04: Enumeration Flashcards

1
Q

What is enumeration?

A

Enumeration involves an attacker creating active connections with a target system and performing directed queries to gain more information about the target

Enumeration techniques are conducted in an intranet environment

2
Q

What information can an attacker gain from enumeration?

A
  • Network resources
  • Network shares
  • Routing tables
  • Audit and service settings
  • SNMP and FQDN details
  • Machine names
  • Users and groups
  • Applications and banners
3
Q

What is the information from enumeration used for?

A
  • Identify points for a system attack
  • Perform password attacks
4
Q

Techniques for Enumeration?

A
  • Extract usernames using: Email IDs (e.g. VVL@energinet.dk)
  • Extract information using: default passwords
  • Brute force Active Directory (locked out)
  • Extract information using: DNS Zone Transfer
  • Extract user groups from Windows
  • Extract usernames using SNMP
5
Q

Ports and services to enumerate?

A
  • 53: TCP/UDP - Domain Name Systems (DNS) Zone Transfer
  • 135: TCP/UDP - Microsoft RPC Endpoint Mapper
  • 137: UDP - NetBIOS Name Service (NBNS)
  • 139: TCP - NetBIOS Session Service (SMB over NetBIOS)
  • 445: TCP/UDP - SMB over TCP (Direct Host)
  • 161: UDP - Simple Network Management Protocol (SNMP)
  • 389: TCP/UDP - Lightweight Directory Access Protocol (LDAP)
  • 2049: TCP - Network File System (NFS)
  • 25: TCP - Simple Mail Transfer Protocol (SMTP)
  • 162: TCP/UDP - SNMP Trap
  • 500: UDP - ISAKMP/Internet Key Exchange (IKE)
  • 22: TCP - Secure Shell (SSH)
6
Q

What can an attacker obtain from NetBIOS?

A
  • The list of computers that belong to a domain
  • The list of shares on the individual hosts in the network
  • Policies and passwords
7
Q

What information do you get from a “nbtstat” command?

A
  • NetBIOS names
  • Usernames
  • Domain names
  • MAC addresses

(Can also be done from Nmap)

8
Q

List some PsTools (SysInternals) - extremely powerful tools

A
  • PsExec: executes processes remotely
  • PsFile: shows files opened remotely
  • PsGetSid: displays the SID of a computer or user
  • PsKill: kills processes by name or process ID
  • PsInfo: lists information about a system
  • PsList: lists detailed information about processes
  • PsLoggedOn: shows who is logged on locally and via resource sharing
  • PsPasswd: changes account passwords
  • PsShutdown: shuts down and optionally reboots a computer
9
Q

What is the net view command used for?

A
10
Q

How does SNMP work?

A

Listens on UDP port 161
- Default community strings, which act as passwords ("public"/"private")
- Sent in clear text, even if changed from the default

Use the Nmap snmp-info NSE script against an SNMP remote server to retrieve information related to the hosted SNMP services

11
Q

Tell about LDAP (Lightweight directory access protocol)

A
  • Is an Internet protocol for accessing distributed directory services
  • Directory services may provide any organized set of records, often in a hierarchical and logical structure, such as a corporate email directory
  • A client starts an LDAP session by connecting to a directory system agent (DSA) on TCP port 389 and then sends an operation request to the DSA
  • Information is transmitted between the client and server using basic encoding rules (BER)

Attackers query the LDAP service to gather information, such as valid usernames, addresses, and departmental details, which can be further used to perform attacks

12
Q

Tell about NTP (Network Time Protocol)

A

It uses UDP port 123 as its primary means of communication

Attackers query the NTP server to gather valuable information, such as:
- List of connected hosts
- Client IP addresses in a network, their system names and OSs
- Internal IPs can also be obtained if the NTP server is in the demilitarized zone (DMZ)

13
Q

Tell about NFS

A
  • Port 2049
    The NFS system is generally implemented…
14
Q

What are the three built-in commands in SMTP?

A
  • VRFY: Validates users
  • EXPN: Shows the actual delivery addresses of aliases and mailing lists
  • RCPT TO: Defines the recipients of a message

SMTP servers respond differently to the commands for valid and invalid users, which means an attacker can determine valid users on the SMTP server.

Attackers can directly interact with SMTP via the telnet prompt and collect a list of valid users on the SMTP server

15
Q

What can an attacker obtain if the target DNS server allows zone transfer?

A
  • DNS server names
  • Hostnames
  • Machine names
  • Usernames
  • IP addresses
  • Aliases
16
Q

What is DNSSEC zone walking?

A

It is a DNS enumeration technique where an attacker attempts to obtain internal records of the DNS server if the DNS zone is not properly configured

17
Q

What is IPsec used for?

A

Secure communication between VPN end points.

Often a simple scanning for ISAKMP at UDP port 500 can indicate the presence of a VPN gateway

18
Q

Name VoIP attacks?

A

DoS, Session Hijacking, Caller ID spoofing, Eavesdropping, Spamming over Internet Telephony and Vishing

VoIP uses the SIP protocol to enable voice and video calls over an IP network. The SIP service generally uses UDP/TCP ports 2000, 2001, 5060, and 5061

19
Q

Tell about Telnet

A

Uses port 23, and if open gives access to shared services
