Category: Enumeration

Posted on by

NTP enumeration for beginners

Hello, aspiring Ethical Hackers. In our previous blogpost, you learnt what is enumeration, why it is important in pen testing and what are the various types of enumeration. In this blogpost, you will learn about NTP enumeration.

What is NTP?

NTP stands for Network Time Protocol. Network Time protocol is used to synchronize clocks of networked computers. In simple words, NTP is used to maintain same time on all the computers of the same network. NTP runs on UDP port 123.

What information does NTP enumeration reveal?

NTP enumeration can reveal valuable information such as list of hosts connected to the NTP server, their IP addresses, system names, target server’s operating system etc.

How to perform NTP enumeration?

There are many tools to perform enumerate NTP but for this article, let’s see how to perform it using Nmap scripting engine. Yes, Nmap has specific scripts to enumerate NTP. One such script is “ntp-info.nse”. The “ntp-info.nse” script reveals time and configuration variables from the NTP server. Let’s see how to use it.

As you can see, the above script gives us information not only about the target server’s operating system but also the version of the kernel running etc. Another script “ntp-monlist.nse” can be used to retrieve NTP server’s monitor data.

Posted on by

DNS enumeration for beginners

Hello, aspiring Ethical Hackers. In this blogpost, you will learn about DNS enumeration. In our previous blogpost, you learnt what is enumeration and why is it performed, what are its uses and types of enumeration.

What is DNS enumeration?

DNS enumeration is the process of locating the DNS server and viewing its records. By performing this enumeration, an attacker can collect valuable information about the network such as DNS server names, hostnames, machine names, user names, IP addresses etc. You can learn more about the importance of DNS server in DNS Footprinting.

How to perform DNS enumeration?

There are a number of tools that can be used to perform this enumeration. Let’s see some of them.

1. Linux host command

The host command in Linux can be used to perform DNS lookup of a domain. It can be used to retrieve IP address information from domain name and vice versa. See the image below.

We can also query for specific types of records from the DNS server using ‘host’ command. Here are the various records of a DNS server.

Let’s query for mail servers and name servers as shown below.

2. dig

The dig (Domain Information Groups) command is tool for interrogating DNS servers. Just like host command, Dig can be used to perform DNS lookups and query DNS servers. For example, if we want to query for the name servers of a particular domain, we can do this as shown below.

Similarly, we can also query for mail servers and name servers as shown below.

Learn how to enumerate DNS with DNSenum, DNSrecon and DNSwalk.

Posted on by

Enumeration guide for beginners

Hello, aspiring Ethical Hackers. This blogpost is an enumeration guide for beginners. The phase of enumeration actually comes after the port scanning stage in Ethical Hacking.

What is Enumeration?

In Enumeration, an attacker or a Pen Tester performs calculated queries to gather more detailed information about the target. Usually, enumeration is performed on the services running on the target (open ports) with the purpose of gaining access to the target system.

What information does enumeration reveal?

Enumeration can reveal valuable information like Network shares, usernames and passwords, version of the application running, users and groups, machine names, service settings and other network resources.

Which services can be enumerated?

Although all services running on the target system can be enumerated upon, there are some specific services which are regularly enumerated to retrieve useful information. They are,  

  1. DNS (Port 53)
  2. Microsoft RPC (Port 153)
  3. NetBIOS Name Service (NBNS) (Port 137)
  4. NetBIOS Session Service (SMB over NetBIOS)
  5. SMB Over TCP (Port 445)
  6. Network Time Protocol (NTP) (Port 123)
  7. Simple Network Management Protocol (SNMP) (Port 161)
  8. Lightweight Directory Access Protocol (LDAP) (Port 389)
  9. Simple Mail Transfer Protocol (SMTP) (Port 25)

Let’s learn about each of these services in detail.

1. SMTP

Simple Mail Transfer Protocol (SMTP) is a TCP/IP protocol that is used to send email. It is mostly used by email clients but most of the organizations have their own Email Servers to send mail. Enumerating SMTP Service can reveal the list of valid users on the SMTP Servers. Learn how to perform SMTP enumeration.

2. DNS

The function of Domain Name Service (DNS) is explained in our article DNS Footprinting. Enumerating DNS servers can reveal network information like host names, other DNS server names, machine names, IP addresses, potential targets and in some cases usernames too. Learn how to perform DNS enumeration.

