CEH Ch 4


SMTP syntaxes

Hello - HELO <sending-host>
From - MAIL FROM:<from-address>
Recipient - RCPT TO:<to-address>
Data - DATA
Reset - RESET
Verify - VRFY <string>
Expand - EXPN <string>
Help - HELP [string]
Quit - QUIT

The following are some NTP enumeration tools:

Nmap (https://nmap.org)
Wireshark (https://www.wireshark.org)
udp-proto-scanner (https://labs.portcullis.co.uk)
NTP Server Scanner (http://www.bytefusion.com)

PRTG Network Monitor Source: https://www.paessler.com

PRTG monitors all systems, devices, traffic, and applications of IT infrastructure by using various technologies such as SNMP, WMI, and SSH.

Extract usernames using SNMP

Attackers can easily guess read-only or read-write community strings by using the SNMP application programming interface (API) to extract usernames.

DNSRecon Source: https://github.com

Attackers use DNSRecon to check all NS records of the target domain for zone transfers. As shown in the screenshot, attackers use the following command for DNS zone transfer:

dnsrecon -t axfr -d <target domain>

Nmap Source: https://nmap.org

Attackers use the Nmap Scripting Engine (NSE) for discovering NetBIOS shares on a network. The nbstat script of NSE allows attackers to retrieve the target's NetBIOS names and MAC addresses:

nmap -sV -v --script nbstat.nse <target IP address>

dig Command

Attackers use the dig command on Linux-based systems to query the DNS name servers and retrieve information about the target host addresses, name servers, mail exchanges, etc.

dig ns <target domain>

The above command retrieves all the DNS name servers of the target domain. The following command then requests a zone transfer (AXFR) from one of those name servers:

dig @<domain of name server> <target domain> axfr

nslookup Command Source: https://docs.microsoft.com

Attackers use the nslookup command on Windows-based systems to query the DNS name servers and retrieve information about the target host addresses, name servers, mail exchanges, etc. In interactive mode:

nslookup
set querytype=soa
<target domain>

The above commands set the query type to the Start of Authority (SOA) record to retrieve administrative information about the DNS zone of the target domain (certifiedhacker.com in the example). A zone transfer is then requested from the listed name server:

ls -d <domain of name server>

TCP 179: Border Gateway Protocol (BGP)

BGP is widely used by Internet service providers (ISPs) to maintain huge routing tables and for efficiently processing Internet traffic. BGP routers establish sessions on TCP port 179.

PsList

PsList is a command-line tool that displays central processing unit (CPU) and memory information or thread statistics.

NFS Enumeration

NFS is a type of file system that enables users to access, view, store, and update files over a remote server. This remote data can be accessed by the client in the same way it is accessed on the local system. The /etc/exports file on the NFS server contains a list of clients allowed to share files on the server.

ntpdate

-4 Force DNS resolution of given host names to the IPv4 namespace
-6 Force DNS resolution of given host names to the IPv6 namespace
-a key Enable the authentication function/specify the key identifier to be used for authentication
-B Force the time to always be slewed
-b Force the time to be stepped
-d Enable debugging mode
-e authdelay Specify the processing delay to perform an authentication function
-k keyfile Specify the path for the authentication key file as the string "keyfile"; the default is /etc/ntp/keys
-o version Specify the NTP version for outgoing packets as an integer version, which can be 1 or 2; the default is 4
-p samples Specify the number of samples to be acquired from each server, with values ranging from 1-8; the default is 4
-q Query only; do not set the clock
-s Divert logging output from the standard output (default) to the system syslog facility
-t timeout Specify the maximum wait time for a server response; the default is 1 s
-u Use an unprivileged port for outgoing packets
-v Be verbose; logs ntpdate's version identification string

The following are some pieces of information an attacker can obtain by querying an NTP server:

- List of hosts connected to the NTP server
- Clients' IP addresses in the network, their system names, and OSs
- Internal IPs, if the NTP server is in the demilitarized zone (DMZ)

Management Information Base (MIB)

- MIB is a virtual database containing a formal description of all the network objects that SNMP manages. It is a collection of hierarchically organized information. It provides a standard representation of the SNMP agent's information and storage.
- MIB-managed objects include scalar objects, which define a single object instance, and tabular objects, which define a group of related object instances. OIDs include the object's type (such as counter, string, or address), access level (such as read or read/write), size restrictions, and range information.

