Many Of The Protocols Do Not Encrypt Data While Traveling Across The Network So We Can Sniff In A Network In Order To Gather More Data.
Enumeration Is Used To Gather Following Data :
• Running Services
• Service Version
• Hostnames
• IP Adresses
• Operating System
• Network Resources
• SNMP Data
• IP Tables
• Passwords Policies
• Users and Groups
• Networks and shared paths
• Route Tables
• Applications and Banners
• Points Of Entry
Enumeration Depends On The Services That The Systems Offer, Following Services Is Used To Enumerate System.
Network Time Protocol Is A Protocol Designed To Synchronize Clocks Of Networked Computers. Now Obviously These Computers Talking To Each Other To Synchronize Their Time, Which Opens Them Up For Enumeration. NTP Uses UDP Port 123.
Hosts & IP Adresses
Sys Name & OS
nmap -sU -p 123 --script=ntp-info <target>
Monlist Is A Remote Command In Older Version Of NTP That Sends The Requester A List Of The Last 600 Hosts Who Have Connected To That Server. For Attackers The Monlist Query Is A Great Reconnaissance Tool. For A Localized NTP Server It Can Help To Build A Network Profile.
nmap -sU -p 123 -Pn -n --script=ntp-monlist <target>
SNMP Enumeration
The Simple Network Management Protocol Is Used To Manage And Monitor Hardware Devices Connected To A Network. If Passwords Are Not Changed They Can Be Used By An Attacker To Enumerate SNMP As SNMP Manager.User Accounts And Devices
nmap -sU -p 137 --script snmp-brute <target>
SMB Enumeration
The Server Message Block Protocol Is a Network File Sharing Protocol That Allows Applications on a Computer to Read and Write to Files and to Request Services From Server Programs in a Computer Network. The SMB Protocol Can Be Used on Top of Its TCP/IP Protocol or Other Network Protocols. Using the SMB Protocol, User Can Access Files or Other Resources at a Remote Server. This Allows Applications to Read, Create, and Update Files on the Remote Server. It Can Also Communicate With Any Server Program That Is Set Up to Receive an SMB Client Request.
nmap -p 445 --script smb-os-discovery 192.168.1.0/24
nmap -sV -p 445 --script smb-brute 192.168.1.101
The Server Message Block Protocol Is a Network File Sharing Protocol That Allows Applications on a Computer to Read and Write to Files and to Request Services From Server Programs in a Computer Network. The SMB Protocol Can Be Used on Top of Its TCP/IP Protocol or Other Network Protocols. Using the SMB Protocol, User Can Access Files or Other Resources at a Remote Server. This Allows Applications to Read, Create, and Update Files on the Remote Server. It Can Also Communicate With Any Server Program That Is Set Up to Receive an SMB Client Request.
nmap -p 445 --script smb-os-discovery 192.168.1.0/24
nmap -sV -p 445 --script smb-brute 192.168.1.101
Active Directory Enumeration
Enumerating Windows Active Directory Via LDAP (Lightweight Directory Access Protocol), TCP/UDP 389 And 3268. Active Directory Contains User Accounts And Additional Information About Accounts On Windows PC's.
ad-ldap-enum
BGP Enumeration
BGP Is designed to exchange routing and reachability information among autonomous systems (AS) on the Internet.
BGP Is Used By Routers To Help Them Guide Packets To Their Destinations. It makes routing decisions based on paths, network policies, or rule-sets configured by a network administrator and is involved in making core routing decisions. It Can Be Used To Find All The Networks Associated With A Particular Corporation.
nmap --script asn-query --script-args dns=8.8.8.8 <target>
BGPSimple
Enumerating Windows Active Directory Via LDAP (Lightweight Directory Access Protocol), TCP/UDP 389 And 3268. Active Directory Contains User Accounts And Additional Information About Accounts On Windows PC's.
ad-ldap-enum
BGP Enumeration
BGP Is designed to exchange routing and reachability information among autonomous systems (AS) on the Internet.
BGP Is Used By Routers To Help Them Guide Packets To Their Destinations. It makes routing decisions based on paths, network policies, or rule-sets configured by a network administrator and is involved in making core routing decisions. It Can Be Used To Find All The Networks Associated With A Particular Corporation.
nmap --script asn-query --script-args dns=8.8.8.8 <target>
BGPSimple
SMTP Enumeration
SMTP Is A Protocol Which Is Used To Deliver Emails Across The Internet, SMTP Protocol Moves Your Email Using DNS MX Records To Identify Server That It Needs To Forward Or Store An Email, It Also Works Very Closely With MTA (Mail Transfer Agents) To Make Sure It Sends An Email To Right Computer As Well As Right Email Inbox.
Once The Email Gets Inside Of Our Network It Typically Uses Protocol (POP, IMAP) To Deliver The Email Internally, But Externally On The Internet It Uses SMTP.
By Simply Sending An Email Message To A Non-Existent Address At A Target Domain Often Reveals Useful Internal Network Information Through A Non-Delivery Notification (NDN).
