22 JAN 2021
Author: Praddyum Verma
Greeting to all the lovely souls who are reading this article. Maybe you are a noob(yep, this is what we call a newbie) an intermediate, or an expert who opened this article to quench their thirst for Cyber Security. Some of you might have already known how important an enumeration is? At the same time for others, it is either a new word or they are already with problems in understanding the topic. Don’t worry, I’ll try my best to compile creativity and knowledge and provide you clear explanations with examples. Just hold tight for a Rollercoaster Ride!!
When we talk about hacking a thing, where this “thing” could range from a simple NASA Challenge website to NASA servers, operating in their headquarters(don’t tell me you already hacked both using HTML). A set of phases have been framed by the professional of the cybersecurity field.
Namely,
This can be grouped as:
As a penetration tester, you’ll be investing 50–60% of your time gathering information about the target. But think of a situation where you are not aware of the target like- on which OS it’s running(different OS have different sets of exploits), what are the vulnerable services running, and what are their versions? This is where “Enumeration” plays a vital role. Enumeration is the practice of researching more about various services running on our target and then listing the possibilities of exploiting them. It helps us to finetune our action. We can just blindly use every exploit in hope of getting the movie type terminal with an infinite loop of words! LOL!!. Enumeration can be used to gather usernames, passwords, network information, hostnames, application data, services, or any other information that may be valuable to a hacker.
As I have already mentioned how important the enumeration process is, let’s try to understand it with an analogy. Think of yourself, you are a noob and you want to hack into your friend's system(maybe the one you got from your university). By the grace of god, you all are connected by the university Wi-Fi means you can easily ping each other and are located on the subnet. Sounds exciting? Now you can ping the target that’s where you have options:
So which one are you choosing?
Enough of theory, let’s see an example to understand the whole process. To make you understand, I’ll replicate the SMB enumeration in the Network Services room at TryHackMe. Let’s assume we only have the IP of our target and we are on the same network(i.e. I can ping the machine/ connect to it).
IP of target : 10.10.10.10 (Imaginary)
So this was our scanning phase where we tried to know about the open ports, services running on those ports, and the OS fingerprint.
Now, let’s get the important parts from above
Ports and Services
So now we know that two services namely SSH and SMB are running on the target. This will help us to pick exploits meant only for these vulnerabilities. Let’s enumerate SMB to gain more insights. We’ll be using a CLI tool named Enum4Linux to enumerate SMB thereby, extracting all the possible information like shares, users, etc.
IP of target : 10.10.10.10 (Imaginary)
Key Findings:
So we found that “profiles” are shared in SMB. Let’s try to connect to it with a tool called “smbclient”, using the misconfiguration of Anonymous Login.
Woohoo!! We got the files of credentials. Now we can do ssh and connect to the machine, create the backdoor and also clear the tracks.
Maybe you found this a bit daunt or maybe you thought it’s all setup praddy. We don’t find these in real life but it does take place in reality. Many organizations are hit by cyber attacks due to outdated services running on the system. In this article, we learned how to enumerate(know more) about services and to save time by choosing wisely their respective exploits. For various services, we have various enumeration tools. I recommend learning about them. Share your experience in the comment section. Till then keep hacking and securing :) Signing off!!
“The more you enumerate The finer you know”
Thanks for Visiting. Have a nice day.