“Enumeration can best be defined as the process of counting. From a security standpoint, it’s the process the attacker follows before an attack. The attacker is attempting to count or identify systems and understand their role or purpose.
This may mean the identification of open ports, applications, vulnerable services, DNS or NetBIOS names, and IP addresses before an attack.”
Michael Gregg (2008, p. 149)
This means that at this stage it is only a matter of time before the attacker compromises a system on the network.
The main aim of this stage is to find:
- User accounts for password guessing.
- System groups and roles.
- Poorly configured shared resources.
- Older software with known vulnerabilities.
- Active Directory information.
This method is an active one (it requires a connection to the target system) and should be detected and logged; however, as explained previously, an attacker would cover his/her tracks.
Banner grabbing reveals the make and version of a service. The most basic way of banner grabbing is to telnet to the target and then press Enter a few times. For a more advanced method, netcat can be used.
Alternatively, you can redirect a file into netcat to nudge the target into revealing more information:
Create a file called nudge.txt containing the following HTTP request line followed by two carriage returns (a blank line): GET / HTTP/1.0
Execute the following command:
root@bt:# nc -nvv -o banner.txt 192.168.136.167 < nudge.txt
-n: numeric-only IP addresses, no DNS resolution.
-vv: very verbose.
-o: write the captured traffic to the named output file (banner.txt).
Or you can do:
The output shows that the target is running an Apache web server, so a real attacker could search for known vulnerabilities in that server software and version.
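The nudge and banner capture above, worked through as an added example (my code, not from the report or from the netcat project): it builds the same HTTP/1.0 request with its terminating blank line, parses a constructed reply of the kind nc -o banner.txt captures, and lists the product versions the Server header discloses, which is the check an administrator running this against their own hosts would want. grab_banner, parse_banner, version_leaks and SAMPLE_BANNER are my names and constructed data.

```python
import re
import socket

# Contents of the author's nudge.txt: an HTTP/1.0 request line terminated by a
# blank line (CRLF CRLF), which makes the server reply and expose its banner.
NUDGE = b"GET / HTTP/1.0\r\n\r\n"

# Constructed sample reply, standing in for what nc -o banner.txt captures.
SAMPLE_BANNER = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Tue, 21 Dec 2010 01:00:00 GMT\r\n"
    b"Server: Apache/2.2.14 (Ubuntu) PHP/5.3.2\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html></html>"
)

def grab_banner(host, port=80, timeout=3.0):
    """Send the nudge to a host you administer and return the raw reply."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(NUDGE)
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)

def parse_banner(raw):
    """Split a raw HTTP reply into (status line, {header-name: value})."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def version_leaks(headers):
    """Return (product, version) pairs the Server and X-Powered-By headers
    disclose; an empty list means the banner names no version at all."""
    leaks = []
    for name in ("server", "x-powered-by"):
        value = headers.get(name, "")
        leaks.extend(re.findall(r"([A-Za-z][\w.-]*)/(\d[\w.]*)", value))
    return leaks
```

A non-empty result from version_leaks is the banner the conclusion of this report recommends trimming (for Apache, the ServerTokens directive controls how much the Server header reveals).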
Using traceroute, an attacker can trace the route from his/her location to the target network; usually the hop before the target is a router. The next steps an attacker would take are the same as described previously in this series (scanning, enumeration).
A brief list follows:
- Service detection: nmap -sT [router IP]
- Search for a particular router type, for example Cisco: nmap -p1-25,80,512-515,2001,4001,6001,9001 [IP address]
- OS identification: nmap -O -n [IP address] (-n skips the DNS query), or nmap -O -p[port number or port range] -n [IP address]
Enumerating Network Services
An attacker would then try to enumerate all of the different network services he can find. A brief list is as follows:
- FTP services: can reveal directory structure and content.
- SMTP: can enumerate users. Connect with telnet [IP address] 25 or nc -v -n [IP address] 25; then commands such as VRFY can be used to confirm the names of valid users, and EXPN reveals the delivery addresses of aliases and mailing lists.
- DNS: can reveal information such as the location of the global catalogue and its port (_gc._tcp), the domain controller using Kerberos authentication (_kerberos._tcp) and the location of LDAP servers (_ldap._tcp). nslookup with ls -d, or the Domain Information Groper (dig), can be used.
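The VRFY/EXPN probing just described is exactly the kind of active enumeration that, as noted above, should be detected and logged. As an added example (mine, not from the report), the following Python runs over constructed log lines written in the style of a Postfix reject entry for a disabled VRFY/EXPN command (the format is assumed; adjust LINE_RE to your MTA's real lines) and flags any source that issues three or more probes within a minute, together with the names it tried.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed log lines in the style of a Postfix reject entry for a disabled
# VRFY/EXPN command. The exact format is assumed; adjust LINE_RE for your MTA.
SAMPLE_LOG = """\
Dec 21 01:00:01 mx postfix/smtpd[4242]: NOQUEUE: reject: VRFY from unknown[192.0.2.5]: 502 5.5.1 VRFY command is disabled; to=<root> proto=SMTP helo=<x>
Dec 21 01:00:02 mx postfix/smtpd[4242]: NOQUEUE: reject: VRFY from unknown[192.0.2.5]: 502 5.5.1 VRFY command is disabled; to=<admin> proto=SMTP helo=<x>
Dec 21 01:00:02 mx postfix/smtpd[4242]: NOQUEUE: reject: EXPN from unknown[192.0.2.5]: 502 5.5.1 EXPN command is disabled; to=<staff> proto=SMTP helo=<x>
Dec 21 01:00:09 mx postfix/smtpd[4242]: NOQUEUE: reject: VRFY from unknown[192.0.2.5]: 502 5.5.1 VRFY command is disabled; to=<postmaster> proto=SMTP helo=<x>
Dec 21 01:05:00 mx postfix/smtpd[4250]: NOQUEUE: reject: VRFY from mail.example.net[198.51.100.7]: 502 5.5.1 VRFY command is disabled; to=<bob> proto=SMTP helo=<mail.example.net>
Dec 21 01:05:01 mx postfix/smtpd[4250]: connect from mail.example.net[198.51.100.7]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*reject: (?P<cmd>VRFY|EXPN) "
    r"from \S+\[(?P<ip>[^\]]+)\].*to=<(?P<target>[^>]*)>"
)

def parse_probes(text, year=2010):
    """Extract (time, source ip, command, probed name) from matching lines.
    Syslog lines carry no year, so the caller supplies one."""
    probes = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            probes.append((ts, m["ip"], m["cmd"], m["target"]))
    return probes

def flag_enumeration(probes, threshold=3, window_seconds=60):
    """Return {source ip: sorted probed names} for every source that issued at
    least `threshold` VRFY/EXPN probes inside any `window_seconds` window."""
    by_ip = defaultdict(list)
    for ts, ip, _cmd, target in sorted(probes):
        by_ip[ip].append((ts, target))
    flagged = {}
    for ip, events in by_ip.items():
        for i in range(len(events) - threshold + 1):
            span = (events[i + threshold - 1][0] - events[i][0]).total_seconds()
            if span <= window_seconds:
                flagged[ip] = sorted({t for _, t in events})
                break
    return flagged
```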
Enumerating the Border Gateway Protocol (BGP)
SearchTelecom [online] defines BGP as:
“BGP (Border Gateway Protocol) is a protocol for exchanging routing information between gateway hosts (each with its own router) in a network of autonomous systems. BGP is often the protocol used between gateway hosts on the Internet. The routing table contains a list of known routers, the addresses they can reach, and a cost metric associated with the path to each router so that the best available route is chosen”
It is only implemented in medium to large networks that have more than one uplink. An attacker can get information about the networks that are part of a certain organisation's network by looking at this routing table.
To enumerate BGP you need to find the ASN of the organisation, then perform a query on the routers.
You can find the ASN by doing a whois query on ARIN, typing ASN-companyname-AS, if you know the name of the company.
If you only know an IP address, you can query a public router and use the last AS in the path as the ASN:
Telnet to a public route server.
For the username type rviews, then enter:
route-views>show ip bgp [IP address]
Where it says "not advertised to any peer", pick the last number in the AS path list, then type:
route-views>show ip bgp regexp _(ASN number)$
(_) matches a space (an AS path boundary) and ($) matches the end of the AS path. This filters out entries where the AS is only a transit network. The * marks valid networks of the organisation.
These steps are as described by Joel Scambray, Stuart McClure and George Kurtz (2009, pages 127-129).
Scambray, McClure and Kurtz (2009) also advise checking ARIN to make sure the ASN obtained in the second step is correct. They also mention that many organisations don't use BGP, and that the ASN returned is actually the ASN of the ISP that advertises BGP routes on behalf of the customer.
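The regexp step above, worked through as an added example (my code, not from the report or from Hacking Exposed): it parses a constructed excerpt in the shape of route-server show ip bgp output, translates the Cisco-style _ASN$ expression into a Python regular expression with the boundary meaning of _ described above, and keeps only the routes the organisation's AS originates, dropping those where it is merely a transit hop. The AS numbers and prefixes are documentation placeholders, and cisco_as_regexp, parse_bgp_table and networks_originated_by are my names.

```python
import re

# Constructed excerpt in the shape of "show ip bgp" output from a public route
# server: status flags, network, next hop, weight, AS path, origin code "i".
# The AS numbers and prefixes are documentation placeholders, not any real
# organisation's; the Metric and LocPrf columns are blank as on many routes.
SAMPLE_BGP_TABLE = """\
   Network          Next Hop            Metric LocPrf Weight Path
*> 198.51.100.0/24  192.0.2.1                              0 64500 64501 i
*  203.0.113.0/24   192.0.2.2                              0 64500 64502 64501 i
*> 192.0.2.0/24     192.0.2.3                              0 64500 64501 64503 i
*> 198.51.100.0/25  192.0.2.4                              0 64501 i
"""

def cisco_as_regexp(expr):
    """Translate a Cisco-style AS-path regexp into a Python one: '_' matches a
    boundary in the path (start, end, space, comma or brace); '^' and '$'
    anchor the start and end of the whole path as usual."""
    return re.compile(expr.replace("_", r"(?:^|$|[ ,{}()])"))

def parse_bgp_table(text):
    """Return (flags, network, as_path) for each route line of the output."""
    entries = []
    for line in text.splitlines():
        if not line.startswith("*"):
            continue  # skip the header line
        tokens = line.split()
        flags, network = tokens[0], tokens[1]
        # With Metric/LocPrf blank the tokens are: flags, network, next hop,
        # weight, AS path..., origin code; so the path is tokens[4:-1].
        as_path = " ".join(tokens[4:-1])
        entries.append((flags, network, as_path))
    return entries

def networks_originated_by(text, asn):
    """Routes whose AS path ends in asn, i.e. what 'show ip bgp regexp _asn$'
    selects; entries where asn is only a transit hop are dropped."""
    matcher = cisco_as_regexp(f"_{asn}$")
    return [(flags, net) for flags, net, path in parse_bgp_table(text)
            if matcher.search(path)]
```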
Exploitation, in information security, means taking advantage of configuration errors, software bugs and vulnerabilities to compromise a system and take control of it.
At this stage the attacker will have gained a lot of information about the network: its topology, the services it runs, the IP ranges it uses, the types of devices used, the operating systems, and the type and location of routing and control devices. The next step is to find the vulnerabilities each of these might have and try to exploit them.
Tools such as Nessus are available to make this process easier; otherwise a manual search would be needed. After a vulnerability has been discovered, an attacker would try to exploit it to gain control of the system.
To automate exploitation, tools such as Metasploit, Inguma, Fast-Track, Hydra and onesixtyone, to name a few, are available in BackTrack.
An attacker reaching this stage will be able to exploit a service and escalate his privileges to own the system, from which he can then compromise other systems or networks.
Network security preserves the confidentiality, integrity, availability and auditing of the systems and the data stored in them. These are controlled by authentication, access control and authorisation. All of these control mechanisms are interlinked, and a weakness in one could weaken the rest.
It is important to implement a least-privilege policy while keeping things balanced. It is not wise to implement a very strong password policy when employees will end up writing passwords on sticky notes because they are too hard to remember.
A balanced auditing policy that does not generate too many logs (so that they are not ignored), with someone assigned to monitor these logs on a regular basis, is also important.
Having an all-round security policy that takes into account everything surrounding the network infrastructure is as important as keeping unauthorised users out.
It is vital to invest in a well-designed infrastructure that implements properly placed firewalls (as shown above) from different vendors at each layer of the network infrastructure.
A very determined attacker will use everything in his toolkit to gain control of your network, even if it is the most secure one; however, most of the time attacks are carried out on easy targets (the lowest-hanging fruit), and the attacker will move on to another target if he finds your network hard to compromise.
So it is essential to harden everything in your network infrastructure. As Greg White and WM Arthur Conklin (2009) state, you need to harden the operating system, the network devices and the applications. I totally agree with this, because if you harden the network, the hosts and the applications but overlook a service that is left running when it is not needed, an attacker could use that service, as the weakest link, to gain unauthorised access or even root access to your network.
As illustrated previously in this report and summarised in the diagram below, the systematic steps attackers take to map out a network and attack it show how important it is for network administrators to master these skills and use them to monitor their networks regularly. This could be twice or even three times a year, as well as every time changes are made to the network.
This will allow them to see what an attacker can see about their network and take appropriate action to prevent such information leakage.
For example, an administrator performing the footprinting step would see the information an attacker can see that could aid the attacker. The administrator can then remove such information from the website and public archives, and change banners or even parameters that help identify the OS, services or network devices.
Brian Barber (2010) CompTIA Linux+ Exam XK0-003 Certification Study Guide.
Christopher Negus (2006) Linux Bible, Wiley Publishing.
Greg White and WM Arthur Conklin (2009) All-in-One CompTIA Security+.
Joel Scambray, Stuart McClure and George Kurtz (2009) Hacking Exposed: Network Security Secrets and Solutions, 6th edition, McGraw-Hill.
Lance Spitzner, Passive Fingerprinting [online white paper, last accessed 03 Dec 2010], http://old.honeynet.org/papers/finger/
Mark Horton and Clinton Mugge (2003) HackNotes: Network Security Portable Reference, McGraw-Hill.
Michael Gregg (2008) Build Your Own Security Lab: A Field Guide for Network Testing, Wiley Publishing.
Nmap, Port Scanning Techniques, http://nmap.org/book/man-port-scanning-techniques.html [online, last accessed 19 Dec 2010 at 2:00 am].
Paul Wheway, lecturer at Sheffield Hallam University (2010) lecture presentations, An Overview of Network Security.
Simson Garfinkel, Gene Spafford and Alan Schwartz (2003) Practical Unix and Internet Security, 3rd edition, O'Reilly.
SearchTelecom, BGP definition, http://searchtelecom.techtarget.com/definition/BGP [online, last accessed 21 Dec 2010].
William Stallings (2000) Network Security Essentials: Applications and Standards, Prentice Hall (illustration of the main four classes of attacks).