Hacking Monks: Enumeration in Hacking

Enumeration is defined as a process which establishes an active
connection to the target hosts to discover potential attack vectors in the system, and the same can be used for further exploitation of the system.

Enumeration is used to gather the below

Usernames, Group names

Hostnames

Network shares and services

IP tables and routing tables

Service settings and Audit configurations

Application and banners

SNMP and DNS Details

Significance of enumeration:

Enumeration is often considered as a critical phase in Penetration testing as the outcome of enumeration can be used directly for exploiting the system.

Enumeration classification:

Enumeration can be performed on the below -)

NetBios Enumeration

SNMP Enumeration

LDAP Enumeration

NTP Enumeration

SMTP Enumeration

DNS Enumeration

Windows Enumeration

UNIX /Linux Enumeration

The rest of the article explains each one of the above enumeration along with tools and controls for preventing the same.

What is NetBIOS?

NetBIOS stands for Network Basic Input Output System. IBM developed it along with Sytek. The primary intention of NetBIOS was developed as Application Programming Interface (API) to enable access to LAN resources by the client’s software.

NetBIOS naming convention starts with 16-ASCII character string used to identify the network devices over TCP/IP; 15-characters are used for the device name, and the 16th character is reserved for the service or name record type.

NetBIOS Enumeration Explained:

NetBIOS software runs on port 139 on Windows operating system. File and printer service needs to be enabled to enumerate NetBIOS over Windows Operating system. An attacker can perform the below on the remote machine.

Choose to read or write to a remote machine depending on the availability of shares

Launch a Denial of Service (DoS) attack on the remote machine

Enumerate password policies on the remote machine

NetBIOS Enumeration Tools:

The following table shows the list of tools to perform NetBIOS Enumeration:

Sl.no Name of the tool Web Links

01 Nbtstat www.technet.microsoft.com

02 SuperScan http://www.mcafee.com/in/downloads/free-tools/superscan.aspx

03 Hyena http://www.systemtools.com/hyena/

04 Winfingerprint https://packetstormsecurity.com/files/38356/winfingerprint-0.6.2.zip.html

05 NetBIOS enumerator http://nbtenum.sourceforge.net/

NetBIOS Security controls:

The following are the security controls to prevent NetBIOS enumeration attacks

Minimize the attack surface by minimizing the unnecessary service like Server Message Block (SMB).

Remove File and Printer sharing in Windows OS.

What is SNMP?

SNMP stands for Simple Network Management Protocol is an application-layer protocol that runs on User Datagram Protocol (UDP). It is used for managing network devices which run on IP layer like routers. SNMP is based on a client-server architecture where SNMP client or agent is located on every network device and communicates with the SNMP managing station via requests and responses. Both SNMP request and responses are configurable variables accessible by the agent software. SNMP contains two passwords for authenticating the agents before configuring the variables and for accessing the SNMP agent from the management station.

SNMP Passwords are:

Read Community string are public, and configuration of the device can be viewed with this password

Read/Write community string are private, and configuration of the device can be modified using this password.

SNMP uses virtual hierarchical database internally for managing the network objects, and it is called Management Information Base (MIB). MIB contains tree like structure, and object ID uniquely represents each network object. The network objects can be viewed or modified based on the SNMP passwords.

SNMP Enumeration:

Default SNMP password allow attackers to view or modify the SMMP configuration settings. Attackers can enumerate SNMP on remote network devices for the following:

Information about network resources such as routers, shares, devices, etc.

ARP and routing tables

Device specific information

Traffic statistics etc.

SNMP Enumeration Tools:

The following table shows the list of tools to perform SNMP Enumeration:

Sl.no Name of the tool Web Links

01 OpUtils https://www.manageengine.com/products/oputils/

02 SolarWinds http://www.solarwinds.com/

03 SNScan http://www.mcafee.com/us/downloads/free-tools/snscan.aspx

04 SNMP Scanner http://www.secure-bytes.com/snmp-scanner.php

05 NS Auditor http://www.nsauditor.com/

SMTP Security controls:

The following are the security controls to prevent SNMP enumeration attacks

Minimize the attack surface by removing the SNMP agents where not needed

Change default public community string

Upgrade to SNMPv3 which encrypts the community strings and messages

Implement group policy for additional restriction on anonymous connections

Implement firewall to restrict unnecessary connections

Implement IPSec filtering

Block access to TCP/UDP ports 161

Encrypt and authenticate using IPSEC

What is LDAP?

LDAP Stands for Light Weight Directory Access Protocol and it is an Internet protocol for accessing distributed directory services like Active Directory or OpenLDAP etc. A directory service is a hierarchical and logical structure for storing records of users. LDAP is based on client and server architecture. LDAP transmits over TCP and information is transmitted between client and server using Basic Encoding Rules (BER).

LDAP Enumeration:

LDAP supports anonymous remote query on the Server. The query will disclose sensitive information such as usernames, address, contact details, Department details, etc.

