Module04Enumeration Flashcards

1
Q

What is Enumeration?

A

In the enumeration phase, the attacker creates active connections with the system and performs directed queries to gain more information about the target

Attackers use the extracted information to identify points of system attack and perform password attacks to gain unauthorized access to information system resources

Enumeration techniques are conducted in an intranet environment

2
Q

Where are enumeration techniques conducted?

A

Enumeration techniques are conducted in an intranet environment

3
Q

Information Enumerated by Intruders

A
  1. Network resources
  2. Network shares
  3. Routing tables
  4. Audit and service settings
  5. SNMP and FQDN details
  6. Machine names
  7. Users and groups
  8. Applications and banners
4
Q

Techniques for Enumeration

A

Extract user names using email IDs

Extract information using default passwords

Brute force Active Directory

Extract information using DNS Zone Transfer

Extract user groups from Windows

Extract user names using SNMP

5
Q

The features and functions of TCP

A
  1. Supports acknowledgement for received data through a sliding window acknowledgement system
  2. Provides automatic retransmission of lost or unacknowledged data
  3. Provides addressing and multiplexing of data
  4. Capability to establish, manage, and terminate the connection
  5. Offers quality of service transmission
  6. Provides congestion management and flow control
6
Q

TCP/UDP 53

A

DNS Zone Transfer

The DNS resolution process establishes communication between DNS clients and DNS servers. DNS clients send DNS messages to DNS servers listening on UDP port 53. If the DNS message size exceeds the default UDP size (512 octets), the response contains only the data that UDP can accommodate, and the DNS server sets a flag to indicate the truncated response. The DNS client can then resend the request via TCP over port 53 to the DNS server. In this approach, the DNS server uses UDP as its default protocol and, for lengthy queries where UDP fails, uses TCP as a backup failover solution. Some malware, such as the ADM worm and the Bonk Trojan, uses port 53 to exploit vulnerabilities within DNS servers. This can help intruders to launch attacks.

7
Q

TCP/UDP 135

A

Microsoft RPC Endpoint Mapper

RPC is a protocol used by a client system to request a service from the server. An endpoint is the protocol port on which the server listens for the client’s remote procedure calls. The RPC endpoint mapper enables RPC clients to determine the port number currently assigned to a specific RPC service. There is a flaw in the part of RPC that exchanges messages over TCP/IP; the failure results from incorrect handling of malformed messages. This affects the RPC endpoint mapper that listens on TCP/IP port 135. This vulnerability could allow an attacker to send RPC messages to the RPC Endpoint Mapper process on a server in order to launch a Denial of Service (DoS) attack.

8
Q

UDP137

A

NetBIOS Name Service (NBNS)

NBNS, also known as Windows Internet Name Service (WINS), provides a name resolution service for computers running NetBIOS. NetBIOS Name Servers maintain a database of the NetBIOS names for hosts and the corresponding IP address that each host is using.

The job of NBNS is to match IP addresses with NetBIOS names and queries. Attackers usually attack the name service first. Typically, NBNS uses UDP 137 as its transport protocol. It can also use TCP 137 as its transport protocol for a few operations, though this might never happen in practice.

9
Q

TCP139

A

NetBIOS Session Service (SMB over NetBIOS)

This is perhaps the most well-known Windows port. It is used to transfer files over a network. Systems use this port for both NULL Session establishment and file and printer sharing. A system administrator considering restricting access to ports on a Windows system should make TCP 139 a top priority. An improperly configured TCP 139 port can allow an intruder to gain unauthorized access to critical system files or the complete file system, resulting in data theft or other malicious activities.

10
Q

TCP/UDP 445

A

SMB over TCP (Direct Host)

Windows supports file and printer sharing traffic using the Server Message Block (SMB) protocol directly hosted on TCP. In earlier OSs, SMB traffic required the NetBIOS over TCP (NBT) protocol to work on a TCP/IP transport. Direct hosted SMB traffic uses port 445 (TCP and UDP) instead of NetBIOS.

11
Q

UDP 161

A

Simple Network Management Protocol (SNMP)

Simple Network Management Protocol (SNMP) is widely used in network management systems to monitor network-attached devices such as routers, switches, firewalls, printers, servers, etc. It consists of a manager and agents. The agent receives requests on Port 161 from the managers, and responds to the managers on Port 162.

