2. What Is Enumeration In Hacking?
Enumeration forms the basis of information gathering about the target
system during a cyber attack. Once attackers have established a
connection with the target host during an enumeration attack, they can
send directed queries to extract information about system
vulnerabilities. Attackers typically assess attack vectors by leveraging
the enumeration's outputs to exploit the system further. Malicious actors
also use penetration testing tools to gather pieces of information such as:
• IP routing tables
• Hostnames
• DNS details
• SNMP information
• Users on database records
• Network services and shares
3. Types of Enumeration
Enumeration attacks are classified depending on the target system,
the services it runs, and the information it hosts. The most
prevalent forms of enumeration include:
4. NetBIOS Enumeration
NetBIOS is the basic input-output system that enables applications on
separate network devices to connect over a LAN, establish sessions, and
access shared resources. In NetBIOS enumeration attacks, hackers
use network scanner tools to extract NetBIOS name information from IP
networks. Information obtained through NetBIOS enumeration includes:
• Network policies and passwords
• The number and identity of computers within a domain
• A list of shares across individual machines in the network
This extraction is carried out on TCP ports 137 (name services), 138 (datagram
services), and 139 (session services).
5. SNMP Enumeration
The Simple Network Management Protocol (SNMP) simplifies the
management of network devices such as routers, hubs, and switches at
the application layer, carried over UDP. SNMP attacks enumerate
usernames, group names, passwords, system names, and devices in the
network. This attack involves accessing an SNMP agent on the target device
(the managed device). SNMP agents are software that converts the data on target
devices into an SNMP-compatible format.
6. An SNMP agent also provides access to a database known as
the Management Information Base (MIB), which contains records of the network
objects managed by SNMP. The MIB is a giant repository, and access to it is
authenticated using a community string that travels as clear text over the
network. If the community strings are left at their default settings,
malicious actors commonly access these records and find deeper connection
loopholes.
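The community string travels in the clear, so a defender can read it straight off a captured UDP datagram. The following is an added example (not code from the original page): it decodes the outer BER layers of an SNMPv1/v2c message (version, community string, PDU type) and flags the well-known default strings. The two sample datagrams are hand-encoded for this demo, and the DEFAULT_COMMUNITIES set is an assumption; in practice you would feed it the payloads of UDP/161 packets from a capture. SNMPv3 messages use a different layout and are rejected by the type checks.

```python
# Added example (not from the original page): decode the outer BER layers of an
# SNMPv1/v2c datagram and flag community strings left at the well-known defaults.
# Assumptions: only the version/community/PDU-type layers are decoded; the
# DEFAULT_COMMUNITIES set and the sample datagrams are constructed for this demo.
from typing import Any, Dict, Optional, Tuple

DEFAULT_COMMUNITIES = {"public", "private"}
PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap", 0xA5: "GetBulkRequest",
             0xA6: "InformRequest", 0xA7: "SNMPv2-Trap"}
VERSIONS = {0: "v1", 1: "v2c"}


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one BER tag-length-value element starting at buf[pos].
    Returns (tag, value, position just after the element)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated BER value")
    return tag, value, pos + length


def parse_snmp_header(datagram: bytes) -> Dict[str, Any]:
    """Return version, community string and PDU type of an SNMPv1/v2c message."""
    tag, body, _ = read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message: outer element is not a SEQUENCE")
    tag, ver, pos = read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER version")
    tag, community, pos = read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("expected OCTET STRING community (SNMPv3 has a different layout)")
    pdu_tag, _, _ = read_tlv(body, pos)
    version = int.from_bytes(ver, "big")
    return {
        "version": VERSIONS.get(version, f"unknown({version})"),
        "community": community.decode("ascii", errors="replace"),
        "pdu_type": PDU_TYPES.get(pdu_tag, f"unknown({pdu_tag:#x})"),
    }


def audit_community(datagram: bytes, src_ip: str) -> Optional[str]:
    """Return a finding when the community string is a well-known default, else None."""
    hdr = parse_snmp_header(datagram)
    if hdr["community"].lower() in DEFAULT_COMMUNITIES:
        return (f"{src_ip}: SNMP{hdr['version']} {hdr['pdu_type']} using default "
                f"community '{hdr['community']}' (sent in clear text)")
    return None


# Constructed sample datagrams (hand-encoded BER, not captured traffic):
# SNMPv1 GetRequest, community "public", request-id 1, empty variable-binding list.
SAMPLE_V1_PUBLIC = bytes.fromhex("301802010004067075626c6963a00b0201010201000201003000")
# SNMPv2c GetRequest with a non-default two-character community "x9".
SAMPLE_V2C_CUSTOM = bytes.fromhex("301402010104027839a00b0201010201000201003000")

if __name__ == "__main__":
    for sample in (SAMPLE_V1_PUBLIC, SAMPLE_V2C_CUSTOM):
        print(parse_snmp_header(sample), audit_community(sample, "192.0.2.10"))
```

The parser stops after the PDU tag on purpose: for this check the variable bindings do not matter, and keeping the decoder to the three outer elements keeps it easy to verify against the BER encoding by hand.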
7. LDAP Enumeration
The Lightweight Directory Access Protocol (LDAP) enables
applications to access directory listings from directory services such
as Active Directory. LDAP is usually integrated with the Domain Name
System (DNS) for quicker resolution of queries and an expedited lookup
process. An attacker can use a directory scanner to query the
LDAP service through port 389 anonymously. This gives the
attacker access to a host of information that can be misused to orchestrate
social engineering or brute force attacks. Though the impact of such attacks
varies, the information uncovered by LDAP enumeration attacks generally includes
Active Directory objects, access lists, user names, groups, trusts, sessions, etc.
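Because the anonymous query is the defining feature of this attack, a directory server's own logs are the natural place to detect it. The following is an added example (not code from the original page): it walks server-side log lines, tracks whether each connection bound anonymously, and reports anonymous connections whose searches returned a large number of entries. The log lines are constructed in the style of OpenLDAP's slapd syslog output, and the 100-entry threshold is an arbitrary demo value; adapt the patterns to whatever directory server you run.

```python
# Added example (not from the original page): flag anonymous LDAP binds that are
# followed by large searches, using server-side log lines. Assumptions: the lines
# are constructed in the style of OpenLDAP's slapd syslog output; the 100-entry
# threshold is an arbitrary demo value.
import re
from typing import Dict, Iterable, List

ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+")
BIND_RE = re.compile(r'conn=(\d+) op=\d+ BIND dn="([^"]*)" method=\d+')
BIND_RESULT_RE = re.compile(r"conn=(\d+) op=\d+ RESULT tag=97 err=(\d+)")
SRCH_RE = re.compile(r'conn=(\d+) op=\d+ SRCH base="([^"]*)" scope=(\d)')
SRCH_RESULT_RE = re.compile(r"conn=(\d+) op=\d+ SEARCH RESULT .*\bnentries=(\d+)")


def new_state(ip: str = "?") -> Dict:
    # A connection that never binds is anonymous too, so start from anonymous=True.
    return {"ip": ip, "anonymous": True, "pending_dn": None, "base": None, "scope": None}


def find_anonymous_enumeration(lines: Iterable[str], min_entries: int = 100) -> List[Dict]:
    """Return one finding per anonymous search that returned >= min_entries entries."""
    conns: Dict[str, Dict] = {}
    findings: List[Dict] = []
    for line in lines:
        if m := ACCEPT_RE.search(line):
            conns[m.group(1)] = new_state(m.group(2))
        elif m := BIND_RE.search(line):
            conns.setdefault(m.group(1), new_state())["pending_dn"] = m.group(2)
        elif m := BIND_RESULT_RE.search(line):
            st = conns.setdefault(m.group(1), new_state())
            if m.group(2) == "0" and st["pending_dn"] is not None:   # bind succeeded
                st["anonymous"] = st["pending_dn"] == ""            # empty DN = anonymous
        elif m := SRCH_RE.search(line):
            st = conns.setdefault(m.group(1), new_state())
            st["base"], st["scope"] = m.group(2), int(m.group(3))
        elif m := SRCH_RESULT_RE.search(line):
            st = conns.setdefault(m.group(1), new_state())
            entries = int(m.group(2))
            if st["anonymous"] and entries >= min_entries:
                findings.append({"ip": st["ip"], "base": st["base"],
                                 "scope": st["scope"], "entries": entries})
    return findings


# Constructed sample log (not a real capture): conn 1001 binds anonymously and
# pulls the whole tree; conn 1002 binds as a service account and looks up one user.
SAMPLE_SLAPD_LOG = [
    'conn=1001 fd=12 ACCEPT from IP=10.0.0.5:51234 (IP=0.0.0.0:389)',
    'conn=1001 op=0 BIND dn="" method=128',
    'conn=1001 op=0 RESULT tag=97 err=0 text=',
    'conn=1001 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(objectClass=*)"',
    'conn=1001 op=1 SEARCH RESULT tag=101 err=0 nentries=4120 text=',
    'conn=1002 fd=13 ACCEPT from IP=10.0.0.9:40011 (IP=0.0.0.0:389)',
    'conn=1002 op=0 BIND dn="cn=app,ou=svc,dc=example,dc=com" method=128',
    'conn=1002 op=0 RESULT tag=97 err=0 text=',
    'conn=1002 op=1 SRCH base="ou=people,dc=example,dc=com" scope=1 deref=0 filter="(uid=alice)"',
    'conn=1002 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=',
]

if __name__ == "__main__":
    for f in find_anonymous_enumeration(SAMPLE_SLAPD_LOG):
        print(f"anonymous enumeration from {f['ip']}: {f['entries']} entries under "
              f"{f['base']} (scope {f['scope']})")
```

The check keys on the combination of an empty bind DN and a large result set rather than on anonymous binds alone, since many directories legitimately allow anonymous access to a handful of entries (for example the root DSE). Disabling anonymous binds, or restricting what they may read, removes the finding at the source.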
8. NTP Enumeration
The Network Time Protocol (NTP) is used to synchronize the system
clocks of networked computers. NTP agents are connected to time servers
around the world that keep systems in sync across different time zones. Agents usually request
synchronization by sending mode four packets to the remote time
servers, which respond with mode three packets. Orchestrating such
attacks requires attackers to query the NTP agent via UDP port 123, which
returns information related to the machines communicating with the NTP server:
system names, client OSs, detailed interface information, IP addresses, etc.
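Both the NetBIOS section above (ports 137, 138 and 139) and this NTP section (UDP port 123) describe enumeration that shows up on the network as one source touching the same service on many hosts. The following is an added example (not code from the original page) that serves both sections: it groups flow records by source and service and reports any source that probed the service on at least `min_hosts` distinct destinations. The flow records are constructed for the demo; the port-to-service map and the threshold are assumptions to tune for your own environment.

```python
# Added example (not from the original page): spot enumeration sweeps of the
# NetBIOS and NTP ports named in the text from per-connection flow records.
# Assumptions: the records and the min_hosts threshold are constructed for this
# demo; ports are matched regardless of transport protocol.
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Ports from the NetBIOS and NTP sections above, mapped to a service label.
ENUM_PORTS = {137: "NetBIOS-NS", 138: "NetBIOS-DGM", 139: "NetBIOS-SSN", 123: "NTP"}

FlowRecord = Tuple[str, str, str, int]   # (src_ip, dst_ip, proto, dst_port)


def find_enumeration_sweeps(flows: Iterable[FlowRecord],
                            min_hosts: int = 5) -> Dict[Tuple[str, str], List[str]]:
    """Return {(src_ip, service): sorted destination IPs} for every source that
    contacted an enumeration port on at least min_hosts distinct hosts."""
    targets: Dict[Tuple[str, str], set] = defaultdict(set)
    for src, dst, _proto, dport in flows:
        service = ENUM_PORTS.get(dport)
        if service:
            targets[(src, service)].add(dst)
    return {key: sorted(hosts) for key, hosts in targets.items() if len(hosts) >= min_hosts}


def constructed_flows() -> List[FlowRecord]:
    """Constructed sample traffic (not a real capture)."""
    flows: List[FlowRecord] = []
    # One external source opening the NetBIOS session port on eight internal hosts.
    flows += [("192.0.2.10", f"10.0.0.{i}", "tcp", 139) for i in range(1, 9)]
    # Another source querying NTP on six different internal hosts.
    flows += [("192.0.2.77", f"10.0.0.{i}", "udp", 123) for i in range(1, 7)]
    # A legitimate NTP client polling its single time server twenty times: not a sweep.
    flows += [("10.0.0.50", "10.0.0.1", "udp", 123)] * 20
    # Unrelated SMB traffic on a port the detector ignores.
    flows += [("10.0.0.60", "10.0.0.2", "tcp", 445)]
    return flows


if __name__ == "__main__":
    for (src, service), hosts in find_enumeration_sweeps(constructed_flows()).items():
        print(f"{src} probed {service} on {len(hosts)} hosts: {', '.join(hosts)}")
```

Counting distinct destinations rather than packets is what separates a sweep from normal behaviour: a real NTP client sends many packets to one server, while an enumeration pass sends a few packets each to many hosts.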
9. SMTP Enumeration
The Simple Mail Transfer Protocol (SMTP) is the standard protocol for
electronic mail transmission. The protocol works on TCP port 25 and sets
up connections with mail servers, located via DNS, to send mail. SMTP enumeration
facilitates the identification of valid users on the SMTP server by
using three built-in commands to probe the complete access list and
confirm whether a given user is valid or not. The three commonly used
commands in SMTP enumeration are EXPN, VRFY, and RCPT TO.
Exploiting the SMTP server in this way can help attackers collect all email addresses
and make mail users targets for phishing emails or emails loaded with
viruses.
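The three commands differ in how completely a server can hide user existence, and that difference is where the mitigation lies. The following is an added example (not code from the original page): a toy SMTP command handler that answers VRFY, EXPN and RCPT TO in a "leaky" configuration and in a hardened one. The mailbox list, domain and per-session limit are constructed for the demo; the reply codes follow RFC 5321 conventions (252 for a non-committal VRFY, 502 for a disabled EXPN).

```python
# Added example (not from the original page): a toy SMTP command handler showing a
# user-revealing ("leaky") configuration beside a hardened one for the three
# probe commands named in the text. Assumptions: KNOWN_USERS, DOMAIN and the
# per-session limit are constructed for this demo.
import re
from typing import Iterable, List

KNOWN_USERS = {"alice", "bob"}     # constructed local mailbox list
DOMAIN = "example.test"
RCPT_RE = re.compile(r"^RCPT\s+TO:\s*<([^@>]+)@([^>]+)>", re.IGNORECASE)


class SmtpProbeGuard:
    """Answers VRFY, EXPN and RCPT TO either leakily or with enumeration defences."""

    def __init__(self, known_users: Iterable[str], hardened: bool, max_unknown_rcpt: int = 3):
        self.known = {u.lower() for u in known_users}
        self.hardened = hardened
        self.max_unknown_rcpt = max_unknown_rcpt   # per-session budget of bad recipients
        self.unknown_rcpt = 0

    def respond(self, line: str) -> str:
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "VRFY":
            if self.hardened:                      # RFC 5321 allows a non-committal 252
                return "252 2.5.2 Cannot VRFY user, but will accept message and attempt delivery"
            user = arg.strip(" <>").split("@")[0].lower()
            return (f"250 2.1.5 <{user}@{DOMAIN}>" if user in self.known
                    else "550 5.1.1 User unknown")
        if verb == "EXPN":
            if self.hardened:                      # list expansion simply switched off
                return "502 5.5.1 Command not implemented"
            members = ", ".join(f"<{u}@{DOMAIN}>" for u in sorted(self.known))
            return f"250 2.1.5 {members}"          # leaks every member for any alias
        if verb == "RCPT":
            m = RCPT_RE.match(line.strip())
            if not m:
                return "501 5.1.3 Bad recipient address syntax"
            if m.group(1).lower() in self.known:
                return "250 2.1.5 OK"
            if self.hardened:
                # RCPT cannot be made fully opaque without accepting mail for nonexistent
                # users, so the hardened path caps how many unknown recipients one
                # session may try before the connection is dropped.
                self.unknown_rcpt += 1
                if self.unknown_rcpt > self.max_unknown_rcpt:
                    return "421 4.7.0 Too many invalid recipients, closing connection"
            return "550 5.1.1 User unknown"
        return "500 5.5.2 Command not recognized"


def run_session(commands: Iterable[str], hardened: bool) -> List[str]:
    """Feed a scripted command list to one server session and collect the replies."""
    guard = SmtpProbeGuard(KNOWN_USERS, hardened)
    return [guard.respond(c) for c in commands]


if __name__ == "__main__":
    probes = ["VRFY alice", "VRFY mallory", "EXPN staff",
              "RCPT TO:<bob@example.test>", "RCPT TO:<carol@example.test>"]
    for hardened in (False, True):
        print("hardened" if hardened else "leaky", run_session(probes, hardened))
```

The leaky path answers VRFY with 250 or 550 depending on whether the mailbox exists, which is exactly the oracle the enumeration relies on; the hardened path gives the same 252 for every VRFY and refuses EXPN outright. RCPT TO is the hard case, since accepting every recipient would mean generating bounces for nonexistent users, so real mail servers lean on per-session limits and rate limiting there rather than on hiding the answer.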
10. DNS Enumeration
The DNS service keeps its servers consistent by using zone transfers to copy
zone information between them. The zone transfer service itself requires no
authentication, enabling malicious actors to obtain a copy of
the entire DNS zone from any DNS server that allows it. This exposes
information about the configuration of all hosts within the domain,
which opens up security gaps within the network's topology.
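Since the transfer mechanism carries no authentication of its own, the defence is the server's allow-transfer policy, and it is worth auditing that policy per zone rather than trusting a global default. The following is an added example (not code from the original page): it scans a BIND-style named.conf, resolves each zone's effective allow-transfer ACL (the zone's own, or the one inherited from options{}), and reports zones that anyone could AXFR. The configuration text is constructed for the demo, and treating a zone with no ACL anywhere as unrestricted is an assumption stated in the code.

```python
# Added example (not from the original page): audit a BIND-style named.conf for
# zones whose allow-transfer ACL lets anyone pull the zone. Assumptions: the
# config text is constructed; a zone with no allow-transfer of its own inherits
# the options{} ACL, and one with no ACL anywhere is reported as unrestricted.
import re
from typing import Dict, List, Optional

ZONE_RE = re.compile(r'\bzone\s+"([^"]+)"[^{]*\{')
OPTIONS_RE = re.compile(r'\boptions\s*\{')
ALLOW_RE = re.compile(r'\ballow-transfer\s*\{([^}]*)\}')


def block_body(text: str, open_idx: int) -> str:
    """Return the text between the brace at text[open_idx] and its matching '}'."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
    raise ValueError("unbalanced braces in configuration")


def allow_transfer_acl(body: str) -> Optional[List[str]]:
    """Return the allow-transfer address list found in a block, or None if absent."""
    m = ALLOW_RE.search(body)
    if m is None:
        return None
    return [t.strip() for t in m.group(1).split(";") if t.strip()]


def audit_zone_transfers(conf: str) -> Dict[str, str]:
    """Map each zone name to a verdict on who may request a transfer of it."""
    global_acl = None
    m = OPTIONS_RE.search(conf)
    if m:
        global_acl = allow_transfer_acl(block_body(conf, m.end() - 1))
    verdicts: Dict[str, str] = {}
    for zm in ZONE_RE.finditer(conf):
        name = zm.group(1)
        acl = allow_transfer_acl(block_body(conf, zm.end() - 1))
        effective = acl if acl is not None else global_acl
        if effective is None:
            verdicts[name] = "UNRESTRICTED: no allow-transfer in zone or options"
        elif any(t.lower() == "any" for t in effective):
            verdicts[name] = "UNRESTRICTED: allow-transfer { any; }"
        else:
            verdicts[name] = "restricted: " + ", ".join(effective)
    return verdicts


# Constructed sample configuration (not from any real server).
SAMPLE_NAMED_CONF = """
options {
    allow-transfer { none; };
};
zone "example.test" {
    type master;
    file "db.example.test";
    allow-transfer { 192.0.2.53; };
};
zone "internal.test" {
    type master;
    file "db.internal.test";
};
zone "legacy.test" {
    type master;
    file "db.legacy.test";
    allow-transfer { any; };
};
"""

if __name__ == "__main__":
    for zone, verdict in audit_zone_transfers(SAMPLE_NAMED_CONF).items():
        print(f"{zone}: {verdict}")
```

In the sample, internal.test is safe only because the global options{} block says none; delete that line and the same zone becomes unrestricted, which is why the audit reports the effective ACL rather than just the presence of a directive.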