CompTIA CYSA+ CS0-002 – Enumeration Tools Part 1

1. Enumeration Tools (OBJ 1.4)

Enumeration tools. In this lesson, we’re going to talk about some of the enumeration tools that we’re going to experience as we’re trying to enumerate our networks. Now, what exactly is enumeration? Well, enumeration is the process to identify and scan network ranges and hosts that belong to the target and then map out an attack surface. So essentially, if an attacker is looking at your network, they’re trying to enumerate to figure out what the network looks like so they can attack it. But as defenders, we’re also going to enumerate our network because we want to know what our attack surface is. And so enumeration is used by both attackers and defenders. Now, as we start looking at enumeration, there is really two kinds of enumeration. We have active enumeration and passive enumeration.

When we talk about an active enumeration, this occurs when a connection is made from the attacker to a target, and there’s data being transmitted back and forth. Now, when we are dealing with that, sometimes we don’t want to be active because by being active, somebody can detect us because we’re actually touching their system. We also can be traced back if we’re an attacker, and that wouldn’t be good for us either. So a lot of attackers use what’s known as a semipassive technique. Now, a semipassive technique is going to use sparse and widely dispersed attempts to make that connection to the target during the reconnaissance. The reason they do this is because if they’re active and they’re actually reaching out and touching your machine and they’re doing it very quickly, you can detect that very quickly.

Most intrusion detection systems will be able to detect things like port scans and different enumeration techniques from an attacker because those are active methods. But if you’re using a semi passive method and you wait a long time in between each ping or each type of probe, that can actually delay it and make the IDs miss it. Now, on the other side, we have what’s known as passive. Now, when we deal with passive enumeration, we are talking about no connection being made here. So the attacker is not actually physically touching the target. They’re trying to analyze. Instead, they collect data on the network, and then they analyze that data to learn things about the different devices on that network. We’ll talk more about how this works as we go through this section of the course.

Now, one of the ways that we can do passive collection is using a network sniffer. For example, if I have a network sniffer on your network, I’m collecting all the traffic that’s going across your network. That is considered passive, because I’m not actually touching all those machines. I’m just collecting the network data that’s passing through that sniffer, and then I can analyze it to figure out what those machines are using. Now, there are lots of different ways to do passive collection and passive enumeration. You might use things like wireshark where you’re actually looking at the packet captures and analyzing things based on that. You can use tools like Zeke or Bro, or you can use something like p zero F, which is another tool. Now, if you’re using something like Zeke or Bro, it’s going to look like this here.

You can see that in Zeker bro being used as part of security. Onion is showing us the information about different devices on our network. As the data was crossing the network, Zeker bro was going through and looking at that and analyzing that traffic. From that, they started figuring out what software was being used on the network, what version number was being used on that network, and what type of service or support was being used on the network. And it also shows us the IP address that identified that piece of software being run on. For example, the first entry we see here is Apache and it’s running version 2. 4. This is a web server, as we can see here in the type and it’s source IP address of ten 1010. This tells me as an attacker, there’s a web server on this network, and I may want to go after it.

Now, if I skip down to the third line, I’ll also see that there’s Microsoft IIS that was detected. This is version 10. 0. This again is a web server, but it’s Microsoft’s version of web server. Instead of running Apache here, they’re running Microsoft’s Internet information services. Again, this tells me the server it’s on, in this case, ten, 10, 102. So what does that tell me about this? It tells me that this client sitting at 102 is a server and it’s running Microsoft, which means it’s running Windows and it’s running IIS. Now, knowing all that, I can find vulnerabilities on that server that are associated with this piece of software and then run my attack against it if I was an attacker. Now, the other tool I mentioned was p zero F.

And this is a tool that utilizes an array of sophisticated, purely passive trafficked fingerprinting techniques to be able to identify the players behind any incidental TCP IP communications. So even with just a single sin packet, this tool can actually detect what type of operating system or what type of browser is being used. All of this can be collected through this information. And it gives you something that looks like what you see here on the screen. So here on the screen, you can see there is a single packet, a sin packet. And from that, we found out that the client was using Windows XP. In addition to that, we see it was using a DSL line. We see how long this client has been up.

In this case, over 11 hours. And we can also see that this is using Firefox as its web browser. All of that information from just a single sin packet. And this is the type of information you can get from a passive reconnaissance. Now, the next thing we have to start thinking about is how can we actually set up this passive scanning on our network if we’re a defender. Well, as a defender is actually a lot easier for us because we have access to the network. One of the ways we can do this is by using legitimate passive scanning, using things like a tap or a port mirror. For example, if I connect this device to my network, I can do that in line. I can connect one part of my network into A, and the other part of the network in B.

