CEH Module 4: Enumeration

ntpq command

A command that can query the state of an NTP server or client and monitor its performance.

SMTP (Simple Mail Transfer Protocol)

A communications protocol that enables sending email from a client to a server or between servers.

TCP (Transmission Control Protocol)

A connection-oriented, guaranteed-delivery protocol used to send data packets between computers over a network like the Internet. Guarantees packet delivery.

FTP (File Transfer Protocol)

A protocol used to move files and folders over a network or the Internet.

SMB (Server Message Block)

Allows devices to communicate with remote computers or servers. Lets you share files. Example: a laptop sending a print request to a company printer.

snmp-check

Allows hackers to enumerate SNMP devices and places the output in a very human-readable, friendly format.

NTP (Network Time Protocol)

An Internet protocol that enables synchronization of computer clock times in a network of computers by exchanging time signals.

Simple Network Management Protocol (SNMP) Enumeration

Attackers enumerate SNMP to extract information about network resources, such as hosts, routers, devices, and shares, and network information such as ARP tables, routing tables, and traffic.

dig command

Can resolve a Fully Qualified Domain Name (FQDN) to an IP address on UNIX hosts.

DSA (LDAP) Directory System Agent

Clients start an LDAP session by connecting to a directory system agent (DSA).

nbstat

Command used to display the name and status of local or remote computers.

SMTP RCPT TO

Defines/specifies the recipient of the message.

BGP Enumeration

Gain AS information to launch man-in-the-middle, BGP hijacking, and DoS attacks.

VoIP Enumeration

Gains sensitive information such as VoIP gateways/servers, IP-PBX systems, client software (softphones)/VoIP phones, user-agent IP addresses, and user extensions.

(Server Message Block) SMB Enumeration

Helps attackers grab OS banners. Helps attackers find vulnerabilities that can be used to exploit the server.

NetBIOS Enumerator

Helps to find details such as NetBIOS names, usernames, domain names, and MAC addresses.

Network Basic Input Output System (NetBIOS) Enumeration

NetBIOS allows computers to communicate over a LAN and allows them to share files and printers. Attackers use NetBIOS enumeration to obtain: a list of computers that belong to a domain; a list of shares on the individual hosts on the network; policies and passwords.

LDAP enumeration tools

JXplorer (an open source Java application that allows you to browse and search any LDAP directory); LDAP Admin Tool; LDAP Account Manager; LDAP Search; Active Directory Explorer (AD Explorer).

MIB

Management Information Base: a virtual database listing all the network objects that can be managed using SNMP.

ntpdc

Monitors operation of the NTP daemon, ntpd

NFS

Network File System: a client/server application that lets a user view, store, and update files on a remote computer as though they were on the user's own computer.

rwho

Only on Unix/Linux. Displays a list of users who are logged in to hosts on the local network.

rusers

Only on Unix/Linux. Provides a list of users who are logged on to remote machines or machines on the local network.

Softerra LDAP Administrator

Provides profile information for users listed within AD

PsTools

PsTools is a suite of very powerful tools that allow you to manage local and remote Windows systems. The package includes tools that can change account passwords, suspend processes, measure network performance, dump event log records, kill processes, or view and control services.

NFS Enumeration Tools

RPCScan: communicates with RPC services and checks errors on NFS shares. SuperEnum: does the basic enumeration of any open port along with screenshots.

SNMP passwords

Read community string: public; allows for viewing of device/system configuration. Read/write community string: private by default; allows for remote editing of configuration.

SoftPerfect Network Scanner

Retrieves practically any information about network devices via WMI, SNMP, HTTP, SSH, and PowerShell.

BER (Basic Encoding Rules)

Rules that dictate how information between the client and server is transmitted.

SMTP EXPN

Shows actual delivery addresses of messages.

NetScanTools Pro

Tests the process of sending an email message through an SMTP server.

(Domain Name System) DNS Enumeration

The process of using easily accessible DNS records to find out the target network's internal hosts. Enumerating the number of domains and sub-domains can reveal how large or small the organization may be.

Why Enumerate LDAP?

This protocol has access to Active Directory services. Enumerating LDAP may return information about usernames, addresses, servers, and other sensitive information which can help the attacker perform an attack.

Why Enumerate NTP?

To get a list of: connected hosts; IP addresses; system names; operating systems; internal IPs.

NetScanTools Pro

Tool that allows you to test the process of sending an email message through an SMTP server.

net view (command)

Used to obtain a list of all the shared resources of a remote host or workgroup. net view \\<computername>

SMTP VRFY command

Verify users

(Domain Name System Security Extensions) DNSSEC Zone Walking

A DNS enumeration technique where an attacker attempts to obtain internal records of the DNS server if the DNS zone is not properly configured.

smtp-user-enum

a tool for enumerating OS-level user accounts on Solaris via the SMTP service (Sendmail).

SNMP uses managers and:

agents

sudo (super user do)

Allows a permitted user to execute a command as the superuser or another user, as specified by the security policy. Temporarily elevates privileges.

Why Enumerate NFS?

Allows attackers to identify the exported directories, the list of clients connected to the NFS server, IP addresses, and shared data.

SNMPcheck

Allows you to enumerate SNMP devices and places the output in a very human-readable, friendly format.

UDP (User Datagram Protocol)

connectionless protocol that does not require a connection to send a packet and does not guarantee that the packet arrives at its destination

(Remote Procedure Call) RPC Enumeration

discovers what services are running on what port numbers.

finger

displays information about users on a remote system, including things such as last log-in time and username. It is primarily used in Linux.

ntptrace

follows the chain of NTP servers back to their master time source.

IPsec Enumeration

A technique where attackers enumerate sensitive information such as encryption and hashing algorithms, authentication type, key distribution algorithm, and security association life duration.

BGP (Border Gateway Protocol)

is the routing protocol for the Internet. Much like the post office processing mai

Command to receive a specific target's MAC address and NetBIOS name.

nbstat NSE script

Command for Netbios name of remote computer

nbtstat -a <IP address>

Command to view the Netbios name of a (specific) remote computer

nbtstat -a <IP address>

Command to view stored NetBIOS names on computer

nbtstat -c

(linPEAS) Linux Local Privilege Escalation Awesome Script

script that searches for possible paths to escalate privileges on Linux/Unix

NTP (Network Time Protocol)

synchronization of computer clock times in a network of computers by exchanging time signals. UDP 123

Enumeration

the process of extracting usernames, machine names, and network information for malicious intent.

Why Enumerate SMTP?

To collect a list of users on the SMTP server. It is performed by inspecting the responses to VRFY, EXPN, and RCPT TO.

