CEH v11 Module 3 实验记录
1. Scenario
With the development of network technologies and applications, network attacks are greatly increasing in both number and severity(猛烈). Attackers continuously search for service and application vulnerabilities on networks and servers. When they find a flaw or loophole in a service run over the Internet, they immediately exploit it to compromise the entire system. Any other data that they find may be further used to compromise additional network systems. Similarly, attackers seek out and use workstations with administrative privileges, and which run flawed applications, to execute arbitrary(随意的) code or implant viruses in order to intensify(加剧) damage to the network.
In the first step of the security assessment and penetration testing of your organization, you gather open-source information about your organization. In the second step, you collect information about open ports and services, OSes, and any configuration lapses.
The next step for an ethical hacker or penetration tester is to probe the target network further by performing enumeration. Using various techniques, you should extract more details about the network such as lists of computers, usernames, user groups, ports, OSes, machine names, network resources, and services.
The information gleaned(收集) from enumeration will help you to identify the vulnerabilities in your system’s security that attackers would seek to exploit. Such information could also enable attackers to perform password attacks to gain unauthorized access to information system resources.
In the previous steps, you gathered necessary information about a target without contravening(违反) any legal boundaries. However, please note that enumeration activities may be illegal depending on an organization’s policies and any laws that are in effect in your location. As an ethical hacker or penetration tester, you should always acquire proper authorization before performing enumeration.
2. Objectives
The objective of the lab is to extract information about the target organization that includes, but is not limited to:
- Machine names, their OSes, services, and ports
- Network resources
- Usernames and user groups
- Lists of shares on individual hosts on the network
- Policies and passwords
- Routing tables
- Audit and service settings
- SNMP and FQDN details
3. Overview of Enumeration
Enumeration creates an active connection with the system and performs directed queries to gain more information about the target. It extracts lists of computers, usernames, user groups, ports, OSes, machine names, network resources, and services using various techniques. Enumeration techniques are conducted in an intranet environment.
4. Lab Tasks
Ethical hackers or penetration testers use several tools and techniques to enumerate the target network. Recommended labs that will assist you in learning various enumeration techniques include:
4.1. Perform NetBIOS enumeration
As a professional ethical hacker or penetration tester, your first step in the enumeration of a Windows system is to exploit the NetBIOS API. NetBIOS enumeration allows you to collect information about the target such as a list of computers that belong to a target domain, shares on individual hosts in the target network, policies, passwords, etc. This data can be used to probe the machines further for detailed information about the network and host resources. NetBIOS stands for Network Basic Input Output System. Windows uses NetBIOS for file and printer sharing. A NetBIOS name is a unique computer name assigned to Windows systems, comprising a 16-character ASCII string that identifies the network device over TCP/IP. The first 15 characters are used for the device name, and the 16th is reserved for the service or name record type. The NetBIOS service is easily targeted, as it is simple to exploit and runs on Windows systems even when not in use. NetBIOS enumeration allows attackers to read or write to a remote computer system (depending on the availability of shares) or launch a denial of service (DoS) attack.
a. Perform NetBIOS Enumeration using Windows Command-Line Utilities
Nbtstat helps in troubleshooting NETBIOS name resolution problems. The nbtstat command removes and corrects preloaded entries using several case-sensitive switches. Nbtstat can be used to enumerate information such as NetBIOS over TCP/IP (NetBT) protocol statistics, NetBIOS name tables for both the local and remote computers, and the NetBIOS name cache. Net use connects a computer to, or disconnects it from, a shared resource. It also displays information about computer connections. Here, we will use the Nbtstat, and Net use Windows command-line utilities to perform NetBIOS enumeration on the target network.
Launch Windows Server 2019 and open command propt window. Type nbtstat -a [IP address of the remote machine]
(in this example, the target IP address is 10.10.10.10) and press Enter. In this command, -a
displays the NetBIOS name table of a remote computer. The result appears, displaying the NetBIOS name table of a remote computer (in this case, the WINDOWS10 machine), as shown in the screenshot.
In the same Command Prompt window, type nbtstat -c
and press Enter. In this command, -c
lists the contents of the NetBIOS name cache of the remote computer. The result appears, displaying the contents of the NetBIOS name cache, the table of NetBIOS names, and their resolved IP addresses.
Note that it is possible to extract this information without creating a null session (an unauthenticated session).
Now, type net use and press Enter. The output displays information about the target such as connection status, shared folder/drive and network information, as shown in the screenshot.
