CEH v8 Labs Module 04 Enumeration PDF

CEH Lab M anual
E n u m e ra tio n
M o d u le 0 4
E n u m e r a tio n
E n u m e r a tio n is th e p ro ce ss o f e x tra c tin g u se r nam es, m a ch in e nam es, n e tiro rk resources, shares, a n d services fr o m a system . E n u m e r a tio n is co nd ucted in a n in tr a n e t en viro n m en t.
I C ON
KEY
La b S cen ario
Penetration testing is much more than just running exploits against vulnerable systems like we learned 111 the previous module. 111 fact a penetration test begins before penetration testers have even made contact with the victim systems. As an expert ethical hacker and penetration te s te r you must know how to enum erate target netw orks and extract lists o f computers, user names, user groups, ports, operating systems, machine names, network resources, and services using various enumeration techniques.
/ Valuable information y Test your knowledge
Web exercise Workbook review
La b O b jectives
The objective o f tins lab is to provide expert knowledge 011 network enumeration and other responsibilities that include: User name and user groups Lists o f computers, their operating systems, and ports Machine names, network resources, and services Lists o f shares 011 individual hosts 011 the network
Policies and passwords

& Tools dem onstrated in this lab are available in D:\CEHTools\CEHv8 Module 04 Enumeration
La b Environm ent
To earn out die lab, you need:
Windows Server 2012 as host machine Windows Server 2008, Windows 8 and Windows 7 as virtual machine
A web browser with an Internet connection Administrative privileges to nm tools
La b Duration
Time: 60 Minutes
O verview of Enum eration

Enumeration is the process of extracting user names, machine names, network resources, shares, and services from a system. Enumeration techniques are conducted 111 an intranet environment.
C E H Lab Manual Page 267
Ethical Hacking and Countermeasures Copyright by EC-Council All Rights Reserved. Reproduction is Stricdy Prohibited.
M odule 04 - Enum eration
TASK
Overview
La b T a s k s
Recommended labs to assist you 111 Enumeration: Enumerating a Target Network Using Nm ap Tool Enumerating NetBIOS Using the S uperScan Tool Enumerating NetBIOS Using the N etB IO S Enumerating a Network Using SolarW inds Enumerating the System Using H yena
E nu m erato r Tool N e tw o rk S canner
Enumerating a Network Using the S o ftP e rfe c t
T oo lset
La b A n a ly sis
Analyze and document the results related to die lab exercise. Give your opinion on your targets security posture and exposure.
P L E A S E T A L K TO Y O U R I N S T R U C T O R I F Y O U H A V E Q U E S T I O N S R E L A T E D TO T H I S LAB.
E n u m e r a tin g a T a r g e t N e t w o r k U s in g N m a p
E n u m e ra tio n is th e p ro ce ss o f e x tra c tin g u se r nam es, m a ch in e nam es, nehvork resources, sha res, a n d services fr o m a system .
I C ON
KEY
La b S cen ario
111 fact, a penetration test begins before penetration testers have even made contact with the victim systems. During enumeration, information is systematically collected and individual systems are identified. The pen testers examine the systems in their entirety, which allows evaluating security weaknesses. 1 1 1diis lab, we discus Nmap; it uses raw IP packets 111 novel ways to determine what hosts are available on die network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet biters/firewalls are 111 use, it was designed to rapidly scan large networks. By using the open ports, an attacker can easily attack the target machine to overcome this type of attacks network filled with IP filters, firewalls and other obstacles.
1._ Valuable
information
s
Test vour knowledge
O T Web exercise c a Workbook review
As an
and penetration tester to enum erate a target and extract a list ot computers, user names, user groups, machine names, network resources, and services using various enumeration techniques.
expert ethical hacker netw ork
La b O b jectives
The objective ot tins lab is to help students understand and perform enumeration on target network using various techniques to obtain: User names and user groups Lists of computers, their operating systems, and the ports on them Machine names, network resources, and services Lists of shares on the individual hosts on die network Policies and passwords
La b Environm ent
To perform die kb, you need: A computer running Windows Server 2 008 as a virtual machine A computer running with Windows Server 2 0 1 2 as a host machine Nmap is located at D:\CEH-Tools\CEHv8
Module 04 Enumeration\Additional Enumeration Pen Testing Tools\Nmap
Administrative privileges to install and mil tools
La b Duration
Time: 10 Minutes

Take asnapshot (a type of quick backup) of your virtual m achine before each lab, because if som ethinggoes wrong, you can go back to it.
Enumeration is die process of extracting user names, machine names, network resources, shares, and services from a system. Enumeration techniques are conducted 111 an intranet environment
La b T a s k s
The basic idea 111 dns section is to: Perform scans to find hosts with NetBIOS ports open (135,137-139, 445) Do an nbtstat scan to find generic information (computer names, user names, ]M AC addresses) on the hosts Create a Null Session to diese hosts to gain more information Install and Launch Nmap 111 a Windows Server 2012 machine
TASK 1
1. Launch the S ta rt menu by hovering the mouse cursor on the lower-left corner of the desktop.
Nbstat and Null Sessions
3 W in d o w s Se rv er 2012 winaowsbtrvw tt)>Ke*<$eurK!1 aau Lucmr Fvilutor cepj fejiri M O T
/ Zenmap file installs the following files: * Nmap Core Files * Nmap Path W inPcap 4.1.1 Network Interface Import Zenmap (GUI frontend)
FIGURE 1 .1 :W indow sS erver 2012 Desktopview
Click the N m ap-Zenm ap
GUI
app to open the Z en m ap window.
5 t3 T t
Adm inistrator
Server Manager
Windows PowerShell
Google Chrome
Hyper-V Manager
Nmap Zenmap GUI
r =
Computer
m
Central Panel
o
Hyper-V Virtual Machine...
f t SQL Server Installation Center...
*J
Command Prompt liflgnr
Q
Mozilla Firefox
MegaPing
Global Network Inventory
1!
HTTPorl 3.SNFM
0c*3Of
s S
!*
FIGURE 1 .2 :W indow sS erver 2012 A pps
3. Start your virtual machine running WMcwsSetver2008 4. Now launch die nmap tool 111 die Windows Server 2012 host machine. 5. Perform nmap -O scan for die Windows Server 2008 virtual machine (10.0.0.6) network. Tins takes a few minutes.
HU Use the ossscangu ess option for best resultsin nm ap.
Note:
IP addresses may vary 111 your lab environment.

