Enumeration is the process of extracting user names, machine names, network resources, shares, and services from a system or network. In the enumeration phase, the attacker creates active connections with system and performs directed queries to gain more information about the target. The attackers use the information collected by means of enumeration to identify the vulnerabilities or weak points in the system security, which helps them exploit the target system. It allows the attacker to perform password attacks to gain unauthorized access to information system resources. Enumeration techniques work in an intranet environment.
Enumeration allows you to collect the following information:
• Network resources
• SNMP and FQDN details
• Network shares
• Machine names
• Routing tables
• Users and groups
• Audit and service settings
• Applications and banners
During enumeration, attackers may stumble upon a remote IPC share, such as IPC$ in Windows, which they can probe further for null sessions to collect information about other shares and system accounts.
The previous modules highlighted how attackers gather necessary information about a target without really getting on the wrong side of the legal barrier. However, enumeration activities may be illegal depending on the organization policies and any laws that are in effect. As an ethical or pentester, you should always acquire proper authorization before performing enumeration.
Related Product : Certified Ethical Hacker | CEH Certification
Techniques for Enumeration
To extract information about a target :
• Extract user names using email IDs
Every email address contains two parts: the user name and the domain name. The structure of an email address is username@domainname. Consider firstname.lastname@example.org; in this email address, the “abc” (the string of characters preceding the ‘@’ symbol) is the user name and “gmail.com” (the string of characters following the ‘@’ symbol) is the domain name.
• Extract information using default passwords
Many online resources provide a list of default passwords assigned by manufacturers to their products. Users often neglect to change the default usernames and passwords provided by the manufacturer or developer of a product. This eases the task of an attacker in enumerating and exploiting the target system.
• Brute force Active Directory
Microsoft Active Directory is susceptible to a username enumeration at the time of user-supplied input verification. This is a design error in the Microsoft Active Directory implementation. If a user enables the “logon hours” feature, then all the attempts at service authentication result in different error messages. Attackers take advantage of this to enumerate valid user names. An attacker who succeeds in extracting valid user names can conduct a brute-force attack to crack the respective passwords.
• Extract information using DNS Zone Transfer
A network administrator can use DNS Zone Transfer to replicate Domain Name System (DNS) data across a number of DNS servers, or to back up DNS files. The administrator needs to execute a specific zone transfer request to the name server. If the name server permits zone transfer, it will convert all the DNS names and IP addresses, hosted by that server to ASCII text.
If the network administrators did not configure the DNS server properly, the DNS Zone transfer is an effective method to obtain information about the organization’s network. This information may include lists of all named hosts, sub-zones, and related IP addresses. A user can perform DNS zone transfer using nslookup.
• Extract user groups from Windows
To extract user groups from Windows, the attacker should have a registered ID as a user in the Active Directory. The attacker can then extract information from groups in which the user is a member by using the Windows interface or command line method.
• Extract user names using SNMP
Attack-s can easily guess the read-only or read-write community strings using the SNMP AD to extract user names.
Also Read : What is SNMP Enumeration?
What is NetBIOS?
NetBIOS stands for Network Basic Input Output System. IBM developed it along with Sytek. The primary intention of NetBIOS was developed as Application Programming Interface (API) to enable access to LAN resources by the client’s software.
NetBIOS naming convention starts with 16-ASCII character string used to identify the network devices over TCP/IP; 15-characters are used for the device name, and the 16th character is reserved for the service or name record type.
NetBIOS Enumeration Explained:
NetBIOS software runs on port 139 on the Windows operating system. File and printer service needs to be enabled to enumerate NetBIOS over Windows Operating system. An attacker can perform the below on the remote machine.
- Choose to read or write to a remote machine depending on the availability of shares
- Launch a Denial of Service (DoS) attack on the remote machine
- Enumerate password policies on the remote machine
NetBIOS Enumeration Tools:
What is SNMP?
SNMP stands for Simple Network Management Protocol is an application-layer protocol that runs on User Datagram Protocol (UDP). It is used for managing network devices which run on IP layer like routers. SNMP is based on a client-server architecture where SNMP client or agent is located on every network device and communicates with the SNMP managing station via requests and responses. Both SNMP request and responses are configurable variables accessible by the agent software. SNMP contains two passwords for authenticating the agents before configuring the variables and for accessing the SNMP agent from the management station.
SNMP Passwords are:
- Read Community string are public, and the configuration of the device can be viewed with this password
- Read/Write community string is private, and the configuration of the device can be modified using this password.
SNMP uses a virtual hierarchical database internally for managing the network objects, and it is called Management Information Base (MIB). MIB contains a tree-like structure, and object ID uniquely represents each network object. The network objects can be viewed or modified based on the SNMP passwords.
Default SNMP password allow attackers to view or modify the SMMP configuration settings. Attackers can enumerate SNMP on remote network devices for the following:
- Information about network resources such as routers, shares, devices, etc.
- ARP and routing tables
- Device-specific information
- Traffic statistics etc.
SNMP Enumeration Tools:
What is LDAP?
LDAP Stands for Light Weight Directory Access Protocol and it is an Internet protocol for accessing distributed directory services like Active Directory or OpenLDAP etc. A directory service is a hierarchical and logical structure for storing records of users. LDAP is based on client and server architecture. LDAP transmits over TCP and information is transmitted between client and server using Basic Encoding Rules (BER).