This concludes the demonstration of performing NetBIOS enumeration using Windows command-line utilities such as Nbtstat and Net use. Close all open windows and document all the acquired information.
b. Perform NetBIOS Enumeration using NetBIOS Enumerator
NetBIOS Enumerator is a tool that enables the use of remote network support and several other techniques such as SMB (Server Message Block). It is used to enumerate details such as NetBIOS names, usernames, domain names, and MAC addresses for a given range of IP addresses. Here, we will use the NetBIOS Enumerator to perform NetBIOS enumeration on the target network.
Launch WIndows 10, and open NetBIOS Enumerater. The NetBIOS Enumerator main window appears. Under IP range to scan, enter an IP range in the from and to fields and click the Scan button to initiate the scan (In this example, we are targeting the IP range 10.10.10.15-10.10.10.20). NetBIOS Enumerator scans for the provided IP address range. On completion, the scan results are displayed in the left pane, as shown in the screenshot. The Debug window section in the right pane shows the scanning range of IP addresses and displays Ready! after the scan is finished.
Click on the expand icon (+) to the left of the 10.10.10.16 and 10.10.10.19 IP addresses in the left pane of the window. Then click on the expand icon to the left of NetBIOS Names to display NetBIOS details of the target IP address, as shown in the screenshot.
This concludes the demonstration of performing NetBIOS enumeration using NetBIOS Enumerator. This enumerated NetBIOS information can be used to strategize an attack on the target. Close all open windows and document all the acquired information.
c. Perform NetBIOS Enumeration using an NSE Script
NSE allows users to write (and share) simple scripts to automate a wide variety of networking tasks. NSE scripts can be used for discovering NetBIOS shares on the network. Using the nbstat NSE script, for example, you can retrieve the target’s NetBIOS names and MAC addresses. Moreover, increasing verbosity(冗长) allows you to extract all names related to the system. Here, we will run the nbstat script to enumerate information such as the name of the computer and the logged-in user.
Launch WIndows 10 and open Zenmap. The Zenmap window appears. In the Command field, type the command nmap -sV -v --script nbstat.nse [Target IP Address]
(in this example, the target IP address is 10.10.10.16) and click Scan. -sV
detects the service versions, -v
enables the verbose output (that is, includes all hosts and ports in the output), and --script nbtstat.nse
performs the NetBIOS enumeration. The scan results appear, displaying the open ports and services, along with their versions. Displayed under the Host script results section are details about the target system such as the NetBIOS name, NetBIOS user, and NetBIOS MAC address, as shown in the screenshot.
In the Command field of Zenmap, type nmap -sU -p 137 -script nbstat.nse [Target IP Address]
(in this case, the target IP address is 10.10.10.16) and click Scan. -sU
performs a UDP scan, -p
specifies the port to be scanned, and --script nbtstat.nse
performs the NetBIOS enumeration. The scan results appear, displaying the open NetBIOS port (137) and, under the Host script results section, NetBIOS details such as NetBIOS name, NetBIOS user, and NetBIOS MAC of the target system, as shown in the screenshot.
This concludes the demonstration of performing NetBIOS enumeration using an NSE script. Other tools may also be used to perform NetBIOS enumeration on the target network such as Global Network Inventory, Advanced IP Scanner, Hyena, and Nsauditor Network Security Auditor. Close all open windows and document all the acquired information.
4.2. Perform SNMP Enumeration
As a professional ethical hacker or penetration tester, your next step is to carry out SNMP enumeration to extract information about network resources (such as hosts, routers, devices, and shares) and network information (such as ARP tables, routing tables, device-specific information, and traffic statistics). Using this information, you can further scan the target for underlying vulnerabilities, build a hacking strategy, and launch attacks. SNMP (Simple Network Management Protocol) is an application layer protocol that runs on UDP (User Datagram Protocol) and maintains and manages routers, hubs, and switches on an IP network. SNMP agents run on networking devices on Windows and UNIX networks. SNMP enumeration uses SNMP to create a list of the user accounts and devices on a target computer. SNMP employs two types of software components for communication: the SNMP agent and SNMP management station. The SNMP agent is located on the networking device, and the SNMP management station communicates with the agent.
a. Perform SNMP Enumeration using snmp-check
snmp-check is a tool that enumerates SNMP devices, displaying the output in a simple and reader-friendly format. The default community used is “public.” As an ethical hacker or penetration tester, it is imperative that you find the default community strings for the target device and patch them up. Here, we will use the snmp-check tool to perform SNMP enumeration on the target IP address
Launch Parrot Security and open terminal. Then switch to the root user as well as back home of root. In the Parrot Terminal window, type nmap -sU -p 161 [Target IP address]
(in this example, the target IP address is 10.10.10.16) and press Enter. -sU
performs a UDP scan and -p
specifies the port to be scanned. The results appear, displaying that port 161 is open/filtered and being used by SNMP, as shown in the screenshot.
