What is enumeration?
Enumeration involves an attacker creating active connections with a target system and performing directed queries to gain more information about the target
Enumration techniques are conducted in an intranet environment
What information can an attacker gain from enumeration?
- Network resources
- Network shares
- Routing tables
- Audit and service settings
- SNMP and FQDN details
- Machine names
- Users and groups
- Applications and banners
What are information form enumeration used for?
- Identify points for a system attack
- Perform password attacks
Techniques for Enumeration?
- Extract usernames using: Email IDs (fx VVL@energinet.dk)
- Extract information using: default passwords
- Brute force Active Directory (locked out)
- Extract information using: DNS Zone Transfer
- Extract user groups from Windows
- Extract usernames using SNMP
Port and services to Enumerate?
- 53: TCP/UDP - Domain Name Systems (DNS) Zone Transfer
- 135: TCP/UDP - Microsoft RPC Endpoint Mapper
- 137: UDP - NetBIOS Name Service (NBNS)
- 139: TCP - NetBIOS Session Service (SMB over NetBIOS)
- 445: TCP/UDP - SMB over TCP (Direct Host)
- 161: UDP - Simple Network Management Protocol (SNMP)
- 389: TCP/UDP: Lightweight Directory Access Protocol (LDAP)
- 2049: TCP - Network File System (NFS)
- 25: TCP - Simple Mail Transfer Protocol (SMTP)
- 162: TCP/UDP - SNMP Trap
- 500: UDP - ISAKMP/Internet Key Exchange (IKE)
- 22: TCP - Secure Shell (SSH)
What can an attack obtain from NetBIOS?
- The list of computers that belong to a domain
- The list of shares on the individual hosts in the network
- Policies and passwords
What information do you get from a “nbtstat” command?
- NetBIOS names
- Usernames
- Domain names
- MAC addresses
(Can also be done from Nmap)
List some PsTools (SysInternals) - Extreme powerful tool
- PsExec: executes processes remotely
- PsFile: shows files opened remotely
- PsGetSid: displays the SID of a computer or user
- PsKill: kills processes by name or process ID
- PsInfo: lists information about a system
- PsList: lists detailed information about processes
- PsLoggedIn - shows who is logged on locally and via resource sharing
- PsPasswd: changes account passwords
- PsShutdown - shuts down and optionally reboots a computer
What is the net view command used for?
How does SNMP work?
Listen on UDP port 161
- Default password (“Public”/”Private”)
- Clear text password if changed
Use the Nmap snmp-info NSE script against an SNMP remote server to retrieve information related to the hosted SNMP services
Tell about LDAP (Lightweight directory access protocol)
- Is an Inter protocol for accessing distributed directory services
- Directory services may provide any organized set of records, often in a hierarchical and logical structure, such as a corporate email directory
- A client starts a LDAP session by connecting to a directory system agent (DSA) on TCP port 389 and dthen sends an operation request to the DSA
- Information is transmitted between the client and server using basic encoding rules (BER)
Attackers quiry the LDAP service to gather information, such as valid usernames, adressess, and departmental details, which can be further used to perform attacks
Tell abput NTP (Network Time Protocol)?
It uses UDP port 123 as its primary means of communication
Attackers query the NTP server to gather valuable information, such as:
- List of connected hosts
- Clients IP addresses in a netwirk, their system names and OS’s
- Internal IPs can also be obtained if the NTP server is in the demilitarized zone (DMZ)
Tell about NFS
- Port 2049
The NFS system is generally implemented…
What are the three build in commands in SMTP?
- VRFY: Validates users
- EXPN: Shows the actual delivery addresses of aliases and mailing lists
- RCPT TO: Define the recipients of a message
SMTP servers respond differently to the commands for valid and invalid users, which means an attacker can determine valid users on the SMTP server.
Attackers can directly interact with SMTP via the telnet prompt and collect a list of valid users on the SMTP server
What can an attacker obtain if the target DNS server allows zone transfer?
- DNS server names
- Hostnames
- Machine names
- Usernames
- IP addresses
- Aliases
What is DNSSEC zone walking?
It is a DNS enumeration technique where an attacker attempts to obtain internal records of the DNS server if the DNS zone is not properly configured
What are IPsec uses for?
Secure communication between VPN end points.
Often a simple scanning for ISAKMP at UDP port 500 can indicate the presence of a VPN gateway
Name VoIP attacks?
Dos, Session Hijacking, Caller ID spoofing, Eavesdropping, Spamming over Internet Telephony and Vishing
VoIP uses SIP protocol to enable voice and video calls over an IP network. SIP service generally uses UDP/TCP ports 2000, 2001, 5060, and 5061
Tell about Telnet
Uses port 23, and if open gives access to shared services
