CompTIA Pentest+ PT0-002 – Section 5: Active Reconnaissance Part 2

39. Conducting Enumeration (OBJ 2.3)

In this video, I’m going to demonstrate how to use Zenmap to conduct scanning and enumeration. For this example, I am connected directly to the local area network of my victim machines. So now Zenmap pops up and we can start doing our scans. The first scan we want to do is the least intrusive so we can figure out what machines are on this network. To do that, we’re going to do a ping scan. Our target for this network is going to be the entire network. So I’m going to use 192.168.56.0/24.

That will tell me that I want that entire subnet. Now, another way you could write this is we can actually say zero to 254, which would be all of those addresses as well. But in our case I would like to use the CIDR notation of /24. Now you’ll notice here in Zenmap that we actually get the command line syntax for Nmap right here shown for us. So Zenmap is going to use Nmap to do the work for us but then it’s going to take that detail and bring it back to us in a graphical format.

Now, right now our profile selected is the intensive scan and that’s going to be way too intensive for what we’re trying to do. So we’re going to go down and select a ping scan instead. Notice that the ping scan is just -sn and the IP address range that you want. And now I’m going to click Scan. Now, here in this main tab, what you’ll notice is you’re going to see the results that Nmap would provide you. In our case all we did was a ping scan so it searched 256 IP addresses and it found four of them that were up.

Those four is the server, the DHCP server we set up, one of our virtual machines, our second virtual machine, and then our Kali Linux box ourselves. Now we don’t necessarily know what these two machines are at this point. We just know that they’re up and taking requests. But since we do know that 102 is our own machine, we don’t need to scan that one anymore because we don’t need to attack it. We want to attack these other two machines. So what we’re going to do is we’re going to take it a step further, and we’re going to start doing different scans as we can gather different information.

Now, if you notice, if I click on the ports and hosts tab, there’s no ports yet because we haven’t scanned any ports. We’ve only done is this machine up or down. But here we can see in the topology our network, and you’ll see that there are four hosts connected, and we can also do a fish eye that makes it a little bit easier to see. You can see that we do have four hosts on the network. We have the three machines plus the one DHCP server. Now, if we look at host details, all we know is the state is, that it’s up.

The only reason we know that is because it did a ping. We haven’t scanned any ports yet. This is important to realize. So let’s go ahead and go back to our Nmap output and let’s try a more intensive scan, but only targeting it to the two machines that we want to look at, which were 101, excuse me, 100 and 101. And from here we’re going to do what’s called a quick scan.

Now, if you notice here the quick scan is going to do some of the most common ports for us and find what information we can about this. So let’s go ahead and do a quick scan. So here is what Nmap would’ve given you if you were doing this in the command prompt. The scan report for 101. And if we look at 101, you’ll see all of these ports are open. That is a lot of open holes that may be vulnerable for us to do exploitation later.

Now, if you notice that 192.168.56.100, all the ports were filtered. And that’s interesting to note because we’re going to take a look at that machine later as we go forward. But with the quick scan, we have identified that this 101 is a very vulnerable box. Now, if we look through it, we’re going to see some port numbers and those ports are going to be important to help us identify what this machine is. So as I look through it, I see we have FTP and SSH, and Telnet. Those are common to Windows and Linux. But the ones that aren’t are things like RPC bind 111.

This 139 and 445. Those are common of Microsoft and Windows machines. Notice though that there’s not a 135, which is another NetBIOS port that’s commonly seen on Microsoft. So what this is telling me is this this machine which I think is Linux is running some Microsoft services and they’re probably running Samba to do file sharing with Microsoft. If it had 135, 139, and 445, I would assume it’s a Windows machine but we’re going to be able to discern it later when we do our enumeration. As we keep going on, we’ll see the login and the shell again, very common Linux things.