We have established that the SNMP service is running on the target machine. Now, we shall exploit it to obtain information about the target system. In the Parrot Terminal window, type snmp-check [Target IP Address]
(in this example, the target IP address is 10.10.10.16) and press Enter. The result appears as shown in the screenshot. It reveals that the extracted SNMP port 161 is being used by the default “public” community string. If the target machine does not have a valid account, no output will be displayed. The snmp-check command enumerates the target machine, listing sensitive information such as System information and User accounts.
Scroll down to view detailed information regarding the target network under the following sections: Network information, Network interfaces, Network IP and Routing information, and TCP connections and listening ports.
Similarly, scrolling down reveals further sensitive information on Processes, Storage information, File system information, Device information, Share, etc.
This concludes the demonstration of performing SNMP enumeration using the snmp-check. Close all open windows and document all the acquired information.
b. Perform SNMP Enumeration using SoftPerfect Network Scanner
SoftPerfect Network Scanner can ping computers, scan ports, discover shared folders, and retrieve practically any information about network devices via WMI (Windows Management Instrumentation), SNMP, HTTP, SSH, and PowerShell. The program also scans for remote services, registries, files, and performance counters. It can check for a user-defined port and report if one is open, and is able to resolve hostnames as well as auto-detect your local and external IP range. SoftPerfect Network Scanner offers flexible filtering and display options, and can export the NetScan results to a variety of formats, from XML to JSON. In addition, it supports remote shutdown and Wake-On-LAN. Here, we will use the SoftPerfect Network Scanner to perform SNMP enumeration on a target system.
Launch WIndows Server 2019 and open SoftPerfect Network Scanner. In the Options menu, click Remote SNMP…. The SNMP pop-up window will appear. Click the Mark All/None button to select all the items available for SNMP scanning and close the window.
To scan your network, enter an IP range in the IPv4 From and To fields (in this example, the target IP address range is 10.10.10.5-10.10.10.20), and click the Start Scanning button. The status bar at the lower-right corner of the GUI displays the status of the scan. The scan results appear, displaying the active hosts in the target IP address range, as shown in the screenshot.
To view the properties of an individual IP address, right-click a particular IP address (in this example, 10.10.10.16) and select Properties, as shown in the screenshot.
The Properties window appears, displaying the Shared Resources and Basic Info of the machine corresponding to the selected IP address.
Close the Properties window. To view the shared folders, note the scanned hosts that have a + node before them. Expand the node to view all the shared folders.
Right-click the selected host, and click Open Device. A drop-down list appears, containing options that allow you to connect to the remote machine over HTTP, HTTPS, FTP, and Telnet.
If the selected host is not secure enough, you may use these options to connect to the remote machines. You may also be able to perform activities such as sending a message and shutting down a computer remotely. These features are applicable only if the selected machine has a poor security configuration. This concludes the demonstration of performing SNMP enumeration using the SoftPerfect Network Scanner. You can also use other SNMP enumeration tools such as Network Performance Monitor, OpUtils, PRTG Network Monitor, Engineer’s Toolset, and WhatsUp® Gold to perform SNMP enumeration on the target network.
Close all open windows and document all the acquired information.
4.3. Perform LDAP Enumeration
As a professional ethical hacker or penetration tester, the next step after SNMP enumeration is to perform LDAP enumeration to access directory listings within Active Directory or other directory services. Directory services provide hierarchically and logically structured information about the components of a network, from lists of printers to corporate email directories. In this sense, they are similar to a company’s org chart. LDAP enumeration allows you to gather information about usernames, addresses, departmental details, server names, etc. LDAP (Lightweight Directory Access Protocol) is an Internet protocol for accessing distributed directory services over a network. LDAP uses DNS (Domain Name System) for quick lookups and fast resolution of queries. A client starts an LDAP session by connecting to a DSA (Directory System Agent), typically on TCP port 389, and sends an operation request to the DSA, which then responds. BER (Basic Encoding Rules) is used to transmit information between the client and the server. One can anonymously query the LDAP service for sensitive information such as usernames, addresses, departmental details, and server names.
