Week 5 - Enumeration

The document covers various network scanning and enumeration techniques, detailing methods for extracting information such as usernames and services from systems. It includes specific ports and protocols used for enumeration, such as DNS, NetBIOS, SNMP, and LDAP, along with their potential vulnerabilities. Additionally, it discusses countermeasures to mitigate enumeration risks.

Uploaded by

amal98.alaskari
Copyright © All Rights Reserved

DACS4202 Penetration Testing

Enumeration

Dr. Omar Alkadri


Previously - Scanning Networks Techniques
◈ Network Scanning Concepts
◈ Scanning Techniques for Host Discovery
◈ Scanning Techniques for Port Service Discovery
◈ Scanning Techniques for OS Discovery
◈ Scanning Beyond IDS and Firewall
◈ Network Scanning Countermeasures

Overview - Enumeration
◈ Enumeration Concepts
◈ NetBIOS Enumeration
◈ SNMP Enumeration and LDAP Enumeration
◈ NTP and NFS Enumeration
◈ SMTP and DNS Enumeration
◈ IPsec, VoIP, RPC, Unix/Linux, and SMB Enumeration
◈ Enumeration Countermeasures

Enumeration Concepts
Enumeration is the process of extracting usernames, machine names, network resources, shares, and services from a system or network.
Services and Ports to Enumerate 1/5
Port Number - Purpose: Meaning

TCP/UDP 53 - DNS: The DNS server uses UDP as its default protocol. In the case of lengthy queries for which UDP fails, TCP is used as a failover solution. Malware such as the ADM worm and the Bonk Trojan uses port 53 to exploit vulnerabilities.

TCP/UDP 135 - Microsoft RPC Endpoint Mapper: Remote Procedure Call (RPC) is a protocol used by a client system to request a service from a server. The RPC Endpoint Mapper enables RPC clients to determine the port number currently assigned to a specific RPC service. There is a flaw in the part of RPC that exchanges messages over TCP/IP: the incorrect handling of malformed messages causes failure. This affects the RPC Endpoint Mapper, which listens on TCP/IP port 135. This vulnerability could allow an attacker to send RPC messages to the RPC Endpoint Mapper process on a server to launch a denial-of-service (DoS) attack.

UDP 137 - NetBIOS Name Service (NBNS): Also known as Windows Internet Name Service (WINS), NBNS provides a name-resolution service for computers running NetBIOS. NetBIOS name servers maintain a database of the NetBIOS names for hosts and the corresponding IP address each host is using. NBNS aims to match IP addresses with NetBIOS names and queries. Attackers usually attack the name service first.

Services and Ports to Enumerate 2/5
Port Number - Purpose: Meaning

TCP 139 - NetBIOS Session Service (SMB over NetBIOS): TCP 139 is perhaps one of the most well-known Windows ports. It is used to transfer files over a network. Systems use this port for both null-session establishment and file and printer sharing. A system administrator considering the restriction of access to ports on a Windows system should make the restriction of TCP 139 a top priority. An improperly configured TCP 139 port can allow an intruder to gain unauthorized access to critical system files or the complete file system, resulting in data theft or other malicious activities.

TCP/UDP 445 - Server Message Block (SMB) over TCP: Windows supports file- and printer-sharing traffic using the Server Message Block (SMB) protocol directly hosted on TCP. In earlier OSs, SMB traffic required the NetBIOS over TCP (NBT) protocol to work on TCP/IP transport. Directly hosted SMB traffic uses port 445 (TCP and UDP) instead of NetBIOS.

UDP 161 - Simple Network Management Protocol (SNMP): SNMP is widely used in network management systems to monitor network-attached devices such as routers, switches, firewalls, printers, and servers. It consists of a manager and agents. The agent receives requests on port 161 from the managers and responds to the managers on port 162.

Services and Ports to Enumerate 3/5
Port Number - Purpose: Meaning

TCP/UDP 162 - SNMP Trap: An SNMP trap is an unsolicited message sent from a network device to a management station, typically to notify of significant events or issues. It uses TCP/UDP port 162 to send notifications such as optional variable bindings and the sysUpTime value from an agent to a manager.

TCP/UDP 389 - Lightweight Directory Access Protocol (LDAP): LDAP is a protocol for accessing and maintaining distributed directory information services over an IP network. By default, LDAP uses TCP or UDP as its transport protocol over port 389.

TCP 2049 - Network File System (NFS): The NFS protocol is used to mount file systems on a remote host over a network, and users can interact with the file systems as if they were mounted locally. NFS servers listen for their client systems on TCP port 2049. If NFS services are not properly configured, then attackers may exploit the NFS protocol to gain control over a remote system, perform privilege escalation, inject backdoors or malware on a remote host, etc.

TCP 25 - Simple Mail Transfer Protocol (SMTP): SMTP is a TCP/IP mail delivery protocol. It transfers email across the Internet and across local networks. It runs on the connection-oriented service provided by TCP and uses the well-known port number 25.

Services and Ports to Enumerate 4/5
Port Number - Purpose: Meaning

UDP 500 - Internet Security Association and Key Management Protocol (ISAKMP)/Internet Key Exchange (IKE): ISAKMP/IKE is a protocol used to set up a security association (SA) in the IPsec protocol suite. It uses UDP port 500 to establish, negotiate, modify, and delete SAs and cryptographic keys in a virtual private network (VPN) environment.

TCP 22 - Secure Shell (SSH) / Secure File Transfer Protocol (SFTP): SSH is a command-level protocol mainly used for managing various networked devices securely. It is generally used as an alternative to the unsecure Telnet protocol. SSH uses the client/server communication model, and the SSH server, by default, listens for its clients on TCP port 22. Attackers may exploit the SSH protocol by brute-forcing SSH login credentials. SFTP, by default, also uses port 22, facilitating the secure exchange of data over a single Internet connection. This designated port for SFTP enhances its security and simplicity compared to protocols such as FTP/S that require multiple ports for operation. SFTP's reliance on just one port makes its use more straightforward while it continues to secure data transfers through SSH encryption. Attackers enumerate SFTP to gather information about user accounts, file and directory permissions, and the server's configuration.

TCP 20/21 - File Transfer Protocol (FTP): FTP is a connection-oriented protocol used for transferring files over the Internet and private networks. FTP is controlled on TCP port 21, and for data transmission, FTP uses TCP port 20 or some dynamic port numbers depending on the server configuration. If attackers identify that FTP server ports are open, they perform enumeration on FTP to find information such as the software version and the state of existing vulnerabilities to perform further exploitation such as sniffing of FTP traffic and FTP brute-force attacks.

Services and Ports to Enumerate 5/5
Port Number - Purpose: Meaning

TCP 23 - Telnet: The Telnet protocol is used for managing various networked devices remotely. It is an unsecure protocol because it transmits login credentials in cleartext. Therefore, it is mostly used in private networks. The Telnet server listens for its clients on port 23. Attackers can take advantage of the Telnet protocol to perform banner grabbing on other protocols such as SSH and SMTP, brute-force attacks on login credentials, port-forwarding attacks, etc.

UDP 69 - Trivial File Transfer Protocol (TFTP): TFTP is a connectionless protocol used for transferring files over the Internet. TFTP depends on connectionless UDP; therefore, it does not guarantee the proper transmission of the file to the destination. TFTP is mainly used to update or upgrade software and firmware on remote networked devices. It uses UDP port 69 for transferring files to a remote host. Attackers may exploit TFTP to install malicious software or firmware on remote devices.

TCP 179 - Border Gateway Protocol (BGP): BGP is widely used by Internet service providers (ISPs) to maintain huge routing tables and for efficiently processing Internet traffic. BGP routers establish sessions on TCP port 179. The misconfiguration of BGP may lead to various attacks such as dictionary attacks, resource-exhaustion attacks, flooding attacks, and hijacking attacks.
NetBIOS Enumeration

NetBIOS
NetBIOS was originally developed as an API for client software to access local area network (LAN) resources. Windows uses NetBIOS for file and printer sharing.
To enumerate the NetBIOS names, the remote system must have enabled file and printer sharing.
NetBIOS enumeration may allow an attacker to read or write to a remote computer system, depending on the availability of shares, or launch a DoS attack.
Nbtstat Parameters and their respective functions

-a <RemoteName>: Displays the NetBIOS name table of a remote computer, where RemoteName is the remote computer's NetBIOS computer name.
-A <IPaddress>: Displays the NetBIOS name table of a remote computer, as specified by the remote computer's IP address (in dotted decimal notation).
-c: Lists the contents of the NetBIOS name cache, the table of NetBIOS names and their resolved IP addresses.
-n: Displays the names registered locally by NetBIOS applications such as the server and redirector.
-r: Displays the total number of names resolved by a broadcast or WINS server.
-R: Removes all #PRE entries from LMHOSTS and clears the name cache. LMHOSTS (C:\Windows\System32\drivers\etc\lmhosts) was used for name-to-IP address mapping in networks that rely on NetBIOS, particularly before the widespread adoption of DNS.
-RR: All names are released and reregistered with the name server.
-s: The NetBIOS sessions table is listed, with destination IP addresses converted to computer NetBIOS names.
-S: Lists the current NetBIOS sessions, along with their status and IP addresses.
Interval: Displays selected statistics again, pausing for the amount of time specified in Interval between each display.
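What nbtstat -A actually does is send a NetBIOS Name Service node-status query (record type 0x21) for the wildcard name "*" to UDP 137 and decode the name table in the reply. The following is an added example, not part of the slides or of any tool they mention: it implements the RFC 1001/1002 first-level name encoding, builds that query so you can recognise it in a capture, and parses a response into the same name/suffix/type table nbtstat prints. The response bytes are constructed inline (host WORKSTATION1 in workgroup WORKGROUP with file sharing enabled) and are not a real capture; the suffix meanings listed are the common ones and not exhaustive.

```python
import struct

# Common NetBIOS name suffixes seen in a node-status (nbtstat -A style) table.
SUFFIX_MEANING = {
    0x00: "workstation service / workgroup name",
    0x03: "messenger service",
    0x1B: "domain master browser",
    0x1D: "master browser",
    0x1E: "browser service elections",
    0x20: "file server service",
}

def encode_netbios_name(name: str, suffix: int, pad: bytes = b" ") -> bytes:
    """First-level encoding from RFC 1001 section 14.1: pad the name to 15 bytes, append the
    suffix byte, then write each nibble of the 16 bytes as a letter 'A'..'P'. The wildcard
    '*' used by node-status queries is padded with NUL bytes rather than spaces."""
    raw = name.encode("ascii").ljust(15, pad) + bytes([suffix])
    return bytes(b for byte in raw for b in (0x41 + (byte >> 4), 0x41 + (byte & 0x0F)))

def build_node_status_query(txid: int = 0x1234) -> bytes:
    """The NBSTAT (type 0x21) request that a node-status lookup puts on the wire:
    one question for the wildcard name '*', class IN, flags 0 (unicast query)."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    qname = b"\x20" + encode_netbios_name("*", 0x00, pad=b"\x00") + b"\x00"
    return header + qname + struct.pack(">HH", 0x0021, 0x0001)

def _skip_name(data: bytes, pos: int) -> int:
    """Step over a label sequence (or a 2-byte compression pointer)."""
    while True:
        length = data[pos]
        pos += 1
        if length == 0:
            return pos
        if length & 0xC0 == 0xC0:
            return pos + 1
        pos += length

def parse_node_status_response(data: bytes) -> dict:
    """Decode the name table and unit ID (MAC) from an NBSTAT response (RFC 1002 4.2.18)."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", data[:12])
    if not flags & 0x8000 or ancount < 1:
        raise ValueError("not an NBNS response carrying an answer")
    pos = 12
    for _ in range(qdcount):                 # question entries, if the responder echoed any
        pos = _skip_name(data, pos) + 4
    pos = _skip_name(data, pos)
    rtype, _, _, rdlen = struct.unpack(">HHIH", data[pos:pos + 10])
    pos += 10
    if rtype != 0x0021:
        raise ValueError("answer is not an NBSTAT record")
    rdata = data[pos:pos + rdlen]
    names, off = [], 1
    for _ in range(rdata[0]):                # NUM_NAMES entries of 18 bytes each
        entry = rdata[off:off + 18]
        off += 18
        nflags = struct.unpack(">H", entry[16:18])[0]
        names.append({
            "name": entry[:15].rstrip(b" ").decode("ascii", "replace"),
            "suffix": entry[15],
            "meaning": SUFFIX_MEANING.get(entry[15], "other"),
            "group": bool(nflags & 0x8000),      # G bit: group name rather than unique name
            "active": bool(nflags & 0x0400),     # ACT bit
        })
    mac = rdata[off:off + 6]                    # UNIT_ID field at the start of STATISTICS
    return {"txid": txid, "names": names, "mac": ":".join(f"{b:02X}" for b in mac)}

def sample_response() -> bytes:
    """Constructed response (not a capture) such as a host WORKSTATION1 in workgroup
    WORKGROUP with file sharing enabled would return to build_node_status_query(0x1234)."""
    entries = [(b"WORKSTATION1", 0x00, 0x0400), (b"WORKGROUP", 0x00, 0x8400),
               (b"WORKSTATION1", 0x20, 0x0400)]
    rdata = bytes([len(entries)])
    for raw, suffix, nflags in entries:
        rdata += raw.ljust(15, b" ") + bytes([suffix]) + struct.pack(">H", nflags)
    rdata += bytes.fromhex("001122334455") + bytes(40)      # unit ID, then zeroed statistics
    header = struct.pack(">HHHHHH", 0x1234, 0x8400, 0, 1, 0, 0)
    rr_name = b"\x20" + encode_netbios_name("*", 0x00, pad=b"\x00") + b"\x00"
    return header + rr_name + struct.pack(">HHIH", 0x0021, 0x0001, 0, len(rdata)) + rdata

if __name__ == "__main__":
    table = parse_node_status_response(sample_response())
    for n in table["names"]:
        kind = "GROUP " if n["group"] else "UNIQUE"
        print(f"{n['name']:<16}<{n['suffix']:02X}>  {kind}  {n['meaning']}")
    print("MAC Address =", table["mac"])
```

The <20> entry is the one that matters from a hardening point of view: it only appears when the file server service is registered, which is exactly the file-and-printer-sharing condition the slide names as the precondition for NetBIOS enumeration, so a parser like this run over captured UDP 137 traffic tells you which hosts are advertising shares.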
Net View is a command-line utility that displays a list of computers in a specified workgroup or shared resources available on a specified computer.
SNMP & LDAP Enumeration
nmap -p 389 --script ldap-brute --script-args ldap.base="dc=nmap,dc=org" <target>
NTP and NFS Enumeration

SMTP and DNS Enumeration
Status 250 is Success; Status 550 is Failure.
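The 250/550 distinction is what makes SMTP user enumeration work, and it is also what makes it easy to spot on the server side. The following added example (not from the slides) runs over a constructed excerpt of an SMTP server log: it counts VRFY, EXPN and RCPT TO probes per client and flags a client whose probes mostly draw 550 replies, which is the signature of someone walking a username list rather than delivering mail. The log line format, the addresses and the thresholds are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample of an SMTP server log (not a real capture): one client probes
# mailboxes with VRFY, the other delivers a normal message.
SAMPLE_LOG = """\
2024-05-01T10:00:01 203.0.113.5 C: VRFY root
2024-05-01T10:00:01 203.0.113.5 S: 250 2.1.5 root <root@mail.example>
2024-05-01T10:00:02 203.0.113.5 C: VRFY admin
2024-05-01T10:00:02 203.0.113.5 S: 550 5.1.1 admin... User unknown
2024-05-01T10:00:02 203.0.113.5 C: VRFY backup
2024-05-01T10:00:03 203.0.113.5 S: 550 5.1.1 backup... User unknown
2024-05-01T10:00:03 203.0.113.5 C: VRFY alice
2024-05-01T10:00:03 203.0.113.5 S: 250 2.1.5 alice <alice@mail.example>
2024-05-01T10:00:04 203.0.113.5 C: VRFY bob
2024-05-01T10:00:04 203.0.113.5 S: 550 5.1.1 bob... User unknown
2024-05-01T10:01:00 198.51.100.9 C: MAIL FROM:<carol@partner.example>
2024-05-01T10:01:00 198.51.100.9 S: 250 2.1.0 Ok
2024-05-01T10:01:01 198.51.100.9 C: RCPT TO:<alice@mail.example>
2024-05-01T10:01:01 198.51.100.9 S: 250 2.1.5 Ok
"""

# Assumed log format: "<timestamp> <client-ip> C|S: <text>" (C = client command, S = server reply).
LINE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<dir>[CS]): (?P<text>.*)$")
# Commands that reveal whether a mailbox exists through the 250/550 reply.
PROBE_CMDS = ("VRFY", "EXPN", "RCPT TO")

def summarise_probes(log: str) -> dict:
    """Per client IP, count address-probing commands and how the server answered them
    (250 = the address exists, 550 = it does not, as on the slide)."""
    stats = defaultdict(lambda: {"probes": 0, "250": 0, "550": 0})
    pending = {}          # ip -> last probe command still waiting for its reply
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ip, text = m["ip"], m["text"]
        if m["dir"] == "C":
            cmd = text.upper()
            if cmd.startswith(PROBE_CMDS):
                stats[ip]["probes"] += 1
                pending[ip] = cmd
            else:
                pending.pop(ip, None)
        elif ip in pending:
            code = text[:3]
            if code in ("250", "550"):
                stats[ip][code] += 1
            pending.pop(ip)
    return dict(stats)

def flag_enumeration(stats: dict, min_probes: int = 3, min_failure_ratio: float = 0.5) -> list:
    """A client that issues many probes and collects a high share of 550s is guessing
    names; a legitimate sender gets 250 for the one recipient it actually means."""
    flagged = []
    for ip, s in stats.items():
        if s["probes"] >= min_probes and s["550"] / s["probes"] >= min_failure_ratio:
            flagged.append(ip)
    return sorted(flagged)

if __name__ == "__main__":
    summary = summarise_probes(SAMPLE_LOG)
    for ip, s in summary.items():
        print(f"{ip:<15} probes={s['probes']} ok={s['250']} unknown={s['550']}")
    print("flagged:", flag_enumeration(summary))
```

The usual countermeasure is to disable VRFY and EXPN on the MTA; RCPT TO cannot be disabled, so the ratio check above is what catches enumeration that moves to RCPT TO after the other verbs are turned off.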
A DNS Zone Transfer is a mechanism used in the Domain Name System (DNS) to replicate DNS data from one DNS server to another. It ensures consistency and synchronization of DNS records between authoritative servers, primarily between a primary/master DNS server and one or more secondary/slave DNS servers.

Recursive DNS Query
A recursive query asks a DNS server to perform the full resolution process on behalf of the client and return the final answer. If the DNS server doesn't already have the requested information cached, it queries other DNS servers (such as root servers, TLD servers, or authoritative servers) until it finds the answer.
Process:
1. A client (e.g., your browser or application) sends a recursive query to a DNS resolver (e.g., your ISP's DNS server or a public resolver like Google DNS).
2. If the resolver already has the requested record in its cache, it immediately returns the answer.
3. If the resolver doesn't have the record cached, it queries other DNS servers in the hierarchy (root servers → TLD servers → authoritative servers) to resolve the domain name.
4. Once it finds the answer, it returns it to the client and caches the result for future queries.

Non-Recursive DNS Query
A non-recursive query asks a DNS server to respond only with the information it already knows or has cached. The server does not query other DNS servers to resolve the domain name. If the requested record isn't in its cache, the server responds with a failure or a referral to another server.
Process:
1. A client sends a non-recursive query to a DNS server.
2. The server:
   • Checks its cache or local zone file for the requested DNS record.
   • If the record exists in the cache, the server returns the answer.
   • If the record doesn't exist, the server responds with a referral to another DNS server or an error (e.g., "not found").
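On the wire the only difference between the two query types is one header bit, the RD (recursion desired) flag. The following added example (not from the slides) builds DNS query packets with and without that flag and feeds them to a constructed toy resolver that behaves as the two processes above describe: it answers from its cache, walks a stand-in for the root → TLD → authoritative hierarchy when RD is set and caches the result, and returns an NS referral instead of recursing when RD is clear. All names, addresses and the referral server are constructed, and names are written uncompressed, so the parser deliberately does not handle the compression pointers real servers emit.

```python
import struct

TYPE_A, TYPE_NS = 1, 2
RCODE_NXDOMAIN = 3

def encode_name(name: str) -> bytes:
    """Wire-format a dotted name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_name(pkt: bytes, pos: int):
    """Read an uncompressed name at pos; return (name, position after it)."""
    labels = []
    while pkt[pos] != 0:
        n = pkt[pos]
        labels.append(pkt[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels) + ".", pos + 1

def build_query(name: str, recursion_desired: bool = True, txid: int = 0x1234) -> bytes:
    """An A query; RD (0x0100) is the only difference between recursive and non-recursive."""
    flags = 0x0100 if recursion_desired else 0x0000
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", TYPE_A, 1)

def _rr(name: str, rtype: int, rdata: bytes) -> bytes:
    """Resource record: name, type, class IN, TTL 300, RDLENGTH, RDATA."""
    return encode_name(name) + struct.pack(">HHIH", rtype, 1, 300, len(rdata)) + rdata

class ToyResolver:
    """Constructed model of the two slide processes. `cache` is what the server already
    knows; `hierarchy` stands in for the root -> TLD -> authoritative walk a recursive
    query triggers; `referral` is the server named when a non-recursive query misses."""

    def __init__(self, cache: dict, hierarchy: dict, referral: str = "ns1.referral.example."):
        self.cache = dict(cache)
        self.hierarchy = hierarchy
        self.referral = referral
        self.upstream_queries = 0     # how often recursion actually left this server

    def handle(self, query: bytes) -> bytes:
        txid, flags = struct.unpack(">HH", query[:4])
        rd = bool(flags & 0x0100)
        name, qend = decode_name(query, 12)
        question = query[12:qend + 4]          # echoed back in the response
        ip = self.cache.get(name)               # step 2: cache / local zone lookup
        if ip is None and rd:
            self.upstream_queries += 1          # recursive step 3: ask the hierarchy
            ip = self.hierarchy.get(name)
            if ip is not None:
                self.cache[name] = ip           # recursive step 4: cache for next time
        answers, authority, rcode = b"", b"", 0
        if ip is not None:
            answers = _rr(name, TYPE_A, bytes(int(o) for o in ip.split(".")))
        elif not rd:
            authority = _rr(name, TYPE_NS, encode_name(self.referral))  # non-recursive miss
        else:
            rcode = RCODE_NXDOMAIN                                      # recursion found nothing
        rflags = 0x8000 | 0x0080 | (0x0100 if rd else 0) | rcode       # QR, RA, echo RD, RCODE
        header = struct.pack(">HHHHHH", txid, rflags, 1, 1 if answers else 0,
                             1 if authority else 0, 0)
        return header + question + answers + authority

def parse_response(pkt: bytes) -> dict:
    """Pull RCODE, A answers and NS referrals out of a response (uncompressed names only)."""
    _, flags, qd, an, ns, _ = struct.unpack(">HHHHHH", pkt[:12])
    pos = 12
    for _ in range(qd):
        pos = decode_name(pkt, pos)[1] + 4
    out = {"rcode": flags & 0xF, "ra": bool(flags & 0x0080), "answers": [], "referrals": []}
    for _ in range(an + ns):
        _, pos = decode_name(pkt, pos)
        rtype, _, _, rdlen = struct.unpack(">HHIH", pkt[pos:pos + 10])
        pos += 10
        if rtype == TYPE_A:
            out["answers"].append(".".join(str(b) for b in pkt[pos:pos + 4]))
        elif rtype == TYPE_NS:
            out["referrals"].append(decode_name(pkt, pos)[0])
        pos += rdlen
    return out

if __name__ == "__main__":
    r = ToyResolver({"www.example.com.": "192.0.2.10"}, {"www.example.org.": "198.51.100.7"})
    for name, rd in [("www.example.com.", False), ("www.example.org.", False),
                     ("www.example.org.", True), ("www.example.org.", False)]:
        print(name, "RD" if rd else "no-RD", parse_response(r.handle(build_query(name, rd))),
              "upstream queries so far:", r.upstream_queries)
```

The fourth call in the usage block is the point of the example: after one recursive lookup the record is cached, so the same name now answers to a non-recursive query too. That cache-visible difference is what cache-snooping enumeration relies on, and why resolvers that serve the Internet should answer recursive queries only for their own clients.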
IPsec, VoIP, RPC, Unix/Linux, and SMB Enumeration

Enumeration Countermeasures

Summary
◈ Enumeration Concepts
◈ NetBIOS Enumeration
◈ SNMP Enumeration and LDAP Enumeration
◈ NTP and NFS Enumeration
◈ SMTP and DNS Enumeration
◈ IPsec, VoIP, RPC, Unix/Linux, and SMB Enumeration
◈ Enumeration Countermeasures

Questions?
Thank You For Listening
See You in The Labs