Default Ports:
SMTP Server (Outgoing Messages)
Non-Encrypted - AUTH - Port: 25 (or 587)
Secure (TLS) - StartTLS - Port: 587
Secure (SSL) - SSL - Port: 465
POP3 Server (Incoming Messages)
Non-Encrypted - AUTH - Port: 110
Secure (SSL) - SSL - Port: 995
VRFY Verify, If A User Exists
EXPN Expand, Show All Recipients Of An address
RCPT TO Sets The Destination Address Of The Email
VRFY Verify, If A User Exists
EXPN Expand, Show All Recipients Of An address
RCPT TO Sets The Destination Address Of The Email
FINGER Enumeration
Finger Is A Utility In Linux Operating System, By Using It You Can Check The Information Of Any User From Remote Or Local Command Line Interface.
Finger Is A Utility In Linux Operating System, By Using It You Can Check The Information Of Any User From Remote Or Local Command Line Interface.
TFTP Enumeration
Trivial File Transport Protocol Uses Udp Which Is Not Secure. It Pros And Sys Admins Typically Use TFTP For Transfer Files Remotely , Remotetly Boot System And Backup Conf, Files. By Sniffing On A TFTP Traffic We Can All Of This.
RPC Enumeration
Remote Procedure Call (RPC) Is A Protocol That One Program Can Use To Request A Service From A Program Located In Another Computer On A Network Without Having To Understand The Network's Details. By Querying An MSRPC Endpoint We Can Get List Of Services That Is Running On The Target System.
NetBIOS Enumeration
NetBIOS (Network Basic Input/Output System) Is A Program That Allows Applications On Different Computers To Communicate Within A Local Area Network (LAN). NetBIOS Software Runs On Port 139 On Windows Operating System. File And Printer Service Needs To Be Enabled To Enumerate NetBIOS.
SSH Enumeration
Secure Shell (SSH) is a cryptographic network protocol for operating network services securely over an unsecured network.
osueta
ssh_user_enum
nmap --script ssh2-enum-algos target
The Process Of Determining The Operating System Used By A Host On A Network. By Analysing Packets From A Host On A Network By Following :
IP TTL values
IP ID values
TCP Window size
TCP Options SYN and SYN+ACK
DHCP Requests
ICMP Requests
HTTP Packets (User-Agent field).
Running Services
Open Port Patterns.
Banner Grabbing
Banner Grabbing Provides Important Information About What Type And Version Of Software Is Running. Telnet Is An Easy Way To Do This Banner Grabbong For FTP, SMTP, HTTP, And Others.
Telnet <Target>
Some Extra Enumration Scripts :
HOSTMAP : nmap -p 80 --script hostmap-bfk.nse scanme.nmap.org
TRACEROUTE : nmap --traceroute --script traceroute- geolocation.nse -p 80 scanme.nmap.org
FTP : nmap --script ftp-brute -p 21
ftp <ftp server ip/ftp.server.com>
SSH : nmap --script ssh2-enum-algos <target>
HTTP : nmap -sV --script=http-userdir-enum <target>
nmap --script http-enum 192.168.1.52
nmap --script -http-enum --script-args http- enum.basepath='pub/' 192.168.1.52
nmap --script http-title -sV -p 80 192.168.1.0/24
TELNET : nmap -p 23 <ip> --script telnet-encryption
TFTP : nmap -sU -p 69 --script tftp-enum.nse --script-args
tftp-enum.filelist=customlist.txt <host>
tftp-enum.filelist=customlist.txt <host>
RPN : nmap --script=msrpc-enum <target>
Enumeration Countermeasures
- Disable Directory Indexing That Don’T Contain Index.Html Or (Default.Asp).
- Use Robots.txt To Prevent Indexing On Search Engine.
- Use A Centralized Network Admin Contact Detail In WHOIS Databases To Prevent Social Engineering Attacks.
- Disallow DNS Zone Transfers To Untrusted Hosts
- Remove Nonpublic IP Address And Hostname Details In DNS Zone Files
- PTR Records Should Only Be Used If Absolutely Needed (For SMTP Mail Servers And Other CriticaL Systems That Need To Resolve Both Ways).
- Ensure That Unnecessary Records (E.G. HINFO) Don’T Appear In DNS Zone Files.
- Configure SMTP Servers To Not Send Non-Delivery Notifications To Prevent Attackers From Enumerating The Internal Mail Servers And Configuration.
- Consider And Review Your IPV6 Networks And DNS Configuration (If Any).
Tools :
Linux :
SuperScan
WinFingerprint
IP-Tools
NetBIOS Enumerator
Hyena
Linux :
- NEET - Network Enumeration and Exploitation Tool
- Reconnoitre (DNS, SNMP)
- Bluto-Old (use it first)
- subdomains enumeration tool
- web-sorrow
- HTTPrint (Banner Gabing Server Fingerprinting)
- IKE scan (VPN Fingerprinting)
SuperScan
WinFingerprint
IP-Tools
NetBIOS Enumerator
Hyena
Sid2Username (User2SID, SID2User)
JXplorer (Open source LDAP Browser)
MIB Browser (SNMP Managment Information Base)
No comments:
Post a Comment