Enumeration in Hindi - Part 1 - Hacking


Tuesday 19 March 2019

Enumeration in Hindi - Part 1

Enumeration is the process of establishing an active connection to the target hosts in order to discover potential attack vectors in the system; the information gathered can then be used for further exploitation of the system.
Enumeration is used to gather the following:
  • Usernames, Group names
  • Hostnames
  • Network shares and services
  • IP tables and routing tables
  • Service settings and Audit configurations
  • Application and banners
  • SNMP and DNS Details
Significance of enumeration:
Enumeration is often considered as a critical phase in Penetration testing as the outcome of enumeration can be used directly for exploiting the system.
Enumeration classification:
Enumeration can be performed on the following:
  1. NetBIOS Enumeration
  2. SNMP Enumeration
  3. LDAP Enumeration
  4. NTP Enumeration
  5. SMTP Enumeration
  6. DNS Enumeration
  7. Windows Enumeration
  8. UNIX /Linux Enumeration
The rest of the document explains each of the above enumeration types, along with the tools used to perform it and the controls that prevent it.
What is NetBIOS?
NetBIOS stands for Network Basic Input Output System. IBM developed it together with Sytek. NetBIOS was originally developed as an Application Programming Interface (API) that lets client software access LAN resources.
A NetBIOS name is a 16-character ASCII string used to identify a network device over TCP/IP: 15 characters are used for the device name, and the 16th character is reserved for the service or name record type.
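As an added example (not part of the original post), the following Python decodes NetBIOS names as they appear on the wire, splitting the 16-byte layout described above into the 15-byte name and the service suffix. It also reverses the RFC 1001 first-level encoding used in NBNS name queries, which the post does not describe; the sample name is constructed here.

```python
# Added example (not from the original post): decode NetBIOS names as they
# appear on the wire, using the 16-byte layout described above (15 name
# bytes padded with spaces, then a 1-byte suffix naming the service).

# Well-known suffix values, as documented in RFC 1001/1002 and by Microsoft.
SUFFIXES = {
    0x00: "Workstation Service",
    0x03: "Messenger Service",
    0x1B: "Domain Master Browser",
    0x1C: "Domain Controllers",
    0x1D: "Master Browser",
    0x20: "File Server Service",
}

def decode_first_level(encoded: str) -> bytes:
    """Reverse the RFC 1001 first-level encoding used in NBNS queries: each
    name byte is sent as two nibbles, each offset by ord('A') (32 chars)."""
    if len(encoded) != 32 or any(c not in "ABCDEFGHIJKLMNOP" for c in encoded):
        raise ValueError("expected 32 characters in the range A-P")
    out = bytearray()
    for hi, lo in zip(encoded[0::2], encoded[1::2]):
        out.append(((ord(hi) - 0x41) << 4) | (ord(lo) - 0x41))
    return bytes(out)

def parse_netbios_name(raw: bytes) -> dict:
    """Split a raw 16-byte NetBIOS name into the 15-byte name and its suffix."""
    if len(raw) != 16:
        raise ValueError("NetBIOS names are exactly 16 bytes")
    suffix = raw[15]
    return {"name": raw[:15].rstrip(b" ").decode("ascii", errors="replace"),
            "suffix": suffix, "service": SUFFIXES.get(suffix, "unknown")}

def parse_encoded_name(encoded: str) -> dict:
    """Decode a first-level-encoded name straight from an NBNS query."""
    return parse_netbios_name(decode_first_level(encoded))

if __name__ == "__main__":
    # Constructed sample: "FRED" padded with 11 spaces, suffix 0x20 (file
    # server), as it would appear in an NBNS name query.
    print(parse_encoded_name("EGFCEFEE" + "CA" * 12))
```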
NetBIOS Enumeration Explained:
NetBIOS software runs on port 139 on the Windows operating system. The File and Printer Sharing service needs to be enabled for NetBIOS to be enumerated on Windows. An attacker can perform the following on the remote machine:
  1. Read from or write to the remote machine, depending on which shares are available
  2. Launch a Denial of Service (DoS) attack on the remote machine
  3. Enumerate password policies on the remote machine
NetBIOS Enumeration Tools:
The following table shows the list of tools to perform NetBIOS Enumeration:
NetBIOS Security controls:
The following are the security controls to prevent NetBIOS enumeration attacks
  • Minimize the attack surface by disabling unnecessary services such as Server Message Block (SMB).
  • Remove File and Printer sharing in Windows OS.
What is SNMP?
SNMP stands for Simple Network Management Protocol. It is an application-layer protocol that runs on User Datagram Protocol (UDP) and is used for managing network devices that operate at the IP layer, such as routers. SNMP is based on a client-server architecture: an SNMP client (agent) runs on every network device and communicates with the SNMP management station through requests and responses. SNMP requests and responses operate on configurable variables that the agent software exposes. SNMP uses two passwords, one for authenticating before the variables are configured and one for accessing the SNMP agent from the management station.
The SNMP passwords are:
  1. Read community string: its default value is public, and the device configuration can be viewed with this password.
  2. Read/Write community string: its default value is private, and the device configuration can be modified with this password.
Internally, SNMP uses a virtual hierarchical database, called the Management Information Base (MIB), to manage network objects. The MIB has a tree-like structure, and each network object is uniquely identified by an object ID (OID). Network objects can be viewed or modified depending on which SNMP password is used.
SNMP Enumeration:
Default SNMP passwords allow attackers to view or modify the SNMP configuration settings. Attackers can enumerate SNMP on remote network devices to obtain the following:
  1. Information about network resources such as routers, shares, devices, etc.
  2. ARP and routing tables
  3. Device specific information
  4. Traffic statistics etc.
SNMP Enumeration Tools:
The following table shows the list of tools to perform SNMP Enumeration:
SNMP Security controls:
The following are the security controls to prevent SNMP enumeration attacks:
  • Minimize the attack surface by removing the SNMP agents where not needed
  • Change default public community string
  • Upgrade to SNMPv3 which encrypts the community strings and messages
  • Implement group policy for additional restriction on anonymous connections
  • Implement firewall to restrict unnecessary connections
  • Implement IPSec filtering
  • Block access to TCP/UDP port 161
  • Encrypt and authenticate using IPSEC
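As an added example (not part of the original post), the following Python parses the version and community string out of an SNMP message, the way a network monitor would, and reports what a defender should act on: v1/v2c traffic (community string in cleartext), the default community strings named above, and SetRequests (write access). It assumes the standard BER layout SEQUENCE { INTEGER version, OCTET STRING community, PDU }; the sample packet is constructed here.

```python
# Added example (not from the original post): extract the version and
# community string from an SNMP message so a monitor can flag SNMPv1/v2c
# traffic and default community strings. Assumes the standard BER layout:
# SEQUENCE { INTEGER version, OCTET STRING community, PDU }.

DEFAULT_COMMUNITIES = {b"public", b"private"}
VERSIONS = {0: "v1", 1: "v2c", 3: "v3"}
PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest",
             0xA2: "GetResponse", 0xA3: "SetRequest"}

def read_tlv(data: bytes, pos: int):
    """Read one BER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = byte count
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, data[pos:pos + length], pos + length

def parse_snmp_header(msg: bytes) -> dict:
    tag, body, _ = read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message (outer SEQUENCE missing)")
    tag, ver, pos = read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("version INTEGER missing")
    version = int.from_bytes(ver, "big")
    if version == 3:                       # v3 carries no community string
        return {"version": "v3", "community": None, "pdu": None}
    tag, community, pos = read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("community OCTET STRING missing")
    pdu_tag, _, _ = read_tlv(body, pos)
    return {"version": VERSIONS.get(version, str(version)),
            "community": community, "pdu": PDU_TYPES.get(pdu_tag, hex(pdu_tag))}

def audit(msg: bytes) -> list:
    """Return the findings a defender would act on for one SNMP message."""
    hdr, findings = parse_snmp_header(msg), []
    if hdr["version"] in ("v1", "v2c"):
        findings.append("community string sent in cleartext (%s)" % hdr["version"])
    if hdr["community"] in DEFAULT_COMMUNITIES:
        findings.append("default community string %r" % hdr["community"].decode())
    if hdr["pdu"] == "SetRequest":
        findings.append("write access attempted via SetRequest")
    return findings

# Constructed sample: SNMPv1 GetRequest for sysDescr.0 (1.3.6.1.2.1.1.1.0)
# with community "public".
SAMPLE = bytes.fromhex("3026 020100 0406 7075626c6963 a019 020101 020100 020100"
                       " 300e 300c 06082b06010201010100 0500")
```

Feeding the bytes of a UDP/161 datagram to audit() yields findings that map directly onto the controls above: upgrade to SNMPv3 and change the default community strings.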
What is LDAP?
LDAP stands for Lightweight Directory Access Protocol. It is an Internet protocol for accessing distributed directory services such as Active Directory or OpenLDAP. A directory service is a hierarchical, logical structure for storing records about users. LDAP is based on a client-server architecture; it runs over TCP, and information is exchanged between client and server using Basic Encoding Rules (BER).
LDAP Enumeration:
LDAP supports anonymous remote queries against the server. Such a query can disclose sensitive information such as usernames, addresses, contact details, department details, etc.
LDAP Enumeration Tools:
The following table shows the list of tools to perform LDAP Enumeration:
Sl.no  Name of the tool                                                    Web Links
01     Softerra LDAP Administrator                                         http://www.ldapadministrator.com/
02     Jxplorer                                                            http://jxplorer.org/
03     Active Directory Domain Services Management Pack for System Center  https://www.microsoft.com/en-in/download/details.aspx?id=21357
04     LDAP Admin Tool                                                     http://www.ldapadmin.org/
05     LDAP Administrator tool                                             https://sourceforge.net/projects/ldapadmin/
LDAP Security controls:
The following are the security controls to prevent LDAP enumeration attacks
  • Use SSL to encrypt LDAP communication
  • Use Kerberos to restrict the access to known users
  • Enable account lockout to restrict brute forcing
What is NTP?
NTP stands for Network Time Protocol, a protocol designed to synchronize the clocks of networked computers. NTP can achieve accuracies of 200 milliseconds or better on local area networks under ideal conditions, and it can maintain time to within ten milliseconds (1/100 second) over the Internet. NTP is based on an agent-server architecture, in which the agent queries the NTP server; it runs over User Datagram Protocol (UDP) on well-known port 123.
