Ethical Hacking v10 Enumeration Module 4

Transcript of Ethical Hacking v10 Module 4 - Enumeration (62 pages)

Page 1: Ethical Hacking v10 Module 4 - Enumeration

Page 2: Enumeration

Page 3: Goals
• Describe enumeration
• List information obtained from enumeration
• Describe enumeration types and techniques
• List enumeration countermeasures

Page 4: Module 4.0 Enumeration
• 4.1 Enumeration Concepts
• 4.2 NetBIOS Enumeration
• 4.3 SNMP Enumeration
• 4.4 LDAP Enumeration
• 4.5 NTP Enumeration
• 4.6 SMTP and DNS Enumeration
• 4.7 Enumeration Countermeasures
• 4.8 Enumeration Pen Testing

Page 5: 4.1 Enumeration Concepts
• What is Enumeration
• Techniques for Enumeration
• Services and Ports to Enumerate

Page 6: What is Enumeration?
• Network enumeration is a process that involves gathering information about a network, including hosts, connected devices, usernames, group information and related data
• Using protocols like ICMP and SNMP, network enumeration gives a better view of an organization's network for either protection or hacking purposes
• An attacker creates an active connection to a system and sends queries to gather information regarding the target
• The attacker then uses the extracted information to identify attack areas and to carry out password attacks to gain unauthorized access to information system resources

Page 7: Information Enumerated
• Network resources
• Network shares
• Routing tables
• Audit and service settings
• SNMP and DNS information
• Machine names
• Users and groups
• Applications and banners

Page 8: Techniques for Enumeration
• Extract usernames using email IDs and/or SNMP
• Extract information using default passwords
• Extract Active Directory data using brute force
• Extract information using DNS zone transfer

Page 9: Nmap Enumeration Example

Page 10: Services and Ports to Enumerate
• Simple Mail Transfer Protocol (SMTP) – TCP port 25
• DNS Zone Transfers – TCP/UDP port 53
• Microsoft RPC Endpoint Mapper – TCP/UDP port 135
• NetBIOS Name Service (NBNS) – UDP port 137
• NetBIOS Session Service (SMB over NetBIOS) – TCP port 139
• Simple Network Management Protocol (SNMP) – UDP port 161
• SNMP Trap – TCP/UDP port 162
• Lightweight Directory Access Protocol (LDAP) – TCP/UDP port 389
• SMB over TCP (Direct Host) – TCP/UDP port 445
• Global Catalog Service – TCP/UDP port 3268

Page 11: 4.2 Enumeration Techniques and Tools

Page 12: Host Enumeration Examples
• nmap
  • nmap -O 192.168.1.50
  • nmap -sV 192.168.1.20
  • nmap --script=smb-os-discovery <target>
• rpcclient
  • rpcclient <target IP> -U <username>
  • Commands issued inside the rpcclient shell:
    • srvinfo
    • lookupnames administrator
    • lookupsids
  • rpcclient -U "" 192.168.1.20
• Metasploit
  • use auxiliary/scanner/smb/smb_lookupsid
  • set SMBUser moo
  • set SMBPass Pa22w0rd
  • set MinRID 1000
  • set MaxRID 1100
  • set RHOSTS 192.168.74.50

Page 13: Service and Application Enumeration
Services required by default processes and by installed software

Page 14: Service and Application Enumeration (cont'd)

Page 15: Service and Application Enumeration (cont'd)

Page 16: Service and Application Enumeration (cont'd)

Page 17: 4.3 NetBIOS Enumeration

Page 18: NetBIOS Names
• A unique 16 ASCII character string used to identify network devices over TCP/IP
• 15 characters are the device name
• The 16th character is reserved for the service or name record type

Name         NetBIOS Code  Type    Information Obtained
<host name>  <00>          Unique  Hostname
<domain>     <00>          Group   Domain name
<host name>  <03>          Unique  Messenger service running for that computer
<username>   <03>          Unique  Messenger service running for that individual logged-in user
<host name>  <20>          Unique  Server service running
<domain>     <1D>          Group   Master browser name for that subnet
<domain>     <1B>          Unique  Domain master browser name, identifies PDC for domain
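The following Python example is added here and is not part of the course slides: it splits a 16-byte NetBIOS name into its 15-character name and suffix byte, classifies the suffix using the table above, and also handles the RFC 1001 first-level encoding that carries NetBIOS names on the wire (each nibble sent as a letter A..P). The suffix table is transcribed from the slide; the sample name FILESRV01 and the group flag are constructed for the example.

```python
# Added example (not from the course slides): decode NetBIOS name records.
# A NetBIOS name is 16 bytes: 15 characters of device name (space padded)
# plus a 16th suffix byte that identifies the service or record type.
# On the wire (RFC 1001 "first-level encoding") each byte is split into two
# nibbles and each nibble is sent as a letter 'A'..'P', giving 32 characters.

# Suffix table transcribed from the slide above: (suffix, is_group) -> meaning.
SUFFIX_INFO = {
    (0x00, False): "Hostname",
    (0x00, True): "Domain name",
    (0x03, False): "Messenger service running (computer or logged-in user)",
    (0x20, False): "Server service running",
    (0x1D, True): "Master browser name for that subnet",
    (0x1B, False): "Domain master browser name, identifies PDC for domain",
}

FIRST_LEVEL_ALPHABET = "ABCDEFGHIJKLMNOP"


def encode_first_level(raw: bytes) -> str:
    """Encode 16 raw bytes as the 32-letter form seen in NBNS packets."""
    if len(raw) != 16:
        raise ValueError("NetBIOS names are exactly 16 bytes")
    return "".join(FIRST_LEVEL_ALPHABET[b >> 4] + FIRST_LEVEL_ALPHABET[b & 0x0F]
                   for b in raw)


def decode_first_level(encoded: str) -> bytes:
    """Reverse encode_first_level: 32 letters 'A'..'P' -> 16 raw bytes."""
    if len(encoded) != 32 or any(c not in FIRST_LEVEL_ALPHABET for c in encoded):
        raise ValueError("expected 32 characters in the range A..P")
    nibbles = [FIRST_LEVEL_ALPHABET.index(c) for c in encoded]
    return bytes((hi << 4) | lo for hi, lo in zip(nibbles[0::2], nibbles[1::2]))


def parse_netbios_name(raw: bytes, is_group: bool) -> dict:
    """Split a 16-byte name into name + suffix and look the suffix up."""
    if len(raw) != 16:
        raise ValueError("NetBIOS names are exactly 16 bytes")
    name = raw[:15].rstrip(b" \x00").decode("ascii", errors="replace")
    suffix = raw[15]
    return {
        "name": name,
        "suffix": f"<{suffix:02X}>",
        "type": "Group" if is_group else "Unique",
        "info": SUFFIX_INFO.get((suffix, is_group), "not in table"),
    }


def make_name(name: str, suffix: int) -> bytes:
    """Build a 16-byte name from a <=15 character name and a suffix byte."""
    return name.upper().encode("ascii").ljust(15, b" ") + bytes([suffix])
```

The wildcard name `*` padded with NUL bytes encodes to `CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA`, which is the string a defender sees in NBSTAT queries against port 137.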

Page 19: NetBIOS Enumeration
• Attackers use NetBIOS enumeration to obtain:
  • List of computers in the domain
  • List of shares on hosts and the network
  • Policies and passwords
• Note: NetBIOS name resolution is not supported by Microsoft for IPv6

Page 20: SuperScan Enumeration
• SuperScan is a connection-based TCP port scanner, pinger, and hostname resolver
  • Support for unlimited IP ranges
  • Host detection by multiple ICMP methods
  • TCP SYN and UDP scanning
  • Simple HTML report generation
  • Source port scanning
  • Hostname resolving
  • Banner grabbing
  • Windows host enumeration

Page 21: More NetBIOS Enumeration Tools
• Nbtstat
  • Windows utility that displays NetBIOS over TCP/IP protocol statistics, NetBIOS name tables for local and remote computers, and the NetBIOS name cache
• Hyena
  • A GUI application for managing and securing Microsoft operating systems
  • Shows shares
  • Shows user logon names for Windows servers and domain controllers
  • Displays a graphical representation of Microsoft Terminal Services, Microsoft Windows Network, Web Client Network, etc.
• Winfingerprint
  • Shows the operating system; enumerates users, groups, SIDs, transports, sessions, services, service pack and hotfix level, date and time, disks, and open TCP/UDP ports

Page 22: More NetBIOS Enumeration Tools (cont'd)
• NetBIOS Enumerator
• NSAuditor Network Security Auditor
  • Advanced all-in-one network security auditing tools suite
  • Includes more than 45 network tools and utilities for network security auditing, network scanning, network monitoring, etc.

Page 23: Enumeration User Account Tools
• Net user
• Net localgroup
• PsExec
• PsFile
• PsGetSid
• PsKill
• PsInfo
• PsList
• PsLoggedOn
• PsLogList
• PsPasswd
• PsShutdown

Page 24: Enumerating Shared Resources Using Net View
• The Net View utility is used to obtain a list of all the shared resources of remote hosts or workgroups

Page 25: ShareEnum Example

Page 26: 4.4 SNMP Enumeration

Page 27: SNMP Enumeration
• Simple Network Management Protocol (SNMP) enumeration is used to enumerate user accounts and devices on a target using SNMP
• SNMP consists of a manager and an agent
  • Agents are installed on all managed devices
  • Managers are installed on managing computers
• Has two passwords (community strings) to access and configure the SNMP agent from the management station
  • Read community string – allows viewing of device/system configuration
  • Read/write community string – allows remote editing of configuration and is private by default

Page 28: SNMP Enumeration (cont'd)
• Attackers use default community strings to extract information from devices
• Attackers enumerate SNMP to extract information about network resources including hosts, routers, devices, shares, etc. and network information including ARP tables, routing tables, traffic, etc.

[Figure; only the label "Printer" survived extraction]

Page 29: Management Information Base (MIB)
• The MIB is a virtual database containing a formal description of all network objects that can be managed by SNMP
• The MIB database is hierarchical and each object is addressed using an Object Identifier (OID)
• There are two types of managed object
  • Scalar objects – define a single object instance
  • Tabular objects – define multiple related object instances that are grouped in MIB tables
• The OID entry includes the type of MIB object (such as counter, string, or address), the access level (such as not-accessible, accessible-for-notify, read-only or read-write), size restrictions, and range information
• SNMP uses the MIB's hierarchical namespace of OIDs to translate OID numbers into a human-readable display
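To show how the hierarchical OID namespace described above turns numbers into readable names, here is an added Python example (not from the course slides): it walks a small hand-built table of standard nodes (iso.org.dod.internet, the MIB-2 system group, the HOST-RESOURCES hrSWRun subtree) and distinguishes a scalar instance (`.0`) from a table row. The table is a constructed subset; real tools load complete MIB modules.

```python
# Added example (not from the course slides): translate numeric OIDs into
# readable names by walking a small hierarchical namespace, the way a MIB
# browser renders managed objects. MIB_TREE is a constructed subset of the
# standard tree; arcs that are not in the table stay numeric.

MIB_TREE = {
    "1": "iso", "1.3": "org", "1.3.6": "dod", "1.3.6.1": "internet",
    "1.3.6.1.2": "mgmt", "1.3.6.1.2.1": "mib-2",
    "1.3.6.1.2.1.1": "system",
    "1.3.6.1.2.1.1.1": "sysDescr",      # scalar: description of the device
    "1.3.6.1.2.1.1.3": "sysUpTime",     # scalar: ticks since the agent started
    "1.3.6.1.2.1.1.5": "sysName",       # scalar: the machine name
    "1.3.6.1.2.1.2": "interfaces", "1.3.6.1.2.1.2.2": "ifTable",
    "1.3.6.1.2.1.25": "host", "1.3.6.1.2.1.25.4": "hrSWRun",  # running software
    "1.3.6.1.4": "private", "1.3.6.1.4.1": "enterprises",
}


def _split(oid: str) -> list:
    parts = oid.strip().strip(".").split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a numeric OID: {oid!r}")
    return parts


def oid_to_name(oid: str) -> str:
    """Full dotted path, labelling every arc that is present in MIB_TREE."""
    parts = _split(oid)
    labels = []
    for depth in range(1, len(parts) + 1):
        prefix = ".".join(parts[:depth])
        labels.append(MIB_TREE.get(prefix, parts[depth - 1]))
    return ".".join(labels)


def describe_oid(oid: str) -> dict:
    """Short label (deepest known node + remaining arcs) and the instance kind."""
    parts = _split(oid)
    known = 0
    for depth in range(1, len(parts) + 1):
        if ".".join(parts[:depth]) in MIB_TREE:
            known = depth                 # deepest arc we have a name for
    label = MIB_TREE[".".join(parts[:known])] if known else "unknown"
    rest = parts[known:]
    if not rest:
        kind = "object (no instance)"
    elif rest == ["0"]:
        kind = "scalar instance"          # scalar objects have the single instance .0
    else:
        kind = "tabular/unknown instance" # table rows are indexed by extra arcs
    return {"full": oid_to_name(oid), "short": ".".join([label] + rest), "kind": kind}
```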

Page 30: SNMP Architecture

Page 31: SNMP Enumeration Example

Page 32: SNMP Enumeration Tools
• OpUtils
  • An integrated set of tools that helps network engineers monitor, diagnose, and troubleshoot their IT resources
• Engineer's Toolset (SolarWinds)
  • Over 60 network management and troubleshooting tools for automated network discovery, real-time monitoring and alerting, diagnostic capabilities, enhanced network security, configuration & log management, IP address and DHCP scope monitoring

Page 33: SNMP Enumeration Tools (cont'd)
• SNMP Scanner
• Getif
• OIDVIEW SNMP MIB Browser
• iReasoning MIB Browser
• SNScan
• SoftPerfect Network Scanner
• SNMP Informant
• Net-SNMP
• Nsauditor Network Security
• Spiceworks

Page 34: 4.5 LDAP Enumeration

Page 35: LDAP Enumeration
• Lightweight Directory Access Protocol (LDAP) is an Internet protocol that allows access to distributed directory services
• Provides an organized set of records in a hierarchical and logical structure
• Follows the X.500 naming convention
• Used by Active Directory and others
• A client starts an LDAP session by connecting to a Directory System Agent (DSA) on TCP port 389 and sends an operations request to the DSA
• Attackers query the LDAP service to gather information including valid user names, addresses, department details, etc. that can be used for further attacks

Page 36: X.500 Naming Hierarchy

Page 37: Softerra LDAP Administrator
• Softerra LDAP Administrator is an LDAP administration tool designed to work with many LDAP servers including Active Directory, Novell Directory Services, Netscape/iPlanet, etc.
• Softerra LDAP Administrator simplifies management of LDAP directories, providing advanced directory search facilities, bulk update operations, group membership management facilities, etc.
  • Customizable directory reports for effective monitoring and audit
  • Directory data can be exported and imported in LDIF, CSV, DSML1, DSML2 and other formats
  • LDAP-SQL support allows managing LDAP entries using SQL-like syntax and performing LDAP operations that cannot be executed using standard LDAP resources

Page 38: LDAP Tools
• Active Directory Users and Computers
• Softerra LDAP Administrator
• LDP.exe

Page 39: 4.6 NTP Enumeration

Page 40: NTP Enumeration
• Network Time Protocol (NTP) is designed to synchronize the clocks of networked computers
• Uses UDP port 123 as its primary means of communication
• Can maintain time to within 10 milliseconds over the public Internet
• Realizes accuracies of 200 milliseconds or better in ideal conditions on a local area network
• Attackers query NTP for
  • List of hosts connected to the NTP server
  • Client IP addresses, system names, and operating systems
  • Internal IP addresses can be acquired if the NTP server is in the DMZ

Page 41: NTP Commands
• ntptrace – traces a chain of NTP servers back to the primary source
• ntpdc – monitors operation of the NTP daemon, ntpd
• ntpq – monitors NTP daemon (ntpd) operations and determines performance

Page 42: NTP Enumeration Tools
• NTP Time Server Monitor
• NTP Server Scanner
• Nmap
• Wireshark
• AtomSync
• NTPQuery
• PresenTense NTP Auditor
• PresenTense Time Server
• PresenTense Time Client
• LAN Time Analyser

Page 43: 4.7 SMTP and DNS Enumeration

Page 44: SMTP Enumeration
• Simple Mail Transfer Protocol (SMTP) has three built-in commands
  • VRFY – validates a user
  • EXPN – tells the actual delivery address of aliases and mailing lists
  • RCPT TO – defines the recipients of the message
• SMTP servers respond differently to each command for valid and invalid users, which allows determination of valid users on the SMTP server
• Attackers can directly interact with SMTP using Telnet and collect a list of valid users on the SMTP server

Page 45: SMTP Enumeration Tools
• NetScanTools Pro's SMTP Email Generator and Email Relay Testing Tools are designed for performing tests by sending email messages through an SMTP server and performing relay tests
• smtp-user-enum is a tool for enumerating OS-level user accounts on Solaris using the SMTP service (sendmail)
  • Enumeration is performed by inspecting responses to the SMTP commands VRFY, EXPN, and RCPT TO
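Because the VRFY/EXPN/RCPT TO probing described on this and the previous slide leaves a distinctive trace in mail logs, here is an added Python example (not from the course slides or any of the tools named) that flags clients whose command mix and rejection rate look like user enumeration. The log format, the client addresses and the thresholds are constructed for the example; the regular expression would need adapting to a real MTA's log lines.

```python
# Added example (not from the course slides): spot SMTP user enumeration in a
# mail log by counting VRFY / EXPN / RCPT TO probes per client and the share
# of them the server rejected. The log format is constructed for this example
# and is not the output of any particular mail server; adapt LINE_RE to yours.
import re
from collections import defaultdict

SAMPLE_LOG = """\
2024-05-01T10:00:01 client=203.0.113.7 cmd=VRFY arg=root code=252
2024-05-01T10:00:01 client=203.0.113.7 cmd=VRFY arg=admin code=550
2024-05-01T10:00:02 client=203.0.113.7 cmd=VRFY arg=backup code=550
2024-05-01T10:00:02 client=203.0.113.7 cmd=EXPN arg=staff code=550
2024-05-01T10:00:03 client=203.0.113.7 cmd=RCPT arg=alice@example.com code=250
2024-05-01T10:00:03 client=203.0.113.7 cmd=RCPT arg=bob@example.com code=550
2024-05-01T10:00:04 client=203.0.113.7 cmd=RCPT arg=carol@example.com code=550
2024-05-01T10:05:00 client=198.51.100.9 cmd=RCPT arg=alice@example.com code=250
"""

LINE_RE = re.compile(
    r"client=(?P<client>\S+) cmd=(?P<cmd>VRFY|EXPN|RCPT) arg=(?P<arg>\S+) code=(?P<code>\d{3})"
)


def summarize(log_text: str) -> dict:
    """Per-client counts of probes, 5xx rejections, VRFY/EXPN use and distinct targets."""
    stats = defaultdict(lambda: {"probes": 0, "rejected": 0, "vrfy_expn": 0, "targets": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        s = stats[m["client"]]
        s["probes"] += 1
        s["targets"].add(m["arg"])
        if m["cmd"] in ("VRFY", "EXPN"):
            s["vrfy_expn"] += 1            # commands a hardened MTA should refuse
        if m["code"].startswith("5"):
            s["rejected"] += 1             # unknown recipient / refused
    return stats


def flag_enumerators(log_text: str, min_probes: int = 5, min_reject_ratio: float = 0.5) -> dict:
    """Clients whose probing looks like user enumeration rather than normal delivery."""
    flagged = {}
    for client, s in summarize(log_text).items():
        ratio = s["rejected"] / s["probes"]
        many_failures = s["probes"] >= min_probes and ratio >= min_reject_ratio
        if many_failures or (s["vrfy_expn"] > 0 and s["probes"] >= min_probes):
            flagged[client] = {"probes": s["probes"], "rejected": s["rejected"],
                               "vrfy_expn": s["vrfy_expn"], "targets": len(s["targets"])}
    return flagged
```

Note the 252 reply to the first VRFY: that is the response of a server configured not to confirm users, which is the countermeasure this module recommends.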

Page 46: SMTP Enumeration Example

Page 47: DNS Enumeration
• Get DNS records
  • A
  • MX
  • NS
  • SOA
  • CNAME
  • PTR

Page 48: NSlookup
• Microsoft tool for querying DNS
• Depends on the existence of a reverse lookup zone

Page 49: Dig
• *nix tool for querying DNS

Page 50: 4.8 Enumeration Countermeasures

Page 51: SNMP Enumeration Countermeasures
• Simple Network Management Protocol (SNMP)
  • Turn off the service
  • Change the default community string name
  • Upgrade to SNMPv3 – encrypts passwords and messages
• Implement the Group Policy security option called "Additional restrictions for anonymous connections"
• Make certain that access to null session pipes, null session shares, and IPsec filtering is restricted
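As an added example of checking the SNMP countermeasures above (not from the course slides), the Python below audits a Net-SNMP style snmpd.conf: it flags the default community strings, flags any v1/v2c community as a cleartext credential, and checks whether SNMPv3 users are required to use authentication and privacy. The directives `rocommunity`, `rwcommunity`, `rouser`, `rwuser` and `createUser` are real Net-SNMP syntax; the configuration text, user names and passphrases are constructed for the example.

```python
# Added example (not from the course slides): audit a Net-SNMP style snmpd.conf
# against the countermeasures above. It flags default community strings
# ("public"/"private"), flags any v1/v2c community as a cleartext credential,
# and reports whether SNMPv3 users require authentication and privacy.
# The configuration text below is constructed for this example.

DEFAULT_COMMUNITIES = {"public", "private"}

SAMPLE_CONF = """\
# constructed snmpd.conf for the audit example
rocommunity public
rwcommunity private 10.0.0.0/8
rouser monitor priv
rwuser legacyadmin noauth
createUser monitor SHA "constructed-auth-pass" AES "constructed-priv-pass"
"""


def audit_snmpd(conf_text: str):
    """Return (findings, v3_users); each finding is (severity, line number, message)."""
    findings, v3_users = [], {}
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        tokens = line.split()
        directive, args = tokens[0].lower(), tokens[1:]
        if directive in ("rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6") and args:
            community = args[0]
            access = "read/write" if directive.startswith("rw") else "read-only"
            scope = args[1] if len(args) > 1 else "any source address"
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append(("HIGH", lineno, f"default {access} community '{community}' ({scope})"))
            else:
                findings.append(("MEDIUM", lineno, f"cleartext v1/v2c {access} community ({scope}); prefer SNMPv3"))
        elif directive in ("rouser", "rwuser") and args:
            level = args[1].lower() if len(args) > 1 else "auth"   # Net-SNMP default level
            v3_users[args[0]] = level
            if level != "priv":
                findings.append(("MEDIUM", lineno, f"SNMPv3 user '{args[0]}' at level '{level}', not priv"))
    return findings, v3_users


def worst_severity(findings) -> str:
    order = {"HIGH": 2, "MEDIUM": 1}
    return max((f[0] for f in findings), key=order.get, default="NONE")
```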

Page 52: DNS Enumeration Countermeasures
• Domain Name System (DNS)
  • Disable DNS zone transfers to untrusted hosts
  • Make certain private hosts and IP addresses are not published in the DNS zone files of public DNS servers
  • Use premium DNS registration services that hide sensitive information from the public (example: HINFO)
  • Use standard network admin contacts for DNS registrations in order to avoid social engineering attacks

Page 53: SMTP and LDAP Enumeration Countermeasures
• Simple Mail Transfer Protocol (SMTP)
  • Configure SMTP to
    • Ignore email messages to unknown recipients
    • Not include sensitive mail server and local host information in mail responses
    • Disable the open relay feature
• Lightweight Directory Access Protocol (LDAP)
  • Configure LDAP to
    • Use SSL technology to encrypt the traffic
    • Select a user name different from your email address and enable account lockout

Page 54: SMB Enumeration Countermeasures
• Server Message Block (SMB)
  • Configure SMB
    • Disable the SMB protocol on Web and DNS servers
    • Disable the SMB protocol on Internet-facing servers
    • Disable ports TCP 139 and TCP 445 used by SMB
    • Restrict anonymous access through the RestrictNullSessAccess parameter in the Windows Registry


Page 56: 4.9 Enumeration Penetration Testing

Page 57: Enumeration Penetration Testing
• Used to identify valid user accounts or badly protected resource shares using active connections to systems and directed queries
• Information can be users and groups, network resources and shares, and applications
• Used in combination with data collected in the reconnaissance phase

Page 58: Penetration Testing Steps
• Identify the network range
  • Use WhoIs Lookup to enumerate important servers
• Calculate the subnet mask
  • Use subnet mask calculators for input into ping sweep and port scanning tools
• Undergo host discovery
  • Use Nmap to find servers connected to the Internet
• Perform port scanning
  • Use Nmap and other tools to perform port scanning to check for open ports

Page 59: Penetration Testing Steps (cont'd)
• Perform NetBIOS enumeration
  • Use SuperScan, Hyena, Winfingerprint, etc.
• Perform SNMP enumeration
  • Use OpUtils Network Monitoring Toolset, Engineer's Toolset, etc.
• Perform LDAP enumeration
  • Use Softerra LDAP Administrator and similar tools
• Perform NTP enumeration
  • Use ntptrace, ntpdc, ntpq, and similar tools
• Perform SMTP enumeration
  • Use NetScanTools Pro and similar tools

Page 60: Penetration Testing Steps (cont'd)
• Perform DNS enumeration
  • Use the Windows utility NSLookup
• Document all findings

Page 61: Enumeration Review
• Enumeration seeks to discover additional target information
• A number of protocols can be used for enumeration:
  • NetBIOS
  • DNS
  • SNMP
  • SMTP
  • LDAP
• Information returned depends on the service:
  • Users
  • Groups
  • Installed applications
  • Interface and component statistics
  • OS information
  • Policies

Page 62: Lab 4: Enumeration