We also have MySQL. We have a VNC player and X11. X11 is an extremely common Linux thing. So that again is one of those things that tells us it’s probably Linux. Now, if we click on the port and host tab, there’s actually an easier way to see all this information. So if I click on the host I want to look at and I click on the ports and hosts, 101, you’ll see that I have open and closed states. In this case, all these were open ports that we’re looking at, the port number and the FTP. So it makes it very easy to see graphical representation. Now, if I click on host details, it doesn’t know what type of host this is yet, but it did find that there was 82 closed ports and 18 open ports.

And we did look at 100 ports, which was pretty noisy of us. You can see under scans, this is the history of the scans we’ve done before. We did our ping scan and now we’ve done our quick scan. Now, if we want to get a little more intrusive, we can do what’s called an intense scan. And what we’re going to do is do an intense scan. And then we’re going to hit Scan. Now, the intense scan is going to look at the open ports and the closed ports and it’s also going to try to do some basic enumeration for us to try to figure out what this machine is or isn’t. So in our case, we’re looking at it, we’re doing a stealth scan right now. You could see that. And this scan will take us a little bit longer because it’s going through a lot of information. One of the things it does try to do is it tries to do an OS detection. It was unable to do an OS detection of the .100 system. Again, with the text based information, it’s going to give you a lot of information and we can go through each of this individually if we want.

But all of this is going to be shown in a much more graphical format for us to use as we move forward. So let’s go ahead and go over here to the ports and then click on the host. If you notice over here, our OS changed on the .101 machine, the Metasploitable machine. If you’ll notice, we have a little Linux icon here. We now see all of the open ports again but notice the difference here from before. Not only is it FTP, but we know that it’s VSftpd version 2.3.4. This is that enumeration piece. You’ll see that our Apache is version 2.2.8. You’ll see that they were running Samba, which again, Samba daemon is a Linux version of file sharing to allow us to share with Windows workgroup users. So our guess of this being a Linux machine did pan out to be right. In this case, we have MySQL version 5.0.51. And again, these are all important to know because we can take this information and search the CVE database and be able to find out what known exploits there are for these particular services. So this is all part of that information gathering stage for us to plan our attack. And then we’re going to move further down. You’ll see here we have a Metasploitable root shell.

We have IRC channel, Unreal IRC daemon, and again, HTTP with a Tomcat/Coyote JSP engine on Apache. So we also have another FTP up here on port 2121. So lots of different things that we can go after as we start attacking this machine later on. Now let’s take a look at that Windows machine we had. And you can see here no ports were identified. If we click on host details, it was unable to identify the fact that this was Windows. And if we go to Linux, you’ll see that this not only was able to figure out that it was Linux but that it’s most likely Linux 2.6, somewhere between version nine and version 33. That’s going to give, and it gives us an accuracy used based on the ports that it saw. So based on what ports it had and the responses it received from those, it’s able to tell us with 100% accuracy that this is Linux 2.6. So based on the ports used and the way that it responds, it understood that this was Linux with 100% accuracy. So it did a lot of that enumeration for us. Now, Windows has not been responding. Let’s go take a look at our Windows machine and see why that is. Let’s go into our control panel. We’ll go to our security center. So you’ll notice the Windows firewall was on. We’re going to go take a look at the Windows firewall and see if that’s the reason why it’s not responding to us. So in this case, we have the firewall on and the only exceptions are the ones in the exceptions tab. If we look here, there wasn’t a whole lot of exceptions.

If you notice, file and print sharing was not an exception. Let’s go ahead and let that be an exception right now because most home networks are going to use file and print sharing to be able to share files and printers across their network. And then let’s hit OK. Now let’s go back and try our scan again. So now that we’ve set the exception in the firewall, we’re going to scan the Windows machine again using that quick scan. That’s going to do the 100 most common ports. So we’ll scan that machine and you can see now, because we’ve opened the Windows file sharing and allowed that exception, that we can now identify port 139 and port 445 as part of that machine. Now, if we go to the host details, let’s see if we can figure that out. We still can’t figure that out yet. So we’re going to have to do a more intensive scan. We’ll go back here and do an intense scan on 100, just the one machine, and we’ll scan again. Now, it’s discovering the open ports on 139 and 445. It’s going to do a syn stealth scan to try to be a little bit sneaky for us as it goes through 1000 commonly looked at ports.