The communication process between an SNMP manager and SNMP agent is as follows.

- The SNMP manager (Host X, 10.10.2.1) uses the GetRequest command to send a request for the number of active sessions to the SNMP agent (Host Y, 10.10.2.15).
- The SNMP agent (Host Y) receives the message and verifies if the community string (Compinfo) is present on its MIB, checks the request against its list of access permissions for that community, and verifies the source IP address.
- If the SNMP agent does not find the community string or access permission in Host Y's MIB database and the SNMP service is set to send an authentication trap, it sends an authentication failure trap to the specified trap destination, Host Z.
- The master agent component of the SNMP agent calls the appropriate extension agent to retrieve the requested session information from the MIB.
- Using the session information retrieved from the extension agent, the SNMP service forms a return SNMP message that contains the number of active sessions and the destination IP address (10.10.2.1) of the SNMP manager, Host X.
- Host Y sends the response to Host X.

Its syntax is as follows:

ntpdc [-ilnps] [-c command] [hostname/IP_address]

-c Following argument interpreted as an interactive format command; multiple -c options may be given
-i Force ntpdc to operate in the interactive mode
-l Obtain a list of peers known to the server(s); this switch is equivalent to -c listpeers
-n Output all host addresses in the dotted-quad numeric format, rather than host names
-p Print a list of the peers as well as a summary of their states; this is equivalent to -c peers
-s Print a list of the peers as well as a summary of their states, but in a slightly different format than the -p switch; this is equivalent to -c dmpeers

Its syntax is as follows:

ntpq [-inp] [-c command] [host/IP_address]

-c Following argument is an interactive format command; multiple -c options may be given
-d Debugging mode
-i Force ntpq to operate in the interactive mode
-n Output all host addresses in the dotted-quad numeric format, rather than host names
-p Print a list of the peers as well as a summary of their states

Example interactive session:

ntpq> version
ntpq [email protected]
ntpq> host
current host is localhost

Its syntax is as follows:

ntptrace [-n] [-m maxhosts] [servername/IP_address]

-n Do not print host names and show only IP addresses; may be useful if a name server is down
-m maxhosts Set the maximum number of levels up the chain to be followed

Extract information using DNS Zone Transfer

A network administrator can use DNS zone transfer to replicate DNS data across several DNS servers or back up DNS files. For this purpose, the administrator needs to execute a specific zone-transfer request to the name server. If the name server permits zone transfer, it will convert all the DNS names and IP addresses hosted by that server to ASCII text. If the network administrators did not configure the DNS server properly, the DNS zone transfer can be an effective method to obtain information about the organization's network. This information may include lists of all named hosts, sub-zones, and related IP addresses. A user can perform DNS zone transfer using nslookup and dig commands.

NTP and NFS Enumeration

Administrators often overlook the Network Time Protocol (NTP) server when considering security. The Network File System (NFS) is used for the management of remote file access.

TCP/UDP 162: SNMP Trap

An SNMP trap uses TCP/UDP port 162 to send notifications such as optional variable bindings and the sysUpTime value from an agent to a manager.

Commonly used SNMP enumeration

Commonly used SNMP enumeration tools include OpUtils (https://www.manageengine.com) and Network Performance Monitor (https://www.solarwinds.com).