12
Q

TCP/UDP 389

A

Lightweight Directory Access Protocol (LDAP)

LDAP is a protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network. By default, LDAP uses TCP or UDP as its transport protocol over port 389.

13
Q

TCP/UDP 3268

A

Global Catalog Service

Microsoft’s Global Catalog Server, a domain controller that stores extra information, uses port 3268; its database contains rows for every object in the entire organization instead of rows for only the objects in one domain. Global Catalog allows one to locate objects from any domain without having to know the domain name. LDAP in Global Catalog Server uses port 3268. This service listens to port 3268 through a TCP connection. Administrators use Port 3268 for troubleshooting issues in the Global Catalog by connecting to it using LDP.

14
Q

TCP 25

A

Simple Mail Transfer Protocol (SMTP)

SMTP is a TCP/IP mail delivery protocol. It transfers email across the Internet and across the local network. It runs on the connection-oriented service provided by Transmission Control Protocol (TCP), and it uses well-known port number 25.

15
Q

Commands used by SMTP and their syntax

A

Hello => HELO

From => MAIL FROM:

Recipient => RCPT TO:

Data => DATA

Reset => RESET

Verify => VRFY

Expand => EXPN

Help => HELP [string]

Quit => QUIT

16
Q

TCP/UDP 162

A

SNMP Trap

Simple Network Management Protocol Trap (SNMP Trap) uses TCP/UDP port 162 to receive notifications such as optional variable bindings, sysUpTime value, etc., from agent to manager.

17
Q

UDP 500

A

ISAKMP/Internet Key Exchange (IKE)

Internet Security Association and Key Management Protocol (ISAKMP) / Internet Key Exchange (IKE) is the protocol used to set up a security association (SA) in the IPsec protocol suite. It uses UDP port 500 to establish, negotiate, modify and delete Security Associations (SA) and cryptographic keys in a VPN environment.

18
Q

TCP/UDP 5060, 5061

A

Session Initiation Protocol (SIP)

Session Initiation Protocol (SIP) is a protocol used in Internet telephony applications for voice and video calls. It typically uses TCP/UDP port 5060 (non-encrypted signaling traffic) or 5061 (encrypted traffic with TLS) for SIP to servers and other endpoints.

19
Q

What is NetBIOS Enumeration?

A

A NetBIOS name is a unique 16-character ASCII string used to identify network devices over TCP/IP; 15 characters are used for the device name and the 16th character is reserved for the service or name record type.

20
Q

What do attackers use NetBIOS enumeration to obtain?

A
  1. List of computers that belong to a domain
  2. List of shares on the individual hosts in the network
  3. Policies and passwords
21
Q

What does a NetBIOS name list look like?

A
22
Q

Is NetBIOS name resolution supported by IPv6?

A

NetBIOS name resolution is not supported by Microsoft for Internet Protocol Version 6 (IPv6)

23
Q

What does the Nbtstat utility do?

A
  • Displays NetBIOS over TCP/IP (NetBT) protocol statistics, NetBIOS name tables for both the local and remote computers, and the NetBIOS name cache
  • Run the nbtstat command “nbtstat.exe -c” to get the contents of the NetBIOS name cache, the table of NetBIOS names, and their resolved IP addresses
  • Run the nbtstat command “nbtstat.exe -a <remote computer name>” to get the NetBIOS name table of a remote computer
24
Q

Which ports and protocols does NetBIOS use?

A

NetBIOS uses UDP port 137 (name services), UDP port 138 (datagram services), and TCP port 139 (session services).

25
Q

What information is obtained by attackers using NetBIOS enumeration?

A
  • List of computers that belong to a domain
  • List of shares on the individual hosts in the network
  • Policies and passwords
26
Q

NetBIOS General

A

To enumerate the NetBIOS names, the remote system must have file and printer sharing enabled. NetBIOS enumeration may enable an attacker to read from or write to the remote computer system, depending on the availability of shares, or to launch a DoS.

27
Q

Nbtstat example

A

nbtstat -c

28
Q

Command to get the contents of the NetBIOS name cache, the table of NetBIOS names, and their resolved IP addresses

A

nbtstat.exe -c

29
Q

Command to get the NetBIOS name table of a remote computer

A

nbtstat.exe -a <remote computer name>

30
Q

Hyena

A

Hyena manages and secures Windows operating systems. It uses a Windows Explorer-style interface for all operations. It supports management of users, groups (both local and global), shares, domains, computers, services, devices, events, files, printers, print jobs, sessions, open files, disk space, user rights, messaging, exporting, job scheduling, processes, and printing. It shows shares and user log on names for Windows servers and domain controllers.