Now, if they happen to be looking at this network traffic they’re probably going to see this because going port one, port two, port three, port four, and going all the way down, you’re going to end up seeing something. The other thing, because this is an intense scan, it’s actually using 138 specific scripts as it goes through and does this. This is how it’s able to do things like the enumeration for us. Figuring out what ports were open is fairly easy with the scan but now it’s actually going to use those different scripts. It’s going to see those open ports and based on the way it responded from each of those ports, we’re going to be able to determine what version of the operating system it’s using. So as we scroll up here in our text, we can see some information that was found from the scripts. Again, port 135 and 445. We believe it’s Windows XP based on the way it responded. We also get the Mac address. And based on that Mac address, we know it’s a virtual box. In this case, we also can see the operating system scan was unreliable because they couldn’t find at least one open and one closed port.

They only found those open ports. The firewall blocked the rest of the ports from us. But they believe that it’s Microsoft 2000 or XP. Now, why would it be 2000 or XP? Well, Microsoft XP and Microsoft 2000 share a common code base, just like Windows Vista and 2003 share a common code base. Windows 7 and 2008 both share a common code base. 2012 and Windows 8 also share a common code base. So as they move forward in these, you can start seeing this overlap and you’ll a lot of times get one where it thinks it’s one or the other, or both. Now in this case, it did a fairly good job. It realizes it’s either Windows XP Service Pack 2 or Service Pack 3, or Windows 2000 Service Pack 4. In this case, it wasn’t able to do the prediction through TCP sequence, but it can do it based on the information received from the port scans. Now, as we scroll down, we had some enumerations run as well. In this case, it did a NetBIOS check. It found the name of the computer. The name of the computer is John’s PC. It also gave us the fact that he’s in a workgroup, not in a domain. We also know the fact that we’re still again using Windows XP based on SMB that we found.

SMB being the file sharing. And then it did a trace route. In our case, the trace route goes immediately there because we’re on the same network. After it did all the scanning, it runs through a couple of other different reports and scripts, tries to find as much information as it can. And it did all of that scanning in about 50 seconds for one host. This is important to know because if you’re doing an intensive scan, it does take some time. This was on a network that was on the same network on the same machine, meaning it was very quick. If I had to go all the way across the internet to another host and I was scanning numerous hosts, that time goes up. The more time you’re spending, the more packets you’re sending, the more likely you are to get caught. In our case, we sent out 2035 packets but we only received 15 back. So the chances of us getting seen was 2035 times that we sent information to them. There are ways we can be a little bit more sneaky with these tools.

It just depends on the profiles we use and the way we configure them. Now, as we go into ports and hosts, and we click on our Windows tab here, the .100 machine, you’ll see the fact, again, based on the text output we had in a nice graphical format that we can see. We then go into topology. And we now see that there is some sort of a lock on this meaning that there was a firewall of some sort. And then we’re going to go here to the host and here we can see that we scanned 1000 ports and of those only two were open and 998 were filtered. Filtered means that there was some sort of firewall there blocking us. Again, the accuracy, the fact that we are Windows 2000, very accurate in this case, and they do that based on the port that they saw. The one they made their decision on was 139, which was a NetBIOS file sharing. And the class is Windows 2000.