LDAP supports anonymous remote query on the Server. The query will disclose sensitive information such as usernames, address, contact details, Department details, etc.
LDAP Enumeration Tools:
- Softerra LDAP Administrator
What is NTP?
NTP stands for Network Time protocol designed to synchronize clocks of networked computers. NTP can achieve accuracies of 200 milliseconds or better in local area networks under ideal conditions. NTP can maintain time to within ten milliseconds (1/100 second) over the Internet. NTP is based on agent-server architecture where agent queries the NTP server, and it works on User Datagram Protocol (UDP) and well-known port 123.
An attacker can enumerate the following information by querying NTP server.
- List of hosts connected to the NTP server
- Internal Client IP addresses, Hostnames and Operating system used.
NTP Enumeration Tools:
What is SMTP?
SMTP stands for Simple Mail Transfer Protocol and it is designed for electronic mail (E-Mail) transmissions. SMTP is based on client-server architecture and works on Transmission Control Protocol (TCP) on well-known port number 25. SMTP uses Mail Exchange (MX) servers to send the mail to via the Domain Name Service, however, should an MX server not detected; SMTP will revert and try an A or alternatively SRV records.
SMTP provides three built-in commands
- VRFY– validate users on the SMTP servers
- EXPN– Delivery addresses of aliases and mailing lists
- RCPT TO– Defines the recipients of the message
SMTP servers respond differently to the commands mentioned above, and SMTP enumeration is possible due to varied responses. Attackers can determine the valid users on the SMTP servers with the same technique.
SMTP Enumeration Tools:
- NetScan Tools Pro
- SMTP User Enum
What is DNS?
DNS stands for Domain Name Service, and it is primarily designed as hierarchical decentralized distributed naming systems for computers, services, or any resource connected to the network. DNS resolves hostnames to its respective IP addresses and vice versa. DNS internally maintains a database for storing the records. The following are the most commonly used record types in DNS.
- Start of Authority (SOA),
- IP addresses (A and AAAA),
- SMTP mail exchangers (MX),
- Nameservers (NS),
- Pointers for reverse DNS lookups (PTR), and
- Domain name aliases (CNAME)
DNS works on both UDP and TCP on well-known port number 53. It uses UDP for resolving queries and TCP for zone transfers. DNS zone transfer allows DNS databases to replicate the portion of the database from the primary server to the secondary server. DNS zone transfer must only be allowed by other validated secondary DNS servers acting as clients.
DNS enumeration is possible by sending zone transfer request to the DNS primary server pretending to be a client. It reveals sensitive domain records in response to the request.
DNS Enumeration Tools:
- DNS Dumpster
- DNS Recon
The most common technique used to search users names and machine name of the target system which hacker do most to find victims. Infosavvy gives training on Certified Ethical Hacking in which covers one module on Enumeration. Do CEHv10 Training and Certification from Infosavvy in Banglore Location.
People also ask Question
1. What is the default password policy Active Directory?
2. What does Do not allow anonymous enumeration of SAM accounts default?
3. Where are password requirements in Active Directory?
4. Do not allow any shares to be accessed anonymously?
Learn CEH & Think like hacker
- What is Ethical Hacking? & Types of Hacking
- 5 Phases of Hacking
- 8 Most Common Types of Hacker Motivations
- What are different types of attacks on a system
- Scope and Limitations of Ethical Hacking
- TEN Different Types Of Hackers
- What is the Foot-printing?
- Top 12 steps for Foot printing Penetration Testing
- Different types of tools with Email Foot printing
- What is “Anonymizer” & Types of Anonymizers
- Top DNS Interrogation Tools
- What is SNMP Enumeration?
- Top vulnerability scanning tools
- Information Security of Threat
- Foot printing tools:
- What is Enumeration?
- Network Security Controls
- What is Identity and Access Management?
- OWASP high TEN web application security risks
- Password Attacks
- Defend Against Key loggers
- Defend Against Spyware
- Covering Tracks
- Covering Track on Networks
- Everything You Need To Know About Sniffing – Part 1
- Everything You Need To Know About Sniffing – Part 2
- Learn more about GPS Spyware & Apparatuses
- Introduction of USB Spyware and It’s types
- 10 Types of Identity Theft You Should Know About
- Concepts of Denial-of-Service Attack & Distributed Denial of Service Attack
- Most Effective Ways to Overcome Impersonation on Social Networking Site’s Problem
- How Dynamic Host Configuration Protocol (DHCP) Works
- DHCP Request/Reply Messages
- DHCP Starvation Attack
- Rogue DHCP Server Attack
- IOS Switch Commands
- Web Server Concept
- Web Server Attacks
- Web Server Attack Tools
- Web Server Security Tools
- 6 Quick Methodology For Web Server Attack
- Learn Skills From Web Server Foot Printing / Banner Grapping
- The 10 Secrets You Will Never Know About Cyber Security And Its Important?
- Ways To Learn Finding Default Content Of Web Server Effectively
- How will Social Engineering be in the Future
- Understand The Background Of Top 9 Challenges IT Leaders Will Face In 2020 Now
- Learning Good Ways To Protect Yourself From Identity Theft
- Anti-phishing Tools Guide
This Blog Article Written by
Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092
Contact us – www.info-savvy.com