MOD4: Enumeration Flashcards
What is enumeration?
Enumeration involves an attacker creating ACTIVE CONNECTIONS with a target system and performing queries to gain more info about the target.
Enumeration techniques are conducted in an intranet environment.
True/False.
True.
What type of information would attackers extract from enumeration?
- identify points for a system attack and perform password attacks to gain unauthorized access to information system resources.
ex. network resources, routing tables, machine names, users and groups, applications and banners
What are some techniques for enumeration?
- extract usernames using email IDs
- brute-force AD
- extract user groups from Windows
- extract info using default passwords
- extract info using DNS Zone transfer
- extract usernames using SNMP
What port does this service run on:
DNS Zone Transfer
TCP/UDP 53
What port does this service run on:
NetBIOS Name Service (NBNS)
UDP 137
What port does this service run on:
SNMP (Simple Network Management Protocol)
UDP 161
What port does this service run on:
LDAP (Lightweight Directory Access Protocol)
LDAP uses TCP/UDP 389
Secure LDAP uses port 636
FYI-> LDAP = domain controllers!
What port does this service run on:
NFS (Network File System)
TCP 2049
What port does this service run on:
SMTP (Simple Mail Transfer Protocol)
TCP 25
What port does this service run on:
SSH (Secure Shell)
TCP 22
What port does this service run on:
Internet Key Exchange (IKE)
UDP 500
Most likely VPN endpoints!
Attackers use the NetBIOS enumeration to obtain:
a) list of computers belonging to a domain
b) list of shares on the individual hosts in the network
c) policies and passwords
d) all of the above
d) all of the above
NetBIOS name is a unique 16 ASCII character string to identify the network devices over TCP/IP. 15 characters are used for the device name, and the 16th character is reserved for the service or name record type.
True/False.
TRUE.
NetBIOS name resolution is not supported by Microsoft for IPv6.
True / False.
True.
Using the PsTools suite, what information can be retrieved when using ‘psgetsid’?
If you use ‘psgetsid’ you get the SID, in the form s-1-5-21-_____-______-_____-_____. The next 3 sets are unique to the system. After that, you’ll get one of the following for the 4th set:
500 - which means administrator
501 - which means guest
1000 or up - which are accounts added to OS after installation
ex.
psgetsid S-1-5-21-_____-_____-_____-500
Using the PsTools suite, what information can be retrieved when using ‘psloggedon’?
Will show you who’s logged on locally.
SNMP (Simple Network Management Protocol) enumeration is the process of enumerating user accounts and devices on a target system using SNMP.
True/False.
True.
SNMP consists of a manager and an agent. What does each of them do?
Agents are embedded on every network device, and the manager is installed on a separate computer.
SNMP holds 2 passwords to access and configure the SNMP agent from the management station. What are they?
1) Read community string (this is public by default - it allows for viewing of device/system configuration)
2) Read/write community string (this is private by default - it allows remote editing of configuration)
SNMP: What type of information can attackers extract from SNMP?
Attackers use the default community strings to extract information about a device.
Attackers enumerate SNMP to extract info about:
- network resources (such as hosts, routers, devices and shares)
- network info (such as ARP tables, routing tables and traffic)
What is LDAP?
LDAP (Lightweight Directory Access Protocol) is an Internet protocol for accessing distributed directory services.
Directory services may provide any organized set of records, often in a hierarchical and logical structure (such as a corporate email directory).
What is NTP?
NTP (Network Time Protocol) is designed to synchronize the clocks of networked computers.
It uses UDP port 123 as the primary means of communication.
What type of information can attackers gather from an NTP server query?
- list of connected hosts
- client IP addresses in a network, their system names and OSs
- Internal IPs (if the NTP server is in the DMZ)