1
00:00:06,600 --> 00:00:09,540
- Our goal for Enumeration is to extract information

2
00:00:09,540 --> 00:00:12,240
about the systems that we are trying to compromise,

3
00:00:12,240 --> 00:00:14,850
and this can give us avenues of attack.

4
00:00:14,850 --> 00:00:17,673
For example, if we're able to extract usernames,

5
00:00:18,550 --> 00:00:21,380
or group names, SNMP information.

6
00:00:21,380 --> 00:00:23,690
What are we going to do with this information,

7
00:00:23,690 --> 00:00:27,320
or how can this information help us get into the system?

8
00:00:27,320 --> 00:00:29,810
If we're able to figure out usernames

9
00:00:29,810 --> 00:00:34,410
by querying an LDAP database, we know what usernames to try

10
00:00:34,410 --> 00:00:36,720
when we're doing our brute-force dictionary attack

11
00:00:36,720 --> 00:00:38,400
to try to log in as those users.

12
00:00:38,400 --> 00:00:40,840
If we have to brute-force a username and a password,

13
00:00:40,840 --> 00:00:42,610
it's gonna take a lot longer

14
00:00:42,610 --> 00:00:44,503
than just brute-forcing passwords.

15
00:00:45,430 --> 00:00:46,630
So, here's what we're trying to figure out.

16
00:00:46,630 --> 00:00:48,780
We wanna see machine names.

17
00:00:48,780 --> 00:00:50,040
Information from SNMP.

18
00:00:50,040 --> 00:00:51,300
This will be network interfaces,

19
00:00:51,300 --> 00:00:54,160
IP addresses, port utilization.

20
00:00:54,160 --> 00:00:56,810
We wanna see some DNS names, maybe some routing tables,

21
00:00:56,810 --> 00:00:59,250
some banners from services that are running.

22
00:00:59,250 --> 00:01:00,440
What services are running?

23
00:01:00,440 --> 00:01:02,720
We've looked at discovering available services,

24
00:01:02,720 --> 00:01:03,553
when we talked

25
00:01:03,553 --> 00:01:06,230
about Nmap, hping, Metasploit.

26
00:01:06,230 --> 00:01:08,170
Now, what techniques are we gonna be talking about

27
00:01:08,170 --> 00:01:09,740
through the remainder of this lesson?

28
00:01:09,740 --> 00:01:12,780
Starting off with default passwords.

29
00:01:12,780 --> 00:01:15,020
Enumerating information from a system

30
00:01:15,020 --> 00:01:18,040
might require authentication to that system;

31
00:01:18,040 --> 00:01:20,390
default passwords can be used for that.

32
00:01:20,390 --> 00:01:21,480
We can take a look at

33
00:01:21,480 --> 00:01:24,850
what is available through Active Directory queries.

34
00:01:24,850 --> 00:01:26,410
Extracting user groups.

35
00:01:26,410 --> 00:01:28,030
Usernames from emails.

36
00:01:28,030 --> 00:01:29,350
DNS Zone Transfers.

37
00:01:29,350 --> 00:01:30,970
Walking with SNMP.

38
00:01:30,970 --> 00:01:32,820
We're gonna take a look at all of these techniques

39
00:01:32,820 --> 00:01:34,820
throughout the remainder of this lesson.

40
00:01:36,270 --> 00:01:39,150
Once we have a system that we're going to target

41
00:01:39,150 --> 00:01:41,350
in order to do this enumeration,

42
00:01:41,350 --> 00:01:44,970
what services might we be talking to?

43
00:01:44,970 --> 00:01:47,320
For example, is it a DNS server?

44
00:01:47,320 --> 00:01:50,390
It's gonna be listening on UDP 53, if it is.

45
00:01:50,390 --> 00:01:51,640
Is it Active Directory?

46
00:01:51,640 --> 00:01:54,290
We'll have Server Message Block on 445.

47
00:01:54,290 --> 00:01:56,330
If it's Windows, we'll have some NetBIOS stuff.

48
00:01:56,330 --> 00:01:58,700
We might have LDAP on 389.

49
00:01:58,700 --> 00:02:01,430
Services don't have to be running on the host.

50
00:02:01,430 --> 00:02:05,020
So, you run your Nmap, see what services you can talk to.

51
00:02:05,020 --> 00:02:06,780
Once you know what services you can talk to,

52
00:02:06,780 --> 00:02:09,850
then you try to grab information from those services.

53
00:02:09,850 --> 00:02:12,340
Also, this is important to note.

54
00:02:12,340 --> 00:02:14,060
Port numbers can be changed.

55
00:02:14,060 --> 00:02:15,560
It's not very common,

56
00:02:15,560 --> 00:02:17,810
because if you change the port number for LDAP,

57
00:02:17,810 --> 00:02:19,650
you have to change all of the systems

58
00:02:19,650 --> 00:02:20,810
to talk to that port number.

59
00:02:20,810 --> 00:02:25,810
So, most of the time, if you see 389, it's gonna be LDAP.