CEH Lab Manual
Enumeration
Module 04

Enumeration

Enumeration is the process of extracting user names, machine names, network resources, shares, and services from a system. Enumeration is conducted in an intranet environment.

Lab Scenario

Penetration testing is much more than just running exploits against vulnerable systems like we learned in the previous module. In fact, a penetration test begins before penetration testers have even made contact with the victim systems. As an expert ethical hacker and penetration tester you must know how to enumerate target networks and extract lists of computers, user names, user groups, ports, operating systems, machine names, network resources, and services using various enumeration techniques.

Lab Objectives

The objective of this lab is to provide expert knowledge on network enumeration and other responsibilities that include:

- User name and user groups
- Lists of computers, their operating systems, and ports
- Machine names, network resources, and services
- Lists of shares on individual hosts on the network
- Policies and passwords

Lab Environment

To carry out the lab, you need:

- Windows Server 2012 as host machine
- Windows Server 2008, Windows 8 and Windows 7 as virtual machine
- A web browser with an Internet connection
- Administrative privileges to run tools

Lab Duration

Time: 60 Minutes

Overview of Enumeration

Enumeration is the process of extracting user names, machine names, network resources, shares, and services from a system. Enumeration techniques are conducted in an intranet environment.

CEH Lab Manual. Ethical Hacking and Countermeasures Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Lab Tasks

Recommended labs to assist you in Enumeration:

- Enumerating a Target Network Using Nmap Tool
- Enumerating NetBIOS Using the SuperScan Tool
- Enumerating NetBIOS Using the NetBIOS Enumerator Tool
- Enumerating a Network Using the SoftPerfect Network Scanner
- Enumerating a Network Using SolarWinds Toolset
- Enumerating the System Using Hyena

Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Enumerating a Target Network Using Nmap

Enumeration is the process of extracting user names, machine names, network resources, shares, and services from a system.

Lab Scenario

In fact, a penetration test begins before penetration testers have even made contact with the victim systems. During enumeration, information is systematically collected and individual systems are identified. The pen testers examine the systems in their entirety, which allows evaluating security weaknesses. In this lab, we discuss Nmap; it uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, and what type of packet filters/firewalls are in use; it was designed to rapidly scan large networks. By using the open ports, an attacker can easily attack the target machine. To overcome this type of attack, networks are filled with IP filters, firewalls, and other obstacles. As an expert ethical hacker and penetration tester, you need to enumerate a target network and extract a list of computers, user names, user groups, machine names, network resources, and services using various enumeration techniques.
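Added example (not part of the lab manual): the same scan output read from the defender's side. The Python below parses Nmap's grepable (-oG) output and lists the hosts that expose the ports this lab goes on to probe (135, 137-139, 445). The scan text is a constructed sample, with the first host's open ports taken from this lab's analysis table, and the function and class names are this example's own.

```python
from dataclasses import dataclass

# What each port in the lab's target set (135, 137-139, 445) carries.
WATCHED_PORTS = {
    135: "MS-RPC endpoint mapper",
    137: "NetBIOS name service",
    138: "NetBIOS datagram service",
    139: "NetBIOS session service",
    445: "SMB over TCP",
}

# Constructed sample in Nmap's grepable format (fields are tab-separated).
# Hosts 10.0.0.9 and 10.0.0.12 are made up for the example.
SAMPLE_GNMAP = (
    "# Nmap scan, constructed sample\n"
    "Host: 10.0.0.6 ()\tStatus: Up\n"
    "Host: 10.0.0.6 ()\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, "
    "445/open/tcp//microsoft-ds///, 554/open/tcp//rtsp///, 2869/open/tcp//icslap///, "
    "5357/open/tcp//wsdapi///, 10243/open/tcp//unknown///\tIgnored State: closed (993)\n"
    "Host: 10.0.0.9 ()\tStatus: Up\n"
    "Host: 10.0.0.9 ()\tPorts: 22/open/tcp//ssh///, 139/filtered/tcp//netbios-ssn///, "
    "445/closed/tcp//microsoft-ds///\n"
    "Host: 10.0.0.12 ()\tPorts: 137/open|filtered/udp//netbios-ns///\n"
)


@dataclass(frozen=True)
class PortState:
    port: int
    state: str
    proto: str
    service: str


def parse_gnmap(text):
    """Map each host address to the PortState entries Nmap reported for it."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment lines and blanks
        fields = line.split("\t")
        address = fields[0].split()[1]
        for fld in fields[1:]:
            if not fld.startswith("Ports:"):
                continue  # Status: and Ignored State: fields
            for entry in fld[len("Ports:"):].split(","):
                # Entry layout: port/state/protocol/owner/service/rpc/version/
                parts = entry.strip().split("/")
                if len(parts) < 5 or not parts[0].isdigit():
                    continue  # malformed entry: skip rather than guess
                hosts.setdefault(address, []).append(
                    PortState(int(parts[0]), parts[1], parts[2], parts[4]))
    return hosts


def netbios_exposure(text):
    """Return {address: [(port, proto, state, role), ...]} for watched ports that
    are open, or open|filtered (a UDP probe with no reply still needs review)."""
    report = {}
    for address, ports in parse_gnmap(text).items():
        hits = [(p.port, p.proto, p.state, WATCHED_PORTS[p.port])
                for p in ports
                if p.port in WATCHED_PORTS and p.state in ("open", "open|filtered")]
        if hits:
            report[address] = sorted(hits)
    return report


if __name__ == "__main__":
    for address, hits in netbios_exposure(SAMPLE_GNMAP).items():
        for port, proto, state, role in hits:
            print(f"{address}: {port}/{proto} {state} ({role})")
```

Hosts that appear in the report are the ones where host firewall rules or network filtering for these ports should be reviewed first.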
Lab Objectives

The objective of this lab is to help students understand and perform enumeration on target network using various techniques to obtain:

- User names and user groups
- Lists of computers, their operating systems, and the ports on them
- Machine names, network resources, and services
- Lists of shares on the individual hosts on the network
- Policies and passwords

Lab Environment

To perform the lab, you need:

- A computer running Windows Server 2008 as a virtual machine
- A computer running with Windows Server 2012 as a host machine
- Nmap is located at D:\CEH-Tools\CEHv8 Module 04 Enumeration\Additional Enumeration Pen Testing Tools\Nmap
- Administrative privileges to install and run tools

Note: Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 04 Enumeration.

Lab Duration

Time: 10 Minutes

Overview of Enumeration

Enumeration is the process of extracting user names, machine names, network resources, shares, and services from a system. Enumeration techniques are conducted in an intranet environment.

Lab Tasks

The basic idea in this section is to:

- Perform scans to find hosts with NetBIOS ports open (135, 137-139, 445)
- Do an nbtstat scan to find generic information (computer names, user names, MAC addresses) on the hosts
- Create a Null Session to these hosts to gain more information
- Install and Launch Nmap in a Windows Server 2012 machine

1. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.

FIGURE 1.1: Windows Server 2012 - Desktop view

2. Click the Nmap-Zenmap GUI app to open the Zenmap window.
FIGURE 1.2: Windows Server 2012 - Apps

3. Start your virtual machine running Windows Server 2008.
4. Now launch the nmap tool in the Windows Server 2012 host machine.
5. Perform nmap -O scan for the Windows Server 2008 virtual machine (10.0.0.6) network. This takes a few minutes.

Note: IP addresses may vary in your lab environment.

Note: Nmap.org is the official source for downloading Nmap source code and binaries for Nmap and Zenmap.

FIGURE 1.3: The Zenmap main window

6. Nmap performs a scan for the provided target IP address and outputs the results on the Nmap Output tab.
7. Your first target is the computer with a Windows operating system on which you can see ports 139 and 445 open. Remember this usually works only against Windows but may partially succeed if other OSes have these ports open. There may be more than one system that has NetBIOS open.
8. Now you see that ports 139 and 445 are open and port 139 is using NetBIOS.
9. Now launch the command prompt in Windows Server 2008 virtual machine and perform nbtstat on port 139 of the target machine.
10. Run the command nbtstat -A 10.0.0.7.

FIGURE 1.5: Command Prompt

11. We have not even created a null session (an unauthenticated session) yet, and we can still pull this info down.
12. Now create a null session.
13. In the command prompt, type net use \\X.X.X.X\IPC$ "" /u:"" (where X.X.X.X is the address of the host machine, and there are no spaces between the double quotes).

FIGURE 1.6: The command prompt with the net use command

14. Confirm it by issuing a generic net use command to see connected null sessions from your host.
15. To confirm, type net use, which should list your newly created null session.

FIGURE 1.7: The command prompt with the net use command

Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.

Tool/Utility: Nmap
Information Collected / Objectives Achieved:
  Target Machine: 10.0.0.6
  List of Open Ports: 135/tcp, 139/tcp, 445/tcp, 554/tcp, 2869/tcp, 5357/tcp, 10243/tcp

Tool/Utility: NetBIOS
Information Collected / Objectives Achieved:
  Remote machine IP address: 10,
  Output: Successful connection of Null session

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Evaluate what nbtstat -A shows us for each of the Windows hosts.
2. Determine the other options of nbtstat and what each option outputs.
3. Analyze the net use command used to establish a null session on the target machine.

Platform Supported: Classroom, iLabs

Enumerating NetBIOS Using the SuperScan Tool

SuperScan is a TCP port scanner, pinger, and resolver. The tool's features include extensive Windows host enumeration capability, TCP SYN scanning, and UDP scanning.

Lab Scenario

During enumeration, information is systematically collected and individual systems are identified.
The pen testers examine the systems in their entirety; this allows evaluating security weaknesses. In this lab we extract NetBIOS information, user and group accounts, network shares, trusted domains, and services, which are either running or stopped. SuperScan detects open TCP and UDP ports on a target machine and determines which services are running on those ports; by using this, an attacker can exploit the open port and hack your machine. As an expert ethical hacker and penetration tester, you need to enumerate target networks and extract lists of computers, user names, user groups, machine names, network resources, and services using various enumeration techniques.

Lab Objectives

The objective of this lab is to help students learn and perform NetBIOS enumeration. NetBIOS enumeration is carried out to obtain:

- List of computers that belong to a domain
- List of shares on the individual hosts on the network
- Policies and passwords

Lab Environment

To carry out the lab, you need:

- SuperScan tool is located at D:\CEH-Tools\CEHv8 Module 04 Enumeration\NetBIOS Enumeration Tools\SuperScan
- You can also download the latest version of SuperScan from this link http://www.mcafee.com/us/downloads/free-tools/superscan.aspx
- A computer running Windows Server 2012 as host machine
- Windows 8 running on a virtual machine as target machine
- Administrative privileges to install and run tools
- A web browser with an Internet connection

Note: You can also download SuperScan from http://www.foundstone.com. SuperScan is not supported by Windows 95/98/ME.

Lab Duration

Time: 10 Minutes

Overview of NetBIOS Enumeration

1. The purpose of NetBIOS enumeration is to gather information, such as:
   a. Account lockout threshold
   b. Local groups and user accounts
   c. Global groups and user accounts
2. Restrict anonymous bypass routine and also password checking:
   a. Checks for user accounts with blank passwords
   b. Checks for user accounts with passwords that are same as the usernames in lower case

Lab Tasks

1. Double-click the SuperScan4 file. The SuperScan window appears.

Note: Windows XP Service Pack 2 has removed raw sockets support, which now limits SuperScan and many other network scanning tools. Some functionality can be restored by running the net stop SharedAccess at the Windows command prompt before starting SuperScan.

Note: SuperScan features include superior scanning speed, improved host detection using multiple ICMP methods, and UDP scanning.

FIGURE 2.1: SuperScan main window

2. Click the Windows Enumeration tab located on the top menu.
3. Enter the Hostname/IP/URL in the text box. In this lab, we have a Windows 8 virtual machine IP address. These IP addresses may vary in lab environments.
4. Check the types of enumeration you want to perform.
5. Now, click Enumerate.

FIGURE 2.2: SuperScan main window with IP address

Note: You can use SuperScan to perform port scans, retrieve general network information, and enumerate Windows host information, such as users and groups.

Note: Your scan can be configured in the Host and Service Discovery and Scan Options tabs. The Scan Options tab lets you control such things as banner grabbing.

6. SuperScan starts enumerating the provided hostname and displays the results in the right pane of the window.

FIGURE 2.3: SuperScan main window with results

7. Wait for a while to complete the enumeration process.
8. After the completion of the enumeration process, an Enumeration completion message displays.

FIGURE 2.4: SuperScan main window with results

9. Now move the scrollbar up to see the results of the enumeration.
10. To perform a new enumeration on another host name, click the Clear button at the top right of the window. The option erases all the previous results.

Note: SuperScan has four different ICMP host discovery methods. This is useful because, while a firewall may block ICMP echo requests, it may not block other ICMP packets, such as timestamp requests. SuperScan gives you the potential to discover more hosts.

FIGURE 2.5: SuperScan main window with results

Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.

Tool/Utility: SuperScan Tool
Information Collected / Objectives Achieved:
  Enumerating Virtual Machine IP address:
  Performing Enumeration Types:
  - Null Session
  - MAC Address
  - Work Station Type
  - Users
  - Groups
  - Domain
  - Account Policies
  - Registry
  Output: Interface, Binding, Objective ID, and Annotation

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Analyze how remote registry enumeration is possible (assuming appropriate access rights have been given) and is controlled by the provided registry.txt file.
2. As far as stealth is concerned, this program, too, leaves a rather large footprint in the logs, even in SYN scan mode. Determine how you can avoid this footprint in the logs.

Platform Supported: Classroom, iLabs

Enumerating NetBIOS Using the NetBIOS Enumerator Tool

Enumeration is the process of probing identified services for known weaknesses.
Lab Scenario

Enumeration is the first attack on a target network; enumeration is the process of gathering the information about a target machine by actively connecting to it. Discover NetBIOS name enumeration with NBTscan. Enumeration means to identify the user account, system account, and admin account. In this lab, we enumerate a machine's user name, MAC address, and domain group. You must have sound knowledge of enumeration, a process that requires an active connection to the machine being attacked. A hacker enumerates applications and banners in addition to identifying user accounts and shared resources.

Lab Objectives

The objective of this lab is to help students learn and perform NetBIOS enumeration.

The purpose of NetBIOS enumeration is to gather the following information:

- Account lockout threshold
- Local groups and user accounts
- Global groups and user accounts
- To restrict anonymous bypass routine and also password checking for user accounts with:
  - Blank passwords
  - Passwords that are same as the username in lower case

Lab Environment

To carry out the lab, you need:
- NETBIOS Enumerator tool is located at D:\CEH-Tools\CEHv8 Module 04 Enumeration\NetBIOS Enumeration Tools\NetBIOS Enumerator
- You can also download the latest version of NetBIOS Enumerator from the link http://nbtenum.sourceforge.net/
- If you decide to download the latest version, then screenshots shown in the lab might differ
- Run this tool in Windows Server 2012
- Administrative privileges are required to run this tool

Note: NetBIOS over TCP/IP (NetBT) resolves NetBIOS names to IP addresses.

Lab Duration

Time: 10 Minutes

Overview of Enumeration

Enumeration involves making active connections, so that they can be logged. Typical information attackers look for in enumeration includes user account names for future password guessing attacks. NetBIOS Enumerator is an enumeration tool that shows how to use remote network support and to deal with some other interesting web techniques, such as SMB.

Lab Tasks

1. To launch NetBIOS Enumerator go to D:\CEH-Tools\CEHv8 Module 04 Enumeration\NetBIOS Enumeration Tools\NetBIOS Enumerator, and double-click NetBIOS Enumerater.exe.

FIGURE 3.1: NetBIOS Enumerator main window

2. In the IP range to scan section at the top left of the window, enter an IP range in from and to text fields.

Note: Features: added port scan; GUI ports can be added, deleted, edited; dynamic memory management; threaded work (64 ports scanned at once).

FIGURE 3.2: NetBIOS Enumerator with IP range to scan

4. NetBIOS Enumerator starts scanning for the range of IP addresses provided.
5. After the completion of scanning, the results are displayed in the left pane of the window.
6. A Debug window section, located in the right pane, shows the scanning of the inserted IP range and displays Ready! after completion of the scan.

Note: The network function NetServerGetInfo is also implemented in this tool.
FIGURE 3.3: NetBIOS Enumerator results

7. To perform a new scan or rescan, click Clear.
8. If you are going to perform a new scan, the previous scan results are erased.

Lab Analysis

Analyze and document the results related to the lab exercise.

Tool/Utility: NetBIOS Enumerator Tool
Information Collected / Objectives Achieved:
  IP Address Range: 10.0.0.1 - 10.0.0.50
  Result:
  - Machine Name
  - NetBIOS Names
  - User Name
  - Domain
  - MAC Address
  - Round Trip Time (RTT)

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Platform Supported: Classroom, iLabs

Enumerating a Network Using SoftPerfect Network Scanner

SoftPerfect Network Scanner is a free multi-threaded IP, NetBIOS, and SNMP scanner with a modern interface and many advanced features.

Lab Scenario

To be an expert ethical hacker and penetration tester, you must have sound knowledge of enumeration, which requires an active connection to the machine being attacked. A hacker enumerates applications and banners in addition to identifying user accounts and shared resources. In this lab we try to resolve host names and auto-detect your local and external IP range.

Lab Objectives

The objective of this lab is to help students learn and perform NetBIOS enumeration. NetBIOS enumeration is carried out to detect:

- Hardware MAC addresses across routers
- Hidden shared folders and writable ones
- Internal and external IP address

Lab Environment
To carry out the lab, you need:

- SoftPerfect Network Scanner is located at D:\CEH-Tools\CEHv8 Module 04 Enumeration\SNMP Enumeration Tools\SoftPerfect Network Scanner
- You can also download the latest version of SoftPerfect Network Scanner from the link http://www.softperfect.com/products/networkscanner
- If you decide to download the latest version, then screenshots shown in the lab might differ
- Run this tool in Windows 2012 server
- Administrative privileges are required to run this tool

Lab Duration

Time: 5 Minutes

Overview of Enumeration

Enumeration involves an active connection so that it can be logged. Typical information that attackers are looking for includes user account names for future password guessing attacks.

Lab Task

1. To launch SoftPerfect Network Scanner, navigate to D:\CEH-Tools\CEHv8 Module 04 Enumeration\SNMP Enumeration Tools\SoftPerfect Network Scanner
2. Double-click netscan.exe

Note: SoftPerfect allows you to mount shared folders as network drives and browse them using Windows Explorer.

FIGURE 4.1: SoftPerfect Network Scanner main window

3. To start scanning your network, enter an IP range in the Range From field and click Start Scanning.

FIGURE 4.2: SoftPerfect setting an IP range to scan

4. The status bar displays the status of the scanned IP addresses at the bottom of the window.
Note: SoftPerfect Network Scanner can also check for a user-defined port.

5. To view the properties of an individual IP address, right-click that particular IP address.

Lab Analysis

Tool/Utility: SoftPerfect Network Scanner
Information Collected / Objectives Achieved:
  Result:
  - IP Address
  - Host Names
  - MAC Address
  - Response Time

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Examine the detection of the IP addresses and MAC addresses across routers.
2. Evaluate the scans for listening ports and some UDP and SNMP services.
3. How would you launch external third-party applications?

Platform Supported: Classroom, iLabs

Enumerating a Network Using SolarWinds Toolset

The SolarWinds Toolset provides the tools you need as a network engineer or network consultant to get your job done. Toolset includes best-of-breed solutions that work simply and precisely, providing the diagnostic, performance, and bandwidth measurements you want, without extraneous, unnecessary features.

Lab Scenario

Penetration testing is much more than just running exploits against vulnerable systems like we learned in the previous module. In fact, a penetration test begins before penetration testers have even made contact with the victim systems.
Rather than blindly throwing out exploits and praying that one of them returns a shell, a penetration tester meticulously studies the environment for potential weaknesses and their mitigating factors. By the time a penetration tester runs an exploit, he or she is nearly certain that it will be successful. Since failed exploits can in some cases cause a crash or even damage to a victim system, or at the very least make the victim un-exploitable in the future, penetration testers won't get the best results. In this lab we enumerate target system services, accounts, hub ports, TCP/IP network, and routes. You must have sound knowledge of enumeration, which requires an active connection to the machine being attacked. A hacker enumerates applications and banners in addition to identifying user accounts and shared resources.

Lab Objectives

The objective of this lab is to help students learn and perform NetBIOS enumeration. NetBIOS enumeration is carried out to detect:

- Hardware MAC addresses across routers
- Hidden shared folders and writable ones
- Internal and external IP addresses
Lab Environment

To carry out the lab, you need:

- SolarWinds-Toolset-V10 located at D:\CEH-Tools\CEHv8 Module 04 Enumeration\SNMP Enumeration Tools\SolarWind's IP Network Browser
- You can also download the latest version of SolarWinds Toolset Scanner from the link http://www.solarwinds.com/
- If you decide to download the latest version, then screenshots shown in the lab might differ
- Run this tool in Windows Server 2012 Host machine and Windows Server 2008 virtual machine
- Administrative privileges are required to run this tool
- Follow the wizard-driven installation instructions

Lab Duration

Time: 5 Minutes

Overview of Enumeration

Enumeration involves an active connection so that it can be logged. Typical information that attackers are looking for includes user account names for future password guessing attacks.

Lab Task

1. Configure SNMP services and select Start > Control Panel

Note: Monitor and alert in real time on network health with tools including Real-Time Interface Monitor, SNMP Real-Time Graph, and Advanced CPU Load.

2. Double-click SNMP service.
3. Click the Security tab, and click Add... The SNMP Services Configuration window appears. Select READ ONLY from Community rights and Public in Community Name, and click Add.

FIGURE 5.2: Configuring SNMP Services

4. Select Accept SNMP packets from any host, and click OK.

FIGURE 5.3: Configuring SNMP Services

5. Install SolarWinds-Toolset-V10, located in D:\CEH-Tools\CEHv8 Module 04 Enumeration\SNMP Enumeration Tools\SolarWind's IP Network Browser.
6. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.

FIGURE 5.4: Windows Server 2012 - Desktop view

7. Click the Workspace Studio app to open the SolarWinds Workspace Studio window.

Note: Perform robust diagnostics for troubleshooting and quickly resolving complex network issues with tools such as Ping Sweep and DNS Analyzer.

FIGURE 5.5: Windows Server 2012 - Apps

6. The main window of SolarWinds Workspace Studio is shown in the following figure.

FIGURE 5.6: SolarWinds Workspace Studio main window

> IP Network Browser.

Note: Deploy an array of network discovery tools including Port Scanner, Switch Port Mapper, and Advanced Subnet Calculator.

8. IP Network Browser will be shown. Enter the Windows 8 Virtual Machine IP address (10.0.0.7) and click Scan Device (the IP address will be different in your network).

FIGURE 5.8: IP Network Browser window

9. It will show the result in line with the IP address and name of the computer that is being scanned.
10. Now click the Plus (+) sign before the IP address.

FIGURE 5.9: IP Network Browser window results page

11. It will list all the information of the targeted IP address.

FIGURE 5.10: IP Network Browser window results page

Lab Analysis

Analyze and document the results related to the lab exercise.
Tool/Utility: SolarWinds Tool
Information Collected / Objectives Achieved:
  Scan Device IP Address: 10.0.0.7
  Output:
  - Interfaces
  - Services
  - Accounts
  - Shares
  - Hub Ports
  - TCP/IP Network
  - IPX Network
  - Routes

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Analyze the details of the system such as user accounts, system MSI, hub ports, etc.
2. Find the IP address and MAC address of the system.

Platform Supported: Classroom, iLabs

Enumerating the System Using Hyena

Hyena uses an Explorer-style interface for all operations, including right mouse click pop-up context menus for all objects. Management of users, groups (both local and global), shares, domains, computers, services, devices, events, files, printers and print jobs, sessions, open files, disk space, user rights, messaging, exporting, job scheduling, processes, and printing are all supported.

Lab Scenario

The hacker enumerates applications and banners in addition to identifying user accounts and shared resources. In this lab, Hyena uses an Explorer-style interface for all operations; management of users, groups (both local and global), shares, domains, computers, services, devices, events, files, printers and print jobs, sessions, open files, disk space, user rights, messaging, exporting, job scheduling, processes, and printing are all supported. To be an expert ethical hacker and penetration tester, you must have sound knowledge of enumeration, which requires an active connection to the machine being attacked.
Lab Objectives ‘The objective of this lab is to help students learn and perform network ‘enumeration: LD Workbook review © Users information in the system Services nunning in the system, Lab Environment this lab are To perform the lab, you need: en * A computer mnning Windows Server 2012 Tools\CEHVS * Administative privileges to install and sun tools Module 04 . Enumeration = You can also download this tool fom following link swwew.systemtools,com/hrena/downloas CEH Lab Masval Page 27 Tiical Hacking nad Couternsnaes Copnig © by EC Cam "AE Rights Revere. Repuodoction Stic Pooied. "Ifyou decided to download latest version of this tool screenshots may differ Lab Duration ‘Time: 10 Minutes Overview of Enumeration ‘Enumeration is the process of extracting user names, machine names, network resources, shares, and services from a system. Enumeration techniques ae conducted in an intranet environment Lab Tasks ‘The basic idea in this section is to: 1, Navigate to DACEH-ToolsICEHV8 Module 04 EnumerationiNetBIOS Dorase 7 Enumeration ToolsiHyena 2. Donble-click Hyena English x64.exe. You can see the following window. Hyena, Click Next. D vou candorntoad ‘he Hens fom Iepe! nwm ytentolcom Liye enn FIGURE 61:lton fea A. The Software License Agreement window appears, you must accept the agreement to install Hyena. 4. Select | accept the terms of the license agreement to continue and click Noxt, CE Tab Manval Page 30 ical Hacking al Coaternssaes Cop © by EC Cad "AU Rights Revere. Reprodoction Stet Pooied. ‘Module 04 - Enumeration Tiyena OO nsalheld Wied FIGURE 62 Sethe geomet 5. Choose the destination location to install Hyena, 6, Click Next to continue the installation, Tera 0 hsalene Ward D rardaiion ro ssppoting sand Windows sem smanseenest foncsons, Hien alo inches cata Acie Diet itepaion FIGURE 63 Sein oes for itaaon ‘The Ready to install the Program window appears. 
   Click Install.
Note: Hyena can be used on any Windows client to manage any Windows NT, Windows 2000, Windows XP/Vista, or Windows Server 2003/2008/2012 installation.
FIGURE 6.4
8. The InstallShield Wizard Complete window appears. Click Finish to complete the installation.
FIGURE 6.5

Enumerating System Information
9. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.
FIGURE 6.6: Windows Server 2012 - Desktop view
10. Click the Hyena app to open the Hyena window.
Note: Hyena also includes full exporting capabilities and both Microsoft Access and Excel reporting and exporting options.
FIGURE 6.7: Windows Server 2012 - Apps
11. The Registration window will appear. Click OK to continue.
12. The main window of Hyena is shown in the following figure.
FIGURE 6.8: Main window of Hyena
13. Click + to expand Local workstation, and then click Users.
FIGURE 6.9: Expand the System users
14. To check the services running on the system, double-click Services.
FIGURE 6.10: Services running in the system
15. To check the User Rights, click + to expand it.
FIGURE 6.11: User Rights
16. To check the Scheduled jobs, click + to expand it.
FIGURE 6.12: Scheduled jobs

Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.

Tool/Utility: Hyena
Information Collected/Objectives Achieved:
Intention: Enumerating the system
Output:
* Local Connections
* Users
* Local Group
* Shares
* Sessions
* Services
* Events
* User Rights
* Performance
* Registry
* WMI

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Platform Supported: Classroom, iLabs
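The categories browsed in Hyena in steps 13 to 16 (users, services, user rights, scheduled jobs) can also be reviewed from the host's own side when writing up the Lab Analysis. The script below is an added example, not part of the lab manual; it assumes an elevated PowerShell 3.0 or later session on the Windows Server 2012 lab host, and the temporary file name and the selection of findings are illustrative.

```powershell
# Added example, not from the lab manual. Run elevated on the lab host.
# Step 13: local users (WMI is available on Windows Server 2012).
$users = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" |
    Select-Object Name, SID, Disabled, PasswordRequired, PasswordExpires

# Step 14: running services and the account each one runs under.
$services = Get-WmiObject Win32_Service -Filter "State='Running'" |
    Select-Object Name, StartMode, StartName, PathName

# Step 15: user rights. secedit writes lines like "SeXxx = *S-1-1-0,*S-1-5-32-544".
$inf = Join-Path $env:TEMP 'user-rights-review.inf'   # illustrative file name
secedit /export /areas USER_RIGHTS /cfg $inf | Out-Null
$rights = Get-Content $inf | Where-Object { $_ -match '^Se\w+\s*=' } | ForEach-Object {
    $name, $holders = $_ -split '\s*=\s*', 2
    [pscustomobject]@{
        Right   = $name
        Holders = @($holders -split ',' | ForEach-Object { $_.Trim().TrimStart('*') })
    }
}
Remove-Item $inf

# Step 16: scheduled jobs that are not disabled.
$tasks = Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } |
    Select-Object TaskPath, TaskName, State

# Findings to discuss (an illustrative selection, not a complete baseline).
$builtin = 'LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService'
$broad   = 'S-1-1-0', 'S-1-5-7', 'S-1-5-11'  # Everyone, Anonymous Logon, Authenticated Users
$report = [ordered]@{
    'Enabled accounts with no password required' =
        $users | Where-Object { -not $_.Disabled -and -not $_.PasswordRequired }
    'Enabled accounts whose password never expires' =
        $users | Where-Object { -not $_.Disabled -and -not $_.PasswordExpires }
    'Services running under non-built-in accounts' =
        $services | Where-Object { $_.StartName -and $builtin -notcontains $_.StartName }
    # Some defaults (for example SeChangeNotifyPrivilege) are expected here.
    'User rights held by broad groups' =
        $rights | Where-Object { $_.Holders | Where-Object { $broad -contains $_ } }
    'Scheduled jobs outside \Microsoft\' =
        $tasks | Where-Object { $_.TaskPath -notlike '\Microsoft\*' }
}
foreach ($finding in $report.GetEnumerator()) {
    "== $($finding.Key) =="
    $finding.Value | Format-Table -AutoSize | Out-String
}
```

Each non-empty section is a candidate item for the "security posture and exposure" write-up, since the same data is what an enumeration tool with a connection to the host would display.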
