In the previous modules, you learned about footprinting and scanning networks. The next phase is enumeration.
This module starts with an introduction to enumeration concepts. It then provides an insight into different techniques for NetBIOS, SNMP, LDAP, NTP, SMTP, DNS, IPsec, VoIP, RPC, and Linux/Unix enumeration. Later, the module discusses enumeration countermeasures. The module ends with an overview of the pen testing steps that an ethical hacker should follow to perform a security assessment of a target.
At the end of this module, you will be able to:
■ Describe the enumeration concepts
■ Explain different techniques for NetBIOS enumeration
■ Explain different techniques for SNMP enumeration
■ Explain different techniques for LDAP enumeration
■ Explain different techniques for NTP enumeration
■ Explain different techniques for SMTP and DNS enumeration
■ Explain other enumerations such as IPsec, VoIP, RPC, and Linux/Unix enumeration
■ Apply enumeration countermeasures
■ Perform enumeration penetration testing
Enumeration Concepts
Each section of this module deals with different services and ports to enumerate. Before beginning with the actual enumeration process, we will discuss enumeration concepts.
What is Enumeration?
Enumeration is the process of extracting user names, machine names, network resources, shares, and services from a system or network. In the enumeration phase, the attacker creates active connections to the target system and performs directed queries to gain more information about it. Attackers use the information collected through enumeration to identify vulnerabilities or weak points in the system's security, which helps them exploit the target system. It also allows attackers to perform password attacks to gain unauthorized access to information system resources. Enumeration techniques typically work in an intranet environment, since the services involved are rarely exposed to the Internet.
Enumeration allows you to collect the following information:
■ Network resources
■ Network shares
■ Routing tables
■ Audit and service settings
■ SNMP and FQDN details
■ Machine names
■ Users and groups
■ Applications and banners
During enumeration, attackers may stumble upon a remote IPC share, such as IPC$ on Windows, which they can probe further through a null session to collect information about other shares and system accounts.
The previous modules highlighted how attackers gather necessary information about a target without really getting on the wrong side of the legal barrier. However, enumeration activities may be illegal depending on the organization's policies and any laws that are in effect. As an ethical hacker or pen tester, you should always acquire proper authorization before performing enumeration.
Techniques for Enumeration
Techniques for extracting information about a target include:
■ Extract user names using email IDs
Every email address contains two parts: the user name and the domain name. The structure of an email address is username@domainname. Consider abc@gmail.com; in this address, "abc" (the string of characters preceding the '@' symbol) is the user name and "gmail.com" (the string of characters following the '@' symbol) is the domain name. Because many organizations derive login names from the same convention, harvested email addresses give an attacker a ready list of candidate user names.
■ Extract information using default passwords
Many online resources provide a list of default passwords assigned by manufacturers to their products. Users often neglect to change the default usernames and passwords provided by the manufacturer or developer of a product. This eases the task of an attacker in enumerating and exploiting the target system.
■ Brute force Active Directory
Microsoft Active Directory is susceptible to username enumeration at the time it verifies user-supplied input. This is a design error in the Microsoft Active Directory implementation. If the "logon hours" feature is enabled, authentication attempts for valid and invalid user names result in different error messages. Attackers take advantage of this difference to enumerate valid user names. An attacker who succeeds in extracting valid user names can then conduct a brute-force attack to crack the respective passwords.
■ Extract information using DNS Zone Transfer
A network administrator can use a DNS zone transfer to replicate Domain Name System (DNS) data across a number of DNS servers, or to back up DNS files. To do so, the administrator sends a zone transfer (AXFR) request to the name server. If the name server permits the transfer, it returns every record in the zone, that is, all the DNS names and IP addresses hosted by that server, in plain text.
If network administrators have not restricted which hosts may request a transfer, a DNS zone transfer is an effective method of obtaining information about the organization's network. This information may include a list of all named hosts, sub-zones, and related IP addresses. A user can perform a DNS zone transfer using nslookup (or dig).
■ Extract user groups from Windows
To extract user groups from Windows, the attacker needs a valid user account in the Active Directory domain. The attacker can then extract information about the groups of which that user is a member, using either the Windows interface or the command line.
■ Extract user names using SNMP
Attackers can easily guess the read-only or read-write community strings and then use the SNMP API to extract user names.
Services and Ports to Enumerate
Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) manage data communications between terminals in a network.
TCP is a connection-oriented protocol. It is capable of carrying messages or email over the Internet. It provides a reliable multi-process communication service in a multi-network environment. The features and functions of TCP include:
■ Supports acknowledgement for receiving data through sliding window acknowledgement system
■ Provides automatic retransmission of lost or unacknowledged data
■ Provides addressing and multiplexing data
■ Capability to establish, manage, and terminate the connection
■ Offers quality of service transmission
■ Provides congestion management and flow control
UDP is a connectionless protocol that provides an unreliable, best-effort service. It carries short messages over a computer network.
Applications include:
■ Streaming audio
■ Video and Teleconferencing
Services and TCP/UDP ports to enumerate might include:
■ TCP/UDP 53: DNS Zone Transfer
The DNS resolution process establishes communication between DNS clients and DNS servers. DNS clients send DNS messages to DNS servers listening on UDP port 53. If the DNS message size exceeds the default UDP limit (512 octets), the response contains only as much data as UDP can accommodate, and the DNS server sets a flag to indicate a truncated response. The DNS client then resends the request via TCP on port 53. In this approach, the DNS server uses UDP as the default transport and falls back to TCP for lengthy queries where UDP fails. Some malware, such as the ADM worm and the Bonk Trojan, uses port 53 to exploit vulnerabilities within DNS servers, which can help intruders launch attacks.
■ TCP/UDP 135: Microsoft RPC Endpoint Mapper
Source: https://technet.microsoft.com
RPC is a protocol used by a client system to request a service from a server. An endpoint is the protocol port on which the server listens for clients' remote procedure calls. The RPC endpoint mapper enables RPC clients to determine the port number currently assigned to a specific RPC service. There is a flaw in the part of RPC that exchanges messages over TCP/IP; the failure results from the incorrect handling of malformed messages. This affects the RPC endpoint mapper, which listens on TCP/IP port 135. The vulnerability could allow an attacker to send RPC messages to the RPC endpoint mapper process on a server in order to launch a denial-of-service (DoS) attack.
■ UDP 137: NetBIOS Name Service (NBNS)
NBNS, whose Microsoft implementation is the Windows Internet Name Service (WINS), provides a name resolution service for computers running NetBIOS. NetBIOS name servers maintain a database of NetBIOS names for hosts and the corresponding IP address each host is using. The job of NBNS is to match IP addresses with NetBIOS names in queries. Attackers usually attack the name service first.
Typically, NBNS uses UDP 137 as its transport. It can also use TCP 137 for a few operations, though this rarely happens in practice.
■ TCP 139: NetBIOS Session Service (SMB over NetBIOS)
This is perhaps the most well-known Windows port. It is used to transfer files over a network. Systems use this port both for null session establishment and for file and printer sharing. A system administrator considering restricting access to ports on a Windows system should make TCP 139 a top priority. An improperly configured TCP 139 port can allow an intruder to gain unauthorized access to critical system files or the complete file system, resulting in data theft or other malicious activities.
■ TCP/UDP 445: SMB over TCP (Direct Host)
Windows supports file and printer sharing traffic using the Server Message Block (SMB) protocol directly hosted on TCP. In earlier OSs, SMB traffic required the NetBIOS over TCP
■ TCP/UDP 162: SNMP Trap
Simple Network Management Protocol (SNMP) traps are sent from an agent to the manager on port 162 (registered for both TCP and UDP, though UDP is what is used in practice). A trap carries notifications such as the sysUpTime value and optional variable bindings describing the event.
■ UDP 500: ISAKMP/Internet Key Exchange (IKE)
Internet Security Association and Key Management Protocol (ISAKMP) / Internet Key Exchange (IKE) is the protocol used to set up a security association (SA) in the IPsec protocol suite. It uses UDP port 500 to establish, negotiate, modify and delete Security Associations (SA) and cryptographic keys in a VPN environment.
■ TCP/UDP 5060, 5061: Session Initiation Protocol (SIP)
Session Initiation Protocol (SIP) is a signaling protocol used by Internet telephony applications for voice and video calls. It typically uses TCP/UDP port 5060 (unencrypted signaling) or port 5061 (signaling encrypted with TLS) to reach SIP servers and other endpoints.
NetBIOS Enumeration
So far, we have discussed enumeration concepts and resources that provide valuable information. To enumerate the target network, consider NetBIOS first, as it extracts a lot of sensitive information about the target such as users, network shares, etc. This section describes NetBIOS enumeration, the information obtained, and various NetBIOS enumeration tools.
The first step in enumerating a Windows system is to take advantage of the NetBIOS API. NetBIOS stands for Network Basic Input Output System. It was originally an Application Programming Interface (API) for client software to access LAN resources. Windows uses NetBIOS for file and printer sharing. The NetBIOS name is a unique computer name assigned to Windows systems and is a 16 character ASCII string used to identify the network devices over TCP/IP; 15 characters are used for the device name and the 16th is reserved for the service or name record type. NetBIOS uses UDP port 137 (name services), UDP port 138 (datagram services), and TCP port 139 (session services). Attackers usually target the NetBIOS service, as it is easy to exploit and runs on Windows systems even when not in use.
Attackers use the NetBIOS enumeration to obtain:
■ List of computers that belong to a domain
■ List of shares on the individual hosts in the network
■ Policies and passwords
An attacker who finds a Windows host with port 139 open can check which resources can be accessed or viewed on the remote system. However, to enumerate NetBIOS names, the remote system must have file and printer sharing enabled. NetBIOS enumeration may enable an attacker to read from or write to the remote computer system, depending on the availability of shares, or to launch a DoS attack.
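The wire format behind such tools, as an added example that is not part of the original module: a Python script that builds the NetBIOS Name Service node-status (NBSTAT) query which nbtscan-style tools send to UDP port 137, using the 16-byte name encoding described above, and parses the reply into the host's registered names, their suffix types and the adapter MAC address. The host name FILESRV01, the domain CORP and the reply bytes are constructed sample data, not a capture, and the suffix table covers only a few well-known record types.

```python
"""Added example (not from the original module): build the NetBIOS node-status
(NBSTAT) request that nbtscan-style tools send to UDP/137 and parse the reply,
which lists every NetBIOS name the host has registered."""
import socket
import struct

NBSTAT_TYPE = 0x0021  # NBSTAT question/answer type; class is IN (1)

# Well-known 16th-byte suffixes (record types); anything else is shown as hex.
SUFFIXES = {
    0x00: "Workstation / Domain name",
    0x03: "Messenger service",
    0x1B: "Domain master browser",
    0x1C: "Domain controllers (group)",
    0x1D: "Master browser",
    0x20: "File server service",
}

def encode_netbios_name(name: str, suffix: int = 0x00, pad: bytes = b" ") -> bytes:
    """First-level encoding (RFC 1001 section 14.1): pad the name to 15 bytes,
    append the suffix byte, then write each byte as two nibbles offset by 'A'.
    The wildcard name '*' used for node-status queries is padded with NULs."""
    raw = name.upper().encode("ascii")[:15]
    raw = raw + pad * (15 - len(raw)) + bytes([suffix])
    encoded = bytearray()
    for b in raw:
        encoded.append(0x41 + (b >> 4))
        encoded.append(0x41 + (b & 0x0F))
    return bytes([32]) + bytes(encoded) + b"\x00"  # label length, label, root label

def build_node_status_request(txid: int = 0x1234) -> bytes:
    """NBSTAT query for '*': DNS-style header (flags 0 = query), one question."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    question = encode_netbios_name("*", pad=b"\x00") + struct.pack(">HH", NBSTAT_TYPE, 1)
    return header + question

def parse_node_status_response(data: bytes):
    """Return (names, mac): names is a list of (name, suffix, is_group) from the
    NODE_NAME array; mac is the adapter address from the statistics block."""
    _txid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    if not flags & 0x8000 or an != 1:
        raise ValueError("not a node-status response")
    pos = 12
    while data[pos] != 0:  # skip the (uncompressed) answer name
        pos += 1 + data[pos]
    pos += 1
    rtype, _rclass, _ttl, _rdlen = struct.unpack(">HHIH", data[pos:pos + 10])
    pos += 10
    if rtype != NBSTAT_TYPE:
        raise ValueError("answer is not NBSTAT")
    num_names = data[pos]
    pos += 1
    names = []
    for _ in range(num_names):
        entry = data[pos:pos + 18]  # 15-byte name, suffix byte, 2-byte NAME_FLAGS
        pos += 18
        name = entry[:15].decode("ascii", errors="replace").rstrip()
        suffix = entry[15]
        name_flags = struct.unpack(">H", entry[16:18])[0]
        names.append((name, suffix, bool(name_flags & 0x8000)))  # bit 15 = group name
    mac = ":".join(f"{b:02X}" for b in data[pos:pos + 6])
    return names, mac

def describe(names):
    """Rows in the style of nbtstat -A / nbtscan output."""
    return [(n, SUFFIXES.get(s, f"<{s:02X}>"), "GROUP" if g else "UNIQUE") for n, s, g in names]

def query_host(ip: str, timeout: float = 2.0):
    """Send the request to a live host on UDP/137 (not used by the offline demo)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_node_status_request(), (ip, 137))
        data, _ = sock.recvfrom(1024)
    return parse_node_status_response(data)

def sample_response(txid: int = 0x1234) -> bytes:
    """Constructed reply (sample data, not a capture) from a hypothetical file
    server FILESRV01 that is a member of the domain CORP."""
    entries = [(b"FILESRV01", 0x00, 0x0400), (b"FILESRV01", 0x20, 0x0400),
               (b"CORP", 0x00, 0x8400), (b"CORP", 0x1C, 0xC400)]
    rdata = bytes([len(entries)])
    for name, suffix, name_flags in entries:
        rdata += name.ljust(15) + bytes([suffix]) + struct.pack(">H", name_flags)
    rdata += bytes.fromhex("005056AB12CD") + b"\x00" * 40  # MAC, then zeroed statistics
    header = struct.pack(">HHHHHH", txid, 0x8400, 0, 1, 0, 0)  # response, authoritative
    answer = encode_netbios_name("*", pad=b"\x00") + struct.pack(">HHIH", NBSTAT_TYPE, 1, 0, len(rdata))
    return header + answer + rdata

if __name__ == "__main__":
    found, mac = parse_node_status_response(sample_response())
    print("MAC", mac)
    for row in describe(found):
        print("%-16s %-28s %s" % row)
```

The <20> suffix on FILESRV01 is what tells an attacker the host is offering file shares, and the <1C> group entry reveals the domain's controllers; `query_host("10.0.0.5")` runs the same query against a real host.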
NetBIOS Enumeration Tools
NetBIOS enumeration tools explore and scan the network within a given range of IP addresses and a list of computers to identify security loopholes or flaws present in networked systems. These tools also enumerate the OS, users, groups, SIDs, password policies, services, service packs and hotfixes, NetBIOS shares, transports, sessions, disks, and security event logs.
■ Hyena
Source: https://www.systemtools.com
Hyena manages and secures Windows operating systems. It uses a Windows Explorer style interface for all operations. It supports management of users, groups (both local and global), shares, domains, computers, services, devices, events, files, printers, print jobs, sessions, open files, disk space, user rights, messaging, exporting, job scheduling, processes, and printing. It shows shares and user logon names for Windows servers and domain controllers.
It displays a graphical representation of Microsoft Terminal Services, Microsoft Windows Network, Web Client Network, etc.
Features:
o Active Task Matching Options - Adds a Key match option to Active Task when performing Active Directory update tasks. The Key option allows any unique directory attribute to be used as a 'match' field when updating directory objects.
o Group Member Matrix - Presents all members of multiple groups in a simple grid, including direct, indirect (nested), and primary membership.
o Active Editor Improvements - The new release of Hyena includes enhancements to the Editor, including support for multi-valued attributes, account expiration date, as well as multi-selection and update capabilities.
Some of the enumeration tools are listed below:
■ Nsauditor Network Security Auditor (https://www.nsauditor.com)
■ NetScanTools Pro (https://www.netscantools.com)
■ SoftPerfect Network Scanner (https://www.softperfect.com)
■ SuperScan (https://www.mcafee.com)
■ NetBIOS Enumerator (http://nbtenum.sourceforge.net)
■ Nbtscan (http://www.unixwiz.net)
■ IP Tools (https://www.ks-soft.net)
■ MegaPing (http://www.magnetosoft.com)
Enumerating User Accounts
Source: https://docs.microsoft.com
The PsTools suite (part of Sysinternals) is a set of command-line utilities for controlling and managing remote Windows systems; several of them enumerate user accounts, sessions, and logged-on users.
Tools in the suite include:
■ PsExec
PsExec is a lightweight telnet replacement that can execute processes on other systems, complete with full interactivity for console applications, without having to manually install client software. PsExec's most powerful uses include launching interactive command prompts on remote systems and remote-enabling tools like IpConfig that otherwise cannot show information about remote systems.
■ PsFile
PsFile is a command-line utility that shows a list of files on a system that have been opened remotely, and it can close opened files either by name or by file identifier. The default behavior of PsFile is to list the files on the local system opened by remote systems. Typing a command followed by -? displays information on the syntax for the command.
■ PsGetSid
PsGetSid translates SIDs to their display names and vice versa. It works on built-in accounts, domain accounts, and local accounts. It displays the SIDs of user accounts and translates a SID into the name it represents. It works across the network to query SIDs remotely.
■ PsInfo
PsInfo is a command-line tool that gathers key information about local or remote legacy Windows NT/2000 systems, including the type of installation, kernel build, registered organization and owner, number of processors and their type, amount of physical memory, the install date of the system, and, if it is a trial version, the expiration date. By default, PsInfo shows information for the local system. Specify a remote computer name to obtain information from the remote system.
■ PsList
PsList is a command-line tool that displays process CPU and memory information or thread statistics. The Resource Kit tools pstat and pmon show different types of data but only for processes on the system on which the tools are run, whereas PsList can also query a remote system.
■ PsLoggedOn
PsLoggedOn is an applet that displays both the locally logged on users and the users logged on via resource shares, for either the local computer or a remote one. If a user name is specified instead of a computer, PsLoggedOn searches the computers in the network neighborhood and reveals whether the user is currently logged on. PsLoggedOn's definition of a locally logged on user is one that has a profile loaded into the Registry, so PsLoggedOn determines who is logged on by scanning the keys under the HKEY_USERS key. For each key that has a name or user SID (security identifier), PsLoggedOn looks up the corresponding user name and displays it. To determine who logged onto a computer via resource shares, PsLoggedOn uses the NetSessionEnum API.
■ PsLogList
The elogdump utility dumps the contents of an Event Log on a local or remote computer. PsLogList is a clone of elogdump except that PsLogList can log in to remote systems in situations where the user's security credentials would not permit access to the Event Log, and PsLogList retrieves message strings from the computer on which the event log resides. The default behavior of PsLogList is to display the contents of the System Event Log on the local computer, with visually friendly formatting of Event Log records.
■ PsPasswd
PsPasswd can change an account password on local or remote systems, enabling administrators to create batch files that run PsPasswd against the computers they manage in order to perform a mass change of the administrator password. PsPasswd uses Windows password reset APIs, so it does not send passwords over the network in the clear.
■ PsShutdown
PsShutdown can shut down or reboot a local or remote computer. It requires no manual installation of client software.
Enumerating Shared Resources Using Net View
Net View is a command-line utility that displays a list of computers or network resources. It displays a list of computers in the specified domain or workgroup, or the shared resources available on the specified computer.
Usage:
net view \\<computername>
where <computername> is the name of the specific computer whose shared resources you want to view, or
net view /domain:<workgroupname>
where <workgroupname> is the name of the domain or workgroup whose computers you want to list (net view has no /workgroup switch; /domain: is used for both).
SNMP Enumeration
This section describes SNMP enumeration, the information extracted via SNMP enumeration, and various SNMP enumeration tools used to enumerate user accounts and devices on a target system. SNMP (Simple Network Management Protocol) is an application layer protocol that runs over UDP and is used to monitor and manage routers, hubs, switches, and other devices on an IP network. SNMP agents run on network devices and on Windows and UNIX hosts.
SNMP enumeration is the process of creating a list of user accounts and devices on a target computer using SNMP. SNMP employs two types of software components for communication: the SNMP agent and the SNMP management station. The SNMP agent is located on the networked device, and the SNMP management station communicates with the agent.
Almost all network infrastructure devices, such as routers and switches, contain an SNMP agent for managing the system or device. The SNMP management station sends requests to the agent, and the agent replies. Both requests and replies refer to configuration variables (MIB objects) that the agent software exposes. The management station can also send requests to set the values of some variables. Traps let the management station know that something has happened on the agent's side, such as a reboot, an interface failure, or another abnormal event. SNMP versions 1 and 2c use two community strings, which act as passwords for accessing and configuring the agent from the management station:
■ Read community string:
o The configuration of the device or system can be viewed with this string.
o The default value is typically "public".
■ Read/write community string:
o The configuration of the device can be changed or edited with this string.
o The default value is typically "private".
When administrators leave the community strings at their default settings, attackers can use these default community strings (passwords) to view or change the configuration of the device or system. Because SNMPv1 and v2c send the community string in cleartext, it can also be captured from the wire. Attackers enumerate SNMP to extract information about network resources such as hosts, routers, devices, and shares, and network information such as ARP tables, routing tables, device-specific information, and traffic statistics.
Commonly used SNMP enumeration tools include SNMPUTIL (http://www.wtcs.org) and IP Network Browser (https://www.solarwinds.com).
Working of SNMP
SNMP uses a distributed architecture comprising SNMP managers, SNMP agents, and several related components. Commands associated with SNMP include:
■ GetRequest
Used by the SNMP manager to request information from the SNMP agent.
■ GetNextRequest
Used by the SNMP manager repeatedly to retrieve all the data stored in an array or table.
■ GetResponse
Used by the SNMP agent to satisfy a request made by the SNMP manager.
■ SetRequest
Used by the SNMP manager to modify the value of a parameter within the SNMP agents Management Information Base (MIB).
■ Trap
Used by the SNMP agent to inform the pre-configured SNMP manager of a certain event.
Given below is the communication process between the SNMP manager and the SNMP agent:
■ The SNMP manager (Host X, 10.10.2.1) uses the GetRequest command to send a request for the number of active sessions to the SNMP agent (Host Y, 10.10.2.15). To perform this step, the SNMP manager uses SNMP service libraries such as the Microsoft SNMP Management API library (Mgmtapi.dll) or the Microsoft WinSNMP API library (Wsnmp32.dll).
■ The SNMP agent (Host Y) receives the message and verifies that the community string (Compinfo) is present in its MIB, checks the request against its list of access permissions for that community, and verifies the source IP address.
■ If the SNMP agent does not find the community string or access permission in the Host Y's MIB database and the SNMP service is set to send an authentication trap, it sends an authentication failure trap to the specified trap destination, Host Z.
■ The master agent component of the SNMP agent calls the appropriate extension agent to retrieve the requested session information from the MIB.
■ Using the session information that it retrieved from the extension agent, the SNMP service forms a return SNMP message that contains the number of active sessions and the destination IP address (10.10.2.1) of the SNMP manager, Host X.
■ Host Y sends the response to Host X.
Management Information Base (MIB)
MIB is a virtual database containing a formal description of all the network objects that SNMP manages. It is a collection of hierarchically organized information. It provides a standard representation of the SNMP agent's information and storage. MIB elements are identified by object identifiers. An Object ID (OID) is the numeric name given to an object and begins at the root of the MIB tree. The object identifier uniquely identifies the object within the MIB hierarchy.
MIB-managed objects include scalar objects, which define a single object instance, and tabular objects, which define a group of related object instances. Each object's MIB definition includes its type (such as counter, string, or address), access level (such as read or read/write), size restrictions, and range information; the OID itself is only the object's numeric name. The SNMP manager converts OID numbers into a human-readable display using the MIB as a codebook.
A user can access the contents of the MIB using a web browser either by entering the IP address and Lseries.mib or by entering the DNS library name and Lseries.mib, for example http://IP.Address/Lseries.mib or http://library_name/Lseries.mib. Microsoft provides the list of MIBs that are installed with the SNMP Service in the Windows resource kit. The major ones are:
■ DHCP.MIB: Monitors network traffic between DHCP servers and remote hosts
■ HOSTMIB.MIB: Monitors and manages host resources
■ LNMIB2.MIB: Contains object types for workstation and server services
■ WINS.MIB: For Windows Internet Name Service
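The GetRequest/GetResponse exchange described under "Working of SNMP" and the OID numbering described in the MIB section, shown on the wire as an added example that is not part of the original module: a Python script that hand-encodes an SNMPv1 GetRequest for sysDescr.0 (OID 1.3.6.1.2.1.1.1.0) with a community string, and decodes the agent's GetResponse back into OID and value. The agent reply, the community string "public" and the system description text are constructed sample data; the encoder handles only the BER forms SNMPv1 needs (short and two-byte long lengths), and the `snmp_get` helper that talks to a live agent is not exercised offline.

```python
"""Added example (not from the original module): hand-encode the SNMPv1
GetRequest a manager sends for sysDescr.0 and decode the agent's GetResponse,
so the BER structure, the OID arcs and the cleartext community string are
visible exactly as they travel over UDP/161."""
import socket
import struct

SYS_DESCR = "1.3.6.1.2.1.1.1.0"  # iso.org.dod.internet.mgmt.mib-2.system.sysDescr.0

# ASN.1/BER tags used by SNMPv1 (RFC 1157)
INTEGER, OCTET_STRING, NULL, OID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2

def ber_len(n: int) -> bytes:
    """Short form below 128, otherwise the two-byte long form."""
    return bytes([n]) if n < 0x80 else b"\x82" + struct.pack(">H", n)

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(body)) + body

def encode_int(v: int) -> bytes:
    return tlv(INTEGER, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))

def encode_oid(oid: str) -> bytes:
    """First two arcs share one byte (40*x + y); later arcs are base-128 with
    the continuation bit set on every byte except the last."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(chunk)
    return tlv(OID, bytes(out))

def build_get_request(community: str, oid: str, request_id: int = 1) -> bytes:
    """Message ::= SEQUENCE { version INTEGER (0 = v1), community OCTET STRING,
    GetRequest-PDU }. The community string is the only credential, in cleartext."""
    varbinds = tlv(SEQUENCE, tlv(SEQUENCE, encode_oid(oid) + tlv(NULL, b"")))
    pdu = tlv(GET_REQUEST, encode_int(request_id) + encode_int(0) + encode_int(0) + varbinds)
    return tlv(SEQUENCE, encode_int(0) + tlv(OCTET_STRING, community.encode()) + pdu)

def read_tlv(data: bytes, pos: int):
    """Return (tag, body, position just after the element)."""
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length

def decode_oid(body: bytes) -> str:
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def parse_get_response(packet: bytes) -> dict:
    """Unwrap the message: version, community, request-id, error-status and a
    dict of OID -> value (OCTET STRINGs decoded to str, other types raw bytes)."""
    _, msg, _ = read_tlv(packet, 0)
    _, version, pos = read_tlv(msg, 0)
    _, community, pos = read_tlv(msg, pos)
    pdu_tag, pdu, _ = read_tlv(msg, pos)
    if pdu_tag != GET_RESPONSE:
        raise ValueError("PDU is not a GetResponse")
    _, rid, pos = read_tlv(pdu, 0)
    _, err, pos = read_tlv(pdu, pos)
    _, _err_index, pos = read_tlv(pdu, pos)
    _, varbinds, _ = read_tlv(pdu, pos)
    result = {"version": version[0], "community": community.decode(),
              "request_id": int.from_bytes(rid, "big", signed=True),
              "error_status": int.from_bytes(err, "big"), "varbinds": {}}
    pos = 0
    while pos < len(varbinds):
        _, vb, pos = read_tlv(varbinds, pos)
        _, oid, vpos = read_tlv(vb, 0)
        vtag, value, _ = read_tlv(vb, vpos)
        result["varbinds"][decode_oid(oid)] = value.decode() if vtag == OCTET_STRING else value
    return result

def build_get_response(community: str, oid: str, value: bytes, request_id: int = 1) -> bytes:
    """Constructed agent reply (sample data, not a capture) for offline decoding."""
    varbinds = tlv(SEQUENCE, tlv(SEQUENCE, encode_oid(oid) + tlv(OCTET_STRING, value)))
    pdu = tlv(GET_RESPONSE, encode_int(request_id) + encode_int(0) + encode_int(0) + varbinds)
    return tlv(SEQUENCE, encode_int(0) + tlv(OCTET_STRING, community.encode()) + pdu)

def snmp_get(ip: str, community: str, oid: str = SYS_DESCR, timeout: float = 2.0) -> dict:
    """Send the request to a live agent on UDP/161 (not run by the offline demo)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_get_request(community, oid, 42), (ip, 161))
        return parse_get_response(sock.recvfrom(4096)[0])

if __name__ == "__main__":
    print(parse_get_response(build_get_response("public", SYS_DESCR, b"Linux srv1 5.15.0 x86_64", 42)))
```

Because the community string sits in the second TLV of every message as plain bytes, a packet capture on the management network recovers it directly, and guessing "public" against UDP/161 costs an attacker one small datagram per target; `snmp_get("10.0.0.1", "public")` performs that single probe.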
SNMP Enumeration Tools
SNMP enumeration tools are used to scan a single IP address or a range of IP addresses of SNMP enabled network devices in order to monitor, diagnose, and troubleshoot security threats.
■ OpUtils
Source: https://www.manageengine.com
OpUtils is switch port and IP address management software. It contains a collection of tools that network engineers can use to monitor, diagnose, and troubleshoot networking issues. Using OpUtils one can manage IP address, map switch ports, detect rogue devices, monitor bandwidth usage, monitor DHCP server, backup Cisco config files, view SNMP traps sent from network devices, get MAC IP list, troubleshoot the network, etc.
Features:
o IP Address Management - Scan IPv4 & IPv6 subnets in the network to identify the available and used IP Addresses.
o Switch Port Management - Scan all the switches in your network and map the switch ports to devices down to its physical location.
o Detect Rogue Devices - Identify rogue device intrusions and block their access.
o Network Tools - Monitor the critical servers in the network for availability and alert for immediate attention.
■ Engineer's Toolset
Source: http://www.solarwinds.com
IP Network Browser application in the Engineer's Toolset performs network discovery on a single subnet or a range of subnets using ICMP and SNMP. It scans a single IP, IP address range, or subnet and displays network devices in real time, providing immediate access to detailed information about the devices on network.
On a Cisco router, the application will determine the current IOS version and release, as well as identify cards installed into the slots, the status of each port, and ARP tables. When it discovers a Windows server, it returns information including interface status, bandwidth utilization, services running, and even details on installed software.
Features:
o Automated network discovery- Discover your entire network, including equipment, MAC to IP address relationships, Switch Port mapping, and more.
o Real time monitoring and alerting- Monitor and receive alerts in real time on network availability and health.
o Powerful diagnostics- Perform robust network diagnostics for faster troubleshooting and quick resolution of complex network issues.
o Enhanced network security- Simulate attacks on your network to identify security vulnerabilities.
o Configuration and log management- Configure devices on your network and troubleshoot any config issues with specialized tools.
Some of the SNMP enumeration tools include:
■ Nsauditor Network Security Auditor (https://www.nsauditor.com)
■ Spiceworks Network Monitor (https://www.spiceworks.com)
■ NetScanTools Pro (https://www.netscantools.com)
■ SoftPerfect Network Scanner (https://www.softperfect.com)
■ Network Performance Monitor (http://www.solarwinds.com)
■ SNMP Informant (https://www.snmp-informant.com)
■ OiDViEW SNMP MIB Browser (http://www.oidview.com)
■ iReasoning MIB Browser (http://ireasoning.com)
■ SNScan (https://www.mcafee.com)
■ SNMPCHECK (http://www.nothink.org)
■ Net-SNMP (http://www.net-snmp.org)
■ Getif (http://www.wtcs.org)
LDAP Enumeration
Various protocols enable communication and manage data transfer between network resources. All of these protocols carry valuable information about network resources along with the data. An external user who is able to enumerate that information by manipulating the protocols can break into the network and may misuse its resources. The Lightweight Directory Access Protocol (LDAP) is one such protocol; it provides access to directory listings. This section focuses on LDAP enumeration, the information extracted via LDAP enumeration, and LDAP enumeration tools.
LDAP is an Internet protocol for accessing distributed directory services. It accesses directory listings within Active Directory or other directory services. An LDAP directory is hierarchical and logical in form, similar to a company's org chart. Directory services may provide any organized set of records, often in a hierarchical and logical structure, such as a corporate email directory. LDAP uses DNS for quick lookups and fast resolution of queries. A client starts an LDAP session by connecting to a Directory System Agent (DSA), typically on TCP port 389, and sends an operation request to the DSA. Information is transmitted between client and server using Basic Encoding Rules (BER).
If the server permits anonymous binds, one can query the LDAP service without credentials for sensitive information such as user names, addresses, departmental details, server names, etc., which an attacker can use to launch attacks.
LDAP Enumeration Tools
There are many LDAP enumeration tools that access the directory listings within Active Directory or other directory services. Using these tools, attackers can enumerate information such as valid user names, addresses, departmental details, etc. from different LDAP servers.
■ Softerra LDAP Administrator
Source: http://www.ldapadministrator.com
Softerra LDAP Administrator is an LDAP administration tool that works with LDAP servers such as Active Directory, Novell Directory Services, Netscape/iPlanet, etc. It browses and manages LDAP directories. Additionally, it provides a wide variety of features essential for LDAP development, deployment, and administration of directories.
Features:
o It provides directory search facilities, bulk update operations, group membership management facilities, etc.
o It supports LDAP-SQL, which allows managing LDAP entries using SQL-like syntax.
Some of the LDAP enumeration tools are listed below:
■ LDAP Admin Tool (https://www.ldapsoft.com)
■ LDAP Account Manager (https://www.ldap-account-manager.org)
■ LDAP Search (http://securityxploded.com)
■ JXplorer (http://www.jxplorer.org)
■ Active Directory Explorer (https://docs.microsoft.com)
■ LDAP Admin (http://www.ldapadmin.org)
■ LDAP Administration Tool (https://sourceforge.net)
■ Open LDAP (https://www.openldap.org)
■ ad-ldap-enum (https://github.com)
■ LEX - The LDAP Explorer (http://www.ldapexplorer.com)
■ LDAP Browser/Editor (https://www.novell.com)
NTP Enumeration
Administrators often overlook the Network Time Protocol (NTP) server in terms of security. However, if queried properly, it can provide valuable network information to the attackers. Therefore, it is necessary to know what information an attacker can obtain about a network through NTP enumeration. This section describes NTP enumeration, information extracted via NTP enumeration, various NTP enumeration commands, and NTP enumeration tools.
NTP is designed to synchronize the clocks of networked computers. It uses UDP port 123 as its primary means of communication. NTP can maintain time to within 10 milliseconds (1/100 second) over the public Internet and can achieve accuracies of 200 microseconds or better on local area networks under ideal conditions.
An attacker queries the NTP server to gather valuable information such as:
■ List of hosts connected to the NTP server
■ Client IP addresses in the network, their system names and OSs
■ Internal IP addresses, if the NTP server is in the DMZ
NTP Enumeration Tools
NTP enumeration tools are used to monitor the working of NTP and SNTP servers present in the network and also help in configuring and verifying connectivity from the time client to the NTP servers.
■ PRTG Network Monitor
Source: https://www.paessler.com
PRTG monitors all systems, devices, traffic, and applications of the IT infrastructure using technologies such as SNMP, WMI, and SSH. PRTG Network Monitor includes an SNTP sensor that monitors a Simple Network Time Protocol (SNTP) server and shows the server's response time and the time difference from the local system time.
Some of the NTP enumeration tools include:
■ Nmap (https://nmap.org)
■ Wireshark (https://www.wireshark.org)
■ udp-proto-scanner (https://labs.portcullis.co.uk)
■ NTP Time Server Monitor (https://www.meinbergglobal.com)
SMTP and DNS Enumeration
This section describes enumeration techniques to extract information related to network resources. It also covers DNS enumeration techniques that obtain information about DNS servers and the network infrastructure of the organization. The section discusses both SMTP and DNS enumeration techniques. This section will familiarize you with SMTP enumeration, how to get a list of valid users on the SMTP server, SMTP enumeration tools, DNS Zone Transfer Enumeration, etc.
SMTP servers respond differently to the VRFY, EXPN, and RCPT TO commands for valid and invalid users, from which we can determine valid users on the SMTP server. Attackers can interact directly with SMTP via a telnet prompt and collect a list of valid users on the SMTP server.
Administrators and pen testers can perform SMTP enumeration using command-line utilities such as telnet, netcat, etc., or by using tools such as Metasploit, Nmap, NetScanTools Pro, smtp-user-enum, etc., to collect a list of valid users, delivery addresses, recipients of messages, etc.
SMTP Enumeration Tools
SMTP enumeration tools are used to perform username enumeration. Attackers can use the usernames obtained from this enumeration to launch further attacks on other systems in the network.
■ NetScanTools Pro
Source: https://www.netscantools.com
NetScanTools Pro's SMTP Email Generator tool tests the process of sending an email message through an SMTP server. It can extract all the common email header parameters including confirm/urgent flags. NetScanTools Pro supports SMTP Authentication, either basic or using STARTTLS with username and password for servers requiring it. This tool includes the ability to send email attachments. It can save the email session to a log file and then display the log file showing the communications between NetScanTools Pro and the SMTP server.
NetScanTools Pro's Email Relay Testing Tool performs relay testing by communicating with an SMTP server. The report includes a log of the communications between NetScanTools Pro and the target SMTP server. The relay test report displays as either text or as HTML in a browser.
■ smtp-user-enum
Source: http://pentestmonkey.net
smtp-user-enum is a tool for enumerating OS-level user accounts on Solaris via the SMTP service (sendmail). Enumeration is performed by inspecting the responses to the VRFY, EXPN, and RCPT TO commands. smtp-user-enum simply needs to be passed a list of users and at least one target running an SMTP service.
Some of the SMTP enumeration tools include:
■ Telnet (https://technet.microsoft.com)
■ Vanquish (https://github.com)
■ MX Toolbox (https://mxtoolbox.com)
DNS Enumeration Using Zone Transfer
DNS zone transfer is the process of transferring a copy of the DNS zone file from the primary DNS server to a secondary DNS server. The attacker performs DNS zone transfer enumeration to locate the DNS server and records of the target organization. Through this process, an attacker gathers valuable network information such as DNS server names, hostnames, machine names, user names, IP addresses, etc. of the potential targets. In a DNS zone transfer enumeration, an attacker tries to retrieve a copy of the entire zone file for a domain from the DNS server. To perform DNS zone transfer enumeration, the attacker can use tools such as nslookup, DNSstuff, etc.
To perform a DNS zone transfer, the attacker sends a zone transfer request to the DNS server pretending to be a secondary server; the DNS server then sends a portion of its database as a zone to the attacker. This zone may contain a lot of information about the network covered by the DNS zone.
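What makes a leaked zone file valuable is the records an administrator should never have published: HINFO records that name hardware and OS, and RFC 1918 addresses of internal hosts. The following added example, which is not code from this module or from nslookup or DNSstuff, is the audit a defender can run over an exported zone (or over the output of a zone transfer test against their own server) to find exactly those records before an attacker does. It also serves the DNS countermeasures later in this module that call for pruning zone files and keeping private hosts out of public zones. The zone file is a constructed sample for a fictitious example.com; the parser handles the common single-line master-file syntax and treats everything after a semicolon as a comment.

```python
import ipaddress

# Constructed sample zone, in the form a zone transfer returns it.
# The names and addresses do not belong to any real organisation.
SAMPLE_ZONE = """\
; exported zone, constructed for the example
$ORIGIN example.com.
$TTL 3600
@       IN SOA   ns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600
@       IN NS    ns1.example.com.
@       IN MX    10 mail.example.com.
www     IN A     203.0.113.10
mail    IN A     203.0.113.25
db01    IN A     10.0.5.20
backup  IN A     192.168.1.5
fw-core IN HINFO "PIX-515E" "ASA 8.2"
        IN A     172.16.0.1
vpn     IN TXT   "site-to-site gateway, contact bob"
"""

# RFC 1918 ranges checked explicitly (ipaddress.is_private also covers
# documentation ranges such as 203.0.113.0/24, which are not what we want).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_zone(text):
    """Parse a BIND-style master file into (owner, type, rdata) tuples.

    Supports $ORIGIN, optional TTL and class fields, ';' comments and
    continuation lines that inherit the previous owner name. Multi-line
    records in parentheses are not handled (constructed sample avoids them).
    """
    records = []
    owner = None
    origin = ""
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.startswith("$"):
            parts = line.split()
            if parts[0] == "$ORIGIN":
                origin = parts[1]
            continue
        tokens = line.split()
        if not line[0].isspace():          # new owner name on this line
            owner = tokens.pop(0)
        if tokens and tokens[0].isdigit():  # optional TTL
            tokens.pop(0)
        if tokens and tokens[0].upper() in ("IN", "CH", "HS"):  # optional class
            tokens.pop(0)
        rtype = tokens.pop(0).upper()
        rdata = " ".join(tokens)
        name = owner
        if name == "@":
            name = origin
        elif not name.endswith("."):
            name = f"{name}.{origin}"
        records.append((name, rtype, rdata))
    return records


def audit_zone(records):
    """Return (name, issue, rdata) for records that leak internal detail."""
    findings = []
    for name, rtype, rdata in records:
        if rtype == "HINFO":
            findings.append((name, "HINFO", rdata))
        elif rtype == "A":
            addr = ipaddress.ip_address(rdata)
            if any(addr in net for net in RFC1918):
                findings.append((name, "PRIVATE_IP", rdata))
    return findings


if __name__ == "__main__":
    for finding in audit_zone(parse_zone(SAMPLE_ZONE)):
        print(*finding)
```

Running this against the sample reports the two RFC 1918 database and backup hosts, the firewall's HINFO record and its internal address; none of those belong in a zone that an external resolver can fetch.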
Other Enumeration Techniques
This section will familiarize you with IPsec, VoIP, RPC, and Unix/Linux user enumerations.
IPsec Enumeration
IPsec is the most commonly implemented technology for both gateway-to-gateway (LAN-to-LAN) and host to gateway (remote access) enterprise VPN solutions. IPsec provides data security by employing various components like ESP (Encapsulation Security Payload), AH (Authentication Header), and IKE (Internet Key Exchange) to secure communication between VPN end-points.
Most IPsec based VPNs use ISAKMP (Internet Security Association Key Management Protocol), a part of IKE, to establish, negotiate, modify and delete Security Associations (SA) and cryptographic keys in a VPN environment.
An attacker can perform a simple direct scan for ISAKMP on UDP port 500 with tools like Nmap to determine whether a VPN gateway is present.
You can enter the following command to perform an Nmap scan that checks the status of ISAKMP on UDP port 500:
# nmap -sU -p 500 <target IP address>
Attackers can probe further using fingerprinting tools such as ike-scan to enumerate the sensitive information including encryption and hashing algorithm, authentication type, key distribution algorithm, SA LifeDuration, etc. In this type of scan, specially crafted IKE packets with ISAKMP header are sent to the target gateway and the responses are recorded.
An initial IPsec VPN discovery with the ike-scan tool is performed as follows:
# ike-scan -M <target gateway IP address>
■ ike-scan
Source: https://github.com
ike-scan discovers IKE hosts and can also fingerprint them using the retransmission backoff pattern. ike-scan can perform the following functions:
o Discovery: Determine which hosts in a given IP range are running IKE. This is done by displaying those hosts which respond to the IKE requests sent by ike-scan.
o Fingerprinting: Determine which IKE implementation the hosts are using, and in some cases determine the version of software that they are running. This is done in two ways: firstly by UDP backoff fingerprinting which involves recording the times of the IKE response packets from the target hosts and comparing the observed retransmission backoff pattern against known patterns; and secondly by Vendor ID fingerprinting which compares Vendor ID payloads from the VPN servers against known vendor id patterns.
o Transform Enumeration: Find which transform attributes are supported by the VPN server for IKE Phase-1 (e.g. encryption algorithm, hash algorithm, etc.).
o User Enumeration: For some VPN systems, discover valid VPN usernames.
o Pre-Shared Key Cracking: Perform offline dictionary or brute-force password cracking for IKE Aggressive Mode with Pre-Shared Key authentication. This uses ike-scan to obtain the hash and other parameters, and psk-crack (which is part of the ike-scan package) to perform the cracking.
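The pre-shared key cracking described above only works because an IKEv1 Aggressive Mode exchange transmits the PSK-derived hash before the channel is encrypted; Main Mode does not. Whether a gateway accepts Aggressive Mode is therefore the fact a defender most wants to know, and the exchange type is carried in the clear in the fixed 28-byte ISAKMP header that every IKE datagram starts with. The following added example, which is not code from this module or from ike-scan, parses that header (RFC 2408 layout, with the IKEv2 exchange types from RFC 7296) and labels each datagram so that a sensor on UDP/500 can alert on incoming Aggressive Mode requests. The packets are constructed header-only samples with no payloads.

```python
import struct

# Added example: decode the ISAKMP/IKE header and label the exchange.
# fields: initiator SPI, responder SPI, next payload, version (major<<4|minor),
#         exchange type, flags, message ID, total length
ISAKMP_HEADER = struct.Struct("!8s8sBBBBII")

EXCHANGE_TYPES = {
    1: "Base",
    2: "Identity Protection (Main Mode)",
    3: "Authentication Only",
    4: "Aggressive",
    5: "Informational",
    34: "IKE_SA_INIT",
    35: "IKE_AUTH",
    36: "CREATE_CHILD_SA",
    37: "INFORMATIONAL",
}


def parse_isakmp_header(data: bytes) -> dict:
    """Unpack the 28-byte header; raises ValueError on a truncated datagram."""
    if len(data) < ISAKMP_HEADER.size:
        raise ValueError("datagram shorter than ISAKMP header")
    (i_spi, r_spi, next_payload, version, exch,
     flags, msg_id, length) = ISAKMP_HEADER.unpack_from(data)
    return {
        "initiator_spi": i_spi.hex(),
        "responder_spi": r_spi.hex(),
        "next_payload": next_payload,
        "major_version": version >> 4,
        "minor_version": version & 0x0F,
        "exchange_type": exch,
        "exchange_name": EXCHANGE_TYPES.get(exch, f"unknown({exch})"),
        "flags": flags,
        "message_id": msg_id,
        "length": length,
        # A zero responder SPI means this is the first message of an exchange.
        "is_initial_request": r_spi == bytes(8),
    }


def assess(data: bytes) -> str:
    """Label a datagram: ikev1-aggressive, ikev1-main, ikev2 or other."""
    h = parse_isakmp_header(data)
    if h["major_version"] == 2:
        return "ikev2"
    if h["major_version"] != 1:
        return "other"
    if h["exchange_type"] == 4:
        return "ikev1-aggressive"
    if h["exchange_type"] == 2:
        return "ikev1-main"
    return "other"


def summarize(datagrams) -> dict:
    """Count labels over an iterable of raw UDP/500 payloads."""
    counts: dict = {}
    for d in datagrams:
        label = assess(d)
        counts[label] = counts.get(label, 0) + 1
    return counts


def build_header(exchange_type: int, version: int = 0x10,
                 responder_spi: bytes = bytes(8)) -> bytes:
    """Build a constructed header-only sample (next payload 1 = SA, length 28)."""
    return ISAKMP_HEADER.pack(b"\xa1" * 8, responder_spi, 1, version,
                              exchange_type, 0, 0, ISAKMP_HEADER.size)


if __name__ == "__main__":
    samples = [build_header(2), build_header(4), build_header(34, version=0x20)]
    for s in samples:
        print(parse_isakmp_header(s)["exchange_name"], "->", assess(s))
    print(summarize(samples))
```

A gateway policy that disables IKEv1 Aggressive Mode (or IKEv1 altogether in favour of IKEv2) removes the offline cracking path; the labeller above is how to confirm from traffic that no such exchanges are still being initiated or answered.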
VoIP Enumeration
VoIP is the advanced technique that has replaced the traditional PSTN in both corporate and home environments. VoIP uses the Internet infrastructure to establish connections for voice, and data travels on the same network; as a result, VoIP is exposed to TCP/IP attack vectors. SIP (Session Initiation Protocol) is one of the protocols VoIP uses for voice calls, video calls, etc. over an IP network. The SIP service generally uses UDP/TCP ports 2000, 2001, 5050, 5061.
Attackers use the Svmap and Metasploit tools to perform VoIP enumeration. VoIP enumeration provides the attacker with sensitive information such as VoIP gateways/servers, IP-PBX systems, client software (softphones)/VoIP phones, user-agent IP addresses, user extensions, etc. This information can be used to launch various VoIP attacks such as Denial-of-Service (DoS), Session Hijacking, Caller ID spoofing, Eavesdropping, Spamming over Internet Telephony (SPIT), VoIP phishing (Vishing), etc.
■ Svmap
Source: https://github.com
Svmap is a free and Open Source scanner to identify sip devices and PBX servers on a target network. It can also be helpful for systems administrators when used as a network inventory tool. Svmap was designed to be faster than the competition by specifically targeting SIP over UDP.
Svmap can:
o Identify SIP devices and PBX servers on default and non-default ports
o Scan large ranges of networks
o Scan just one host on different ports, looking for a SIP service on that host, or multiple hosts on multiple ports
o Take previous scan results as input, allowing you to scan only known hosts running SIP
o Use different scanning methods (make use of REGISTER instead of OPTIONS requests)
o Get all the phones on a network to ring at the same time (using INVITE as the method)
o Randomly scan Internet ranges
o Resume previous scans
RPC Enumeration
RPC (Remote Procedure Call) is a technology used for creating distributed client/server programs.
RPC allows client and server to communicate in distributed client/server programs. It is an inter process communication mechanism, which enables data exchange in between different processes. In general, RPC consists of components like client, server, endpoint, end point mapper, client stub and server stub along with various dependencies.
The portmapper service listens on TCP and UDP port 111 in order to detect the endpoints and present clients details of listening RPC services. Enumerating RPC endpoints enable attackers to identify any vulnerable services on these service ports. In networks protected by firewalls and other security establishments, this portmapper is often filtered. Therefore, attackers scan high port ranges to identify RPC services that are open to direct attack.
You can use the following Nmap scan commands to identify the RPC service running on the network.
# nmap -sR <target IP/network>
# nmap -T4 -A <target IP/network>
Additionally, you can also use tools like NetScanTools Pro to capture the RPC information of the target network.
Unix/Linux User Enumeration
One of the important steps in conducting an enumeration is to perform Unix/Linux user enumeration. Unix/Linux user enumeration provides a list of users along with details like user name, host name, start date and time of each session, etc.
You can use the following command-line utilities to perform Unix/Linux user enumeration:
■ rusers
rusers displays a list of users who are logged on to remote machines or machines on local network. It displays output similar to who, but for the hosts/systems on the local network.
Syntax: /usr/bin/rusers [-a] [-l] [-u | -h | -i] [Host ...]
Where,
o -a: Gives a report for a machine even if no users are logged in
o -h: Sorts alphabetically by host name
o -l: Gives a longer listing similar to the who command
o -u: Sorts by number of users
o -i: Sorts by idle time
■ rwho
rwho displays a list of users who are logged in to hosts on the local network. It produces output similar to who command which contains information about user name, host name, and start date and time of each session for all machines on the local network running the rwho daemon.
Syntax: rwho [-a]
Where,
o -a: Includes all users. Without this flag, users whose sessions are idle an hour or more are not included in the report.
■ finger
finger displays information about system users such as user's login name, real name, terminal name, idle time, login time, office location and office phone numbers.
Syntax: finger [-l] [-m] [-p] [-s] [user ...] [user@host ...]
Where,
o -s: Displays the user's login name, real name, terminal name, idle time, login time, office location, and office phone number.
o -l: Produces a multi-line format displaying all of the information described for the -s option as well as the user's home directory, home phone number, login shell, mail status, and the contents of the files ".plan", ".project", ".pgpkey", and ".forward" from the user's home directory.
o -p: Prevents the -l option of finger from displaying the contents of the ".plan", ".project", and ".pgpkey" files.
o -m: Prevents matching of user names.
Enumeration Countermeasures
So far, we have described enumeration techniques and the tools used to extract valuable information from a target. Now let us discuss countermeasures that can prevent attackers from enumerating sensitive information from a network or host. This section focuses on how to avoid information leakage through SNMP, DNS, SMTP, LDAP, and SMB enumeration; the following countermeasures address each of these in turn.
SNMP Enumeration
■ Remove the SNMP agent or turn off the SNMP service
■ If shutting off SNMP is not an option, then change the default community string names
■ Upgrade to SNMPv3, which encrypts passwords and messages
■ Implement the Group Policy security option called "Additional restrictions for anonymous connections"
■ Ensure that the access to null session pipes, null session shares, and IPSec filtering is restricted
■ Block access to TCP/UDP port 161
■ Do not install the management and monitoring Windows component unless it is required
■ Encrypt or authenticate using IPsec
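Two of the SNMP countermeasures above, changing default community strings and moving to SNMPv3, are easy to state and easy to get half right: a configuration can define a v3 user and still leave a "public" community accepting requests from any source. The following added example, which is not code from this module or from Net-SNMP, audits an snmpd.conf in Net-SNMP directive syntax (rocommunity/rwcommunity, com2sec, createUser, rouser/rwuser) and reports each weakness, with a constructed weak configuration beside a constructed hardened one. The issue codes and the passphrases are invented for the example.

```python
import shlex

# Added example: flag weak settings in a Net-SNMP style snmpd.conf.
# Both configurations below are constructed samples, not real deployments.
WEAK_CONF = """\
# legacy config, constructed for the example
rocommunity public
rwcommunity private 10.0.0.0/8
com2sec readonly default public
createUser oldmon MD5 "legacy-pass" DES "legacy-pass"
rouser oldmon noauth
"""

HARDENED_CONF = """\
# v3 only, authPriv, constructed for the example
createUser nmsuser SHA "correct horse battery staple" AES "staple battery horse correct"
rouser nmsuser priv
agentAddress udp:161
"""

# Community strings commonly shipped as defaults.
DEFAULT_COMMUNITIES = {"public", "private"}
COMMUNITY_DIRECTIVES = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"}


def parse_snmpd_conf(text):
    """Yield (directive, args) with shell-style quoting and '#' comments handled."""
    entries = []
    for raw in text.splitlines():
        tokens = shlex.split(raw, comments=True)
        if tokens:
            entries.append((tokens[0].lower(), tokens[1:]))
    return entries


def audit_snmpd_conf(text):
    """Return (line, issue_code) findings for the configuration text."""
    findings = []
    for directive, args in parse_snmpd_conf(text):
        line = " ".join([directive, *args])
        if directive in COMMUNITY_DIRECTIVES:
            # rocommunity COMMUNITY [SOURCE [OID | -V VIEW]]; no SOURCE means any host
            community = args[0] if args else ""
            source = args[1] if len(args) > 1 and not args[1].startswith("-") else "default"
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append((line, "DEFAULT_COMMUNITY"))
            if source == "default":
                findings.append((line, "ANY_SOURCE"))
            if directive.startswith("rw"):
                findings.append((line, "WRITE_COMMUNITY"))
        elif directive == "com2sec" and len(args) >= 3:
            # com2sec NAME SOURCE COMMUNITY
            _name, source, community = args[:3]
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append((line, "DEFAULT_COMMUNITY"))
            if source == "default":
                findings.append((line, "ANY_SOURCE"))
        elif directive == "createuser":
            # createUser USER (MD5|SHA...) authpass [DES|AES] [privpass]
            upper = {a.upper() for a in args}
            if "MD5" in upper or "DES" in upper:
                findings.append((line, "WEAK_V3_CRYPTO"))
        elif directive in ("rouser", "rwuser"):
            # rouser USER [noauth|auth|priv]; the level defaults to auth
            level = args[1].lower() if len(args) > 1 else "auth"
            if level != "priv":
                findings.append((line, "V3_NOT_PRIV"))
    return findings


if __name__ == "__main__":
    for line, issue in audit_snmpd_conf(WEAK_CONF):
        print(f"{issue:18} {line}")
    print("hardened findings:", audit_snmpd_conf(HARDENED_CONF))
```

The weak configuration produces eight findings; the hardened one, which defines a single SNMPv3 user at the authPriv level and no v1/v2c communities at all, produces none. Run it against the real file before and after applying the countermeasures above to confirm nothing was left behind.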
DNS Enumeration
■ Disable the DNS zone transfers to the untrusted hosts
■ Make sure that the private hosts and their IP addresses are not published into DNS zone files of public DNS server
■ Use premium DNS registration services that hide sensitive information such as host information (HINFO) from public
■ Use standard network admin contacts for DNS registrations in order to avoid social engineering attacks
■ Prune DNS zone files to prevent revealing unnecessary information
SMTP Enumeration Countermeasures
Configure SMTP servers to:
■ Ignore email messages to unknown recipients
■ Not include sensitive mail server and local host information in mail responses
■ Disable the open relay feature
■ Limit the number of accepted connections from a source in order to prevent brute force attacks
■ Disable the EXPN, VRFY, and RCPT TO commands, or restrict them to authenticated users
■ Ignore emails to unknown recipients by configuring SMTP servers
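Even with VRFY and EXPN disabled, the RCPT TO probing described earlier in the SMTP enumeration section still works against any server that has to reject unknown recipients, so the remaining countermeasure above, limiting what one source may attempt, needs a detection to back it. The following added example, which is not code from this module or from any tool it names, reads mail server log lines in the Postfix smtpd format for a rejected recipient ("NOQUEUE: reject: RCPT from ... 550 5.1.1 ... User unknown") and alerts when one client address probes more than a threshold of distinct recipients within a sliding window. The log lines are constructed; the year is absent from syslog timestamps and is assumed to be 2024 for the sample.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Added example: detect recipient enumeration from constructed Postfix-style
# log lines. One host probes six distinct users in 25 seconds; a partner
# mail server retries a single mistyped address three times.
SAMPLE_LOG = """\
Mar  3 10:15:01 mx1 postfix/smtpd[4021]: connect from unknown[198.51.100.77]
Mar  3 10:15:02 mx1 postfix/smtpd[4021]: NOQUEUE: reject: RCPT from unknown[198.51.100.77]: 550 5.1.1 <alice@example.com>: Recipient address rejected: User unknown in local recipient table; from=<probe@example.net> to=<alice@example.com> proto=ESMTP helo=<scan>
Mar  3 10:15:05 mx1 postfix/smtpd[4021]: NOQUEUE: reject: RCPT from unknown[198.51.100.77]: 550 5.1.1 <bob@example.com>: Recipient address rejected: User unknown in local recipient table; from=<probe@example.net> to=<bob@example.com> proto=ESMTP helo=<scan>
Mar  3 10:15:09 mx1 postfix/smtpd[4021]: NOQUEUE: reject: RCPT from unknown[198.51.100.77]: 550 5.1.1 <carol@example.com>: Recipient address rejected: User unknown in local recipient table; from=<probe@example.net> to=<carol@example.com> proto=ESMTP helo=<scan>
Mar  3 10:15:14 mx1 postfix/smtpd[4021]: NOQUEUE: reject: RCPT from unknown[198.51.100.77]: 550 5.1.1 <dave@example.com>: Recipient address rejected: User unknown in local recipient table; from=<probe@example.net> to=<dave@example.com> proto=ESMTP helo=<scan>
Mar  3 10:15:20 mx1 postfix/smtpd[4021]: NOQUEUE: reject: RCPT from unknown[198.51.100.77]: 550 5.1.1 <erin@example.com>: Recipient address rejected: User unknown in local recipient table; from=<probe@example.net> to=<erin@example.com> proto=ESMTP helo=<scan>
Mar  3 10:15:27 mx1 postfix/smtpd[4021]: NOQUEUE: reject: RCPT from unknown[198.51.100.77]: 550 5.1.1 <frank@example.com>: Recipient address rejected: User unknown in local recipient table; from=<probe@example.net> to=<frank@example.com> proto=ESMTP helo=<scan>
Mar  3 10:15:40 mx1 postfix/smtpd[4033]: NOQUEUE: reject: RCPT from mail.partner.example[203.0.113.9]: 550 5.1.1 <jon.smth@example.com>: Recipient address rejected: User unknown in local recipient table; from=<hr@partner.example> to=<jon.smth@example.com> proto=ESMTP helo=<mail.partner.example>
Mar  3 10:15:55 mx1 postfix/smtpd[4033]: NOQUEUE: reject: RCPT from mail.partner.example[203.0.113.9]: 550 5.1.1 <jon.smth@example.com>: Recipient address rejected: User unknown in local recipient table; from=<hr@partner.example> to=<jon.smth@example.com> proto=ESMTP helo=<mail.partner.example>
Mar  3 10:16:10 mx1 postfix/smtpd[4033]: NOQUEUE: reject: RCPT from mail.partner.example[203.0.113.9]: 550 5.1.1 <jon.smth@example.com>: Recipient address rejected: User unknown in local recipient table; from=<hr@partner.example> to=<jon.smth@example.com> proto=ESMTP helo=<mail.partner.example>
"""

REJECT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: RCPT from [^\s\[]+\[(?P<ip>[^\]]+)\]: 550 5\.1\.1 "
    r"<(?P<rcpt>[^>]+)>: Recipient address rejected: User unknown"
)


def parse_rejects(log_text, year=2024):
    """Extract (timestamp, client ip, recipient) for each unknown-user reject."""
    events = []
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if not m:
            continue
        ts_text = re.sub(r"\s+", " ", m.group("ts"))   # syslog pads the day with spaces
        ts = datetime.strptime(f"{year} {ts_text}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "ip": m.group("ip"), "rcpt": m.group("rcpt").lower()})
    return events


def detect_enumeration(log_text, window_seconds=60, threshold=5):
    """Alert on client IPs that probe >= threshold distinct recipients in a window.

    Distinct recipients, not raw reject counts, are used so that a legitimate
    sender retrying one mistyped address does not trip the detector.
    """
    by_ip = defaultdict(list)
    for ev in parse_rejects(log_text):
        by_ip[ev["ip"]].append(ev)
    window = timedelta(seconds=window_seconds)
    alerts = []
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        best, start = 0, 0
        for end in range(len(events)):
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            best = max(best, len({e["rcpt"] for e in events[start:end + 1]}))
        if best >= threshold:
            alerts.append({"ip": ip, "distinct_recipients": best,
                           "first": events[0]["ts"].strftime("%H:%M:%S"),
                           "last": events[-1]["ts"].strftime("%H:%M:%S")})
    return alerts


if __name__ == "__main__":
    for alert in detect_enumeration(SAMPLE_LOG):
        print(alert)
```

The same sliding-window logic applies to VRFY and EXPN responses on servers that still log them; the regular expression is the only part tied to the Postfix reject format.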
LDAP Enumeration
■ By default, LDAP traffic is transmitted unsecured; use SSL or STARTTLS technology to encrypt the traffic
■ Select a user name different from your email address and enable account lockout
■ Restrict access to Active Directory by using software such as Citrix
SMB Enumeration
Common sharing services or other unused services may prove to be doorways for attackers to break into a network's security. Server Message Block (SMB) is a protocol that provides shared access to files, serial ports, printers, and communications between nodes on a network. If this service is running on a network, then there is a high risk of enumeration via SMB. Since web and DNS servers do not require this protocol, it is advisable to disable it on them. SMB protocol can