Active Task Matching Options - Adds a Key match option to Active Task when performing Active Directory update tasks. The new key option allows any unique directory attribute to be used as a ‘match’ field when updating directory objects.

Group Member Matrix - Presents all members of multiple groups in a simple grid, including direct, indirect (nested), and primary membership.

Active Editor Improvements - The new release of Hyena includes feature enhancements to the Editor, including support for multi-valued attributes, account expiration date, and multi-selection and update capabilities.

31
Q

Enumerating User Accounts

A

Enumerating user accounts using the PsTools suite helps to control and manage remote systems from the command line

  • PsExec - execute processes remotely
  • PsFile - shows files opened remotely
  • PsGetSid-display the SID of a computer or a user
  • PsKill - kill processes by name or process ID
  • PsInfo - list information about a system
  • PsList - list detailed information about processes
  • PsLoggedOn - see who’s logged on locally and via resource sharing
  • PsLogList - dump event log records
  • PsPasswd - changes account passwords
  • PsShutdown - shuts down and optionally reboots a computer
32
Q

PsExec

A

PsExec is a lightweight telnet replacement that can execute processes on other systems, complete with full interactivity for console applications, without having to manually install client software. PsExec’s most powerful uses include launching interactive command prompts on remote systems and remote-enabling tools like Ipconfig that otherwise do not have the ability to show information about remote systems.

Syntax: psexec [\\computer[,computer2[,…] | @file]][-u user [-p psswd][-n s][-r servicename][-h][-l][-s|-e][-x][-I [session]][-c [-f|-v]][-w [arguments]

33
Q

PsFile

A

PsFile is a command-line utility that shows a list of files on a system that are opened remotely, and it can close opened files either by name or by a file identifier. The default behavior of PsFile is to list the files on the local system opened by remote systems. Typing a command followed by “-” displays information on the syntax for the command.

Syntax: psfile [\\RemoteComputer [-u Username [-p Password]]] [[Id | path] [-c]]

34
Q

PsGetSid

A

PsGetSid translates SIDs to their display name and vice versa. It works on built-in accounts, domain accounts, and local accounts. It also displays the SIDs of user accounts and translates a SID into the name that represents it. It works across the network to query SIDs remotely.

Syntax: psgetsid [\\computer[,computer[,…] | @file] [-u username [-p password]]] [account|SID]

35
Q

PsKill

A

PsKill is a kill utility that can kill processes on remote systems and terminate processes on the local computer. Running PsKill with a process ID directs it to kill the process of that ID on the local computer. If a process name is specified, PsKill will kill all processes that have that name. One need not install a client on the target computer to use PsKill to terminate a remote process.

Syntax: pskill [-] [-t] [\\computer [-u username] [-p password]] <process name | process id>

36
Q

PsInfo

A

PsInfo is a command-line tool that gathers key information about local or remote legacy Windows NT/2000 systems, including the type of installation, kernel build, registered organization and owner, number of processors and their type, amount of physical memory, the install date of the system, and if it is a trial version, the expiration date. By default, PsInfo shows information for the local system. Specify a remote computer name to obtain information from the remote system.

Syntax: psinfo [[\\computer[,computer[,..] | @file [-u user [-p psswd]]] [-h] [-s] [-d] [-c [-t delimiter]] [filter]

37
Q

PsList

A

PsList is a command-line tool that displays process CPU and memory information or thread statistics. The Resource Kit tools pstat and pmon show different types of data but display only information about the processes on the system on which the tools are run.

38
Q

PsLoggedOn

A

PsLoggedOn is an applet that displays both the locally logged on users and the users logged on via resources, for either the local computer or a remote one. If a user name is specified instead of a computer, PsLoggedOn searches the computers in the network neighborhood and reveals whether the user is currently logged on. PsLoggedOn’s definition of a locally logged on user is one that has a profile loaded into the Registry, so PsLoggedOn determines who is logged on by scanning the keys under the HKEY_USERS key. For each key that has a name or user SID (Security Identifier), PsLoggedOn looks up the corresponding user name and displays it. To determine who logged onto a computer via resource shares, PsLoggedOn uses the NetSessionEnum API.

