omotam img

Skip to main content
  1. Posts/

CEH v10: 04 Enumeration

··775 words·4 mins·

Enumeration is the process of extracting user names, machine names, network resources, shares and services from a system.

NOTE: This may cross legal boundaries, you must have proper permission to perform these actions.

Basic #

  • initiates active connection with the target

  • direct queries are generated

  • enumerated information:

    • routing information
    • SNMP information
    • DNS information
    • machine name
    • user information
    • group information
    • application and banners
    • network sharing information
    • network resources

Email #

  • Extract useful information (username, domain, ..)

Default password #

  • sometimes the default credentials didn’t changed

Active Directory (AD) #

  • Centralized command and control of domain users, computers, printers
  • Brute force or generating queries to LDAP
  • Ports:
    • TCP / UDP 389
  • Information from LDAP:
    • Username
    • Address
    • Credentials
    • Privileges information

Lightweight Directory Access Protocol (LDAP) #

  • Accessing and maintaining distributed directory information services in a hierarchical and logical structure
  • Allowing the sharing of information like user, system, network services, etc. throughout the network
  • Provides a central place to store usernames and passwords
  • Apps and services connect to LDAP to validate users
  • Client initiates an LDAP session bt sending an operation request to Directory System Agent (DSA)
  • Communication between client and server uses Basic Encoding Rules (BER)
  • Port:
    • TCP 389
  • Directory services using LDAP:
    • Active Directory
    • Open Directory
    • Oracle iPlanet
    • OpenLDAP

Simple Network Management Protocol (SNMP) #

  • Allow management of devices (routers, servers, …)
  • Manage network performance
  • Find, troubleshoot, solve problems
  • Design, plan for network growth
  • Application layer protocol
  • Ports:
    • UDP 161
    • UDP 162 (Trap)
  • Three element: -SNMP manager: - A software running on the management station - Display collected information
    • SNMP agent:
      • A software running on the network nodes
      • Different components are monitored (CPU, RAM, …)
    • Management Information Base (MIB):
      • A collection of information organized hierarchically in a virtual database
      • 2 types:
        • Scaler: single object instance
        • Tabular: multiple related object instance
  • Use default community strings or guess to extract information
  • Community strings:
    • Used for authentication
    • Types:
      • read-only (read only information from a device)
      • read-write (read information, modify settings)
      • trap
  • SNMP Trap:
    • Initiated by the SNMP agent
    • Report an issue
  • Information from SNMP:
    • Host
    • Devices
    • Shares
    • Network information
  • Versions:
    • v1:
      • No support for encryption and hashing
      • Plain text community string
    • v2:
      • No support for encryption and hashing
      • Some function added (i.e. get data in bulk from agents)
    • v3:
      • Support encryption (DES)
      • Support hashing (MD5 or SHA)
      • 3 model:
        • NoAuthNoPriv: no encrypt and no hashing
        • AuthNoPriv: no encrypt, just hashing
        • AuthPriv: encryption + hashing used

DNS Zone Transfer #

  • Zone transfer is a process to update DNS server, copy containing database record to another DNS server
  • Ports:
    • UDP 53 (DNS queries)
    • TCP 53 (DNS Zone Transfer)
  • Information from DNS zone transfer process:
    • Locating DNS server
    • DNS records
    • Hostname
    • IP address
    • Username
  • Tool:
    • Linux: nslookup, dig, host

Example:

host -t axfr zonetransfer.me nsztm1.digi.ninja.

Network Basic Input/Output System (NetBIOS) #

  • Allows communication between different application on different system within LAN
  • Uses a 16 ASCII Character string to identify devices
  • The initial 15 chars is identifying the device, the last char identify the service
  • Session layer protocol
  • Ports:
    • UDP 137 (name services)
    • UDP 138 (datagram services)
    • TCP 139 (session services)
  • Information from NetBIOS:
    • List of machines within a domain
    • File sharing
    • Printer sharing
    • Username
    • Group information
    • Password
    • Policies
  • NetBIOS names are classified into the following types:
    • Unique
    • Group
    • Domain name
    • Internet group
    • Multihomed
  • Tools: -Windows: nbtstat -Linux: nbtscan

Network Time Protocol (NTP) #

  • Synchronize the clocks across the hosts and network devices
  • A lot of services rely on clock settings (logging, login, …)
  • Application layer protocol
  • Port:
    • UDP 123
  • Based on UTC
  • Stratum:
    • Distance between NTP server and device
    • Like TTL
    • Start from 1 and increases by every hop
  • Attacker may change time to mislead forensic team, who investigate the events (change timestamp)
  • Version 3 and above:
    • Support a cryptographic authentication technique between NTP peers
    • Without authentication, the client do not authenticate the server as a secure source, if the legitimate server goes down, a fake NTP server can replace the real
  • Information from NTP:
    • Host information
    • Client information (IP, machine name, OS)
    • Network information
  • Tool:
    • Linux: ntpdc, ntptrace, ntpq, nmap, wireshark

Simple Mail Transfer Protocol (SMTP) #

  • Ensures mail communication between Email servers
  • Application layer protocol
  • Port:
    • TCP 25 (Unencrypted)
    • TCP 587 (TLS)
  • Enumeration with Telnet
  • Commands:
    • HELO: identify domain name of the sender
    • EXPN: verify Mailbox on localhost
    • MAIL FROM: identify sender of the email
    • RCPT TO specify the message recipients
    • SIZE: specify maximum supported size
    • DATA: define data
    • RSET: reset connection and buffer of SMTP
    • VRFY: verify the availability of Mail server
    • HELP: show help
    • QUIT: terminate session

Countermeasures #

  • Advanced security softwares
  • Updated version of protocols
  • Strong security protocols
  • Unique and difficult password
  • Strong encrypted communications
  • Disable unnecessary ports