The major MIBs are as follows:

DHCP.MIB: Monitors network traffic between DHCP servers and remote hosts
HOSTMIB.MIB: Monitors and manages host resources
LNMIB2.MIB: Contains object types for workstation and server services
MIB_II.MIB: Manages TCP/IP-based Internet using a simple architecture and system
WINS.MIB: For the Windows Internet Name Service (WINS)

DNS Cache Snooping

DNS cache snooping is a type of DNS enumeration technique in which an attacker queries the DNS server for a specific cached DNS record. By using this cached record, the attacker can determine the sites recently visited by the user. Attackers use the following two DNS cache snooping methods to snoop on a target domain.

DNS Enumeration Using Zone Transfer

DNS zone transfer is the process of transferring a copy of the DNS zone file from the primary DNS server to a secondary DNS server. In most cases, the primary DNS server maintains a backup or secondary server for redundancy, which holds all the information stored in the primary server. Attackers can then perform DNS zone transfer to obtain DNS server names, hostnames, machine names, usernames, IP addresses, aliases, etc. assigned within a target domain.

TCP 2049: Network File System (NFS)

The NFS protocol is used to mount file systems on a remote host over a network, and users can interact with the file systems as if they are mounted locally. NFS servers listen for their client systems on TCP port 2049.

NTP Enumeration Commands

NTP enumeration commands include ntpdate, ntptrace, ntpdc, and ntpq.

ntpdate

This command collects a number of time samples from several time sources. Its syntax is as follows:

ntpdate [-46bBdqsuv] [-a key] [-e authdelay] [-k keyfile] [-o version] [-p samples] [-t timeout] [ -U user_name] server [...]

Enumerating User Accounts Source: https://docs.microsoft.com

Enumerating user accounts using the PsTools suite helps in controlling and managing remote systems from the command line. The following are some commands for enumerating user accounts.

What is Enumeration?

Enumeration is the process of extracting usernames, machine names, network resources, shares, and services from a system or network. In the enumeration phase, an attacker creates active connections with the system and sends directed queries to gain more information about the target.

Extract usernames using email IDs

Every email address contains two parts, a username and a domain name, in the format "username@domainname."

Techniques for Enumeration

Extract usernames using email IDs
Extract information using default passwords
Brute force Active Directory
Extract information using DNS Zone Transfer
Extract user groups from Windows
Extract usernames using SNMP

TCP 20/21: File Transfer Protocol

FTP is a connection-oriented protocol used for transferring files over the Internet and private networks. FTP is controlled on TCP port 21, and for data transmission, FTP uses TCP port 20 or some dynamic port numbers depending on the server configuration.

The following are some additional NetBIOS enumeration tools:

Global Network Inventory (http://www.magnetosoft.com)
Advanced IP Scanner (http://www.advanced-ip-scanner.com)
Hyena (https://www.systemtools.com)
Nsauditor Network Security Auditor (https://www.nsauditor.com)

NTP Enumeration Tools

NTP enumeration tools are used to monitor the working of NTP and SNTP servers in the network and help in the configuration and verification of connectivity from the time client to the NTP servers.

NTP Enumeration

NTP is designed to synchronize clocks of networked computers. It uses UDP port 123 as its primary means of communication.

NetBIOS

Name | NetBIOS Code | Type | Information Obtained
<host name> | <00> | UNIQUE | Hostname
<domain> | <00> | GROUP | Domain name
<host name> | <03> | UNIQUE | Messenger service running for the computer
<username> | <03> | UNIQUE | Messenger service running for the logged-in user
<host name> | <20> | UNIQUE | Server service running
<domain> | <1D> | GROUP | Master browser name for the subnet
<domain> | <1B> | UNIQUE | Domain master browser name, which identifies the primary domain controller (PDC) for the domain
<domain> | <1E> | GROUP | Browser service elections

UDP 500: Internet Security Association and Key Management Protocol (ISAKMP)/Internet Key Exchange (IKE)

Internet Security Association and Key Management Protocol (ISAKMP)/Internet Key Exchange (IKE) is a protocol used to set up a security association (SA) in the IPsec protocol suite.

