Chapter 3 - Scanning and Enumeration (Enumeration) Flashcards
Define enumeration
listing the items we find within a specific target
In enumeration we move to a more active state and are finding things like open shares and user account information
Windows security terms
Security Identifier (SID)
Resource Identifier (RID)
SID - identifies user, group, and computer accounts and follows a specific format
RID - a portion of the SID. Starts at 500 for the admin account. Guest is 501. All users created for the system start at 1000 and increment
Linux uses UID and GID in a similar way. Viewable in the /etc/passwd file
SID Format
S-<revision number>-<authority value>-<domain or computer indicator>-<RID>
This SID shows an admin account because the RID is 500:
S-1-5-21-3874928736-367528774-1298337465-500
If the RID was -1014 we know it’s for the 14th user account created
Location of Windows password database
c:\windows\system32\config\SAM
SAM database holds all local passwords
Linux enumeration commands
finger
rpcinfo
rpcclient
showmount
finger - provides info on user and host machine
rpcinfo and rpcclient - provide info on RPC environment
showmount - displays all shared directories
Define Banner Grabbing
sending an unsolicited request to an open port to see what, if any, default message (banner) is returned. This can indicate a potential vulnerability
Telnet is a common tool for this
ECC defines 2 types of banner grabbing
active
passive
Active - sending specially crafted packets to systems and comparing responses to determine the OS
Passive - reading error messages, sniffing network traffic or looking at page extensions
NetBIOS Enumeration commands
nbtstat
nbtstat -n
nbtstat -A
nbtstat -c
nbtstat
shows list of switches to use for command
nbtstat -n
shows your local NetBIOS name table
nbtstat -A ipaddress
shows a remote system's NetBIOS name table
nbtstat -c
shows the NetBIOS name cache
NetBIOS Codes, Type, Meaning
1B 1C 1D 00 03 20
<1B> UNIQUE - Domain master browser
<1C> UNIQUE - Domain controller
<1D> GROUP - Master browser for the subnet
<00> UNIQUE - Hostname
<00> GROUP - Domain name
<03> UNIQUE - Service running on the system
<20> UNIQUE - Server service running
SNMP Enumeration Terms
Manager
Agents
MIB
OID
Manager makes requests of SNMP agents that call for specific information about a device
Agents look at the MIB on the device and respond to requests
MIB (Management Information Base) holds a variety of info about the device
OIDs are Object Identifiers that are numeric IDs in the MIB
SNMP Enumeration Terms
Scalar managed object
Tabular managed object
Community string
Scalar - single object
Tabular - multiple related objects that can be grouped together in MIB tables
Community string - a form of password. Can be read-only or read-write (SNMP GET or SNMP SET)
SNMP Community String security details
SNMP v1 sends string in clear text
SNMP v3 encrypts them
SNMP Enumeration Tools
Engineer's Toolset (SolarWinds)
SNMP Scanner (secure-bytes.com)
OpUtils 5 (manageengine.com)
SNScan
LDAP Enumeration Terms
Port and Protocol
DSA
BER
Lightweight Directory Access Protocol is designed to be queried
Uses TCP 389
The client connects to the Directory System Agent (DSA)
The DSA returns an answer encoded using Basic Encoding Rules (BER)
NTP Enumeration
Port and Protocol
UDP 123
Querying an NTP server can provide info about the list of systems connected to it, and possibly the IP addresses of internal systems (if it is an internal NTP server)
Nmap and Wireshark can be used to query NTP servers. Atomsync and NTP Server Scanner are also available