Other Enumeration Techniques - IPsec, VoIP, RPC, Unix/Linux User, IPv6, and BGP


Enumeration is the process of extracting usernames, machine names, shares, network resources, and services from a system or network. During this phase the attacker establishes active connections to the target and sends directed queries to learn more about it. The attacker then uses the information gathered by enumeration to find security flaws that allow the target system to be exploited. 


IPsec Enumeration

To secure communication between virtual private network (VPN) endpoints, IPsec uses Internet Key Exchange (IKE), Authentication Header (AH), and Encapsulating Security Payload (ESP). To create, negotiate, modify, and delete Security Associations (SAs) and cryptographic keys, most IPsec-based VPNs use the Internet Security Association and Key Management Protocol (ISAKMP), on which IKE is built. A simple probe of UDP port 500 (ISAKMP) can reveal the presence of a VPN gateway; gateways that support NAT traversal also answer on UDP port 4500. 

Attackers can probe further with a tool such as ike-scan to enumerate sensitive information, including the encryption and hashing algorithms, the authentication method (pre-shared key, RSA signature, XAUTH), the Diffie-Hellman group, and the SA life duration. If the gateway accepts Aggressive Mode with pre-shared-key authentication, ike-scan can additionally capture the PSK hash from the exchange for offline cracking. 
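As an added example (not code from the original post, and not ike-scan's own implementation), the Python below builds the same kind of IKEv1 Main Mode SA proposal that ike-scan sends to UDP/500 and decodes the transform a gateway accepts into the fields listed above. The payload layout and attribute numbers come from RFC 2408 and RFC 2409; the reply parsed offline is constructed here purely to show the format, and probe() sends the real packet to a host of your choosing.

```python
import socket
import struct

# IKEv1 / ISAKMP constants (RFC 2408, RFC 2409); only the subset this probe needs.
ISAKMP_PORT = 500
NP_NONE, NP_SA, NP_TRANSFORM = 0, 1, 3
EXCH_MAIN_MODE, EXCH_AGGRESSIVE = 2, 4
IPSEC_DOI, SIT_IDENTITY_ONLY, PROTO_ISAKMP, KEY_IKE = 1, 1, 1, 1
ATTR_NAMES = {1: "enc", 2: "hash", 3: "auth", 4: "group", 11: "life_type", 12: "life", 14: "key_len"}
ENC = {1: "DES-CBC", 5: "3DES-CBC", 7: "AES-CBC"}
HASH = {1: "MD5", 2: "SHA1"}
AUTH = {1: "PSK", 3: "RSA-Sig", 65001: "XAUTH-Init-PSK"}
GROUP = {1: "MODP-768", 2: "MODP-1024", 5: "MODP-1536", 14: "MODP-2048"}
NAMES = {"enc": ENC, "hash": HASH, "auth": AUTH, "group": GROUP}

def tv(attr_type, value):
    """Basic attribute: high bit set, 2-byte value follows the type."""
    return struct.pack("!HH", 0x8000 | attr_type, value)

def tlv(attr_type, data):
    """Variable-length attribute: high bit clear, 2-byte length, then the value."""
    return struct.pack("!HH", attr_type, len(data)) + data

def transform(num, enc, hsh, auth, group, life=28800, key_len=None, last=False):
    """One Phase 1 transform payload (Transform-Id KEY_IKE) carrying the SA attributes."""
    attrs = tv(1, enc) + tv(2, hsh) + tv(3, auth) + tv(4, group)
    if key_len:
        attrs += tv(14, key_len)
    attrs += tv(11, 1) + tlv(12, struct.pack("!I", life))  # life type = seconds, 4-byte duration
    body = struct.pack("!BBH", num, KEY_IKE, 0) + attrs
    return struct.pack("!BBH", NP_NONE if last else NP_TRANSFORM, 0, 4 + len(body)) + body

def sa_payload(transforms):
    """SA payload -> one proposal (protocol ISAKMP, no SPI) -> the given transforms."""
    prop_body = struct.pack("!BBBB", 1, PROTO_ISAKMP, 0, len(transforms)) + b"".join(transforms)
    proposal = struct.pack("!BBH", NP_NONE, 0, 4 + len(prop_body)) + prop_body
    sa_body = struct.pack("!II", IPSEC_DOI, SIT_IDENTITY_ONLY) + proposal
    return struct.pack("!BBH", NP_NONE, 0, 4 + len(sa_body)) + sa_body

def isakmp_packet(icookie, rcookie, exchange, payload):
    """28-byte ISAKMP header (cookies, next payload, version 1.0, exchange, flags, msg id, length) + payload."""
    hdr = struct.pack("!BBBBII", NP_SA, 0x10, exchange, 0, 0, 28 + len(payload))
    return icookie + rcookie + hdr + payload

def build_probe(icookie=b"\x11" * 8):
    """Main Mode SA proposal offering two transforms, in the spirit of ike-scan's default probe."""
    t1 = transform(1, enc=5, hsh=2, auth=1, group=2)                          # 3DES / SHA1 / PSK / MODP-1024
    t2 = transform(2, enc=7, hsh=2, auth=1, group=2, key_len=128, last=True)  # AES-128 / SHA1 / PSK / MODP-1024
    return isakmp_packet(icookie, b"\x00" * 8, EXCH_MAIN_MODE, sa_payload([t1, t2]))

def parse_attributes(data):
    """Decode a run of SA attributes in either TV (basic) or TLV (variable) form."""
    attrs, i = {}, 0
    while i + 4 <= len(data):
        raw_type, val = struct.unpack("!HH", data[i:i + 4])
        i += 4
        if not raw_type & 0x8000:                          # TLV form: val is the length of the value
            val, i = int.from_bytes(data[i:i + val], "big"), i + val
        attrs[ATTR_NAMES.get(raw_type & 0x7FFF, raw_type & 0x7FFF)] = val
    return attrs

def parse_sa_response(pkt):
    """Decode the SA payload of an ISAKMP packet: responder cookie, exchange type and the transforms it carries."""
    if len(pkt) < 28:
        raise ValueError("truncated ISAKMP header")
    next_payload, version, exchange, _flags, _msgid, length = struct.unpack("!BBBBII", pkt[16:28])
    if length != len(pkt) or next_payload != NP_SA or version >> 4 != 1:
        raise ValueError("not an IKEv1 packet starting with an SA payload")
    prop = 28 + 12                                         # skip SA generic header, DOI and situation
    _num, _proto, spi_size, n_trans = struct.unpack("!BBBB", pkt[prop + 4:prop + 8])
    t, transforms = prop + 8 + spi_size, []
    for _ in range(n_trans):
        _np, _res, tlen = struct.unpack("!BBH", pkt[t:t + 4])
        tnum, _tid, _res2 = struct.unpack("!BBH", pkt[t + 4:t + 8])
        transforms.append(dict(parse_attributes(pkt[t + 8:t + tlen]), number=tnum))
        t += tlen
    return {"responder_cookie": pkt[8:16].hex(), "exchange": exchange, "transforms": transforms}

def describe(attrs):
    """Map numeric attribute values to the names ike-scan prints; unknown values are passed through."""
    return {k: NAMES[k].get(v, v) if k in NAMES else v for k, v in attrs.items()}

def constructed_response(request):
    """Constructed reply (not a real capture): the gateway echoes our cookie, adds its own and accepts transform 1."""
    chosen = transform(1, enc=5, hsh=2, auth=1, group=2, last=True)
    return isakmp_packet(request[:8], bytes.fromhex("a1b2c3d4e5f60718"), EXCH_MAIN_MODE, sa_payload([chosen]))

def probe(host, timeout=3.0):
    """Live probe over UDP/500; returns the parsed answer or None on silence (not exercised offline)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.sendto(build_probe(), (host, ISAKMP_PORT))
        data, _ = s.recvfrom(4096)
    except socket.timeout:
        return None
    finally:
        s.close()
    return parse_sa_response(data)

if __name__ == "__main__":
    for t in parse_sa_response(constructed_response(build_probe()))["transforms"]:
        print(describe(t))
```

A gateway that answers at all has confirmed it speaks IKEv1; the transform it accepts tells you whether it still permits DES, MD5 or 768-bit groups, and whether a second probe with EXCH_AGGRESSIVE and auth=1 is worth sending. Only run probe() against hosts you are authorised to test.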

VoIP Enumeration

VoIP carries voice and video over an IP network and uses the Session Initiation Protocol (SIP) for call signalling. SIP services normally listen on UDP/TCP port 5060 and, for SIP over TLS, TCP port 5061; Cisco Skinny (SCCP) phones use TCP port 2000. VoIP enumeration yields sensitive information, including IP-PBX systems, VoIP phones and gateways, client software, user-agent IP addresses, and user extensions. With this information an attacker can launch many VoIP attacks, including Denial-of-Service (DoS), session hijacking, caller ID spoofing, eavesdropping, Spam over Internet Telephony (SPIT), and VoIP phishing (vishing). Tools such as svmap (part of SIPVicious) send SIP OPTIONS requests to identify SIP devices and PBX servers, and Metasploit's SIP username enumerator (auxiliary/scanner/sip/enumerator) can be used to find valid extensions. 
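As an added example (not from the original post, and not the code of svmap or the Metasploit module), the Python below builds the SIP OPTIONS probe those tools use, parses a response into the banner and method list that fingerprint a PBX, and applies the response-code heuristic extension enumerators rely on. The 200 OK it parses offline is constructed here; the existence heuristic (200/401/407 means the extension exists, 403/404 means it does not) is an assumption about how most PBXes behave, and the code treats a uniform answer as inconclusive rather than as a list of valid extensions.

```python
import re
import socket

# Constructed sample of what a PBX might answer to an OPTIONS probe (not captured from a real system).
SAMPLE_RESPONSE = (
    "SIP/2.0 200 OK\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK-1;received=192.0.2.10\r\n"
    "From: <sip:probe@192.0.2.10>;tag=1234\r\n"
    "To: <sip:probe@192.0.2.20>;tag=abcd\r\n"
    "Call-ID: 1@192.0.2.10\r\n"
    "CSeq: 1 OPTIONS\r\n"
    "Server: ExamplePBX/1.2.3\r\n"
    "Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REGISTER\r\n"
    "Content-Length: 0\r\n\r\n"
)

def build_options(target_ip, src_ip, src_port=5060, user="probe", call_id="1"):
    """Minimal SIP OPTIONS request (RFC 3261), the same kind of probe svmap sends to find SIP endpoints."""
    return (
        f"OPTIONS sip:{user}@{target_ip} SIP/2.0\r\n"
        f"Via: SIP/2.0/UDP {src_ip}:{src_port};branch=z9hG4bK-{call_id};rport\r\n"
        f"From: <sip:{user}@{src_ip}>;tag=1234\r\n"
        f"To: <sip:{user}@{target_ip}>\r\n"
        f"Call-ID: {call_id}@{src_ip}\r\n"
        "CSeq: 1 OPTIONS\r\n"
        "Max-Forwards: 70\r\n"
        "Content-Length: 0\r\n\r\n"
    ).encode()

def parse_response(raw):
    """Split a SIP response into status code, reason and a header dict (names lower-cased, values listed)."""
    head = raw.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    m = re.match(r"SIP/2\.0 (\d{3}) (.*)", lines[0])
    if not m:
        raise ValueError("not a SIP response: " + lines[0])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return {"status": int(m.group(1)), "reason": m.group(2), "headers": headers}

def fingerprint(resp):
    """Software banner (Server or User-Agent) and advertised methods, the fields VoIP enumeration is after."""
    h = resp["headers"]
    banner = (h.get("server") or h.get("user-agent") or ["unknown"])[0]
    methods = [x.strip() for x in h.get("allow", [""])[0].split(",") if x.strip()]
    return {"software": banner, "methods": methods}

def classify_extensions(results):
    """results: {extension: final status code of a REGISTER probe}. Assumed heuristic: 200/401/407 means the
    extension exists, 403/404 means it does not. If every extension draws the same code the PBX is not
    leaking anything (e.g. Asterisk with alwaysauthreject) and the result is inconclusive."""
    if len(set(results.values())) == 1:
        return [], False
    return sorted(e for e, code in results.items() if code in (200, 401, 407)), True

def send_options(host, src_ip, port=5060, timeout=3.0):
    """Live probe over UDP; returns the parsed response or None on silence (not exercised offline)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.sendto(build_options(host, src_ip), (host, port))
        data, _ = s.recvfrom(4096)
    except socket.timeout:
        return None
    finally:
        s.close()
    return parse_response(data.decode("utf-8", "replace"))
```

The Server/User-Agent banner usually names the PBX product and version, and the Allow header shows which methods it will accept from an unauthenticated source; both feed directly into picking the attacks listed above. The inconclusive branch of classify_extensions() is the check worth keeping: an enumerator that reports every extension as valid has been fooled by a PBX that answers 401 to everything.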

RPC Enumeration

Remote Procedure Call (RPC) lets clients and servers in distributed applications invoke procedures across the network. The port mapper (rpcbind) listens on TCP and UDP port 111 and tells clients which port each registered RPC program and version is listening on. Enumerating these registrations lets attackers identify potentially vulnerable services (NFS, mountd, NIS and so on) together with the ports they use. Nmap can identify RPC services with nmap -sR <target IP/network> (in current Nmap versions -sR simply enables version detection, -sV, which includes RPC grinding) or nmap -T4 -A <target IP/network>; the classic query is rpcinfo -p <target IP>. NetScanTools Pro can also be used to collect RPC information. 
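As an added example (not from the original post, and not rpcinfo's or Nmap's code), the Python below implements the portmapper DUMP call that rpcinfo -p makes: an ONC RPC v2 CALL for PMAPPROC_DUMP with AUTH_NULL credentials, and a parser for the list of program/version/protocol/port mappings in the reply. The reply decoded offline is constructed to show the wire format; rpc_dump() sends the real call over UDP/111 to a host you name.

```python
import socket
import struct

PMAP_PROG, PMAP_VERS, PMAPPROC_DUMP = 100000, 2, 4          # portmapper program, version and DUMP procedure
RPC_CALL, RPC_REPLY, MSG_ACCEPTED, SUCCESS, AUTH_NULL = 0, 1, 0, 0, 0
PROTO_NAME = {6: "tcp", 17: "udp"}
PROG_NAME = {100000: "portmapper", 100003: "nfs", 100005: "mountd", 100021: "nlockmgr", 100024: "status"}

def build_dump_call(xid):
    """ONC RPC v2 CALL for PMAPPROC_DUMP (RFC 1833) with AUTH_NULL credentials and verifier; 40 bytes."""
    header = struct.pack("!IIIIII", xid, RPC_CALL, 2, PMAP_PROG, PMAP_VERS, PMAPPROC_DUMP)
    cred = verf = struct.pack("!II", AUTH_NULL, 0)
    return header + cred + verf

def constructed_dump_reply(xid, mappings):
    """Constructed reply (not a capture) shaped the way rpcbind answers an accepted DUMP call."""
    out = struct.pack("!IIIIII", xid, RPC_REPLY, MSG_ACCEPTED, AUTH_NULL, 0, SUCCESS)
    for prog, vers, prot, port in mappings:
        out += struct.pack("!IIIII", 1, prog, vers, prot, port)   # "more" flag, then one pmap entry
    return out + struct.pack("!I", 0)                              # end of list

def parse_dump_reply(data, xid):
    """Decode an accepted DUMP reply into the program/version/protocol/port mappings it lists."""
    if len(data) < 24:
        raise ValueError("truncated RPC reply")
    rxid, mtype, rstat = struct.unpack("!III", data[:12])
    if rxid != xid or mtype != RPC_REPLY:
        raise ValueError("not the reply to our call")
    if rstat != MSG_ACCEPTED:
        raise ValueError(f"call denied (reply_stat={rstat})")
    _flavor, vlen = struct.unpack("!II", data[12:20])
    off = 20 + ((vlen + 3) & ~3)                                   # skip verifier body, XDR-padded to 4 bytes
    (astat,) = struct.unpack("!I", data[off:off + 4])
    off += 4
    if astat != SUCCESS:
        raise ValueError(f"call not executed (accept_stat={astat})")
    mappings = []
    while True:
        (more,) = struct.unpack("!I", data[off:off + 4])
        off += 4
        if not more:
            return mappings
        prog, vers, prot, port = struct.unpack("!IIII", data[off:off + 16])
        off += 16
        mappings.append({"program": prog, "name": PROG_NAME.get(prog, str(prog)), "version": vers,
                         "proto": PROTO_NAME.get(prot, str(prot)), "port": port})

def exposed_programs(mappings):
    """Names of registered programs other than the portmapper itself, the services worth a closer look."""
    return sorted({m["name"] for m in mappings if m["program"] != PMAP_PROG})

def rpc_dump(host, timeout=3.0):
    """Live equivalent of `rpcinfo -p` over UDP/111 (not exercised offline)."""
    xid = 0x5A5A0001
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.sendto(build_dump_call(xid), (host, 111))
        data, _ = s.recvfrom(65535)
    except socket.timeout:
        return None
    finally:
        s.close()
    return parse_dump_reply(data, xid)
```

The ports returned for mountd, nlockmgr and status are usually dynamic, which is why scanning port 111 alone tells you little and the DUMP output is what actually directs the follow-up scan. If you move this to TCP, each RPC message must be prefixed with a 4-byte record marker (length with the high bit set); UDP needs no framing.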

Unix/Linux User Enumeration

Unix/Linux user enumeration is one of the most useful enumeration steps. It produces a list of user accounts together with details such as login name, the host each user logged in from, and the date and time of login. The following command-line utilities can be used to perform it; they depend on the rusersd, rwhod and fingerd services, which are rarely enabled on modern systems but still turn up on legacy hosts.
  • /usr/bin/rusers: Displays a list of users who are logged on to remote machines or machines on the local network (queries the rusersd RPC service).
  • rwho: Displays a list of users who are logged on to hosts on the local network (uses the broadcasts that rwhod sends on UDP port 513). 
  • finger: Displays information about system users, such as login name, real name, terminal name, idle time, login time, office location, and office phone number (queries fingerd on TCP port 79). Command: finger @<IP> lists the users currently logged on. Once you have usernames, finger <username>@<IP> returns the details for one account.
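As an added example (not from the original post, and not the finger utility's own code), the Python below is a small RFC 1288 client that performs the two-step procedure just described: an empty query to list logged-on users, then a query per username. The listing it parses offline is a constructed sample in the usual BSD column layout, not output from a real host.

```python
import socket

# Constructed sample of a `finger @host` listing (not output from a real system).
SAMPLE_LISTING = (
    "Login      Name              Tty      Idle  Login Time   Office     Office Phone\n"
    "alice      Alice Liddell     pts/0       2  Sep 12 10:03 (10.0.0.5)\n"
    "bob        Bob Builder      *pts/1      1d  Sep 11 08:17 (10.0.0.9)\n"
    "svc_backup Backup Service    tty1     3:12  Sep 10 23:58\n"
)

def finger_query(host, user="", verbose=False, port=79, timeout=5.0):
    """RFC 1288 client: an empty query lists logged-on users, a username asks about one account,
    and the /W prefix requests the verbose form. Reads until the server closes the connection."""
    query = ("/W " if verbose else "") + user + "\r\n"
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(query.encode("ascii"))
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks).decode("utf-8", "replace")

def usernames_from_listing(text):
    """Pull login names (first column) out of a finger listing, skipping the header, blank lines
    and the 'No one logged on' message; order is preserved and duplicates (multiple ttys) dropped."""
    names = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Login") or line.startswith("No one"):
            continue
        login = line.split()[0]
        if login not in names:
            names.append(login)
    return names

def enumerate_users(host):
    """The procedure from the text: list logins with `finger @host`, then `finger user@host` for each.
    Network use only; returns {username: raw finger output}."""
    users = usernames_from_listing(finger_query(host))
    return {u: finger_query(host, u) for u in users}
```

Usernames harvested this way (service accounts like svc_backup in the sample are the interesting ones) feed straight into password guessing against SSH or other services on the same host, which is the reason fingerd is normally disabled.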

IPv6 Enumeration

An IPv6 address identifies a host and the network it sits on, and is what routers use to forward traffic to it. Because a single IPv6 subnet (/64) is far too large to sweep, attackers enumerate targets' IPv6 addresses through side channels such as SNMP and then scan the resulting list of addresses for security issues. With this information attackers can launch attacks such as SYN floods, DNS amplification, and DDoS attacks. 

Tools

  • Enyx (github.com) is an enumeration tool that fetches the IPv6 address of a machine through SNMP. Command: python enyx.py 2c public <target IP>
  • IPv6 Hackit (ipv6hackit.sourceforge.net)
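As an added example (not from the original post, and not Enyx's code or output format), the Python below decodes what an SNMP walk of IP-MIB's ipAddressTable (1.3.6.1.2.1.4.34) returns into IPv6 addresses, which is the data Enyx extracts from an agent. The table's index is the address type, the address length and the address octets, so the addresses are recovered from the OIDs themselves. The walk output is a constructed sample in the numeric form snmpwalk -On prints, assuming a read-only community of public; no SNMP request is made.

```python
import ipaddress
import re

IP_ADDRESS_IF_INDEX = "1.3.6.1.2.1.4.34.1.3"   # IP-MIB ipAddressIfIndex; index = addrType . addrLen . addr octets

# Constructed `snmpwalk -On -v2c -c public <host> 1.3.6.1.2.1.4.34.1.3` output (not from a real device).
SAMPLE_WALK = """\
.1.3.6.1.2.1.4.34.1.3.1.4.192.0.2.10 = INTEGER: 2
.1.3.6.1.2.1.4.34.1.3.2.16.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1 = INTEGER: 1
.1.3.6.1.2.1.4.34.1.3.2.16.254.128.0.0.0.0.0.0.2.12.41.255.254.171.205.239 = INTEGER: 2
.1.3.6.1.2.1.4.34.1.3.2.16.32.1.13.184.0.0.0.0.0.0.0.0.0.0.0.16 = INTEGER: 2
"""

def decode_index(index_parts):
    """index_parts: integers after the column OID, i.e. addrType, length, then `length` octets."""
    addr_type, length, octets = index_parts[0], index_parts[1], index_parts[2:]
    if len(octets) != length:
        raise ValueError("InetAddress length does not match the OID index")
    if addr_type == 1 and length == 4:
        return "ipv4", str(ipaddress.IPv4Address(bytes(octets)))
    if addr_type == 2 and length == 16:
        return "ipv6", str(ipaddress.IPv6Address(bytes(octets)))
    raise ValueError(f"unsupported InetAddressType {addr_type} with length {length}")

def parse_walk(text):
    """Turn numeric snmpwalk lines for ipAddressIfIndex into {family, address, ifindex} rows."""
    prefix = "." + IP_ADDRESS_IF_INDEX + "."
    rows = []
    for line in text.splitlines():
        m = re.match(r"(\.[\d.]+) = INTEGER: (\d+)", line)
        if not m or not m.group(1).startswith(prefix):
            continue
        parts = [int(p) for p in m.group(1)[len(prefix):].split(".")]
        family, addr = decode_index(parts)
        rows.append({"family": family, "address": addr, "ifindex": int(m.group(2))})
    return rows

def ipv6_targets(text, skip_link_local=True, skip_loopback=True):
    """IPv6 addresses worth scanning from a walk: by default drops ::1 and fe80::/10, which are
    not reachable from outside the link and only clutter the target list."""
    out = []
    for r in parse_walk(text):
        if r["family"] != "ipv6":
            continue
        a = ipaddress.IPv6Address(r["address"])
        if (skip_loopback and a.is_loopback) or (skip_link_local and a.is_link_local):
            continue
        out.append(r["address"])
    return out
```

The same decoding applies to any other column of ipAddressTable (ipAddressType, ipAddressPrefix), since they share the index; walking the column once and keeping the ifindex also tells you which interface, and therefore which network, each global address belongs to.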

BGP Enumeration

Border Gateway Protocol (BGP) is the routing protocol that exchanges reachability and routing information between the autonomous systems (AS) that make up the Internet. Using tools such as Nmap and Hurricane Electric's BGP Toolkit, attackers perform BGP enumeration to find the IPv4 prefixes announced under the target's AS number and the routing paths the target's traffic takes. With this information attackers can mount attacks against the target such as DoS attacks, BGP hijacking, and man-in-the-middle attacks. 

We hope this helps. If you have any suggestions or doubts you can add a comment and we will reply as soon as possible. 