The following are some additional LDAP enumeration tools:

LDAP Admin Tool (https://www.ldapsoft.com)
LDAP Account Manager (https://www.ldap-account-manager.org)
LDAP Search (https://securityxploded.com)
JXplorer (http://www.jxplorer.org)
Active Directory Explorer (AD Explorer) (https://docs.microsoft.com)

TCP/UDP 389: Lightweight Directory Access Protocol (LDAP)

LDAP is a protocol for accessing and maintaining distributed directory information services over an IP network.

SMTP Enumeration

Mail systems commonly use SMTP with POP3 and IMAP, which enable users to save messages in the server mailbox and download them from the server when necessary. SMTP uses mail exchange (MX) servers to direct mail via DNS. It runs on TCP port 25, 2525, or 587.

Extract information using default passwords

Many online resources provide a list of default passwords assigned by manufacturers to their products. Users often ignore recommendations to change the default usernames and passwords provided by the manufacturer or developer of a product. This eases an attacker's task of enumerating and exploiting the target system.

Brute force Active Directory

Microsoft Active Directory is susceptible to username enumeration at the time of user-supplied input verification. This is a design error in the Microsoft Active Directory implementation. If a user enables the "logon hours" feature, then all the attempts at service authentication result in different error messages. Attackers take advantage of this to enumerate valid usernames. An attacker who succeeds in extracting valid usernames can conduct a brute-force attack to crack the respective passwords.

TCP/UDP 3268: Global Catalog Service

Microsoft's Global Catalog server, a domain controller that stores extra information, uses port 3268. Its database contains rows for every object in the entire organization, instead of rows for only the objects in one domain.

TCP/UDP 445: SMB over TCP (Direct Host)

Windows supports file- and printer-sharing traffic using the SMB protocol directly hosted on TCP. In earlier OSs, SMB traffic required the NetBIOS over TCP (NBT) protocol to work.

UDP 137: NetBIOS Name Service (NBNS)

NBNS, also known as the Windows Internet Name Service (WINS), provides a name-resolution service for computers running NetBIOS. NetBIOS name servers maintain a database of the NetBIOS names for hosts and the corresponding IP address the host is using.

NFS Enumeration Tools

NFS enumeration tools scan a network within a given range of IP addresses or a single IP address to identify the NFS services running on it. These tools also assist in obtaining a list of RPC services using portmap, a list of NFS shares, and a list of directories accessible through NFS; further, they allow downloading a file shared through the NFS server.

nbtstat [-a RemoteName] [-A IP Address] [-c] [-n] [-r] [-R] [-RR] [-s] [-S] [Interval]

Nbtstat Parameter | Function
-a RemoteName | Displays the NetBIOS name table of a remote computer, where RemoteName is the NetBIOS computer name of the remote computer
-A IP Address | Displays the NetBIOS name table of a remote computer, specified by the IP address (in dotted decimal notation) of the remote computer
-c | Lists the contents of the NetBIOS name cache, the table of NetBIOS names and their resolved IP addresses
-n | Displays the names registered locally by NetBIOS applications such as the server and redirector
-r | Displays a count of all names resolved by a broadcast or WINS server
-R | Purges the name cache and reloads all #PRE-tagged entries from the Lmhosts file
-RR | Releases and re-registers all names with the name server
-s | Lists the NetBIOS sessions table, converting destination IP addresses to computer NetBIOS names
-S | Lists the current NetBIOS sessions and their status with the IP addresses
Interval | Re-displays selected statistics, pausing at each display for the number of seconds specified in Interval

Nbtstat Utility Source: https://docs.microsoft.com

Nbtstat is a Windows utility that helps in troubleshooting NetBIOS name resolution problems. The nbtstat command removes and corrects preloaded entries using several case-sensitive switches.

NetBIOS Enumerator Source: http://nbtenum.sourceforge.net

NetBIOS Enumerator is an enumeration tool that demonstrates the use of remote network support and how to deal with some other network protocols, such as SMB.

