Discussion I
Career Relevancy
Enumeration is a very aggressive form of attack on networks. As a cybersecurity analyst, you will have to be aware of how enumeration is performed on your network. Enumeration allows attackers to enter the network and begin gaining access to privileged accounts. The more you know how this attack is performed, the better prepared you will be to protect your organization’s assets.
Background
Enumeration is the process of extracting user names, machine names, network resources, shares, and services from a system or network. The attackers use the information collected by means of enumeration to identify the weak points in the system’s security, which helps them exploit the target system. In the enumeration phase, the attacker creates active connections with the system and performs directed queries to gain more information about the target. It allows the attacker to perform password attacks to gain unauthorized access to information system resources. Enumeration techniques work in an intranet environment.
Enumeration allows you to learn about an organization’s network resources, network shares, routing tables, audit and service settings, SNMP and FQDN details, machine names, users and groups, and applications and banners.
During enumeration, attackers may stumble upon a remote IPC share, such as IPC$ in Windows, which they can probe further for null sessions to collect information about other shares and system accounts. Together, we have previously highlighted how attackers gather necessary information about a target without entirely crossing onto the wrong side of the legal barrier. However, enumeration activities may be illegal depending on the organization policies and any laws that are in effect. As a pen tester, you should always acquire proper authorization before performing enumeration.
NetBIOS enumeration tools explore the network within a given range of IP addresses and lists of computers to identify security loopholes present in networked systems. These tools also enumerate OS, users, groups, SIDs, password policies, services, service packs and hotfixes, NetBIOS shares, transports, sessions, disks and security event logs.
SNMP enumeration is the process of creating a list of the user’s accounts and devices on a target computer using SNMP. SNMP employs two types of software components for communication. They are the SNMP agent and SNMP management station. The SNMP agent is located on the networking device, and the SNMP management station communicates with the agent.
Almost all network infrastructure devices such as routers, switches, etc. contain an SNMP agent for managing the system or devices. The SNMP management station sends requests to the agent; after receiving the request, the agent replies. Both requests and replies are the configuration variables accessible by the agent software. SNMP management stations send requests to set values to some variables. Traps let the management station know if anything has happened on the agent’s side, such as a reboot, interface failure, or any other abnormal event.
Various protocols enable communication and manage data transfer between network resources. All of these protocols carry valuable information about network resources along with the data. An external user who is able to enumerate that information by manipulating the protocols can break into the network and misuse the network’s resources. The Lightweight Directory Access Protocol (LDAP) is one such protocol that accesses the directory listings. This section focuses on LDAP enumeration, information extracted via LDAP enumeration, and LDAP enumeration tools.
LDAP is an Internet protocol for accessing distributed directory services. LDAP accesses directory listings within an Active Directory or from other directory services. LDAP is a hierarchical or logical form of a directory, similar to a company’s org chart. Directory services may provide any organized set of records, often in a hierarchical and logical structure, such as a corporate email directory. It uses DNS for quick lookups and fast resolution of queries. A client starts an LDAP session by connecting to a Directory System Agent (DSA) typically on TCP port 389 and sends an operation request to the DSA. Basic Encoding Rules (BER) transmits information between the client and the server.
Administrators often overlook the Network Time Protocol (NTP) server in terms of security. However, if queried properly, it can provide valuable network information to the attackers. Therefore, it is necessary to know what information an attacker can obtain about a network through NTP enumeration. This section describes NTP enumeration, information extracted via NTP enumeration, various NTP enumeration commands, and NTP enumeration tools.
NTP is designed to synchronize clocks of networked computers. It uses UDP port 123 as its primary means of communication.
Attackers query the NTP server to gather valuable information such as a list of hosts connected to the NTP server, client IP addresses in a network, their system names and OS, and internal IPs can also be obtained if NTP server is in the DMZ.
Mail systems commonly use SMTP with POP3 and IMAP that enables users to save the messages in the server mailbox and download them occasionally from the server. SMTP uses Mail Exchange (MX) servers to direct the mail via DNS. It runs on TCP port 25.
Administrators and pen testers can perform SMTP enumeration using command-line utilities such as telnet, netcat, etc. or by using tools such as Metasploit, Nmap, NetScanTools Pro, smtp-user-enum, etc., to collect a list of valid users, delivery addresses, recipients of the message, etc.
DNS zone transfer is the process of transferring a copy of the DNS zone file from the primary DNS server to a secondary DNS server. The attacker performs DNS zone transfer enumeration to locate the DNS server and records of the target organization. Through this process, an attacker gathers valuable network information such as DNS server names, hostnames, machine names, user names, IP addresses, etc. of the potential targets. In a DNS zone transfer enumeration, an attacker tries to retrieve a copy of the entire zone file for a domain from the DNS server.
To perform DNS zone transfer enumeration, the attacker can use tools such as nslookup, DNSstuff, etc. To perform a DNS zone transfer, the attacker sends a zone transfer request to the DNS server pretending to be a client; the DNS server then sends a portion of its database as a zone to you. This zone may contain a lot of information about the DNS zone network.
Prompt
If proper techniques are not used to prevent network enumeration by a hacker, what ramifications can occur for the company, employees, and customer? As you think about this answer, think not just about the physical but also the psychological and explain your reasoning.
For your citation, you might use articles that show examples of how to define and understand why enumeration is an essential step for hacking a network. Explore options for organizations as research components for examining why networks do not defend themselves against enumeration and how they should protect their assets.
Institution Writing Guidelines 300-400 LVL
Purpose: The Institution Writing Guidelines (IWG) exist to simplify student writing requirements and instructor grading, clarify and standardize writing expectations, focus instructor grading and student effort on content, and gradually introduce students to more complex and restrictive writing guidelines over time.
Below you will find the detailed information for your 300 and 400 level courses:
· Formatting (Specific to 300-400 level courses)
· Grammar/Spelling
· Sources (Specific to 300-400 level courses)
· Plagiarism
Formatting
· The top of the paper needs:
-Student name
-Date of submission or writing
-Course name
-Title of the paper
· It is recommended the paper identification information be placed at the top right. What matters is the information is present. Example:
· The paper should be set with one-inch margins all around
· 12-point font sans serif or serif, no decorative fonts. Recommended—but not mandatory—fonts include: Serif family (Times New Roman, Book Antiqua, Minion Pro), Sans Serif family (Calibri, Arial, Verdana)
· Double spacing lines is required
Grammar/Spelling
· General spelling, grammar, and punctuation expectations apply. The focus of the writing must address the issues raised by the prompt, emphasized in the rubric, and the learning objective(s) covered by the writing task
-The serial comma is expected (example: word, word, word, and word)
-Double-spacing after sentences is discouraged
Sources
· Students are expected to use citations, including in-text citations as needed. The guidelines are:
-In Text
* The Author, Year, page number (for quotes) format. Ex: (Doe, 2016, pp. 23-25)
* Sentence punctuation follows the in-text citation
-Reference Citation
* Example 1: Martinez, A. (2016). The way things should be. Harper.
* Example 2: Martinez. (2016). The way things should be. Retrieved, March 4, 2018, from https://worldswisdom.com
* References are not to be graded on punctuation, italics, inclusion of initials, date format, etc. Grading for references will focus on the required basic elements not the presentation of the elements.
* Rubrics will be followed and the focus remains on content, not style
Plagiarism
Plagiarism is not acceptable. Instructors should follow the academic policy on plagiarism. Egregious examples of plagiarism or repetitive plagiarism will be referred to the student’s dean for additional evaluation.
Revised: Final (15 June 2018)