The sub-section of CEH module-4 provides an overview of enumeration strategies for extracting data pertinent to network resources. Additionally, it explores methods for DNS enumeration that offer insights into the organization’s DNS servers and network configuration. The content delves into both SMTP and DNS enumeration techniques, including how to perform SMTP enumeration to identify legitimate users on an SMTP server, the use of SMTP enumeration tools, strategies for DNS zone transfer, the practice of DNS cache snooping, and the method of DNS zone walking.
SMTP Enumeration
SMTP enumeration is a technique used in mail systems that rely on SMTP (Simple Mail Transfer Protocol) alongside POP3 (Post Office Protocol 3) and IMAP (Internet Message Access Protocol). SMTP is predominantly employed for dispatching emails, whereas POP3 and IMAP serve the purpose of email retrieval. POP3 enables users to download emails to their personal devices for offline perusal, contrasting with IMAP, which facilitates the organization and retention of emails on the server itself.
SMTP communicates with mail exchange (MX) servers responsible for routing emails via DNS (Domain Name System). DNS functions to translate domain names into their corresponding IP addresses and uses MX records to route emails to the appropriate mail servers by interpreting the domain segment of an email address.
SMTP operates on TCP (Transmission Control Protocol) ports. The default SMTP port is port 25. An alternative port, used in case port 25 is blocked, is port 2525. Port 587 is typically used for SMTP submission, which involves encryption and authentication. SMTP provides the following three in-built commands:
1. VRFY Command
2. EXPN Command
3. RCPT TO Command
SMTP servers exhibit different responses to VRFY, EXPN, and RCPT TO commands depending on whether the users are recognized as valid or not. This behavior allows for the identification of legitimate users on an SMTP server. By utilizing the Telnet interface, individuals can engage with the SMTP server to compile a list of authentic users.
SMTP Enumeration Tools
SMTP enumeration tools are used in cybersecurity to discover usernames by interacting with an email server. Cyber attackers can exploit such tools to gain information that could facilitate subsequent attacks on a network.
Command-line options for the smtp-user-enum tool, which is used for determining valid usernames on an SMTP server:
Additionally, other options include:
DNS Enumeration Using Zone Transfer
DNS Enumeration via Zone Transfer is like asking a main directory (the primary DNS server) to share its entire list of contacts and details with a backup directory (the secondary DNS server). This is normally done to back up and update information across servers.
However, a hacker can use this process to sneakily get a complete list of all the names, numbers, and addresses (like server names, machine names, usernames, and IP addresses) that are stored in the main directory, but only if the main directory is willing to share this information without proper checks. If the hacker’s request is denied, they’ll hit a dead end, as the main directory refuses to give out the list. They use tools like ‘nslookup’, ‘dig’, or ‘DNSRecon’ to try and make this request seem legitimate.
In a DNS zone transfer attack, the attacker pretends to be a legitimate entity, asking the DNS server to share a section of its directory containing a wealth of information about the network’s domain structure. The server, thinking the request is genuine, may send over details from its database about the network’s zone.
dig Command:
Attackers use the ‘dig’ command on Linux machines to interact with the target’s DNS name servers.
dig @<domain of name server> <target domain> axfr’ |
‘nslookup’ Command
Attackers run the ‘nslookup’ command on Windows systems to request information from DNS name servers about a target’s hosts, name servers, and email servers.
‘/ls -d <domain of name server>’ |
What is DNS Cache Snooping?
DNS cache snooping is when someone tries to find out what websites you’ve visited by looking at the saved data on a DNS server. Just like checking the history in your web browser, they can see the names of the sites you’ve been to. This can also tell them who runs the DNS server, who provides its internet service, and even sensitive stuff like banking details. The snoopers use special commands and tools to do this, kind of like using a special key to peek into someone’s diary.
CEH with InfosecTrain
Ethical hacking is a complex and multi-phase process that requires deep knowledge and security certifications. Professionals can improve their security assessment and network architecture skills through ethical hacking courses, such as the Certified Ethical Hacker (CEH v12) training provided by InfosecTrain. This training provides individuals with the essential skills and methods needed to perform sanctioned hacking into organizations.
Start Date | End Date | Start - End Time | Batch Type | Training Mode | Batch Status | |
---|---|---|---|---|---|---|
04-Jan-2025 | 15-Feb-2025 | 19:00 - 23:00 IST | Weekend | Online | [ Open ] | |
25-Jan-2025 | 08-Mar-2025 | 09:00 - 13:00 IST | Weekend | Online | [ Open ] | |
01-Feb-2025 | 09-Mar-2025 | 19:00 - 23:00 IST | Weekend | Online | [ Open ] | |
15-Feb-2025 | 30-Mar-2025 | 09:00 - 13:00 IST | Weekend | Online | [ Open ] |