Ethical Hacking - Enumeration
Enumeration establishes an active connection to the target system.
-Enumeration is the first attack on a target network: it is the process of gathering information about a target machine by actively connecting to it.
-Enumeration means identifying the user accounts, system accounts and admin accounts, for example by enumerating Windows Active Directory.
Enumeration is used to collect the following information:
Usernames, Group names
Network shares and services
IP tables and routing tables
Service settings and Audit configurations
Applications and banners
SNMP and DNS Details
-NetBIOS stands for Network Basic Input Output System. IBM developed it along with Sytek. NetBIOS was primarily intended as an Application Programming Interface (API) that lets client software access LAN resources.
A NetBIOS name is a 16-character ASCII string used to identify network devices over TCP/IP; 15 characters are used for the device name, and the 16th character is reserved for the service or name record type.
NetBIOS runs on ports 137-139 on the Windows operating system. The file and printer service needs to be enabled to enumerate NetBIOS on the Windows operating system.
NETBIOS ENUMERATION TOOLS:
The following security controls help prevent NetBIOS attacks:
-Close the NetBIOS ports (445, 137-139).
-Minimize the attack surface by disabling unnecessary services such as Server Message Block (SMB).
-Remove File and Printer Sharing in Windows OS.
SNMP (Simple Network Management Protocol) is an application-layer protocol that runs over User Datagram Protocol (UDP). It is used for managing network devices that run on the IP layer, such as routers. SNMP is based on a client-server architecture in which an SNMP client, or agent, is located on every network device and communicates with the SNMP managing station via requests and responses. Both SNMP requests and responses are configurable variables accessible by the agent software. SNMP uses two passwords: for authenticating the agents before configuring the variables, and for accessing the SNMP agent from the management station.
SNMP passwords are:
-The read community string is public by default; the configuration of the device can be viewed with this password.
-The read/write community string is private by default; the configuration of the device can be modified using this password.
SNMP internally uses a virtual hierarchical database, called the Management Information Base (MIB), for managing the network objects. The MIB has a tree-like structure, and an object ID uniquely represents each network object. The network objects can be viewed or modified depending on which SNMP password is used.
Default SNMP passwords allow attackers to view or modify the SNMP configuration settings. Attackers can enumerate SNMP on remote network devices for the following:
Information about network resources such as routers, shares, devices, etc.
ARP and routing tables
Device specific information
Traffic statistics etc.
SNMP ENUMERATION TOOLS
SNMP SECURITY CONTROLS
Minimize the attack surface by removing the SNMP agents where not needed
Change default public community string
Upgrade to SNMPv3 which encrypts the community strings and messages
Implement group policy for additional restrictions on anonymous connections
Implement a firewall to restrict unnecessary connections
Implement IPSec filtering
Block access to TCP/UDP port 161
Encrypt and authenticate using IPSec
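The first controls in this list can be checked directly against an agent's configuration file. The following is an added example, not part of the original page: it assumes a net-snmp style snmpd.conf (the page names no specific agent), and the sample configuration and the finding codes are constructed for illustration.

```python
DEFAULT_COMMUNITIES = {"public", "private"}    # defaults named on the page
OPEN_SOURCES = {"default", "0.0.0.0/0", "::/0"}  # "any host" in snmpd.conf
COMMUNITY_DIRECTIVES = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"}

# Constructed sample configuration, not taken from a real device.
SAMPLE = """\
# constructed sample snmpd.conf
rocommunity public
rwcommunity private 10.0.0.0/8
rocommunity s3gment-monitor 192.0.2.10
com2sec readonly default public
rouser monitor priv
rouser legacy noauth
"""

def audit_snmpd_conf(text):
    """Return sorted (line_no, finding_code) pairs; the codes are hypothetical names."""
    findings = set()
    for no, raw in enumerate(text.splitlines(), 1):
        tok = raw.split("#", 1)[0].split()         # strip comments, tokenize
        if not tok:
            continue
        directive, args = tok[0].lower(), tok[1:]
        if directive in COMMUNITY_DIRECTIVES:      # rocommunity NAME [SOURCE ...]
            community = args[0] if args else ""
            source = args[1] if len(args) > 1 else "default"
            if directive.startswith("rw"):
                findings.add((no, "write-community"))
        elif directive == "com2sec":               # com2sec [-Cn CTX] SEC SOURCE NAME
            if args[:1] == ["-Cn"]:
                args = args[2:]
            if len(args) < 3:
                continue
            source, community = args[1], args[2]
        elif directive in ("rouser", "rwuser"):    # SNMPv3 users
            if "noauth" in args[1:]:               # no authentication or privacy
                findings.add((no, "v3-noauth"))
            continue
        else:
            continue
        findings.add((no, "cleartext-community"))  # v1/v2c: sent unencrypted
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.add((no, "default-community"))
        if source.lower() in OPEN_SOURCES:
            findings.add((no, "unrestricted-source"))
    return sorted(findings)

if __name__ == "__main__":
    for line_no, code in audit_snmpd_conf(SAMPLE):
        print(f"line {line_no}: {code}")
```

Only the SNMPv3 user with the priv level and the comment line produce no finding; every community-based line is reported at least as cleartext-community.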
LDAP Security controls:
The following are the security controls to prevent LDAP enumeration attacks:
Use SSL to encrypt LDAP communication
Use Kerberos to restrict the access to known users
Enable account lockout to restrict brute forcing