NetScanTools Pro Source: https://www.netscantools.com

NetScanTools Pro's SMTP Email Generator tool tests the process of sending an email message through an SMTP server.

Module Objectives

Network Basic Input/Output System (NetBIOS), Simple Network Management Protocol (SNMP), Lightweight Directory Access Protocol (LDAP), Network Time Protocol (NTP), Network File System (NFS), Simple Mail Transfer Protocol (SMTP), Domain Name System (DNS), Internet Protocol Security (IPsec), Voice over Internet Protocol (VoIP), remote procedure call (RPC), Linux/Unix, Telnet, File Transfer Protocol (FTP), Trivial FTP (TFTP), Server Message Block (SMB), Internet Protocol version 6 (IPv6), and Border Gateway Protocol (BGP) enumeration

The following are some additional SNMP enumeration tools:

Network Performance Monitor (https://www.solarwinds.com)
OpUtils (https://www.manageengine.com)
PRTG Network Monitor (https://www.paessler.com)
Engineer's Toolset (https://www.solarwinds.com)

In particular, enumeration allows the attacker to collect the following information:

Network resources
Network shares
Routing tables
Audit and service settings
SNMP and fully qualified domain name (FQDN) details
Machine names
Users and groups
Applications and banners

PsExec

PsExec is a lightweight Telnet replacement that can execute processes on other systems, complete with full interactivity for console applications, without having to install client software manually.

psexec [\\computer[,computer2[,...] | @file]][-u user [-p psswd][-n s][-r servicename][-h][-l][-s|-e][-x][-i [session]][-c [-f|-v]][-w directory][-d][-<priority>][-a n,n,...] cmd [arguments]

PsFile

PsFile is a command-line utility that shows a list of files on a system that are opened remotely, and it can close opened files either by name or by a file identifier.

psfile [\\RemoteComputer [-u Username [-p Password]]] [[Id | path] [-c]]

PsGetSid

PsGetSid translates SIDs to their display name and vice versa. It works on built-in accounts, domain accounts, and local accounts.

psgetsid [\\computer[,computer[,...] | @file] [-u username [-p password]]] [account|SID]

PsKill

PsKill is a kill utility that can kill processes on remote systems and terminate processes on the local computer.

pskill [-] [-t] [\\computer [-u username] [-p password]] <process name | process id>

PsLoggedOn

PsLoggedOn is an applet that displays both the locally logged-in users and users logged in via resources for either the local computer or a remote one. If a username is specified instead of a computer, PsLoggedOn searches the computers in the network neighborhood and reveals whether the user is currently logged in.

psloggedon [-] [-l] [-x] [\\computername | username]

PsPasswd

PsPasswd can change an account password on local or remote systems, and administrators can create batch files that run PsPasswd on the computers they manage to perform a mass change of the administrator password.

pspasswd [[\\computer[,computer[,..] | @file [-u user [-p psswd]]] Username [NewPassword]

PsShutdown

PsShutdown can shut down or reboot a local or remote computer. It requires no manual installation of client software. The syntax of the PsShutdown command is as follows:

psshutdown [[\\computer[,computer[,..] | @file [-u user [-p psswd]]] -s|-r|-h|-d|-k|-a|-l|-o [-f] [-c] [-t nn|h:m] [-n s] [-v nn] [-e [u|p]:xx:yy] [-m "message"]

TCP/UDP 135: Microsoft RPC Endpoint Mapper Source: https://technet.microsoft.com

RPC is a protocol used by a client system to request a service from a server. An endpoint is the protocol port on which the server listens for the client's RPCs. The RPC Endpoint Mapper enables RPC clients to determine the port number currently assigned to a specific RPC service.

RPCScan Source: https://github.com

RPCScan communicates with RPC services and checks misconfigurations on NFS shares.

python3 rpc-scan.py 10.10.10.19 --rpc

SNMP contains the following two passwords for configuring and accessing the SNMP agent from the management station.

