Enumeration

Question 1

Enumeration extracted information such as:

Answer 1

• network shares
• network resources
• routing tables
• audit and service settings
• SNMP & DNS details
• Machine names
• Users & groups ( and user last log in)
• Application and banners

Question 2

Enumeration techniques are conducted in what type of environment?

Answer 2

intranet

Question 3

What is enumeration?

Answer 3

The attacker creates an active connection to a vulnerable system and performs direct queries to gain info about the target

Attacker then uses the info to 1- identify system attack points and 2- perform password attacks, to gain unauthorized acess

Question 4

list some services and ports to enumerate

Answer 4

TCP port 25: SMTP
TCP port 53: DNS transfer zone 
TCP port 21: FTP
TCP port 23: telenet 
TCP 135 : used by email client to connect to email services (RPC) Remote Procedure Call 
TCP 138: NetBIOS datagram service 
TCP 137: NetBIOS name service 
TCP 139: NetBIOS session service
TCP/UDP 445 SMB (service message block )
UDP 161: SNMP network mangment protocol

Question 5

What is SMB protocol?

Answer 5

SIMPLE MESSAGE BLOCK is a microsoft application layer protocol for file and print sharing functions for LAN manger

Question 6

What is NBSS (NetBIOS session service)?

Answer 6

is a method to connect two computers for transmitting large messages ( located in session layer)

Question 7

what is NetBIOS?

Answer 7

is a program that allows applications on a different computers to communicate within a LAN

Question 8

explian what is NetBIOS name and what it is consists of?

Answer 8

is a unique 16 ASCII character string used to identify the network devices
first 15 char: device name
the 16th char: service type

Question 9

Attackers use NetBIOS ro obtain what info?

Answer 9

• list of computers that belong to a domain
• list of shares on the individual hosts (in the network)
• polices and passwords

Question 10

what is RPC? and what port?

Answer 10

Remote procedure call an interprocess communication mechanism allows a program running on one host to run code on a remote host. uses port 135 tcp

Question 11

What commands can be used for NetBIOS emmunartion?. mention for win and linux

Answer 11

Windows:
nbtstat -a [ip]
Linux:
nbtscan [ip]

or
nmblookup -A

Question 12

what happens when you use firweall rules for port 137?

Answer 12

when you use nbtstat or nbtscan it will show that the hst is not uo ( it has been blocked by the firewall)

Question 13

what is a NULL session attack?

Answer 13

uses vulnerblity in SMB for creating connection, by default they areenabled in windows 2000 and windows NT

Question 14

why is a null session attack possible?

Answer 14

because it uses SMB that has trust for any kind of relationship between devices in a network

Question 15

what command to establish null session? in win and Linux

Answer 15

windows: net

net use \[ip]\IPC$ “ “ /u:” “

Linux: smbclient

smbclient -L [ip]

Question 16

what command used to show ip adress and shares on remote system & to list

Answer 16

net view \[ip]

Question 17

what command used to eumnertate SMB shares on both win & linux ?

Answer 17

enum4linux -a

use -a option to get all oinfo

Question 18

what is the command used for DNS enumeration? (not nmap)

Answer 18

host -t ns [ip]
for name server records
host -t mx
for mail exchange brecords (email servers)
host -t a
a records that tranlate human to ip in IPv4
host -t aaa
same as a records but for IPv6
host -t soa
start of authority that contains 1- primary DNS name 2- serial number and if the serial no for primery is higher than secondary a zone tranfer will be instiated

Question 19

what is the nmap command used for DNS enumartion

Answer 19

nmap T4 -p 53 –script dns-brute [target]

Question 20

In SNMP, the default community string for read-only is____ and the default community string for read-write is ____

Answer 20

public,private

Question 21

what command is used in SNMP to query network device for tree of information? and what command query info in human friendly format?

Answer 21

snmpwalk, snmp-check

Question 22

what command to uses to manilpate snmp info?

Answer 22

snmpset

Question 23

what are the two types of community strings?

Answer 23

1- read only
allow to query network devices and read information. no modfication allowed
2-read write
changes to device are allowed

Question 24

a virtual database contains a formal description of all network objects that can be managed using SNMP is caleed___

Answer 24

Management Information base (MIB), it is hierarchal and each managed object is addressed through object identifiers (OID)

Question 25

what is LDAP?

Answer 25

Lightweight Directory Acess Protocol is for acessing and maintaing dirubted directory information sercvies in a heirarlical and logial structure.

LDAP provides a central place to store usernames and passord so apps and services uses it to identify users

Question 26

What command is used for LDAP?

Answer 26

enum4linux -U -O 
-U to get userlist 
-M to get machine list 
-s to get sharelist 
-G to get group and member list 
-P passord policy info
see slide 61 for more