What is Enumeration: Enumeration is the process of extracting information from a target system to determine more of the configuration and environment present.
In many cases it is possible to extract information such as usernames, machine names, shares, and services from a system as well as other information, depending on the OS itself.
However, unlike with previous phases, you will be initiating active connections to a system in an effort to gather a wide range of information.
With this in mind, you will need to view enumeration as a phase that comes with a much greater chance of getting caught: every query you send can appear in the target's logs. Take extra effort to be precise lest you risk detection.
NOTE: Think carefully about each of the actions you take, and think several steps ahead in order to anticipate results and how to respond.
So why initiate active connections to a target? Simply put, it is the only way to learn additional information on top of what we gathered so far through Footprinting and scanning.
Through these active connections we can issue directed queries at a host, which return far more detail than passive footprinting can.
Having retrieved sufficient information, we can better assess the strengths and weaknesses of the system.
Information gathered during this phase generally falls into the following types:
- Network resources and shares
- Users and groups
- Routing tables
- Auditing and service settings
- Machine names
- Applications and banners
- SNMP and DNS details
So what options are available to an attacker performing enumeration? Let’s look at the techniques you will be using in this nugget:
Extracting Information from Email IDs: This technique is used to obtain username and domain name information from an email address or ID.
An email address has two parts: the text before the @ is the username (which is often the same as the account's login name), and the text after the @ is the domain name.
Obtaining Information through Default Passwords: Every device has default settings in place, and default passwords are part of this group.
It is not uncommon to find default settings either partially or wholly left in place, meaning that an attacker can easily gain access to the system and extract information as needed.
Using Brute-Force Attacks on Directory Services: A directory service is a database that contains information used to administer the network.
As such, it is a prime target for an attacker looking to gain extensive information about an environment.
Many directory services suffer from input validation weaknesses and other flaws that can be exploited to discover and compromise user accounts.
Exploiting SNMP: The Simple Network Management Protocol (SNMP) can be exploited by an attacker who can guess the community strings (SNMPv1 and v2c send them in cleartext, and vendor defaults such as public and private are frequently left in place) and use them to query the device for usernames, interfaces, routing tables, and other configuration details.
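To make the "guess the community string" point concrete, here is an added example (not code from the original page) that builds an SNMPv1 GetRequest for sysName.0 by hand and decodes the agent's GetResponse. Because there is no authentication beyond the community string, anyone who knows or guesses it gets the answer. The hand-rolled BER encoder is the author's own, the sample reply is constructed offline with build_get_response, and the host in probe_community is a hypothetical target.

```python
import socket

SYS_NAME = "1.3.6.1.2.1.1.5.0"    # sysName.0
SYS_DESCR = "1.3.6.1.2.1.1.1.0"   # sysDescr.0


def ber_len(n):
    """BER length octets: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + ber_len(len(body)) + body


def ber_int(v):
    """INTEGER (tag 0x02), minimal two's-complement encoding."""
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))


def ber_oid(oid):
    """OBJECT IDENTIFIER (tag 0x06) from dotted notation, base-128 sub-identifiers."""
    parts = [int(p) for p in oid.split(".")]
    body = bytearray([parts[0] * 40 + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        body += bytes(reversed(chunk))
    return tlv(0x06, bytes(body))


def snmp_get_request(community, oid, request_id=1):
    """SNMPv1 GetRequest: version 0, cleartext community, PDU with one varbind (OID + NULL)."""
    varbind = tlv(0x30, ber_oid(oid) + b"\x05\x00")
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode()) + pdu)


def build_get_response(community, oid, value, request_id=1):
    """What an agent sends back; used here only to construct an offline sample reply."""
    varbind = tlv(0x30, ber_oid(oid) + tlv(0x04, value))
    pdu = tlv(0xA2, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode()) + pdu)


def ber_decode(data, pos=0):
    """Decode one element at pos -> (tag, value, next_pos); constructed types give [(tag, value), ...]."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    body, end = data[pos:pos + length], pos + length
    if tag & 0x20:                         # SEQUENCE or PDU: decode children
        items, p = [], 0
        while p < len(body):
            t, v, p = ber_decode(body, p)
            items.append((t, v))
        return tag, items, end
    if tag == 0x02:
        return tag, int.from_bytes(body, "big", signed=True), end
    if tag == 0x06:
        parts, val = [body[0] // 40, body[0] % 40], 0
        for b in body[1:]:
            val = (val << 7) | (b & 0x7F)
            if not b & 0x80:
                parts.append(val)
                val = 0
        return tag, ".".join(map(str, parts)), end
    if tag == 0x05:
        return tag, None, end
    return tag, body, end                  # OCTET STRING and others: raw bytes


def parse_snmp_response(packet):
    """Return (community, error_status, {oid: value}) from a GetResponse message."""
    _, msg, _ = ber_decode(packet)
    community = msg[1][1].decode()
    pdu_tag, fields = msg[2]
    if pdu_tag != 0xA2:
        raise ValueError("not a GetResponse PDU")
    error_status = fields[1][1]
    varbinds = {oid: value for _, ((_, oid), (_, value)) in fields[3][1]}
    return community, error_status, varbinds


def probe_community(host, community, oid=SYS_NAME, port=161, timeout=2):
    """Send one GetRequest over UDP to a (hypothetical) host. Agents usually stay silent
    for an unknown community, so a timeout is the normal 'wrong string' signal."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(snmp_get_request(community, oid), (host, port))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_snmp_response(data)[2]


if __name__ == "__main__":
    sample = build_get_response("public", SYS_NAME, b"core-rtr-01")   # constructed agent reply
    print(parse_snmp_response(sample))
```

Note that the community string sits in the second field of every message in cleartext; anyone sniffing the segment learns it without guessing, which is why SNMPv3 with authPriv exists.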
Exploiting SMTP: The Simple Mail Transfer Protocol (SMTP) can be exploited by an attacker who connects to a mail server and uses commands such as VRFY, EXPN and RCPT TO to confirm which usernames exist; the server's reply codes tell valid accounts apart from invalid ones.
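The VRFY probe described above, as an added example that is not part of the original page. The FakeSmtpConn class is a constructed in-memory stand-in for a mail server so the code runs offline; vrfy_users works unchanged against a real socket, and vrfy_users_remote shows that call against a hypothetical host. The example also handles the common failure mode: a hardened server answers 252 to every VRFY, so the probe reports "ambiguous" instead of guessing.

```python
import socket

# Constructed account list for the fake server; no real host is involved.
FAKE_USERS = {"root", "postmaster", "alice"}


class FakeSmtpConn:
    """Minimal in-memory replacement for a socket connected to an SMTP server.

    With vrfy_enabled=True it answers like a permissive server (250 known, 550 unknown);
    with vrfy_enabled=False it answers 252 for everyone, like a hardened server.
    """

    def __init__(self, users, vrfy_enabled=True):
        self.users = users
        self.vrfy_enabled = vrfy_enabled
        self.buf = b"220 mail.example.test ESMTP\r\n"   # banner sent on connect

    def sendall(self, data):
        verb, _, arg = data.decode().strip().partition(" ")
        if verb == "HELO":
            self.buf += b"250 mail.example.test\r\n"
        elif verb == "VRFY":
            if not self.vrfy_enabled:
                self.buf += b"252 2.5.2 Cannot VRFY user, but will accept message\r\n"
            elif arg in self.users:
                self.buf += f"250 2.1.5 <{arg}@example.test>\r\n".encode()
            else:
                self.buf += b"550 5.1.1 User unknown\r\n"
        elif verb == "QUIT":
            self.buf += b"221 2.0.0 Bye\r\n"
        else:
            self.buf += b"502 5.5.2 Command not implemented\r\n"

    def recv(self, n):
        out, self.buf = self.buf[:n], self.buf[n:]
        return out

    def close(self):
        pass


def read_reply(conn):
    """Read one full SMTP reply. Continuation lines look like 'NNN-text'; the final line is 'NNN text'."""
    data = b""
    while True:
        chunk = conn.recv(4096)
        if not chunk:
            break
        data += chunk
        lines = data.split(b"\r\n")
        if len(lines) >= 2 and lines[-1] == b"" and lines[-2][3:4] == b" ":
            break
    return data.decode(errors="replace")


def vrfy_users(conn, candidates, helo="enum.example.test"):
    """Classify candidate names with VRFY -> {name: 'valid' | 'invalid' | 'ambiguous' | 'unknown'}."""
    read_reply(conn)                                   # banner
    conn.sendall(f"HELO {helo}\r\n".encode())
    read_reply(conn)
    results = {}
    for name in candidates:
        conn.sendall(f"VRFY {name}\r\n".encode())
        code = read_reply(conn)[:3]
        if code in ("250", "251"):
            results[name] = "valid"
        elif code == "252":
            # Server refuses to confirm (VRFY disabled or rate-limited). Hammering it
            # only adds log entries; fall back to RCPT TO or stop.
            results[name] = "ambiguous"
        elif code.startswith("5"):
            results[name] = "invalid"
        else:
            results[name] = "unknown"
    conn.sendall(b"QUIT\r\n")
    read_reply(conn)
    conn.close()
    return results


def vrfy_users_remote(host, candidates, port=25, timeout=5):
    """The same probe against a live server (hypothetical host; not exercised here)."""
    with socket.create_connection((host, port), timeout=timeout) as conn:
        return vrfy_users(conn, candidates)


if __name__ == "__main__":
    print(vrfy_users(FakeSmtpConn(FAKE_USERS), ["root", "alice", "bob"]))
    print(vrfy_users(FakeSmtpConn(FAKE_USERS, vrfy_enabled=False), ["root"]))
```

Each VRFY is one line in the mail log with your source address on it, which is the detection trade-off the section warns about; a small, well-chosen candidate list beats a dictionary.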
Working with DNS Zone Transfers: A zone transfer in DNS is a normal occurrence, but when this information falls into the wrong hands, the effect can be devastating.
A zone transfer (AXFR) is designed to replicate zone data between authoritative DNS servers; however, the zone lists every host record, mail exchanger and service locator, which maps out the network and provides valuable data about the structure of the environment. A server that answers AXFR requests from any client hands that map to the attacker.
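What an attacker does with a leaked zone, as an added example that is not part of the original page: parse the text that a command like `dig axfr example.test @ns1.example.test` prints and turn it into a network map (hosts per /24, server roles from NS/MX/SRV records, aliases, and which hosts are internet-facing). ZONE_TEXT is constructed sample data; example.test and every address in it are invented.

```python
import ipaddress
from collections import defaultdict

# Constructed zone data in the format dig prints for a successful AXFR.
ZONE_TEXT = """\
; <<>> DiG <<>> axfr example.test @ns1.example.test
example.test.                3600 IN SOA   ns1.example.test. hostmaster.example.test. 2024010101 3600 900 604800 86400
example.test.                3600 IN NS    ns1.example.test.
example.test.                3600 IN MX    10 mail.example.test.
ns1.example.test.            3600 IN A     10.10.1.2
mail.example.test.           3600 IN A     10.10.1.25
dc01.example.test.           3600 IN A     10.10.2.10
dc02.example.test.           3600 IN A     10.10.2.11
vpn.example.test.            3600 IN A     203.0.113.5
intranet.example.test.       3600 IN CNAME dc01.example.test.
_ldap._tcp.example.test.     3600 IN SRV   0 100 389 dc01.example.test.
_kerberos._tcp.example.test. 3600 IN SRV   0 100 88 dc01.example.test.
example.test.                3600 IN SOA   ns1.example.test. hostmaster.example.test. 2024010101 3600 900 604800 86400
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_zone(text):
    """Return [(owner, rtype, rdata_fields), ...] from 'owner ttl IN type rdata' lines; skip comments."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split()
        if len(fields) < 4 or fields[2] != "IN":
            continue
        records.append((fields[0].rstrip("."), fields[3], fields[4:]))
    return records


def map_network(records):
    """Group hosts by /24, attach roles implied by NS/MX/SRV, record aliases, flag public IPs."""
    hosts, aliases = {}, {}
    subnets = defaultdict(list)
    roles = defaultdict(set)
    for owner, rtype, rdata in records:
        if rtype == "A":
            ip = ipaddress.ip_address(rdata[0])
            hosts[owner] = str(ip)
            subnets[str(ipaddress.ip_network(f"{ip}/24", strict=False))].append(owner)
        elif rtype == "NS":
            roles[rdata[0].rstrip(".")].add("ns")
        elif rtype == "MX":
            roles[rdata[1].rstrip(".")].add("mx")          # rdata = [priority, host]
        elif rtype == "SRV":
            # _service._proto.zone -> "service/port" on the target host; SRV records
            # give away the directory and Kerberos layout of an Active Directory domain.
            service = owner.split(".")[0].lstrip("_")
            roles[rdata[3].rstrip(".")].add(f"{service}/{rdata[2]}")
        elif rtype == "CNAME":
            aliases[owner] = rdata[0].rstrip(".")
    external = sorted(n for n, ip in hosts.items()
                      if not any(ipaddress.ip_address(ip) in net for net in RFC1918))
    return {
        "hosts": hosts,
        "subnets": dict(subnets),
        "roles": {k: sorted(v) for k, v in roles.items()},
        "aliases": aliases,
        "external": external,
    }


if __name__ == "__main__":
    for key, value in map_network(parse_zone(ZONE_TEXT)).items():
        print(key, value)
```

From twelve records the attacker learns the server subnet (10.10.2.0/24), that dc01 is a domain controller (LDAP and Kerberos SRV targets), which host is reachable from the internet, and that "intranet" is just another name for the DC. Defenders should restrict AXFR to the secondary servers' addresses (or use TSIG) and treat a foreign AXFR request in the DNS log as a reconnaissance signal.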
Capturing User Groups: This technique involves extracting the user accounts that belong to specified groups, storing the results, and determining whether the accounts behind current sessions are members of those groups.
Retrieving System Policy Settings: In enterprise environments and others, there are frequently policy settings in place (password, account lockout, and audit policies, for example) that determine how security and related matters are handled.
The enumeration phase can sometimes retrieve these settings, giving you more insight into your target, such as how many guesses you can make before an account locks.