Deep Dive into Enumeration in CEH Module 4

In earlier modules, we have outlined how attackers can legitimately collect essential information from a target. However, the legality of enumeration activities can vary depending on an organization’s internal policies and applicable legal regulations. An ethical hacker or penetration tester must secure the necessary authorization before engaging in enumeration to ensure they conduct these activities within legal and ethical boundaries.

What is Enumeration?

Enumeration refers to the method of gathering user accounts, system names, network resources, and services from a network or individual system. During this process, an attacker forges active connections to the system and submits specific queries to collect more information about the target. The attacker then utilizes the data gathered through enumeration to identify security weaknesses within the system, which can be exploited. Ultimately, enumeration enables attackers to attack passwords and gain unauthorized access to the system’s resources. This technique is applicable and effective within the confines of an intranet.

Specifically, enumeration enables an attacker to gather a range of information, such as:

• Details on network resources and shared network drives
• Information on network routing
• Settings related to audits and services
• Data on SNMP (Simple Network Management Protocol) and Fully Qualified Domain Names (FQDN)
• Names of devices on the network
• Lists of user accounts and groups
• Details on applications and service banners

During the enumeration phase, attackers might discover services like Windows Inter-Process Communications (IPC$) shares, which they can investigate further. They may also attempt to access administrative shares by brute-forcing administrator credentials. If successful, they can gain comprehensive details about the file system the administrative share represents.

Enumeration Techniques

Derive usernames from their associated email addresses: This technique involves using email IDs to determine the format of usernames within an organization. Since email addresses often include a person’s name and are structured consistently (like firstnamelastname@company.com), attackers can guess the username format used for other system logins.

Obtain information by exploiting factory-set passwords: Many devices and systems are initially set up with default passwords, which are often common and well-known. Attackers can use these default passwords to gain unauthorized access to systems that the user or administrator has not updated.

Use forceful attempts to gain entry into the Active Directory: Active Directory (AD) is a directory service used by Windows networks to manage all users and computers within a network domain. Brute force attacks consist of repeatedly attempting various username and password pairs until the correct combination is identified, potentially allowing the attacker to gain access to the Active Directory.

Perform DNS Zone Transfer to acquire data: A DNS Zone Transfer (AXFR) is a DNS transaction where a domain’s DNS records are replicated to another server. If an attacker can initiate a zone transfer from a DNS server, they can gain detailed information about the domain, including hostnames and IP addresses.

Identify Windows user groups: Windows operating systems organize user accounts into groups that share common access rights and permissions. By enumerating these groups, an attacker can understand the structure and hierarchy of users within a system, which can help plan further attacks.

Utilize SNMP to deduce usernames: Simple Network Management Protocol (SNMP) is used to manage IP network devices. By querying SNMP, attackers can potentially retrieve information about network devices, including details about the users.

Services and Ports to Enumerate

• Domain Name System (DNS) Zone Transfer: Accessible over TCP/UDP port 53, this service is used to replicate DNS data across DNS servers.
• Microsoft RPC Endpoint Mapper: Found on TCP/UDP port 135, it manages RPC (Remote Procedure Call) services.
• NetBIOS Name Service (NBNS): Operates on UDP port 137 and is responsible for network basic input/output system functions, including name registration and resolution.
• NetBIOS Session Service (SMB over NetBIOS): Available on TCP port 139, this service is used for session establishment and termination in NetBIOS over TCP/IP.
• SMB over TCP (Direct Host): Uses TCP/UDP port 445 for Server Message Block (SMB) communication without the need for NetBIOS.
• Simple Network Management Protocol (SNMP): Running on UDP port 161, SNMP is used to manage IP network devices.
• Lightweight Directory Access Protocol (LDAP): Utilizes TCP/UDP port 389 for directory services.
• Network File System (NFS): Accessible via TCP port 2049, it’s used for file sharing over a network.
• Simple Mail Transfer Protocol (SMTP): Found on TCP port 25, it’s the protocol for sending emails across networks.
• SNMP Trap: This service operates on TCP/UDP port 162, used to send notifications from SNMP agents to a management system.
• ISAKMP/Internet Key Exchange (IKE): Works on UDP port 500 and sets up a security association in the IPsec protocol suite.
• Secure Shell (SSH): Accessible through TCP port 22, it’s used for secure access to remote computers.

CEH with InfosecTrain

Ethical hacking is a complex and multi-phase process that requires deep knowledge and security certifications. Professionals can improve their security assessment and network architecture skills through ethical hacking courses, such as the Certified Ethical Hacker (CEH v12) training provided by InfosecTrain. This training provides individuals with the essential skills and methods needed to perform sanctioned hacking into organizations.

TRAINING CALENDAR of Upcoming Batches For CEH v13

AUTHOR
Pooja Rawat ( )

“ My name is Pooja Rawat. I have done my B.tech in Instrumentation engineering. My hobbies are reading novels and gardening. I like to learn new things and challenges. Currently I am working as a Cyber security Research analyst in Infosectrain. “