LDAP Enumeration Tools:

The following table shows the list of tools to perform LDAP Enumeration:

Sl.no Name of the tool Web Links

01 Softerra LDAP Administrator http://www.ldapadministrator.com/

02 Jxplorer http://jxplorer.org/

03 active directory domain services management pack for system center https://www.microsoft.com/en-in/download/details.aspx?id=21357

04 LDAP Admin Tool http://www.ldapadmin.org/

05 LDAP Administrator tool https://sourceforge.net/projects/ldapadmin/

LDAP Security controls:

The following are the security controls to prevent LDAP enumeration attacks

Use SSL to encrypt LDAP communication

Use Kerberos to restrict the access to known users

Enable account lockout to restrict brute forcing

What is NTP?

NTP stands for Network Time protocol designed to synchronize clocks of networked computers. NTP can achieve accuracies of 200 milliseconds or better in local area networks under ideal conditions. NTP can maintain time to within ten milliseconds (1/100 second) over the Internet. NTP is based on agent-server architecture where agent queries the NTP server, and it works on User Datagram Protocol (UDP) and well-known port 123.

NTP Enumeration:

An attacker can enumerate the following information by querying NTP server.

List of hosts connected to the NTP server

Internal Client IP addresses, Hostnames and Operating system used.

NTP Enumeration Tools:

The following table shows the list of tools to perform NTP Enumeration:

Sl.no Name of the tool Description / web lInks

01 ntptrace Query to determine from where the NTP server updates its time and traces the chain of NTP servers from a source

02 ntpdc Query the ntp Deamon about its current state and to request changes in the state

03 Ntpq Monitors NTP daemon ntpd operations and determine performance

NTP Security controls:

The following are the security controls to prevent NTP enumeration attacks

Restrict the usage of NTP and enable the use of NTPSec where possible

Filter the traffic with IPTables

Enable logging for the messages and events

What is SMTP?

SMTP stands for Simple Mail Transfer Protocol and it is designed for electronic mail (E-Mail) transmissions. SMTP is based on client-server architecture and works on Transmission Control Protocol (TCP) on well-known port number 25. SMTP uses Mail Exchange (MX) servers to send the mail to via the Domain Name Service, however, should an MX server not detected; SMTP will revert and try an A or alternatively SRV records.

SMTP Enumeration:

SMTP provides three built-in commands

VRFY – validate users on the SMTP servers

EXPN – Delivery addresses of aliases and mailing lists

RCPT TO – Defines the recipients of the message

SMTP servers respond differently to the commands mentioned above, and SMTP enumeration is possible due to varied responses. Attackers can determine the valid users on the SMTP servers with the same technique.

SMTP Enumeration Tools:

The following table shows the list of tools to perform SMTP Enumeration:

Sl.no Name of the tool Description / web lInks

01 NetScan Tools Pro http://www.netscantools.com/nstpromain.html

02 SMTP User Enum http://pentestmonkey.net/tools/user-enumeration/smtp-user-enum

SMTP Security controls:

The following are the security controls to prevent SMTP enumeration attacks

Ignore email responses from unknown recipients

Disable open relay functionality

Prune any sensitive information like mail server and localhost in the mail responses

What is DNS?

DNS stands for Domain Name Service, and it is primarily designed as hierarchical decentralized distributed naming systems for computers, services, or any resource connected to the network. DNS resolves hostnames to its respective IP addresses and vice versa. DNS internally maintains a database for storing the records. The following are the most commonly used record types in DNS.

Start of Authority (SOA),

IP addresses (A and AAAA),

SMTP mail exchangers (MX),

Nameservers (NS),

Pointers for reverse DNS lookups (PTR), and

Domain name aliases (CNAME)

DNS works on both UDP and TCP on well-known port number 53. It uses UDP for resolving queries and TCP for zone transfers. DNS zone transfer allows DNS databases to replicate the portion of the database from primary server to the secondary server. DNS zone transfer must only be allowed by other validated secondary DNS servers acting as clients.

DNS Enumeration:

DNS enumeration is possible by sending zone transfer request to the DNS primary server pretending to be a client. It reveals sensitive domain records in response to the request.

DNS Enumeration Tools:

The following table shows the list of tools to perform DNS Enumeration:

Sl.no Name of the tool Description / web lInks

01 nslookup https://centralops.net/co/

02 DNS Dumpster https://dnsdumpster.com/

03 DNS Recon http://tools.kali.org/information-gathering/dnsrecon

DNS Security controls:

The following are the security controls to prevent DNS enumeration attacks

Configure DNS servers not to send DNS zone transfers to unauthenticated hosts.

Ensure DNS zone transfers do not contain HINFO information

Ensure to trim DNS zone files to prevent revealing unnecessary information

Windows Enumeration:

Windows Operations system can be enumerated with multiple tools from Sysinternals. Many more sysinternal tools can be downloaded from the following URL https://technet.microsoft.com/en-in/sysinternals/bb545021.aspx. The following list is the list of some important utilities.

Sl.no Name of the tool Description / web lInks

01 PsExec Execute processes on remote machine

02 PsFile Displays list of files opened remotely.

03 PsGetSid Translate SID to display name and vice versa

04 PsKill Kill processes on local or remote machine

05 PsInfo Displays installation, install date, kernel build, physical memory, processors type and number, etc.

06 PsList Displays process, CPU, Memory, thread statistics

07 PsLoggedOn Displays local and remote logged users

08 PsLogList View Event logs

Windows Security controls:

The following are the security controls to prevent Windows enumeration attacks

Minimize the attack surface by removing any unnecessary or unused service