
Week 3: Enumeration

Isaac Richardson

Enumeration


What is enumeration?

Enumeration is gathering context specific information about a system and its users, and putting any existing information you have into context.

This gathered information is then used to assist with and enable exploitation of vulnerabilities in a system.


What are we looking for?


Website enumeration

The `dirb` tool shipped with Kali can be used to try many common sub-pages of a website.

Be aware that this isn't particularly stealthy and you're also groping in the dark: it only finds paths that happen to be in your wordlist.

Sometimes website authors think that adding a directory to the robots.txt file (intended to instruct good-faith bots what not to scan) prevents malicious people from accessing their private pages. It does not; it is a public list of the paths they would rather nobody looked at.
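The point above, as an added example that is not part of the original slides: robots.txt is advisory guidance for crawlers, not access control. The function below takes a robots.txt body plus the HTTP status an unauthenticated GET to each disallowed path actually returned, and reports paths that are "hidden" from crawlers but still served to anyone. The robots.txt body and the status map are constructed sample data; the path names are made up for the demo.

```python
"""Check whether paths a site hides via robots.txt are actually protected.

Added example, not from the original slides. All sample data is constructed.
"""

# Constructed sample robots.txt body.
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /admin/
Disallow: /backup/      # old database dumps
Disallow: /cgi-bin/
Disallow:
Allow: /public/
"""

# Constructed: status code an unauthenticated GET to each path returned.
SAMPLE_STATUS = {"/admin/": 401, "/backup/": 200, "/cgi-bin/": 403}


def disallowed_paths(robots_txt):
    """Return every non-empty Disallow path in order, deduplicated.

    Comments (from '#') are stripped; an empty 'Disallow:' means 'allow
    everything' and is skipped. User-agent groups are ignored on purpose:
    a path the site wants *any* crawler to avoid is worth reviewing.
    """
    seen = []
    for line in robots_txt.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        field, _, value = line.partition(":")
        if field.strip().lower() != "disallow":
            continue
        path = value.strip()
        if path and path not in seen:
            seen.append(path)
    return seen


def exposed_hidden_paths(robots_txt, status_by_path):
    """Paths the site hides from crawlers yet serves (2xx) without auth.

    status_by_path maps path -> HTTP status observed for an anonymous GET.
    Paths with no recorded status are returned separately as 'unchecked'
    so they are not silently treated as safe.
    """
    exposed, unchecked = [], []
    for path in disallowed_paths(robots_txt):
        status = status_by_path.get(path)
        if status is None:
            unchecked.append(path)
        elif 200 <= status < 300:
            exposed.append(path)
    return exposed, unchecked


if __name__ == "__main__":
    exposed, unchecked = exposed_hidden_paths(SAMPLE_ROBOTS, SAMPLE_STATUS)
    print("hidden-but-public:", exposed)   # ['/backup/']
    print("not checked:", unchecked)       # []
```

On a site you administer, feed `exposed_hidden_paths` the real robots.txt and the statuses from an anonymous client; anything in the first list needs authentication or removal, not another robots.txt line.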


Enumerating Subdomains

Discovering subdomains can reveal a great deal of information about a target. Many websites and other HTTP services are hosted behind reverse proxies that use the Host header to select which back-end to proxy to, so a hostname you don't know about is a service you can't reach. There are several ways to discover subdomains, such as examining TLS certificates, querying DNS servers and brute forcing, and lots of tools automate this.

As an example we will use lancaster.ac.uk.


Findomain, sublist3r, etc

Brute-force approach: these tools query many different APIs for subdomains and optionally resolve the IPs the discovered domains point to.


Subdomains from Certs
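Public Certificate Transparency logs record every certificate issued for a domain, so the subject alternative names in those certificates are a passive source of host names. The following is an added example (not the slides' own code) that extracts concrete host names from a CT query result. The JSON shape mirrors what crt.sh returns for `?q=%.example.com&output=json`, which is an assumption about its field names that you should verify against a live response; the sample entries are constructed and use the reserved documentation domain example.com. The same parsing is what a defender uses to spot certificates for hosts they did not know they had.

```python
"""Extract host names under a domain from Certificate Transparency results.

Added example, not from the original slides. The JSON shape is assumed to
match crt.sh's output; the entries themselves are constructed.
"""
import json
from urllib.request import urlopen

# Constructed sample in crt.sh's JSON shape: one object per logged certificate,
# 'name_value' holds the subject alternative names, newline-separated.
SAMPLE_CT_JSON = json.dumps([
    {"common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com"},
    {"common_name": "*.example.com",
     "name_value": "*.example.com"},
    {"common_name": "portal.example.com",
     "name_value": "portal.example.com\nVPN.example.com."},
    {"common_name": "example.com.evil.test",
     "name_value": "example.com.evil.test"},
])


def subdomains_from_ct(json_text, domain):
    """Return the sorted, de-duplicated concrete host names under `domain`
    named by any certificate in the CT result.

    - names are lower-cased and trailing dots removed (DNS is case-insensitive)
    - wildcard entries (*.domain) are dropped: they name no concrete host
    - names that merely *contain* the domain (example.com.evil.test) are
      excluded by requiring the domain as a label-boundary suffix
    """
    domain = domain.lower().rstrip(".")
    suffix = "." + domain
    hosts = set()
    for entry in json.loads(json_text):
        for raw in entry.get("name_value", "").split("\n"):
            name = raw.strip().lower().rstrip(".")
            if not name or name.startswith("*."):
                continue
            if name == domain or name.endswith(suffix):
                hosts.add(name)
    return sorted(hosts)


def fetch_ct_json(domain, timeout=30):
    """Live lookup against crt.sh (needs network; not used by the offline demo).

    The query URL pattern is crt.sh's documented form: a leading '%.' wildcard
    and output=json.
    """
    url = f"https://crt.sh/?q=%25.{domain}&output=json"
    with urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for host in subdomains_from_ct(SAMPLE_CT_JSON, "example.com"):
        print(host)
```

The suffix check matters: a naive `domain in name` test would happily report `example.com.evil.test` as one of your hosts.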




FTP Enumeration

FTP is used to transfer files from a server to other computers. Some servers have anonymous login enabled:

Username: anonymous
Password: <anything/blank>

Can also brute force credentials using Hydra:

hydra -L <user list> -P <pass list> -vV <IP> ftp

/usr/share/wordlists/rockyou.txt (on Kali) is a huge password list.


Anonymous login and hidden stuff in file shares

SMB shares and FTP servers can be misconfigured to allow anonymous logins, letting attackers enumerate part of the file server or the server in its entirety.

ftp <IP>

Username: anonymous
Password: <anything/blank>

smbclient -L //<IP> -N

smbclient //<IP>/<share> -N


DNS

“Normal” DNS query:

dig @server <query type (A|AAAA|MX|TXT|CNAME|...)> domain

Zone Transfer

Transfers an entire zone file; if the server allows it, this reveals ALL records 😎

dig @server axfr domain.com
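What a successful transfer hands over, as an added example that is not part of the original slides: the code parses the zone-file lines `dig @server axfr domain` prints and reports whether the transfer was allowed and which records point at internal address space. A defender runs the same query against their own name servers from an untrusted network to confirm AXFR is refused. Both dig outputs below are constructed; the names use example.com and the addresses come from the documentation (203.0.113.0/24) and RFC 1918 ranges.

```python
"""Parse `dig ... axfr` output and summarise what an open zone transfer leaks.

Added example, not from the original slides. Both sample outputs are
constructed to match dig's zone-file output format.
"""
import ipaddress

# Constructed: what dig prints when the server allows the transfer.
SAMPLE_AXFR_OK = """\
; <<>> DiG 9.18.1 <<>> @ns1.example.com axfr example.com
; (1 server found)
;; global options: +cmd
example.com.\t\t3600\tIN\tSOA\tns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600
example.com.\t\t3600\tIN\tNS\tns1.example.com.
www.example.com.\t300\tIN\tA\t203.0.113.10
intranet.example.com.\t300\tIN\tA\t10.0.5.20
vpn.example.com.\t300\tIN\tA\t203.0.113.11
example.com.\t300\tIN\tMX\t10 mx1.example.com.
example.com.\t\t3600\tIN\tSOA\tns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600
;; Query time: 12 msec
;; XFR size: 7 records (messages 1, bytes 231)
"""

# Constructed: what dig prints when the server refuses.
SAMPLE_AXFR_REFUSED = """\
; <<>> DiG 9.18.1 <<>> @ns1.example.com axfr example.com
; (1 server found)
;; global options: +cmd
; Transfer failed.
"""

# RFC 1918 and IPv6 ULA space (checked explicitly rather than via
# ipaddress.is_private, which also counts the documentation ranges).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def parse_axfr(dig_output):
    """Return the resource records as dicts with name/ttl/type/rdata.

    dig's comment lines start with ';'. Record lines are
    'name TTL class TYPE rdata...'; the closing SOA that dig repeats is
    dropped so each record appears once.
    """
    records = []
    for line in dig_output.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(None, 4)
        if len(parts) < 5 or parts[2] != "IN":
            continue
        name, ttl, _cls, rtype, rdata = parts
        if rtype == "SOA" and any(r["type"] == "SOA" for r in records):
            continue  # the repeated closing SOA
        records.append({"name": name.rstrip("."), "ttl": int(ttl),
                        "type": rtype, "rdata": rdata})
    return records


def zone_transfer_allowed(dig_output):
    """True if the server handed over at least one record (a misconfiguration
    when the client is not a secondary name server)."""
    return len(parse_axfr(dig_output)) > 0


def internal_hosts_exposed(records):
    """A/AAAA records pointing at internal address space: the transfer leaked
    internal naming and addressing, usually the worst part of an open AXFR."""
    leaked = []
    for r in records:
        if r["type"] not in ("A", "AAAA"):
            continue
        try:
            addr = ipaddress.ip_address(r["rdata"])
        except ValueError:
            continue
        if any(addr in net for net in INTERNAL_NETS):
            leaked.append((r["name"], r["rdata"]))
    return leaked


if __name__ == "__main__":
    recs = parse_axfr(SAMPLE_AXFR_OK)
    print(f"transfer allowed: {zone_transfer_allowed(SAMPLE_AXFR_OK)}, {len(recs)} records")
    for name, ip in internal_hosts_exposed(recs):
        print(f"  internal host leaked: {name} -> {ip}")
    print(f"refused case allowed: {zone_transfer_allowed(SAMPLE_AXFR_REFUSED)}")
```

The fix on the server side is an `allow-transfer` (BIND) or equivalent ACL restricted to secondary name servers; re-run the check afterwards and expect the refused output.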

Quick sidenote

A huge number of products are shipped with insecure default settings and credentials. It may seem obvious to change these, but companies developing IoT devices often don't bother to let the end user change them. It is often possible to bypass fancy hacking by just investigating the default settings and credentials for a target device. The Mirai botnet compromised millions of devices with a wordlist of only 60 usernames and passwords: https://github.com/danielmiessler/SecLists/blob/master/Passwords/Malware/mirai-botnet.txt


Useful Links

https://www.virustotal.com/#/home/upload
https://searchnetworking.techtarget.com/definition/SNMP
https://www.geeksforgeeks.org/simple-mail-transfer-protocol-smtp/
https://censys.io/
https://www.shodan.io/
https://cirt.net/passwords
https://tools.kali.org/password-attacks/hydra
https://haveibeenpwned.com/


Let's start hacking

Challenges on: https://luhack.uk/w3