Enumeration

Windows Enumeration:

Users - Guest, Admin, Local ser, Network Ser, System, Current User

Groups - Anon Login, Batch, Creator Own, Everyone, Interactive, Network Restricted, Self, Service, Windows, Terminal

Security Identifiers (SID) Windows:

• SIDs start with S1-5-21
• Admin account ends 500
• Guess account ends 501

Linux:

• UID is + (positive) number above 500 for user
• Below 100 for system accounts

Services and Ports:

• 53 - DNS
• 135,137,139 - RPC end point mapper, NBNS, SMB over NETBIOS
• 445 - SMB over TCP
• 161 - SNMP
• 162 - SNMP Trap
• 389 - LDAP
• 3268 - Global Catelog Service
• 25 - SMTP
• 500 - ISAKMP/IKE
• 5060,5061 - SIP

Commonly Exploited Services:

Windows:

• NetBIOS - Null session
• DNS Zone Transfers

with SNMP:

• Management information base (MIB)

Unix and Linux:

• Finger Commands
• RPCinfo
• Showmount
• LDAP and Directory Service Enumeration
• NTP Enumeration

SMTP enumeration:

• Using Telnet - VRFY, EXPN, RCPT to
• SMTP Relay

Techniques for enumeration:

• Extract Usernames using Email IDs
• Extract info using default passwords
• Brute force Active Directory
• Extract infro using DNS Zone Transfer
• Extract user groups from Windows
• Extract User name using SNMP

NetBIOS Enumeration:

nbstat utility:

syntax:

-a (+Remotename) - Displays netbios name table of remote computer

-A (+IP add) - Display netbios name table of remote computer

-c - Lists contents of netbious name cache, the table of netbious name and their resolved IP addresses

-n - Displays the names registered locally by netbios apps such as server and redirector

-R - Purges the name cache and reloades all #PRE entries from LMHOSTS

-RR -Releases and registers all names with name server

-s - Lists netbios sessions able coverting dest ip add to comp netbios name

-S - Lists current netbios sessions and their state with IP add

Enumeration: Tools and Usage for different services

Memcached recon:

• Find number of current items on a server - memcstat --server=<ip>
• Find name of keys present on server - memcdump --servers=<ip>

NTP queries:

• Current time - ntpq -c "rv 0 clock" <ip>
• Pool servers used - ntpq <ip>, Ipeers
• Current time - ntpdate -q <ip>

IRC servers:

• IRCSnapShot - dir: cd /tools/ircsnapshot,  run: python ircsnapshot.py

SMTP servers:

• User enum - stmp-user-enum -U <path>  -t  <ip>

SMTP fake email:

• Tool: SendEmail  
• Syntax: sendemail -f admin:attacker.abc  -t  root@victom1  -s  <ip>  -u fakemail  -m "hi root"  -o  tls=no

SSL connections:

• connect server using POP3 over SSL (pop3s)
• openssl s-client -connect <ip> : <port>

SMB server:

NMBlookup Tool

Find NetBIOS name of computer -  nmblookup -H  <ip>

SMBClient Tool

• Check if anonconnection allowed - smbclient -L  <ip>  -N
• (allowed if shares are displayed without password requirements)
• directory inside public share: smbclient //<ip>/public -N, ls
• get flag - smbclient //<ip>/public -N, ls, cd <folder>, ls, get <file>, exit

RPCclient Tool 

• Information: -N = do not ask for password
  
• determine if anon allowed - rpcclient -U "" -N <ip>
• find OS of server - rpcclient -U "" -N <ip>, srvinfo
• Lit all users on samba - rpcclient -U "" -N <ip>, enumdomusers
• Find SID of user admin - rpcclient  -U "" -N <ip> , lookupnames <admin>
• Find domain groups exist - rpcclient -U "" -N <ip>, enumdomgroups

Enum4linux

• Find OS version  - enum4linux -o <ip>
• List all users on samba - enum4linux -U <ip>
• List all available shares - enum4linux -U <ip>, enum4linux -U <ip>
• List of SID of unix users - enum4linux -r -u "admin" -p <pw> <ip>
  

SMBmap

• smbmap -H <ip>  -u <un> -p <pw>

VNC server:

• vncviewer <ip>:<port>