6.1 - Enumeration Overview


 

Key Terms: 

  • Enumeration – A method of gathering information from a system to learn more about its configurations, software, and services 

 

Enumeration 

Enumeration is a less stealthy way of collecting information from a target. The odds of getting caught are much higher, so every action must be strategic and precise. This is usually the point at which your actions can be considered illegal if carried out without proper authorisation and documentation. Enumeration is very specialised to each operating system, as there are key differences between them.

 

Email IDs 

An email address contains two parts, the username and the domain name:

  • username@domainname 


Contacts gathered during the scanning phase should go through extraction to find email addresses that could be used to access systems. 

 

Default Passwords 

A lot of devices use a default factory password such as “admin”. When a device is reset, the default password gets restored and can be used to log onto the device. These devices are often routers and virtual machines. 

 

Brute Force Attack 

A directory service is a database of information used for network administration, which makes it a very valuable target for a hacker. Some of these databases suffer from input validation weaknesses, where illegal characters or states can be entered into an input field to break the system's code. This also makes them susceptible to a brute force attack, in which an automated program tries different combinations of usernames and passwords until something works.
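From the defender's side, the tell-tale sign of the automated guessing described above is one source producing many failed logins, often against many different usernames, in a short window. The following detection routine is an added example (not part of the original notes); the sshd-style log lines, addresses and usernames are constructed, and the threshold and window are arbitrary tuning assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style log lines (not from a real system). One source tries
# many usernames in a few seconds; another user simply mistypes twice.
SAMPLE_LOG = """\
2024-03-01T10:00:01 sshd: Failed password for admin from 203.0.113.7
2024-03-01T10:00:02 sshd: Failed password for root from 203.0.113.7
2024-03-01T10:00:02 sshd: Failed password for guest from 203.0.113.7
2024-03-01T10:00:03 sshd: Failed password for backup from 203.0.113.7
2024-03-01T10:00:04 sshd: Failed password for test from 203.0.113.7
2024-03-01T10:00:05 sshd: Failed password for admin from 203.0.113.7
2024-03-01T10:00:09 sshd: Accepted password for alice from 198.51.100.4
2024-03-01T10:05:30 sshd: Failed password for alice from 198.51.100.4
2024-03-01T10:20:00 sshd: Failed password for alice from 198.51.100.4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)

def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {source_ip: (max_failures_in_window, sorted_usernames_tried)}
    for every source with at least `threshold` failed logins inside any
    sliding time window of length `window`."""
    failures = defaultdict(list)          # source -> [(timestamp, username)]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m["result"] == "Failed":
            failures[m["src"]].append((datetime.fromisoformat(m["ts"]), m["user"]))

    alerts = {}
    for src, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window start until all events fit inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and count > alerts.get(src, (0, []))[0]:
                users = sorted({u for _, u in events[start:end + 1]})
                alerts[src] = (count, users)
    return alerts
```

Two scattered failures from a legitimate user stay below the threshold, while the source cycling through five account names in four seconds is reported together with the usernames it tried.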

 

SNMP and SMTP 

SNMP (Simple Network Management Protocol) and SMTP (Simple Mail Transfer Protocol) can both be exploited to discover additional usernames. SNMP is used to manage devices like routers, hubs, and switches; it works with an SNMP agent and a management station at the application layer of the OSI model. SNMP has two default community strings, which act as passwords: public and private. If these are not changed, they grant read access to username information about network devices, routing tables, network traffic, and file shares. SMTP is the protocol most email servers use to transfer email messages. Scanning tools can verify specific email addresses and can even list all users on a distribution list.
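The practical mitigation for the SNMP weakness above is to make sure no agent still answers to the default community strings, and that each string is tied to a management source. This config auditor is an added example (not part of the original notes): it parses the Net-SNMP `rocommunity`/`rwcommunity` directive syntax, and the snmpd.conf fragment and addresses are constructed.

```python
import re

# Default community strings named in the notes; many devices ship with them.
DEFAULT_COMMUNITIES = {"public", "private"}

# Constructed snmpd.conf fragment in Net-SNMP syntax, not from a real device:
#   rocommunity|rwcommunity[6] COMMUNITY [SOURCE]
SAMPLE_SNMPD_CONF = """\
# Access control
rocommunity public
rwcommunity private 10.0.0.0/8
rocommunity s3cr3t-monitoring 192.0.2.10
rocommunity6 public
"""

COMMUNITY_RE = re.compile(
    r"^\s*(?P<directive>r[ow]community6?)\s+(?P<community>\S+)(?:\s+(?P<source>\S+))?"
)

def audit_snmp_communities(conf_text):
    """Return one finding per risky community directive: a default string,
    a string with no source restriction, or both, with the access it grants."""
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        m = COMMUNITY_RE.match(line)
        if not m:
            continue                      # comments, blank lines, other directives
        access = "read-write" if m["directive"].startswith("rw") else "read-only"
        problems = []
        if m["community"].lower() in DEFAULT_COMMUNITIES:
            problems.append("default community string")
        if m["source"] is None:
            problems.append("no source restriction")
        if problems:
            findings.append({"line": lineno, "community": m["community"],
                             "access": access, "problems": problems})
    return findings
```

The `rwcommunity private` line is the worst case: a default string that grants write access, so a remote party who guesses it can change the device configuration rather than merely read it.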

 

DNS Zone Transfers 

DNS zone transfers are a regular occurrence, which makes them another potential target. Zone transfers are designed to provide updated network and access information to DNS servers. This data is very valuable because it allows the hacker to build a reliable map of the target network.

 

System Policies 

Large systems usually have policy settings that manage how information is handled. If a hacker can access these settings, they learn a lot more about the target. The techniques involved vary with the operating system being targeted.

 

 

Enumerating a Windows System 

A default Windows system contains two accounts, Administrator and Guest. The Guest account is disabled in a default Windows system, but it is still present. Since Windows Vista, the Administrator account is also disabled by default, as an everyday user does not need the tools it provides; if this account were in use, malware could gain access to far more processes than it can while the account is disabled. Current Windows versions require a separate account to be created and granted administrator permissions before the built-in account can be enabled, so there is no possibility of the user unintentionally allowing an unwanted application or process to run in the background. Windows also comes with other account options to make it easier for businesses to control permissions for their employees quickly, and users can be assigned to groups with sets of permissions so that the administrator does not have to set them all individually. Windows assigns a security identifier (SID) to identify each user individually. This is important because it allows usernames to be changed without creating new user accounts. Hackers can use these SIDs to find accounts that may grant access to systems, such as the Administrator account (SID ending in 500) and the Guest account (SID ending in 501). SIDs can be found in the SAM (Security Accounts Manager), a part of the system registry, where password material is stored in LM and NTLM hash formats. For large networks, Microsoft's Active Directory manages this data.
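Because the SID survives a rename, a defender auditing accounts should judge them by the final SID component (the RID) rather than by display name: the real built-in Administrator is whichever account ends in 500, whatever it is called. The following SID parser and account audit are an added example (not part of the original notes); the account listing and the machine identifier in the SIDs are constructed.

```python
import re

# Well-known relative identifiers (RIDs) named in the notes: the last
# sub-authority of a local or domain SID identifies the built-in account
# no matter what the account is currently called.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest"}

SID_RE = re.compile(r"^S-1-(?P<authority>\d+)(?P<subauths>(?:-\d+)+)$")

def parse_sid(sid):
    """Split 'S-1-<authority>-<sub>-...-<rid>' into
    (identifier authority, [machine/domain sub-authorities], RID)."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a valid SID: {sid!r}")
    subs = [int(x) for x in m["subauths"].split("-")[1:]]
    return int(m["authority"]), subs[:-1], subs[-1]

# Constructed local account listing (name, SID, enabled), not from a real host.
# The machine identifier 1004336348-1177238915-682003330 is made up.
SAMPLE_ACCOUNTS = [
    ("helpdesk",      "S-1-5-21-1004336348-1177238915-682003330-500",  True),
    ("Guest",         "S-1-5-21-1004336348-1177238915-682003330-501",  False),
    ("svc_backup",    "S-1-5-21-1004336348-1177238915-682003330-1001", True),
    ("Administrator", "S-1-5-21-1004336348-1177238915-682003330-1002", True),
]

def audit_builtin_accounts(accounts):
    """Judge accounts by RID rather than by display name. Returns a list of
    (name, rid, finding) tuples for renamed built-ins, ordinary accounts
    wearing a built-in name, and built-ins that are still enabled."""
    findings = []
    for name, sid, enabled in accounts:
        _, _, rid = parse_sid(sid)
        builtin_name = WELL_KNOWN_RIDS.get(rid)
        if builtin_name and name != builtin_name:
            findings.append((name, rid, "renamed built-in account"))
        if builtin_name is None and name in WELL_KNOWN_RIDS.values():
            findings.append((name, rid, "built-in name on ordinary account"))
        if builtin_name and enabled:
            findings.append((name, rid, "built-in account enabled"))
    return findings
```

In the sample, "helpdesk" is the real built-in Administrator (RID 500) and is still enabled, while the account named "Administrator" is an ordinary user with RID 1002.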

 

List of Important Ports

TCP 21 - FTP
Port 21 is used for the File Transfer Protocol (FTP). FTP is used by all operating systems to transfer files between client and server machines.

TCP 23 - Telnet
Port 23 is used for the Telnet protocol/software. Telnet is used to connect to and run services on remote systems. Because of security concerns, Telnet is not used as frequently as it once was.

TCP 25 - SMTP
Port 25 is used for the Simple Mail Transfer Protocol (SMTP). SMTP is used to send emails between client and server and between server and server.

TCP 53 - DNS
Port 53 is used for DNS zone transfers. A DNS zone transfer is the process of transferring a copy of the DNS zone file from the primary DNS server to a secondary DNS server. Zone transfers are designed to provide updated network and access information to the DNS servers.

UDP 53 - DNS
Port 53 is used for UDP queries about IP-to-name and name-to-IP mappings.

TCP 80 - HTTP
Port 80 is used for the Hypertext Transfer Protocol (HTTP). HTTP is used by all web browsers and most web applications.

TCP 135 - RPC
Port 135 is used by the Remote Procedure Call service in Windows for client-server communications.

TCP 137 - NetBIOS
Port 137 is used by the NetBIOS Name Server (NBNS). NBNS is used to associate names with the IP addresses of systems and services.

TCP 139 - NetBIOS
Port 139 is used by the NetBIOS Session Service (SMB over NetBIOS). SMB over NetBIOS allows you to manage connections between NetBIOS clients and applications.

TCP 445 - SMB over TCP
Port 445 is used by SMB over TCP. SMB over TCP, also known as Direct Host, is a service used to improve network access. This service is available in Windows 2000 and newer.

UDP 161 and 162 - SNMP
Ports 161 and 162 are used by the Simple Network Management Protocol (SNMP). SNMP is a standard method of managing devices and software from most manufacturers.

TCP/UDP 389 - LDAP
Port 389 is used by the Lightweight Directory Access Protocol (LDAP). LDAP is an internet protocol for accessing distributed directory services. If this port is open, it indicates that Active Directory or Exchange may be in use.

TCP/UDP 3268 - Global Catalog Service
Port 3268 is used by the Global Catalog Service. The Global Catalog Service is used by Windows 2000 and later systems to locate information in Active Directory.

 

 
