Enumeration


Creator group

A Windows 2000-specific group, the Creator group is used to grant permissions to users who are members of the same group as the creator of a directory or file.

Attack directory services

A directory service is a database of information that is used for network administration. Some directories are vulnerable to input verification deficiencies. Because of this, they are susceptible to brute force attacks. These attacks are usually automated. The program tries different combinations of usernames and passwords until it finds something that works.

Payload

A packet containing code that helps you achieve the goal of exploiting a vulnerability. A payload in Metasploit refers to an exploit module.

Exploit

A sequence of commands that takes advantage of a vulnerability. This is often used to gain control of a system, perform privilege escalation, or create a denial of service attack.

Linux Enumeration

A user account is needed to access a Linux system. When a user account is created, the values are stored in the /etc/passwd file. This file is accessible with a text editor. The stored values include: Username, Passwords, Groups

Username

A username and user ID (UID) are used to identify users. When a username is created, it is given a UID. This number is selected from a range of numbers, typically above 500.

Use default passwords

All devices have default passwords. These passwords are often left in place, providing an easy access point for an attacker.

Everyone

All users are members of this group. It is used to provide wide-range access to resources.

Network

All users that access a system through a network are members of this group. It provides all remote users access to a specific resource.

use

Allows you to choose a module and changes the context to module-specific commands.

set

Allows you to configure options and parameters for the current module.

search

Allows you to search the Metasploit database based on the given protocol, application, or parameter.

What is a SID?

Although we typically think of the username as being the unique identifier, behind the scenes, Windows actually relies on a security identifier (SID). When a user object is created, Windows assigns it an SID. And, unlike a username, that ID cannot be used again. Why is this necessary? Consider how many times a username could undergo a change. If permissions were tied to a specific name, a new account would have to be created every time. However, since Windows is looking at the SID, you simply adjust the username and maintain the same SID.

Extract email IDs

An email address contains two parts, the username and the domain name.

Groups

Anonymous logon, Batch, Creator group, Creator owner, Everyone, Network

Auxiliary

Auxiliary modules contains a set of programs such as fuzzers, scanners, sniffers, and SQL injection tools to gather information and get a deeper understanding of the target system.

There are five main Metasploit Modules.

Auxiliary, Encoders, Exploit, Payload, Post

Monitor SNMP ports

Block or monitor activity on ports 161 and 162 and any other ports that you have configured for SNMP traffic.

Change default passwords

Change default passwords on all devices and services.

check

Checks if the target system has a vulnerability but does not actually exploit it.

Common Vulnerabilities and Exposures (CVE)

Common Vulnerabilities and Exposures, or CVE, is a list of publicly known cybersecurity vulnerabilities. Each entry contains an identification number, a description, and at least one public reference.

DNS zone restriction

DNS zone restriction ensures that a server provides copies of zone files to only specific servers.

Perform DNS zone transfers

DNS zone transfer is the process of transferring a copy of the DNS zone file from the primary DNS server to a secondary DNS server. Zone transfers are designed to provide updated network and access information to DNS servers. This type of structural data could be valuable to a hacker. It could be used to provide a mapping of the network. To perform a DNS zone transfer, the hacker, pretending to be a client, sends a zone transfer request to the DNS server. The DNS server then sends a portion of its database as a zone to the hacker. This zone may contain a lot of information about the DNS zone network.

Windows Gather Applied Patches

Description: This module will attempt to enumerate which patches are applied to a Windows system.
Module: post/windows/gather/enum_patches
From the msf prompt:
msf > use post/windows/gather/enum_patches
msf post(enum_patches) > show options
... show and set options ...
msf post(enum_patches) > set session 1
msf post(enum_patches) > run

Windows Gather Google Chrome User Data Enumeration

Description: This module will collect user data from Google Chrome and attempt to decrypt sensitive information.
Module: post/windows/gather/enum_chrome
From the msf prompt:
msf > use post/windows/gather/enum_chrome
msf post(enum_chrome) > show options
... show and set options ...
msf post(enum_chrome) > set session 1
msf post(enum_chrome) > run

help

Displays a list and description of all available commands.

