Last Updated on by ICT Byte
What is Enumeration?
- In the enumeration phase, the attacker creates active connections to the target system and performs directed queries to gather more information about it.
- Attackers use the extracted information to identify system attack points and to perform password attacks to gain unauthorized access to information system resources.
- Enumeration techniques are conducted in an intranet environment.
Information Enumerated by Intruders
- Network resources
- Network shares
- Routing tables
- Audit and service settings
- SNMP and DNS details
- Machine names
- Users and groups
- Applications and banners
Techniques for Enumeration
- Extract user names using email IDs
- Extract information using the default passwords
- Extract user names using SNMP
- Brute force Active Directory
- Extract user groups from Windows
- Extract information using DNS Zone Transfer
Services and Ports to Enumerate
TCP/UDP 53: DNS Zone Transfer
TCP/UDP 135: Microsoft RPC Endpoint Mapper
UDP 137: NetBIOS Name Service (NBNS)
TCP 139: NetBIOS Session Service (SMB over NetBIOS)
TCP/UDP 445: SMB over TCP (Direct Host)
UDP 161: Simple Network Management Protocol (SNMP)
TCP/UDP 389: Lightweight Directory Access Protocol (LDAP)
TCP/UDP 3268: Global Catalog Service
TCP 25: Simple Mail Transfer Protocol (SMTP)
NetBIOS Enumeration
- A NetBIOS name is a unique 16-character ASCII string used to identify network devices over TCP/IP: 15 characters are used for the device name and the 16th character is reserved for the service or name record type.
- Attackers use the NetBIOS enumeration to obtain:
- List of computers that belong to a domain
- List of shares on the individual hosts in the network
- Policies and passwords
- Tools: nbtstat, nbtscan (in Kali)
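The 15-plus-1 name layout above, as an added example (not code from the original notes): build a NetBIOS name, apply the first-level encoding NBNS uses on the wire, and decode it back to name and suffix. The host name FILESRV01 is a constructed sample; the suffix table lists a few well-known Microsoft suffix bytes.

```python
# Added example (not from the original notes): build, encode and decode NetBIOS
# names as described above: 15 characters of name padded with spaces plus a
# 16th suffix byte identifying the service. On the wire (NBNS queries, port
# 137/udp) the 16 bytes use RFC 1001/1002 "first-level encoding": each nibble
# becomes one letter A-P, so the name appears as 32 letters.

# A few well-known Microsoft NetBIOS suffix bytes.
SUFFIXES = {
    0x00: "Workstation Service",
    0x03: "Messenger Service",
    0x1B: "Domain Master Browser",
    0x1C: "Domain Controllers",
    0x1D: "Master Browser",
    0x20: "File Server Service",
}


def netbios_name(name, suffix):
    """Raw 16-byte NetBIOS name: upper-cased name padded to 15 chars + suffix byte."""
    if not 0 < len(name) <= 15:
        raise ValueError("NetBIOS name must be 1-15 characters")
    if not 0 <= suffix <= 0xFF:
        raise ValueError("suffix must be a single byte")
    return name.upper().ljust(15).encode("ascii") + bytes([suffix])


def encode_first_level(raw):
    """Half-ASCII encoding: every byte -> two letters, 'A' + high nibble, 'A' + low nibble."""
    return "".join(chr(65 + (b >> 4)) + chr(65 + (b & 0x0F)) for b in raw)


def decode_first_level(encoded):
    """Reverse the encoding; returns (name, suffix, service description)."""
    if len(encoded) != 32 or any(c not in "ABCDEFGHIJKLMNOP" for c in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((ord(encoded[i]) - 65) << 4) | (ord(encoded[i + 1]) - 65)
                for i in range(0, 32, 2))
    # Windows pads with spaces; the wildcard name "*" is padded with NUL bytes.
    name = raw[:15].decode("ascii").rstrip(" \x00")
    suffix = raw[15]
    return name, suffix, SUFFIXES.get(suffix, "unknown suffix")


if __name__ == "__main__":
    # Constructed sample: a file server named FILESRV01 (not a real host).
    wire = encode_first_level(netbios_name("FILESRV01", 0x20))
    print(wire)                      # EGEJEMEFFDFCFGDADBCACACACACACACA
    print(decode_first_level(wire))  # ('FILESRV01', 32, 'File Server Service')
```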
NetBIOS Enumeration: Tools
# SuperScan:
- SuperScan is a connect-based TCP port scanner, pinger, and hostname resolver.
# Hyena:
- Hyena is a GUI product for managing and securing Microsoft operating systems. It shows shares and user logon names for Windows servers and domain controllers.
- It displays a graphical representation of Microsoft Terminal Services, Microsoft Windows Network, Web Client Network, etc.
# Winfingerprint:
- Winfingerprint determines the OS and enumerates users, groups, shares, SIDs, transports, sessions, services, service pack and hotfix level, date and time, disks, and open TCP and UDP ports.
SNMP Enumeration
- SNMP enumeration is the process of enumerating user accounts and devices on a target system using SNMP.
- SNMP consists of a manager and an agent; agents are embedded on every network device, and the manager is installed on a separate computer.
- SNMP holds two passwords (community strings) used to access and configure the SNMP agent from the management station:
- Read community string: "public" by default; allows viewing of the device/system configuration.
- Read/write community string: "private" by default; allows remote editing of the configuration.
SNMP Enumeration: snmp-check example
Scan the target host (192.168.1.2) using the public SNMP community string (-c public):
root@kali:~# snmp-check 192.168.1.2 -c public
snmp-check v1.9 - SNMP enumerator
Copyright (c) 2005-2015 by Matteo Cantoni (www.nothink.org)
[+] Try to connect to 192.168.1.2:161 using SNMPv1 and community 'public'
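The default community strings that snmp-check tries first are exactly what a configuration review should catch. As an added example (not code from the original notes), the script below audits a net-snmp style snmpd.conf: a weak configuration with the defaults beside a hardened SNMPv3 one, both constructed for this example, with placeholder passphrases.

```python
# Added example (not from the original notes): audit a net-snmp snmpd.conf for the
# weak defaults described above. SNMPv1/v2c community strings travel in cleartext
# and "public"/"private" are the first values an enumerator tries. Both config
# texts below are constructed; the SNMPv3 passphrases are placeholders.
WEAK_CONF = """\
# SNMPv1/v2c communities reachable from any source
rocommunity public
rwcommunity private
"""

HARDENED_CONF = """\
# SNMPv3 user with authentication and encryption, no v1/v2c communities
createUser snmpmon SHA "AUTH-PASSPHRASE-PLACEHOLDER" AES "PRIV-PASSPHRASE-PLACEHOLDER"
rouser snmpmon priv
# If v2c is unavoidable, pin it to the management host and a read-only view:
# rocommunity <non-default-string> 192.0.2.10 -V systemonly
"""

DEFAULT_COMMUNITIES = {"public", "private"}
COMMUNITY_DIRECTIVES = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"}


def audit_snmpd_conf(text):
    """Return a list of (severity, message) findings; empty means nothing weak found."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive in COMMUNITY_DIRECTIVES:
            community = parts[1] if len(parts) > 1 else ""
            source = parts[2] if len(parts) > 2 else "default"   # net-snmp default: any host
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append(("high", f"{directive}: default community string '{community}'"))
            if directive.startswith("rw"):
                findings.append(("high", f"{directive}: write access over cleartext v1/v2c"))
            if source in ("default", "0.0.0.0/0", "::/0"):
                findings.append(("medium", f"{directive} '{community}': accepts any source address"))
        elif directive in ("rouser", "rwuser") and len(parts) > 1:
            level = parts[2].lower() if len(parts) > 2 else "auth"   # net-snmp default level
            if level != "priv":
                findings.append(("medium", f"{directive} {parts[1]}: security level '{level}', not 'priv'"))
    return findings
```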
SNMP Enumeration: Tools
# OpUtils:
- OpUtils, with its integrated set of tools, helps network engineers monitor, diagnose, and troubleshoot their IT resources.
# Engineer's Toolset:
- Engineer's Toolset performs network discovery on a single subnet or a range of subnets using ICMP and SNMP.
- It scans a single IP, an IP address range, or a subnet and displays the network devices discovered in real time.
LDAP Enumeration
- Lightweight Directory Access Protocol (LDAP) is an Internet protocol for accessing distributed directory services.
- Directory services may provide any organized set of records, often in a hierarchical and logical structure, such as a corporate email directory.
- A client starts an LDAP session by connecting to a Directory System Agent (DSA) on TCP port 389 and sending an operation request to the DSA.
- Attackers query the LDAP service to gather information such as valid user names, addresses, and departmental details that can be used in further attacks.
LDAP Enumeration: Example
# Exploiting LDAP Server with NULL Bind: https://www.n00py.io/2020/02/exploiting-ldap-server-null-bind/
NTP Enumeration
- Network Time Protocol (NTP) is designed to synchronize the clocks of networked computers.
- It uses UDP port 123 as its primary means of communication.
- Attackers query the NTP server to gather valuable information such as:
- List of hosts connected to the NTP server
- Client IP addresses in the network, their system names, and OSs
SMTP Enumeration
- SMTP provides three built-in commands:
- VRFY: validates users
- EXPN: reveals the actual delivery addresses of aliases and mailing lists
- RCPT TO: defines the recipients of the message
- SMTP servers respond differently to the VRFY, EXPN, and RCPT TO commands for valid and invalid users, which is how valid users on the SMTP server can be determined.
- Attackers can interact directly with SMTP via a telnet prompt and collect a list of valid users on the SMTP server.
SMTP Enumeration: Example 1 (telnet)
SMTP Enumeration: Example 2 (msf)
SMTP Enumeration: Example 3 (smtp-user-enum)
# Examples: https://www.hackingarticles.in/4-ways-smtp-enumeration/
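The differing replies to VRFY, EXPN and RCPT TO described above are also what a mail server log reveals when someone is enumerating users. As an added example (not code from the original notes or the linked article), the detection below flags a client that probes many distinct mailbox names and is mostly rejected; the log format and IP addresses are constructed for this example.

```python
# Added example (not from the original notes): detection logic for the SMTP
# user-enumeration pattern described above. One client issuing VRFY, EXPN or
# RCPT TO against many distinct mailbox names, most of them rejected with a 5xx
# reply, is the signal. The log format is constructed for this example; adapt
# parse_line() to your MTA's real log lines.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO time> <client ip> <command> <target> <reply code>"
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.5 VRFY alice 550
2024-05-01T10:00:02Z 203.0.113.5 VRFY bob 550
2024-05-01T10:00:03Z 203.0.113.5 VRFY carol 250
2024-05-01T10:00:04Z 203.0.113.5 EXPN staff 550
2024-05-01T10:00:05Z 203.0.113.5 RCPT dave 550
2024-05-01T10:00:06Z 203.0.113.5 RCPT erin 550
2024-05-01T10:05:00Z 198.51.100.7 RCPT carol 250
2024-05-01T10:06:00Z 198.51.100.7 RCPT carol 250
"""

PROBE_COMMANDS = {"VRFY", "EXPN", "RCPT"}


def parse_line(line):
    ts, ip, cmd, target, code = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, cmd, target, int(code)


def find_enumerators(log_text, window=timedelta(minutes=5), min_targets=5,
                     min_reject_ratio=0.6):
    """Return {client_ip: (distinct_targets, rejected, probes)} for clients whose
    probes inside any `window` hit >= `min_targets` distinct names and were
    mostly rejected. Hosts delivering mail normally are not flagged."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        ts, ip, cmd, target, code = parse_line(line)
        if cmd in PROBE_COMMANDS:
            events[ip].append((ts, target.lower(), code))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        for i, (start, _, _) in enumerate(evs):   # slide the window over each start
            span = [e for e in evs[i:] if e[0] - start <= window]
            targets = {t for _, t, _ in span}
            rejected = sum(1 for _, _, c in span if 500 <= c < 600)
            if len(targets) >= min_targets and rejected / len(span) >= min_reject_ratio:
                flagged[ip] = (len(targets), rejected, len(span))
                break
    return flagged
```

On the mitigation side, Postfix's `disable_vrfy_command = yes` removes the VRFY channel, but RCPT TO probing still works against any MTA that rejects unknown recipients, which is why the detection counts RCPT as well.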