Zenmap
S c jn Target: Tools Profile Help [v ] P ro file [S ca n ] | Cancel |
10.0.0.6 nm ap 10.0.0.6 0
C om m and:
N m ap Output
Ports / Hosts [ Topology | Host Details | Scans
FIGURE 1 .3 : Hie Zenm apMainw indow
Nmap performs a scan for die provided target results on die Nmap Output tab.
m Nmap.org is die official source for downloadingNmap source code and binaries for Nmap and Zenm ap.
IP address
and outputs die
Your tirst target is die computer widi a Windows operating system on which you can see ports 139 and 4 4 5 open. Remember tins usually works only ag a in s t W indow s but may partially succeed 1 1other OSes have diese ports open. There may be more dian one system diat has N etB IO S open.
Zenmap TASK 2
Scan T ools rofile Help
V
1 0
Find hosts w ith NetBIOS ports open
C o m m an d :
.0.0.6
P ro file
|[Scan]
n m a p -0 10.0.0.6
Services O S < Host
N m ap O utput
Ports / Hosts | T op olog y | H ost Details | Scans |
n m ap -0 10.0.0.6
1 0 .0 .0 .6
S t a r tin g Nmap 6 .0 1 ( h ttp :/ / n m a p .o r g ) at 2 0 1 2 -0 9 -0 4 1 0 :5 5 Nmap s c a n r e p o r t f o r 1 0 . 0 . 0 . 6 H o s t i s up (0 .0 0 0 1 1 s l a t e n c y ) . N o t s h o w n : 993 f i l t e r e d p o r t s PORT ST AT E S E R V IC E 1 3 5 /tcp op en m srp c 1 3 9 /tcp op en n e t b io s - s s n op en 4 4 5 / tcp r o ic r o s o f t - d s op en 5 5 4 / tc p rts p op en 2 8 6 9 / tc p ic s la p 5 3 5 7 / tc p op en w sdapi 1 0 2 4 3 / tc p op en unknown (M ic r o s o ft) MAC A d d r e s s : W a r n in g : O SS ca n r e s u l t s may b n o t f i n d a t l e a s t 1 op en and 1 c l o s e d p o r t D e v ic e t y p e : g e n e r a l p u rp o s e R u n n in g : M i c r o s o f t W in d o w s 7 |V i s t a | 2008 OS C P E : c p e : / o : m i c r o s o f t : w i n d o w s _ 7 : : p r o f e s s i o n a l o :m ic r o s o f t :w in d o w s _ v is t a : : c p e :/ Filter Hosts
n r r n c n ^ t u i n H n w c % / c ts c n l rn s /
c p e :/
FIGURE 1 .4: The Zenm apoutputw indow
8. Now you see that ports 139 and 445 are open and port 139 is using NetBIOS. 9. Now launch die com m and prom pt 111 W indow s S erver 2 0 0 8 virtual machine and perform n b ts ta t on port 139 ot die target machine. 10. Run die command n b ts ta t -A
c A d m in is tr a to r C om m and P ro m p t C : \ U s e r s \ A d n in is tr a t o r > n b ts t a t -A 1 0 .0 .0 .?
1 0 .0 .0 .7 .
Ha
_x *
m Nmap has traditionally been a com m and-line tool run from aUNIX shell or (m ore recendy) aW indows com m and prom pt.
L o c a l A re a C o n n e c tio n 2 : Node I p A d d r e s s : [ 1 0 . 0 . 0 . 3 ] N e tB IO S Nane W IN - D 3 9 M R S H L9E 4<0 0 > WORKGROUP <00> W IN -D 3 9 M R 5 H L 9 E 4 < 2 0 > MAC A d d r e s s = D . J l. A R e m o te
S cope M a c h in e Type
Id :
[I
Name T a b l e S ta tu s R e g is te re d R e g is te re d R e g is te re d
U N IQ U E GROUP U N IQ U E M J1_-2D
C :\U s e r s \A d n in is tr a to r >
zl FIGURE 1 .5 : Com m andProm pt w ithdienbtstat com m and
11. We have not even created a null session (an unaudienticated session) yet, and we can still pull tins info down. 3
task3
12. Now c re a te a null session.
C reate a Null Session
Ethical Hacking and Countermeasures Copyright by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
13. 1 1 1the command prompt, type n e t use \\X .X .X .X \IP C $ /u: (where X .X .X .X is die address of die host machine, and there are no spaces between die double quotes).
cs .Administrator: C o m m a n d Prompt C:\'net use \\10.0.0.7\IPC$ ""/u:"" L ocal name Renote name W10.0.0.7\IPC$ Resource type IPC Status OK # Opens 0 t t Connections 1 The comnand completed successfully.
& Net Com m and Syntax: NET [ ACCOUNTS | COMPUTER | CONFIG | CONTINUE | FILE | GROUP | HELP | HELPMSG | LOCALGROUP | NAME | PAUSE | PRINT | SEND | SESSION | SHARE | START | STATISTICS | STOP | TIME | USE | USER | VIEW ]
C:\>
FIGURE 1.6 : The com m andprom pt w iththenet u secom m and 14. Confirm
it by issuing a genenc n et sessions from your host.

use,
use
command to see connected null

c re a te d
15. To confirm, type n et session.
which should list your new ly
null
FIGURE 1 .7 : The com m andprom pt , w iththenet u secom m and
La b A n a ly sis
Analyze and document die results related to die lab exercise. Give your opinion on your targets security posture and exposure.
T o o l/U tility
In fo rm atio n C o lle c te d /O b je c tiv e s A chieved T a rg e t M achine:
10.0.0.6
L ist o f O p e n P orts: N m ap
135/tcp, 139/tcp, 445/tcp, 554/tcp, 2869/tcp, 5357/tcp, 10243/tcp 10.0.0.7

O u tp u t:
N e tB IO S R em ote m ach in e IP address:
Successful connection of Null session
P L E A S E T A L K TO Y O U R I N S T R U C T O R I F Y O U H A V E Q U E S T I O N S R E L A T E D TO T H I S L A B .
Q uestio ns
1. Evaluate what nbtstat -A shows us for each of the Windows hosts. 2. Determine the other options ot nbtstat and what each option outputs. 3. Analyze the net use command used to establish a null session on the target machine.
In te rn e t C o n n ectio n R equired Yes P latform S upported 0 C lassroom 0 0
No
!Labs
Ethical Hacking and Countermeasures Copyright by EC-Council A ll Rights Reserved. Reproduction is Stricdy Prohibited.
Lab
E n u m e r a tin g N e tB I O S U s in g t h e S u p erS ca n T ool

S /tp e rS c a n is a T C P p o / t scanner, p in g e r, a n d resolver. T h e to o l's fe a tu r e s includ e e x te n siv e W in d o w s h o s t en u m era tio n ca p a b ility, T C P S Y N sca n n in g , a n d U D P scan ning .
I C ON
KEY
La b S cen ario
During enumeration, information is systematically collected and individual systems are identified. The pen testers examine the systems 111 their entirety; tins allows evaluating security weaknesses. 1 1 1 this lab we extract die information of NetBIOS information, user and group accounts, network shares, misted domains, and services, which are either running or stopped. SuperScan detects open TCP and UDP ports on a target machine and determines which services are running on those ports; bv using this, an attacker can exploit the open port and hack your machine. As an expert ethical hacker and penetration tester, you need to enumerate target networks and extract lists of computers, user names, user groups, machine names, network resources, and services using various enumeration techniques.
[Z7 Valuable information
Test your knowledge Web exercise Workbook review
La b O b jectives
The objective of tins lab is to help students learn and perform NetBIOS enumeration. NetBIOS enumeration is carried out to obtain: List of computers that belong to a domain List of shares on the individual hosts on the network Policies and passwords
La b Environm ent
To earn* out die k b, von need: SuperScan tool is located at D:\CEH-Tools\CEHv8 Module 04
Enumeration\NetBIOS Enumeration Tools\SuperScan
You can also download the latest version of SuperScan from tins link http://www.mcatee.com/us/downloads/tree-tools/superscan.aspx
A computer running Windows Server 2012 as host machine

Windows 8 running on a virtual macliine as target machine
Administrative privileges to install and run tools A web browser with an Internet connection
m You can also download SuperScan from http:/ / www.foundstone.co
La b Duration
Time: 10 Minutes
O verview of N etB IO S Enum eration

1. The purpose ot NetBIOS enumeration is to gather information, such as: a.
SuperScanis not supported byW indows 95/98/ME.
Account lockout threshold
b. Local groups and user accounts c. Global groups and user accounts 2. Restnct anonymous
a.
bypass
routine and also password checking:
Checks for user accounts with blank passwords
b. Checks for user accounts with passwords diat are same as die usernames 111 lower case
La b T a s k s
m. T A S K
1.
Double-click the S uperS can4 file. The SuperScan window appears.
Perform Enumeration
m W indows XP Service Pack 2 has rem oved raw sockets support, which nowlim its S uperScan and m any other network scanningtools. Som e functionality can be restored byrunning the net stop SharedA ccess at the W indows com m and prompt before starting SuperScan.
is J SuperScan features: Superior scanning speed Support for unlim ited IP ranges Improved host detection usingm ultiple ICMP m ediods TCP SYN scanning UDP scanning (tw o m ediods) IP add ress import supporting ranges and CIDR form ats Sim ple HTML report generation Source port scanning Fast hostnam e resolving Extensive banner grabbing M assive built-in port list description database IP and port scan order random ization A collection of useful tools (ping, traceroute, W hois etc.) Extensive W indows host enum eration capability
Ready
2. 3.
Click the Windows Enumeration tab located on the top menu. Enter the Hostname/IP/URL 111 the text box. 111 this lab, we have a W indows 8 virtual machine IP address. These IP addresses may van 111 lab environments. Check the types o f enum eration you want to perform. Now, click Enumerate.
%
SuperScan 4.0
4.
>^Tx
S c a n|H o s ta n dS e rv ic eD is c o v e ry| S c a nO p tio n s| T o o ls | W n d o w sE m m e ra h o n ~ |A b o u t| H o stn am e/IP /U R L 10008 |E n u m e ra te | O p tio n s ... | E n u m e ra tio nT y p e

