Hey, everyone, welcome back to the course. So in this video, we're gonna go over a brief introduction to what enumeration is. We'll talk about what enumeration actually is. We'll also talk about some of the different techniques that are used for enumeration, and we'll talk about some of the services that, as an adversary or pen tester, we should be looking to enumerate.
So what is enumeration?
Well, essentially, this is just where the attacker is creating active connections to the system or the target. And so, essentially, when we run a thing like Nmap, we can identify information about the operating system, etcetera. And so we want to enumerate it and find out what version of that operating system, right? What version of that software is in use? Because then we can identify what potential vulnerabilities are there. So enumeration is really just allowing that attacker to get information to identify potential attack points. It could also allow them to perform things like password attacks to essentially just gain that unauthorized access to the information system.
So some of the information the attacker might be looking for is information about things like users and groups, network resources, network shares, routing tables, information about DNS, information about audit or service settings, information about SNMP settings, machine name information, as well as different applications that might be in use.
So what are some of the enumeration techniques?
Well, the attacker might use email IDs to try to extract username information. They may try to extract information using things like the default passwords. They could use a brute force attack against Active Directory. They could try to extract usernames using SNMP. They could try to extract user group information from Windows. They could also try to extract information using something like a DNS zone transfer.
So let's talk about some of the services that we should be looking to enumerate as attackers.
So a NetBIOS name is basically a unique 16 ASCII character string that's used to identify the network devices over TCP/IP.
And so what an attacker can do is they can use that NetBIOS enumeration to get things like a list of computers that belong to the domain. They could potentially get a list of shares on the individual hosts on the network. They could also get information around things like the policies that are in use, or passwords.
And they could do this through commands like the net view command, so net view /domain, or net view /domain: followed by the name of the actual domain. They could also use different tools, like Hyena, SuperScan, Winfingerprint, and another one, NetBIOS Enumerator. So there are a lot of different ways that the attacker could do this. Again, the goal is to get information about computers that are on the domain, information around any shares, and then potentially information around policies and passwords that might be in use.
Then we have SNMP enumeration, or Simple Network Management Protocol enumeration. And so, essentially here, the attacker is enumerating user accounts and devices on the target.
So SNMP, if you're not familiar with it, basically consists of a manager and an agent. The agents are embedded on the network device, and the manager is installed on a separate computer. So SNMP has two passwords that it uses, essentially, right? There's a read community string, which is public by default, and it allows that view access, so the viewing of the device or system configuration. And then there's a read-write community string, so this one actually allows remote editing of the configuration, and by default it's private, for obvious reasons.
So the attacker uses these default strings to extract information about the actual device. It could be information around hosts, could be information around routers, could be network information like ARP tables on the device, routing tables in use, just general information around the traffic, etcetera, etcetera.
Some tools that we could use are things like OpUtils, as well as the Engineer's Toolset.
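As an added example (not from the lecture), here is a Python check that audits a net-snmp snmpd.conf for the default public/private community strings just described and shows a weak configuration beside a hardened one; both config snippets are constructed for this example.

```python
# Audit a net-snmp snmpd.conf for the weak settings described above: the default
# read-only community "public", the default read-write community "private", and
# communities accepted from any source address. Both configs are constructed.
DEFAULT_STRINGS = {"public", "private"}
COMMUNITY_DIRECTIVES = ("rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6")

WEAK_CONF = """\
# typical out-of-the-box settings
rocommunity public
rwcommunity private
"""

HARDENED_CONF = """\
# long random read community, reachable only from the monitoring subnet
rocommunity 7fK2q-monitor-9xLp 10.10.5.0/24
# no read-write community at all: configuration changes go over SSH, not SNMP
"""

def audit(conf):
    """Return a list of (line_no, finding) for every weak community setting."""
    findings = []
    for no, raw in enumerate(conf.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()        # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive in COMMUNITY_DIRECTIVES:
            # rocommunity COMMUNITY [SOURCE [OID]]; no SOURCE means "default" (any host)
            community = parts[1] if len(parts) > 1 else ""
            source = parts[2] if len(parts) > 2 else "default"
        elif directive == "com2sec" and len(parts) >= 4:
            # com2sec NAME SOURCE COMMUNITY (old-style mapping; access level is set elsewhere)
            community, source = parts[3], parts[2]
        else:
            continue
        if community.lower() in DEFAULT_STRINGS:
            findings.append((no, f"default community string '{community}'"))
        if directive.startswith("rwcommunity"):
            findings.append((no, "read-write access exposed over SNMP"))
        if source == "default":
            findings.append((no, "community accepted from any source address"))
    return findings
```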
We've got LDAP enumeration, or Lightweight Directory Access Protocol enumeration. So this is just an Internet protocol that's used for accessing distributed directory services. So the directory service may provide, like, an organized set of records. It's usually hierarchical and in some kind of logical structure. So an example of that would be like a corporate email directory.
So what happens is the client system starts the LDAP session. It connects to that directory system agent, or DSA, over TCP port 389, and then it sends that operation request to the DSA. The information is then transmitted between the client and the server using what's called BER, or Basic Encoding Rules. So what does the attacker do here? Well, basically, the attacker queries the LDAP service, and the goal here is to try to get information around things like usernames, addresses, department details, so do they have an accounting department, a sales team, whatever. What's the actual naming convention? And then they use that information to further the actual attack and achieve their objective.
Next, we have NTP enumeration, or Network Time Protocol enumeration. If you don't know what NTP is, it's basically designed to synchronize the clocks of networked computers, so that way everything is essentially working on the same schedule, for lack of better words.
So NTP uses UDP port 123 as its method of communication, and attackers will query NTP servers to get information, things like the list of hosts that are connected to that Network Time Protocol server. It could be information around the client IP addresses, could be information around the system names for those clients, as well as the operating systems in use, and they could potentially gather information around internal IP addresses if that NTP server is sitting in the DMZ.
And the attacker can use commands like ntptrace, which basically traces a chain of NTP servers back to the primary source; ntpq, which monitors NTP daemon operations and then determines performance; and ntpdc, which monitors operation of the NTP daemon.
And then we have SMTP enumeration, or Simple Mail Transfer Protocol enumeration. The things to focus on here for the CEH exam are going to be these three commands right here: VRFY, EXPN, and RCPT TO. So VRFY basically validates the users, right? It verifies who this person or device actually is. EXPN tells the actual delivery addresses of the aliases and mailing lists. And then RCPT TO defines the recipients, right? Who's the actual recipient of this message, or who should be the recipient of this message?
So an example of an attacker actually using this: they could telnet into the IP address of the host device and then run the VRFY command and say, you know, VRFY Bobby, right? And then it verifies that Bobby is a user, tells you that Bobby is a super user, for example, and gives you Bobby's email address. Right? So you get some information around Bobby because you did that query.
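Added example, not part of the lecture: a small Python detector that reads a per-command SMTP log and flags clients whose VRFY/EXPN or RCPT TO pattern looks like the mailbox enumeration just described. The log format, the sample lines and the thresholds are assumptions made for this example.

```python
# Flag SMTP clients that look like they are enumerating mailboxes with VRFY, EXPN
# or repeated RCPT TO. The log format (timestamp, client IP, command) and the
# sample below are constructed for this example; adapt LINE_RE to your MTA's log.
import re
from collections import defaultdict
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<cmd>VRFY|EXPN|RCPT TO|DATA|QUIT)(?::?\s*(?P<arg>.*))?$"
)
# Constructed sample: one client probing mailboxes, one doing a normal delivery.
SAMPLE_LOG = """\
2024-05-01T10:00:01 203.0.113.5 VRFY bobby
2024-05-01T10:00:02 203.0.113.5 VRFY alice
2024-05-01T10:00:03 203.0.113.5 EXPN sales
2024-05-01T10:00:04 203.0.113.5 RCPT TO:<carol@example.com>
2024-05-01T10:00:05 203.0.113.5 RCPT TO:<dave@example.com>
2024-05-01T10:00:06 203.0.113.5 RCPT TO:<erin@example.com>
2024-05-01T10:00:07 203.0.113.5 QUIT
2024-05-01T10:01:00 198.51.100.7 RCPT TO:<alice@example.com>
2024-05-01T10:01:01 198.51.100.7 DATA
2024-05-01T10:01:04 198.51.100.7 QUIT
"""

def find_enumerators(log, max_probes=2, max_rcpt_without_data=3):
    """Return {client: [reasons]}. VRFY/EXPN are pure lookups and should be rare;
    several distinct RCPT TO with no DATA means recipients were tested, not mailed."""
    probes = defaultdict(int)       # VRFY/EXPN count per client
    rcpts = defaultdict(set)        # distinct RCPT TO addresses per client
    sent_data = defaultdict(bool)   # did the client ever reach DATA?
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                # unrelated line (banner, HELO, ...)
        client, cmd, arg = m.group("client"), m.group("cmd"), (m.group("arg") or "")
        if cmd in ("VRFY", "EXPN"):
            probes[client] += 1
        elif cmd == "RCPT TO":
            rcpts[client].add(arg.strip().lower())
        elif cmd == "DATA":
            sent_data[client] = True
    flagged = {}
    for client in sorted(set(probes) | set(rcpts)):
        reasons = []
        if probes[client] > max_probes:
            reasons.append(f"{probes[client]} VRFY/EXPN lookups")
        if not sent_data[client] and len(rcpts[client]) >= max_rcpt_without_data:
            reasons.append(f"{len(rcpts[client])} RCPT TO with no DATA")
        if reasons:
            flagged[client] = reasons
    return flagged
```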
So just a quick quiz question here for you. Chris is a pen tester looking to enumerate LDAP. So which port should he target if he's looking to enumerate LDAP? Is that port 123?
All right, so the answer is port 389
So in this video, we just talked a little bit about what enumeration actually is. Again, it's just another aspect of the attacker gathering information about our target, so things like maybe user group information, username information, as well as information around what operating system or application versions are in use. We also talked about some of the techniques that attackers might use for enumeration, as well as some of the services that we should enumerate.