Enumeration Types and Techniques in Ethical Hacking

Enumeration is essentially active probing. An attacker establishes an active connection with the target host, and the weaknesses discovered are then counted and assessed. It is done mainly to find points of attack and risk in the target system. Enumeration is used to gather usernames, hostnames, IP addresses, passwords, configurations, and so on. Once an active connection with the target host is established, attackers gain control over the target system and then steal private data and information. In some cases, attackers have also been found changing the configuration of the target systems. The way the connection to the host is established determines what data or information the attacker will be able to access.

Enumeration attacks are classified depending on the target system, the services it runs, and the information it hosts. The most prevalent forms of enumeration include:

NetBIOS Enumeration

NetBIOS is the basic input-output system that enables applications on separate network devices to connect over a LAN, establish sessions, and access shared resources. In NetBIOS network enumeration attacks, hackers use network scanner tools to extract NetBIOS name information from IP networks. Information obtained during NetBIOS search exploits includes:

  • Network policies and passwords
  • The number and identity of computers within a domain
  • A list of shares across individual machines in the network

This extraction is carried out on TCP ports 137 (name services), 138 (datagram services), and 139 (session services).

SNMP Enumeration

The Simple Network Management Protocol (SNMP) is an application-layer protocol carried over UDP that simplifies the management of network devices such as routers, hubs, and switches. SNMP attacks enumerate usernames, group names, passwords, system names, and devices in the network. The attack involves accessing an SNMP agent on the target device (the managed device). SNMP agents are software that converts the data on target devices into an SNMP-compatible format.

The Management Information Base (MIB), a database of network objects maintained by SNMP, is also accessible through an SNMP agent. Access to the MIB, a sizable repository, is verified using a community string that is transmitted across the network in clear text. Malicious actors frequently access this data when community strings are left at their default values, which leads to deeper vulnerabilities in the connection.
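A defender-side illustration of the default-community-string problem, added here as an example that is not part of the original article: the script audits a Net-SNMP style snmpd.conf for v1/v2c community strings that are well-known defaults or that accept requests from any source. The configuration text and the list of default strings are constructed for the demonstration; the directive syntax follows Net-SNMP's `rocommunity`/`rwcommunity`/`com2sec` lines.

```python
"""Added example (not from the original article): audit a Net-SNMP style
snmpd.conf for v1/v2c community strings left at well-known defaults or
accepting requests from any source. The config text and the default-string
list below are constructed for this demonstration."""

# Constructed list of vendor-default community strings to flag.
DEFAULT_COMMUNITIES = {"public", "private", "community", "admin"}

# Constructed snmpd.conf: two risky v1/v2c entries, one restricted entry,
# one com2sec mapping, and one SNMPv3 user (which needs no community string).
SAMPLE_SNMPD_CONF = """\
# constructed snmpd.conf
rocommunity public
rwcommunity private 10.0.0.0/8
rocommunity s3cr3t-r0 10.0.5.0/24
com2sec local default public
rouser monitoring authpriv
"""


def audit_snmpd(conf_text: str) -> list[tuple[int, str]]:
    """Return (line number, finding) pairs for weak community configuration."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = line.split()
        directive = parts[0].lower()

        if directive in ("rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"):
            # Syntax: rocommunity COMMUNITY [SOURCE ...]; a missing SOURCE,
            # or the literal keyword "default", means any host may query.
            community = parts[1] if len(parts) > 1 else ""
            source = parts[2] if len(parts) > 2 else "default"
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append((lineno, f"{directive}: default community string"))
            if source == "default":
                findings.append((lineno, f"{directive}: accepts requests from any source"))
            if directive.startswith("rw"):
                findings.append((lineno, f"{directive}: write access over v1/v2c"))

        elif directive == "com2sec":
            # Syntax: com2sec NAME SOURCE COMMUNITY
            if len(parts) >= 4 and parts[3].lower() in DEFAULT_COMMUNITIES:
                findings.append((lineno, "com2sec: default community string"))
            if len(parts) >= 3 and parts[2] == "default":
                findings.append((lineno, "com2sec: accepts requests from any source"))
    return findings


if __name__ == "__main__":
    for lineno, finding in audit_snmpd(SAMPLE_SNMPD_CONF):
        print(f"line {lineno}: {finding}")
```

The SNMPv3 `rouser` line produces no finding because v3 replaces the clear-text community string with authenticated, optionally encrypted, per-user access; migrating to v3 (or at least restricting v1/v2c communities to a source range and a read-only view) is the usual remediation.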

LDAP Enumeration

The Lightweight Directory Access Protocol (LDAP) enables applications to access directory listings from directory services such as Active Directory. LDAP is usually integrated with the Domain Name System (DNS) for quicker resolution of queries and an expedited lookup process. An attacker can use a directory scanner to query the LDAP service anonymously on port 389. This gives the attacker access to a wealth of data that can be abused to plan brute-force or social engineering attacks. LDAP enumeration attacks often reveal information about Active Directory objects, access lists, user names, groups, trusts, sessions, etc.; however, the impact of such attacks can differ.

NTP Enumeration

The Network Time Protocol (NTP) synchronizes the system clocks of networked computers. NTP agents connect to global time servers that keep systems in sync across time zones. The remote servers usually answer an agent's synchronization request with mode 3 packets. To execute such attacks, attackers query the NTP agent over UDP port 123. This query yields details about the machines communicating with the NTP server, including system names, client operating systems, comprehensive interface information, IP addresses, etc.

SMTP Enumeration

The accepted protocol for sending electronic mail is SMTP (Simple Mail Transfer Protocol). The protocol establishes connections with mail servers to enable DNS-based email transmission on TCP port 25. To walk through the server's access list and determine whether a given user is valid, SMTP enumeration uses three built-in commands. This makes it easy to identify valid users on the SMTP server. The three most commonly used SMTP enumeration commands are EXPN, VRFY, and RCPT TO.

Exploiting the SMTP server can help attackers access all email addresses and make mail users targets for phishing emails or emails loaded with viruses. 

DNS Enumeration

The DNS service enables consistency using zone transfers to copy the information across servers. The zone transfer service requires no authentication, enabling malicious actors to obtain a copy of the entire DNS zone from any DNS server. This facilitates exposing information about the configuration of all hosts within the domain, which opens up security gaps within the network’s topology. 

Enumeration Techniques 

Some ways for adversaries to orchestrate enumeration attacks include:

User Enumeration using Email IDs and Usernames

Email IDs customarily consist of two parts: a user name and a domain name. The characters preceding the @ symbol are the user name, which attackers can use to guess valid users by brute force.

In the brute-force technique, attackers infer which users of an application are valid from how the server responds to submitted credentials. On the login screen, the attacker enters credentials and checks the server response. If the server responds “User does not exist,” the problem lies with the username and not the password. When the server responds “Wrong password,” the attacker infers that the username exists in the directory. The output of this user enumeration attack is a list of valid usernames.
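The response-difference oracle described above can be shown in code. The following is an added example and not from the original article: a login handler that leaks user existence through its error messages, beside a hardened version that returns one uniform message and does the same amount of password-hashing work whether or not the user exists. The user store, the passwords and the use of PBKDF2 as the password hash are all constructed for the demonstration.

```python
"""Added example (not from the original article): a login handler that leaks
whether a username exists, beside a hardened one that does not. The user store
and the choice of PBKDF2 as the password hash are constructed for this demo."""
import hashlib
import hmac
import os
import secrets


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 stands in for whatever password hash the real
    # application uses; the point is that it is deliberately slow.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store: username -> (salt, password hash). One real user.
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash_password("correct horse", _SALT))}

# A dummy credential that can never match, used so that a lookup of an unknown
# user still costs one full hash computation (no timing difference).
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password(secrets.token_hex(16), _DUMMY_SALT)


def login_leaky(username: str, password: str) -> str:
    """Vulnerable: the message differs depending on whether the username exists,
    and unknown users return without any hashing, so timing differs as well."""
    if username not in USERS:
        return "User does not exist"
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash_password(password, salt), stored):
        return "Wrong password"
    return "OK"


def login_uniform(username: str, password: str) -> str:
    """Hardened: one failure message for both cases, and the same hashing work
    for known and unknown users."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _hash_password(password, salt)
    matched = hmac.compare_digest(candidate, stored)  # constant-time compare
    # The dummy entry is never treated as a real account even if, against all
    # odds, its random password were guessed.
    if username in USERS and matched:
        return "OK"
    return "Invalid username or password"


if __name__ == "__main__":
    for fn in (login_leaky, login_uniform):
        print(fn.__name__, "unknown user ->", fn("bob", "x"))
        print(fn.__name__, "bad password ->", fn("alice", "x"))
```

The uniform message closes the message oracle; the dummy hash closes the timing oracle for the login endpoint itself. Registration, password-reset and "forgot username" flows need the same treatment, since any of them can leak the same bit of information.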

Enumeration Using Default Passwords

Most software documentation publishes the default passwords the vendor assigns to its products. If users fail to change those default passwords, an attacker can combine them with valid usernames to gain access to the accounts. The attacker then assumes the user's identity, which can be exploited for further enumeration, access to sensitive information, or escalation to administrative access.

Exposing Topological Information with DNS Zone Transfer

The DNS service keeps servers consistent by copying zone data between them. Because the zone transfer service requires no authentication, malicious actors can obtain a copy of the whole DNS zone from any DNS server. This exposes the configuration of every host within the domain, revealing security holes in the network's topology.
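Both the DNS Enumeration section and the zone-transfer technique above describe the same exposure, so one added example covers both; it is not part of the original article. The script performs two defender-side checks: an audit of BIND-style `named.conf` zone blocks for `allow-transfer` settings that are open (`any`) or absent, and a scan of transfer log lines for transfers served to addresses that are not the known secondaries. The configuration, the log lines (written to resemble BIND's xfer-out log) and the list of authorized secondaries are all constructed.

```python
"""Added example (not from the original article): two defender-side checks for
the unauthenticated zone-transfer exposure. Config, log lines and the list of
authorized secondaries are constructed for this demonstration."""
import ipaddress
import re

# Matches a named.conf zone block: zone "name" ... { body };
ZONE_RE = re.compile(r'zone\s+"([^"]+)"[^{]*\{(.*?)\n\};', re.S)
ALLOW_RE = re.compile(r'allow-transfer\s*\{([^}]*)\}')

# Constructed named.conf: one open zone, one with no clause, one restricted.
SAMPLE_NAMED_CONF = """\
zone "example.com" {
    type primary;
    file "db.example.com";
    allow-transfer { any; };
};
zone "corp.example" {
    type primary;
    file "db.corp.example";
};
zone "internal.example" {
    type primary;
    file "db.internal.example";
    allow-transfer { 10.0.0.2; 10.0.0.3; };
};
"""


def audit_zone_transfers(conf_text: str) -> dict[str, str]:
    """Return {zone: 'open' | 'unrestricted' | 'restricted'}.
    'open' means allow-transfer { any; }; 'unrestricted' means no clause at all,
    which should be treated as a finding until an explicit ACL is set."""
    verdicts = {}
    for name, body in ZONE_RE.findall(conf_text):
        m = ALLOW_RE.search(body)
        if m is None:
            verdicts[name] = "unrestricted"
            continue
        entries = [t.strip() for t in m.group(1).split(";") if t.strip()]
        verdicts[name] = "open" if "any" in entries else "restricted"
    return verdicts


# Constructed log lines shaped like BIND's xfer-out category.
SAMPLE_XFER_LOG = """\
01-Mar-2024 10:00:01.123 xfer-out: info: client @0x7f 10.0.0.2#34567 (internal.example): transfer of 'internal.example/IN': AXFR started (serial 2024030101)
01-Mar-2024 10:00:02.456 xfer-out: info: client @0x7f 198.51.100.23#51234 (internal.example): transfer of 'internal.example/IN': AXFR started (serial 2024030101)
01-Mar-2024 10:00:03.789 xfer-out: info: client @0x7f 10.0.0.3#40001 (internal.example): transfer of 'internal.example/IN': IXFR started (serial 2024030101)
"""
XFER_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?([\d.]+)#\d+ \(([^)]+)\): transfer of '([^']+)/IN': (AXFR|IXFR)"
)

# Constructed: the secondaries that are supposed to pull this zone.
AUTHORIZED_SECONDARIES = {ipaddress.ip_address("10.0.0.2"), ipaddress.ip_address("10.0.0.3")}


def unauthorized_transfers(log_text: str, authorized=AUTHORIZED_SECONDARIES) -> list[tuple[str, str, str]]:
    """Return (client ip, zone, transfer type) for transfers served to any
    address outside the authorized set."""
    hits = []
    for line in log_text.splitlines():
        m = XFER_RE.search(line)
        if m and ipaddress.ip_address(m.group(1)) not in authorized:
            hits.append((m.group(1), m.group(3), m.group(4)))
    return hits


if __name__ == "__main__":
    print(audit_zone_transfers(SAMPLE_NAMED_CONF))
    print(unauthorized_transfers(SAMPLE_XFER_LOG))
```

The remediation the audit points at is an explicit `allow-transfer` list naming only the real secondaries, ideally combined with TSIG keys so that a spoofed source address is not enough to pull the zone; the log check then serves as a control that the ACL is actually in effect.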
