4 - Enumeration

Module 04 - Enumeration

What is the Enumeration phase?

Enumeration is a critical phase in the process of information gathering and vulnerability assessment in the field of cybersecurity. It involves actively probing a target system or network to gather specific and detailed information about the system, its resources, and its configuration. Enumeration typically occurs after network scanning and serves the purpose of providing an in-depth understanding of the target.

Here are the key aspects of enumeration:

User Enumeration: One common aspect of enumeration is the identification of valid usernames on a system. This can be particularly valuable for attackers because knowing valid usernames can be a step toward unauthorized access. For security professionals, it's essential for understanding potential points of entry for attackers.
Network Shares and Resources: Enumeration can uncover shared resources on a network, such as shared folders, printers, and other network-accessible resources. Knowing what is shared and who has access to these resources is vital for both security professionals and attackers.
Group Memberships: Enumeration can reveal the memberships of users in various groups on the target system or network. Understanding group memberships can provide insights into the level of access and privileges users have.
System Information: Enumeration may yield details about the target system, such as the operating system version, hardware specifications, software versions, and other system-specific information. This information can be valuable for assessing vulnerabilities and potential attack vectors.
Service Information: It involves gathering detailed information about the services running on the target system, including version numbers, configurations, and potential vulnerabilities associated with these services.
Port Information: Enumeration can provide more information about open ports and services beyond what was discovered during network scanning. This additional information can be useful for understanding potential attack vectors.

Basic command

ping www.moviescope.com –f –l 1500 -> Frame size
tracert www.moviescope.com -> Determining hop count

Ping Sweep

What is Ping Sweep?

Ping Sweep is a network scanning technique used to determine which IP addresses in a range are active or responsive. It involves sending Internet Control Message Protocol (ICMP) echo requests (ping) to a range of IP addresses and then analyzing the responses. When a target IP address responds to the ping request, it indicates that a host is active and reachable.

Nmap

nmap -sP <Target_IP>/<Subnet>

Bash

We can se the 'ping' command on a given subnet range to check host statuses. The goal is to produce a clean output, focusing solely on the IP addresses, by filtering out unnecessary information.

ping -c 3 <Target_IP>

Grabbing only IP addresses:

# -c number of packets sent, grep to consider only strings with 64 bytes, cut to remove whitespaces,
#tr to remove ":" symbol and > to export the results to a .txt file 
ping -c 3 <Target_IP> | grep "64" | cut -d " " -f 4 | tr -d ":" ; > iptest.txt

We can automate it creating a bash script (.sh):

pingsweep.sh

#!/bin/bash 
 
if [ "$1" == "" ]
then
echo "[-] You forgot the IP address!"
echo "[-] Syntax: ./ipsweep.sh 10.10.10"

else
for ip in `seq 1 254`; do 
ping -c 1 $1.$ip | grep "64 bytes" | cut -d " " -f 4 | tr -d ":" &
done
fi

Save it, change the permissions and make executable:

chmod 770 pingweep.sh
chmod +x pingweep.sh

#Test it out
./pingweep.sh 10.0.2 > ping-results.txt
cat ping-results.txt

SNMP Enumeration (161)

SNMP enumeration is the process of enumerating the users accounts and devices on a SNMP enabled computer.

SNMP service comes with two passwords, which are used to configure and access the SNMP agent from the management station. They are: Read community string and Read/Write community string. These strings (passwords) come with a default value, which is same for all the systems. They become easy entry points for attackers if left unchanged by administrator.

nmap –sU –p 161 <Target_IP> #-sU: UDP port scan
nmap -sU -p 161 --script=snmp-brute <Target_IP>
msfconsole #run msfconsole
use auxiliary/scanner/snmp/snmp_login
set RHOSTS and exploit
use auxiliary/scanner/snmp/snmp_enum
set RHOSTS and exploit

Enumerate SNMP using snmp-check

nmap -sU -p 161 <Target IP>
snmp-check <Target IP> -> Enumerates SNMP devices, displaying the output in a simple and reader-friendly format.

