Module: Enumeration

Enumeration phase attacker creates active connection to system and performs directed quires to gain more information about the target.

Attackers use extracted information to identify system attack points and perform password attack to gain unauthorized access to information system resources.

Enumeration techniques are conducted an intranet environment.

Techniques for enumeration

Extract user names using email IDs.

Extract information using the default passwords.

Extract user names using SNMP.

Brute force active Directory.

Extract user groups from windows.

Extract information using DNS Zone transfer.

SMB

The Server Message Block Protocol (SMB protocol) is a client-server communication protocol used for sharing access to files, printers, serial ports and other resources on a network. It can also carry transaction protocols for interprocess communication.

o SMB1 – Windows 2000, XP and Windows 2003.

o SMB2 – Windows Vista SP1 and Windows 2008

o SMB2.1 – Windows 7 and Windows 2008 R2

o SMB3 – Windows 8 and Windows 2012.

NetBIOS (Network Basic Input/output System) is a program that allows applications on different computers to communicate within a local area network (LAN).

What is the use of NetBIOS over TCP IP?

NetBIOS over TCP/IP. NetBIOS over TCP/IP (NBT, or sometimes NetBT) is a networking protocol that allows legacy computer applications relying on the NetBIOS API to be used on modern TCP/IP networks.

NetBT uses the following TCP and UDP ports:

UDP port 137 (name services)

UDP port 138 (datagram services)

TCP port 139 (session services) NetBIOS over TCP/IP is specified by RFC 1001 and RFC 1002. The Netbt.sys driver is a kernel -mode component that supports the TDI interface.

Nbtstat utility in windows display NetBIOS over tcp/ip (NetBet) protocol statistics, NetBIOS name tables for both the local and remote computers, and the NetBIOS name cache.

# Nbstat.exe -c

# nbtstat.exe -a -IP address of the target-   (to get the NetBIOS name table of remote computer)

# nbtscan -r 192.168.0.1-254

Nbtstat.exe for windows

Nbtscan for the Linux

For windows tool – Superscan

Scanning for the NetBIOS Service

The SMB NetBIOS32 service listens on TCP ports 139 and 445, as well as several UDP

ports. These can be scanned with tools, such as nmap, using syntax similar to the following:

# nmap -p135,139,445 -r 192.168.0.1-254 –open

DNS enumeration is the process of locating all the DNS servers and their corresponding records for an organization. A company may have both internal and external DNS servers that can yield information such as usernames, computer names, and IP addresses of potential target systems.

Testing site: http://www.megacorpone.com/

# host -t ns megacorpone.com     – ns for the nameserver of the target website

# host -t mx megacorpone.com    – mx for the mail server of the target website

DNS Zone transfer is the process where a DNS server passes a copy of part of it’s database (which is called a “zone“) to another DNS server. … It’s worth stopping zone transfer attacks, as a copy of your DNS zone may reveal a lot of topological information about your internal network.

# host -l megacorponje.com _input the domain name_

Other methods to DNS enumeration Zone transfer

# dnsrecon -d megacorpone.com -t axfr

# dnsenum megacorpone.com

Null Session

Securing Server Message Block (SMB) Against Null Session Enumeration. Null session functionality within the SMB protocol enables anonymous access to hidden administrative shares on a system. Once a user is connected to a share through a null session, they can enumerate information about the system and environment.

rpcclient is a utility initially developed to test MS-RPC functionality in Samba itself. It has undergone several stages of development and stability. Many system administrators have now written scripts around it to manage Windows NT clients from their UNIX workstation.

#  rpcclient -U “” -Target IP address-

# help

In this session we are getting access to a server without a password.

Enum4linux

Enum4linux is a tool for enumerating information from Windows and Samba systems. 

# enum4linux -a -Target IP address-

Enumeration DNS

$nmap -T4 -sS -p 53 $IP/24


Enumerate ALL DNS records! Maybe hidden hosts in network recon

$dig -t all target1 target2 target3 @$DNSSERVER


DNS recon (brute force subdomains):

$dnsrecon -d $IP -t std -D /usr/share/wordlists/dnsmap.txt

$dnsenum $DOMAIN

$fierce -dns $DOMAIN -wordlist dictionary.txt

DNS zone transfer

$host -la $DOMAIN. $DNSSERVER

$perl fierce.pl -dns $DOMAIN. -search $HOST

$dig axfr $TARGET @$DNSSERVER

$dnsrecon -d $DOMAIN -t axfr

Enumeration NetBIOS

$nbtscan -r $IP/24

$enum4linux -a $IP

$nmblookup -A $IP

Enumeration SMB / SAMBA

$nmap --script smb-os-discovery --open -p 139 $IP

$nmap --script smb-os-discovery -p 139 --open $IP/24 -oX smb.xml

$smbmap.py -H $IP

$smbmap.py -H $IP -u Guest -R

$smbmap.py -H $IP --upload $FILE $SHARE


Recursive download:

$smbget -a smb://$IP/$FILE -R


Enumerate Users

$python /usr/share/doc/python-impacket-doc/examples/samrdump.py $IP


Enumerate shares

$crackmapexec --shares $IP/24


To list shares

$smbclient -L $IP


or,

$smbmap -H $IP

To connect to a share, shell style

$smbclient //$IP/wwwroot

Enumeration RPC over DC (NULL SESSIONS)

