Enumeration

The document outlines the phases of ethical hacking, focusing on footprinting, scanning, and enumeration techniques. It details various methods for gathering information about targets, including IP identification, network topology, and service enumeration using tools like Nmap and enum4linux. Additionally, it discusses vulnerabilities associated with protocols such as SMB, Telnet, SMTP, and SNMP, along with countermeasures for enumeration risks.

Uploaded by Memoona Asif
Copyright © All Rights Reserved

Enumeration

Hassan 1
PHASES OF ETHICAL HACKING

FOOTPRINTING

Identify Target
  - Identify IP, network topology
  - DNS, subdomains, whois, web
  - Identify ASN (https://ipinfo.io/)
  - Identify servers if possible
  - Network information technologies
Identify Admins (whois)
  - https://lookup.icann.org/en/lookup
Gather Org Information
  - Gather passwords (Have I Been Pwned, BreachDirectory)
  - Gather employee emails, phone nos (theHarvester, hunter.io, LinkedIn)
  - Gather documents (Google dorks), e.g. army secret site:*.gov.in filetype:pdf

Scanning & Enumeration
SCANNING AND ENUMERATION

Identify Live hosts
  - Ping sweep (-sn)
  - netdiscover
Identify Open Ports
  - TCP ports
  - UDP ports
  - Scan for all ports
Identify services
  - Detect service version (-sV)
System Enumeration
  - Collect usernames, system names, emails etc.
Web Enumeration
  - Subdomains
  - Vhosts
  - DNS

Hack it
Enumeration

Services and Ports to Enumerate

NetBios Enumeration

Shares Enumeration

SMB Enumeration

- The security track record of the Server Message Block (SMB) protocol has been poor for many years. From unauthenticated SMB null sessions in Windows 2000 and XP to a plethora of SMB vulnerabilities over the years, SMB has had its fair share of action.
- Keeping this in mind, the SMB protocol has also been updated and improved in parallel with Windows releases.
- The NetBIOS service listens on TCP port 139, as well as several UDP ports. NetBIOS is an independent session layer protocol and service that allows computers on a local network to communicate with each other. While modern implementations of SMB can work without NetBIOS, NetBIOS over TCP (NBT) is required for backward compatibility, and these are often enabled together.
SMB Enumeration

- Nmap also offers many useful NSE scripts that we can use to discover and enumerate SMB services. We'll find these scripts in the /usr/share/nmap/scripts directory.
SMB Enumeration

sudo nmap -p 139,445 --script smb-os-discovery 192.168.204.136
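The command above prints one smb-os-discovery block per host. The Python script below is an added example (it is not part of the slides, and not nmap code) that parses those blocks into a small inventory and flags hosts whose reported OS is end of life. The scan text embedded in it is constructed for the example, with the "Key: value" lines laid out the way the script's output normally reads; the end-of-life list is an assumption to be aligned with your own asset policy.

```python
import re
from typing import Dict, List

# Constructed sample of nmap's smb-os-discovery output for two hosts. This is
# sample text written for this example, not real scan output.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 192.168.204.136
Host is up (0.00042s latency).

PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
| smb-os-discovery:
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   Computer name: xp-lab
|   NetBIOS computer name: XP-LAB\\x00
|   Workgroup: WORKGROUP\\x00
|_  System time: 2024-01-10T09:14:03+00:00

Nmap scan report for 192.168.204.140
Host is up (0.00051s latency).

PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
| smb-os-discovery:
|   OS: Windows Server 2019 Standard 17763 (Windows Server 2016 Standard 6.3)
|   OS CPE: cpe:/o:microsoft:windows_server_2019::-
|   Computer name: files01
|   NetBIOS computer name: FILES01\\x00
|   Domain name: corp.example
|_  System time: 2024-01-10T09:14:05+00:00
"""

# OS families that no longer receive security updates (assumed list for the
# example; adjust to your own policy).
END_OF_LIFE_MARKERS = ("Windows 2000", "Windows XP", "Windows Server 2003",
                       "Windows 7", "Windows Server 2008")


def parse_smb_os_discovery(text: str) -> List[Dict[str, str]]:
    """Turn nmap text output into one dict per host holding the smb-os-discovery fields."""
    hosts: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    in_script = False
    for line in text.splitlines():
        m = re.match(r"Nmap scan report for (\S+)", line)
        if m:
            current = {"ip": m.group(1)}
            hosts.append(current)
            in_script = False
            continue
        if line.startswith("| smb-os-discovery:"):
            in_script = True
            continue
        if in_script:
            # script lines look like "|   Key: value"; the last one starts with "|_"
            m = re.match(r"\|[_ ]\s+([^:]+):\s*(.*)", line)
            if not m:
                in_script = False
                continue
            key, value = m.group(1).strip(), m.group(2).strip()
            # nmap renders the NetBIOS padding byte as a literal "\x00"; drop it
            current[key] = value.replace("\\x00", "")
            if line.startswith("|_"):
                in_script = False
    return hosts


def flag_end_of_life(hosts: List[Dict[str, str]]) -> List[str]:
    """Return the IPs whose reported OS matches an end-of-life family."""
    return [h["ip"] for h in hosts
            if any(mk in h.get("OS", "") for mk in END_OF_LIFE_MARKERS)]


if __name__ == "__main__":
    inventory = parse_smb_os_discovery(SAMPLE_NMAP_OUTPUT)
    for h in inventory:
        print(h["ip"], h.get("Computer name"), "->", h.get("OS"))
    print("End-of-life hosts:", flag_end_of_life(inventory))
```

To use it on a real scan, save the nmap output to a file and pass its contents to parse_smb_os_discovery instead of the constant. The same fields (computer name, domain, OS) are what the enumeration phase collects, so keeping such an inventory is also how a defender knows which hosts still answer on 139/445 with an outdated OS.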

SMB Enumeration

enum4linux -a 192.168.204.136

Telnet and SMB Enumeration

Telnet

- The Telnet protocol (unencrypted) is an application layer protocol used to connect to another computer or device. Using Telnet, a user can log into another computer and access its terminal (console) to run programs, start batch processes, and perform system administration tasks remotely.
- The Telnet protocol is relatively simple. When a user connects, they will be asked for a username and password. Upon correct authentication, the user will access the remote system's terminal.
- Telnetd is a daemon that enables remote login and interaction with a system's command-line interface (Linux) over a network via the Telnet protocol.
Telnet

- HTTP sends and receives data as cleartext (not encrypted); therefore, you can use a simple tool, such as Telnet (or Netcat), to communicate with a web server and act as a "web browser".
- First, we connect to port 80 using telnet 10.10.172.67 80
- Next, we type GET /index.html HTTP/1.1 to retrieve the page index.html, or GET / HTTP/1.1 to retrieve the default page.
- Finally, we provide some value for the Host header, such as host: telnet, and hit the Enter/Return key twice.

SMTP Enumeration

- We can also gather information about a host or network from vulnerable mail servers. The Simple Mail Transfer Protocol (SMTP) supports several interesting commands, such as VRFY and EXPN.
- A VRFY request asks the server to verify an email address, while EXPN asks the server for the membership of a mailing list. These can often be abused to verify existing users on a mail server, which is useful information during a penetration test.
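To make the leak concrete from the server's side, here is an added Python model (not from the slides and not real mail-server code) of how a server answers VRFY and EXPN in both configurations: with the commands enabled, the reply differs for real and bogus accounts, which is what the probe exploits; with them disabled, every VRFY gets the non-committal 252 reply from RFC 5321 and EXPN gets 502, so the probe learns nothing. The user and list names are constructed for the example.

```python
from typing import List

# Constructed local directory for the example (not real accounts).
LOCAL_USERS = {"alice", "bob"}
MAILING_LISTS = {"staff": ["alice@example.test", "bob@example.test"]}


def handle_vrfy(arg: str, allow_vrfy: bool) -> str:
    """Reply to VRFY. Enabled: 250 for known users, 550 for unknown ones (the leak).
    Disabled: the RFC 5321 non-committal 252 reply for every address."""
    user = arg.strip().split("@")[0].lower()
    if not allow_vrfy:
        return "252 2.5.2 Cannot VRFY user, but will accept message and attempt delivery"
    if user in LOCAL_USERS:
        return f"250 2.1.5 {user}@example.test"
    return "550 5.1.1 User unknown"


def handle_expn(arg: str, allow_expn: bool) -> List[str]:
    """Reply to EXPN (mailing-list expansion). A hardened server answers 502."""
    name = arg.strip().lower()
    if not allow_expn:
        return ["502 5.5.1 EXPN command not implemented"]
    if name in MAILING_LISTS:
        members = MAILING_LISTS[name]
        # multi-line reply: every line but the last uses "250-" as separator
        return [f"250-{m}" for m in members[:-1]] + [f"250 {members[-1]}"]
    return ["550 5.1.1 List unknown"]


def run_session(commands: List[str], allow_vrfy: bool = False,
                allow_expn: bool = False) -> List[str]:
    """Replay client command lines against the handlers and collect the replies.
    Only VRFY, EXPN and QUIT are modelled; anything else gets 502."""
    replies: List[str] = []
    for cmd in commands:
        verb, _, arg = cmd.partition(" ")
        verb = verb.upper()
        if verb == "VRFY":
            replies.append(handle_vrfy(arg, allow_vrfy))
        elif verb == "EXPN":
            replies.extend(handle_expn(arg, allow_expn))
        elif verb == "QUIT":
            replies.append("221 2.0.0 Bye")
        else:
            replies.append("502 5.5.2 Command not implemented")
    return replies


def leaks_user_existence(allow_vrfy: bool) -> bool:
    """True when VRFY replies let a client tell a real account from a bogus one."""
    real = handle_vrfy("alice", allow_vrfy)
    bogus = handle_vrfy("nosuchuser", allow_vrfy)
    return real != bogus


if __name__ == "__main__":
    for enabled in (True, False):
        print(f"VRFY enabled={enabled}:", run_session(["VRFY alice", "VRFY nosuchuser"],
                                                      allow_vrfy=enabled))
        print("  leaks user existence:", leaks_user_existence(enabled))
```

The countermeasure is the hardened branch: on Postfix it corresponds to disable_vrfy_command = yes in main.cf (Postfix does not implement EXPN at all), and the 252 reply keeps legitimate mail flow unaffected while removing the distinguishing response.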

SNMP Enumeration

- Simple Network Management Protocol (SNMP) is not well understood by many network administrators. This often results in SNMP misconfigurations, which can result in significant information leaks.
- SNMP is based on UDP, a simple, stateless protocol, and is therefore susceptible to IP spoofing and replay attacks. Additionally, the commonly used SNMP versions 1, 2 and 2c offer no traffic encryption, meaning that SNMP information and credentials can be easily intercepted over a local network. Traditional SNMP versions also have weak authentication schemes and are commonly left configured with the default "public" and "private" community strings.
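The misconfiguration the slide describes is visible in the agent's own configuration. The Python audit below is an added example (not from the slides, and not a Net-SNMP tool) that reads a snmpd.conf in Net-SNMP syntax and reports v1/v2c communities, default "public"/"private" strings, write access, unrestricted sources, and SNMPv3 users configured without privacy. Both configuration texts are constructed for the example; the passphrases in the hardened one are placeholders.

```python
from typing import List, Tuple

DEFAULT_COMMUNITIES = {"public", "private"}

# Constructed snmpd.conf showing the weak setup: v1/v2c communities, the
# default "public" string readable from anywhere, and a writable "private".
WEAK_CONFIG = """\
# sample snmpd.conf (constructed for this example)
agentAddress udp:161
rocommunity public
rwcommunity private 10.0.0.0/8
com2sec readonly default s3cret
syslocation Lab
syscontact admin@example.test
"""

# Same agent with the countermeasures applied: no v1/v2c communities, an
# SNMPv3 user with authentication and privacy, read-only access, and the agent
# bound to specific addresses. Passphrases are placeholders.
HARDENED_CONFIG = """\
agentAddress udp:127.0.0.1:161,udp:10.0.0.5:161
createUser monitor SHA "Str0ngAuthPass!" AES "Str0ngPrivPass!"
rouser monitor priv
syslocation Lab
syscontact admin@example.test
"""

V1V2C_DIRECTIVES = ("rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6")
V1V2C_MSG = "v1/v2c community in use (no encryption); prefer SNMPv3"


def audit_snmpd_conf(text: str) -> List[Tuple[int, str]]:
    """Return (line number, finding) pairs for weak settings in a Net-SNMP config."""
    findings: List[Tuple[int, str]] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive in V1V2C_DIRECTIVES:
            # syntax: rocommunity COMMUNITY [SOURCE [OID | -V VIEW]]
            community = parts[1] if len(parts) > 1 else ""
            source = parts[2] if len(parts) > 2 else "default"
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append((lineno, f"default community string '{community}'"))
            if directive.startswith("rw"):
                findings.append((lineno, "write access via v1/v2c community"))
            if source == "default":
                findings.append((lineno, f"community '{community}' accepted from any source"))
            findings.append((lineno, V1V2C_MSG))
        elif directive == "com2sec":
            # syntax: com2sec SECNAME SOURCE COMMUNITY
            community = parts[3] if len(parts) > 3 else ""
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append((lineno, f"default community string '{community}'"))
            findings.append((lineno, V1V2C_MSG))
        elif directive in ("rouser", "rwuser"):
            # syntax: rouser USER [noauth|auth|priv]; the default level is auth
            level = parts[2].lower() if len(parts) > 2 else "auth"
            if level != "priv":
                findings.append((lineno, f"SNMPv3 user '{parts[1]}' without privacy (encryption)"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}:")
        for lineno, finding in audit_snmpd_conf(cfg) or [(0, "no findings")]:
            print(f"  line {lineno}: {finding}")
```

The checker only reads the agent configuration; the actual fix is the hardened block above, where the community strings are gone, the agent listens only on the intended addresses, and the SNMPv3 user requires the priv level so that both authentication and the payload are protected on the wire.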
NFS Enumeration

VOIP Enumeration

FTP Enumeration

Enumeration Countermeasures

Thanks
