CEHv10 Enumeration
DNS enumeration countermeasures:
- Disable DNS zone transfers to untrusted hosts (allow them only to listed secondary servers)
- Make sure private hosts and their IP addresses are not published in the zone files of public DNS servers
- Use premium DNS registration services that hide sensitive information such as host information (HINFO) from the public
- Use standard network admin contacts for DNS registrations to avoid social engineering attacks
- Prune DNS zone files to prevent revealing unnecessary information
Techniques for Enumeration
- Extract user names from e-mail IDs (the local part of an address is often the login name)
- Extract information using default passwords
- Brute-force Active Directory: Microsoft Active Directory is susceptible to username enumeration when it validates user-supplied input; if the "logon hours" feature is enabled, authentication attempts return different error messages for valid and invalid accounts
- Extract information using DNS zone transfer
- Extract user groups from Windows
- Extract user names using SNMP
SNMP enumeration countermeasures:
- Remove the SNMP agent or turn off the SNMP service
- If shutting off SNMP is not an option, change the default community strings (public/private)
- Upgrade to SNMPv3, which adds authentication and encryption (authPriv) in place of clear-text community strings
- Implement the Group Policy security option "Additional restrictions for anonymous connections"
- Restrict access to null session pipes and null session shares, and apply IPsec filtering
- Block access to UDP ports 161 and 162 at the network perimeter
- Do not install the Windows management and monitoring component unless it is required
- Encrypt or authenticate SNMP traffic with IPsec
LDAP Enumeration Tools
Softerra LDAP Administrator: browses and manages LDAP directories and provides a wide range of features for LDAP development, deployment and directory administration.
Others: LDAP Admin Tool, LDAP Account Manager, LDAP Search, JXplorer, Active Directory Explorer, LDAP Admin, LDAP Administration Tool, OpenLDAP (ldapsearch), ad-ldap-enum, LEX - The LDAP Explorer, LDAP Browser/Editor
Services and Ports to Enumerate
- TCP/UDP 53: DNS (zone transfer over TCP)
- TCP/UDP 135: Microsoft RPC Endpoint Mapper
- UDP 137: NetBIOS Name Service (NBNS)
- TCP 139: NetBIOS Session Service (SMB over NetBIOS)
- TCP 445: SMB over TCP (direct host)
- UDP 161: Simple Network Management Protocol (SNMP)
- TCP/UDP 162: SNMP Trap
- TCP/UDP 389: Lightweight Directory Access Protocol (LDAP)
- TCP/UDP 3268: Global Catalog Service
- TCP 25: Simple Mail Transfer Protocol (SMTP)
- UDP 500: ISAKMP/Internet Key Exchange (IKE)
- TCP/UDP 5060, 5061: Session Initiation Protocol (SIP)
RPC Enumeration
RPC (Remote Procedure Call) is an inter-process communication mechanism for building distributed client/server programs: a client invokes a procedure that executes on the server as if it were local.
- Components: client, server, endpoint, endpoint mapper, client stub and server stub, plus their dependencies.
- Nmap can identify RPC services on the network: nmap -sR <target IP/network> (in current Nmap versions -sR is an alias for the version scan -sV) or nmap -T4 -A <target IP/network> (aggressive scan: OS and version detection, scripts, traceroute).
- On Unix, rpcinfo -p <host> lists the programs registered with the portmapper.
where does rusers on Unix/linux live?
/usr/bin/rusers
NetBIOS Codes
- 00: hostname (Unique) / domain name (Group)
- 03: Messenger service for the computer or the logged-on user (Unique)
- 20: Server service running, i.e. file and print sharing (Unique)
- 1B: Domain master browser; identifies the Primary Domain Controller (PDC) for the domain (Unique)
- 1D: Master browser for the subnet (registered as Unique on the wire; the CEH table lists it as Group)
Related suffixes: 1C Domain Controllers (Group), 1E Browser Service Elections (Group)
the steps to enumeration:
1. Define the network range
2. Calculate the subnet mask
3. Host discovery
4. Port scanning
5. NetBIOS enumeration
6. SNMP enumeration
7. LDAP enumeration
8. NTP enumeration
9. SMTP enumeration
10. DNS enumeration
11. IPsec, VoIP, Linux, etc.
12. Document findings
how big is NetBIOS name?
15 characters, 16th is reserved for service/name record type
default size of UDP
512 bytes: the classic maximum DNS message size over UDP (without EDNS0). An answer that does not fit is returned truncated (TC bit set) and the client retries over TCP, which is why zone transfers always run over TCP 53.
Nbstat Utility
nbtstat is a Windows utility for troubleshooting NetBIOS name resolution problems.
- -a RemoteName: displays the NetBIOS name table of a remote computer, given its name
- -A IpAddress: displays the NetBIOS name table of a remote computer, given its IP address
- -c: lists the contents of the local NetBIOS name cache
- -n: displays the names registered locally by NetBIOS applications such as the server and redirector
- -r: displays a count of all names resolved by broadcast or by a WINS server
- -R: purges the name cache and reloads all #PRE entries from LMHOSTS
- -RR: releases and re-registers all names with the name server
- -s: lists the NetBIOS sessions table, converting destination IP addresses to computer NetBIOS names
- -S: lists the current NetBIOS sessions and their status with the IP addresses
- Interval: redisplays the selected statistics, pausing the given number of seconds between each display
What is svmap?
A free and open-source scanner (part of the SIPVicious suite) that identifies SIP devices and PBX servers on a target network.
- Also useful to system administrators as a network inventory tool.
- Designed to be faster than the competition by specifically targeting SIP over UDP; it scans VoIP networks for hosts and PBX servers.
- Usage: svmap <target network range>, e.g. svmap 192.168.0.1/24
NTP Enumeration
An attacker queries an NTP server to gather:
- the list of hosts connected to the NTP server
- client IP addresses in the network, their system names and operating systems
- internal IP addresses, if the NTP server sits in the DMZ and serves internal clients
NTP enumeration commands:
- ntpdate -q <server>: queries one or more time sources and prints their offset and stratum without setting the clock
- ntptrace <server>: determines where the NTP server gets its time and follows the chain of NTP servers back to the primary (stratum 1) source
- ntpdc <server>: queries the ntpd daemon about its current state and can request changes; ntpdc -c monlist is the classic (now usually disabled) query that lists recent clients
- ntpq -p <server>: monitors ntpd operations and performance; -p prints the peers the server synchronizes with
SMTP Enumeration Countermeasures
Configure SMTP servers to:
- ignore e-mail messages to unknown recipients
- not include sensitive mail server and local host information in mail responses
- disable the open relay feature
The remaining items on this card are LDAP countermeasures:
- LDAP traffic is transmitted unencrypted by default; use SSL/TLS or STARTTLS to encrypt it
- Select a user name different from your e-mail address and enable account lockout
- Restrict access to Active Directory using software such as Citrix
TCP/UDP 53
DNS
- DNS uses UDP 53 by default and falls back to TCP 53 when a message exceeds the 512-octet UDP limit, and for zone transfers (AXFR/IXFR), which always run over TCP.
- Some malware, such as the ADM worm and the Bonk Trojan, has used port 53 to exploit vulnerabilities in DNS servers.
SMB enumeration countermeasures
- Disable SMB on web and DNS servers
- Disable SMB on any internet-facing server
- Block TCP 139 and TCP 445 at the perimeter firewall (SMB over NetBIOS and direct-hosted SMB)
nbtstat -r
Displays a count of all names resolved by broadcast or WINS server.
nbtstat -c
Displays the NetBIOS name cache of the local computer, resolved names
nbtstat -n
Displays the names registered locally by NetBIOS applications such as the server and redirector
Net View
Enumerating shared resources: net view is a command-line utility that displays a list of computers or network resources. net view alone lists the computers in the current workgroup or domain; net view \\computername lists the shares on that computer; net view /domain:<name> lists the computers in the named domain.
TCP/UDP 3268
Global Catalog Service -Global Catalog allows one to locate objects from any domain without having to know the domain name.
NetBIOS Enumeration Tools
Hyena, Nsauditor Network Security Auditor, NetScanTools Pro, SoftPerfect Network Scanner, SuperScan, NetBIOS Enumerator, Nbtscan, IP Tools, MegaPing
what is IKE-scan?
IPsec enumeration
what is IPC$
Inter-Process Communication share (the $ suffix marks a hidden administrative share); null sessions are established by connecting to IPC$
UDP 500
ISAKMP (Internet Security Association and Key Management Protocol) / IKE (Internet Key Exchange)
- The protocol used to set up a security association (SA) in the IPsec protocol suite.
- Used to negotiate, modify and delete Security Associations (SAs) and cryptographic keys in a VPN environment.
TCP/UDP 389
LDAP (Lightweight Directory Access Protocol) -LDAP is a protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network.
what is SoftTerra?
Softerra LDAP Administrator, an LDAP enumeration/management tool
rusers
Linux command that displays the users logged on to remote machines on the local network (it queries the rusersd RPC service on each host). Output is similar to who, but covers the hosts on the local network.
Finger
Linux enumeration command that displays information about system users: login name, real name, terminal name, idle time, login time, office location and office phone number. finger <user>@<host> queries a remote fingerd on TCP 79.
nbtstat -s
Lists the NetBIOS sessions table converting destination IP addresses to computer NetBIOS names
nbtstat -S
Lists the current NetBIOS sessions and their status with the IP addresses
SMTP Enumeration
Mail systems commonly use SMTP to send mail and POP3 or IMAP to let users keep messages in a server mailbox and download them from the server when needed. SMTP finds the mail exchanger for a destination domain by querying DNS for its MX records.
what is MIB in SNMP?
Management Information Base: a formal description (in ASN.1) of all the network objects managed by SNMP, organized as a tree of OIDs. Microsoft documents the MIBs installed with the SNMP service in the Windows resource kit; the major ones are:
- DHCP.MIB: monitors network traffic between DHCP servers and remote hosts
- HOSTMIB.MIB: monitors and manages host resources
- LNMIB2.MIB: contains object types for the workstation and server services
- WINS.MIB: Windows Internet Name Service
TCP/UDP 135
Microsoft RPC (Remote Procedure Call)
- RPC is a protocol a client system uses to request a service from a server; on Windows the Endpoint Mapper on port 135 tells clients which dynamic port each RPC interface listens on.
- Unauthenticated queries to the Endpoint Mapper reveal the registered interfaces (for example with Impacket's rpcdump.py), and flaws in the Endpoint Mapper have historically allowed crafted RPC messages to crash the service, causing a Denial of Service (DoS).
what is PRTG network monitor?
A network monitoring product that CEH lists as an NTP enumeration/management tool (it can monitor NTP along with SNMP, WMI, SSH and other sources)
UDP 137
NetBIOS Name Service
- NBNS resolves NetBIOS names to IP addresses (and the reverse) for computers running NetBIOS; WINS (Windows Internet Name Service) is Microsoft's server implementation of NBNS.
- Attackers usually attack the name service first, because it tells them which hosts and services exist.
TCP 139
NetBIOS Session Service (SMB over NetBIOS)
- Used to transfer files over a network.
- Systems use this port both for NULL session establishment and for file and printer sharing.
- Improper configuration of this port can allow an intruder to gain unauthorized access to critical system files or the complete file system, resulting in data theft or other malicious activity.
what is Hyena?
NetBIOS enumeration tool
- Supports management of users, groups (local and global), shares, domains, computers, services, devices, events, files, printers, print jobs, sessions, open files, disk space, user rights, messaging, exporting, job scheduling, processes and printing.
- Shows shares and user logon names for Windows servers and domain controllers.
SMTP Enumeration Tools
- NetScanTools Pro: its SMTP Email Generator tool tests the process of sending an e-mail message through an SMTP server and can extract all the common e-mail header parameters, including confirm/urgent flags.
- smtp-user-enum: a tool for enumerating OS-level user accounts via the SMTP service (written against Solaris sendmail, but it works against any server whose replies differ for valid and invalid users). Enumeration is performed by inspecting the responses to the VRFY, EXPN and RCPT TO commands.
- Telnet (manual VRFY/EXPN/RCPT TO on port 25)
- Vanquish
- MX Toolbox
DNS Enumeration Tools
Nslookup, DNSstuff; on Unix also dig (dig axfr <zone> @<nameserver>) and host -l <zone> <nameserver>
what is an OID in SNMP?
Object Identifier: the numeric name of a managed object, written as a dotted path from the root of the MIB tree (e.g. 1.3.6.1.2.1.1.5.0 is sysName.0). It uniquely identifies the object within the MIB hierarchy.
NTP Enumeration Tools
- PRTG Network Monitor: monitors all systems, devices, traffic and applications of the IT infrastructure using technologies such as SNMP, WMI and SSH
- Nmap
- Wireshark
- udp-proto-scanner
- NTP Time Server Monitor
nbtstat -RR
Releases and reregisters all names with the name server.
how to restrict anonymous access to SMB
Null-session access is controlled by registry values (set through Group Policy on current Windows):
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters: RestrictNullSessAccess = 1; NullSessionShares and NullSessionPipes list the shares and pipes still reachable anonymously
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa: RestrictAnonymous = 1 (or 2 on Windows 2000) and RestrictAnonymousSAM = 1, i.e. the policy "Network access: Do not allow anonymous enumeration of SAM accounts and shares"
TCP/UDP 5060, 5061
SIP (Session Initiation Protocol)
- A signalling protocol used by Internet telephony applications for voice and video calls.
- Uses TCP/UDP port 5060 for clear-text signalling and 5061 for signalling encrypted with TLS, between clients, servers and other endpoints. The media itself (RTP) travels on separate ports.
TCP/UDP 445
SMB over TCP (Direct Host) -Windows supports file and printer sharing traffic using the Server Message Block (SMB) protocol directly hosted on TCP
TCP 25
SMTP (Simple Mail Transfer Protocol) -SMTP is a TCP/IP mail delivery protocol. -It runs on the connection-oriented service provided by Transmission Control Protocol (TCP)
UDP 161
SNMP (Simple Network Management Protocol)
- Monitors network-attached devices such as routers, switches, firewalls, printers and servers.
- The agent receives requests from managers on UDP 161 and answers them to the manager's source port; the notifications (traps) it originates are sent to the manager on port 162.
TCP/UDP 162
SNMP Trap (Simple Network Management Protocol Trap)
- Port 162 is where the manager receives unsolicited notifications from agents, carrying the sysUpTime value, the trap OID and optional variable bindings.
what is Oputils?
SNMP enumeration tool; a switch port and IP address management product.
- A collection of tools network engineers use to monitor, diagnose and troubleshoot networking issues.
- Can manage IP addresses, map switch ports, detect rogue devices, monitor bandwidth usage, monitor the DHCP server, back up Cisco configuration files, view SNMP traps sent by network devices, get the MAC/IP list, etc.
VoIP Enumeration
VoIP has replaced the traditional PSTN in both corporate and home environments. SIP signalling uses UDP/TCP 5060 (clear) and 5061 (TLS); other VoIP signalling protocols use additional ports, e.g. Cisco SCCP (Skinny) on TCP 2000. Attackers use svmap (SIPVicious) and Metasploit modules to perform VoIP enumeration.
IPsec Enumeration
IPsec is the most commonly implemented technology for both gateway-to-gateway (LAN-to-LAN) and host-to-gateway (remote access) enterprise VPNs.
- It secures traffic between VPN endpoints with ESP (Encapsulating Security Payload), AH (Authentication Header) and IKE (Internet Key Exchange).
- Most IPsec VPNs use ISAKMP (Internet Security Association and Key Management Protocol), carried by IKE, to negotiate security associations and cryptographic keys.
- An attacker can probe for ISAKMP directly on UDP 500 (and NAT-T on UDP 4500) with tools like Nmap: nmap -sU -p 500 10.10.10.11 checks whether isakmp is open; nmap -sU -p 500 --script ike-version 10.10.10.11 adds vendor-ID fingerprinting.
LDAP enumeration countermeasures
- LDAP is unencrypted by default: use LDAPS (SSL/TLS on TCP 636) or STARTTLS on 389 to encrypt it
- Select a user name different from the e-mail address
- Enable account lockout
SNMP: Trap
Used by the SNMP agent to inform the pre-configured SNMP manager of a certain event.
IKE-scan
Used for IPsec enumeration.
- Discovers IKE hosts and fingerprints them from their retransmission back-off pattern and vendor IDs.
- Can be used for discovery, fingerprinting, transform enumeration, user (group ID) enumeration in aggressive mode, and pre-shared key cracking (with the bundled psk-crack).
- ike-scan -M <target gateway IP address> performs IPsec VPN discovery with multi-line output (-M); ike-scan -A -M <ip> tries aggressive mode.
DNS Enumeration Using Zone Transfer
A zone transfer copies the DNS zone file from the primary DNS server to a secondary DNS server (AXFR over TCP 53).
- Attackers request it to locate the target organization's DNS servers and records.
- A successful transfer yields DNS server names, hostnames, machine names, user names, IP addresses and similar details of potential targets.
- Correctly configured servers only allow transfers to their listed secondaries (e.g. allow-transfer in BIND); the expected answer from a hardened server is REFUSED.
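Added example, not part of the original deck: the AXFR exchange behind "dig axfr", built and parsed by hand to show why transfers run over TCP (2-byte length prefix, no 512-byte limit), what a refused transfer looks like, and which records the countermeasures above tell you to prune (private addresses, HINFO). The zone example.test, its addresses and the reply bytes are constructed here, not captured traffic; the helper names are this example's own.

```python
import ipaddress
import struct

# Record types this example understands (subset of the IANA registry).
TYPES = {1: "A", 2: "NS", 6: "SOA", 13: "HINFO", 252: "AXFR"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def encode_qname(name):
    """Wire-format a domain name as length-prefixed labels ending in a 0 byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_axfr_query(zone, txid=0x1337):
    """AXFR request (QTYPE 252). A zone never fits the 512-byte UDP limit, so the
    request goes over TCP, where every DNS message carries a 2-byte length prefix."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    msg = header + encode_qname(zone) + struct.pack(">HH", 252, 1)
    return struct.pack(">H", len(msg)) + msg


def read_name(pkt, off):
    """Read a possibly compressed name; return (name, offset after the name)."""
    labels, end, jumped = [], None, False
    while True:
        ln = pkt[off]
        if ln & 0xC0 == 0xC0:                      # compression pointer to an earlier name
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack_from(">H", pkt, off)[0] & 0x3FFF, True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(pkt[off:off + ln].decode())
        off += ln
    return ".".join(labels) + ".", (end if jumped else off)


def parse_rdata(rtype, pkt, off, rdlen):
    """Render RDATA for the record types the sample zone contains."""
    rdata = pkt[off:off + rdlen]
    if rtype == 1:
        return ".".join(str(b) for b in rdata)
    if rtype == 2:
        return read_name(pkt, off)[0]
    if rtype == 6:
        mname, o = read_name(pkt, off)
        rname, o = read_name(pkt, o)
        return "%s %s serial=%d" % (mname, rname, struct.unpack_from(">I", pkt, o)[0])
    if rtype == 13:                                # two <character-string>s: CPU, OS
        cpu_len = rdata[0]
        cpu = rdata[1:1 + cpu_len]
        os_ = rdata[2 + cpu_len:2 + cpu_len + rdata[1 + cpu_len]]
        return '"%s" "%s"' % (cpu.decode(), os_.decode())
    return rdata.hex()


def parse_axfr_response(tcp_stream):
    """Return (rcode, [(owner, type, rdata), ...]). A complete transfer begins and
    ends with the zone's SOA; rcode 5 (REFUSED) means transfers are restricted."""
    (mlen,) = struct.unpack_from(">H", tcp_stream, 0)
    pkt = tcp_stream[2:2 + mlen]
    _txid, flags, qd, an, _ns, _ar = struct.unpack_from(">HHHHHH", pkt, 0)
    rcode = flags & 0x000F
    if rcode:
        return rcode, []
    off = 12
    for _ in range(qd):
        _, off = read_name(pkt, off)
        off += 4                                   # QTYPE + QCLASS
    records = []
    for _ in range(an):
        owner, off = read_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from(">HHIH", pkt, off)
        off += 10
        records.append((owner, TYPES.get(rtype, str(rtype)), parse_rdata(rtype, pkt, off, rdlen)))
        off += rdlen
    return rcode, records


def sensitive_records(records):
    """Countermeasure check: RFC 1918 addresses and HINFO records should not be in a public zone."""
    hits = []
    for owner, rtype, value in records:
        if rtype == "HINFO" or (rtype == "A" and any(ipaddress.ip_address(value) in n for n in RFC1918)):
            hits.append((owner, rtype, value))
    return hits


def _rr(owner, rtype, rdata, ttl=3600):
    return encode_qname(owner) + struct.pack(">HHIH", rtype, 1, ttl, len(rdata)) + rdata


def build_sample_axfr_response(txid=0x1337, refused=False):
    """Constructed reply for the made-up zone example.test (not captured traffic)."""
    question = encode_qname("example.test") + struct.pack(">HH", 252, 1)
    if refused:                                    # hardened server: RCODE 5, no answers
        msg = struct.pack(">HHHHHH", txid, 0x8405, 1, 0, 0, 0) + question
        return struct.pack(">H", len(msg)) + msg
    soa = (encode_qname("ns1.example.test") + encode_qname("hostmaster.example.test")
           + struct.pack(">IIIII", 2024010101, 3600, 900, 604800, 86400))
    answers = [
        _rr("example.test", 6, soa),
        _rr("example.test", 2, encode_qname("ns1.example.test")),
        _rr("www.example.test", 1, bytes([203, 0, 113, 10])),
        _rr("fileserver.example.test", 1, bytes([10, 0, 0, 5])),           # internal host leaked
        _rr("fileserver.example.test", 13, b"\x05INTEL\x0cWindows 2016"),  # HINFO leaks CPU/OS
        _rr("example.test", 6, soa),
    ]
    msg = struct.pack(">HHHHHH", txid, 0x8400, 1, len(answers), 0, 0) + question + b"".join(answers)
    return struct.pack(">H", len(msg)) + msg
```

Against a real server you would send build_axfr_query() on a TCP socket to port 53 and feed the bytes read back into parse_axfr_response(); a large zone arrives as several length-prefixed messages, each parsed the same way.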
SNMP: getnextrequest
walks the MIB: each reply returns the next OID after the one requested, so repeating it from a base OID dumps every object the agent exposes (snmpwalk automates this)
what is SMTP RCPT
RCPT TO specifies a recipient of the message; a server that rejects unknown recipients with a 550 reply reveals whether an account exists
what is a DSA?
directory system agent, answers LDAP requests
nbtstat -a [remote name]
get the NetBIOS name table of remote computer using hostname
NetBIOS code: 1D
master browser name for the subnet; registers as a Unique name on the wire (the CEH table lists it as Group)
NetBIOS code: 00
host name or domain name, can be unique or group
what kinds of info can you get by querying the NTP server?
host names, IP's, operating systems
how can you get internal IP addresses by querying the NTP server?
if the NTP server is in the DMZ
what is a NetBIOS null session?
an anonymous connection to the IPC$ share with an empty username and password (net use \\target\IPC$ "" /u:""). It does not grant administrator privileges, but on older or misconfigured Windows hosts it lets the attacker list users, groups, shares and password policies.
SNMP: getrequest
the manager asks the agent for the value of one or more specific OIDs
what is a PBX?
Private Branch Exchange: a business telephone system that switches calls internally; an IP PBX uses the LAN or WAN instead of PSTN circuit switches
Unix/Linux User Enumeration
Provides a list of users with details such as user name, host name, and start date and time of each session. Commands used:
- rusers
- rwho
- finger
what is ntpdate?
sets the system clock from one or more NTP servers; with -q it only queries the server and prints its offset and stratum, which is how it is used for enumeration (the deck's "ntpupdate" is a typo for ntpdate)
two types of SNMP passwords:
- read community string (default "public"): lets the holder view the configuration of the device or system
- read/write community string (default "private"): lets the holder change or edit the configuration of the device
Both travel in clear text in SNMPv1/v2c, so anyone who can sniff a request learns the string.
linux- command that displays a list of users who are logged in to hosts on the local network
rwho
NetBIOS code: 20
server service running
LDAP enumeration
Querying the LDAP service to gather information such as valid user names, addresses and departmental details that can be used for further attacks. Directory services provide an organized set of records, such as a corporate e-mail directory, usually in a hierarchical, logical structure.
what is SPIT
spamming over internet telephony
NetBIOS Enumeration
NetBIOS stands for Network Basic Input/Output System.
- A NetBIOS name is a 16-byte string that identifies a device over TCP/IP: 15 characters for the device name (space padded) and the 16th byte reserved for the service or name record type.
- Used to obtain the list of computers that belong to a domain, the shares on the individual hosts in the network, and policies and passwords.
- Attackers usually target the NetBIOS service first, as it is easy to exploit and runs on Windows systems even when not in use.
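Added example that is not part of the original deck, covering both the NetBIOS name format card above and the NetBIOS Codes card: it encodes names the way they appear on UDP/137, builds the node-status query that "nbtstat -A" sends, and decodes the returned name table, where the suffix byte and the Group/Unique flag come from different fields. The reply, host names and MAC address are constructed here, not captured, and the function names are this example's own.

```python
import struct

# 16th-byte suffixes from the deck. Whether a registration is Unique or Group
# comes from the NAME_FLAGS G bit in the reply, not from the suffix value itself.
SUFFIXES = {
    0x00: "Workstation Service (unique) / Domain name (group)",
    0x03: "Messenger Service (computer or logged-on user)",
    0x1B: "Domain Master Browser (PDC)",
    0x1C: "Domain Controllers (group)",
    0x1D: "Master Browser for the subnet",
    0x1E: "Browser Service Elections (group)",
    0x20: "Server Service (file and print sharing)",
}
NBSTAT = 0x0021        # node status record type
CLASS_IN = 0x0001


def first_level_encode(raw16):
    """Split each of the 16 bytes into two nibbles and add 'A' (0x41) to each,
    producing the 32-character names seen on the wire."""
    out = bytearray()
    for b in raw16:
        out += bytes((0x41 + (b >> 4), 0x41 + (b & 0x0F)))
    return bytes(out)


def encode_name(name, suffix):
    """15 characters, space padded, then the suffix byte as character 16."""
    raw = name.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([suffix])
    return first_level_encode(raw)


def build_nbstat_query(txid):
    """The node-status request nbtstat -A sends: wildcard name '*' padded with NULs."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    qname = b"\x20" + first_level_encode(b"*" + b"\x00" * 15) + b"\x00"
    return header + qname + struct.pack(">HH", NBSTAT, CLASS_IN)


def parse_nbstat_response(pkt):
    """Return (names, mac); names is a list of dicts with name, suffix, group, desc."""
    _txid, flags, _qd, an, _ns, _ar = struct.unpack_from(">HHHHHH", pkt, 0)
    if not flags & 0x8000 or an < 1:
        raise ValueError("not a NBSTAT response")
    off = 12
    off += 1 + pkt[off] + 1                        # answer name: length, 32 chars, terminator
    rtype, _rclass, _ttl, _rdlen = struct.unpack_from(">HHIH", pkt, off)
    off += 10
    if rtype != NBSTAT:
        raise ValueError("unexpected record type %#x" % rtype)
    count = pkt[off]
    off += 1
    names = []
    for _ in range(count):                         # 18-byte NODE_NAME entries
        name = pkt[off:off + 15].rstrip(b" \x00").decode("ascii", "replace")
        suffix = pkt[off + 15]
        nflags = struct.unpack_from(">H", pkt, off + 16)[0]
        names.append({"name": name, "suffix": suffix, "group": bool(nflags & 0x8000),
                      "desc": SUFFIXES.get(suffix, "unknown")})
        off += 18
    mac = pkt[off:off + 6].hex(":")                # STATISTICS block starts with the unit ID (MAC)
    return names, mac


def format_table(names):
    """Render entries the way nbtstat prints its name table."""
    return ["%-15s <%02X>  %-6s %s" % (n["name"], n["suffix"],
                                        "GROUP" if n["group"] else "UNIQUE", n["desc"]) for n in names]


def build_sample_response(txid):
    """Constructed reply (not captured traffic): host WORKSTN1 in domain MYDOMAIN,
    running the Server service and acting as the subnet's master browser."""
    def entry(name, suffix, group):
        flags = 0x8400 if group else 0x0400        # G bit | active registration
        return name.encode().ljust(15, b" ") + bytes([suffix]) + struct.pack(">H", flags)
    entries = (entry("WORKSTN1", 0x00, False) + entry("WORKSTN1", 0x20, False)
               + entry("MYDOMAIN", 0x00, True) + entry("MYDOMAIN", 0x1E, True)
               + entry("WORKSTN1", 0x1D, False))
    rdata = bytes([5]) + entries + bytes.fromhex("001122aabbcc") + b"\x00" * 40
    header = struct.pack(">HHHHHH", txid, 0x8400, 0, 1, 0, 0)
    rr = (b"\x20" + first_level_encode(b"*" + b"\x00" * 15) + b"\x00"
          + struct.pack(">HHIH", NBSTAT, CLASS_IN, 0, len(rdata)))
    return header + rr + rdata
```

To query a live host, send build_nbstat_query() over UDP to port 137 and pass the datagram you get back to parse_nbstat_response(); a <00> entry with the group bit set is the domain or workgroup name, a <20> entry means the host offers shares, and <1B>/<1D> entries identify the PDC and the subnet's master browser.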
what is SMTP EXPN
tells the actual addresses of aliases or mailing groups
SNMP enumeration
the process of listing user accounts and devices on a target using SNMP. Attackers use it to extract network resources (hosts, routers, devices, shares) and network information (ARP tables, routing tables, device-specific information, traffic statistics). It works whenever the read community string is known or guessable; the default "public" is still common.
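Added example, not part of the original deck, that ties together the OID, community string and GetRequest/GetNextRequest cards: a minimal SNMPv1 encoder/decoder and a walk loop, run against a fake agent so it works offline. The agent, its three system-group values and the community strings are constructed here; nothing is taken from a real device, and the function names are this example's own.

```python
GET_REQUEST, GET_NEXT_REQUEST, GET_RESPONSE = 0xA0, 0xA1, 0xA2


def ber_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload


def encode_int(v):
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))


def encode_oid(oid):
    """Dotted OID -> BER: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for sub in arcs[2:]:
        chunk = bytearray([sub & 0x7F])
        sub >>= 7
        while sub:
            chunk.insert(0, 0x80 | (sub & 0x7F))
            sub >>= 7
        body += chunk
    return tlv(0x06, bytes(body))


def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0   # valid for the 0.x and 1.x arcs
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def read_tlv(buf, off):
    tag, ln, off = buf[off], buf[off + 1], off + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + ln], off + ln


def build_request(community, oid, request_id, pdu_type=GET_NEXT_REQUEST):
    """SNMPv1: SEQUENCE{version 0, community, PDU{id, err, idx, varbinds}}.
    The community string is sent in clear text, which is why sniffing one is enough."""
    varbinds = tlv(0x30, tlv(0x30, encode_oid(oid) + tlv(0x05, b"")))
    pdu = tlv(pdu_type, encode_int(request_id) + encode_int(0) + encode_int(0) + varbinds)
    return tlv(0x30, encode_int(0) + tlv(0x04, community.encode()) + pdu)


def parse_message(msg):
    """Return (community, pdu_type, request_id, error_status, [(oid, tag, value)])."""
    _, body, _ = read_tlv(msg, 0)
    _, _ver, off = read_tlv(body, 0)
    _, community, off = read_tlv(body, off)
    pdu_type, pdu, _ = read_tlv(body, off)
    _, rid, off = read_tlv(pdu, 0)
    _, err, off = read_tlv(pdu, off)
    _, _idx, off = read_tlv(pdu, off)
    _, vbl, _ = read_tlv(pdu, off)
    varbinds, off = [], 0
    while off < len(vbl):
        _, vb, off = read_tlv(vbl, off)
        _, oid_body, o = read_tlv(vb, 0)
        vtag, value, _ = read_tlv(vb, o)
        varbinds.append((decode_oid(oid_body), vtag, value))
    return (community.decode(), pdu_type, int.from_bytes(rid, "big", signed=True),
            int.from_bytes(err, "big"), varbinds)


# Constructed system-group values for the fake agent, not from any real device.
SAMPLE_MIB = {
    "1.3.6.1.2.1.1.1.0": (0x04, b"Linux edge-rtr-01 5.10.0 x86_64"),   # sysDescr
    "1.3.6.1.2.1.1.5.0": (0x04, b"edge-rtr-01"),                       # sysName
    "1.3.6.1.2.1.1.6.0": (0x04, b"DC2 rack 7"),                        # sysLocation
}


def oid_key(oid):
    return tuple(int(a) for a in oid.split("."))


def fake_agent(request, read_community="public"):
    """Answer like a v1 agent: a wrong community string is silently dropped (b'');
    past the end of the MIB view the reply carries error-status 2 (noSuchName)."""
    community, pdu_type, rid, _, varbinds = parse_message(request)
    if community != read_community:
        return b""
    asked = varbinds[0][0]
    if pdu_type == GET_NEXT_REQUEST:
        cands = sorted((k for k in SAMPLE_MIB if oid_key(k) > oid_key(asked)), key=oid_key)
    else:
        cands = [k for k in SAMPLE_MIB if k == asked]
    if not cands:
        vb = tlv(0x30, encode_oid(asked) + tlv(0x05, b""))
        body = encode_int(rid) + encode_int(2) + encode_int(1) + tlv(0x30, vb)
    else:
        vtag, val = SAMPLE_MIB[cands[0]]
        vb = tlv(0x30, encode_oid(cands[0]) + tlv(vtag, val))
        body = encode_int(rid) + encode_int(0) + encode_int(0) + tlv(0x30, vb)
    return tlv(0x30, encode_int(0) + tlv(0x04, community.encode()) + tlv(GET_RESPONSE, body))


def snmp_walk(agent, community, base="1.3.6.1.2.1.1"):
    """What GetNextRequest is for: each reply names the next OID, which becomes the
    next request, until the agent leaves the subtree or reports an error."""
    cur, rid, out = base, 1, []
    while True:
        reply = agent(build_request(community, cur, rid))
        if not reply:
            break                                  # wrong community string: no answer at all
        _, _, _, err, varbinds = parse_message(reply)
        if err or not varbinds or not varbinds[0][0].startswith(base + "."):
            break
        oid, _, value = varbinds[0]
        out.append((oid, value))
        cur, rid = oid, rid + 1
    return out
```

Against a real device you would send build_request() on a UDP socket to port 161 and pass each datagram back through parse_message(); snmp_walk(fake_agent, "public") reproduces what snmpwalk -v1 -c public <host> 1.3.6.1.2.1.1 does, and the silence for a wrong community string is the behaviour that makes community-string brute forcing slow but possible.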
Enumeration
the process of extracting user names, machine names, network resources, shares and services from a system or network. It allows you to collect: network resources, network shares, routing tables, audit and service settings, SNMP and FQDN details, machine names, users and groups, applications and banners.
what is ntptrace
traces the hops an NTP server makes to get its time info from the prime server
NetBIOS code: 1B
unique, identifies primary domain controller (PDC)
NetBIOS code: 03
unique, messenger service running on that computer or for the logged-in user
SNMP Enumeration Tools
Used to scan a single IP address or a range of IP addresses of SNMP-enabled network devices in order to monitor, diagnose and troubleshoot them: OpUtils, SolarWinds Engineer's Toolset, Nsauditor Network Security Auditor, Net-SNMP (snmpwalk, snmpget), Spiceworks Network Monitor, NetScanTools Pro, OiDViEW SNMP MIB Browser
how does IPSec work?
uses Authentication Headers, Encapsulation Security Payload, and IKE to secure connection between two endpoints
nbtstat -A [IP addr]
uses the IP address to display the NetBIOS name table of a remote machine (nbtstat -a does the same given the machine name)
Enumerating User Accounts
The PsTools suite helps control and manage remote systems from the command line:
- PsExec: a lightweight telnet replacement that executes processes on other systems, with full interactivity for console applications, without manually installing client software
- PsFile: shows the files on a system that are opened remotely and can close them by name or file identifier
- PsGetSid: translates SIDs to their display name and vice versa
- PsKill: kills processes on remote systems and terminates processes on the local computer
- PsInfo: gathers key information about local or remote legacy Windows NT/2000 systems
- PsList: displays process CPU and memory information or thread statistics
- PsLoggedOn: displays both locally logged-on users and users logged on via resources, for the local or a remote computer
- PsLogList: dumps the contents of an Event Log on a local or remote computer (the successor of the elogdump utility)
- PsPasswd: changes an account password on local or remote systems, so administrators can script password changes
- PsShutdown: shuts down or reboots a local or remote computer; it requires no manual installation of client software
what is SMTP VRFY
asks the server to confirm that a mailbox or user exists: 250 = exists, 550 = unknown, 252 = the server will not say (the hardened setting)
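Added example, not part of the original deck, for the SMTP cards (VRFY, EXPN, RCPT TO, smtp-user-enum and the SMTP countermeasures): the probing logic smtp-user-enum applies, run against a constructed in-memory mail server in two configurations, so you can see which replies leak accounts and what the countermeasures change. The server, the user list, the aliases and the reply texts are made up for this example; the function and class names are this example's own.

```python
import re

_CODE = re.compile(r"^(\d{3})[ -]")


def _multiline(code, items):
    """RFC 5321 multi-line reply: 'code-' on every line except the last."""
    return "\r\n".join("%d%s%s" % (code, "-" if i < len(items) - 1 else " ", x)
                       for i, x in enumerate(items))


class FakeSmtpServer:
    """Constructed stand-in for an MTA so the probing runs offline. hardened=True
    applies the countermeasures from the deck: VRFY always answers 252, EXPN is
    disabled, and RCPT TO no longer rejects unknown recipients with 550."""

    def __init__(self, users, aliases, hardened=False):
        self.users, self.aliases, self.hardened = set(users), aliases, hardened
        self.log = []                              # every command line the client sent

    def send(self, line):
        self.log.append(line)
        verb, _, arg = line.strip().partition(" ")
        verb, arg = verb.upper(), arg.strip()
        if verb in ("HELO", "EHLO"):
            return "250 mail.example.test"
        if verb == "MAIL":
            return "250 2.1.0 Ok"
        if verb == "VRFY":
            if self.hardened:
                return "252 2.5.2 Cannot VRFY user, but will accept message and attempt delivery"
            if arg in self.users:
                return "250 2.1.5 %s <%s@example.test>" % (arg, arg)
            return "550 5.1.1 %s... User unknown" % arg
        if verb == "EXPN":
            if self.hardened:
                return "502 5.5.1 EXPN not implemented"
            if arg in self.aliases:
                return _multiline(250, self.aliases[arg])
            return "550 5.1.1 %s... User unknown" % arg
        if verb == "RCPT":
            addr = arg.split(":", 1)[-1].strip("<> ")
            if self.hardened or addr.split("@")[0] in self.users:
                return "250 2.1.5 Ok"             # hardened: accept everything, bounce later
            return "550 5.1.1 <%s>: Recipient address rejected: User unknown" % addr
        return "500 5.5.1 Command unrecognized"


def enumerate_users(send, candidates, method="VRFY", domain="example.test"):
    """Probe each candidate with VRFY, EXPN or RCPT TO and classify the reply:
    2xx = exists, 5xx = does not, 252/502 = server refuses to disclose.
    Returns {"found": [...], "members": {alias: [...]}, "blocked": bool}."""
    send("HELO scanner.example")
    if method == "RCPT":
        send("MAIL FROM:<probe@scanner.example>")
    result = {"found": [], "members": {}, "blocked": False}
    for user in candidates:
        if method == "VRFY":
            reply = send("VRFY %s" % user)
        elif method == "EXPN":
            reply = send("EXPN %s" % user)
        elif method == "RCPT":
            reply = send("RCPT TO:<%s@%s>" % (user, domain))
        else:
            raise ValueError("method must be VRFY, EXPN or RCPT")
        code = int(_CODE.match(reply).group(1))
        if code in (252, 502):
            result["blocked"] = True
        elif 200 <= code < 300:
            result["found"].append(user)
            if method == "EXPN":
                result["members"][user] = [line[4:] for line in reply.split("\r\n")]
    return result


# Constructed directory and wordlist for the fake server.
USERS = ["alice", "bob", "postmaster"]
ALIASES = {"staff": ["Alice Example <alice@example.test>", "Bob Example <bob@example.test>"]}
CANDIDATES = ["alice", "carol", "bob", "staff"]
```

With the hardened server, RCPT TO "succeeds" for every candidate, including carol, which is exactly why accept-then-bounce defeats RCPT-based enumeration while a 550 for unknown recipients leaks the account list. Against a real host, send would wrap a socket to port 25 and read one reply per command.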