
Enumeration

4.1 Enumeration Concepts

What is Enumeration?

  • In the enumeration phase, the attacker creates active connections to the target system and performs directed queries to gain more information about it.
  • Attackers use the extracted information to identify attack points on the system and to perform password attacks that gain unauthorized access to information system resources.
  • Enumeration is usually carried out from inside the network (an intranet position), because the protocols involved (NetBIOS, SNMP, LDAP, RPC) are rarely reachable from the Internet.
  • Information Enumerated by Intruders:
    • Network resources
    • Network shares
    • Routing tables
    • Audit and service settings
    • SNMP and DNS details
    • Machine names
    • Users and groups
    • Applications and banners

Techniques for Enumeration

  • Extract user names using email IDs
  • Extract information using the default passwords
  • Extract user names using SNMP
  • Brute force Active Directory
  • Extract user groups from Windows
  • Extract information using DNS Zone Transfer

Services and Ports to Enumerate

  • TCP/UDP 53: DNS (ordinary queries use UDP 53; zone transfers use TCP 53)
  • TCP/UDP 135: Microsoft RPC Endpoint Mapper
  • UDP 137: NetBIOS Name Service (NBNS)
  • TCP 139: NetBIOS Session Service (SMB over NetBIOS)
  • TCP/UDP 445: SMB over TCP (Direct Host)
  • UDP 161: Simple Network Management Protocol (SNMP)
  • TCP/UDP 389: Lightweight Directory Access Protocol (LDAP)
  • TCP/UDP 3268: Global Catalog Service
  • TCP 25: Simple Mail Transfer Protocol (SMTP)
  • TCP/UDP 162: SNMP Trap

4.2 NetBIOS Enumeration

NetBIOS Enumeration (important)

  • A NetBIOS name is a unique 16-character ASCII string used to identify network devices over TCP/IP: the first 15 characters are the device name and the 16th character is reserved for the service or name record type.
  • Attackers use the NetBIOS enumeration to obtain:
    • List of computers that belong to a domain
    • List of shares on the individual hosts in the network
    • Policies and passwords
  • net view /domain (list the domains visible on the network)
  • net view /domain:name (list the computers in that domain)
  • net view \\FIRE (list the shares on host FIRE)
  • net use \\FIRE "password" /u:"name" (authenticated session to FIRE)
  • Null session: net use \\FIRE\IPC$ "" /u:"" (anonymous session to the IPC$ pipe share, with an empty user name and password)
  Default behaviour by platform (V = allowed, X = blocked):

                             W2K    XP/2K3   Vista/WS2K12R2   Samba
  Null session                V       V           V             V
  Anonymous enumeration       V       X           X             V
  Authenticated enumeration   V       V           V             V
  Remote (IPC$)               V       V           V/X           X

V/X: depends on whether the host is joined to a domain. A host that is not domain-joined is protected by UAC Remote Restrictions (local accounts other than the built-in Administrator receive a filtered, non-elevated token over the network).

Note: NetBIOS name resolution is not supported by Microsoft for Internet Protocol Version 6 (IPv6)

  • The nbtstat utility in Windows displays NetBIOS over TCP/IP (NetBT) protocol statistics, the NetBIOS name tables of the local and remote computers, and the NetBIOS name cache.
    • nbtstat -c shows the contents of the NetBIOS name cache: the table of NetBIOS names and the IP addresses they resolved to.
    • nbtstat -A <IP address of the remote machine> shows the NetBIOS name table of a remote computer addressed by IP (lowercase -a addresses it by NetBIOS name instead).
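
The following Python is an added example for these notes, not code from the original page: it builds and splits the 16-byte NetBIOS name described above, performs the RFC 1001 first-level (nibble-to-letter) encoding that NBNS queries carry on the wire, and interprets a name table the way an analyst reads nbtstat -A output. The name table is constructed for a hypothetical host FIRE in a domain CORP; the suffix meanings are Microsoft's documented 16th-byte assignments.

```python
"""NetBIOS name layout and NBNS first-level encoding.

Added example for these notes, not code from the original page. The name
table at the bottom is constructed for a hypothetical host FIRE in domain
CORP; the suffix meanings are Microsoft's documented 16th-byte assignments.
"""
from typing import Dict, List, Tuple

# 16th-byte suffixes as they appear in <..> on nbtstat -A output.
SUFFIXES: Dict[int, str] = {
    0x00: "Workstation Service",
    0x03: "Messenger Service",
    0x06: "RAS Server Service",
    0x1B: "Domain Master Browser",
    0x1C: "Domain Controllers",
    0x1D: "Master Browser",
    0x1E: "Browser Service Elections",
    0x20: "File Server Service",
}


def make_netbios_name(name: str, suffix: int) -> bytes:
    """Raw 16-byte NetBIOS name: at most 15 characters, space padded,
    16th byte = suffix (the service / name record type)."""
    if len(name) > 15:
        raise ValueError("NetBIOS names are at most 15 characters")
    return name.upper().ljust(15).encode("ascii") + bytes([suffix & 0xFF])


def split_netbios_name(raw: bytes) -> Tuple[str, int]:
    """Inverse of make_netbios_name: (name without padding, suffix)."""
    if len(raw) != 16:
        raise ValueError("a raw NetBIOS name is exactly 16 bytes")
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def first_level_encode(raw: bytes) -> str:
    """RFC 1001 first-level encoding used in NBNS packets: each byte becomes
    two letters, 'A' + high nibble and 'A' + low nibble (so 32 letters)."""
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in raw)


def first_level_decode(encoded: str) -> bytes:
    """Decode the 32-letter form back to the 16 raw bytes."""
    if len(encoded) != 32 or any(not "A" <= c <= "P" for c in encoded):
        raise ValueError("encoded NetBIOS name must be 32 characters in A..P")
    return bytes(((ord(encoded[i]) - 0x41) << 4) | (ord(encoded[i + 1]) - 0x41)
                 for i in range(0, 32, 2))


def describe_name_table(table: List[bytes]) -> List[Dict[str, object]]:
    """Read a name table the way an analyst reads nbtstat -A: which entries are
    the host, which are the domain/workgroup, and what roles are registered."""
    rows = []
    for raw in table:
        name, suffix = split_netbios_name(raw)
        rows.append({"name": name, "suffix": suffix,
                     "role": SUFFIXES.get(suffix, f"unknown (0x{suffix:02X})")})
    return rows


def is_domain_controller(table: List[bytes]) -> bool:
    """A <1C> group entry means the host registered as a domain controller."""
    return any(split_netbios_name(raw)[1] == 0x1C for raw in table)


# Constructed table: FIRE is a file server and a domain controller for CORP.
SAMPLE_TABLE = [
    make_netbios_name("FIRE", 0x00),
    make_netbios_name("FIRE", 0x20),
    make_netbios_name("CORP", 0x00),
    make_netbios_name("CORP", 0x1C),
    make_netbios_name("CORP", 0x1B),
]

if __name__ == "__main__":
    for row in describe_name_table(SAMPLE_TABLE):
        print(f"{row['name']:<15} <{row['suffix']:02X}>  {row['role']}")
    print("domain controller:", is_domain_controller(SAMPLE_TABLE))
    # The node-status query nbtstat -A sends asks for the name '*' (0x2A),
    # which encodes to 'CK' followed by fifteen 'AA'.
    print(first_level_encode(b"*" + b"\x00" * 15))
```

The <1C> entry is the one to look for when deciding whether a box is a domain controller; a <20> entry tells you the Server service is up and shares are worth enumerating with net view.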

NetBIOS Enumeration Tools:

  • SuperScan:
    • SuperScan is a connect-based TCP port scanner, pinger, and hostname resolver.
  • Hyena:
    • Hyena is a GUI product for managing and securing Microsoft operating systems. It shows shares and user logon names for Windows servers and domain controllers.
    • It displays graphical representation of Microsoft Terminal Services, Microsoft Windows Network, Web Client Network, etc.
  • Winfingerprint:
    • Winfingerprint determines the OS and enumerates users, groups, shares, SIDs, transports, sessions, services, service pack and hotfix level, date and time, disks, and open TCP and UDP ports.
  • NetBIOS Enumerator
  • Nsauditor Network Security Auditor

On Linux the equivalent tool is enum4linux.

Enumerating User Accounts

Enumerating Shared Resources Using Net View (important)

  • Net View utility is used to obtain a list of all the shared resources of remote host or workgroup.
  • Net View Commands:
    • net view \\<computername>
    • net view /workgroup:<workgroupname>

4.3 SNMP Enumeration

SNMP (Simple Network Management Protocol) Enumeration

  • SNMP enumeration is the process of enumerating user accounts and devices on a target system using SNMP.
  • SNMP consists of a manager and agents: an agent runs on each managed network device, and the manager is installed on a separate management station.
  • SNMPv1/v2c use two "passwords", the community strings, to access and configure the agent from the management station:
    • Read community string: public by default; allows viewing of the device/system configuration.
    • Read/write community string: private by default; allows remote editing of the configuration.
  • Community strings travel in clear text, so attackers simply try these defaults to extract information about a device.
  • Attackers enumerate SNMP to extract information about network resources such as hosts, routers, devices and shares, and network information such as ARP tables, routing tables and traffic statistics.
  • (SNMP is the standard network-management protocol.)
  • snmpwalk: snmpwalk -v 1 -c public 192.168.99.144
  • snmpcheck: snmpcheck -t 192.168.99.144 (packaged as snmp-check on Kali)

Working of SNMP

Management Information Base (MIB)

  • MIB is a virtual database containing formal description of all the network objects that can be managed using SNMP.
  • The MIB database is hierarchical and each managed object in a MIB is addressed through Object Identifiers (OIDs).
  • Two types of managed objects exist:
    • Scalar objects that define a single object instance.
    • Tabular objects that define multiple related object instances are grouped in MIB tables.
  • The OID includes the type of MIB object such as counter, string, or address, access level such as not-accessible, accessible-for-notify, read-only or read-write, size restrictions, and range information.
  • SNMP uses the MIB’s hierarchical namespace containing Object Identifiers (OIDs) to translate the OID numbers into a human-readable display.
  • (The MIB is the network-management database.)
  • Windows user IDs are built from a SID (important: it should not be discoverable by outsiders) plus a RID (a sequential number; ordinary accounts start at 1000):
    • Computer (local machine) SID
    • Domain SID
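
As an added example, not from the original page, the Python below builds by hand the packet that a "try the default community string" probe such as snmpwalk -v 1 -c public sends: a BER-encoded SNMPv1 Message (version, community, GetRequest PDU) whose single variable binding is the MIB OID sysDescr.0 (1.3.6.1.2.1.1.1.0) discussed under MIB. It serves both the community-string probe above and the OID addressing: encode_oid/decode_oid_body show how dotted OIDs are packed. The encoders run offline; only send_get() touches the network, and the address in its docstring is a documentation address, not a real target.

```python
"""Hand-built SNMPv1 GetRequest, the datagram snmpget/snmpwalk send.

Added example for these notes (not from the original page). Message ::=
SEQUENCE { version INTEGER, community OCTET STRING, GetRequest-PDU [0] {
request-id, error-status, error-index, VarBindList } }. send_get() is the
only network-touching function; 192.0.2.10 is a documentation address.
"""
import socket
from typing import Optional

SYS_DESCR_0 = "1.3.6.1.2.1.1.1.0"  # MIB-II system.sysDescr.0


def ber_len(n: int) -> bytes:
    """BER definite length: short form below 128, else 0x80 | number of length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(v: int) -> bytes:
    """INTEGER (tag 0x02), two's complement, minimal number of bytes."""
    if v == 0:
        return tlv(0x02, b"\x00")
    length = (v.bit_length() + 8) // 8  # one extra bit for the sign
    return tlv(0x02, v.to_bytes(length, "big", signed=True))


def encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER (tag 0x06): first two arcs packed as 40*a+b, every
    arc base-128 with the high bit set on all but its last byte."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid OID")
    out = bytearray()
    for arc in [40 * arcs[0] + arcs[1]] + arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def decode_oid_body(body: bytes) -> str:
    """Inverse of encode_oid for the value bytes (tag and length stripped)."""
    arcs, cur = [], 0
    for b in body:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    first = arcs[0]
    head = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    return ".".join(str(a) for a in head + arcs[1:])


def snmpv1_get_request(community: str, oid: str, request_id: int = 1) -> bytes:
    """Complete SNMPv1 GetRequest for one OID (value slot is NULL, tag 0x05)."""
    varbind = tlv(0x30, encode_oid(oid) + tlv(0x05, b""))
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode()) + pdu)


def send_get(host: str, community: str, oid: str = SYS_DESCR_0,
             timeout: float = 2.0) -> Optional[bytes]:
    """Send one GetRequest to UDP/161 and return the raw reply, or None if the
    agent stays silent. Any reply to 'public' is the finding the notes describe.
    Example: send_get("192.0.2.10", "public")."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(snmpv1_get_request(community, oid), (host, 161))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return data


if __name__ == "__main__":
    print(snmpv1_get_request("public", SYS_DESCR_0).hex(" "))
```

Compare the printed bytes with a capture of snmpget -v1 -c public <host> sysDescr.0 and they match byte for byte apart from the request-id; the community string is plainly visible, which is the whole reason SNMPv1/v2c enumeration works.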

SNMP Enumeration Tools:

  • OpUtils: OpUtils with its integrated set of tools helps network engineers to monitor, diagnose, and troubleshoot their IT resources.
  • Engineer’s Toolset:
    • Engineer’s Toolset performs network discovery on a single subnet or a range of subnets using ICMP and SNMP.
    • It scans a single IP, IP address range, or subnet and displays network devices discovered in real time.

4.4 LDAP Enumeration

LDAP Enumeration

  • Lightweight Directory Access Protocol (LDAP) is an Internet protocol for accessing distributed directory services.
  • Directory services may provide any organized set of records, often in a hierarchical and logical structure, such as a corporate email directory.
  • A client starts an LDAP session by connecting to a Directory System Agent (DSA) on TCP port 389 and sends an operation request to the DSA.
  • Information is transmitted between the client and the server using Basic Encoding Rules (BER).
  • Attacker queries LDAP service to gather information such as valid user names, addresses, departmental details, etc. that can be further used to perform attacks.

4.5 NTP Enumeration

NTP Enumeration

  • Network Time Protocol (NTP) is designed to synchronize clocks of networked computers.
  • It uses UDP port 123 as its primary means of communication.
  • NTP can maintain time to within 10 milliseconds (1/100 seconds) over the public Internet.
  • It can achieve accuracies of 200 microseconds or better in local area networks under ideal conditions.
  • Attacker queries NTP server to gather valuable information such as:
    • List of hosts connected to NTP server
    • Clients IP addresses in a network, their system names and OSs
    • Internal IPs can also be obtained if NTP server is in the DMZ

NTP Enumeration Commands

  • ntptrace:
    • Traces a chain of NTP servers back to the primary source
    • ntptrace [-vdn] [-r retries] [-t timeout] [server]
  • ntpdc:
    • Monitors operation of the NTP daemon, ntpd
    • /usr/bin/ntpdc [-n] [-v] host1 | IPaddress1...
  • ntpq:
    • Monitors NTP daemon ntpd operations and determines performance
    • ntpq [-inp] [-c command] [host] [...]

4.6 SMTP and DNS Enumeration

SMTP Enumeration

  • SMTP provides three built-in commands that leak whether an account exists:
    • VRFY: validates a user
    • EXPN: reveals the actual delivery addresses of aliases and mailing lists
    • RCPT TO: defines the recipients of the message
  • SMTP servers respond differently to VRFY, EXPN and RCPT TO for valid and invalid users (250 versus 550), so the reply codes reveal which users exist on the SMTP server.
  • Attackers can interact with SMTP directly over telnet and collect a list of valid users.
  • Using the SMTP VRFY command:

    $ telnet 192.168.168.1 25
    ...
    VRFY Jonathan
    250 Super-User <Jonathan@NYmailserver>
    VRFY Smith
    550 Smith... User unknown

  • Using the SMTP EXPN command:

    $ telnet 192.168.168.1 25
    ...
    EXPN Jonathan
    250 Super-User <Jonathan@NYmailserver>
    EXPN Smith
    550 Smith... User unknown

  • Using the SMTP RCPT TO command:

    $ telnet 192.168.168.1 25
    ...
    MAIL FROM:Jonathan
    250 Jonathan... Sender ok
    RCPT TO:Ryder
    250 Ryder... Recipient ok
    RCPT TO: Smith
    550 Smith... User unknown
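
The three telnet transcripts above, turned into a script: this added example (not from the original page) implements VRFY, EXPN and RCPT TO enumeration with the reply-code logic spelled out, including the two inconclusive cases a practitioner must handle (252 "cannot VRFY but will accept", and 500/502 when the verb is disabled). So that it runs offline, it starts a tiny fake sendmail-style server on 127.0.0.1 with a constructed user list; against a real target you would call enumerate_users() with the mail server and port 25 instead.

```python
"""SMTP user enumeration via VRFY / EXPN / RCPT TO, both ends of the exchange.

Added example for these notes, not code from the original page. The fake
server and its KNOWN_USERS are constructed so the script runs offline; in
practice point enumerate_users() at the target on TCP/25.
"""
import socket
import socketserver
import threading
from typing import Dict, List, Tuple

KNOWN_USERS = {"jonathan", "ryder"}  # constructed, for the fake server only


class FakeSMTPHandler(socketserver.StreamRequestHandler):
    """Minimal sendmail-like responder: honours VRFY/EXPN, checks RCPT."""

    def reply(self, line: str) -> None:
        self.wfile.write((line + "\r\n").encode())

    def handle(self) -> None:
        self.reply("220 NYmailserver ESMTP (constructed test server)")
        for raw in self.rfile:
            verb, _, arg = raw.decode(errors="replace").strip().partition(" ")
            verb = verb.upper()
            if verb in ("HELO", "EHLO"):
                self.reply("250 NYmailserver Hello")
            elif verb in ("VRFY", "EXPN"):
                user = arg.strip().lower()
                if user in KNOWN_USERS:
                    self.reply(f"250 {user.title()} <{user}@NYmailserver>")
                else:
                    self.reply(f"550 {arg}... User unknown")
            elif verb == "MAIL":
                self.reply("250 Sender ok")
            elif verb == "RCPT":
                user = arg.split(":", 1)[-1].strip(" <>").split("@")[0].lower()
                self.reply("250 Recipient ok" if user in KNOWN_USERS
                           else f"550 {user}... User unknown")
            elif verb == "QUIT":
                self.reply("221 Bye")
                return
            else:
                self.reply("502 Command not implemented")


def start_fake_server() -> Tuple[socketserver.TCPServer, int]:
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), FakeSMTPHandler)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def _smtp_cmd(reader, sock: socket.socket, cmd: str) -> int:
    """Send one command and return the numeric code of the (last) reply line."""
    sock.sendall((cmd + "\r\n").encode())
    while True:
        line = reader.readline().decode(errors="replace")
        if not line:
            raise ConnectionError("server closed the connection")
        if line[3:4] != "-":  # 'NNN-' marks a continued multi-line reply
            return int(line[:3])


def enumerate_users(host: str, port: int, candidates: List[str],
                    method: str = "VRFY") -> Dict[str, object]:
    """method is VRFY, EXPN or RCPT (RCPT needs a MAIL FROM first).
    250/251 = user exists, 550 = unknown, 252/500/502 = method unusable."""
    result: Dict[str, object] = {"valid": [], "invalid": [], "unsupported": False}
    with socket.create_connection((host, port), timeout=5) as s:
        reader = s.makefile("rb")
        reader.readline()  # 220 banner
        _smtp_cmd(reader, s, "HELO enum.local")
        if method == "RCPT":
            _smtp_cmd(reader, s, "MAIL FROM:<probe@enum.local>")
        for name in candidates:
            cmd = f"RCPT TO:<{name}>" if method == "RCPT" else f"{method} {name}"
            code = _smtp_cmd(reader, s, cmd)
            if code in (250, 251):
                result["valid"].append(name)
            elif code == 550:
                result["invalid"].append(name)
            elif code in (252, 500, 502):
                result["unsupported"] = True
                break
        _smtp_cmd(reader, s, "QUIT")
    return result


def demo() -> Dict[str, Dict[str, object]]:
    """Run all three methods against the local fake server."""
    srv, port = start_fake_server()
    try:
        return {m: enumerate_users("127.0.0.1", port, ["Jonathan", "Ryder", "Smith"], m)
                for m in ("VRFY", "EXPN", "RCPT")}
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for method, res in demo().items():
        print(method, res)
```

RCPT TO is the method that survives hardening most often, because a server that disables VRFY and EXPN still has to accept or refuse recipients; that is why the countermeasure later in these notes is to accept mail to unknown recipients silently rather than answer 550.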

SMTP Enumeration Tool: NetScanTools Pro

  • NetScanTools Pro’s SMTP Email Generator and Email Relay Testing Tools are designed for testing the process of sending an email message through an SMTP server and performing relay tests by communicating with a SMTP server.

SMTP Enumeration Tools

  • Telnet:
    • Telnet can be used to probe an SMTP server using VRFY, EXPN and RCPT TO parameters and enumerate users.
  • smtp-user-enum:
    • It is a tool for enumerating OS-level user accounts on Solaris via the SMTP service (sendmail)
    • Enumeration is performed by inspecting the responses to VRFY, EXPN and RCPT TO commands

DNS Zone Transfer Enumeration Using NSlookup

  • It is a process of locating the DNS server and the records of a target network.
  • An attacker can gather valuable network information such as DNS server names, hostnames, machine names, user names, IP addresses, etc. of the potential targets.
  • In a DNS zone transfer enumeration, an attacker tries to retrieve a copy of the entire zone file for a domain from the DNS server.

Use the host command to look up the name servers of zonetransfer.me:

host -t ns zonetransfer.me

root@kali:~# host -t ns zonetransfer.me
zonetransfer.me name server nsztm2.digi.ninja.
zonetransfer.me name server nsztm1.digi.ninja.

Two name servers were found; request a zone transfer (AXFR) from one of them. The output below shows the DNS records obtained:

host -t axfr zonetransfer.me nsztm1.digi.ninja

root@kali:~# host -t axfr zonetransfer.me nsztm1.digi.ninja
Trying "zonetransfer.me"
Using domain server:
Name: nsztm1.digi.ninja
Address: 81.4.108.41#53
Aliases: 

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8677
;; flags: qr aa; QUERY: 1, ANSWER: 153, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;zonetransfer.me.        IN    AXFR

;; ANSWER SECTION:
zonetransfer.me.    7200    IN    SOA    nsztm1.digi.ninja. robin.digi.ninja. 2014101603 172800 900 1209600 3600
zonetransfer.me.    7200    IN    RRSIG    SOA 8 2 7200 20160330133700 20160229123700 44244 zonetransfer.me. GzQojkYAP8zuTOB9UAx66mTDiEGJ26hVIIP2ifk2DpbQLrEAPg4M77i4 M0yFWHpNfMJIuuJ8nMxQgFVCU3yTOeT/EMbN98FYC8lVYwEZeWHtbMmS 88jVlF+cOz2WarjCdyV0+UJCTdGtBJriIczC52EXKkw2RCkv3gtdKKVa fBE=
zonetransfer.me.    7200    IN    NS    nsztm1.digi.ninja.
zonetransfer.me.    7200    IN    NS    nsztm2.digi.ninja.
...
xss.zonetransfer.me.    3600    IN    NSEC    zonetransfer.me. TXT RRSIG NSEC
xss.zonetransfer.me.    3600    IN    RRSIG    NSEC 8 3 3600 20160330133700 20160229123700 44244 zonetransfer.me. a7tFtY1bsTwztv/khjV/NEgaOQyiI8t2R0xgQUp9ANKmAPqu831l9rpI rwKpBF88atlvQYTv9bRTjA/Y58WxsBYw+SOe3j3CUmHlQVbj8CJQpfJK cW1w7DoX8O1PYbWuCAhciUyh1CV4Y5a8pcPBiZBM6225h4eAdE6Ahx3S XGY=
zonetransfer.me.    7200    IN    SOA    nsztm1.digi.ninja. robin.digi.ninja. 2014101603 172800 900 1209600 3600

Received 16183 bytes from 81.4.108.41#53 in 645 ms
host -l gives the same zone as a compact host listing; here it is requested from nsztm2.digi.ninja by its address, 167.88.42.94:

host -l zonetransfer.me 167.88.42.94

root@kali:~# host -l zonetransfer.me 167.88.42.94
Using domain server:
Name: 167.88.42.94
Address: 167.88.42.94#53
Aliases: 

zonetransfer.me has address 217.147.177.157
zonetransfer.me name server nsztm1.digi.ninja.
zonetransfer.me name server nsztm2.digi.ninja.
157.177.147.217.IN-ADDR.ARPA.zonetransfer.me domain name pointer www.zonetransfer.me.
asfdbbox.zonetransfer.me has address 127.0.0.1
canberra-office.zonetransfer.me has address 202.14.81.230
dc-office.zonetransfer.me has address 143.228.181.132
deadbeef.zonetransfer.me has IPv6 address dead:beaf::
email.zonetransfer.me has address 74.125.206.26
internal.zonetransfer.me name server intns1.zonetransfer.me.
internal.zonetransfer.me name server intns2.zonetransfer.me.
intns1.zonetransfer.me has address 167.88.42.94
intns2.zonetransfer.me has address 167.88.42.94
office.zonetransfer.me has address 4.23.39.254
ipv6actnow.org.zonetransfer.me has IPv6 address 2001:67c:2e8:11::c100:1332
owa.zonetransfer.me has address 207.46.197.32
alltcpportsopen.firewall.test.zonetransfer.me has address 127.0.0.1
vpn.zonetransfer.me has address 174.36.59.154
www.zonetransfer.me has address 217.147.177.157

Alternatively use dig; again, first find the name servers:

dig -t ns zonetransfer.me

root@kali:~# dig -t ns zonetransfer.me

; <<>> DiG 9.10.3-P4-Debian <<>> -t ns zonetransfer.me
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46473
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; MBZ: 0005 , udp: 512
;; QUESTION SECTION:
;zonetransfer.me.        IN    NS

;; ANSWER SECTION:
zonetransfer.me.    5    IN    NS    nsztm1.digi.ninja.
zonetransfer.me.    5    IN    NS    nsztm2.digi.ninja.

;; Query time: 234 msec
;; SERVER: 192.168.99.2#53(192.168.99.2)
;; WHEN: Sat Jul 09 16:00:36 CST 2016
;; MSG SIZE  rcvd: 96

Then perform the zone transfer:

dig axfr @nsztm1.digi.ninja zonetransfer.me

root@kali:~# dig axfr @nsztm1.digi.ninja zonetransfer.me

; <<>> DiG 9.10.3-P4-Debian <<>> axfr @nsztm1.digi.ninja zonetransfer.me
; (1 server found)
;; global options: +cmd
zonetransfer.me.    7200    IN    SOA    nsztm1.digi.ninja. robin.digi.ninja. 2014101603 172800 900 1209600 3600
zonetransfer.me.    7200    IN    RRSIG    SOA 8 2 7200 20160330133700 20160229123700 44244 zonetransfer.me. GzQojkYAP8zuTOB9UAx66mTDiEGJ26hVIIP2ifk2DpbQLrEAPg4M77i4 M0yFWHpNfMJIuuJ8nMxQgFVCU3yTOeT/EMbN98FYC8lVYwEZeWHtbMmS 88jVlF+cOz2WarjCdyV0+UJCTdGtBJriIczC52EXKkw2RCkv3gtdKKVa fBE=
zonetransfer.me.    7200    IN    NS    nsztm1.digi.ninja.
zonetransfer.me.    7200    IN    NS    nsztm2.digi.ninja.
...
xss.zonetransfer.me.    3600    IN    NSEC    zonetransfer.me. TXT RRSIG NSEC
xss.zonetransfer.me.    3600    IN    RRSIG    NSEC 8 3 3600 20160330133700 20160229123700 44244 zonetransfer.me. a7tFtY1bsTwztv/khjV/NEgaOQyiI8t2R0xgQUp9ANKmAPqu831l9rpI rwKpBF88atlvQYTv9bRTjA/Y58WxsBYw+SOe3j3CUmHlQVbj8CJQpfJK cW1w7DoX8O1PYbWuCAhciUyh1CV4Y5a8pcPBiZBM6225h4eAdE6Ahx3S XGY=
zonetransfer.me.    7200    IN    SOA    nsztm1.digi.ninja. robin.digi.ninja. 2014101603 172800 900 1209600 3600
;; Query time: 710 msec
;; SERVER: 81.4.108.41#53(81.4.108.41)
;; WHEN: Sat Jul 09 15:13:31 CST 2016
;; XFR size: 153 records (messages 1, bytes 16183)

Or use nslookup; again, first find the name servers:

nslookup -type=ns zonetransfer.me

root@kali:~# nslookup -type=ns zonetransfer.me
Server:        192.168.99.2
Address:    192.168.99.2#53

Non-authoritative answer:
zonetransfer.me    nameserver = nsztm2.digi.ninja.
zonetransfer.me    nameserver = nsztm1.digi.ninja.

Authoritative answers can be found from:

Then perform the zone transfer with nslookup's interactive ls -d command (the session below was run from a Windows machine):

nslookup - nsztm2.digi.ninja

ls -d zonetransfer.me

C:\Users\Sean>nslookup - nsztm2.digi.ninja
Default Server:  UnKnown
Address:  167.88.42.94

> ls -d zonetransfer.me
[UnKnown]
 zonetransfer.me.               SOA    nsztm1.digi.ninja robin.digi.ninja. (2014101601 172800 900 1209600 3600)
 zonetransfer.me.               HINFO  Casio fx-700G  Windows XP
 zonetransfer.me.               TXT             "google-site-verification=tyP28J7JAUHA9fw2sHXMgcCC0I6XBmmoVi04VlMewxA"

 zonetransfer.me.               MX     0    ASPMX.L.GOOGLE.COM
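
Obtaining the zone is only half the job; the enumeration value is in what the records reveal. The Python below is an added example (not from the original page) that parses `host -l` output and flags what a report would call out: non-public addresses leaked into a public zone (loopback, RFC 1918, reserved space), delegations to internal sub-zones, several names on one host, and labels that suggest infrastructure roles (the keyword list is a heuristic, not a rule). The sample lines are copied from the zonetransfer.me listing above, a public test zone, so it runs offline.

```python
"""Triage of a DNS zone dump (output of `host -l ZONE NAMESERVER`).

Added example for these notes, not from the original page. SAMPLE_HOST_L is
copied from the zonetransfer.me listing above; swap in your own dump.
"""
import ipaddress
import re
from typing import Dict, List

SAMPLE_HOST_L = """\
zonetransfer.me has address 217.147.177.157
zonetransfer.me name server nsztm1.digi.ninja.
zonetransfer.me name server nsztm2.digi.ninja.
157.177.147.217.IN-ADDR.ARPA.zonetransfer.me domain name pointer www.zonetransfer.me.
asfdbbox.zonetransfer.me has address 127.0.0.1
dc-office.zonetransfer.me has address 143.228.181.132
deadbeef.zonetransfer.me has IPv6 address dead:beaf::
internal.zonetransfer.me name server intns1.zonetransfer.me.
intns1.zonetransfer.me has address 167.88.42.94
intns2.zonetransfer.me has address 167.88.42.94
owa.zonetransfer.me has address 207.46.197.32
vpn.zonetransfer.me has address 174.36.59.154
www.zonetransfer.me has address 217.147.177.157
"""

# host -l prints A, AAAA, NS and PTR records in these four sentence forms.
LINE_RE = re.compile(
    r"^(?P<name>\S+) (?P<kind>has address|has IPv6 address|name server|domain name pointer) (?P<value>\S+)$"
)
KIND_TO_RTYPE = {"has address": "A", "has IPv6 address": "AAAA",
                 "name server": "NS", "domain name pointer": "PTR"}
# Heuristic: labels that usually mean internal infrastructure.
SUGGESTIVE = ("internal", "intns", "vpn", "owa", "dc-", "office")


def parse_host_l(text: str) -> List[Dict[str, str]]:
    """Each `host -l` line becomes {name, rtype, value}; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append({"name": m.group("name"),
                            "rtype": KIND_TO_RTYPE[m.group("kind")],
                            "value": m.group("value").rstrip(".")})
    return records


def classify_address(addr: str) -> str:
    """Why an address found in a public zone is interesting (or not)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "unparsable"
    if ip.is_loopback:
        return "loopback"
    if ip.is_private:
        return "private (RFC 1918 / ULA)"
    if ip.is_link_local:
        return "link-local"
    if ip.is_unspecified or ip.is_reserved:
        return "reserved"
    return "public"


def triage(records: List[Dict[str, str]]) -> Dict[str, list]:
    """Group findings the way an enumeration report would."""
    findings: Dict[str, list] = {"non_public_addresses": [], "delegations": [],
                                 "shared_hosts": [], "suggestive_names": []}
    by_addr: Dict[str, List[str]] = {}
    for r in records:
        if r["rtype"] in ("A", "AAAA"):
            cls = classify_address(r["value"])
            if cls != "public":
                findings["non_public_addresses"].append((r["name"], r["value"], cls))
            by_addr.setdefault(r["value"], []).append(r["name"])
        elif r["rtype"] == "NS":
            findings["delegations"].append((r["name"], r["value"]))
        label = r["name"].split(".")[0].lower()
        if any(k in label for k in SUGGESTIVE):
            findings["suggestive_names"].append(r["name"])
    findings["shared_hosts"] = [(a, n) for a, n in by_addr.items() if len(n) > 1]
    findings["suggestive_names"] = sorted(set(findings["suggestive_names"]))
    return findings


if __name__ == "__main__":
    for key, items in triage(parse_host_l(SAMPLE_HOST_L)).items():
        print(key)
        for item in items:
            print("   ", item)
```

On this sample the delegation of internal.zonetransfer.me to intns1/intns2 and the loopback address on asfdbbox are exactly the kind of record the DNS countermeasures later in the notes say should never be in a public zone.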

Q1) Which port number is used by DNS for zone transfers?

  1. 53 TCP
  2. 53 UDP
  3. 25 TCP
  4. 25 UDP

A1) TCP port 53. Zone transfers (AXFR) run over TCP because the response is normally far too large for a single UDP datagram; UDP 53 carries ordinary queries.

Q2) A DNS zone transfer is used to do which of the following?

  1. Copy files
  2. Perform searches
  3. Synchronize server information
  4. Decommission servers

A2) A zone transfer is used to synchronize information, namely records, between two or more DNS servers.

4.7 Enumeration Countermeasures

Enumeration Countermeasures

  • SNMP:
    • Remove the SNMP agent or turn off the SNMP service
    • If shutting off SNMP is not an option, then change the default community string name
    • Upgrade to SNMPv3, which adds user authentication and encryption of messages (SNMPv1/v2c send the community string in clear text)
    • Implement the Group Policy security option "Additional restrictions for anonymous connections" (a Windows null-session control, listed here by CEH although it hardens SMB/RPC rather than SNMP)
    • Ensure that access to null session pipes and null session shares is restricted, and apply IPSec filtering
  • DNS:
    • Disable the DNS zone transfers to the untrusted hosts
    • Make sure that the private hosts and their IP addresses are not published into DNS zone files of public DNS server
    • Use premium DNS registration services that hide sensitive information such as HINFO from public
    • Use standard network admin contacts for DNS registrations in order to avoid social engineering attacks
  • SMTP: Configure SMTP servers to:
    • Ignore email messages to unknown recipients
    • Not include sensitive mail server and local host information in mail responses
    • Disable open relay feature
  • LDAP:
    • By default LDAP traffic is transmitted in clear text; use TLS (LDAPS on TCP 636, or StartTLS on 389) to encrypt it
    • Select a user name different from your email address and enable account lockout
  • SMB:
    • Disable SMB protocol on Web and DNS Servers
    • Disable SMB protocol on Internet facing servers
    • Block TCP ports 139 and 445, used by the SMB protocol, at the network perimeter
    • Restrict anonymous access through RestrictNullSessAccess parameter from the Windows Registry

4.8 Enumeration Pen Testing

Enumeration Pen Testing

  • Used to identify valid user accounts or poorly protected resource shares using active connections to systems and directed queries.
  • The information can be users and groups, network resources and shares, and applications.
  • Used in combination with data collected in the reconnaissance phase.
  • In order to enumerate important servers, find the network range using tools such as WhoIs Lookup.
  • Calculate the subnet mask required for the IP range using a subnet mask calculator; the mask can be given as input to many ping sweep and port scanning tools.
  • Find the servers connected to the Internet using tools such as Nmap.
  • Perform port scanning to check for the open ports on the nodes using tools such as Nmap.
  • Perform NetBIOS enumeration using tools such as SuperScan, Hyena, and Winfingerprint.
  • Perform SNMP enumeration using tools such as OpUtils Network Monitoring Toolset and Engineer’s Toolset.
  • Perform LDAP enumeration using tools such as Softerra LDAP Administrator.
  • Perform NTP enumeration using commands such as ntptrace, ntpdc, and ntpq.
  • Perform SMTP enumeration using tools such as NetScanTools Pro.
  • Perform DNS enumeration using Windows utility NSLookup.

Module Summary

  • Enumeration is defined as the process of extracting user names, machine names, network resources, shares, and services from a system.
  • SNMP enumeration is a process of enumerating user accounts and devices on a target system using SNMP.
  • MIB is a virtual database containing formal description of all the network objects that can be managed using SNMP.
  • Attacker queries LDAP service to gather information such as valid user names, addresses, departmental details, etc. that can be further used to perform attacks.
  • Network Time Protocol (NTP) is designed to synchronize clocks of networked computers.
  • Attackers connect to a specific service port with telnet to read the banner and enumerate the server version running on the remote host.

Q1) Which of the following tools are used for enumeration? (Choose three.)

  1. SolarWinds
  2. USER2SID
  3. Cheops
  4. SID2USER
  5. DumpSec

A1) USER2SID, SID2USER and DumpSec are three of the tools used for system enumeration. Others are NAT and Enum. Knowing which tools are used in each step of the hacking methodology is an important goal of the CEH exam. You should spend a portion of your preparation time practising with the tools and learning to understand their output.

Q2) What did the following commands determine?

C:\> user2sid \\earth guest
S-1-5-21-343818398-789336058-1343024091-501
C:\> sid2user 5 21 343818398 789336058 1343024091 500
Name is Joe
Domain is EARTH

  1. That the Joe account has a SID of 500
  2. These commands demonstrate that the guest account has NOT been disabled
  3. These commands demonstrate that the guest account has been disabled
  4. That the true administrator is Joe
  5. Issued alone,these commands prove nothing

A2) Option 4. One important goal of enumeration is to determine who the true administrator is. user2sid resolved the Guest account to a SID ending in RID 501, which exposes the domain's SID prefix; sid2user then resolved that same prefix with RID 500, the RID that always belongs to the built-in Administrator account, to the name Joe. The administrator account has therefore been renamed to Joe, and the rename hides nothing from an attacker who enumerates by RID.
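
The reasoning in A2, and the SID/RID note earlier in these notes, as working code. This is an added example, not from the original page: it parses a SID into domain part and RID, names the well-known RIDs from Microsoft's documented list, derives the sibling SIDs that sid2user would be asked about next (RID cycling), and picks out the RID-500 account whatever it is called. The Guest SID is the one printed in Q2; the sid2user results are constructed.

```python
"""Reading Windows SIDs the way user2sid/sid2user are used above.

Added example for these notes, not from the original page. GUEST_SID is the
value shown in Q2; the resolved names in __main__ are constructed.
"""
import re
from typing import Dict, List, Optional

# Documented well-known relative identifiers.
WELL_KNOWN_RIDS: Dict[int, str] = {
    500: "Administrator (built-in)",
    501: "Guest (built-in)",
    502: "krbtgt (domain KDC account)",
    512: "Domain Admins",
    513: "Domain Users",
    514: "Domain Guests",
    515: "Domain Computers",
    516: "Domain Controllers",
    519: "Enterprise Admins",
}

SID_RE = re.compile(r"^S-1-(\d+)-(\d+(?:-\d+)*)$")


def parse_sid(sid: str) -> Dict[str, object]:
    """Split 'S-1-5-21-a-b-c-RID' into authority, domain SID and RID."""
    m = SID_RE.match(sid.strip())
    if not m:
        raise ValueError(f"not a SID: {sid!r}")
    authority = int(m.group(1))
    subs = [int(x) for x in m.group(2).split("-")]
    # Account SIDs are NT Authority (5), sub-authority 21, three 32-bit
    # machine/domain values, then the RID. Others (S-1-5-32-544 etc.) are
    # built-in groups with no RID in this sense.
    is_account = authority == 5 and len(subs) >= 5 and subs[0] == 21
    return {
        "authority": authority,
        "subauthorities": subs,
        "is_account": is_account,
        "domain_sid": "S-1-5-" + "-".join(str(x) for x in subs[:-1]) if is_account else None,
        "rid": subs[-1] if is_account else None,
    }


def describe_rid(rid: int) -> str:
    if rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[rid]
    if rid >= 1000:
        return "ordinary account or group (RIDs from 1000 are allocated sequentially)"
    return "other built-in/reserved RID"


def sid2user_targets(sample_sid: str, rids: List[int]) -> List[str]:
    """From any one account SID, build sibling SIDs to resolve next; this is
    the RID cycling behind sid2user (500, 501, then 1000, 1001, ...)."""
    info = parse_sid(sample_sid)
    if not info["is_account"]:
        raise ValueError("need an account SID (S-1-5-21-...)")
    return [f"{info['domain_sid']}-{r}" for r in rids]


def true_administrator(sid_to_name: Dict[str, str]) -> Optional[str]:
    """Given SID -> name pairs as sid2user returns them, the account with
    RID 500 is the built-in Administrator regardless of its display name."""
    for sid, name in sid_to_name.items():
        if parse_sid(sid)["rid"] == 500:
            return name
    return None


GUEST_SID = "S-1-5-21-343818398-789336058-1343024091-501"  # from Q2 above

if __name__ == "__main__":
    info = parse_sid(GUEST_SID)
    print("domain SID:", info["domain_sid"], "RID:", info["rid"], "->", describe_rid(info["rid"]))
    print("next SIDs to resolve:", sid2user_targets(GUEST_SID, [500, 1000, 1001]))
    # Constructed sid2user results: the built-in Administrator renamed to Joe.
    resolved = {f"{info['domain_sid']}-500": "Joe", GUEST_SID: "Guest",
                f"{info['domain_sid']}-1000": "alice"}
    print("true administrator:", true_administrator(resolved))
```

Renaming the Administrator account therefore buys nothing against an attacker who can resolve SIDs; restricting anonymous SID lookups (the RestrictAnonymous / null-session controls in the countermeasures section) is what actually removes the exposure.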

Q3) Peter, a Network Administrator, has come to you looking for advice on a tool that would help him perform SNMP enquiries over the network. Which of these tools would do the SNMP enumeration he is looking for? Select the best answers.

  1. SNMPUtil
  2. SNScan
  3. SNMPScan
  4. Solarwinds IP Network Browser
  5. NMap

A3) SNMPUtil is an SNMP enumeration utility that is part of the Windows 2000 Resource Kit. With SNMPUtil you can retrieve all sorts of valuable information through SNMP. SNScan is an SNMP network scanner by Foundstone; it scans for open SNMP ports. SolarWinds IP Network Browser is an SNMP enumeration tool with a graphical tree view of the remote machine's SNMP data.

Q4) In the context of Windows Security, what is a ‘null’ user?

  1. A user that has no skills
  2. An account that has been suspended by the admin
  3. A pseudo account that has no username and password
  4. A pseudo account that was created for security administration purpose

A4) NULL sessions take advantage of “features” in the SMB (Server Message Block) protocol that exist primarily for trust relationships. You can establish a NULL session with a Windows host by logging on with a NULL user name and password. Using these NULL connections allows you to gather the following information from the host:

  • List of users and groups
  • List of machines
  • List of shares
  • User and host SIDs (Security Identifiers)

NULL sessions exist in windows networking to allow:

  • Trusted domains to enumerate resources
  • Computers outside the domain to authenticate and enumerate users
  • The SYSTEM account to authenticate and enumerate resources

NetBIOS NULL sessions are enabled by default in Windows NT and 2000. Windows XP and 2003 allow anonymous enumeration of shares, but not of SAM accounts.

Q5) Enumeration does not uncover which of the following pieces of information?

  1. Services
  2. User accounts
  3. Ports
  4. Shares

A5) Ports are usually uncovered during the scanning phase and not the enumeration phase.

Q6) Enumeration is useful to system hacking because it provides __

  1. Passwords
  2. IP ranges
  3. Configuration
  4. Usernames

A6) Usernames are especially useful in the system-hacking process because they let you target accounts for password cracking. Enumeration can provide information regarding usernames and accounts.

Q7) What is enumeration?

  1. Identifying active systems on the network
  2. Cracking passwords
  3. Identifying users and machine names
  4. Identifying routers and firewalls

A7) Enumeration is the process of finding usernames, machine names, network shares, and services on the network.

Q8) What is a countermeasure for SNMP enumeration?

  1. Remove the SNMP agent from the device
  2. Shut down ports 135 and 139 at the firewall
  3. Shut down ports 80 and 443 at the firewall
  4. Enable SNMP read-only security on the agent device

A8) The best countermeasure to SNMP enumeration is to remove the SNMP agent from the device. Doing so prevents it from responding to SNMP requests.

Q9) A company has publicly hosted web applications and an internal Intranet protected by a firewall. Which technique will help protect against enumeration?

  1. Reject all invalid email received via SMTP.
  2. Allow full DNS zone transfers.
  3. Remove A records for internal hosts.
  4. Enable null session pipes.

A9) Remove A records for internal hosts (option 3). Private hosts and their addresses should not appear in the zone files of a public DNS server (see the DNS countermeasures above). The other options help an attacker: 550 rejections of invalid recipients enable RCPT TO enumeration, full zone transfers hand over the whole zone, and null session pipes allow anonymous SMB enumeration.

Q10) What is the following command used for?

net use \\target\ipc$ "" /u:""

  1. Grabbing the etc/passwd file
  2. Grabbing the SAM
  3. Connecting to a Linux computer through Samba.
  4. This command is used to connect as a null session
  5. Enumeration of Cisco routers

A10) The null session is one of the most debilitating vulnerabilities faced by Windows. Null sessions can be established over ports 135, 139 and 445.