Read Community String
o The configuration of the device or system can be viewed with the help of this password.
o These strings are public.

Read/Write Community String
o The device configuration can be changed or edited using this password.
o These strings are private.

SMTP Enumeration Tools

SMTP enumeration tools are used to perform username enumeration. Attackers can use the usernames obtained from this enumeration to launch further attacks on other systems in the network.

TCP 25: Simple Mail Transfer Protocol (SMTP)

SMTP is a TCP/IP mail delivery protocol. It transfers email across the Internet and across local networks. It runs on the connection-oriented service provided by TCP and uses the well-known port number 25.

SMTP servers respond differently to VRFY, EXPN, and RCPT TO commands

SMTP servers respond differently to VRFY, EXPN, and RCPT TO commands for valid and invalid users; therefore, valid users on the SMTP server can be determined. Attackers can directly interact with SMTP via the Telnet prompt and collect a list of valid users on the SMTP server. Administrators and pen testers can perform SMTP enumeration using command-line utilities such as Telnet and netcat or by using tools such as Metasploit, Nmap, NetScanTools Pro, and smtp-user-enum to collect a list of valid users, delivery addresses, message recipients, etc.

SNMP Enumeration

SNMP allows network administrators to manage network devices from a remote location. However, SNMP has many security vulnerabilities, such as a lack of auditing. Attackers may take advantage of these vulnerabilities to perform account and device enumeration. SNMP is an application-layer protocol that runs on UDP and maintains and manages routers, hubs, and switches on an IP network. SNMP agents run on Windows and Unix networks on networking devices.

SNMP Enumeration Tools

SNMP enumeration tools are used to scan a single IP address or a range of IP addresses of SNMP-enabled network devices to monitor, diagnose, and troubleshoot security threats.

UDP 161: Simple Network Management Protocol (SNMP)

SNMP is widely used in network management systems to monitor network-attached devices such as routers, switches, firewalls, printers, and servers.

TCP 22: Secure Shell (SSH)

Secure Shell (SSH) is a command-level protocol mainly used for managing various networked devices securely. It is generally used as an alternative protocol to the unsecure Telnet protocol.

Snmpcheck (snmp_enum Module) Source: http://www.nothink.org

Snmpcheck is an open-source tool distributed under the GNU General Public License (GPL). Its goal is to automate the process of gathering information on any device with SNMP support (Windows, Unix-like, network appliances, printers, etc.). Parrot linux

SoftPerfect Network Scanner Source: https://www.softperfect.com

SoftPerfect Network Scanner can ping computers, scan ports, discover shared folders, and retrieve practically any information about network devices via Windows Management Instrumentation (WMI), SNMP, Hypertext Transfer Protocol (HTTP), SSH, and PowerShell. GUI

Softerra LDAP Administrator Source: https://www.ldapadministrator.com

Softerra LDAP Administrator is an LDAP administration tool that works with LDAP servers such as Active Directory, Novell Directory Services, and Netscape/iPlanet. It browses and manages LDAP directories.

SuperEnum Source: https://github.com

SuperEnum includes a script that performs the basic enumeration of any open port.

TCP 139: NetBIOS Session Service (SMB over NetBIOS)

TCP 139 is perhaps the most well-known Windows port. It is used to transfer files over a network. Systems use this port for both null-session establishment as well as file and printer sharing.

Services and Ports to Enumerate

TCP features include the following:

- Supports acknowledgement for receiving data through a sliding window acknowledgement system
- Offers automatic retransmission of lost or unacknowledged data
- Allows addressing and multiplexing of data
- A connection can be established, managed, or terminated
- Offers quality-of-service transmission
- Offers congestion management and flow control

UDP applications include the following:

- Audio streaming
- Videoconferencing and teleconferencing

UDP 69: Trivial File Transfer Protocol (TFTP)

TFTP is a connectionless protocol used for transferring files over the Internet. TFTP depends on connectionless UDP; therefore, it does not guarantee the proper transmission of the file to the destination.

