TestOut Ethical Hacker Pro Q&A Chapter 6 Enumeration
Question | Answer |
---|---|
What is enumeration? | |
How is enumeration used to gather information about a target? | |
Which tools can be used for enumeration? | |
Which type of information can be gathered with enumeration? | |
How can companies protect themselves against enumeration attempts? | |
Enumeration | To list items one by one. In ethical hacking, enumeration is the phase in which the attacker makes active connections to a system to gather information about its configuration, software, services, users, groups, and shares. |
Extract email IDs | An email address contains two parts, the username (local part) and the domain name. Harvested addresses reveal the organization's username convention and its mail domain, both of which feed later password-guessing and phishing attempts. |
Use default passwords | Many devices ship with a documented default password. These passwords are often left in place, providing an easy access point for an attacker. |
Attack directory services | A directory service is a database of information used for network administration. Some directory services do not validate input carefully or limit failed login attempts, which makes them susceptible to brute-force attacks. These attacks are usually automated: the program tries combinations of usernames and passwords until it finds one that works. |
Exploit SNMP | The Simple Network Management Protocol (SNMP) is used to manage devices such as routers, switches, printers, and servers. SNMP works with an SNMP agent, which runs on the managed device, and an SNMP management station, which queries the agent. SNMPv1 and SNMPv2c authenticate with community strings that are sent in cleartext, and devices commonly ship with two defaults: public (read-only) and private (read-write). The read-only community string lets a querier read the device or system configuration; the read/write community string also lets it change that configuration. If the defaults were never changed, an attacker who guesses or sniffs these strings can walk the device's MIB and obtain usernames, details of network devices, routing tables, ARP tables, network traffic statistics, and file shares. |
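
Added example, not part of the TestOut material: the Python below builds an SNMPv1 GetRequest for sysDescr.0 using the default public community string, then parses the community string back out of the raw datagram exactly as a sniffer would and flags the default. It shows why the card's point matters: in SNMPv1/v2c the community string is the only credential and it travels in cleartext, so a default value hands over whatever access level it grants. Nothing is sent on the network; the datagram is constructed in memory, and the OID and request-id are illustrative values.

```python
"""Build an SNMPv1 GetRequest and recover the community string from the raw bytes.

Added example (not TestOut's material). SNMPv1/v2c messages are BER-encoded:
SEQUENCE { INTEGER version, OCTET STRING community, PDU { request-id,
error-status, error-index, varbind list } }. The community string is the only
credential and is never encrypted in these versions.
"""

DEFAULT_COMMUNITIES = {"public": "read-only", "private": "read-write"}
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse", 0xA3: "SetRequest"}


def _tlv(tag, body):
    """BER tag-length-value; short-form length below 128, long-form above."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def _int(value):
    # minimal two's-complement INTEGER (one extra bit reserved for the sign)
    return _tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))


def _oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return _tlv(0x06, bytes(out))


def build_get_request(community, oid, request_id=1, version=0):
    """SNMP message: SEQUENCE { version (0 = v1), community, GetRequest-PDU }."""
    varbind = _tlv(0x30, _oid(oid) + b"\x05\x00")            # { OID, NULL }
    pdu = _tlv(0xA0, _int(request_id) + _int(0) + _int(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _int(version) + _tlv(0x04, community.encode("ascii")) + pdu)


def _read_tlv(buf, pos):
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:                                            # long-form length
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + ln], pos + ln


def parse_header(packet):
    """Return (version, community, pdu_type) from a raw SNMPv1/v2c datagram."""
    tag, body, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    t1, ver, p = _read_tlv(body, 0)
    t2, comm, p = _read_tlv(body, p)
    if (t1, t2) != (0x02, 0x04):
        raise ValueError("unexpected header encoding")
    pdu_type, _, _ = _read_tlv(body, p)
    return int.from_bytes(ver, "big", signed=True), comm.decode("ascii", "replace"), pdu_type


def assess(packet):
    """Flag a sniffed datagram that still uses a factory-default community string."""
    version, community, pdu = parse_header(packet)
    access = DEFAULT_COMMUNITIES.get(community)
    if access is None:
        return None
    return f"SNMPv{'1' if version == 0 else '2c'} {PDU_NAMES.get(pdu, hex(pdu))} with default community '{community}' ({access})"


if __name__ == "__main__":
    pkt = build_get_request("public", "1.3.6.1.2.1.1.1.0")   # sysDescr.0
    print(pkt.hex())
    print(assess(pkt))
```

The same parser run over a capture of UDP 161/162 traffic is the detection counterpart of the card: any datagram whose community string is public or private, and especially any SetRequest (0xA3) carrying private, is a finding in its own right.

Question | Answer |
---|---|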
Exploit SMTP | Simple Mail Transfer Protocol (SMTP) is the protocol used by most email servers and clients to send email messages. The VRFY and EXPN commands, where enabled, confirm whether a mailbox exists and expand a distribution list to its members; scanning tools and manual commands use them to verify specific email addresses and to harvest every user on a distribution list. |
Perform DNS zone transfer | A DNS zone transfer is the process of copying the DNS zone file from the primary DNS server to a secondary DNS server. Zone transfers are designed to keep secondary servers updated with the zone's host and access information. This structural data is valuable to a hacker because it provides a map of the network. To perform a DNS zone transfer, the hacker, pretending to be a client (a secondary server), sends a zone transfer (AXFR) request to the ... |
Retrieve system policies | Large networks, especially enterprise environments, frequently have policy settings in place to determine how security matters are handled. If you're able to gain access to these settings, you will know more about your target. The technique will vary depending on the operating system that you are targeting. |
Enumerate IPsec | IPsec uses ESP (Encapsulating Security Payload), AH (Authentication Header), and IKE (Internet Key Exchange) to secure communication between virtual private network (VPN) endpoints. By probing IKE (UDP 500) with enumeration tools, hackers can pull sensitive information such as the encryption and hashing algorithms, authentication type, and key distribution (Diffie-Hellman group) that the VPN gateway accepts. |
Enumerate VoIP | VoIP uses SIP (Session Initiation Protocol) to set up voice and video calls over an IP network. SIP listens on UDP/TCP port 5060, and on TCP 5061 for SIP over TLS; Cisco SCCP (Skinny) phones use TCP 2000 and 2001. SIP OPTIONS, REGISTER, and INVITE requests can be used to fingerprint servers and enumerate valid extensions. |
Enumerate RPC | Remote Procedure Call (RPC) lets a client and a server communicate in distributed client/server programs. Enumerating RPC endpoints enables hackers to identify vulnerable services on those ports. The following nmap commands identify RPC services running on a network: • nmap -sR IP/network (RPC grinding; in current nmap releases -sR is an alias for version detection, -sV) • nmap -T4 -A IP/network |
nmap -sR IP/network | Identifies RPC services running on the network (RPC grinding; in current nmap releases -sR is an alias for -sV). |
nmap -T4 -A IP/network | Aggressive scan at timing template 4 (OS detection, version detection, script scanning, traceroute); also identifies RPC services running on the network. |
Guest | The guest account has been part of Windows for quite some time. By design, this account has remained pretty much the same and is meant to be used only in very limited circumstances. Although included in the Windows installation, it is not enabled by default. |
Administrator | The administrator account has gone through quite a few changes as the operating system has evolved. In earlier versions of Windows, the administrator account was enabled by default. However, in more recent releases, Windows Vista and beyond, the administrator account has been disabled by default. This change was made primarily for security purposes. The administrator account was often used as a normal user account and, as a result, the everyday user ..... |
Local service | A built-in, low-privilege service account. It has limited rights on the local machine and, when it reaches out over the network, presents anonymous credentials. |
Network service | A built-in, low-privilege service account with limited rights on the local machine; over the network it authenticates as the computer account, so it has normal network access. |
System | This account provides almost unlimited access to the local machine. |
Anonymous logon | This group (well-known SID S-1-5-7) represents users who connect without supplying credentials, for example through a null session or through anonymous access to a web server or web application. |
Batch | This group is used to run scheduled batch tasks. |
Creator group | Introduced with Windows 2000, this well-known group is used to grant permissions to members of the primary group of the user who created a directory or file. |
Creator owner | The file or directory creator is a member of this group. By default, all releases after Windows 2000 use this group to grant permissions to the creator of the file or directory. |
Everyone | All users, including the Guest account, are members of this group (since Windows XP, anonymous users are excluded). It is used to provide wide-ranging access to resources. |
Network | All users that access a system through a network are members of this group. It provides all remote users access to a specific resource. |
Username | A username and user ID (UID) are used to identify users. When a username is created, it is given a UID from a configured range; regular users typically start at 1000 on modern distributions (500 on older Red Hat-style systems), and UID 0 is root. |
Password | Each account has a password that is stored as a salted hash, either on the computer (in /etc/shadow) or in a network directory. |
Groups | Groups are used to manage permissions and rights. Each user has a primary group, whose group identification number (GID) is recorded in the user's /etc/passwd entry, and can be assigned to additional groups called secondary groups. Group names, GIDs, and secondary memberships are listed in the /etc/group file. |
finger | The Linux finger command provides information about a user. finger -s username shows the specified user's login name, real name, terminal name and write status, idle time, login time, office location, and office phone number. finger -s with no argument shows the same information for all users currently logged in. finger -l user@host shows long-format information about a user on a remote system that runs a finger daemon (TCP 79), and finger @host lists the users logged in there. |
NULL session | Null sessions are created when a client connects to the IPC$ share of a Windows system without supplying credentials. They were designed to let clients retrieve limited types of information across a network, but they can be exploited to enumerate users, groups, machines, shares, and host SIDs. A hacker enters net use \\hostname\ipc$ "" /user:"" to establish the session and net view \\hostname to display the shares available on the system. Modern Windows versions restrict anonymous enumeration by default (the RestrictAnonymous and RestrictAnonymousSAM settings), so this works mainly against legacy or misconfigured hosts. |
PsTools | PsTools is a suite of very powerful tools that allow you to manage local and remote Windows systems. The package includes tools that can change account passwords, suspend processes, measure network performance, dump event log records, kill processes, or view and control services. |
SuperScan | SuperScan can be used to enumerate information from a Windows host. Information can be gathered on the following: NetBIOS name table, services, NULL session, trusted domains, MAC addresses, logon sessions, workstation type, account policies, users, and groups. |
finger -s username | shows the specified user's login name, real name, terminal name and write status, idle time, login time, office location, and office phone number. |
finger -s | shows the same information for all users currently logged in to the system. |
finger -l user@host | shows long-format information about a specific user on a remote system that runs a finger daemon (TCP 79); finger @host lists all users logged in there. |
net use \\hostname\ipc$ "" /user:"" | connects to the IPC$ share of a system with a blank username and password (a null session). |
net view \\hostname | displays the shares available on a system. |
net use s: \\hostname\sharename | maps one of those shares to drive letter S: so that the hacker can connect to and browse it. |
TCP 21 FTP | Port 21 is the control channel of the File Transfer Protocol (FTP), which is available on most operating systems for transferring files between client and server machines. FTP sends credentials in cleartext. |
TCP 23 Telnet | Port 23 is used by the Telnet protocol/software. Telnet is used to connect to and run commands on remote systems. Because it sends credentials and sessions in cleartext, Telnet is not used as frequently as it once was. |
TCP 25 SMTP | Port 25 is used for the Simple Mail Transfer Protocol (SMTP). SMTP is used to send emails between client and server and between server and server. |
TCP 53 DNS | Port 53 over TCP is used for DNS zone transfers (and for responses too large for a UDP datagram). A DNS zone transfer copies the DNS zone file from the primary DNS server to a secondary DNS server so that the secondaries stay up to date. |
UDP 53 DNS | Port 53 is used for UDP queries about IP-to-name and name-to-IP mappings. |
TCP 80 HTTP | Port 80 is used for the Hypertext Transfer Protocol (HTTP). HTTP is used by all web browsers and most web applications. |
TCP 135 RPC | Port 135 is used by the Remote Procedure Call service in Windows for client-server communications. |
UDP 137 NetBIOS | Port 137 (UDP) is used by the NetBIOS Name Service (NBNS). NBNS associates NetBIOS names with the IP addresses of systems and services. |
TCP 139 NetBIOS | Port 139 is used by the NetBIOS Session Service (SMB over NetBIOS.) SMB over NetBIOS allows you to manage connection between NetBIOS clients and applications. |
TCP 445 SMB over TCP | Port 445 is used by SMB over TCP, also known as direct hosting: SMB runs directly on TCP/IP without the NetBIOS session layer. This is available in Windows 2000 and newer. |
UDP 161 and 162 SNMP | Ports 161 and 162 are used by the Simple Network Management Protocol (SNMP). Agents listen for queries on UDP 161 and send traps to the management station on UDP 162. SNMP is a standard method of managing devices and software from most manufacturers. |
TCP/UDP 389 LDAP | Port 389 is used by the Lightweight Directory Access Protocol (LDAP). LDAP is an Internet protocol for accessing distributed directory services. If this port is open, it indicates that Active Directory or Exchange may be in use. |
TCP/UDP 3268 Global Catalog Service | Port 3268 is used by the Global Catalog Service. The Global Catalog Service is used by Windows 2000 and later systems to locate information in Active Directory. |
In which phase of the ethical hacking process do you gather information from a system to learn more about its configurations, software, and services? | Enumeration |
Which enumeration process tries different combinations of usernames and passwords until it finds something that works? | Brute force |
What best describes IPsec enumeration? | Uses ESP, AH, and IKE to secure communication between VPN endpoints. |
Which enumeration tool provides information about users on a Linux machine? | finger |
The Simple Network Management Protocol (SNMP) is used to manage devices such as routers, hubs, and switches. SNMP works with an SNMP agent and an SNMP management station in which layer of the OSI model? | Application Layer |
The Application Layer (Layer 7) supports | application and end-user processes. Examples include NFS, SNMP, Telnet, HTTP, and FTP. |
The Session Layer (Layer 5) establishes | manages, and terminates connections between applications. Examples include NFS, NetBIOS names, RPC, and SQL. |
The Transport Layer (Layer 4) provides | transparent transfer of data between end systems or hosts. Examples include SPX, TCP, and UDP. |
The Network Layer (Layer 3) provides | switching and routing technologies. Examples include AppleTalk, DDP, IP, and IPX. |
A hacker has managed to gain access to the /etc/passwd file on a Linux host. What can the hacker obtain from this file? | Usernames, but no passwords |
Jorge, a hacker, has gained access to a Linux system. He has located the usernames and IDs. He wants the hashed passwords for the users that he found. Which file should he look in? | /etc/shadow |
In Linux, what does the /etc/passwd file contain? | - The username and user ID (UID) used to identify each user. - The password field, which on modern systems holds only the placeholder x; the hashes themselves are kept in /etc/shadow. - The user's primary group identification number (GID), home directory, and login shell. |
What's in /etc/shadow? | The hashed passwords, together with password-aging fields; readable only by root. |
What's in /etc/group? | The list of groups, their GIDs, and their secondary members. |
What's in /etc/services? | A static mapping of service names to port numbers and protocols (for example, ssh 22/tcp). It does not list the services that are running. |
What's in /etc/passwd? | The usernames and UIDs (along with each user's primary GID, home directory, and shell). |
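
Added example, not part of the TestOut material: the Python below joins constructed samples of /etc/passwd, /etc/shadow, and /etc/group into one per-user view, the way a pentester reads them after gaining access to a Linux host. It shows concretely what the cards above describe: passwd (world-readable) yields usernames, UIDs, primary GIDs and shells but only an x in the password field, shadow (root-only) yields the hashes, and group yields the secondary memberships. All three file bodies, the usernames, and every hash are constructed sample data; the sha512crypt values are shortened placeholders (real ones are 86 characters).

```python
"""Audit constructed /etc/passwd, /etc/shadow and /etc/group samples.

Added example (not TestOut's material). All file contents and hashes below are
constructed; the sha512crypt hashes are shortened placeholders.
"""

PASSWD_FIELDS = ("name", "pw", "uid", "gid", "gecos", "home", "shell")
SHADOW_FIELDS = ("name", "hash", "lastchg", "min", "max", "warn", "inactive", "expire", "reserved")
GROUP_FIELDS = ("name", "pw", "gid", "members")
HASH_PREFIXES = {"$1$": "md5crypt", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
                 "$5$": "sha256crypt", "$6$": "sha512crypt", "$7$": "scrypt", "$y$": "yescrypt"}
WEAK_ALGORITHMS = {"md5crypt", "legacy DES crypt"}

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:107:65534::/run/sshd:/usr/sbin/nologin
alice:x:1000:1000:Alice Adams:/home/alice:/bin/bash
bob:x:1001:1001:Bob Baker:/home/bob:/bin/zsh
backup2:x:0:0:forgotten admin clone:/root:/bin/bash
legacy:$1$saltsalt$Mz5lDdhdGvoV6s0dF3sOX0:1002:1002::/home/legacy:/bin/sh
"""
SAMPLE_SHADOW = """\
root:$6$saltsalt$CONSTRUCTEDHASHroot:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
sshd:*:19700:0:99999:7:::
alice:$6$saltsalt$CONSTRUCTEDHASHalice:19700:0:99999:7:::
bob:!$6$saltsalt$CONSTRUCTEDHASHbob:19700:0:99999:7:::
backup2::19700:0:99999:7:::
legacy:!:19700:0:99999:7:::
"""
SAMPLE_GROUP = """\
root:x:0:
daemon:x:1:
sudo:x:27:alice
docker:x:999:bob,alice
alice:x:1000:
bob:x:1001:
legacy:x:1002:
nogroup:x:65534:
"""


def parse_colon_file(text, fields):
    """Parse a colon-separated /etc file into {name: {field: value}}."""
    rows = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            parts = line.split(":")
            rows[parts[0]] = dict(zip(fields, parts))
    return rows


def password_status(field):
    """Classify a password field the way an auditor (or a cracker) would."""
    if field == "":
        return "EMPTY"            # login succeeds with no password at all
    if field == "x":
        return "shadowed"         # the real credential lives in /etc/shadow
    if field.startswith(("!", "*")):
        return "locked"
    for prefix, name in HASH_PREFIXES.items():
        if field.startswith(prefix):
            return name
    if len(field) == 13 and "$" not in field:
        return "legacy DES crypt"
    return "unknown"


def audit(passwd_text, shadow_text, group_text):
    """Join the three files into one per-user view."""
    users = parse_colon_file(passwd_text, PASSWD_FIELDS)
    shadow = parse_colon_file(shadow_text, SHADOW_FIELDS)
    groups = parse_colon_file(group_text, GROUP_FIELDS)
    gid_name = {g["gid"]: g["name"] for g in groups.values()}
    report = {}
    for name, u in users.items():
        in_passwd = u["pw"] != "x"        # credential (or nothing) sits in world-readable passwd
        cred = u["pw"] if in_passwd or name not in shadow else shadow[name]["hash"]
        report[name] = {
            "uid": int(u["uid"]),
            "primary_group": gid_name.get(u["gid"], u["gid"]),
            "secondary_groups": sorted(g["name"] for g in groups.values()
                                       if name in g["members"].split(",") and g["gid"] != u["gid"]),
            "password": password_status(cred),
            "hash_in_passwd": in_passwd and u["pw"] != "",
            "interactive": not u["shell"].endswith(("nologin", "false")),
        }
    return report


def weaknesses(report):
    """Findings a pentester would write up from the joined view."""
    out = []
    for name, r in report.items():
        if r["uid"] == 0 and name != "root":
            out.append(f"{name}: UID 0 account other than root")
        if r["password"] == "EMPTY":
            out.append(f"{name}: empty password field")
        if r["hash_in_passwd"]:
            out.append(f"{name}: password hash stored in world-readable /etc/passwd")
        if r["password"] in WEAK_ALGORITHMS:
            out.append(f"{name}: weak hash algorithm ({r['password']})")
    return out


if __name__ == "__main__":
    rep = audit(SAMPLE_PASSWD, SAMPLE_SHADOW, SAMPLE_GROUP)
    for user, info in rep.items():
        print(f"{user:8} uid={info['uid']:<6} {info['primary_group']:8} {info['secondary_groups']} {info['password']}")
    print(*weaknesses(rep), sep="\n")
```

On a real host, substitute the contents of the three files for the samples; the audit function does not care about the source of the text.

Question | Answer |
---|---|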
Typically, you think of the username as being the unique identifier behind the scenes, but Windows actually relies on the security identifier (SID). Unlike the username, a SID cannot be used again. When viewing data in the Windows Security Account Manager (SAM), you have located an account ending in -501. Which of the following account types did you find? | The built-in guest |
What SID ends in -501 | The built-in Guest account |
What SID ends in -500 | Administrator account |
What SID ends in -512 | The Domain admins group |
What SID ends in -514 | Domain Guests group |
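
Added example, not part of the TestOut material: the Python below converts Windows SIDs between their string and binary forms (the layout the SAM stores and RPC returns), splits off the relative identifier (RID), and maps the well-known RIDs from the cards above to their built-in principals. It also generates the candidate SIDs for RID cycling, the technique that turns a domain SID learned over a null session into a list of accounts to resolve. The well-known RIDs are Windows constants; the domain SID used in the demo is a constructed sample.

```python
"""Decode Windows security identifiers and classify accounts by RID.

Added example (not TestOut's material). A SID reads S-<revision>-<authority>-<sub-authorities>;
for a domain or local account the last sub-authority is the RID. Well-known RIDs below 1000 are
the same in every domain and SAM, so an enumerated SID can be interpreted even when the account
has been renamed. The demo domain SID is constructed.
"""

WELL_KNOWN_RIDS = {
    500: "Administrator", 501: "Guest", 502: "krbtgt",
    512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests",
    515: "Domain Computers", 516: "Domain Controllers", 518: "Schema Admins",
    519: "Enterprise Admins", 520: "Group Policy Creator Owners",
}


def sid_to_bytes(sid):
    """String SID -> binary SID: revision byte, sub-authority count, 48-bit big-endian
    identifier authority, then each sub-authority as a 32-bit little-endian value."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("too many sub-authorities")
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + b"".join(s.to_bytes(4, "little") for s in subs))


def bytes_to_sid(raw):
    """Binary SID (as stored in the SAM or returned by LSA RPC) -> string form."""
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = (int.from_bytes(raw[8 + 4 * i:12 + 4 * i], "little") for i in range(count))
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def split_account_sid(sid):
    """(domain_sid, rid) for an account under the NT authority (S-1-5-21-...),
    or (sid, None) for anything else, e.g. S-1-5-18 (LocalSystem)."""
    parts = sid.split("-")
    if parts[:4] == ["S", "1", "5", "21"] and len(parts) == 8:
        return "-".join(parts[:-1]), int(parts[-1])
    return sid, None


def classify_rid(rid):
    if rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[rid]
    return "user-created principal" if rid >= 1000 else "other built-in"


def describe(sid):
    domain, rid = split_account_sid(sid)
    if rid is None:
        return f"{sid}: not an account SID"
    return f"{sid}: RID {rid} = {classify_rid(rid)} in domain {domain}"


def rid_cycle(domain_sid, start=500, stop=1100):
    """Candidate account SIDs to resolve (LookupSids) once a null session has
    revealed the domain SID; built-ins sit below 1000, created accounts above."""
    return [f"{domain_sid}-{rid}" for rid in range(start, stop)]


if __name__ == "__main__":
    demo_domain = "S-1-5-21-1004336348-1177238915-682003330"   # constructed sample
    for rid in (500, 501, 512, 514, 1105):
        print(describe(f"{demo_domain}-{rid}"))
    print(sid_to_bytes(f"{demo_domain}-500").hex())
    print(describe("S-1-5-18"))
```

Because the RID of the built-in Administrator is always 500, renaming that account does not hide it from anyone who can resolve SIDs; that is the point of the -500 and -501 cards.

Question | Answer |
---|---|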
What port does a DNS zone transfer use? | TCP 53 |
What port does Telnet protocol/software use? | Port 23 |
What port does NetBIOS Session Service use? | Port 139 |
What port does SMB over TCP use? | Port 445 |
Port 53 | DNS zone transfers. |
Port 23 | Telnet protocol/software |
Port 139 | NetBIOS Session Service . |
Port 445 | SMB over TCP. |
What ports are used by null sessions on your network? | 139 and 445 A Null Session attack uses the Windows net command to map a connection using a blank username and password. These connections would take place over port 139 (NetBIOS sessions services) or 445 (runs SMB over TCP/IP without NetBIOS). |
Port 135 | is used by the Remote Procedure Call service in Windows for client-server communications. |
Port 137 | is used (over UDP) by the NetBIOS Name Service (NBNS). NBNS associates NetBIOS names with the IP addresses of systems and services. |
Port 443 | is the standard TCP port for HTTPS (HTTP over TLS, formerly SSL). |
Port 444 | is registered to the Simple Network Paging Protocol (SNPP); what actually answers on it depends on the application. |
LDAP is an internet protocol for accessing distributed directory services. If this port is open, it indicates that Active Directory or Exchange may be in use. What port does LDAP use? | TCP/UDP 389 is used by the Lightweight Directory Access Protocol (LDAP.) |
TCP/UDP port 3268 | TCP/UDP port 3268 is used by the Global Catalog Service. |
TCP port 53 | TCP port 53 is used for DNS zone transfers. UDP port 53 is used for UDP queries about IP-to-name and name-to-IP mappings. |
TCP port 445 | TCP port 445 is used by SMB over TCP. |
Shawn, a malicious insider, has obtained physical access to his manager's computer and wants to listen for incoming connections. He has discovered the computer's IP address, 192.168.34.91, and he has downloaded netcat. Which of the following netcat commands would he enter on the two computers? | nc -l -p 2222 (manager's computer) and nc -nv 192.168.34.91 2222 (Shawn's machine) |
In nc -nv 192.168.34.91 2222 what is -nv | (the -n switch tells netcat not to use DNS lookups, and the -v switch uses verbose output). |
In netcat what does -s do? | Use the source IP |
How can companies protect themselves against enumeration attempts? | |
What can you do to prevent SNMP exploitation? | The easiest way is to block, or at least monitor, activity on UDP ports 161 and 162 and any other port you have configured for SNMP traffic. Another option is to remove the SNMP agent or turn off the SNMP service completely. Keep the SNMP software up to date, change the default community strings, and prefer SNMPv3 with authentication and encryption over v1/v2c. |
What is the best way to secure LDAP? | Although blocking LDAP port 389 is an option, you can't always block ports, or you'll risk impacting your network. Blocking LDAP ports could prevent your clients from querying necessary services. The best way to secure LDAP is to review and implement the security settings and services available with your server software. |
SNMP Countermeasures | • Monitor SNMP ports: block or at least monitor activity on UDP 161 and 162 and any other ports you have configured for SNMP traffic. • Remove SNMP agent: remove the SNMP agent or turn off the SNMP service completely where it is not needed. • Update SNMP: keep the SNMP software current and use SNMPv3 (authentication and encryption) instead of v1/v2c community strings. • Change default community strings: change public, private, and any other default credentials on all devices and services. • Run SNScan: use SNScan, a utility that detects network SNMP devices that are vulnerable to attack. |
DNS Countermeasures | • DNS zone restriction: configure the server to provide copies of zone files only to specific (secondary) servers. • Digital signatures: transaction signatures (TSIG) let the primary authenticate zone transfer requests from its secondaries. • Split DNS: splitting DNS into internal and external zones, so that external clients never see internal hostnames, provides an added layer of security. |
SMTP Countermeasures | The most basic way to counteract Simple Mail Transfer Protocol (SMTP) enumeration is to disable the VRFY and EXPN commands and to answer known and unknown recipients identically, rather than sending back distinct error messages. Additionally, configure your server to refuse open SMTP relaying. |
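
Added example, not part of the TestOut material: the Python below models the SMTP exchange behind both the Exploit SMTP card and the SMTP countermeasures card. A small in-memory server answers VRFY and EXPN the leaky way (250 for a real mailbox, 550 for an unknown one, the expanded list for EXPN) or the hardened way (the same non-committal 252 for everyone), and an attacker-side routine probes a candidate list and keeps the names the server confirmed. No socket is opened; the mailbox names, hostnames, and distribution list are constructed sample data.

```python
"""Model of SMTP user enumeration through VRFY/EXPN, and the hardened reply.

Added example (not TestOut's material). The server is an in-memory model of the
command/reply exchange; the names and hosts below are constructed.
"""


class ToySmtpServer:
    """Just enough SMTP to show how VRFY/EXPN leak users and how to stop it."""

    def __init__(self, mailboxes, lists, allow_vrfy=True):
        self.mailboxes = set(mailboxes)   # local usernames
        self.lists = lists                # distribution list -> member addresses
        self.allow_vrfy = allow_vrfy      # False = hardened configuration
        self.transcript = []              # ("C", line) / ("S", reply) pairs

    def reply(self, line):
        self.transcript.append(("C", line))
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "HELO":
            resp = "250 mail.example.test Hello"
        elif verb in ("VRFY", "EXPN") and not self.allow_vrfy:
            # Hardened: identical 252 for known and unknown names, so the
            # reply code tells the attacker nothing.
            resp = "252 Cannot VRFY user, but will accept message and attempt delivery"
        elif verb == "VRFY":
            if arg in self.mailboxes:
                resp = f"250 {arg} <{arg}@example.test>"
            else:
                resp = f"550 5.1.1 {arg}: User unknown"
        elif verb == "EXPN":
            members = self.lists.get(arg)
            if members:
                # multi-line reply: 250- on continuation lines, 250<space> on the last
                resp = "\r\n".join([f"250-{m}" for m in members[:-1]] + [f"250 {members[-1]}"])
            else:
                resp = "550 5.1.1 List unknown"
        elif verb == "QUIT":
            resp = "221 Bye"
        else:
            resp = "502 Command not implemented"
        self.transcript.append(("S", resp))
        return resp


def enumerate_users(server, candidates):
    """Attacker side: probe each candidate with VRFY and keep the confirmed names."""
    server.reply("HELO scanner.example.test")
    confirmed = []
    for name in candidates:
        code = server.reply(f"VRFY {name}")[:3]
        if code == "250":
            confirmed.append(name)
        elif code == "252":
            break                 # server will not confirm or deny; stop probing
    server.reply("QUIT")
    return confirmed


if __name__ == "__main__":
    for hardened in (False, True):
        srv = ToySmtpServer({"alice", "bob"},
                            {"staff": ["alice@example.test", "bob@example.test"]},
                            allow_vrfy=not hardened)
        found = enumerate_users(srv, ["alice", "carol", "bob"])
        srv.reply("EXPN staff")
        print(f"--- allow_vrfy={not hardened}: confirmed {found}")
        for side, text in srv.transcript:
            print(side, text)
```

The transcript printed for the leaky configuration is what a packet capture of TCP 25 would show during enumeration; the hardened transcript is what a correctly configured server should produce.

Question | Answer |
---|---|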
LDAP Countermeasures | Hardening against Lightweight Directory Access Protocol (LDAP) enumeration can be tricky. Although blocking LDAP port 389 is an option, you can’t always block ports, or you’ll risk impacting your network. Blocking LDAP ports could prevent your clients from querying necessary services. The best way to secure LDAP is to review and implement the security settings and services available with your server software. |
Hugh, a security consultant, recommended the use of an internal and external DNS to provide an extra layer of security. Which of the following DNS countermeasures is being used? | Split DNS |
DNS splitting | splitting the DNS into internal and external groups, provides an added layer of security. |
DNS zone restrictions | ensure that a server only provides copies of zone files to specific servers. |
Digital signatures | help with DNS zone restriction. |
DNS zone transfers | are designed to provide updated network and access information to secondary DNS servers. |
After the enumeration stage, you are considering blocking port 389. Your colleague has advised you to use caution when blocking ports that could potentially impact your network. Which of the following necessary services could be blocked? | LDAP |
Which of the following is the most basic way to counteract SMTP exploitations? | Ignore messages to unknown recipients instead of sending back error messages. |
Robby, a security specialist, is taking countermeasures for SNMP. Which of the following utilities would he most likely use to detect SNMP devices on the network that are vulnerable to attacks? | SNScan |
SNScan | is a utility that is used to detect SNMP devices that are vulnerable to attacks. |
Scany | is a scanner application for iOS devices. It scans networks, websites, and ports to find open network devices. It can obtain domain and network names and include basic networking utilities such as ping, traceroute, and whois. |
Colasoft | is a packet crafting software that can be used to modify flags and adjust other packet content. |
Currports | lists all open TCP and UDP ports on your computer. It also provides information about which process opened the port, which user created the process, and what time it was created. |