Syntax: psloggedon [-] [-l] [-x] [\\computername | username]

39
Q

PsLogList

A

The elogdump utility dumps the contents of an Event Log on a local or remote computer. PsLogList is a clone of elogdump except that PsLogList can log in to remote systems in situations where the user’s security credentials would not permit access to the Event Log, and PsLogList retrieves message strings from the computer on which the event log resides. The default behavior of PsLogList is to display the contents of the System Event Log on the local computer, with visually friendly formatting of Event Log records.

Syntax: psloglist [-] [\\computer[,computer[,…] | @file [-u username [-p password]]] [-s [-t delimiter]] [-m #|-n #|-h #|-d #|-w][-c][-x][-r][-a mm/dd/yy][-b mm/dd/yy][-f filter] [-i ID[,ID[,…] | -e ID[,ID[,…]]] [-o event source[,event source][,..]]] [-q event source[,event source][,..]]] [-l event log file]

40
Q

PsPasswd

A

PsPasswd can change an account password on local or remote systems, enabling administrators to create batch files that run PsPasswd against the computers they manage in order to perform a mass change of the administrator password. PsPasswd uses Windows password reset APIs, so it does not send passwords over the network in the clear.

Syntax: pspasswd [[\\computer[,computer[,..] | @file [-u user [-p psswd]]] Username [NewPassword]

41
Q

PsShutdown

A

PsShutdown can shut down or reboot a local or remote computer. It requires no manual installation of client software.

Syntax: psshutdown [[\\computer[,computer[,..] | @file [-u user [-p psswd]]] -s|-r|-h|-d|-k|-a|-l|-o [-f] [-c] [-t nn|h:m] [-n s] [-v nn] [-e [u|p]:xx:yy] [-m “message”]

42
Q

How to Enumerate Shared Resources

A

The net view utility is used to obtain a list of all the shared resources of a remote host or workgroup

net view \\<remote host>

net view /workgroup:<workgroup name>

43
Q

What is SNMP (Simple Network Management Protocol) Enumeration?

A
  • SNMP enumeration is a process of enumerating user accounts and devices on a target system using SNMP
  • SNMP consists of a manager and an agent; agents are embedded on every network device, and the manager is installed on a separate computer
  • SNMP holds two passwords to access and configure the SNMP agent from the management station
    • Read community string: It is public by default; allows viewing of device/system configuration
    • Read/write community string: It is private by default; allows remote editing of configuration
  • Attackers use these default community strings to extract information about a device
  • Attackers enumerate SNMP to extract information about network resources such as hosts, routers, devices, shares, etc. and network information such as ARP tables, routing tables, traffic, etc.
44
Q

Working of SNMP

A

GetRequest - Used by the SNMP manager to request information from the SNMP agent.

GetNextRequest - Used by the SNMP manager repeatedly to retrieve all the data stored in an array or table.

GetResponse - Used by the SNMP agent to satisfy a request made by the SNMP manager.

SetRequest - Used by the SNMP manager to modify the value of a parameter within the SNMP agent’s Management Information Base (MIB).

Trap - Used by the SNMP agent to inform the pre-configured SNMP manager of a certain event.

Given below is the communication process between the SNMP manager and the SNMP agent:

  1. The SNMP manager (Host X, 10.10.2.1) uses the GetRequest command to send a request for the number of active sessions to the SNMP agent (Host Y, 10.10.2.15). To perform this step, the SNMP manager uses the SNMP service libraries such as Microsoft SNMP Management API library (Mgmtapi.dll) or Microsoft WinSNMP API library (Wsnmp32.dll).
  2. The SNMP agent (Host Y) receives the message and verifies if the community string (Compinfo) is present on its MIB, checks the request against its list of access permissions for that community, and verifies the source IP address. 
  3. If the SNMP agent does not find the community string or access permission in the Host Y’s MIB database and the SNMP service is set to send an authentication trap, it sends an authentication failure trap to the specified trap destination, Host Z. 
  4. The master agent component of the SNMP agent calls the appropriate extension agent to retrieve the requested session information from the MIB. 
  5. Using the session information that it retrieved from the extension agent, the SNMP service forms a return SNMP message that contains the number of active sessions and the destination IP address (10.10.2.1) of the SNMP manager, Host X. 
  6. Host Y sends the response to Host X.
45
Q

Management Information Base

A

MIB is a virtual database containing a formal description of all the network objects that SNMP manages. It is a collection of hierarchically organized information. It provides a standard representation of the SNMP agent’s information and storage. MIB elements are recognized using object identifiers. Object ID (OID) is the numeric name given to the object and begins with the root of the MIB tree. The object identifier can uniquely identify the object present in the MIB hierarchy.

