search
HomeGitHubPortfolioTwitter/XMediumCont@ct

4 - Enumeration

hashtag
Module 04 - Enumeration

chevron-rightWhat is the Enumeration phase?hashtag

Enumeration is a critical phase in the process of information gathering and vulnerability assessment in the field of cybersecurity. It involves actively probing a target system or network to gather specific and detailed information about the system, its resources, and its configuration. Enumeration typically occurs after network scanning and serves the purpose of providing an in-depth understanding of the target.

Here are the key aspects of enumeration:

  1. User Enumeration: One common aspect of enumeration is the identification of valid usernames on a system. This can be particularly valuable for attackers because knowing valid usernames can be a step toward unauthorized access. For security professionals, it's essential for understanding potential points of entry for attackers.

  2. Network Shares and Resources: Enumeration can uncover shared resources on a network, such as shared folders, printers, and other network-accessible resources. Knowing what is shared and who has access to these resources is vital for both security professionals and attackers.

  3. Group Memberships: Enumeration can reveal the memberships of users in various groups on the target system or network. Understanding group memberships can provide insights into the level of access and privileges users have.

  4. System Information: Enumeration may yield details about the target system, such as the operating system version, hardware specifications, software versions, and other system-specific information. This information can be valuable for assessing vulnerabilities and potential attack vectors.

  5. Service Information: It involves gathering detailed information about the services running on the target system, including version numbers, configurations, and potential vulnerabilities associated with these services.

  6. Port Information: Enumeration can provide more information about open ports and services beyond what was discovered during network scanning. This additional information can be useful for understanding potential attack vectors.

hashtag
Basic command

  • ping www.moviescope.com –f –l 1500 -> Frame size

  • tracert www.moviescope.com -> Determining hop count

hashtag
Ping Sweep

chevron-rightWhat is Ping Sweep?hashtag

Ping Sweep is a network scanning technique used to determine which IP addresses in a range are active or responsive. It involves sending Internet Control Message Protocol (ICMP) echo requests (ping) to a range of IP addresses and then analyzing the responses. When a target IP address responds to the ping request, it indicates that a host is active and reachable.

hashtag
Nmap

  • nmap -sP <Target_IP>/<Subnet>

hashtag
Bash

We can se the 'ping' command on a given subnet range to check host statuses. The goal is to produce a clean output, focusing solely on the IP addresses, by filtering out unnecessary information.

  • ping -c 3 <Target_IP>

Grabbing only IP addresses:

We can automate it creating a bash script (.sh):

hashtag
pingsweep.sh

Save it, change the permissions and make executable:

hashtag
SNMP Enumeration (161)

SNMP enumeration is the process of enumerating the users accounts and devices on a SNMP enabled computer.

SNMP service comes with two passwords, which are used to configure and access the SNMP agent from the management station. They are: Read community string and Read/Write community string. These strings (passwords) come with a default value, which is same for all the systems. They become easy entry points for attackers if left unchanged by administrator.

hashtag
Enumerate SNMP using snmp-check

  • nmap -sU -p 161 <Target IP>

  • snmp-check <Target IP> -> Enumerates SNMP devices, displaying the output in a simple and reader-friendly format.

hashtag
NetBIOS Enumeration (139)

  • nbtstat –a <Target_IP> -> Displays the NetBIOS name table of a remote machine

  • nbtstat –c <Target_IP> -> Lists the contents of the NetBIOS name cache of the remote machine

  • net use -> Connects or disconnects a computer from a shared resource

  • net use \10.10.10.16\e β€œβ€œ\user:””

  • net use \10.10.10.16\e β€œβ€œ/user:””

hashtag
NetBIOS Enumerator

NetBIOS Enumeratornbtenum.sourceforge.netchevron-right

hashtag
Enum4Linux Win Enumeration

Enum4linux is a tool for gathering information from Windows and Samba systems. Security professionals use it to identify vulnerabilities and potential attack vectors. During assessments, they establish connections with the target system to discover weaknesses and enhance system security.

  • enum4linux -u martin -p apple -U <Target_IP> -> Users Enumeration

  • enum4linux -u martin -p apple -o <Target_IP> -> OS Enumeration

  • enum4linux -u martin -p apple -P <Target_IP> -> Password Policy Information

  • enum4linux -u martin -p apple -G <Target_IP> -> Groups Information

  • enum4linux -u martin -p apple -S <Target_IP> -> Share Policy Information (SMB Shares Enumeration

hashtag
Enumeration using Metasploit

  • msfdb init

  • service postgresql start

  • msfconsole

  • msf > db_status

  • nmap -Pn -sS -A -oX Test <Target_IP>24

  • db_import Test

  • hosts -> To show all available hosts in the subnet

  • db_nmap -sS -A <Target_IP>-> To extract services of particular machine

  • services -> to get all available services in a subnet

hashtag
SMB Enumeration

hashtag
SMB Version Enumeration using MSF

  • use scanner/smb/smb_version

  • set RHOSTS 10.10.10.8-16

  • set THREADS 100

  • run

  • hosts -> now exact os_flavor information has been updated

hashtag
Nmap SMB Scripts

  • nmap --script smb-os-discovery.nse -p445 <ip> -> Enumerate os, domain name,etc)

  • nmap --script smb-enum-users.nse -p445 <ip> -> Used to enumerate all users on remote Windows system using SAMR enumeration and LSA bruteforcing

  • nmap -p 445 --script=smb-enum-shares.nse, smb-enum-users.nse 10.10.19.21 -> SMB users and shares

  • smbclient //10.10.19.21/anonymous -> Accessing SMB shares

  • smbget -R smb://10.10.19.21/anonymous -> Downloading SMB files

hashtag
Active Directory LDAP Enumeration

hashtag
ADExplorer

Active Directory Explorer (AD Explorer) is a robust tool for viewing and editing Active Directory (AD). With it, you can effortlessly navigate the AD database, bookmark preferred locations, inspect object properties and attributes without opening dialog boxes, modify permissions, examine an object's schema, and perform complex, saveable searches.

LogoAD Explorer - SysinternalsMicrosoftLearnchevron-right

hashtag
Hyena

Hyena offers comprehensive Active Directory (AD) reporting, featuring built-in tools for customizable queries, filtering, object property management, advanced attribute handling, and numerous other AD administration capabilities.

LogoSystemTools Hyena Software Downloadwww.systemtools.comchevron-right

Other LDAP enumeration tools

  • Softerra

  • LDAP Administrator

  • LDAP Admin Tool

  • LDAP Account Manager

  • LDAP Search

  • JXplorer

Accessing Shared Files

hashtag
Additional Resources

LogoHow to Enumerate SMB with Enum4linux & SmbclientNull Bytechevron-right
LogoA Little Guide to SMB EnumerationHacking Articleschevron-right
LogoPWK Notes: SMB Enumeration Checklist [Updated]0xdf hacks stuffchevron-right
LogoSMB Enumeration for Penetration Testing:Mediumchevron-right
LogoUser Enumeration Part 3 – WindowsRed Siege Information Securitychevron-right
Logosmb-enum-users NSE script β€” Nmap Scripting Engine documentationnmap.orgchevron-right
LogoGitHub - sensepost/UserEnum: Domain user enumeration toolGitHubchevron-right
Logo53 - Pentesting DNS - HackTricksbook.hacktricks.xyzchevron-right
https://securitytrails.com/blog/dns-enumerationsecuritytrails.comchevron-right
LogoBack to Basics: DNS EnumerationMediumchevron-right
Previous3 - Scanning NetworksNext5 - Vulnerability Analysis

Last updated