Passwords

Each account has a password that is encrypted and saved on the computer or on the network.

Encoders

Encoder modules encode the payloads/exploits to protect them against signature-based antivirus solutions. Most antivirus products will detect payloads and exploits as viruses, so by encoding them, they have a better chance of not being detected by antivirus.

Enumeration requires...?

Enumeration requires the ethical hacker to understand protocols, ports, and services. Although these items are a prerequisite for this course, we're going to identify the ones that are used for enumeration.

run

Executes, or will run, the current module.

Groups

Groups are used to manage permissions and rights. Group identification numbers (GIDs) are stored in the /etc/passwd file. All users are assigned to the default primary group and can be assigned to additional groups that are called secondary groups. Secondary groups are listed in the /etc/group file.

LDAP Countermeasures

Hardening against Lightweight Directory Access Protocol (LDAP) enumeration can be tricky. Although blocking LDAP port 389 is an option, you can't always block ports, or you'll risk impacting your network. Blocking LDAP ports could prevent your clients from querying necessary services. The best way to secure LDAP is to review and implement the security settings and services available with your server software.

Enumerate IPsec

IPsec uses ESP (Encapsulation Security Payload), AH (Authentication Header), and IKE (Internet Key Exchange) to secure communication between virtual private network (VPN) endpoints. Using enumeration tools, hackers can pull sensitive information such as the encryption and hashing algorithm, authentication type, and key distribution algorithm.

What is it like when Metasploit installed on Linux system?

If Metasploit is installed on a Linux system, you can launch msfconsole by just typing it at the prompt. Another option is to launch it from the application menu.

Windows Enumeration

In Windows, a user account is an object that contains information about a user, the user access level, groups the user is a member of, and user access privileges. The default Windows installation includes two primary user accounts, the administrator and the guest. There are also a few other built-in accounts that are designed to run background processes as needed. These include local service, network service, and system.

Exploit

In the Metasploit Framework, exploit modules are used to target vulnerabilities and access systems via payloads.

Payload

In the Metasploit Framework, the payload module contains code that runs remotely. Payload modules help you achieve the desired goal of attacking the target system. This can be an interactive shell or help you maintain a backdoor for example.

Vulnerability

It is a flaw, hole, or weakness in the design or code of the target that makes it vulnerable to exploitation leading to the possible disclosure of confidential information.

Retrieve system policies

Large networks, especially enterprise environments, frequently have policy settings in place to determine how security matters are handled. If you're able to gain access to these settings, you will know more about your target. The technique will vary depending on the operating system that you are targeting.

Digital signatures

Modern systems include digital signatures that help with DNS zone restriction.

Enumeration Processes

Now that you have been able to establish active connections, you can gather information about usernames, group names, machine names, routing tables, network shares, applications, and more. Unlike the more passive phases of reconnaissance and scanning, we are moving into a more active approach to information gathering. The odds of getting caught are even higher now. You'll want every action to be strategic and precise. It's also important to note that although you're still only gathering information, you're at the point where your actions could be considered illegal. Make sure your permission documentation is in order.

NULL session

Null sessions are created when no credentials are used to connect to a Windows system. They are designed to allow clients access to limited types of information across a network. These sessions can be exploited to find information about users, groups, machines, shares, and host SIDs. A hacker can enter net use \\hostname\ipc$ "" /user:"" to connect to a system. A hacker can use the command net view \\hostname to display shares available on a system. The command net use s: \\hostname\sharename (where sharename is the name of the shared folder) allows a hacker to connect to and view one of these shares.

TCP 135 RPC

Port 135 is used by the Remote Procedure Call service in Windows for client-server communications.

TCP 137 NetBIOS

Port 137 is used by the NetBIOS Name Service (NBNS). NBNS is used to associate names with the IP addresses of systems and services.

TCP 139 NetBIOS

Port 139 is used by the NetBIOS Session Service (SMB over NetBIOS). SMB over NetBIOS allows you to manage connections between NetBIOS clients and applications.