  1. MIB is a virtual database containing a formal description of all the network objects that can be managed using SNMP
  2. The MIB database is hierarchical, and each managed object in a MIB is addressed through an Object Identifier (OID)
  3. Two types of managed objects exist: scalar objects, which define a single object instance, and tabular objects, which define multiple related object instances grouped in MIB tables
  4. An OID entry includes the type of MIB object, such as counter, string, or address; the access level, such as not-accessible, accessible-for-notify, read-only, or read-write; size restrictions; and range information
  5. SNMP uses the MIB’s hierarchical namespace of Object Identifiers (OIDs) to translate the OID numbers into a human-readable display
46
Q

SNMP Enumeration Tools

A

OpUtils

Engineer’s Toolset

Others

Nsauditor Network Security Auditor (https://www.nsauditor.com)

Spiceworks Network Monitor (https://www.spiceworks.com)

NetScanTools Pro (https://www.netscantools.com) 

SoftPerfect Network Scanner (https://www.softperfect.com) 

Network Performance Monitor (http://www.solarwinds.com) 

SNMP Informant (https://www.snmp-informant.com) 

OiDViEW SNMP MIB Browser (http://www.oidview.com) 

iReasoning MIB Browser (http://ireasoning.com) 

SNScan (https://www.mcafee.com) 

SNMPCHECK (http://www.nothink.org) 

Net-SNMP (http://www.net-snmp.org) 

Getif (http://www.wtcs.org)

47
Q

What is LDAP Enumeration?

A

Lightweight Directory Access Protocol (LDAP) is an Internet protocol for accessing distributed directory services

Directory services may provide any organized set of records, often in a hierarchical and logical structure, such as a corporate email directory

A client starts an LDAP session by connecting to a Directory System Agent (DSA) on TCP port 389 and then sends an operation request to the DSA

Information is transmitted between the client and the server using Basic Encoding Rules (BER)

An attacker queries the LDAP service to gather information such as valid user names, addresses, departmental details, etc. that can be further used to perform attacks

48
Q

LDAP Enumeration Tools

A

Softerra LDAP Administrator

Softerra LDAP Administrator is an LDAP administration tool that works with LDAP servers such as Active Directory, Novell Directory Services, Netscape/iPlanet, etc. It browses and manages LDAP directories. Additionally, it provides a wide variety of features essential for LDAP development, deployment, and administration of directories.

Features:

  • It provides directory search facilities, bulk update operations, group membership management facilities, etc.
  • It supports LDAP-SQL, which allows managing LDAP entries using SQL-like syntax.

Other Tools

  • LDAP Admin Tool (https://www.ldapsoft.com) 
  • LDAP Account Manager (https://www.ldap-account-manager.org) 
  • LDAP Search (http://securityxploded.com) 
  • JXplorer (http://www.jxplorer.org) 
  • Active Directory Explorer (https://docs.microsoft.com)
  • LDAP Admin (http://www.ldapadmin.org) 
  • LDAP Administration Tool (https://sourceforge.net) 
  • OpenLDAP (https://www.openldap.org) 
  • ad-ldap-enum (https://github.com) 
  • LEX - The LDAP Explorer (http://www.ldapexplorer.com) 
  • LDAP Browser/Editor (https://www.novell.com)
49
Q

What is NTP Enumeration?

A

Administrators often overlook the Network Time Protocol (NTP) server in terms of security. However, if queried properly, it can provide valuable network information to the attackers. Therefore, it is necessary to know what information an attacker can obtain about a network through NTP enumeration. This section describes NTP enumeration, information extracted via NTP enumeration, various NTP enumeration commands, and NTP enumeration tools.