0N e tB IO SN a m eT a b le 0N U L LS e s s io n 0M A C A d d r e s s e s 0W o rk s ta tio nty p e 0U s e s 0G r o u p s 0R P CE n d p o in tD u m p 0A c c o u n tP o lic ie s 0S h a r e s 0D o m a in s 0R e m o teT m eo fD a y 0L o g o nS e s s io n s 0D r iv e s 0T r u s te dD o m a in s 0S e r v ic e s 0R e g is tr y
C le a r
-J
FIGURE 2.2: S uperScan m ain windowwith IP ad d ress
6.
SuperScan starts en um erating the provided hostnam e and displays the results 111 the right pane o f the window.
%
Su p erScan 4.0
'
You canu se SuperScan to performport scan s, retrieve general network inform ation, such a snam e lookups and traceroutes, and enum erate W indows host inform ation, such a susers, groups, and services.
S c a n|H o s ta n dS e rv ic eD is c o v e r y| S c a nO p tio n s| T o o ls W n d o w sE n u m e r a tio n|A b o u t|
H o stn am e/IP /U R L1 0 .0 .0 .8 E n u m e r a te O p tio n s ... N e tB IO S inform ation o n 10.0.0.8 E n u m e r a tio nT y p e 0N e tB IO SN a m eT a b le 4 n a m e s in table W \N U L LS e s s io n 0M A C A d d r e s s e s A D M IN 00 U N IQ U EW orkstation service n a m e W O R K G R O U P 00 C R O U P W orkstation service n a m e 0W o r k s ta tio nty p e A D M IN 20 U N IQ U E Server services n a m e 0U s e r s W O R K G R O U P IE G R O U P G ro u pn a m e 0G r o u p s 0R P CE n d p o in tD u m p M A Caddress 0 ' 0A c c o u n tP o lic ie s A ttem pting a N U L Lsession connection o n 10.0.0.8 0S h a r e s
0D o m a in s 0R e m o teT n eo fD a y 0L o g o nS e s s io n s 0D r iv e s 0T r u s te dD o m a in s 0S e r v ic e s 0R e g is tiy
o n 10.0.0.8 W orkstation/server type o n 10.0.0.8 U sers o n 10.0.0.8 G ro u p so n 10.0.0.8 R P Cendpoints o n 10.0.0.8 E ntry 0
j?
s.
Ready
FIGURE 2.3: S u p erS canm ainw indowwith re s u lts
7. Wait for a while to c o m p le te the enumeration process. 8. A lter the com pletion o f the enumeration process, an E num eration com pletion message displays.
%
Su p erScan 4.0
1 ^ 1 r
S c a n|H o s ta n dS e rv ic eD is c o v e r y| S c a nO p tio n s| T o o ls W n d o w sE n u m e r a tio n[A b o u t|
Your scancan be configured in tire Host and Service Discovery and S can Options tabs. The S can Options tab lets you control such tilings a s nam e resolution and banner grabbing.
H o stn am e/IP /U R L1 0 .0 .0 .8 E n u m e ra te | O p tio n s ... | E n u m e ra tio nT y p e 0N e tB IO SN a m eT a b le S hares o n 10.0.0.8 0N U L L S e s sio n 0M A C A d d re ss e s 0W o rk s ta tio nty p e D o m a in so n 10.0.0.8 0U s e rs 0G ro u p s e m o te tim e of day o n 10.0.0.8 0R P C E n d p o n tD u m p R 0A c c o u n tP o fc c ie s L o g o n sessions o n 10.0.0.8 0S h a re s 0D o m a s is 0R e m o teT im eo fD a y D rives o n 10.0.0.8 0L o g o nS e s sio n s 0D riv e s T rusted D o m a in so n 10.0.0.8 ru s te dD o m a in s on 0 T S e rv ic e s a > 0 0R e g is try R e m o te services o n 10.0.0.8 R e m o te registry item so n 10.0.0.8 E num eration com plete 1 1
Ready
C le a r M
Erase Results
FIGURE 2.4: S u p erS canm ainw indowwith re s u lts
9. N ow move the scrollbar up to see the results o f the enumeration.
10. To perform a new enumeration on another host name, click the Clear button at the top right of the window. The option erases all the previous results.
'IT
Su p erScan 4.0
1 ^
Q SuperScan h as four different ICMP host discoverym ethods available. This isuseful, because w hile a firew all m ay block ICMP echo requests, it m ay not block other ICMP packets, such a s tim estam p requests. SuperScangives you die potential to discover m ore hosts.
03
S c a n|H o s ta n dS e rv ic eD is c o v e ry| S c a nO p tio n s| T o o ls W in d o w sE n u m e ra tio n| A b o u t| H o stn am e/IP /U R L 10008 E n u m e ra te | j O e a , | B inding: ncacn_ip_tcp:10.0.0.8[49154] E n u m e r a tio nT y p e O bject Id: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0N e tB IO SN a m eT a b le A nnotation: "X ctS rv service" 0N U L LS e s s io n E ntry 2 5 Interface: Ia0d010f-lc33-432c-b0f5-8cf4e8053099" ver 0M A C A d d r e s s e s 1.0 0W o r k s ta tio nty p e B inding: "ncacn_np:10.0.0.8[\\PIPE\\at*vc]" 0 U s e s O bject Id: "0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0G r o u p s A nnotation: IdS egS rv trvic" 0R P C E n d p o in tD u m p E ntry 2 6 Interface: Ia0d010f-lc3343 2 cb0fS8cf4a305 3 0 9 9 " ver 0A c c o u n tP o fc c ie s 1.0 0S h a re s B inding: "ncacn_ip_tcp:10.0.0.8[49154] 0D o m a n s bject Id: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0R e m o teT m eo fD a y O A nnotation: "IdS egS rv service" E ntry 2 7 0L o g o nS e s sio n s Interface: "880fd55e-43b9-lle0-bla8-cf4edfd72085" ver 0D riv e s 1.0 0T ru ste dD o m a in s B inding: "ncacn_np:10.0.0.8[W P IP S W atsvc]" 0S e rv ic e s O bject Id: "0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0R e g is try A nnotation: " K A P I Service endpoint" E ntry 2 8 Interface: "880fd55e-43b9-lle0-bla8-cf4edfd72085 ver 1 .0 B inding: "ncacn_ip_tcp:10.0.0.8[49154] O bject Id: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 A nnotation: K A P I Service endpoint" E ntry 2 9 Interface: "880fdS5e-43b9-lle0-bla8-cf4edfd72085" ver
Ready
FIGURE 2.5: S u p erS canm ainw indowwithre s u lts
La b A n a ly sis
Analyze and document die results related to die lab exercise. Give your opinion on your targets security posture and exposure. Tool/Utility Information Collected/Objectives Achieved Enumerating Virtual Machine IP address: 10.0.0.8 Performing Enumeration Types: Null Session MAC Address Work Station Type Users Groups Domain Account Policies Registry Output: Interface, Binding, Objective ID, and Annotation
SuperScan Tool
Q uestio ns
1. Analyze how remote registry enumeration is possible (assuming appropriate access nghts have been given) and is controlled by the provided registry.txt tile. 2. As far as stealth is concerned, tins program, too, leaves a rather large footprint in die logs, even 111 SYN scan mode. Determine how you can avoid tins footprint 111 the logs. Internet Connection Required Yes Platform Supported
No
Classroom
0 !Labs
E n u m e r a tin g N e tB I O S U s in g t h e N e tB I O S E n u m e r a to r T o o l
E n u m e r a tio n is th e p ro cess o f p r o b in g id e n tifie d services f o r k n o w n w ea kn esses.
I C ON
KEY
La b S cen ario
Enumeration is the first attack 011 a target network; enumeration is the process of gathering the information about a target machine by actively connecting to it. Discover NetBIOS name enumeration with NBTscan. Enumeration means to identify die user account, system account, and admin account. 111 tins lab, we enumerate a machines user name, MAC address, and domain group. You must have sound knowledge of enumeration, a process that requires an active connection to the machine being attacked. A hacker enumerates applications and banners ni addition to identifying user accounts and shared resources.
/ Valuable information Test your knowledge g Web exercise
m Workbook review
La b O b jectives
The objective of this lab is to help students learn and perform NetBIOS enumeration. The purpose of NetBIOS enumeration is to gather the following information: Account lockout threshold Local groups and user accounts Global groups and user accounts To restrict anonymous bypass routine and also password checking for user accounts with:
Blank passwords Passwords that are same as the username 111 lower case
La b Environm ent
To earn out die lab, you need:
NETBIOS Enumerator tool is located at
D:\CEH-Tools\CEHv8 Module 04 E nu m eratio n \N etB IO S E num eration T oo ls\N etB IO S E num erator E nu m erato r
You can also download the latest version of N etB IO S the link http:// nbtenum.sourceforge.11et/
from
If you decide to download the latest version, then screenshots shown m the lab might differ Run tins tool in W indow s
S erver 2 0 1 2
Administrative privileges are required to nan this tool
La b Duration
Time: 10 Minutes

Enumeration involves making active connections, so that they can be logged. Typical information attackers look for 111 enumeration includes user account names for future password guessing attacks. NetBIOS Enumerator is an enumeration tool that shows how to use rem ote network support and to deal with some other interesting web techniques, such as SMB.
La b T a s k s
TASK 1
Performing Enumeration using NetBIOS Enumerator
1. To launch NetBIOS Enumerator go to D:\CEH-Tools\CEHv8 Module 04 Enumeration\NetBIOS Enumeration Tools\NetBIOS Enumerator, and double-click NetBIOS Enum erater.exe.
!
f k j I P range to scan from: | t o :|| Scan Your local ip: 10.0.0.7 W [1 ...2 54 ]
NetBIOS Enumerator
| Clear Settings |
Debug window A
m NetBIOS is designed to help troubleshoot NetBIOS nam e resolution problem s. When a network is functioning norm ally, NetBIOS over TCP/IP (NetBT) resolves NetBIOS nam es to IP ad d resses.
FIGURE 3.1: NetBIOS Enum erator m ainw indow
2. In the IP range to scan section at the top left of the window, enter an IP range in from and to text fields.
3.
m Feature: Added port scan GUI - ports can b e added, deleted, edited Dynam ic m em ory m anagem ent Threaded work (64 ports scanned at once)
IP range to scan fron :| 10.0.0.1 to | 10.0.0.501 Scan Your local ip: 10.0.0.7 W [1 ...2 54 ] Debug window
Click Scan.
NetBIOS Enumerator
Clear Settings
T ZL^ 1 *
'
m Network function SMB scanningis also im plem ented and running.
FIGURE 3.2: NetBIOS Enum eratorwithIP ran g eto s c a n
4. NetBIOS Enumerator starts scanning for die range of IP addresses provided.

