4 - Enumeration Flashcards

1
Q

What is Enumeration?

A

Enumeration is the process of extracting user names, machine names, network resources, shares, and services from a system or network.

2
Q

What are some Enumeration techniques?

A
  • Extract user names using email IDs
    • Every email address contains 2 parts: the user name and the domain name.
  • Extract info using default passwords
    • Default manufacturer passwords can be found on the web.
    • Some users won't change them upon setup.
  • Brute force AD
    • AD is susceptible to username enumeration at the time of user-supplied input verification.
  • Extract info using DNS Zone Transfer
    • A DNS zone transfer is used to replicate zone data across DNS servers.
    • In this process, all the data is put into an ASCII file.
    • This could be an effective method to extract data.
  • Extract user groups from Windows
    • To extract user groups, an attacker should have a registered ID as a user in AD.
  • Extract user names using SNMP
    • An attacker can easily guess read-only or read-write community strings and use the SNMP API to extract user names.
3
Q

What are some services and ports to enumerate?

A
  • TCP/UDP 53:
    • DNS Zone Transfer
  • TCP/UDP 135:
    • MS RPC Endpoint Mapper
  • UDP 137:
    • NetBIOS Name Service (NBNS)
  • TCP 139:
    • NetBIOS Session Service (SMB over NetBIOS)
    • This port is used to transfer files over a network.
  • TCP/UDP 445:
    • SMB over TCP (Direct Host)
  • UDP 161:
    • SNMP
  • TCP/UDP 389:
    • LDAP
  • TCP/UDP 3268:
    • Global Catalog Service
  • TCP 25:
    • Simple Mail Transfer Protocol (SMTP)
  • TCP/UDP 162:
    • SNMP Trap
  • UDP 500:
    • ISAKMP/Internet Key Exchange (IKE)
  • TCP/UDP 5060, 5061:
    • Session Initiation Protocol (SIP)
4
Q

What is NetBIOS Enumeration?

A
  • A NetBIOS name is a unique 16-character ASCII string used to identify network devices over TCP/IP
    • 15 characters are used for the device name
    • The 16th character is reserved for the service or name record type
5
Q

How can an attacker Enumerate User Accounts using NetBIOS?

A
  • Using the PsTools suite to control and manage remote systems from the command line.
  • Commands:
    • PsExec:
      • Execute processes remotely
    • PsFile:
      • Shows files opened remotely
    • PsGetSid:
      • Display the SID of a computer or user
    • PsKill:
      • Kill processes by name or process ID
    • PsInfo:
      • List info about a system
    • PsList:
      • List detailed information about processes
    • PsLoggedOn:
      • See who's logged on locally and via resource sharing
    • PsLogList:
      • Dump event log records
    • PsPasswd:
      • Changes account passwords
    • PsShutdown:
      • Shuts down and optionally reboots a computer
6
Q

What is SNMP Enumeration?

A
  • A process of enumerating user accounts and devices on a target system using SNMP.
  • SNMP consists of a manager and agent(s)
    • Agents are embedded on every network device
    • The manager is installed on a separate computer
7
Q

What is Management Information Base (MIB) in SNMP?

A
  • A virtual database containing a formal description of all the network objects that can be managed using SNMP
  • It is hierarchical, and each object is addressed through an Object Identifier (OID)
  • There are 2 types of objects:
    • Scalar objects
      • Define a single object instance
    • Tabular objects
      • Define multiple related instances, grouped in MIB tables
8
Q

What is LDAP Enumeration?

A
  • LDAP is an internet protocol for accessing distributed directory services.
  • Directory services may provide any organized set of records, often in a hierarchical and logical structure.
  • An attacker queries the LDAP service to gather info such as user names, addresses, department details, etc.
9
Q

What is NTP Enumeration?

A
  • Network Time Protocol is designed to synchronize the clocks of networked computers
  • Attackers query the NTP server to gather valuable info such as:
    • List of hosts connected to the NTP server
    • Client IP addresses and OSs
    • Internal IPs can also be obtained if the server is in the DMZ
10
Q

How can SMTP be used for enumeration?