NTP is designed to synchronize the clocks of networked computers. It uses UDP port 123 as its primary means of communication. NTP can maintain time to within 10 milliseconds (1/100 second) over the public Internet. It can achieve accuracies of 200 microseconds or better in local area networks under ideal conditions.

An attacker queries the NTP server to gather valuable information such as:

  • List of hosts connected to the NTP server
  • Client IP addresses in a network, their system names and OSs
  • Internal IPs can also be obtained if the NTP server is in the DMZ
50
Q

NTP Enumeration Commands

A
  1. ntpdate - This command collects a number of time samples from a number of time sources.
  2. ntptrace - This command determines where the NTP server gets its time from and follows the chain of NTP servers back to its prime time source.
  3. ntpdc - This command queries the ntpd daemon about its current state and requests changes in that state.
  4. ntpq - This command monitors NTP daemon (ntpd) operations and determines performance.
51
Q

NTP Enumeration Tools

A

PRTG Network Monitor includes SNTP Sensor monitors, a Simple Network Time Protocol (SNTP) sensor that shows the response time of the server and the time difference in comparison to the local system time

Nmap (https://nmap.org)

Wireshark (https://www.wireshark.org)

udp-proto-scanner (https://labs.portcullis.co.uk)

NTP Time Server Monitor (https://www.meinbergglobal.com)

52
Q

What is SMTP Enumeration?

A

SMTP provides three built-in commands:

  • VRFY - Validates users
  • EXPN - Tells the actual delivery addresses of aliases and mailing lists
  • RCPT TO - Defines the recipients of the message

SMTP servers respond differently to the VRFY, EXPN, and RCPT TO commands for valid and invalid users, from which we can determine valid users on the SMTP server

Attackers can directly interact with SMTP via the telnet prompt and collect a list of valid users on the SMTP server

Administrators and pen testers can perform SMTP enumeration using command-line utilities such as telnet, netcat, etc. or by using tools such as Metasploit, Nmap, NetScanTools Pro, smtp-user-enum, etc., to collect a list of valid users, delivery addresses, recipients of the message, etc.

53
Q

SMTP Enumeration Tools

A

NetScanTools Pro

NetScanTools Pro’s SMTP Email Generator and Email Relay Testing Tools are designed for testing the process of sending an email message through an SMTP server and performing relay tests by communicating with an SMTP server

smtp-user-enum

It is a tool for enumerating OS-level user accounts on Solaris via the SMTP service (sendmail). Enumeration is performed by inspecting the responses to the VRFY, EXPN, and RCPT TO commands.

54
Q

Other SMTP enumeration tools include

A

Telnet (https://technet.microsoft.com) 

Vanquish (https://github.com) 

MX Toolbox (https://mxtoolbox.com)

55
Q

DNS Enumeration Using Zone Transfer

A

DNS zone transfer is the process of transferring a copy of the DNS zone file from the primary DNS server to a secondary DNS server. The attacker performs DNS zone transfer enumeration to locate the DNS server and the records of the target organization. Through this process, an attacker gathers valuable network information such as DNS server names, hostnames, machine names, user names, IP addresses, etc. of the potential targets. In DNS zone transfer enumeration, an attacker tries to retrieve a copy of the entire zone file for a domain from the DNS server. To perform DNS zone transfer enumeration, the attacker can use tools such as nslookup, DNSstuff, etc.

To perform a DNS zone transfer, the attacker sends a zone transfer request to the DNS server pretending to be a client; the DNS server then sends a portion of its database as a zone to the requester. This zone may contain a lot of information about the DNS zone network.

It is a process for locating the DNS server and the records of a target network

An attacker can gather valuable network information such as DNS server names, host names, machine names, user names, IP addresses, etc. of the potential targets

In DNS zone transfer enumeration, an attacker tries to retrieve a copy of the entire zone file for a domain from the DNS server

56
Q

What is IPsec Enumeration?

A
  • IPsec uses ESP (Encapsulating Security Payload), AH (Authentication Header) and IKE (Internet Key Exchange) to secure communication between virtual private network (VPN) endpoints
  • Most IPsec-based VPNs use Internet Security Association and Key Management Protocol (ISAKMP), a part of IKE, to establish, negotiate, modify, and delete Security Associations (SA) and cryptographic keys in a VPN environment
  • A simple scan for ISAKMP on UDP port 500 can indicate the presence of a VPN gateway
  • Attackers can probe further using a tool such as ike-scan to enumerate sensitive information including the encryption and hashing algorithm, authentication type, key distribution algorithm, SA LifeDuration, etc.
57
Q

Commands for IPSec Enumeration

A

nmap -sU -p 500 <target>

ike-scan -M <target>

58
Q

ike-scan can perform the following functions

A

Discovery: Determine which hosts in a given IP range are running IKE. This is done by displaying those hosts which respond to the IKE requests sent by ike-scan.