Active Directory Explorer (AD Explorer) is an advanced Active Directory (AD) viewer and editor. It can be used to navigate an AD database easily, define favorite locations, view object properties and attributes without having to open dialog boxes, edit permissions, view an object’s schema, and execute sophisticated searches that can be saved and re-executed. Here, we will use the AD Explorer to perform LDAP enumeration on an AD domain and modify the domain user accounts.
Launch Windows Server 2019 and open AD Explorer. The Connect to Active Directory pop-up appears; type the IP address of the target in the Connect to field (in this example, we are targeting the Windows Server 2016 machine: 10.10.10.16) and click OK. The Active Directory Explorer displays the active directory structure in the left pane, as shown in the screenshot.
Now, expand DC=CEH, DC=com, and CN=Users by clicking “+” to explore domain user details. Click any username (in the left pane) to display its properties in the right pane.
Right-click any attribute in the right pane (in this case, displayName) and click Modify… from the context menu to modify the user’s profile. The Modify Attribute window appears. First, select the username under the Value section, and then click the Modify… button. The Edit Value pop-up appears. Rename the username in the Value data field and click OK to save the changes.
You can read and modify other user profile attributes in the same way. This concludes the demonstration of performing LDAP enumeration using AD Explorer. You can also use other LDAP enumeration tools such as Softerra LDAP Administrator, LDAP Admin Tool, LDAP Account Manager, LDAP Search, and JXplorer to perform LDAP enumeration on the target.
Close all open windows and document all the acquired information.
4.4. Perform NFS Enumeration
As a professional ethical hacker or penetration tester, the next step after LDAP enumeration is to perform NFS enumeration to identify exported directories and extract a list of clients connected to the server, along with their IP addresses and shared data associated with them. After gathering this information, it is possible to spoof target IP addresses to gain full access to the shared files on the server. NFS (Network File System) is a type of file system that enables computer users to access, view, store, and update files over a remote server. This remote data can be accessed by the client computer in the same way that it is accessed on the local system.
RPCScan communicates with RPC (remote procedure call) services and checks misconfigurations on NFS shares. It lists RPC services, mountpoints(挂载点),and directories accessible via NFS. It can also recursively list NFS shares. SuperEnum includes a script that performs a basic enumeration of any open port, including the NFS port (2049). Here, we will use RPCScan and SuperEnum to enumerate NFS services running on the target machine.
Launch WIndows Server 2019 and open Server Manager. The Server Manager main window appears. By default, Dashboard will be selected; click Add roles and features. The Add Roles and Features Wizard window appears. Click Next here and in the Installation Type and Server Selection wizards. The Server Roles section appears. Expand File and Storage Services and select the checkbox for Server for NFS under the File and iSCSI Services option, as shown in the screenshot. Click Next.
In the Features section, click Next. The Confirmation section appears; click Install to install the selected features. The features begin installing, with progress shown by the Feature installation status bar. When installation completes, click Close.
By now, we finished the seting in our target machine (Windows Server 2019). Switch to Parrot Security and open terminal. Switch to root user as well as back to the home of root. In the terminal window, type nmap -p 2049 [Target IP Address]
(in this case, 10.10.10.19) and press Enter. The scan result appears indicating that port 2049 is opened, and the NFS service is running on it, as shown in the screenshot.
Type cd SuperEnum
and press Enter to navigate to the SuperEnum folder. Type echo "10.10.10.19" >> Target.txt
and press Enter to create a file having a target machine’s IP address (10.10.10.19). You may enter multiple IP addresses in the Target.txt file. However, in this task we are targeting only one machine, the Windows Server 2019 (10.10.10.19). The IP address may vary in your lab environment.
Type ./superenum
and press Enter. Under Enter IP List filename with path, type Target.txt
, and press Enter. If you get an error running the ./superenum script, type chmod +x superenum and press Enter, then repeat the step. The script starts scanning the target IP address for open NFS and other. The scan will take approximately 15-20 mins to complete. After the scan is finished, scroll down to review the results. Note that port 2049 is open and the NFS service is running on it.
You can also observe the other open ports and the services running on them. In the terminal window, type cd ..
and press Enter to return to the root directory. Now, we will perform NFS enumeration using RPCScan. To do so, type cd RPCScan
and press Enter. Type python3 rpc-scan.py [Target IP address] --rpc
(in this case, the target IP address is 10.10.10.19, the Windows Server 2019 machine); press Enter. --rpc
: lists the RPC (portmapper); the target IP address may differ in your lab environment. The result appears, displaying that port 2049 is open, and the NFS service is running on it.
