Chapter 3: Enumeration

OVERVIEW

Now that an attacker has successfully identified live hosts and running services using the techniques discussed in Chapter 2, they will typically turn next to probing the identified services more fully for known weaknesses, a process we call enumeration.

The key difference between previously discussed information-gathering techniques and enumeration is in the level of intrusiveness . Enumeration involves active connections to systems and directed queries. As such, they may (should!) be logged or otherwise noticed. We will show you what to look for and how to block it, if possible.

Much of the information garnered through enumeration may appear harmless at first glance. However, the information that leaks from the following holes can be your undoing, as we will try to illustrate throughout this chapter. In general, the information attackers will seek via enumeration includes user account names (to inform subsequent password-guessing attacks), oft-misconfigured shared resources (for example, unsecured file shares), and older software versions with known security vulnerabilities (such as web servers with remote buffer overflows). Once one of these openings is enumerated, it's usually only a matter of time before the intruder compromises the system in question to some degree, if not completely. By closing these easily fixed loopholes, you eliminate the first foothold of the hacker.

Enumeration techniques tend to be platform-specific and are therefore heavily dependent on information gathered in Chapter 2 (port scans and OS detection). In fact, port scanning and enumeration functionality are often bundled into the same tool, as you saw in Chapter 2 with programs such as SuperScan, which can scan a network for open ports and simultaneously grab banners from any it discovers listening. This chapter will begin with a brief discussion of banner grabbing , the most generic of enumeration techniques, and will then delve into more platform-specific mechanisms that may require more specialized tools.

We've also reorganized our platform-specific discussion according to service type rather than operating systema new approach implemented in the fourth edition and continued with the fifth. This was done primarily due to reader feedback, in an effort to more clearly show the tight link between port scanning and enumeration. After all, at this point in the Hacking Exposed methodology, one might not yet know the operating system of the target machine.

Services will be discussed in numeric order according to the port on which they traditionally listen, whether TCP or UDPfor example, TCP 25 (SMTP) will be discussed first, UDP 69 (TFTP) will be discussed next, TCP 79 (finger) after that, and so on. This chapter will not exhaustively cover every conceivable enumeration technique against all 65,535 TCP and UDP ports; we will focus only on those services that have traditionally given up the lion's share of information about target systems, based on our experiences as professional security testers. We hope this more clearly illustrates how enumeration is designed to help provide a more concise understanding of the target, along the way to advancing the attacker's main agenda of unauthorized system access.