Fingerprinting: Determine which IKE implementation the hosts are using, and in some cases determine the version of software that they are running. This is done in two ways: firstly by UDP backoff fingerprinting, which involves recording the times of the IKE response packets from the target hosts and comparing the observed retransmission backoff pattern against known patterns; and secondly by Vendor ID fingerprinting, which compares Vendor ID payloads from the VPN servers against known Vendor ID patterns.

Transform Enumeration: Find which transform attributes are supported by the VPN server for IKE Phase-1 (e.g. encryption algorithm, hash algorithm, etc.).

User Enumeration: For some VPN systems, discover valid VPN usernames.

Pre-Shared Key Cracking: Perform offline dictionary or brute-force password cracking for IKE Aggressive Mode with Pre-Shared Key authentication. This uses ike-scan to obtain the hash and other parameters, and psk-crack (which is part of the ike-scan package) to perform the cracking.

59
Q

VoIP Enumeration

A

VoIP is the advanced technique that has replaced traditional PSTN in both corporate and home environments. VoIP uses internet infrastructure to establish the connection for voices, data also travels on the same network; however, VoIP is vulnerable to TCP/IP attack vectors. SIP (Session Initiation Protocol) is one of the protocols used by VoIP in performing voice calls, video calls, etc. over and IP network. This SIP service generally uses UDP/TCP ports 2000, 2001, 5050, 5061. Attackers use Svmap and Metasploit tools to perform VoIP enumeration. VoIP enumeration provide sensitive information such as VoIP gateway/servers, IP-PBX systems, client software (softphones)/VoIP phones User-agent IP addresses and user extensions, etc. to the attacker. This information can be used to launch various VoIP attacks such as Denial-of-Service (DoS), Session Hijacking, Caller ID spoofing, Eavesdropping, Spamming over Internet Telephony (SPIT), VoIP phishing (Vishing), etc.

  • VoIP uses SIP (Session Initiation Protocol) protocol to enable voice and video calls over an IP network
  • SIP service generally uses UDP/TCP ports 2000, 2001, 5050, 5061
  • VoIP enumeration provides sensitive information such as VoIP gateways/servers, IP-PBX systems, client software (softphones)/VoIP phones, User-Agent IP addresses, and user extensions
  • This information can be used to launch various VoIP attacks such as Denial-of-Service (DoS), Session Hijacking, Caller ID spoofing, Eavesdropping, Spamming over Internet Telephony (SPIT), VoIP phishing (Vishing), etc.
60
Q

Svmap

A

Svmap is a free and open source scanner to identify SIP devices and PBX servers on a target network. It can also be helpful for system administrators when used as a network inventory tool. Svmap was designed to be faster than the competition by specifically targeting SIP over UDP.

Svmap can:

  • Identify SIP devices and PBX servers on default and non-default ports
  • Scan large ranges of networks
  • Scan just one host on different ports, looking for a SIP service on that host or just multiple hosts on multiple ports
  • Take previous scan results as input, allowing you to only scan known hosts running SIP
  • Use different scanning methods (make use of REGISTER instead of OPTIONS request)
  • Get all the phones on a network to ring at the same time (using INVITE as method)
  • Randomly scan internet ranges
  • Resume previous scans
61
Q

RPC Enumeration

A

RPC (Remote Procedure Call) is a technology used for creating distributed client/server programs. RPC allows the client and server to communicate in distributed client/server programs. It is an inter-process communication mechanism that enables data exchange between different processes. In general, RPC consists of components such as the client, server, endpoint, endpoint mapper, client stub, and server stub, along with various dependencies.

The portmapper service listens on TCP and UDP port 111 in order to detect the endpoints and present clients with details of listening RPC services. Enumerating RPC endpoints enables attackers to identify any vulnerable services on these service ports. In networks protected by firewalls and other security controls, this portmapper is often filtered. Therefore, attackers scan high port ranges to identify RPC services that are open to direct attack.

