Ethical Hacking Tutorial

Enumeration Methods Practical For Ethical Hacking

How to Enumerate NetBIOS With Global Network Inventory?

Enumeration of a network starts with gathering the names of the devices on it: servers, workstations, switches, printers, and so on.

Once the names are known, the next step is to probe each device for detailed information.

In this lab, we will use the Global Network Inventory tool to scan a network. It is a widely used tool for security auditing and for testing networks and firewalls.

Dir= “Module 03 Scanning Networks\Scanning Tools\Global Network Inventory”

  1. Click on I Agree when the About Global Network Inventory window displays. In case the app doesn't open automatically after installation, try opening it manually.

  2. When the Global Network Inventory GUI displays, click on Close.

  3. The New Audit Wizard window will come. Click on Next.

  4. When the Audit Scan Mode shows up, choose IP Range Scan. Click on Next.

  5. When the IP Range Scan section comes, set the IP range and click on Next.

  6. From the Authentication Settings section that shows up, choose Connect as. Enter the username & password of the Windows Server 2012 machine. Click on Next.

  7. Leave the remaining settings at their defaults and click on Finish.

  8. Global Network Inventory will initiate the scanning of the specified IP range.

  9. After the scan completes, it will show the results. Choose the IP address of the Windows Server 2012 machine. It can be found under the CEH node in View Results.

  10. The Scan Summary gives a short overview of the scanned machine: machine name, MAC address, installed OS, and so on.

  11. In the Operating System tab, you can view the OS details. For detailed information, check the Windows Details tab.

  12. In the BIOS section, you can view the details about BIOS settings. For detailed information, you can check the BIOS information tab.

  13. For details about the NetBIOS apps, check the NetBIOS tab. 

  14. In the User Groups tab, you can see the user account details by work group. 

  15. In the Users tab, you can view the user accounts and their last login time.

  16. In the Services section, you can see the information about the services on the machine. Click on a specific service for its details. 

  17. In the Installed Software, you can view the information about the software installed on the machine.

  18. On lab completion, close the tool and other windows. 

How to Enumerate Network Resources Using Advanced IP Scanner?

Before vulnerabilities in a network can be found and patched, you need to know which hosts are live and what they expose. That is what a ping sweep gives you.

Advanced IP Scanner is a fast ping-sweep tool. It lists the live hosts in an IP range with their names, MAC addresses and manufacturers, and offers remote actions such as Wake-On-LAN, shutdown and remote connection. It is not a vulnerability scanner: it tells you where to look, not what is wrong.

In this lab, you will sweep an address range, collect information about the live devices, and use one of the remote actions (shutdown) against a target host.

 Dir= “Module 03 Scanning Networks\Ping Sweep Tools\Advanced IP Scanner”

  1. Launch the Advanced IP Scanner tool.

  2. Enter the IP address range in the Select range field. Click on Scan.

  3. It will start scanning and show the list of live hosts.

  4. After scanning, you can see the IP address, Name, MAC address, and Manufacturer of each live host. Click on the Expand icon next to a host to see further details.

  1. Right-click on any IP to see the Wake-On-Lan, Shut down, Abort Shut Down and other options. These can be used to force a machine to shut down or reboot. There are also options to ping the machine, chat, send messages, share files, and connect to it remotely.

  2. Here, we use the Shut down option. When the window opens, specify a timeout and click on Shutdown. The target machine will shut down. Remote shutdown goes through Windows RPC and only succeeds if the account you run the tool as (or the credentials it prompts for) has shutdown rights on the target.

  3. The Shutdown Results window will come, with a message showing that the target machine has been shut down successfully.

  4. Close the tool and other windows after completion.

How to Enumerate Networks Using SuperScan Tool?

Enumeration helps in finding information about vulnerabilities in individual systems and devices. Penetration testers analyze these systems thoroughly to detect the vulnerabilities.

Here, we will use SuperScan to identify open TCP and UDP ports on a machine to find the services running on the machine, which can be targeted by the hackers. 

SuperScan can be used to enumerate networks, find a list of devices on it, user names, user groups, machine names, services, resources, etc. 

Dir=“Module 04 Enumeration\NetBIOS Enumeration Tools\SuperScan”

  1. Click on Windows Enumeration when the SuperScan main window comes.

  2. In the Hostname/IP/URL field, write the IP address of the target machine. Under Enumeration type, check the kinds of enumeration you want to run (for example NetBIOS Name Table, NULL Session, Users, Groups and Shares). Click on Enumerate to start the enumeration.

  3. When enumeration completes, it will show the results. Scroll down and analyze them carefully.

  4. Close the tool and other windows after the lab completion.

How to Enumerate Local Machine Resources Using Hyena?

In this lab, let's explore how to enumerate system user information and the services running on the system. 

Dir= “Module 04 Enumeration\NetBIOS Enumeration Tools\Hyena”

  1. Install Hyena and open it.

  2. If you see the SystemTools Update Notification Utility, click on Close.

  3. When the Registration window comes, click on OK.

  4. If you see an Error dialog box, click on OK.

  5. In case you see the Hyena dialog box asking for registration, click on No.

  6. In the main Hyena window, click the '+' node next to the local machine, then expand the Users node to see the users of the local machine.

  7. Double-click on Services to see the active services on the system.

  8. Double-click on User Rights to see the user rights assignments.

  9. To see the list of scheduled jobs, double-click on Scheduled jobs.

Analyze all these options to find if any confidential information has been discovered. If yes, take the right security measures to secure this information.

  1. Close the tool and other windows after analyzing the results. 

How to Enumerate Networks Using NetBIOS Enumerator?

NetBIOS Enumerator is a tool for enumerating networks: it collects information about user accounts, local and global groups, and other NetBIOS details.

Here, it will be used to enumerate the user names, MAC address, and domain group of the target machine.

Dir=“Module 04 Enumeration\NetBIOS Enumeration Tools\NetBIOS Enumerator”

  1. Enter the IP range to be scanned in the From and To fields. Click on Scan.

  2. After scanning, you can expand the nodes and view information about the machines.

To start a new scan, erase the current results by clicking on Clear.

  1. Close the tool and windows after viewing the results. 

How to Enumerate Networks Using SoftPerfect Network Scanner?

Dir=“Module 04 Enumeration\NetBIOS Enumeration Tools\SoftPerfect Network Scanner”

  1. Choose your preferred language when Welcome to the Network Scanner! window comes. Click on Continue.

  2. Enter the IP range in From and To fields. Click on Start Scanning.

  3. In the status bar, you can view the scan status.

  4. To check the properties of an IP address, right-click on the specific IP and choose Properties.

  5. The Properties window will come, showing the Shared Resources and Basic Info of the machine related to the chosen IP address.

After checking the properties, close the window.

  1. To see the shared folders, expand the scanned hosts that have a '+' node in front of them.

  2. Right-click on the chosen host. Click on Open Computer. You will see a drop-down with options for connecting to the remote machine over HTTP, HTTPS, Telnet, and so on.

If the chosen host is poorly secured, these options can be used to connect to it and, for example, send messages or shut it down remotely. These actions only succeed when the target's security configuration is weak: anonymous access to shares, weak or shared credentials, or remote management services exposed to the network.

  1. Close the tool after the lab completion. 

How to Enumerate Networks Using Nmap?

Nmap is used to find the hosts on a network, the services they offer, the operating systems they run, the packet filters or firewalls in use, and more.

Here, Nmap is used to fingerprint the target's operating system and open ports. The NetBIOS details (machine names, workgroup or domain, MAC address) and the null-session check are then done from Windows with the built-in nbtstat and net use commands.

  1. Launch the nmap application.

  2. When the Nmap - Zenmap interface opens, run an OS detection scan against the Windows Server 2012 machine: enter nmap -O 10.10.10.12 in the Command field and click on Scan. OS detection takes a few minutes.

  3. After scanning, it will provide the output for the specified IP address, which you can see in the Nmap Output tab.

Target the Windows hosts first and look for ports 139/tcp (NetBIOS session service) and 445/tcp (SMB). NetBIOS enumeration works best against Windows, but any host with those ports open (a Samba server, for example) is worth trying. A scan of the whole subnet will usually turn up several systems with NetBIOS exposed.

  1. Open the Windows Server 2012 machine and log in as administrator (press Ctrl+Alt+Delete to get the logon screen).

  2. Open Command Prompt and write nbtstat -A 10.10.10.16. Press Enter. nbtstat -A sends a NetBIOS node status query to UDP port 137 of Windows Server 2016 and prints its NetBIOS name table: the machine name, the workgroup or domain it belongs to, the services it registers (suffixes such as <00> and <20>), and its MAC address.

  3. Write net use and press Enter. With no arguments it lists the connections this host currently has to remote shares, including any null sessions.

  4. To start a null session (an SMB connection with an empty user name and empty password), write:

net use \\10.10.10.16\e "" /user:""

and press Enter. The empty string in quotes is the password and /user:"" is the empty user name. The classic form of the same check targets the IPC$ inter-process communication share rather than a file share:

net use \\10.10.10.16\IPC$ "" /user:""

  5. Issue net use again to confirm that the null session is listed among the connections.

  6. Windows Server 2012 restricts what an anonymous session may enumerate by default (the RestrictAnonymous and RestrictAnonymousSAM settings). A successful net use with empty credentials therefore does not by itself mean that user and share lists are exposed; that is what the enumeration tools above test.

  7. To tear the session down, write net use \\10.10.10.16\e /delete, or, if the share is mapped to a drive letter (Z:\ in the lab), open File Explorer, right-click the mapped network drive and choose Disconnect.

  8. Close the Command Prompt and other windows once the lab is completed.
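What nbtstat -A actually puts on the wire is a NetBIOS node status request to UDP port 137, and the name table it prints is the reply to that request. The following Python script is an added example for this page, not part of the lab material: it builds that request, parses the reply into the names, their <suffix> service codes, the group/unique flag and the MAC address, and includes a constructed reply from a fictitious server (WIN2012 in domain CEH, MAC 00:50:56:AA:BB:CC) so it runs offline. nbstat() performs the live query against a host you name.

```python
"""NetBIOS node status (NBSTAT) query over UDP/137: the request `nbtstat -A <ip>`
sends and a parser for the reply.  Added example for this page, not part of the
lab.  The sample reply is constructed, not captured."""
import socket
import struct

NB_SUFFIX = {                        # meaning of the 16th byte of a NetBIOS name
    0x00: "Workstation / Workgroup", 0x03: "Messenger", 0x20: "File Server",
    0x1B: "Domain Master Browser", 0x1C: "Domain Controllers",
    0x1D: "Master Browser", 0x1E: "Browser Elections",
}

def encode_nb_name(name):
    """First-level encoding: pad to 16 bytes, each nibble becomes 'A' + nibble."""
    raw = name.encode("ascii").ljust(16, b"\x00")
    enc = bytes(c for b in raw for c in (0x41 + (b >> 4), 0x41 + (b & 0x0F)))
    return bytes([len(enc)]) + enc + b"\x00"          # one 32-byte label, then root

def build_nbstat_query(txid=0x1234):
    """Node status request for the wildcard name '*' (QTYPE NBSTAT 0x21, CLASS IN)."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)   # flags 0, QDCOUNT 1
    return header + encode_nb_name("*") + struct.pack(">HH", 0x0021, 0x0001)

def _skip_name(data, pos):
    """Advance past an encoded name (label sequence or compression pointer)."""
    while True:
        n = data[pos]
        if n == 0:
            return pos + 1
        if n & 0xC0 == 0xC0:
            return pos + 2
        pos += 1 + n

def parse_nbstat_response(data):
    """Name table and unit ID (MAC) from a node status reply."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", data[:12])
    if not flags & 0x8000 or ancount < 1:
        raise ValueError("not a NetBIOS response carrying an answer")
    pos = 12
    for _ in range(qdcount):                 # normally 0 in a node status reply
        pos = _skip_name(data, pos) + 4
    pos = _skip_name(data, pos)
    rtype, _, _, _ = struct.unpack(">HHIH", data[pos:pos + 10])   # type, class, TTL, RDLENGTH
    pos += 10
    if rtype != 0x0021:
        raise ValueError("answer is not an NBSTAT record")
    num_names, pos = data[pos], pos + 1
    names = []
    for _ in range(num_names):               # 18-byte entries: name(15) suffix(1) flags(2)
        entry, pos = data[pos:pos + 18], pos + 18
        suffix, nflags = entry[15], struct.unpack(">H", entry[16:18])[0]
        names.append({
            "name": entry[:15].rstrip(b" \x00").decode("ascii", "replace"),
            "suffix": suffix, "type": NB_SUFFIX.get(suffix, "unknown"),
            "group": bool(nflags & 0x8000),  # G bit: group name rather than unique
            "active": bool(nflags & 0x0400), # ACT bit
        })
    mac = ":".join(f"{b:02X}" for b in data[pos:pos + 6])   # statistics begin with unit ID
    return {"txid": txid, "names": names, "mac": mac}

def nbstat(host, timeout=2.0):
    """Live query, what `nbtstat -A host` does (not exercised by the offline demo)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_nbstat_query(), (host, 137))
        data, _ = sock.recvfrom(1024)
    finally:
        sock.close()
    return parse_nbstat_response(data)

def sample_response(txid=0x1234):
    """Constructed reply from a fictitious server WIN2012 in domain CEH."""
    entries = [(b"WIN2012", 0x00, 0x0400), (b"CEH", 0x00, 0x8400),
               (b"WIN2012", 0x20, 0x0400), (b"CEH", 0x1C, 0x8400)]
    rdata = bytes([len(entries)])
    for name, suffix, nflags in entries:
        rdata += name.ljust(15, b" ") + bytes([suffix]) + struct.pack(">H", nflags)
    rdata += bytes.fromhex("005056AABBCC") + b"\x00" * 40   # unit ID, rest of statistics zeroed
    header = struct.pack(">HHHHHH", txid, 0x8400, 0, 1, 0, 0)  # response, authoritative, 1 answer
    answer = encode_nb_name("*") + struct.pack(">HHIH", 0x0021, 0x0001, 0, len(rdata))
    return header + answer + rdata

if __name__ == "__main__":
    table = parse_nbstat_response(sample_response())
    print("MAC:", table["mac"])
    for n in table["names"]:
        print(f"{n['name']:<15} <{n['suffix']:02X}>  {'GROUP ' if n['group'] else 'UNIQUE'}  {n['type']}")
```

Run as-is it prints the constructed table; nbstat("10.10.10.16") sends the same 50-byte request the lab's nbtstat command sends. A <1C> group entry identifies a domain controller, a <20> unique entry a host sharing files, which is how the name table tells you where to point the SMB checks next.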

Enumeration of Services on the Target Machine

Networks and systems run services for many functions. Outdated services may contain vulnerabilities that attackers can exploit.

As an ethical hacker and pentester, it is important for you to enumerate the services so that vulnerabilities can be discovered and patched.

  1. Write nmap -sP 10.10.10.0/24 and press Enter to start the ping sweep. (-sP is the old name of the host-discovery option; current Nmap versions still accept it but document it as -sn.)

Nmap will probe the network and list the hosts that are up. Run as root on the local subnet, it also shows each host's MAC address and the vendor derived from it.

  1. Select an IP address from the scan results and run a SYN scan: write nmap -sS 10.10.10.12 and press Enter. A SYN (half-open) scan never completes the TCP handshake, which is why it is called stealthy; it needs raw-socket privileges, so run it as root. It shows the list of open ports on Windows Server 2012.

  2. Now that you have the list of open ports and the services on them, enumerate the versions of those services. This is again a SYN scan, with the version-detection switch (-sV) added.

Write nmap -sSV -O 10.10.10.12 and press Enter. This runs a SYN scan with version detection and OS detection. When it finishes, it shows the service versions as well as the OS fingerprint.

  1. Write nmap -sSV -O 10.10.10.12 -oN Enumeration.txt and press Enter. It runs the same scan and, with -oN, also saves the normal-format output to Enumeration.txt in the current working directory (the home directory of root, if you started the terminal there).

  2. Once the lab is complete, go to the Desktop and click on Folders. When the Home folder appears, showing the Enumeration.txt file, open it to see the results. 

  3. You can see and analyze the result.

  4. Alternatively, write cat Enumeration.txt in the terminal to print the file.

  5. With enumeration of services, hackers may try to detect weaknesses in an application and exploit them to access the target machine.
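Enumeration.txt is Nmap's normal (-oN) format, which is written for people; the grep-able (-oG) and XML (-oX) formats exist for tooling, but the file from this lab can still be parsed. The Python below is an added example, not part of the lab: it turns a normal-output report into records (IP, open ports, service versions, OS, MAC) and picks out the hosts with 139/tcp or 445/tcp open, which are the candidates for the NetBIOS and null-session checks earlier on this page. SAMPLE is a constructed two-host report in that format, not a real capture, and the host names and versions in it are made up.

```python
"""Parse nmap normal output (-oN, e.g. Enumeration.txt) into records and pick
out the NetBIOS/SMB hosts.  Added example for this page, not part of the lab.
SAMPLE is a constructed scan report, not a real capture."""
import re

REPORT_RE = re.compile(r"^Nmap scan report for (\S+)(?: \((\d+\.\d+\.\d+\.\d+)\))?")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.+?))?\s*$")

SAMPLE = """\
# Nmap 7.80 scan initiated <date> as: nmap -sSV -O -oN Enumeration.txt 10.10.10.0/24
Nmap scan report for 10.10.10.12
Host is up (0.00052s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Microsoft DNS
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3389/tcp open  ms-wbt-server Microsoft Terminal Services
MAC Address: 00:50:56:AA:BB:CC (VMware)
OS details: Microsoft Windows Server 2012
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Nmap scan report for kali.lab (10.10.10.11)
Host is up (0.00031s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1
MAC Address: 00:50:56:DD:EE:FF (VMware)
"""

def parse_nmap_normal(text):
    """One record per 'Nmap scan report' block: host, ip, ports, OS details, MAC."""
    reports, cur = [], None
    for line in text.splitlines():
        m = REPORT_RE.match(line)
        if m:
            cur = {"host": m.group(1), "ip": m.group(2) or m.group(1),
                   "ports": [], "os": None, "mac": None}
            reports.append(cur)
            continue
        if cur is None:                      # header lines before the first report
            continue
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            cur["ports"].append({"port": int(port), "proto": proto, "state": state,
                                 "service": service, "version": version or ""})
        elif line.startswith("OS details:"):
            cur["os"] = line.split(":", 1)[1].strip()
        elif line.startswith("MAC Address:"):
            cur["mac"] = line.split(":", 1)[1].strip()
    return reports

def open_ports(report):
    return [p for p in report["ports"] if p["state"] == "open"]

def netbios_candidates(reports):
    """IPs with 139/tcp or 445/tcp open: follow these up with nbtstat and null-session checks."""
    return [r["ip"] for r in reports
            if any(p["proto"] == "tcp" and p["port"] in (139, 445) for p in open_ports(r))]

def service_versions(report):
    """(port, service, version) for every open port where nmap identified a version."""
    return [(p["port"], p["service"], p["version"])
            for p in open_ports(report) if p["version"]]

if __name__ == "__main__":
    reports = parse_nmap_normal(SAMPLE)        # replace with open("Enumeration.txt").read()
    for r in reports:
        print(f"{r['ip']:<14} OS: {r['os'] or 'unknown'}  MAC: {r['mac'] or 'n/a'}")
        for port, service, version in service_versions(r):
            print(f"  {port:>5}  {service:<14} {version}")
    print("NetBIOS/SMB candidates:", netbios_candidates(reports))
```

The version column is what you feed into a vulnerability lookup; the candidate list is what you feed into the NetBIOS tools. For anything beyond a lab, run the scan with -oX and parse the XML instead, because the normal format's column layout is not guaranteed to stay stable between Nmap releases.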

Using snmp_enum for SNMP Enumeration

SNMP enumeration is the process of querying SNMP-enabled devices for the information they manage: user accounts, devices, network configuration and more.

An SNMP agent is protected by two strings, which act as passwords: the read community string and the read/write community string. The first lets a client read the agent's data; the second also lets it change the configuration.

These strings have default values that are the same on every device: public for read-only and private for read/write.

Hackers therefore try the defaults first as a way into systems, which is why administrators must change them.

By enumerating SNMP, hackers can collect information about network resources, including hosts, devices, shares and routers, as well as ARP tables, routing tables, device details and traffic statistics.

It is important for you to fix default community strings wherever you find them.

  1. Open a terminal window and write nmap -sU -p 161 10.10.10.12. Press Enter. It shows whether the SNMP port (UDP 161) is open on the machine.

  2. Write nmap -sU -p 161 --script=snmp-brute 10.10.10.12. Press Enter.

The snmp-brute script guesses community strings from a wordlist (by default nselib/data/snmpcommunities.lst; supply your own with --script-args snmp-brute.communitiesdb=<file>) and reports the ones the agent answers, marked as valid credentials.

SNMPv1 and v2c agents simply drop requests that carry a wrong community string, so the script sends its probes in parallel and listens for the replies rather than waiting for each probe to time out in turn.

  1. Write msfconsole in the terminal window. Press Enter. It will open the Metasploit Framework.

  2. Write use auxiliary/scanner/snmp/snmp_login in the msf command line. Press Enter. It loads the module, which, like snmp-brute, tries community strings from a wordlist against the target.

  3. Write show options. Press Enter to view the configurable options of the module.

  4. Write set RHOSTS 10.10.10.12 and hit Enter. It defines the target host.

  5. Write run and hit Enter to run the module (exploit works as well; for auxiliary modules it is an alias of run).

  6. Write use auxiliary/scanner/snmp/snmp_enum and hit Enter. It loads the snmp_enum module, which uses a valid community string (the COMMUNITY option, public by default) to pull system, user, share, process and network details from the agent.

  7. Write set RHOSTS 10.10.10.12 and hit Enter.

  8. Write run and hit Enter. It will run the module.

Once done, it will show a message: 10.10.10.12, Connected. Then, a rapid scrolling text will show up on the screen. Wait for a few seconds till you receive the Auxiliary module execution completed message.

  1. After the completion of module execution, scroll and do the analysis of the output.

  2. Close the command terminal once the lab is completed.
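Community-string guessing works because SNMPv1/v2c agents answer a request carrying a valid community and silently drop one that does not. The Python below is an added example (not from the lab, nmap or Metasploit): it BER-encodes an SNMPv1 GetRequest for sysDescr.0, decodes the GetResponse, and loops over candidate strings the way snmp-brute and snmp_login do. DEFAULT_COMMUNITIES holds only the two well-known defaults; a real run would load a wordlist. The reply used for the offline check is built locally with build_get_response() rather than captured from a device.

```python
"""Minimal SNMPv1 GET client with BER encoding, plus a community-string guesser that
does what nmap's snmp-brute and Metasploit's snmp_login do.  Added example, not lab code."""
import socket

SYSDESCR = "1.3.6.1.2.1.1.1.0"                 # system.sysDescr.0
DEFAULT_COMMUNITIES = ["public", "private"]    # the well-known defaults; extend with a wordlist

def ber_len(n):                                # short form below 128, else 0x80|len + big-endian length
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([n]) if n < 0x80 else bytes([0x80 | len(body)]) + body

def ber_tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload

def ber_int(n):                                # INTEGER, non-negative values only
    return ber_tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))

def ber_str(s):                                # OCTET STRING
    return ber_tlv(0x04, s.encode() if isinstance(s, str) else s)

def ber_oid(dotted):                           # OBJECT IDENTIFIER
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                             # base-128, high bit set on all but the last byte
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return ber_tlv(0x06, bytes(out))

def snmp_get(community, oid, request_id=1):
    """SNMPv1 GetRequest: SEQUENCE { version 0, community, GetRequest-PDU { id, 0, 0, varbinds } }."""
    varbind = ber_tlv(0x30, ber_oid(oid) + b"\x05\x00")            # OID + NULL
    pdu = ber_tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0) + ber_tlv(0x30, varbind))
    return ber_tlv(0x30, ber_int(0) + ber_str(community) + pdu)

def ber_decode(data, pos=0):
    """Decode the TLV at data[pos] -> (tag, value, next_pos); SEQUENCE/PDUs give (tag, value) lists."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    body, end = data[pos:pos + length], pos + length
    if tag in (0x30, 0xA0, 0xA1, 0xA2, 0xA3):
        items, p = [], 0
        while p < len(body):
            t, v, p = ber_decode(body, p)
            items.append((t, v))
        return tag, items, end
    if tag == 0x02:
        return tag, int.from_bytes(body, "big", signed=True), end
    if tag == 0x06:
        arcs, acc = [body[0] // 40, body[0] % 40], 0
        for b in body[1:]:
            acc = (acc << 7) | (b & 0x7F)
            if not b & 0x80:
                arcs.append(acc)
                acc = 0
        return tag, ".".join(map(str, arcs)), end
    return tag, body, end                      # OCTET STRING, NULL, counters: raw bytes

def parse_get_response(data, request_id):
    """{oid: value} from a GetResponse answering request_id with no error, else None."""
    tag, msg, _ = ber_decode(data)
    if tag != 0x30 or len(msg) != 3 or msg[2][0] != 0xA2:
        return None
    req_id, err_status, _, varbinds = [v for _, v in msg[2][1]]
    if req_id != request_id or err_status != 0:
        return None
    return {oid: val for _, ((_, oid), (_, val)) in varbinds}

def guess_community(host, wordlist=DEFAULT_COMMUNITIES, port=161, timeout=1.0):
    """One sysDescr.0 GET per candidate; v1/v2c agents drop wrong communities without replying."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        for req_id, community in enumerate(wordlist, start=1):
            sock.sendto(snmp_get(community, SYSDESCR, req_id), (host, port))
            try:
                data, _ = sock.recvfrom(4096)
            except socket.timeout:
                continue
            answer = parse_get_response(data, req_id)   # request id ties the reply to its probe
            if answer:
                return community, answer[SYSDESCR]
    finally:
        sock.close()
    return None

def build_get_response(community, oid, value, request_id):
    """Encode a GetResponse as an agent would; used only to construct the offline demo."""
    varbind = ber_tlv(0x30, ber_oid(oid) + ber_str(value))
    pdu = ber_tlv(0xA2, ber_int(request_id) + ber_int(0) + ber_int(0) + ber_tlv(0x30, varbind))
    return ber_tlv(0x30, ber_int(0) + ber_str(community) + pdu)
```

guess_community("10.10.10.12") returns the first community the agent answers together with its sysDescr, or None if every candidate times out. The per-probe request ID is what keeps the loop honest: a late reply to an earlier string cannot be credited to the one currently being tried. The same encoder is what a hardened check would use to confirm that public and private no longer work after you change them.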

Using Active Directory Explorer for LDAP Enumeration

Active Directory (AD) is Microsoft's directory service. It is used to manage permissions and resources in a Windows network and to authenticate users and computers on it. Active Directory Explorer (ADExplorer), from Sysinternals, is an LDAP viewer and editor for AD: it lets you browse the directory tree, inspect object attributes, and modify them.

Dir=“Module 04 Enumeration\LDAP Enumeration Tools\Active Directory Explorer”

  1. When the Connect to Active Directory pop-up comes, write the IP address of the target machine. Click on OK.

In this lab, Windows Server 2012 is the target machine and the IP address is 10.10.10.12.

Any authenticated domain user can browse most of the directory with ADExplorer; that is what makes LDAP enumeration so productive. To modify attributes, however, you need an account with write permission on the object, such as a member of Administrators. In this lab, the CEH/Jason account is used because it is a member of Administrators.

  1. The ADExplorer will show the active directory structure.

  2. Expand DC=CEH,DC=com and then CN=Users to see the domain user accounts.

  3. Click on a user name to see its properties. Click on CN=Jason to see the properties of this user.

  4. Right-click on displayName and then click on Modify from the context menu. 

  5. The Modify Attribute window will show up. From here, you can change the attribute's value. Double-click on the current value, Jason.

  6. The Edit Value pop-up will show up. Here, write a new name under the Value data. Click on OK. For example, let’s change the name of Jason to Steve.

  7. Once done, click on OK for closing the current window. Now, you can check that the name has been changed. 

The same way, you can make changes to other attributes.

  1. Once the lab is completed, close the AdExplorer and the other open windows.

Enumerating Information from Windows & Samba host with Enum4linux

Enum4linux enumerates information from Windows and Samba systems over SMB. As an ethical hacker, you need to know where attackers can open sessions with a target and what they can pull out of it, so that the exposed information can be secured before it is compromised. The -u and -p options supply a user name and password; without them, enum4linux attempts a null session.

  1. Open the command terminal window and write enum4linux -u martin -p apple -U 10.10.10.12. Press Enter. -U lists the users on the target system. Scroll and check the complete results.

  2. Write enum4linux -u martin -p apple -o 10.10.10.12. Press Enter. -o collects the operating system information of the target machine.

  3. Write enum4linux -u martin -p apple -P 10.10.10.12. Press Enter. -P retrieves the password policy.

  4. Write enum4linux -u martin -p apple -G 10.10.10.12. Press Enter. -G lists the groups on the system and their members.

  5. Write enum4linux -u martin -p apple -S 10.10.10.12. Press Enter. -S lists the shares on the target.

  6. Close the command terminal once the lab is completed.
