MOD4: Enumeration

Question 1

What is enumeration?

Answer 1

Enumeration involves an attacker creating ACTIVE CONNECTIONS with a target system and performing queries to gain more info about the target.

Question 2

Enumeration techniques are conducted in an intranet environment.
True/False.

Answer 2

True.

Question 3

Why type of information would attackers extract from enumeration?

Answer 3

• identify points for a system attack and perform password attacks to gain unauthorized access to information system resources.

ex. 
network resources
routing tables
machine names
users and groups
applications and banners

Question 4

What are some techniques for enumeration?

Answer 4

• extract usernames using email IDs
• brute force AD
• extract user groups from windows
• extract info using default passwords
• extract info using DNS Zone transfer
• extract usernames using SNMP

Question 5

What port does this service run on:

DNS Zone Transfer

Answer 5

TCP/UDP 53

Question 6

What port does this service run on:

NetBIOS Name Service (NBNS)

Answer 6

UDP 137

Question 7

What port does this service run on:

SNMP (Simple Network Management Protocol)

Answer 7

UDP 161

Question 8

What port does this service run on:

LDAP (Lightweight Directory Access Protocol)

Answer 8

LDAP uses TCP/UDP 389
Secure LDAP uses port 636

FYI-> LDAP = domain controllers!

Question 9

What port does this service run on:

NFS (Network File System)

Answer 9

TCP 2049

Question 10

What port does this service run on:

SMTP (Simple Mail Transfer Protocol)

Answer 10

TCP 25

Question 11

What port does this service run on:

SSH (Secure Shell)

Answer 11

TCP 22

Question 12

What port does this service run on:

Internet Key Exchange (IKE)

Answer 12

UDP 500

Most likely VPN endpoints!

Question 13

Attackers use the NetBIOS enumeration to obtain:

a) list of computers belonging to a domain
b) list of shares on the individual hosts in the network
c) policies and passwords
d) all of the above

Answer 13

d) all of the above

Question 14

NetBIOS name is a unique 16 ASCII character string to identify the network devices over TCP/IP. 15 characters are used for the device name, and the 16th character is reserved for the service or name record type.
True/False.

Answer 14

TRUE.

Question 15

NetBIOS name resolution is not supported by Microsoft for IPv6.
True / False.

Answer 15

True.

Question 16

Using the PsTools suite, what information can be retrieved when using ‘psgetsid’?

Answer 16

If you use ‘psgetsid s-1-5-21-_____-______-_____- _____ (The next 3 are unique to the system. After that, you’ll either get either of the follow for the 4th set.
500 - which means administrator
501- which means guest
1000 or up - which are accounts added to OS after installation

ex.
psgetsid S-1-5-21-_____-_____-_____-500

Question 17

Using the PsTools suite, what information can be retrieved when using ‘psloggedon’?

Answer 17

Will show you who’s logged on locally.

Question 18

SNMP (Simple Network Management Protocol) enumeration is the process of enumerating user accounts and devices on a target system using SNMP.
True/False.

Answer 18

True.

Question 19

SNMP consists of a manager and an agent. What do each of them do?

Answer 19

Agents are embedded on every network device, and the manager is installed on a separate computer.

Question 20

SNMP holds 2 passwords to access and configure the SNMP agent from the management station. What are they?

Answer 20

1) Read community string (this is public by default - it allows for viewing of device/system configuration)
2) Read/write community string (this is private by default - it allows remote editing of configuration)

Question 21

SNMP: What type of information can attackers extract from SNMP?

Answer 21

Attackers use the default community strings to extract information about a device.
Attackers enumerate SNMP to extract info about:
- network resources (such as hosts, routers, devices and shares)
- network info (such as ARP tables, routing tables and traffic)

Question 22

What is LDAP ?

Answer 22

LDAP (Lightweight Directory Access Protocol) is an Internet protocol for accessing distributed directory services.
Directory services may provide any organized set of records, often in hierarchical and logical structure (such as corporate email directory).

Question 23

What is NTP?

Answer 23

NTP (Network Time Protocol) is designed to synchronize the clocks of networked computers.
It uses UDP port 123 as the primary means of communication.

Question 24

What type of information can attackers gather from a NTP server query?

Answer 24

• list of connected hosts
• clients IP addresses in a network, their system names and OSs
• Internal IPs (if the NTP server is in the DMZ)

Question 25

What is NFS?

Answer 25

NFS (Network File System) is generally implemented on the computer network, where the centralization of data is required for critical resources.
FYI - NFS enumeration allows attackers to identify exported directories, list of clients connected to the NFS server along with their IP addresses and the shared data associated with the IP address.

Question 26

What is SMTP?

Answer 26

Simple Mail Transfer Protocol.
(It’s used for sending emails).
Attackers can directly interact with SMTP via the TELNET prompt and collect a list of valid users on the SMTP server.

Question 27

What tool can be used for attackers to perform DNS zone transfers?

Answer 27

nslookup
DNSRecon
dig

Question 28

What can attackers leverage from a DNS server that allows zone transfers?

Answer 28

To obtain DNS server names, hostnames, machine names, usernames, IP addresses, aliases, etc assigned within a target domain.

Question 29

What is DNSSEC zone walking?

Answer 29

A technique where an attacker attempts to obtain internal records of the DNS server if the DNS zone in not properly configured.
Can use DNSRecon for this.

Question 30

Public and Private records should never co-exist in DNS.

True / False.

Answer 30

True.

Two separate zone files, separated by a firewall or use split DNS.

Question 31

What is IPsec used for?

Answer 31

To authenticate OR to authenticate and encrypt data.

So when you identify an IPsec listener, you’re looking for UDP port 500 which is the internet key exchange.

Question 32

Which protocol does VoIP use?

Answer 32

VoIP uses Session Initiation Protocol (SIP) protocol to enable voice and video calls over an IP network.
SIP service generally uses UDP/TCP ports 2000,2001,5050, and 5061.

Question 33

What is RPC?

Answer 33

Remote Procedure Call (RPC) allows clients and servers to communicate in distributed client/server programs.
Enumerating RPC endpoints enables Attackers to identify any vulnerable services on these ports.

Question 34

What is TELNET?

Answer 34

Old school clear text remote admin port. If found, attackers can authenticate to the system, and find out hardware and software info of the target.

Question 35

What is FTP?

Answer 35

File Transfer Protocol.
FTP transfers data in plain text between the sender and the receiver, which can lead to critical information, such as usernames and passwords being leaked.
Attackers can use NMAP to scan and enumerate on PORT 21 by running FTP services.

Question 36

What is BGP?

Answer 36

Border Gateway Protocol.
It is a routing protocol used to exchange routing and reachability info between different autonomous systems present on the internet.
Enumerating on BGP allows attackers to discover IPv4 prefixes.

Question 37

What protocol is used to poison routing tables?

Answer 37

BGP (Border Gateway Protocol)

Question 38

What is the latest version of SNMP?

Answer 38

SNMP3 - it encrypts passwords and messages

Question 39

By default, LDAP traffic is transmitted securely.

True / False.

Answer 39

False.

By default, LDAP traffic is transmitted UNSECURED. Use SSL to encrypt the traffic.

Question 40

What port is used by SMB?

Answer 40

ports TCP 139 and 445 are used by SMB protocol.

FYI - SMB = Server Message Block

Question 41

What port is used by NFS?

Answer 41

PORT 2049

FYI - NFS (Network File System)