Skip to main content
Version: 1.0.2

Enumeration overview

  • Actively engage a system and query it for information.
  • Used to discover vulnerabilities and then exploit them.
  • Information collected include routing tables, users and groups, machine names, network resources.

Common ports and services to enumerate

Enumeration techniques

  • Extracting user names using email ID's
  • Extract information using the default password
    • Identifying OS would tell the default password
    • If no one has changed it can be used to gather more information.
  • DNS enumeration

Windows enumeration

  • Enumerating all shares
    • net share or net view \\serverName /all
  • Enumerating machine configuration through null sessions
    • Null sessions allow for enumeration of Windows machines to access information about the machine configuration.
    • E.g. net use \\target\ipc$ "" /user: "
  • Configurable services and server/workstation settings
    • net config

Windows user account enumeration

Security Identifier (SID)

  • A subject can access an object with given permissions
  • Subject (who)
    • Windows internally identifies entities as "Security Principals" also known as "Subject"s
    • E.g. user accounts, groups, computers and services
  • Subjects are assigned SID (Security Identifier) by the system
  • E.g. S-1-5-21-1852694824-1489621752-332472329-500
  • 📝 Format: S-<revision-level>-<authority-id>-<first-subauthority>-<o-N subauthorities>-<relative identifier(RID)>
    • Authority ID
      • 0 - SECURITY_NULL_SID_AUTHORITY - null group or nobody
      • 1 - SECURITY_WORLD_SID_AUTHORITY - account Everybody
      • 2 - SECURITY_LOCAL_SID_AUTHORITY - group account Local (logged in users)
      • 3 - SECURITY_CREATOR_SID_AUTHORITY - Creator Owner
      • 5 - SECURITY_NT_AUTHORITY - Created by OS
      • There are many more
    • Sub Authority ID
      • 5 - For applications that run under a specific session
      • 6 - When a process authenticates as a service
      • 21 - For SIDs that are not universal but has local significance
      • 32 - Identifies built-in SIDs
      • 80 - Identifies services' SIDs
    • Relative identifier (RID)
      • 500 - Administrator
      • 501 - Guest

Windows user account enumeration tools

  • user2sid and sid2touser: Brings SID value for a given account name and vice versa
    • E.g. user2sid \\SVR1 Guest
    • Getting SID allows enumeration of accounts/groups by changing RID
      • E.g. sid2user \\SVR1 5 21 1928525985 232339646 3462474693 501
        • Returns like Name is Guest, Domain is DEMO, Type of SID is SidTypeUser
        • Syntax: sid2user [\computer_name] authority subauthority_1 …
  • dumpusers: All-in-one tool to dump account names and information
  • GetAcct: Can dump account information as CSV file.
  • From SystemTools:
    • DumpSec: lists all users and the groups they are in
    • Hyena dumps shares and user login names for Windows domain controllers and servers on same network.
  • PsGetSid: Translates SIDs to their display name and vice versa

NetBIOS enumeration

  • NetBIOS (Network Basic Input/Output System) is a unique name of a Windows machine.
  • 📝 Allow computers
    • to communicate with others at the same time
    • to share files and printers
  • Uses SMB (service message block) protocol
    • Network file sharing protocol.
    • 🤗 Was targeted by WannaCry ransomware who traversed the network and injected hosts.
  • Easily exploitable, often used as one of the first scans.
  • Helps to collect: • System name • Username • Domain • Printers • Available shares

NetBIOS enumeration tools

  • nbtstat
    • Proprietary Windows diagnostic tool for NetBIOS over TCP/IP.
    • nbtstat -a <IP or hostname>: shows NetBIOS names
  • net view <IP or hostname> prints available shares such as printers.
  • smb-nat
    • NetBIOS Auditing Tool)
    • nat -o <output file> -u <user-list> -p <password-list> <ip/range> allows you to brute force different usernames and passwords for administrative shares.
  • WinFingerPrint
    • Windows enumeration tool
    • Scan machines in LAN and returns shares, disk information, services, users (SID), groups..

SNMP enumeration

  • Also known as SNMP walking
  • SNMP stands for Simple Network Management Protocol.
  • Used for
    • monitoring networking equipment
    • remotely modifying settings and configs on the equipment
  • Was developed for routers and switches (1988)
    • Extended for linux/windows machines, printers, sensors, power supplies and more...
  • Two kind of community strings:
    • Read community string: read-only.
      • You can collect information such as
        • System name, system uptime, network settings, CPU usage level etc.
    • Read/write community string: read-write (private) to edit configurations
    • 💡 SNMPv3 encrypts the community strings
  • Consists of a manager and an agent
    • Agents are embedded into network devices.
      • Agents send their information to manager using port 162.
      • Data messages are called traps.
    • Manager is installed on a computer.
      • Needs two passwords to access and configure the agents:
        • read community string
        • read/write community string
  • Object identifier (OID)
    • Any device that can be monitored has an OID.
    • E.g. 1.3.6.1.2.1.2.2.1.8
  • Management Information Base (MIB)
    • Text-file that translates numerical OIDs to word-based OIDs.
      • E.g. SYNOLOGY-SYSTEM-MIB::temperature.0
    • You can collect information CPU usage level, disk usage level, network settings using vendor-specific OIDs.
  • Version 1, 2: (❗️ insecure) No encryption, only "community string" and no encryption
  • Version 3: Username + password and encryption