NetBIOS Enumeration (139)

nbtstat –a <Target_IP> -> Displays the NetBIOS name table of a remote machine
nbtstat –c <Target_IP> -> Lists the contents of the NetBIOS name cache of the remote machine
net use -> Connects or disconnects a computer from a shared resource
net use \10.10.10.16\e ““\user:””
net use \10.10.10.16\e ““/user:””

NetBIOS Enumerator

Enum4Linux Win Enumeration

Enum4linux is a tool for gathering information from Windows and Samba systems. Security professionals use it to identify vulnerabilities and potential attack vectors. During assessments, they establish connections with the target system to discover weaknesses and enhance system security.

enum4linux -u martin -p apple -U <Target_IP> -> Users Enumeration
enum4linux -u martin -p apple -o <Target_IP> -> OS Enumeration
enum4linux -u martin -p apple -P <Target_IP> -> Password Policy Information
enum4linux -u martin -p apple -G <Target_IP> -> Groups Information
enum4linux -u martin -p apple -S <Target_IP> -> Share Policy Information (SMB Shares Enumeration

Enumeration using Metasploit

msfdb init
service postgresql start
msfconsole
msf > db_status
nmap -Pn -sS -A -oX Test <Target_IP>24
db_import Test
hosts -> To show all available hosts in the subnet
db_nmap -sS -A <Target_IP>-> To extract services of particular machine
services -> to get all available services in a subnet

SMB Enumeration

SMB Version Enumeration using MSF

use scanner/smb/smb_version
set RHOSTS 10.10.10.8-16
set THREADS 100
run
hosts -> now exact os_flavor information has been updated

Nmap SMB Scripts

nmap --script smb-os-discovery.nse -p445 <ip> -> Enumerate os, domain name,etc)
nmap --script smb-enum-users.nse -p445 <ip> -> Used to enumerate all users on remote Windows system using SAMR enumeration and LSA bruteforcing
nmap -p 445 --script=smb-enum-shares.nse, smb-enum-users.nse 10.10.19.21 -> SMB users and shares
smbclient //10.10.19.21/anonymous -> Accessing SMB shares
smbget -R smb://10.10.19.21/anonymous -> Downloading SMB files

Active Directory LDAP Enumeration

ADExplorer

Active Directory Explorer (AD Explorer) is a robust tool for viewing and editing Active Directory (AD). With it, you can effortlessly navigate the AD database, bookmark preferred locations, inspect object properties and attributes without opening dialog boxes, modify permissions, examine an object's schema, and perform complex, saveable searches.

AD Explorer - Windows Sysinternalsdocsmsft

Hyena

Hyena offers comprehensive Active Directory (AD) reporting, featuring built-in tools for customizable queries, filtering, object property management, advanced attribute handling, and numerous other AD administration capabilities.

SystemTools Hyena Software Download

Other LDAP enumeration tools

Softerra
LDAP Administrator
LDAP Admin Tool
LDAP Account Manager
LDAP Search
JXplorer

Accessing Shared Files

# List All Shared Resources
net view  <IP>

# Connect to Shared Resource
net use
net use \\10.10.10.1\e ""\user:""
net use \\10.10.10.1\e ""/user:""

Additional Resources

How to Enumerate SMB with Enum4linux & SmbclientWonderHowTo

A Little Guide to SMB Enumeration - Hacking ArticlesHacking Articles

PWK Notes: SMB Enumeration Checklist [Updated]0xdf hacks stuff

SMB Enumeration for Penetration Testing:Medium

User Enumeration Part 3 – WindowsRed Siege Information Security

smb-enum-users NSE script — Nmap Scripting Engine documentation

GitHub - sensepost/UserEnum: Domain user enumeration toolGitHub

https://securitytrails.com/blog/dns-enumerationsecuritytrails.com

Previous3 - Scanning Networks Next5 - Vulnerability Analysis

Last updated 1 year ago