3. NetBIOS

NetBIOS service allows programs and computers on a local area network to communicate with each other. These include services like files, printers and device shares. Enumerating NetBIOS can reveal information like list of computers in a specific domain, lists of shares, policies and Passwords etc. Learn how to perform NetBIOS enumeration.

4. SMB

Just like NetBIOS, Server Message Block (SMB) is a protocol that allows applications and computers in a local network talk to each other. The only difference between them is that NetBIOS is an API whereas SMB is a protocol. Starting from Windows 2000, SMB which earlier ran on top of NetBIOS was made to operate on top of TCP and it got a dedicated port 445.

It also enables network services like file, printer and device sharing. Enumerating SMB service can reveal information like host names, lists shares, checking for null session, users, operating system details, password policies, info groups and printers connected etc. Learn how to perform SMB enumeration.

5. NTP

Network Time Protocol (NTP) is a protocol designed to synchronize clocks of all computers on the same network. Enumerating NTP can reveal information about hosts connected to the NTP server and IP addresses of the machines in the network etc. Learn how to perform NTP enumeration.

6. SNMP

Simple Network Management Protocol (SNMP) is a protocol that is used to monitor and manage computer systems in the same network. Enumerating SNMP can reveal information about network resources like hosts, routes, shares, ARP tables, routing tables, etc. Learn how to perform SNMP enumeration.

7. LDAP

Lightweight Directory Access Protocol (LDAP) is an internet protocol that is used to access information from directories like Active Directory. Enumerating LDAP can reveal information such as valid usernames, addresses and other details. Learn how to perform LDAP enumeration.

Posted on by

SMTP enumeration for beginners

 

Enumeration is the process of collecting information about user names, network resources, other machine names, shares and services running on the network. Although a little bit boring, it can play a major role in the success of the pentest. In the previous howto, we saw how to perform SMB enumeration and got some usernames on our target. So we don’t need to perform SMTP enumeration. But we may not be so lucky that SMB enumeration will be successful on every network. For networks like these, we may need to enumerate other services like SMTP.

First let me give you a basic introduction of SMTP. SMTP stands for Simple Mail Transfer Protocol. As the name implies, it is used to send email. It uses port 25 by default. If you ever sent an email, you have definitely used SMTP. SMTP servers talk with other SMTP servers to deliver the email to the intended recipient. Luckily this all happens behind the scenes and we don’t have to break our heads to understand this. But there are some things we have to understand about SMTP that will help us in enumeration.

As the term “simple” implies, SMTP server can only understand simple text commands. Sender of the mail communicates with a mail receiver by issuing these command strings and supplying necessary data. Some of the important commands are

1. HELO – sent by a client to introduce itself.

2. EHLO – another way of client introducing itself to server

3. HELP – used to see all commands.

4. RCPT – to identify message recipients.

5. DATA – sent by a client to initiate data transfer.

6. VRFY – verify if the mailbox exists.

7. QUIT – to end the session.

SMTP enumeration can be performed in many ways. The easiest way to do this is by connecting to the SMTP service port of the target with telnet (we have seen this in scanning and banner grabbing).

As you can see, we got successfully connected. From here, we can verify manually if each user exists or not. If you remember the article on SMB enumeration, we already have some usernames available. Lets use the VRFY command to check if users “user”, “msfadmin” and “root” exist in this system.

Image explaining about SMTP enumeration

Yes, they exist. Similarly, let us test if user kalyan exists. As you can see in the above image, the user kalyan doesn’t exist. Nmap also has a script to perform SMTP enumeration. We can use the script as shown below.

By default, Nmap uses RCPT method to check if a particular user exists. Unfortunately for me, it gave unhandled status code here. This Nmap script can be modified to use different methods. Here I changed it to use VRFY method to enumerate users. I have only scanned port 25 to remove the clutter. But still it gave me the same error.

There is another tool in the arsenal of Kali Linux which is built specifically for SMTP enumeration. Its called smtp-user-enum. Here let us test if a user called “root” exists on the target system as shown below.

Since user “root” exists, I’m assuming other users like “msfadmin” and “user” also exist. While performing SMB enumeration, we created a wordlist which can be users on the target system. Now let’s enumerate if all the users in that wordlist exist. It can be done as shown below.

