NWHK CHAP4-Network Hacking - Enumeration v.1

The document discusses network enumeration techniques. It describes enumeration as the process of identifying active services on a target system to discover potential vulnerabilities. It covers various enumeration methods like RPC, RMI, SMB, NetBIOS, SNMP, and LDAP enumeration. Tools discussed include nmap, Metasploit, nmblookup, and others for gathering service information, usernames, shares, and other details for analysis of attack surfaces.

Uploaded by shemanthram

Topic 4 – ET0741

Network Hacking
(Enumeration)

ET0741 Network Hacking


Official (Open)

OBJECTIVES

▪ Describe the concept of enumeration
▪ Explain the different techniques for service enumeration
▪ Explain the different countermeasures to enumeration

Concepts of Enumeration
▪ The process of identifying active services on a target system to discover the potential attack surface or attack vectors, such as:
▪ Lists of usernames and groups
▪ Hostnames
▪ Running services
▪ Application banners
▪ etc.

Service Enumeration
▪ To determine the services running on a target
▪ Extract running service information:
nmap -sV [IP address]
▪ Use the extracted service information to search for vulnerabilities and exploits:
▪ Exploit Database (https://www.exploit-db.com/) (POC: proof of concept)
▪ Google Search
▪ VulDB (https://vuldb.com/)

Service Enumeration
▪ Enumeration can be performed on the following:
▪ RPC enumeration
▪ RMI enumeration
▪ SMB enumeration
▪ NetBIOS enumeration
▪ SNMP enumeration
▪ LDAP enumeration

Remote Procedure Calls


▪ A service that allows remote systems to use resources across the network
▪ The resources do not reside on the requesting system: they appear on a separate remote system, and the local system makes a request for them, e.g.
▪ Sharing of storage
▪ Sharing of printers
▪ Etc.
▪ Common implementations of the RPC program mapper are portmap and rpcbind
▪ The portmapper assigns a port number to each service
▪ Application programs use the portmapper to determine the port assigned
▪ It therefore acts as a directory service

Remote Procedure Calls

The portmapper is like the help desk of a mall: it tells you where to find what you are looking for.

Remote Procedure Calls


In summary:
▪ Registration of the mapping (RPC program number / port number): when the RPC server starts, it tells the portmapper that port number 2049 for nfs is associated with RPC program number 1003.
▪ Lookup: the RPC client asks the portmapper which port is associated with program number 1003 (nfs), so that it can connect to the server.
Source: https://www.ithands-on.com/2020/10/networking-101-nfs-network-file-system.html
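
The registration and lookup steps above, worked through in Python as an added example that is not part of the slides: a toy in-memory portmapper answers PMAPPROC_SET and PMAPPROC_GETPORT calls encoded in the ONC RPC v2 XDR layout. The transaction ids are constructed; 100003 is the nfs program number as listed in /etc/rpc (the slide quotes 1003), and nothing here touches the network.

```python
import struct

PMAP_PROG, PMAP_VERS, PMAPPROC_SET, PMAPPROC_GETPORT = 100000, 2, 1, 3  # ONC RPC v2 / portmapper (RFC 5531, RFC 1833)
IPPROTO_TCP, IPPROTO_UDP = 6, 17
NFS_PROG = 100003  # nfs program number as listed in /etc/rpc (the slide quotes 1003)

def rpc_call_header(xid, prog, vers, proc):
    """CALL header followed by an empty AUTH_NONE credential and verifier, as big-endian XDR uint32s."""
    return struct.pack(">IIIIII", xid, 0, 2, prog, vers, proc) + bytes(16)
def build_set(xid, prog, vers, proto, port):
    """PMAPPROC_SET: what an RPC server sends at start-up to register (prog, vers, proto) -> port."""
    return rpc_call_header(xid, PMAP_PROG, PMAP_VERS, PMAPPROC_SET) + struct.pack(">IIII", prog, vers, proto, port)
def build_getport(xid, prog, vers, proto):
    """PMAPPROC_GETPORT: what an RPC client sends to ask which port serves (prog, vers, proto)."""
    return rpc_call_header(xid, PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT) + struct.pack(">IIII", prog, vers, proto, 0)

class Portmapper:
    """Minimal in-memory portmapper: decodes SET/GETPORT calls and produces accepted replies."""
    def __init__(self):
        self.table = {}  # (prog, vers, proto) -> port
    def handle(self, msg):
        xid, msg_type, rpcvers, prog, vers, proc = struct.unpack(">IIIIII", msg[:24])
        if msg_type != 0 or rpcvers != 2 or prog != PMAP_PROG:
            raise ValueError("not a portmapper CALL")
        a_prog, a_vers, a_proto, a_port = struct.unpack(">IIII", msg[40:56])  # after the 16 auth bytes
        if proc == PMAPPROC_SET:
            self.table[(a_prog, a_vers, a_proto)] = a_port
            result = 1  # XDR bool: registration accepted
        elif proc == PMAPPROC_GETPORT:
            result = self.table.get((a_prog, a_vers, a_proto), 0)  # 0 means "nothing registered"
        else:
            raise ValueError("unsupported procedure")
        # REPLY: xid, MSG_ACCEPTED, AUTH_NONE verifier (flavor, length), SUCCESS, then the result
        return struct.pack(">IIIIII", xid, 1, 0, 0, 0, 0) + struct.pack(">I", result)

def parse_reply(reply, expected_xid):
    """Validate an accepted reply for our xid and return its single uint32 result."""
    xid, msg_type, reply_stat, _vflav, vlen, accept_stat = struct.unpack(">IIIIII", reply[:24])
    if xid != expected_xid or msg_type != 1 or reply_stat != 0 or accept_stat != 0:
        raise ValueError("call was not accepted")
    return struct.unpack(">I", reply[24 + vlen:28 + vlen])[0]

def demo():
    """Register nfs v4 over TCP on 2049, then look it up as a client (or rpcinfo -p) would."""
    pm = Portmapper()
    pm.handle(build_set(0x1001, NFS_PROG, 4, IPPROTO_TCP, 2049))  # constructed xids
    found = parse_reply(pm.handle(build_getport(0x1002, NFS_PROG, 4, IPPROTO_TCP)), 0x1002)
    missing = parse_reply(pm.handle(build_getport(0x1003, NFS_PROG, 4, IPPROTO_UDP)), 0x1003)
    return found, missing  # (2049, 0)
```

From the defender's side this is exactly what an exposed rpcbind discloses to any client that asks; a GETPORT answered with 0 means nothing is registered for that (program, version, protocol) triple.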

RPC Enumeration Tool


▪ Metasploit SunRPC scanner

Metasploit is a framework: a framework encompasses multiple software tools.

Version 4 is preferred because it runs over TCP, which acknowledges messages, so it is more reliable over a WAN; on a local LAN the other versions can still be used.

Remote Method Invocation

▪ Remote Procedure Calls in Java
▪ The portmapper equivalent in Java is rmiregistry
▪ Programs running RMI register with the rmiregistry program
▪ Any client can check rmiregistry for the registered services.

Figure: RMI architecture diagram (source: https://image1.slideserve.com/2172277/rmi-architecture-l.jpg)

RMI Enumeration Tool


▪ Metasploit RMI Scanner

Server Message Block (SMB)

▪ Most common implementation of RPC
▪ Used on Windows networks for
▪ File sharing
▪ Network management
▪ System administration
▪ Etc.

Server Message Block (SMB)


▪ Application layer protocol
▪ Can be used with different protocols at the lower OSI layers:
▪ Over TCP on port 445
▪ Over NetBIOS on UDP 137 and 138
▪ NetBIOS over TCP on TCP 137 and 139
▪ NetBIOS is used for name resolution
▪ Authentication is not always necessary
▪ Support for null authentication:
▪ No username
▪ No password

SMB Enumeration Tool


▪ Windows built-in tool nbtstat

SMB Enumeration Tool


▪ Kali with the Samba package installed.
▪ Use nmblookup (-S: node status, -B: broadcast)

SMB Enumeration Tool


▪ NetBIOS suffixes (the table is not reproduced here; no need to memorise it)

Source: https://en.wikipedia.org/wiki/NetBIOS

NetBIOS Enumeration Tool


▪ Nmap
▪ Use the Nmap Scripting Engine (NSE) to discover NetBIOS shares on a network.
▪ Scripts folder: /usr/share/nmap/scripts/
nmap -sV -v --script nbstat.nse <ip address>
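
Added example (not from the slides): a Python builder and parser for the RFC 1002 NODE STATUS RESPONSE that nbtstat, nmblookup -S and nbstat.nse all decode, mapping each advertised name's suffix byte to its meaning. The host names, workgroup, MAC address and transaction id in SAMPLE are constructed, and SUFFIXES holds only a handful of entries from the table the suffix slide refers to.

```python
import struct

# A few NetBIOS suffix meanings from the table the slide refers to (RFC 1001 / Microsoft docs)
SUFFIXES = {0x00: "Workstation Service", 0x03: "Messenger Service", 0x1B: "Domain Master Browser",
            0x1D: "Master Browser", 0x1E: "Browser Service Elections", 0x20: "File Server Service"}
NBSTAT = 0x0021  # RR_TYPE of a NODE STATUS request/response (RFC 1002 4.2.17 / 4.2.18)

def first_level_encode(raw16):
    """RFC 1001 first-level encoding of a 16-byte NetBIOS name: every nibble becomes a letter 'A'..'P'."""
    return b"".join(bytes([(b >> 4) + 0x41, (b & 0x0F) + 0x41]) for b in raw16)

def build_node_status_response(trn_id, names, mac):
    """Construct the NODE STATUS RESPONSE a host returns to nbtstat -A, nmblookup -S or nbstat.nse."""
    header = struct.pack(">HHHHHH", trn_id, 0x8400, 0, 1, 0, 0)  # response + authoritative, ANCOUNT=1
    rr_name = b"\x20" + first_level_encode(b"*" + bytes(15)) + b"\x00"  # the wildcard name queried
    rdata = bytes([len(names)])
    for name, suffix, group in names:
        flags = (0x8000 if group else 0) | 0x0400  # G bit = group name, ACT bit = name is active
        rdata += name.ljust(15).encode("ascii") + bytes([suffix]) + struct.pack(">H", flags)
    rdata += mac + bytes(40)  # STATISTICS: unit id (the MAC) followed by counters we leave at zero
    return header + rr_name + struct.pack(">HHIH", NBSTAT, 1, 0, len(rdata)) + rdata

def parse_node_status_response(pkt):
    """Return ([(name, suffix, is_group, meaning), ...], mac) from a NODE STATUS RESPONSE."""
    _trn_id, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", pkt[:12])
    if not flags & 0x8000 or ancount != 1:
        raise ValueError("not a node status response")
    pos = 12
    while pkt[pos]:  # skip the RR_NAME labels (length-prefixed, zero-terminated)
        pos += 1 + pkt[pos]
    pos += 1
    rr_type, _rr_class, _ttl, _rdlen = struct.unpack(">HHIH", pkt[pos:pos + 10])
    pos += 10
    if rr_type != NBSTAT:
        raise ValueError("RR_TYPE is not NBSTAT")
    count, pos = pkt[pos], pos + 1
    entries = []
    for _ in range(count):  # each NODE_NAME entry is 15 name bytes, 1 suffix byte, 2 flag bytes
        raw, suffix = pkt[pos:pos + 15], pkt[pos + 15]
        nflags = struct.unpack(">H", pkt[pos + 16:pos + 18])[0]
        entries.append((raw.decode("ascii").rstrip(), suffix, bool(nflags & 0x8000),
                        SUFFIXES.get(suffix, "unknown suffix")))
        pos += 18
    return entries, pkt[pos:pos + 6].hex(":")

# Constructed sample: a file server that is also master browser of workgroup LAB (names and MAC made up)
SAMPLE = build_node_status_response(0x1234, [("FILESRV01", 0x00, False), ("LAB", 0x00, True),
                                             ("FILESRV01", 0x20, False), ("LAB", 0x1D, True)],
                                    bytes.fromhex("001122334455"))
```

Reading the suffixes is what turns a raw reply into "this host offers the File Server Service and is master browser of LAB", which is also what a defender's own hosts reveal to anyone on the segment over UDP 137.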

NetBIOS Enumeration Tool


▪ Enumerate SMB shares:
nmap -sV -v --script smb-enum-shares.nse <ip address>

Three levels of verbosity: -v, -vv, -vvv

A trailing $ in a share name denotes an administrative (hidden) share.

NetBIOS Enumeration Tool


▪ NetBIOS Enumerator
▪ Windows-based, open-source tool
▪ Explores and scans the network to identify security vulnerabilities

SNMP Enumeration Tool


▪ Simple Network Management Protocol (SNMP)
▪ Widely used in network management for network monitoring
▪ The administrative computer is called the manager
▪ A managed system runs a software component called the agent
▪ The manager queries the agent on port 161; the agent sends traps to the manager on port 162, for example to alert on a link outage
Source: https://en.wikipedia.org/wiki/Simple_Network_Management_Protocol


SNMP Enumeration Tool

▪ Application layer protocol; uses UDP ports 161 and 162
▪ 3 versions (v1, v2c and v3)
▪ Information is stored in management information bases (MIBs)
▪ MIBs are data structures described using Abstract Syntax Notation One (ASN.1)
▪ Each node or data element gets an object identifier (OID), e.g. iso.3.6.1.2.1.1.1.0 resolves to the device name
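
Added example (not from the slides) of how the OID on this slide is carried on the wire: BER encoding and decoding of object identifiers, and decoding of the VarBind an agent returns, with the MIB-2 system group names from RFC 1213 (where iso.3.6.1.2.1.1.1.0 is sysDescr.0). The sysDescr value in SAMPLE_VARBIND is constructed.

```python
MIB2_SYSTEM = {1: "sysDescr", 2: "sysObjectID", 3: "sysUpTime", 4: "sysContact", 5: "sysName", 6: "sysLocation", 7: "sysServices"}  # RFC 1213 system group, under 1.3.6.1.2.1.1

def parse_oid(text):
    """Accept net-snmp style 'iso.3.6.1...' or plain '1.3.6.1...' and return a tuple of integer arcs."""
    return tuple(1 if a == "iso" else int(a) for a in text.split("."))

def encode_oid(arcs):
    """BER OBJECT IDENTIFIER (X.690 8.19): arcs 1-2 packed as 40*X+Y, then base-128 with continuation bits."""
    body = bytearray()
    for arc in (40 * arcs[0] + arcs[1],) + tuple(arcs[2:]):
        chunk = bytearray([arc & 0x7F])
        while arc := arc >> 7:  # higher 7-bit groups go in front, each with the 0x80 continuation bit
            chunk.insert(0, 0x80 | (arc & 0x7F))
        body += chunk
    return bytes([0x06, len(body)]) + bytes(body)  # short-form length is enough for OIDs under 128 bytes

def decode_oid(data):
    """Inverse of encode_oid; rejects a wrong tag, a wrong length, or a dangling continuation byte."""
    if data[0] != 0x06 or len(data) != 2 + data[1] or data[-1] & 0x80:
        raise ValueError("malformed OID")
    arcs, cur = [], 0
    for b in data[2:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    head = (2, arcs[0] - 80) if arcs[0] >= 80 else (arcs[0] // 40, arcs[0] % 40)
    return head + tuple(arcs[1:])

def oid_name(arcs):
    """Symbolic name for an instance in the MIB-2 system group, else the dotted numeric form."""
    if arcs[:7] == (1, 3, 6, 1, 2, 1, 1) and len(arcs) == 9 and arcs[7] in MIB2_SYSTEM:
        return f"{MIB2_SYSTEM[arcs[7]]}.{arcs[8]}"
    return ".".join(map(str, arcs))

def decode_varbind(data):
    """Decode one VarBind SEQUENCE { OID, OCTET STRING } as carried in a GetResponse (short-form lengths)."""
    if data[0] != 0x30:
        raise ValueError("not a SEQUENCE")
    inner = data[2:2 + data[1]]
    oid_tlv = inner[:2 + inner[1]]
    value = inner[len(oid_tlv):]
    if value[0] != 0x04:
        raise ValueError("value is not an OCTET STRING")
    return oid_name(decode_oid(oid_tlv)), value[2:2 + value[1]].decode("ascii")
# Constructed sample: the varbind an agent would return for the slide's OID iso.3.6.1.2.1.1.1.0
_val = b"Linux lab-router 5.10"
_payload = encode_oid(parse_oid("iso.3.6.1.2.1.1.1.0")) + bytes([0x04, len(_val)]) + _val
SAMPLE_VARBIND = bytes([0x30, len(_payload)]) + _payload
```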

SNMP Enumeration Tool

▪ Scan for SNMP-enabled network devices to monitor, diagnose and troubleshoot security issues.
▪ snmpwalk
▪ snmp-check
▪ SoftPerfect Network Scanner (https://www.softperfect.com/products/networkscanner/)

LDAP Enumeration

▪ The Lightweight Directory Access Protocol is used to access directory listings, e.g. Active Directory (AD) or other directory services; it is also the link to Active Directory from a different OS
▪ Uses TCP port 389 for LDAP
▪ TCP port 636 for LDAPS
▪ Softerra LDAP Administrator (https://www.ldapadministrator.com/download.htm)
▪ JXplorer (http://jxplorer.org/)

Summary

▪ The process of enumeration gathers information further up the network stack, beyond IP addresses and ports.
▪ Operation of RPC
▪ Covered the usage of different enumeration tools for Windows and Linux targets and for various services.
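
From the defender's side, an added example (not from the slides) of what the enumeration covered in this chapter looks like in a connection log: a Python detector that flags any source probing several of the chapter's service ports within a short window. The log format and the addresses in SAMPLE_LOG are constructed, and ports 111 (rpcbind) and 1099 (rmiregistry) are standard defaults the slides do not state.

```python
from collections import defaultdict
from datetime import datetime

# Ports the chapter's enumeration targets listen on, (proto, port) -> service. The slides give the SMB,
# NetBIOS, SNMP and LDAP ports; 111 (rpcbind/portmapper) and 1099 (rmiregistry) are standard defaults.
ENUM_PORTS = {("tcp", 111): "rpcbind", ("udp", 111): "rpcbind", ("tcp", 1099): "rmiregistry",
              ("tcp", 445): "smb", ("udp", 137): "netbios-ns", ("udp", 138): "netbios-dgm",
              ("tcp", 139): "netbios-ssn", ("udp", 161): "snmp", ("tcp", 389): "ldap", ("tcp", 636): "ldaps"}

def parse_line(line):
    """Parse one constructed 'timestamp key=value ...' connection-log line into a dict."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    rec["dport"] = int(rec["dport"])
    return rec

def enumeration_sweeps(lines, window_s=300, min_services=3):
    """Flag every source that touches at least min_services distinct enumeration services within
    window_s seconds. Returns {src: sorted list of 'service@dst' strings} for the flagged sources."""
    per_src = defaultdict(list)
    for rec in map(parse_line, lines):
        svc = ENUM_PORTS.get((rec["proto"], rec["dport"]))
        if svc:  # everything else (web, mail, ...) is ignored by this rule
            per_src[rec["src"]].append((rec["ts"], f"{svc}@{rec['dst']}"))
    flagged = {}
    for src, events in per_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):  # slide a window that starts at each event in turn
            hits = {name for t, name in events[i:] if (t - t0).total_seconds() <= window_s}
            if len({n.split("@")[0] for n in hits}) >= min_services:
                flagged[src] = sorted(hits)
                break
    return flagged

# Constructed sample log: 10.0.0.5 sweeps one host's SMB, NetBIOS, SNMP, LDAP and rpcbind ports within
# ten seconds; 10.0.0.9 is a monitoring server that only polls SNMP; 10.0.0.7 just browses HTTPS.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z src=10.0.0.5 dst=10.0.0.20 proto=tcp dport=445
2024-05-01T10:00:02Z src=10.0.0.5 dst=10.0.0.20 proto=udp dport=137
2024-05-01T10:00:05Z src=10.0.0.5 dst=10.0.0.20 proto=udp dport=161
2024-05-01T10:00:07Z src=10.0.0.5 dst=10.0.0.20 proto=tcp dport=389
2024-05-01T10:00:09Z src=10.0.0.5 dst=10.0.0.20 proto=tcp dport=111
2024-05-01T10:00:30Z src=10.0.0.9 dst=10.0.0.20 proto=udp dport=161
2024-05-01T10:05:30Z src=10.0.0.9 dst=10.0.0.21 proto=udp dport=161
2024-05-01T10:00:40Z src=10.0.0.7 dst=10.0.0.20 proto=tcp dport=443
""".splitlines()
```

A legitimate SNMP manager polls one service repeatedly and is never flagged, while a host that walks rpcbind, NetBIOS, SMB, SNMP and LDAP on the same target in seconds is; tune window_s and min_services to the network's own baseline.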
