the version of software that they are running. This is done in two ways: firstly by UDP backoff fingerprinting, which involves recording the times of the IKE response packets from the target hosts and comparing the observed retransmission backoff pattern against known patterns; and secondly by Vendor ID fingerprinting, which compares Vendor ID payloads from the VPN servers against known vendor ID patterns.
o Transform Enumeration: Find which transform attributes are supported by the VPN server for IKE Phase-1 (e.g., encryption algorithm, hash algorithm, etc.)
o User Enumeration: For some VPN systems, discover valid VPN usernames.
o Pre-Shared Key Cracking: Perform offline dictionary or brute-force password cracking for IKE Aggressive Mode with Pre-Shared Key authentication. This uses ike-scan to obtain the hash and other parameters, and psk-crack (which is part of the ike-scan package) to perform the cracking.

VoIP Enumeration

VoIP is the advanced technique that has replaced traditional PSTN in both corporate and home environments. VoIP uses the internet infrastructure to establish connections for voice; data also travels on the same network. However, VoIP is vulnerable to TCP/IP attack vectors. SIP (Session Initiation Protocol) is one of the protocols used by VoIP in performing voice calls, video calls, etc. over an IP network. This SIP service generally uses UDP/TCP ports 2000, 2001, 5050, 5061.
Attackers use Svmap and Metasploit tools to perform VoIP enumeration. VoIP enumeration provides the attacker with sensitive information such as VoIP gateways/servers, IP-PBX systems, client software (softphones)/VoIP phones, User-agent IP addresses and user extensions, etc. This information can be used to launch various VoIP attacks such as Denial-of-Service (DoS), Session Hijacking, Caller ID spoofing, Eavesdropping, Spamming over Internet Telephony (SPIT), VoIP phishing (Vishing), etc.

• Svmap

Source: https://github.com

Svmap is a free and open source scanner to identify SIP devices and PBX servers on a target network. It can also be helpful for systems administrators when used as a network inventory tool. Svmap was designed to be faster than the competition by specifically targeting SIP over UDP. Svmap can:

o Identify SIP devices and PBX servers on default and non-default ports
o Scan large ranges of networks
o Scan just one host on different ports, looking for a SIP service on that host, or just multiple hosts on multiple ports
o Take previous scan results as input, allowing you to only scan known hosts running SIP
o Use different scanning methods (make use of REGISTER instead of OPTIONS request)
o Get all the phones on a network to ring at the same time (using INVITE as method)
o Randomly scan internet ranges
o Resume previous scans

RPC Enumeration

RPC (Remote Procedure Call) is a technology used for creating distributed client/server programs. RPC allows clients and servers to communicate in distributed client/server programs.
It is an inter-process communication mechanism, which enables data exchange between different processes. In general, RPC consists of components like client, server, endpoint, endpoint mapper, client stub and server stub along with various dependencies. The portmapper service listens on TCP and UDP port 111 in order to detect the endpoints and present clients with details of listening RPC services. Enumerating RPC endpoints enables attackers to identify any vulnerable services on these service ports. In networks protected by firewalls and other security establishments, this portmapper is often filtered. Therefore, attackers scan high port ranges to identify RPC services that are open to direct attack.

You can use the following Nmap scan commands to identify the RPC services running on the network:

# nmap -sR <target>
# nmap -T4 -A <target>

Additionally, you can also use tools like NetScanTools Pro to capture the RPC information of the target network.

Unix/Linux User Enumeration

One of the important steps in conducting an enumeration is to perform Unix/Linux user enumeration. Unix/Linux user enumeration provides a list of users along with details like user name, host name, start date and time of each session, etc. You can use the following command line utilities to perform Unix/Linux user enumeration:

rusers

rusers displays a list of users who are logged on to remote machines or machines on the local network. It displays output similar to who, but for the hosts/systems on the local network.

Syntax: /usr/bin/rusers [-a] [-l] [-u] [-h] [-i] [Host ...]

Where,

o -a: Gives a report for a machine even if no users are logged in
o -h: Sorts alphabetically by host name
o -l: Gives a longer listing similar to the who command
o -u: Sorts by number of users
o -i: Sorts by idle time

rwho

rwho displays a list of users who are logged in to hosts on the local network.
It produces output similar to the who command, which contains information about user name, host name, and start date and time of each session for all machines on the local network running the rwho daemon.

Syntax: rwho [-a]

Where,

o -a: Includes all users. Without this flag, users whose sessions are idle an hour or more are not included in the report.

finger

finger displays information about system users such as the user's login name, real name, terminal name, idle time, login time, office location and office phone number.

Syntax: finger [-l] [-m] [-p] [-s] [user ...] [user@host ...]

Where,

o -s: Displays the user's login name, real name, terminal name, idle time, login time, office location and office phone number.
o -l: Produces a multi-line format displaying all of the information described for the -s option as well as the user's home directory, home phone number, login shell, mail status, and the contents of the files ".plan", ".project", ".pgpkey" and ".forward" from the user's home directory.
o -p: Prevents the -l option of finger from displaying the contents of the ".plan", ".project" and ".pgpkey" files.
o -m: Prevents matching of user names.

Enumeration Countermeasures

So far, we have described enumeration techniques and tools used to extract valuable information from the target. Now let us discuss countermeasures that can prevent attackers from enumerating sensitive information from the network or host. This section focuses on how to avoid information leakage through SNMP, DNS, SMTP, LDAP, and SMB enumeration.

The following countermeasures can prevent information leakage through SNMP, DNS, SMTP, LDAP, and SMB enumeration.
SNMP Enumeration Countermeasures

• Remove the SNMP agent or turn off the SNMP service
• If shutting off SNMP is not an option, then change the default community string names
• Upgrade to SNMPv3, which encrypts passwords and messages
• Implement the Group Policy security option called "Additional restrictions for anonymous connections"
• Ensure that access to null session pipes, null session shares, and IPsec filtering is restricted
• Block access to TCP/UDP port 161
• Do not install the management and monitoring Windows component unless it is required
• Encrypt or authenticate using IPsec

DNS Enumeration Countermeasures

• Disable DNS zone transfers to untrusted hosts
• Make sure that private hosts and their IP addresses are not published in the DNS zone files of the public DNS server
• Use premium DNS registration services that hide sensitive information such as host information (HINFO) from the public
• Use standard network admin contacts for DNS registrations in order to avoid social engineering attacks
• Prune DNS zone files to prevent revealing unnecessary information

SMTP Enumeration Countermeasures

Configure SMTP servers to:

• Ignore email messages to unknown recipients
• Not include sensitive mail server and local host information in mail responses
• Disable the open relay feature
• Limit the number of accepted connections from a source in order to prevent brute force attacks
• Disable the EXPN, VRFY, and RCPT TO commands, or restrict them to authenticated users
• Ignore emails to unknown recipients by configuring SMTP servers

LDAP Enumeration Countermeasures

• By default, LDAP traffic is transmitted unsecured; use SSL or STARTTLS technology to encrypt the traffic
• Select a user name different from your email address and enable account lockout
• Restrict access to Active Directory by using software such as Citrix

SMB Enumeration Countermeasures

Common sharing services or other unused services may prove to be doorways for attackers to break into a network's security. Server Message Block (SMB) is a protocol that provides shared access to files, serial ports, printers, and communications between nodes on a network. If this service is running on a network, then there is a high risk of enumeration via SMB. Since web and DNS servers do not require this protocol, it is advisable to disable it on them. The SMB protocol can be disabled by uninstalling the Client for Microsoft Networks and File and Printer Sharing for Microsoft Networks properties of Network and Dial-up Connections. On servers that are accessible from the internet, also known as bastion hosts, SMB can be disabled by uninstalling the same two properties of the TCP/IP properties dialog box.
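Even with VRFY and EXPN disabled, RCPT TO guessing of the kind smtp-user-enum performs still leaves a trail: one client producing "User unknown" rejections for many different local parts in a short window. The script below is an added example (not part of the module) that runs that check over mail server log lines. The lines are constructed, loosely in Postfix smtpd style, with fictional hosts and RFC 5737 addresses; the window size and threshold are assumptions to tune to your own traffic.

```python
"""Flag SMTP user-enumeration attempts in mail server logs.

Added example, not part of the module. The log lines are constructed,
loosely in Postfix smtpd style; hosts and addresses are fictional.
Idea: a legitimate sender who mistypes one address causes one 'User
unknown' rejection; an enumeration run (VRFY/EXPN probing or RCPT TO
guessing, as smtp-user-enum does) causes many rejections for many
different recipients from one client within a short window.
"""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
Jan 12 10:00:01 mx1 postfix/smtpd[1201]: connect from unknown[203.0.113.7]
Jan 12 10:00:02 mx1 postfix/smtpd[1201]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <admin@example.com>: Recipient address rejected: User unknown in local recipient table; from=<user@example.com> to=<admin@example.com> proto=SMTP helo=<probe>
Jan 12 10:00:02 mx1 postfix/smtpd[1201]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <root@example.com>: Recipient address rejected: User unknown in local recipient table; from=<user@example.com> to=<root@example.com> proto=SMTP helo=<probe>
Jan 12 10:00:03 mx1 postfix/smtpd[1201]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <test@example.com>: Recipient address rejected: User unknown in local recipient table; from=<user@example.com> to=<test@example.com> proto=SMTP helo=<probe>
Jan 12 10:00:03 mx1 postfix/smtpd[1201]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <guest@example.com>: Recipient address rejected: User unknown in local recipient table; from=<user@example.com> to=<guest@example.com> proto=SMTP helo=<probe>
Jan 12 10:00:04 mx1 postfix/smtpd[1201]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <backup@example.com>: Recipient address rejected: User unknown in local recipient table; from=<user@example.com> to=<backup@example.com> proto=SMTP helo=<probe>
Jan 12 10:00:05 mx1 postfix/smtpd[1201]: NOQUEUE: reject: VRFY from unknown[203.0.113.7]: 502 5.5.1 VRFY command is disabled
Jan 12 10:15:30 mx1 postfix/smtpd[1340]: connect from mail.partner.example[198.51.100.9]
Jan 12 10:15:31 mx1 postfix/smtpd[1340]: NOQUEUE: reject: RCPT from mail.partner.example[198.51.100.9]: 550 5.1.1 <alcie@example.com>: Recipient address rejected: User unknown in local recipient table; from=<bob@partner.example> to=<alcie@example.com> proto=ESMTP helo=<mail.partner.example>
Jan 12 10:15:40 mx1 postfix/smtpd[1340]: A1B2C3D4E5: client=mail.partner.example[198.51.100.9]
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ \S+: (.*)$")
CLIENT_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
REJECT_RE = re.compile(r"550 5\.1\.1 <([^>]+)>")
PROBE_CMD_RE = re.compile(r"\b(VRFY|EXPN)\b")


def parse_line(line, year=2024):
    """Split one syslog-style line into timestamp, client IP and signals."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    msg = m.group(2)
    client = CLIENT_RE.search(msg)
    reject = REJECT_RE.search(msg)
    probe = PROBE_CMD_RE.search(msg)
    return {"ts": ts,
            "client": client.group(1) if client else None,
            "rejected": reject.group(1) if reject else None,
            "probe_cmd": probe.group(1) if probe else None}


def detect_enumeration(log_text, window_seconds=300, min_distinct=4):
    """Return {client_ip: summary} for clients that behave like enumerators.

    A client is flagged when, inside any window_seconds span, it triggers
    'User unknown' rejections for at least min_distinct different recipients,
    or when it issues VRFY/EXPN at all (legitimate MTAs do not).
    """
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["client"] and (ev["rejected"] or ev["probe_cmd"]):
            by_client[ev["client"]].append(ev)
    alerts = {}
    for client, events in by_client.items():
        events.sort(key=lambda e: e["ts"])
        probes = sum(1 for e in events if e["probe_cmd"])
        rejects = [e for e in events if e["rejected"]]
        worst = 0  # largest number of distinct unknown recipients in one window
        for i, start in enumerate(rejects):
            in_window = {e["rejected"] for e in rejects[i:]
                         if (e["ts"] - start["ts"]).total_seconds() <= window_seconds}
            worst = max(worst, len(in_window))
        if worst >= min_distinct or probes:
            alerts[client] = {"distinct_unknown_recipients": worst,
                              "vrfy_expn_commands": probes,
                              "first_seen": events[0]["ts"].isoformat()}
    return alerts


if __name__ == "__main__":
    for client, summary in detect_enumeration(SAMPLE_LOG).items():
        print(client, summary)
```

The partner MTA at 198.51.100.9 makes one typo and is left alone; the client at 203.0.113.7 is reported for five distinct unknown recipients in three seconds plus a VRFY attempt. Feeding the flagged addresses into the connection limit the countermeasures above recommend is the natural follow-up.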
One other way of disabling the SMB protocol on bastion hosts, without explicitly disabling it, is by blocking the ports used by the SMB service. These are TCP ports 139 and 445.

Since disabling SMB services is not always a feasible option, there are other countermeasures that can be taken against SMB enumeration. The Windows registry can be configured to limit anonymous access from the internet to just a specified set of files. These files and folders are specified in the "Network access: Named pipes that can be accessed anonymously" and "Network access: Shares that can be accessed anonymously" settings. This configuration involves adding the RestrictNullSessAccess parameter to the registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters

The RestrictNullSessAccess parameter takes binary values, with 1 denoting enabled and 0 denoting disabled. Setting this parameter to 1 (enabled) restricts the access of anonymous users to just the files specified in the Network access settings.

Enumeration Pen Testing

This section describes the importance of enumeration pen testing, the framework of pen testing steps, and the tools used to conduct pen testing.
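Checking that setting across a fleet is easier from the text that reg.exe prints than from the GUI. The following Python script is an added example (not from the module) that parses the output of `reg query` for the LanmanServer\Parameters key named above and grades the anonymous-access settings; the two outputs below are constructed, one weak and one hardened. The value names RestrictNullSessAccess, NullSessionPipes and NullSessionShares are the ones behind the two "Network access" policies quoted above; the assumption that reg.exe separates REG_MULTI_SZ entries with a literal \0 is noted in the code.

```python
"""Grade LanmanServer anonymous-access settings from `reg query` output.

Added example, not from the module. It works on the text that
`reg query HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters`
prints, so it can run offline on output collected from many hosts. Both
samples below are constructed. Assumption: reg.exe prints REG_MULTI_SZ
entries joined by a literal backslash-zero ("\0"), which is what is parsed.
"""
import re

# Constructed: the weak state, anonymous users allowed to reach pipes and shares.
WEAK_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
    RestrictNullSessAccess    REG_DWORD    0x0
    NullSessionPipes    REG_MULTI_SZ    netlogon\0samr\0lsarpc
    NullSessionShares    REG_MULTI_SZ    public\0comcfg
    AutoShareServer    REG_DWORD    0x1
"""

# Constructed: the hardened state described in the module text.
HARDENED_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
    RestrictNullSessAccess    REG_DWORD    0x1
    NullSessionPipes    REG_MULTI_SZ
    NullSessionShares    REG_MULTI_SZ
"""

VALUE_RE = re.compile(r"^\s{2,}(\S+)\s+(REG_\w+)\s*(.*)$")


def parse_reg_query(text):
    """Return {value_name: decoded_data} for the indented value lines."""
    values = {}
    for line in text.splitlines():
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, vtype, data = m.groups()
        data = data.strip()
        if vtype == "REG_DWORD":
            data = int(data, 16) if data.lower().startswith("0x") else int(data)
        elif vtype == "REG_MULTI_SZ":
            data = [s for s in data.split("\\0") if s]
        values[name] = data
    return values


def audit_null_session(values):
    """Return (severity, message) findings; an empty list means hardened."""
    findings = []
    restrict = values.get("RestrictNullSessAccess")
    if restrict == 0:
        findings.append(("high", "RestrictNullSessAccess=0: anonymous users are "
                                 "not confined to the listed pipes and shares"))
    elif restrict is None:
        findings.append(("info", "RestrictNullSessAccess not set; the Windows "
                                 "default applies, confirm it on this build"))
    for name, label in (("NullSessionPipes", "named pipes"),
                        ("NullSessionShares", "shares")):
        entries = values.get(name, [])
        if entries:
            findings.append(("medium", f"{name}: anonymous access allowed to "
                                       f"{label}: {', '.join(entries)}"))
    return findings


if __name__ == "__main__":
    for title, output in (("weak", WEAK_OUTPUT), ("hardened", HARDENED_OUTPUT)):
        print(title, audit_null_session(parse_reg_query(output)) or "no findings")
```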
Through enumeration, an attacker may gather sensitive information on organizations with weak security. That sensitive information can be used to hack and break into the organization's network, potentially resulting in huge loss in terms of information, service, or finance. To prevent these kinds of attacks, every organization must test its own security. Enumeration pen testing builds on the data collected in the reconnaissance phase. It is used to identify valid user accounts or poorly protected resource shares using active connections to systems and directed queries.

A pen tester should conduct pen tests against various enumeration techniques in order to check if the target network is revealing any sensitive information that may help an attacker in performing an attack. This may reveal sensitive information such as user accounts, IP addresses, email contacts, DNS, network resources and shares, application information, etc. The pen tester should try to discover as much information as possible regarding the target. This helps to determine the vulnerabilities/weaknesses in the target organization's security. A pen tester should perform all possible enumeration techniques to enumerate as much information as possible about the target. To ensure the full scope of the test, enumeration pen testing includes a series of steps to provide information.

Step 1: Find the network range

Find the network range using tools such as Whois Lookup. Finding the network range helps in enumerating important servers in the target network.

Step 2: Calculate the subnet mask

Calculate the subnet mask required for the IP range using tools such as Subnet Mask Calculator. The calculated subnet mask can serve as an input to many of the ping sweep and port scanning tools for further enumeration, which includes discovering hosts and open ports.
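Steps 1 and 2 are a small computation once the whois range is in hand, and doing it in code avoids the classic mistake of sweeping a /24 when the allocation is a ragged range. The script below is an added example (not from the module) that pulls inetnum/NetRange lines out of whois text, converts each range to the smallest set of CIDR blocks (the subnet masks Step 2 asks for), and produces the target list that a ping sweep would take as input. The whois excerpt is constructed with RFC 5737 documentation addresses.

```python
"""Whois range -> CIDR blocks and subnet masks -> ping-sweep target list.

Added example for Steps 1 and 2 of the enumeration pen test; not part of
the module. SAMPLE_WHOIS is constructed in the 'NetRange'/'inetnum' style
whois prints, using RFC 5737 documentation addresses.
"""
import ipaddress
import re

# Matches both ARIN-style "NetRange:" and RIPE-style "inetnum:" lines.
RANGE_RE = re.compile(r"^\s*(?:inetnum|NetRange):\s*(\S+)\s*-\s*(\S+)", re.I | re.M)

SAMPLE_WHOIS = """\
NetRange:       198.51.100.0 - 198.51.100.255
CIDR:           198.51.100.0/24
NetName:        EXAMPLE-NET-1
inetnum:        203.0.113.8 - 203.0.113.23
netname:        EXAMPLE-NET-2
"""


def ranges_from_whois(text):
    """Step 1: extract (first, last) IPv4 address pairs from whois output."""
    return [(ipaddress.ip_address(a), ipaddress.ip_address(b))
            for a, b in RANGE_RE.findall(text)]


def range_to_cidrs(first, last):
    """Step 2: smallest set of CIDR blocks exactly covering first..last."""
    return list(ipaddress.summarize_address_range(first, last))


def describe(cidr):
    """Dotted-decimal mask and usable host count for one block."""
    net = ipaddress.ip_network(cidr)
    if net.prefixlen >= 31:
        usable = net.num_addresses        # /31 point-to-point and /32 hosts
    else:
        usable = net.num_addresses - 2    # network and broadcast excluded
    return {"cidr": str(net), "netmask": str(net.netmask), "usable_hosts": usable}


def discovery_targets(whois_text):
    """CIDR strings to hand to a host-discovery sweep (Step 3's input)."""
    targets = []
    for first, last in ranges_from_whois(whois_text):
        targets.extend(str(n) for n in range_to_cidrs(first, last))
    return targets


if __name__ == "__main__":
    for target in discovery_targets(SAMPLE_WHOIS):
        print(describe(target))
```

Note that the second allocation (203.0.113.8 - 203.0.113.23) is 16 addresses but is not aligned to a /28 boundary, so it correctly becomes two /29 blocks rather than one /28; a hand-typed mask would have either missed hosts or swept addresses outside the authorized scope.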
Step 3: Undergo host discovery

Find the important servers connected to the Internet using tools such as Nmap. The Nmap syntax to find the servers connected to the Internet is as follows: nmap -sP <network range>. In place of the network range, enter the network range value obtained in the first step.

Step 4: Perform port scanning

Find any open ports and close them if they are not required. Open ports are doorways for an attacker to break into a target's security perimeter. Therefore, perform port scanning to check for open ports on the nodes. Pen testers and security auditors use tools such as Nmap to perform port scanning.

Step 5: Perform NetBIOS enumeration

Perform NetBIOS enumeration to identify the network devices over TCP/IP and to obtain a list of computers that belong to a domain, a list of shares on individual hosts, and policies and passwords. Tools such as Hyena, Nsauditor Network Security Auditor, and NetScanTools Pro can perform NetBIOS enumeration.

Step 6: Perform SNMP enumeration

Perform SNMP enumeration by querying the SNMP server in the network. The SNMP server may reveal information about user accounts and devices. Tools such as OpUtils Network Monitoring Toolset and Engineer's Toolset can perform SNMP enumeration.

Step 7: Perform LDAP enumeration

Perform LDAP enumeration by querying the LDAP service. Enumerating the LDAP service provides valid user names, departmental details, and address details. An attacker can use this information to perform social engineering and other kinds of attacks. Tools such as Softerra LDAP Administrator can perform LDAP enumeration.

Step 8: Perform NTP enumeration

Perform NTP enumeration to extract information such as the hosts connected to an NTP server, client IP addresses, OS running on client systems, etc. Commands such as ntptrace, ntpdc, and ntpq can obtain this information.

Step 9: Perform SMTP enumeration

Perform SMTP enumeration to determine valid users on the SMTP server.
Tools such as NetScanTools Pro can query the SMTP server for this information.

Step 10: Perform DNS enumeration

Perform DNS enumeration to locate all the DNS servers and their records. The DNS servers provide information such as system names, user names, IP addresses, etc. The Windows utility nslookup can extract this information.

Step 11: Perform IPsec, VoIP, VPN and Linux enumeration

Perform IPsec enumeration to extract information about encryption and hashing algorithm, authentication type, key distribution algorithm, SA LifeDuration, etc. Tools such as ike-scan and Nmap can extract this information. Perform VoIP enumeration to extract information about VoIP gateways/servers, IP-PBX systems, client software (softphones)/VoIP phones, User-agent IP addresses and user extensions, etc. Use tools such as Svmap and Metasploit to collect this information. Perform RPC enumeration to identify any vulnerable services on the RPC service ports. Use tools such as Nmap and NetScanTools Pro to extract this information. Perform Unix/Linux user enumeration to extract information about system users. Commands such as rusers, rwho, and finger can obtain this information.

Step 12: Document all the findings

The last step is to document all the findings obtained during the enumeration pen testing. Analyze the results and suggest countermeasures for the client to improve their security.

Module Summary

This module concludes with an overview discussion of fundamental enumeration concepts.
In the next module, we will see how attackers as well as ethical hackers and pen testers perform vulnerability analysis to identify security loopholes in the target organization's network, communication infrastructure, and end systems.
