Enumeration

Enumeration can serve two distinct purposes in Vulnerability Assessment:
- OS Fingerprinting
- Remote applications being served.
OS fingerprinting, or TCP/IP stack fingerprinting, is the process of determining the operating system being utilised on a remote host. This is carried out by analysing packets received from the host in question. There are two distinct ways to OS fingerprint: actively (nmap) or passively (scanrand). Passive OS fingerprinting determines the remote OS from the packets received only and does not require any packets to be sent. Active OS fingerprinting is very noisy: it requires packets to be sent to the remote host and waits for a reply (or lack thereof). Disparate OSes respond differently to certain types of packet (the response is governed by an RFC and by any proprietary responses the vendor, notably Microsoft, has enabled within the system), and so custom packets may be sent.
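As an added illustration of the passive approach (not code from the original page), the Python below decodes the IP and TCP header fields that a passive fingerprinter compares against its signature database: the initial TTL (and hence hop distance), the DF bit, the window size and the order of TCP options. The packet is constructed inline rather than captured, and the helper names are my own.

```python
import struct

# Constructed sample (not a real capture): IPv4 header + TCP SYN/ACK with options,
# built inline so the example runs offline.
def build_sample(ttl, df, window, options):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(options), 0x1234,
                     0x4000 if df else 0, ttl, 6, 0,
                     b"\x0a\x00\x00\x02", b"\x0a\x00\x00\x01")
    data_off = (20 + len(options)) // 4
    tcp = struct.pack("!HHIIBBHHH", 80, 40000, 1000, 2000,
                      data_off << 4, 0x12, window, 0, 0)
    return ip + tcp + options

SAMPLE_OPTIONS = b"\x02\x04\x05\xb4\x01\x01\x04\x02\x01\x03\x03\x07"  # MSS,NOP,NOP,SACKOK,NOP,WS

def parse_options(raw):
    """Return TCP option kinds in wire order as letters; the order itself is part of the fingerprint."""
    names = {2: "M", 3: "W", 4: "S", 8: "T"}
    out, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:            # end of option list
            out.append("E")
            break
        if kind == 1:            # NOP carries no length byte
            out.append("N")
            i += 1
            continue
        length = raw[i + 1]
        if length < 2:           # malformed; would loop forever otherwise
            raise ValueError("bad TCP option length")
        out.append(names.get(kind, str(kind)))
        i += length
    return ",".join(out)

def passive_fingerprint(pkt):
    """Extract the stack-specific fields a passive fingerprinter matches against its signatures."""
    ihl = (pkt[0] & 0x0F) * 4
    flags_frag, ttl, proto = struct.unpack("!HBB", pkt[6:10])
    if proto != 6:
        raise ValueError("not a TCP segment")
    tcp = pkt[ihl:]
    data_off = (tcp[12] >> 4) * 4
    window = struct.unpack("!H", tcp[14:16])[0]
    # Stacks start the TTL at 32, 64, 128 or 255; rounding up recovers the initial value and hop count.
    initial_ttl = next(t for t in (32, 64, 128, 255) if ttl <= t)
    return {"initial_ttl": initial_ttl, "hops": initial_ttl - ttl,
            "df": bool(flags_frag & 0x4000), "window": window,
            "options": parse_options(tcp[20:data_off])}

if __name__ == "__main__":
    print(passive_fingerprint(build_sample(ttl=57, df=True, window=5840, options=SAMPLE_OPTIONS)))
```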
Remote applications being served on a host can be determined by an open port on that host. By port scanning it is then possible to build up a picture of what applications are running and tailor the test accordingly.
I have subdivided the enumeration section into specific areas to make it easier to navigate the site (it saves me updating, too). Each section contains its own specific tools; sections include:
Enumerating the target host can give you an idea straight away of where to concentrate your vulnerability assessment. The best tool for this by far is of course nmap! For further version enumeration there's amap, and if you want a quick and easy port scanner, Dan Kaminsky's scanrand (part of the paketto suite) is furiously fast against your target host. You could also try hping which, as well as being an excellent tool for testing network performance, can also be used for TCP/IP stack auditing, to uncover firewall policy, to scan TCP ports in a lot of different modes, to transfer files across a firewall and many other things.
Other useful tools include:
- nbtscan - enumerating NetBIOS information.
- Unicornscan - basic enumeration, but also for introducing specific stimuli into the target network and measuring and recording the responses gained.
- firewalk - enumerating what the firewall allow and deny rules are for the network.
Obviously a returned result from nmap will give you a bunch of open ports, and the quick and easy way to enumerate the services that are running and gather version and OS details is to utilise the trusty built-in applications within your OS via the command line (or cheat with a GUI!):
General Manual Enumeration

The following are quick examples of general enumeration being carried out via the telnet command; as an alternative you could also use netcat in some scenarios. Other examples can be found in the protocol-specific enumeration pages.
Enumerating with Telnet:

Common Banner List:

OS                      Banner
Solaris 8               SunOS 5.8
Solaris 2.6             SunOS 5.6
Solaris 2.4 or 2.5.1    Unix(r) System V Release 4.0 (hostname)
SunOS 4.1.x             SunOS Unix (hostname)
FreeBSD                 FreeBSD/i386 (hostname) (ttyp1)
NetBSD                  NetBSD/i386 (hostname) (ttyp1)
OpenBSD                 OpenBSD/i386 (hostname) (ttyp1)
Red Hat 8.0             Red Hat Linux release 8.0 (Psyche)
Debian 3.0              Debian GNU/Linux 3.0 / hostname
SGI IRIX 6.x            IRIX (hostname)
IBM AIX 4.1.x           AIX Version 4 (C) Copyrights by IBM and by others 1982, 1994.
IBM AIX 4.2/3.x         AIX Version 4 (C) Copyrights by IBM and by others 1982, 1996.
Nokia IPSO              IPSO (hostname) (ttyp0)
Cisco IOS               User Access Verification
Livingston ComOS        ComOS - Livingston PortMaster
Enumerating with Finger:

A bonus when enumerating is finding port 79 open, notably used by the finger service. It may be possible to enumerate a number of valid user accounts and also the OS type by passing the following command against the remote host:

finger 'a b c d e f g h'@target
Sample output:

Login      Name                        TTY      Idle   When            Where
root       Super-User                  console         <Dec 30 08:47>  :0
daemon     ???                                         < .  .  .  . >
bin        ???                                         < .  .  .  . >
sys        ???                                         < .  .  .  . >
adm        Admin                                       < .  .  .  . >
lp         Line Printer Admin                          < .  .  .  . >
smtp       Mail Daemon User            console         <Dec 30 08:47>  :0
uucp       uucp Admin                                  < .  .  .  . >
nobody     Nobody                                      < .  .  .  . >
noaccess   No Access User                              < .  .  .  . >
smith.j    Dr J Smith - Directorate             7764   <Aug 15, 2005>  192.168.0.1
andrews.f  Mr F Andrews - Accounts     -               < .  .  .  . >
james.t    Mr T James Personnel -      pts/1           <Oct 15, 2005>  192.168.0.43
apache     Apache Web Server                           < .  .  .  . >
The output above would tell you that the remote host is Unix based and is probably running a web server (apache), and that there are 5 accounts you might want to try a dictionary or brute-force attack against (root, smith.j, andrews.f, james.t and apache).
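As an added example (not code from the original page), the Python below parses the finger response quoted above and summarises what it discloses: accounts beyond the stock system ones, who is logged in right now, and the client hosts leaked in the Where column. It makes the paragraph's inference repeatable for auditing your own hosts; the system-account set and the regular expressions are my own assumptions about the output format.

```python
import re

# Sample finger response, as quoted on this page (whitespace collapsed, some rows trimmed).
FINGER_OUTPUT = """\
Login Name TTY Idle When Where
root Super-User console <Dec 30 08:47> :0
daemon ??? < . . . . >
lp Line Printer Admin < . . . . >
smtp Mail Daemon User console <Dec 30 08:47> :0
smith.j Dr J Smith - Directorate 7764 <Aug 15, 2005> 192.168.0.1
andrews.f Mr F Andrews - Accounts - < . . . . >
james.t Mr T James Personnel - pts/1 <Oct 15, 2005> 192.168.0.43
apache Apache Web Server < . . . . >
"""

# Stock Unix system accounts (assumed set); anything else is a personal or service account.
SYSTEM_ACCOUNTS = {"root", "daemon", "bin", "sys", "adm", "lp", "smtp",
                   "uucp", "nobody", "noaccess"}
LINE = re.compile(r"^(\S+)\s+(.*?)\s*<([^>]*)>\s*(\S*)\s*$")  # login, rest, when, where
TTY = re.compile(r"\b(console|pts/\d+|ttyp?\d+)\b")          # present only while logged in

def parse_finger(text):
    """Parse finger output into one dict per account; lines without a <when> field are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:                       # header line
            continue
        login, middle, when, where = m.groups()
        tty = TTY.search(middle)
        name = middle[:tty.start()] if tty else middle
        name = re.sub(r"(\s+-|\s+\d+)+\s*$", "", name)   # drop empty-field dashes and idle counter
        entries.append({"login": login,
                        "name": "" if name == "???" else name.strip(),
                        "tty": tty.group(1) if tty else "",
                        "has_logged_in": any(c.isalnum() for c in when),  # "< . . . . >" = never
                        "where": where})
    return entries

def exposure_report(text):
    """Summarise what the finger service discloses: accounts, live sessions and client hosts."""
    entries = parse_finger(text)
    return {"non_system_accounts": [e["login"] for e in entries
                                    if e["login"] not in SYSTEM_ACCOUNTS],
            "logged_in_now": [e["login"] for e in entries if e["tty"]],
            "hosts_disclosed": sorted({e["where"] for e in entries
                                       if e["where"] and e["where"] != ":0"})}
```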
Enumerating with Net View:

C:\Documents and Settings\administrator>net view \\192.168.0.1
Shared resources at \\192.168.0.1

HOME

Share name   Type   Used as   Comment
-------------------------------------------------------------------------------
dd           Disk
SharedDocs   Disk
The command completed successfully.
Passing the net view command to a Windows host will return a list of the shares that are available on the remote host (albeit possibly tied down by an access control list).

Note: with the majority of banner grabbing tools, beware of sneaky sysadmins obfuscating banners!