Module 04: Enumeration Flashcards

1
Q

What is enumeration?

A

Enumeration is another pre-attack activity that is part of the scanning phase but involves going a bit further and accessing information on the host. It basically just means listing out very specific details.

Enumeration involves creating an active connection with a target system and performing directed queries to gain more information.

Identifying points for system attacks and performing password attacks to gain unauthorized access to a system

2
Q

What are some examples of information gleaned via enumeration?

A
  1. Network Resources: Devices or assets, like printers and servers, available within a network for user access.
  2. Network Shares: Folders or files shared across a network, allowing multiple users to access common data.
  3. Routing Table: A data set that defines the paths network packets take to reach various IP destinations.
  4. Audit and Service Settings: Configuration details of logging and active services that help manage network security and performance.
  5. Machine Names: Identifiers for devices on a network, making it easier to recognize and manage individual machines.
  6. Users and Groups: Accounts and collections of accounts that define access levels and permissions for network resources.
  7. Applications and Banners: Information about software running on networked systems and their versions, often gathered from service responses.
  8. SNMP FQDN Details: Information from SNMP (Simple Network Management Protocol) about fully qualified domain names (FQDN) for devices, aiding in network inventory and management.
3
Q

NetBIOS enumeration

A

A NetBIOS name is a unique 16-character ASCII string - 15 characters for the device and 1 for the service name or record type. It is a user-friendly name that resolves to an address - first an IP address, then a MAC address through ARP. It’s used to identify network devices over TCP/IP.

Attackers use NetBIOS to obtain:
1. List of computers that belong to a domain
2. List of shares on the individual hosts on the network.
3. Policies and passwords.

Example: the nbtstat utility in Windows gives the NetBIOS name table of a machine, including protocol statistics, NetBIOS name tables and the NetBIOS name cache.
- nmap allows attackers to receive target NetBIOS names and MAC addresses.

Enumerating user accounts: you can use the PowerShell tools suite (part of the Sysinternals suite), which helps control and manage remote systems from the command line, i.e. PsExec, PsGetSid, PsLoggedOn. You can execute these processes remotely.

The Net View utility is used to obtain a list of all the shared resources of a remote host or workgroup (the null user concept has since been disabled).

__________________________________________

NetBIOS (Network Basic Input/Output System)

Description: A protocol enabling applications on separate computers to communicate over a local network.

Enumeration: Attackers can enumerate NetBIOS to list shared resources, machines, and users. NetBIOS is often enumerated on local networks.

Info Gleaned: Identifies computer names, shared folders, user accounts, and workgroups.

Tools:
Kali Commands: nbtscan <IP> and nmap -p 137 --script nbstat <IP>

4
Q

SNMP enumeration

A

SNMP (Simple Network Management Protocol)

Description: A protocol for network management, monitoring devices, and configuring systems.

Enumeration: SNMP enumeration allows attackers to access system data and configuration through public or private community strings. Enumeration is done over the local network.

Older versions of SNMP (pre v3) have glaring vulnerabilities.

MIB (Management Information Base) is maintained on a box and contains a hierarchy of object identifiers (long decimal strings).

OIDs map to specific pieces of information such as user accounts on a system, listening ports and process tables. There is a one-size-fits-all password (the community string) sent in clear text that is subject to brute force and sniffing.

There are tools like the snmpwalk utility: once UDP 161 is found open you can request OIDs and config info, and run an internal port scan. You can use nmap to do a full netstat and enumeration of processes and services, share info, installed software and user accounts.

Info Gleaned: Device names, IP addresses, running processes, system configuration, and uptime.

Tools:
Kali Commands: snmpwalk -c public -v1 <IP>, onesixtyone <IP>

5
Q

LDAP

A

LDAP is an internet protocol used to interact with distributed directory services.
- Directory services may provide any organized set of records, often in a hierarchical and logical structure, such as a corporate email directory.

*Any LDAP enumeration tool can connect to the directory system agent on port 389 and, once authorized, may be able to read info in the database. Attackers query LDAP to gather usernames, addresses, department details etc.

Info is transmitted between client and server using Basic Encoding Rules (BER).

LDAP enum tools: you can do it manually with Python and automate with scripts, or use ldapsearch.

____

LDAP (Lightweight Directory Access Protocol)

  • Description: LDAP manages directory services (e.g., user data)
  • Enumeration: LDAP enumeration gathers directory information
  • Info Gleaned: Usernames, groups, email addresses

Tools:
Kali Commands: enum4linux <IP>
Web Tools: Some LDAP information may be accessible on public directories.

6
Q

NTP

A

NTP = Network Time Protocol, which keeps clocks synced and uses UDP 123. If your system clock is >5 minutes out of sync with your domain controller (Kerberos server) you can’t log in → this can create a Denial of Service.

*If you can change the clock settings you can’t rebuild an accurate timeline in logs. You can also set them back to pre-exploitation dates on certificates.