Remote Procedure Call (RPC) allows client and server to communicate in distributed client/server programs

Enumerating RPC endpoints enables attackers to identify any vulnerable services on these service ports

62
Q

RPC Enumeration commands

A

nmap -sR

nmap -T4 -A

63
Q

Unix/Linux User Enumeration

A

One of the important steps in conducting an enumeration is to perform Unix/Linux user enumeration. Unix/Linux user enumeration provides a list of users along with details such as user name, host name, start date and time of each session, etc.

64
Q

rusers

A

Displays a list of users who are logged on to remote machines or machines on the local network

Syntax: /usr/bin/rusers [-a] [-l] [-u| -h| -i] [Host …]

65
Q

rwho

A

Displays a list of users who are logged in to hosts on the local network

Syntax: rwho [-a]

66
Q

finger

A

Displays information about system users such as user’s login name, real name, terminal name, idle time, login time, office location and office phone numbers

Syntax: finger [-l] [-m] [-p] [-s] [user …] [user@host …]

67
Q

Enumeration Countermeasures

A

So far, we have described enumeration techniques and tools used to extract valuable information from the target. Now let us discuss countermeasures that can prevent attackers from enumerating sensitive information from the network or host. This section focuses on how to avoid information leakage through SNMP, DNS, SMTP, LDAP, and SMB enumeration, and the following countermeasures can prevent such leakage.

68
Q

SNMP Countermeasures

A
  • Remove the SNMP agent or turn off the SNMP service
  • If shutting off SNMP is not an option, then change the default community string names
  • Upgrade to SNMPv3, which encrypts passwords and messages
  • Implement the Group Policy security option called “Additional restrictions for anonymous connections”
  • Ensure that the access to null session pipes, null session shares, and IPSec filtering is restricted
69
Q

DNS Countermeasures

A

Disable DNS zone transfers to untrusted hosts

Make sure that private hosts and their IP addresses are not published in the DNS zone files of the public DNS server

Use premium DNS registration services that hide sensitive information such as host information (HINFO) from the public

Use standard network admin contacts for DNS registrations in order to avoid social engineering attacks

70
Q

SMTP Countermeasures

A
  1. Ignore email messages to unknown recipients
  2. Do not include sensitive mail server and local host information in mail responses
  3. Disable open relay feature
  4. Limit the number of accepted connections from a source in order to prevent brute force attacks
71
Q

LDAP Countermeasures

A

By default, LDAP traffic is transmitted unsecured; use SSL or STARTTLS technology to encrypt the traffic

Select a user name different from your email address and enable account lockout

72
Q

SMB Countermeasures

A

Common sharing services or other unused services may prove to be doorways for attackers to break into a network’s security. Server Message Block (SMB) is a protocol that provides shared access to files, serial ports, printers, and communications between nodes on a network. If this service is running on a network, then there is a high risk of enumeration via SMB.

Since web and DNS servers do not require this protocol, it is advisable to disable it on them. The SMB protocol can be disabled by uninstalling the Client for Microsoft Networks and File and Printer Sharing for Microsoft Networks properties of Network and Dial-up Connections. On servers that are accessible from the internet, also known as bastion hosts, SMB can be disabled by uninstalling the same two properties in the TCP/IP properties dialog box. Another way of disabling the SMB protocol on bastion hosts, without explicitly disabling it, is by blocking the ports used by the SMB service: TCP 139 and TCP 445.

Since disabling SMB services is not always a feasible option, there are other countermeasures that can be taken against SMB enumeration. The Windows registry can be configured to limit anonymous access from the internet to just a specified set of files. These files and folders are specified in the “Network access: Named pipes that can be accessed anonymously” and “Network access: Shares that can be accessed anonymously” settings. This configuration involves adding the RestrictNullSessAccess parameter to the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters. The RestrictNullSessAccess parameter takes binary values, with 1 denoting enabled and 0 denoting disabled. Setting this parameter to 1 (enabled) restricts the access of anonymous users to just the files specified in the Network access settings.

Disable SMB protocol on Web and DNS Servers

Disable SMB protocol on Internet facing servers

Disable ports TCP 139 and TCP 445 used by the SMB protocol

Restrict anonymous access through RestrictNullSessAccess parameter from the Windows Registry