m The network
function, NetServerGetlnfo, is also im plem ented in this tool.
5. After the compledon of scanning, die results are displayed in die left pane of die window. 6. A Debug w indow section, located 111 the right pane, shows the scanning of die inserted IP range and displays Ready! after completion of the scan.
NetBIOS Enumerator
Scan Your local ip: ]1 0 .0 .0 .7 P [1 ...2 5 4 ] Debog window Scanning from: to : 1 0 .0 .0 .5 0 R eady! Settings
f i ) IP rang e to scan
from :| 1 0 .0 .0 .1 to : | 1 0 .0 .0 .5 0
B ?
0
10.0.0.3 [WIN-ULY858KHQIP]
|U N etB IO S Names (3) ^ W IN -U LY858KH Q IP - W orkstation Service WORKGROUP - Domain Name W IN -U LY858KH Q IP - R le Server Service U sername: (No one logged on)
Q=* The protocol SNMP is im plem ented and running on all versions of W indows.
l~ 2 f
Domain: WORKGROUP
Of Round Trip Tim e (RTT): 3 ms - Tim e To Live ( m i S ? 3 1 0 .0 .0 .6 [ADMIN-PC] H I N etB IO S Names (6) A DMIN-PC - W orkstation Service WORKGROUP - Domain Name A DMIN-PC - R le Server Service ^ 5 WORKGROUP - Potential M aster Browser WORKGROUP - M aster Browser _ M S B R O W S E _ - M a s t e r Browser
% ^ B ?
Username: (No one logged on) I ET Domain: WORKGROUP
,r
5 Of R o u n d T n p T im e (RTT): 0 ms -T im e T o U ve (TTl. 1 0 .0 .0 .7 [W IN -D 39M R 5H L9E4]
0 E 3 N etB IO S Names (3) ! Q Username: (No one logged on) [
# <
Of Domain: WORKGROUP
-.t.
5 - O f Round Trip Tim e (RTT): 0 ms -T im e To Lrve ( T H ^
FIGURE 3.3: NetBIOS Enum erator re s u lts
7. To perform a new
erased.
scan
or rescan, click Clear.
8. If you are going to perform a new scan, die previous scan results are
La b A n a ly sis
Analyze and document die results related to die lab exercise. Tool/Utility Information Collected/Objectives Achieved IP Address Range: 10.0.0.1 10.0.0.50 NetBIOS Enumerator Tool Result: Machine Name NetBIOS Names User Name Domain MAC Address Round Trip Time (RTT)
P L E A S E T A L K TO Y O U R I N S T R U C T O R I F Y O U H A V E Q U E S T I O N S R E L A T E D TO T H I S L AB .
Internet Connection Required
Y es Platform Supported 0 Classroom
0 No 0
!Labs
E n u m e r a tin g a N e t w o r k U s in g S o ftP e r fe c t N e tw o r k S c a n n e r
JT o ffP e fe c t N e t)) 01k S c a n n e r is a fr e e m u lti-th re a d e d IP , N e tB I O S , a n d S N M P
sca n n er n ith a m o d ern in terface a n d m a n y a d va n ced fe a t//re s.
I C ON
KEY
La b S cen ario
To be an expert ethical hacker and penetration tester, you must have sound knowledge of enumeration, which requires an active connection to the machine being attacked. A hacker enumerates applications and banners 111 addition to identifying user accounts and shared resources, hi this lab we trv to resolve host names and auto-detect vour local and external IP range.
[^7 Valuable information y
Test your knowledge Web exercise Workbook review
La b O b jectives
The objective of this lab is to help students learn and perform NetBIOS enumeration. NetBIOS enumeration is carried out to detect: Hardware MAC addresses across routers Hidden shared folders and writable ones Internal and external IP address
La b Environm ent
To carry out the lab, you need: SoftPerfect Network Scanner is located at
D :\CEH-Tools\CEHv8 M odule 0 4 E num eration\SN M P E num eration T o o ls\S o ftP erfect N e tw o rk S cann er
You can also download the latest version of S o ftP e rfe c t N e tw o rk S cann er from the link http: / /www.sottpertect.com/products/networkscanner/
If you decide to download die latest version, then screenshots shown in the lab might differ Run this tool 111 W indow s
2 0 1 2 server
Administrative privileges are required to run this tool

m You can also download SoftPerfect Network Scanner from http://www.SoftPerfect. com .
La b Duration
Tune: 5 A luiutes

Enumeration involves an active connection so diat it can be logged. Typical information diat attackers are looking for uicludes user account names for future password-guessuig attacks.
La b T a s k
E TASK 1
1. To launch SoftPerfect Network Seamier, navigate to
Enumerate N etw ork
D:\CEH-Tools\CEHv8 Module 04 Enumeration\SNMP Enumeration Tools\SoftPerfect N etw ork Scanner
2. Double-click netscan.exe
0
File View Actions Options
SoftPerfect Network Scanner

Bookmarks Help
L^J
y
Range From IP Address
fg
.0
.0
| to
|~ 0
0 . 0 . 0
* A r j* * Q (0 Web-site I 3 f >Start Scanning *

Response Time
Host Name
MAC Address
m SoftPerfect allow s you to m ount shared folders a snetwork drives, brow se themusing W indows Explorer, and filter the results list.
Ready Threads Devices 0/0 Scan
FIGURE 4.1: S oftP erfect Network S can n erm ainw indow
3. To start scamung your network, enter an IP range ui die Range From field and click S tart Scanning.
0 0
File V iew Actions O ptions

Bookm arks Help
1-1
B #
W eb-site
L3 H
Range From I E0 . 0 . 0 . 1
to
10
50
Start Scanning
II
Response Time
Ready_______________________Threads__________ Devices
0/0
FIGURE 4.2: S oftP erfect settin ganIP ran g eto s c a n
4. The status bar displays the status ot the scamied IP addresses at die bottom of die window.
> * j
File View A ction s Options

Bookm arks Help
y
El .
0 . 0 1
| X fc* V IP id
| To |
10 . 0 0 . 50
Range From
fa, & Q W W eb-site ~ | a IB Stop Scanning
jj
F Address ?
B
Host Name WIN-MSSELCK4... WIN-ULY858KH... WIN-LXQN3WR... ADMIN-PC WIN-D39MR5H... ADMIN WINDOWS8
MAC Address 0! D 0! 0! 0' D 0! Ot . 1... 1-0... S-6... 1-0... 5-C... t-0... .8-6...
Response Tme 0 ms 2ms 1ms 4 ms 0 ms 0 ms 0 ms 2 ms
10.0.0.1 10.0.0.2 10.0.0.3
ffl a B
, 10.0.0.5 ISA 10.0.0.6 e 10.0.0.7 Igu 10.0.0.8 1u 10.0.0.10
Q SoftPerfect Network Scanner can also check for auser-defined port and report if one is open. It can also resolve host nam es and auto-detect your local and external IP range. It supports rem ote shutdow n and Wake-On-LAN.
FIGURE 4.3: S oftP erfect s ta tu sbar
5. To view die properties of an individual particular IP address.
IP address,
nght-click diat

File V iew Actions O ptions Bookm arks Help
Range From IP Address e i
B3
To
10
50 Response Time 0ms 2ms

