Enumeration in Cyber Security! Everything that you need to understand.

What is Enumeration?

• In the enumeration phase, attacker creates active connections to system and performs directed queries to gain more information about the target.
• Attackers use extracted information to identify system attack points and perform password attacks to gain unauthorized access to information system resources
•  Enumeration techniques are conducted in an intranet environment.

Information Enumerated by Intruders

• Network resources
•  Network shares
• Routing tables
• Audit and service settings
•  SNMP and DNS details
•  Machine names
• Users and groups
• Applications and banners

Techniques for Enumeration

• Extract user names using email IDs
•  Extract information using the default passwords
•  Extract user names using SNMP
•  Brute force Active Directory
•  Extract user groups from Windows
•  Extract information using DNS Zone Transfer

Service and Ports to Enumerate

TCP/UDP 53: DNS Zone Transfer

TCP/UDP 135: Microsoft RPC Endpoint Mapper

UDP 137: NetBIOS Name Service (NBNS)

TCP 139: NetBIOS Session Service (SMB over NetBIOS)

TCP/UDP 445: SMB over TCP (Direct Host)

UDP 161: Simple Network Management Protocol (SNMP)

TCP/UDP 389: Lightweight Directory Access Protocol (LDAP)

TCP/UDP 3268: Global Catalog Service

TCP 25: Simple Mail Transfer Protocol (SMTP)

NetBIOS Enumeration

• NetBIOS name is a unique 16 ASCII character string used to identify the network devices over TCP/IP, 15 characters are used for the device name and 16th character is reserved for the service or name record type.
•  Attackers use the NetBIOS enumeration to obtain:
  •  List of computers that belong to a domain
  •  List of shares on the individual hosts in the network
  • Policies and passwords
• Nbtstat
• nbtscan in Kali

NetBIOS Enumeration: Tools

# SuperScan:

• SuperScan is a connect-based TCP port scanner, pinger, and hostname resolver.

#Hyena:

• Hyena is a GUI product for managing and securing Microsoft operating systems. It shows shares and user logon names for Windows servers and domain controllers.
•  It displays graphical representation of Microsoft Terminal Services, Microsoft Windows Network, Web Client Network, etc.

#Winfingerprint:

• Winfingerprint determines OS, enumerate users, groups, shares, SIDs, transports, sessions, services, service pack and hotfix level, date and time, disks, and open TCP and UDP ports.

SNMP Enumeration

• SNMP enumeration is a process of enumerating user accounts and devices on a target system using SNMP.
• SNMP consists of a manager and an agent; agents are embedded on every network device, and the manager is installed on a separate computer.
•  SNMP holds two passwords to access and configure the SNMP agent from the management station:
  •  Read community string: It is public by default; allows viewing of device/system configuration.
  • Read/write community string: It is private by default; allows remote editing of configuration

SNMP Enumeration: snmp-check example

Scan the target host (192.168.1.2) using the public SNMP community string (-c public)

root@kali:~# snmp-check 192.168.1.2 -c public

snmp-check v1.9 – SNMP enumerator Copyright (c) 2005-2015 by Matteo Cantoni

(www.nothink.org) [+]

Try to connect to 192.168.1.2:161 using SNMPv1 and community ‘public’

SNMP Enumeration: Tools

# OpUtils: OpUtils with its integrated set of tools helps network engineers to monitor, diagnose, and troubleshoot their IT resources.

#Engineer’s Toolset:

• Engineer’s Toolset performs network discovery on a single subnet or a range of subnets using ICMP and SNMP.
• It scans a single IP, IP address range, or subnet and displays network devices discovered in real time

LDAP Enumeration

• Lightweight Directory Access Protocol (LDAP) is an Internet protocol for accessing distributed directory services.
•  Directory services may provide any organized set of records, often in a hierarchical and logical structure, such as a corporate email directory.
•  A client starts an LDAP session by connecting to a Directory System Agent (DSA) on TCP port 389 and sends an operation request to the DSA.
•  Attacker queries LDAP service to gather information such as valid user names, addresses, departmental details, etc. that can be further used to perform attacks.

LDAP Enumeration: Example

# Exploiting LDAP Server with NULL https://www.n00py.io/2020/02/exploiting-ldap-server-null-bind/

NTP Enumeration

• Network Time Protocol (NTP) is designed to synchronize clocks of networked computers
• It uses UDP port 123 as its primary means of communication
•  Attacker queries NTP server to gather valuable information such as:
  •  List of hosts connected to NTP server 4
  • Clients IP addresses in a network, their system names and Oss

SMTP Enumeration

• SMTP provides 3 built-in-commands:
  •  VRFY: Validates users
  •  EXPN: Tells the actual delivery addresses of aliases and mailing lists
  • RCPT TO: Defines the recipients of the message

• SMTP servers respond differently to VRFY, EXPN, and RCPT TO commands for valid and invalid users from which we can determine valid users on SMTP server

•  Attackers can directly interact with SMTP via the telnet prompt and collect list of valid users on the SMTP server.

SMTP Enumeration: Example1 (telnet)

SMTP Enumeration: Example2 (msf)

SMTP Enumeration: Example3 (smtp-user-enum)

# Example https://www.hackingarticles.in/4-ways-smtp-enumeration/