This concludes the demonstration of performing NFS enumeration using SuperEnum and RPCScan. Close all open windows and document all the acquired information.
4.5 Perform DNS Enumeration
As a professional ethical hacker or penetration tester, the next step after NFS enumeration is to perform DNS enumeration. This process yields information such as DNS server names, hostnames, machine names, usernames, IP addresses, and aliases assigned within a target domain. DNS enumeration techniques are used to obtain information about the DNS servers and network infrastructure of the target organization. DNS enumeration can be performed using the following techniques:
- Zone Transfer
- DNS Cache Snooping
- DNSSEC Zone Walking
a. Perform DNS Enumeration using Zone Transfer
DNS zone transfer is the process of transferring a copy of the DNS zone file from the primary DNS server to a secondary DNS server. In most cases, the DNS server maintains a spare(备用) or secondary server for redundancy, which holds all information stored in the main server. If the DNS transfer setting is enabled on the target DNS server, it will give DNS information; if not, it will return an error saying it has failed or refuses the zone transfer. Here, we will perform DNS enumeration through zone transfer by using the dig (Linux-based systems) and nslookup (Windows-based systems) tool.
Open Parrot Security and open terminal. Switch to root user as well as back to home of root. A Parrot Terminal window appears. In the terminal window, type dig ns [Target Domain]
(in this case, the target domain is www.certifiedhacker.com); press Enter. In this command, ns
returns name servers in the result. On Linux-based systems, the dig command is used to query the DNS name servers to retrieve information about target host addresses, name servers, mail exchanges, etc. The above command retrieves information about all the DNS name servers of the target domain and displays it in the ANSWER SECTION, as shown in the screenshot.
In the terminal window type dig @[[NameServer]] [[Target Domain]] axfr
(in this example, the name server is ns1.bluehost.com and the target domain is www.certifiedhacker.com); press Enter. In this command, axfr
retrieves zone information. The result appears, displaying that the server is available as shown in the screenshot.
After retrieving DNS name server information, the attacker can use one of the servers to test whether the target DNS allows zone transfers or not. A penetration tester should attempt DNS zone transfers on different domains of the target organization.
We now move on to DNS enumeration of Windows DNS servers. Open Windows 10 and open cmd propt. The Command Prompt window appears; type nslookup
, and press Enter. In the nslookup interactive mode, type set querytype=soa
, and press Enter. Type the target domain certifiedhacker.com
and press Enter. This resolves the target domain information. set querytype=soa
sets the query type to SOA (Start of Authority) record to retrieve administrative information about the DNS zone of the target domain certifiedhacker.com. The result appears, displaying information about the target domain such as the primary name server and responsible mail addr, as shown in the screenshot.
In the nslookup interactive mode, type ls -d [Name Server]
(in this example, the name is ns1.bluehost.com) and press Enter, as shown in the screenshot. In this command, ls -d
requests a zone transfer of the specified name server. The result appears, displaying that the DNS server refused the zone transfer, as shown in the screenshot.
This concludes the demonstration of performing DNS zone transfer using dig and nslookup commands. Close all open windows and document all the acquired information.
b. Perform DNS Enumeration using DNSSEC Zone Walking
DNSSEC zone walking is a DNS enumeration technique that is used to obtain the internal records of the target DNS server if the DNS zone is not properly configured. The enumerated zone information can assist you in building a host network map. There are various DNSSEC zone walking tools that can be used to enumerate the target domain’s DNS record files. Here, we will use the DNSRecon tool to perform DNS enumeration through DNSSEC zone walking.
Open Parrot Security and open termial. Switch to root user as well as back to home of root. A Parrot Terminal window appears. Type dnsrecon -h
and press Enter to view all the available options in the DNSRecon tool.
Type dnsrecon -d [Target domain] -z
(in this example, the target domain is www.certifiedhacker.com); press Enter.In this command, -d
specifies the target domain and -z
specifies that the DNSSEC zone walk be performed with standard enumeration. The result appears, displaying the enumerated DNS records for the target domain. In this case, DNS record file A is enumerated, as shown in the screenshot.
Using the DNSRecon tool, the attacker can enumerate general DNS records for a given domain (MX, SOA, NS, A, AAAA, SPF, and TXT). These DNS records contain digital signatures based on public-key cryptography to strengthen authentication in DNS. This concludes the demonstration of performing DNS Enumeration using DNSSEC zone walking. You can also use other DNS enumeration tools such as LDNS, nsec3map, nsec3walker, and DNSwalk to perform DNS enumeration on the target domain. Close all open windows and document all the acquired information.