All the users we got during SMB enumeration exist. That’s good. In this case, we already have the wordlist of usernames (we got during SMB enumeratin). What if we don’t have the exact wordlist. We can use different wordlists present in Kali Linux. These wordlists are present in /usr/share/dirb directory.

What We Achieved?

We got some usernames which may be useful to us while exploiting the system in future. All these usernames have a recipient email address to them.

Posted on by 2 Comments

SMB enumeration for beginners

In the previous part of the tutorial, we performed a vulnerability scan on our target Metasploitable and got some high ranking vulnerabilities. Before we take the plunge and exploit those vulnerabilities, let’s do some enumeration first.

Enumeration is the process of collecting information about user names, network resources, other machine names,  shares and services running on the network. Although little bit boring, it can be very helpful for the success of the hack in real time. In our previous parts, we have performed scanning and banner grabbing. So we already know what services are running on the target machine. They include FTP, telnet, SMTP and SMB etc. We can perform enumeration on all these services.

SMB stands for Server Message Block. Its mainly used for providing shared access to files, printers and miscellaneous communications between nodes on a network. It also provides an authenticated inter-process communication mechanism. It is a predecessor of  Common Internet File system (CIFS). To know more about SMB please go here.

SMB enumeration can provide a treasure trove of information about our target. So for today’s tutorial let’s see how to perform SMB enumeration with Kali Linux. I will use three tools inbuilt in Kali Linux : enum4linux, acccheck and SMBMap.

The first tool we will use is enum4linux. As the name suggests, it is a tool used for enumeration of Linux. To see all the options of this tool, just type “enum4linux -h“. Using this tool, first let us see the users of the SMB service. Open terminal and type command “enum4linux -U 192.168.25.129” as shown below.

As we can see above, this system is part of a workgroup. Know the difference between domain and workgroup. We can see below that it has listed all the SMB users present on the target.

Of all the usernames the tool got us, I am assuming only three usernames are useful to us: user,root and msfadmin since others seem more like processes but we will keep our fingers crossed.

Before we check for validity of these credentials, let us perform a full enumeration with enum4linux. In the terminal type command “enum4linux 192.178.25.129” i.e without any options.  As you can see below, it lists us Nbtstat information of what services are active on the target.

SMB enumeration

It also provides us with the OS information.

And crucial info about Shares, i.e which user has what rights on the target.

It provides us password policy info, in case we don’t get the credentials and want to crack them.

Groups present on the system.

It will also display users based on RID cycling.

It seems there are no printers connected to the target.

Ok, now we know the users. Let’s try to find out the passwords for the usernames we seem to have got. We will use a tool called acccheck for this purpose. It is a password dictionary attack tool that targets windows authentication via the SMB protocol.  We will see more about password cracking later. First I will try it with the user “user”. In Kali Linux, most of the password dictionaries are present in “usr/share/dirb” directory. So I specify a dictionary which consists of most common passwords used.

Here, I am just guessing that the user may be using a common password. After specifying all the options, Hit Enter. The cracking process starts as shown below.

Once the tool gets the correct password, it stops the scan and displays a success message as shown below. Voila … the password of the user “user” is “user” only.

Seeing this result, I get a new idea. There might be a possibility that all the users may be using their username as password. To find out this, I create a new file called user.txt with all the usernames we got with enum4linux and specify the file for both username and password as shown below.

We got succces with three users; user, msfadmin and a blank user with password “games”. Since we successfully got some credentials, it’s time to see the share drives on our target system. For this, we will use another tool called SMBMap.

SMBMap allows users to enumerate samba share drives across an entire domain. List share drives, drive permissions, share contents, upload/download functionality, file name auto-download pattern matching, and even execute remote commands.

First let us check the rights of each user we got as shown below.

We can see that users user and msfadmin have READ,WRITE permissions on tmp directory only and the Blank user doesn’t have much. Next let us try to list all the drives on the target system with user “msfadmin”. We can see we don’t have enough privileges to execute a command.

Since we have READ privileges, let us read the drive on the target system as shown below. Well that’s all for SMB enumeration guys. If you want to read  about SMTP enumeration, you can go here.

RESULT: We got some usernames which may be useful to us while exploiting the system in future.