Enumeration is defined as a process which establishes an active connection to the target hosts to discover potential attack vectors in the system; the information gathered can then be used for further exploitation of the system.
Enumeration is used to gather the following:
- Usernames and group names
- Hostnames
- Network shares and services
- IP tables and routing tables
- Service settings and audit configurations
- Applications and banners
- SNMP and DNS details
Significance of enumeration:
Enumeration is often considered a critical phase in penetration testing, as the outcome of enumeration can be used directly for exploiting the system.
Enumeration classification:
Enumeration can be performed on the following:
- NetBIOS Enumeration
- SNMP Enumeration
- LDAP Enumeration
- NTP Enumeration
- SMTP Enumeration
- DNS Enumeration
- Windows Enumeration
- UNIX/Linux Enumeration
The rest of the article explains each of the above enumeration types, along with tools for performing them and controls for preventing them.
What is NetBIOS?
NetBIOS stands for Network Basic Input Output System. IBM developed it along with Sytek. NetBIOS was originally developed as an Application Programming Interface (API) that lets client software access LAN resources.
A NetBIOS name is a 16-character ASCII string used to identify network devices over TCP/IP; 15 characters are used for the device name, and the 16th character is reserved for the service or name record type.
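To make the naming convention concrete, the following added example (not code from the original article) builds a 16-byte NetBIOS name from a hostname and a suffix byte, then applies and reverses the "first-level encoding" from RFC 1001/1002 that turns the 16 bytes into the 32-letter form seen on the wire. The hostname WORKSTATION1 is a constructed sample; the suffix values in SUFFIXES are the standard ones.

```python
# Added example: NetBIOS name construction and first-level encoding.
# 15 characters of name (space padded) + 1 suffix byte = 16 bytes; each byte
# is split into two nibbles and each nibble is added to 'A' (0x41), giving a
# 32-character string in the range A-P.

NETBIOS_NAME_LEN = 15

# Well-known suffix bytes (the 16th character / name record type).
SUFFIXES = {
    0x00: "Workstation Service",
    0x03: "Messenger Service",
    0x20: "File Server Service",
    0x1B: "Domain Master Browser",
}

def build_netbios_name(hostname: str, suffix: int) -> bytes:
    """Upper-case the name, space-pad it to 15 bytes, append the suffix byte."""
    if not 0 <= suffix <= 0xFF:
        raise ValueError("suffix must fit in one byte")
    name = hostname.upper().encode("ascii")
    if len(name) > NETBIOS_NAME_LEN:
        raise ValueError("NetBIOS names are limited to 15 characters")
    return name.ljust(NETBIOS_NAME_LEN, b" ") + bytes([suffix])

def first_level_encode(raw16: bytes) -> str:
    """Split every byte into two nibbles and map each nibble to A..P."""
    if len(raw16) != 16:
        raise ValueError("expected a 16-byte NetBIOS name")
    out = []
    for b in raw16:
        out.append(chr(0x41 + (b >> 4)))
        out.append(chr(0x41 + (b & 0x0F)))
    return "".join(out)

def first_level_decode(encoded: str) -> tuple[str, int]:
    """Reverse the encoding and return (hostname, suffix)."""
    if len(encoded) != 32 or any(not "A" <= c <= "P" for c in encoded):
        raise ValueError("expected 32 characters in the range A-P")
    raw = bytes(
        ((ord(encoded[i]) - 0x41) << 4) | (ord(encoded[i + 1]) - 0x41)
        for i in range(0, 32, 2)
    )
    return raw[:NETBIOS_NAME_LEN].rstrip(b" ").decode("ascii"), raw[15]

def describe(hostname: str, suffix: int) -> str:
    """Render a name the way name-table listings usually show it."""
    label = SUFFIXES.get(suffix, "unknown")
    return f"{hostname.upper():<15} <{suffix:02X}> {label}"

if __name__ == "__main__":
    # Constructed sample: a workstation registering its file server service.
    raw = build_netbios_name("WORKSTATION1", 0x20)
    enc = first_level_encode(raw)
    print(enc)                       # 32-character on-the-wire form
    print(first_level_decode(enc))   # ('WORKSTATION1', 32)
    print(describe(*first_level_decode(enc)))
```

Because the suffix byte 0x20 is also the ASCII space used for padding, a decoder must take the suffix from position 16 rather than stripping trailing spaces from the whole 16 bytes, which is why the code slices the name and the suffix separately.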
NetBIOS Enumeration Explained:
The NetBIOS session service runs on TCP port 139 on Windows operating systems. File and Printer Sharing needs to be enabled to enumerate NetBIOS on a Windows operating system. An attacker can perform the following on the remote machine:
- Read from or write to the remote machine, depending on the availability of shares
- Launch a Denial of Service (DoS) attack on the remote machine
- Enumerate password policies on the remote machine
NetBIOS Enumeration Tools:
The following table lists tools for performing NetBIOS enumeration:
Sl.no  Name of the tool     Web links
01     Nbtstat              www.technet.microsoft.com
02     SuperScan            http://www.mcafee.com/in/downloads/free-tools/superscan.aspx
03     Hyena                http://www.systemtools.com/hyena/
04     Winfingerprint       https://packetstormsecurity.com/files/38356/winfingerprint-0.6.2.zip.html
05     NetBIOS enumerator   http://nbtenum.sourceforge.net/
NetBIOS Security controls:
The following security controls help prevent NetBIOS enumeration attacks:
- Minimize the attack surface by disabling unnecessary services like Server Message Block (SMB).
- Remove File and Printer Sharing in Windows OS.
What is SNMP?
SNMP stands for Simple Network Management Protocol. It is an application-layer protocol that runs on the User Datagram Protocol (UDP) and is used for managing network devices that operate at the IP layer, such as routers. SNMP is based on a client-server architecture: an SNMP client, or agent, is located on every network device and communicates with the SNMP management station via requests and responses. Both SNMP requests and responses refer to configurable variables exposed by the agent software. SNMP uses two passwords: one for authenticating the agents before configuring the variables, and one for accessing the SNMP agent from the management station.
The SNMP passwords are:
- Read community string: the default is "public", and the configuration of the device can be viewed with this password.
- Read/Write community string: the default is "private", and the configuration of the device can be modified with this password.
SNMP internally uses a virtual hierarchical database for managing the network objects, called the Management Information Base (MIB). The MIB has a tree-like structure, and an object ID (OID) uniquely identifies each network object. The network objects can be viewed or modified depending on which SNMP password is used.
SNMP Enumeration:
Default SNMP passwords allow attackers to view or modify the SNMP configuration settings. Attackers can enumerate SNMP on remote network devices to obtain the following:
- Information about network resources such as routers, shares, devices, etc.
- ARP and routing tables
- Device-specific information
- Traffic statistics, etc.
SNMP Enumeration Tools:
The following table lists tools for performing SNMP enumeration:
Sl.no  Name of the tool  Web links
01     OpUtils           https://www.manageengine.com/products/oputils/
02     SolarWinds        http://www.solarwinds.com/
03     SNScan            http://www.mcafee.com/us/downloads/free-tools/snscan.aspx
04     SNMP Scanner      http://www.secure-bytes.com/snmp-scanner.php
05     NS Auditor        http://www.nsauditor.com/
SNMP Security controls:
The following security controls help prevent SNMP enumeration attacks:
- Minimize the attack surface by removing SNMP agents where they are not needed
- Change the default "public" community string
- Upgrade to SNMPv3, which encrypts the community strings and messages
- Implement Group Policy for additional restrictions on anonymous connections
- Implement a firewall to restrict unnecessary connections
- Implement IPSec filtering
- Block access to TCP/UDP port 161
- Encrypt and authenticate using IPSec
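The two controls "change the default community string" and "upgrade to SNMPv3" can be checked mechanically. The following added example (not code from the original article) audits an snmpd.conf-style configuration for default or unrestricted community strings and shows the SNMPv3 replacement beside it. The directive names (rocommunity, rwcommunity, createUser, rouser) follow net-snmp's snmpd.conf syntax; the two sample configuration texts, the address 192.0.2.0/24 and the passphrases are constructed placeholders for this example.

```python
# Added example: flag weak SNMP v1/v2c community-string settings and confirm
# a v3-only configuration. Sample configs below are constructed.
import re

DEFAULT_COMMUNITIES = {"public", "private"}

# Constructed sample: a typical v1/v2c configuration with default strings.
WEAK_CONFIG = """\
# agent listens on all interfaces
agentAddress udp:161
rocommunity public
rwcommunity private 192.0.2.0/24
sysLocation  Server room
"""

# Constructed sample: the same agent using SNMPv3 with authentication and
# privacy (authPriv). The passphrases are placeholders, not real values.
HARDENED_CONFIG = """\
agentAddress udp:161
createUser monitor SHA "REPLACE-WITH-AUTH-PASSPHRASE" AES "REPLACE-WITH-PRIV-PASSPHRASE"
rouser monitor priv
sysLocation  Server room
"""

# rocommunity / rwcommunity (and their IPv6 variants) take the community
# string and an optional source restriction (address, prefix or hostname).
COMMUNITY_RE = re.compile(r"^\s*(ro|rw)community6?\s+(\S+)(?:\s+(\S+))?", re.I)

def _active_lines(text: str):
    """Yield (line number, line) for lines that are not comments."""
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.lstrip().startswith("#"):
            yield lineno, line

def audit_snmpd_conf(text: str) -> list[dict]:
    """Return one finding per risky community-string directive.
    A finding is raised when the string is a well-known default, when a
    write community is configured at all, or when no source restriction
    follows the string."""
    findings = []
    for lineno, line in _active_lines(text):
        m = COMMUNITY_RE.match(line)
        if not m:
            continue
        access, community, source = m.group(1).lower(), m.group(2), m.group(3)
        reasons = []
        if community.lower() in DEFAULT_COMMUNITIES:
            reasons.append("default community string")
        if access == "rw":
            reasons.append("write access via community string")
        if source is None:
            reasons.append("no source address restriction")
        if reasons:
            findings.append({"line": lineno, "access": access,
                             "community": community, "reasons": reasons})
    return findings

def uses_only_v3(text: str) -> bool:
    """True when v3 users are defined and no v1/v2c community directives exist."""
    has_v3 = re.search(r"^\s*(ro|rw)user\s+", text, re.I | re.M) is not None
    has_community = any(COMMUNITY_RE.match(line) for _, line in _active_lines(text))
    return has_v3 and not has_community

if __name__ == "__main__":
    for f in audit_snmpd_conf(WEAK_CONFIG):
        print(f"line {f['line']}: {f['access']}community {f['community']!r}: "
              + "; ".join(f["reasons"]))
    print("hardened config is v3-only:", uses_only_v3(HARDENED_CONFIG))
```

Note that in the hardened configuration the `rouser monitor priv` line requires authentication and encryption for that user, so a v1/v2c request with any community string is simply not honoured; blocking UDP port 161 at the firewall for everything except the management station remains a separate, complementary control.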
What is LDAP?
LDAP stands for Lightweight Directory Access Protocol, and it is an Internet protocol for accessing distributed directory services like Active Directory or OpenLDAP. A directory service is a hierarchical and logical structure for storing records of users. LDAP is based on a client-server architecture. LDAP transmits over TCP, and information is exchanged between client and server using Basic Encoding Rules (BER).
LDAP Enumeration:
LDAP supports anonymous remote queries on the server. Such queries can disclose sensitive information such as usernames, addresses, contact details, department details, etc.
LDAP Enumeration Tools:
The following table lists tools for performing LDAP enumeration:
Sl.no  Name of the tool                                                          Web links
01     Softerra LDAP Administrator                                               http://www.ldapadministrator.com/
02     Jxplorer                                                                  http://jxplorer.org/
03     Active Directory Domain Services Management Pack for System Center        https://www.microsoft.com/en-in/download/details.aspx?id=21357
04     LDAP Admin Tool                                                           http://www.ldapadmin.org/
05     LDAP Administrator tool                                                   https://sourceforge.net/projects/ldapadmin/
LDAP Security controls:
The following security controls help prevent LDAP enumeration attacks:
- Use SSL to encrypt LDAP communication
- Use Kerberos to restrict access to known users
- Enable account lockout to restrict brute forcing
What is NTP?
NTP stands for Network Time Protocol, and it is designed to synchronize the clocks of networked computers. NTP can achieve accuracies of 200 milliseconds or better in local area networks under ideal conditions, and can maintain time to within ten milliseconds (1/100 second) over the Internet. NTP is based on an agent-server architecture in which the agent queries the NTP server; it works over the User Datagram Protocol (UDP) on well-known port 123.
NTP Enumeration:
An attacker can enumerate the following information by querying an NTP server:
- List of hosts connected to the NTP server
- Internal client IP addresses, hostnames and operating systems used
NTP Enumeration Tools:
The following table lists tools for performing NTP enumeration:
Sl.no  Name of the tool  Description / web links
01     ntptrace          Queries a server to determine where it gets its time from and traces the chain of NTP servers back to a source
02     ntpdc             Queries the NTP daemon about its current state and requests changes to that state
03     ntpq              Monitors the operations of the NTP daemon ntpd and determines its performance
NTP Security controls:
The following security controls help prevent NTP enumeration attacks:
- Restrict the usage of NTP and enable the use of NTPsec where possible
- Filter the traffic with iptables
- Enable logging of messages and events
What is SMTP?
SMTP stands for Simple Mail Transfer Protocol, and it is designed for electronic mail (e-mail) transmission. SMTP is based on a client-server architecture and works over the Transmission Control Protocol (TCP) on well-known port number 25. SMTP looks up Mail Exchanger (MX) records through the Domain Name Service to find the server to deliver mail to; if no MX record is found, SMTP falls back to an A record or, alternatively, SRV records.
SMTP Enumeration:
SMTP provides three built-in commands:
- VRFY: validates users on the SMTP server
- EXPN: returns the delivery addresses of aliases and mailing lists
- RCPT TO: defines the recipients of the message
SMTP servers respond differently to the commands mentioned above, and SMTP enumeration is possible because of these varied responses. Attackers can determine the valid users on an SMTP server with this technique.
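From the defender's side, the varied responses described above leave a recognisable trace in mail-server logs: one client issuing a burst of VRFY/EXPN commands, or many RCPT TO attempts that are mostly rejected. The following added example (not code from the original article) implements that detection over sample log lines. The log format, every address, client IP and timestamp in SAMPLE_LOG are constructed for this example; adapt LINE_RE to the format your own mail server writes.

```python
# Added example: detect SMTP user-enumeration patterns in (constructed) logs.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: client 198.51.100.7 probes with VRFY/EXPN in a few
# seconds; client 203.0.113.9 behaves like an ordinary mail sender.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z client=198.51.100.7 cmd=VRFY arg=alice resp=252
2024-05-01T09:00:02Z client=198.51.100.7 cmd=VRFY arg=bob resp=550
2024-05-01T09:00:02Z client=198.51.100.7 cmd=VRFY arg=carol resp=252
2024-05-01T09:00:03Z client=198.51.100.7 cmd=EXPN arg=staff resp=502
2024-05-01T09:00:03Z client=198.51.100.7 cmd=VRFY arg=dave resp=550
2024-05-01T09:00:04Z client=198.51.100.7 cmd=VRFY arg=erin resp=550
2024-05-01T09:00:10Z client=203.0.113.9 cmd=MAIL arg=sender@example.net resp=250
2024-05-01T09:00:11Z client=203.0.113.9 cmd=RCPT arg=alice@example.com resp=250
2024-05-01T09:00:12Z client=203.0.113.9 cmd=DATA arg=- resp=354
"""

# Constructed log format: timestamp, client address, command, argument, reply code.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) cmd=(?P<cmd>\S+) "
    r"arg=(?P<arg>\S+) resp=(?P<resp>\d{3})$"
)
PROBE_COMMANDS = {"VRFY", "EXPN"}

def parse_log(text: str) -> list[dict]:
    """Parse the constructed log format into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ev["resp"] = int(ev["resp"])
        events.append(ev)
    return events

def detect_enumeration(events, threshold=5, window=timedelta(minutes=1)):
    """Flag a client that issues >= threshold VRFY/EXPN commands inside one
    sliding window, and a client whose RCPT TO attempts (at least threshold
    of them) are mostly rejected with 5xx codes, the RCPT TO probing variant."""
    probes = defaultdict(list)
    rcpt = defaultdict(lambda: [0, 0])  # client -> [rejected, total]
    for ev in events:
        if ev["cmd"] in PROBE_COMMANDS:
            probes[ev["client"]].append(ev["ts"])
        elif ev["cmd"] == "RCPT":
            rcpt[ev["client"]][1] += 1
            if 500 <= ev["resp"] < 600:
                rcpt[ev["client"]][0] += 1
    alerts = []
    for client, stamps in probes.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:   # slide the window
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"client": client, "kind": "vrfy_expn_burst",
                               "count": end - start + 1})
                break
    for client, (rejected, total) in rcpt.items():
        if total >= threshold and rejected / total >= 0.8:
            alerts.append({"client": client, "kind": "rcpt_rejection_ratio",
                           "count": rejected})
    return alerts

if __name__ == "__main__":
    for alert in detect_enumeration(parse_log(SAMPLE_LOG)):
        print(alert)
```

The threshold and window are deliberately parameters: a mailing-list server legitimately sees many RCPT TO commands per session, so the RCPT rule keys on the rejection ratio rather than on volume alone.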
SMTP Enumeration Tools:
The following table lists tools for performing SMTP enumeration:
Sl.no  Name of the tool  Description / web links
01     NetScan Tools Pro http://www.netscantools.com/nstpromain.html
02     SMTP User Enum    http://pentestmonkey.net/tools/user-enumeration/smtp-user-enum
SMTP Security controls:
The following security controls help prevent SMTP enumeration attacks:
- Ignore email responses from unknown recipients
- Disable open relay functionality
- Remove sensitive information such as the mail server name and localhost details from mail responses
What is DNS?
DNS stands for Domain Name Service, and it is primarily designed as a hierarchical, decentralized, distributed naming system for computers, services, or any resource connected to the network. DNS resolves hostnames to their respective IP addresses and vice versa. DNS internally maintains a database for storing the records. The following are the most commonly used record types in DNS:
- Start of Authority (SOA)
- IP addresses (A and AAAA)
- SMTP mail exchangers (MX)
- Nameservers (NS)
- Pointers for reverse DNS lookups (PTR)
- Domain name aliases (CNAME)
DNS works over both UDP and TCP on well-known port number 53. It uses UDP for resolving queries and TCP for zone transfers. A DNS zone transfer allows DNS databases to replicate a portion of the database from the primary server to a secondary server. DNS zone transfers must only be allowed to validated secondary DNS servers acting as clients.
DNS Enumeration:
DNS enumeration is possible by sending a zone transfer request to the primary DNS server while pretending to be a client. The server reveals sensitive domain records in response to the request.
DNS Enumeration Tools:
The following table lists tools for performing DNS enumeration:
Sl.no  Name of the tool  Description / web links
01     nslookup          https://centralops.net/co/
02     DNS Dumpster      https://dnsdumpster.com/
03     DNS Recon         http://tools.kali.org/information-gathering/dnsrecon
DNS Security controls:
The following security controls help prevent DNS enumeration attacks:
- Configure DNS servers not to send DNS zone transfers to unauthenticated hosts.
- Ensure DNS zone transfers do not contain HINFO information.
- Trim DNS zone files to prevent revealing unnecessary information.
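The first two controls can be audited from configuration files. The following added example (not code from the original article) parses BIND-style named.conf zone blocks and reports zones whose effective allow-transfer is "any" or is not restricted anywhere, and scans a zone file for HINFO records. The allow-transfer directive is BIND's; the zone names, file names, addresses, key name and zone-file records in the two sample texts are constructed for this example, and the parser assumes the common layout in which each top-level block is closed by "};" on its own line.

```python
# Added example: audit zone-transfer restrictions and HINFO records.
import re

# Constructed sample named.conf: a global restriction, one zone that overrides
# it with "any", one with a proper secondary-only ACL, one that inherits.
SAMPLE_NAMED_CONF = """\
options {
    directory "/var/named";
    allow-transfer { none; };
};

zone "corp.example" {
    type master;
    file "corp.example.zone";
    allow-transfer { any; };
};

zone "internal.example" {
    type master;
    file "internal.example.zone";
    allow-transfer { 192.0.2.53; key xfer-key; };
};

zone "legacy.example" {
    type master;
    file "legacy.example.zone";
};
"""

# Constructed sample zone file containing one HINFO record.
SAMPLE_ZONE_FILE = """\
$TTL 3600
@        IN  SOA   ns1.corp.example. hostmaster.corp.example. (2024050101 3600 900 604800 300)
@        IN  NS    ns1.corp.example.
ns1      IN  A     192.0.2.53
fileserv IN  A     192.0.2.20
fileserv IN  HINFO "Intel" "Windows Server"
mail     IN  MX 10 mail.corp.example.
"""

# Top-level "options { ... };" and "zone "name" { ... };" blocks.
BLOCK_RE = re.compile(r'(options|zone\s+"([^"]+)")\s*\{(.*?)\n\};', re.S)
TRANSFER_RE = re.compile(r"allow-transfer\s*\{([^}]*)\};")

def parse_allow_transfer(body: str):
    """Return the allow-transfer ACL entries of a block, or None if absent."""
    m = TRANSFER_RE.search(body)
    if not m:
        return None
    return [item.strip() for item in m.group(1).split(";") if item.strip()]

def audit_zone_transfers(conf: str) -> list[dict]:
    """One finding per zone whose effective allow-transfer is 'any' or is not
    set explicitly in the zone or in the options block."""
    global_acl = None
    zones = []
    for m in BLOCK_RE.finditer(conf):
        if m.group(1) == "options":
            global_acl = parse_allow_transfer(m.group(3))
        else:
            zones.append((m.group(2), parse_allow_transfer(m.group(3))))
    findings = []
    for name, acl in zones:
        effective = acl if acl is not None else global_acl   # zone overrides options
        if effective is None:
            findings.append({"zone": name,
                             "reason": "no allow-transfer in zone or options; relies on server default"})
        elif any(entry.lower() == "any" for entry in effective):
            findings.append({"zone": name,
                             "reason": "allow-transfer { any; } exposes the full zone"})
    return findings

def find_hinfo_records(zone_text: str) -> list[str]:
    """Return the owner names of HINFO records, which reveal hardware and OS details."""
    return [line.split()[0] for line in zone_text.splitlines()
            if re.search(r"\sIN\s+HINFO\s", line)]

if __name__ == "__main__":
    for f in audit_zone_transfers(SAMPLE_NAMED_CONF):
        print(f"zone {f['zone']}: {f['reason']}")
    print("HINFO owners:", find_hinfo_records(SAMPLE_ZONE_FILE))
```

Restricting transfers by source address alone is still only as strong as the network; the internal.example entry shows the stronger form, a TSIG key alongside the secondary's address, so that a transfer request is both authenticated and limited to that peer.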
Windows Enumeration:
The Windows operating system can be enumerated with multiple tools from Sysinternals. Many more Sysinternals tools can be downloaded from the following URL: https://technet.microsoft.com/en-in/sysinternals/bb545021.aspx. The following table lists some of the important utilities.
Sl.no  Name of the tool  Description / web links
01     PsExec            Executes processes on a remote machine
02     PsFile            Displays a list of files opened remotely
03     PsGetSid          Translates a SID to a display name and vice versa
04     PsKill            Kills processes on a local or remote machine
05     PsInfo            Displays installation details, install date, kernel build, physical memory, processor type and number, etc.
06     PsList            Displays process, CPU, memory and thread statistics
07     PsLoggedOn        Displays locally and remotely logged-on users
08     PsLogList         Views event logs
Windows Security controls:
The following security controls help prevent Windows enumeration attacks:
- Minimize the attack surface by removing any unnecessary or unused service
- Ensure Windows Firewall is configured to restrict access
UNIX or Linux Enumeration:
A UNIX or Linux operating system can be enumerated with multiple command-line utilities provided by the OS. The following table lists these utilities.
Sl.no  Name of the tool  Description / web links
01     finger            Enumerates users on a remote machine
02     rpcinfo           Enumerates Remote Procedure Call (RPC) services
03     rpcclient         Enumerates usernames on Linux
04     showmount         Enumerates the list of shared directories
05     Enum4Linux        https://labs.portcullis.co.uk/tools/enum4linux/
Linux Security controls:
The following security controls help prevent Linux enumeration attacks:
- Minimize the attack surface by removing any unnecessary or unused service
- Ensure iptables is configured to restrict access.