Subsequently, this module provides insight into different techniques for Network Basic Input/Output System (NetBIOS), Simple Network Management Protocol (SNMP), Lightweight Directory Access Protocol (LDAP), Network Time Protocol (NTP), Network File System (NFS), Simple Mail Transfer Protocol (SMTP), Domain Name System (DNS), Internet Protocol Security (IPsec), Voice over Internet Protocol (VoIP), remote procedure call (RPC), Linux/Unix, and Server Message Block (SMB) enumeration.
▪ Describe enumeration concepts
▪ Explain different techniques for NetBIOS enumeration
▪ Explain different techniques for SNMP enumeration
▪ Explain different techniques for LDAP and Active Directory (AD) enumeration
▪ Explain different techniques for NTP enumeration
▪ Explain different techniques for NFS enumeration
▪ Explain different techniques for SMTP and DNS enumeration
▪ Explain other enumeration techniques such as IPsec, VoIP, RPC, Linux/Unix, and SMB enumeration
▪ Apply enumeration countermeasures
1. Enumeration Concepts
Enumeration is the process of extracting usernames, machine names, network resources, shares, and services from a system or network. In the enumeration phase, an attacker creates active connections with a target system and sends directed queries to gain more information about the target. The attacker uses the information collected through enumeration to identify weaknesses in the system's security, which helps them exploit the target system; in particular, a list of valid usernames turns a blind password attack into a targeted one, which is how enumeration leads to unauthorized access to information system resources. Because enumeration relies on directed connections to services such as SMB, LDAP, SNMP, and NFS that are rarely exposed to the Internet, most of the techniques in this module are performed from inside the target's network (an intranet environment) or against hosts reachable from it.
In particular, enumeration allows the attacker to collect the following information:
▪ Network resources
▪ Network shares
▪ Routing tables
▪ Audit and service settings
▪ SNMP and fully qualified domain name (FQDN) details
▪ Machine names
▪ Users and groups
▪ Applications and banners
During enumeration, attackers may stumble upon a remote inter-process communication (IPC) share, such as IPC$ in Windows. IPC$ exposes no files itself, but it accepts the null or low-privileged sessions used for further probing; from there, an attacker who brute-forces administrator credentials can connect to an administrative share such as C$ or ADMIN$ and obtain a complete listing of the file system that the share represents.
Techniques for Enumeration
The following techniques are used to extract information about a target.
▪ Extract usernames using email IDs
▪ Extract information using default passwords
▪ Brute force Active Directory
▪ Extract information using DNS Zone Transfer
▪ Extract user groups from Windows
▪ Extract usernames using SNMP
▪ Extract network resources and topology using SNMP
Services and Ports to Enumerate
▪ TCP/UDP 53: DNS Zone Transfer
▪ TCP/UDP 135: Microsoft RPC Endpoint Mapper
▪ UDP 137: NetBIOS Name Service (NBNS)
▪ TCP 139: NetBIOS Session Service (SMB over NetBIOS)
▪ TCP/UDP 445: SMB over TCP (Direct Host)
▪ UDP 161: Simple Network Management Protocol (SNMP)
▪ TCP/UDP 389: Lightweight Directory Access Protocol (LDAP)
▪ TCP/UDP 2049: Network File System (NFS)
▪ TCP 25: Simple Mail Transfer Protocol (SMTP)
▪ TCP/UDP 162: SNMP Trap
▪ UDP 500: Internet Security Association and Key Management Protocol (ISAKMP)/Internet Key Exchange (IKE)
▪ TCP 22: Secure Shell (SSH) / Secure File Transfer Protocol (SFTP)
▪ TCP/UDP 3268: Global Catalog Service
▪ TCP/UDP 5060, 5061: Session Initiation Protocol (SIP)
▪ TCP 20/21: File Transfer Protocol (FTP)
▪ TCP 23: Telnet
▪ UDP 69: Trivial File Transfer Protocol (TFTP)
▪ TCP 179: Border Gateway Protocol (BGP)
1. NetBIOS Enumeration
The first step in enumerating a Windows system is to take advantage of the NetBIOS API. NetBIOS was originally developed as an API for client software to access local area network (LAN) resources. Windows uses NetBIOS for file and printer sharing. The NetBIOS name is a unique 16-character ASCII string assigned to Windows systems to identify network devices over TCP/IP; 15 characters are used for the device name, and the 16th is reserved for the service or record type. NetBIOS uses UDP port 137 (name services), UDP port 138 (datagram services), and TCP port 139 (session services). Attackers usually target the NetBIOS service because it is easy to query and runs on Windows systems even when nothing uses it; on modern networks SMB also runs directly over TCP port 445 without NetBIOS, so a host with 445 open but 137/139 closed can still be enumerated through SMB. Attackers use NetBIOS enumeration to obtain the following:
▪ The list of computers that belong to a domain
▪ The list of shares on the individual hosts in a network
▪ Policies and passwords
An attacker who finds a Windows system with port 139 open can check to see which resources can be accessed or viewed on a remote system. However, to enumerate the NetBIOS names, the remote system must have enabled file and printer sharing. NetBIOS enumeration may allow an attacker to read or write to a remote computer system, depending on the availability of shares, or launch a DoS attack.
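The node-status exchange that the tools below perform, written out as an added example (not code from this page or from nbtstat, nmblookup, or nmap): it builds the NBSTAT request that is sent to UDP port 137 and parses the name table in the reply, including the 16th (suffix) byte and the group flag that distinguish a workstation name from a domain or service name. The reply bytes, the host name DC01, the domain CORP, and the MAC address are constructed for the example; on a real network the request goes out with sendto() and the reply comes back from the target.

```python
"""The NBSTAT (node status) exchange behind nbtstat -A, nmblookup -A and nmap's
nbstat.nse: build the UDP/137 request and parse the name table in the reply.
Added example, not code from the page or from those tools; the reply bytes,
host DC01, domain CORP and the MAC address are constructed."""
import struct

# Suffix byte (16th character of the NetBIOS name) -> service or record type
NB_SUFFIX = {
    0x00: "Workstation/Domain", 0x03: "Messenger", 0x1B: "Domain Master Browser",
    0x1C: "Domain Controllers", 0x1D: "Master Browser", 0x1E: "Browser Election",
    0x20: "File Server",
}


def first_level_encode(name: bytes) -> bytes:
    """Half-ASCII encoding: each nibble + 'A'.  Names are padded to 16 bytes;
    the wildcard '*' used by NBSTAT is padded with NULs, not spaces."""
    padded = name.ljust(16, b"\x00")
    return bytes(c for b in padded for c in (0x41 + (b >> 4), 0x41 + (b & 0x0F)))


def build_nbstat_request(txid: int = 0x1234) -> bytes:
    """NBNS header (1 question) + encoded '*' + QTYPE NBSTAT (0x21), QCLASS IN."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    qname = b"\x20" + first_level_encode(b"*") + b"\x00"
    return header + qname + struct.pack(">HH", 0x0021, 0x0001)


def parse_nbstat_response(data: bytes) -> dict:
    """Return {'txid', 'names': [(name, suffix, is_group), ...], 'mac'}."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack_from(">HHHHHH", data, 0)
    if not (flags & 0x8000) or an < 1:
        raise ValueError("not a positive NBNS response")
    off = 12
    while data[off]:                      # skip the answer's length-prefixed name labels
        off += 1 + data[off]
    off += 1
    rtype, _rclass, _ttl, _rdlen = struct.unpack_from(">HHIH", data, off)
    off += 10
    if rtype != 0x0021:
        raise ValueError("answer is not an NBSTAT record")
    num_names, off = data[off], off + 1
    names = []
    for _ in range(num_names):            # 15-byte name, suffix byte, 2 flag bytes
        raw, suffix = data[off:off + 15], data[off + 15]
        (nflags,) = struct.unpack_from(">H", data, off + 16)
        names.append((raw.rstrip(b" ").decode("ascii", "replace"), suffix,
                      bool(nflags & 0x8000)))      # bit 15 set = group name
        off += 18
    mac = ":".join(f"{b:02x}" for b in data[off:off + 6])   # unit ID = adapter MAC
    return {"txid": txid, "names": names, "mac": mac}


def describe(entry: tuple) -> str:
    """One line in the nbtstat -A style: name <suffix> UNIQUE/GROUP meaning."""
    name, suffix, is_group = entry
    kind = "GROUP " if is_group else "UNIQUE"
    return f"{name:<15} <{suffix:02X}> {kind} {NB_SUFFIX.get(suffix, 'Unknown')}"


def constructed_response(txid: int = 0x1234) -> bytes:
    """Hand-built reply for a hypothetical domain controller DC01 in domain CORP."""
    table = [(b"DC01", 0x00, 0x0400), (b"DC01", 0x20, 0x0400),   # 0x0400 = ACT, unique
             (b"CORP", 0x00, 0x8400), (b"CORP", 0x1C, 0x8400),   # 0x8000 = group
             (b"CORP", 0x1B, 0x0400)]
    rdata = bytes([len(table)])
    for name, suffix, nflags in table:
        rdata += name.ljust(15, b" ") + bytes([suffix]) + struct.pack(">H", nflags)
    rdata += bytes.fromhex("000c29aabbcc") + b"\x00" * 40    # unit ID, then statistics
    header = struct.pack(">HHHHHH", txid, 0x8400, 0, 1, 0, 0)
    answer = b"\x20" + first_level_encode(b"*") + b"\x00"
    answer += struct.pack(">HHIH", 0x0021, 0x0001, 0, len(rdata)) + rdata
    return header + answer


if __name__ == "__main__":
    # Real use: sock.sendto(build_nbstat_request(), (target, 137)); data = sock.recv(1024)
    result = parse_nbstat_response(constructed_response())
    for entry in result["names"]:
        print(describe(entry))
    print("MAC address:", result["mac"])
```

The parsed table is what the tools print: CORP<1C> as a group name marks a domain controller, DC01<20> means the file server service is running, and the unit ID is the adapter's MAC address, which nbtstat reports even when the host firewall blocks everything but UDP 137.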
NetBIOS Enumeration Tools
▪ NetBIOS Enumerator
Source: https://nbtenum.sourceforge.net
▪ Nmap Source: https://nmap.org
As shown in the screenshot, an attacker uses the following Nmap command to perform NetBIOS enumeration on a target host:
nmap -sV -v --script nbstat.nse <target IP address>
The nbstat.nse script sends its own NBSTAT query to UDP port 137, so it reports the host's NetBIOS name table, the logged-on user name when one is published, and the MAC address even during a TCP scan; adding -sU -p 137 confirms the UDP port state explicitly.
The following are some additional NetBIOS enumeration tools:
▪ Global Network Inventory (https://magnetosoft.com )
▪ Advanced IP Scanner (https://www.advanced-ip-scanner.com)
▪ Hyena (https://www.systemtools.com)
▪ Nsauditor Network Security Auditor (https://www.nsauditor.com)
Enumerating User Accounts - Source: https://learn.microsoft.com
Enumerating user accounts using the PsTools suite helps in controlling and managing remote systems from the command line. The following are some commands for enumerating user accounts. ▪ PsExec PsExec is a lightweight Telnet replacement that can execute processes on other systems, complete with full interactivity for console applications, without having to install client software manually. PsExec’s most powerful use case is the launch of interactive command prompts on remote systems and remote-enabling tools such as ipconfig that otherwise cannot show information about remote systems. The syntax of the PsExec command is as follows:
psexec [\\computer[,computer2[,...] | @file]][-u user [-p psswd][-n s][-r servicename][-h][-l][-s|-e][-x][-i [session]][-c executable [-f|-v]][-w directory][-d][-<priority>][-a n,n,...] cmd [arguments]
▪ PsFile
PsFile is a command-line utility that shows a list of files on a system that have been opened remotely, and it can close opened files either by name or by a file identifier. The default behavior of PsFile is to list the files on the local system opened by remote systems. Typing a command followed by "-" displays information on the syntax for that command. The syntax of the PsFile command is as follows:
psfile [\\RemoteComputer [-u Username [-p Password]]] [[Id | path] [-c]]
▪ PsGetSid
PsGetSid translates SIDs to their display names and vice versa. It works on built-in accounts, domain accounts, and local accounts, displays the SID of a computer or user account, and translates a SID into the name that represents it. It works across the network to query SIDs remotely. The syntax of the PsGetSid command is as follows: psgetsid [\\computer[,computer[,...] | @file] [-u username [-p password]]] [account|SID]
▪ PsKill
PsKill is a kill utility that can kill processes on remote systems and terminate processes on the local computer. Running PsKill with a process ID directs it to kill the process of that ID on the local computer. If a process name is specified, PsKill will kill all processes that have that name. One need not install a client on the target computer to use PsKill to terminate a remote process. The syntax of the PsKill command is as follows:
pskill [-] [-t] [\\computer [-u username] [-p password]] <process name | process id>
▪ PsInfo
PsInfo is a command-line tool that gathers key information about local or remote legacy Windows systems, including the type of installation, kernel build, registered organization and owner, number of processors and their type, amount of physical memory, installation date of the system, and expiration date in the case of a trial version. By default, PsInfo shows information for the local system. A remote computer name can be specified to obtain information for a remote system. The syntax of the PsInfo command is as follows:
psinfo
▪ PsList
PsList is a command-line tool that displays central processing unit (CPU) and memory information or thread statistics. Tools in the Resource Kits, pstat and pmon, show different types of data only for the processes on the system on which the tools are run.
▪ PsLoggedOn
PsLoggedOn is an applet that displays both the locally logged-in users and users logged in via resources for either the local computer or a remote one. If a username is specified instead of a computer, PsLoggedOn searches the computers in the network neighborhood and reveals whether the user is currently logged in. PsLoggedOn defines a locally logged-in user as one that has a profile loaded into the registry. Therefore, PsLoggedOn determines who is logged in by scanning the keys under the HKEY_USERS key. For each key that has a name or user SID, PsLoggedOn looks up the corresponding username and displays it. To determine who logged into a computer via resource shares, PsLoggedOn uses the NetSessionEnum API. The syntax of the PsLoggedOn command is as follows:
psloggedon [-] [-l] [-x] [\\computername | username]
▪ PsLogList
The elogdump utility dumps the contents of an Event Log on a local or remote computer. PsLogList is a clone of elogdump except that PsLogList can log in to remote systems in situations where the user’s security credentials would not permit access to the Event Log, and PsLogList retrieves message strings from the computer on which the event log is stored. The default function of PsLogList is to display the contents of the System Event Log on the local computer with visually friendly formatting. The syntax of the PsLogList command is as follows:
psloglist [-] [\\computer[,computer[,...] | @file [-u username [-p password]]] [-s [-t delimiter]] [-m #|-n #|-h #|-d #|-w][-c][-x][-r][-a mm/dd/yy][-b mm/dd/yy][-f filter] [-i ID[,ID[,...] | -e ID[,ID[,...]]] [-o event source[,event source][,..]]] [-q event source[,event source][,..]]] [-l event log file] <eventlog>
▪ PsPasswd
PsPasswd can change an account password on local or remote systems, and administrators can create batch files that run PsPasswd on the computers they manage to perform a mass change of the administrator password. PsPasswd uses Windows password reset APIs; therefore, it does not send passwords over the network in the cleartext. The syntax of the PsPasswd command is as follows: pspasswd [[\\computer[,computer[,..] | @file [-u user [-p psswd]]] Username [NewPassword]
▪ PsShutdown
PsShutdown can shut down or reboot a local or remote computer. It requires no manual installation of client software. The syntax of the PsShutdown command is as follows:
psshutdown [[\\computer[,computer[,..] | @file [-u user [-p psswd]]] -s|-r|-h|-d|-k|-a|-l|-o [-f] [-c] [-t nn|h:m] [-n s] [-v nn] [-e [u|p]:xx:yy] [-m "message"]
Enumerating Shared Resources Using Net View
Net View is a command-line utility that displays a list of computers in a specified workgroup or shared resources available on a specified computer. It can be used in the following ways.
net view \\<computername>
In the above command, <computername> is the name or IP address of a specific computer, the resources of which are to be displayed.
net view \\<computername> /ALL
The above command displays all the shares on the specified remote computer, along with hidden shares.
net view /domain
The above command lists the domains and workgroups visible on the network.
net view /domain:<domain name>
The above command lists the computers in the specified domain or workgroup; each of them can then be queried with net view \\<computername> for its shares.
NetBIOS Enumeration using AI
▪ Attackers can also leverage ChatGPT or other generative AI tools to produce the commands for this task, using prompts such as the following.
"Perform NetBIOS enumeration on target IP 10.10.1.11"
The command generated for this prompt is nbtscan 10.10.1.11. nbtscan sends NBSTAT queries to the target and lists its NetBIOS names, logged-on user, and MAC address.
"Get NetBIOS info for IP 10.10.1.11 and display the associated names"
The command generated for this prompt is nmblookup -A 10.10.1.11. With the -A option, nmblookup (from the Samba suite) performs a node status lookup against the given IP address and prints the associated NetBIOS name table.
"Enumerate NetBIOS on target IP 10.10.1.22 with nmap"
The command generated for this prompt is nmap -sU -p 137 --script nbstat.nse 10.10.1.22. It scans UDP port 137 and runs the nbstat.nse script to enumerate the NetBIOS name table of the target.
These commands automate NetBIOS enumeration and return the same name-table information as the manual tools above; the AI only saves the attacker from recalling the syntax.
2. SNMP Enumeration
SNMP (Simple Network Management Protocol) Enumeration
▪ Attackers use SNMP default community strings to extract information about a device
▪ Attackers enumerate SNMP to extract information about network resources, such as hosts, routers, devices, and shares, and network information, such as ARP tables, routing tables, and traffic
Enumerating SNMP using SnmpWalk and Nmap
SNMPv1 and SNMPv2c authenticate requests with community strings, which act as the following two passwords for configuring and accessing the SNMP agent from the management station.
▪ Read Community String
o The configuration of the device or system can be viewed with the help of this password.
o The factory default on most devices is "public".
▪ Read/Write Community String
o The device configuration can be changed or edited using this password.
o The factory default on most devices is "private".
When administrators leave the community strings at their default settings, attackers can use those defaults to view or change the configuration of the device or system. Community strings also travel in cleartext in every SNMPv1/v2c packet, so anyone who can capture the traffic learns them; SNMPv3 replaces them with per-user authentication and optional encryption. Attackers enumerate SNMP to extract information about network resources such as hosts, routers, devices, and shares as well as network information such as ARP tables, routing tables, device-specific information, and traffic statistics. Commonly used SNMP enumeration tools include OpUtils (https://www.manageengine.com) and Network Performance Monitor (https://www.solarwinds.com).
Enumerating SNMP using SnmpWalk Source: https://ezfive.com
Attackers execute the following command to retrieve SNMP information from the target device: snmpwalk -v1 -c public <Target IP Address> The command walks the agent's MIB tree with successive GetNext requests and prints every OID, its variable name, and its value. Depending on the MIBs the agent implements, the output reveals the system description and operating system, interfaces and IP addresses, ARP and routing tables, running processes with their command lines (hrSWRunParameters, which sometimes contain credentials passed as arguments), and installed software.
Other SnmpWalk Commands:
▪ Command to enumerate SNMPv2c with a community string of public: snmpwalk -v2c -c public <Target IP Address>
▪ Command to search for installed software: snmpwalk -v2c -c public <Target IP Address> hrSWInstalledName
▪ Command to determine the amount of RAM on the host: snmpwalk -v2c -c public <Target IP Address> hrMemorySize
Writing a value is not done with snmpwalk, which only reads; it requires the read/write community string and the snmpset command from the same Net-SNMP suite, which takes the OID, a type letter (for example s for string or i for integer), and the new value:
▪ Command to change an OID to a different value: snmpset -v2c -c private <Target IP Address> <OID> <type> <New Value>
▪ Command to change the sysContact OID: snmpset -v2c -c private <Target IP Address> sysContact.0 s "<New Value>"
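What the snmpwalk commands above do on the wire, as an added example (not code from this page, from Net-SNMP, or from Nmap): a minimal SNMPv1 BER encoder and decoder that issues GetNextRequests from a starting OID until the agent answers with an OID outside that subtree, plus an in-memory stand-in agent so the exchange runs offline. The community string public, the values in SAMPLE_MIB, and the NAS they describe are invented for the example; against a real device the packet goes to UDP port 161 through a socket with a timeout.

```python
# What snmpwalk sends on the wire: BER-encoded SNMPv1 GetNextRequests, repeated until the
# returned OID leaves the requested subtree.  Added example; the stand-in agent, the
# community string and the MIB values are invented.
INTEGER, OCTET_STRING, NULL, OID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
GET_NEXT, GET_RESPONSE, NO_SUCH_NAME = 0xA1, 0xA2, 2

def tlv(tag: int, payload: bytes) -> bytes:
    """Tag, BER length (short form below 128 bytes, long form above), value."""
    n = len(payload)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + payload

def enc_int(v: int) -> bytes:
    return tlv(INTEGER, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def enc_oid(oid: str) -> bytes:
    ids = [int(x) for x in oid.split(".")]
    out = [40 * ids[0] + ids[1]]                   # first two arcs share one byte
    for sid in ids[2:]:                            # base 128, high bit = more follows
        chunk = [sid & 0x7F]
        while sid > 0x7F:
            sid >>= 7
            chunk.insert(0, 0x80 | (sid & 0x7F))
        out += chunk
    return tlv(OID, bytes(out))

def read_tlv(buf: bytes, off: int = 0):
    """Return (tag, value bytes, offset just past this element)."""
    tag, ln, off = buf[off], buf[off + 1], off + 2
    if ln & 0x80:                                  # long form: next n bytes hold the length
        n, ln = ln & 0x7F, 0
        for _ in range(n):
            ln, off = (ln << 8) | buf[off], off + 1
    return tag, buf[off:off + ln], off + ln

def dec_oid(b: bytes) -> str:
    ids, cur = [b[0] // 40, b[0] % 40], 0
    for x in b[1:]:
        cur = (cur << 7) | (x & 0x7F)
        if not x & 0x80:
            ids, cur = ids + [cur], 0
    return ".".join(map(str, ids))

def oid_key(oid: str) -> tuple:
    return tuple(int(x) for x in oid.split("."))

def build_message(community: str, pdu_tag: int, req_id: int, err: int, oid: str, value: bytes) -> bytes:
    varbinds = tlv(SEQUENCE, tlv(SEQUENCE, enc_oid(oid) + value))
    pdu = enc_int(req_id) + enc_int(err) + enc_int(0) + varbinds
    return tlv(SEQUENCE, enc_int(0) + tlv(OCTET_STRING, community.encode()) + tlv(pdu_tag, pdu))

def split_message(pkt: bytes) -> tuple:
    """(community, pdu tag, request id, error status, oid, value tag, raw value) of a one-varbind message."""
    _, msg, _ = read_tlv(pkt)
    _, _ver, off = read_tlv(msg)
    _, comm, off = read_tlv(msg, off)
    ptag, pdu, _ = read_tlv(msg, off)
    _, rid, off = read_tlv(pdu)
    _, err, off = read_tlv(pdu, off)
    _, _idx, off = read_tlv(pdu, off)
    _, vbl, _ = read_tlv(pdu, off)
    _, vb, _ = read_tlv(vbl)
    _, o, p = read_tlv(vb)
    vtag, v, _ = read_tlv(vb, p)
    return (comm.decode(), ptag, int.from_bytes(rid, "big", signed=True),
            int.from_bytes(err, "big", signed=True), dec_oid(o), vtag, v)

SAMPLE_MIB = {                                     # constructed values for a hypothetical NAS
    "1.3.6.1.2.1.1.1.0": b"Linux nas01 5.15.0 x86_64",  # sysDescr
    "1.3.6.1.2.1.1.4.0": b"storage-team@example.test",  # sysContact
    "1.3.6.1.2.1.1.5.0": b"nas01",                      # sysName
    "1.3.6.1.2.1.2.1.0": 3,                             # ifNumber, outside the system group
}

def fake_agent(community: str, mib: dict):
    def handle(pkt: bytes):                        # behaves like a device on its default community
        comm, ptag, rid, _, asked, _, _ = split_message(pkt)
        if comm != community or ptag != GET_NEXT:
            return None                            # real agents silently drop these
        later = [k for k in mib if oid_key(k) > oid_key(asked)]
        if not later:                              # walked off the end of the MIB view
            return build_message(comm, GET_RESPONSE, rid, NO_SUCH_NAME, asked, tlv(NULL, b""))
        k = min(later, key=oid_key)
        val = enc_int(mib[k]) if isinstance(mib[k], int) else tlv(OCTET_STRING, mib[k])
        return build_message(comm, GET_RESPONSE, rid, 0, k, val)
    return handle

def snmpwalk(send, community: str, root: str) -> list:
    results, cur, rid = [], root, 1                # GetNext until error or OID outside root
    while True:
        reply = send(build_message(community, GET_NEXT, rid, 0, cur, tlv(NULL, b"")))
        if reply is None:
            raise TimeoutError("no reply: wrong community string or SNMP filtered")
        _, _, r_id, err, oid, vtag, raw = split_message(reply)
        if r_id != rid or err or not (oid + ".").startswith(root + "."):
            return results
        results.append((oid, int.from_bytes(raw, "big", signed=True) if vtag == INTEGER else raw.decode()))
        cur, rid = oid, rid + 1

if __name__ == "__main__":
    # Real use: sock.sendto(pkt, (target, 161)); reply = sock.recv(65535), with a timeout
    for oid, value in snmpwalk(fake_agent("public", SAMPLE_MIB), "public", "1.3.6.1.2.1.1"):
        print(oid, "=", value)
```

Apart from the request-id, the first packet built for 1.3.6.1.2.1.1.1.0 is what snmpwalk -v1 -c public sends, and the stand-in agent shows the behaviour that makes default-community scanning work: a wrong community string gets no answer at all (so a timeout, not an error, is the signal), while the right one yields the whole system group. SNMPv2c differs only in the version integer (1) and in using GetBulk to fetch several rows per request.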
Enumerating SNMP using Nmap Source: https://nmap.org
Attackers use the snmp-processes Nmap Scripting Engine (NSE) script against an SNMP agent to retrieve the list of processes the agent reports.
nmap -sU -p 161 --script=snmp-processes <Target IP Address>
The above Nmap command queries the HOST-RESOURCES-MIB process table (hrSWRunTable) and lists each running process on the target with its PID, name, path, and command-line parameters. Other Nmap commands to perform SNMP enumeration:
▪ nmap -sU -p 161 --script=snmp-sysdescr <Target IP Address> → Retrieves the sysDescr string (device type, operating system, and version) and the system uptime.
▪ nmap -sU -p 161 --script=snmp-win32-software <Target IP Address> → Retrieves the list of software installed on a Windows target, with installation dates.
All of these scripts use the community string public unless another is supplied with --script-args snmpcommunity=<string>; the snmp-brute script guesses community strings from a wordlist when the default does not work.
SNMP Enumeration Tools
SNMP enumeration tools scan a single IP address or a range of IP addresses for SNMP-enabled network devices, try community strings against them, and pull the device and network information the agents expose; the same tools serve administrators to monitor, diagnose, and troubleshoot their networks.
▪ snmp-check (snmp_enum Module) Source: https://www.nothink.org
▪ SoftPerfect Network Scanner Source: https://www.softperfect.com
The following are some additional SNMP enumeration tools:
▪ Network Performance Monitor (https://www.solarwinds.com)
▪ OpUtils (https://www.manageengine.com)
▪ PRTG Network Monitor (https://www.paessler.com)
▪ Engineer’s Toolset (https://www.solarwinds.com)
SNMP Enumeration with SnmpWalk and Nmap using AI
Attackers can leverage AI-powered technologies to enhance and automate their network enumeration tasks. With the aid of AI, attackers can quickly perform SNMP enumeration and gather SNMP information and running processes from target IP addresses. Attackers can use ChatGPT to produce the commands for this task with prompts such as the following.
Example #1:
▪ "Perform SNMP enumeration on target IP 10.10.1.22 using SnmpWalk and display the result here"
The command generated to automate this task on the specified target IP is snmpwalk -c public -v1 10.10.1.22, which walks the MIB of the target with the default read community string.
Example #2:
▪ "Perform SNMP enumeration on target IP 10.10.1.22 using nmap and display the result here"
The command generated for this task is nmap -sU -p 161 --script snmp-info 10.10.1.22. The snmp-info script reports the agent's enterprise number, engine ID, and engine boot and uptime counters.
Example #3:
▪ "Perform SNMP processes on target IP 10.10.1.22 using nmap and display the result here"
The command generated for this task is nmap -sU -p 161 --script snmp-processes 10.10.1.22, which lists the running processes the agent reports.
These commands automate SNMP enumeration tasks and display the results for each command executed on the specified target IP 10.10.1.22.
3. LDAP Enumeration
Lightweight Directory Access Protocol (LDAP) is an Internet protocol for accessing distributed directory services. A client starts an LDAP session by connecting to a directory system agent (DSA) on TCP port 389 and then sends an operation request to the DSA.
Attackers query the LDAP service to gather information, such as valid usernames, addresses, and departmental details, which can be further used to perform attacks.
Manual and Automated LDAP Enumeration
Attackers can use both manual and automated approaches for LDAP enumeration. Some of the commands that can be used for LDAP enumeration are as follows.
Manual LDAP Enumeration
Attackers can perform manual LDAP enumeration using Python and the ldap3 library.
Follow the steps given below to perform manual LDAP enumeration using Python.
1. Using Nmap, check whether the target LDAP server is listening on port 389 for LDAP and port 636 for LDAP over TLS (LDAPS); a domain controller also answers global catalog queries on ports 3268 and 3269.
2. If the target server is listening on the specified ports, initiate the enumeration process by installing the ldap3 library using the following command:
pip3 install ldap3
3. As shown in the code given below, create a server object (server) and specify the target IP address or hostname and port number. If the target server is listening on LDAPS, specify port=636 and use_ssl=True.
4. Retrieve the Directory System Agent (DSA)-specific entry (DSE) naming contexts by specifying get_info=ldap3.ALL, which makes ldap3 read the RootDSE and schema when it binds.
5. Now, create a connection object, connection, and initiate a call to bind(). With no credentials this is an anonymous bind; Active Directory accepts it but by default answers only RootDSE queries anonymously, so the searches in steps 8 and 9 usually require a domain account, for example ldap3.Connection(server, user='DOMAIN\\user', password='<password>').
6. If the connection is successful, True is displayed on the screen as follows:
>>> import ldap3
>>> server = ldap3.Server('Target IP Address', get_info=ldap3.ALL, port=389)
>>> connection = ldap3.Connection(server)
>>> connection.bind()
True
7. Now, one can fetch information such as the domain name and naming contexts using the following script:
>>> server.info
8. After obtaining the naming context, retrieve all the directory objects using the script given below:
>>> connection.search(search_base='DC=DOMAIN,DC=DOMAIN', search_filter='(objectClass=*)', search_scope='SUBTREE', attributes='*')
True
>>> connection.entries
9. Now, use the following script to list every person object in the directory. Requesting userPassword shows what a misconfigured directory would leak: Active Directory never returns password material over LDAP, and OpenLDAP returns the userPassword hash only to identities its access controls allow, so an empty attribute here is the expected result on a well-configured server:
>>> connection.search(search_base='DC=DOMAIN,DC=DOMAIN', search_filter='(objectClass=person)', search_scope='SUBTREE', attributes='userPassword')
True
>>> connection.entries
Automated LDAP Enumeration Source: https://nmap.org
Attackers use the ldap-brute NSE script to brute-force LDAP authentication. By default, it uses the built-in username and password lists. The userdb and passdb script arguments can be employed to use custom lists. Against Active Directory this is noisy and, with an account-lockout policy in force, quickly locks out the accounts being guessed, so attackers usually prefer a short password list tried against many users.
nmap -p 389 --script ldap-brute --script-args ldap.base='"cn=users,dc=CEH,dc=com"' <Target IP Address>
LDAP Enumeration Tools
There are many LDAP enumeration tools that access directory listings within Active Directory
(AD) or other directory services. Using these tools, attackers can enumerate information such as valid usernames, addresses, and departmental details from different LDAP servers.
▪ Softerra LDAP Administrator Source: https://www.ldapadministrator.com
▪ ldapsearch Source: https://linux.die.net
ldapsearch is a shell-accessible interface for the ldap_search_ext(3) library call. ldapsearch opens a connection to an LDAP server, binds to it, and performs a search using the specified parameters. The filter should conform to the string representation of search filters defined in RFC 4515. If none is provided, the default filter, (objectClass=*), is used.
Attackers use ldapsearch to enumerate AD users. This allows attackers to establish connections with an LDAP server and perform different searches using specific filters. The following command performs an anonymous LDAP search using simple authentication (-x); the -h <host> form shown here is accepted by older OpenLDAP builds, whereas current releases expect -H ldap://<Target IP Address> instead:
ldapsearch -h <Target IP Address> -x
If the above command is executed successfully, the following command can be executed to obtain the naming contexts from the RootDSE (an empty search base, -b "", with base scope):
ldapsearch -h <Target IP Address> -x -s base -b "" namingContexts
For example, if the output of the above command identifies the primary domain component as DC=htb,DC=local, the following command can be used to obtain more information about the primary domain:
ldapsearch -h <Target IP Address> -x -b "DC=htb,DC=local"
The following commands can be used to retrieve information about a specific object class or all the objects in a directory tree:
ldapsearch -h <Target IP Address> -x -b "DC=htb,DC=local" '(objectClass=Employee)' → retrieves information related to the object class Employee.
ldapsearch -x -h <Target IP Address> -b "DC=htb,DC=local" "objectclass=*" → retrieves information related to all the objects in the directory tree.
The following command retrieves the account names and account types of the users belonging to a particular object class; attribute names listed after the filter restrict the output to those attributes:
ldapsearch -h <Target IP Address> -x -b "DC=htb,DC=local" '(objectClass=Employee)' sAMAccountName sAMAccountType
Against Active Directory, anonymous searches below the RootDSE normally return nothing; supplying a domain account with -D 'DOMAIN\user' -W (which prompts for the password) is usually required.
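Whichever of the above produced the directory dump, the LDIF that ldapsearch prints (or that a saved ldap3 result is exported as) has to be parsed before the accounts in it can be triaged. The following is an added example, not code from this page or from OpenLDAP or ldap3: it parses ldapsearch-style LDIF, including folded continuation lines and base64 (::) values, and decodes the userAccountControl bits of every enabled account to flag the ones worth a closer look. The domain htb.local and every account in SAMPLE_LDIF are constructed for the example.

```python
"""Parse the LDIF that ldapsearch (or a saved ldap3 dump) prints and triage the
accounts in it from their userAccountControl bits.  Added example, not code from
the page or from OpenLDAP/ldap3; SAMPLE_LDIF and the domain htb.local are
constructed, not real output."""
import base64

# userAccountControl bits (Microsoft ADS_USER_FLAG_ENUM) that matter during enumeration
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE", 0x0010: "LOCKOUT", 0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT", 0x10000: "DONT_EXPIRE_PASSWORD",
    0x40000: "SMARTCARD_REQUIRED", 0x80000: "TRUSTED_FOR_DELEGATION",
    0x400000: "DONT_REQ_PREAUTH",
}
SUSPICIOUS = {"PASSWD_NOTREQD", "DONT_EXPIRE_PASSWORD", "DONT_REQ_PREAUTH",
              "TRUSTED_FOR_DELEGATION"}

SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <DC=htb,DC=local> with scope subtree
# filter: (objectClass=person)
# requesting: sAMAccountName userAccountControl description
#

dn: CN=Alice Adams,CN=Users,DC=htb,DC=local
sAMAccountName: aadams
userAccountControl: 512

dn: CN=svc_backup,CN=Users,DC=htb,DC=local
sAMAccountName: svc_backup
userAccountControl: 66080
description:: QmFja3VwIGFnZW50IC0gcGFzc3dvcmQgc2V0IGJ5IGhlbHBkZXNrLCBzZWUg
 dGlja2V0IDQyMTc=

dn: CN=Old Contractor,CN=Users,DC=htb,DC=local
sAMAccountName: contractor7
userAccountControl: 514

dn: CN=websvc,CN=Users,DC=htb,DC=local
sAMAccountName: websvc
userAccountControl: 4260352

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 4
"""


def parse_ldif(text: str) -> list:
    """Return one dict (attribute -> list of values) per entry that has a dn.
    Handles comments, folded continuation lines and 'attr:: base64' values
    (RFC 2849); the trailing 'search:'/'result:' block has no dn and is dropped."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # continuation of the previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:                  # sentinel flushes the last entry
        if not line.strip():
            if "dn" in current:
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):              # '::' marks a base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
    return entries


def decode_uac(value: int) -> set:
    """Names of the userAccountControl flags set in an integer value."""
    return {name for bit, name in UAC_FLAGS.items() if value & bit}


def review_accounts(entries: list) -> list:
    """(sAMAccountName, sorted suspicious flags) for every enabled account."""
    findings = []
    for entry in entries:
        if "sAMAccountName" not in entry or "userAccountControl" not in entry:
            continue
        flags = decode_uac(int(entry["userAccountControl"][0]))
        if "ACCOUNTDISABLE" in flags:
            continue
        findings.append((entry["sAMAccountName"][0], sorted(flags & SUSPICIOUS)))
    return findings


if __name__ == "__main__":
    # Real use: ldapsearch ... > dump.ldif; entries = parse_ldif(open("dump.ldif").read())
    for name, reasons in review_accounts(parse_ldif(SAMPLE_LDIF)):
        print(f"{name:<14} {', '.join(reasons) or '-'}")
```

On SAMPLE_LDIF this reports aadams as an ordinary enabled account, svc_backup with PASSWD_NOTREQD and DONT_EXPIRE_PASSWORD (and a base64 description that mentions how its password was set), and websvc with DONT_REQ_PREAUTH, the bit that makes an account AS-REP roastable; contractor7 is disabled and skipped. The same function applied to the output of ldapsearch with sAMAccountName userAccountControl description as the requested attributes gives the same triage for a real directory.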
The following are some additional LDAP enumeration tools:
▪ AD Explorer (https://docs.microsoft.com)
▪ LDAP Admin Tool (https://www.ldapsoft.com)
▪ LDAP Account Manager (https://www.ldap-account-manager.org)
▪ LDAP Search (https://securityxploded.com)
4. NTP and NFS Enumeration
NTP Enumeration
NTP is designed to synchronize the clocks of networked computers. It uses UDP port 123 as its primary means of communication. NTP can maintain time within an error of 10 ms over the public Internet. Furthermore, it can achieve an accuracy of 200 μs or better in LANs under ideal conditions.
The following are some pieces of information an attacker can obtain by querying an NTP server:
▪ List of hosts connected to the NTP server
▪ Clients’ IP addresses in the network, their system names, and OSs
▪ Internal IPs, if the NTP server is in the demilitarized zone (DMZ)
NTP Enumeration Commands
NTP enumeration commands such as ntpdate, ntptrace, ntpdc, and ntpq are used to query an NTP server for valuable information.
▪ ntpdate
This command sets the local clock from one or more NTP servers after collecting a number of time samples from each; with the -q option it only queries the servers and reports their offset and stratum without touching the clock. Its syntax is as follows:
ntpdate [-46bBdqsuv] [-a key] [-e authdelay] [-k keyfile] [-o version] [-p samples] [-t timeout] [ -U user_name] server [...]
▪ ntptrace
This command determines where the NTP server obtains the time from and follows the chain of NTP servers back to its primary time source. Attackers use this command to trace the list of NTP servers connected to the network. Its syntax is as follows: ntptrace [-n] [-m maxhosts] [servername/IP_address]
▪ ntpdc
This command queries the ntpd daemon regarding its current state and requests changes in that state, using NTP mode 7 private messages. Attackers use this command to retrieve the state and statistics of each NTP server connected to the target network; its monlist query, which returns the addresses that recently talked to the server, is the one that reveals client hosts. Its syntax is as follows: ntpdc [ -46dilnps ] [ -c command] [hostname/IP_address]
▪ ntpq
This command monitors the operations of the NTP daemon ntpd and determines its performance using NTP mode 6 control messages; ntpq -c readvar (or -c rv) returns the daemon version, operating system, processor, and upstream reference. Its syntax is as follows: ntpq [-46dinp] [-c command] [host/IP_address]
Note: In many Linux distributions, the NTP daemon ntpd has been replaced by chrony (chronyd). Both daemons synchronize the local system's time with a remote time server, but chronyd does not answer ntpq or ntpdc queries from the network, and ntpd releases since 4.2.7 ship with mode 7 queries such as monlist disabled (the noquery restriction), so these commands often return nothing against a patched target.
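The mode 6 exchange behind ntpq -c readvar, as an added example (not code from this page or from the ntp reference implementation): it builds the READVAR control request that ntpq sends to UDP port 123 and parses the key=value payload of the reply, which is where the daemon version, operating system, processor, stratum, and upstream reference come from. The reply, its version string, and the upstream address 192.0.2.10 are constructed for a hypothetical server; nothing here is captured from a real host.

```python
"""The NTP mode 6 control exchange behind ntpq -c readvar (rv): a READVAR
request and a parser for the key=value payload that reveals daemon version,
operating system, processor and upstream reference.  Added example; the reply
below is constructed for a hypothetical server, not captured from a real one."""
import struct

CTL_OP_READVAR = 2
HDR = ">BBHHHHH"   # LI|VN|mode, R|E|M|opcode, sequence, status, assoc id, offset, count


def build_readvar(sequence: int = 1, assoc_id: int = 0) -> bytes:
    """LI=0, version 2, mode 6 -> 0x16; R=0 marks a request; empty payload
    (association id 0 asks for the system variables)."""
    return struct.pack(HDR, 0x16, CTL_OP_READVAR, sequence, 0, assoc_id, 0, 0)


def split_fields(payload: str):
    """Yield 'key=value' items, splitting on commas that are outside quotes."""
    item, quoted = "", False
    for ch in payload:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            yield item
            item = ""
        else:
            item += ch
    if item.strip():
        yield item


def parse_readvar(data: bytes) -> dict:
    """Return sequence, more/offset bookkeeping and a dict of the variables."""
    first, rem, seq, status, _assoc, offset, count = struct.unpack_from(HDR, data, 0)
    if (first & 0x07) != 6 or not (rem & 0x80):
        raise ValueError("not an NTP mode 6 response")
    if rem & 0x40:                                  # E bit: status carries an error code
        raise ValueError(f"control request failed, status 0x{status:04x}")
    text = data[12:12 + count].decode("ascii", "replace")
    variables = {}
    for item in split_fields(text):
        key, _, value = item.partition("=")
        variables[key.strip()] = value.strip().strip('"')
    return {"sequence": seq, "more": bool(rem & 0x20), "offset": offset, "vars": variables}


def fingerprint(parsed: dict) -> dict:
    """The fields an enumerator cares about, pulled from a readvar reply."""
    v = parsed["vars"]
    return {"daemon": v.get("version"), "os": v.get("system"), "cpu": v.get("processor"),
            "stratum": int(v["stratum"]) if "stratum" in v else None, "upstream": v.get("refid")}


def constructed_reply(request: bytes) -> bytes:
    """What a hypothetical ntpd host might answer; every value is invented."""
    _, _, seq, _, assoc, _, _ = struct.unpack_from(HDR, request, 0)
    body = (b'version="ntpd 4.2.8p15@1.3728-o", processor="x86_64", '
            b'system="Linux/5.15.0-91-generic", leap=00, stratum=2, '
            b'precision=-24, refid=192.0.2.10, clock=0xe8d1c2a4.3b2f1c00')
    header = struct.pack(HDR, 0x16, 0x80 | CTL_OP_READVAR, seq, 0x0618, assoc, 0, len(body))
    return header + body + b"\x00" * ((-len(body)) % 4)   # payload padded to 32 bits


if __name__ == "__main__":
    # Real use: sock.sendto(build_readvar(), (target, 123)); data = sock.recv(512)
    # A host whose ntpd restricts with 'noquery', or that runs chronyd, simply never answers.
    reply = constructed_reply(build_readvar(sequence=7))
    print(fingerprint(parse_readvar(reply)))
```

If the host answers at all, the reply gives away more than a version banner: system and processor identify the OS build, refid names the upstream server (an internal address when the target sits in a DMZ, which is what ntptrace follows), and a set M bit tells the client to send the same request again with the returned offset to fetch the rest of a long variable list.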
NTP Enumeration Tools
NTP enumeration tools are used to monitor the working of NTP and SNTP servers in the network and help in the configuration and verification of connectivity from the time client to the NTP servers.
▪ PRTG Network Monitor (https://www.paessler.com)
The following are some additional NTP enumeration tools:
▪ Nmap (https://nmap.org)
▪ Wireshark (https://www.wireshark.org)
▪ udp-proto-scanner (https://labs.portcullis.co.uk)
▪ NTP Server Scanner (http://www.bytefusion.com)
NFS Enumeration
NFS is a distributed file system that enables users to access, view, store, and update files held on a remote server. The client accesses these remote files in the same way it accesses files on the local system. Depending on the privileges assigned to the clients, they can either only read or both read and write the data.
An NFS system is generally implemented on a computer network in which the centralization of data is required for critical resources. Remote procedure calls (RPC) carry the requests between clients and servers. The server makes directories available to the network through the "exporting" process, and a client attaches an exported directory into its own file system tree through the "mounting" process. The /etc/exports file on the NFS server lists the exported directories and the clients allowed to use each one. In this model, the only credential checked when a client mounts an export is the client's IP address or hostname; the user and group IDs inside each request are supplied by the client and trusted as they are (AUTH_SYS, also called AUTH_UNIX). NFS versions up to 3 rely on this address-based trust unless Kerberos (RPCSEC_GSS) is configured, and NFSv4 still accepts AUTH_SYS by default. Enumerating NFS services enables attackers to identify the exported directories, the clients allowed to mount each export along with their IP addresses or networks, and the shared data associated with them. After gathering this information, an attacker on an allowed address (or facing an export open to everyone, shown as "*") can mount the share and present whichever UID and GID the target files require, which amounts to full access to the shared files unless export options such as root_squash and all_squash limit it. As shown in the screenshot, an attacker runs the following rpcinfo command to scan the target IP address for an open NFS port (port 2049) and the RPC services registered with its portmapper:
rpcinfo -p <Target IP Address>
As shown in the screenshot, an attacker runs the following command to view the list of shared files and directories:
showmount -e <Target IP Address>
Further, an attacker can use various other commands and tools to gain access to the NFS server and upload malicious files on the server to launch further attacks.
NFS Enumeration Tools
▪ RPCScan
Source: https://github.com
RPCScan communicates with RPC services and checks misconfigurations on NFS shares. As shown in the screenshot, an attacker runs the following command to enumerate a target IP address for active NFS services:
python3 rpc-scan.py <Target IP Address> --rpc
▪ SuperEnum Source: https://github.com
SuperEnum includes a script that performs the basic enumeration of any open port. As shown in the screenshot, an attacker uses the ./superenum script and then enters a text file name “Target.txt” having a target IP address or a list of IP addresses for enumeration.
After scanning a target IP address, the script displays all the open ports, as shown in the below screenshot. Port 2049 has an NFS service running.
5. SMTP and DNS Enumeration
SMTP Enumeration
• SMTP provides three commands that are useful for enumeration:
▪ VRFY - Validates users
▪ EXPN - Shows the actual delivery addresses of aliases and mailing lists
▪ RCPT TO - Defines the recipients of a message
• SMTP servers respond differently to VRFY, EXPN, and RCPT TO commands for valid and invalid users, based on which valid users on the SMTP server can be determined
• Attackers can directly interact with SMTP via the telnet prompt and collect a list of valid users on the SMTP server
Mail systems commonly use SMTP with POP3 and IMAP, which enable users to save messages in the server mailbox and download them from the server when necessary. SMTP locates the mail exchange (MX) servers for a destination domain via DNS. It runs on TCP port 25 (server-to-server relay) and on TCP ports 587 and 465 (message submission from clients); 2525 is a common alternative where port 25 is blocked.
SMTP servers respond differently to VRFY, EXPN, and RCPT TO commands for valid and invalid users; therefore, valid users on the SMTP server can be determined. A user known to the server is typically confirmed with a 250 (or 251) reply and an unknown one rejected with 550, whereas a server configured to refuse verification answers VRFY with 252 or 502, in which case RCPT TO is the fallback; a server that accepts every RCPT TO (a catch-all) cannot be enumerated this way. Attackers can directly interact with SMTP via the Telnet prompt and collect a list of valid users on the SMTP server.
Administrators and pen testers can perform SMTP enumeration using command-line utilities such as Telnet and netcat or by using tools such as Metasploit, Nmap, NetScanTools Pro, and smtp-user-enum to collect a list of valid users, delivery addresses, message recipients, etc.
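The enumeration logic those tools share, as an added example (not code from this page, from smtp-user-enum, or from Metasploit): a session driver that probes VRFY first, falls back to RCPT TO when the server refuses to verify, and uses a random canary name to detect a catch-all server before trusting any result, together with an in-memory stand-in server so both sides of the exchange can be read offline. The server, its users, and the domain example.test are invented; with a real target, cmd wraps a TCP socket to port 25.

```python
"""SMTP user enumeration as smtp-user-enum and Metasploit's smtp_enum perform it:
try VRFY first, fall back to RCPT TO when the server refuses to verify, and
recognise catch-all servers that accept every recipient.  Added example; the
server is an in-memory stand-in with invented users, not a real MTA."""
import secrets


class FakeSmtpServer:
    """Answers like a small MTA.  vrfy=False emulates Postfix's disable_vrfy_command."""

    def __init__(self, users, aliases, vrfy=True, catch_all=False):
        self.users, self.aliases = set(users), dict(aliases)
        self.vrfy, self.catch_all = vrfy, catch_all
        self.transcript = ["S: 220 mail.example.test ESMTP"]

    def cmd(self, line: str) -> tuple:
        verb, _, arg = line.partition(" ")
        local = arg.split(":")[-1].strip().strip("<>").split("@")[0]   # 'TO:<u@d>' -> 'u'
        if verb == "VRFY":
            if not self.vrfy:
                reply = (252, "2.5.2 Cannot VRFY user; try RCPT to attempt delivery")
            elif local in self.users:
                reply = (250, f"2.1.5 {local} <{local}@example.test>")
            else:
                reply = (550, f"5.1.1 {local}... User unknown")
        elif verb == "EXPN":
            reply = ((250, ", ".join(self.aliases[local])) if local in self.aliases
                     else (550, "5.1.1 not a mailing list"))
        elif verb == "RCPT":
            ok = self.catch_all or local in self.users or local in self.aliases
            reply = (250, "2.1.5 OK") if ok else (550, "5.1.1 User unknown")
        elif verb in ("HELO", "EHLO", "MAIL", "RSET"):
            reply = (250, "OK")
        elif verb == "QUIT":
            reply = (221, "2.0.0 Bye")
        else:
            reply = (502, "5.5.2 Command not implemented")
        self.transcript += [f"C: {line}", f"S: {reply[0]} {reply[1]}"]
        return reply


def enumerate_users(cmd, candidates, domain="example.test") -> dict:
    """Drive one session through cmd(line) -> (code, text) and report which
    candidate names the server confirms.  In practice cmd wraps a socket on
    port 25; here it is FakeSmtpServer.cmd."""
    canary = "zz" + secrets.token_hex(4)            # a name no sane server knows
    cmd("EHLO enum.local")
    code, _ = cmd(f"VRFY {canary}")
    if code in (550, 551, 553):                     # server distinguishes users via VRFY
        probe, method = (lambda u: cmd(f"VRFY {u}")), "VRFY"
    else:                                           # 252/502: VRFY disabled, use RCPT TO
        cmd(f"MAIL FROM:<probe@{domain}>")
        probe, method = (lambda u: cmd(f"RCPT TO:<{u}@{domain}>")), "RCPT TO"
        if probe(canary)[0] in (250, 251):          # catch-all: accepts anything, no signal
            cmd("QUIT")
            return {"method": method, "valid": [], "inconclusive": True}
    valid = [u for u in candidates if probe(u)[0] in (250, 251)]
    cmd("QUIT")
    return {"method": method, "valid": valid, "inconclusive": False}


def expand_alias(cmd, name: str) -> list:
    """EXPN: members of a mailing list or alias, empty if the server refuses."""
    code, text = cmd(f"EXPN {name}")
    return [m.strip() for m in text.split(",")] if code == 250 else []


if __name__ == "__main__":
    srv = FakeSmtpServer({"root", "postmaster", "alice"},
                         {"staff": ["alice@example.test", "bob@example.test"]})
    print(enumerate_users(srv.cmd, ["alice", "bob", "root", "admin"]))
    print(expand_alias(srv.cmd, "staff"))
    print("\n".join(srv.transcript))             # both sides of the exchange
```

The canary is the step worth copying: a VRFY that rejects an unknown name proves the server leaks validity, and an RCPT TO that accepts an unknown name proves it does not, which is the case a plain wordlist run would misreport as "every user exists". Against a real server the loop also needs a socket timeout and an RSET between probes, because many MTAs cap the recipients accepted per transaction.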
SMTP Enumeration using Nmap
Source: https://nmap.org Attackers use Nmap to enumerate information from the target SMTP server. They enumerate the target SMTP server using the SMTP-related Nmap Scripting Engine (NSE) scripts.
▪ The following command, when executed, lists the SMTP commands (EHLO keywords) the server advertises: nmap -p 25,465,587 --script=smtp-commands <Target IP Address>
▪ Run the following command to identify SMTP open relays: nmap -p 25 --script=smtp-open-relay <Target IP Address>
▪ Run the following command to enumerate mail users on the SMTP server; the script tries VRFY, EXPN, and RCPT TO in turn against a built-in user list, and --script-args userdb=<file> substitutes a custom list: nmap -p 25 --script=smtp-enum-users <Target IP Address>
SMTP Enumeration using Metasploit
Attackers use the Metasploit framework to enumerate SMTP users. The framework contains an SMTP enumeration module that allows attackers to connect to the target SMTP server and enumerate usernames using predefined wordlists. The SMTP server uses its inbuilt method VRFY to validate the usernames in the wordlist file with the users present on the server and displays the matched list of users. Steps to Enumerate SMTP Users Using Metasploit
▪ Step 1: Launch Metasploit msfconsole and switch to the relevant auxiliary scanner to initiate the process: auxiliary/scanner/smtp/smtp_enum. msf > use auxiliary/scanner/smtp/smtp_enum msf auxiliary(smtp_enum) >
▪ Step 2: Use the command show options to view the entire list of options required to perform this task. Alternatively, the command show evasion can be used to view the list of options to evade security solutions.
▪ Step 3: Use the option set RHOST to set the target SMTP server’s IP address or a range of IP addresses.
▪ Step 4: By default, the Metasploit framework uses default wordlists located at /usr/share/60etasploit-framework/data/wordlists/unix_users.txt to enumerate SMTP users. The USER _FILE option can be set to use custom wordlists.
msf auxiliary(smtp_enum) > set USER_FILE <location of wordlists file>
▪ Step 5: Use the command show advanced to view the complete list of available options in the SMTP user enumeration module.
▪ Step 6: Execute the run command to begin the enumeration process. It checks each username in the wordlist against the SMTP server and lists all the usernames that the server confirms.
SMTP Enumeration Tools
SMTP enumeration tools are used to perform username enumeration. Attackers can use the usernames obtained from this enumeration to launch further attacks on other systems in the network.
▪ NetScanTools Pro
Source: https://www.netscantools.com
NetScanTools Pro’s SMTP Email Generator tool tests the process of sending an email message through an SMTP server. Attackers use NetScanTools Pro for SMTP enumeration and extract all the email header parameters, including confirm/urgent flags. Attackers can also record the email session in a log file and then view the communications between NetScanTools Pro and the SMTP server in the log file.
▪ smtp-user-enum
Source: https://pentestmonkey.net
smtp-user-enum is a tool for enumerating OS-level user accounts on Solaris via the SMTP service (sendmail). Enumeration is performed by inspecting the responses to the VRFY, EXPN, and RCPT TO commands. As shown in the screenshot, smtp-user-enum must be given a list of users and at least one target running an SMTP service.
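The following Python script is an added example (it is not part of this module, nor the code of Metasploit or smtp-user-enum). It shows what these tools actually key on: the difference between the SMTP reply codes a server returns for names that exist and for names that do not. It replays constructed reply sequences from a default-configured server and from one with VRFY disabled (the countermeasure listed later under SMTP), and includes an optional smtplib check for a mail server you administer; the host passed to live_vrfy_check is a placeholder.

```python
"""Judge whether an SMTP server's VRFY replies reveal which accounts exist.

Added example, not code from the module or from any tool it names. It
replays constructed reply sequences and, optionally, probes a server you
administer with smtplib to confirm VRFY has been disabled or neutralised.
"""
import smtplib
from typing import Dict, Iterable, List, Tuple

# RFC 5321 reply codes that matter for user enumeration.
CONFIRMED = {250, 251}       # 250: mailbox exists; 251: exists, will be forwarded
REJECTED = {550, 551, 553}   # mailbox unknown / not local / not allowed
NO_SIGNAL = {252, 500, 502}  # 252: "cannot VRFY, will try"; 500/502: command disabled


def classify_reply(code: int) -> str:
    """Translate one VRFY/EXPN reply code into what a prober learns from it."""
    if code in CONFIRMED:
        return "exists"
    if code in REJECTED:
        return "unknown"
    if code in NO_SIGNAL:
        return "no-signal"
    return "other"


def confirmed_users(transcript: Iterable[Tuple[str, int]]) -> List[str]:
    """Usernames that the server positively confirmed (the enumerator's haul)."""
    return [user for user, code in transcript if classify_reply(code) == "exists"]


def server_leaks(transcript: Iterable[Tuple[str, int]]) -> bool:
    """True when replies differ between real and bogus names.

    A server that answers every probe identically (all 252, all 502, or even
    all 250) gives an enumerator nothing to go on; that is the effect of
    disabling VRFY/EXPN or of answering 252 unconditionally.
    """
    verdicts = {classify_reply(code) for _, code in transcript}
    return "exists" in verdicts and "unknown" in verdicts


# Constructed transcripts: (probed name, reply code) as a wordlist-driven
# tool would record them. 'zzznotauser' is a canary that should not exist.
DEFAULT_SERVER = [("root", 250), ("mail", 250), ("zzznotauser", 550), ("admin", 550)]
# Same probes against a server with VRFY disabled (Postfix with
# disable_vrfy_command = yes answers 502 to every VRFY).
HARDENED_SERVER = [("root", 502), ("mail", 502), ("zzznotauser", 502), ("admin", 502)]


def live_vrfy_check(host: str, port: int = 25,
                    probes: Tuple[str, ...] = ("root", "postmaster", "zzznotauser")) -> Dict[str, int]:
    """Probe a mail server you operate (host is a placeholder) and return {name: code}.

    Feed the result to server_leaks(): any mix of 25x and 55x codes means the
    VRFY countermeasure is not in place.
    """
    replies: Dict[str, int] = {}
    with smtplib.SMTP(host, port, timeout=10) as conn:
        conn.ehlo_or_helo_if_needed()
        for name in probes:
            code, _msg = conn.verify(name)
            replies[name] = code
    return replies


if __name__ == "__main__":
    for label, transcript in (("default", DEFAULT_SERVER), ("hardened", HARDENED_SERVER)):
        print(label, "leaks:", server_leaks(transcript), "confirmed:", confirmed_users(transcript))
```

The point of server_leaks is that enumeration depends on a difference in responses, not on any single code: a server that answers 252 or 502 to every VRFY, as the hardened transcript shows, yields an empty confirmed list no matter how large the wordlist is.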
SMTP Enumeration using AI
Attackers can leverage AI-powered technologies to enhance and automate their network enumeration tasks. With the aid of AI, attackers can effortlessly perform SMTP enumeration and gather SMTP user information on target IP addresses.
Attackers can use ChatGPT to perform this task by using appropriate prompts such as:
Example #1:
▪ "Perform SMTP enumeration on target IP 10.10.1.19."
The following command is designed to automate SMTP enumeration tasks on the specified target IP:
nmap -p25 --script smtp-enum-users --script-args 'smtp-enum-users.methods={VRFY,EXPN,RCPT}' 10.10.1.19 -oN ~/enumeration_results/smtp_enum_10.10.1.19.txt
This command uses nmap with specific options and the smtp-enum-users script to perform SMTP enumeration on port 25 of the target IP 10.10.1.19. The results are saved to the file smtp_enum_10.10.1.19.txt in the ~/enumeration_results/ directory.
Example #2:
▪ "Perform SMTP enumeration on target IP 10.10.1.19 with Metasploit."
The following command is designed to automate SMTP enumeration tasks on the specified target IP:
msfconsole -q -x "use auxiliary/scanner/smtp/smtp_enum; set RHOSTS 10.10.1.19; run; exit"
This command uses msfconsole with the -q option to run Metasploit in quiet mode. The -x option is used to specify the commands to execute within Metasploit. It sets the target IP as 10.10.1.19 and executes the smtp_enum auxiliary module, which performs SMTP enumeration. These commands automate SMTP enumeration tasks and display the results for each command executed on the specified target IP 10.10.1.19.
DNS Enumeration using Zone Transfer
▪ If the target DNS server allows zone transfers, then attackers use this technique to obtain DNS server names, hostnames, machine names, usernames, IP addresses, aliases, etc. assigned within a target domain
▪ Attackers perform DNS zone transfer using tools such as nslookup, dig, and DNSRecon; if zone transfers are enabled on the target name server, it returns the zone's DNS information, otherwise it returns an error indicating that the transfer failed or was refused
▪ dig Command
Attackers use the dig command on Linux-based systems to query the DNS name servers and retrieve information about the target host addresses, name servers, mail exchanges, etc. As shown in the screenshot, attackers use the following command to perform DNS zone transfer:
dig ns <target domain>
The above command retrieves all the DNS name servers of the target domain. Next, attackers use one of the name servers from the output of the above command to test whether the target DNS allows zone transfers. They use the following command for this purpose:
dig @<domain of name server> <target domain> axfr
▪ nslookup Command
Source: https://docs.microsoft.com
Attackers use the nslookup command on Windows-based systems to query the DNS name servers and retrieve information about the target host addresses, name servers, mail exchanges, etc.
▪ DNSRecon
Source: https://github.com
Attackers use DNSRecon to check all NS records of the target domain for zone transfers. As shown in the screenshot, attackers use the following command for DNS zone transfer:
dnsrecon -t axfr -d <target domain>
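The zone-transfer test above is normally run with dig or DNSRecon. The following Python script is an added example (not from this module or from any of the tools named) that performs the same AXFR request from the standard library and classifies the first response, so the exchange is visible at the protocol level: a correctly configured authoritative server answers with RCODE 5 (REFUSED), whereas a misconfigured one starts returning records. The server and zone arguments are placeholders, and the constructed SAMPLE_REFUSED and SAMPLE_ALLOWED messages let the classifier run offline. Use it to verify the allow-transfer policy of name servers you administer.

```python
"""Verify that an authoritative name server refuses zone transfers.

Added example, not from the module or from dig/DNSRecon. It speaks enough
raw DNS (RFC 1035 header and question, TCP length framing) to send one AXFR
request and classify the first answer. Point it only at name servers you
administer.
"""
import socket
import struct

QTYPE_AXFR = 252
QCLASS_IN = 1
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}


def encode_name(name: str) -> bytes:
    """'example.com' -> 07 'example' 03 'com' 00 (uncompressed wire form)."""
    out = b""
    for label in name.strip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("invalid DNS label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_axfr_query(zone: str, txid: int = 0x1234) -> bytes:
    """12-byte header (QR=0, RD=0, QDCOUNT=1) followed by '<zone> IN AXFR'."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)


def parse_header(msg: bytes) -> dict:
    """Extract the header fields a transfer check needs."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an}


def judge_response(msg: bytes) -> str:
    """'refused:<RCODE>' is the desired outcome; 'transfer-allowed' is a finding."""
    hdr = parse_header(msg)
    if not hdr["qr"]:
        return "not-a-response"
    if hdr["rcode"] != 0:
        return "refused:" + RCODE_NAMES.get(hdr["rcode"], str(hdr["rcode"]))
    if hdr["ancount"] == 0:
        return "empty"
    return "transfer-allowed"


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection early")
        buf += chunk
    return buf


def axfr_check(server: str, zone: str, port: int = 53, timeout: float = 5.0) -> str:
    """Send one AXFR over TCP (2-byte length prefix) and judge the first message."""
    query = build_axfr_query(zone)
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(struct.pack("!H", len(query)) + query)
        (length,) = struct.unpack("!H", _recv_exact(sock, 2))
        return judge_response(_recv_exact(sock, length))


# Constructed responses (header plus echoed question, no records) showing the
# two outcomes: a server honouring allow-transfer, and one that starts sending.
_QUESTION = encode_name("example.com") + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)
SAMPLE_REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8005, 1, 0, 0, 0) + _QUESTION
SAMPLE_ALLOWED = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 3, 0, 0) + _QUESTION

if __name__ == "__main__":
    print("refused sample:", judge_response(SAMPLE_REFUSED))
    print("allowed sample:", judge_response(SAMPLE_ALLOWED))
```

A real transfer is a stream of DNS messages that begins and ends with the SOA record; judging the first message is enough for an audit, because a server that returns any answer records to an unauthorised client has already failed the check.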
DNS Cache Snooping
• DNS cache snooping is a DNS enumeration technique whereby an attacker queries the DNS server for a specific cached DNS record
DNSSEC Zone Walking
▪ DNSSEC zone walking is a DNS enumeration technique where an attacker attempts to obtain internal records of the DNS server if the DNS zone is not properly configured
▪ Attackers use tools, such as LDNS and DNSRecon, to exploit this vulnerability and obtain the network information of a target domain and further launch Internet-based attacks
DNSSEC Zone Walking Tools
DNSSEC zone walking tools are used to enumerate the target domain’s DNS record files. These tools can also perform zone enumeration on NSEC and NSEC3 record files and further use the gathered information to launch attacks such as denial-of-service (DoS) attacks and phishing attacks.
▪ LDNS
Source: https://www.nlnetlabs.nl
LDNS-walk enumerates the DNSSEC zone and obtains results on the DNS record files. As shown in the screenshot, attackers use the following query to enumerate a target domain iana.org using the DNS server 8.8.8.8 to obtain DNS record files:
ldns-walk @<IP of DNS Server> <Target domain>
▪ DNSRecon
Source: https://www.github.com
DNSRecon is a zone enumeration tool that assists users in enumerating DNS records such as A, AAAA, and CNAME. It also performs NSEC zone enumeration to obtain DNS record files of a target domain.
As shown in the screenshot, attackers use the following query to perform zone enumeration against a target domain certifiedhacker.com:
dnsrecon -d <target domain> -z
DNS Enumeration Using OWASP Amass
OWASP Amass is a DNS enumeration tool that allows attackers to map the target network and discover potential attack surfaces
Attackers can execute the following command to enumerate DNS information from the target network:
amass enum -d <Target Domain>
Other OWASP Amass commands for DNS enumeration:
▪ Run the following command to perform a passive enumeration:
amass enum -passive -d <Target Domain> -src
▪ Run the following command to perform an active enumeration through brute-forcing with a specified wordlist:
amass enum -active -d <Target Domain> -brute -w /usr/share/wordlists/amass/all.txt
▪ Run the following command to track or compare the last two enumeration scans performed on the target domain:
amass track -config /root/amass/config.ini -dir amass4owasp -d <Target Domain> -last 2
▪ Run the following command to display the results of enumeration stored in amass database (amass4owasp): amass db -dir amass4owasp -list
▪ Run the following command to create a d3-force HTML visual graph: amass viz -d3 -dir amass4owasp
DNS and DNSSEC Enumeration Using Nmap
DNS Enumeration
Attackers use Nmap for scanning domains and obtaining a list of subdomains, records, IP addresses, and other valuable information from the target host
DNSSEC Enumeration
Attackers enumerate DNSSEC using Nmap dns-nsec-enum.nse or dns-nsec3-enum.nse scripts to obtain information related to domains and their sub-domains
DNS Enumeration Using Nmap
Attackers use Nmap to scan domains and obtain a list of subdomains, records, IP addresses, and other valuable information from the target host.
▪ Run the following command to list all the available services on the target host:
nmap --script=broadcast-dns-service-discovery <Target Domain>
▪ Execute the following command to retrieve all the subdomains associated with the target host:
nmap -T4 -p 53 --script dns-brute <Target Domain>
▪ Run the following command to check whether DNS recursion is enabled on the target server:
nmap -Pn -sU -p 53 --script=dns-recursion 192.168.1.150
DNS Security Extensions (DNSSEC) Enumeration using Nmap
DNSSEC provides security for DNS queries and responses. Attackers enumerate DNSSEC using the dns-nsec-enum.nse or dns-nsec3-enum.nse NSE scripts to obtain information related to domains and their subdomains.
▪ Execute the following command to retrieve the list of subdomains associated with the target domain:
nmap -sU -p 53 --script dns-nsec-enum --script-args dns-nsec-enum.domains=eccouncil.org <target>
The following are some of the additional DNS enumeration tools:
▪ Knock (https://github.com)
▪ Raccoon (https://github.com)
▪ Subfinder (https://github.com)
▪ Turbolist3r (https://github.com)
DNS Enumeration with Nmap using AI
Attackers can leverage AI-powered technologies to enhance and automate their network enumeration tasks. With the aid of AI, attackers can effortlessly perform DNS enumeration and gather DNS information on target domains. Attackers can use ChatGPT to perform this task by using appropriate prompts such as: “Use Nmap to perform DNS Enumeration on target domain www.certifiedhacker.com”
DNS Cache Snooping using AI
Attackers can leverage AI-powered technologies to enhance and automate their network enumeration tasks. With the aid of AI, attackers can effortlessly perform DNS cache snooping on a target domain.
Example #1: Attackers can use ChatGPT to perform this task by using appropriate prompts such as: “Use dig command to perform DNS cache snooping on target domain www.certifiedhacker.com using recursive method. Use DNS server IP as 162.241.216.11.”
Example #2: Similarly, attackers can automate DNS cache snooping on the specified target domain using the non-recursive method.
6. Other Enumeration Techniques
This section discusses IPsec, VoIP, RPC, Unix/Linux user, Telnet, SSH user, and SMB enumeration.
IPsec Enumeration
IPsec is the most commonly implemented technology for both gateway-to-gateway (LAN-to-LAN) and host-to-gateway (remote access) enterprise VPN solutions. IPsec provides data security by employing various components such as Encapsulating Security Payload (ESP), Authentication Header (AH), and Internet Key Exchange (IKE) to secure communication between VPN endpoints.
Most IPsec-based VPNs use the Internet Security Association and Key Management Protocol (ISAKMP), a part of IKE, to establish, negotiate, modify, and delete Security Associations (SA) and cryptographic keys in a VPN environment. Attackers can perform simple direct scanning for ISAKMP at UDP port 500 with tools such as Nmap to acquire information related to the presence of a VPN gateway. The following command can be used to perform an Nmap scan for checking the status of ISAKMP over port 500:
# nmap -sU -p 500 <target IP address>
The following command is used for initial IPsec VPN discovery with the ike-scan tool:
# ike-scan -M <target gateway IP address>
ike-scan
Source: https://github.com
ike-scan discovers IKE hosts and can fingerprint them using the retransmission backoff pattern.
IPsec Enumeration with AI
Attackers can leverage AI-powered technologies to enhance and automate their network enumeration tasks. With the aid of AI, attackers can effortlessly perform IPsec enumeration on the target domain.
For example, an attacker can use ChatGPT to perform this task by using an appropriate prompt such as:
▪ “Perform IPsec enumeration on target IP 10.10.1.22 with nmap”.
VoIP Enumeration
VoIP is an advanced technology that has replaced the conventional public switched telephone network (PSTN) in both corporate and home environments. VoIP uses Internet infrastructure to establish connections for voice calls; data are also transmitted on the same network. However, VoIP is vulnerable to TCP/IP attack vectors. Session Initiation Protocol (SIP) is one of the protocols used by VoIP for performing voice calls, video calls, etc. over an IP network. This SIP service generally uses UDP/TCP ports 2000, 2001, 5060, and 5061. Attackers use Svmap and Metasploit tools to perform VoIP enumeration. Through VoIP enumeration, attackers can gather sensitive information such as VoIP gateway/servers, IP-private branch exchange (PBX) systems, and User-Agent IP addresses and user extensions of client software (softphones) or VoIP phones. This information can be used to launch various VoIP attacks such as DoS attacks, session hijacking, caller ID spoofing, eavesdropping, spam over Internet telephony (SPIT), and VoIP phishing (Vishing).
▪ Svmap
RPC Enumeration
The remote procedure call (RPC) is a technology used for creating distributed client/server programs. RPC allows clients and servers to communicate in distributed client/server programs. It is an inter-process communication mechanism that enables data exchange between different processes. In general, RPC consists of components such as a client, a server, an endpoint, an endpoint mapper, a client stub, and a server stub, along with various dependencies. The portmapper service listens on TCP and UDP port 111 to detect the endpoints and present clients with details of listening RPC services. Enumerating RPC endpoints enables attackers to identify any vulnerable services on these service ports. In networks protected by firewalls and other security controls, this portmapper is often filtered. Therefore, attackers scan wide port ranges to identify RPC services that are open to direct attack. Attackers use the following Nmap scan commands to identify the RPC services running on the network:
# nmap -sR <target IP/network>
# nmap -T4 -A <target IP/network>
Unix/Linux User Enumeration
One of the important steps for enumeration is to perform Unix/Linux user enumeration. Unix/Linux user enumeration provides a list of users along with details such as the username, host name, and start date and time of each session.
The following command-line utilities can be used to perform Unix/Linux user enumeration.
▪ rusers
rusers displays a list of users who are logged in to remote machines or machines on the local network. It displays an output similar to the who command, but for the hosts/systems on the local network. Its syntax is as follows:
/usr/bin/rusers [-a] [-l] [-u| -h| -i] [Host ...]
▪ rwho
rwho displays a list of users who are logged in to hosts on the local network. Its output is similar to that of the who command and contains information about the username, host name, and start date and time of each session for all machines on the local network running the rwho daemon. Its syntax is as follows:
rwho [-a]
▪ finger
finger displays information about system users such as the user’s login name, real name, terminal name, idle time, login time, office location, and office phone numbers. Its syntax is as follows:
finger [-l] [-m] [-p] [-s] [user ...] [user@host ...]
SMB Enumeration
Server Message Block (SMB) is a transport protocol that is generally used by Windows systems for providing shared access to files, printers, and serial ports as well as remote access to Windows services. By default, SMB runs directly on TCP port 445 or via the NetBIOS API on UDP ports 137 and 138 and TCP ports 137 and 139. By using the SMB service, users can access files and other data stored at a remote server. The SMB service also allows application users to read, write, and modify the files on the remote server. A network running this service is highly vulnerable to SMB enumeration, which provides a good amount of information about the target.
In SMB enumeration, attackers generally perform banner grabbing to obtain information such as OS details and versions of services running. By using this information, attackers can perform various attacks such as SMB relay attacks and brute-force attacks. Attackers can also use SMB enumeration tools such as Nmap, SMBMap, enum4linux, nullinux, SMBeagle and NetScanTool Pro to perform a directed scan on the SMB service running on port 445.
As shown in the screenshot, attackers use the following Nmap command to enumerate the SMB service running on the target IP address:
# nmap -p 445 -A <target IP>
SMB Enumeration with AI
Attackers can leverage AI-powered technologies to enhance and automate their network enumeration tasks. With the aid of AI, attackers can effortlessly perform SMB enumeration on target domains.
For example, an attacker can use ChatGPT to perform this task by using an appropriate prompt such as:
▪ “Scan the target IP 10.10.1.22 for the port using SMB with nmap”.
Create and Run Custom Script to Automate Network Enumeration Tasks with AI
▪ An attacker can also leverage AI-powered ChatGPT or other generative AI technology to automate various network enumeration tasks by creating a custom script that runs automatically and fetches the desired result. They can use appropriate prompts to create custom scripts, such as the one below:
• “Develop and execute a script which will automate network enumeration tasks on target IP range 10.10.1.0/24”
An attacker can use ChatGPT to perform this task by using an appropriate prompt such as:
→ “Develop and execute a script that will automate network enumeration tasks on target IP range 10.10.1.0/24”.
Enumeration Countermeasures
SNMP
• Remove the SNMP agent or turn off the SNMP service
• If turning off SNMP is not an option, then change the default community string names
• Upgrade to SNMPv3, which encrypts passwords and messages
• Implement the Group Policy security option called “Additional restrictions for anonymous connections”
▪ Ensure that access to null session pipes, null session shares, and IPsec filtering is restricted.
▪ Block access to TCP/UDP port 161.
▪ Do not install the management and monitoring Windows component unless required.
▪ Encrypt or authenticate using IPsec.
▪ Do not misconfigure the SNMP service with read-write authorization.
▪ Configure access-control lists (ACLs) for all SNMP connections to allow only legitimate users to access SNMP devices.
▪ Limit SNMP access to only those IP addresses or networks that require it for legitimate management purposes. This can be achieved through access control lists (ACLs) on the devices themselves or through network firewalls.
▪ Regularly audit the network traffic.
▪ Encrypt credentials using the “AuthNoPriv” mode, which uses MD5 and SHA for additional protection.
▪ Modify the registry to allow only restricted or permitted access to the SNMP community name.
▪ Change the default password and periodically change the current password.
▪ Identify all the SNMP devices with read/write permissions and provide read-only permissions to specific devices that do not require read/write permissions.
▪ Avoid using the “NoAuthNoPriv” mode as it does not encrypt communications.
▪ Implement role-based access control (RBAC) policies for SNMP communities or users.
▪ Configure SNMPv3 users in the cluster to enhance security with encryption and authentication.
▪ For devices still using SNMPv1 or SNMPv2c, change the default community strings (the equivalent of passwords for SNMP) from the default "public" and "private" to complex, unique values. Furthermore, restrict write access as much as possible.
▪ Keep management traffic, including SNMP, on a separate, secure VLAN or network segment. This limits the exposure of SNMP to potential eavesdroppers or attackers on the main network.
▪ If SNMP is not needed for network management tasks, consider disabling it entirely on devices. This eliminates the protocol as a potential source of information for attackers.
▪ Manufacturers often release updates that address security vulnerabilities in SNMP implementations. Regularly applying these updates can protect against exploitation.
▪ Implement monitoring and anomaly detection tools to alert on unusual SNMP traffic patterns, which could indicate enumeration or other malicious activities.
▪ Ensure SNMP access is logged, and regularly audit these logs for unauthorized access attempts or suspicious activities.
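The following Python script is an added example (not from this module) that checks a net-snmp snmpd.conf against the countermeasures above: default community strings, communities that accept requests from any source address, read-write communities, and SNMPv3 users permitted at a security level below priv. The configuration text is a constructed sample, and the directive syntax it understands is the net-snmp one (rocommunity/rwcommunity, com2sec, rouser/rwuser).

```python
"""Audit a net-snmp snmpd.conf for the community-string and SNMPv3 weaknesses
listed in the SNMP countermeasures.

Added example, not from the module. It understands the directives
'rocommunity/rwcommunity COMMUNITY [SOURCE ...]', 'com2sec NAME SOURCE COMMUNITY'
and 'rouser/rwuser USER [noauth|auth|priv]'.
"""
from typing import List, Tuple

DEFAULT_COMMUNITIES = {"public", "private"}
COMMUNITY_DIRECTIVES = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"}
USER_DIRECTIVES = {"rouser", "rwuser"}


def audit_snmpd(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, directive, problem) triples for risky settings."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive in COMMUNITY_DIRECTIVES:
            community = parts[1] if len(parts) > 1 else ""
            # SOURCE is the optional third token unless it is a '-V view' option.
            source = parts[2] if len(parts) > 2 and not parts[2].startswith("-") else "default"
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append((lineno, directive, "default community string %r" % community))
            if source == "default":
                findings.append((lineno, directive, "community accepted from any source address"))
            if directive.startswith("rw"):
                findings.append((lineno, directive, "read-write community; prefer read-only or SNMPv3"))
        elif directive == "com2sec" and len(parts) >= 4:
            source, community = parts[2], parts[3]
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append((lineno, directive, "default community string %r" % community))
            if source.lower() == "default":
                findings.append((lineno, directive, "community accepted from any source address"))
        elif directive in USER_DIRECTIVES and len(parts) >= 2:
            level = parts[2].lower() if len(parts) > 2 else "auth"  # net-snmp default level
            if level == "noauth":
                findings.append((lineno, directive, "SNMPv3 user %r allowed without authentication" % parts[1]))
            elif level != "priv":
                findings.append((lineno, directive, "SNMPv3 user %r not required to use privacy (encryption)" % parts[1]))
    return findings


# Constructed sample snmpd.conf mixing acceptable lines with common mistakes.
SAMPLE_SNMPD_CONF = """\
# snmpd.conf (constructed sample)
rocommunity public
rwcommunity private 192.0.2.0/24
rocommunity n0t-gu3ss4bl3 192.0.2.10 -V systemonly
com2sec readonly default public
rouser monitor priv
rouser legacy noauth
rwuser ops
"""

if __name__ == "__main__":
    for lineno, directive, problem in audit_snmpd(SAMPLE_SNMPD_CONF):
        print("line %d (%s): %s" % (lineno, directive, problem))
```

Only two lines of the sample pass: the read-only community bound to a single management host and restricted to a view, and the SNMPv3 user required to use priv. Everything else is exactly what an SNMP enumeration tool with the default "public"/"private" wordlist would pick up.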
LDAP
• By default, LDAP traffic is transmitted unsecured; use SSL or STARTTLS technology to encrypt the traffic
• Select a username different from your email address and enable account lockout
• Use NT LAN Manager (NTLM), Kerberos, or any basic authentication mechanism to limit access to legitimate users
▪ Log access to Active Directory (AD) services.
▪ Block users from accessing certain AD entities by changing the permissions on those objects/attributes.
▪ Deploy canary accounts, which resemble real accounts, to mislead attackers.
▪ Create decoy groups with the word “Admin” in the name to mislead attackers. Attackers typically search for LDAP admin accounts.
▪ Enable multi-factor authentication (MFA) for accessing LDAP directories. This adds an additional layer of security, making it harder for attackers to gain unauthorized access using compromised credentials.
▪ Disable anonymous binds to the LDAP directory unless absolutely necessary for the organization's operation. This ensures that only authenticated users can query the LDAP server.
▪ Configure ACLs to limit what authenticated users can see and do. ACLs can restrict access to sensitive information based on the user’s credentials and their need to know.
▪ Ensure that all LDAP queries and modifications are logged. Regularly review these logs for unusual or unauthorized access patterns, which could indicate an enumeration attempt or other malicious activities.
▪ Employ monitoring tools capable of detecting abnormal LDAP query patterns. Such tools can alert administrators to potential enumeration or attack attempts in real-time.
▪ Place LDAP servers within a secure network segment, accessible only to those systems and users that require access. This can limit the attack surface and reduce the potential for unauthorized access.
▪ Configure firewalls to restrict LDAP traffic to and from authorized systems only. This includes blocking unnecessary external access to LDAP services.
▪ Enforce strong password policies for accounts that have access to LDAP. This minimizes the risk of brute-force or credential stuffing attacks.
NFS
• Implement proper permissions (read/write must be restricted to specific users) on exported file systems
• Implement firewall rules to block NFS port 2049
• Ensure proper configuration of files, such as /etc/smb.conf, /etc/exports, and /etc/hosts.allow, to protect the data stored in servers
▪ Review and update the /etc/exports file to ensure that only authorized hosts can access shared directories.
▪ Use /etc/hosts.allow and /etc/hosts.deny files to define which hosts or networks are allowed or denied access to NFS services.
• Log the requests to access the system files on the NFS server
▪ Restrict access to Active Directory (AD) by using software such as Citrix.
▪ Keep the root_squash option in the /etc/exports file turned ON so that no requests made as root on the client are trusted.
▪ Implement NFS tunneling through SSH to encrypt the NFS traffic over the network.
▪ Implement the principle of least privilege to mitigate threats such as data modification, data addition, and the modification of configuration files by normal users.
▪ Ensure that users are not running suid and sgid on the exported file system.
▪ Ensure that the NIS netgroup has a fully defined hostname to prevent the granting of higher access to other hosts.
▪ Configure deep packet inspection (DPI) firewall to monitor all NFS traffic, irrespective of port number.
▪ Implement Kerberos authentication for NFS to ensure that both the client and server authenticate each other securely. This can help prevent unauthorized access.
▪ NFSv4 includes support for stronger security features than its predecessors, including the ability to use Kerberos for encryption and authentication. Migrating to NFSv4 can significantly enhance security.
▪ Keep NFS servers and clients within a secure, segmented part of the network to limit access from unauthorized network segments.
▪ Configure firewalls to restrict NFS traffic to and from authorized systems only. Blocking unnecessary external access to NFS services can prevent unauthorized discovery and access.
▪ Regularly monitor NFS server access logs for unusual access patterns or access attempts from unauthorized hosts. This can help in early detection of enumeration or attack attempts.
▪ Use file system auditing tools to monitor and log access to NFS shares. Auditing can help identify unauthorized access or modifications to sensitive files.
▪ Regularly update and patch the NFS server software and client systems to protect against known vulnerabilities that could be exploited during enumeration or attacks.
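The following Python script is an added example (not from this module) that audits an /etc/exports file for the conditions the NFS countermeasures above call out: exports open to every host, no_root_squash, read-write access granted to wildcard host patterns, and the insecure option. The file contents are a constructed sample; the parser follows the exports(5) syntax, in which a bare path or a parenthesised option list with no host means the export is available to everyone.

```python
"""Audit /etc/exports for NFS settings that undo the countermeasures above.

Added example, not from the module. It parses exports(5) lines of the form
'/path client(options) client(options) ...'. root_squash is the default, so
its absence is not reported; its explicit negation (no_root_squash) is.
"""
import re
from typing import List, Tuple

Client = Tuple[str, List[str]]
CLIENT_RE = re.compile(r"([^()]*)(?:\(([^()]*)\))?")


def parse_exports(text: str) -> List[Tuple[str, List[Client]]]:
    """Return [(path, [(host_spec, [option, ...]), ...]), ...], ignoring comments."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        path, clients = parts[0], []
        for tok in parts[1:]:
            m = CLIENT_RE.fullmatch(tok)
            if m is None:
                continue  # malformed token (unbalanced parentheses)
            host = m.group(1) or "*"  # "(ro)" with no host means every host
            opts = [o for o in (m.group(2) or "").split(",") if o]
            clients.append((host, opts))
        if not clients:
            clients.append(("*", []))  # bare path: exported to the world with defaults
        exports.append((path, clients))
    return exports


def audit_exports(text: str) -> List[Tuple[str, str, str]]:
    """Return (path, host_spec, problem) triples for risky export entries."""
    findings = []
    for path, clients in parse_exports(text):
        for host, opts in clients:
            wildcard = host.startswith("*")
            if host == "*":
                findings.append((path, host, "exported to every host"))
            if "no_root_squash" in opts:
                findings.append((path, host, "no_root_squash: client root keeps root on the server"))
            if "rw" in opts and wildcard:
                findings.append((path, host, "rw granted to a wildcard host pattern"))
            if "insecure" in opts:
                findings.append((path, host, "insecure: requests from unprivileged source ports accepted"))
    return findings


# Constructed sample; only the first export follows the countermeasures.
SAMPLE_EXPORTS = """\
# /etc/exports (constructed sample)
/srv/projects 192.0.2.0/24(rw,sync,root_squash)
/srv/public   *(ro,sync)
/srv/scratch  *.example.com(rw,no_root_squash,insecure)
/srv/backup   (rw)
"""

if __name__ == "__main__":
    for path, host, problem in audit_exports(SAMPLE_EXPORTS):
        print("%-14s %-16s %s" % (path, host, problem))
```

Run it against the live file (for example by passing open("/etc/exports").read()) after every change to the export list, or from a configuration-management check; the /srv/scratch entry in the sample is the combination that turns an NFS enumeration finding into a root-level compromise.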
SMTP
Configure SMTP servers to:
▪ Exclude sensitive mail server and local host information in mail responses
▪ Ignore email messages to unknown recipients.
▪ Exclude sensitive information on mail servers and local hosts in mail responses.
▪ Disable the open relay feature.
▪ Limit the number of accepted connections from a source to prevent brute-force attacks.
▪ Disable the EXPN, VRFY, and RCPT TO commands or restrict them to authentic users.
▪ Ignore emails to unknown recipients by configuring SMTP servers.
▪ Identify spammers through machine learning (ML) solutions.
▪ Do not share internal IP/host information or mail relay system information.
▪ Implement sender policy framework (SPF), domain keys identified mail (DKIM), and domain-based message authentication, reporting & conformance (DMARC).
▪ Configure the SMTP server to provide limited information in error messages. Verbose responses can provide attackers with clues about the server configuration or valid user accounts.
▪ Use ACLs to restrict the use of certain SMTP commands to authorized users or IP addresses. This can prevent anonymous or unauthorized users from attempting to enumerate user information.
▪ Ensure that the SMTP server requires authentication before allowing access to any information or the ability to send emails. This can help prevent anonymous enumeration attempts.
▪ Use transport layer security (TLS) to encrypt communication with the SMTP server. This ensures that any data exchanged with the server, including authentication credentials, is encrypted.
▪ Ensure that the SMTP server logs access attempts and commands used. Regular review of these logs can help identify suspicious activity or attempted enumeration.
▪ Use security tools that can analyze log files and detect unusual patterns of behavior, such as a high number of failed login attempts, which may indicate an enumeration attempt.
▪ Use firewalls to control access to the SMTP server, allowing only trusted IP addresses or networks to connect.
▪ Implement rate limiting to restrict the number of requests that an IP address can make to the SMTP server within a certain timeframe. This can help mitigate brute-force attacks.
SMB
▪ Ensure that Windows Firewall or similar endpoint protection systems are enabled on the system.
▪ Install the latest security patches for Windows and third-party software.
▪ Implement a proper authentication mechanism with a strong password policy.
▪ Implement strong permissions to keep the stored information safe.
▪ Perform regular audits of system logs.
▪ Perform active system monitoring to monitor the systems for any malicious incident.
▪ Implement secure VPNs to secure the organizational data during remote access.
▪ Employ file behavioral analysis systems such as next-generation firewalls (NGFWs) to observe traffic patterns and obtain timely analysis reports on SMB resources.
▪ Employ highly robust and secure monitoring systems such as global threat sensors for highly sensitive and top-secret data.
▪ Implement digitally signed data transmission and communication for accessing SMB resources.
▪ Block/disable TCP ports 88, 139, and 445 and UDP ports 88, 137, and 138 to prevent SMB attacks.
▪ Enable public profile settings in the firewall system.
▪ Block/disable the SMB protocol for Internet-facing servers.
▪ Ensure that SMB is disabled on Internet-facing web servers and DNS servers.
▪ Ensure that all systems are using SMBv3 or higher, which includes enhancements to security features, including encryption. Avoid using SMBv1, which is outdated and vulnerable.
▪ Configure ACLs to restrict access to SMB shares only to users who require it. Review and tighten permissions regularly.
▪ Use the least privilege principle to ensure users and services operate with the minimum necessary permissions, reducing the potential impact of compromised accounts.
▪ Configure SMB servers to log access attempts and changes to shared resources. Regularly review logs for suspicious activity.
DNS
▪ Restrict resolver access: Ensure that the resolver can be accessed only by the hosts inside the network to prevent external cache poisoning.
▪ Randomize source ports: Ensure that the request packets exiting the network use random ports, rather than UDP port 53. In addition, randomize the query IDs and change the alphabet case of domain names to defend against cache poisoning.
▪ Audit DNS zones: Audit DNS zones to identify vulnerabilities in domains and subdomains and address DNS-related issues.
▪ Patch known vulnerabilities: Update and patch nameservers with the most recent versions of software such as BIND and Microsoft DNS.
▪ Monitor nameservers: Monitor the behavior of nameservers to identify malicious activities or unexpected behaviors at the earliest.
▪ Restrict DNS zone transfers: Restrict DNS zone transfers to specific slave nameserver IP addresses because the zone transfer may include a master copy of the primary server’s database. Disable DNS zone transfers to untrusted hosts.
▪ Use different servers for authoritative and resolving functions: Separating the functions of the resolver and authoritative nameserver can reduce overload and prevent denial of service (DoS) attacks on domains.
▪ Use isolated DNS servers: Avoid hosting the application server along with the DNS server. Use an isolated and dedicated server for DNS services to minimize the risk of web application attacks.
▪ Disable DNS recursion: Disable DNS recursion in the DNS server configuration to restrict recursive queries from other or third-party domains and mitigate DNS amplification and poisoning attacks.
▪ Harden the OS: Harden the OS by closing unused ports and blocking unnecessary services.
▪ Use VPN: Use a VPN for secure communication. In addition, change default passwords.
▪ Implement two-factor authentication: Enforce two-factor authentication to provide secure access when a DNS server is managed by a third party.
▪ Use DNS change lock: Use DNS change lock or client lock to restrict the alteration of DNS settings without appropriate authorization.
▪ Use DNSSEC: Implement DNSSEC as an additional layer of security for the DNS server to allow only digitally signed DNS requests and mitigate DNS hijacking.
▪ Use premium DNS registration: Use premium DNS registration services that hide sensitive information, such as host information (HINFO), from the public.
▪ Secure DNS queries/encrypt DNS traffic: Consider using DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT) to encrypt DNS queries and responses. This helps prevent eavesdropping and man-in-the-middle attacks that could facilitate DNS enumeration.
▪ Enable DNS logging and monitoring: Enable logging on DNS servers to record queries and responses. Regular monitoring and analysis of these logs can help identify suspicious patterns that may indicate enumeration attempts.
▪ Employ anomaly detection: Employ anomaly detection systems to automatically flag unusual DNS query volumes or patterns, which could signify enumeration or other DNS attacks.
▪ Implement rate limiting: Configure DNS servers to limit the rate of accepted queries from individual IP addresses. This can mitigate the effectiveness of brute-force enumeration techniques.
▪ Split DNS architecture: Implement a split DNS architecture, where internal DNS queries are handled by a separate DNS server from those coming from external sources. This limits the exposure of internal network structure to the outside world.
▪ Use minimal DNS information: Be cautious about the amount of information shared through DNS records. For instance, avoid using descriptive subdomain names that reveal internal network details or server purposes.
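Both zone-transfer requests (restricted above) and cache snooping (described earlier under DNS Cache Snooping) leave a signature in the name server's query log, which is what the logging and anomaly-detection countermeasures above rely on. The following Python script is an added example (not from this module) that scans constructed lines in the format of BIND 9's "queries" logging category and reports any AXFR/IXFR request from an address that is not a configured secondary, and any client whose queries are overwhelmingly non-recursive (the flags field starts with "-" rather than "+"), which is how cache snooping looks from the server side. The IP addresses, domain names and the client handle are constructed sample values.

```python
"""Spot zone-transfer and cache-snooping attempts in BIND 9 query logs.

Added example, not from the module. The log lines below are constructed in
the format of BIND's 'queries' logging category. A zone transfer request is
logged with qtype AXFR; the first character of the flags field is '+' when
recursion was requested and '-' when it was not.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

LINE_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9A-Fa-f.:]+)#\d+ \([^)]*\): query: "
    r"(?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>[+-]\S*)"
)


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Return the client IP, question and recursion flag of one log line, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec: Dict[str, object] = m.groupdict()
    rec["recursion_desired"] = str(rec["flags"]).startswith("+")
    return rec


def detect(lines: Iterable[str], allowed_secondaries: Iterable[str],
           snoop_threshold: int = 5) -> List[Tuple[str, str, int]]:
    """Return (client_ip, finding, count) triples, sorted by client address."""
    allowed = set(allowed_secondaries)
    stats = defaultdict(lambda: {"total": 0, "nonrecursive": 0, "xfr": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[str(rec["ip"])]
        s["total"] += 1
        if not rec["recursion_desired"]:
            s["nonrecursive"] += 1
        if rec["qtype"] in ("AXFR", "IXFR"):
            s["xfr"] += 1
    findings = []
    for ip in sorted(stats):
        s = stats[ip]
        if s["xfr"] and ip not in allowed:
            findings.append((ip, "zone-transfer-request", s["xfr"]))
        # Snooping: many queries, nearly all of them with recursion switched off.
        if s["nonrecursive"] >= snoop_threshold and s["nonrecursive"] >= 0.8 * s["total"]:
            findings.append((ip, "possible-cache-snooping", s["nonrecursive"]))
    return findings


def _log(ip: str, qname: str, qtype: str, flags: str) -> str:
    """Build one constructed query-log line (timestamp and handle are filler)."""
    return ("01-Mar-2024 10:00:00.000 client @0x7f3a1c0b6b50 %s#53421 (%s): "
            "query: %s IN %s %s (198.51.100.1)" % (ip, qname, qname, qtype, flags))


SAMPLE_LOG = (
    # an ordinary stub resolver doing recursive lookups
    [_log("192.0.2.20", n, "A", "+E(0)K")
     for n in ("www.example.org", "mail.example.org", "cdn.example.net")]
    # one host asking non-recursively whether particular names are cached
    + [_log("192.0.2.10", n, "A", "-E(0)K")
       for n in ("bank.example", "vpn.example.com", "update.example.net",
                 "hr.example.org", "erp.example.com", "mail.example.com")]
    # the configured secondary pulling the zone (expected)
    + [_log("198.51.100.5", "example.com", "AXFR", "-ET")]
    # an unknown address attempting the same transfer
    + [_log("203.0.113.7", "example.com", "AXFR", "-ET")]
)

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG, allowed_secondaries={"198.51.100.5"}):
        print(finding)
```

The allowed_secondaries set should mirror the allow-transfer list in named.conf, so that a transfer request the server refused is still reported; a refused AXFR is a reconnaissance event worth correlating with other scanning from the same address.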
Other countermeasures to defend against DNS enumeration are as follows:
▪ Ensure that private hosts and their IP addresses are not published in the DNS zone files of the public DNS server.
▪ Use standard network admin contacts for DNS registrations to avoid social engineering attacks.
▪ Prune DNS zone files to avoid revealing unnecessary information.
▪ Maintain independent internal and external DNS servers.
▪ Ensure that old or unused DNS records are deleted periodically.
▪ Restrict version.bind request queries using ACLs. Remove or run BIND with the least privileges.
▪ Use /etc/hosts file for the development or staging of subdomains instead of using DNS records.
▪ Deploy DNS Firewalls to block malicious queries and protect against DNS-based threats by using threat intelligence to identify and prevent communication with known malicious domains.
▪ Periodically review and audit DNS configurations to ensure that they are secure and that only necessary DNS information is exposed to the public.