>
j^> Start Scanning *
MAC Address
10 .0 .0 .1
0 ^ ^-2...
VVIN-MSSELCK4.. WIN-UL'f
1 1 . 1 0 .0 .0 .2
El
- l...
j 10.0.0.3
eta 10.0.0.5
WIN-LXQ ADMIN-P WIN-D 39 ADMIN WINDOW
Open Computer
Copy Properties Rescan Com puter W ake-O n-LAN R em ote Shutdow n R em ote Suspend / Hibernate Send Message... Create Batch File...
eu 1 0 .0 .0 .6
s e b 10.0.0.7 eu
10 .0 .0 .8
e ta 1 0 .0 .0 .1 0
Devices
8/8
FIGURE 4.4: S oftP erfect IP ad d re s sscan n edd e ta ils
La b A n a ly sis
Analyze and document die results related to die lab exercise. Tool/Utility Information Collected/Objectives Achieved IP Address Range: 10.0.0.1 10.0.0.50 SoftPerfect Network Scanner Result: IP Address Host Names MAC Address Response Time
Q uestio ns
1. Examine die detection of die IP addresses and MAC addresses across routers. 2. Evaluate die scans for listening ports and some UDP and SNMP services.
C E H Lab Manual Page 289 Ethical Hacking and Countermeasures Copyright by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
3.
H o w w o u ld y o u la u n c h e x te rn a l th ird - p a rty a p p lic a tio n s ?
Internet Connection Required Yes Platform Supported 0 Classroom 0 !Labs
Lab
E n u m e r a tin g a N e t w o r k U s in g S o la v W in d s T o o ls e t
T h e S o la r W in d s T o o ls e t p r o v id e s th e to o ls y o n n e e d n s a n e tw o r k en g in ee r o r n e tn o r k c o n s u lta n t to g e t y o u r j o b d on e. T o o ls e t in c lu d e s b e st-o f-b re e d s o lu tio n s th a t w o r k s im p ly a n d p re c ise ly , p r o v id in g th e d ia g n o stic, p e t fo r m a nee, and b a n d w id th m e a su re m e n ts y o u w a n t, w ith o u t e x tr a n e o u s, n n n e c e s s a y
fe a tu r e s .
I C ON
KEY
La b S cen ario
Penetration testing is much more than just running exploits against vulnerable systems like we learned 111 the previous module. 111 fact a penetration test begins before penetration testers have even made contact with die victim systems. Rather dian blindly dirowing out exploits and praying diat one of them returns a shell, penetration tester meticulously study the environment for potential weaknesses and their mitigating factors. Bv the time a penetration tester runs an exploit, he or she is nearly certain diat it will be successful. Since failed exploits can in some cases cause a crash or even damage to a victim system, or at die very least make the victim unexploitable 111 the future, penetration testers won't get the best results. 111 tins lab we enumerate target system services, accounts, hub ports, TCP/IP network, and routes. You must have sound knowledge of enumeration, which requires an active connection to the macliine being attacked. A hacker enumerates applications and banners 111 addition to identifying user accounts and shared resources.
/ Valuable information Test your knowledge Web exercise

m
Workbook review
Tools dem onstrated in this lab are available in D:\CEHTools\CEHv8 Module 04 Enumeration
La b O b jectives
The objective of tins lab is to help students learn and perform NetBIOS enumeration. NetBIOS enumeration is carried out to detect: Hardware MAC addresses across routers Hidden shared folders and writable ones Internal and external IP addresses
La b Environm ent
To earn out the lab, you need:
SolarW inds-Toolset-V10 located at D:\CEH-Tools\CEHv8 M odule 04 E num eration\SN M P E num eration Tools\S olarW inds IP N e tw o rk B row ser T oo lset
m You can also download SoftPerfect Network Scanner from http://www.solarwinds .com
You can also download the latest version of SolarW inds S cann er trom the link http:/ /www.solarw1nds.com/ If you decide to download the la te s t 111 the lab might differ
version,
then screenshots shown
Run tliis tool 111 W indow s S erver 2 0 1 2 Host machine and W indow s S erver 2 0 0 8 virtual machine Administrative privileges are required to run tins tool Follow the w izard -d riven installation instructions
La b Duration
Tune: 5 Minutes

Enumeration involves an active connection so that it can be logged. Typical information diat attackers are looking for includes user account names tor future password guessing attacks.
La b T a s k
W TASK 1
1. Configure SNMP services and select Start

Â dm inistrative Tools ^ Services.
File Acton ViM 5 Help B 3
^Control Panel
Enumerate N etw ork
4 *.S j

Dcscnpton Supports Me, paProvide* notifica.. Manages access.. Allow* the cyst*... Enables Simple... trap m #_. FrvtLIrs th* (Scfjj.. A llo w * adrniktti. . Verifies potential.. Service to launch.. Provides stcrcge... Executesjobs. m ... Supplies online a-. Provides SQL Ser.. One or more Dist.. Provides trace re... Provides manag.. Manages, execute. Provides the inle_. Dwen nehvorMaintains and i . Monitors system Enables a user to.. Provides support.. Status Running Running Startup type Automatic Automatic DkabUd Manual Automatic Manual Automatic (D... Manual Manual (Trig... Manual Automatic Manual Automatic Disabled Manual Manual Automatic Automatic Automatic Oisabled Manual Automatic Automatic Automatic (T. Log On As Local Syste... Local Syste... Local Service Local Syste .. Local Syste .. 1 Local Service NrtrtorV S.. Local Syste... Local Syste.. NT Servke... NT Service... NT Scrvice... NT Service... Local Service NT Service... NT Service... NT Service... NT Servke... Local Syste. Local Service Local Syste.. Local Syste.. Local SysteLocal Service
E3 Cut troubleshooting tim e in half usingthe W orkspace Studio, which puts the tools you need for com m on situations at your fingertips
f t Stiver ShH Hardware Detect!:n S^Smir Card 4 Smart Card Removal Policy E SNMP Servke Descnptior: Lrvjfck: Smpk Network 4 SNMP Trap Management Protocol (SNMP) ^ Software Protection requests to be processed by this ^ Special Admimilitlicn Comcle Hdpct computer If this service 1 5stopped, the computer w ill be unable to w 5 fcSpot Verifier proem SNMP irquetti. If this servic. & S G I Full-text Filter Daemon launcher -. k disabled, any services that eiplicitlj *SQL Server (MSSQLSERVER) depend on it will fail to (tart. &SQL Server Agent (MSSQLSERVER) SQL Server Analyse Services (MSSQLS.. SQL Server Browser & SQL Server Distributed Replay CSert 6 SQL Server Dirtributed Replay Cortrcl &SQL Server Integration Services 110 5* SQL Server Reporting Services (MSSQL Q SQL Server VSS Writer {fcSSDP Discovery Superfetch System Event Notification Sciyicc $ ,Task Scheduler S i TCP/IP NetBIOS Helper \ Extended > vStandard/
Running
Running Running Running
FIGURE 5.1: S ettin gSNMP S erv ic e s
2. Double-click SNMP service. 3. Click die Security tab, and click Add... The SNMP Services Configuration window appears. Select READ ONLY from Community rights and Public 111 Community Name, and click Add.
SNMP Service Properties (Local Computer)
G e n e ra l ] Log O n [ R e c o v e r y [ A g e n t [ T ra p s Se cu rity D e p e n d e n c ie s
S e n d a u th e n ticatio n trap A c c e p t e d com m unity n a m e s Com m unity Rig hts
A d d ... IP Monitor and alert in real tim e on netw ork availability and health w ith tools including RealT im e Interface Monitor, SNMP R eal-Tim e Graph, and Advanced CPU Load
Edit
Remove
D A c c e p t S N M P p a c k e t s from a n y host
SNMP Service Configuration

Com m unity rights:_____________________________ !r ea d o n ly C om m unity N am e : |public ^1 [
C a n c e l
L e a m m ore ab o u t S N f f lP
O K
C a n c e l
A p p ly
FIGURE 5.2: C onfiguringSNMP S e rv ic e s
4.
Select A ccept SNMP packets from any host, and click OK.
SNMP Service Properties (Local Computer)
G e n e ra l Log O n R eco v ery Agent rap s |
T l
| Z- ep en aencies
S e n d au th e n ticatio n trap A c c e p t e d com m unity n am es
\ c c e p t S N M P p a c k e t s from a n y host A c c e p t S N M P p a c k e t s from t h e s e h osts
L e a m m ore ab o u t S N M P
O K
C a n c e l
A p p ly
FIG U RE 5.3: setting SNMP Services
5. Install SolarWinds-Toolset-V10, located 111 D:\CEH-Tools\CEHv8 Module

04 Enumeration\SNMP Enumeration Tools\SolarWinds IP N etw ork Browser.
6. Launch the S ta rt menu by hovering the mouse cursor on the lower-left corner of the desktop.
FIGURE 5.4: W indow sS erver 2012 Desktopview
& Perform robust network diagnostics for troubleshooting and quickly resolving complex netw ork issues w ith tools such as Ping Sweep, DNS Analyzer, and Trace Route
7. Click the W o rksp ace Studio window.