4.6. Perform RPC, SMB, and FTP Enumeration
As an ethical hacker or penetration tester, you should use different enumeration techniques to obtain as much information as possible about the systems in the target network. This lab will demonstrate various techniques for extracting detailed information that can be used to exploit underlying vulnerabilities in target systems, and to launch further attacks. Besides the methods of enumeration covered so far (NetBIOS, SNMP, LDAP, NFS, and DNS), various other techniques such as RPC, SMB, and FTP enumeration can be used to extract detailed network information about the target.
- RPC Enumeration: Enumerating RPC endpoints enables vulnerable services on these service ports to be identified
- SMB Enumeration: Enumerating SMB services enables banner grabbing, which obtains information such as OS details and versions of services running
- FTP Enumeration: Enumerating FTP services yields information about port 21 and any running FTP services; this information can be used to launch various attacks such as FTP bounce, FTP brute force, and packet sniffing
a. Perform RPC and SMB Enumeration using NetScanTools Pro
NetScanTools Pro is an integrated collection of Internet information-gathering and network-troubleshooting utilities for network professionals. The utility makes it easy to find IPv4/IPv6 addresses, hostnames, domain names, email addresses, and URLs related to the target system. It also captures the RPC information of the target network and enables detection of and access to the Portmapper daemon/service, which typically runs on port 111 on the target machine. Here, we will use the NetScanTools Pro tool to perform RPC and SMB enumeration.
Launch Windows 10 and open NetScanTools Pro Demo. The NetScanTools Pro main window appears. In the left pane, under Manual Tools (all), scroll down and click *nix RPC Info, as shown in the screenshot.
In the Target Hostname or IPv4 Address field in the right pane, enter the target IP address (in this case, 10.10.10.19) and click the Dump Portmap button to start RPC enumeration.
In the left pane, under the Manual Tools (all) section, scroll down and click the SMB Scanner option, as shown in the screenshot. In the right pane, click the Start SMB Scanner (external App) button.
The SMB Scanner window appears; click the Edit Target List button. The Edit Target List window appears. In the Hostname or IPv4 Address field, enter the target IP address (10.10.10.19, in this example). Click the Add to List button to add the target IP address to Target List. Similarly, add another target IP address (10.10.10.16, in this example) to Target List and click OK.
Now, click Edit Share Login Credentials to add credentials to access the target systems. The Login Credentials List for Share Checking window appears. Enter Administrator
and Pa$$w0rd
in the Username and Password fields, respectively. Click Add to List to add the credentials to the list and click OK.
In the SMB Scanner window, click the Get SMB Versions button. Once the scan is complete, the result appears, displaying information such as the NetBIOS Name, DNS Name, SMB versions, and Shares for each target IP address.
Right-click on any of the machines (in this example, we will use 10.10.10.19) and click View Shares from the available options. The Shares for 10.10.10.19 window appears, displaying detailed information about shared files such as Share Name, Type, Remark, Path, Permissions, and Credentials Used.
You can view the details of the shared files for the target IP address 10.10.10.16 in the same way. This concludes the demonstration of performing RPC and SMB enumeration on the target systems using NetScanTools Pro. Close all open windows and document all the acquired information.
b. Perform RPC, SMB, and FTP Enumeration using Nmap
Nmap is a utility used for network discovery, network administration, and security auditing. It is also used to perform tasks such as network inventory, service upgrade schedule management, and host or service uptime monitoring. Here, we will use Nmap to carry out RPC, SMB, and FTP enumeration.
Launch Windows Server 2019. Click on the File Explorer icon at the bottom of Desktop. In the File Explorer window, right-click on Local Disk (C:) and click New --> Folder. A New Folder appears. Rename it to FTP-Site Data, as shown in the screenshot.
Close the window and click on the Type here to search icon at the bottom of the Desktop. Type iis. In the search results, click on Internet Information Services Manager (IIS) Manager. In the Internet Information Services (IIS) Manager window, click to expand SERVER2019 (SERVER2019\Administrator) in the left pane. Right-click Sites, and then click Add FTP Site…. In the Add FTP Site window, type CEH.com in the FTP site name field. In the Physical path field, click on the icon. In the Browse For Folder window, click Local Disk (C:) and FTP-Site Data, and then click OK. In the Add FTP Site window, check the entered details and click Next.
