Module 04 - Enumeration

What is the Enumeration phase?

Enumeration is a critical phase in the process of information gathering and vulnerability assessment in the field of cybersecurity. It involves actively probing a target system or network to gather specific and detailed information about the system, its resources, and its configuration. Enumeration typically occurs after network scanning and serves the purpose of providing an in-depth understanding of the target.

Here are the key aspects of enumeration:

  1. User Enumeration: One common aspect of enumeration is the identification of valid usernames on a system. This can be particularly valuable for attackers because knowing valid usernames can be a step toward unauthorized access. For security professionals, it's essential for understanding potential points of entry for attackers.

  2. Network Shares and Resources: Enumeration can uncover shared resources on a network, such as shared folders, printers, and other network-accessible resources. Knowing what is shared and who has access to these resources is vital for both security professionals and attackers.

  3. Group Memberships: Enumeration can reveal the memberships of users in various groups on the target system or network. Understanding group memberships can provide insights into the level of access and privileges users have.

  4. System Information: Enumeration may yield details about the target system, such as the operating system version, hardware specifications, software versions, and other system-specific information. This information can be valuable for assessing vulnerabilities and potential attack vectors.

  5. Service Information: It involves gathering detailed information about the services running on the target system, including version numbers, configurations, and potential vulnerabilities associated with these services.

  6. Port Information: Enumeration can provide more information about open ports and services beyond what was discovered during network scanning. This additional information can be useful for understanding potential attack vectors.

Basic command

  • ping www.moviescope.com -f -l 1500 -> Determine the maximum frame size (Windows ping syntax: -f sets "do not fragment", -l sets the payload size in bytes)

  • tracert www.moviescope.com -> Determining hop count

Ping Sweep

What is Ping Sweep?

Ping Sweep is a network scanning technique used to determine which IP addresses in a range are active or responsive. It involves sending Internet Control Message Protocol (ICMP) echo requests (ping) to a range of IP addresses and then analyzing the responses. When a target IP address responds to the ping request, it indicates that a host is active and reachable.

Nmap

  • nmap -sP <Target_IP>/<Subnet> -> Ping scan only, no port scan (-sP is the older name for -sn)

Bash

We can use the 'ping' command on a given subnet range to check host statuses. The goal is to produce a clean output, focusing solely on the IP addresses, by filtering out unnecessary information.

  • ping -c 3 <Target_IP>

Grabbing only IP addresses:

# -c: number of packets sent; grep keeps only the "64 bytes from" reply lines; cut takes the
# fourth space-separated field (the address); tr removes the trailing ":"; > writes the result to a .txt file
ping -c 3 <Target_IP> | grep "64 bytes" | cut -d " " -f 4 | tr -d ":" > iptest.txt

We can automate it creating a bash script (.sh):

pingsweep.sh

#!/bin/bash

# Usage: ./pingsweep.sh 10.10.10  (first three octets of the /24 to sweep)
if [ "$1" == "" ]
then
    echo "[-] You forgot the IP address!"
    echo "[-] Syntax: ./pingsweep.sh 10.10.10"
else
    # One ping per host, each in the background so the sweep runs in parallel
    for ip in $(seq 1 254); do
        ping -c 1 "$1.$ip" | grep "64 bytes" | cut -d " " -f 4 | tr -d ":" &
    done
    # Wait for the background pings, otherwise the script exits before all replies are written
    wait
fi

Save it, change the permissions and make executable:

chmod 770 pingsweep.sh
chmod +x pingsweep.sh

#Test it out
./pingsweep.sh 10.0.2 > ping-results.txt
cat ping-results.txt
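A stricter version of the same sweep, added here as an example (not part of the original notes; the function names live_hosts_from_ping and ping_sweep are chosen for this example). It keeps only genuine reply lines, which matters because a bare grep "64" also matches the "--- 10.0.2.64 ping statistics ---" summary of a host whose address ends in .64, validates the prefix, deduplicates and sorts the result, and also recognises the Windows "Reply from" line format.

```shell
# Added example, not from the original notes. POSIX sh; ping_sweep assumes
# iputils ping (Linux), where -W is the reply timeout in seconds.

# Read ping output on stdin and print each replying address once, sorted.
# Only real reply lines count: the loose grep "64" in the one-liner would also
# match the "--- 10.0.2.64 ping statistics ---" summary of a host ending in .64.
live_hosts_from_ping() {
    awk '
        /^[0-9]+ bytes from [0-9.]+:/ { ip = $4; sub(/:$/, "", ip); print ip }  # Linux/BSD ping
        /^Reply from [0-9.]+:/        { ip = $3; sub(/:$/, "", ip); print ip }  # Windows ping
    ' | sort -t . -k 1,1n -k 2,2n -k 3,3n -k 4,4n -u
}

# Sweep a /24 given as its first three octets (e.g. 10.0.2), like pingsweep.sh,
# but validate the prefix first and let the pipeline wait for every background
# ping instead of exiting while they are still running.
ping_sweep() {
    prefix=$1
    if ! printf '%s\n' "$prefix" | grep -Eq '^([0-9]{1,3}\.){2}[0-9]{1,3}$'; then
        echo "[-] Syntax: ping_sweep 10.0.2" >&2
        return 1
    fi
    for host in $(seq 1 254); do
        ping -c 1 -W 1 "$prefix.$host" 2>/dev/null &
    done | live_hosts_from_ping
}

# Run as a script: ./sweep.sh 10.0.2 > ping-results.txt
if [ "$#" -eq 1 ]; then
    ping_sweep "$1"
fi
```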

SNMP Enumeration (161)

SNMP enumeration is the process of enumerating the user accounts and devices on an SNMP-enabled computer.

The SNMP service comes with two passwords, which are used to configure and access the SNMP agent from the management station: the Read community string and the Read/Write community string. These strings (passwords) come with a default value, which is the same for all systems. They become easy entry points for attackers if left unchanged by the administrator.

nmap -sU -p 161 <Target_IP>                        #-sU: UDP port scan
nmap -sU -p 161 --script=snmp-brute <Target_IP>
msfconsole                                         #run msfconsole
use auxiliary/scanner/snmp/snmp_login
set RHOSTS <Target_IP>
run
use auxiliary/scanner/snmp/snmp_enum
set RHOSTS <Target_IP>
run

Enumerate SNMP using snmp-check

  • nmap -sU -p 161 <Target_IP>

  • snmp-check <Target_IP> -> Enumerates SNMP devices, displaying the output in a simple and reader-friendly format.
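The defender's side of the community-string point above: a small audit of a net-snmp snmpd.conf, added here as an example (not from the original notes; the function name audit_snmpd_conf is chosen for this example). It flags the default "public"/"private" strings and any rwcommunity line that is not restricted to a source address, since net-snmp treats a missing or literal "default" source as "answer from anywhere".

```shell
# Added example, not from the original notes. Reads a net-snmp snmpd.conf and
# prints one "[!]" line per weak community directive. Directive forms used:
#   rocommunity|rwcommunity COMMUNITY [SOURCE [...]]
#   com2sec NAME SOURCE COMMUNITY
# A missing SOURCE, or the literal word "default", means any address may use it.
audit_snmpd_conf() {
    conf=$1
    # Strip comments and blank lines, then look at each directive in turn
    sed 's/#.*//' "$conf" | awk 'NF' | while read -r directive a b c; do
        case $directive in
            rocommunity|rwcommunity|rocommunity6|rwcommunity6)
                community=$a; src=${b:-default} ;;
            com2sec)
                community=$c; src=$b ;;
            *) continue ;;
        esac
        # Finding 1: the vendor default strings the notes warn about
        case $community in
            public|private)
                echo "[!] default community '$community' in '$directive' (source: $src)" ;;
        esac
        # Finding 2: write access that is not limited to a management address
        case $directive in
            rwcommunity|rwcommunity6)
                [ "$src" = default ] &&
                    echo "[!] '$directive $community' grants write access from any source" ;;
        esac
    done
}
```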

NetBIOS Enumeration (139)

  • nbtstat -a <Target_IP> -> Displays the NetBIOS name table of a remote machine

  • nbtstat -c <Target_IP> -> Lists the contents of the NetBIOS name cache of the remote machine

  • net use -> Connects or disconnects a computer from a shared resource

  • net use \\10.10.10.16\e "" /user:"" -> Connects to the share with a null session (empty user name and password)

NetBIOS Enumerator

Enum4Linux Win Enumeration

Enum4linux is a tool for gathering information from Windows and Samba systems. Security professionals use it to identify vulnerabilities and potential attack vectors. During assessments, they establish connections with the target system to discover weaknesses and enhance system security.

  • enum4linux -u martin -p apple -U <Target_IP> -> Users Enumeration

  • enum4linux -u martin -p apple -o <Target_IP> -> OS Enumeration

  • enum4linux -u martin -p apple -P <Target_IP> -> Password Policy Information

  • enum4linux -u martin -p apple -G <Target_IP> -> Groups Information

  • enum4linux -u martin -p apple -S <Target_IP> -> Share Information (SMB shares enumeration)

Enumeration using Metasploit

  • msfdb init

  • service postgresql start

  • msfconsole

  • msf > db_status

  • nmap -Pn -sS -A -oX Test <Target_IP>/24 -> Scan the subnet and save the results as XML in the file "Test"

  • db_import Test

  • hosts -> To show all available hosts in the subnet

  • db_nmap -sS -A <Target_IP> -> To extract services of a particular machine

  • services -> to get all available services in a subnet

SMB Enumeration

SMB Version Enumeration using MSF

  • use scanner/smb/smb_version

  • set RHOSTS 10.10.10.8-16

  • set THREADS 100

  • run

  • hosts -> now exact os_flavor information has been updated

Nmap SMB Scripts

  • nmap --script smb-os-discovery.nse -p445 <ip> -> Enumerate OS, domain name, etc.

  • nmap --script smb-enum-users.nse -p445 <ip> -> Used to enumerate all users on a remote Windows system using SAMR enumeration and LSA bruteforcing

  • nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.19.21 -> SMB users and shares (no space after the comma, or nmap reads the second script name as a target)

  • smbclient //10.10.19.21/anonymous -> Accessing SMB shares

  • smbget -R smb://10.10.19.21/anonymous -> Downloading SMB files

Active Directory LDAP Enumeration

ADExplorer

Active Directory Explorer (AD Explorer) is a robust tool for viewing and editing Active Directory (AD). With it, you can effortlessly navigate the AD database, bookmark preferred locations, inspect object properties and attributes without opening dialog boxes, modify permissions, examine an object's schema, and perform complex, saveable searches.

Hyena

Hyena offers comprehensive Active Directory (AD) reporting, featuring built-in tools for customizable queries, filtering, object property management, advanced attribute handling, and numerous other AD administration capabilities.

Other LDAP enumeration tools

  • Softerra

  • LDAP Administrator

  • LDAP Admin Tool

  • LDAP Account Manager

  • LDAP Search

  • JXplorer

Accessing Shared Files

# List All Shared Resources
net view <IP>

# Connect to Shared Resource (null session: empty user name and password)
net use
net use \\10.10.10.1\e "" /user:""