S t a r t
Studio
app to open the SolarW inds
W orkspace
A d m in is t r a t o r ^
Server Manager
Windows PowerShel
Google Chrome
Hyper-V Manager
Workspace Studio
IL
Computer
IT
Control Panel
* HyperV Virtual Machine...
f t SQL Server Installation Center...
? Command Prompt InternetEx p lo rer F3 Mozilla Firefox
ProxySwiL. Standard
< Global Network Inventory
1ft Nmap Zenmap GUI
I I
FIGURE 5 .5: W indow sS erver 2012 A pps
6.
The main window of SolarWinds W orkspace Studio
is shown in the
following figure.
SolarWinds Workspace Studio

File Tabs Yiew Devices Interfaces Gadgets External Tocls Help Settings... Q Page Setup...
* "!
Compare Engineer s Toolset- I ^N ew Tab 5 Save Selected Tabs aa
Add New De/ice..
Manage SNMP Credentials Manage Tehec/SSH Credentials
!5 Switch Poit Mapper _ Telnet/SSH
* A
Interface Chart
TraceRoute
^ ^ I S
rSarG Cevices P 1 Recently ts e o
G ettin g Started * *
V xI I
I*
^ ^
Devices
GrojpDy. Gftxp Kane
O SETTING G e ttin g S tarte d UP WORKSPACE STUDIO COESTT HAVE TO EE SCARY

Step 1 - Register the ne:wori devices you wcuH iieto montor. Add Device Step 2 - Drag gadgets fromthe explorer at feft to this w 3rtspace and associate them with a device.
EM ]
Id
[ 0 ofC0t<*(s)seated _ Sfow Q Q U On*rr*s | E>t::re X
Step 3 - Add tabs to create grojps cf gadgets 0* aganze then any way you wart.
New Tab & L
' Gadgets
d Q Mcn<o1 ng 0 CllCPUandMerroY -m I m.etâce Chart ln!ef*aee Gauge
O O M o re H e lpRCC3TOOCTYOU : TH ERRE30U
< Memory Gauges M EM O RYST A T IST IC CTO RO N EO RTW OH O STS ...
II
T
C lear
>
Setrin as
Interface Table
___
TFTP Service Status R u n n in g
[L Tdt If,
Gadgets
Evert Viewer TFTP Service *> Dday: 2 C seconds
FIGURE 5.6S o larw indsw orkspace stu d iom ainw indow
7. Click External Tools, and then select Classic tools

-> IP N etw ork Browser.
SolarWinds Workspace Studio
File Tabs View Devices Interfaces Gadgets [ Extcmaôols fj
-> N etw ork Discovery
T=TO
1 . , ^NewTob Save Selected Tabs
I Help
ngj. Q Poge Setup...
g f? Add New Dcvicc...
Manage SNMP Credentials ^ , Telnet/SSH
Create New External Tod... Recently Used Remote Dcsrtoo
B Deploy an array of network discovery tools including Port Scanner, Sw itch Port Mapper, and Advanced Subnet C alculator.
S S Switch P a t Mapper
u u l Interface Chart
jetting Startedl
________________
Cisco Tools IP Address Management LdunchPad Network Discovery Network Monitoring ] : It*)
in
O
Groupb y: GnupNane *
C cttin gs L SETTING J P /WORKSPACE STUDO OOESNT HAVE TO
U E 2
10311 a |
DNS Audit IP Address Management IP Network Browser Etui Q ti |
St6p 1 - Register the network devices you wouH l*e te n
f^l Devices
P 1Recently Jsed Step 2 - Drag gadgets frcm the explorer at lei tc this wort
Ping Diagnostic Security SWMP Tools
of D devce(s) seecte:
Step 3 - A(M taos :0 create groups or gacgets or orgarize
MAC Address Discovery Network Sonar Ping Ping Sweep Port Scanner SNMP Sweep Subnet List Switch Port Moppet
Star cro^raiies
jtJ
d a
^ @ "! TFTP Service Statu* Rjnning Clear
Monitoring
f o f ^ i CPU and Wenory a i Interface Chart & interface Cauge ntefaceTaWe
SHtma*
| Step ]
gy
Gadgets
Event Viewer TFTP Service
FIGURE 5.7: MenuE scalationfor IP netw orkbrow ser
8.
shown. Enter die Windows 8 Virtual Machine and click Scan Device ( the IP address will be different 111 your network).
IP address (10.0.0.7)
IP N etw ork Browser will be
1ST
IP Network Brow ser
P SolarWinds Toolset applications use several methods to co llect data about the health and perform ance of your network, including ICMP, SNMPv3, DNS and Syslog. Toolset does NOT require deployment of proprietary agents, appliances, or garden gnomes on the network.
Nevr
t
Re :tart
Export
m
Prin
%
Copy
*
Copy
Stop Zoom
m
Ping
0
Telnet
Trace
3
Config
Surf
0 1^ Settings
Help
IP Network Browser
S c a n a S in g le D e v ic e ___________
3
S c a n a Su b n et Subnet Address Subnet Mask
3 '
1 2 5 5 .2 5 5 .2 5 5 .0
jd .
Scan Suhnel
Scan an IP Address Ranqe

Dcgining IP Addicss tnding IP Addtess E n g i n e e r s T o o ls e t v 1 0 - E v a l u a t i o n
FIGURE 5 .8: IP NetworkB row serw indow s
9. It will show die result 111 a line with die IP address and name ot die computer diat is being scanned. 10. Now click the Plus (+) sign before die IP address.
File Edit
IP Network Browser [ 10.0.0.7 J

Nodes MBs Discovery Subnet 4 Copy View % Copy Help
1-
& NetFlow R ealtim e is intended for granular, real-tim e troubleshooting and analysis of N etFlow statistics on single interface and is lim ited to a 1 hour capture
NeA
y
Restart E>port
m
Print
Stop
* Zoom |
Ping
1 Telnet
Trace
@ Confg
e Surf
Setting:
rf
Help
A
\0 ,A/
vo
n A
o V
k ^ 4 y A > >* / / / w
< ^4 y o v<y
r J?
\ |
A oV
J 4 eV
j& Y
< & */
V V*
(IS *
./
A U
& , 3 / \ r r * J?
S Jbre* Scan Ccmoteed
FIGURE 5 .9: IP NetworkB row serw indow sre s u ltsp ag e
11. It will list all die information ot die targeted IP address.
IP Network Browser [ 100.0.7 J File Edit Node* MlBs Discovery Subnet View Help
' *
Export
m
Print
Copy
Copy
Stop
Zoom
Ping
0 }
Telnet
&
Tra< Config Surf
s f
Setting!
& To start anewtab, go to tabs on the m enu bar and choose newtab. Right-click on a tab to bring up options (Import, Export, Renam e, S ave, Close). You can add tools to tabs from the G adgets bos in the lower left or directly from the gadgets m enu. A good way to approach it is to collect all the tools you need for a given task (troubleshooting Internet connectivity, for exam ple) on one tab. Next tim e you face that situation sim ply open that tab
ST
J j S*3ten Naxw: WDI-D39MP5HL9E4 D escription: Harcware: In tel64 Family 6 Hcdel 42 .
-eppinc 7 AI/&T CCMPAIIBLI - Softwar! : W indow s Version S.2 (Build 6
a t !- .:
J J s y s O b ;c rD : 1 . 3 . 6 . 1 . 4 . 1 . 3 1 1 . 1 . 1 . 3 . I . 2 0 Last Boot: 9/5/2012 9:13:49 AM
Ti
qp
4^
Router (will forvard IF packets ?) : N o
Is *
Adirlnittritor C Cuh: A
f i UM5*JAaC.ll USSR A tn a Shared D iln t t n TC9/ZF ^cworks IPX hvcworic -E ^ 0.0.9.0
vO %
<! 1
O'
s i? A>
A oV
. <
^
J?
< $ > :0 .0 0o
S 3> 10.0.0.7 ti: 10.0.0.26S S ^ 127.9.0.0 E ^ 127.9.0.1 < $ > 127.266256.266 SjtrelSc4r ComptetiC
2 5 5a 255.255 255.255
4 C* a rV*
K%^
'S > \
FIGURE 5.10: IP NetworkB row serw indow s re s u ltsp ag e
La b A n a ly sis
Analyze and document die results related to die lab exercise. Tool/Utility Information Collected/Objectives Achieved Scan Device IP Address: 10.0.0.7 Output: Interfaces Services SolarWinds Tool Accounts Set Shares Hub Ports TCP/IP Network IPX Network Routes
Q uestio ns
1. Analyze die details of die system such as user accounts, system MSI, hub ports, etc.
Etliical Hacking and Countermeasures Copyright by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
2. Find the IP address and Mac address of the system. Internet Connection Required Yes Platform Supported 0 Classroom 0 !Labs
Ethical Hacking and Countermeasures Copyright by EC-Council A ll Rights Reserved. Reproduction is Strictly Prohibited.
E n u m e r a tin g t h e S y s t e m U s in g H yen a
H y e n a u ses a n E x p lo r e r -s ty k in terfa ce f o r a ll operations, in clu d in g rig h t m o u se click p o p - ip c o n te x t m e n u s f o r a ll objects. M a n a g e m e n t o f users, g ro u p s (b o th lo ca l a n d g lo b a l), shares, d o m a in s, com puters, services, devices, events, file s , p r in te r s a n d p r in t jo b s , sessions, open file s , d is k space, u se r rights, m essaging, e x p o /tin g , j o b scheduling, processes, a n d p r in tin g a re a ll su p p o /ted .
I C ON
KEY
La b S cen ario
The hacker enumerates applications and banners 111 addition to identifying user accounts and shared resources. 1 1 1 tliis lab. Hyena uses an Explorer-style interface for all operations, management of users, groups (both local and global), shares, domains, computers, services, devices, events, files, printers and print jobs, sessions, open tiles, disk space, user nghts, messaging, exporting, job scheduling, processes, and printing are all supported. To be an expert ethical hacker and penetration tester, you must have sound knowledge of enumeration, which requires an active connection to the maclune being attacked.
/ Valuable information ' Test your ____ knowledge______ m Web exercise Q Workbook review
La b O b jectives
The objective of this lab is to help students learn and perform network enumeration: Users information 111 the system Services running 111 the system
La b Environm ent
To perform the lab, you need: A computer running Windows Server 2012 Administrative privileges to install and run tools You can also download tins tool from following link http: / / www. svstemtools.com/hvena/download.htm
If you decided to download latest version of dns tool screenshots may differ
La b Duration
Time: 10 Minutes