TCP 21 FTP

Port 21 is used for the File Transfer Protocol (FTP). FTP is used by all operating systems to transfer files between client and server machines.

TCP 23 Telnet

Port 23 is used for the Telnet protocol/software. Telnet is used to connect to and run services on remote systems. Because of security concerns, Telnet is not used as frequently as it once was.

TCP 25 SMTP

Port 25 is used for the Simple Mail Transfer Protocol (SMTP). SMTP is used to send emails between client and server and between server and server.

TCP/UDP 3268 Global Catalog Service

Port 3268 is used by the Global Catalog Service. The Global Catalog Service is used by Windows 2000 and later systems to locate information in Active Directory.

TCP/UDP 389 LDAP

Port 389 is used by the Lightweight Directory Access Protocol (LDAP). LDAP is an internet protocol for accessing distributed directory services. If this port is open, it indicates that Active Directory or Exchange may be in use.

TCP 445 SMB over TCP

Port 445 is used by SMB over TCP. SMB over TCP, also known as Direct Host, is a service used to improve network access. This service is available in Windows 2000 and newer.

TCP 53 DNS

Port 53 is used for DNS zone transfers. DNS zone transfer is the process of transferring a copy of the DNS zone file from the primary DNS server to a secondary DNS server. Zone transfers are designed to provide updated network and access information to the DNS servers.

UDP 53 DNS

Port 53 is used for UDP queries about IP-to-name and name-to-IP mappings.

TCP 80 HTTP

Port 80 is used for Hypertext Transport Protocol. HTTP is used by all web browsers and most web applications.

UDP 161 and 162 SNMP

Ports 161 and 162 are used by the Simple Network Management Protocol (SNMP). SNMP is a standard method of managing devices and software from most manufacturers.

info

Provides detailed information about the selected module including options, targets, and other information.

PsTools

PsTools is a suite of very powerful tools that allow you to manage local and remote Windows systems. The package includes tools that can change account passwords, suspend processes, measure network performance, dump event log records, kill processes, or view and control services.

Enumerate RPC

Remote Procedure Call (RPC) allows client and server to communicate in distributed client/server programs. Enumerating RPC endpoints enables hackers to identify any vulnerable services on these service ports. You can use the following nmap scan commands to identify RPC services running on the network:
nmap -sR IP/network
nmap -T4 -A IP/network

Remove SNMP agent

Remove the SNMP agent or turn off the SNMP service completely.

unset

Removes, or resets, previously set parameters.

How does SID let you know more about an account?

SID identifiers can help you know more about the account. For example, if you find an account ending in 500, then you've found the built-in administrator account. If you find an account ending in 501, you've found the built-in guest account. The Windows Security Accounts Manager (SAM) is a part of the system registry and stores all usernames and passwords. The passwords are not saved in plain text, of course, but are encrypted in LM and NTLM hash formats. For larger networks, Microsoft's Active Directory manages this data.

Exploit SMTP

Simple Mail Transfer Protocol (SMTP) is the protocol used by most email servers and clients to send email messages. Scanning tools and commands can be used to verify the existence of specific email addresses. They can even provide a list of all users on a distribution list.

Split DNS

Splitting the DNS into internal and external groups provides an added layer of security.

SuperScan

SuperScan can be used to enumerate information from a Windows host. Information can be gathered on the following: NetBIOS name table, services, NULL session, trusted domains, MAC addresses, logon sessions, workstation type, account policies, users, and groups.

finger

The Linux finger command provides information about a user. Use finger -s username to obtain the specified user's login name, real name, terminal name and write status, idle time, login time, office location, and office phone number. You can use finger -s to obtain the same information about all users on a system. Use finger -l user@host to obtain information about all users on a remote system.

Metasploit

The Metasploit framework is a tool that allows cybersecurity professionals to perform reconnaissance, scanning, enumeration, and exploitation of vulnerabilities in applications, networks, various operating systems, and more. Metasploit mainly focuses on pre-exploitation and post-exploitation pentesting tasks. It is also useful for vulnerability research and for testing exploits during development. Metasploit comes pre-installed on some Linux distributions, including Kali Linux and Parrot OS. The main way to interact with Metasploit is with msfconsole. This is a shell-like interface that allows the user to interact with Metasploit.