The Binding and SSL Settings wizard appears. Under the Binding section, in the IP Address field, click the drop-down icon and select 10.10.10.19. Under the SSL section, select the No SSL radio button and click Next. The Authentication and Authorization Information wizard appears. In the Allow access to section, select All users from the drop-down list. In the Permissions section, select both the Read and Write options and click Finish.
The Internet Information Services (IIS) Manager window appears with a newly added FTP site (CEH.com) in the left pane. Click the Site node in the left pane and note that the Status is Started (ftp), as shown in the screenshot.
Close all windows.
Launch Parrot Security and open terminal. Switch to user root as well as back home of root. In the Parrot Terminal window, type nmap -p 21 [Target IP Address]
(in this case, 10.10.10.19) and press Enter. The scan result appears, indicating that port 21 is open and the FTP service is running on it, as shown in the screenshot.
In the terminal window, type nmap -T4 -A [Target IP Address]
(in this example, the target IP address is 10.10.10.19) and press Enter. In this command, -T4
specifies the timing template (the number can be 0-5) and -A
specifies that the ACK flag is set. The scan result appears, displaying that port 80 is open, and giving detailed information about the services running on it, along with their versions.
Click the MATE Terminal icon at the top of the Desktop window to open a new Terminal window. Switch to user root as well as back to home of root. In the terminal window, type nmap -p [Target Port] -A [Target IP Address]
(in this example, the target port is 445 and the target IP address is 10.10.10.19) and press Enter. In this command, -p
specifies the port to be scanned, and -A
specifies that the ACK flag is set. The scan result appears, displaying that port 445 is open, and giving detailed information under the Host script results section about the running SMB, as shown in the screenshot.
In the terminal window, type nmap -p [Target Port] -A [Target IP Address]
(in this example, the target port is 21 and target IP address is 10.10.10.19) and press Enter. The scan result appears, displaying that port 21 is open, and giving traceroute information, as shown in the screenshot.
This concludes the demonstration of performing RPC, SMB, and FTP enumeration using Nmap. Close all open windows and document all the acquired information.
4.7. Perform Enumeration using Various Enumeration Tools
The details obtained in the previous steps might not reveal all potential vulnerabilities in the target network. There may be more information available that could help attackers to identify loopholes to exploit. As an ethical hacker, you should use a range of tools to find as much information as possible about the target network’s systems. This lab activity will demonstrate further enumeration tools for extracting even more information about the target system. To recap(扼要重述) what you have learned so far, enumeration tools are used to collect detailed information about target systems in order to exploit them. The information collected by these enumeration tools includes data on the NetBIOS service, usernames and domain names, shared folders, the network (such as ARP tables, routing tables,traffic, etc.), user accounts, directory services, etc.
a. Enumerate Information using Global Network Inventory
Global Network Inventory is used as an audit scanner in zero deployment and agent-free environments. It scans single or multiple computers by IP range or domain, as defined by the Global Network Inventory host file. Here, we will use the Global Network Inventory to enumerate various types of data from a target IP address range or single IP.
Launch Windows 10 and open Global Network Inventory. The New Audit Wizard window appears; click Next. Under the Audit Scan Mode section, click the Single address scan radio button, and then click Next. (You can also scan an IP range by clicking on the IP range scan radio button, after which you will specify the target IP range.) Under the Single Address Scan section, specify the target IP address in the Name field of the Single address option (in this example, the target IP address is 10.10.10.16); Click Next.
The next section is Authentication Settings; select the Connect as radio button and enter the Windows Server 2016 machine credentials (Domain\Username: Administrator and Password: Pa$$w0rd), and then click Next. In reality, attackers do not know the credentials of the remote machine(s). In this situation, they choose the Connect as currently logged on user option and perform a scan to determine which machines are active in the network. With this option, they will not be able to extract all the information about the target system. Because this lab is just for assessment purposes, we have entered the credentials of the remote machine directly. In the final step of the wizard, leave the default settings unchanged and click Finish. The Scan progress window will appear.
The results are displayed when the scan finished. The Scan summary of the scanned target IP address (10.10.10.16) appears. Hover your mouse cursor over the Computer details under the Scan summary tab to view the scan summary, as shown in the screenshot.
Click the Operating System tab and hover the mouse cursor over Windows details to view the complete details of the machine.
Click the BIOS tab, and hover the mouse cursor over windows details to display detailed BIOS settings information.
Click the NetBIOS tab, and hover the mouse cursor over any NetBIOS application to display the detailed NetBIOS information about the target.
Click the User groups tab and hover the mouse cursor over any username to display detailed user groups information.