$rpcclient -U "" -c enumdomusers $IP

$rpcclient -U "" $IP -N -c "lsaquery"

$rpcclient -U "" $IP -N -c "lookupnames Guest"

$rpcclient -U "" $IP -N -c "lookupnames Administrator"

Afterwards check https://github.com/trustedsec/ridenum.git

Enumeration RPC

Port 111 rpcbind

$rpcinfo $IP

$rpcinfo -p $IP

OS

$xprobe2 $IP

$nmap -O $IP

Domain Controller

$nmap -sS -T4 -p 3268 --open $IP/24

How to recognize a DC in a windows environment

DC Method 1: Netbios

If port 137 (TCP-UDP) open, a DC uses as a netbios suffixes:

  • For unique names: <1B> Domain Master Browser (PDC)
  • For group names: <1C> Domain Controllers for a domain

DC Method 2: Global Catalog Service

  • Use nmap
  • As a Active Directory Server open ports 3268 and 3269 (SSL) for the Global Catalog Service (LDAP protocol).
  • Attention: LDAP protocol uses 389 and 636 (SSL).

DC Method #3

From the Windows machine:

C:>echo %logonserver%

C:>nltest /dclist:$DOMAIN

DC Method #4

msf>use post/windows/gather/enum_domain

msf>set SESSION 1

msf>run

HTTP / WebDAV

Enumeration HTTP

The following tools are useful to enumerate paths and files inside webservers, they operate in a similar way as a web crawler or web spider.

$nmap --open -sV -p 80,8080,443,8000 -O $IP/24


Virtual domains

$nmap --open --script=hostmap -p 80 $IP


TRACE method

$nmap --open --script=http-trace -p 80 $IP


Enumerate userdir:

$nmap --open --script=http-userdir-enum $IP


Nikto scanner:

$nikto -host http://$IP


Dirb scanner:

$dirb http://$IP


For WordPress:

$wpscan http://$IP


For Joomla:

$joomscan http://$IP


Gobuster (https://github.com/OJ/gobuster):

$gobuster -u https://$DOMAIN -w /usr/share/dirb/wordlists/common.txt

$gobuster -u https://$DOMAIN -c 'session=123456' -t 50 -w /usr/share/dirb/wordlists/common.txt -x .php,.html

Enumeration WebDAV

$davtest -cleanup -url http://$IP

$cadaver http://$IP

    dav:/> put webshell.txt
    dav:/> copy webshell.txt ws.asp

SNMP

$nmap -p 161 --script snmp-enum $IP

$snmp-check $IP


Very useful

$snmp-check -v2c -c public $IP

$python /usr/share/doc/python-impacket-doc/examples/samrdump.py SNMP $IP

$onesixtone -w 0 $IP


For scanning

$onesixtyone -c <community> -i <ip_list_file>


For enumeration low level (MIB)

$snmpwalk -c public -v1 $IP


SNMP on different port:

root #snmpwalk -v 2c -c public $IP:666

root #snmp-check -p 6492 $IP

LDAP

$ldapwhoami

$ldapsearch -H ldap://$IP/

$ldapsearch -x -h $IP -s base

SSH

$TOOLS/enumSSH

$nmap --script ssh-hostkey -p 22 $IP/24 --open -sS

$ssh-keyscan $IP

$./TOOLS/ssh-vulnkey $IP TOOLS/ssh-blacklist/blacklist.all

FTP

$nmap --script=ftp* $IP

SMTP

$nmap --open --script smtp-enum-users -sS -p 25 -sV $IP/24

TFTP

$nmap --open -sU -p 69 $IP/24

NFS

$showmount -e $IP

$showmount -a $IP

$mount.nfs $IP:$DIR $LOCALDIR

NTP

Show clients that have queried this server:

$ntpdc -n -c monlist $IP

$nmap -sU -p 123 --script=ntp-info $ip

TLS / SSL

$sslscan $IP

$nmap -sV --script ssl-enum-ciphers -p 443 $IP

Redis-server

$(printf "info\r\n"; sleep 1) | netcat 192.168.45.67 6379

SSDP server

$tcpdump -n -A host $IP & perl -e 'print "M-SEARCH * HTTP/1.1\r\nHost:239.255.255.250:1900\r\nST:upnp:rootdevice\r\nMan:\"ssdp:discover\"\r\nMX:3\r\n\r\n"' > /dev/udp/$IP/1900

memcached

$echo "stats"

$ netcat $IP 11211

$echo -en "\x00\x00\x00\x00\x00\x01\x00\x00stats\r\n" | netcat -u $IP 11211

elasticsearch

$echo -ne "GET / HTTP/1.0\r\n\r\n" | netcat 192.168.45.67 9200

avahi-daemon / mDNS

$dig +short -p 5353 -t ptr _services._dns-sd._udp.local @$IP

Mongo

$mongo --host $IP

RDP

rdp-sec-check

LEAVE A REPLY

Please enter your comment!
Please enter your name here