
MSC 2 SEM 3 PAPER 1
Niranjana.S.Karandikar Page 1

ENUMERATION

Vulnerability Assessment and Penetration Testing (VAPT) are two tests done in order to secure an organization. Vulnerability Assessment includes searching for vulnerabilities, and penetration testing includes exploiting the vulnerabilities with the use of manual or automated testing.

The following steps are followed in the process of VAPT:

1. Reconnaissance
2. Scanning & Enumeration
3. Gaining Access
4. Maintaining Access
5. Clearing Tracks
6. Leaving Backdoors

Enumeration is defined as the process of extracting user names, machine names, network resources, shares, and services from a system. In the enumeration phase, the attacker creates active connections to the system and performs directed queries to gain more information about the target. The attacker uses the gathered information to identify the vulnerabilities or weak points in system security and then tries to exploit them.

Enumeration techniques are conducted in an intranet environment. It involves making active connections to the target system. It is possible that the attacker stumbles upon a remote IPC share, such as IPC$ in Windows, that can be probed with a null session, allowing shares and accounts to be enumerated.

Penetration testing is much more than just running exploits against vulnerable systems. In fact, a penetration test begins before penetration testers have even made contact with the victim systems.

As an expert ethical hacker and penetration tester you must know how to enumerate target networks and extract lists of computers, user names, user groups, ports, operating systems, machine names, network resources, and services using various enumeration techniques.

Information enumerated by intruders includes:


Network resources and shares
Users and groups
Routing tables
Auditing and service settings
Machine names
Applications and banners
SNMP and DNS details

Through enumeration, an attacker may gather sensitive information about an organization if its security is not strong. He or she may then use that sensitive information to hack and break into the organization's network. If an attacker breaks into the organization, then the organization potentially faces huge losses in terms of information, service, or finance. Therefore, to avoid these kinds of attacks, every organization must test its own security. Testing the security of an organization legally against enumeration is called enumeration pen testing. Enumeration pen testing is conducted with the help of the data collected in the reconnaissance phase.

As a pen tester, conduct enumeration penetration tests to check whether the target network is revealing any sensitive information that may help an attacker to perform a well-planned attack. Apply all types of enumeration techniques to gather sensitive information such as user accounts, IP addresses, email contacts, DNS, network resources and shares, application information, and much more. Try to discover as much information as possible regarding the target. This helps you determine the vulnerabilities/weaknesses in the target organization's security.

Steps in Enumeration

Step 1
Find the network range

If you want to break into an organization's network, you should know the network range first. This is because if you know the network range, then you can mask yourself as a user falling within the range and then try to access the network. So the first step in enumeration pen testing is to obtain information about the network range. You can find the network range of the target organization with the help of tools such as Whois Lookup.


Step 2
Calculate the subnet mask

Once you find the network range of the target network, calculate the subnet mask required for the IP range using tools such as Subnet Mask Calculator. You can use the calculated subnet mask as an input to many of the ping sweep and port scanning tools for further enumeration, which includes discovering hosts and open ports.

Step 3
Undergo host discovery

Find the important servers connected to the Internet using tools such as Nmap. The Nmap syntax to find the servers connected to the Internet is as follows: nmap -sP <network range>. In place of <network range>, enter the network range value obtained in the first step.
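Steps 1 to 3 above, worked in Python as an added example (this is not code from the original paper): the address range a whois lookup reports is turned into the CIDR blocks and subnet masks that ping sweep and port scanning tools take as input, and then into the host list such a sweep would iterate over. It also covers the case the text does not mention, a registry range that does not align to a single block. The NetRange line and all addresses are constructed from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24, so nothing here refers to a real network; the function names are my own.

```python
import ipaddress

# Constructed sample: the kind of NetRange line a whois lookup returns.
# 203.0.113.0/24 is a documentation range, so this points at no real network.
SAMPLE_NETRANGE = "NetRange: 203.0.113.0 - 203.0.113.63"


def parse_netrange(line):
    """Extract the first and last address from a whois-style 'NetRange: a - b' line."""
    _, _, value = line.partition(":")
    first, _, last = value.partition("-")
    return ipaddress.ip_address(first.strip()), ipaddress.ip_address(last.strip())


def range_to_cidrs(first, last):
    """Smallest list of CIDR blocks that exactly covers first..last (step 2).

    A registry range does not always align to one block; a range such as
    198.51.100.0 - 198.51.100.100 needs several, each with its own mask."""
    return list(ipaddress.summarize_address_range(first, last))


def describe_range(line):
    """For each block in the range: (CIDR, dotted subnet mask, usable host count)."""
    first, last = parse_netrange(line)
    result = []
    for net in range_to_cidrs(first, last):
        # Network and broadcast addresses are not hosts, except in /31 and /32.
        usable = net.num_addresses - 2 if net.prefixlen < 31 else net.num_addresses
        result.append((str(net), str(net.netmask), usable))
    return result


def sweep_targets(cidr):
    """Host addresses a ping sweep (e.g. nmap -sP) over this block would probe (step 3)."""
    return [str(h) for h in ipaddress.ip_network(cidr).hosts()]


if __name__ == "__main__":
    for cidr, mask, hosts in describe_range(SAMPLE_NETRANGE):
        print(f"{cidr}  mask {mask}  {hosts} usable hosts")
    print("first sweep target:", sweep_targets("203.0.113.0/26")[0])
```

Feeding each CIDR from describe_range to the sweep separately is the safe habit: rounding a mis-aligned range up to one larger block would probe addresses outside the scope you were given.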

Step 4
Perform port scanning

It is very important to discover the open ports and close them if they are not required. This is because open ports are the doorways for an attacker to break into a target's security perimeter. Therefore, perform port scanning to check for the open ports on the nodes. This can be accomplished with the help of tools such as Nmap.

Step 5
Perform DNS enumeration

Perform DNS enumeration to locate all the DNS servers and their records. The DNS servers provide information such as system names, user names, IP addresses, etc. You can extract all this information with the help of the Windows utility nslookup.

Step 6
Perform NetBIOS enumeration

Perform NetBIOS enumeration to identify the network devices over TCP/IP and to obtain a list of computers that belong to a domain, a list of shares on individual hosts, and policies and passwords. You can perform NetBIOS enumeration with the help of tools such as SuperScan, Hyena, and WinFingerprint.

Step 7
Perform SNMP enumeration


Perform SNMP enumeration by querying the SNMP server in the network. The SNMP server may reveal information about user accounts and devices. You can perform SNMP enumeration using tools such as OpUtils and SolarWinds IP Network Browser.

Step 8
Perform Unix/Linux enumeration

Perform Unix/Linux enumeration using tools such as Enum4linux. You can use commands such as showmount, finger, rpcinfo (RPC), rpcclient, etc. to enumerate UNIX network resources.

Step 9
Perform LDAP enumeration

Perform LDAP enumeration by querying the LDAP service. By querying the LDAP service you can enumerate valid user names, departmental details, and address details. You can use this information to perform social engineering and other kinds of attacks. You can perform LDAP enumeration using tools such as Softerra LDAP Administrator.

Step 10
Perform NTP enumeration

Perform NTP enumeration to extract information such as the hosts connected to the NTP server, client IP addresses, the OS running on client systems, etc. You can obtain this information with the help of commands such as ntptrace, ntpdc, and ntpq.

Step 11
Perform SMTP enumeration

Perform SMTP enumeration to determine valid users on the SMTP server. You can use tools such as NetScanTools Pro to query the SMTP server for this information.

Step 12
Document all the findings

The last step in every pen test is documenting all the findings obtained during the test. You should analyze them and suggest countermeasures for your client to improve their security.


The following techniques are used in Enumeration:

Banner Grabbing

Banner grabbing is an activity that is used to determine information about services that are being run on a remote computer. This technique can be useful to administrators in cataloging their systems, and ethical hackers can also use it during penetration tests. Malicious hackers also use banner grabbing, since the technique can reveal compromising information about the services that are running on a system. The technique works by using Telnet, or a proprietary program, to establish a connection with a remote machine, after which a bad request is sent. That will cause a vulnerable host to respond with a banner message, which may contain information that a hacker could use to further compromise a system.

In a computer networking context, the term banner typically refers to a message that a service transmits when another program connects to it. Default banners often consist of information about a service, such as the version number. The banner for a hypertext transfer protocol (HTTP) service will typically show the type of server software, version number, when it was modified last, and other similar information. When a program such as Telnet is used to intentionally gather this information, it is usually referred to as banner grabbing.

A few different types of software, including Telnet, NetCat and various proprietary programs, can be used to perform banner grabbing. Telnet is a type of network protocol that is used to establish a virtual terminal connection with a remote host. Most operating systems (OSes) come with the ability to establish Telnet sessions, so that is one of the primary ways that banner grabbing is performed. Whether Telnet or another program is used, banners are grabbed by connecting to a host, and then sending a request to a port that is associated with a particular service, such as port 80 for HTTP.
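Banner grabbing turned into a self-check, added here as an example (it is not code from the original paper): grab_banner does the connect-and-read described above, and find_version_disclosure flags product/version strings in whatever comes back, which is how an administrator cataloging their own systems confirms that a "modify banner messages" countermeasure has actually taken effect. The sample banners are constructed; grab_banner needs a live host of your own and is not exercised by the samples. The regular expression and the function names are my own.

```python
import re
import socket

# Constructed sample banners of the kind services send on connect (or, for
# HTTP, in reply to a request). No real host is involved.
SAMPLE_BANNERS = {
    "ftp": "220 (vsFTPd 3.0.3)",
    "ssh": "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.1",
    "smtp": "220 mail.example.test ESMTP",
    "http": "HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\n\r\n",
}

# "<product><separator><dotted version>", e.g. "vsFTPd 3.0.3", "Apache/2.4.41", "OpenSSH_8.9p1"
VERSION_RE = re.compile(r"([A-Za-z][\w.-]*?)[ /_-](\d+(?:\.\d+)+\w*)")
# "SSH-2.0" and "HTTP/1.1" are protocol versions, not product disclosures.
PROTOCOL_TAGS = {"SSH", "HTTP"}


def grab_banner(host, port, probe=b"", timeout=3.0):
    """Connect to host:port, send an optional probe (an HTTP request, say) and
    return the first bytes the service sends back. Only use against hosts you own."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if probe:
            sock.sendall(probe)
        return sock.recv(1024).decode("utf-8", "replace")


def find_version_disclosure(banner):
    """(product, version) pairs the banner gives away, protocol tags excluded."""
    return [(p, v) for p, v in VERSION_RE.findall(banner) if p not in PROTOCOL_TAGS]


def audit(banners):
    """Map service name -> 'ok' or 'version disclosed: <product> <version>, ...'."""
    report = {}
    for name, banner in banners.items():
        hits = find_version_disclosure(banner)
        report[name] = "ok" if not hits else "version disclosed: " + ", ".join(f"{p} {v}" for p, v in hits)
    return report


if __name__ == "__main__":
    for service, finding in audit(SAMPLE_BANNERS).items():
        print(f"{service:5} {finding}")
```

Run against your own inventory, the "ok" entries are the hosts whose banners have already been trimmed; the others name the exact string to change in the service's configuration. Note the SSH sample: hiding the OpenSSH build string is usually not possible without patching, which is one reason patch level, not banner text, is the control that matters there.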

FTP Enumeration

FTP is the File Transfer Protocol. It runs on TCP port 21. It is less used now. It allows upload of (malicious) files and often allows anonymous access using any email address.

Type ftp <ip address> <port number>

Get the banner and determine access. Exploit it!


Countermeasures

Turn off FTP when not in use.
Secure FTP (SFTP) uses SSH and FTP Secure (FTPS) uses SSL.
Use HTTP for public information access.

TELNET Enumeration

Telnet is a network protocol used on the Internet or local area networks to provide a bidirectional interactive text-oriented communication facility using a virtual terminal connection. It runs on TCP port 23. It is used for remote access. It transmits data in clear text. It often displays host system information, and even if it doesn't, the prompt may reveal system information. It may be used for attacking accounts if lockout is not used. It may reveal valid usernames from login attempts.

Countermeasures:

Turn off
Use secure shell (SSH) instead
Modify banner messages
Modify error messages
Account locking/drop connection on login failure.

SMTP Enumeration

Simple Mail Transport Protocol works on TCP port 25. SMTP is a service that can be found in most infrastructure penetration tests. This service can help the penetration tester to perform username enumeration via the EXPN and VRFY commands if these commands have not been disabled by the system administrator. There are a number of ways in which this enumeration through SMTP can be achieved, and they are explained here.

The role of the EXPN command is to reveal the actual addresses behind user aliases and mailing lists, and VRFY can confirm the existence of valid user names.

SMTP enumeration can be performed manually through utilities like telnet and netcat, or automatically via a variety of tools like Metasploit, Nmap and smtp-user-enum.

    Countermeasures


Configure to turn off VRFY and EXPN, or
Configure to require authentication/privileges to use them
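Why the VRFY/EXPN countermeasure works, shown as an added example (not code from the original paper): a minimal handler for the two verbs in a "weak" and a "hardened" mode. In weak mode each reply carries the real result, so the status code alone tells a client whether a name exists; in hardened mode EXPN is refused and every VRFY gets the 252 reply that RFC 5321 permits when a server declines to confirm addresses, so probes for real and invented names are indistinguishable. The user list, the mailing list and the example.test domain are constructed; the class and function names are my own.

```python
# Constructed local users and mailing lists; no real addresses.
LOCAL_USERS = {"alice": "alice@example.test", "bob": "bob@example.test"}
MAILING_LISTS = {"staff": ["alice@example.test", "bob@example.test"]}


class SmtpHandler:
    """Answers the VRFY and EXPN verbs of an SMTP session.

    mode="weak": replies carry the real result (250 for a known name, 550 for
    an unknown one), so each probe tells the client whether a user exists.
    mode="hardened": EXPN is refused and every VRFY gets 252, the reply
    RFC 5321 allows when a server will not confirm addresses."""

    def __init__(self, mode="hardened"):
        if mode not in ("weak", "hardened"):
            raise ValueError("mode must be 'weak' or 'hardened'")
        self.mode = mode

    def handle(self, line):
        """Dispatch one command line as a client would send it."""
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "VRFY":
            return self.vrfy(arg.strip())
        if verb == "EXPN":
            return self.expn(arg.strip())
        return "500 5.5.1 Command unrecognized"

    def vrfy(self, name):
        if self.mode == "hardened":
            # Identical reply for every name: existence cannot be inferred.
            return "252 2.5.2 Cannot VRFY user, but will accept message and attempt delivery"
        addr = LOCAL_USERS.get(name.lower())
        return f"250 2.1.5 {addr}" if addr else "550 5.1.1 User unknown"

    def expn(self, name):
        if self.mode == "hardened":
            return "502 5.5.1 EXPN command not implemented"
        members = MAILING_LISTS.get(name.lower())
        if not members:
            return "550 5.1.1 List unknown"
        # Multi-line reply: "250-" on all but the last line, "250 " on the last.
        return "\r\n".join([f"250-{m}" for m in members[:-1]] + [f"250 {members[-1]}"])


def leaks_user_existence(handler, probes):
    """True if VRFY replies differ across the probed names, i.e. the server
    lets an observer tell real accounts from invented ones."""
    return len({handler.handle(f"VRFY {p}") for p in probes}) > 1


if __name__ == "__main__":
    for mode in ("weak", "hardened"):
        h = SmtpHandler(mode)
        print(mode, "| VRFY alice ->", h.handle("VRFY alice"))
        print(mode, "| VRFY mallory ->", h.handle("VRFY mallory"))
        print(mode, "| leaks:", leaks_user_existence(h, ["alice", "mallory"]))
```

On a real mail server the hardened mode is a configuration setting rather than code: Postfix has disable_vrfy_command = yes, and Sendmail's PrivacyOptions take novrfy and noexpn. One caveat when checking your own server: a 550 at RCPT TO for unknown recipients still distinguishes names, so rate limiting and logging of rejected recipients belong alongside the VRFY/EXPN change.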

DNS Enumeration

DNS enumeration is the process of locating all the DNS servers and their corresponding records for an organization. A company may have both internal and external DNS servers that can yield information such as usernames, computer names, and IP addresses of potential target systems. There are a lot of tools that can be used to gain information for performing DNS enumeration. Examples of tools that can be used for DNS enumeration are NSlookup, DNSstuff, American Registry for Internet Numbers (ARIN), and Whois. To enumerate DNS, you must understand DNS and how it works.

The list of DNS records provides an overview of the types of resource records (database records) stored in the zone files of the Domain Name System (DNS). The DNS implements a distributed, hierarchical, and redundant database for information associated with Internet domain names and addresses. In these domain servers, different record types are used for different purposes. The following list describes the common DNS record types and their use:

A (address): Maps a host name to an IP address
SOA (Start of Authority): Identifies the DNS server responsible for the domain information
CNAME (canonical name): Provides additional names or aliases for the address record
MX (mail exchange): Identifies the mail server for the domain
SRV (service): Identifies services such as directory services
PTR (pointer): Maps IP addresses to host names
NS (name server): Identifies other name servers for the domain

DNS Zone Transfer is typically used to replicate DNS data across a number of DNS servers, or to back up DNS files. A user or server will perform a specific zone transfer request from a name server. If the name server allows zone transfers to occur, all the DNS names and IP addresses hosted by the name server will be returned in human-readable ASCII text.
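A small parser for the text a zone transfer returns, added here as an example (not part of the original paper). It sorts the records into the types listed above and flags A records that point into RFC 1918 space, which is the first thing an administrator reviewing their own name server for an over-permissive zone transfer wants to see: internal host names and addresses that the external zone should never carry. The zone is constructed, using the example.test name and the documentation range 203.0.113.0/24; the function names are my own.

```python
import ipaddress
from collections import defaultdict

# Constructed zone in the form a zone transfer returns (name TTL class type data).
SAMPLE_ZONE = """\
example.test.             3600 IN SOA   ns1.example.test. hostmaster.example.test. 2024010101 7200 900 1209600 3600
example.test.             3600 IN NS    ns1.example.test.
example.test.             3600 IN NS    ns2.example.test.
example.test.             3600 IN MX    10 mail.example.test.
www.example.test.          300 IN A     203.0.113.10
mail.example.test.         300 IN A     203.0.113.20
intranet.example.test.     300 IN A     10.0.0.5
vpn.example.test.          300 IN CNAME gateway.example.test.
_ldap._tcp.example.test.   300 IN SRV   0 0 389 dc1.example.test.
; comment lines are ignored
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_zone(text):
    """Return (name, type, data) tuples for each 'name TTL IN TYPE data' record line."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if "IN" not in parts:
            continue  # not a record line in the form handled here
        i = parts.index("IN")
        records.append((parts[0], parts[i + 1], " ".join(parts[i + 2:])))
    return records


def by_type(records):
    """Group records by type so they can be reviewed against the record list above."""
    groups = defaultdict(list)
    for name, rtype, data in records:
        groups[rtype].append((name, data))
    return dict(groups)


def internal_addresses_exposed(records):
    """A records whose target is RFC 1918 space: internal hosts leaked by the zone."""
    exposed = []
    for name, rtype, data in records:
        if rtype != "A":
            continue
        addr = ipaddress.ip_address(data)
        if any(addr in net for net in RFC1918):
            exposed.append((name, data))
    return exposed


if __name__ == "__main__":
    recs = parse_zone(SAMPLE_ZONE)
    for rtype, entries in by_type(recs).items():
        print(f"{rtype:5} {len(entries)} record(s)")
    print("internal hosts exposed:", internal_addresses_exposed(recs))
```

If a transfer from your own secondary or from an unrelated address succeeds at all, that is the finding; the parser then shows what was handed out. The fix is on the server side (restricting which addresses may request AXFR), and a split-horizon setup that keeps names like intranet.example.test. out of the external zone entirely removes the second finding.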


TFTP Enumeration

Trivial File Transfer Protocol (TFTP) runs on port number 69. It is a simple, lock-step file transfer protocol which allows a client to get a file from or put a file onto a remote host. One of its primary uses is in the early stages of nodes booting from a Local Area Network. TFTP has been used for this application because it is very simple to implement. It may allow download of sensitive files (e.g., /etc/passwd, /etc/shadow, network device configuration files, etc.).

Countermeasures

Turn off, if possible
Wrap in TCP wrapper to restrict access
Limit access to /tftpboot/ directory
Block at border firewall

HTTP Enumeration

Hyper Text Transfer Protocol runs on TCP port 80. While enumerating, the HTTP methods supported by the server can be found out, and web pages can be downloaded for offline viewing.

Countermeasures

Change the banner and use the IIS Lockdown tool, which disables features that are not necessary.

MSRPC Enumeration

Microsoft Remote Procedure Call (MSRPC) runs on TCP 135. RPC is a portmapper for Windows. It gives a list of services with version and IP/protocol/port info. The following tool can be used for enumerating MSRPC: Winfingerprint (SourceForge).

Countermeasures

Restrict outside access
Require use of VPN for external access
Use OWA (Outlook Web Access) for remote mail access

SNMP Enumeration

Simple Network Management Protocol runs on UDP 161. Simple Network Management Protocol (SNMP) is an "Internet-standard protocol for managing devices on IP networks". Devices that typically support SNMP include routers, switches, servers, workstations, printers, modem racks and more.

Countermeasures

Remove or disable SNMP agents on hosts


Use obscure community names (e.g., NOT public or private)
Block port 161 at all perimeter network access devices
Restrict access to specific IP addresses
Use SNMPv3 (more secure)
Set Registry to permit only authorized access

FINGER Enumeration

Finger runs on TCP/UDP 79. It reveals logged-in users, idle times and user information taken from public file information.

Countermeasures

Turn off
Block port 79
Restrict access
Restrict info given

Vulnerability Scanners

Vulnerability Scanners are automated tools that scan web applications to look for known security vulnerabilities such as cross-site scripting, SQL injection, command execution, directory traversal and insecure server configuration. A large number of both commercial and open source tools are available, and all these tools have their own strengths and weaknesses.

The following tools can be used for Enumeration:

NMAP

Methodology

Perform scans to find hosts with NetBIOS ports open (135, 137-139, 445)
Do an nbtstat scan to find generic information (computer names, user names, MAC addresses) on the hosts.
Create a Null Session to these hosts to gain more information

Perform nmap -O scan
Run the command nbtstat -A IPAddress
In the command prompt, type net use \\X.X.X.X\IPC$ "" /u:"" (where X.X.X.X is the address of the host machine, and there are no spaces between the double quotes).


    Confirm it by issuing a general net use command to see connected null sessions from your host.

SuperScan

SuperScan is a TCP port scanner, pinger, and resolver. The tool's features include extensive Windows host enumeration capability, TCP SYN scanning, and UDP scanning.

Methodology

Perform a NetBIOS enumeration. NetBIOS enumeration is carried out to obtain:

List of computers that belong to a domain
List of shares on the individual hosts on the network
Policies and passwords

Overview of NetBIOS Enumeration

1. The purpose of NetBIOS enumeration is to gather information, such as:
   a. Account lockout threshold
   b. Local groups and user accounts
   c. Global groups and user accounts
2. Restrict anonymous bypass routine and also password checking:
   a. Checks for user accounts with blank passwords
   b. Checks for user accounts with passwords that are the same as the usernames in lower case.

SuperScan results comprise the following:

Performing Enumeration Types:
Null Session
MAC Address
Work Station Type
Users
Groups
Domain
Account Policies
Registry

Enumerating NetBIOS Using the NetBIOS Enumerator Tool

This tool scans a range of IP addresses for the following:

Machine Name
NetBIOS Names
User Name


Domain
MAC Address
Round Trip Time (RTT)

Enumerating a Network Using SoftPerfect Network Scanner

SoftPerfect Network Scanner is a free multi-threaded IP, NetBIOS, and SNMP scanner with a modern interface and many advanced features.

NetBIOS enumeration is carried out to detect:

Hardware MAC addresses across routers
Hidden shared folders and writable ones
Internal and external IP addresses

This tool scans a range of IP addresses for the following:

IP Address
Host Names
MAC Address
Response Time

Enumerating a Network Using SolarWinds Toolset

The SolarWinds Toolset provides the tools you need as a network engineer or network consultant to get your job done. The Toolset includes best-of-breed solutions that work simply and precisely, providing the diagnostic, performance, and bandwidth measurements you want, without extraneous, unnecessary features.

SolarWinds scans an IP address for the following:

Interfaces
Services
Accounts
Shares
Hub Ports
TCP/IP Network Routes

Enumerating the System Using Hyena

Hyena uses an Explorer-style interface for operations, including right mouse click popup context menus for all objects. Management of users, groups (both local and global), shares, domains, computers, services, devices, events, files, printers and print jobs, sessions, open files, disk space, user rights, messaging, exporting, job scheduling, processes, and printing are all supported.

This tool helps in the following:

User information in the system
Services running in the system
Local Connections
Users
Local Group
Shares
Sessions
Services
Events
User Rights
Performance
Registry
