Enumeration (.docx)

School: University of Abertay Dundee
Course: CS102 CMP210
Subject: Information Systems
Date: Dec 26, 2024
Pages: 20
Note that the information contained in this document is for educational purposes.

Network Enumeration exercises
Ethical Hacking lab exercise

Contents

1 Introduction
1.1 What is enumeration?
1.2 Reminder of the virtual network
1.3 Run the virtual network
1.4 DNS Enumeration
1.5 Analysing the DNS from Windows
1.6 Reverse DNS
1.7 Analysing the DNS from Kali Linux
2 Network enumeration using Kali Linux
2.1 SMB Enumeration using NBTSCAN
2.2 Enumerating shares using SMBMAP
2.3 SMB enumeration using RPCCLIENT
2.4 SMB Enumeration using POLENUM (Policy Enumerator)
2.5 SMB Enumeration using ENUM4LINUX
2.6 SMB Enumeration using crackmapexec
3 Network enumeration using Windows
3.1 NetBIOS Enumeration using nbtstat
3.2 SID2USER/USER2SID
3.3 Nbtenum3.3
4 Other enumeration techniques
4.1 SNMP Enumeration from Kali Linux
4.2 SMTP Enumeration from Kali Linux
Research exercises
4.3 SSH Enumeration
4.4 Other SMTP Enumeration tool
1 INTRODUCTION

1.1 WHAT IS ENUMERATION?

After the footprinting and scanning phases, an attacker will attempt to obtain more detailed information about the intended victim. Enumeration is an “active” process in which more detailed information about the target is sought. As such, many of these activities could (and should) be logged. Note, however, that many of these methods would be lost in a log as normal behaviour.

Much of the information gathered during enumeration may appear harmless; however, once an attacker gains a foothold, such as a valid username or access to a share, it is usually possible to further penetrate the network or system.

The types of information enumerated by intruders:
- Network resources and shares.
- Users and groups.
- E-Mail accounts.
- Policies such as password lockout policies.

Enumeration is normally service specific, for example DNS Enumeration, NetBIOS Enumeration, Active Directory Enumeration, LDAP Enumeration, SMTP Enumeration, SNMP Enumeration and Firewall Enumeration.

Notes: -
(1) Unless otherwise stated, any tools that are required for these exercises are held in the folder “Tools” on the desktop.
(2) These tools and packages should be evaluated as you complete the exercises. You can decide what criteria you want to use to evaluate each tool, but you may want to consider the following: what would you use the tool for? Which tool would be best for a particular task? What features does the tool have? How does the tool work? You should take notes of your evaluations for future reference.
1.2 REMINDER OF THE VIRTUAL NETWORK

A diagram of the scenario is shown below. We as attackers are on the left of the diagram and our target network is on the right, i.e. we have a Windows machine and a Kali Linux machine that we can use to attack the network. Imagine we are sitting in a room within the target company and are about to perform our test. The virtual machines are: -

Tutorial – Server1 = 192.168.10.1
Tutorial – Server2 = 192.168.10.2
Tutorial – Client1 = 192.168.10.10
Kali = 192.168.10.253
Your main Windows desktop = 192.168.10.254

[Diagram: on the left, Kali Linux (192.168.10.253) and your Windows desktop (192.168.10.254); on the right, the target network (192.168.10.1, 192.168.10.2, 192.168.10.10) with its clients and servers, from which e-mail addresses, user names and machine names are to be enumerated.]
1.3 RUN THE VIRTUAL NETWORK

From the desktop, run Hyper-V Manager. We will interrogate Server1 and Server2, so start BOTH of these machines from the snapshot Booted. Also run the Kali Linux virtual machine. When connecting to this, use the RDP link from the desktop so that you can use copy and paste.

Note: - If you have any problems with RDP then reboot Kali and try again.

1.4 DNS ENUMERATION

The basic job of a DNS server is to hold the IP address of a name (e.g. it would hold that “www.abertay.ac.uk” is “193.60.160.153”). This is termed a forward lookup. A backward (reverse) lookup is the reverse of this: IP address to name. This has been covered in previous lectures (conduct some research to find out information about DNS if you are unsure). A screenshot of the Windows 2008 Server DNS Server snap-in is shown below (not reproduced here): -
In the above example, the domain is named ALAN and there are client computers on the network named alan, llanelli, lucy4 etc. Their corresponding IP addresses are 192.168.0.235, 192.168.0.244 etc. Records have different attributes associated with them (see below): -

“A” record
An address (A) record maps a server’s host name to its IP address. There may be many different names associated with an IP address. The A record (address record, or host record) maps a domain name to an IP address on the Internet.

“MX” record
This record maps the SMTP E-Mail server. When someone sends an E-Mail to xxx@abertay.ac.uk, the IP address for the “abertay.ac.uk” mail server is obtained by searching DNS for the MX record, i.e. which server will deal with E-Mail?

NS
The first resource record in any Domain Name System (DNS) zone file should be a Start of Authority (SOA) resource record. The SOA resource record indicates that this DNS name server is the best source of information for the data within this DNS domain.

CNAME
CNAME records (Canonical Name records) act as aliases for hostnames. One IP address may have several names (aliases) associated with it, e.g. www.bbc.net.uk and www.bbc.co.uk are the same IP address (212.58.227.78 at this time).

DNS Zone transfers
A DNS zone transfer will take place from the primary to the secondary DNS servers (meaning that the servers should always contain identical records). The transfer will take place at pre-defined intervals. DNS zone transfers have several potential security issues, though they are easily rectified by proper configuration of the DNS software. The data contained in an entire DNS zone may be sensitive in nature. Individually, DNS records are not sensitive, but if a malicious entity obtains a copy of the entire DNS zone for a domain, they may have a complete listing of all hosts in that domain. One indication that DNS zone transfers may be possible is seeing that port 53 TCP is open (rather than only UDP). This was the case from our scans.

Notes: -
DNS zone transfers are TCP (connection orientated), unlike normal DNS requests, which are UDP.
Windows servers are easy to misconfigure, and this misconfiguration is common in networks.
1.5 ANALYSING THE DNS FROM WINDOWS

The nslookup command essentially performs forward and reverse DNS lookups (name to IP address = forward and IP address to name = reverse). The DNS server that is queried can be altered within the command shell using the server command.

From your main Windows desktop, run a command prompt and type: -

nslookup

Manual enumeration is simply a case of typing in the IP address, and the name will be returned. Now set the server to the correct DNS server of the target network:

server 192.168.10.1

Then enumerate the DNS names of
192.168.10.1
192.168.10.2
192.168.10.20
192.168.10.25

Note that the names give a clue as to what the machine corresponding to the IP address is and does.

DNS zone transfers can be attempted with: -

server 192.168.10.1
set type=any
ls -d uadtargetnet.com

If the server has a DNS zone transfer misconfiguration, then it will show all DNS records. In the same way, try a zone transfer from the server 192.168.10.2 (you should find that it’s not misconfigured, so you get no information).
1.6 REVERSE DNS

In a similar way, we can try to find out information about the network by guessing whether a machine name exists. For example, try
sales.uadtargetnet.com
email.uadtargetnet.com

1.7 ANALYSING THE DNS FROM KALI LINUX

If you haven’t done so already, make sure that Kali Linux is running and then connect to it using RDP.

DNS Zone transfers
A zone transfer can be attempted from Kali Linux using the dig command (if the server allows zone transfers):

dig axfr @192.168.10.1 uadtargetnet.com
dig axfr @192.168.10.2 uadtargetnet.com

or the host command:

host -t axfr uadtargetnet.com 192.168.10.1
host -t axfr uadtargetnet.com 192.168.10.2

Note that the command nslookup is also available from Linux.

Note the relevance of this. If we could get the entire DNS for, say, Abertay Uni, we could tell by the names what the machines do.
2 NETWORK ENUMERATION USING KALI LINUX

2.1 SMB ENUMERATION USING NBTSCAN

The Server Message Block protocol (SMB protocol) is a client-server communication protocol used for sharing access to files, printers, serial ports and other resources on a network.

Nbtscan is a command-line tool that scans for open NetBIOS name servers on a local or remote TCP/IP network, and is also a first step in finding open shares. The basic command is: -

nbtscan 192.168.10.1

The -v switch means verbose:

nbtscan 192.168.10.1 -v

The following command scans a C-class network and prints results using the colon as field separator:

nbtscan -v -s : 192.168.10.1

The output should be similar to the following screenshot (not reproduced here). The following link will help you interpret the output from the Remote Machine Name Table that nbtstat has produced for you: -
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc961857(v=technet.10)
2.2 ENUMERATING SHARES USING SMBMAP

A network share is essentially a folder on a machine that can be accessed by others. These shares may also be folders that a user shares. Juicy information can often be found in these, e.g. passwords.txt. An example from some years ago – a BSc Ethical Hacking student found a folder that had been accidentally shared on a lecturer's laptop. It contained their bank account details.

To find the share folders on a machine:

smbmap -u test -p test123 -H 192.168.10.1

Note that the $ indicates that the share is not visible by normal browsing. ADMIN$, C$ (C drive) and IPC$ are standard shares created by a Windows machine.

From your main Windows desktop, browse the public shares on the machine by entering \\192.168.10.1 in the address bar of a folder window (enter test/test123 when prompted). Now get and examine the shares from 192.168.10.2.

Reference: - https://tools.kali.org/information-gathering/smbmap
2.3 SMB ENUMERATION USING RPCCLIENT

rpcclient is an excellent tool for enumerating all aspects of SMB on a Windows network. If we have a valid user account, we can enumerate a lot of information. In this case, use our account details of test and a password of test123. Run the client using: -

rpcclient -U "test" 192.168.10.1

Try the following useful commands (take notes): -

help
srvinfo
querydominfo
enum        (then hit TAB twice to show all the enum functions)
enumdomusers
enumalsgroups builtin
enumalsgroups domain
lookupnames administrators
lookupnames administrator

A SID (Security Identifier) is a structure of variable length that uniquely identifies an Active Directory object in all Windows operating systems. A valid SID looks like the following: -

S-1-5-21-8915387-1645822062-181928000-500

The final field indicates the RID. The administrator account will always have a RID of 500 (regardless of whether it has been renamed). The following command will display the Administrator username:

queryuser 500

Reference: http://support.microsoft.com/kb/q243330/
2.4 SMB ENUMERATION USING POLENUM (POLICY ENUMERATOR)

Polenum is a Python script which extracts the password policy information from a Windows machine. This allows a non-Windows (Linux, Mac OS X, BSD etc.) user to query the password policy of a remote Windows box without the need to have access to a Windows machine.

Run a terminal in Kali Linux and type:

polenum test:test123@192.168.10.1

The “account lockout duration” and account lockout have not been set. We also have the minimum password length as 0 characters. This server clearly has issues!! Also note that the real policy is often different from that advertised.
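As an added example (not part of the handout and not polenum's own code), the following Python function takes a password policy of the kind polenum reports and turns it into findings, so the "this server clearly has issues" judgement above becomes a repeatable check. The PasswordPolicy field names and the baseline thresholds are this example's own assumptions, not polenum's output labels; SERVER1_POLICY carries the two values the handout reports (minimum length 0, lockout not set) and constructed values for the rest.

```python
from dataclasses import dataclass
from typing import List

# Field names below are this example's own (hypothetical) naming, chosen to mirror the
# values a tool such as polenum reports; they are not polenum's exact output labels.
@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int             # minimum password length in characters
    history_length: int         # previous passwords remembered
    complexity_required: bool   # whether complexity rules are enforced
    lockout_threshold: int      # failed logons before lockout; 0 = accounts never lock
    lockout_duration_min: int   # minutes an account stays locked; 0 = not set
    lockout_window_min: int     # minutes before the failed-logon counter resets

# Baseline thresholds are this example's own choices, not values from the handout.
BASELINE_MIN_LENGTH = 12
BASELINE_HISTORY = 12
BASELINE_MAX_LOCKOUT_THRESHOLD = 10
BASELINE_MIN_LOCKOUT_DURATION = 15

def assess_password_policy(p: PasswordPolicy) -> List[str]:
    """Return a list of findings; an empty list means the policy meets the baseline."""
    findings: List[str] = []
    if p.min_length < BASELINE_MIN_LENGTH:
        findings.append(f"minimum password length {p.min_length} is below {BASELINE_MIN_LENGTH}")
    if p.history_length < BASELINE_HISTORY:
        findings.append(f"password history of {p.history_length} allows quick reuse")
    if not p.complexity_required:
        findings.append("password complexity is not enforced")
    if p.lockout_threshold == 0:
        # No lockout at all: an attacker with a user list can guess passwords without limit.
        findings.append("account lockout threshold is 0: unlimited online guesses are possible")
    else:
        if p.lockout_threshold > BASELINE_MAX_LOCKOUT_THRESHOLD:
            findings.append(f"lockout threshold {p.lockout_threshold} is above {BASELINE_MAX_LOCKOUT_THRESHOLD}")
        if p.lockout_duration_min < BASELINE_MIN_LOCKOUT_DURATION:
            findings.append(f"lockout duration {p.lockout_duration_min} min is below {BASELINE_MIN_LOCKOUT_DURATION}")
        if p.lockout_window_min == 0:
            findings.append("lockout observation window is not set")
    return findings

# Server1 as the handout reports it: minimum length 0 and no lockout. The remaining
# fields are constructed for the example.
SERVER1_POLICY = PasswordPolicy(min_length=0, history_length=0, complexity_required=False,
                                lockout_threshold=0, lockout_duration_min=0, lockout_window_min=0)

# A constructed policy that meets the baseline, for comparison.
HARDENED_POLICY = PasswordPolicy(min_length=14, history_length=24, complexity_required=True,
                                 lockout_threshold=5, lockout_duration_min=30, lockout_window_min=30)

if __name__ == "__main__":
    for name, policy in (("Server1", SERVER1_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, assess_password_policy(policy) or ["no findings"])
```

The checks are deliberately ordered so that a zero lockout threshold is reported as one finding rather than three: once accounts never lock, the duration and window are irrelevant.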
2.5 SMB ENUMERATION USING ENUM4LINUX

Enum4linux is an excellent tool for enumerating information from Windows and SMB/Samba systems. There are many switches. A full tutorial and an explanation of the switches can be found at https://labs.portcullis.co.uk/tools/enum4linux/

From a terminal, run the following commands and examine the information (ignore any concatenation errors): -

enum4linux -U -u test -p test123 192.168.10.1
enum4linux -G -u test -p test123 192.168.10.1
enum4linux -S -u test -p test123 192.168.10.1
enum4linux -a -u test -p test123 192.168.10.1

The following line will run all enumerations and takes a few minutes to run:

enum4linux -a -u test -p test123 192.168.10.1 >/root/Desktop/enum.txt

Examine the file on the Kali Linux desktop and save it for future reference.

2.6 SMB ENUMERATION USING CRACKMAPEXEC

CrackMapExec (a.k.a. CME) is a post-exploitation tool that helps automate assessing the security of large Active Directory networks. It has a lot of functionality and we will use it in future weeks. To get basic help:

crackmapexec smb --help

The syntax for obtaining the users is: -

crackmapexec smb 192.168.10.1 -u 'test' -p 'test123' --users

Also, try the following switches:

--shares     enumerate shares and access
--sessions   enumerate active sessions
--disks      enumerate disks
--groups     enumerate domain groups
--pass-pol   dump password policy
3 NETWORK ENUMERATION USING WINDOWS

3.1 NETBIOS ENUMERATION USING NBTSTAT

There are several built-in commands within Windows that allow us to enumerate. These can be useful if you are part of a domain and you can’t install tools easily.

nbtstat is a Windows diagnostic tool for NetBIOS over TCP/IP. It is included in several versions of Microsoft Windows. Its primary design is to help troubleshoot NetBIOS name resolution problems. From a command prompt under Windows, type:

nbtstat -A 192.168.10.1

Again, the output can be deciphered using https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc961857(v=technet.10)

To view shares, type:

net view \\192.168.10.1 /All

Try the following useful commands: -

net user /domain
net user A.George /domain
wmic useraccount
net group "Domain Computers" /domain
net group "Domain Controllers" /domain
3.2 SID2USER/USER2SID

A SID (Security Identifier) is a structure of variable length that uniquely identifies an Active Directory object in all versions of Windows. A valid SID looks like the following: -

S-1-5-21-8915387-1645822062-181928000-500

Browse the following article (it shows the structure of a SID): http://support.microsoft.com/kb/q243330/

The last number is particularly important to a hacker. The number for an Administrator is always 500, Guest is 501 and “domain users” is always 513. The last group will always exist. It is common for a sysadmin to rename the Administrator account. The packages user2sid and sid2user can be used in the following way to show the user name: -

C:\>net use \\99.99.99.99\IPC$ "" /u:""
C:\>User2sid \\99.99.99.99 "domain users"

This gives an output similar to the following: -

S-1-5-21-8915387-1645822062-181928000-513
Number of subauthorities is 5
Domain is TESTDOMAIN
Length of SID in memory is 28 bytes
Type of SID is SidTypeGroup

Now we want to know the Administrator’s account name. We add in the SID with a 500 at the end (instead of a 513):

C:\>sid2user \\99.99.99.99 5 21 8915387 1645822062 181928000 500

The files user2sid.exe and sid2user.exe are in C:\Users\student\Desktop\tools on your Azure machine.

Shut down Client1. Run the following exercise from your main Windows desktop. We will now create a session as our valid user (credentials test/test123). Run a command prompt (Start, cmd):

cd \Users\student\Desktop\tools
net use \\192.168.10.1\resources
(enter username as test, enter password as test123)
user2sid.exe \\192.168.10.1 "domain users"

Note: - You need to know the name of a valid share name (rather than user$) if you are not on a machine connected to the domain.

Challenge: - Now use sid2user to get the name of the administrator and the guest. (You will need to look at the syntax in the explanation above.)

3.3 NBTENUM3.3

There are several NetBIOS enumeration tools that can be used, but nbtenum3.3 gives an excellent formatted web page output. A valid user account is required (in this case, test/test123). On your main Windows machine, we will attempt to enumerate via NetBIOS using NBTenum3.3. Run a command prompt and run the scan against Server2:

cd \Users\student\Desktop\tools\NBTEnum33
nbtenum.exe -q 192.168.10.1 192.168.10.1\test test123

This creates a file 192.168.10.1.html in the nbtenum3.3 folder. Examine this file. Also, save this file for later use.
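The SID structure that section 3.2 describes (revision, identifier authority, sub-authorities, RID) is easy to get wrong by hand, so here is an added Python example (not part of the handout and not the user2sid/sid2user tools) that parses a SID string, reports the same figures user2sid prints (sub-authority count, length in memory), names the well-known RIDs, and rewrites the RID the way the handout does when it swaps 513 for 500. The WELL_KNOWN_RIDS table holds Microsoft's documented values; the handout itself lists 500, 501 and 513.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Well-known relative identifiers within a domain SID (Microsoft's documented values;
# the handout lists 500, 501 and 513).
WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    502: "krbtgt",
    512: "Domain Admins",
    513: "Domain Users",
    514: "Domain Guests",
    515: "Domain Computers",
    516: "Domain Controllers",
}

# S-<revision>-<identifier authority>-<sub-authority>[-<sub-authority>...]
SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")

@dataclass(frozen=True)
class SID:
    revision: int
    identifier_authority: int
    subauthorities: Tuple[int, ...]

    @property
    def rid(self) -> int:
        """The relative identifier: the last sub-authority."""
        return self.subauthorities[-1]

    @property
    def is_domain_sid(self) -> bool:
        """S-1-5-21-<three 32-bit values>-<RID>: an NT-authority domain account or group."""
        return (self.identifier_authority == 5 and len(self.subauthorities) == 5
                and self.subauthorities[0] == 21)

    def with_rid(self, rid: int) -> "SID":
        """Same domain, different RID: how the handout points sid2user at the administrator."""
        return SID(self.revision, self.identifier_authority, self.subauthorities[:-1] + (rid,))

    def __str__(self) -> str:
        return "S-%d-%d-%s" % (self.revision, self.identifier_authority,
                               "-".join(str(s) for s in self.subauthorities))

def parse_sid(text: str) -> SID:
    """Parse the textual form; raises ValueError for anything that is not a SID."""
    m = SID_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a SID string: {text!r}")
    subs = tuple(int(x) for x in m.group(3).split("-")[1:])
    return SID(int(m.group(1)), int(m.group(2)), subs)

def sid_length_bytes(sid: SID) -> int:
    """Binary size: 1 byte revision, 1 byte sub-authority count, 6 bytes authority, 4 per sub-authority."""
    return 8 + 4 * len(sid.subauthorities)

def describe_rid(sid: SID) -> Optional[str]:
    """Name of a well-known RID for a domain SID; None if not a domain SID or not well known."""
    if not sid.is_domain_sid:
        return None
    return WELL_KNOWN_RIDS.get(sid.rid)

def sid2user_args(sid: SID) -> str:
    """Space-separated form in which the handout passes a SID to sid2user (authority, then sub-authorities)."""
    return " ".join(str(n) for n in (sid.identifier_authority,) + sid.subauthorities)

if __name__ == "__main__":
    group = parse_sid("S-1-5-21-8915387-1645822062-181928000-513")  # the handout's user2sid output
    print("Number of subauthorities is", len(group.subauthorities))
    print("Length of SID in memory is", sid_length_bytes(group), "bytes")
    print(group, "->", describe_rid(group))
    admin = group.with_rid(500)
    print("sid2user \\\\99.99.99.99", sid2user_args(admin), "->", describe_rid(admin))
```

Running it on the handout's SID reproduces "Number of subauthorities is 5" and "Length of SID in memory is 28 bytes", and rewriting the RID to 500 yields exactly the argument list the handout passes to sid2user. The defensive lesson is the one the handout states: renaming the Administrator account changes the name but never the RID, so renaming is not a control on its own.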
4 OTHER ENUMERATION TECHNIQUES

4.1 SNMP ENUMERATION FROM KALI LINUX

One of the most common enumeration techniques is via SNMP (Simple Network Management Protocol). This protocol runs on routers, switches, firewalls and other network devices. It is also common for the protocol to run on servers (e.g. Windows 2008 Server and 2003 Server). Note that SNMP can be enumerated from anywhere on the Internet (if misconfigured). SNMP is perhaps the most commonly misconfigured protocol that is used for enumeration.

There are two community names commonly used (mostly by default): -
Private (read-write access)
Public (read-only access)

Enumerating systems via the SNMP public community string gives a lot of useful information. On a Windows system, some of the MIB variables can be found in the following places: -

RUNNING PROCESSES       1.3.6.1.2.1.25.4.2.1.2
INSTALLED SOFTWARE      1.3.6.1.2.1.25.6.3.1.2
SYSTEM INFO             1.3.6.1.2.1.1.1
HOSTNAME                1.3.6.1.2.1.1.5
DOMAIN                  1.3.6.1.4.1.77.1.4.1
UPTIME                  1.3.6.1.2.1.1.3
USERS                   1.3.6.1.4.1.77.1.2.25
SHARES                  1.3.6.1.4.1.77.1.2.27
DISKS                   1.3.6.1.2.1.25.2.3.1.3
SERVICES                1.3.6.1.4.1.77.1.2.3.1.1
LISTENING TCP PORTS     1.3.6.1.2.1.6.13.1.3.0.0.0.0
LISTENING UDP PORTS     1.3.6.1.2.1.7.5.1.2.0.0.0.0

On a Linux system: -

RUNNING PROCESSES       1.3.6.1.2.1.25.4.2.1.2
SYSTEM INFO             1.3.6.1.2.1.1.1
HOSTNAME                1.3.6.1.2.1.1.5
MOUNTPOINTS             1.3.6.1.2.1.25.2.3.1.3
RUNNING SOFTWARE PATHS  1.3.6.1.2.1.25.4.2.1.4
LISTENING UDP PORTS     1.3.6.1.2.1.7.5.1.2.0.0.0.0
LISTENING TCP PORTS     1.3.6.1.2.1.6.13.1.3.0.0.0.0

snmp-check under Kali Linux allows you to enumerate the useful SNMP devices and places the output in a human-readable, friendly format. Note: - You will only get output IF the public string is enabled. Run the tool against the servers to see if they are vulnerable:

snmp-check -c public 192.168.10.1
snmp-check -c public 192.168.10.2

Examine the information gained.

4.2 SMTP ENUMERATION FROM KALI LINUX

Several methods exist that can be used to abuse SMTP to enumerate valid E-Mail addresses, namely VRFY, EXPN, and RCPT TO. The procedure consists of trying potentially valid e-mail addresses. This can be made easier by using Google hacking to find potential E-mail addresses, or by previous enumeration methods.

From Linux, we could create a file of potentially valid usernames and use smtp-user-enum to test them. To prove the concept, we will try a single user to see if their e-mail exists. Under Kali Linux, type the following from a terminal:

smtp-user-enum -M RCPT -u A.George -t 192.168.10.1

You should see from the output that the user A.George exists.
RESEARCH EXERCISES

4.3 SSH ENUMERATION
https://github.com/nccgroup/ssh_user_enum

4.4 OTHER SMTP ENUMERATION TOOL
swaks: http://www.jetmore.org/john/code/swaks/latest/doc/ref.txt