Enumeration

4.1 Learn the system hacking cycle, and understand enumeration and its techniques
Exam Focus: Learn the system hacking cycle, and understand enumeration and its techniques.
Objective includes:
- Learn the system hacking cycle.
- Understand enumeration and its techniques.
System hacking cycle
The system hacking cycle is the sequence of steps an attacker follows to enumerate an operating
system and gain unauthorized access to it. It has the following steps:
1. Enumerate users: Get user information by using various techniques, such as by using
NetBIOS NULL session or by using SNMP probing.
2. Crack the password: Crack the password by using various password cracking tools and
gaining access into the system.
3. Escalate privileges: Get the privilege of administrative account.
4. Execute applications: Execute keyloggers, spyware, Trojan, virus, worms, etc.
5. Hide files: Hide files/information using steganography techniques.
6. Cover your tracks: Erase tracks and hacking evidences.
Enumeration
Enumeration is the process used to extract user names, machine names, network resources,
shares, and services from a system. Enumeration techniques are performed in an Intranet
environment. The following techniques are used in the enumeration phase:
1. Obtaining Active Directory information and identifying vulnerable user accounts
2. Discovering NetBIOS names
3. Employing Windows DNS queries
4. Establishing NULL sessions and queries
The following types of information are enumerated by intruders:
- Network resources and shares
- Users and groups
- Applications and banners
- Auditing settings
Enumeration techniques used by attackers
The following are the techniques of enumeration that can be used by attackers:
- Extracting usernames using email IDs
- Extracting information using default passwords
- Extracting usernames using SNMP
- Brute-forcing Active Directory
- Extracting user groups from Windows
- Extracting information using DNS zone transfer
NetBIOS
NetBIOS is a Microsoft service that enables applications on different computers to communicate
within a LAN. NetBIOS systems identify themselves with a 15-character unique name and use
Server Message Block (SMB), which allows remote directory, file and printer sharing, etc. 137/UDP
is the default port of the NetBIOS Name Resolution Service.
NetBIOS enumeration
NetBIOS enumeration is used by attackers to obtain the list of computers that belong to a domain,
the list of shares on individual hosts on the network, and policies and passwords. SuperScan and
NetBIOS Enumerator are NetBIOS enumeration tools. The following services are offered on
different ports:
Port          Service
TCP 53        DNS zone transfer
TCP 135       Microsoft RPC Endpoint Mapper
TCP 137       NetBIOS Name Service (NBNS)
UDP 139       NetBIOS Session Service (SMB over NetBIOS)
TCP 445       SMB over TCP (Direct Host)
UDP 161       Simple Network Management Protocol
TCP/UDP 389   Lightweight Directory Access Protocol
TCP/UDP 3368  Global Catalog Service
NBTscan
NBTscan is a scanner that scans IP networks for NetBIOS name information. It sends a NetBIOS
status query to each address in a supplied range and lists the received information in human-readable
form. It displays the following information for each responding host:
- IP address
- NetBIOS computer name
- Logged-in user name
- MAC address
Although NBTscan operates in the same way as nbtstat, it works on a range of addresses instead
of just one.
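The four fields NBTscan prints all come from one NetBIOS node status response (the "status query" above). The following is an added Python example, not part of the original text and not code from the NBTscan project: it constructs such a response in the RFC 1002 wire format, parses the name table and the unit ID, and derives the computer name, workgroup, logged-in user and MAC from the name suffixes the way an NBTscan-style tool does. The host WS01, workgroup CORP, user JSMITH and the MAC address are constructed sample values.

```python
import struct

NBSTAT_RR_TYPE = 0x0021      # RR type NBSTAT (RFC 1002, node status response)
NAME_FLAG_GROUP = 0x8000     # G bit in NAME_FLAGS: 1 = group name, 0 = unique name
NAME_FLAG_ACTIVE = 0x0400    # ACT bit: the name is active on this node


def encode_nb_name(name, suffix=0x00):
    """First-level encode a NetBIOS name: pad to 15 chars, append the suffix byte,
    then write each byte as two nibbles in the range 'A'..'P'."""
    pad = "\x00" if name == "*" else " "          # the wildcard name is NUL-padded
    raw = name.upper().ljust(15, pad)[:15].encode("ascii") + bytes([suffix])
    enc = bytes(b for byte in raw for b in (0x41 + (byte >> 4), 0x41 + (byte & 0x0F)))
    return bytes([len(enc)]) + enc + b"\x00"


def build_node_status_response(txid, names, mac):
    """Construct a node status response. `names` holds (name, suffix, is_group)
    tuples; `mac` is the 6-byte UNIT_ID that opens the STATISTICS field."""
    header = struct.pack("!HHHHHH", txid, 0x8400, 0, 1, 0, 0)   # response, authoritative
    rdata = bytes([len(names)])
    for name, suffix, is_group in names:
        flags = NAME_FLAG_ACTIVE | (NAME_FLAG_GROUP if is_group else 0)
        rdata += name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
        rdata += struct.pack("!H", flags)
    rdata += mac + bytes(40)            # STATISTICS: UNIT_ID then counters (zeroed here)
    rr = encode_nb_name("*") + struct.pack("!HHIH", NBSTAT_RR_TYPE, 1, 0, len(rdata))
    return header + rr + rdata


def parse_node_status_response(pkt):
    """Parse a node status response into ([(name, suffix, is_group)], mac_bytes)."""
    _txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if not flags & 0x8000 or ancount != 1:
        raise ValueError("not a single-answer NetBIOS response")
    off = 12
    while pkt[off]:                      # skip the RR_NAME labels
        off += 1 + pkt[off]
    off += 1
    rtype, _rclass, _ttl, _rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
    off += 10
    if rtype != NBSTAT_RR_TYPE:
        raise ValueError("not an NBSTAT record")
    num_names, off = pkt[off], off + 1
    entries = []
    for _ in range(num_names):
        raw, suffix = pkt[off:off + 15], pkt[off + 15]
        (nflags,) = struct.unpack("!H", pkt[off + 16:off + 18])
        entries.append((raw.decode("ascii", "replace").rstrip(), suffix,
                        bool(nflags & NAME_FLAG_GROUP)))
        off += 18
    mac = pkt[off:off + 6]              # UNIT_ID: the adapter's MAC address
    return entries, mac


def summarize(entries, mac):
    """Derive what an NBTscan-style tool prints from the raw name table."""
    computer = next((n for n, s, g in entries if s == 0x00 and not g), None)
    domain = next((n for n, s, g in entries if s == 0x00 and g), None)
    # Unique <03> names belong to the messenger service: one is the host, the other the user.
    user = next((n for n, s, g in entries if s == 0x03 and not g and n != computer), None)
    return {"computer": computer, "domain": domain, "user": user,
            "mac": ":".join(f"{b:02x}" for b in mac)}


# Constructed sample: a workstation WS01 in workgroup CORP with JSMITH logged in.
SAMPLE_NAMES = [("WS01", 0x00, False), ("CORP", 0x00, True), ("WS01", 0x03, False),
                ("JSMITH", 0x03, False), ("WS01", 0x20, False), ("CORP", 0x1E, True)]
SAMPLE_MAC = bytes.fromhex("001122334455")
SAMPLE_PACKET = build_node_status_response(0x1234, SAMPLE_NAMES, SAMPLE_MAC)

if __name__ == "__main__":
    found, unit_id = parse_node_status_response(SAMPLE_PACKET)
    for name, suffix, is_group in found:
        print(f"{name:<16}<{suffix:02X}>  {'GROUP' if is_group else 'UNIQUE'}")
    print(summarize(found, unit_id))
```

Reading the table this way makes the exposure concrete for a defender: a host that answers UDP/137 status queries hands out its name, workgroup, the current interactive user and its MAC to anyone on the segment, which is why the SMB countermeasures later in this chapter matter.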
PsTools
PsTools is a set of command-line utilities that allow the Network Administrator to manage local
and remote systems. All of the utilities in the PsTools suite work on most Windows operating
systems. The following tools are included in the PsTools suite:
- PsExec executes processes remotely.
- PsFile shows files opened remotely.
- PsGetSid displays the SID of a computer or a user.
- PsInfo lists information about a system.
- PsKill kills processes by name or process ID.
- PsList lists detailed information about processes.
- PsLoggedOn shows who is logged on locally and via resource sharing (full source is
  included).
- PsLogList dumps event log records.
- PsPasswd changes account passwords.
- PsService controls services.
- PsShutdown shuts down and optionally reboots a computer.
- PsSuspend suspends processes.
- PsUptime shows the user how long a system has been running since its last reboot
  (PsUptime's functionality has been incorporated into PsInfo).
LDAP enumeration
The Lightweight Directory Access Protocol (LDAP) is used for accessing the directory listing
within Active Directory or from other directory services. A directory is compiled in a
hierarchical and logical format such as the levels of management and employees in a company. It
tends to be tied into the Domain Name System in order to permit the integrated quick lookups
and fast resolutions of queries. The following are LDAP enumeration tools:
- JXplorer
- Symlabs LDAP Browser
- Softerra LDAP Administrator
- LDAP Admin Tool
- LDAP Browser Editor
- LDAP Account Manager
- LDAP Explorer Tool
- LEX - The LDAP Explorer
- ldp.exe
NTP enumeration
NTP enumeration is a method in which the NTP protocol is used to grab valuable data from a
vulnerable network. The NTP protocol is used to synchronize the time and date between
computers in the network. When an attacker queries the NTP server, he could get some vital
information. NTP enumeration is mainly performed by the following Linux commands:
- ntpdate
- ntptrace
- ntpdc
- ntpq
The following are NTP enumeration tools:
- PresenTense Time Client
- PresenTense NTP Auditor
- LAN Time Analyser
- NTP Time Server Monitor
- NTP Server Checker
- Time Watch
- AtomSync
NTP Server Scanner is an NTP server discovery tool. It is used to easily locate NTP and SNTP
servers on the network or the Internet. It supports administrators in setting up and configuring time
management on their networks. It automatically scans and displays the available servers.
PresenTense Time Server
PresenTense Time Server can be used to synchronize PCs to a primary time source, such as an
atomic clock on the Internet or an in-house GPS receiver. It provides time services to clients in
the local area network.
Simple Mail Transfer Protocol
Simple Mail Transfer Protocol (SMTP) is a protocol used for sending e-mail messages between
servers. E-mailing systems use this protocol to send mails over the Internet. The SMTP
enumeration can be performed manually via utilities like telnet and netcat or automatically via a
variety of tools, such as Metasploit, nmap, and smtp-user-enum. NetScanTools Pro is an SMTP
enumeration tool.
DNS zone
A DNS zone is a contiguous portion of the DNS tree and is administered as a single separate
entity by a DNS name server. It is a unit that stores authoritative information about the DNS
namespace and resource records, and the names and IP addresses of all name servers in the zone.
A DNS zone can consist of a single domain or a domain with sub-domains. DNS zones are the
main units of replication in DNS. The three DNS zone types are as follows:
- Primary DNS zone: Whenever a new user or host is added to the network, the administrator
  needs to create a new record on the primary name server because only the primary zone is
  meant to be modified. The primary server maintains all the records for the DNS zones, and
  updates occur only on the primary server.
- Secondary DNS zone: A secondary DNS zone is a read-only copy of the primary DNS zone.
  The changes made to the primary zone file on an authoritative DNS server are replicated to
  the secondary zone file on another DNS server. Secondary zones are used to improve zone
  availability.
- Stub DNS zone: A stub zone is a read-only copy of a zone, and it obtains its resource records
  from other name servers. The DNS server that hosts a stub zone is configured with the IP
  address of the authoritative server from which it loads. DNS servers can use stub zones for
  both iterative and recursive queries. When a DNS server hosting a stub zone receives a
  recursive query for a computer name in the zone that the stub zone refers to, the DNS server
  uses the IP address to query the authoritative server. If the query is iterative, the DNS server
  returns a referral to the DNS servers listed in the stub zone. A stub zone reduces the amount
  of DNS traffic on the network and makes DNS more efficient, especially over slow WAN links.
DNS zone transfer enumeration
In DNS zone transfer enumeration, an attacker attempts to retrieve a copy of the entire zone file
for a domain from a DNS server. The information provided by the DNS zone can help the
attacker gather user names, passwords, and other valuable information. To attempt a zone
transfer, the attacker must be connected to the DNS server that is the authoritative server for that
zone. Besides this, the attacker can launch a Denial of Service attack against the zone's DNS
servers by flooding them with a lot of requests.
Men & Mice Suite
The Men & Mice Suite provides comprehensive DNS analysis and AD monitoring capabilities.
It performs over 80 different tests on the DNS configuration and enumerates and reports any
issue that might affect the health of your DNS.
Commands used to enumerate UNIX network resources
The following commands are used to enumerate UNIX network resources:
- showmount: It is used to find the shared directories on the machine.
  [root $] showmount -e 19x.16x.xxx.x
- finger: It is used to enumerate the user and the host. It enables the user to view the user's
  home directory, login time, idle times, office location, and the last time they both received or
  read mail.
  [root $] finger -l @target.hackme.com
- rpcclient: It is used to enumerate usernames on Linux and OS X.
  [root $] rpcclient $> netshareenum
- rpcinfo (RPC): It is used to enumerate the Remote Procedure Call protocol. The RPC protocol
  permits applications to communicate over the network.
  [root $] rpcinfo -p 19x.16x.xxx.xx
inetd daemon
Linux uses the inetd daemon to control most of its network services. inetd handles
communication for these services by listening on their specific TCP/IP ports. When a request
comes in, inetd starts the service required to process the request. The /etc/inetd.conf
configuration file holds the configuration information for these services.
DNS zone transfer countermeasures
The following are the DNS zone transfer countermeasures:
- Do not allow DNS zone transfers, using the DNS property sheet:
  1. Open DNS.
  2. Right-click a DNS zone and click Properties.
  3. On the Zone Transfer tab, clear the Allow zone transfers check box.
- Configure the master DNS server to allow zone transfers only from secondary DNS servers:
  1. Open DNS.
  2. Right-click a DNS zone and click Properties.
  3. On the Zone Transfer tab, select the Allow zone transfers check box, and then do one of
     the following:
     - To allow zone transfers only to the DNS servers listed on the Name Servers tab, click
       Only to the servers listed on the Name Server tab.
     - To allow zone transfers only to specific DNS servers, click Only to the following servers,
       and add the IP address of one or more servers.
- Deny all unauthorized inbound connections to TCP port 53.
- Implement DNS keys and encrypted DNS payloads.
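The property-sheet steps above restrict which hosts may pull a zone from a Windows DNS server; on BIND the equivalent control is the allow-transfer statement, either in the options block (global default) or per zone. The following is an added Python example, not part of the original text and not BIND's own tooling, that audits a constructed named.conf and reports every primary zone whose transfers are unrestricted. It goes beyond the page's Windows-only procedure. The configuration text, zone names and addresses are constructed; the rule that a zone with no allow-transfer of its own inherits the options-level value, and that a zone with none anywhere is reported as open, is an assumption to verify against the BIND version actually deployed.

```python
import re


def _blocks(cfg, keyword):
    """Return (header, body) for each `<keyword> <header> { body };` block in a
    BIND-style config, matching braces so nested blocks stay inside the body."""
    found = []
    for m in re.finditer(r"\b" + keyword + r"\b([^{;]*)\{", cfg):
        depth, i = 1, m.end()
        while depth and i < len(cfg):
            depth += {"{": 1, "}": -1}.get(cfg[i], 0)
            i += 1
        found.append((m.group(1).strip(), cfg[m.end():i - 1]))
    return found


def _allow_transfer(body):
    """Parse `allow-transfer { a; b; };` into ['a', 'b'], or None if absent."""
    m = re.search(r"allow-transfer\s*\{([^}]*)\}", body)
    if not m:
        return None
    return [e.strip() for e in m.group(1).split(";") if e.strip()]


def audit_zone_transfers(cfg):
    """Report, per primary zone, whether AXFR is restricted to named secondaries."""
    opts = _blocks(cfg, "options")
    global_acl = _allow_transfer(opts[0][1]) if opts else None
    findings = []
    for header, body in _blocks(cfg, "zone"):
        name = re.search(r'"([^"]+)"', header).group(1)
        ztype = re.search(r"\btype\s+(\w+)", body)
        if not ztype or ztype.group(1) not in ("master", "primary"):
            continue                     # only primaries serve AXFR for their own data
        own = _allow_transfer(body)
        acl, origin = (own, "zone") if own is not None else (global_acl, "options")
        if acl is None:
            # Assumption: no allow-transfer anywhere is reported as open; older BIND
            # releases defaulted to { any; }, so check the deployed version's default.
            findings.append((name, "OPEN", "no allow-transfer configured"))
        elif any(e.lower() == "any" for e in acl):
            findings.append((name, "OPEN", f"allow-transfer {{ any; }} from {origin} block"))
        elif [e.lower() for e in acl] == ["none"]:
            findings.append((name, "OK", "zone transfers disabled"))
        else:
            findings.append((name, "OK", "restricted to " + ", ".join(acl)))
    return findings


# Constructed named.conf: a weak global default, one zone that overrides it
# correctly, one that silently inherits it, and a secondary that is skipped.
SAMPLE_NAMED_CONF = """
options {
    directory "/var/named";
    allow-transfer { any; };              // weak global default (constructed)
};

zone "corp.example" IN {
    type master;
    file "corp.example.db";
    allow-transfer { 10.0.0.2; 10.0.0.3; };   // secondaries only
};

zone "legacy.example" {
    type master;
    file "legacy.example.db";             // inherits the global "any"
};

zone "partner.example" {
    type slave;
    masters { 10.1.1.1; };
};
"""

if __name__ == "__main__":
    for zone, status, detail in audit_zone_transfers(SAMPLE_NAMED_CONF):
        print(f"{status:<5} {zone:<20} {detail}")
```

The check flags the inheritance case specifically, because that is the configuration that usually slips through review: the zone stanza looks fine on its own, and the permissive value lives in a different block.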
SMTP enumeration countermeasures
The following are SMTP enumeration countermeasures:
- SMTP servers should be configured either to ignore email messages to unknown recipients or
  to send responses that do not include the following types of information:
  - Details of the mail relay systems being used (such as Sendmail or MS Exchange)
  - Internal IP address or host information
- Emails to unknown recipients should be ignored by properly configured SMTP servers.
LDAP enumeration countermeasures
The following are LDAP enumeration countermeasures:
- NTLM or basic authentication should be used to limit access to known users only.
- SSL should be used to encrypt the traffic, as LDAP traffic is transmitted insecurely by default.
- A username different from your email address should be selected, and account lockout should
  be enabled.
SMB enumeration countermeasures
As a countermeasure for SMB enumeration, you should disable SMB. Take the following steps
to disable SMB:
1. Go to Local Area Connection properties.
2. Select the Client for Microsoft Network and File and Printer Sharing for Microsoft
Networks check boxes, and click Uninstall.
3. Follow the uninstall steps.
Using default passwords to enumerate systems
A default password may be used to enable devices, such as switches, hubs, and routers. Default
and common passwords can be used by attackers for gaining access to the devices.
Enumerating user accounts
The following tools are used for enumerating user accounts:
- PsExec
- PsInfo
- PsFile
- PsList
- PsGetSid
- PsLoggedOn
- PsKill
- PsLogList
PsExec
PsExec is a light-weight telnet-replacement tool that executes processes on remote computers
and has full interactivity for console applications. The main advantage of using PsExec is that
there is no need to manually install client software on remote computers for executing processes
remotely. PsExec provides interactive command-prompt and remote-enabling tools, such as
IpConfig for the remote systems. The command syntax for PsExec is as follows:
psexec [\\computer[,computer2[,...] | @file][-u user [-p psswd]][-n s][-l][-s|-e][-x][-i [session]][-c [-f|-v]][-w directory][-d][-<priority>][-a n,n,...] cmd [arguments]
The command options and their description/function are as follows:
computer: Determines whether PsExec has to run the desired application on a single computer or
on multiple computers. If the user omits the computer name, PsExec runs the command on the
local system.
@file: Directs PsExec to run the command on each computer listed in the specified text file.
-a: Separates the processors on which the application can run with commas, where 1 is the
lowest-numbered CPU. For example, to run the application on CPU 2 and CPU 4, enter: -a 2,4
-c: Copies the specified program to the remote system for execution. If the user omits this
option, the application must be in the system's path on the remote system.
-d: Does not wait for the application to terminate. Only use this option for non-interactive
applications.
-e: Does not load the specified account's profile.
-f: Copies the specified program to the remote system even if the file already exists on the
remote system.
-i: Runs the program so that it interacts with the desktop of the specified session on the remote
system. If no session is specified, the process runs in the console session.
-l: Runs the process as a limited user (strips the Administrators group and allows only privileges
assigned to the Users group). On Windows Vista, the process runs with Low Integrity.
-n: Specifies the timeout in seconds for connecting to remote computers.
-p: Specifies an optional password for the user name. If the user omits this option, the user will
be prompted to enter a hidden password.
-s: Runs the remote process in the System account.
-u: Specifies the optional user name for login to a remote computer.
-v: Copies the specified file only if it has a higher version number or is newer than the one on
the remote system.
-w: Sets the working directory of the process (relative to the remote computer).
-x: Displays the UI on the Winlogon desktop (local system only).
-priority: Specifies -low, -belownormal, -abovenormal, -high or -realtime to run the process at a
different priority. Use -background to run at low memory and I/O priority on Vista.
program: Name of the program to execute.
argument: Arguments to pass (note that file paths must be absolute paths on the target system).
Examples:
- The following command launches an interactive command prompt on \\server_name:
  psexec \\server_name cmd
- This command executes IpConfig on the remote system with the /all switch and displays the
  resulting output locally:
  psexec \\server_name ipconfig /all
- This command copies the program test.exe to the remote system and executes it interactively:
  psexec \\server_name -c test.exe
- This specifies the full path to a program that is already installed on a remote system if it is
  not on the system's path:
  psexec \\server_name c:\bin\test.exe
- This runs Regedit interactively in the System account to view the contents of the SAM and
  SECURITY keys:
  psexec -i -d -s c:\windows\regedit.exe
- To run Internet Explorer with limited-user privileges, use this command:
  psexec -l -d "c:\program files\internet explorer\iexplore.exe"
PsFile
PsFile is a command-line utility that shows a list of files on a system that are opened remotely. It
also allows a user to close opened files either by name or by a file identifier. The command
syntax for PsFile is as follows:
psfile [\\RemoteComputer [-u Username [-p Password]]] [Id | path] [-c]
The options used in PsFile are as follows:
- -u specifies the optional user name for logging in to a remote computer.
- -p specifies a password for a user name. If this is omitted, the user is prompted to enter the
  password without it being echoed to the screen.
- Id is the identifier of the file about which the user wants to display information.
- -c closes the files identified by the ID or path.
PsList
PsList is a command-line tool used to retrieve the statistics of all the processes of a remote
computer. The command syntax of PsList is as follows:
pslist [-?] [-t] [-m] [-x] [\\computer [-u user] [-p passwd]] [name | pid]
The options used in PsList are as follows:
- computer: It is used to find whether PsList has to run the desired application on a single
  computer or on multiple computers specified. PsList runs the command on the local system if
  the user omits the computer name.
- -p passwd: It is used to specify a password for a user (optional). It is passed as clear text.
  The user is prompted to enter a hidden password if this option is omitted.
- -u user: It is used to specify a user name for logging in to a remote computer (optional).
- -t: It is used to show the statistics for all active threads on the system. Each thread is grouped
  with its owning process.
- -m: It is used to show memory-oriented information for each process, rather than the default
  of CPU-oriented information.
- -x: It is used to show CPU, memory, and thread information for each process specified.
- name: It is used to scan only those processes that begin with the name given. For example,
  pslist exp will display the processes that start with exp, i.e., Explorer, Export, etc.
- -?: It is used to display options and units of measurement.
PsGetSid
PsGetSid is a tool that is used to query SIDs remotely. Using PsGetSid, the attacker can access
the SIDs of user accounts and translate an SID into the user name. The command syntax for
PsGetSid is as follows:
psgetsid [\\computer[,computer[,...] | @file] [-u username [-p password]]] [account|SID]
PsLoggedOn
PsLoggedOn is an applet that displays both the local and remote logged on users. If an attacker
specifies a user name instead of a computer, PsLoggedOn searches the computers in the network
and tells whether the user is currently logged on or not. The command syntax for PsLoggedOn is
as follows:
psloggedon [-] [-l] [-x] [\\computername | username]
The parameters of PsLoggedOn are as follows:
-: Displays the supported options and the units of measurement used for output values.
-l: Shows only local logons instead of both local and network resource logons.
-x: Does not show logon times.
\\computername: Specifies the name of the computer for which to list logon information.
username: If an attacker specifies a user name, PsLoggedOn searches the network for computers
on which the user is logged on.
PsLogList
PsLogList is a tool that is used to dump event log records from the local system or from remote
computers. The syntax for the PsLogList is as follows:
psloglist [-] [\\computer[,computer[,...] | @file [-u username [-p password]]] [-s [-t delimiter]]
[-m #|-n #|-h #|-d #|-w][-c][-x][-r][-a mm/dd/yy][-b mm/dd/yy][-f filter]
[-i ID[,ID[,...] | -e ID[,ID[,...]]] [-o event source[,event source][,..]]]
[-q event source[,event source][,..]]] [-l event log file] <eventlog>
The parameters of the PsLogList tool are given below:
@file: Executes the command on each of the computers listed in the file.
-a: Dumps records timestamped after the specified date.
-b: Dumps records timestamped before the specified date.
-c: Clears the event log after displaying it.
-d: Only displays records from the previous n days.
-e: Excludes events with the specified ID or IDs (up to 10).
-f: Filters event types with a filter string (e.g. "-f w" to filter warnings).
-h: Only displays records from the previous n hours.
-i: Shows only events with the specified ID or IDs (up to 10).
-l: Dumps records from the specified event log file.
-m: Only displays records from the previous n minutes.
-n: Only displays the number of most recent entries specified.
-o: Shows only records from the specified event source (e.g. "-o cdrom").
-p: Specifies an optional password for a user name. If this is omitted, the user is prompted to
enter a hidden password.
-q: Omits records from the specified event source or sources (e.g. "-q cdrom").
-r: Dumps the log from least recent to most recent.
-s: This switch has PsLogList print Event Log records one per line, with comma-delimited fields.
This format is convenient for text searches, e.g. psloglist | findstr /i text, and for importing the
output into a spreadsheet.
-t: The default delimiter is a comma, but it can be overridden with the specified character.
-u: Specifies an optional user name for login to a remote computer.
-w: Waits for new events, dumping them as they are generated (local system only).
-x: Dumps extended data.
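The -s switch is the one a defender uses most, because comma-delimited records can be fed to other tooling instead of findstr. The following is an added Python example, not part of the original text and not part of PsTools, that parses such output and turns it into a simple detection: it counts failed logons (event ID 4625) per target account and lists the source addresses behind them. The nine-field record layout named in FIELDS is an assumption about psloglist -s output, not documented PsTools behaviour, and the six sample records are constructed.

```python
import csv
import io
import re
from collections import Counter

# Assumed field order of `psloglist -s security` records (a labelled assumption,
# not taken from PsTools documentation; adjust if the real output differs).
FIELDS = ["computer", "log", "record", "source", "type", "time", "event_id", "user", "message"]

# Windows Security log messages carry "Account Name:" twice for 4625 (subject, then the
# account the logon was attempted for); the last match is the target account.
ACCOUNT_RE = re.compile(r"Account Name:\s*(\S+)")
SOURCE_RE = re.compile(r"Source Network Address:\s*(\S+)")

# Constructed sample output for a workstation WS01 (not real PsLogList output).
SAMPLE_OUTPUT = """\
WS01,Security,1001,Microsoft-Windows-Security-Auditing,AUDIT SUCCESS,3/4/2024 9:01:12 AM,4624,N/A,"An account was successfully logged on. Subject: Account Name: - Logon Type: 2 New Logon: Account Name: jsmith"
WS01,Security,1002,Microsoft-Windows-Security-Auditing,AUDIT FAILURE,3/4/2024 9:02:30 AM,4625,N/A,"An account failed to log on. Subject: Account Name: - Logon Type: 3 Account For Which Logon Failed: Account Name: administrator Source Network Address: 10.0.0.77"
WS01,Security,1003,Microsoft-Windows-Security-Auditing,AUDIT FAILURE,3/4/2024 9:02:31 AM,4625,N/A,"An account failed to log on. Subject: Account Name: - Logon Type: 3 Account For Which Logon Failed: Account Name: administrator Source Network Address: 10.0.0.77"
WS01,Security,1004,Microsoft-Windows-Security-Auditing,AUDIT FAILURE,3/4/2024 9:02:33 AM,4625,N/A,"An account failed to log on. Subject: Account Name: - Logon Type: 3 Account For Which Logon Failed: Account Name: administrator Source Network Address: 10.0.0.77"
WS01,Security,1005,Microsoft-Windows-Security-Auditing,AUDIT FAILURE,3/4/2024 9:02:34 AM,4625,N/A,"An account failed to log on. Subject: Account Name: - Logon Type: 3 Account For Which Logon Failed: Account Name: administrator Source Network Address: 10.0.0.77"
WS01,Security,1006,Microsoft-Windows-Security-Auditing,AUDIT FAILURE,3/4/2024 9:05:00 AM,4625,N/A,"An account failed to log on. Subject: Account Name: - Logon Type: 2 Account For Which Logon Failed: Account Name: jsmith Source Network Address: 10.0.0.12"
"""


def parse_psloglist(text):
    """Turn comma-delimited PsLogList output into a list of dicts keyed by FIELDS."""
    records = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < len(FIELDS):
            continue                                   # blank or truncated line
        # Anything past the last named field belongs to the (unquoted) message text.
        row = row[:len(FIELDS) - 1] + [",".join(row[len(FIELDS) - 1:])]
        records.append(dict(zip(FIELDS, row)))
    return records


def failed_logons_by_account(records, threshold=3):
    """Accounts with at least `threshold` failed logons (event 4625)."""
    counts = Counter()
    for r in records:
        if r["event_id"] != "4625":
            continue
        names = ACCOUNT_RE.findall(r["message"])
        if names:
            counts[names[-1].lower()] += 1
    return {acct: n for acct, n in counts.items() if n >= threshold}


def failed_logon_sources(records, account):
    """Source network addresses behind failed logons for one account."""
    sources = Counter()
    for r in records:
        if r["event_id"] != "4625":
            continue
        names = ACCOUNT_RE.findall(r["message"])
        if names and names[-1].lower() == account.lower():
            m = SOURCE_RE.search(r["message"])
            sources[m.group(1) if m else "unknown"] += 1
    return dict(sources)


if __name__ == "__main__":
    recs = parse_psloglist(SAMPLE_OUTPUT)
    for acct, n in failed_logons_by_account(recs).items():
        print(f"{acct}: {n} failed logons from {failed_logon_sources(recs, acct)}")
```

Piping `psloglist -s security` into a script like this is a practical way to spot the password-guessing step of the hacking cycle described at the start of the chapter while it is still in progress, rather than after the fact.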
PsPasswd
PsPasswd is a tool that is used by Network Administrators to change an account password on the
local or remote system. The command syntax of PsPasswd is as follows:
pspasswd [\\computer[,computer[,..] | @file [-u user [-p psswd]] Username [NewPassword]
The parameters of PsPasswd are as follows:
@file: Runs the command on each computer listed in the specified text file.
-u: Specifies an optional user name for login to a remote computer.
-p: Specifies an optional password for the user name.
Username: Specifies the name of the account whose password is to be changed.
NewPassword: Sets the new password. If omitted, a NULL password is applied.
Enum
Enum is a console-based Win32 information enumeration utility. It retrieves userlists, machine
lists, sharelists, namelists, group and member lists, passwords, and LSA policy information using
null sessions. It can also perform brute force dictionary attacks on individual accounts. The
command syntax of Enum is as follows:
enum <-UMNSPGLdc> <-u username> <-p password> <-f dictfile> <hostname|ip>
UserInfo
UserInfo is a utility that gathers all available information about any known user from any
Windows 2000/NT operating system (accessible by TCP port 139). UserInfo returns mainly the
following information:
- SID and primary group
- Logon restrictions and smart card requirements
- Special groups
- Password expiration
Note: UserInfo works as a NULL user even if the RestrictAnonymous value in the LSA key is set
to 1 to specifically deny anonymous enumeration.
Bouncer
A bouncer, also known as BNC, is a program that runs as a daemon on a server and functions as
a persistent proxy. The purpose is to maintain a connection to an IRC server, acting as a relay
between the server and client, or simply to act as a proxy. If the client loses network
connectivity, the BNC may stay connected and archive all traffic for later delivery and permit the
user to resume his IRC session without disrupting their connection to the server.
Furthermore, as a way of obtaining a bouncer-like effect, an IRC client may be run on an
always-on server to which the user connects via ssh. This also allows devices that only have ssh
functionality to connect to IRC, and it allows sharing of IRC sessions.
To keep the IRC client from quitting when the ssh connection closes, the client can be run inside
a piece of screen-detaching software (e.g. GNU Screen or tmux), thus staying connected to the
IRC network(s) constantly.
4.2 Understand null sessions and their countermeasures
Exam Focus: Understand null sessions and their countermeasures. Objective includes:
- Null sessions
- Countermeasures of null sessions
Null session
A null session is an anonymous connection to a freely accessible network share called IPC$ on
Windows-based servers. It allows immediate read and write access with Windows NT/2000 and
read access with Windows XP and 2003. The commands to be entered at the DOS prompt are as
follows:
net use \\<IP address or host name>\ipc$ "" "/user:"
net use
Steps required to disable NetBIOS NULL sessions
NetBIOS NULL session vulnerabilities are difficult to prevent, especially if NetBIOS is required
as part of the infrastructure. Limit NetBIOS NULL session vulnerabilities by taking one or more
of the following steps:
1. Null sessions need access to the TCP 139 or TCP 445 port, which can be disabled by a
network administrator.
2. A network administrator can unbind WINS Client TCP/IP from the interface to disable
SMB services entirely on individual hosts.
3. A network administrator can edit the registry values to restrict the anonymous user:
   1. Open regedt32, and go to HKLM\SYSTEM\CurrentControlSet\LSA.
   2. Choose Edit > Add Value.
      - Value name: RestrictAnonymous
      - Data type: REG_DWORD
      - Value: 2
4.3 Understand SNMP enumeration and its countermeasures
Exam Focus: Understand SNMP enumeration and its countermeasures. Objective includes:
- Understand SNMP enumeration.
- Describe countermeasures against SNMP enumeration.
SNMP enumeration
Simple Network Management Protocol (SNMP) is a TCP/IP standard protocol. It is used for
remote monitoring, managing hosts, routers, and devices on a network. SNMP operates through
a system of agents and nodes. SNMP enumeration is gathering information about hosts, routers,
devices, etc. using SNMP. SNMP version 3 provides data encryption, but the more widely used
SNMP version 1 is a clear text protocol that provides limited security by using community
strings. Public and private are the names of the default community strings. They are transmitted
in clear text. As default community strings provide more than enough information needed to
launch an attack, they are advantageous to a hacker.
The following are SNMP enumeration tools:
- OpUtils Network Monitoring Toolset
- SolarWinds
- Getif SNMP MIB Browser
- LoriotPro
- OidView SNMP MIB Browser
- SNMP Scanner
- iReasoning MIB Browser
- Nsauditor Network Security
- SNScan
- SoftPerfect Network Scanner
MIB
MIB is a virtual database including formal description of all the network objects that can be
managed using SNMP. The MIB database is hierarchical, and object identifiers are used to
address each managed object in the MIB. MIB managed objects include scalar objects and
tabular objects. Scalar objects define a single object instance and tabular objects define group of
related object instances. The object identifier includes the object's type (such as counter, string,
or address), access level (such as read or read/write), size restrictions, and range information.
The MIB is used by an SNMP manager to translate OID numbers into a human-readable display.
Tools used for SNMP enumeration
The following tools are used in SNMP enumeration:
- snmpwalk: The SNMP application snmpwalk uses SNMP GETNEXT requests to query a network
  entity for a tree of information. The command syntax for snmpwalk is as follows:
  snmpwalk [APPLICATION OPTIONS] [COMMON OPTIONS] [OID]
  The OID may be given on the command line. It specifies which portion of the object identifier
  space is to be searched using GETNEXT requests. snmpwalk searches the entire root if the OID
  is not specified.
- SNMPUtil: The SNMPUtil tool is a command-line utility. It uses the standard Win32 SNMP
  Management API. The source code includes a source file (snmputil.c) and a make file. A user
  building snmputil.exe must have the Windows SNMP libraries, snmpapi.lib and mgmtapi.lib.
- IP Network Browser: IP Network Browser can scan an IP subnet and show the devices that are
  responding on that subnet. Each of the responding devices is then queried through SNMP.
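The SNMP enumeration section states that SNMPv1 sends its community string in clear text, and the snmpwalk entry above describes the GETNEXT requests that walk the MIB. The following is an added Python example, not part of the original text and not code from Net-SNMP or any tool listed here, that shows both points on the wire: it constructs the BER-encoded GETNEXT request snmpwalk would send for one OID, then parses captured UDP/161 payloads to pull out the version and community string and flags messages that still use the default strings. The packets are constructed in the block; the community string "s3cr3t-ro" is a made-up sample value.

```python
SNMP_PDU_TAGS = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
                 0xA3: "SetRequest", 0xA4: "Trap"}
DEFAULT_COMMUNITIES = {"public", "private"}


def ber_tlv(tag, content):
    """Encode one BER TLV with a definite length (long form above 127 bytes)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def ber_int(value):
    """INTEGER, minimal two's-complement encoding for non-negative values."""
    return ber_tlv(0x02, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big", signed=True))


def ber_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, then base-128 groups."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                       # higher groups carry the continuation bit
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return ber_tlv(0x06, bytes(out))


def build_snmpv1_request(community, oid, pdu_tag=0xA1, request_id=1):
    """Construct an SNMPv1 Get/GetNext for one OID (what each snmpwalk step sends)."""
    varbind = ber_tlv(0x30, ber_oid(oid) + ber_tlv(0x05, b""))       # OID + NULL value
    pdu = ber_tlv(pdu_tag, ber_int(request_id) + ber_int(0) + ber_int(0)
                  + ber_tlv(0x30, varbind))                          # req-id, error-status, error-index
    return ber_tlv(0x30, ber_int(0) + ber_tlv(0x04, community.encode()) + pdu)   # version 0 = v1


def read_tlv(buf, off=0):
    """Decode one TLV at `off`; return (tag, content, offset_after)."""
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[off:off + nbytes], "big")
        off += nbytes
    return tag, buf[off:off + length], off + length


def parse_snmp_header(packet):
    """Return (version, community, pdu_type) for v1/v2c messages, None for v3 or other."""
    tag, body, _ = read_tlv(packet)
    if tag != 0x30:
        raise ValueError("not a BER SEQUENCE")
    vtag, vbody, off = read_tlv(body)
    version = int.from_bytes(vbody, "big", signed=True)
    if vtag != 0x02 or version not in (0, 1):   # v3 carries no plaintext community
        return None
    _ctag, cbody, off = read_tlv(body, off)
    ptag, _, _ = read_tlv(body, off)
    return version, cbody.decode("ascii", "replace"), SNMP_PDU_TAGS.get(ptag, f"0x{ptag:02X}")


def flag_default_communities(packets):
    """Detection pass over UDP/161 payloads: report v1/v2c messages using default strings."""
    findings = []
    for pkt in packets:
        hdr = parse_snmp_header(pkt)
        if hdr and hdr[1] in DEFAULT_COMMUNITIES:
            findings.append({"version": "v1" if hdr[0] == 0 else "v2c",
                             "community": hdr[1], "pdu": hdr[2]})
    return findings


# Constructed sample capture: one walk step with the default string, one GET with a
# site-specific read-only string, and a v3 message that carries no community at all.
SAMPLE_PACKETS = [
    build_snmpv1_request("public", "1.3.6.1.2.1.1.1.0"),             # sysDescr.0, GETNEXT
    build_snmpv1_request("s3cr3t-ro", "1.3.6.1.2.1.1.5.0", 0xA0),   # sysName.0, GET
    ber_tlv(0x30, ber_int(3) + ber_tlv(0x30, b"")),                  # minimal v3-style header
]

if __name__ == "__main__":
    print(SAMPLE_PACKETS[0].hex())
    print(flag_default_communities(SAMPLE_PACKETS))
```

Running the parser over a packet capture of your own management network is the quickest way to find agents still answering to "public", which is countermeasure 2 in the list later in this section.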
SMB signing
Server Message Block (SMB) signing is a security feature of Windows operating systems. SMB
signing makes sure that files transmitted and received across a network are not modified in any
manner. Secure transmission of SMB traffic is needed because traditional SMB authentication is
vulnerable to man-in-the-middle (MITM) attacks. A network can be protected from these attacks
by implementing SMB signing with mutual authentication. To strengthen SMB authentication,
the SMB signing feature adds digital signatures to SMB packets.
Note: The performance of the network is reduced by enabling SMB signing on the network
because the increased processing and network traffic are required to digitally sign each SMB
packet.
Countermeasures against SNMP enumeration
The following are the countermeasures against SNMP enumeration:
1. Remove the SNMP agent or disable the SNMP service.
2. Change the default PUBLIC community name when 'shutting off SNMP' is not an option.
3. Implement the Group Policy security option known as Additional restrictions for
anonymous connections.
4. Restrict access to NULL session pipes and NULL session shares.
5. Upgrade SNMP version 1 to the latest version.
6. Implement access control list filtering to permit only access to the read-write community
from approved stations or subnets.
Enumeration pen testing
Enumeration pen testing uses active connections to systems and directed queries to identify valid
user accounts or poorly protected resource shares. It is used in combination with data collected in
the reconnaissance phase.
Steps during enumeration pen testing
The following steps are taken during enumeration pen testing:
1. Use tools such as WhoIs Lookup and Graphical DNS Zones to find the network range.
2. Calculate the subnet mask needed for the IP range, using a tool such as SubnetMask
Calculator, as it is an input to many of the ping sweep and port scanning tools.
3. Use tools such as nmap to find the servers connected to the Internet.
4. Use tools such as nslookup and the Men & Mice Suite to perform DNS enumeration.
5. Use tools such as SuperScan, NetBIOS Enumerator, and the PsTools suite to perform NetBIOS
enumeration.
6. Use tools such as OpUtils Network Monitoring Toolset, SolarWinds, and SNScan to perform
SNMP enumeration.
7. Use tools such as Enum4linux to perform UNIX/Linux enumeration.
8. Use tools such as JXplorer to perform LDAP enumeration.
9. Use tools such as ntpdate, ntptrace, ntpdc, and ntpq to perform NTP enumeration.
10. Use tools such as Super Webscan and Power E-mail Collector to perform SMTP enumeration.
Chapter Summary
In this chapter, we learned about system hacking cycle, enumeration, and techniques of
enumeration. We also discussed null sessions and steps required to disable NetBIOS NULL
sessions. This chapter is also focused on SNMP enumeration and its countermeasures.
Glossary
DNS zone
A DNS zone is a contiguous portion of the DNS tree and is administered as a single separate
entity by a DNS name server.
Lightweight Directory Access Protocol
Lightweight Directory Access Protocol is a protocol used to access the directory listing within
Active Directory or from other directory services.
MIB
MIB is a virtual database including formal description of all the network objects that can be
managed using SNMP.
NBTscan
NBTscan is a scanner that scans IP networks for NetBIOS name information.
NetBIOS
NetBIOS is a Microsoft service that enables applications on different computers to communicate
within a LAN.
NTP enumeration
NTP enumeration is a method in which the NTP protocol is used to grab valuable data from a
vulnerable network.
NTP Server Scanner
NTP Server Scanner is an NTP server discovery tool. It is used to easily locate NTP and SNTP
servers on your network or the Internet.
Null session
A null session is an anonymous connection to a freely accessible network share called IPC$ on
Windows-based servers.
PsExec
PsExec is a light-weight telnet-replacement tool that executes processes on remote computers
and has full interactivity for console applications.
PsFile
PsFile is a command-line utility that shows a list of files on a system that are opened remotely. It
also allows a user to close opened files either by name or by a file identifier.
PsGetSid
PsGetSid is a tool that is used to query SIDs remotely.
PsList
PsList is a command-line tool that is used to retrieve the statistics of all the processes of a remote
computer.
PsTools
PsTools is a set of command-line utilities that allow a network administrator to manage local and
remote systems.
Simple Network Management Protocol
Simple Network Management Protocol (SNMP) is a part of the TCP/IP protocol suite, which
allows users to manage the network. SNMP is used to keep track of what is being used on the
network and how the object is behaving.
System hacking cycle
System hacking cycle contains the steps to enumerate an operating system and getting
unauthorized access into the system.