And everything transmitting from A through B will have a copy of it sent out through the USB port on the other side to my machine, where I can do a packet capture. Then I can analyze all that information. If I didn’t have access to a device like this, which is a network tap, I could actually set up a port mirror and have all that data pushed out to a network client that is ready to capture that information. Now, all of these different tools are used for enumeration and reconnaissance. And to really support our enumeration and reconnaissance efforts, we’re going to be using open source intelligence, footprinting and Fingerprinting. Now, when we talk about open source intelligence, these are tools that allow us to search publicly available information in order for us to aggregate and search that data.

So if I’m going to get information like DNS records, IP addresses, any information that’s found on a public website, that is all open source intelligence. When I start talking about Footprinting, these are tools that allow us to map out the layout of the network, typically in terms of IP address usage, routing, topology, and DNS namespace, including your subdomains and your host names. When you’re thinking about Footprinting, I want you to think about networks. Think about if you’re mapping out something and you’re drawing out the big outlines. If I pull up a map of the state of Florida, you might draw the major highways like I 95 and I 75 and I four. That would be the idea of Footprinting. It’s very broad, it’s very big, but it doesn’t show you a single house or a single piece on that information. That’s where Fingerprinting comes into play.

Fingerprinting uses tools that perform host system detection to map out open ports on a system, operating system type, inversion, file shares, running services and applications, system uptime, and other useful metadata. So we have all of this information very detailed when we talk about fingerprinting. That’s the big difference here. So for the exam, you do need to understand the difference between Footprinting and Fingerprinting. Now, people will often use these terms interchangeably in the real world and in the workplace, but for the exam, they do mean different things. I want you to remember that footprinting is focused on the overall network layout and Fingerprinting is focused on a single host or single server. That is the idea when we start talking about footprinting versus fingerprinting and how both of them are are used in enumeration.

2. Nmap Discovery Scans (OBJ 1.4)

Nmap discovery scans. In this lesson, we’re going to start our coverage of Nmap, which is the world’s most popular enumeration tool. Now, Nmap comes to us from the Nmap project, which is an open source project that developed this tool and all the supporting resources that come with it. When we talk about Nmap, we’re talking about the Nmap security scanner. It is a versatile port scanner that’s used for topology, host service and operating system discovery and enumeration. Now, in this lesson, specifically, we’re going to talk about discovery scans. And an Nmap discovery scan is used to footprint the network. So if you remember our last lesson, we talked about footprinting. This is the big overview. We want to figure out what hosts are sitting on this network.

We want to figure out what this network looks like from a topology standpoint. And that would include things like IP addresses and things of that nature. Now, when we start talking about MMAP, if you want to use it in its most basic form, it’s really easy. You just type in Nmap, the IP address you want to scan, or NPAP, and the IP range you want to scan. For instance, if I type Nmap 192, 168, 100:24, that’s going to scan all 256 IPS in that range. Now, when you use Nmap in this basic syntax, this is the default configuration. It’s going to have its default behavior being used. And that default behavior is to ping and send a TCP acknowledgement packet to ports 84, four, three. This will determine whether a host is there and whether it’s present.

If that host is there and detected, nmap will then perform a port scan against that host to determine which services it’s actually running across the 1000 most commonly used ports. Now, this port scanning can be time consuming because there’s a thousand ports it’s checking. If you have a very large range, this can take a lot of time. The other thing about using Nmap in this default configuration is it is not very stealthy. Most of your intrusion detection systems or intrusion prevention systems or firewalls will see this activity as scanning and they will try to block it. And so you need to make sure that you know all the different ways to use Nmap so you’re not being blocked by these network devices. And that brings us into another way of doing things, which is what’s called a host discovery scan.

Now, a host discovery scan uses the flag SN. This is what tells us we want to do a host discovery scan instead of using the default procedures. If you only want to perform the host discovery part and not that port scan, you can use Nmap SN and then the IP range. This will suppress that 1000 port scan that I talked about using the basic syntax, using that default behavior. Now, there are lots of other scanning options that you can utilize when using Nmap, and they all rely on these things known as switches. That is that Dash SN that I just showed you? But there’s lots of different options as well. For instance, you might have a List scan which is Dash SL, and this will list the IP addresses from the supplied target range and it will perform a reverse DNS query to discover any host names associated with those IPS.

