Enumeration

Objectives

Understanding Enumeration Concepts, Understanding different techniques for NetBIOS enumeration, Understanding Different Techniques for SNMP enumeration, Understanding different techniques for LDAP enumeration, Understanding different techniques for NTP enumeration, Understanding different techniques for SMTP and DNS Enumeration, Enumeration countermeasures, Overview of enumeration pen testing

Enumeration Concepts

  • In the enumeration phase, attacker creates active connections to system and performs directed queries to gain more information. Uses this information to identify system attack points and perform password attacks
    • Conducted in an intranet environment
  • Techniques for Enumeration
    • Extract user names using email IDs
    • Extract user names using SNMP
    • Extract user groups from windows
    • Extract information using the default passwords
    • Brute force active directions
    • Extract information using DNS Zone Transfer
  • Popular Ports to Enumerate
    • TCP/UDP 53 - DNS Zone Transfer
    • TCP/UDP 135 - Microsoft EPC Endpoint Manager
    • UDP 137 - NetBIOS Name Service (NBNS)
    • TCP 139 - SMB over NetBIOS
    • TCP/UDP 445 - SMB over TCP (direct host)
    • UDP 161 - Simple Network Management Protocol (SNMP)
    • TCP/UDP 389 - Lightweight Directory Access Protocol (LDAP)
    • TCP/UDP 3268 - Global Catalog Service
    • TCP 25 - Simple Mail Transfer Protocol (SMTP)
    • TCP/UDP 162 - SNMP Trap

NetBIOS Enumeration

  • NetBIOS name is a unique 16 ASCII string used to identify the network devices (15 of it are device name, 16 is reserved for service or name record type)
  • Nbtstat utility displays NetBIOS over TCP/IP protocol statistics, NetBIOS name tables/cache
  • Net View utility is used to obtain a list of all the shared resources of remote hosts or workgroup

SNMP Enumeration (simple network Management protocol enumeration)

  • SNMP enumeration is a process of enumerating user accounts and devices on a target system using SNMP
  • SNMP contains a manager and agent. Agends are embedded on every network, manager installed on a seperate computer
  • SNMP has two passwords
    • Attacker uses default community strings to extract info
    • Uses it to extract information about network resources such as hosts, routers, devices, shares
  • Management Information Base (MIB)
    • MIB is a virtual database containing formal description of all the network objects managed using SNMP

LDAP Enumeration

  • LDAP is an internet protocol for accessing distributed directory services
  • Attacker queries LDAP service to gather information such as valid user names, addresses, departmental details, etc

NTP Enumeration

  • Network Time Protocol (NTP) is designed to synchronize clocks of networked computers
  • Uses UDP port 123
  • Can use it to find important information on a network
  • Can use Nmap, Wireshark

SMTP and DNS Enumeration

  • SMTP has 3 built-in commands
    • VRFY - Validates users
    • EXPN - Tells actual delivery addresses of aliasses and mailing lists
    • RCPT TO - Defines the recipients of the message
  • SMTP servers respond differently to these commands
  • Attackers can directly interact with SMTP via the telnet prompt and collect a list of valid users on the SMTP Server

Enumeration Countermeasures

  • SNMP countermeasures
    • Remove SNMP agent on turn off the SNMP service (block 161)
    • Change default community string name
    • Upgrade to SNMP3, which encrypts passwords/messages
    • Implement additional security option called “additional restrictions for anonymous connections”
    • Ensure that the access to null session pipes, null session shares, and IPsec filtering are restricted
  • DNS countermeasures
    • Disable DNS zone transfers to the untrusted hosts
    • Make sure private hosts and their IP addresses are not published into DNS zone files of public DNS server
    • Use premium DNS registration services to hide sensitive information
    • Use standard network admin contacts for dns registrations in order to avoid social engineering attacks
  • SMTP countermeasures
    • Ignore email messages to unknown recipients
    • Disable open relay features
    • Do not include sensitive mail server and local host information in mail responses
  • LDAP countermeasures
    • Restrict access to active directory by using software such as citrix
    • Enable account lockout
    • Use SSL technology for LDAP traffic
  • Enumeration Pen Testing
    • Used to identify valid user accounts or poorly protected resource shares
    • Information can be users and groups, network resources
    • Used in combination with data collected in reconnaissance phase
    • Steps in Enumeration Pen Testing
      • Find the network range
      • Calculate the subnet mask
      • Undergo host discovery
      • Perform port scanning
      • Perform NetBIOS enumeration
      • Perform SNMP enumeration
      • Perform LDAP enumeration
      • Perform NTP enumeration
      • Perform SMTP enumeration
      • Perform DNS enumeration
      • Document all findings

results matching ""

    No results matching ""