And as I said before, Windows 2000, windows XP share a common code base. They answer up the same way so they look very similar in traffic. So as you can see, we can be very invasive or very quiet in our scanning techniques. It really depends on the level of information that we’re trying to gather. The question now becomes how quiet do you want to be in your hack? Well, that’s going to depend on why you were hired by the organization in the first place. Are they looking for a realistic hack to challenge their defenders and find their weaknesses? If so, then you would want to be very, very quiet to give a realistic threat. But if you were tasked to provide the defenders a simple emulation of an adversary of a script kiddie, you’d want to be really noisy. And that way they can find you quickly and take you down. It really depends on the intent of the assessment. Again, these tools can be used very sneakily due to the customization or very loudly. It all depends on how well you understand your tool set, your intent, and your method during the hack.

40. Other Enumeration (OBJ 2.2 and 2.3)

When you’re conducting enumeration you’re trying to gather detailed information on various targets that you find in an organization. Enumeration usually focuses on five key areas, the hosts the services, the domains, the users, and the URLs later on during the attacks and exploits phase of the engagement you’re going to return to enumeration again and again to expand your search from inside the network once you’ve gained your initial foothold as well. But for now, we’re going to take a quick look at the type of information that you can gather during your active reconnaissance efforts. First, we have hosts that can be found using enumeration techniques. A host is any server, workstation or client which can also include mobile devices, tablets and the internet of things devices as well as networking devices like switches, routers or access points. We’ve already covered some basic types of host enumeration in our earlier lessons. As we looked at automated tools like Zenmap and Nmap to conduct ping scans and port scans to find various hosts locate on a given network.

As we continue on the course, we’re going to return again to Nmap for a much more in depth look at it because it’s a really important tool and you have to understand how to use it. But for now, just knowing that you can conduct enumeration of a network by scanning for any host is sufficient at this point. Now if you’ve been able to gain access to the network already, for example, maybe you’re emulating an insider threat for an engagement. So they already gave you access to the local area network. You can then enumerate the host by using some command line based Windows tools to be able to learn more about the network. These tools are already built into the Windows operating system and its command line interface. So when you’re using these type of tools we call this “living off the land” because you’re using different tools that are available on a regular users’ workstation without having to bring any customized tools or bring your own tools.

The first command you want to look at is the net command. The net command is actually a suite of tools that can be used to perform operations on groups, users, account policies, network shares and much more to start your enumeration efforts. You can use the net view command from the command prompt and you’ll see a list of all the network shares available from that workstation that are being served up by other hosts on that network. There’s also many other optional parameters that you can use with the net command and to learn all about it simply type in net/? in the command prompt of your Windows workstation or search online for information on the net command. Another tool that’s used when enumerating a Windows host is the arp command. If you enter arp-a you’re going to have the arp cache known as the address resolution protocol cache displayed to your screen. This provides you with a list of all the other machines Mac addresses that have recently communicated with the host that you’re on. And these are all layer two addresses that are going to be contained to the local area network. This is another way to enumerate and find other hosts on that local area network. And it’s also much harder for network defenders to detect than simply running an in-app scan against the entire subnet or network. Now, if you need to determine the IP address of the machine you’re currently on you can enumerate this by using the IP command.

If you want to see all the DNS names that have recently been resolved on that computer you can use the command ipconfig/displaydns and this will print all those out to your screen. This is another way to determine which servers that post has been communicating with recently. Now if you’re working on enumerating a Linux host or server you can use BASH built in utilities to do that as well. For example, the finger command can be used to view a home user’s directory, their login name and their current idle time. If you want to learn about what the system is running you can enter the command you name -a at the Linux terminal. When you do this, you’re going to get the OSS name version and other relevant details displayed right there to your terminal. If you want to get a list of all the environmental variables on a Linux system, you can do this by entering the command env and pressing Enter.

When you do that all the variables will be displayed to your screen. Second, we have services that can be enumerated to provide us with additional details about a given host. For example, if you conduct an intensive scan using Nmap of all of the hosts, open ports, that can return information about the services that are operating over those ports. When you conduct a port scan for example you might see that port 80 was open and that means there’s a web server there but that doesn’t mean you’re done enumerating that port and the associated service. This is because there are many different types of web services that can run over port 80 using the HTTP protocol. Common types include Apache Microsoft’s Internet Information Services called IIS, NGIX, LiteSpeed and many others by conducting further fingerprinting and enumeration.