If you can compromise an NTP server you can get a list of connected hosts, internal IPs if in DMZ.

- Command-line utilities for NTP: ntptrace, ntpdc, ntpq

___________

NTP (Network Time Protocol)

Description: NTP synchronizes clocks across systems

Enumeration: NTP enumeration may reveal the time configuration.

Info Gleaned: NTP: Server versions, time offsets

Tools: Kali Commands: ntpdc -c monlist <IP>

7
Q

NFS

A

(Network File System) Enumeration

NFS is a protocol that allows file sharing across a network, enabling users to access files on a remote server as if they were on their own local drive.

NFS relies on the RPC mechanism to manage communication between the client and server, allowing it to make requests and retrieve data from a shared filesystem.

RPC (Remote Procedure Call) is a protocol that allows a program to request a service or function from a program on another computer within the same network.

NFS is generally implemented on computer networks where centralization of data is required for critical resources (Linux/Unix). It runs on port 2049.

NFS enum allows attackers to identify the exported directories, list of clients connected to the NFS server along with their IP addresses, and shared data associated with the IP addresses.

TOOLS:
- RPCScan communicates with RPC services and checks for misconfigurations in scans
- SuperEnum includes a script that does basic enumeration of any open port

On Microsoft boxes we list the shares via the SMB protocol.

8
Q

SMB

A

Server Message Block is similar to NFS in that it’s a protocol used to share files and resources across a network. SMB is primarily used in Windows while NFS is used primarily in Unix/Linux.

8
Q

SMTP

A

SMTP is used for sending email via port 25 by default (there are also SSL/TLS versions).

It provides 3 built-in commands that can assist in identifying user accounts on its servers:

1) VRFY (Verify): Checks if a specified username or email address exists on the mail server, confirming whether the account is valid.

2) EXPN (Expand): Reveals the actual list of recipients for a mailing list, providing insight into all user accounts associated with the list.

3) RCPT (Recipient): Used in the SMTP conversation to specify the recipient of an email, which can be leveraged to identify valid addresses by observing server responses.

These commands help attackers enumerate user accounts by confirming valid email addresses or expanding group lists.

8
Q

What is IPSec and how does IPSEC enumeration work?

A

IPsec (Internet Protocol Security) is a suite of protocols designed to secure IP communications by encrypting and authenticating data sent over a network. It’s commonly used in VPNs (Virtual Private Networks) to create secure connections over public networks, providing confidentiality, integrity, and authentication of data between endpoints.

– How IPsec Works in VPNs –
VPN Role: In a VPN, IPsec secures the “tunnel” that encrypts and authenticates data as it moves between two networks or devices, often used in site-to-site and remote-access VPNs.
Components: IPsec uses protocols like IKE (Internet Key Exchange) for setting up security associations and ESP (Encapsulating Security Payload) for data encryption and authentication.

– IPsec Enumeration –
IPsec enumeration is the process of gathering information about IPsec configurations on a target network, such as IKE versions, encryption settings, and potential weaknesses. This information can reveal VPN endpoints and configurations that may have vulnerabilities.

IPsec connection negotiation requires ground rules: tunnel mode, authentication method, handshake etc.

*Utilities like ike-scan can complete that handshake and enumerate the things required for the connection.

Port 500 for IKE.

Other tools:
- nmap IKE probing
- ike-scan sends IKE requests to identify VPN endpoints, supported encryption algorithms, and authentication methods
- Wireshark can capture IPsec negotiation packets (usually on port 500 for IKE), which can reveal protocol details and, in some cases, weak configurations.

Information Gleaned
- IPsec Version: Determines if it’s IPsec IKEv1 or IKEv2.
- Supported Encryption/Hashing Algorithms: Helps in identifying weaker algorithms that might be vulnerable.
- Pre-shared Key Configuration: Reveals if weak authentication methods, like PSKs, are in use, which can be exploited in certain attacks.

8
Q

DNS zone transfer

A

A DNS zone transfer is when a DNS server shares its zone file—essentially a directory of all the domain’s IP addresses, subdomains, mail servers, and other DNS records—with another server. It’s like transferring a detailed map of the domain’s structure.

If a DNS server for example.com allows zone transfers, someone could run: dig axfr @dnsserver.example.com example.com

If the server is misconfigured to allow this transfer, it would return the full list of DNS records, including subdomains like mail.example.com or vpn.example.com, and the IP addresses associated with each.

DNS zone enumeration is the process of gathering DNS records for a domain to map out its infrastructure. Attackers attempt zone transfers or other DNS queries to find:

  • Subdomains: Revealing additional services (e.g., admin.example.com).
  • IP Addresses: Identifying servers or endpoints for targeted attacks.
  • Mail Servers: Noting where email servers are located.
  • Internal Network Info: Sometimes revealing internal, non-public servers if misconfigured.
9
Q

SMB

A

SMB (Server Message Block) is a network protocol used primarily on Windows systems for file and printer sharing, as well as for communication between devices in a network. SMB allows users to access files, printers, and shared resources on other devices within a network.

