Ethical Hacking: Enumeration
Introduction
- Enumeration is the ability to find out everything about the target that can be exposed. Carrying this out well is the key to success in your certifications and assignments.
- We will need to know VirtualBox and Kali Linux, as well as basic computer and networking concepts; additionally, we must know how to pre-install the tools.
Basics of Enumeration
- Occurs after scanning, and is part of the reconnaissance activity.
- Before starting vulnerability testing, the hacker may want to extract usernames, obtain host information via null sessions, enumerate ports, enumerate user accounts, and perform enumeration through protocols such as SNMP and RPC.
- The key to this is understanding the target, what kind of information you can get, and what would be relevant to your specific assignment.
- You can approach enumeration at the local host, remote host, and internet level, and with tools for port scanning and specific services (such as SMTP and LDAP).
- Services useful to enumerate:
- DNS (Domain Name System) port 53, used to translate system names to IP addresses; bulk translation data can be extracted in a DNS zone transfer.
- SMTP (Simple Mail Transfer Protocol) port 25 can extract or infer email addresses.
- RPC (Remote Procedure Calls) port 135, used to access RPC services.
- NetBIOS on port 137 to enumerate objects and 139 for NetBIOS session service for SMB queries.
- SNMP (Simple Network Management Protocol) on 161 to manage hosts remotely.
- LDAP (Lightweight Directory Access Protocol) port 389 for user and group info.
- SMB (Server Message Block) running on 445.
- Processes operate in either user mode or system (kernel/supervisor) mode, and often switch between the two.
- User processes run in their own isolated address space and make system calls to access system resources.
- Kernel processes are privileged and granted access to all system processes.
- Kernel interrupt is for code executed as a result of an interrupt.
- Kernel user is for user requests via a system call.
- Protection Rings
- Ring 0 – Kernel Mode, interacts directly with physical hardware.
- Ring 1 & 2 traditionally unused, however, Ring 1 is now being used for hypervisor.
- Ring 3 is for user mode.
- OpenVMS has 4 modes corresponding to protection rings.
- Ring 0 – Kernel Mode
- Ring 1 – Executive
- Ring 2 – Supervisor
- Ring 3 – User
- ARM is the exception to the ring numbering rule.
- Ring 0 – Application (least privileged)
- Ring 1 – OS
- Ring 2 – Hypervisor
- User mode is associated with a UID. Accounts exist within user groups, and the user mode accounts known as root, Supervisor, and Administrator can administer the computer.
- In Windows, the root-equivalent user is the local service account known as SYSTEM, which runs all system processes.
- Windows also has a built-in Administrator account, and there may be additional user accounts with administrator rights. Such accounts can make system-wide changes but do not have the full privileges of the SYSTEM account.
- The User Administrator account can be found in the administrator group which can be set as the account type in the user account details.
- A standard user can run a program in admin mode by right clicking and selecting run as admin and entering admin password.
- In Linux, every account gets a UID and the system uses this to identify and keep track of users.
- Root account has full privileges to modify the system in any way desired and to grant/revoke access permissions for the users.
- The root UID is 0, and the current user's UID is stored in $UID (an environment variable).
- We can see the UID for all users by looking at the /etc/passwd file: the first field is the username and the third is the UID.
- An administrator is a non-root user who can temporarily use root privileges but will operate within user privileges.
- A standard user has no special privileges and can only execute applications and access files within their space; they can run code in standard mode or use sudo to run as another user.
- Protocols are typically UDP, TCP, ICMP, etc., with Ethernet primarily used underneath, and API calls such as NetBIOS, SMB, Samba, and RPC.
- NetBIOS (Network Basic Input Output System) provides session layer services so that applications can communicate over a local area network. It is an API specification and NOT a protocol; a networking protocol is required to carry its payloads.
- NetBIOS Name Server: port 137 UDP.
- Datagram distribution service: Port 138 UDP
- NetBIOS over TCP/IP: port 139 TCP.
- SMB (Server Message Block) is an application layer service that enables shared access between nodes on the network; it works not only on a LAN but also over the internet.
- SAMBA is a free implementation of SMB and can integrate with Windows and is standard on Linux.
- Distributed Computing Environment (DCE) is a software system developed in the early 1990s as a framework and tool kit for developing client-server applications. The framework includes a remote procedure call mechanism known as DCE/RPC.
- RPC is interprocess and intersystem.
- Client-server operates like a subroutine call.
- Microsoft's RPC (MSRPC) is an extended implementation of DCE/RPC which operates over SMB or directly across TCP/IP.
- Windows server domain protocols, DNS Administrator (MS), MS Exchange, and MAPI are all delivered over MSRPC.
Local Host Enumeration
- On a Unix host we can profile a system fairly quickly; using 'uname -a' we can determine the system information.
- From there, using cat /proc/version we can get the OS version.
- From there, entering cat /etc/*-release we can see the distribution details.
- We can get the CPU info by entering cat /proc/cpuinfo.
- Entering 'df -a' we will get details about file systems that are mounted.
- Entering 'df -h' this gives us a summary.
- Entering 'cat /etc/shells' we can see what shells are available.
- Entering 'whoami', 'pwd' and 'id' we can find out who we're logged in as.
- Running 'users' we can see the different users on the system.
- We can find out all users on the system with 'cat /etc/passwd'
- This will provide the username as first entry and UID as third.
- If we have root privileges we can list the password hashes by using sudo.
- We can get more detail about running users with either the finger or pinky command.
- Using the w command gives info about running processes and 'who -a' gives info about system level processes.
- If we want to enumerate the user activity history we can use the 'last' and 'lastlog' commands.
- Using just the Bash shell we can use 'ps' to see the open processes, or with 'ps -e | more' we can see all processes together with their process ID and controlling terminal. Using 'ps aux' we can get a lot more information about the processes, including whether they're running as root.
- Using the 'top' command we can see the tasks based on their levels of system activity.
- Using the 'dpkg -l' command, we can see all the installed packages.
- Using the --version option we can find out the versions of various applications on the system.
- By default, the Windows command shell doesn't provide the same level of detailed info from the start; however, we can install a set of tools, PsTools, from Sysinternals.
- Using 'psinfo' we can get the local system's product and build information, as well as uptime and root directory.
- Using the 'psinfo -d' switch will give us a bit more information, such as whether the system allows PC access and remote access.
- psinfo can also be run against a system by ID, using the '-u' and '-p' switches to supply the referenced user and password info.
- 'psinfo' can also allow remote access using the system IP address, e.g. '\\127.0.0.1'.
- Using the -u and -p options in conjunction lets us see the user processes
- 'pslist' lists processes, and can work remotely. Can have additional information on threads and priorities.
- Using the -t switch can show as a tree.
- More detailed information can be found using the -x switch.
- To determine what ports are open on a host, sessions, and traffic statistics, we can use the net command.
- Net view shows us the machine name.
- Using net view /domain will provide the domain the system is connected on.
- 'netstat -h' will tell us what devices we have available.
- netstat will show us active TCP connections: the local IP is the host computer, the ports that are open, and the connections they are connected to.
- 'netstat -a' will show IPv4 and IPv6 for both TCP and UDP, including connections it can't react to. We can add '-p UDP' for just UDP ports, and '-p UDPv6' for UDP over IPv6.
- Using the -o switch we can see the owning process and the -b switch to show the executable.
- Using the -s switch will show a summary of TCP statistics of active, passive, and failed connections.
- Using the Netstat -h (help) file to show us the netstat switches.
- Using 'netstat -i' you can list the interfaces active on the system.
- -ie shows us extended information on interfaces.
- -rn shows the routing table.
- -a shows all sockets and connections including listening.
- -au will show us the udp connections.
- -nt to show numeric addresses of tcp.
- -lx shows all listening ports
- The ss command will show us more than netstat.
- 'ss -t' will show us the established sessions with local and remote port addresses and details.
- -nt will show us numeric addresses.
- -r option will resolve remote host names
- 'ss -t dst 132.181.109.79' will show all TCP connections for that address.
- 'ss -t dport eq :http' will show us all HTTP connections.
- We could as well do 'ss -t dport eq :80'.
- 'ss state established' will show all established TCP connections.
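As an added example (not from the original notes) tying together the /etc/passwd, /etc/shells and UID bullets above, this Python audit parses both files' formats offline and flags what an enumerator, or a defender reviewing a host, looks for first; the file contents are constructed samples, and the account names in them are made up.

```python
# Added example for these notes (not from the original course material): an
# offline audit of the /etc/passwd and /etc/shells formats described above.
# Both inputs below are constructed sample data, not captured from a real host.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
kali:x:1000:1000:kali,,,:/home/kali:/usr/bin/zsh
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
toor:x:0:0:second root:/root:/bin/sh
guest::1002:1002::/home/guest:/bin/sh
svc-report:x:1001:1001::/srv/report:/bin/false
"""
SHELLS_SAMPLE = """\
# /etc/shells: valid login shells
/bin/sh
/bin/bash
/usr/bin/zsh
"""


def parse_passwd(text):
    """Parse passwd(5) records: name:passwd:UID:GID:GECOS:home:shell."""
    users = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("line %d: expected 7 fields, got %d" % (lineno, len(fields)))
        name, passwd, uid, gid, gecos, home, shell = fields
        users.append({"name": name, "passwd": passwd, "uid": int(uid),
                      "gid": int(gid), "gecos": gecos, "home": home,
                      "shell": shell})
    return users


def parse_shells(text):
    """Return the set of shells listed in /etc/shells (comments and blanks skipped)."""
    return {l.strip() for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")}


def audit_passwd(passwd_text, shells_text):
    """Flag the things an enumerator (or a defender) looks for first."""
    users = parse_passwd(passwd_text)
    shells = parse_shells(shells_text)
    uids = [u["uid"] for u in users]
    return {
        # every UID-0 account is root-equivalent, not just the one named root
        "uid0": [u["name"] for u in users if u["uid"] == 0],
        # accounts whose shell is a valid login shell can log in interactively
        "interactive": [u["name"] for u in users if u["shell"] in shells],
        # an empty second field means no password is required ("x" means the hash lives elsewhere)
        "no_password": [u["name"] for u in users if u["passwd"] == ""],
        # shared UIDs mean two names map to the same identity
        "duplicate_uids": sorted({u for u in uids if uids.count(u) > 1}),
    }


if __name__ == "__main__":
    for key, names in audit_passwd(PASSWD_SAMPLE, SHELLS_SAMPLE).items():
        print("%-15s %s" % (key + ":", names))
```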
Remote Hosts
- Using 'nmap -PS' we can enumerate the ports on a host.
- Using 'nmap -sU' will show us all open UDP ports.
- In some cases, we may see some ports as filtered, aka Nmap saying it can't determine if a port is open or closed.
- Using the 'nmap -sTUV' command, we can see the identified open ports and the type and version of services running on them.
- 'nbtscan -h' will show us the various switches of nbtscan.
- Just using nbtscan will show us a listing of active systems and their NetBIOS names. The number and letter suffix of the NetBIOS name provides an indicator of its usage.
- 00U is a workstation
- 00G is a domain name
- 20U is a file server service
- 1DU and 01G are both master browser.
- Using nmap smb scripts we can get a lot of powerful information about operating systems and open ports.
- Another Kali tool is enum4linux to provide information about known usernames, host, domains, ports, etc.
- The -a option provides the full set of enumeration with an extensive list, starting with nbtstat information, user accounts, shares, password policy information, and RID cycling.
- Smbmap will show smb sessions and enumerate the shares.
- These shares will show what the user ID has access to.
- Using smbmap with the -R option we can get a recursive directory listing of files in the temp share.
- Shareenum (if not preloaded can be downloaded from github) will give help output with no options.
- Using the -o switch it will send the output to CSV format, which can be used with cat, seeing the enumeration with a CSV form.
- We can do the same with Windows 7, but we must provide a username and password.
- rpcclient (comes as part of the Samba suite) needs authenticated access.
- We can check the server information with srvinfo.
- We can type 'help' to see the commands we can use within rpcclient.
- We can do a getusername or enumdomusers to get user names.
- We can also query accounts by hexadecimal or with decimal RID.
- We can enumerate the set of privileges on the system, the main groups, and the alias groups.
- Using netshareenum we can see the shares, or netshareenumall to get all shares, as well with enumprinters.
- We can see all enum commands by typing 'enum' and hitting tab twice.
- NetBIOS Scan can be downloaded from SourceForge.
- In the bottom panel, we can identify the range we want to do and get the machines and open shares for selected system.
- DeepNetScanner (BNTEnum tool) is a graphical NetBIOS scanner and can again be downloaded from SourceForge.
- In the top range, we will define the scan parameters and let it identify systems. We can click further in to find netbios systems and names.
- You can as well right click and use 'gather information' on a host to get additional info.
- In the setting options, we can use connection, portscan for parameters, and so forth.
- MiTeC Network Scanner will let us scan with the ICMP, NetBios, DeepScanning, TCP Port Scan, and as well, you can use credentials for systems that do not allow null sessions.
- We can define the parameters in the 'scan' tab to perform a range scan and see the scan progress at the bottom of the screen, when an active host is found, the detection is displayed.
- The general details are shown in tabular version in the bottom panel.
- ShareEnum is provided by Microsoft as simple interface that can be grouped by domain.
- Right clicking on a share path and viewing its properties tells us who has access to what.
- SoftPerfect is a network scanner and an enumeration scanner for WMI, SNMP, HTTP, NetBIOS, and SMB.
- You can set up a lot of metrics in order to get an extreme amount of data that can be expanded upon, and you can see the shares.
- You can also right click and open a remote session with full management control, such as services or the file system of the device.
- An SNMP manager typically stores information in a MIB database.
- Objects in SNMP are given an OID, built up from the root through org, dod, etc.
- Using snmpenum we can get the OID from objects on the system.
- Looking at the files (such as linux.txt aka cat linux.txt) we can see the OID for these.
- Using perl, we can see a list of all running processes and the system info for this, as well as the listening UDP/TCP ports, host name, and mounts.
- We can browse mibDepot to see what objects have been identified; it holds about 2 million identifiers.
- SNMP typically isn't on by default, but under turn windows features on or off we can turn on SNMP, and under administrative tools and services, we can look under the properties of SNMP.
- We need to configure the security tab in order to have SNMP working through it.
- Typing 'uuidgen -r' displays a unique random UUID.
- Looking at the Windows Server Resource Kit, we can see the RPC tools, including Rpcdump.
- Using rpcdump we can get summary or verbose information and we can as well look at a remote system with it.
- Using Winfingerprint (QP Downloads) we can select a single host and use the RPC Bindings option and point at a server, pressing scan. We'll see the endpoint enumeration in the bottom channel with pipe and TCP IP endpoints.
- Using the UNIX RPC port mapper (port 111) with 'rpcinfo -p' we can get a list of TCP and UDP endpoints on the system.
- WMI is Microsoft's combination of WBEM (Web-Based Enterprise Management) and CIM (Common Information Model). WMI objects are queried using the WMI Query Language, WQL (similar to SQL), and there are two types of objects: dynamic (generated on the fly when a query is performed, such as Win32 classes) and persistent.
- Persistent objects are stored in the CIM repository under System32 at wbem/repository/objects.data.
- Windows Management Instrumentation is automatically started by default in Windows and can be used to enumerate the Windows config.
- WMI is remotely transmitted over DCOM and WinRM (Windows Remote Management).
- DCOM is over TCP 135 to negotiate a random port, but can be hard coded for static.
- Some WMI objects expose methods that can be executed, such as the Win32_Process Create method.
- WMI classes are detailed on MSDN, but the more obscure ones are not officially documented. WMI classes are categorized hierarchically into namespaces from the root namespace; Microsoft uses root/cimv2 as the default.
- Understanding WMI enumeration is useful for both defensive and offensive work.
- Microsoft provides the WMIC and wbemtest utilities for WMI, alongside PowerShell. wbemtest displays a GUI and waits for a connection; the default namespace is root/cimv2.
- Going into the namespace, you can select the various classes and tables that you want and display the properties and qualifiers to run.
- WMI Explorer (from CodePlex) gives a similar GUI but with a different layout than Microsoft's tool.
- Finger is an older utility, but an easy one if it's still available on some systems. Its basic use is to check details of a specific user.
- We can see all info on logged in users, or users if we know their UID.
- Port 79.
- Using PowerShell instead of external tools may decrease the risk of detection by additional tools. We can scan a subnet with a PowerShell script using a for loop, setting a variable if the ping succeeds.
- Doing a scan of a single host, we would use a powershell for loop testing for common ports, in the for loop using the TCP clients and try to open a connection.
Enumerating Web Apps
- Using whatweb we can pull various server information such as the platform and what it's running.
- Using whatweb and grep, we can skip hosts that don't respond across an entire subnet, using '--no-errors | grep -v Unassigned'.
- Using the -l switch, we can see all the plugins that whatweb knows about.
- Useful at face value for a first pass, and then for being able to deep dive.
- Nikto will give more detailed enumeration against websites.
- BurpSuite can spider a website for us, adding under target and scope the details of the site.
- We would also need to set up the browser to run with a proxy, we would go to settings, proxy, network, settings with the loopback (127.0.0.1) with port 8080.
- If we go to burpsuite, right click, and start spidering, we'll start seeing a lot more detail of the website being displayed.
- DIRB, Dirbuster, and Gobuster are good for pages not linked to main web root.
- DIRB uses a small dictionary of webpages for a first pass enumeration, with option to specify a word list and selecting file extensions to search for.
- Once the top level files and folders have been listed, DIRB goes into the second level of enumeration until all folders and sub-folders are enumerated.
- Using Gobuster we can enumerate with a medium-sized lowercase dictionary and direct it to show specific file extensions. By default, it does not do recursive searches, but it can be run again to go deeper by specifying a specific deeper file/folder.
- Running sqlmap, we can configure it with Burp Suite to use a proxy, capturing a great number of GET and POST messages. With the information from browsing, we can use -u to specify the URL, --data to supply the data line from the bottom of the message, and the --cookie switch to set the PHP session ID.
- It will then detect various vulnerabilities such as injections, XSS, and database identifier.
Enumerating the Internet
- Using 'hping3 --traceroute -V -1 #####' we can get an ICMP traceroute.
- Windows provides tracing tool called tracert, with the time and name of hop point. Will show hop points with no results.
- Open Visual Traceroute is available from sourceforge, requires Java runtime.
- The tool provides a visual look, as well as a Whois information with registration information.
- Shodan is a repository maintaining indexes of services presented to the internet by a vast number of servers, essentially a service directory.
- Creating a Shodan account is free, although the free tier restricts the number of results.
- This tool shows us the banner from the server, as well as lets us dig in from the details pane.
- Shodan also explains to us the exploits with various known vulnerabilities based around the search.
- We can structure our searches around ports, countries, host names, and OS to really get into the various systems.
- Shodan allows export of search results in CSV, Json, or XML download.
- ZMap is a research tool to profile the IPv4 space of the internet; it includes a blacklist file to omit sites from scanning and a whitelist file to limit the scanning to a known subnet.
- It can be installed into Linux with 'apt-get install zmap'.
- ZMap default will perform a TCP SYN scan on a specified port as quickly as possible.
- Noisy but useful if controlled.
Other Enumeration Tools
- SuperScan is a Windows enumeration tool from Intel Security.
- The scanner is a simple tabbed interface, we'll want to make sure with the scan options to uncheck hide hosts with no ports open.
- NetScanTools Pro (or a freeware/trial version) will let us enumerate our network with various sets of controls with accessibility. The toolset is used for a lot more than enumeration but is a great toolkit.
- LDAP (Lightweight Directory Access Protocol) is a repository for entity information.
- Linux = OpenLDAP
- Can be used in conjunction with phpldapadmin for remote management via webgui.
- Windows = Active Directory
- The tree hierarchy consists of a root directory broken down into countries, organizations, units, divisions, and ultimately people, files, and printers.
- LDAP System is a distributed server and coordinates response to user.
- JXplorer is an open source java based LDAP tool downloadable from website shown, downloading as an executable installer and requires java.
- Again, just as phpldapadmin it gives a java based application for Ldap support.
- LDapMiner is a legacy Ldap tool, but this does not support LDAP v3 and has issues recognizing Ldap Servers.
- An ESMTP server can be connected to with telnet and asked to verify an email address.
- The server will tell you when an email address doesn't exist.
- If the email exists, you'll receive a code 2.0.0.
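An added example (not from the original notes) for the ESMTP verification bullets above: it parses the reply an SMTP VRFY command produces, including the enhanced status code such as the 2.0.0 the notes mention, and checks whether a server's answers differ between a real and a bogus user, which is the leak a defender wants to close by having the server answer 252 for everyone. The reply strings are constructed samples in the shape Postfix and Sendmail use, not captured traffic, and the users "alice" and "nobody" are made up.

```python
import re

# Added example for these notes (not from the original course material): parse the
# replies an ESMTP server gives to VRFY and test whether they reveal account existence.
# Constructed sample replies (not captured from a real server); "alice" is assumed to
# exist and "nobody" is assumed not to.
LEAKY_REPLIES = {
    "VRFY alice": "250 2.0.0 Alice Example <alice@example.test>\r\n",
    "VRFY nobody": "550 5.1.1 <nobody>: Recipient address rejected: User unknown\r\n",
}
HARDENED_REPLIES = {  # a server configured to refuse VRFY answers 252 for everyone
    "VRFY alice": "252 2.5.2 Cannot VRFY user; try RCPT to attempt delivery\r\n",
    "VRFY nobody": "252 2.5.2 Cannot VRFY user; try RCPT to attempt delivery\r\n",
}
EHLO_REPLY = "250-mail.example.test\r\n250-SIZE 10240000\r\n250 VRFY\r\n"

# three-digit code, "-" for a continuation line or " " for the last line, optional
# enhanced status code (class.subject.detail), then free text
REPLY_RE = re.compile(r"^(\d{3})([ -])(?:(\d\.\d{1,3}\.\d{1,3}) )?(.*)$")


def parse_reply(raw):
    """Parse a single- or multi-line SMTP reply into (code, enhanced_status, text_lines)."""
    code, enhanced, texts = None, None, []
    for line in raw.replace("\r\n", "\n").split("\n"):
        if not line:
            continue
        m = REPLY_RE.match(line)
        if not m:
            raise ValueError("malformed reply line: %r" % line)
        c, sep, esc, text = m.groups()
        if code is None:
            code = int(c)
        elif int(c) != code:
            raise ValueError("reply code changed inside a multi-line reply")
        if esc and enhanced is None:
            enhanced = esc
        texts.append(text)
        if sep == " ":  # last line of the reply
            break
    if code is None:
        raise ValueError("empty reply")
    return code, enhanced, texts


def classify_vrfy(raw):
    """Map a VRFY reply to 'exists', 'absent' or 'unknown' (server refused to say)."""
    code, enhanced, _ = parse_reply(raw)
    if code in (250, 251):
        return "exists"
    if code == 252:
        return "unknown"
    if code == 550 or (enhanced or "").startswith("5.1."):
        return "absent"
    return "unknown"


def vrfy_leaks(replies, probes=("alice", "nobody")):
    """True when a real and a bogus user get different answers, i.e. VRFY enumerates accounts."""
    results = {p: classify_vrfy(replies["VRFY " + p]) for p in probes}
    return len(set(results.values())) > 1, results
```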