Now that an attacker has successfully identified live and running services using the techniques discussed in Chapter 2, they will typically turn to probing the identified services more fully for known weaknesses, a process we call enumeration. The key difference between the previously discussed information-gathering techniques and enumeration is in the level of intrusiveness. Enumeration involves active connections to systems and directed queries. As such, it may (and should!) be logged or noticed. We will show you what to look for and how to block it, if possible.
Much of the information garnered through enumeration may appear harmless at first glance. However, the information that leaks from the following holes can be your undoing, as we will try to show throughout this chapter. In general, the information attackers will seek via enumeration includes user account names (for use in password-guessing attacks), oft-misconfigured shared resources (for example, unsecured file shares), and older software versions with known security vulnerabilities (such as web servers with remote buffer overflows). Once one of these openings is enumerated, it's usually only a matter of time before the intruder compromises the system in question to some degree, if not completely. By closing these easily fixed loopholes, you eliminate the first foothold of the hacker.
Enumeration techniques tend to be platform-specific and are therefore heavily dependent on information gathered in Chapter 2 (port scanning and OS detection). In fact, port scanning and enumeration functionality are often bundled into the same tool, as you saw in Chapter 2 with programs such as SuperScan, which can scan a network for open ports and grab banners from any it discovers listening. This chapter will begin with a brief discussion of banner grabbing, the most generic of enumeration techniques, and will then delve into more platform-specific mechanisms that may require more specialized tools.
We've also reorganized our platform-specific discussion according to service type rather than operating system, a new approach implemented in the fourth edition and continued with the fifth. This was done primarily due to reader feedback, in an effort to more clearly show the tight link between port scanning and enumeration. After all, at this point in the methodology, one might not yet know the operating system of the target machine.
Services will be discussed in numeric order according to the port on which they traditionally listen, whether TCP or UDP; for example, TCP 25 (SMTP) will be discussed first, UDP 69 (TFTP) next, TCP 79 (finger) after that, and so on. This chapter will not exhaustively cover every conceivable enumeration technique against all 65,535 TCP and UDP ports; we will focus only on those services that have traditionally given up the lion's share of information about target systems, based on our experiences as professional security testers. We hope this more clearly illustrates how enumeration is designed to help provide a more complete understanding of the target, along the way to advancing the attacker's main agenda of unauthorized system access.
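Because enumeration consists of active connections and directed queries, it leaves a characteristic trace in connection logs: one source touching several distinct services on a host within a short interval, often in port order. The script below is an added example written for this edit (it is not from the book) that applies that idea to a few constructed firewall-style log lines: it parses each line, groups events by source address, and flags any source that reaches at least `min_services` distinct (destination, protocol, port) tuples inside a sliding time window. The log format, the field names, the threshold and the window are all assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample connection log (not real traffic). 10.0.0.5 walks the
# services the chapter discusses (SMTP, TFTP, finger, HTTP, NetBIOS, SMB) in
# quick succession; 10.0.0.7 and 10.0.0.9 show ordinary, sparse activity.
SAMPLE_LOG = """\
2004-03-01T10:00:01 src=10.0.0.5 dst=192.168.1.10 proto=tcp dport=25
2004-03-01T10:00:02 src=10.0.0.5 dst=192.168.1.10 proto=udp dport=69
2004-03-01T10:00:03 src=10.0.0.5 dst=192.168.1.10 proto=tcp dport=79
2004-03-01T10:00:04 src=10.0.0.5 dst=192.168.1.10 proto=tcp dport=80
2004-03-01T10:00:05 src=10.0.0.5 dst=192.168.1.10 proto=tcp dport=139
2004-03-01T10:00:06 src=10.0.0.5 dst=192.168.1.11 proto=tcp dport=445
2004-03-01T10:01:00 src=10.0.0.7 dst=192.168.1.10 proto=tcp dport=80
2004-03-01T10:01:30 src=10.0.0.7 dst=192.168.1.10 proto=tcp dport=80
2004-03-01T11:30:00 src=10.0.0.9 dst=192.168.1.12 proto=tcp dport=25
2004-03-01T12:30:00 src=10.0.0.9 dst=192.168.1.12 proto=tcp dport=80
"""

# Assumed key=value log layout; adapt the pattern to your own firewall/flow logs.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>tcp|udp) dport=(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one log line into a record, or return None for unparseable input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        # A "service" is the (host, protocol, port) tuple the source touched.
        "service": (m["dst"], m["proto"], int(m["dport"])),
    }


def find_enumerators(log_text, min_services=4, window=timedelta(minutes=5)):
    """Return {src: sorted services} for every source that contacted at least
    min_services distinct services within any window-sized span of time."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            events[rec["src"]].append((rec["ts"], rec["service"]))

    flagged = {}
    for src, evs in events.items():
        evs.sort()  # chronological order so the sliding window is contiguous
        for i, (start, _) in enumerate(evs):
            seen = set()
            for ts, svc in evs[i:]:
                if ts - start > window:
                    break
                seen.add(svc)
            if len(seen) >= min_services:
                flagged[src] = sorted(seen)
                break  # one qualifying window is enough to flag the source
    return flagged


if __name__ == "__main__":
    for src, services in find_enumerators(SAMPLE_LOG).items():
        print(f"{src} touched {len(services)} services:")
        for dst, proto, port in services:
            print(f"  {dst} {proto}/{port}")
```

On the constructed input only 10.0.0.5 is reported; 10.0.0.7 repeatedly hits a single service and 10.0.0.9 spreads two contacts an hour apart, so neither crosses the threshold. In practice the threshold and window should be tuned per network, and known vulnerability scanners or monitoring hosts should be allow-listed, since they produce exactly this pattern legitimately.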
Throughout this chapter, we will use the phrase "NT Family" to refer to all systems based on Microsoft's "New Technology" (NT) platform, including Windows NT 3., Windows 2000, Windows XP, and Windows Server 2003. Where necessary, we will differentiate between desktop and server versions. In contrast, we will refer to the Microsoft DOS/Windows 1./Me lineage as the "DOS Family."