How SMB Works
- Client-Server Model: SMB operates in a client-server model where a client requests access to a resource on a server, and the server responds based on permissions.
- Authentication: Users must authenticate with a username and password, which determines the level of access to files, folders, or devices on the server.
- Ports: SMB commonly uses ports 445 (direct SMB over TCP/IP) and 139 (NetBIOS over TCP/IP) for communication.

SMB ENUMERATION
SMB enumeration is the process of probing an SMB server to gather information about available resources, users, shares, and configurations. This is often done in the reconnaissance phase of a penetration test to identify valuable targets and resources.

INFORMATION FROM SMB ENUMERATION
- Shared Folders: Lists of shared directories and files, which may contain sensitive information.
- Users and Groups: Information about user accounts and groups, which can help attackers identify potential access points.
- Access Permissions: Permission levels on shared resources, showing which users have read, write, or full access.
- System Information: Details like the OS version and hostname, which may indicate vulnerabilities.
- Open Sessions: Information on active sessions and the users connected to the server.

TOOLS
enum4linux: A popular tool specifically designed for SMB enumeration, gathering information on shared folders, users, groups, and more.

Command: enum4linux -a <target>

smbclient: Acts like an FTP client for SMB, allowing you to list shares and access specific files if permissions allow.

Command: smbclient -L //<target>

Nmap: Nmap has built-in SMB enumeration scripts that can identify shares, users, and version details.

Command: nmap -p 139,445 --script smb-enum-shares,smb-enum-users <target>

Metasploit: Metasploit’s auxiliary modules have SMB enumeration capabilities to gather information on shares, users, and other configurations.

Example Module: auxiliary/scanner/smb/smb_enumshares
CrackMapExec: A post-exploitation tool that can enumerate SMB shares, users, and permissions, often used to escalate access.

Command: crackmapexec smb <target> -u <username> -p <password>

SMB ports are the primary Microsoft endpoints; attackers can also perform OS banner grabbing against them.

9
Q

What is DNSSEC, and DNSSEC zone walking?

A

DNSSEC (Domain Name System Security Extensions) is a security feature for DNS that adds digital signatures to DNS records, verifying their authenticity. It ensures that when you look up a domain (like example.com), the response you get is authentic and hasn’t been tampered with by an attacker. It helps against sniffing and snooping as well.

DNSSEC Zone Walking
DNSSEC Zone Walking is a technique where an attacker can list all DNS records in a DNSSEC-protected zone by exploiting a feature called NSEC (Next Secure Record), which is meant to prove that a domain doesn’t exist. This process can unintentionally reveal all subdomains in the zone, exposing potentially sensitive domain names and internal resources that wouldn’t normally be visible.

When you request a DNS record that doesn’t exist, DNSSEC provides an NSEC record to prove it. This record lists the next valid domain in the sequence (like “This domain doesn’t exist, but here are the domains before and after it: a.example.com and c.example.com”).

Iterative Requests: By making successive queries and collecting NSEC records, an attacker can see which domains exist between each pair. Over time, this allows the attacker to “walk” through the entire DNS zone, revealing all subdomains.

Complete Enumeration: After gathering all NSEC records, the attacker can create a complete list of all valid domain names in the zone, even those that were meant to stay private.

TOOLS
- LDNS
- DNSRecon
- dns-nsec-enum Nmap script

10
Q

VoIP enumeration

A

VoIP uses the Session Initiation Protocol (SIP) to set up voice and video calls over an IP network → can be exposed to the outside world

  • Not encrypted by default; calls can be captured and played back as an mp3 file
  • SIP services use TCP/UDP 2000, 2001, 5060, 5061 → you can find VoIP gateways/servers, VoIP phones etc.
11
Q

RPC enumeration

A

RPC (Remote Procedure Call) is a protocol that allows one computer to execute code or request services on another computer over a network, as if it were calling a local function.

A common real-life use case for RPC is in Windows environments, where it’s used extensively for tasks like remote management, file sharing, and printer sharing. For example, Windows uses RPC to allow administrators to remotely manage services, retrieve system information, or run programs on another computer within the same network, making it a backbone for many networked Windows services.

___
Remote Procedure Call (RPC) allows clients and servers to communicate in distributed client/server programs.
→ unsecured RPC endpoints can be scanned and are highly vulnerable

Linux user enumeration:
- rusers
- rwho
- finger: displays info on a system user

→ similar to PsLoggedOn

12
Q

Telnet

A

Used for remote management and administration over TCP 23 - sends all data in clear text by default. You can telnet into a server such as an SMTP server, similar to using ssh.

13
Q

FTP and TFTP enumeration

A

FTP uses cleartext by default.

Port 21 for the control connection, 20 for data transfer. This channel needs to be encrypted.

TFTP = port 69, doesn’t require authentication, used to transfer config files to Cisco devices etc.