Click the Users tab, and hover the mouse cursor over the username to view login details for the target machine.
Click the Services tab and hover the mouse cursor over any service to view its details.
Click the Installed software tab, and hover the mouse cursor over any software to view its details.
Click the Shares tab, and hover the mouse cursor over any shared folder to view its details.
Similarly, you can click other tabs such as Computer System, Processors, Main board, Memory, SNMP systems, Main board, and Hot fixes. Hover the mouse cursor over elements under each tab to view their detailed information. This concludes the demonstration of performing enumeration using the Global Network Inventory. Close all open windows and document all the acquired information.
b. Enumerate Network Resources using Advanced IP Scanner
Advanced IP Scanner provides various types of information about the computers on a target network. The program shows all network devices, gives you access to shared folders, provides remote control of computers (via RDP and Radmin), and can even remotely switch computers off. Here, we will use the Advanced IP Scanner to enumerate the network resources of the target network.
Launch Windows Server 2019 and open Advanced IP Scanner. The Advanced IP Scanner GUI appears. In the IP address range field, specify the IP range (in this example, we will target 10.10.10.5-10.10.10.20). Click the Scan button. Advanced IP Scanner scans the target IP address range, with progress tracked by the status bar at the bottom of the window. Wait for the scan to complete. The scan results appear, displaying information about active hosts in the target network such as status, machine name, IP address, manufacturer name, and MAC addresses, as shown in the screenshot.
Click the Expand all icon to view the shared folders and services running on the target network. The shared folders and services running on the target network appear, as shown in the screenshot.
Right-click any of the detected IP addresses to list available options.
Using these options, you can ping, traceroute, transfer files, chat, send a message, connect to the target machine remotely (using Radmin), etc. In the same way, you can select various other options to retrieve shared files, view system-related information, etc. This concludes the demonstration of enumerating network resources using Advanced IP Scanner. Close all open windows and document all the acquired information.
c. Enumerate Information from Windows and Samba Hosts using Enum4linux
Enum4linux is a tool for enumerating information from Windows and Samba systems. It is used for share enumeration, password policy retrieval, identification of remote OSes, detecting if hosts are in a workgroup or a domain, user listing on hosts, listing group membership information, etc. Here, we will use the Enum4Linux to perform enumeration on a Windows and a Samba host.
Launch Parrot Security and open terminal. Switch to user of root as well as back to home of root. In the Parrot Terminal window, type enum4linux -h
and press Enter to view the various options available with enum4linux. The help options appear, as shown in the screenshot. In this lab, we will demonstrate only a few options to conduct enumeration on the target machine.
We will first enumerate the NetBIOS information of the target machine. In the terminal window, type enum4linux -u martin -p apple -n [Target IP Address]
(in this case, 10.10.10.16) and hit Enter. In this command, -u user
specifies the username to use and -p pass
specifies the password. The tool enumerates the target system and displays the NetBIOS information under the Nbtstat Information section, as shown in the screenshot.
In the terminal window, type enum4linux -u martin -p apple -U [Target IP Address]
(in this case, 10.10.10.16) and hit Enter to run the tool with the “get userlist” option.
Enum4linux starts enumerating and displays data such as Target Information, Workgroup/Domain, domain SID (security identifier), and the list of users, along with their respective RIDs (relative identifier), as shown in the screenshots below.
Second, we will obtain the OS information of the target; type enum4linux -u martin -p apple -o [Target IP Address]
(in this case, 10.10.10.16) and hit Enter. The tool enumerates the target system and lists its OS details, as shown in the screenshot.
Third, we will enumerate the password policy information of our target machine. In the terminal window, type enum4linux -u martin -p apple -P [Target IP Address]
(in this case, 10.10.10.16) and hit Enter. The tool enumerates the target system and displays its password policy information, as shown in the screenshot.
Fourth, we will enumerate the target machine’s group policy information. In the terminal window, type enum4linux -u martin -p apple -G [Target IP Address]
(in this case, 10.10.10.16) and hit Enter. The tool enumerates the target system and displays the group policy information, as shown in the screenshot.
It further enumerates the built-in group memberships, local group memberships, etc. displaying them as shown in the screenshot.
Finally, we will enumerate the share policy information of our target machine. Type enum4linux -u martin -p apple -S [Target IP Address]
(in this case, 10.10.10.16) and hit Enter. The result appears, displaying the enumerate shared folders on the target system.
This concludes the demonstration performing enumeration using Enum4linux. Close all open windows and document all the acquired information.