In the enumeration phase, the security team establishes active connections with the target's hosts and services to gather information on users, hostnames, network shares, primary servers such as domain controllers and name servers, and application configuration. The point of doing this is that anything a tester can enumerate, an attacker can enumerate too: the details exposed (valid usernames, share names, software versions, default credentials) are what turn a generic weakness into a usable attack path.
This article discusses the types, techniques, and commonly asked questions on enumeration in cyber security.
What Is Enumeration In Hacking?
Enumeration forms the basis of information gathering against the target system during a cyber attack. Once attackers have established a connection with the target host, they send directed queries to the exposed services to extract information that points at system vulnerabilities. Attackers then assess attack vectors using the enumeration output to exploit the system further. Malicious actors use the same penetration testing tools as defenders to gather information such as:
- IP routing tables
- DNS details
- SNMP information
- Users on database records
- Network services and shares
Types of Enumeration
Enumeration attacks are classified depending on the target system, the services it runs, and the information it hosts. The most prevalent forms of enumeration include:
NetBIOS (Network Basic Input/Output System) lets applications on separate devices on a LAN find each other by name, establish sessions, and access shared resources. In NetBIOS enumeration, attackers use network scanner tools such as nbtscan, nbtstat -A or nmap's nbstat script to pull NetBIOS name tables out of IP networks. Information obtained during NetBIOS enumeration includes:
- Machine names, the workgroup or domain each belongs to, and which hosts act as domain controllers or master browsers
- The number and identity of computers within a domain
- A list of shares on individual machines and, where an unauthenticated ("null") SMB session is allowed, user and group lists and the password policy
NetBIOS runs on UDP port 137 (name service), UDP port 138 (datagram service), and TCP port 139 (session service); the name-table query behind most NetBIOS enumeration is a node status (NBSTAT) request to UDP 137.
The Simple Network Management Protocol (SNMP) is an application-layer protocol for managing network devices such as routers, switches, printers and servers. It runs over UDP: agents listen on port 161 and managers receive traps on port 162. SNMP enumeration extracts usernames, group names, running processes, installed software, interface and routing tables, and the names and addresses of neighbouring devices. The attack involves querying the SNMP agent on the target (managed) device; the agent is software that exposes the device's state in SNMP-compatible form.
An SNMP agent provides access to a tree-structured database known as the Management Information Base (MIB), whose objects are identified by OIDs (for example, 1.3.6.1.2.1.1.1.0 is sysDescr, the system description). In SNMPv1 and v2c, access is controlled only by a community string that travels in clear text over the network; the vendor defaults are typically "public" for read-only and "private" for read-write access. Where the community strings are left at their defaults, attackers walk the MIB (snmpwalk) to read the records above and, with a read-write string, can reconfigure the device. SNMPv3 adds per-user authentication and encryption and should replace v1/v2c wherever the device supports it.
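A default-community check as described above, implemented with a hand-rolled BER encoder so that the whole SNMPv1 message is visible. This is an added example and not code from the original article or from any SNMP tool; the default-string list is an assumed short sample, and the GetResponse used for the offline run is constructed, not captured.

```python
import socket
import sys

SYS_DESCR = "1.3.6.1.2.1.1.1.0"                              # MIB-2 system.sysDescr.0
DEFAULT_COMMUNITIES = ["public", "private", "community"]     # assumed short default list


def ber_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(value):
    """Two's-complement INTEGER; the +8 keeps a leading 0x00 for positive values whose top bit is set."""
    return tlv(0x02, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big", signed=True))


def ber_oid(oid):
    parts = [int(p) for p in oid.strip(".").split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))


def decode_oid(raw):
    parts, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(value)
            value = 0
    return ".".join(map(str, parts))


def build_get_request(community, oid, request_id=1, version=0):
    """SNMPv1 GetRequest (version field 0) for one OID, authenticated by nothing but the community string."""
    varbinds = tlv(0x30, tlv(0x30, ber_oid(oid) + tlv(0x05, b"")))
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0) + varbinds)
    return tlv(0x30, ber_int(version) + tlv(0x04, community.encode()) + pdu)


def ber_decode(data, pos=0):
    """Decode one TLV at pos into (tag, value, next_pos); constructed tags give a list of (tag, value) children."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    body, end = data[pos:pos + length], pos + length
    if tag & 0x20:                                   # constructed (SEQUENCE, PDU)
        children, p = [], 0
        while p < len(body):
            t, v, p = ber_decode(body, p)
            children.append((t, v))
        return tag, children, end
    if tag == 0x02:
        return tag, int.from_bytes(body, "big", signed=True), end
    return tag, body, end


def parse_get_response(data):
    """Return (community, {oid: value}) from a GetResponse; raises if the agent reported an error."""
    tag, msg, _ = ber_decode(data)
    if tag != 0x30 or len(msg) != 3 or msg[2][0] != 0xA2:
        raise ValueError("not an SNMP GetResponse message")
    community, pdu = msg[1][1].decode(), msg[2][1]
    if pdu[1][1] != 0:
        raise ValueError("agent returned error-status %d" % pdu[1][1])
    results = {}
    for _, varbind in pdu[3][1]:
        (_, oid_raw), (vtag, value) = varbind
        results[decode_oid(oid_raw)] = value.decode("utf-8", "replace") if vtag == 0x04 else value
    return community, results


def build_sample_response(community="public", request_id=1):
    """Constructed GetResponse (not a capture) as an agent would answer the request above."""
    varbind = tlv(0x30, ber_oid(SYS_DESCR) + tlv(0x04, b"Linux edge-router 5.10.0 (constructed sample)"))
    pdu = tlv(0xA2, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode()) + pdu)


def check_community(host, community, timeout=2.0):
    """Try one community string against host:161/udp; None means no answer (v1 agents silently drop bad strings)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_get_request(community, SYS_DESCR), (host, 161))
        data, _ = sock.recvfrom(4096)
    except socket.timeout:
        return None
    finally:
        sock.close()
    return parse_get_response(data)[1].get(SYS_DESCR)


if __name__ == "__main__":
    for name in DEFAULT_COMMUNITIES:
        descr = check_community(sys.argv[1], name)
        print("%-10s %s" % (name, descr if descr is not None else "no answer"))
```

Because a v1/v2c agent does not reply at all to a wrong community string, a timeout is the only "authentication failure" signal, which is why the check returns None rather than raising. The community string itself is visible in the clear inside the packet (the OCTET STRING right after the version integer), which is the weakness SNMPv3 removes.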
The Lightweight Directory Access Protocol (LDAP) enables applications to query directory services such as Active Directory. Active Directory depends on DNS to be found at all: clients look up SRV records (for example _ldap._tcp.dc._msdcs.<domain>) to locate domain controllers, so the DNS records themselves reveal the directory infrastructure. An attacker can use a directory scanner or an LDAP client such as ldapsearch to query the service on TCP port 389 (636 for LDAPS, 3268 for the global catalog) anonymously if the server permits anonymous binds, or otherwise with any low-privilege domain account, which in Active Directory is enough to read most of the directory. The results can be misused to orchestrate social engineering, password spraying or brute-force attacks. Though the impact varies, information uncovered by LDAP enumeration generally includes Active Directory objects, access control lists, usernames, groups, trusts, sessions, etc.
The Network Time Protocol (NTP) synchronizes the system clocks of networked computers. NTP clients request synchronization by sending mode 3 (client) packets to a time server, which responds with mode 4 (server) packets. Enumeration uses the protocol's control and monitoring messages instead: mode 6 control queries (for example readvar) and the legacy mode 7 private queries (for example monlist), sent to UDP port 123. A server that answers them returns its system variables (version, operating system and processor strings, stratum, reference server) and, with monlist on older ntpd versions, the addresses of up to 600 clients that recently communicated with it, which maps out machines on the internal network. The same monlist query is what made NTP a DDoS amplification vector, so ntpd 4.2.7p26 and later no longer answer it.
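The mode 6 and mode 7 probes described above, with the monlist reply parsed into a client list. This is an added example and not code from the original article or from ntpq/ntpdc; the field layout follows the ntpd info_monitor_1 structure, and the reply used for the offline run is constructed, not captured.

```python
import socket
import struct

# Mode 7 "private" request MON_GETLIST_1 (request code 42), implementation 3 (XNTPD): the monlist probe.
# Byte 0 = 0x17: response 0, more 0, version 2, mode 7; the last four bytes (err/nitems, mbz/itemsize) are zero.
MONLIST_REQUEST = bytes([0x17, 0x00, 0x03, 0x2A]) + b"\x00" * 4


def build_readvar_request(sequence=0):
    """Mode 6 control message READVAR (opcode 2) with no variable names: asks for all system variables
    (version, system and processor strings, stratum, refid), the data ntpq -c rv prints."""
    # byte 0 = 0x16: version 2, mode 6; then opcode, sequence, status, association id, offset, count
    return bytes([0x16, 0x02]) + struct.pack("!HHHHH", sequence, 0, 0, 0, 0)


def parse_monlist_response(data):
    """Parse one MON_GETLIST_1 reply into (client records, more-packets-follow flag)."""
    if len(data) < 8:
        raise ValueError("short NTP packet")
    rm_vn_mode, _auth_seq, _impl, req_code, err_nitems, mbz_itemsize = struct.unpack("!BBBBHH", data[:8])
    if not rm_vn_mode & 0x80 or rm_vn_mode & 0x07 != 7 or req_code != 42:
        raise ValueError("not a monlist response")
    error, nitems, item_size = err_nitems >> 12, err_nitems & 0x0FFF, mbz_itemsize & 0x0FFF
    if error:
        raise ValueError("server returned error code %d" % error)
    clients = []
    for i in range(nitems):
        item = data[8 + i * item_size:8 + (i + 1) * item_size]
        if len(item) < 32:
            break
        # info_monitor_1: lasttime, firsttime, lastdrop, count, addr, daddr, flags, port, mode, version, ...
        last, _first, _drop, count, addr, _daddr, _flags, port, mode, version = struct.unpack("!IIIIIIIHBB", item[:32])
        clients.append({"addr": socket.inet_ntoa(struct.pack("!I", addr)), "port": port, "count": count,
                        "mode": mode, "version": version, "seconds_since_last": last})
    return clients, bool(rm_vn_mode & 0x40)


def build_sample_response():
    """Constructed monlist reply (not a capture) naming two clients that recently queried the server."""
    def item(ip, port, count, mode, version):
        packed = struct.pack("!IIIIIIIHBB", 5, 3600, 0, count,
                             struct.unpack("!I", socket.inet_aton(ip))[0], 0, 0, port, mode, version)
        return packed.ljust(72, b"\x00")
    header = struct.pack("!BBBBHH", 0x97, 0x00, 3, 42, 2, 72)   # 0x97: response bit, version 2, mode 7
    return header + item("10.0.0.5", 123, 412, 3, 4) + item("10.0.0.77", 53211, 2, 3, 4)


def monlist(host, timeout=2.0):
    """Send the monlist probe to host:123/udp and collect every reply packet (needs network access)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    clients = []
    try:
        sock.sendto(MONLIST_REQUEST, (host, 123))
        while True:
            data, _ = sock.recvfrom(4096)
            part, more = parse_monlist_response(data)
            clients.extend(part)
            if not more:
                break
    except socket.timeout:
        pass       # no answer: monlist disabled (ntpd 4.2.7p26 and later) or the port is filtered
    finally:
        sock.close()
    return clients


if __name__ == "__main__":
    import sys
    clients = monlist(sys.argv[1]) if len(sys.argv) > 1 else parse_monlist_response(build_sample_response())[0]
    for c in clients:
        print("%-15s port %-5d mode %d v%d  %d requests, last %ds ago" % (
            c["addr"], c["port"], c["mode"], c["version"], c["count"], c["seconds_since_last"]))
```

The monlist reply is split across several packets for busy servers, which the more bit (0x40 in byte 0) signals; the client loop therefore reads until a packet without it arrives. A server configured with "restrict default noquery" answers neither probe, so a timeout is the expected result on a hardened host.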
The Simple Mail Transfer Protocol (SMTP) is the standard protocol for electronic mail transmission. It runs on TCP port 25 (587 for authenticated submission); a sending server locates the recipient domain's mail server through its DNS MX records and then opens an SMTP session to it. SMTP enumeration identifies valid users on a mail server with three built-in commands: VRFY asks the server to confirm that a mailbox exists, EXPN expands a mailing list or alias into its members, and RCPT TO, issued after MAIL FROM, reveals whether the server accepts mail for an address without any message being sent. A server that answers 250 or 251 for real users and 550 for unknown ones leaks its user list; one that answers 252 to every VRFY has deliberately made the command uninformative, and a catch-all domain that accepts every RCPT TO defeats that probe as well.
Harvesting a mail server's addresses gives attackers a verified target list for phishing emails or malware-laden attachments, and a list of usernames to reuse in password attacks against other services on the same domain.
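The VRFY, EXPN and RCPT TO probes in the order a tester would try them, with a canary address to detect servers that answer "valid" for everything. This is an added example and not code from the original article; it uses the standard-library smtplib methods of those names, the sender and canary addresses are assumed placeholders, and the FakeSMTP class is a constructed stand-in for a real server so the logic runs offline.

```python
import smtplib

# SMTP reply classes that matter for enumeration (RFC 5321): 250/251 address accepted, 252 "cannot VRFY
# but will try to deliver" (the server has been made uninformative), 55x mailbox unknown, 50x command refused.
KNOWN, UNSURE, UNKNOWN = {250, 251}, {252}, {550, 551, 553}


def classify(code):
    if code in KNOWN:
        return "valid"
    if code in UNKNOWN:
        return "invalid"
    if code in UNSURE:
        return "unsure"
    return "disabled"


def informative(probe, canary_address):
    """A probe is usable only if it is enabled and rejects an address that certainly does not exist:
    a server that answers 250 or 252 to everything (catch-all, or VRFY neutered) tells us nothing."""
    return probe(canary_address)[0] in UNKNOWN


def enumerate_users(session, domain, candidates, sender="probe@example.net", canary="zq7x9nobody"):
    """Return {user: 'valid'|'invalid'|'unsure'} using VRFY, then EXPN, then RCPT TO, whichever the server
    answers honestly. session is an smtplib.SMTP (or anything with the same verify/expn/mail/rcpt/rset)."""
    def addr(user):
        return "%s@%s" % (user, domain)
    for probe in (session.verify, session.expn):
        if informative(probe, addr(canary)):
            return {u: classify(probe(addr(u))[0]) for u in candidates}
    # RCPT TO cannot be turned off (delivery needs it), so it is the fallback; it runs inside a mail
    # transaction that is reset afterwards so that no message is ever sent.
    session.mail(sender)
    try:
        if not informative(session.rcpt, addr(canary)):
            return {u: "unsure" for u in candidates}
        return {u: classify(session.rcpt(addr(u))[0]) for u in candidates}
    finally:
        session.rset()


def enumerate_over_network(host, domain, candidates, port=25):
    """Live version: connect to the mail server and run the probes (network access required)."""
    with smtplib.SMTP(host, port, timeout=10) as session:
        session.ehlo_or_helo_if_needed()
        return enumerate_users(session, domain, candidates)


class FakeSMTP:
    """Constructed stand-in for a partly hardened server: VRFY answers 252 to everything and EXPN is
    not implemented, yet RCPT TO still distinguishes real mailboxes from unknown ones."""

    def __init__(self, users):
        self.users = set(users)

    def verify(self, address):
        return 252, b"2.5.2 Cannot VRFY user, but will accept message and attempt delivery"

    def expn(self, address):
        return 502, b"5.5.1 Command not implemented"

    def mail(self, sender):
        return 250, b"2.1.0 Ok"

    def rset(self):
        return 250, b"2.0.0 Ok"

    def rcpt(self, address):
        if address.split("@")[0] in self.users:
            return 250, b"2.1.5 Ok"
        return 550, b"5.1.1 User unknown"


if __name__ == "__main__":
    print(enumerate_users(FakeSMTP(["alice", "bob"]), "corp.example", ["alice", "bob", "mallory"]))
```

The canary check is the part most quick scripts omit: without it, a catch-all domain or a server that returns 250 to every VRFY produces a "user list" in which every guess is valid. The defensive reading is the mirror image: disabling VRFY and EXPN is not enough, because RCPT TO still answers, so the server should reject unknown recipients only after the full DATA phase or rate-limit and log RCPT TO failures per client.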
DNS keeps secondary name servers consistent with the primary through zone transfers (the AXFR query type), which copy the entire zone. A zone transfer carries no authentication of its own: if a name server is configured to allow transfers from any host rather than from its listed secondaries only (or from clients presenting a TSIG key), anyone who can reach TCP port 53 can obtain a copy of the whole zone. That exposes the name and address of every host in the domain, including internal naming conventions and infrastructure such as mail, VPN and management hosts, and hands the attacker a map of the network's topology.
Some of the ways adversaries carry out enumeration attacks include:
User Enumeration using Email IDs and Usernames
Email IDs customarily contain two parts, a user name and a domain name. The characters preceding the @ symbol are usually the account's username, so addresses harvested from websites, breaches or the SMTP probes above give attackers a list of candidate usernames to confirm with a brute-force attack against the login form.
In this technique, attackers infer which users exist from how the server responds to submitted credentials. On the login window, the attacker enters a candidate username with any password and checks the response. If the server answers "User does not exist", the username is wrong; if it answers "Wrong password", the username exists and only the password was wrong. Less obvious differences leak the same signal: a different HTTP status code, response length or redirect, or a measurably longer response time when the server hashes the password only for accounts that exist. The output of this user enumeration attack is a list of valid usernames for later password spraying.
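The login oracle described above, shown from both sides: three server implementations (the leaky original, the common half-fix that only unifies the message, and a hardened version) and the attacker's enumeration routine that uses the message difference first and the timing difference second. This is an added example and not code from the original article; the user store, salt and passwords are constructed, and the 10 ms timing threshold is an assumed value chosen to sit well above jitter and well below one PBKDF2 run.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 100_000                 # PBKDF2 work factor; the hardened server pays it for every attempt
TIMING_THRESHOLD_S = 0.010           # assumed: well above jitter, well below one PBKDF2 run
_SALT = b"constructed-demo-salt"     # one salt for the whole constructed store, to keep the demo short


def hash_password(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, ITERATIONS)


# Constructed user store (not real accounts or passwords).
USERS = {"alice": hash_password("correct horse battery"), "bob": hash_password("hunter2")}
# A hash nobody can match, so unknown users cost the hardened path exactly one PBKDF2 run too.
_DUMMY_HASH = hash_password(os.urandom(16).hex())


def login_vulnerable(username, password):
    """Leaks existence twice: a distinct message, and no hashing at all for unknown names."""
    record = USERS.get(username)
    if record is None:
        return False, "User does not exist"
    if hash_password(password) != record:
        return False, "Wrong password"
    return True, "Welcome"


def login_generic_message(username, password):
    """The common half-fix: one message for both failures, but unknown names still skip the hash."""
    record = USERS.get(username)
    if record is None or hash_password(password) != record:
        return False, "Invalid username or password"
    return True, "Welcome"


def login_hardened(username, password):
    """One message, one PBKDF2 run and a constant-time comparison whether or not the user exists."""
    record = USERS.get(username, _DUMMY_HASH)
    ok = hmac.compare_digest(hash_password(password), record) and username in USERS
    return ok, ("Welcome" if ok else "Invalid username or password")


def _median_time(login, username, samples=3):
    times = []
    for _ in range(samples):
        start = time.perf_counter()
        login(username, "not-the-password")
        times.append(time.perf_counter() - start)
    return sorted(times)[samples // 2]


def enumerate_usernames(login, candidates, baseline_user="zq7x9-no-such-user"):
    """Attacker's oracle: a candidate exists if the failure message differs from the one for a surely-invalid
    name, or if the failure takes markedly longer (the server only hashed because the account is real)."""
    baseline_msg = login(baseline_user, "not-the-password")[1]
    baseline_time = _median_time(login, baseline_user)
    found = []
    for user in candidates:
        msg = login(user, "not-the-password")[1]
        if msg != baseline_msg or _median_time(login, user) - baseline_time > TIMING_THRESHOLD_S:
            found.append(user)
    return found


if __name__ == "__main__":
    for name, impl in [("vulnerable", login_vulnerable), ("generic message", login_generic_message),
                       ("hardened", login_hardened)]:
        print("%-16s enumerated: %s" % (name, enumerate_usernames(impl, ["alice", "carol", "bob"])))
```

Against a real application the same oracle works over HTTP with status code, body length and elapsed time in place of the return tuple. The hardened version shows the two properties a login handler needs: identical output for both failure causes, and identical work, which here means hashing against a dummy record when the user does not exist rather than returning early.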
Enumeration Using Default Passwords
Vendor documentation commonly publishes the default passwords assigned to products, and lists of them are compiled online. If administrators fail to change them, an attacker combines the valid usernames they have already enumerated with the default passwords to gain access to those accounts. The attacker then assumes the user's identity, which can be exploited for further enumeration, access to sensitive information, or escalation to administrative access.
Exposing Topological Information with DNS Zone Transfer
Having found the domain's authoritative name servers through its NS records, the attacker sends each one an AXFR request for the zone, for example with dig axfr example.com @ns1.example.com or nmap's dns-zone-transfer script. A server that should answer only its own secondaries but has no transfer restriction returns every record in the zone, exposing the configuration of all hosts within the domain and the network's topology. The defence is to restrict transfers to the secondaries' addresses and, better, to require TSIG-signed transfer requests, then to test each authoritative server from outside to confirm the request is refused.
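The zone transfer described in this section and under DNS enumeration above, done at the protocol level so that both the request and what comes back are visible. This is an added example and not code from the original article or from dig; the parser covers the record types needed to read a transfer, and the reply used for the offline run is a constructed zone for the assumed domain corp.example, not a capture.

```python
import socket
import struct

TYPE_AXFR, TYPE_A, TYPE_NS, TYPE_CNAME, TYPE_SOA, TYPE_PTR, CLASS_IN = 252, 1, 2, 5, 6, 12, 1
TYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX", 16: "TXT", 28: "AAAA"}


def encode_name(name):
    return b"".join(bytes([len(label)]) + label.encode() for label in name.strip(".").split(".")) + b"\x00"


def build_axfr_query(zone, txid=0x4242):
    """The question dig axfr sends: one QTYPE 252 (AXFR) query for the zone apex, class IN."""
    return struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0) + encode_name(zone) + struct.pack("!HH", TYPE_AXFR, CLASS_IN)


def read_name(msg, pos):
    """Decode a possibly compressed name; returns (name, position just after it in the original stream)."""
    labels, end = [], None
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:                          # compression pointer to an earlier name
            end = end if end is not None else pos + 2
            pos = struct.unpack("!H", msg[pos:pos + 2])[0] & 0x3FFF
            continue
        pos += 1
        if length == 0:
            break
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels), (end if end is not None else pos)


def parse_records(msg):
    """Parse the answer section of one DNS message into (owner, type, rdata as text) tuples."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:
        raise ValueError("transfer not granted: RCODE %d (5 = REFUSED, 9 = NOTAUTH)" % (flags & 0x000F))
    pos = 12
    for _ in range(qdcount):
        _, pos = read_name(msg, pos)
        pos += 4                                           # QTYPE + QCLASS
    records = []
    for _ in range(ancount):
        owner, pos = read_name(msg, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == TYPE_A:
            text = socket.inet_ntoa(msg[pos:pos + 4])
        elif rtype in (TYPE_NS, TYPE_CNAME, TYPE_PTR):     # rdata is a single (possibly compressed) name
            text, _ = read_name(msg, pos)
        elif rtype == TYPE_SOA:
            mname, p = read_name(msg, pos)
            rname, _ = read_name(msg, p)
            text = "%s %s" % (mname, rname)
        else:
            text = msg[pos:pos + rdlen].hex()
        records.append((owner, TYPE_NAMES.get(rtype, str(rtype)), text))
        pos += rdlen
    return records


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection mid-transfer")
        buf += chunk
    return buf


def zone_transfer(nameserver, zone, timeout=5.0):
    """Request the whole zone over TCP 53 (needs network access); returns every record or raises if refused."""
    query = build_axfr_query(zone)
    records, soa_seen = [], 0
    with socket.create_connection((nameserver, 53), timeout=timeout) as sock:
        sock.sendall(struct.pack("!H", len(query)) + query)    # TCP DNS messages carry a 2-byte length prefix
        while soa_seen < 2:                                     # the stream opens and closes with the SOA
            length = struct.unpack("!H", recv_exact(sock, 2))[0]
            part = parse_records(recv_exact(sock, length))
            soa_seen += sum(1 for r in part if r[1] == "SOA")
            records.extend(part)
    return records


def build_sample_transfer(zone="corp.example", txid=0x4242):
    """Constructed AXFR reply (not a capture): SOA, NS, two A records, closing SOA, with owner names
    compressed as pointers to the zone name at offset 12 (the question)."""
    zone_ptr = struct.pack("!H", 0xC000 | 12)
    def rr(owner, rtype, rdata):
        return owner + struct.pack("!HHIH", rtype, CLASS_IN, 3600, len(rdata)) + rdata
    soa = rr(zone_ptr, TYPE_SOA, encode_name("ns1." + zone) + encode_name("hostmaster." + zone)
             + struct.pack("!IIIII", 2024010101, 3600, 900, 604800, 86400))
    body = (soa + rr(zone_ptr, TYPE_NS, encode_name("ns1." + zone))
            + rr(b"\x03ns1" + zone_ptr, TYPE_A, socket.inet_aton("10.0.0.53"))
            + rr(b"\x03vpn" + zone_ptr, TYPE_A, socket.inet_aton("10.0.0.10")) + soa)
    header = struct.pack("!HHHHHH", txid, 0x8400, 1, 5, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", TYPE_AXFR, CLASS_IN) + body
```

A correctly restricted server answers the same query with RCODE 5 (REFUSED) or simply closes the connection, which is the result to expect when verifying a fix; an open server streams the zone between two copies of its SOA record, which is why the reader stops at the second one rather than waiting for the socket to close.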
Is enumeration a cybersecurity vulnerability?
Enumeration is not itself a vulnerability. However, the information it gathers becomes a risk once it reaches anyone with harmful intent: adversaries use enumeration to uncover existing vulnerabilities and to assemble the usernames, hostnames and software versions an attack needs.
What is the difference between enumeration and reconnaissance?
Both reconnaissance and enumeration are information-gathering techniques. Reconnaissance is largely passive: it gathers what can be learned about the target without touching its systems (DNS records, public documents, search engines, leaked data) or with only light, untargeted probing. Enumeration is active: it connects to the target's services and lists the users, hosts, shares and configuration they expose, then checks whether any of them introduce cybersecurity vulnerabilities. Because enumeration interacts directly with the target, it is noisier, more likely to be logged, and in a penetration test requires explicit authorization.
What are enumeration tools?
Enumeration tools range from single-purpose scanners to vulnerability scanners that probe networks to map the attack surface. Popular tools for network enumeration include Nmap and its NSE scripts, NBTScan, enum4linux, snmpwalk, ldapsearch, DumpSec, SMBScanner, Netcat, etc.