
CEH v8 Labs Module 04 Enumeration.pdf

Jun 04, 2018

  • 8/14/2019 CEH v8 Labs Module 04 Enumeration.pdf


    CEH Lab Manual

    Enumeration

    Module 04


    Enumeration

    Enumeration is the process of extracting user names, machine names, network resources, shares, and services from a system. Enumeration is conducted in an intranet environment.

    Lab Scenario

    Penetration testing is much more than just running exploits against vulnerable systems like we learned in the previous module. In fact, a penetration test begins before penetration testers have even made contact with the victim systems.

    As an expert ethical hacker and penetration tester, you must know how to enumerate target networks and extract lists of computers, user names, user groups, ports, operating systems, machine names, network resources, and services using various enumeration techniques.

    Lab Objectives

    The objective of this lab is to provide expert knowledge on network enumeration and other responsibilities that include:

    User name and user groups

    Lists of computers, their operating systems, and ports

    Machine names, network resources, and services

    Lists of shares on individual hosts on the network

    Policies and passwords

    Lab Environment

    To carry out the lab, you need:

    Windows Server 2012 as host machine

    Windows Server 2008, Windows 8 and Windows 7 as virtual machine

    A web browser with an Internet connection

    Administrative privileges to run tools

    Lab Duration

    Time: 60 Minutes

    Overview of Enumeration

    Enumeration is the process of extracting user names, machine names, network resources, shares, and services from a system. Enumeration techniques are conducted in an intranet environment.


    Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 04 Enumeration

    CEH Lab Manual Page 267. Ethical Hacking and Countermeasures Copyright by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.


    Lab Tasks

    Recommended labs to assist you in Enumeration:

    Enumerating a Target Network Using Nmap Tool

    Enumerating NetBIOS Using the SuperScan Tool

    Enumerating NetBIOS Using the NetBIOS Enumerator Tool

    Enumerating a Network Using the SoftPerfect Network Scanner

    Enumerating a Network Using SolarWinds Toolset

    Enumerating the System Using Hyena

    Lab Analysis

    Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.


    PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.


    Enumerating a Target Network Using Nmap

    Enumeration is the process of extracting user names, machine names, network resources, shares, and services from a system.

    Lab Scenario

    In fact, a penetration test begins before penetration testers have even made contact with the victim systems. During enumeration, information is systematically collected and individual systems are identified. The pen testers examine the systems in their entirety, which allows evaluating security weaknesses. In this lab, we discuss Nmap; it uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, and what type of packet filters/firewalls are in use. It was designed to rapidly scan large networks. By using the open ports, an attacker can easily attack the target machine; to overcome this type of attack, the network is filled with IP filters, firewalls, and other obstacles.

    As an expert ethical hacker and penetration tester, you need to enumerate a target network and extract a list of computers, user names, user groups, machine names, network resources, and services using various enumeration techniques.

    Lab Objectives

    The objective of this lab is to help students understand and perform enumeration on target network using various techniques to obtain:

    User names and user groups

    Lists of computers, their operating systems, and the ports on them

    Machine names, network resources, and services

    Lists of shares on the individual hosts on the network

    Policies and passwords


    Lab Environment

    To perform the lab, you need:

    A computer running Windows Server 2008 as a virtual machine

    A computer running with Windows Server 2012 as a host machine

    Nmap is located at D:\CEH-Tools\CEHv8 Module 04 Enumeration\Additional Enumeration Pen Testing Tools\Nmap

    Administrative privileges to install and run tools

    Lab Duration

    Time: 10 Minutes

    Overview of Enumeration

    Enumeration is the process of extracting user names, machine names, network resources, shares, and services from a system. Enumeration techniques are conducted in an intranet environment.

    Lab Tasks

    The basic idea in this section is to:

    Perform scans to find hosts with NetBIOS ports open (135, 137-139, 445)

    Do an nbtstat scan to find generic information (computer names, user names, MAC addresses) on the hosts

    Create a Null Session to these hosts to gain more information

    Install and Launch Nmap in a Windows Server 2012 machine

    1. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.


    Note: Take a snapshot (a type of quick backup) of your virtual machine before each lab, because if something goes wrong, you can go back to it.

    TASK 1: Nbtstat and Null Sessions

    [Screenshot: Windows Server 2012 Start screen with the Nmap - Zenmap GUI app tile]

    FIGURE 1.2: Windows Server 2012 Apps

    3. Start your virtual machine running Windows Server 2008.

    4. Now launch the nmap tool in the Windows Server 2012 host machine.

    5. Perform nmap -O scan for the Windows Server 2008 virtual machine (10.0.0.6) network. This takes a few minutes.

    Note: IP addresses may vary in your lab environment.

    [Screenshot: Zenmap main window with Target set to 10.0.0.6 and Command set to nmap -O 10.0.0.6]

    FIGURE 1.3: The Zenmap Main window

    Note: Use the --osscan-guess option for best results in nmap.

    6. Nmap performs a scan for the provided target IP address and outputs the results on the Nmap Output tab.

    7. Your first target is the computer with a Windows operating system on which you can see ports 139 and 445 open. Remember this usually works only against Windows but may partially succeed if other OSes have these ports open. There may be more than one system that has NetBIOS open.

    Note: Nmap.org is the official source for downloading Nmap source code and binaries for Nmap and Zenmap.


    TASK 2: Find hosts with NetBIOS ports open

    Zenmap, Nmap Output tab (Target: 10.0.0.6, Command: nmap -O 10.0.0.6):

        nmap -O 10.0.0.6

        Starting Nmap 6.01 ( http://nmap.org ) at 2012-09-04 10:55
        Nmap scan report for 10.0.0.6
        Host is up (0.00011s latency).
        Not shown: 993 filtered ports
        PORT      STATE SERVICE
        135/tcp   open  msrpc
        139/tcp   open  netbios-ssn
        445/tcp   open  microsoft-ds
        554/tcp   open  rtsp
        2869/tcp  open  icslap
        5357/tcp  open  wsdapi
        10243/tcp open  unknown
        MAC Address: - (Microsoft)
        Warning: OSScan results may b[...] not find at least 1 open and 1 closed port
        Device type: general purpose
        Running: Microsoft Windows 7|Vista|2008
        OS CPE: cpe:/o:microsoft:windows_7::professional cpe:/o:microsoft:windows_vista:: cpe:/[...]

    FIGURE 1.4: The Zenmap output window

    8. Now you see that ports 139 and 445 are open and port 139 is using NetBIOS.

    9. Now launch the command prompt in Windows Server 2008 virtual machine and perform nbtstat on port 139 of the target machine.

    10. Run the command nbtstat -A 10.0.0.7.

    Administrator: Command Prompt

        C:\Users\Administrator>nbtstat -A 10.0.0.7

        Local Area Connection 2:
        Node IpAddress: [10.0.0.3] Scope Id: []

                   NetBIOS Remote Machine Name Table

               Name               Type         Status
            WIN-D39MR5HL9E4       UNIQUE      Registered
            WORKGROUP      <00>   GROUP       Registered
            WIN-D39MR5HL9E4       UNIQUE      Registered

            MAC Address = [illegible]

        C:\Users\Administrator>

    Note: Nmap has traditionally been a command-line tool run from a UNIX shell or (more recently) a Windows command prompt.

    FIGURE 1.5: Command Prompt with the nbtstat command

    11. We have not even created a null session (an unauthenticated session) yet, and we can still pull this info down.

    TASK 3: Create a Null Session

    12. Now create a null session.


    13. In the command prompt, type net use \\X.X.X.X\IPC$ "" /u:"" (where X.X.X.X is the address of the host machine, and there are no spaces between the double quotes).

    Administrator: Command Prompt

        C:\>net use \\10.0.0.7\IPC$ "" /u:""

        Local name
        Remote name       \\10.0.0.7\IPC$
        Resource type     IPC
        Status            OK
        # Opens           0
        # Connections     1
        The command completed successfully.

        C:\>

    FIGURE 1.6: The command prompt with the net use command

    14. Confirm it by issuing a generic net use command to see connected null sessions from your host.

    15. To confirm, type net use, which should list your newly created null session.

    Note: Net Command Syntax: NET [ ACCOUNTS | COMPUTER | CONFIG | CONTINUE | FILE | GROUP | HELP | HELPMSG | LOCALGROUP | NAME | PAUSE | PRINT | SEND | SESSION | SHARE | START | STATISTICS | STOP | TIME | USE | USER | VIEW ]

    FIGURE 1.7: The command prompt with the net use command

    Lab Analysis

    Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.


    Tool/Utility: Nmap

    Information Collected/Objectives Achieved:

    Target Machine: 10.0.0.6

    List of Open Ports: 135/tcp, 139/tcp, 445/tcp, 554/tcp, 2869/tcp, 5357/tcp, 10243/tcp

    NetBIOS Remote machine IP address: 10.0.0.7

    Output: Successful connection of Null session

    PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

    Questions

    1. Evaluate what nbtstat -A shows us for each of the Windows hosts.

    2. Determine the other options of nbtstat and what each option outputs.

    3. Analyze the net use command used to establish a null session on the target machine.

    Internet Connection Required: [ ] Yes [x] No

    Platform Supported: [x] Classroom [x] iLabs


    Lab

    Enumerating NetBIOS Using the SuperScan Tool

    SuperScan is a TCP port scanner, pinger, and resolver. The tool's features include extensive Windows host enumeration capability, TCP SYN scanning, and UDP scanning.

    Lab Scenario

    During enumeration, information is systematically collected and individual systems are identified. The pen testers examine the systems in their entirety; this allows evaluating security weaknesses. In this lab we extract NetBIOS information, user and group accounts, network shares, trusted domains, and services, which are either running or stopped. SuperScan detects open TCP and UDP ports on a target machine and determines which services are running on those ports; by using this, an attacker can exploit the open port and hack your machine. As an expert ethical hacker and penetration tester, you need to enumerate target networks and extract lists of computers, user names, user groups, machine names, network resources, and services using various enumeration techniques.

    Lab Ob jectives

    The objective of this lab is to help students learn and perform NetBIOS enumeration. NetBIOS enumeration is carried out to obtain:

    List of computers that belong to a domain

    List of shares on the individual hosts on the network

    Policies and passwords


    Lab Environment

    To carry out the lab, you need:

    SuperScan tool is located at D:\CEH-Tools\CEHv8 Module 04 Enumeration\NetBIOS Enumeration Tools\SuperScan

    You can also download the latest version of SuperScan from this link: http://www.mcafee.com/us/downloads/free-tools/superscan.aspx

    A computer running Windows Server 2012 as host machine

    Windows 8 running on a virtual machine as target machine

    Administrative privileges to install and run tools

    A web browser with an Internet connection

    Lab Duration

    Time: 10 Minutes

    Overview of NetBIOS Enumeration

    1. The purpose of NetBIOS enumeration is to gather information, such as:

    a. Account lockout threshold

    b. Local groups and user accounts

    c. Global groups and user accounts

    2. Restrict anonymous bypass routine and also password checking:

    a. Checks for user accounts with blank passwords

    b. Checks for user accounts with passwords that are same as the usernames in lower case

    Lab Tasks

    1. Double-click the SuperScan4 file. The SuperScan window appears.


    Note: You can also download SuperScan from http://www.foundstone.co

    Note: SuperScan is not supported by Windows 95/98/ME.

    TASK 1: Perform Enumeration


    2. Click the Windows Enumeration tab located on the top menu.

    3. Enter the Hostname/IP/URL in the text box. In this lab, we have a Windows 8 virtual machine IP address. These IP addresses may vary in lab environments.

    4. Check the types of enumeration you want to perform.

    5. Now, click Enumerate.

    [Screenshot: SuperScan 4.0, Windows Enumeration tab, Hostname/IP/URL set to 10.0.0.8. Enumeration Type checkboxes: NetBIOS Name Table, NULL Session, MAC Addresses, Workstation type, Users, Groups, RPC Endpoint Dump, Account Policies, Shares, Domains, Remote Time of Day, Logon Sessions, Drives, Trusted Domains, Services, Registry]

    FIGURE 2.2: SuperScan main window with IP address

    Note: Windows XP Service Pack 2 has removed raw sockets support, which now limits SuperScan and many other network scanning tools. Some functionality can be restored by running net stop SharedAccess at the Windows command prompt before starting SuperScan.

    SuperScan features:

    Superior scanning speed
    Support for unlimited IP ranges
    Improved host detection using multiple ICMP methods
    TCP SYN scanning
    UDP scanning (two methods)
    IP address import supporting ranges and CIDR formats
    Simple HTML report generation
    Source port scanning
    Fast hostname resolving
    Extensive banner grabbing
    Massive built-in port list description database
    IP and port scan order randomization
    A collection of useful tools (ping, traceroute, Whois etc.)
    Extensive Windows host enumeration capability


    6. SuperScan starts enumerating the provided hostname and displays the results in the right pane of the window.

    SuperScan 4.0, Windows Enumeration tab, results pane for Hostname/IP/URL 10.0.0.8:

        NetBIOS information on 10.0.0.8

        4 names in table
        ADMIN      00  UNIQUE  Workstation service name
        WORKGROUP  00  GROUP   Workstation service name
        ADMIN      20  UNIQUE  Server services name
        WORKGROUP  1E  GROUP   Group name

        MAC address 0 [illegible]

        Attempting a NULL session connection on 10.0.0.8
        Workstation/server type on 10.0.0.8
        Users on 10.0.0.8
        Groups on 10.0.0.8
        RPC endpoints on 10.0.0.8
        Entry 0

    FIGURE 2.3: SuperScan main window with results

    7. Wait for a while to complete the enumeration process.

    8. After the completion of the enumeration process, an Enumeration completion message displays.

    [Screenshot: SuperScan 4.0 results pane listing the sections Shares, Domains, Remote time of day, Logon sessions, Drives, Trusted Domains, Remote services, and Remote registry items on 10.0.0.8, ending with "Enumeration complete"]

    FIGURE 2.4: SuperScan main window with results

    9. Now move the scrollbar up to see the results of the enumeration.

    Note: You can use SuperScan to perform port scans, retrieve general network information, such as name lookups and traceroutes, and enumerate Windows host information, such as users, groups, and services.

    Note: Your scan can be configured in the Host and Service Discovery and Scan Options tabs. The Scan Options tab lets you control such things as name resolution and banner grabbing.

    TASK: Erase Results


    10. To perform a new enumeration on another host name, click the Clear button at the top right of the window. The option erases all the previous results.

    [Screenshot: SuperScan 4.0 results pane scrolled to the RPC endpoint dump for 10.0.0.8; each entry lists Interface, Binding, Object Id, and Annotation]

    Note: SuperScan has four different ICMP host discovery methods available. This is useful, because while a firewall may block ICMP echo requests, it may not block other ICMP packets, such as timestamp requests. SuperScan gives you the potential to discover more hosts.

    FIGURE 2.5: SuperScan main window with results

    Lab Analysis

    Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.

    Tool/Utility: SuperScan Tool

    Information Collected/Objectives Achieved:

    Enumerating Virtual Machine IP address: 10.0.0.8

    Performing Enumeration Types: Null Session, MAC Address, Work Station Type, Users, Groups, Domain, Account Policies, Registry

    Output: Interface, Binding, Objective ID, and Annotation


    PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

    Questions

    1. Analyze how remote registry enumeration is possible (assuming appropriate access rights have been given) and is controlled by the provided registry.txt file.

    2. As far as stealth is concerned, this program, too, leaves a rather large footprint in the logs, even in SYN scan mode. Determine how you can avoid this footprint in the logs.

    Internet Connection Required: [ ] Yes [x] No

    Platform Supported: [x] Classroom [x] iLabs


    Lab 3

    Enumerating NetBIOS Using the NetBIOS Enumerator Tool

    Enumeration is the process of probing identified services for known weaknesses.

    Lab Scenario

    Enumeration is the first attack on a target network; enumeration is the process of gathering the information about a target machine by actively connecting to it. Discover NetBIOS name enumeration with NBTscan. Enumeration means to identify the user account, system account, and admin account. In this lab, we enumerate a machine's user name, MAC address, and domain group. You must have sound knowledge of enumeration, a process that requires an active connection to the machine being attacked. A hacker enumerates applications and banners in addition to identifying user accounts and shared resources.

    Lab Objectives

    The objective of this lab is to help students learn and perform NetBIOS enumeration.

    The purpose of NetBIOS enumeration is to gather the following information:

    Account lockout threshold

    Local groups and user accounts

    Global groups and user accounts

    To restrict anonymous bypass routine and also password checking for user accounts with:

    Blank passwords

    Passwords that are same as the username in lower case

    Lab Environment

    To carry out the lab, you need:


    NetBIOS Enumerator tool is located at D:\CEH-Tools\CEHv8 Module 04 Enumeration\NetBIOS Enumeration Tools\NetBIOS Enumerator

    You can also download the latest version of NetBIOS Enumerator from the link http://nbtenum.sourceforge.net/

    If you decide to download the latest version, then screenshots shown in the lab might differ

    Run this tool in Windows Server 2012

    Administrative privileges are required to run this tool

    Lab Duration

    Time: 10 Minutes

    Overview of Enumeration

    Enumeration involves making active connections, so that they can be logged. Typical information attackers look for in enumeration includes user account names for future password guessing attacks. NetBIOS Enumerator is an enumeration tool that shows how to use remote network support and to deal with some other interesting web techniques, such as SMB.
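Because these connections are logged, a null session leaves records a defender can search for. The following added example (not from the lab manual) pairs Windows Security event 4624 anonymous network logons with event 5140 access to the IPC$ share from the same address. The event records are constructed, the field names follow the Windows Security event schema, and the 30-second pairing window is an assumption.

```python
from datetime import datetime, timedelta

ANONYMOUS = "ANONYMOUS LOGON"
PAIRING_WINDOW = timedelta(seconds=30)  # assumption: tune for your environment

# Constructed records shaped like exported Windows Security events.
# 4624 = an account was successfully logged on (LogonType 3 = network).
# 5140 = a network share object was accessed (needs file share auditing).
SAMPLE_EVENTS = [
    {"EventID": 4624, "TimeCreated": "2012-09-04T11:02:10", "LogonType": 3,
     "TargetUserName": "ANONYMOUS LOGON", "IpAddress": "10.0.0.3"},
    {"EventID": 5140, "TimeCreated": "2012-09-04T11:02:11",
     "SubjectUserName": "ANONYMOUS LOGON", "IpAddress": "10.0.0.3",
     "ShareName": r"\\*\IPC$"},
    {"EventID": 4624, "TimeCreated": "2012-09-04T11:05:00", "LogonType": 3,
     "TargetUserName": "alice", "IpAddress": "10.0.0.8"},
    {"EventID": 5140, "TimeCreated": "2012-09-04T11:05:01",
     "SubjectUserName": "alice", "IpAddress": "10.0.0.8",
     "ShareName": r"\\*\IPC$"},
    {"EventID": 4624, "TimeCreated": "2012-09-04T11:30:00", "LogonType": 3,
     "TargetUserName": "ANONYMOUS LOGON", "IpAddress": "10.0.0.9"},
]


def _when(event):
    return datetime.fromisoformat(event["TimeCreated"])


def anonymous_logons(events):
    """Network logons (type 3) recorded for the anonymous account."""
    return [
        e for e in events
        if e["EventID"] == 4624
        and e.get("LogonType") == 3
        and e.get("TargetUserName", "").upper() == ANONYMOUS
    ]


def anonymous_ipc_access(events):
    """IPC$ share access performed by the anonymous account."""
    return [
        e for e in events
        if e["EventID"] == 5140
        and e.get("SubjectUserName", "").upper() == ANONYMOUS
        and e.get("ShareName", "").upper().endswith("IPC$")
    ]


def null_session_findings(events, window=PAIRING_WINDOW):
    """One finding per anonymous logon.

    Confidence is "high" when the same source address touches IPC$ within
    the window after the logon; a lone anonymous logon is "low" because
    Windows also records those for benign reasons.
    """
    ipc = anonymous_ipc_access(events)
    findings = []
    for logon in anonymous_logons(events):
        paired = any(
            share["IpAddress"] == logon["IpAddress"]
            and timedelta(0) <= _when(share) - _when(logon) <= window
            for share in ipc
        )
        findings.append({
            "source": logon["IpAddress"],
            "time": logon["TimeCreated"],
            "confidence": "high" if paired else "low",
        })
    return findings


if __name__ == "__main__":
    for finding in null_session_findings(SAMPLE_EVENTS):
        print(finding)
```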

    Lab Tasks

    TASK 1: Performing Enumeration using NetBIOS Enumerator

    1. To launch NetBIOS Enumerator go to D:\CEH-Tools\CEHv8 Module 04 Enumeration\NetBIOS Enumeration Tools\NetBIOS Enumerator, and double-click NetBIOS Enumerater.exe.

    [Screenshot: NetBIOS Enumerator main window with empty "from" and "to" fields under "IP range to scan", "Your local ip: 10.0.0.7", Scan, Clear and Settings buttons, and a Debug window pane]

    FIGURE 3.1: NetBIOS Enumerator main window

    Note: NetBIOS is designed to help troubleshoot NetBIOS name resolution problems. When a network is functioning normally, NetBIOS over TCP/IP (NetBT) resolves NetBIOS names to IP addresses.


    2. In the IP range to scan section at the top left of the window, enter an IP range in from and to text fields.

    3. Click Scan.

    [Screenshot: NetBIOS Enumerator with the IP range to scan set from 10.0.0.1 to 10.0.0.50; your local IP: 10.0.0.7]

    FIGURE 3.2: NetBIOS Enumerator with IP range to scan

    4. NetBIOS Enumerator starts scanning for the range of IP addresses provided.

    5. After the completion of scanning, the results are displayed in the left pane of the window.

    6. A Debug window section, located in the right pane, shows the scanning of the inserted IP range and displays Ready! after completion of the scan.

    Features:

    Added port scan GUI - ports can be added, deleted, edited
    Dynamic memory management
    Threaded work (64 ports scanned at once)

    Note: Network function SMB scanning is also implemented and running.

    Note: The network function, NetServerGetInfo, is also implemented in this tool.


    NetBIOS Enumerator results (IP range to scan from 10.0.0.1 to 10.0.0.50, your local IP 10.0.0.7; the Debug window shows "Scanning from: ... to: 10.0.0.50" and "Ready!"):

        10.0.0.3 [WIN-ULY858KHQIP]
            NetBIOS Names (3)
                WIN-ULY858KHQIP - Workstation Service
                WORKGROUP - Domain Name
                WIN-ULY858KHQIP - File Server Service
            Username: (No one logged on)
            Domain: WORKGROUP
            Round Trip Time (RTT): 3 ms - Time To Live (TTL) [cut off in screenshot]

        10.0.0.6 [ADMIN-PC]
            NetBIOS Names (6)
                ADMIN-PC - Workstation Service
                WORKGROUP - Domain Name
                ADMIN-PC - File Server Service
                WORKGROUP - Potential Master Browser
                WORKGROUP - Master Browser
                __MSBROWSE__ - Master Browser
            Username: (No one logged on)
            Domain: WORKGROUP
            Round Trip Time (RTT): 0 ms - Time To Live (TTL) [cut off in screenshot]

        10.0.0.7 [WIN-D39MR5HL9E4]
            NetBIOS Names (3)
            Username: (No one logged on)
            Domain: WORKGROUP
            Round Trip Time (RTT): 0 ms - Time To Live (TTL) [cut off in screenshot]

    Note: The protocol SNMP is implemented and running on all versions of Windows.

    FIGURE 3.3: NetBIOS Enumerator results

    7. To perform a new scan or rescan, click Clear.

    8. If you are going to perform a new scan, the previous scan results are erased.

    Lab Analysis

    Analyze and document the results related to the lab exercise.

    Tool/Utility: NetBIOS Enumerator Tool

    Information Collected/Objectives Achieved:

    IP Address Range: 10.0.0.1 - 10.0.0.50

    Result:

    Machine Name
    NetBIOS Names
    User Name
    Domain
    MAC Address
    Round Trip Time (RTT)

    Enumerating a Network Using SoftPerfect Network Scanner

    SoftPerfect Network Scanner is a free multi-threaded IP, NetBIOS, and SNMP scanner with a modern interface and many advanced features.

    Lab Scenario

    To be an expert ethical hacker and penetration tester, you must have sound knowledge of enumeration, which requires an active connection to the machine being attacked. A hacker enumerates applications and banners in addition to identifying user accounts and shared resources. In this lab we try to resolve host names and auto-detect your local and external IP range.

    Lab Objectives

    The objective of this lab is to help students learn and perform NetBIOS enumeration. NetBIOS enumeration is carried out to detect:

    Hardware MAC addresses across routers

    Hidden shared folders and writable ones

    Internal and external IP address

    Lab Environment

    To carry out the lab, you need:

    SoftPerfect Network Scanner is located at D:\CEH-Tools\CEHv8 Module 04 Enumeration\SNMP Enumeration Tools\SoftPerfect Network Scanner

    You can also download the latest version of SoftPerfect Network Scanner from the link http://www.softperfect.com/products/networkscanner/

    If you decide to download the latest version, then screenshots shown in the lab might differ

    Run this tool in Windows Server 2012

    Administrative privileges are required to run this tool

    Lab Duration

    Time: 5 Minutes

    Overview of Enumeration

    Enumeration involves an active connection so that it can be logged. Typical information that attackers are looking for includes user account names for future password-guessing attacks.
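
Because enumeration needs an active connection, a sweep like the one in this lab shows up in logs as one source address touching many hosts on the same few service ports. The following added example (not part of the lab manual) flags that pattern; the log lines are constructed, laid out in the Windows Firewall log field order as if several hosts' logs had been merged, and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Service ports probed by NetBIOS, SMB and SNMP enumeration tools.
ENUM_PORTS = {("UDP", 137), ("TCP", 139), ("TCP", 445), ("UDP", 161)}

# Constructed sample: 10.0.0.7 sweeps six hosts in a few seconds, 10.0.0.6 is
# a normal file-share client, 10.0.0.8 polls five hosts one hour apart.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2018-06-04 10:15:00 ALLOW ICMP 10.0.0.7 10.0.0.1 - - 60 - - - - 8 0 - RECEIVE
2018-06-04 10:15:01 ALLOW UDP 10.0.0.7 10.0.0.1 51000 137 78 - - - - - - - RECEIVE
2018-06-04 10:15:01 ALLOW UDP 10.0.0.7 10.0.0.2 51000 137 78 - - - - - - - RECEIVE
2018-06-04 10:15:02 ALLOW UDP 10.0.0.7 10.0.0.3 51000 137 78 - - - - - - - RECEIVE
2018-06-04 10:15:02 DROP UDP 10.0.0.7 10.0.0.4 51000 137 78 - - - - - - - RECEIVE
2018-06-04 10:15:03 ALLOW UDP 10.0.0.7 10.0.0.5 51000 137 78 - - - - - - - RECEIVE
2018-06-04 10:15:03 ALLOW UDP 10.0.0.7 10.0.0.6 51000 137 78 - - - - - - - RECEIVE
2018-06-04 10:15:04 ALLOW TCP 10.0.0.7 10.0.0.3 51010 445 52 S 0 0 8192 - - - RECEIVE
2018-06-04 10:15:05 ALLOW TCP 10.0.0.6 10.0.0.2 49200 445 52 S 0 0 8192 - - - RECEIVE
2018-06-04 10:20:05 ALLOW TCP 10.0.0.6 10.0.0.2 49201 445 52 S 0 0 8192 - - - RECEIVE
2018-06-04 08:00:00 ALLOW UDP 10.0.0.8 10.0.0.1 52000 161 70 - - - - - - - RECEIVE
2018-06-04 09:00:00 ALLOW UDP 10.0.0.8 10.0.0.2 52000 161 70 - - - - - - - RECEIVE
2018-06-04 10:00:00 ALLOW UDP 10.0.0.8 10.0.0.3 52000 161 70 - - - - - - - RECEIVE
2018-06-04 11:00:00 ALLOW UDP 10.0.0.8 10.0.0.5 52000 161 70 - - - - - - - RECEIVE
2018-06-04 12:00:00 ALLOW UDP 10.0.0.8 10.0.0.6 52000 161 70 - - - - - - - RECEIVE
"""


def parse_line(line):
    """Return (timestamp, protocol, src, dst, dst_port), or None for header
    lines, short lines and records without a numeric port (such as ICMP)."""
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    if len(fields) < 8:
        return None
    try:
        ts = datetime.strptime(fields[0] + " " + fields[1], "%Y-%m-%d %H:%M:%S")
        dst_port = int(fields[7])
    except ValueError:
        return None
    return ts, fields[3].upper(), fields[4], fields[5], dst_port


def find_sweeps(log_text, min_hosts=5, window=timedelta(seconds=60)):
    """Flag sources that reach min_hosts or more distinct destinations on
    enumeration ports inside one sliding time window."""
    events = defaultdict(list)  # source IP -> [(ts, dst, protocol, port)]
    for raw in log_text.splitlines():
        record = parse_line(raw.strip())
        if record is None:
            continue
        ts, proto, src, dst, port = record
        if (proto, port) in ENUM_PORTS:
            events[src].append((ts, dst, proto, port))

    alerts = []
    for src, evs in events.items():
        evs.sort()
        start, most_hosts = 0, 0
        for end in range(len(evs)):
            # Shrink the window from the left until it spans <= `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            hosts = {e[1] for e in evs[start:end + 1]}
            most_hosts = max(most_hosts, len(hosts))
        if most_hosts >= min_hosts:
            alerts.append({
                "source": src,
                "distinct_hosts": most_hosts,
                "ports": sorted({f"{e[2]}/{e[3]}" for e in evs}),
            })
    return sorted(alerts, key=lambda a: a["source"])


if __name__ == "__main__":
    for alert in find_sweeps(SAMPLE_LOG):
        print(alert)
```

The slow poller 10.0.0.8 is only caught when the window is widened to hours, which is the trade-off to tune against normal management traffic.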

    Lab Task

    1. To launch SoftPerfect Network Scanner, navigate to D:\CEH-Tools\CEHv8 Module 04 Enumeration\SNMP Enumeration Tools\SoftPerfect Network Scanner

    2. Double-click netscan.exe

    [Screenshot: SoftPerfect Network Scanner main window with the menu bar (File, View, Actions, Options, Bookmarks, Help), the Range From / To fields set to 0.0.0.0, a Start Scanning button, and an empty results list with columns IP Address, Host Name, MAC Address and Response Time.]

    FIGURE 4.1: SoftPerfect Network Scanner main window

    3. To start scanning your network, enter an IP range in the Range From field and click Start Scanning.

    Note: You can also download SoftPerfect Network Scanner from http://www.SoftPerfect.com.

    Task 1: Enumerate Network

    Note: SoftPerfect allows you to mount shared folders as network drives, browse them using Windows Explorer, and filter the results list.

    [Screenshot: SoftPerfect Network Scanner with Range From set to 10.0.0.1 and To set to 10.0.0.50, next to the Start Scanning button; the results list is still empty (Devices 0/0).]

    FIGURE 4.2: SoftPerfect setting an IP range to scan

    4. The status bar displays the status of the scanned IP addresses at the bottom of the window.

    [Screenshot: scan in progress for the range 10.0.0.1 to 10.0.0.50 (the button now reads Stop Scanning). The MAC addresses are truncated in the screenshot and are omitted here.]

    IP Address    Host Name          Response Time
    10.0.0.1                         0 ms
    10.0.0.2      WIN-MSSELCK4...    2 ms
    10.0.0.3      WIN-ULY858KH...    1 ms
    10.0.0.5      WIN-LXQN3WR...     4 ms
    10.0.0.6      ADMIN-PC           0 ms
    10.0.0.7      WIN-D39MR5H...     0 ms
    10.0.0.8      ADMIN              0 ms
    10.0.0.10     WINDOWS8           2 ms

    FIGURE 4.3: SoftPerfect status bar

    5. To view the properties of an individual IP address, right-click that particular IP address.

    Note: SoftPerfect Network Scanner can also check for a user-defined port and report if one is open. It can also resolve host names and auto-detect your local and external IP range. It supports remote shutdown and Wake-On-LAN.

    [Screenshot: SoftPerfect Network Scanner results for the eight discovered hosts (10.0.0.1, 10.0.0.2, 10.0.0.3, 10.0.0.5, 10.0.0.6, 10.0.0.7, 10.0.0.8, 10.0.0.10; Devices 8/8), with the right-click context menu open on one host: Open Computer, Copy, Properties, Rescan Computer, Wake-On-LAN, Remote Shutdown, Remote Suspend / Hibernate, Send Message..., Create Batch File...]

    FIGURE 4.4: SoftPerfect IP address scanned details

    Lab Analysis

    Analyze and document the results related to the lab exercise.

    Tool/Utility: SoftPerfect Network Scanner

    Information Collected/Objectives Achieved:

    IP Address Range: 10.0.0.1 - 10.0.0.50

    Result:

    IP Address
    Host Names
    MAC Address
    Response Time

    PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

    Questions

    1. Examine the detection of the IP addresses and MAC addresses across routers.

    2. Evaluate the scans for listening ports and some UDP and SNMP services.

    3. How would you launch external third-party applications?

    Internet Connection Required: Yes

    Platform Supported: Classroom, iLabs

    Enumerating a Network Using SolarWinds Toolset

    The SolarWinds Toolset provides the tools you need as a network engineer or network consultant to get your job done. Toolset includes best-of-breed solutions that work simply and precisely, providing the diagnostic, performance, and bandwidth measurements you want, without extraneous, unnecessary features.

    Lab Scenario

    Penetration testing is much more than just running exploits against vulnerable systems like we learned in the previous module. In fact a penetration test begins before penetration testers have even made contact with the victim systems. Rather than blindly throwing out exploits and praying that one of them returns a shell, penetration testers meticulously study the environment for potential weaknesses and their mitigating factors. By the time a penetration tester runs an exploit, he or she is nearly certain that it will be successful. Since failed exploits can in some cases cause a crash or even damage to a victim system, or at the very least make the victim un-exploitable in the future, penetration testers won't get the best results. In this lab we enumerate target system services, accounts, hub ports, TCP/IP network, and routes. You must have sound knowledge of enumeration, which requires an active connection to the machine being attacked. A hacker enumerates applications and banners in addition to identifying user accounts and shared resources.

    Lab Objectives

    The objective of this lab is to help students learn and perform NetBIOS enumeration. NetBIOS enumeration is carried out to detect:

    Hardware MAC addresses across routers

    Hidden shared folders and writable ones

    Internal and external IP addresses

    Lab Environment

    To carry out the lab, you need:

    SolarWinds-Toolset-V10 located at D:\CEH-Tools\CEHv8 Module 04 Enumeration\SNMP Enumeration Tools\SolarWinds IP Network Browser

    You can also download the latest version of SolarWinds Toolset Scanner from the link http://www.solarwinds.com/

    If you decide to download the latest version, then screenshots shown in the lab might differ

    Run this tool in Windows Server 2012 Host machine and Windows Server 2008 virtual machine

    Administrative privileges are required to run this tool

    Follow the wizard-driven installation instructions

    Lab Duration

    Time: 5 Minutes

    Overview of Enumeration

    Enumeration involves an active connection so that it can be logged. Typical information that attackers are looking for includes user account names for future password guessing attacks.

    Lab Task

    1. Configure SNMP services and select Start -> Control Panel -> Administrative Tools -> Services.

    [Screenshot: the Services console listing Windows services with their Description, Status, Startup Type and Log On As columns. SNMP Service is selected (Status: Running, Startup Type: Automatic, Log On As: Local System). Its description reads: "Enables Simple Network Management Protocol (SNMP) requests to be processed by this computer. If this service is stopped, the computer will be unable to process SNMP requests. If this service is disabled, any services that explicitly depend on it will fail to start."]

    FIGURE 5.1: Setting SNMP Services

    Note: You can also download SoftPerfect Network Scanner from http://www.solarwinds.com

    Task 1: Enumerate Network

    Note: Cut troubleshooting time in half using the Workspace Studio, which puts the tools you need for common situations at your fingertips

    2. Double-click SNMP service.

    3. Click the Security tab, and click Add... The SNMP Services Configuration window appears. Select READ ONLY from Community rights and Public in Community Name, and click Add.

    [Screenshot: SNMP Service Properties (Local Computer), Security tab, with Send authentication trap checked and the Accepted community names list (Community, Rights) with its Add..., Edit and Remove buttons. The SNMP Service Configuration dialog is open with Community rights: READ ONLY and Community Name: public.]

    FIGURE 5.2: Configuring SNMP Services

    4. Select Accept SNMP packets from any host, and click OK.

    [Screenshot: SNMP Service Properties (Local Computer), Security tab, with "Accept SNMP packets from any host" selected rather than "Accept SNMP packets from these hosts".]

    Note: Monitor and alert in real time on network availability and health with tools including Real-Time Interface Monitor, SNMP Real-Time Graph, and Advanced CPU Load

    5. Install SolarWinds-Toolset-V10, located in D:\CEH-Tools\CEHv8 Module 04 Enumeration\SNMP Enumeration Tools\SolarWinds IP Network Browser.

    6. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.

    FIGURE 5.3: Setting SNMP Services

    FIGURE 5.4: Windows Server 2012 Desktop view

    7. Click the Workspace Studio app to open the SolarWinds Workspace Studio window.

    [Screenshot: Windows Server 2012 Start screen (signed in as Administrator) with app tiles including Server Manager, Windows PowerShell, Google Chrome, Hyper-V Manager, Workspace Studio, Computer, Control Panel, Internet Explorer, Command Prompt and Mozilla Firefox.]

    [Screenshot: SolarWinds Workspace Studio with the menu bar (File, Tabs, View, Devices, Interfaces, Gadgets, External Tools, Help), the Devices and Gadgets explorers on the left, and the Getting Started tab: Step 1 - Register the network devices you would like to monitor; Step 2 - Drag gadgets from the explorer at left to this workspace and associate them with a device; Step 3 - Add tabs to create groups of gadgets or organize them any way you want. A TFTP Service gadget shows Status: Running.]

    FIGURE 5.6 Solarwinds workspace studio main window

    7. Click External Tools, and then select Classic tools -> Network Discovery -> IP Network Browser.

    [Screenshot: SolarWinds Workspace Studio with the External Tools menu open. The Classic tools categories shown are Cisco Tools, IP Address Management, LaunchPad, Network Discovery, Network Monitoring, Ping Diagnostic, Security and SNMP Tools; the open submenu lists tools including DNS Audit, IP Network Browser, MAC Address Discovery, Network Sonar, Ping, Ping Sweep, Port Scanner, SNMP Sweep, Subnet List and Switch Port Mapper, with IP Network Browser highlighted.]

    Note: Deploy an array of network discovery tools including Port Scanner, Switch Port Mapper, and Advanced Subnet Calculator.

    FIGURE 5.7: Menu Escalation for IP network browser

    8. IP Network Browser will be shown. Enter the Windows 8 Virtual Machine IP address (10.0.0.7) and click Scan Device (the IP address will be different in your network).

    Note: SolarWinds Toolset applications use several methods to collect data about the health and performance of your network, including ICMP, SNMPv3, DNS and Syslog. Toolset does NOT require deployment of proprietary agents, appliances, or garden gnomes on the network.

    9. It will show the result in a line with the IP address and name of the computer that is being scanned.

    10. Now click the Plus (+) sign before the IP address.

    Note: NetFlow Realtime is intended for granular, real-time troubleshooting and analysis of NetFlow statistics on single interface and is limited to a 1 hour capture

    11. It will list all the information of the targeted IP address.

    [Screenshot: IP Network Browser [10.0.0.7] window with the menu bar (File, Edit, Nodes, MIBs, Discovery, Subnet, View, Help) and toolbar (New, Restart, Export, Print, Copy, Stop, Zoom, Ping, Telnet, Trace, Config, Surf, Settings, Help).]

    Note: To start a new tab, go to tabs on the menu bar and choose new tab. Right-click on a tab to bring up options (Import, Export, Rename, Save, Close). You can add tools to tabs from the Gadgets box in the lower left or directly from the gadgets menu. A good way to approach it is to collect all the tools you need for a given task (troubleshooting Internet connectivity, for example) on one tab. Next time you face that situation simply open that tab
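
Steps 3 and 4 of this lab leave the SNMP service with the community name public, READ ONLY rights, and packets accepted from any host. The following added example (not part of the lab manual) audits that configuration from the text printed by reg query for the service's Parameters key; the registry exports are constructed samples, and the rights numbers are the values Windows stores for each community (4 = READ ONLY, 8 = READ WRITE).

```python
import re

BASE = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters"
RIGHTS = {1: "NONE", 2: "NOTIFY", 4: "READ ONLY", 8: "READ WRITE", 16: "READ CREATE"}
DEFAULT_NAMES = {"public", "private"}

# Constructed export matching the lab: community "public", READ ONLY,
# and an empty PermittedManagers key ("Accept SNMP packets from any host").
LAB_EXPORT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\PermittedManagers

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities
    public    REG_DWORD    0x4
"""

# Constructed export of a tighter setup: non-default community name and one
# named management station (both values are made up for this example).
RESTRICTED_EXPORT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\PermittedManagers
    1    REG_SZ    10.0.0.2

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities
    lab-monitoring-7f3a    REG_DWORD    0x4
"""

# Constructed export with a writable default community.
WRITE_EXPORT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\PermittedManagers
    1    REG_SZ    10.0.0.2

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities
    private    REG_DWORD    0x8
"""


def parse_reg_query(text):
    """Map each registry key path to {value_name: (type, data)}."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = keys.setdefault(line.strip(), {})
        elif line.strip() and current is not None:
            # reg query separates name, type and data with runs of spaces.
            parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)
            if len(parts) == 3:
                current[parts[0]] = (parts[1], parts[2])
    return keys


def audit_snmp(text):
    """Return a list of findings for weak SNMP service settings."""
    keys = parse_reg_query(text)
    findings = []
    communities = keys.get(BASE + r"\ValidCommunities", {})
    for name, (vtype, data) in communities.items():
        rights = int(data, 16) if vtype == "REG_DWORD" else 0
        label = RIGHTS.get(rights, f"unknown ({rights})")
        if name.lower() in DEFAULT_NAMES:
            findings.append(f"default community name '{name}' ({label})")
        if rights >= 8:
            findings.append(f"community '{name}' allows writes ({label})")
    managers = [data for _type, data in
                keys.get(BASE + r"\PermittedManagers", {}).values()]
    if communities and not managers:
        findings.append("no permitted managers: SNMP packets accepted from any host")
    return findings


if __name__ == "__main__":
    for title, export in (("lab", LAB_EXPORT), ("restricted", RESTRICTED_EXPORT)):
        print(title, audit_snmp(export) or "no findings")
```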

    Lab Analysis

    Analyze and document the results related to the lab exercise.

    Tool/Utility: SolarWinds Tool Set

    Information Collected/Objectives Achieved:

    Scan Device IP Address: 10.0.0.7

    Output:

    Interfaces
    Services
    Accounts
    Shares
    Hub Ports
    TCP/IP Network
    IPX Network
    Routes

    PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

    Questions

    1. Analyze the details of the system such as user accounts, system MSI, hub ports, etc.

    [Screenshot: IP Network Browser [10.0.0.7] with the device node expanded, showing entries that include the Administrator and Guest accounts, Shared Printers, TCP/IP Networks, IPX Network and the route table; the status bar reports that the subnet scan is completed.]

    FIGURE 5.10: IP Network Browser windows results page

    2. Find the IP address and MAC address of the system.

    Internet Connection Required: Yes

    Platform Supported: Classroom, iLabs

    Enumerating the System Using Hyena

    Hyena uses an Explorer-style interface for all operations, including right mouse click pop-up context menus for all objects. Management of users, groups (both local and global), shares, domains, computers, services, devices, events, files, printers and print jobs, sessions, open files, disk space, user rights, messaging, exporting, job scheduling, processes, and printing are all supported.

    Lab Scenario

    The hacker enumerates applications and banners in addition to identifying user accounts and shared resources. In this lab, Hyena uses an Explorer-style interface for all operations; management of users, groups (both local and global), shares, domains, computers, services, devices, events, files, printers and print jobs, sessions, open files, disk space, user rights, messaging, exporting, job scheduling, processes, and printing are all supported. To be an expert ethical hacker and penetration tester, you must have sound knowledge of enumeration, which requires an active connection to the machine being attacked.

    Lab Objectives

    The objective of this lab is to help students learn and perform network enumeration:

    Users information in the system

    Services running in the system

    Lab Environment

    To perform the lab, you need:

    A computer running Windows Server 2012

    Administrative privileges to install and run tools

    You can also download this tool from the following link: http://www.systemtools.com/hyena/download.htm

    If you decide to download the latest version of this tool, screenshots may differ

    Lab Duration

    Time: 10 Minutes

    Overview of Enumeration

    Enumeration is the process of extracting user names, machine names, network resources, shares, and services from a system. Enumeration techniques are conducted in an intranet environment.

    Lab Tasks

    The basic idea in this section is to:

    Task 1: Installation of Hyena

    1. Navigate to D:\CEH-Tools\CEHv8 Module 04 Enumeration\Net Enumeration Tools\Hyena

    2. Double-click Hyena_English_x64.exe. You can see the following window. Click Next.

    [Screenshot: Hyena v9.0 - InstallShield Wizard]

    Note: You can download Hyena from http://www.systemtools.com/hyena/hyena_new.htm

    FIGURE 6.1: Installation of Hyena

    3. The Software License Agreement window appears; you must accept the agreement to install Hyena.

    4. Select I accept the terms of the license agreement to continue and click Next.

    FIGURE 6.2: Select the Agreement

    5. Choose the destination location to install Hyena.

    6. Click Next to continue the installation.

    [Screenshot: Hyena v9.0 - InstallShield Wizard, Choose Destination Location ("Select folder where setup will install files."), installing Hyena v9.0 to C:\Program Files\Hyena, with a Change... button.]

    Note: In addition to supporting standard Windows system management functions, Hyena also includes extensive Active Directory integration

    FIGURE 6.3: Selecting folder for installation

    7. The Ready to install the Program window appears. Click Install

    [Screenshot: Hyena v9.0 - InstallShield Wizard, Ready to Install the Program page, with instructions to click Install to begin the installation, Back to review or change installation settings, or Cancel to exit the wizard.]

    Note: Hyena can be used on any Windows client to manage any Windows NT, Windows 2000, Windows XP/Vista, Windows 7, or Windows Server 2003/2008/2012 installation

    FIGURE 6.4: selecting installation type

    8. The InstallShield Wizard complete window appears. Click Finish to complete the installation.

    [Screenshot: InstallShield Wizard Complete page, reporting that the wizard has installed Hyena v9.0 and prompting to click Finish to exit the wizard.]

    FIGURE 6.5: Ready to install window

    Task: Enumerating System Information

    9. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.

    FIGURE 6.6: Windows Server 2012 Desktop view

    10. Click the Hyena app to open the Hyena window.

    FIGURE 6.7: Windows Server 2012 Apps

    11. The Registration window will appear. Click OK to continue.

    12. The main window of Hyena is shown in the following figure.

    Note: Hyena also includes full exporting capabilities and both Microsoft Access and Excel reporting and exporting options

    13. Click + to expand Local workstation, and then click Users.

    [Screenshot: Hyena v9.0 object tree for WIN-D39MR5HL9E4 (Local Workstation) with the nodes Drives, Local Connections, Users, Local Groups, Printers, Shares, Sessions, Open Files, Services, Devices, Events, Disk Space, User Rights, Performance, Scheduled Jobs, Registry, WMI and Enterprise. Users is expanded: Administrator, Guest, Jason (Jason), Juggyboy (Juggyboy), Martin (Martin), Shiela (Shiela). Status bar: 6 user(s) found on '\\WIN-D39MR5HL9E4'.]

    FIGURE 6.9: Expand the System users

    14. To check the services running on the system, double-click Services

    [Screenshot: Hyena v9.0 - Services on \\WIN-D39MR5HL9E4, listing each service's Name, Display Name and Status (Running or Stopped), for example AdobeARMservice, AeLookupSvc, ALG, AppHostSvc, Appinfo, AppMgmt, Audiosrv, BITS, Browser, CertPropSvc, COMSysApp, CryptSvc, DcomLaunch and defragsvc. Status bar: 156 services found on \\WIN-D39MR5HL9E4.]

    FIGURE 6.10: Services running in the system

    15. To check the User Rights, click + to expand it.

    Note: Additional command-line options were added to allow starting Hyena and automatically inserting and selecting/expanding a domain, server, or computer.


    FIGURE 6.11: User Rights

    16. To check the Scheduled Jobs, click + to expand it.

    [Screenshot: Hyena v9.0 window "77 total scheduled jobs"; columns: Server, Name, Status, Trigger Type]


    Tool/Utility: Hyena

    Information Collected/Objectives Achieved:

    Intention: Enumerating the system

    Output: Local Connections, Users, Local Group, Shares, Sessions, Services, Events, User Rights, Performance, Registry, WMI

    PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

    Internet Connection Required: No

    Platform Supported: Classroom, iLabs