Lesson 5 – Enumeration

• Enumeration is often easy because sysadmins don’t go to the trouble of properly configuring systems and locking them down.
• Good enumeration saves you time.  You could try every username under the sun, but it’s a better use of your time and effort to figure out for sure which users have accounts on the system and focus on breaking into their accounts.

• SMB = Server Message Blocks; AKA CIFS (Common Internet File System); AKA Windows shares
• Remember, SMB isn’t just on Windows boxes!  Mac OS X has switched to SMB as its default network file sharing protocol (replacing AFP) and many Linux system support it via an open-source implementation called Samba.
• All that said, the null session is kind of a played-out misconfiguration.  It’s mentioned in a lot of pentesting literature, because legacy systems might still have it enabled, and if you do find it, it’s an awesome means of mining data about your target.  However, it’s becoming rarer and rarer, especially in Windows 7/8/10 environments.

• Winfo is a Windows tool that automates the process of enumerating information using null sessions
• The original enum was a Windows tool and a work-alike (enum4linux) was written in perl for Linux.  Like winfo, it automates the process of attempting null session attacks and enumeration.
• DumpSec is a Windows tool for enumerating users, groups, shares, permissions (DACLs), and audit settings (SACLs)
• Once you make a null session connection with: net use \\<computer name or IP>\ipc$ “” /user:”” ; you can then run: net view \\<computer name or IP> to list out the shares on the computer
• Nbtstat is a Windows command line to for diagnosing problems with NBT (NetBIOS over TCP).  You can use the -a or -A flags to pull the NetBIOS information of a remote host.
• Nbtscan is much like nbtstat, but can be used against a range of IP addresses, instead of only one at a time.  Available in Windows and Linux flavors.
• And (big shock!) nmap has several SMB enumeration scripts to run via the NSE (Nmap Scripting Engine), including smb-enum-shares, smb-enum-groups, smb-enum-processes, and many more.

• TESTING NOTE: How to set up vulnerable SNMP in Debian/Ubuntu/Linux Mint:
  -sudo apt-get install snmpd
  -Edit /etc/snmp/snmpd.conf, in the AGENT BEHAVIOUR section, comment out “agentAddress udp:127.0.0.1:161” and uncomment “agentAddress udp:161,udp6:[::1]:161”
  -sudo /etc/init.d/snmpd restart

• EXPN will spit out all the addresses in mailing lists or aliases.  It’s worth a shot to try “EXPN all” and other possible mailing list names.
• VRFY will verify that an email name (no @domain.com or whatever at the end) is a valid email address on the system
• And if all those fail, try entering the following
  MAIL TO: junk@junk.junk
  RCPT TO: <username>
  This is actually writing an email message in a raw SMTP session.  RCPT is specifying who the recipient of the email is going to be.  You can add as many as you like.  If the address is valid, it’ll say OK, else it will throw an error.
• smtp-user-enum is a Perl script (included with Kali) that can enumerate users using EXPN, VRFY, and RCPT methods, plus taking individual or lists of usernames/email addresses to try out and can enumerate multiple SMTP servers at once.
• swaks stands for Swiss Army Knife SMTP and is an all-purpose SMTP testing and debugging tool, but is also useful for doing SMTP enumeration work.

• LDAP (Lightweight Directory Access Protocol) is probably best known as the protocol behind Windows Active Directory, but is also used by Apple for its Open Directory system integrated into Mac OS X and many Linux/Unix systems use implementations of LDAP, such as OpenLDAP and Oracle Internet Directory.
• NTP (Network Time Protocol) can be abused to reveal peers and clients…in addition to revealing time/time zone, in case you weren’t sure where the target is located in the world.  Nmap scripts like ntp-info and ntp-monlist is probably the easiest way to query it.  Every once in a while, NTP has a bad vulnerability, so pay attention to the ntpd version info it leaks as well.

• Showmount will enumerate any NFS (Network File System) file shares: showmount –e <IP address or hostname>
• If you find a host that’s running the finger service on TCP port 79, you can query it for details on user accounts.  In addition to trying to tease normal user accounts out of it, you can look for service accounts (like www-data, ftp, and others) that will indirectly confirm the existence of certain software running.  For example, if you see the “www-data” user, then you know the target system has a web server like Apache installed.  One command to try is finger ‘a b c d e f g h’@<hostname>, which if it works will barf all the users on the system.
• If you see TCP or UDP port 111 open (nmap will identify it as “portmapper”), you can use the rpcinfo command to see what services and apps on a server map to what ports.  This is a great way to figure out what software is running on the system for looking up exploits later.
• Dirb is command-line based and Dirbuster is a Java-based GUI, but both do the same thing: take a list of possible names and try to brute-force all the directories under a given hostname, looking for signs of vulnerable software, hidden pages, admin login portals, and other juicy info.  Both come with wordlists of common web server directories in their respective /usr/share/ directories
• Also, if you’ve fingerprinted certain services and ESPECIALLY certain devices and appliances…go look up their default accounts and passwords online!  Lazy admins often neglect to change them.