Enumeration: After scanning for live systems and services, hackers will probe the services more carefully, looking for weaknesses. This involves active connections!


1 Enumeration: After scanning for live systems and services, hackers will probe the services more carefully, looking for weaknesses. This involves active connections!

2 Enumeration: Hackers will try to gain information about: user accounts; shared resources; software with vulnerabilities.

3 Banner Grabbing: Gain more information about servers and services. C:\>telnet www.adamsmith.ac.uk 80 http/1.0 400 bad request Server: IIS 1.1

4 Null sessions: A NULL session connection is an unauthenticated connection. From a NULL session, hackers can call APIs and use Remote Procedure Calls to enumerate information. These techniques can, and will, provide information on passwords, groups, services, users and even active processors. NULL session access can even be used for escalating privileges and performing DoS attacks.

5 Netcat: Swiss army knife for TCP/IP

6 Commonly Probed Ports: HTTP port 80; SMTP port 25; FTP port 21; Telnet port 23; DNS port 53

7 Common command line tools: Telnet; Ftp; Nslookup; Tftp; Finger; Net; Nbtstat. RPC port 135; NetBIOS port 137

8 Zone transfers: C:\>nslookup ls -d labfarce.org Know your DNS record types.

9 Blocking Zone Transfers: On the forward lookup zone properties. DEMO:

10 Sam Spade's Crawl: Gives information about websites, such as login and passwords

11 NetBIOS scanners: Enumerate file shares. Dumpsec (www.somarsoft.com); Legion

12 Enumerating Users: Dumpsec; User2sid; Sid2user. Example: User2sid \\192.168.0.1 "domain user"; Sid2user \\192.168.0.1 5 21 8915387 1678654 5678654 500. Note: Default RIDs: admin 500, Guest 501

13 Enum www.bindviw.com/support/razor/utilities

14 IP Browser: From SolarWinds; NS auditor

15 Active Directory Administration Tool: ldp.exe

16 Other OSs: All operating systems have their own leaks

17 Countermeasures: Shut down unnecessary services; restrict information returned from server; Microsoft IIS Lockdown Tool and URLScan
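
To check the "restrict information returned from server" countermeasure against the banner shown on the Banner Grabbing slide, the following added example (not part of the original presentation) audits a captured HTTP response head for headers that disclose a product or version. The header list, function names and sample responses are assumptions constructed for illustration.

```python
import re

# Headers that commonly reveal server software (assumed list for this example).
DISCLOSING = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")
VERSION_RE = re.compile(r"\d+(?:\.\d+)+")  # dotted version such as 1.1 or 2.3.1

def parse_response_head(raw: bytes):
    """Split a raw HTTP response into (status_line, {header: [values]})."""
    text = raw.decode("iso-8859-1").replace("\r\n", "\n")
    head = text.split("\n\n", 1)[0]          # drop the body
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # tolerate malformed lines rather than failing the audit
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0].strip(), headers

def audit_banner(raw: bytes):
    """Return findings as (header, value, severity) tuples.

    severity is "version" when a dotted version number is exposed,
    otherwise "product" (software name only).
    """
    _, headers = parse_response_head(raw)
    findings = []
    for name in DISCLOSING:
        for value in headers.get(name, []):
            severity = "version" if VERSION_RE.search(value) else "product"
            findings.append((name, value, severity))
    return findings

# Constructed sample responses (not captured from any real host).
VERBOSE = (b"HTTP/1.0 400 Bad Request\r\n"
           b"Server: ExampleHTTPd/2.3.1\r\n"
           b"X-Powered-By: ExampleFramework\r\n"
           b"Content-Type: text/html\r\n\r\n<html>...</html>")
HARDENED = (b"HTTP/1.0 400 Bad Request\r\n"
            b"Content-Type: text/html\r\n\r\n<html>...</html>")

if __name__ == "__main__":
    for label, raw in (("verbose", VERBOSE), ("hardened", HARDENED)):
        print(label, audit_banner(raw) or "no disclosing headers")
```

Run it against responses saved from your own servers before and after hardening; an empty result means none of the listed headers is returned.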