TCP/UDP 53: DNS Zone Transfer

The DNS resolution process establishes communication between DNS clients and DNS servers. DNS clients send DNS messages to DNS servers listening on UDP port 53. If the DNS message size exceeds the default size of UDP (512 octets), the response contains only the data that UDP can accommodate, and the DNS server sets a flag to indicate the truncated response.

TCP/UDP 5060, 5061: Session Initiation Protocol (SIP)

The Session Initiation Protocol (SIP) is a protocol used in Internet telephony for voice and video calls. It typically uses TCP/UDP port 5060 (non-encrypted signaling traffic) or 5061 (encrypted traffic with TLS) for SIP to servers and other endpoints.

TCP 23: Telnet

The Telnet protocol is used for managing various networked devices remotely. It is an unsecure protocol because it transmits login credentials in the cleartext format.

PsLogList

The elogdump utility dumps the contents of an Event Log on a local or remote computer. PsLogList is a clone of elogdump except that PsLogList can log in to remote systems in situations where the user's security credentials would not permit access to the Event Log, and PsLogList retrieves message strings from the computer on which the event log is stored.

psloglist [-] [\\computer[,computer[,...] | @file [-u username [-p password]]] [-s [-t delimiter]] [-m #|-n #|-h #|-d #|-w][-c][-x][-r][-a mm/dd/yy][-b mm/dd/yy][-f filter] [-i ID[,ID[,...] | -e ID[,ID[,...]]] [-o event source[,event source][,..]]] [-q event source[,event source][,..]]] [-l event log file] <eventlog>

NetBIOS Enumeration

The first step in enumerating a Windows system is to take advantage of the NetBIOS API. NetBIOS was originally developed as an API for client software to access local area network (LAN) resources. Windows uses NetBIOS for file and printer sharing. The NetBIOS name is a unique 16-character ASCII string assigned to Windows systems to identify network devices over TCP/IP; 15 characters are used for the device name, and the 16th is reserved for the service or record type. NetBIOS uses UDP port 137 (name services), UDP port 138 (datagram services), and TCP port 139 (session services).

Working of SNMP

The following are some commands associated with SNMP.

GetRequest: Used by the SNMP manager to request information from an SNMP agent
GetNextRequest: Used by the SNMP manager continuously to retrieve all the data stored in an array or table
GetResponse: Used by an SNMP agent to satisfy a request made by the SNMP manager
SetRequest: Used by the SNMP manager to modify the value of a parameter within an SNMP agent's management information base (MIB)
Trap: Used by an SNMP agent to inform the pre-configured SNMP manager of a certain event

Attackers use NetBIOS enumeration to obtain the following:

The list of computers that belong to a domain
The list of shares on the individual hosts in a network
Policies and passwords

An attacker who finds a Windows system with port 139 open can check to see which resources can be accessed or viewed on a remote system. However, to enumerate the NetBIOS names, the remote system must have enabled file and printer sharing.

nbtstat -a

The nbtstat command "nbtstat -a <IP address of the remote machine>" can be executed to obtain the NetBIOS name table of a remote computer.

nbtstat -c

The nbtstat command "nbtstat -c" can be executed to obtain the contents of the NetBIOS name cache, the table of NetBIOS names, and their resolved IP addresses.

LDAP Enumeration Tools

There are many LDAP enumeration tools that access the directory listings within Active Directory or other directory services.

NetBIOS Enumeration Tools

These tools also enumerate operating systems (OSs), users, groups, Security Identifiers (SIDs), password policies, services, service packs and hotfixes, NetBIOS shares, transports, sessions, disks and security event logs, etc.

ntptrace

This command determines where the NTP server obtains the time from and follows the chain of NTP servers back to its primary time source. Attackers use this command to trace the list of NTP servers connected to the network.

ntpq

This command monitors the operations of the NTP daemon ntpd and determines performance.

ntpdc

This command queries the ntpd daemon about its current state and requests changes in that state.

