Enumeration Hacking Phase

Enumeration In Ethical Hacking

This phase Enumeration is done after scanning. As in scanning the hacker collects information about the active targets, ports, services etc.


It is this phase where the hacker will make active connections to the target system and then try collecting more details information using queries etc. The goal is to get more details information about the target that needs to be compromised.

Information such as, usernames, machine names, share paths etc are collected in this phase. The attacker access possible open share files mainly the remote IPC share which can be accessed using IPC$ in Windows.

The information that is enumerated by the attacker is :

–          Users and Groups

–          Networks and shared paths

–          Hostnames

–          Route Tables

–          Service Settings

–          SNMP port scanning and DNS Details

–          Applications and Banners

In windows Operating System, the use of many tool is done to enumerate NetBIOS names with commands like:

  • Net accounts
  • Net config server
  • Net config workstation
  • Net view

And many such commands.

net accounts

Net config server: this command gives details of the Server name, NetBIOS name and information about user logged on, OS Version etc.

net config sever

Net config Workstation: this command gives details of the workstation name, NetBIOS name and information about user logged on, OS Version etc.

net config workstation

Net view:  command will display shared folder information.

C:\ net view \\<hostname> /domain:<domainname>

net view

DumpSec is a tool that is used for NetBIOS enumeration, which uses the net use command and connects to a target system, as null user.

Another tool SMB Auditing is used for auditing passwords for Windows SMB (Server Message Block)

NBTSTAT is another command line tool in Windows that displays some important information about a system.

nbstat

The below output shows the hostname, IP address

nbstat n

To enumerate user accounts, some tools like : PsExec, PsFile, PsKill, PsList, PsPasswd are used.

SNMP Enumeration

With the use of SNMP user accounts and hosts are enumerated. SNMP consists of a manager and an agent. The agents are installed on the network devices and the manager software is installed on a different machine.

SNMP makes use of password but known as Community string in SNMP. Using this community string the agents can be configured from a remote machine as well. The community strings are of two types:

Read Community String: By default this is public and can be used to view the device configuration.

Read / Write Community String:  By default this is private and can be used to edit or modify device configuration.

SNMP uses MIB (Management Information Base) which is a database that has the description of network objects that SNMP can manage.

The objects in the MIB are called OIDs or Object Identifiers. These can be wither Scalar (single object) or Tabular (multiple objects in tables)

Some MIB are as below:

DHCP.MIB:- Traffic between DHCP servers and remote hosts are monitored

WINS.MIB:- To be used for WINS Server

HOSTMIB.MIB:-To manage and monitor hosts

SNMPUtil is one such tool that is used for SNMP enumeration.  OpUtils , SolarWinds IP Network Browser, GetIf, SNMP Scanner etc  are also some other tools.

Linux Enumeration

In Linux to make use of enumeration the command like below are used:

Finger:  Using this command you can view the home directory of a user, the login time, idle time etc.

Rpcinfo: This will help enumeration of The Remote Procedure Calls which can then get control over the applications.

rootstation


Showmount: This command shows the mounted directories and shared directories on the host. The remotely mounted clients will be displayed when run the showmount command

LDAP Enumeration

LDAP or Light Weight Directory Access Protocol is a Directory service protocol which is hierarchical in structure.

When a client connects to a DSA (Directory System Agent) on the port 389 by sending an operation request to DSA, a LDAP session is formed.

The Basic Encoding Rules or BER is used for transmission of information between client and server.

A hacker would generate queries towards the LDAP service to collect information about valid users, groups, departments etc.

Some tools like: Softerra LDAP enumerator, LDAP Admin Tool, LEX : LDAP Explorer etc are used for LDAP Enumeration.

NTP Enumeration

NTP is a Network Time Protocol, which is mainly used for synchronization of clocks on the devices. This is an ignored protocol but this protocol can also help in extracting some information from the devices.

NTP uses Port 123 and is extremely good at accuracies for synchronization where the accuracy can be about 200 microseconds.

A hacker can query the NTP server and collect information about:

  • Connected hosts to that NTP server
  • The System Names in the network and their IP addresses and Operating System information

Command like below can be used for ntp enumeration.

a)      ntptrace: this command give information about frm where the NTP server is updating its time.

ntptrace

b) ntpdc: This command queries the ntpd daemon and can get current state of the daemon and also change its state.

munja

munjal 2

monlist

c) ntpq: To determine ntpd daemon and find the performance.

munjal 3

munjal 4

SMTP Enumeration

SMTP uses port 25 and is used for sending of emails. It has the below built-in commands:

a)      VRFY:  this is used to validate users

b)     EXPN: this will inform the delivery address

c)      RCPT TO: the recipients of the message are defined here

The attacker usually Telnets to the SMTP server and then makes use of the command to get information from the server.

Tools like NetScanTools Pro can be used for SMTP enumeration.

DNS Enumeration

The main tools used here is Nslookup. Using DNS enumeration the attacker’s motive is to find location of the DNS server and find records of the server.  If the attacker get in deep he may also collect a copy of the Zone file for a domain.

nslookup

The below screenshot show all the command that can be used with NSLOOKUP.

screenshots

Countermeasures

To avoid any enumeration on SNMP, do not keep the agent on devices that do not need it and also disable SNMP services

Keep strong “community strings” or passwords and do not allow null sessions to be created. Block access to DNS enumeration, makes sure zone transfer to unknown host is disabled.

For SMTP, beware of opening emails from unknown persons.

LDAP allow only authenticated users to access it. Also make use of SSL for traffic being transmitted.

Read more

Read more