The process of obtaining usernames, machine names, shares, network resources, and services from a system or network is known as enumeration. The attacker establishes active connections with the system during this phase to learn more about the target and sends targeted requests. The attacker uses the information gathered by enumeration to find security flaws, allowing them to take advantage of the target system.
Information gathered during enumeration includes:
- Network Resources
- Network Shares
- Routing Tables
- Audit and Service Settings
- SNMP and fully qualified domain name (FQDN) details.
- Machine Names
- Users and Groups
- Application and Banners
Techniques
Extract usernames using email IDs
Every email address contains two parts, a username and a domain name, in the
format "username@domainname".
Extract Information using default passwords
Many online resources provide a list of default passwords assigned by
manufacturers to their products. Users often ignore recommendations to change
the default usernames and passwords provided by the manufacturer or developer
of a product. This makes it easier for an attacker to identify and take advantage of the
target system.
Brute force Active Directory
Microsoft Active Directory is susceptible to username enumeration when it
verifies user-supplied input. Attackers utilise this to compile a list of legitimate usernames. If an
attacker manages to retrieve legitimate usernames, they can employ a
brute-force attack to break the corresponding passwords.
Extract information using DNS Zone Transfer
The DNS zone transfer might be a useful technique to learn about the network
configuration of the company if the network administrator fails to correctly
configure the DNS server. Lists of all named hosts, sub-zones, and associated
IP addresses may be included in this data. The programs dig and nslookup can
be used to transfer DNS zones.
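The zone-transfer check, as an added example that is not part of the original post: the function below parses the text that `dig axfr <zone> @<server>` prints, decides whether the server honoured the transfer (a successful AXFR is bracketed by the zone's SOA record at the start and the end; a refused one prints only `; Transfer failed.`), and lists the hostnames and addresses the zone would reveal. Both dig outputs are constructed samples; `example.test` and the 192.0.2.x addresses are reserved documentation values. Running it over the output of a transfer attempted against your own authoritative servers confirms that transfers are restricted to the secondaries that need them.

```python
"""Audit a DNS zone-transfer attempt from dig's AXFR output.

Added example, not from the original post. The two dig outputs are
constructed; the record layout (name, TTL, class, type, data) is the
standard presentation format dig uses.
"""
import re

# name  ttl  IN  type  data   (fields separated by tabs or spaces)
RECORD_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$")

# Constructed sample: a misconfigured server that answers the transfer.
TRANSFER_ALLOWED = """\
; <<>> DiG 9.18.0 <<>> axfr example.test @ns1.example.test
;; global options: +cmd
example.test.\t3600\tIN\tSOA\tns1.example.test. hostmaster.example.test. 2024030101 7200 900 1209600 3600
example.test.\t3600\tIN\tNS\tns1.example.test.
ns1.example.test.\t3600\tIN\tA\t192.0.2.10
intranet.example.test.\t3600\tIN\tA\t192.0.2.20
backup.example.test.\t3600\tIN\tA\t192.0.2.21
dev.example.test.\t600\tIN\tCNAME\tintranet.example.test.
example.test.\t3600\tIN\tSOA\tns1.example.test. hostmaster.example.test. 2024030101 7200 900 1209600 3600
;; Query time: 3 msec
;; XFR size: 7 records (messages 1, bytes 250)
"""

# Constructed sample: a correctly configured server that refuses.
TRANSFER_REFUSED = """\
; <<>> DiG 9.18.0 <<>> axfr example.test @ns1.example.test
;; global options: +cmd
; Transfer failed.
"""


def parse_axfr(output):
    """Return (allowed, records); records is a list of (name, ttl, type, data)."""
    records = []
    for line in output.splitlines():
        if line.startswith(";"):
            continue  # dig comments and status lines
        m = RECORD_RE.match(line)
        if m:
            name, ttl, rtype, data = m.groups()
            records.append((name.rstrip("."), int(ttl), rtype, data))
    # A complete AXFR starts and ends with the zone's SOA record.
    allowed = len(records) >= 2 and records[0][2] == "SOA" and records[-1][2] == "SOA"
    return allowed, records


def exposed_hosts(records):
    """Hostnames with address records, as {name: [addresses]}."""
    hosts = {}
    for name, _ttl, rtype, data in records:
        if rtype in ("A", "AAAA"):
            hosts.setdefault(name, []).append(data)
    return hosts


if __name__ == "__main__":
    for label, output in (("allowed", TRANSFER_ALLOWED), ("refused", TRANSFER_REFUSED)):
        allowed, records = parse_axfr(output)
        print(f"{label}: transfer {'PERMITTED' if allowed else 'refused'}, "
              f"{len(records)} records, hosts={exposed_hosts(records)}")
```

The `allowed` result is what matters for the audit: a server that returns a full SOA-to-SOA answer to an arbitrary client is leaking its entire host inventory, and the fix is to limit transfers to the secondary servers' addresses (for example with BIND's `allow-transfer`) and ideally sign them with TSIG.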
Extract user groups from Windows
The attacker needs to be registered as a user in the Active Directory to
harvest user groups from Windows. The attacker can then utilise the Windows
interface or a command-line technique to obtain information from groups that
the user is a part of.
Extract usernames using SNMP
Attackers can often guess the read-only or read-write community strings and
then use the SNMP application programming interface (API) to extract usernames.
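The guessable community strings above are a configuration problem, so a small audit of the agent's configuration is the matching defensive check. The script below is an added example, not part of the original post: it reads a constructed Net-SNMP `snmpd.conf`, flags default community strings, write access granted by a community, and communities that accept any source, and shows the hardened equivalent that uses SNMPv3 with authentication and privacy instead of community strings. The directive names (`rocommunity`, `rwcommunity`, `createUser`, `rouser`) are real Net-SNMP directives; the passphrases are placeholders.

```python
"""Audit a Net-SNMP snmpd.conf for community strings that make SNMP
enumeration trivial.

Added example, not from the original post. Both configuration texts are
constructed; the directive names are real Net-SNMP directives.
"""
# Community strings that appear in every default-password list.
DEFAULT_COMMUNITIES = {"public", "private"}

COMMUNITY_DIRECTIVES = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"}

# Constructed weak configuration: defaults, write access, any source.
WEAK_CONF = """\
# constructed sample snmpd.conf
rocommunity public
rwcommunity private 10.0.0.0/8
sysLocation Server room
"""

# Constructed hardened configuration: SNMPv3 only, read-only, authPriv.
# createUser is normally placed in /var/lib/snmp/snmpd.conf and is consumed
# on first start so the passphrases are not kept in clear text afterwards.
HARDENED_CONF = """\
# constructed sample snmpd.conf
createUser monitor SHA "REPLACE-WITH-AUTH-PASSPHRASE" AES "REPLACE-WITH-PRIV-PASSPHRASE"
rouser monitor priv
sysLocation Server room
"""


def audit_snmpd(conf):
    """Return a list of (line_number, finding, community) for weak settings."""
    findings = []
    for lineno, raw in enumerate(conf.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive not in COMMUNITY_DIRECTIVES:
            continue
        community = parts[1] if len(parts) > 1 else ""
        # Net-SNMP syntax: r[o|w]community COMMUNITY [SOURCE [OID]];
        # no SOURCE, or the keyword 'default', means any address may use it.
        source = parts[2] if len(parts) > 2 else "default"
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append((lineno, "default community string", community))
        if directive.startswith("rw"):
            findings.append((lineno, "write access via community string", community))
        if source == "default":
            findings.append((lineno, "community accepts any source", community))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {audit_snmpd(conf) or 'no findings'}")
```

Any finding from this audit means the agent will answer a guessed community string with its full user and system tables; moving to SNMPv3 `rouser ... priv` removes the shared secret entirely, and the port list further down shows the UDP 161 exposure that should additionally be limited to the management network.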
Services and Ports to Enumerate
Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) manage
data communications between terminals in a network.
- TCP/UDP 53: DNS Zone Transfer
- TCP/UDP 135: Microsoft RPC Endpoint Mapper
- UDP 137: NetBIOS Name Service (NBNS)
- TCP 139: NetBIOS Session Service (SMB over NetBIOS)
- TCP/UDP 445: SMB over TCP (Direct Host)
- UDP 161: Simple Network Management Protocol (SNMP)
- TCP/UDP 389: Lightweight Directory Access Protocol (LDAP)
- TCP 2049: Network File System (NFS)
- TCP 25: Simple Mail Transfer Protocol (SMTP)
- TCP/UDP 162: SNMP Trap
- UDP 500: Internet Security Association and Key Management Protocol (ISAKMP)/Internet Key Exchange (IKE)
- TCP 22: Secure Shell (SSH)
- TCP/UDP 3268: Global Catalog Service
- TCP/UDP 5060, 5061: Session Initiation Protocol (SIP)
- TCP 20/21: File Transfer Protocol (FTP)
- TCP 23: Telnet
- UDP 69: Trivial File Transfer Protocol (TFTP)
- TCP 179: Border Gateway Protocol (BGP)