Enumeration Concepts
Introduction to Enumeration :-
• The results of the scanning phase lead us to the enumeration phase.
• The goal of enumeration is to paint a fairly complete picture of the target.
• It identifies valid user accounts or poorly-protected resource shares by using active connections to systems.
• Enumeration means to specify individually.
Enumeration in the ethical hacking world:
• Specific targets determined
• Identification of services / open ports
• Operating system enumeration
Methods:
• Banner grabbing
• Responses to various protocol (ICMP & TCP) commands
• Port / service scans – TCP Connect, TCP SYN, TCP FIN, etc.
Tools:
• Nmap, FScan, Hping, Firewalk, netcat, tcpdump, ssh, telnet, SNMP Scanner
Steps involved in performing enumeration
1. Check for live systems
2. Check for open ports
3. Scan beyond IDS
4. Perform banner grabbing
5. Scan for vulnerabilities
6. Draw network diagrams
7. Prepare proxies
Enumerating techniques
• Obtaining Active Directory information and identifying vulnerable user accounts
• Discovering NetBIOS names with NBTscan
• Using snmputil for SNMP enumeration
• Employing Windows DNS queries
• Establishing null sessions and connections
NetBIOS, SNMP, LDAP Enumeration
Common Network Services
• SNMP
• BGP
• Active Directory LDAP
• Unix RPC
• rwho, rusers
• NIS
• SQL Resolution Service
• Oracle TNS
• NFS
• IPsec/IKE
• FTP
• Telnet
• SMTP
• DNS
• TFTP
• Finger
• HTTP
• MSRPC
• NetBIOS Name Service
• SMB Null Session
1. NetBIOS Enumeration
o NetBIOS enumeration is a computing activity in which usernames and information on the groups, shares, and services of networked computers are gathered.
o Several Graphical User Interface (GUI) tools as well as Command Line Interface (CLI) tools are available for it.
2. SNMP Enumeration
o SNMP stands for Simple Network Management Protocol.
o It is used to manage and monitor hardware devices connected to a network.
o There are three distinct components:
1. Network Management System
2. SNMP Agents
3. Managed devices
[Figure: SNMP architecture diagram showing the SNMP Manager, the SNMP Agent, the Management Information Base (MIB), and Traps]
3. LDAP Enumeration
o It stands for Lightweight Directory Access Protocol.
o It is used to access directory listings within Active Directory.
o It tends to be tied into the Domain Name System to allow fast resolution of queries.
Enumeration Countermeasures
Enumeration Countermeasures are :-
• Configure web servers to prevent indexing of directories
• To prevent potential social engineering and war dialing attacks
• Configure all name servers to disallow DNS zone transfers to untrusted hosts
• To prevent reverse DNS sweeping from being effective
• Ensure that HINFO and other novelty records don't appear in DNS zone files
SNMP Countermeasures are :-
• Turn off the SNMP service
• If shutting off SNMP is not an option, then change the default "public" community name
• Upgrade to SNMP3, which encrypts passwords and messages
• Implement the Group Policy security option
• Access to null session pipes, null session shares, and IPsec filtering should also be restricted
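The first three SNMP countermeasures above (default community names, v1/v2c communities, SNMPv3) can be checked mechanically on a Net-SNMP host. The following is an added example written for this page, not code from the original slides: it audits the text of an snmpd.conf for the real Net-SNMP directives rocommunity/rwcommunity, com2sec, createUser and rouser/rwuser, and reports weak settings. Both configuration samples are constructed for the example; the passphrases are placeholders. It assumes that SNMPv3 users are defined in the same file (on many systems createUser lines live in a separate persistent file, so adapt the input accordingly).

```python
"""Audit a Net-SNMP snmpd.conf for default community names and
v1/v2c-only access, the weaknesses named in the SNMP countermeasures.

Added example, not part of the original slides. The configuration
samples below are constructed, not taken from any real host.
"""

DEFAULT_COMMUNITIES = {"public", "private"}
# Net-SNMP directives that define a v1/v2c community string
COMMUNITY_DIRECTIVES = {"rocommunity", "rwcommunity",
                        "rocommunity6", "rwcommunity6"}
# Net-SNMP directives that define or authorise an SNMPv3 user
V3_DIRECTIVES = {"createuser", "rouser", "rwuser"}


def audit_snmpd_conf(text):
    """Return a list of (line_number, finding, value) tuples.

    Findings: 'default-community' for public/private, 'v1v2c-community'
    for any other community string, 'write-community' for rw access,
    and 'no-snmpv3-users' (line 0) when no v3 user is configured.
    """
    findings = []
    v3_users = 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive in COMMUNITY_DIRECTIVES and len(parts) > 1:
            community = parts[1]
            kind = ("default-community" if community.lower() in DEFAULT_COMMUNITIES
                    else "v1v2c-community")
            findings.append((lineno, kind, community))
            if directive.startswith("rw"):
                findings.append((lineno, "write-community", community))
        elif directive == "com2sec" and len(parts) >= 4:
            # com2sec <secname> <source> <community>
            community = parts[3]
            kind = ("default-community" if community.lower() in DEFAULT_COMMUNITIES
                    else "v1v2c-community")
            findings.append((lineno, kind, community))
        elif directive in V3_DIRECTIVES:
            v3_users += 1
    if v3_users == 0:
        findings.append((0, "no-snmpv3-users", ""))
    return findings


# Constructed sample: an out-of-the-box style configuration
WEAK_CONF = (
    "# constructed weak configuration\n"
    "rocommunity public\n"
    "rwcommunity private 10.0.0.0/24\n"
)

# Constructed sample: SNMPv3 only, authentication and privacy required
HARDENED_CONF = (
    "# constructed hardened configuration\n"
    'createUser monitor SHA "<auth passphrase placeholder>" AES "<priv passphrase placeholder>"\n'
    "rouser monitor priv\n"
)

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_snmpd_conf(conf))
```

Running the block prints the four findings for the weak sample and an empty list for the hardened one; in practice feed it the contents of /etc/snmp/snmpd.conf and treat any finding as a follow-up item.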
LDAP Countermeasures are :-
• Use SSL technology to encrypt the traffic
• Use basic authentication to limit access to known users only
• Select a username different from the email id and enable account lockout
Hping3: the Heavy Artillery
First, let's see how we can make hping3 act like ping. The following command will cause the utility to transmit an ICMP request and receive a reply:
hping3 -1 <domain name>
Next, let's check to see if there is a firewall blocking ping requests. We can do this by attempting to get a packet with the ACK flag set to the target. In this example the switches used are -A for ACK, -V for verbose, -p followed by a target port number, and -s for the port on the source computer where the packet will originate. In this example port 80 on the target and port 5050 on the attacker system are used:
hping3 -c 1 -V -p 80 -s 5050 -A <domain name>
If this command receives a reply, then the system is alive and the target port is open (-c sets the packet count).
hping3 -c 1 -V -p 80 -s 5050 -A ibrict.edu.om
• Create an ACK packet and send it to port 80 on the victim:
hping3 -A <target IP address> -p 80
hping3 -A 192.168.1.5 -p 80
• Create a SYN scan against a range of ports on a victim:
hping3 -8 50-56 -S <target IP address> -V
hping3 -8 50-56 -S 192.168.1.5 -V
-S --syn set SYN flag
-R --rst set RST flag
• Create a packet with FIN, URG, and PSH flags set and send it to port 80 on the victim:
hping3 -F -P -U <target IP address> -p 80
hping3 -F -P -U 192.168.1.5 -p 80
hping3 --xmas 192.168.1.5 -p 80
-X --xmas set X unused flag (0x40)
Note that hping3's --xmas option sets only the unused 0x40 flag (the X flag), so it is not the same packet as the FIN, PSH and URG combination sent by -F -P -U.
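From the defender's side, the probes shown in this section differ only in their TCP flag bits, which is what a detection rule keys on. The following is an added example written for this page, not code from the original slides or from the hping3 project: it maps flag bits to the probe types named above (SYN, ACK, FIN/PSH/URG) and flags a source that sends SYNs to many distinct ports, as the -8 50-56 scan does. The packet records are constructed for the example and use the same addresses and ports as the slide; a real deployment would derive them from a capture or firewall log.

```python
"""Classify TCP probes by flag bits and flag scan-like behaviour.

Added example for this page, not original slide content. The packet
records below are constructed, not captured traffic.
"""
from collections import defaultdict

# TCP header flag bits (RFC 793)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_BITS = {"F": FIN, "S": SYN, "R": RST, "P": PSH, "A": ACK, "U": URG}


def flags_from_string(spec):
    """Turn a flag string such as 'SA' or 'FPU' into the header bit mask."""
    mask = 0
    for ch in spec:
        mask |= FLAG_BITS[ch]
    return mask


def probe_type(flags):
    """Name the probe a flag combination corresponds to.
    Mirrors the hping3 modes on the slide: -S (SYN), -A (ACK), -F -P -U (Xmas)."""
    if flags == 0:
        return "null"
    if flags == FIN | PSH | URG:
        return "xmas"
    if flags & SYN and not flags & ACK:
        return "syn"
    if flags == ACK:
        return "ack"
    if flags == FIN:
        return "fin"
    return "other"


def detect_scans(records, port_threshold=5):
    """Return alerts as (kind, source, detail) tuples.

    One alert per packet whose flag set never occurs in a legitimate
    connection (xmas, null, lone FIN), plus one 'syn-sweep' alert per
    source that sent SYNs to at least `port_threshold` distinct ports.
    A lone ACK is not alerted on: it is normal mid-connection traffic.
    """
    alerts = []
    syn_ports = defaultdict(set)
    for rec in records:
        kind = probe_type(flags_from_string(rec["flags"]))
        if kind in ("xmas", "null", "fin"):
            alerts.append((kind, rec["src"], rec["dport"]))
        elif kind == "syn":
            syn_ports[rec["src"]].add(rec["dport"])
    for src, ports in syn_ports.items():
        if len(ports) >= port_threshold:
            alerts.append(("syn-sweep", src, len(ports)))
    return alerts


# Constructed records: a SYN sweep of ports 50-56 and an FIN/PSH/URG probe
# from one host, a null probe from another, and a normal SYN-ACK reply.
SAMPLE_RECORDS = (
    [{"src": "10.0.0.9", "dport": p, "flags": "S"} for p in range(50, 57)]
    + [{"src": "10.0.0.9", "dport": 80, "flags": "FPU"},
       {"src": "10.0.0.7", "dport": 22, "flags": ""},
       {"src": "192.168.1.5", "dport": 5050, "flags": "SA"}]
)

if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_RECORDS):
        print(alert)
```

The threshold of five distinct ports is an arbitrary constructed value; tune it to the host's normal fan-out, since a single SYN to a single port is indistinguishable from a legitimate connection attempt.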