CEHv12-04 - Enumeration
Enumeration means actively engaging a system and querying it for information in order to discover vulnerabilities and then exploit them. The information collected includes routing tables, users and groups, machine names and network resources.
NetBIOS and SMB enumeration
NetBIOS (Network Basic Input/Output System) provides the unique name of a Windows machine. It is easily exploitable and is often one of the first scans run.
- Uses:
  - Allows computers to communicate with each other at the same time, or to share files and printers.
  - Network file sharing uses the SMB (Server Message Block) protocol (it was targeted by the WannaCry ransomware, which traversed the network and infected hosts).
- Information retrieved:
  - System name.
  - Username.
  - Domain.
  - Printers.
  - Available shares.
Tools:
- Nmap: `sudo nmap -A -T5 -n -Pn -p 445 8.8.8.8`
- nbtstat: proprietary Windows diagnostic tool for NetBIOS over TCP/IP. `nbtstat -a <IP or hostname>` shows the NetBIOS names.
- net view: `net view <IP or hostname>` prints the available shares, such as printers.
- smb-nat: NetBIOS Auditing Tool. `nat -o <output file> -u <user-list> -p <password-list> <ip/range>` allows you to brute force different usernames and passwords for administrative shares.
- WinFingerPrint: Windows enumeration tool. Scans machines in the LAN and returns shares, disk information, services, users (SID) and groups.
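The NetBIOS name table that `nbtstat -a` prints encodes what a host exposes in the hex suffix after each name. The following parser is an added example (not from these notes or from any of the tools above): the `nbtstat` output it reads is constructed to match the real layout, and the suffix meanings are the standard NetBIOS suffix codes. It is useful when reviewing what a host advertises (file sharing, domain membership, logged-on user) without reading the raw table.

```python
"""Parse the NetBIOS name table printed by `nbtstat -a <host>`.

Added example: SAMPLE_NBTSTAT is constructed to look like Windows nbtstat
output (the MAC address is a placeholder); NETBIOS_SUFFIXES lists the
standard NetBIOS name suffixes and the service each one advertises.
"""
import re

NETBIOS_SUFFIXES = {
    ("00", "UNIQUE"): "Workstation service (machine name)",
    ("00", "GROUP"): "Domain/workgroup name",
    ("03", "UNIQUE"): "Messenger service (logged-on user or machine)",
    ("20", "UNIQUE"): "File server service (shares available)",
    ("1B", "UNIQUE"): "Domain master browser",
    ("1C", "GROUP"): "Domain controllers",
    ("1D", "UNIQUE"): "Master browser",
    ("1E", "GROUP"): "Browser service elections",
}

SAMPLE_NBTSTAT = """\
           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    WS01           <00>  UNIQUE      Registered
    CORP           <00>  GROUP       Registered
    WS01           <20>  UNIQUE      Registered
    ALICE          <03>  UNIQUE      Registered

    MAC Address = 00-11-22-33-44-55
"""

# name, <suffix>, UNIQUE|GROUP, status
_ROW = re.compile(r"^\s*(\S+)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\w+)")


def parse_nbtstat(text):
    """Return (name, suffix, type, meaning) for every registered name in the table."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue  # headers, separators and the MAC line do not match
        name, suffix, kind, _status = m.groups()
        suffix = suffix.upper()
        meaning = NETBIOS_SUFFIXES.get((suffix, kind), "unknown suffix")
        rows.append((name, suffix, kind, meaning))
    return rows


def summarize(rows):
    """Condense the table into the facts listed under 'Information retrieved'."""
    summary = {"machine": None, "domain": None, "file_sharing": False,
               "domain_controller": False, "logged_on_users": []}
    for name, suffix, kind, _meaning in rows:
        if suffix == "00" and kind == "UNIQUE":
            summary["machine"] = name
        elif suffix == "00" and kind == "GROUP":
            summary["domain"] = name
        elif suffix == "20":
            summary["file_sharing"] = True      # the host serves shares
        elif suffix == "1C":
            summary["domain_controller"] = True  # host registered the DC group name
        elif suffix == "03" and kind == "UNIQUE" and name != summary["machine"]:
            summary["logged_on_users"].append(name)  # <03> that is not the machine name
    return summary


if __name__ == "__main__":
    for row in parse_nbtstat(SAMPLE_NBTSTAT):
        print("%-8s <%s> %-6s %s" % row)
    print(summarize(parse_nbtstat(SAMPLE_NBTSTAT)))
```

Note that a `<03>` entry that differs from the machine name is the messenger-service registration for the logged-on user, which is why `nbtstat` can reveal usernames at all.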
SNMP enumeration
SNMP stands for Simple Network Management Protocol. It was developed for routers and switches (1988), and was later extended to Linux/Windows machines, printers, sensors, power supplies and more.
Uses:
- Monitoring networking equipment.
- Remotely modifying settings and configs on the equipment.
Community string types (SNMPv3 encrypts the community strings):
- Read community string: read-only; you can collect information such as system name, system uptime, network settings, CPU usage level, etc.
- Read/write community string: read-write (private), to edit configurations.
Components:
- Agents are embedded into network devices:
  - Agents send their information to the manager using port 162.
  - Data messages are called traps.
- Manager is installed on a computer:
  - Needs two passwords to access and configure the agents:
    - read community string
    - read/write community string
Object identifier (OID): any device that can be monitored has an OID (e.g. `1.3.6.1.2.1.2.2.1.8`).
Management Information Base (MIB): text file that translates numerical OIDs to word-based OIDs (e.g. `SYNOLOGY-SYSTEM-MIB::temperature.0`).
- You can collect information such as CPU usage level, disk usage level and network settings using vendor-specific OIDs.
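To make the OID/MIB relationship concrete, here is an added example (not from these notes and not part of any SNMP tool) of the translation a MIB file provides: a small hand-written table of OID prefixes, a longest-prefix resolver that turns numeric OIDs into `MODULE::object.instance` names, the reverse lookup, and an annotator for numeric `snmpwalk`-style output. The SNMPv2-MIB and IF-MIB entries are the standard assignments; the entry under `1.3.6.1.4.1.99999` is a constructed placeholder, not a real vendor MIB, and `SAMPLE_WALK` is constructed output.

```python
"""Translate between numeric and symbolic OIDs using a small MIB table.

Added example. MIB holds standard SNMPv2-MIB/IF-MIB assignments plus one
constructed vendor entry (1.3.6.1.4.1.99999 is a placeholder enterprise).
"""

MIB = {
    "1.3.6.1.2.1.1": "SNMPv2-MIB::system",
    "1.3.6.1.2.1.1.1": "SNMPv2-MIB::sysDescr",
    "1.3.6.1.2.1.1.3": "SNMPv2-MIB::sysUpTime",
    "1.3.6.1.2.1.1.5": "SNMPv2-MIB::sysName",
    "1.3.6.1.2.1.2.2": "IF-MIB::ifTable",
    "1.3.6.1.2.1.2.2.1": "IF-MIB::ifEntry",
    "1.3.6.1.2.1.2.2.1.8": "IF-MIB::ifOperStatus",
    "1.3.6.1.4.1.99999.1.2": "EXAMPLE-VENDOR-MIB::temperature",  # constructed
}

# Reverse index for symbolic -> numeric lookups.
_BY_NAME = {name: oid for oid, name in MIB.items()}

# Constructed lines in the layout `snmpwalk -On` prints (numeric OIDs).
SAMPLE_WALK = [
    ".1.3.6.1.2.1.1.5.0 = STRING: core-sw1",
    ".1.3.6.1.2.1.2.2.1.8.1 = INTEGER: up(1)",
    ".1.3.6.1.4.1.99999.1.2.0 = INTEGER: 41",
]


def resolve(oid):
    """Symbolic form of a numeric OID by longest-prefix match.

    Sub-identifiers beyond the longest known prefix become the instance
    index, e.g. 1.3.6.1.2.1.1.5.0 -> SNMPv2-MIB::sysName.0. Unknown OIDs
    are returned unchanged, which is what snmp tools do without the MIB.
    """
    parts = oid.strip().lstrip(".").split(".")
    for cut in range(len(parts), 0, -1):
        prefix = ".".join(parts[:cut])
        if prefix in MIB:
            rest = parts[cut:]
            return MIB[prefix] + ("." + ".".join(rest) if rest else "")
    return oid


def to_numeric(name):
    """Reverse translation: 'SNMPv2-MIB::sysName.0' -> '1.3.6.1.2.1.1.5.0'."""
    base, _, index = name.partition(".")
    if base not in _BY_NAME:
        raise KeyError("object not in MIB table: %s" % base)
    return _BY_NAME[base] + ("." + index if index else "")


def annotate_walk(lines):
    """Rewrite 'OID = TYPE: value' lines from a numeric walk into symbolic form."""
    out = []
    for line in lines:
        oid, sep, rest = line.partition(" = ")
        out.append(resolve(oid) + sep + rest if sep else line)
    return out


if __name__ == "__main__":
    for line in annotate_walk(SAMPLE_WALK):
        print(line)
```

Real tools load the vendor's MIB file instead of a dictionary, but the lookup is the same longest-prefix walk; that is also why an unknown vendor OID shows up as a bare `enterprises.N...` path until the matching MIB is installed.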
Versions:
- Version 1, 2c: (insecure!) no encryption, only a "community string".
- Version 3: username + password and encryption.
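The version difference is what a configuration review looks for on the agent side. The following audit is an added example (not from these notes): it reads a Net-SNMP `snmpd.conf`, flags every `rocommunity`/`rwcommunity` line (v1/v2c access, community sent in cleartext) and calls out well-known default strings, and checks that SNMPv3 users require both authentication and privacy. The two configuration excerpts are constructed; the directive names (`rocommunity`, `rwcommunity`, `createUser`, `rouser`) are Net-SNMP's own, and the list of default communities is an assumption drawn from common device defaults.

```python
"""Audit a Net-SNMP snmpd.conf for v1/v2c community strings.

Added example. WEAK_CONF and HARDENED_CONF are constructed excerpts; the
directives are Net-SNMP's. DEFAULT_COMMUNITIES is an assumed list of
strings commonly shipped as device defaults.
"""
import re

DEFAULT_COMMUNITIES = {"public", "private", "community", "snmp", "admin"}

WEAK_CONF = """\
# constructed: typical out-of-the-box configuration
rocommunity public
rwcommunity private 10.0.0.0/8
sysLocation DC-1 rack 4
"""

HARDENED_CONF = """\
# constructed: SNMPv3 only, authentication and privacy required
createUser monitor SHA "correct horse battery staple" AES "another long passphrase"
rouser monitor priv
sysLocation DC-1 rack 4
"""


def audit_snmpd(conf):
    """Return (line_number, severity, message) for each weakness found."""
    findings = []
    for n, raw in enumerate(conf.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments (passphrases here contain no '#')
        if not line:
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive in ("rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"):
            community = parts[1] if len(parts) > 1 else ""
            source = parts[2] if len(parts) > 2 else "default (any source)"
            severity = "high" if directive.startswith("rw") else "medium"
            msg = "%s grants v1/v2c access (community sent in cleartext), source %s" % (directive, source)
            if community.lower() in DEFAULT_COMMUNITIES:
                severity = "high"
                msg += "; community '%s' is a well-known default" % community
            findings.append((n, severity, msg))
        elif directive == "createuser":
            # createUser NAME [MD5|SHA|...] "authpass" [DES|AES] "privpass"
            if not re.search(r"\b(DES|AES)\b", line):
                findings.append((n, "medium", "SNMPv3 user %s has no privacy protocol (authNoPriv)" % parts[1]))
        elif directive in ("rouser", "rwuser"):
            level = parts[2].lower() if len(parts) > 2 else "auth"  # Net-SNMP default level
            if level != "priv":
                findings.append((n, "medium", "%s %s accepts requests below the 'priv' security level" % (directive, parts[1])))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_snmpd(conf) or "no findings")
```

A read-only community with the default source is rated high because it is exactly what the `-c public` commands in the tool list below rely on; the hardened excerpt produces no findings.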
Tools:
- onesixtyone: `onesixtyone 8.8.8.8`
- snmpcheck: `snmpcheck 8.8.8.8 -c public`
- nmap: `sudo nmap -sU -p 161 --script snmp-win32-users.nse 8.8.8.8`
- snmpwalk: enumerates ports in the SNMP agent and finds out the UDP port sending traffic to the manager (`snmpwalk -c public -v1 <agent IP address>`).
- snmp-check: you can find out the version using `snmp-check <IP address> -v <version 1 or 2c>`. Gives much more information, like routing tables, storage information, users, etc.
- snmpget: retrieves the information for a specific OID from the target (e.g. `snmpget -v 1 -c public <IP address> system.sysName.0`). `-c` gives the SNMP community string for SNMP v1/v2c; `sysName.0` returns the system name.
LDAP enumeration
LDAP stands for Lightweight Directory Access Protocol and is used by on-premises Active Directory (Microsoft). It can be utilized in brute force or social engineering attacks.
Structure: hierarchical (e.g. domain > child domains > organizational units > users / groups / computers).
Retrieved information: usernames, addresses, servers and other sensitive information.
Tools:
- LDAP3 specs.
- Jxplorer.
- LDAP Admin Tool.
- LDAP administrator.
- LDAP search: `ldapsearch -LLL -x -H ldap://8.8.8.8 -b '' -s base '(objectclass=*)'`. It is also included in nmap.
- LDP.exe.
- Softerra LDAP Administrator.
- `net use` to show the list of connected resources and logged-in user accounts.
Countermeasures:
- Use encrypted and secure protocols, e.g.:
  - LDAP over SSL/TLS
    - Also known as LDAPS.
    - SSL/TLS is negotiated before the LDAP protocol begins.
  - LDAP over StartTLS
    - STARTTLS is a way to take an existing insecure connection and upgrade it to a secure connection using TLS.
    - Communication is only encrypted after the connection is established.
- Use NTLM or Basic authentication.
- Select a username different from your email address.
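The following audit is an added example (not from these notes or from any directory product) that checks bind events against two of the countermeasures above: it classifies each connection as LDAPS (port 636, TLS first), StartTLS (port 389 upgraded before the bind) or cleartext, flags simple binds that travelled in cleartext, and flags accounts whose bind name is an e-mail address. The log lines and their `key=value` layout are constructed for this example; no real directory server logs in exactly this format, so the parser would need adapting to a real source.

```python
"""Audit LDAP bind events for cleartext simple binds and e-mail-style usernames.

Added example. SAMPLE_BINDS is a constructed log in a made-up key=value
format; the port numbers (389 plain/StartTLS, 636 LDAPS) are the standard ones.
"""
import re

SAMPLE_BINDS = """\
ts=2024-05-01T08:00:01Z client=10.0.0.5 port=389 starttls=no bind=simple dn=cn=svc-backup,ou=svc,dc=corp,dc=local
ts=2024-05-01T08:00:02Z client=10.0.0.6 port=636 starttls=no bind=simple dn=cn=alice,ou=users,dc=corp,dc=local
ts=2024-05-01T08:00:03Z client=10.0.0.7 port=389 starttls=yes bind=simple dn=bob@corp.local
ts=2024-05-01T08:00:04Z client=10.0.0.8 port=389 starttls=no bind=ntlm dn=CORP\\carol
"""

_KV = re.compile(r"(\w+)=(\S*)")          # greedy value, so dn keeps its inner '=' signs
_EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def parse_bind(line):
    """One constructed log line -> dict of its key=value fields."""
    return dict(_KV.findall(line))


def transport(event):
    """How the connection was protected, matching the two options listed above."""
    if event.get("port") == "636":
        return "ldaps"       # TLS negotiated before any LDAP traffic
    if event.get("starttls") == "yes":
        return "starttls"    # started in cleartext, upgraded to TLS before the bind
    return "cleartext"


def audit_binds(text):
    """Return (client, transport, issue) for every bind that violates a countermeasure."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_bind(line)
        t = transport(ev)
        if ev.get("bind") == "simple" and t == "cleartext":
            findings.append((ev["client"], t, "simple bind sends the password in cleartext"))
        if _EMAIL.match(ev.get("dn", "")):
            findings.append((ev["client"], t, "bind name is an e-mail address"))
    return findings


if __name__ == "__main__":
    for client, t, issue in audit_binds(SAMPLE_BINDS):
        print(client, t, issue)
```

The NTLM bind on port 389 is not flagged, since the password itself is not sent; the StartTLS bind is encrypted but still flagged for using an e-mail address as the account name.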
NTP enumeration
NTP (Network Time Protocol) synchronizes computer clocks (e.g. machines in the same Active Directory domain must have the same GMT clocks). It uses UDP port 123. Usually companies have an authoritative time source on-premises: it synchronizes to the internet and everything else synchronizes to it. It is important for routers / switches to have logs with the right timestamps.
Target accuracy:
- 10 ms over the public internet
- 200 ms or better on a local area network
Information retrieved:
- List of hosts connected to the NTP server.
- Clients' IP addresses, system names and operating systems.
- Internal IP addresses can be acquired if the NTP server is in the DMZ.
Tools:
- ntpdate: synchronizes the date; use the debug flag to get more info (`ntpdate -d 8.8.8.8`).
- ntptrace: traces NTP servers back to the primary source; you may indicate a single remote host with the flag (`ntptrace -r 8.8.8.8`).
- ntpq: monitors NTP daemon (ntpd) operations and determines performance. It is interactive and provides lots of information.
- ntpdc: monitors the operation of the NTP daemon, ntpd.
- Other tools include: NTP Time Server Monitor, NTP Server Scanner, Nmap, Wireshark, AtomSync, NTPQuery, PresenTense NTP Auditor, PresenTense Time Server, PresenTense Time Client, Lan Time Analyser…
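`ntpq -p` is the usual way to see which peers a host knows and which one it actually follows. The parser below is an added example (not from these notes or from the ntp distribution): it reads the peer table, decodes the octal `reach` register, picks the system peer (the `*` line) and reports peers that are unsynchronised, unreachable or further from the local clock than a chosen threshold. The peer table is constructed in the layout `ntpq -p` prints, with placeholder hostnames and addresses; the offset threshold is a parameter so either accuracy target above can be applied.

```python
"""Parse `ntpq -p` output and review the time sources a host uses.

Added example. SAMPLE_NTPQ is constructed (placeholder hosts/addresses);
offsets, delays and jitter are in milliseconds as ntpq prints them, and
reach is ntpd's 8-bit reachability register shown in octal.
"""
import re

SAMPLE_NTPQ = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ntp1.corp.local 203.0.113.7      2 u   34   64  377    0.412   -0.103   0.087
+ntp2.corp.local 203.0.113.7      2 u   21   64  377    0.519    0.221   0.112
 198.51.100.20   .INIT.          16 u    -   64    0    0.000    0.000   0.000
-10.0.0.9        LOCAL(0)        11 u   55   64  377    0.301    5.617   1.204
"""

# tally, remote, refid, stratum, type, when, poll, reach, delay, offset, jitter
_PEER = re.compile(
    r"^([ *+\-#xo.])(\S+)\s+(\S+)\s+(\d+)\s+(\S)\s+(\S+)\s+(\d+)\s+(\d+)"
    r"\s+(-?[\d.]+)\s+(-?[\d.]+)\s+(-?[\d.]+)\s*$"
)


def parse_ntpq(text):
    """One dict per peer line; the header and separator lines do not match."""
    peers = []
    for line in text.splitlines():
        m = _PEER.match(line)
        if not m:
            continue
        tally, remote, refid, st, _t, _when, _poll, reach, delay, offset, jitter = m.groups()
        peers.append({
            "tally": tally,
            "remote": remote,
            "refid": refid,
            "stratum": int(st),
            "reach": int(reach, 8),   # 377 octal = all of the last 8 polls answered
            "delay": float(delay),
            "offset": float(offset),
            "jitter": float(jitter),
        })
    return peers


def sync_source(peers):
    """The peer ntpd is actually following is marked '*' (the system peer)."""
    for p in peers:
        if p["tally"] == "*":
            return p
    return None


def check_peers(peers, max_offset_ms):
    """Warnings a time-sync review should act on."""
    warnings = []
    for p in peers:
        if p["stratum"] >= 16:
            warnings.append("%s: unsynchronised (stratum 16)" % p["remote"])
        if p["reach"] == 0:
            warnings.append("%s: not reachable in the last 8 polls" % p["remote"])
        if abs(p["offset"]) > max_offset_ms:
            warnings.append("%s: offset %.3f ms exceeds %.1f ms" % (p["remote"], p["offset"], max_offset_ms))
    if sync_source(peers) is None:
        warnings.append("no system peer selected: clock is free-running")
    return warnings


if __name__ == "__main__":
    peers = parse_ntpq(SAMPLE_NTPQ)
    print("following:", sync_source(peers)["remote"])
    for w in check_peers(peers, max_offset_ms=1.0):
        print("warning:", w)
```

Reading the `refid` column alongside the selected peer also shows the chain described above: both internal servers here take their time from the same upstream address, so the on-premises source is a single hop from the rest of the estate.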
NFS enumeration
Network File System, similar to mounting a hard drive for centralizing data (UDP port 2049).
- Tools:
```shell
# example: mount an NFS export (server and export path are placeholders)
sudo mount -t nfs <server IP>:/<export path> /mnt/nfs
```
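What an NFS enumeration reveals is decided by the server's `/etc/exports`, so the defender-side check is to review that file. The following parser and audit are an added example (not from these notes): it splits each export into its client specifications, flags exports open to every host (`*`) and exports that keep remote root as root (`no_root_squash`). The exports file is constructed; the option names are the standard ones from exports(5).

```python
"""Audit /etc/exports for world-open shares and missing root squashing.

Added example. SAMPLE_EXPORTS is a constructed file; rw/ro/sync,
root_squash and no_root_squash are the standard exports(5) options.
"""

SAMPLE_EXPORTS = """\
# constructed /etc/exports
/srv/backup   *(rw,sync,no_root_squash)
/srv/public   *(ro,sync)
/home         10.0.0.0/24(rw,sync,root_squash)
/srv/scratch  10.0.0.0/24(rw,no_subtree_check) 192.168.1.5(rw)
"""


def parse_exports(text):
    """Return (path, client, options) triples, one per client specification."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs:
            host, _, opts = spec.partition("(")    # "10.0.0.0/24(rw,sync)" -> host, options
            options = [o for o in opts.rstrip(")").split(",") if o]
            entries.append((path, host, options))
    return entries


def audit_exports(text):
    """Flag exports reachable by every host and exports without root squashing."""
    findings = []
    for path, host, options in parse_exports(text):
        if host == "*":
            mode = "writable" if "rw" in options else "readable"
            findings.append((path, host, "export is %s by every host" % mode))
        if "no_root_squash" in options:
            findings.append((path, host, "remote root keeps root privileges (no_root_squash)"))
    return findings


if __name__ == "__main__":
    for path, host, issue in audit_exports(SAMPLE_EXPORTS):
        print("%-14s %-14s %s" % (path, host, issue))
```

Exports default to read-only and `root_squash`, so `/home` and `/srv/scratch` produce no findings even though `/srv/scratch` omits the squash option explicitly.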
SMTP enumeration
SMTP (Simple Mail Transfer Protocol, port 25) is the protocol used for sending/receiving e-mails. It is used by clients to talk to an SMTP server, and by SMTP servers to talk to other servers.
Components:
- SMTPS is SMTP over TLS (port: 587), like HTTPS is HTTP over TLS.
- SMTP can also run with STARTTLS (port: 467):
  - Compared to running over TLS, it encrypts communication AFTER the connection is established.
  - STARTTLS is also known as opportunistic TLS, as it falls back to unencrypted communication if the server does not support it.
MX records (Mail eXchange records, used to direct e-mails sent to a domain) in DNS may help find SMTP servers.
Information retrieved: it allows you to validate that e-mail addresses actually exist:
- Another way: go to the provider and try creating an account with that e-mail.
- A large collection of e-mails can be sold or used for phishing.
- Many e-mail senders (e.g. AWS Simple Email Service) block you if you send e-mails that will not reach the targets (idea: create fake accounts in cloud providers → ask to increase soft limits → enumerate per account).
Commands:
- `VRFY`: validates that an e-mail address actually exists.
- `EXPN`: tells the actual delivery address of aliases and mailing lists.
- `RCPT TO`: defines the recipients of the message.
- Some admins may turn off `VRFY` and `EXPN`, but not `RCPT TO` (or no one can receive e-mail).
Tools:
- Nmap: `nmap -T5 -n -Pn -p 25 bee-box metasploitable`
- NetScanTools Pro SMTP Server Tests Tool: used to perform tests by sending e-mails.
- smtp-user-enum: enumerates OS-level user accounts on Solaris. Inspects responses to `VRFY`, `EXPN` and `RCPT TO`. `smtp-user-enum -M <command> -U <list of emails> -t <SMTP server>`
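The server side of the three commands, as an added example (not from these notes or from any mail server): a small model of how an SMTP server answers `VRFY`, `EXPN` and `RCPT TO`, with a switch that disables the first two (the 502 reply an admin's hardening produces) and a per-client counter of unknown-recipient `RCPT TO` attempts, since that command has to stay enabled and is therefore what a defender watches. The mailbox and alias tables, the client address and the session are all constructed; the reply codes follow the usual SMTP conventions (250 ok, 502 command disabled, 550 unknown user).

```python
"""Server-side model of VRFY, EXPN and RCPT TO with enumeration detection.

Added example. DOMAIN, MAILBOXES, ALIASES and the demo session are
constructed; reply codes follow common SMTP server behaviour.
"""
from collections import Counter

DOMAIN = "example.com"
MAILBOXES = {"alice", "bob"}                                   # constructed
ALIASES = {"sales": ["alice@example.com", "bob@example.com"]}  # constructed


class SmtpServer:
    def __init__(self, allow_vrfy_expn=True, rcpt_fail_limit=5):
        self.allow_vrfy_expn = allow_vrfy_expn
        self.rcpt_fail_limit = rcpt_fail_limit
        self.rcpt_failures = Counter()   # unknown-recipient attempts per client
        self.flagged = set()             # clients that crossed the limit

    def _local_part(self, address):
        """'<alice@example.com>' or 'alice' -> 'alice'; foreign domains -> None."""
        address = address.strip().strip("<>")
        local, at, domain = address.partition("@")
        if at and domain.lower() != DOMAIN:
            return None
        return local.lower()

    def handle(self, client, line):
        """Reply for one command line received from `client`."""
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb in ("VRFY", "EXPN") and not self.allow_vrfy_expn:
            return "502 5.5.1 %s command is disabled" % verb   # the hardened answer
        if verb == "VRFY":
            user = self._local_part(arg)
            if user in MAILBOXES:
                return "250 2.1.5 %s@%s" % (user, DOMAIN)
            return "550 5.1.1 User unknown"
        if verb == "EXPN":
            members = ALIASES.get(self._local_part(arg) or "")
            if not members:
                return "550 5.1.1 Alias unknown"
            # multi-line reply: "250-" on every line but the last
            return "\r\n".join(["250-%s" % m for m in members[:-1]] + ["250 %s" % members[-1]])
        if verb == "RCPT":
            user = self._local_part(arg.partition(":")[2])   # arg looks like "TO:<user@domain>"
            if user in MAILBOXES or user in ALIASES:
                return "250 2.1.5 OK"
            self.rcpt_failures[client] += 1
            if self.rcpt_failures[client] >= self.rcpt_fail_limit:
                self.flagged.add(client)                       # looks like address probing
            return "550 5.1.1 User unknown"
        return "502 5.5.1 Command not implemented"


def demo_session(server, client="198.51.100.5"):
    """Constructed client dialogue; returns (command, reply) pairs."""
    commands = ["VRFY alice", "EXPN sales", "RCPT TO:<alice@example.com>",
                "RCPT TO:<carol@example.com>", "RCPT TO:<dave@example.com>",
                "RCPT TO:<erin@example.com>"]
    return [(c, server.handle(client, c)) for c in commands]


if __name__ == "__main__":
    srv = SmtpServer(allow_vrfy_expn=False, rcpt_fail_limit=3)
    for cmd, reply in demo_session(srv):
        print("C: %s\nS: %s" % (cmd, reply))
    print("flagged clients:", sorted(srv.flagged))
```

With `allow_vrfy_expn=False` the first two commands get a 502, while `RCPT TO` still distinguishes known from unknown recipients; the counter is what turns that unavoidable difference into an alert.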