Enumeration is the process of gathering more detailed information on discovered network systems, such as the following:

  • Operating systems and services being used. Enumeration seeks to identify the types of operating systems running on target systems as well as the services and applications running on those systems.

  • User and group names. Enumeration aims to discover user accounts and groups present on the network or specific systems.

  • Contact information. This may include email addresses, phone numbers, or other contact details associated with users or systems.

  • Passwords and password hashes. Enumeration may attempt to retrieve passwords or password hashes stored on systems or transmitted over the network.

  • Hostnames, domain information, and IP addresses. Enumeration seeks to identify the network structure, including hostnames, domain names, and IP addresses of systems within the target network.

  • Network services such as DNS and SNMP. Enumeration involves identifying and gathering information about various network services such as Domain Name System (DNS) and Simple Network Management Protocol (SNMP).

  • Network devices such as routers and switches. Enumeration aims to identify and gather information about network infrastructure devices such as routers and switches.

Discovering and cataloging this information provides a more targeted list for further testing and exploitation. Some enumeration can be done without credentials, but it is typically much more successful when the PenTester is logged into the system. The credential does not need to be privileged: an ordinary user account can still open a command prompt and enumerate information such as network configuration, shares, and local or domain users and groups.

While other tools such as Amass, Censys.io, and Shodan can be used to enumerate information, using Nmap will typically be the penetration tester’s first step in this process.

Nmap

Nmap (Network Mapper) is one of the most used tools during the enumeration process. It was first released in 1997 and has grown to be a widely used tool in network administration and penetration testing. Nmap is a free open-source utility that is used for network discovery and security auditing. Via a variety of techniques, Nmap sends specially crafted packets to a target host and then analyzes the responses to discover detailed information on the target. Scanning can be done using either TCP or UDP.

The basic form of an Nmap scan is nmap [options] target, where the target can be a hostname, an IP address, or a range such as 192.168.1.0/24.

TCP is a connection-oriented protocol that can provide more detailed results when scanning. Nmap has a variety of scans that use TCP:

  • A TCP ACK scan is used to map firewall rulesets: it determines which ports are filtered and whether a firewall is stateful. Because it sends only ACK segments, it cannot tell open ports from closed ones, so it is run alongside a SYN or connect scan rather than instead of one. This scan uses the option -sA.

  • A full (or TCP connect) scan completes the standard TCP three-way handshake, so the connection is visible to the application listening on the port and is likely to be logged. This scan uses the option -sT; it is also what Nmap falls back to when it lacks the raw-socket privileges needed for its default half-open SYN scan (-sS).

  • A Christmas tree scan sends a TCP segment with the FIN, PSH, and URG flags raised. Because it never sends a SYN, it can slip past stateless firewalls and older IDS rules. It relies on RFC 793 behaviour (a closed port answers with RST, an open port stays silent), so systems that do not follow the RFC, notably Windows, report every port as closed. This scan uses the option -sX.

Scanning using UDP is also an option. Because UDP has no handshake, Nmap has to infer the port state from whatever comes back, as follows:

  • If the port is open, the target may answer with a UDP packet, which proves the port is open. Most UDP services ignore an empty probe, however, so when nothing comes back the port is reported as open|filtered.

  • If the port is closed, the target returns an ICMP port unreachable error (type 3, code 3).

  • If a firewall is filtering the port, the target or the firewall may return a different ICMP unreachable error (type 3, codes 1, 2, 9, 10, or 13), and the port is reported as filtered.

A UDP scan is run using the -sU option. Adding -sV sends protocol-specific payloads (a DNS query to port 53, an SNMP request to port 161, and so on) to the open|filtered ports, so any that answer are promoted to open.

Scanning UDP is slower and less conclusive than a TCP scan, partly because many hosts (Linux by default) rate-limit ICMP port unreachable replies to about one per second and Nmap slows down to match, so some PenTesters opt to skip it. However, several important services use UDP, such as DNS, SNMP, and DHCP, and these services can be misconfigured or exploited. As a result, testing UDP ports should be included in the scanning phase of the PenTest.
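Cataloging scan results into a targeted list, as the introduction to this section describes, and separating confirmed UDP services from the open|filtered ones that still need a -sV pass is easiest from Nmap's XML output (-oX). The following Python script is an added example and is not part of the original text or the Nmap project: it parses a constructed sample in Nmap's -oX format (the host, ports, and versions are invented) and triages each port by the state and reason strings Nmap records (udp-response, no-response, port-unreach, admin-prohibited), which correspond to the three UDP cases above.

```python
"""Triage an Nmap XML run (-oX) into a follow-up list.

Added example; not Nmap's own code.  SAMPLE_XML is a constructed file in the
real -oX layout with made-up host, port and version data.
"""
import xml.etree.ElementTree as ET

# Constructed sample of what `nmap -sS -sU -sV -oX scan.xml 192.168.1.5`
# might write.  Every value here is invented for the demo.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sU -sV -oX scan.xml 192.168.1.5">
<host>
  <status state="up" reason="echo-reply"/>
  <address addr="192.168.1.5" addrtype="ipv4"/>
  <hostnames><hostname name="files.lab.local" type="PTR"/></hostnames>
  <ports>
    <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
      <service name="ssh" product="OpenSSH" version="8.9p1"/></port>
    <port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/>
      <service name="microsoft-ds"/></port>
    <port protocol="tcp" portid="8080"><state state="closed" reason="reset"/>
      <service name="http-proxy"/></port>
    <port protocol="udp" portid="53"><state state="open" reason="udp-response"/>
      <service name="domain" product="dnsmasq" version="2.89"/></port>
    <port protocol="udp" portid="161"><state state="open|filtered" reason="no-response"/>
      <service name="snmp"/></port>
    <port protocol="udp" portid="69"><state state="closed" reason="port-unreach"/>
      <service name="tftp"/></port>
    <port protocol="udp" portid="500"><state state="filtered" reason="admin-prohibited"/>
      <service name="isakmp"/></port>
  </ports>
</host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return a list of live hosts, each with address, PTR name and port records."""
    hosts = []
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # down hosts carry no port data worth keeping
        addr = host.find("address[@addrtype='ipv4']")
        name = host.find("hostnames/hostname")
        rec = {
            "addr": addr.get("addr") if addr is not None else None,
            "hostname": name.get("name") if name is not None else None,
            "ports": [],
        }
        for port in host.findall("ports/port"):
            state = port.find("state")
            svc = port.find("service")
            rec["ports"].append({
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "state": state.get("state"),
                "reason": state.get("reason"),   # why Nmap chose that state
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
            })
        hosts.append(rec)
    return hosts


def triage(hosts):
    """Split each host's ports into: confirmed open (attack next),
    open|filtered UDP (needs -sV or a manual probe), and filtered (blocked,
    with the ICMP reason).  Closed ports are dropped from the list."""
    out = {}
    for h in hosts:
        confirmed, unresolved, blocked = [], [], []
        for p in h["ports"]:
            detail = " ".join(x for x in (p["product"], p["version"]) if x)
            label = f"{p['proto']}/{p['port']} {p['service'] or '?'}"
            if detail:
                label += f" ({detail})"
            if p["state"] == "open":
                confirmed.append(label)
            elif p["state"] == "open|filtered":
                unresolved.append(label)
            elif p["state"] == "filtered":
                blocked.append(f"{label} [{p['reason']}]")
        out[h["addr"]] = {"hostname": h["hostname"], "confirmed": confirmed,
                          "unresolved_udp": unresolved, "filtered": blocked}
    return out


if __name__ == "__main__":
    for addr, t in triage(parse_nmap_xml(SAMPLE_XML)).items():
        print(f"{addr} ({t['hostname']})")
        for key in ("confirmed", "unresolved_udp", "filtered"):
            for entry in t[key]:
                print(f"  {key:15} {entry}")
```

On a real engagement, point parse_nmap_xml at the file written by -oX; the open|filtered list is exactly the set of ports to feed back into a second, narrower nmap -sU -sV -p run.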

Specifying Ports

For both TCP and UDP scans, the ports to be scanned can be specified using the -p option. Without -p, Nmap scans the 1,000 most common ports for each protocol requested. For example:

  • The command nmap -p 53 192.168.1.5 will scan port 53 on the target.

  • The command nmap -p 110,25,443 192.168.1.5 will scan ports 25, 110, and 443 on the target. The list must not contain spaces: the shell would split nmap -p 110, 25, 443 into separate arguments and Nmap would treat the words after the first comma as additional targets.

  • The command nmap -p- 192.168.1.5 will scan all 65,535 ports on the target.

  • When both TCP and UDP scans are requested, a protocol prefix restricts part of the list, as in nmap -sS -sU -p U:53,161,T:22,80-443 192.168.1.5.
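The -p grammar shown above (single ports, comma lists, ranges, the bare - for every port, and T:/U: prefixes) is small enough to re-implement, and doing so makes the spaces-after-commas mistake concrete. The following Python is an added example, not Nmap's own parser: expand_port_spec implements only the syntax listed in the text, and targets_from_cmdline is a toy model of how the shell splits a command line that recognises just -p (values of other options would show up as targets, which is fine for this demonstration).

```python
"""Expand Nmap -p specifications and show what the shell hands to Nmap.

Added example.  expand_port_spec covers only the -p syntax discussed in the
text; targets_from_cmdline models shell word-splitting for -p alone and is
not a general Nmap option parser.
"""
import shlex

MAX_PORT = 65535


def expand_port_spec(spec):
    """Return {'tcp': set, 'udp': set} for a -p value such as "53",
    "110,25,443", "1-1024", "-" or "U:53,161,T:22,80-82".

    A T:/U: prefix applies to every item after it until the next prefix;
    with no prefix a port goes to both protocols, which is what Nmap does
    when a TCP scan and -sU are both requested.
    """
    result = {"tcp": set(), "udp": set()}
    protos = ["tcp", "udp"]
    for item in spec.split(","):
        item = item.strip()
        if not item:
            # "110," (a trailing comma left by a shell split) lands here
            raise ValueError(f"empty item in port spec {spec!r}")
        if item[:2].upper() in ("T:", "U:"):
            protos = ["tcp"] if item[0].upper() == "T" else ["udp"]
            item = item[2:]
        if item == "-":
            lo, hi = 1, MAX_PORT                 # -p- : every port
        elif "-" in item:
            a, b = item.split("-", 1)            # "80-82", "1024-", "-100"
            lo, hi = int(a or 1), int(b or MAX_PORT)
        else:
            lo = hi = int(item)
        if not 1 <= lo <= hi <= MAX_PORT:
            raise ValueError(f"port range {item!r} outside 1-{MAX_PORT}")
        for proto in protos:
            result[proto].update(range(lo, hi + 1))
    return result


def targets_from_cmdline(cmdline):
    """Split a command line the way the shell would and report which word
    becomes the -p value and which words are left over as targets."""
    argv = shlex.split(cmdline)
    port_spec, targets = None, []
    i = 1                                        # skip the program name
    while i < len(argv):
        word = argv[i]
        if word == "-p":
            port_spec, i = argv[i + 1], i + 2    # "-p 53"
        elif word.startswith("-p"):
            port_spec, i = word[2:], i + 1       # "-p53" or "-p-"
        elif word.startswith("-"):
            i += 1                               # other flags: -sS, -sU, -T4 ...
        else:
            targets.append(word)
            i += 1
    return port_spec, targets


if __name__ == "__main__":
    for cmd in ("nmap -p 110,25,443 192.168.1.5",
                "nmap -p 110, 25, 443 192.168.1.5"):
        spec, targets = targets_from_cmdline(cmd)
        print(f"{cmd!r}: -p value {spec!r}, targets {targets}")
```

Running the main block shows the second command line handing Nmap a port value of "110," and three targets, of which only the last is the intended host.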

Timing Options

Scanning networks is an integral part of the PenTesting process. However, scans can consume a lot of bandwidth and be intrusive, as certain scans generate a great deal of traffic and are considered “noisy.”

Network performance has to be protected during testing. If the target has a healthy amount of bandwidth and the client agrees, the PenTester can run multiple scanners concurrently, which speeds up the process. The PenTester will then need to monitor the network closely, as this type of scanning can overburden it. Aggressive scans can also cause congestion and disrupt fragile systems, so the PenTester may have to run scans during off hours or use less intrusive scans.

Nmap has a timing option that can help reduce the burden on the network and can be used in some situations to bypass security rules. The timing option is -T <0-5>, where T0 is the slowest and T5 is the fastest, as described below:

  • T0 (paranoid) and T1 (sneaky) are the best options for IDS evasion but are extremely slow: they send one probe at a time and wait minutes (T0) or seconds (T1) between probes.

  • T2 (polite) slows the scan to conserve bandwidth.

  • T3 (normal) is the default and is the most stable option.

  • T4 (aggressive) is the recommended choice for a fast scan that is still relatively stable on a modern, reliable network.

  • T5 (insane) is the fastest option but trades accuracy for speed and should only be used on a network that can handle it.

Some hosts and network devices enforce rate limiting, which limits the data flow by either policing or shaping the traffic. Nmap detects rate limiting (including the one-per-second limit on ICMP port unreachable replies that Linux applies by default, which makes a full UDP scan of a single host take hours) and slows the scan to avoid flooding the network. Because rate limiting may result in a much lower scan rate, the option --host-timeout (for example --host-timeout 30m) can be used to give up on hosts that take too long.
