Fig 5: Ports to Enumerate
NetBIOS (Network Basic Input Output System) Enumeration:
A NetBIOS name is a unique sixteen-character ASCII string used to identify network devices over TCP/IP. Fifteen characters are used for the device name, and the sixteenth character identifies the service or name record type. The main purpose of NetBIOS is to let applications on different devices establish sessions for accessing shared resources, such as files, and identify one another over a local area network (LAN).
Attackers can use NetBIOS enumeration to obtain the following:
If port 139 is found open on a Windows host, an attacker can check which resources are visible on the remote system. Depending on the access settings, the attacker can then browse those resources and keep a session open to the system.
Nbtstat utility: displays protocol statistics, the NetBIOS name cache, and the NetBIOS name table.
SuperScan: a graphical user interface (GUI) tool used to enumerate Windows machines.
Net view: a command-line tool that lists the shared resources on a network.
Hyena: shows shares and user login names for Windows servers and domain controllers.
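To make the sixteenth byte concrete, here is an added example (not from the original article) that encodes and decodes NetBIOS names with the first-level encoding from RFC 1001 and maps the suffix byte to the service type an nbtstat name table shows; the sample names are constructed for the example.

```python
# NetBIOS suffix byte (the 16th character) -> service/record type it denotes.
SUFFIX_TYPES = {
    0x00: "Workstation Service",
    0x03: "Messenger Service",
    0x1B: "Domain Master Browser",
    0x1C: "Domain Controllers (group)",
    0x1D: "Master Browser",
    0x1E: "Browser Service Elections",
    0x20: "File Server Service",
}
ENCODED_CHARS = "ABCDEFGHIJKLMNOP"  # each nibble is sent as 'A' + nibble value


def encode_netbios_name(name, suffix):
    """First-level encode (RFC 1001 section 14.1): pad the name to 15 bytes,
    append the suffix byte, then split every byte into two A-P letters."""
    raw = name.upper().encode("ascii")
    if not 0 < len(raw) <= 15:
        raise ValueError("NetBIOS names are 1 to 15 characters")
    padded = raw.ljust(15, b" ") + bytes([suffix])
    return "".join(ENCODED_CHARS[b >> 4] + ENCODED_CHARS[b & 0x0F] for b in padded)


def decode_netbios_name(encoded):
    """Reverse the encoding; returns (name, suffix, service type)."""
    if len(encoded) != 32 or any(c not in ENCODED_CHARS for c in encoded):
        raise ValueError("expected 32 characters in the range A-P")
    nibbles = [ENCODED_CHARS.index(c) for c in encoded]
    raw = bytes((nibbles[i] << 4) | nibbles[i + 1] for i in range(0, 32, 2))
    name = raw[:15].rstrip(b" ").decode("ascii")
    return name, raw[15], SUFFIX_TYPES.get(raw[15], "unknown")


def summarise_name_table(encoded_names):
    """Group decoded names by service type, e.g. to see which hosts advertise
    file shares (<20>) or which name is the domain controller group (<1C>)."""
    table = {}
    for enc in encoded_names:
        name, suffix, kind = decode_netbios_name(enc)
        table.setdefault(kind, []).append(f"{name}<{suffix:02X}>")
    return table


# Constructed sample: FRED<00> (the worked example in RFC 1001) plus two more entries.
SAMPLE_NAMES = [
    "EGFCEFEE" + "CA" * 11 + "AA",
    encode_netbios_name("FILESRV01", 0x20),
    encode_netbios_name("CORP", 0x1C),
]
```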
SNMP (Simple Network Management Protocol) Enumeration:
SNMP is an application-layer protocol that runs over UDP and is used to monitor and manage routers, hubs, and switches on an IP network. SNMP agents are common on operating systems such as Windows, Linux, and UNIX servers as well as on network devices such as routers and switches.
SNMP holds two passwords to access and configure the SNMP agent from the management station:
Attackers take advantage of default community strings to extract information from a device. By enumerating SNMP they extract information about network resources such as routers, devices, and shares, and network details such as ARP tables, routing tables, traffic statistics, and so on.
Turn off the SNMP service.
Change the default community string names if turning off SNMP is not possible.
Use the most recent and secure version of SNMP (SNMPv3).
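As an added example, not part of the original article, the following Python check audits an snmpd.conf for the weak settings the countermeasures above target (default community strings, read-write communities, communities accepted from any source) and shows the SNMPv3 counterpart that passes; both configuration samples are constructed and the passphrases are placeholders.

```python
import re

# Constructed weak Net-SNMP snmpd.conf: default community strings, a
# read-write community, and no restriction on the source address.
WEAK_SNMPD_CONF = """\
# /etc/snmp/snmpd.conf (constructed example)
rocommunity public
rwcommunity private
com2sec readonly default public
"""

# Constructed hardened counterpart: one SNMPv3 user with authentication and
# privacy required, read-only access, and no v1/v2c community strings.
HARDENED_SNMPD_CONF = """\
# /etc/snmp/snmpd.conf (constructed example)
createUser monitor SHA "REPLACE-WITH-LONG-AUTH-PASSPHRASE" AES "REPLACE-WITH-LONG-PRIV-PASSPHRASE"
rouser monitor priv
"""

DEFAULT_COMMUNITIES = {"public", "private", "community", "manager", "admin"}
COMMUNITY_LINE = re.compile(r"^(r[ow]community6?)\s+(\S+)(?:\s+(\S+))?", re.I)
COM2SEC_LINE = re.compile(r"^com2sec6?\s+\S+\s+(\S+)\s+(\S+)", re.I)


def audit_snmpd_conf(text):
    """Return (line_no, finding) pairs for v1/v2c community directives that an
    attacker's enumeration would exploit: guessable strings, write access, and
    communities accepted from any source."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = COMMUNITY_LINE.match(line)
        if m:
            directive, community, source = m.group(1).lower(), m.group(2), m.group(3)
            if directive.startswith("rw"):
                findings.append((no, "read-write community permits configuration changes"))
            source = source or "default"
        else:
            m = COM2SEC_LINE.match(line)
            if not m:
                continue
            source, community = m.group(1), m.group(2)
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append((no, f"default community string '{community}'"))
        if source.lower() == "default":
            findings.append((no, "community accepted from any source address"))
    return findings
```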
LDAP (Lightweight Directory Access Protocol) Enumeration:
LDAP is used to access directory listings within Active Directory or other directory services. LDAP is often paired with DNS to allow quick lookups and fast resolution of queries. LDAP generally runs on port 389 and follows a distinct set of rules defined in RFCs. The LDAP service can often be queried anonymously, and useful data such as valid usernames, addresses, and departmental details can be identified that could be used in a brute-force or social-engineering attack.
Several LDAP enumeration tools retrieve directory listings from Active Directory or other directory services. Attackers use these tools to identify data such as usernames, addresses, and departmental details from various LDAP servers.
NTP (Network Time Protocol) Enumeration:
The Network Time Protocol synchronizes time across a network and is especially important when directory services are in use. It uses UDP port 123. NTP enumeration yields details such as the list of hosts connected to an NTP server, their IP addresses, system names, and the operating systems running on client systems in the network. Attackers query NTP servers to gather this information. NTP enumeration tools monitor the operation of the SNTP and NTP servers present in the network and help in configuring and verifying connectivity from the time client to the NTP servers.
SMTP (Simple Mail Transfer Protocol) Enumeration:
SMTP uses Mail Exchange (MX) servers, located through DNS, to route mail and runs on TCP port 25. Servers respond differently to commands for valid and invalid users, which allows valid users on an SMTP server to be listed. Attackers can connect to SMTP through a telnet prompt and probe several users.
Built-in SMTP commands are:
VRFY: used to validate users.
EXPN: shows the actual delivery addresses of aliases and mailing lists.
RCPT TO: defines the recipients of a message.
Emails from suspicious addresses should be ignored.
Disable the open relay feature.
Sensitive mail server and localhost information must be excluded from mail responses.
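Added example (not from the original article): detection logic that flags the VRFY/EXPN and RCPT TO user-enumeration pattern described above when run over a constructed SMTP session log. The log line format and the rejection threshold are assumptions of this example.

```python
from collections import defaultdict

# Constructed SMTP session log: "<client_ip> C:|S: <message>" per line.
SMTP_LOG = """\
203.0.113.7 C: VRFY alice
203.0.113.7 S: 250 2.1.5 <alice@example.com>
203.0.113.7 C: VRFY bob
203.0.113.7 S: 550 5.1.1 <bob@example.com>: User unknown
203.0.113.7 C: EXPN staff
203.0.113.7 S: 250 2.1.5 <alice@example.com>
203.0.113.7 C: RCPT TO:<carol@example.com>
203.0.113.7 S: 550 5.1.1 <carol@example.com>: User unknown
203.0.113.7 C: RCPT TO:<dave@example.com>
203.0.113.7 S: 550 5.1.1 <dave@example.com>: User unknown
203.0.113.7 C: RCPT TO:<erin@example.com>
203.0.113.7 S: 550 5.1.1 <erin@example.com>: User unknown
198.51.100.4 C: RCPT TO:<alice@example.com>
198.51.100.4 S: 250 2.1.5 Ok
198.51.100.4 C: DATA
198.51.100.4 S: 354 End data with <CR><LF>.<CR><LF>
"""


def detect_smtp_enumeration(log, rejected_threshold=3):
    """Flag clients that used VRFY/EXPN at all, or that collected at least
    `rejected_threshold` 5xx replies to RCPT TO without ever sending DATA
    (the fallback technique once VRFY/EXPN are disabled)."""
    stats = defaultdict(lambda: {"probes": 0, "rcpt_rejected": 0, "sent_data": False})
    awaiting = {}  # client -> kind of the last command still awaiting a reply
    for raw in log.splitlines():
        parts = raw.split(None, 2)
        if len(parts) != 3 or parts[1] not in ("C:", "S:"):
            continue
        client, side, text = parts
        cmd = text.upper()
        if side == "C:":
            if cmd.startswith(("VRFY", "EXPN")):
                stats[client]["probes"] += 1
                awaiting[client] = "probe"
            elif cmd.startswith("RCPT TO:"):
                awaiting[client] = "rcpt"
            else:
                stats[client]["sent_data"] |= cmd.startswith("DATA")
                awaiting[client] = None
        elif awaiting.get(client) == "rcpt" and text.startswith("5"):
            stats[client]["rcpt_rejected"] += 1
    return {c: dict(s) for c, s in stats.items()
            if s["probes"] or (s["rcpt_rejected"] >= rejected_threshold and not s["sent_data"])}
```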
DNS (Domain Name System) Enumeration using Zone Transfer:
DNS enumeration can be used to gather usernames, computer names, and IP addresses of potential target systems. DNS records reveal the types of resource records (database records) stored in the zone files. DNS zone transfer is used to replicate DNS data across several DNS servers or to back up DNS files. Attackers can request a DNS zone transfer while posing as a client. If anonymous zone transfers are allowed, all the DNS names and IP addresses hosted by the name server are returned in human-readable ASCII text. An attacker can thus collect a great deal of organizational data, including DNS server names, hostnames, machine names, usernames, IP addresses, and so on.
Disable zone transfers for untrusted hosts.
Take care that private hosts and their IP addresses are not published in the zone files of the public DNS server.
Use premium DNS registration services that hide sensitive information, such as host details, from the public.
Use standard network administrator contacts for DNS registration to avoid social-engineering attacks.
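Added example, not from the original article: an audit over a constructed zone file, in the form an unrestricted zone transfer would return it, that flags the private addresses and internal-looking host names the countermeasures above say must not appear in a public zone. The internal-name prefix list is a heuristic assumed for this example.

```python
import ipaddress
import re

# Constructed zone data as an unrestricted zone transfer of example.com would return it.
ZONE_TEXT = """\
$ORIGIN example.com.
$TTL 3600
@           IN  SOA   ns1.example.com. hostmaster.example.com. (2024010101 3600 900 604800 86400)
@           IN  NS    ns1.example.com.
@           IN  MX 10 mail.example.com.
www         IN  A     203.0.113.10
mail        IN  A     203.0.113.25
ns1         IN  A     203.0.113.53
dc01        IN  A     10.0.0.5        ; domain controller
vpn-gw      IN  A     192.168.1.1
backup      IN  CNAME dc01.example.com.
printer-hr  IN  A     172.16.4.20
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
A_RECORD = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?A\s+(\S+)\s*$", re.I)
# Heuristic (an assumption of this example): owner names that suggest internal roles.
INTERNAL_NAME = re.compile(r"^(dc|ad|ldap|vpn|backup|printer|sql|db|intranet)", re.I)


def audit_zone(zone_text, origin):
    """Return (fqdn, reasons) for records a public zone should not expose:
    A records with RFC 1918 addresses and owner names that look internal."""
    findings = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line or line.startswith(("$", "@")):
            continue
        owner = line.split()[0]
        fqdn = owner if owner.endswith(".") else f"{owner}.{origin}."
        reasons = []
        m = A_RECORD.match(line)
        if m:
            try:
                addr = ipaddress.ip_address(m.group(2))
            except ValueError:
                reasons.append(f"unparseable address {m.group(2)}")
            else:
                if any(addr in net for net in RFC1918):
                    reasons.append(f"private address {addr}")
        if INTERNAL_NAME.match(owner):
            reasons.append("internal-looking host name")
        if reasons:
            findings.append((fqdn, reasons))
    return findings
```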
Windows Enumeration:
This is a common type of enumeration in which a hacker targets desktop workstations running Windows. Files can then be accessed or altered, compromising confidentiality, and in some cases attackers can change the configuration of the desktop or the operating system.
Use built-in protections such as Windows Defender SmartScreen, Credential Guard, Device Guard, Windows Defender Antivirus, UEFI Secure Boot, Early Launch Anti-Malware, etc.
Enable enterprise certificate pinning.
Block untrusted fonts.
UNIX/Linux Enumeration:
This type of enumeration targets UNIX/Linux systems and can be used to fetch valuable information such as usernames, system addresses, network resources, shares, and other target characteristics. Command-line utilities for Linux user enumeration include users, rwho, and finger.
The kernel must be patched and kept up to date.
No service should run as root except in extreme cases, especially web, database, and file servers.
The SUID bit must not be set on any program that leads to a shell.
IPsec (VPN) Enumeration:
The presence of a Virtual Private Network (VPN) gateway can be identified by checking for ISAKMP (Internet Security Association and Key Management Protocol) on UDP port 500. The encryption and hashing algorithms, authentication type, key distribution algorithm, and other details can be noted on further investigation.