SNMP enumeration tools

  • snmpwalk
    • Enumerates ports in SNMP agent and finds out UDP port sending traffic to manager.
    • snmpwalk -c public -v1 <agent IP address>
    • Starts listening to the port.
  • snmp-check
    • You can find out the version using snmp-check <IP address> -v <version 1 or 2c>
      • Gives much more information like routing tables, storage information, users etc.
  • snmp-get
    • Retrieve specific OID information from target using -o
    • SNMP community string for SNMP v1/v2c.
      • E.g. sysName.0 for system name
    • E.g. snmpget -v 1 -c public system.sysName.0

LDAP enumeration

LDAP

  • LDAP stands for Lightweight Directory Access Protocol
  • Used by on-premises Active Directory (Microsoft)
  • 📝 Hierarchical e.g. domain > child-domains > organizational units > users / groups / computers.
  • May return information about usernames, addresses, servers, and other sensitive information.
    • could be utilized in a brute force or social engineering attacks.

LDAP enumeration countermeasures

  • Use over encrypted and secure protocols e.g. by e.g.
    • LDAP over SSL/TLS
      • Also known as LDAPS
      • SSL/TLS is negotiated before LDAP protocol begins.
    • LDAP over StartTLS
      • STARTTLS is a way to take an existing insecure connection and upgrade it to a secure connection using TLS.
      • Communication is only encrypted after the connection is established.
  • Use NTLM or Basic authentication
  • Select a username different from your email address

LDAP enumeration tools

NTP enumeration

NTP

  • 📝 NTP (Network Time Protocol) is to synchronize computer clocks.
  • E.g. machines in same domain in Active Directory must have same GMT clocks.
  • Uses UDP 123
  • Target accuracy
    • 10 ms over the public internet
    • 200 ms or better on a local area network
  • 🤗 Usually companies have authority of time-source on their on-premises, it synchronizes to internet and everything else synchronizes to it.
    • Important for routers / switches to have logs with right timestamps.
  • Attackers query NTP for
    • List of hosts connected to NTP server
    • Clients IP addresses, system names and operating systems.
    • Internal IP addresses can be acquired if the NTP server is on the DMZ

NTP enumeration tools

  • ntptrace: traces NTP servers back to the primary source.
  • ntpdc: monitors operation of the NTP daemon, ntpd
  • ntpq: monitors NTP daemon ntpd operations and determines performance.
  • Other tools include: • NTP Time Server Monitor • NTP server Scanner • Nmap • Wireshark • AtomSync • NTPQuery, • PresenTense NTP Auditor • PresenTense Time Server • PresenTense Time Client • Lan Time Analyser...

SMTP enumeration

SMTP

  • SMTP = Simple Mail Transfer Protocol (port: 25)
  • Protocol used for sending/receiving e-mails.
    • Used by clients talk to SMTP servers
    • Used also by SMTP servers to talk to other servers.
  • Secure/encrypted protocols include:
    • SMTPS is SMTP over TLS (port: 587)
      • 🤗 Like HTTPS is HTTP over TLS
    • SMTP can also run with STARTTLS (port: 467)
      • Compared to running over TLS, it encrypts communication AFTER the communication is established.
      • STARTTLS is also known as opportunistic TLS as it would fall back to unencrypted communication if server does not support it.
  • See MX records to find SMTP servers
  • Allows to validate e-mail addresses to ensure they exist
    • 🤗 One another: Go to provider → try creating account with that e-mail.
    • 🤗 Large collection of e-mails can be sold or used for phishing.
    • 🤗 Many e-mail senders (e.g. AWS Simple Email Service) blocks you if you send e-mails that will not reach the targets.
      • One idea is to create fake accounts in cloud providers → ask to increase soft limits → enumerate per accounts

SMTP enumeration through SMTP commands

  • VRFY: validates e-mail address that actually exists
  • EXPN: tells the actual delivery address of aliases and mailing lists
  • RCPT TO: Defines recipients of the messages
  • ❗ Some admins may turn off VRFY and EXPN, but not RCPT TO (or no one can receive e-mail)

SMTP enumeration through tools

Brute forcing Active Directory

  1. Get admin user with SID 500
    • Get-ADUser -Filter * | where { $_.SID -like "*-500" }
  2. Brute-force its credentials
    • E.g. if user is admin@cloudarchitecture.io:
      • net use \\%computername% "PasswordTest1" /u:admin@cloudarchitecture.io
      • net use \\%computername% "PasswordTest2" /u:admin@cloudarchitecture.io
      • ...