Enumeration
Welcome to the Enumeration module. This note walks you through all the methodologies that I used while preparing for the CEH (Practical) exam.
Introduction
Enumeration is the process of extracting user names, machine names, network resources, shares and services from a system. The gathered information is used to identify vulnerabilities or weak points in the system's security, which the attacker then tries to exploit in the system-gaining phase.
Enumeration belongs to the first phase of ethical hacking, i.e., "Information Gathering", but unlike passive reconnaissance it is active: the attacker establishes a connection with the target and queries its services directly, trying to discover as many attack vectors as possible for exploiting the systems further.
Enumeration can be used to gain information on:
Network shares
SNMP data, if the SNMP service is not secured properly (for example, a default community string is accepted)
IP routing tables
Usernames on different systems
Password policies
Which enumeration techniques apply depends on the services a system offers. They can be:
DNS enumeration
NTP enumeration
SNMP enumeration
Linux/Windows enumeration
SMB enumeration
NetBIOS
NetBIOS is an acronym for Network Basic Input/Output System. It provides services related to the session layer of the OSI model, allowing applications on separate computers to communicate over a local area network. Strictly speaking NetBIOS is an API rather than a networking protocol; on modern networks it is carried over TCP/IP (NetBT). There are several commands and tools to enumerate NetBIOS.
nbtstat
Displays NetBIOS over TCP/IP (NetBT) protocol statistics, NetBIOS name tables for both the local computer and remote computers, and the NetBIOS name cache.
This command also allows a refresh of the NetBIOS name cache and the names registered with Windows Internet Name Service (WINS). Used without parameters, this command displays Help information.
This command is available only if the Internet Protocol (TCP/IP) protocol is installed as a component in the properties of a network adapter in Network Connections.
To display the NetBIOS name table of a remote Windows computer, run nbtstat against its IP address (the -A switch) or its NetBIOS name (-a). Each entry in the returned table is a 15-character name plus a one-byte suffix; the suffix together with the name type (UNIQUE or GROUP) tells you which role the host has registered:

Suffix  Type    Meaning
<00>    UNIQUE  Workstation service (hostname)
<00>    GROUP   Domain or workgroup name
<03>    UNIQUE  Messenger service (registered for the computer and for the logged-on user)
<1B>    UNIQUE  Domain master browser (the PDC emulator)
<1C>    GROUP   Domain controllers (registered by every DC in the domain)
<1D>    UNIQUE  Master browser for the subnet
<20>    UNIQUE  Server service (file and printer sharing)
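As an added example (not part of the original notes), here is the node-status query that nbtstat -A, nmblookup -A and Nmap's nbstat script send to UDP/137, built and decoded by hand so the suffix table above can be applied to the reply. The reply used for the offline check is constructed, not captured from a real host; the target IP address is a command-line assumption.

```python
import socket
import struct
import sys

# Role advertised by each NetBIOS name suffix; "U" = UNIQUE name, "G" = GROUP name.
SUFFIX_ROLES = {
    (0x00, "U"): "Workstation service (hostname)",
    (0x00, "G"): "Domain or workgroup name",
    (0x03, "U"): "Messenger service",
    (0x1B, "U"): "Domain master browser",
    (0x1C, "G"): "Domain controllers",
    (0x1D, "U"): "Master browser for subnet",
    (0x1E, "G"): "Browser service elections",
    (0x20, "U"): "Server service (file sharing)",
}


def encode_netbios_name(name: bytes) -> bytes:
    """First-level encoding (RFC 1001 14.1): pad the name to 16 bytes and map
    every nibble to a letter in 'A'..'P', giving one 32-character label."""
    encoded = bytearray()
    for b in name.ljust(16, b"\x00"):
        encoded += bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)])
    return bytes([32]) + bytes(encoded) + b"\x00"


def build_node_status_request(txid: int = 0x1234) -> bytes:
    """NBSTAT query for the wildcard name '*': the same request nbtstat -A sends."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    question = encode_netbios_name(b"*") + struct.pack(">HH", 0x0021, 0x0001)
    return header + question


def parse_node_status_response(data: bytes) -> dict:
    """Decode the NBSTAT answer record: registered names, their type/role and the MAC."""
    _txid, _flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    if an < 1:
        raise ValueError("no answer record in reply")
    pos = 12
    if data[pos] & 0xC0 == 0xC0:          # compression pointer back to the question name
        pos += 2
    else:                                  # full encoded name: length byte, label, terminator
        pos += 1 + data[pos] + 1
    rtype, _rclass, _ttl, _rdlen = struct.unpack(">HHIH", data[pos:pos + 10])
    pos += 10
    if rtype != 0x0021:
        raise ValueError("answer is not an NBSTAT record")
    num_names, pos = data[pos], pos + 1
    names = []
    for _ in range(num_names):
        raw, suffix = data[pos:pos + 15], data[pos + 15]
        flags = struct.unpack(">H", data[pos + 16:pos + 18])[0]
        kind = "G" if flags & 0x8000 else "U"   # bit 15 of NAME_FLAGS marks a group name
        names.append({
            "name": raw.rstrip(b" ").decode("latin-1"),
            "suffix": suffix,
            "type": "GROUP" if kind == "G" else "UNIQUE",
            "role": SUFFIX_ROLES.get((suffix, kind), "unknown"),
        })
        pos += 18
    mac = ":".join(f"{b:02X}" for b in data[pos:pos + 6])   # statistics begin with the unit ID
    return {"names": names, "mac": mac}


def node_status(ip: str, timeout: float = 2.0) -> dict:
    """Send the query to UDP/137 and decode the reply (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_node_status_request(), (ip, 137))
        data, _ = sock.recvfrom(4096)
    return parse_node_status_response(data)


def sample_response() -> bytes:
    """Constructed reply (not captured from a real host) for offline testing."""
    header = struct.pack(">HHHHHH", 0x1234, 0x8400, 0, 1, 0, 0)
    entries = [(b"WIN-DC01", 0x00, 0x0400), (b"CORP", 0x00, 0x8400),
               (b"CORP", 0x1C, 0x8400), (b"WIN-DC01", 0x20, 0x0400),
               (b"CORP", 0x1B, 0x0400)]
    rdata = bytes([len(entries)])
    for name, suffix, flags in entries:
        rdata += name.ljust(15, b" ") + bytes([suffix]) + struct.pack(">H", flags)
    rdata += bytes.fromhex("005056AABBCC") + b"\x00" * 40   # unit ID (MAC) + padding
    answer = encode_netbios_name(b"*") + struct.pack(">HHIH", 0x0021, 0x0001, 0, len(rdata))
    return header + answer + rdata


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    result = node_status(target) if target else parse_node_status_response(sample_response())
    for entry in result["names"]:
        print(f'{entry["name"]:<16}<{entry["suffix"]:02X}>  {entry["type"]:<7} {entry["role"]}')
    print("MAC address =", result["mac"])
```

Run it with a target IP to query a live host, or without arguments to decode the constructed reply. A host that answers with a <1C> GROUP entry is a domain controller; a <20> entry means the Server service (file sharing) is up, which is the cue to move on to SMB enumeration.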
NETBIOS Enumerator
NetBIOS Enumerator is a GUI-based Windows tool used to enumerate information about remote Windows machines.
Pass it the IP range to scan and start the scan; for every host that answers it lists the host names, domain or workgroup, user names and MAC address found in that host's NetBIOS name table.
Nmap
UDP port 137 is used by the NetBIOS Name Service.
TCP port 139 is used by SMB dialects that communicate over the NetBIOS session service (UDP port 138 carries the NetBIOS datagram service).
SNMP
Simple Network Management Protocol (SNMP) is a networking protocol used for the management and monitoring of network-connected devices in Internet Protocol networks. It is an application layer protocol in the OSI model framework. Typically, the SNMP protocol is implemented using the User Datagram Protocol (UDP).
SNMP agents listen on UDP port 161; managers receive traps on UDP port 162.
snmp-check
snmp-check is a command-line tool that enumerates a device over SNMP using a given community string (public by default).
If the device accepts that community string, snmp-check dumps what the agent exposes: system description and contact, network interfaces and addresses, routing table, listening ports, running processes, installed software, storage and user accounts, depending on which MIBs the device implements. An accepted default community string is the misconfiguration this tool is looking for.
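The check that snmp-check's first step amounts to, written out as an added example (not from the original notes or from the snmp-check project): an SNMPv1 GetRequest for sysDescr.0 is BER-encoded by hand, sent to UDP/161, and the GetResponse decoded; an agent that is given a wrong community string simply does not answer, so a timeout is the "not accepted" signal. The candidate community strings and the response used offline are assumptions constructed for the example.

```python
import socket
import struct


def ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(n: int) -> bytes:
    """INTEGER in the shortest two's-complement form."""
    size = 1
    while not -(1 << (8 * size - 1)) <= n < (1 << (8 * size - 1)):
        size += 1
    return tlv(0x02, n.to_bytes(size, "big", signed=True))


def ber_oid(oid: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def decode_oid(raw: bytes) -> str:
    arcs, n = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))


def read_tlv(data: bytes, pos: int = 0):
    """Return (tag, value, position after the element)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        count = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + count], "big"), pos + count
    return tag, data[pos:pos + length], pos + length


def build_get_request(community: str, oid: str, request_id: int = 1) -> bytes:
    """SNMPv1 GetRequest for one OID: the packet snmpget and snmp-check start with."""
    varbind = tlv(0x30, ber_oid(oid) + b"\x05\x00")                       # OID + NULL value
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode()) + pdu)   # version 0 = SNMPv1


def parse_get_response(data: bytes) -> dict:
    """Pull community, error-status and the first varbind out of a GetResponse."""
    _, msg, _ = read_tlv(data)
    _, _version, pos = read_tlv(msg)
    _, community, pos = read_tlv(msg, pos)
    tag, pdu, _ = read_tlv(msg, pos)
    if tag != 0xA2:
        raise ValueError("not a GetResponse PDU")
    _, _rid, pos = read_tlv(pdu)
    _, err, pos = read_tlv(pdu, pos)
    _, _idx, pos = read_tlv(pdu, pos)
    _, varbinds, _ = read_tlv(pdu, pos)
    _, vb, _ = read_tlv(varbinds)
    _, oid, pos = read_tlv(vb)
    vtag, value, _ = read_tlv(vb, pos)
    if vtag == 0x04:                                    # OCTET STRING
        decoded = value.decode("utf-8", "replace")
    elif vtag in (0x02, 0x41, 0x42, 0x43):              # INTEGER, Counter32, Gauge32, TimeTicks
        decoded = int.from_bytes(value, "big", signed=vtag == 0x02)
    else:                                               # noSuchObject and friends: keep raw
        decoded = value.hex()
    return {"community": community.decode(), "error_status": int.from_bytes(err, "big", signed=True),
            "oid": decode_oid(oid), "value": decoded}


def snmp_get(ip: str, community: str, oid: str = "1.3.6.1.2.1.1.1.0", timeout: float = 2.0):
    """Query one OID; returns None on timeout, which is how agents answer a wrong community."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_get_request(community, oid), (ip, 161))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_get_response(data)


def find_communities(ip: str, candidates=("public", "private", "manager", "community")) -> list:
    """Report which candidate community strings the agent accepts for sysDescr.0."""
    return [c for c in candidates if snmp_get(ip, c) is not None]


def sample_get_response() -> bytes:
    """Constructed GetResponse (not captured from a real device) for offline testing."""
    varbind = tlv(0x30, ber_oid("1.3.6.1.2.1.1.1.0") + tlv(0x04, b"Linux router 5.10.0 #1 SMP x86_64"))
    pdu = tlv(0xA2, ber_int(1) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(0) + tlv(0x04, b"public") + pdu)
```

Against a live agent, find_communities("10.0.0.5") returns the strings it accepted; any hit with a default name is what snmp-check is then pointed at with -c. Note that SNMPv1 and v2c carry the community string in clear text, so the same packet sniffed on the wire hands the string to anyone on the path.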
SoftPerfect Network Scanner
SoftPerfect Network Scanner is a GUI-based Windows tool that can query SNMP alongside its other checks.
Steps to initialise:
Click the Options menu → Remote SNMP → Mark All/None to select the SNMP items to collect.
Enter the IPv4 range in the input field and start scanning.
LDAP
LDAP (Lightweight Directory Access Protocol) is an open, cross-platform protocol for querying and modifying directory services, which are also used for authentication. Directory services store users, credentials, groups and computer accounts, and share that information with other entities on the network.
Lightweight Directory Access Protocol (LDAP) lives on TCP port 389.
LDAP over TLS (LDAPS) lives on TCP port 636. On Active Directory domain controllers the Global Catalog is additionally exposed on ports 3268 (LDAP) and 3269 (LDAPS).
AD Explorer
AD Explorer is a Sysinternals tool for browsing an Active Directory domain over LDAP. Use it to pull the directory data when you hold an account that can bind to the domain, or when the LDAP service is misconfigured to allow anonymous binds.
Active Directory Explorer (AD Explorer) is an advanced Active Directory (AD) viewer and editor. You can use AD Explorer to easily navigate an AD database, define favorite locations, view object properties and attributes without having to open dialog boxes, edit permissions, view an object's schema, and execute sophisticated searches that you can save and re-execute.
NFS
The Network File System (NFS) is a mechanism for storing files on a network. It is a distributed file system that allows users to access files and directories located on remote computers and treat those files and directories as if they were local.
Network File System (NFS) runs on TCP/UDP port 2049; the mount daemon (mountd) that serves the export list is located through the RPC portmapper on port 111.
Nmap Script
SuperEnum
SuperEnum is a Linux-based script.
Steps:
Create a file named Target.txt and add the target IP address to it.
Run the script; it reads the targets from that file and enumerates the services it finds on them.
RPC Scan
RPC Scan is a Linux-based tool that communicates with RPC services and checks for misconfigurations on NFS shares.
DNS
DNS, or the Domain Name System, translates human-readable domain names (for example, www.google.com) to machine-readable IP addresses (for example, 142.251.42.68).
A few example tools for DNS enumeration are:
dig
nslookup
dnsrecon
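As an added example (not from the original notes) of what dig, nslookup and dnsrecon do under the hood: build a DNS query, decode a response including compressed names, and attempt a full zone transfer (AXFR) over TCP, which is the misconfiguration dnsrecon checks first. The response decoded offline is constructed; the zone and name-server address given on the command line are assumptions.

```python
import socket
import struct
import sys

TYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 15: "MX", 16: "TXT", 252: "AXFR"}
TYPE_IDS = {name: num for num, name in TYPES.items()}


def encode_name(name: str) -> bytes:
    """Wire-format name: length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"


def build_query(name: str, qtype: str, txid: int = 0x1337) -> bytes:
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags: RD set
    return header + encode_name(name) + struct.pack(">HH", TYPE_IDS[qtype], 1)


def read_name(data: bytes, pos: int):
    """Decode a possibly compressed name; returns (name, position after it)."""
    labels, end = [], None
    while True:
        length = data[pos]
        if length & 0xC0 == 0xC0:                 # pointer to an earlier occurrence
            if end is None:
                end = pos + 2
            pos = struct.unpack(">H", data[pos:pos + 2])[0] & 0x3FFF
            continue
        pos += 1
        if length == 0:
            break
        labels.append(data[pos:pos + length].decode())
        pos += length
    return ".".join(labels), pos if end is None else end


def read_rdata(data: bytes, pos: int, rtype: int, rdlen: int) -> str:
    if rtype == 1:
        return socket.inet_ntoa(data[pos:pos + 4])
    if rtype in (2, 5):
        return read_name(data, pos)[0]
    if rtype == 15:
        return f"{struct.unpack('>H', data[pos:pos + 2])[0]} {read_name(data, pos + 2)[0]}"
    if rtype == 16:                               # one or more length-prefixed strings
        txt, p, parts = data[pos:pos + rdlen], 0, []
        while p < rdlen:
            parts.append(txt[p + 1:p + 1 + txt[p]].decode())
            p += 1 + txt[p]
        return " ".join(parts)
    if rtype == 6:
        mname, p = read_name(data, pos)
        rname, p = read_name(data, p)
        return f"{mname} {rname} serial={struct.unpack('>I', data[p:p + 4])[0]}"
    return data[pos:pos + rdlen].hex()


def parse_response(data: bytes) -> dict:
    _txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", data[:12])
    pos = 12
    for _ in range(qd):
        _name, pos = read_name(data, pos)
        pos += 4                                  # skip QTYPE and QCLASS
    records = []
    for _ in range(an + ns + ar):
        name, pos = read_name(data, pos)
        rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", data[pos:pos + 10])
        pos += 10
        records.append((name, TYPES.get(rtype, str(rtype)), ttl, read_rdata(data, pos, rtype, rdlen)))
        pos += rdlen
    return {"rcode": flags & 0x000F, "records": records}


def axfr(zone: str, nameserver: str, timeout: float = 5.0) -> dict:
    """Request a full zone transfer over TCP (dig axfr); rcode 5 (REFUSED) means it is locked down."""
    query = build_query(zone, "AXFR")
    records, buf = [], b""
    with socket.create_connection((nameserver, 53), timeout=timeout) as sock:
        sock.sendall(struct.pack(">H", len(query)) + query)   # TCP messages carry a length prefix
        while True:
            chunk = sock.recv(65535)
            if not chunk:
                break
            buf += chunk
            while len(buf) >= 2 and len(buf) >= 2 + struct.unpack(">H", buf[:2])[0]:
                length = struct.unpack(">H", buf[:2])[0]
                reply, buf = parse_response(buf[2:2 + length]), buf[2 + length:]
                if reply["rcode"] != 0:
                    return reply
                records += reply["records"]
                if sum(1 for r in records if r[1] == "SOA") == 2:   # closing SOA ends the transfer
                    return {"rcode": 0, "records": records}
    return {"rcode": 0, "records": records}


def sample_response() -> bytes:
    """Constructed reply to 'example.com NS' using compression pointers (not a real capture)."""
    header = struct.pack(">HHHHHH", 0x1337, 0x8180, 1, 3, 0, 0)
    question = encode_name("example.com") + struct.pack(">HH", 2, 1)
    ptr = b"\xc0\x0c"                              # pointer to the name in the question
    ns = ptr + struct.pack(">HHIH", 2, 1, 3600, 6) + b"\x03ns1" + ptr
    mx = ptr + struct.pack(">HHIH", 15, 1, 3600, 9) + struct.pack(">H", 10) + b"\x04mail" + ptr
    txt = ptr + struct.pack(">HHIH", 16, 1, 300, 12) + b"\x0bv=spf1 -all"
    return header + question + ns + mx + txt


if __name__ == "__main__":
    result = axfr(sys.argv[1], sys.argv[2]) if len(sys.argv) > 2 else parse_response(sample_response())
    for name, rtype, ttl, rdata in result["records"]:
        print(f"{name:<30}{ttl:>8} {rtype:<6}{rdata}")
```

Run it as axfr.py example.com ns1.example.com to try the transfer against one authoritative server (each NS must be tested separately, since a zone is often locked down on some servers and open on others); with no arguments it decodes the constructed reply.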
RPC
In distributed computing, a remote procedure call is when a computer program causes a procedure to execute in a different address space, which is coded as if it were a normal procedure call, without the programmer explicitly coding the details for the remote interaction.
The RPC portmapper (rpcbind) lives on TCP/UDP port 111. Querying it (for example with rpcinfo -p) reveals which RPC programs, such as NFS and mountd, a host offers and on which ports they listen.
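An added example serving both the NFS and RPC sections (not from the original notes or from the RPC Scan project): the two SUN-RPC calls behind showmount -e, namely a portmapper GETPORT query on port 111 to locate mountd, followed by a MOUNT version 3 EXPORT call whose XDR reply is decoded into export paths and the clients allowed to mount them. An export with an empty client list is mountable by anyone, which is the NFS misconfiguration the tools above look for. The export list decoded offline is constructed; the target IP is a command-line assumption.

```python
import os
import socket
import struct
import sys

PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT = 100000, 2, 3
MOUNT_PROG, MOUNT_VERS, MOUNTPROC_EXPORT = 100005, 3, 5
IPPROTO_UDP = 17


def xdr_string(value: bytes) -> bytes:
    """XDR opaque/string: 4-byte length, data, zero padding to a 4-byte boundary."""
    return struct.pack(">I", len(value)) + value + b"\x00" * (-len(value) % 4)


def read_xdr_string(data: bytes, pos: int):
    (length,) = struct.unpack(">I", data[pos:pos + 4])
    pos += 4
    return data[pos:pos + length], pos + length + (-length % 4)


def rpc_call(xid: int, prog: int, vers: int, proc: int, args: bytes = b"") -> bytes:
    """RPC v2 CALL header (RFC 5531) with AUTH_NULL credentials and verifier."""
    return struct.pack(">IIIIIIIIII", xid, 0, 2, prog, vers, proc, 0, 0, 0, 0) + args


def parse_rpc_reply(data: bytes, xid: int) -> bytes:
    """Validate an accepted, successful REPLY and return the result bytes."""
    rxid, msg_type, reply_stat = struct.unpack(">III", data[:12])
    if rxid != xid or msg_type != 1 or reply_stat != 0:
        raise ValueError("not a matching MSG_ACCEPTED reply")
    _flavor, verf_len = struct.unpack(">II", data[12:20])
    pos = 20 + verf_len + (-verf_len % 4)
    (accept_stat,) = struct.unpack(">I", data[pos:pos + 4])
    if accept_stat != 0:                          # 1 = PROG_UNAVAIL, 2 = PROG_MISMATCH, ...
        raise ValueError(f"call rejected, accept_stat={accept_stat}")
    return data[pos + 4:]


def parse_exports(body: bytes) -> list:
    """Decode MOUNTPROC3_EXPORT results into [(path, [allowed clients]), ...]."""
    exports, pos = [], 0
    while struct.unpack(">I", body[pos:pos + 4])[0] == 1:       # value_follows
        pos += 4
        path, pos = read_xdr_string(body, pos)
        groups = []
        while struct.unpack(">I", body[pos:pos + 4])[0] == 1:
            pos += 4
            group, pos = read_xdr_string(body, pos)
            groups.append(group.decode())
        pos += 4                                                # end of the group list
        exports.append((path.decode(), groups))
    return exports


def world_mountable(exports: list) -> list:
    """Paths exported with no client restriction (shown as '(everyone)' by showmount)."""
    return [path for path, groups in exports if not groups]


def showmount(ip: str, timeout: float = 3.0) -> list:
    """GETPORT for mountd via the portmapper, then EXPORT against mountd (needs network access)."""
    xid = int.from_bytes(os.urandom(4), "big") & 0x7FFFFFFF
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        args = struct.pack(">IIII", MOUNT_PROG, MOUNT_VERS, IPPROTO_UDP, 0)
        sock.sendto(rpc_call(xid, PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT, args), (ip, 111))
        data, _ = sock.recvfrom(4096)
        (mountd_port,) = struct.unpack(">I", parse_rpc_reply(data, xid)[:4])
        if mountd_port == 0:
            raise RuntimeError("mountd v3 is not registered with the portmapper")
        sock.sendto(rpc_call(xid + 1, MOUNT_PROG, MOUNT_VERS, MOUNTPROC_EXPORT), (ip, mountd_port))
        data, _ = sock.recvfrom(65535)
    return parse_exports(parse_rpc_reply(data, xid + 1))


def sample_export_reply(xid: int = 7) -> bytes:
    """Constructed EXPORT reply (not a real capture): one restricted and one open export."""
    def entry(path: bytes, groups) -> bytes:
        out = struct.pack(">I", 1) + xdr_string(path)
        for group in groups:
            out += struct.pack(">I", 1) + xdr_string(group)
        return out + struct.pack(">I", 0)
    header = struct.pack(">IIIIII", xid, 1, 0, 0, 0, 0)   # xid, REPLY, MSG_ACCEPTED, AUTH_NULL verf, SUCCESS
    return header + entry(b"/srv/backup", [b"10.0.0.0/24"]) + entry(b"/home", []) + struct.pack(">I", 0)


if __name__ == "__main__":
    exports = showmount(sys.argv[1]) if len(sys.argv) > 1 else parse_exports(parse_rpc_reply(sample_export_reply(), 7))
    for path, groups in exports:
        print(f"{path:<24}{','.join(groups) or '(everyone)'}")
```

The same portmapper GETPORT call with a different program number is how rpcinfo finds any other RPC service; mountd is just the one that matters for NFS.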
SMB
In computer networking, Server Message Block, one version of which was also known as Common Internet File System, is a communication protocol for providing shared access to files and printers between nodes on a network. It also provides an authenticated inter-process communication mechanism.
Server Message Block (SMB) lives on TCP port 139 (over NetBIOS) and TCP port 445 (directly over TCP).
Nmap Scripts
SMBMap
SMBMap allows users to enumerate samba share drives across an entire domain. List share drives, drive permissions, share contents, upload/download functionality, file name auto-download pattern matching, and even execute remote commands. This tool was designed with pen testing in mind, and is intended to simplify searching for potentially sensitive data across large networks.
SMBClient
smbclient is a client that can 'talk' to an SMB/CIFS server. Operations include things like getting files from the server to the local machine, putting files from the local machine to the server, retrieving directory information from the server and so on.
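An added example (not from the original notes) of the check behind Nmap's smb2-security-mode script: an SMB2 NEGOTIATE request is sent to TCP/445 inside a NetBIOS session header and the reply decoded into the dialect the server chose and whether message signing is merely enabled or actually required. Dialect 3.1.1 is deliberately not offered because it needs negotiate contexts, which this example does not implement. The reply decoded offline is constructed; the target IP is a command-line assumption.

```python
import socket
import struct
import sys
import uuid

DIALECTS = {0x0202: "2.0.2", 0x0210: "2.1", 0x0300: "3.0", 0x0302: "3.0.2", 0x0311: "3.1.1"}
SIGNING_ENABLED, SIGNING_REQUIRED = 0x0001, 0x0002
SMB2_NEGOTIATE = 0x0000


def smb2_header(command: int, flags: int = 0, message_id: int = 0) -> bytes:
    """64-byte SMB2 header (MS-SMB2 2.2.1.2) for an unsigned, unauthenticated message."""
    return struct.pack("<4sHHIHHIIQIIQ16s", b"\xfeSMB", 64, 0, 0, command, 0, flags,
                       0, message_id, 0, 0, 0, b"\x00" * 16)


def netbios_session(message: bytes) -> bytes:
    """NetBIOS session service framing used by SMB over TCP/445: type 0 + 3-byte length."""
    return b"\x00" + len(message).to_bytes(3, "big") + message


def build_negotiate_request(client_guid: bytes = b"") -> bytes:
    dialects = [0x0202, 0x0210, 0x0300, 0x0302]   # 3.1.1 left out: it requires negotiate contexts
    guid = client_guid or uuid.uuid4().bytes
    body = struct.pack("<HHHHI16sQ", 36, len(dialects), SIGNING_ENABLED, 0, 0, guid, 0)
    body += struct.pack("<%dH" % len(dialects), *dialects)
    return netbios_session(smb2_header(SMB2_NEGOTIATE) + body)


def parse_negotiate_response(packet: bytes) -> dict:
    if packet[0] != 0 or len(packet) < 4 + 64 + 64:
        raise ValueError("not a NetBIOS session message carrying an SMB2 reply")
    message = packet[4:4 + int.from_bytes(packet[1:4], "big")]
    protocol, _size, _charge, status, command = struct.unpack("<4sHHIH", message[:14])
    if protocol != b"\xfeSMB" or command != SMB2_NEGOTIATE:
        raise ValueError("not an SMB2 NEGOTIATE response")
    result = {"status": status, "dialect": None, "signing_enabled": None,
              "signing_required": None, "server_guid": None}
    if status != 0:                                # e.g. STATUS_NOT_SUPPORTED: no common dialect
        return result
    (_size, security_mode, dialect, _ctx_count, server_guid, _caps, _max_transact, _max_read,
     _max_write, _system_time, _start_time, _sec_off, _sec_len, _ctx_off) = struct.unpack(
        "<HHHH16sIIIIQQHHI", message[64:128])
    result.update({
        "dialect": DIALECTS.get(dialect, hex(dialect)),
        "signing_enabled": bool(security_mode & SIGNING_ENABLED),
        "signing_required": bool(security_mode & SIGNING_REQUIRED),
        "server_guid": str(uuid.UUID(bytes_le=server_guid)),
    })
    return result


def negotiate(ip: str, port: int = 445, timeout: float = 3.0) -> dict:
    """Send the request and decode the reply (needs network access)."""
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        sock.sendall(build_negotiate_request())
        head = sock.recv(4)
        body = b""
        while len(body) < int.from_bytes(head[1:4], "big"):
            chunk = sock.recv(4096)
            if not chunk:
                break
            body += chunk
    return parse_negotiate_response(head + body)


def sample_negotiate_response() -> bytes:
    """Constructed reply (not a real capture): dialect 3.0.2, signing enabled but not required."""
    server_guid = uuid.UUID("12345678-1234-5678-1234-56789abcdef0").bytes_le
    body = struct.pack("<HHHH16sIIIIQQHHI", 65, SIGNING_ENABLED, 0x0302, 0, server_guid,
                       0x7, 8388608, 8388608, 8388608, 0, 0, 128, 0, 0)
    return netbios_session(smb2_header(SMB2_NEGOTIATE, flags=0x1) + body)   # flag 1 = SERVER_TO_REDIR


if __name__ == "__main__":
    info = negotiate(sys.argv[1]) if len(sys.argv) > 1 else parse_negotiate_response(sample_negotiate_response())
    verdict = "signing required" if info["signing_required"] else "signing NOT required"
    print(f"status=0x{info['status']:08x} dialect={info['dialect']} {verdict} guid={info['server_guid']}")
```

Signing "enabled but not required" is the default on Windows member servers and workstations; only domain controllers require it by default. The server GUID is also worth recording, since it stays the same across interfaces and can tie together hosts that answer on several addresses.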
My suggestion is to use Nmap first to discover the SMB, RPC and FTP services on the target, then point the protocol-specific tools above at the ports it reports open.
Global Network Inventory
Global Network Inventory is a powerful and flexible software and hardware inventory system that can be used as an audit scanner in an agent-free and zero deployment environment. Global Network Inventory can audit remote computers and even network appliances, including switches, network printers, document centers, etc.
This is a GUI-based Windows tool that enumerates a great deal of information about each host and displays it.
If you have been through all the other tools and still have no clue about the target, go with this one.
Enum4Linux
Enum4linux is a Linux enumeration tool (a Perl wrapper around the Samba utilities smbclient, rpcclient, net and nmblookup) for extracting data from Windows and Samba (SMB) hosts, typically over a null session. Enum4linux can discover the following: the operating system of a remote target, the domain or workgroup, user and group lists (including RID cycling), share lists, and the password policy.