Enumeration is die process of extracting user names, machine names, network resources, shares, and services from a system. Enumeration techniques are conducted 111 an intranet environment
La b T a s k s
The basic idea 111 diis section is to: 1.
E t a s k 1
Navigate to D:\CEH-Tools\CEHv8 Module 04

Enumeration Tools\Hyena
Enumeration\NetBIO
Installation of Hyena
Double-click Hyena_English_x64.exe. You can see die following window. Click N ext
H y e n a v 9 .0 - In s t a llS h ie ld W i z a r d
You can download die Hyena from http://u n v 1v.systemtools.com /hyena/hyena_ne1v.htm
ca
FIGURE 6.1 :InstallationofH yena
3. 4.
The S o ftw a re L icense A g re e m e n t window appears, you must accept the agreement to install Hyena. Select I a c c e p t click Next.
th e term s o f th e licen se a g re e m e n t
to continue and
FIGURE 6.2: S elect dieA greem ent
5. 6.
Choose die destination
location
to install Hyena.
x
Click Next to continue the installation.

H y e n a v 9 .0 In s t a llS h ie ld W i z a r d
Choose Destination Location
S e le c tfo ld e rw h e res e tu pw ill in s ta llfile s .
m In addition to supporting standard W indows system m anagem ent functions, Hyena also includes extensive Active Directory integration
In sta llH y e n av 9 .0to : C :\P ro g ra m F ies\H y en a
Change...
FIGURE 6 .3 :S electin gfolder for in stallatio n
7.
The Ready to
install the Program
window appears. Click Install
H y e n a v 9 .0 - I n s t a l l S h i e l d W i z a r d
Ready to Install the Program

The wizard is ready to begin installatic
C lic kIn s ta ll tob e g inth ein s ta la tio n Ify o uw a n ttore v ie w o rc h a n g ea n ye r fy o u rre ta lia tio ns e ttin g s ,c lic kB a c k .C lic kC a n c e l toe x itth e w iz a rd .
ILU Hyena can be used on anyW indows client to m anage anyW indows NT, W indows 2000, W indows XP/Vista, W indows 7, or W indows Server 2003/2008/2012 installation
FIGURE 6.4: sele c tin ginstallatio ntype
8.
The InstallShield Wizard complete window appears. Click Finish ro complete die installation.
InstallShield Wizard Complete
T h eIn s ta llS h ie ldW iz a rdh a ss u c c e s s fu l in s ta le dH y e n av 9 .0 .C lic kF in is htoe x itth ew iz a rd .
FIGURE 6.5: R eadytoinstall w indow
Enumerating system Information
9.
Launch the S tart menu by hovering the mouse cursor 011 the lowerleft corner of the desktop.
FIGURE 6.6: W indow sSeiver 2012 Desktopview & Hyena also includes full exporting capabilities and both Microsoft Access and Excel reporting and exporting options
10.
Click the Hyena app to open the Hyena window.
FIGURE 6.7: W indow sS erver 2012 A pps
11. The Registration window will appear. Click OK to continue. 12. The main window of Hyena is shown 111 following figure.
13. Click + to expand Local workstation, and then click Users.

J
H y e n a v9 .0
'
H e E d it W e wT o o ls H e lp - Jfr W 1 N -D 3 9 M R 5 H L 9 E 4(L o c a lW o rk sta tio n )! j 5 1 D riv e s j g "L o c a lC o n n e c tio n s - cygSU E A d m in istra to r 4C G u e st 4 C Ja so n(Ja so n ) &CJu g g y b o y(Ju g g y b o y ) & M a rtin(M a rtin ) CS h ie la(S h ie la ) J1 L o c a lG ro u p s > ' P rin te rs ^S h a re s 8S e ssio n s &O p e nF ile s S e rv ic e s gp D e v ic e s 4> E v e n ts 9D is kS p a c e j ' U se rR ig h ts I 9 P e rfo rm a n c e ,a S c h e d u le dJo b s : R e g istry j . W M I +^ E n te rp rise
aa 11
Hyen a v9.0
c a Additional command-line options were added to allow starting Hyena and automatically inserting and selecting/expanding a domain, server, or computer.
6u se r(s)fo u n do n,\\W 1 N -D 3 9 M R 5 H L 9 E 4 '

FIGURE 6.9: Expand the Systemu sers
14. To check the services running on the system, double-click S ervices

H y e n a v9 .0 S e r v ic e s o n W W IN - D 3 9 M R 5 H L 9 E 4
R e E d W e wT o o ts H e lp
V *s & x a :s [e ] o ^ v
- V 7 IN -D 3 9 M R 5 H L 9 E 4(L o c a lW o rk sta tio n ) D riv e s & L o c a lC o n n e c tio n s I U se rs . cA d m in istra to r C G u e st | 5 c Ja so n(Ja so n ) CJu g g y b o y(Ju g g y b o y ) ^ CM a rtin(M a rtin ) CS h ie la(S h ie la ) 5L o c a lG ro u p s g 4^ P rin te rs f f iQ S h a re s S" S e ssio n s iL J Q p en h les Lj&EEZaU 2PD e v ic e s B E E v e n ts OD is kS p a c e SS U se rR ig h ts *9 P e rfo rm a n c e I 0 S c h e d u le dJo b s R e g istry i & WM I ^ E n te rp n se K //w w w .sy ste m to o ls.c o m
3 ! 3 1y b !
aa
Services on W W IN - D 3 9 M R 5 H L 9 E 4
$ 5 A d o b e A R M se rv ic eA d o b eA c ro b a tU p ... { } A e L o o k u p S v c A p p lic a tio nE x p e rie ... A p p lic a tio nL a y e rG ... ALG A IIU se rin sta llA g e n tW in d o w sA ll-U se rI ... A p p lic a tio nH o stH ... A p p H o stS v c A p p lic a tio nId e n tity A p p lD S v c A p p lic a tio n In fo rm ... A p p in fo A p p lic a tio nM a n a g ... $ 5 A p p M g m t A u d io E n d p o m tB ... W in d o w sA u d ioE n ... A u d io srv W in d o w sA u d io 6F E B a seF ilte rin gE n g in e 0 -B IT S B a c k g ro u n dIn te llig ... B ro k e rln fra stru c t... B a c k g ro u n dT a sk sI ... B ro w se r C o m p u te rB ro w se r C e rtP ro p S v c C e rtific a teP ro p a g a ... C O M S y ste m A p p ... C O M S y sA p p 0C ryptS vc C ry p to g ra p h icS e rv i... D co m L au n ch D C O M S e rv e rP ro c e ... d e fra g sv c O p tim iz ed riv e s D e v ic e A sso c ia tio ... D e v ic eA sso ciatio n ...
Name________________ Display Nam e_________ Status______
R u n n in g S to p p e d S to p p e d S to p p e d R u n n in g S to p p e d S to p p e d R u n n in g S to p p e d S to p p e d R u n n in g R u n n in g R u n n in g S to p p e d S to p p e d S to p p e d R u n n in g R u n n in g S to p p e d S to p p e d
1 5 6se rv ic e sfo u n do n \\W 1 N -D 3 9 M R 5 H L 9 E 4 1 /1 5 6 o b je c ts