Exploit SNMP

The Simple Network Management Protocol (SNMP) is used to manage devices such as routers, hubs, and switches. SNMP works with an SNMP agent and an SNMP management station. The agent is found on the device that is being managed, and the SNMP management station serves as the communication point for the agent. SNMP has two configuration passwords by default, one for public access, and one for private access. The public community string includes the configuration of the device or system. The private read/write community string provides read and write access to the device configuration. If the passwords were not changed from the default, a hacker will have access to these strings and therefore have access to usernames, information about network devices, routing tables, network traffic, and file shares.

Administrator

The administrator account has gone through quite a few changes as the operating system has evolved. In earlier versions of Windows, the administrator account was enabled by default. However, in more recent releases, Windows Vista and beyond, the administrator account has been disabled by default. This change was made primarily for security purposes. The administrator account was often used as a normal user account and, as a result, the everyday user had unlimited access to permissions that the user didn't necessarily know what to do with. If malware or other applications were running in the background, those programs also had access to those unlimited permissions. As you can imagine, that doesn't end well. Current versions of Windows require user accounts to be created. Although you can enable administrator privileges to the account, additional permission needs to be granted when elevated administrator privileges are needed. This way, the user cannot unintentionally allow an unwanted application or process to run in the background.

Creator owner

The file or directory creator is a member of this group. By default, all releases after Windows 2000 use this group to grant permissions to the creator of the file or directory.

Guest

The guest account has been part of Windows for quite some time. By design, this account has remained pretty much the same and is meant to be used only in very limited circumstances. Although included in the Windows installation, it is not enabled by default.

SMTP Countermeasures

The most basic way to counteract Simple Mail Transfer Protocol (SMTP) exploitation is to simply ignore messages to unknown recipients instead of sending back error messages. Additionally, you'll want to configure your server to block open SMTP relaying.

Post

The post-exploitation module will help you to pivot deeper and gather further information about the target. For example, post-exploitation could be used to dump the password hashes and look for user credentials that can be used to exploit the targeted system further.

How many exploits currently can be used as part of Metasploit?

There are over two thousand exploits currently that can be used as part of Metasploit. Below are just a few examples.

SNMP Countermeasures

There are several countermeasures for attacks on Simple Network Management Protocol (SNMP) processes: Monitor SNMP ports, Remove SNMP agent, Update SNMP, Change default passwords, Run SNScan

System

This account provides almost unlimited access to the local machine.

Local service

This account provides high-level access to the local machine, but only limited access to the network.

Network service

This account provides normal access to the network, but provides only limited access to the local machine.

exit

This exits msfconsole.

Batch

This group is used to run scheduled batch tasks.

Anonymous logon

This group provides anonymous access to resources, typically on a web server or web application.

Run SNScan

Use SNScan, a utility that detects network SNMP devices that are vulnerable to attack.

DNS Countermeasures

Use the following countermeasures to mitigate attacks that target your Domain Name System (DNS) vulnerabilities: DNS zone restriction, Digital signatures, Split DNS

Update SNMP

Verify that you are running the most recent version of SNMP at all times.

Enumerate VoIP

VoIP uses SIP (Session Initiation Protocol) to enable voice and video calls over an IP network. SIP service generally uses UDP/TCP ports 2000, 2001, 5060, 5061.

show options

When a module is selected, you can use show options to display the settings that are available.

show

Displays information about the module name and options for the current module.

How does Windows provide an efficient way of managing user access?

Windows provides an efficient way of managing user control access. Users can be assigned to groups and permissions can be assigned to these groups. You can create your own groups based on departments, locations, or other methods. Microsoft also includes a few preconfigured user groups. These groups can be used as-is or modified to suit your needs.

Enumeration Tools

finger, NULL session, PsTools, SuperScan
