Objective: Extract information about the target organization that includes, but is not limited to:
- Machine names, their OSes, services, and ports
- Network resources
- Usernames and user groups
- Lists of shares on individual hosts on the network
- Policies and passwords
- Routing tables
- Audit and service settings
- SNMP and FQDN details
Machines Used:
- Windows 10
- Windows Server 2019
- Parrot OS
Applications/Tools Overview:
- NetBIOS enumeration
- Windows command-line utilities
- NetBIOS Enumerator
- NSE Scripting
- SNMP enumeration
- snmp-check
- SoftPerfect Network Scanner
- LDAP enumeration
- Active Directory Explorer (AD Explorer)
- NFS enumeration
- RPCScan and SuperEnum
- DNS enumeration
- Zone transfers
- DNSSEC zone walking
- RPC, SMB, and FTP enumeration
- NetScanTools Pro
- Nmap
Category: NetBIOS enumeration
Overview – NetBIOS stands for Network Basic Input Output System. Windows uses NetBIOS for file and printer sharing. A NetBIOS name is a unique computer name assigned to Windows systems, comprising a 16-character ASCII string that identifies the network device over TCP/IP. The first 15 characters are used for the device name, and the 16th is reserved for the service or name record type.
Applications/Tools:
Name: Windows command-line utilities
Objective: Perform NetBIOS enumeration using Windows command-line utilities
Function: Use the nbtstat and net use Windows command-line utilities to perform NetBIOS enumeration.
Commands and Options:
- nbtstat
- Displays NetBIOS over TCP/IP (NetBT) protocol statistics, NetBIOS name tables for both the local computer and remote computers, and the NetBIOS name cache. This command also allows a refresh of the NetBIOS name cache and the names registered with Windows Internet Name Service (WINS). Used without parameters, this command displays Help information.
Syntax
- nbtstat [-a RemoteName] [-A IPAddress] [-c] [-n] [-r] [-R] [-RR] [-s] [-S] [Interval]
- nbtstat -a <IP address>
- Displays the NetBIOS name table of a remote machine (-a takes the remote NetBIOS name; -A takes its IP address)
- nbtstat -c
- Displays the contents of the NetBIOS name cache
- net use
- Connects a computer to or disconnects a computer from a shared resource, or displays information about computer connections. The command also controls persistent net connections. Used without parameters, net use retrieves a list of network connections.
Results: Extracting NetBIOS information gives a better picture of the connected devices and shared folders on a network. Because it uses the built-in command-line interface, this can be done fairly stealthily: the attacker does not need to import any tools, and it is all done remotely.
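As an added example (not part of the lab or the CEH material), a small Python parser for nbtstat -A output that decodes the 16th-byte suffix described in the overview, so a defender can turn a name table into the roles a host advertises and compare them with the asset inventory; the sample output, host name, domain and MAC address are constructed.

```python
import re

# Standard NetBIOS suffix codes (the 16th byte of the name) relevant to inventory.
SUFFIX_MEANING = {0x00: "Workstation Service / domain name", 0x1B: "Domain Master Browser",
                  0x1C: "Domain Controllers group", 0x20: "File Server Service"}

# Constructed sample of `nbtstat -A` output; host, domain and MAC are made up.
SAMPLE_NBTSTAT = """\
Node IpAddress: [10.10.10.10] Scope Id: []
           NetBIOS Remote Machine Name Table
       Name               Type         Status
    ---------------------------------------------
    SERVER2019     <00>  UNIQUE      Registered
    CEH            <00>  GROUP       Registered
    CEH            <1C>  GROUP       Registered
    SERVER2019     <20>  UNIQUE      Registered
    CEH            <1B>  UNIQUE      Registered

    MAC Address = 00-15-5D-01-02-03
"""

ROW_RE = re.compile(r"^\s*(\S+)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\w+)\s*$")
MAC_RE = re.compile(r"MAC Address\s*=\s*([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})")

def parse_nbtstat(output):
    """Turn the name table into records with the suffix byte decoded."""
    names = []
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # headers, separators, blank lines
        name, suffix, kind, status = m.groups()
        code = int(suffix, 16)
        names.append({"name": name, "suffix": code, "type": kind, "status": status,
                      "meaning": SUFFIX_MEANING.get(code, "other")})
    mac = MAC_RE.search(output)
    return {"names": names, "mac": mac.group(1) if mac else None}

def host_roles(parsed):
    """Roles the host advertises; a defender compares these with the asset inventory."""
    roles = set()
    for r in parsed["names"]:
        if r["suffix"] == 0x20 and r["type"] == "UNIQUE":
            roles.add("file-server:" + r["name"])
        elif r["suffix"] == 0x1C and r["type"] == "GROUP":
            roles.add("domain-controller-for:" + r["name"])
        elif r["suffix"] == 0x1B:
            roles.add("domain-master-browser-for:" + r["name"])
    return sorted(roles)
```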
Name: NetBIOS Enumerator
Objective: Perform NetBIOS enumeration using NetBIOS Enumerator
Function: NetBIOS Enumerator is a GUI tool that enumerates NetBIOS information from remote hosts on a network.
Commands and Options: This is a GUI tool that does everything for you. It can map out a local network that has open connections, but it needs to be installed locally to do any kind of enumeration.
Results: Not a very practical example, but it does present the results in a nice format when the scan is complete.
Name: nmap
Objective: Perform NetBIOS enumeration using an NSE Script
Function: This is another of Nmap's scripting abilities, as previously mentioned in the Module 3 labs. What is on display here specifically is its NetBIOS enumeration capability.
Commands and Options:
Basic Usage:
- nmap <options> <IP address>
Example
- nmap -sU --script nbstat.nse -p 137 10.10.10.10
Results: This grabs the host's NetBIOS names, MAC address, names of logged-on users, and all the names the system thinks it owns.
Other Similar Tools:
- Global Network Inventory
- Advanced IP Scanner
- Hyena
- Nsauditor Network Security Auditor
Category: SNMP enumeration
Overview – SNMP enumeration uses SNMP to create a list of the user accounts and devices on a target computer.
Name: snmp-check
Objective: Perform SNMP enumeration using snmp-check
Function: Use the tool to enumerate SNMP services on the target IP address.
Commands and Options:
Go down this rabbit hole if you see that port 161 is open (the default SNMP port).
Results: The lab doesn't mention anything about SNMP versions, or that a host running SNMPv3 no longer uses the community strings this enumeration relies on. If the host is running v1 or v2, you can get all kinds of juicy information about the network and the target: system information, user accounts, network interfaces/IPs, routing tables, processes, shares, and file information.
Name: SoftPerfect Network Scanner
Objective: Perform SNMP enumeration using SoftPerfect Network Scanner
Function: A GUI based application that can scan a network range. In this case we are specifically looking for the SNMP protocol.
Commands and Options: Example usage for SNMP
- In the Options menu, click Remote SNMP…. The SNMP pop-up window will appear.
- Click the Mark All/None button to select all the items available for SNMP scanning and close the window.
- To scan your network, enter an IP range in the IPv4 From and To fields (in this example, the target IP address range is 10.10.10.5-10.10.10.20), and click the Start Scanning button.
Results: The output here is the same as the other tools in the lab and displays nearly identical results. It does seem to have some more functionality that is not explored in this section.
Category: LDAP enumeration
Overview – LDAP enumeration allows you to gather information about usernames, addresses, departmental details, server names, etc.
Name: Active Directory Explorer (AD Explorer)
Objective: Perform LDAP Enumeration using Active Directory Explorer
Function: Use this tool to navigate and view AD users and permissions, as well as edit them. This is an administrative tool that requires elevated permissions to actually use. The enumeration done here could allow you to create a remote DA (Domain Admin) and assign all privileges to them.
Commands and Options: GUI Based
Example Usage
- The Connect to Active Directory pop-up appears; type the IP address of the target in the Connect to field (in this example, we are targeting the Windows Server 2016 machine: 10.10.10.16) and click OK.
- Now, expand DC=CEH, DC=com, and CN=Users by clicking “+” to explore domain user details.
- Click any username (in the left pane) to display its properties in the right pane.
- Right-click any attribute in the right pane (in this case, displayName) and click Modify… from the context menu to modify the user’s profile.
- The Modify Attribute window appears. First, select the username under the Value section, and then click the Modify… button. The Edit Value pop-up appears. Rename the username in the Value data field and click OK to save the changes.
- You can read and modify other user profile attributes in the same way.
Results: This is a powerful administrative tool, and if it is installed on your network you need to be aware of the power it has.
Similar Tools:
- Softerra LDAP Administrator
- LDAP Admin Tool
- LDAP Account Manager
- LDAP Search
- JXplorer
Category: NFS enumeration
Overview – Perform NFS enumeration to identify exported directories and extract a list of clients connected to the server, along with their IP addresses and shared data associated with them.
Name: RPCScan and SuperEnum
Objective: Perform NFS Enumeration using RPCScan and SuperEnum
Function: If you find an open NFS port, it is possible to enumerate more information from that shared service. Use the two tools built into Parrot OS to extract as much information as possible. SuperEnum can scan and search through a file for more detailed enumeration.
Commands and Options:
RPCscan
- python3 rpc-scan.py <IP address> --rpc
Superenum
- ./superenum <File>
Results: Using these tools you can verify that the target has NFS running, if you happen to find an open port. Using SuperEnum you can then get detailed information on the shares of the system. I think that the lab presented the two tools out of order.
Category: DNS enumeration
Overview – This process yields information such as DNS server names, hostnames, machine names, usernames, IP addresses, and aliases assigned within a target domain.
Name: Zone transfers
Objective: Perform DNS Enumeration using Zone Transfer
Function: Enumerate the target by testing the DNS capabilities and defense measures in place by attempting a zone transfer.
Commands and Options:
dig
Usage
- dig <domain>
- dig -h (There are far too many options to list)
nslookup
Displays information that you can use to diagnose Domain Name System (DNS) infrastructure.
Usage
- nslookup (puts the command line into live/interactive mode)
- set <options>
- set querytype=soa (retrieves the zone's SOA record, which holds the admin zone info)
- ls <options> <domain>
- ls -d ns1.bluehost.com (requests a zone transfer)
Results: After retrieving DNS name server information, the attacker can use one of the servers to test whether the target DNS allows zone transfers or not. In this case, the zone transfer was refused for the target domain.
Name: DNSSEC zone walking
Objective: Perform DNS Enumeration using DNSSEC Zone Walking
Function: A technique used to obtain the internal records of the target DNS server if it is not configured properly. This helps you build a network map.
Commands and Options:
dnsrecon
Usage
dnsrecon <options> <domain> <mode>
- -d specifies the target domain
- -z sets the scanner to DNSSEC zone walk
Results: Using the DNSRecon tool, the attacker can enumerate general DNS records for a given domain (MX, SOA, NS, A, AAAA, SPF, and TXT). These DNS records contain digital signatures based on public-key cryptography to strengthen authentication in DNS.
Similar Tools:
- LDNS
- nsec3map
- nsec3walker
- DNSwalk
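Added example, not from the lab or from dnsrecon: a Python walk of a constructed NSEC chain showing why plain NSEC discloses every name in a zone, beside the RFC 5155 NSEC3 owner-name hash that replaces the names with hashes (the countermeasure a zone owner would choose); the zone and its names are made up.

```python
import base64
import hashlib

# Constructed NSEC chain for a hypothetical zone (not any real zone's data). Each owner
# name points to the next name in canonical order; the last record wraps to the apex.
NSEC_CHAIN = {
    "example.com.": "alpha.example.com.",
    "alpha.example.com.": "mail.example.com.",
    "mail.example.com.": "www.example.com.",
    "www.example.com.": "example.com.",
}

def walk_nsec(chain, apex):
    """Follow NSEC 'next name' pointers from the apex until the chain wraps around.
    The result is every owner name in the zone, which is exactly what zone walking leaks."""
    names, current = [], apex
    while True:
        names.append(current)
        current = chain[current]
        if current == apex:
            return names

def to_wire(name):
    """Canonical wire form of a DNS name: length-prefixed lowercase labels, then the root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "0123456789ABCDEFGHIJKLMNOPQRSTUV")

def nsec3_hash(name, salt=b"", iterations=0):
    """RFC 5155 NSEC3 owner-name hash: SHA-1(wire name || salt), then `iterations` further
    rounds of SHA-1(previous digest || salt), encoded as base32hex (32 chars, no padding)."""
    digest = hashlib.sha1(to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32HEX).lower()

def nsec3_view(chain, salt=b"", iterations=0):
    """What the same zone exposes when signed with NSEC3: hashed owner names only, so a
    walker learns how many names exist but not the names themselves."""
    return sorted(nsec3_hash(n, salt, iterations) for n in chain)
```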
Category: RPC, SMB, and FTP enumeration
RPC Overview: RPC is an inter-process communication (IPC) mechanism that enables data exchange and invocation of functionality residing in a different process.
SMB Overview: The Server Message Block (SMB) protocol is a network file sharing protocol that allows applications on a computer to read and write to files and to request services from server programs in a computer network. The SMB protocol can be used on top of its TCP/IP protocol or other network protocols. Using the SMB protocol, an application (or the user of an application) can access files or other resources at a remote server. This allows applications to read, create, and update files on the remote server. SMB can also communicate with any server program that is set up to receive an SMB client request.
FTP Overview: The File Transfer Protocol (FTP) is a standard network protocol used to transfer computer files between a client and server on a computer network. FTP is built on a client-server model architecture and uses separate control and data connections between the client and the server.
Name: NetScanTools Pro
Objective: Perform RPC and SMB Enumeration using NetScan Tools Pro
Function: NetScanTools Pro was previously covered in Module 3; the features used here are the RPC Information tool and the SMB Scanner tool.
Commands and Options: Like last time this application uses a GUI based format where you select what you want to do from a menu and input the IP range you want to scan.
Results: Upon enumeration you can gather detailed information about shared files such as share name, type, remark, path, permissions, and credentials used. You can also get information such as the NetBIOS names, DNS info, SMB versions, and share names.
Name: Nmap
Objective: Perform RPC, SMB, and FTP Enumeration using Nmap
Function: Again, Nmap is one of the most widely used and powerful network scanning and enumeration tools there is.
Commands and Options: The scan shown in the labs really just has you select the default port number for the service you are looking for with the -p flag.
Results: This shows that the port is open and what version the service is running.
Precautions: Enumeration can reveal a ton of information. Even if you have permission to scan a network and perform a security assessment, ensure you document everything you find. If there is something on the network that does not belong to the company that hired you, then you are not entitled to access it.
Countermeasures/Mitigation:
- UPDATE AND PATCH. Turn off multicast name resolution and disable NetBIOS over TCP/IP.
- SNMP: only use SNMPv3 and ensure only the highest-level users have access. Use and apply ACLs. Strictly monitor SNMP devices that have read/write abilities. Segregate SNMP traffic to a separate management network.
- LDAP/AD: change default settings in AD, remove accounts when an employee leaves the company, and have a good password policy. Employ good access control.
- NFS: use NFSv4 and ensure proper file permissions are set.
- DNS: don't allow zone transfers. Use DNSSEC and DNS filtering.
- RPC/SMB/FTP: turn off the sharing services if they are unnecessary.
Personal Reflection: I think that this module really could have been combined with the scanning module. Scanning an entire network to see what services are running and then checking version/info on those services should be done at the same time. Breaking it up like this is almost confusing because it has you bouncing around using different tools and then going back to one you just had open. I think a better way could be to stick with one or two tools and then work your way through the cyber kill chain.
Works Cited (MLA):
EC-Council. Certified Ethical Hacker (CEH) Version 11 eBook w/ iLabs (Volumes 1 through 4). International Council of E-Commerce Consultants (EC Council), 2020. [VitalSource Bookshelf].
Wibjorn. “Developer Tools, Technical Documentation and Coding Examples.” Web. 16 Feb. 2021. https://.docs.micorsoft.com