FIGURE 6.10: Sendees running in the system
15. To check the U ser Rights, click + to expand it.
H y e n a v9 .0 - 3 D r iv e s o n A \ W IN - D 3 9 M R 5 H L 9 E 4 '
' r *
H e E d t VtcH T o o ls H d p
y *3 a X * 3 * ::: 5 = ] Q SI
C M a rtin(M a rtin ) CS h ie la(S h ie la ) ^ L o c a lG ro u p s P n n te rs +^ S h a re s S S e ssio n s j ^ O p e nF ile s Qb S e rv ic e s D e v ic e s f f i& E v e n ts ^ D is kS p a c e g h tsI ft B a c k u pO p e ra to rs U se rs A d m in istra to rs E v e ry o n e S e T c b P riv ile g e(A c ta sp a rto fth eo p e ra S e M a c h m e A c c o u n tP riv ile g e(A d dw o rk & S t S e B a c k u p P riv ile g e(B a c ku pfile sa n dd ii-, iL S e C h a n g e N o tify P riv ile g e(B y p a sstra v e r S e U n so lic ite d ln p u tP riv ile g e(S e U n so lic ii ^ S e S y ste m tim e P riv ile g e(C h a n g eth esy s -| -S e C re a te P a g e file P riv ile g e(C re a teap a g21 S e C re a te T o k e n P riv ile g e(C re a teato k i = :a 7 w w w .sy ste fn to o ls.c o m
* C Ju g g y b o y(Ju g g y b o y )
fl J 3ai fe E3
3 Drives on \\W IN -D 3 9 M R 5 H L9 E 4
S e rv e r* D riv e W IN -D 3 9 M R ... C W 1 N -D 3 9 M R ... D W IN -D 3 9 M R ... E
F o rm a t N T F S N T F S N T F S
T o ta l 9 7 .3 1G B 9 7 .6 6G B 2 7 0 .4 5G B
U se d 8 7 .1 5G B 2 .9 0G B 1 .7 0G B
3D riv e so n" W W 1 N -D 3 9 M R 5 H L 9 E 4 1
FIGURE 6.11: U sers R ights
^^^biects
16. J
To check the Scheduled jobs, click + to expand it.

H y e n a v 9 .0 - 77 t o t a l s c h e d u le d jo b s .
F ile E d W e wT o o ls H e lp
y* 3< x3 :: |e | o ^ y
H yenawill execu tedie m ost current GroupPolicy editor, GPM E.m sc, if it is present onthe s ystem
ft C Ju g g y b o y(Ju g g y b o y ) c M a rtin(M a rtin ) 9 CS h ie la(S h ie la ) $ L o c a lG ro u p s &^ P rin te rs 1 S h a re s S' S e ssio n s O p e nF ile s 9S e rv ic e s 2PD e v ic e s ffi-AE v e n ts ^ D is kS p a c e ffi-S U se rR ig h ts EB P e rfo rm a n c e | fo ]S c h e d u le dJo b s| -C 0M ic ro so ft W in d o w s ;C .N E TF ra m e w o rk ffi@A c tiv eD ire c to ryR ig h tsM a n a g e i : A p p ID IA p p lic a tio nE x p e rie n c e A p p lic a tio n D a ta j L < 9A u to c h k
A j .3;j r b
7 7 t o t a l s c h e d u le d jo b s .
a a [H o
S e rv e r* N a m e S ta tu s C Ie a n e rS k ip U A C R e a d y 0 W IN -D 3 9 M R ... C o o g le U p d a te T a sk M a c ... R e a d y 0 W IN -D 3 9 M R ... G o o g le U p d a te T a sk M a c ... R e a d y 0 W IN -D 3 9 M R ... G o o g le U p d a te T a sk U se rS ... R e a d y 0 W IN -D 3 9 M R ... G o o g le U p d a te T a sk U se rS ... R e a d y 0 W IN -D 3 9 M R ... G p tim iz eS ta rtM e n uC a ... R e a d y 5 ]W IN -D 3 9 M R ... O E TF ra m e w o rkN G E N ... R e a d y 0 W IN -D 3 9 M R ... .N E TF ra m e w o rkN G E N ... R e a d y 0 W IN -D 3 9 M R ... .N 0 W IN -D 3 9 M R ... A D R M SR ig h tsP o lic yT ... D isa b le d D R M SR ig h tsP o lic yT ... R e a d y 0 W IN -D 3 9 M R ... A o lic y C o n v e rte r D isa b le d 0 W IN -D 3 9 M R ... P m a rtS c re e n S p e c ific R e a d y 0 W IN -D 3 9 M R ... S e n fie d P u b lish e rC e rtS to ... D isa b le d S]W IN -D 39 M R ... V 0 W IN -D 3 9 M R ... A itA g e n t R e a d y ro g ra m D a ta U p d a te r R e a d y 0 W IN -D 3 9 M R ... P ta rtu p A p p T a sk R e a d y 0 W IN -D 3 9 M R ... S 0 W IN -D 3 9 M R ... C le a n u p T e m p o ra ry S ta te R e a d y 0 W IN -D 3 9 M R ... P ro x y R e a d y -3 Certif icateServicesClient 0 W IN -D 3 9 M R ... S y ste m T a sk R e a d y EB U S Chkdsk se rT a sk R e a d y W IN -D 3 9 M R ... U ffi^ C u sto m e rE x p e rie n c eIm p ro v e m 0 6re g istrye n trie sfo u n do nW W 1 N -D 3 9 M R 5 H L1/77o b je c ts
FIGURE 6.12: Scheduled jobs
T rig g e rT y p e^ M u ltip leT rig c D a ily D a ily D a ily O nId le M u ltip leT rig c A tL o go n A tL o go n A tS ta rtu p
A tS ta rtu p M u ltip leT rig c M u ltip leT rig c
h ttp ://w w w .sy ste m to o ls.c o m
La b A n a ly sis
Analyze and document the results related to die lab exercise. Give your opinion 011 your targets securityposture and exposure.
Tool/Utility
Information Collected/Objectives Achieved
Intention : Enumerating the system Output:

Local Connections Users Local Group Shares Shares Sessions Services Events User Rights Performance Registry
Hyena
mn
P L E A S E T A L K TO Y O U R I N S T R U C T O R I F Y O U H A V E Q U E S T I O N S R E L A T E D TO T H I S L AB .
Internet Connection Required
Y es Platform Supported 0 Classroom
0 0
No !Labs

CEH v8 Labs Module 04 Enumeration PDF

Încărcat de

Informații document

Descriere originală:

Titlu original

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

CEH v8 Labs Module 04 Enumeration PDF

Încărcat de

Drepturi de autor:

Formate disponibile

CEH Lab M anual

/ Valuable information y Test your knowledge

Web exercise Workbook review

Policies and passwords

A web browser with an Internet connection Administrative privileges to nm tools

O verview of Enum eration

C E H Lab Manual Page 267

M odule 04 - Enum eration

Enumerating a Network Using the S o ftP e rfe c t

C E H Lab Manual Page 268

M odule 04 - Enum eration

Test vour knowledge

O T Web exercise c a Workbook review

C E H Lab Manual Page 269

M odule 04 - Enum eration

Administrative privileges to install and mil tools

O verview of Enum eration

Nbstat and Null Sessions

3 W in d o w s Se rv er 2012 winaowsbtrvw tt)>Ke*<$eurK!1 aau Lucmr Fvilutor cepj fejiri M O T

FIGURE 1 .1 :W indow sS erver 2012 Desktopview

Click the N m ap-Zenm ap

app to open the Z en m ap window.

C E H Lab Manual Page 270

M odule 04 - Enum eration

Nmap Zenmap GUI

f t SQL Server Installation Center...

Global Network Inventory

IP addresses may vary 111 your lab environment.

Ports / Hosts [ Topology | Host Details | Scans

FIGURE 1 .3 : Hie Zenm apMainw indow

and outputs die

C E H Lab Manual Page 271

M odule 04 - Enum eration

Services O S < Host

Ports / Hosts | T op olog y | H ost Details | Scans |

FIGURE 1 .4: The Zenm apoutputw indow

zl FIGURE 1 .5 : Com m andProm pt w ithdienbtstat com m and

12. Now c re a te a null session.

C reate a Null Session

C E H Lab Manual Page 272

M odule 04 - Enum eration

it by issuing a genenc n et sessions from your host.

command to see connected null

15. To confirm, type n et session.

which should list your new ly

FIGURE 1 .7 : The com m andprom pt , w iththenet u secom m and

C E H Lab Manual Page 273

M odule 04 - Enum eration

In fo rm atio n C o lle c te d /O b je c tiv e s A chieved T a rg e t M achine:

135/tcp, 139/tcp, 445/tcp, 554/tcp, 2869/tcp, 5357/tcp, 10243/tcp 10.0.0.7

N e tB IO S R em ote m ach in e IP address:

Successful connection of Null session

C E H Lab Manual Page 274

M odule 04 - Enum eration

E n u m e r a tin g N e tB I O S U s in g t h e S u p erS ca n T ool

[Z7 Valuable information

Test your knowledge Web exercise Workbook review

C E H Lab Manual Page 275

M odule 04 - Enum eration

A computer running Windows Server 2012 as host machine

O verview of N etB IO S Enum eration

Account lockout threshold