SMTP provides the following three built-in commands.

VRFY: Validates users

$ telnet 192.168.168.1 25
VRFY Jonathan
250 Super-User <Jonathan@NYmailserver>
VRFY Smith
550 Smith... User unknown

EXPN: Displays the actual delivery addresses of aliases and mailing lists

$ telnet 192.168.168.1 25
EXPN Jonathan
250 Super-User <Jonathan@NYmailserver>
EXPN Smith
550 Smith... User unknown

RCPT TO: Defines the recipients of the message

$ telnet 192.168.168.1 25
RCPT TO:Ryder
250 Ryder... Recipient ok
RCPT TO: Smith
550 Smith... User unknown

LDAP Enumeration

Various protocols enable communication and manage data transfer between network resources. All these protocols carry valuable information about network resources along with the data. An external user who successfully enumerates that information by manipulating the protocols can break into the network and may misuse the network resources. The Lightweight Directory Access Protocol (LDAP) is one such protocol that accesses the directory listings. A client starts an LDAP session by connecting to a Directory System Agent (DSA), typically on TCP port 389, and sends an operation request to the DSA. The Basic Encoding Rules (BER) format is used to transmit information between the client and server.

Enumerating Shared Resources Using Net View

net view \\<computername>
net view \\<computername> /ALL
net view /domain
net view /domain:<domain name>

Attackers use the rpcinfo command to scan the target IP address for an open NFS port (port 2049) and the NFS services running on it:

rpcinfo -p 10.10.10.16

PsInfo

PsInfo is a command-line tool that gathers key information about local or remote legacy Windows NT/2000 systems, including the type of installation, kernel build, registered organization and owner, number of processors and their type, amount of physical memory, installation date of the system, and expiration date in the case of a trial version.

psinfo [[\\computer[,computer[,..] | @file [-u user [-p psswd]]] [-h] [-s] [-d] [-c [-t delimiter]] [filter]

As shown in the screenshot, an attacker runs the following command to view the list of shared files and directories:

showmount -e 10.10.10.16

smtp-user-enum Source: http://pentestmonkey.net

smtp-user-enum is a tool for enumerating OS-level user accounts on Solaris via the SMTP service (sendmail). Enumeration is performed by inspecting the responses to VRFY, EXPN, and RCPT TO commands.

smtp-user-enum.pl [options] (-u username|-U file-of-usernames) (-t host|-T file-of-targets)

smtp-user-enum has the following options:

o -m n: Maximum number of processes (default: 5)
o -M mode: Specify the SMTP command to use for username guessing from among EXPN, VRFY, and RCPT TO (default: VRFY)
o -u user: Check if a user exists on the remote system
o -f addr: Specify the from email address to use for "RCPT TO" guessing (default: [email protected])
o -D dom: Specify the domain to append to the supplied user list to create email addresses (default: none)
o -U file: Select the file containing usernames to check via the SMTP service
o -t host: Specify the server host running the SMTP service
o -T file: Select the file containing hostnames running the SMTP service
o -p port: Specify the TCP port on which the SMTP service runs (default: 25)
o -d: Debugging output
o -w n: Wait for a maximum of n seconds for the reply (default: 5)
o -v: Verbose
o -h: Help message

SMTP and DNS Enumeration

the DNS servers and network infrastructure of the target organization. The section discusses both SMTP and DNS enumeration techniques, covering SMTP enumeration, the process of obtaining a list of valid users on an SMTP server, SMTP enumeration tools, DNS zone transfer enumeration, DNS cache snooping, and DNS zone walking.

Extract user groups from Windows

To extract user groups from Windows, the attacker should have a registered ID as a user in the Active Directory. The attacker can then extract information from groups in which the user is a member by using the Windows interface or command-line method.