You’re going to be able to identify which software is running that host web services and possibly what version is being run. Currently, Apache is still one of the world’s most popular web services with 38% of the market share. But NGIX, is actually a close second at 32%. Third, you can enumerate domains. When I refer to enumeration of domains though I’m referring to a Windows domain and not a website domain or DNS entry. In Windows, everything is stored, classified and retrieved using a directory service known as Active Directory, active directory also known as AD is a type of database that stores organizes and enables access to other objects under its control.

Active directory, is going to be used to connect all of the hosts to the servers, and those servers’ resources and this is going to rely on Kerberos based authentication and a system of tickets to provide authorization. Many of the attacks against Windows systems rely on trying to trick or bypass the Kerberos authentication in a domain environment. Now each domain contains OUs or Organizational Units underneath them as well in larger organizations. These domains can actually be consolidated as part of a tree and multiple trees, can become part of a forest. Each domain is considered the core of a Windows network, and the first domain is always going to be considered the root domain. All the other domains are sub domains that are created underneath that root domain are considered children.

By default, there’s an inherent trust relationship between children and the root domain that created them. And this trust relationship can be exploited by a skilled attacker. The organizational units in a domain also known as OUs are going to be used to group together similar objects. Now objects can be computers, groups or even users. Users are a special type of object. That’s used to represent a person or process that will access a given resource in the domain. When you log into a Windows domain at work you’re logging in as a user, and that user represents you your access rights and the permissions for all the things you have access to on that network such as a shared file server. Users can also be placed into objects known as groups. A group is simply a collection of users.

Computer accounts can also be placed into groups too. This allows groupings of permissions to be applied for all the objects in a given group. Let’s pretend I create a folder on the shared drive for the marketing department. Now I can individually add every user to that folder and give them unique permissions or I can more simply apply a marketing group to that folder and give all the people in the marketing group access. Now anybody who works in marketing who’s a part of the marketing group will be able to access the files in this new shared folder simply by being a member of that group.

Now when you want to enumerate a domain you’re normally going to do this using PowerShell. If you’re doing a living off the land approach or you’re going to use a tool like Nmap or Metasploit if you’re bringing your own tools to the engagement. In PowerShell you can enter the commandlet Get-NetDomain to list the current logged in user’s domain. If you enter Get-Netloggedon, you’re going to get a list of all the users who are logged into a given computer. Now, this isn’t as helpful when you’re finding yourself on a workstation, but if you’ve gained access to a server this can really provide a lot of users and their details in one simple command. This brings us to our fourth area of enumeration users.

When enumerating users, you can also enumerate groups too because many users are part of a group as part of their access rights and permissions. So let’s pretend you’re in your exploitation phase and you’ve gained access to a user’s username and password. And now you’ve logged in as them. If you enter the command get Get-NetGroupMember into PowerShell, you’re going to receive a list of domain members, belonging to a given group. Now that you know what groups they’re a member of you possibly will also know what resources such as servers and file shares. You now have access to. Now if you can’t access PowerShell on a Windows host or server you can also use the command line tool net by typing net user to list all the users on a given machine. If you want to list out all the groups simply use net groups on that machine as well.

The fifth area for enumeration is uniform resource locators. Also known as URLs. Once you have a list of value URLs you can use various tools to gain more details about a web server or the applications running on those URLs. For example, Nmap has a scripting engine that you can use to enumerate URLs by entering nmap–script=http-enum and the target URL. This will return information about the services running on that web server, as well as the applications that are actually running the server such as the content management system like Drupal, Joomla or WordPress. Once you identify these you can then link them to known vulnerabilities. As you start planning your future attacks and exploits for stage three of your engagement.

• Category: Uncategorized