Enumeration

Ansh Vaid
8 min read, Oct 29, 2021

In my last blog I discussed techniques for performing scanning. In fact, the tools we used on Linux can also be used on Windows: they are GUI-based applications, and you can easily install and use them on Windows if you already know how to use them on Linux. Now let's move on to the step that follows scanning in this series on Cyber Security and Ethical Hacking.

Attention Future Hackers: It is mandatory to have Kali Linux (Parrot OS works too). No other Linux distro should be used, because the tools and commands I am going to discuss come pre-installed in Kali Linux. On other distros you will have to additionally download and install the packages, and their various dependencies, from the internet. You are learning the concepts of hacking, so it is mandatory for you to have Kali Linux at least.

CAUTION: For practicing hacking, always use these two websites:

http://certifiedhacker.com

http://testphp.vulnweb.com

There are other resources for practice too, but as a beginner these two sites are recommended; I will share other ways in my upcoming blogs once you have the basic concepts. And since you are practicing hacking, you should not try it on any website other than the two mentioned above, because you might end up breaking something on those websites; also, other websites have security measures in place that can track you for doing malicious things and lead to legal action against you.

What is enumeration?

Enumeration is the extraction of additional information about the target network or device, such as the NetBIOS name, routing tables, shared resources, and the user names and group names of the target device. With this information, attackers can find already-known vulnerabilities affecting the target. Following are possible scenarios during enumeration:

  1. You receive an email. From it you can find the username of the person who sent it, as well as the domain name and the server used by the sender. This too is a type of enumeration.
  2. Sometimes routers are configured with default passwords by the manufacturer, and these remain unchanged. This makes it easier to attack such routers, or any other device configured with default passwords.
  3. Active Directory enumeration. Active Directory is a feature of Windows OS which can easily be brute-forced to obtain valid usernames, and their respective passwords can then also be cracked.
  4. Usernames, group names and SIDs can be extracted by the attacker during enumeration.

Other Enumerations

Some enumeration types I have mentioned above, and some are briefly discussed below. The list below is a gist of the enumeration types; the important ones are discussed in more detail after it.

  • DNS zone transfer: Generally, communication between a DNS client and server is done over UDP port 53, but if the size of the message exceeds the limit the communication is done over TCP instead. Some malware uses the same DNS port 53 to exploit vulnerabilities in DNS servers.
  • NetBIOS Name Service: NetBIOS name servers maintain a database of NetBIOS names of hosts and their respective IPs. This service performs name resolution when you share data among Windows machines on a LAN. That is why attackers are interested in attacking name servers.
  • NetBIOS Session Service: This service is used during file transfer between Windows machines on a network. Null sessions are established and resource sharing is done with the help of this service. Attackers target this service to gain unauthorized access to critical file system resources, resulting in data theft.
  • Simple Network Management Protocol: A protocol used for network management, running on devices such as firewalls, switches and other equipment. An attacker can obtain useful information if he is able to intercept the request and response messages.
  • Lightweight Directory Access Protocol: This protocol provides access to distributed directory information services over an Internet Protocol network. LDAP enumeration is mostly done against Windows OS.
  • Simple Mail Transfer Protocol: This protocol is used to transfer emails over the internet. It is a connection-oriented protocol.

1. NetBios Enumeration

NetBIOS, as discussed earlier, is a unique name for a device, used during the transmission of data in a network. It is 16 ASCII characters long, of which 15 are used to identify the device and the 16th is reserved for the service or name record type. So during NetBIOS enumeration an attacker can get a list of devices belonging to a domain, policies, passwords, running services, etc.

Command: nbtstat -[options]
This command is used to see NetBIOS names. Just type nbtstat in the command prompt of your Windows operating system and you will see the various options along with their descriptions. You will get NetBIOS names in the output if any are present in your cache. In my case there were no NetBIOS names present in my cache, so I didn't get any output.

Apart from this, you can use various tools for NetBIOS enumeration. One such tool is NetBIOS Enumerator, a simple tool for NetBIOS enumeration with a simple GUI and options. Following is the output when I scanned an IP range with this tool.

It displayed the NetBIOS name of a machine on the same network, and also the MAC address of that machine. So in these two ways you can do NetBIOS enumeration.
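To make the 16-character name format described above concrete, here is an added example (not code from the original post) that builds a NetBIOS name from its 15-character part plus the 16th suffix byte and applies the first-level encoding from RFC 1001 that NBNS packets carry on the wire; the suffix table and the sample host name are my own assumptions.

```python
# Added example (not from the original post): layout and wire encoding of the
# 16-byte NetBIOS name, so that nbtstat output and NBNS packets can be read by hand.

# Common suffix (16th byte) values and the service they denote (table from RFC 1001/1002 usage).
SUFFIXES = {
    0x00: "Workstation Service",
    0x03: "Messenger Service",
    0x1B: "Domain Master Browser",
    0x1C: "Domain Controllers",
    0x1D: "Master Browser",
    0x1E: "Browser Service Elections",
    0x20: "File Server Service",
}

def build_netbios_name(name: str, suffix: int) -> bytes:
    """Pad the name to 15 characters and append the 1-byte suffix (16 bytes total)."""
    if len(name) > 15:
        raise ValueError("NetBIOS names are at most 15 characters")
    if not 0 <= suffix <= 0xFF:
        raise ValueError("suffix must be a single byte")
    return name.upper().ljust(15).encode("ascii") + bytes([suffix])

def encode_first_level(raw16: bytes) -> str:
    """RFC 1001 first-level encoding: each nibble of each byte becomes a letter 'A'..'P'."""
    if len(raw16) != 16:
        raise ValueError("expected exactly 16 bytes")
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in raw16)

def decode_first_level(encoded: str) -> tuple:
    """Reverse the encoding; returns (name without padding, suffix byte)."""
    if len(encoded) != 32 or any(c not in "ABCDEFGHIJKLMNOP" for c in encoded):
        raise ValueError("expected 32 characters in the range A-P")
    raw = bytes(((ord(encoded[i]) - 0x41) << 4) | (ord(encoded[i + 1]) - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15]

def describe(encoded: str) -> str:
    """Human-readable form of an encoded name, e.g. 'FILESRV01' <20> File Server Service."""
    name, suffix = decode_first_level(encoded)
    return f"{name!r} <{suffix:02X}> {SUFFIXES.get(suffix, 'unknown')}"

if __name__ == "__main__":
    # Constructed sample: a host named FILESRV01 registering its file server service.
    wire = encode_first_level(build_netbios_name("FILESRV01", 0x20))
    print(wire, "->", describe(wire))
    # The wildcard name "*" followed by 15 NUL bytes is what a node-status query carries.
    print(encode_first_level(b"*" + b"\x00" * 15))
```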

2. Enumerating User Accounts

This can be done easily if you can connect to the target device. You just need PsTools, a collection of tools developed by Microsoft that can provide a lot of information about a device. You can download the tools from here. Just unzip them and try executing them from the command prompt on your computer; similarly, an attacker could carry the tools on a pen drive and run them on the target device after borrowing it from the victim for some time. PsTools contains a set of small utility applications that help in gathering various information about the device. Some of these are:

  • PsGetSid: Displays the SID of a user
  • PsFile: Shows files opened remotely
  • PsInfo: Provides various information about the system
  • PsPasswd: Changes the password of an account
  • PsList: Provides details of the processes running on the system
  • PsKill: Kills any process by process ID
  • PsLoggedOn: Shows who is logged on locally and via resource sharing

2. SNMP Enumeration

Here the attacker tries to enumerate user accounts and devices on a target device using SNMP. SNMP holds two passwords (the read and read/write community strings) for accessing and configuring the SNMP agent from the management station. Information about hosts, routers, devices, ARP tables etc. can also be extracted by enumeration.
Working of SNMP

  1. GET request [SNMP manager requests data from the SNMP agent]
  2. GET NEXT request [SNMP manager keeps retrieving the data stored in the array]
  3. GET response [SNMP agent resolves the request made by the SNMP manager]
  4. SET request [SNMP manager tries to modify a parameter within the SNMP agent's Management Information Base]
  5. Trap [SNMP agent informs the SNMP manager of a certain event]
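As an added example (not from the original post), the toy agent below shows how the GET, GET NEXT and SET operations listed above behave against a MIB, and how the two community strings gate read versus write access; the MIB contents and community string values are constructed, and the BER wire encoding is left out.

```python
# Added example (not from the original post): a toy SNMP agent with a constructed MIB,
# showing GET / GETNEXT walking / SET and the read-only vs read/write community check.

# Constructed MIB: OID tuple -> value (a few system objects and one ARP-table row).
MIB = {
    (1, 3, 6, 1, 2, 1, 1, 1, 0): "Linux router 5.10",          # sysDescr
    (1, 3, 6, 1, 2, 1, 1, 5, 0): "edge-rtr-01",                # sysName
    (1, 3, 6, 1, 2, 1, 1, 6, 0): "Server room B",              # sysLocation
    (1, 3, 6, 1, 2, 1, 4, 22, 1, 2, 3, 10, 0, 0, 5): "aa:bb:cc:00:00:05",  # ipNetToMedia row
}

class SnmpAgent:
    def __init__(self, mib, ro_community, rw_community):
        self.mib = dict(mib)
        self.ro, self.rw = ro_community, rw_community

    def _authorised(self, community, write=False):
        # Reads accept either string; SET needs the read/write string.
        return community == self.rw or (not write and community == self.ro)

    def get(self, community, oid):
        if not self._authorised(community):
            return None        # SNMPv1 agents simply drop requests with a wrong community
        return ("ok", self.mib[oid]) if oid in self.mib else ("noSuchName", None)

    def getnext(self, community, oid):
        """First (oid, value) lexicographically after `oid`, or endOfMib."""
        if not self._authorised(community):
            return None
        for candidate in sorted(self.mib):
            if candidate > oid:
                return ("ok", candidate, self.mib[candidate])
        return ("endOfMib", None, None)

    def set(self, community, oid, value):
        if not self._authorised(community, write=True):
            return None
        if oid not in self.mib:
            return "noSuchName"
        self.mib[oid] = value
        return "ok"

def walk(agent, community, base):
    """Repeated GETNEXT from `base` until the subtree is exhausted (the GET NEXT loop above)."""
    rows, oid = [], base
    while True:
        reply = agent.getnext(community, oid)
        if reply is None or reply[0] != "ok" or reply[1][:len(base)] != base:
            return rows
        _, oid, value = reply
        rows.append((oid, value))
```

A defender's check follows directly from `_authorised`: an agent whose strings are still the vendor defaults answers every manager that knows them, so changing both strings (or moving to SNMPv3) is the fix.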

SNMP enumeration tools are easily available on the internet; some of them are as follows:

  1. OpUtils
  2. Engineer’s Toolset
  3. NetScan Tools Pro
  4. SNScan
  5. SNMP Informant

3. LDAP Enumeration

The LDAP protocol is used to access distributed directory services, mainly on Windows operating systems. The client creates a connection-oriented LDAP session with a Directory System Agent. Communication between client and server uses Basic Encoding Rules. Through LDAP enumeration an attacker can get valid user names, addresses, etc.
LDAP enumeration can be done with the following tools, which are available on the internet:

  1. LDAP Admin Tool
  2. LDAP Account Manager
  3. Softerra LDAP Administrator
  4. LDAP search
  5. Active Directory Explorer

4. NTP Enumeration

Network Time Protocol is a UDP-based protocol used to synchronize the time of devices over a network. An attacker can get information about a network through NTP enumeration, such as:

  1. List of hosts connected to NTP server.
  2. IP addresses of clients in a network.
  3. Device names and OS of devices connected in a network.

There are certain commands in Linux which can help in NTP enumeration:

  1. ntptrace: Traces the chain of NTP servers.
  2. ntpdc: Monitors operation of ntpd.
  3. ntpdate: Collects a number of time samples from a number of time sources.

Syntax: The above commands can be used with various options, which you can see by just typing the command and pressing the Enter key. Your Linux machine might not have some of the NTP commands installed; you can install them using apt-get install [package].

The various tools to do NTP enumeration are:

  1. PRTG Network Monitor
  2. NTP Time Server Monitor

4. SMTP Enumeration

This protocol is used to send emails, and it does so in plain text: there is no encryption. Enumeration helps attackers obtain the list of valid users on SMTP servers. There are three built-in SMTP commands:

  1. VRFY [Validates users]
  2. EXPN [Tells the actual delivery addresses of aliases and mailing lists]
  3. RCPT TO [Defines the recipients of the message]
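The following added example (not code from the original post) is a minimal SMTP command handler that answers the three commands above in two configurations: one that discloses whether a user exists, and a hardened one that returns the same answer regardless; the user directory, alias and domain are constructed, and socket handling is omitted.

```python
# Added example (not from the original post): how VRFY / EXPN / RCPT TO answer in a
# server that leaks its user list versus one hardened to give nothing away.

# Constructed directory: two local users and one alias that expands to both.
USERS = {"alice", "bob"}
ALIASES = {"staff": ["alice@example.test", "bob@example.test"]}
DOMAIN = "example.test"

class SmtpSession:
    def __init__(self, disclose: bool):
        self.disclose = disclose   # True reproduces the leaky replies, False the hardened ones
        self.sender = None

    def handle(self, line: str) -> str:
        verb, _, arg = line.strip().partition(" ")
        verb, arg = verb.upper(), arg.strip()
        if verb == "VRFY":
            if not self.disclose:   # same reply for every name, so nothing can be inferred
                return "252 Cannot VRFY user, but will accept message and attempt delivery"
            return f"250 {arg}@{DOMAIN}" if arg in USERS else f"550 {arg}... User unknown"
        if verb == "EXPN":
            if not self.disclose:
                return "502 EXPN command not implemented"
            if arg not in ALIASES:
                return f"550 {arg}... List unknown"
            members = ALIASES[arg]   # multi-line 250 reply listing every delivery address
            return "\r\n".join(("250-" if i < len(members) - 1 else "250 ") + m
                               for i, m in enumerate(members))
        if verb == "MAIL":
            self.sender = arg.replace("FROM:", "", 1).strip("<> ")
            return "250 OK"
        if verb == "RCPT":
            # Delivery needs a real accept/reject here, so RCPT TO cannot be silenced the same
            # way; servers instead rate-limit or disconnect after repeated unknown recipients.
            if self.sender is None:
                return "503 Need MAIL command"
            user = arg.replace("TO:", "", 1).strip("<> ").split("@")[0]
            return "250 OK" if user in USERS or user in ALIASES else "550 Recipient rejected"
        return "500 Syntax error"

def vrfy_reveals_users(disclose: bool) -> bool:
    """Self-check for an operator: do VRFY replies differ for a real and a bogus user?"""
    s = SmtpSession(disclose)
    return s.handle("VRFY alice")[:3] != s.handle("VRFY nosuchuser")[:3]
```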

Following are the tools for SMTP enumeration:

  1. NetScan Tools Pro
  2. smtp-user-enum

The basic aim of enumeration is to get some extra information about the device, network or service, so it is a bit different from footprinting. Nowadays there are many different ways of doing such enumeration, so this step is not as difficult as it seems. You might find this step a bit boring, but once you start getting some extra information you will find it interesting. Again, it is just a way of extracting some extra information about the target.

This blog was all about the different types of enumeration, how it can be done, and the different tools that can be used for it. So far we have gathered as much information as possible about the target through footprinting, scanning and enumeration.
In the next blog I will start on how to get into a system by exploiting the vulnerabilities of the target system.


Visit My Website: https://cybergeeks.website/

Originally published at https://github.com.


Ansh Vaid

Security Assessment Engineer at IITK | Cyber security researcher | eJPT | eWPTXv2 | PenTest+ | CASP+