Enumeration Flashcards
Enumeration extracts information such as:
- network shares
- network resources
- routing tables
- audit and service settings
- SNMP & DNS details
- Machine names
- Users & groups (and user last login)
- Applications and banners
Enumeration techniques are conducted in what type of environment?
intranet
What is enumeration?
The attacker creates an active connection to a vulnerable system and performs direct queries to gain info about the target.
The attacker then uses the info to 1- identify system attack points and 2- perform password attacks, to gain unauthorized access.
List some services and ports to enumerate
- TCP port 25: SMTP
- TCP port 53: DNS zone transfer
- TCP port 21: FTP
- TCP port 23: telnet
- TCP 135: used by email client to connect to email services, (RPC) Remote Procedure Call
- TCP 138: NetBIOS datagram service
- TCP 137: NetBIOS name service
- TCP 139: NetBIOS session service
- TCP/UDP 445: SMB (service message block)
- UDP 161: SNMP network management protocol
What is SMB protocol?
SIMPLE MESSAGE BLOCK is a Microsoft application layer protocol for file and print sharing functions for LAN Manager
What is NBSS (NetBIOS session service)?
A method to connect two computers for transmitting large messages (located in the session layer)
what is NetBIOS?
A program that allows applications on different computers to communicate within a LAN
Explain what a NetBIOS name is and what it consists of
A unique 16-ASCII-character string used to identify network devices
- First 15 characters: device name
- The 16th character: service type
Attackers use NetBIOS to obtain what info?
- list of computers that belong to a domain
- list of shares on the individual hosts (in the network)
- policies and passwords
What is RPC? And what port?
Remote Procedure Call, an interprocess communication mechanism that allows a program running on one host to run code on a remote host. Uses TCP port 135
What commands can be used for NetBIOS enumeration? Mention for Windows and Linux
Windows:
nbtstat -a [ip]
Linux:
nbtscan [ip]
or
nmblookup -A
What happens when you use firewall rules for port 137?
When you use nbtstat or nbtscan it will show that the host is not up (it has been blocked by the firewall)
What is a NULL session attack?
Uses a vulnerability in SMB for creating a connection; by default they are enabled in Windows 2000 and Windows NT
why is a null session attack possible?
Because it uses SMB, which has trust for any kind of relationship between devices in a network
What command establishes a null session? In Windows and Linux
Windows: net
net use \\[ip]\IPC$ "" /u:""
Linux: smbclient
smbclient -L [ip]
What command is used to show the IP address and list the shares on a remote system?
net view \\[ip]
What command is used to enumerate SMB shares on both Windows & Linux?
enum4linux -a
Use the -a option to get all info
What is the command used for DNS enumeration? (not nmap)
host -t ns [ip]
For name server records
host -t mx
For mail exchange records (email servers)
host -t a
A records that translate human-readable names to IP addresses in IPv4
host -t aaaa
Same as A records but for IPv6
host -t soa
Start of authority, which contains 1- the primary DNS name 2- a serial number; if the serial number for the primary is higher than the secondary's, a zone transfer will be initiated
What is the nmap command used for DNS enumeration?
nmap -T4 -p 53 --script dns-brute [target]
In SNMP, the default community string for read-only is____ and the default community string for read-write is ____
public,private
What command is used in SNMP to query a network device for its tree of information? And what command queries info in a human-friendly format?
snmpwalk, snmp-check
What command is used to manipulate SNMP info?
snmpset
What are the two types of community strings?
1- read only
Allows querying network devices and reading information; no modification allowed
2- read write
Changes to the device are allowed
A virtual database containing a formal description of all network objects that can be managed using SNMP is called ___
Management Information Base (MIB); it is hierarchical and each managed object is addressed through an object identifier (OID)