A
  • SMTP (Simple Mail Transfer Protocol) is used for mail
  • SMTP provides 3 built-in commands:
    • VRFY
      • Validates users
    • EXPN
      • Tells the actual delivery addresses of aliases and mailing lists
    • RCPT TO
      • Defines the recipients of the message
11
Q

How can DNS be used for enumeration?

A
  • An attacker can gather info such as:
    • DNS server names
    • Host names
    • Machine names
    • Usernames
    • IP addresses
12
Q

What is IPsec Enumeration?

A

A scan for ISAKMP at UDP port 500 can indicate the presence of a VPN gateway.

13
Q

What is VoIP Enumeration?

A
  • VoIP uses SIP (Session Initiation Protocol) to enable voice and video calls over an IP network
  • VoIP enumeration can provide:
    • Gateway servers
    • IP-PBX systems
    • Client software
14
Q

What is RPC Enumeration?

A
  • Remote Procedure Call allows client and server to communicate in distributed client/server programs
  • Enumerating RPC endpoints enables attackers to identify vulnerable services
15
Q

What is Unix/Linux Enumeration?

A
  • Provides a list of users along with details like user name, hostname, start date and time of each session, etc.
  • Commands:
    • rusers
      • Displays a list of users who are logged onto remote machines or machines on the local network
    • rwho
      • Displays a list of users who are logged into machines on the local network
    • finger
      • Displays info about system users such as login name, real name, terminal name, idle time, and login time
16
Q

What are some Enumeration countermeasures?

A
  • SNMP:
    • Remove the agent
    • Change default community string names
    • Upgrade to SNMPv3
    • Apply additional restrictions for anonymous connections via Group Policy (GP)
  • DNS:
    • Disable DNS zone transfers to untrusted hosts
    • Make sure private hosts/IPs are not published in zone transfers
    • Use premium DNS services that hide sensitive info
  • SMTP:
    • Ignore email messages to unknown recipients
    • Do not include sensitive mail server and host info in mail responses
    • Disable the open relay feature
    • Limit the number of accepted connections
  • LDAP:
    • Use SSL or STARTTLS to encrypt traffic
    • Select a user name different from your email address and enable account lockout
  • SMB (Server Message Block):
    • Provides shared access to files, etc.
    • Disable the SMB protocol on Web and DNS servers and Internet-facing servers
    • Disable ports TCP 139 and TCP 445
    • Restrict anonymous access
17
Q

What is NFS enumeration?

A

NFS is a type of file system that enables users to access, view, store, and update files on a remote server. NFS enumeration enables attackers to identify exported directories, the list of clients connected to the NFS server along with their IP addresses, and the shared data associated with those IP addresses.

  • Tools: RPCScan, SuperEnum
18
Q

What is DNS Cache Snooping?

A

A DNS enumeration technique whereby an attacker queries the DNS server for a specific cached DNS record. The attacker can determine the sites recently visited by the user.

  • Non-Recursive: Send a non-recursive query by setting the Recursion Desired (RD) bit in the query header to zero
  • Recursive: Attackers send a recursive query to determine the time the DNS record resides in the cache.
19
Q

What is DNSSEC Zone Walking?

A

A DNS enumeration technique where an attacker attempts to obtain internal records of the DNS server if the DNS zone is not properly configured. The info can assist the attacker in building a host network map.

20
Q

What is Telnet and SMB enumeration?

A
  • If Telnet is found open, attackers can access shared information such as hardware and software details
  • SMB enumeration helps attackers perform OS banner grabbing on the target
21
Q

What is FTP and TFTP Enumeration?

A
  • FTP transfers data in plain text between the sender and receiver
  • TFTP can be used to extract files stored on the remote server.
22
Q

What is BGP (Border Gateway Protocol) Enumeration?

A

Can be used to discover the IPv4 prefixes announced by the AS number and the routing path followed by the target.