Introduction to Enumeration


The process of obtaining usernames, machine names, shares, network resources, and services from a system or network is known as enumeration. The attacker establishes active connections with the system during this phase to learn more about the target and sends targeted requests. The attacker uses the information gathered by enumeration to find security flaws, allowing them to take advantage of the target system. 


Enumeration can reveal information such as:

  • Network Resources
  • Network Shares
  • Routing Tables
  • Audit and Service Settings
  • SNMP and fully qualified domain name (FQDN) details
  • Machine Names
  • Users and Groups
  • Applications and Banners

Depending on the organisation's policy and the applicable laws, enumeration activities may be prohibited. Before carrying out an enumeration, an ethical hacker or pen tester should always obtain the necessary authorisation.

Techniques

Extract usernames using email IDs

Every email address contains two parts, a username and a domain name, in the format "username@domainname". The username portion is frequently the same as the person's login name, so a list of an organisation's email addresses yields a list of candidate usernames.

Extract Information using default passwords

Many online resources provide a list of default passwords assigned by manufacturers to their products. Users often ignore recommendations to change the default usernames and passwords provided by the manufacturer or developer of a product. This makes it easier for an attacker to identify and take advantage of the target system.

Brute force Active Directory

Microsoft Active Directory is susceptible to username enumeration when it verifies user-supplied input. Attackers utilise this to compile a list of legitimate usernames. Once an attacker has retrieved legitimate usernames, they can employ a brute-force attack against the corresponding passwords.

Extract information using DNS Zone Transfer

A DNS zone transfer can be a useful technique for learning about a company's network configuration if the network administrator has not correctly configured the DNS server. The data returned may include a list of all named hosts, sub-zones and their associated IP addresses. The programs dig and nslookup can be used to request DNS zone transfers.
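As an added example (not code from the original post), the following Python script audits a BIND-style named.conf for zones whose effective allow-transfer ACL permits any host, which is the misconfiguration that makes the zone transfer technique above work. The configuration text, zone names and address are constructed placeholders, and a zone with no allow-transfer setting at either level is treated as unrestricted (an assumption based on BIND's historical default).

```python
# Added example: flag BIND zones that allow zone transfers (AXFR) from any host.
import re

# Constructed sample named.conf; zone names and the address are placeholders.
SAMPLE_NAMED_CONF = """
options {
    directory "/var/named";
    allow-transfer { any; };
};
zone "corp.example" {
    type primary;
    file "corp.example.db";
};
zone "secure.example" {
    type primary;
    file "secure.example.db";
    allow-transfer { 192.0.2.53; };
};
"""

_ZONE_RE = re.compile(r'zone\s+"([^"]+)"\s*\{(.*?)\n\};', re.S)
_OPTIONS_RE = re.compile(r'options\s*\{(.*?)\n\};', re.S)
_XFER_RE = re.compile(r'allow-transfer\s*\{([^}]*)\}')


def _transfer_acl(block):
    """Return the allow-transfer ACL entries in a config block, or None if absent."""
    m = _XFER_RE.search(block)
    if not m:
        return None
    return [e.strip() for e in m.group(1).split(';') if e.strip()]


def unrestricted_transfer_zones(conf):
    """Names of zones whose effective allow-transfer ACL permits any host.

    A zone without its own allow-transfer inherits the options{} setting; if
    neither sets one, the zone is reported (assumption: BIND's historical
    default allows transfers to all hosts).
    """
    opts = _OPTIONS_RE.search(conf)
    global_acl = _transfer_acl(opts.group(1)) if opts else None
    exposed = []
    for name, body in _ZONE_RE.findall(conf):
        acl = _transfer_acl(body)
        if acl is None:
            acl = global_acl  # inherit the global setting
        if acl is None or 'any' in acl:
            exposed.append(name)
    return exposed
```

Confirm what the running server actually enforces by requesting an authorised transfer with dig against each authoritative server, since the file on disk and the loaded configuration can differ.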

Extract user groups from Windows

The attacker needs to be registered as a user in the Active Directory to harvest user groups from Windows. The attacker can then utilise the Windows interface or a command-line technique to obtain information from groups that the user is a part of. 

Extract usernames using SNMP

Attackers can often guess the read-only or read-write community strings and then use the SNMP application programming interface (API) to extract usernames.

Services and Ports to Enumerate

Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) manage data communications between terminals in a network. Services and ports commonly enumerated include:

  • TCP/UDP 53: DNS Zone Transfer
  • TCP/UDP 135: Microsoft RPC Endpoint Mapper 
  • UDP 137: NetBIOS Name Service (NBNS)
  • TCP 139: NetBIOS Session Service (SMB over NetBIOS)
  • TCP/UDP 445: SMB over TCP (Direct Host) 
  • UDP 161: Simple Network Management Protocol (SNMP) 
  • TCP/UDP 389: Lightweight Directory Access Protocol (LDAP) 
  • TCP 2049: Network File System (NFS)
  • TCP 25: Simple Mail Transfer Protocol (SMTP)
  • TCP/UDP 162: SNMP Trap
  • UDP 500: Internet Security Association and Key Management Protocol (ISAKMP)/Internet Key Exchange (IKE)
  • TCP 22: Secure Shell (SSH)
  • TCP/UDP 3268: Global Catalog Service
  • TCP/UDP 5060, 5061: Session Initiation Protocol (SIP)
  • TCP 20/21: File Transfer Protocol (FTP)
  • TCP 23: Telnet
  • UDP 69: Trivial File Transfer Protocol (TFTP)
  • TCP 179: Border Gateway Protocol (BGP)