So think about this as a DNS lookup. That’s essentially what we’re doing here when we’re doing a List scan. Now, the List scan is considered more of a passive method because you’re not actually sending probes directed at the host. Instead you’re taking their IP range and you’re asking the DNS server to do those reverse lookups for you so you’re never really touching the host themselves. Now, another option you can use is what’s known as Dash PS and this is a TCP Sin ping. Now what this does is it’s going to probe all the specific ports that you list in the command and it’s going to do this using a TCP Syn packet. This is really helpful because some networks are going to block ICMP packets from being used for ping. And if you try to ping something using the ping command, it’s going to come back as host not found or no response.

But by using something like Dash here, you can actually use a Sin packet to conduct that because when you send a Syn packet to somebody, they are going to send back a Sin AK and then normally you’d send back an acknowledgement request as an act packet and that would finish the three way handshake. Well, here what we’re going to do is send out the sin. We’re going to get back the syn ACK and that tells us that host is alive. And then we’re not going to finish the three way handshake. We’re not going to send back the acknowledgment. And that way it’s less information that can go towards that host to figure out who we are. Are. Now, the next one we want to talk about is using sparse scanning. Now again, if you want to be more stealthy and you don’t want to do a ping sweep or a port scan really quickly, you can actually spread out your timing.

And if I do it over a long period of time, that can make it harder for detection to occur. So what we do is we use Dash dash scan delay and the amount of time we want to wait. This will issue probes with significant delays to become much more stealthy and avoid detection by an IDs or an IPS. The next one we want to talk about is scan timing and this uses the flag TN. This is going to issue probes when using a timing pattern with that N being the timing pattern you want to utilize. If you use a zero, that’s going to be the slowest. If you use a five, that’s going to be the fastest if you use a three, it’s somewhere in the middle. The idea here again is to try to evade detection by an IDs IPS or firewall. The next flag we’re going to talk about is Dashi, which is used for a TCP idle scan.

This is another stealthy method, and this is going to allow the scan to make it appear like it’s coming from another machine, which we’ll call a zombie. Now, this is going to allow that machine to pretend like it started the scan to hide the true identity of the scanning machine. Essentially, it’s a redirection. We’re trying to throw the defenders off our tail and be a little bit more stealthy as we go. The next thing we can use is fragmentation, and this can be done using either of two flags, either F or MTU. This is a technique that splits that TCP header of each probe being sent through multiple IP diagrams. And this will make it harder for an IDs or IPS to detect. You notice a trend here. The last couple of things we’ve talked about were all about trying to be more stealthy so we can’t be detected as an attacker.

Now, the results of a discovery scan should be a list of IP addresses and whatever they responded to in regards to the probes. It’ll look something like this. Notice here I have nmap a t four scanme. Nmap. org. Notice that? T four. Which type of scan was that? That’s right, it’s a scan timing type of scan. We’re using TN, which tells us in this case T four, which means it’s pretty darn fast. It’s not the fastest, but it’s pretty fast. Now notice the results here. You’ll see that we had two clients that were scanned. We had scamme, Mmap. org and DOE’s. Once we scanned those, we got a response from them and they showed us what interesting packets there were. This is giving us more information.

We’ll talk more about these port states and the different services and versions in a later lesson as we go through and learn more about Nmap. Now, another thing you got to think about is the way output is given to you in Nmap. For instance, this output you’re seeing right now is displayed to the screen, and this is what is known as interactive. This is the default setting. Whenever you run a command, by default it will display it to the screen. But you don’t have to do that. You can actually send data to a file as well. You can do this in a normal method using the on command. This flag will say, take what I saw on the screen, and instead of putting it on the screen, put it in a file. You also can use XML using Ox, and this will put it in an XML format to a file. Or you can use something that is grepable using OG.

This will allow a greppable format being sent to a file that you can later, then use grep upon to find information. This is really helpful if you have really large data sets. Now, all of these things can be looked at by a human, but XML and greppable output are much more useful if you’re trying to integrate them in with most of your Steam products. This allows you to take that information from those scans and put it into your CM database so you can correlate that with other information. And this is much more useful to you as a cybersecurity analyst. Now, let me give you a quick exam tip for the Cysaplus exam. Now, you don’t have to become an expert on Nmap.

I know I covered a lot of different flags here. You don’t have to memorize them all. But if you go into Pentest Plus, you will have to learn all these things and you’re going to have to be very comfortable with scanning networks and hosts using Nmap. It is a listed objective inside of the Pentest Plus exam and they go into a lot of depth and all the different flags here in CYSA, you really just need to understand the concept of Nmap and what you use it for. As an analyst in the real world though, you are going to use Nmap a lot to do your job. So spending some time and getting comfortable with some basic Nmap information is very critical. And that’s why we’re going to spend quite a bit of time on it in this course.

• Category: Uncategorized