
LAB 4 – Enumeration

Source: EC-Council CEH v12


VMs Required:
- Kali
- ET0741-Windows 10x64s
- ET0741-Windows 2K Server v.1
- ET0741-Metasploitable2-Linux v.1

Start Up and Document Your VMs' IP Addresses

ET0741-Windows 10x64s - ______________________

ET0741-Windows 2K Server v.1 - ______________________

ET0741-Metasploitable2-Linux v.1 - ______________________

Overview of NetBIOS Enumeration


NetBIOS stands for Network Basic Input Output System. Windows uses NetBIOS for
file and printer sharing. A NetBIOS name is a unique computer name assigned to
Windows systems, comprising a 16-character ASCII string that identifies the network
device over TCP/IP.
The NetBIOS service is easily targeted, as it is simple to exploit and runs on
Windows systems even when not in use. NetBIOS enumeration allows attackers to
read or write to a remote computer system (depending on the availability of shares)
or launch a denial of service (DoS) attack.

Lab Objectives
Task 1: Perform NetBIOS enumeration using Windows command-line utilities
Task 2: Perform NetBIOS enumeration using NetBIOS Enumerator
Task 3: Perform NetBIOS enumeration using an NSE Script
Task 4: Perform SMTP enumeration using Telnet
Task 5: Perform SMTP Enumeration using smtp-user-enum package
*NOTE: The IP subnets will vary depending on your VMware Workstation
Virtual Network Editor settings. Use the appropriate subnets and IP addresses
based on your system setup.

Task 1: Perform NetBIOS Enumeration using Windows Command-Line Utilities
Nbtstat helps in troubleshooting NetBIOS name resolution problems. The nbtstat
command removes and corrects preloaded entries using several case-sensitive
switches. Nbtstat can be used to enumerate information such as NetBIOS over
TCP/IP (NetBT) protocol statistics, NetBIOS name tables for both the local and
remote computers, and the NetBIOS name cache.
Net use connects a computer to, or disconnects it from, a shared resource. It also
displays information about computer connections.
Here, we will use the Nbtstat and Net use Windows command-line utilities to
perform NetBIOS enumeration on the target network.
1. Launch the ET0741-Windows 10x64s VM and log in.
2. Perform a scan to discover the IP address of your ET0741-Windows 2K
Server v.1.
3. Open a Command Prompt window.
4. Type nbtstat -a [Target IP address] (the target IP address is that of your
ET0741-Windows 2K Server v.1) and press Enter.
5. The result appears, displaying the NetBIOS name table of a remote computer
(in this case, the Windows Server 2000 Server machine).
6. Type net use and press Enter. The output displays information about the
target such as connection status, shared folder/drive and network information.
7. Map a Windows network drive to Z:. Type net use z: \\[Target IP
address]\c$ (where Target IP address is your ET0741-Windows 2K Server
v.1 address).
8. When prompted for a username and password, use Administrator and
password.
9. Your mapping will NOT be successful, as Windows 10 uses a more secure
protocol than Windows 2K Server.
10. Enable the SMB1 feature on your Windows 10 VM with the following steps:
- Click on the Start menu.
- Type cmd to find the command prompt.
- Right-click on Command Prompt.
- Select Run as administrator.
- Type the following command:
DISM /Online /Enable-Feature /All /FeatureName:SMB1Protocol
- Confirm and reboot.

11. Ensure the date and time on the Windows 10 and Windows 2K Server VMs
are within 1 minute of each other.
12. Repeat the Windows drive mapping from step 7.
13. Type net use to view the mapping status.
14. Using this information, attackers can read or write to a remote computer
system, depending on the availability of shares, or even launch a DoS attack.
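
To help read the name table returned in step 5, the following added example (not part of the original lab handout) parses nbtstat -a style output, decodes the hexadecimal suffix stored in the 16th byte of each NetBIOS name, and lists what the table discloses for a hardening review. The sample output, host names and function names are constructed for illustration.

```python
import re

# NetBIOS suffix meanings (the hex value in < >), keyed by (suffix, type).
SUFFIXES = {
    ("00", "UNIQUE"): "Workstation service (computer name)",
    ("00", "GROUP"): "Domain or workgroup name",
    ("01", "GROUP"): "Master browser (__MSBROWSE__)",
    ("03", "UNIQUE"): "Messenger service (computer or logged-on user)",
    ("20", "UNIQUE"): "File server service",
    ("1B", "UNIQUE"): "Domain master browser",
    ("1C", "GROUP"): "Domain controllers",
    ("1D", "UNIQUE"): "Master browser",
    ("1E", "GROUP"): "Browser service elections",
}
ROW = re.compile(r"^\s*(\S.*?)\s*<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+\w+\s*$")

# Constructed sample in the layout nbtstat -a prints; names and MAC are made up.
SAMPLE = """
       Name               Type         Status
    ---------------------------------------------
    LABSRV         <00>  UNIQUE      Registered
    WORKGROUP      <00>  GROUP       Registered
    LABSRV         <20>  UNIQUE      Registered
    LABSRV         <03>  UNIQUE      Registered
    ADMINISTRATOR  <03>  UNIQUE      Registered
    MAC Address = 00-00-5E-00-53-01
"""

def parse_name_table(text):
    """Return one dict per name-table row, with the suffix decoded."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            name, suffix, kind = m.group(1), m.group(2).upper(), m.group(3)
            meaning = SUFFIXES.get((suffix, kind), "Unknown suffix")
            rows.append({"name": name, "suffix": suffix, "type": kind, "meaning": meaning})
    return rows

def exposure_findings(rows):
    """Summarise what the table tells an outsider, for a hardening review."""
    host = next((r["name"] for r in rows if (r["suffix"], r["type"]) == ("00", "UNIQUE")), None)
    findings = []
    if any(r["suffix"] == "20" for r in rows):
        findings.append("file server service advertised")
    users = sorted({r["name"] for r in rows if r["suffix"] == "03" and r["name"] != host})
    if users:
        findings.append("logged-on user disclosed: " + ", ".join(users))
    return findings
```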

Task 2: Perform NetBIOS Enumeration using NetBIOS Enumerator
NetBIOS Enumerator is a tool that enables the use of remote network support and
several other techniques such as SMB (Server Message Block). It is used to
enumerate details such as NetBIOS names, usernames, domain names, and MAC
addresses for a given range of IP addresses.
Here, we will use the NetBIOS Enumerator to perform NetBIOS enumeration on the
target network.
1. Launch the ET0741-Windows 10x64s VM and log in.
2. Download and install the latest copy of NetBIOS Enumerator
(Nbtenum Win32 Binary x.xx) from https://nbtenum.sourceforge.net/
3. Due to restrictions on the sourceforge.net site, the required file has been
shared in the lab's shared folder at \\10.32.36.200. Download the required
application from the shared folder.
4. The NetBIOS Enumerator main window appears, as shown in the
screenshot.
5. Under IP range to scan, enter an IP range in the from and to fields and click
the Scan button to initiate the scan (in this example, we are targeting the IP
range 192.168.17.1-192.168.17.255; use the subnet range appropriate to
your setup).
6. The Debug window section in the right pane shows the scanning range of IP
addresses and displays Ready! after the scan is finished.

7. Click on the expand icon (+) to the left of 192.168.17.133 in the left pane
of the window. Then click on the expand icon to the left of NetBIOS Names to
display NetBIOS details of the target IP address, as shown in the screenshot.
8. This enumerated NetBIOS information can be used to strategize an attack on
the target.

Task 3: Perform NetBIOS Enumeration using an NSE Script
NSE allows users to write (and share) simple scripts to automate a wide variety of
networking tasks. NSE scripts can be used for discovering NetBIOS shares on the
network.
1. Log in to the Kali VM.
2. Click the Terminal Emulator icon at the top of the Desktop to open
a Terminal window.
3. In the terminal window, type sudo su - and press Enter to run the programs
as a root user.
4. In the terminal window, type nmap -sV -v --script nbstat.nse [Target IP
Address] (the Target IP Address is your ET0741-Windows 2K Server v.1)
and press Enter.
Q. What is the option -sV?
______________________________________________________________
Q. What is the option -v?
______________________________________________________________
5. The scan results appear, displaying the open ports and services, along with
their versions, NetBIOS name, NetBIOS user, and NetBIOS MAC address.

Q. What is the significance of knowing the NetBIOS name?

___________________________________________________

Q. What do the numbers in < > signify? Google search or ask ChatGPT for
the answer.
Overview of SMTP Enumeration
Source: https://www.geeksforgeeks.org/smtp-enumeration/
SMTP (Simple Mail Transfer Protocol) is a set of communication guidelines that
allow web applications to perform communication tasks over the internet, including
emails. It is a part of the TCP/IP protocol suite and works on moving emails across
the network. SMTP enumeration is a technique used to enumerate the SMTP service
that is running on the target server; it allows us to identify valid users on the
SMTP server. This is done using the built-in SMTP commands: VRFY validates the
user, EXPN displays the actual mailing address for aliases and mailing lists, and
RCPT TO identifies the recipient of the message.
Pre-Defined Commands:
- VRFY: It is used to validate the user on the server.
- EXPN: It is used to find the delivery address of mail aliases.
- RCPT TO: It points to the recipient's address.

Task 4: Perform SMTP Enumeration using Telnet


1. Log in to the Kali VM.
2. Click the Terminal Emulator icon at the top of the Desktop to open
a Terminal window.
3. In the terminal window, type sudo su - and press Enter to run the programs
as a root user.
4. Perform a scan to determine the IP address of your ET0741-Metasploitable2-
Linux v.1. The discovered IP will be your [Target IP Address].
5. Type telnet [Target IP Address] 25 (in this example, the Target IP address is
the SMTP server 192.168.17.158. You will target your ET0741-Metasploitable2-
Linux v.1).

6. Type vrfy [email user] (where email user is the account to enumerate; in this
example, email user is root).
Email user root exists.
7. Type vrfy me to enumerate the email account me.

Email user me does not exist.


8. Enumerate the email accounts in the table below:
Account      Exists (yes/no)
sys          ______
ftp          ______
hackproof    ______
admin        ______

9. Type quit to exit the telnet session.
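
The following added example (not part of the original lab handout) shows how the VRFY replies seen in steps 6 and 7 can be read by their SMTP reply codes, and how an administrator can confirm from a saved session whether a server still distinguishes valid from invalid names. Both transcripts are constructed, with replies modelled on Postfix wording; the host name and function names are hypothetical.

```python
import re

# Constructed telnet-style transcripts; replies are modelled on Postfix wording.
LEAKY = """\
220 mail.lab.example ESMTP Postfix
vrfy root
252 2.0.0 root
vrfy me
550 5.1.1 <me>: Recipient address rejected: User unknown in local recipient table
quit
221 2.0.0 Bye
"""
HARDENED = """\
220 mail.lab.example ESMTP Postfix
vrfy root
502 5.5.1 VRFY command is disabled
vrfy me
502 5.5.1 VRFY command is disabled
"""
REPLY = re.compile(r"^(\d{3})([ -])")

def vrfy_results(transcript):
    """Map each VRFY argument to the final reply code the server sent for it."""
    results, pending = {}, None
    for line in transcript.splitlines():
        reply = REPLY.match(line)
        if reply is None:
            parts = line.split(None, 1)
            is_vrfy = len(parts) == 2 and parts[0].upper() == "VRFY"
            pending = parts[1].strip() if is_vrfy else None
        elif pending is not None and reply.group(2) == " ":
            # "250-" marks a continuation line; only "250 " ends the reply.
            results[pending] = int(reply.group(1))
            pending = None
    return results

def classify(code):
    if code in (250, 251, 252):
        return "accepted"
    if code in (550, 551, 553):
        return "rejected"
    return "no-information"  # e.g. 502: command disabled or not implemented

def discloses_users(transcript):
    """True when the server answers differently for different names."""
    verdicts = {classify(c) for c in vrfy_results(transcript).values()}
    return {"accepted", "rejected"} <= verdicts
```

The check is only meaningful when the saved session includes at least one name known to exist and one known not to exist. On Postfix, setting disable_vrfy_command = yes in main.cf produces the second pattern.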

Task 5: Perform SMTP Enumeration using smtp-user-enum package
1. Log in to the Kali VM.
2. Click the Terminal Emulator icon at the top of the Desktop to open
a Terminal window.
3. In the terminal window, type sudo su - and press Enter to run the programs
as a root user.
4. Type smtp-user-enum. Kali will install the package if it is not already installed.
5. Type smtp-user-enum and press Enter to obtain the command usage.

6. Type smtp-user-enum -M VRFY -U [userlist] -t [Target IP Address] (in this
example, userlist is /usr/share/wordlists/metasploit/unix_users.txt and
Target IP address is your ET0741-Metasploitable2-Linux v.1) and press
Enter.

Q. How many accounts were enumerated?

_____________________________________________________

Q. View the content of /usr/share/wordlists/metasploit/unix_users.txt.
What is the content?

______________________________________________________
Q. What other files are found in the /usr/share/wordlists/metasploit directory?

______________________________________________________
