Ethical Overflow - A new focus on Cyber Security

Ethical Hacking - Enumeration

Enumeration establishes an active connection to the target system.

-Enumeration is the first attack on the target network. It is the process of gathering information about a target machine by actively connecting to it.

-Enumeration means identifying user accounts, system accounts and admin accounts. Windows Active Directory is enumerated to find these.

Enumeration is used to collect the following information:

  • Usernames, Group names

  • Hostnames

  • Network shares and services

  • IP tables and routing tables

  • Service settings and Audit configurations

  • Application and banners

  • SNMP and DNS Details

Enumeration classification:-

1. NetBIOS Enumeration:-

-NetBIOS stands for Network Basic Input Output System. IBM developed it along with Sytek. NetBIOS was primarily intended as an Application Programming Interface (API) that lets client software access LAN resources.

A NetBIOS name is a 16-character ASCII string used to identify network devices over TCP/IP; 15 characters are used for the device name, and the 16th character is reserved for the service or name record type.

NetBIOS software runs on ports 137-139 on the Windows operating system. The File and Printer service needs to be enabled to enumerate NetBIOS on a Windows operating system.

NETBIOS ENUMERATION TOOLS:

-NbtStat

-Superscan

-Hyena

-Winfingerprint

-NetBIOS Enumerator

The following security controls help prevent NetBIOS attacks:

-Close the NetBIOS ports (445, 137-139).

-Minimize the attack surface by disabling unnecessary services such as Server Message Block (SMB).

-Remove File and Printer sharing in Windows OS.

2. SNMP ENUMERATION

SNMP stands for Simple Network Management Protocol. It is an application-layer protocol that runs on User Datagram Protocol (UDP) and is used for managing network devices that run on the IP layer, such as routers. SNMP is based on a client-server architecture where an SNMP client, or agent, is located on every network device and communicates with the SNMP managing station via requests and responses. Both SNMP requests and responses are configurable variables accessible by the agent software. SNMP contains two passwords for authenticating the agents before configuring the variables and for accessing the SNMP agent from the management station.

SNMP passwords are:

-The read community string is public, and the configuration of the device can be viewed with this password.

-The read/write community string is private, and the configuration of the device can be modified using this password.

SNMP internally uses a virtual hierarchical database for managing the network objects, called the Management Information Base (MIB). The MIB has a tree-like structure, and an object ID uniquely represents each network object. The network objects can be viewed or modified based on the SNMP passwords.

SNMP Enumeration:

Default SNMP passwords allow attackers to view or modify the SNMP configuration settings. Attackers can enumerate SNMP on remote network devices for the following:

  • Information about network resources such as routers, shares, devices, etc.

  • ARP and routing tables

  • Device-specific information

  • Traffic statistics, etc.

SNMP ENUMERATION TOOLS

-OpUtils

-SolarWinds

-SnScan

-Ns Auditor

SNMP SECURITY CONTROLS

  • Minimize the attack surface by removing the SNMP agents where not needed

  • Change default public community string

  • Upgrade to SNMPv3, which encrypts the community strings and messages

  • Implement group policy for additional restriction on anonymous connections

  • Implement firewall to restrict unnecessary connections

  • Implement IPSec filtering

  • Block access to TCP/UDP port 161

  • Encrypt and authenticate using IPSec

LDAP Security controls:

The following are the security controls to prevent LDAP enumeration attacks:

  • Use SSL to encrypt LDAP communication

  • Use Kerberos to restrict the access to known users

  • Enable account lockout to restrict brute forcing