CEH Lab Manual
Module 04: Enumeration

Enumeration is the process of extracting user names, machine names, network resources, shares, and services from a system. Enumeration is conducted in an intranet environment.

Lab Scenario
Penetration testing is much more than just running exploits against vulnerable systems like we learned in the previous module. In fact, a penetration test begins before penetration testers have even made contact with the victim systems. As an expert ethical hacker and penetration tester, you must know how to enumerate target networks and extract lists of computers, user names, user groups, ports, operating systems, machine names, network resources, and services using various enumeration techniques.

Lab Objectives
The objective of this lab is to provide expert knowledge on network enumeration and other responsibilities that include:
■ User names and user groups
■ Lists of computers, their operating systems, and ports
■ Machine names, network resources, and services
■ Lists of shares on individual hosts on the network
■ Policies and passwords

Note: Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 04 Enumeration.

Lab Environment
To carry out the lab, you need:
■ Windows Server 2012 as the host machine
■ Windows Server 2008, Windows and Windows as virtual machines
■ A web browser with an Internet connection
■ Administrative privileges to run tools

Lab Duration
Time: 60 Minutes

Overview of Enumeration
Enumeration is the process of extracting user names, machine names, network resources, shares, and services from a system. Enumeration techniques are conducted in an intranet environment.

CEH Lab Manual, Page 267. Ethical Hacking and Countermeasures. Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Lab Tasks
Recommended labs to assist you in Enumeration:
■ Enumerating a Target Network Using the Nmap Tool
■ Enumerating NetBIOS Using the SuperScan Tool
■ Enumerating NetBIOS Using the NetBIOS Enumerator Tool
■ Enumerating a Network Using the SoftPerfect Network Scanner
■ Enumerating a Network Using the SolarWinds Toolset
■ Enumerating the System Using Hyena

Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Enumerating a Target Network Using Nmap
Enumeration is the process of extracting user names, machine names, network resources, shares, and services from a system.

Lab Scenario
In fact, a penetration test begins before penetration testers have even made contact with the victim systems. During enumeration, information is systematically collected and individual systems are identified. The pen testers examine the systems in their entirety, which allows evaluating security weaknesses. In this lab, we discuss Nmap; it uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, and what type of packet filters/firewalls are in use. It was designed to rapidly scan large networks. By using the open ports, an attacker can easily attack the target machine. To overcome this type of attack on a network filled with IP filters, firewalls, and
other obstacles, as an expert ethical hacker and penetration tester you need to enumerate a target network and extract a list of computers, user names, user groups, machine names, network resources, and services using various enumeration techniques.

Lab Objectives
The objective of this lab is to help students understand and perform enumeration on a target network using various techniques to obtain:
■ User names and user groups
■ Lists of computers, their operating systems, and the ports on them
■ Machine names, network resources, and services
■ Lists of shares on the individual hosts on the network
■ Policies and passwords

Note: Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 04 Enumeration.

Lab Environment
To perform the lab, you need:
■ A computer running Windows Server 2008 as a virtual machine
■ A computer running Windows Server 2012 as the host machine
■ Nmap, located at D:\CEH-Tools\CEHv8 Module 04 Enumeration\Additional Enumeration Pen Testing Tools\Nmap
■ Administrative privileges to install and run tools

Lab Duration
Time: 10 Minutes

Overview of Enumeration
Note: Take a snapshot (a type of quick backup) of your virtual machine before each lab, because if something goes wrong, you can go back to it.

Enumeration is the process of extracting user names, machine names, network resources, shares, and services from a system. Enumeration techniques are conducted in an intranet environment.

Lab Tasks
The basic idea in this section is to:
■ Perform scans to find hosts with NetBIOS ports open (135, 137-139, 445)
■ Do an nbtstat scan to find generic information (computer names, user names, MAC addresses) on the hosts
■ Create a Null Session to these hosts to gain more information
■ Install and launch Nmap in a Windows Server 2012 machine

TASK 1
1. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.

Note: The Zenmap installer installs the following files:
* Nmap Core Files
* Nmap Path

Note: Nmap has traditionally been a command-line tool run from a UNIX shell or (more recently) a Windows command prompt.

Nbtstat and Null Sessions

Figure 1.5: Command Prompt with the nbtstat command (the NetBIOS Remote Machine Name Table of the target, listing the names WIN-DMRSHL9E4 and WORKGROUP with their type (UNIQUE or GROUP) and status (Registered), followed by the MAC address)

11. We have not even created a null session (an unauthenticated session) yet, and we can still pull this info down.

12. Now create a null session.

TASK 2: Create a Null Session
13. In the command prompt, type net use \\X.X.X.X\IPC$ "" /u:"" (where X.X.X.X is the address of the host machine, and there are no spaces between the double quotes).

Figure 1.6: The command prompt with the net use command (the command net use \\10.0.0.7\IPC$ "" /u:"" followed by the connection details: Remote name \\10.0.0.7\IPC$, Resource type IPC, Status OK, and the message "The command completed successfully")

Note: Net command syntax: NET [ ACCOUNTS | COMPUTER | CONFIG | CONTINUE | FILE | GROUP | HELP | HELPMSG | LOCALGROUP | NAME | PAUSE | PRINT | SEND | SESSION | SHARE | START | STATISTICS | STOP | TIME | USE | USER | VIEW ]

14. Confirm it by issuing a generic net use command to see connected null sessions from your host.
15. To confirm, type net use, which should list your newly created null session.

Figure 1.7: The command prompt with
the net use command.

Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.

Tool/Utility   Information Collected/Objectives Achieved
Nmap           Target Machine: 10.0.0.6
               List of Open Ports: 135/tcp, 139/tcp, 445/tcp, 554/tcp, 2869/tcp, 5357/tcp, 10243/tcp
NetBIOS        Remote machine IP address: 10.0.0.7
               Output: Successful connection of Null session

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. Evaluate what nbtstat -A shows us for each of the Windows hosts.
2. Determine the other options of nbtstat and what each option outputs.
3. Analyze the net use command used to establish a null session on the target machine.

Internet Connection Required: □ Yes  □ No
Platform Supported: Classroom, iLabs

Enumerating NetBIOS Using the SuperScan Tool
SuperScan is a TCP port scanner, pinger, and resolver. The tool's features include extensive Windows host enumeration capability, TCP SYN scanning, and UDP scanning.

Lab Scenario
During enumeration, information is systematically collected and individual systems are identified. The pen testers examine the systems in their entirety; this allows evaluating security weaknesses. In this lab we extract NetBIOS information, user and group accounts, network shares, trusted domains, and services, which are either running or stopped. SuperScan detects open TCP and UDP ports on a target machine and determines which services are running on those
ports; by using this, an attacker can exploit the open port and hack your machine. As an expert ethical hacker and penetration tester, you need to enumerate target networks and extract lists of computers, user names, user groups, machine names, network resources, and services using various enumeration techniques.

Lab Objectives
The objective of this lab is to help students learn and perform NetBIOS enumeration. NetBIOS enumeration is carried out to obtain:
■ List of computers that belong to a domain
■ List of shares on the individual hosts on the network
■ Policies and passwords

Lab Environment
To carry out the lab, you need:
■ SolarWinds-Toolset-V10, located at D:\CEH-Tools\CEHv8 Module 04 Enumeration\SNMP Enumeration Tools\SolarWind's IP Network Browser
■ You can also download the latest version of the SolarWinds Toolset from http://www.solarwinds.com/
■ If you decide to download the latest version, then the screenshots shown in the lab might differ
■ Run this tool in the Windows Server 2012 host machine and the Windows Server 2008 virtual machine
■ Administrative privileges are required to run this tool
■ Follow the wizard-driven installation instructions

Lab Duration
Time: Minutes

Overview of Enumeration
Enumeration involves an active connection so that it can be logged. Typical information that attackers are looking for includes user account names for future password guessing attacks.

Lab Task
TASK 1: Enumerate Network
1. Configure SNMP services and select Start > Control Panel > Administrative Tools > Services.

Note: Cut troubleshooting time in half using the Workspace Studio, which puts the tools you need for common situations at your fingertips.
Figure 5.1: Setting SNMP Services (the Services console with the SNMP Service entry selected; its description states that it enables Simple Network Management Protocol (SNMP) requests to be processed by this computer, that the computer will be unable to process SNMP requests if the service is stopped, and that any services that explicitly depend on it will fail to start if it is disabled)

2. Double-click SNMP Service. Click the Security tab, and click Add. The SNMP Service Configuration window appears. Select READ ONLY from Community rights and public in Community Name, and click Add.

Figure 5.2: Configuring SNMP Services (SNMP Service Properties, Security tab, with the SNMP Service Configuration dialog showing Community rights READ ONLY and Community Name public)

Note: Monitor and alert in real time on network availability and health with tools including Real-Time Interface Monitor, SNMP Real-Time Graph, and Advanced CPU Load.

3. Select Accept SNMP packets from any host, and click OK.

Figure 5.3: Setting SNMP Services (the Security tab with Accept SNMP packets from any host selected)

4. Install SolarWinds-Toolset-V10, located in D:\CEH-Tools\CEHv8 Module 04 Enumeration\SNMP Enumeration Tools\SolarWind's IP Network Browser.
5. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.

Figure 5.4: Windows Server 2012 desktop view

Note: Perform robust network diagnostics for troubleshooting and quickly resolving complex network issues with tools such as Ping Sweep, DNS Analyzer, and Trace Route.

6. Click the Workspace Studio app to open the SolarWinds Workspace Studio window.

(Start screen showing the Workspace Studio app among Server Manager, Windows PowerShell, SQL Server Installation Center, Command Prompt and Mozilla Firefox)
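The Security tab settings the lab turns on (community name public with READ ONLY rights, and Accept SNMP packets from any host) are what a defender should check for on every server that exposes SNMP. The following Python script is an added example, not part of the lab manual or of the SolarWinds toolset: it parses the output of reg query for the SNMP service's ValidCommunities and PermittedManagers registry keys and reports those weak settings next to a hardened counterpart. The registry locations and rights values are the documented Windows SNMP service ones; the sample reg query output, the hardened community name and the manager address are constructed.

```python
import re

# Registry keys the Windows SNMP service reads (documented locations); the
# Security tab of the SNMP Service properties writes to both of them.
KEY_BASE = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters"
# REG_DWORD stored per community name under ValidCommunities.
RIGHTS = {1: "NONE", 2: "NOTIFY", 4: "READ ONLY", 8: "READ WRITE", 16: "READ CREATE"}
# Community strings that every scanner tries first; the lab uses "public".
DEFAULT_COMMUNITIES = {"public", "private"}

# One value line of 'reg query' output: indented name, REG_ type, data.
VALUE_ROW = re.compile(r"^\s{2,}(?P<name>\S+)\s+REG_\w+\s+(?P<data>\S+)\s*$")


def parse_reg_values(reg_query_output):
    """Return {value name: data} from the text 'reg query <key>' prints."""
    values = {}
    for line in reg_query_output.splitlines():
        m = VALUE_ROW.match(line)
        if m:
            values[m.group("name")] = m.group("data")
    return values


def audit_snmp(valid_communities_output, permitted_managers_output):
    """List the weak settings the lab enables: a default community name,
    write access, and no PermittedManagers entries (= accept from any host)."""
    findings = []
    for name, data in parse_reg_values(valid_communities_output).items():
        rights = RIGHTS.get(int(data, 16), "unknown")
        if name.lower() in DEFAULT_COMMUNITIES:
            findings.append(f"community '{name}' is a well-known default ({rights})")
        if rights in ("READ WRITE", "READ CREATE"):
            findings.append(f"community '{name}' grants {rights}")
    if not parse_reg_values(permitted_managers_output):
        findings.append("PermittedManagers is empty: SNMP accepted from any host")
    return findings


# Constructed sample output (not captured from the lab machines) as the lab leaves it.
LAB_COMMUNITIES = f"\n{KEY_BASE}\\ValidCommunities\n    public    REG_DWORD    0x4\n"
LAB_MANAGERS = f"\n{KEY_BASE}\\PermittedManagers\n"
# Constructed hardened counterpart: unique read-only community, one permitted manager.
HARDENED_COMMUNITIES = f"\n{KEY_BASE}\\ValidCommunities\n    n3tm0n-ro-2012    REG_DWORD    0x4\n"
HARDENED_MANAGERS = f"\n{KEY_BASE}\\PermittedManagers\n    1    REG_SZ    10.0.0.100\n"

if __name__ == "__main__":
    print("lab settings:", audit_snmp(LAB_COMMUNITIES, LAB_MANAGERS))
    print("hardened:", audit_snmp(HARDENED_COMMUNITIES, HARDENED_MANAGERS))
```

On a real host, feed the script the text of reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities" and the matching PermittedManagers query instead of the constructed strings.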