4 - Enumeration Flashcards
What is Enumeration?
Enumeration is the process of extracting user names, machine names, network resources, shares, and services from a system or network.
What are some Enumeration techniques?
- Extract user names using email IDs
  - Every email address has two parts: the user name and the domain name, so a harvested address list doubles as a list of candidate user names.
- Extract info using default passwords
  - Default manufacturer passwords for devices and appliances are documented on the web.
  - Some users never change them after setup.
- Brute-force AD
  - AD is susceptible to user name enumeration when it validates user-supplied input: the response to a logon attempt with a valid user name and wrong password differs from the response for a user name that does not exist, so an attacker can confirm a list of user names before ever guessing a password.
- Extract info using DNS zone transfer
  - A DNS zone transfer replicates zone data between DNS servers.
  - In this process the whole zone (every record) is sent as plain text.
  - A server that answers transfer requests from any client hands over the full host list, which makes this an effective way to extract data.
- Extract user groups from Windows
  - To extract user groups, the attacker needs a valid account registered in AD (domain credentials).
- Extract user names using SNMP
  - Attackers can easily guess the read-only or read-write community string (defaults such as "public" and "private" are common) and then use SNMP queries to extract user names and other device data.
What are some services and ports to enumerate?
- TCP/UDP 53: DNS (zone transfers run over TCP)
- TCP 135 (also UDP 135): Microsoft RPC Endpoint Mapper
- UDP 137: NetBIOS Name Service (NBNS)
- TCP 139: NetBIOS Session Service (SMB over NetBIOS); used for file and printer sharing over a network
- TCP 445: SMB over TCP (Direct Host, no NetBIOS layer)
- UDP 161: SNMP (manager-to-agent queries)
- UDP 162: SNMP traps (agent-to-manager notifications)
- TCP/UDP 389: LDAP
- TCP 3268: Global Catalog Service (LDAP queries against the AD global catalog)
- TCP 25: Simple Mail Transfer Protocol (SMTP)
- UDP 500: ISAKMP/Internet Key Exchange (IKE)
- TCP/UDP 5060: Session Initiation Protocol (SIP); TCP 5061: SIP over TLS
What is NetBIOS Enumeration?
- A NetBIOS name is a 16-byte ASCII string that identifies a host or service on a TCP/IP network (NetBIOS over TCP/IP).
- The first 15 bytes hold the device name, padded with spaces.
- The 16th byte is reserved for the service or name record type (the "suffix"), e.g. 0x00 workstation service, 0x20 file server service, 0x1C domain controllers.
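As an added example (not part of the original flashcards), the Python below shows the 15 + 1 byte layout in practice: it applies the NBNS "first-level" encoding that turns a 16-byte name into the 32-character form carried on the wire, builds the node status (NBSTAT) query that nbtstat -A sends to UDP 137, and parses the name table an answering host returns. The host names FILESRV and CORP and the sample response data are constructed for the demo.

```python
import struct

# Suffix byte (16th character) values commonly seen in NetBIOS name tables.
SUFFIXES = {
    0x00: "Workstation Service / Domain Name (group)",
    0x03: "Messenger Service",
    0x1B: "Domain Master Browser",
    0x1C: "Domain Controllers (group)",
    0x1D: "Master Browser",
    0x1E: "Browser Service Elections (group)",
    0x20: "File Server Service",
}


def encode_netbios_name(name, suffix, pad=b" "):
    """First-level encoding: pad the name to 15 bytes, append the suffix byte,
    then split every byte into two nibbles and add 'A' (0x41) to each -> 32 chars."""
    raw = name.upper().encode("ascii").ljust(15, pad)[:15] + bytes([suffix])
    out = bytearray()
    for b in raw:
        out.append(0x41 + (b >> 4))
        out.append(0x41 + (b & 0x0F))
    return out.decode("ascii")


def decode_netbios_name(encoded):
    """Reverse the first-level encoding; returns (name, suffix)."""
    e = encoded.encode("ascii")
    if len(e) != 32:
        raise ValueError("encoded NetBIOS name must be 32 characters")
    data = bytes(((e[i] - 0x41) << 4) | (e[i + 1] - 0x41) for i in range(0, 32, 2))
    return data[:15].rstrip(b" \x00").decode("ascii"), data[15]


def build_nbstat_query(txid=0x1234):
    """Node Status Request for the wildcard name '*' (question type NBSTAT = 0x21),
    the 50-byte datagram nbtstat -A sends to UDP 137 to dump a host's name table.
    The wildcard name is padded with NUL bytes, not spaces."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)   # 1 question, flags 0
    qname = b"\x20" + encode_netbios_name("*", 0x00, pad=b"\x00").encode("ascii") + b"\x00"
    return header + qname + struct.pack(">HH", 0x0021, 0x0001)  # NBSTAT, class IN


def parse_node_status_names(rdata):
    """Parse the RDATA of a Node Status Response: a count byte, then 18-byte entries
    of 15-byte name + suffix + 16-bit flags (bit 15 set = group name)."""
    entries = []
    for i in range(rdata[0]):
        off = 1 + i * 18
        suffix = rdata[off + 15]
        flags = struct.unpack(">H", rdata[off + 16:off + 18])[0]
        entries.append({
            "name": rdata[off:off + 15].rstrip(b" ").decode("ascii", errors="replace"),
            "suffix": suffix,
            "service": SUFFIXES.get(suffix, "unknown"),
            "group": bool(flags & 0x8000),
        })
    return entries


# Constructed RDATA (assumption): what a file server named FILESRV in domain CORP
# might return. 0x0400 = unique/active name, 0x8400 = group/active name.
SAMPLE_RDATA = bytes([3]) + b"".join(
    name.ljust(15).encode() + bytes([suffix]) + struct.pack(">H", flags)
    for name, suffix, flags in [("FILESRV", 0x00, 0x0400),
                                ("FILESRV", 0x20, 0x0400),
                                ("CORP", 0x00, 0x8400)]
)

if __name__ == "__main__":
    print(encode_netbios_name("FILESRV", 0x20))
    print(build_nbstat_query().hex())
    for entry in parse_node_status_names(SAMPLE_RDATA):
        print(entry)
```

Reading the parsed table is the enumeration step: a name with suffix 0x20 tells you the host serves files over SMB, a group entry with suffix 0x1C tells you the domain has a domain controller, and the 0x00 group entry gives the domain or workgroup name.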
How can an attacker Enumerate User Accounts using NetBIOS?
- Using nbtstat -A <IP> (Windows) to dump the remote host's NetBIOS name table (names, suffixes, logged-on user, workgroup or domain).
- Using the PsTools suite (Sysinternals) to control and manage remote systems from the command line; these tools need valid administrative credentials on the target.
- Commands:
  - PsExec: execute processes remotely
  - PsFile: show files opened remotely
  - PsGetSid: display the SID of a computer or user
  - PsKill: kill processes by name or process ID
  - PsInfo: list information about a system
  - PsList: list detailed information about processes
  - PsLoggedOn: see who is logged on locally and via resource sharing
  - PsLogList: dump event log records
  - PsPasswd: change account passwords
  - PsShutdown: shut down and optionally reboot a computer
What is SNMP Enumeration?
- A process of enumerating user accounts and devices on a target system using SNMP.
- SNMP consists of a manager and agent(s).
- Agents run on the managed network devices (routers, switches, printers, servers).
- The manager runs on a separate host and polls the agents.
What is Management Information Base (MIB) in SNMP?
- A virtual database containing formal descriptions of all the network objects that can be managed using SNMP.
- It is hierarchical (a tree), and each object is addressed through an Object Identifier (OID), e.g. 1.3.6.1.2.1.1.5 for sysName.
- There are two types of objects:
  - Scalar objects: define a single object instance (addressed with a trailing .0, e.g. sysName.0).
  - Tabular objects: define multiple related object instances, grouped into MIB tables and addressed by an index appended to the column OID.
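The community-string guessing technique above and the MIB/OID addressing in this card come together in the packet format itself, so here is an added Python example (not from the original flashcards) that builds an SNMPv1 GetNext request, parses the agent's GetResponse, and generates one probe per candidate community string. The community value "public", the request IDs, and the sysName reply "fileserver01" are constructed for the demo; the LanManager user-table OID used in the main block is the standard Windows source of user names over SNMP.

```python
"""SNMPv1 GetNext/GetResponse builder and parser for community-string probing."""

GETNEXT, GETRESPONSE = 0xA1, 0xA2


def ber_length(n):
    """BER length: one byte below 128, else 0x80|count followed by the big-endian length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag, body):
    return bytes([tag]) + ber_length(len(body)) + body


def ber_integer(value):
    length = (value.bit_length() + 8) // 8           # always leave room for the sign bit
    return ber_tlv(0x02, value.to_bytes(length, "big", signed=True))


def ber_oid(dotted):
    """OID: first two arcs packed as 40*a+b, remaining arcs base-128 with continuation bits."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return ber_tlv(0x06, bytes(out))


def decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def ber_decode(data, offset=0):
    """Decode one TLV; returns (value, end). Constructed types become (tag, [children])."""
    tag, length, offset = data[offset], data[offset + 1], offset + 2
    if length & 0x80:
        n = length & 0x7F
        length, offset = int.from_bytes(data[offset:offset + n], "big"), offset + n
    body, end = data[offset:offset + length], offset + length
    if tag & 0x20:                                   # SEQUENCE or a context-tagged PDU
        children, pos = [], 0
        while pos < len(body):
            child, pos = ber_decode(body, pos)
            children.append(child)
        return (tag, children), end
    if tag == 0x02:
        return int.from_bytes(body, "big", signed=True), end
    if tag == 0x06:
        return decode_oid(body), end
    if tag == 0x05:
        return None, end
    return body, end                                 # OCTET STRING and anything else: raw bytes


def build_snmpv1(pdu_tag, community, request_id, varbinds):
    """Message = SEQUENCE{version 0, community, PDU{request-id, error-status, error-index,
    SEQUENCE of SEQUENCE{oid, value}}}. The community string is SNMPv1's only authentication."""
    vbl = ber_tlv(0x30, b"".join(ber_tlv(0x30, ber_oid(oid) + val) for oid, val in varbinds))
    pdu = ber_tlv(pdu_tag, ber_integer(request_id) + ber_integer(0) + ber_integer(0) + vbl)
    return ber_tlv(0x30, ber_integer(0) + ber_tlv(0x04, community.encode()) + pdu)


def build_getnext(community, oid, request_id=1):
    return build_snmpv1(GETNEXT, community, request_id, [(oid, b"\x05\x00")])   # value = NULL


def parse_snmp(packet):
    (_, (version, community, pdu)), _ = ber_decode(packet)
    pdu_tag, (request_id, error_status, _error_index, (_, vbl)) = pdu
    return {"version": version, "community": community.decode(errors="replace"),
            "pdu": pdu_tag, "request_id": request_id, "error_status": error_status,
            "varbinds": [(oid, value) for _, (oid, value) in vbl]}


def community_probes(wordlist, oid="1.3.6.1.2.1.1.5.0"):
    """One GetNext per candidate. A v1 agent silently drops requests carrying a wrong
    community, so only a reply (matched on request_id) confirms a guess."""
    return [(rid, word, build_getnext(word, oid, rid)) for rid, word in enumerate(wordlist, 1)]


if __name__ == "__main__":
    # Constructed reply (assumption): an agent with community "public" answering sysName.0.
    reply = build_snmpv1(GETRESPONSE, "public", 1,
                         [("1.3.6.1.2.1.1.5.0", ber_tlv(0x04, b"fileserver01"))])
    print(parse_snmp(reply))
    # Windows LanManager MIB user table (svUserTable) is the usual source of user names.
    print(build_getnext("public", "1.3.6.1.4.1.77.1.2.25").hex())
```

Walking a table (the "tabular object" case) is just repeated GetNext: send the column OID, take the OID the agent returns, send that, and stop when the returned OID leaves the table's prefix. Because a wrong community produces no reply at all, a guesser needs a per-probe timeout and should send each candidate with its own request ID so a late reply can be attributed to the right guess.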
What is LDAP Enumeration?
- LDAP is an Internet protocol for accessing distributed directory services.
- Directory services provide an organized set of records, often in a hierarchical, logical structure.
- An attacker queries the LDAP service (possible with an anonymous bind if the directory permits it) to gather information such as user names, addresses, department details, etc.
What is NTP Enumeration?
- The Network Time Protocol (UDP 123) is designed to synchronize the clocks of networked computers.
- Attackers query an NTP server to gather valuable information such as:
  - The list of hosts that have recently connected to the NTP server (e.g., via the ntpdc monlist query on older servers)
  - Clients' IP addresses and operating systems
  - Internal IP addresses, if the server sits in a DMZ and also serves internal clients
How can SMTP be used for enumeration?
- SMTP (Simple Mail Transfer Protocol, TCP 25) is used to relay mail.
- SMTP provides three built-in commands that can leak whether an account exists:
  - VRFY: asks the server to validate (verify) a user name
  - EXPN: returns the actual delivery addresses behind an alias or mailing list
  - RCPT TO: names a recipient of the message; a server that rejects unknown recipients leaks the same information even when VRFY and EXPN are disabled
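The exchange described above, as an added example that is not part of the original flashcards: a mock MTA (a constructed stand-in for a real server on TCP 25) that answers VRFY, EXPN and RCPT TO the way a permissively configured server does, and a client that uses all three to confirm user names. The user names, aliases and the domain example.test are constructed for the demo.

```python
import socket
import socketserver
import threading

# Constructed mock directory (assumption: not a real mail server's data).
KNOWN_USERS = {"root", "admin", "jsmith"}
ALIASES = {"postmaster": ["root@example.test"],
           "staff": ["jsmith@example.test", "admin@example.test"]}


class MockSMTPHandler(socketserver.StreamRequestHandler):
    """Server side: a minimal MTA that leaks account existence on all three commands."""

    def reply(self, text):
        self.wfile.write((text + "\r\n").encode())

    def handle(self):
        self.reply("220 mail.example.test ESMTP")
        while True:
            line = self.rfile.readline()
            if not line:
                return
            verb, _, arg = line.decode(errors="replace").strip().partition(" ")
            verb = verb.upper()
            if verb in ("HELO", "EHLO", "MAIL", "RSET", "NOOP"):
                self.reply("250 OK")
            elif verb == "VRFY":
                self.reply(f"250 {arg} <{arg}@example.test>" if arg in KNOWN_USERS
                           else "550 5.1.1 User unknown")
            elif verb == "EXPN":
                members = ALIASES.get(arg)
                if not members:
                    self.reply("550 5.1.1 List unknown")
                else:                          # multi-line reply: "250-" on all but the last line
                    for addr in members[:-1]:
                        self.reply(f"250-{addr}")
                    self.reply(f"250 {members[-1]}")
            elif verb == "RCPT":               # arg looks like "TO:<user@domain>"
                local = arg.partition("<")[2].partition(">")[0].partition("@")[0]
                self.reply("250 OK" if local in KNOWN_USERS else "550 5.1.1 Recipient unknown")
            elif verb == "QUIT":
                self.reply("221 Bye")
                return
            else:
                self.reply("502 Command not implemented")


def start_mock_server():
    """Start the mock MTA on an ephemeral loopback port; returns (server, port)."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), MockSMTPHandler)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


class SMTPEnumerator:
    """Client side: probes user names with VRFY, EXPN and RCPT TO."""

    def __init__(self, host, port, timeout=5):
        self.sock = socket.create_connection((host, port), timeout=timeout)
        self.rfile = self.sock.makefile("rb")
        self._read_reply()                         # 220 banner
        self._cmd("HELO enum.example.test")

    def _read_reply(self):
        """Collect a (possibly multi-line) reply; returns (code, [text after the code])."""
        lines = []
        while True:
            raw = self.rfile.readline()
            if not raw:
                raise ConnectionError("server closed the connection")
            line = raw.decode(errors="replace").rstrip("\r\n")
            lines.append(line[4:])
            if len(line) < 4 or line[3] != "-":  # a space after the code ends the reply
                return int(line[:3]), lines

    def _cmd(self, text):
        self.sock.sendall((text + "\r\n").encode())
        return self._read_reply()

    def vrfy(self, user):
        """True = exists, False = unknown, None = 252 (server refuses to say)."""
        code, _ = self._cmd(f"VRFY {user}")
        return {250: True, 252: None}.get(code, False)

    def expn(self, alias):
        code, lines = self._cmd(f"EXPN {alias}")
        return lines if code == 250 else []

    def rcpt_to(self, user, domain="example.test"):
        """Fallback when VRFY/EXPN are disabled; the envelope is reset, never sent."""
        self._cmd("MAIL FROM:<probe@example.test>")
        code, _ = self._cmd(f"RCPT TO:<{user}@{domain}>")
        self._cmd("RSET")
        return code == 250

    def close(self):
        try:
            self._cmd("QUIT")
        finally:
            self.sock.close()


def enumerate_users(host, port, candidates):
    enum = SMTPEnumerator(host, port)
    try:
        return {"vrfy": {u: enum.vrfy(u) for u in candidates},
                "expn": {u: enum.expn(u) for u in candidates},
                "rcpt": {u: enum.rcpt_to(u) for u in candidates}}
    finally:
        enum.close()


if __name__ == "__main__":
    server, port = start_mock_server()
    try:
        print(enumerate_users("127.0.0.1", port, ["root", "jsmith", "nobody", "staff"]))
    finally:
        server.shutdown()
        server.server_close()
```

A hardened MTA answers every VRFY with 252 ("cannot verify, will attempt delivery") and disables EXPN, which is why the client treats 252 as inconclusive and falls back to RCPT TO; only a server that also accepts every RCPT TO (catch-all) closes that channel too.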
How can DNS be used for enumeration?
- An attacker can gather info such as:
- DNS server names
- Host names
- Machine names
- Usernames
- IP addresses
What is IPsec Enumeration?
- A scan for ISAKMP on UDP port 500 can indicate the presence of a VPN gateway; sending an IKE proposal (e.g., with ike-scan) can then reveal the gateway's supported transforms and vendor ID.
What is VoIP Enumeration?
- VoIP uses SIP (Session Initiation Protocol) to set up voice and video calls over an IP network.
- VoIP enumeration can reveal:
  - Gateway servers
  - IP-PBX systems
  - Client software (SIP user agents)
What is RPC Enumeration?
- Remote Procedure Call (RPC) lets clients and servers communicate in distributed client/server programs.
- Enumerating RPC endpoints (e.g., via the endpoint mapper on TCP 135 or the portmapper on port 111) lets attackers identify which services are exposed and potentially vulnerable.
What is Unix/Linux Enumeration?
- These services and commands provide a list of users along with details such as user name, host name, and start date and time of each session.
- Commands:
  - rusers: displays the users logged onto remote machines or machines on the local network (queries the rusersd RPC service)
  - rwho: displays the users logged into machines on the local network (from rwhod broadcasts)
  - finger: displays information about system users such as login name, real name, terminal name, idle time and login time (TCP 79)