
CS3695/M6-109 – Network Vulnerability Assessment & Risk Mitigation–


1 CS3695/M6-109 – Network Vulnerability Assessment & Risk Mitigation–
Enumeration Additional Materials CEH v.8

2 Objectives
Be able to list the 3 categories of enumeration
Know that enumeration techniques are very OS dependent
Know what types of information can be pulled from a null session
Know the different shares
Be able to banner grab a service to identify it
Understand how to use vrfy and expn on a mail server
Be introduced to the use of netcat, NFS, NIS, tftp and RPC

3 What We Have...
Footprinting:
  IP addresses/range of addresses
  Maybe user account formats, policy, POCs
Scanning:
  IP addresses of machines we can get to
  Services they are running (via port numbers)
  OSs

4 What We Still Need...
What we need next is to identify exact:
  user accounts
  shared resources
  processes/applications, down to the version
This is enumeration and is categorized by:
  Network resources and shares
  Users and groups
  Applications and banners

5 Enumeration & the OS Getting specific information from a system is very dependent upon the OS of the target! We will break down enumeration into OS specific techniques...

6 OS Independent Enumeration
That said, let's look at a generic (non-OS specific) technique used to identify the service found on a specific port.
From our scan, we should have a list of listening ports.
If you telnet to these ports, even though they are not a telnet server (such as port 80), it may give us some information.
This is called Banner Grabbing.

7 Banner Grabbing When you telnet to a listening non-telnet port, it may supply you with a banner of what the service running on that port is down to its version!

8 Give'm the "Finger" Remotely
Used to gather user information…
Created for a smaller, friendlier Internet
finger {note that is an "L"}
finger {note that is a zero}
Port 79
Gives names of logged on users and their idle times… maybe
Used mainly to see who's watching and maybe some social engineering…

9 Mail Verification
Use telnet to confirm mail addresses:
SMTP will allow the use of vrfy and expn
  vrfy is used to verify an address; usually addresses are the same as user accounts
  expn is used to see the real address of an alias; good to know where it is actually going…
If you were to telnet to an organization, it might look something like this (all information here is fictitious and any resemblance to real information is strictly coincidental…):

  telnet mail.geneseo.edu 25
  Trying 137.238.1.100...
  Connected to helios.geneseo.edu.
  Escape character is '^]'.
  220 helios.geneseo.edu ESMTP Sendmail /8.12.5; Sun, 23 Feb :30: (EST)
  vrfy bean
  Samuel N Bean
  expn bean
  vrfy root
  Super-User
  expn root
  Mark T. Valites
  Kirk M. Anne
  Super-User
  quit
  helios.geneseo.edu closing connection
  Connection closed by foreign host.

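The session above shows what vrfy and expn hand to whoever asks. The following is an added example (not from the original slides) that parses such a transcript and reports what a probe learned, so a mail administrator can confirm whether the server still discloses accounts; both transcripts inside it are constructed and the names are fictitious, and the reply codes follow RFC 5321 (250/251 confirm an address, 252 "cannot verify", 502 "not implemented", 550 "no such user").

```python
"""Spot VRFY/EXPN account enumeration in a captured SMTP session.

Added example, not from the original slides.  It groups each client command
with the server's numbered replies and summarises which addresses the server
confirmed.  Both transcripts are constructed; names are fictitious.
"""
import re

# Constructed: a server that still answers VRFY/EXPN with real user data.
OPEN_SESSION = """\
220 mail.example.test ESMTP ready
HELO probe.example.test
250 mail.example.test
VRFY bean
250 2.1.5 Samuel N Bean <bean@example.test>
EXPN staff
250-2.1.5 Mark T. Valites <mvalites@example.test>
250 2.1.5 Kirk M. Anne <kanne@example.test>
VRFY nobodyhere
550 5.1.1 nobodyhere... User unknown
QUIT
221 2.0.0 Bye
"""

# Constructed: the same probe against a server with both commands disabled
# (sendmail PrivacyOptions=novrfy,noexpn or postfix disable_vrfy_command=yes);
# nothing about real accounts is disclosed.
HARDENED_SESSION = """\
220 mail.example.test ESMTP ready
HELO probe.example.test
250 mail.example.test
VRFY bean
252 2.5.2 Cannot VRFY user; try RCPT to attempt delivery
EXPN staff
502 5.5.1 EXPN not implemented
QUIT
221 2.0.0 Bye
"""

REPLY_RE = re.compile(r"^(\d{3})([ -])(.*)$")


def parse_session(transcript):
    """Group each client command with the server reply lines that follow it.

    Returns a list of dicts: command (upper-cased), args, final reply code and
    the reply text lines.  Multi-line replies ("250-...") are collected until
    the "250 ..." line.  The 220 greeting before the first command is skipped.
    """
    events, current = [], None
    for raw in transcript.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = REPLY_RE.match(line)
        if m:
            if current is not None:        # ignore the greeting
                current["code"] = m.group(1)
                current["replies"].append(m.group(3))
            continue
        verb, _, args = line.partition(" ")
        current = {"command": verb.upper(), "args": args.strip(),
                   "code": None, "replies": []}
        events.append(current)
    return events


def enumeration_findings(events):
    """Summarise what the client learned through VRFY/EXPN."""
    f = {"verified": [], "expanded": {}, "unknown": [], "refused": [],
         "discloses_accounts": False}
    for ev in events:
        if ev["command"] not in ("VRFY", "EXPN"):
            continue
        code = ev["code"] or ""
        if code in ("250", "251"):         # server handed over real data
            f["discloses_accounts"] = True
            if ev["command"] == "VRFY":
                f["verified"].append(ev["args"])
            else:
                f["expanded"][ev["args"]] = list(ev["replies"])
        elif code == "550":                # "no such user" still tells the
            f["discloses_accounts"] = True  # prober which names do not exist
            f["unknown"].append(ev["args"])
        else:                              # 252, 502, 500, 503 ...
            f["refused"].append(f"{ev['command']} {ev['args']}")
    return f
```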

11 TFTP …
If you find port 69 open, it's for TFTP (Trivial File Transfer Protocol).
Simpler to use than the File Transfer Protocol (FTP) but less capable.
User authentication and directory visibility are not allowed.
Described formally in RFC 1350.
Also a good link is: Ref:

  $ tftp
  tftp> get /etc/passwd /tmp/passwd.cracklater

12 Windows Enumeration
Windows' dependency on/use of certain protocols leaves it very vulnerable...
  NetBIOS
  Server Message Block (SMB)
  Remote Procedure Calls (RPC)
As well as MS's desire to make everything "work together" seamlessly, which creates additional areas of exploit

13 NetBIOS
Network Basic Input/Output System
Protocol created by IBM, adopted by Microsoft
Service (APIs, Application Programming Interfaces) set up to identify unique users, groups, domains on a small network
Used instead of DNS/IP/MAC address scheme
Think MS WINS Server…
Extremely useful to the hacker for the APIs it can access
MS set up NetBIOS to share unique users, groups, etc. to unauthenticated hosts!
Here is a good reading on the topic if you need to refresh on this:

EXAMINING THE ORIGINS OF NETBIOS

Network Basic Input/Output System was designed for IBM by an organization named Sytek, Inc. It was created to provide an easy-to-use programming interface for connections between computers over a network. Microsoft began developing products for the MS-Net and LAN Manager (the predecessor to Windows NT) using the NetBIOS interface, anticipating the popularity of the standard. Ironically, the standard is only popular today because of Microsoft's implementation of it.

NetBIOS is an application programming interface, providing a set of functions that applications use to communicate across networks. It is similar in function to named pipes and sockets; it allows application programmers to add network capabilities to applications while minimizing the amount of code that must be dedicated to actually transporting the data.

NetBEUI, the NetBIOS Enhanced User Interface, was created as a data-link-layer frame structure for NetBIOS. A simple mechanism to carry NetBIOS traffic, NetBEUI has been the protocol of choice for small MS-DOS- and Windows-based workgroups. NetBIOS no longer lives strictly inside of the NetBEUI protocol, however. Microsoft worked to create the international standards described in RFC 1001 and RFC 1002, NetBIOS over TCP/IP (NBT).

UNDERSTANDING THE ADVANTAGES OF NBT

One of the greatest advantages of Microsoft's implementation of NetBIOS is that it provides a consistent programming interface regardless of the network protocol used. For those familiar with the OSI model, NetBIOS exists at the Session level, as illustrated in Table [number omitted]. Because it is completely independent of the protocol, applications such as Server Manager and User Manager work on systems that are running IPX/SPX, TCP/IP, or NetBEUI. This is in contrast to most network applications that are developed specifically for use with a single network protocol, such as the entire Internet suite of applications (Telnet, FTP, and so on).

Sound amazing? The drawbacks are equally astounding. Internetworking with TCP/IP is the fastest growing area of modern computing. This is a good thing; soon, we will be able to forget about other network protocols. NetBIOS's advantages no longer outweigh its disadvantages, but we are still required to use it or find other ways to administer our Windows NT machines. Microsoft has promised to phase it out of their operating systems, but only time will tell. In this chapter, I hope to build your understanding of the protocol so that you may better work with it or work around it, whichever you decide.

Now that you have an understanding of what NetBIOS is, where it came from, and why we are still burdened with it, we will begin to explore its most visible aspect. NetBIOS naming causes the majority of problems on networks for a variety of reasons. The next section provides a high level of detail about the naming standards and provides you with the information you need to troubleshoot naming problems. Even better, it will allow you to avoid future naming problems in networks and systems that you engineer.

EXPLORING NETBIOS NAMING CONVENTIONS

NetBIOS was designed to be used on the LAN, and the naming architecture reflects that philosophy. The NetBIOS name is often based on the computer name within NT, and it is used to identify servers for most types of communication, including file sharing and domain authentications. It is important to understand how these names work to effectively plan a network using NT servers; name resolution is one of the most common sources of problems on NT-based networks.

NetBIOS names, as specified by the standard, are 16 characters in length. Computer names, as specified by Microsoft, are only 15. The sixteenth character is reserved and is used to identify the type of name during network communications, distinguishing between domain names, computer names, workgroup names, and others. This length is entirely inflexible: if the computer name is "TERI," the remaining 11 characters are padded with 0's. The entire NetBIOS name becomes "TERI [00] [00] [00] [00] [00] [00] [00] [00] [00] [00] [00] [20]."

All NetBIOS names fall into one of two categories: unique names and group names. Unique names are just that: they identify a specific entity and cannot be claimed by anyone else on a given network. The most common unique name is the computer name. Group names are used to identify workstations as having a membership in a logical organization such as a domain or workgroup.

All NetBIOS communications occur using these names; remember that NetBIOS operates above the network-layer protocol and therefore has no knowledge of such things as IP addresses. However, once the connection is established, the additional overhead of the name no longer needs to be carried: MAC addresses and IP addresses are used instead. Later in this chapter I'll cover, in excruciating detail, how exactly NetBIOS over TCP/IP finds IP addresses given NetBIOS names. Table 10-2 lists the most common NetBIOS name entries and a description of each.

NetBIOS Computer Names Versus DNS Hostnames

Perhaps the greatest of the many frustrations of using NBT is that each machine must have two names: a NetBIOS computer name and a DNS hostname. The two have several similarities: they both resolve IP addresses to server names, and they are both unique on a network. DNS has several distinct advantages over NetBIOS names, however. DNS hostnames are hierarchical, allowing a fully qualified domain name in the format of "[hostname omitted]". This also makes DNS more scalable; certainly there is more than one NT server on the Internet with the NetBIOS name of "[name omitted]". True hostnames are used and supported across many platforms besides NT, making DNS more compatible.

So why use NetBIOS names at all? For those of us using homogenous TCP/IP networks, there is no good reason. Microsoft has recognized this and is making efforts to phase out their use in NT 5.0 (no promises!). For the time being, the necessity of using these names can cause several potential problems to arise. To make your life less complicated, make an effort to synchronize DNS and NetBIOS names on all servers. This only works up to a point, however. Only a single NetBIOS name may be bound to a server at any time; in contrast, a server may have any number of DNS entries. Try to reduce your dependency on NetBIOS names as much as possible; Microsoft was kind enough to include the ability to refer to DNS hostnames within URLs. For example, instead of connecting to a share using the URL \\ELVIS\SHARE, use \\elvis.idgbooks.com\share or \\[IP address omitted]\share.

BREAKING DOWN NBT BY SERVICE

The services that NetBIOS over TCP/IP provide fall into three categories: the NetBIOS Name service, the NetBIOS Datagram service, and the NetBIOS Session service. Each service provides a distinct set of functions to applications and has a unique impact on a network. Most applications that use TCP/IP make use of a Well-Known Port, a port that is registered internationally for use with a specific application. For example, Web requests use port 80 and FTP requests use ports 20 and 21. NetBIOS over TCP/IP (NBT) uses a separate port number for each of the three services: two UDP ports (137 and 138) and TCP port 139. Table 10-3 gives a summary of the individual services, the TCP and UDP ports they use by default, and their typical usage.

To better troubleshoot problems with browsing, domain authentication, trusts, and file sharing, it is important to understand, in detail, how and why these three services are used. If you work in a routed environment, pay particular attention to the port numbers to understand what routers should and should not filter to support different functionality. Once you understand the intricacies of each service, you can make use of a protocol analyzer such as Microsoft's Network Monitor to narrow down problems. Network Monitor is an excellent tool for examining frames sent using these services because it automatically decodes many of the cryptic fields within the frames.

NetBIOS Name Service

The NetBIOS Name service provides for name resolution within a single network segment. It is also called upon by services that must listen for a specific NetBIOS name to be used on the network, both to register the name and to release the name. It is used by computers that are part of a domain to locate a domain controller on the local network segment for domain authentication.

NetBIOS connections involve several different steps. When a connection is requested, the first is to resolve the name of the server to something more useful, like an IP address. This step, which sounds simple, causes more NetBIOS problems than anything else! Microsoft recognizes this problem and has provided several different methods of name resolution, outlined in greater detail in the sections to follow. For now, understand that only name resolution through broadcasts uses the NetBIOS Name server. WINS queries and responses use the NetBIOS Datagram service. If the name is currently cached, no request is made.

The NetBIOS Name service always uses the UDP protocol, which exists at the transport layer of the OSI model. The advantages and disadvantages of UDP carry over to the NetBIOS Name service. To its advantage, it carries little overhead by avoiding the three-way handshake of TCP and using fewer header fields. Its connectionless property is also a disadvantage because it provides no method of notifying the sender if a packet is not carried across the network properly. The specific transport-layer port number that NetBIOS Name service packets use is UDP port 137. Recognizing this port number is important when troubleshooting using tools such as protocol analyzers.

The Messenger service is an excellent example because it uses all three NetBIOS services, depending on the situation. The NET SEND command can be used to direct messages to a specific computer, a specific user, or an entire domain. If a message is sent to a computer, the NetBIOS Name service is used to find that computer by sending a broadcast on the local network. If a message is sent to a user, a broadcast is sent to the network and is processed by all machines for which the Messenger service has registered a NetBIOS name (consisting of the username and a sixteenth character of <03>). Each machine that has registered that name responds to the query. At this point, the NetBIOS Session service is called upon to actually deliver the message. The three services, their transport layer port numbers, and typical usage of each service are detailed in Table [number omitted].

The NetBIOS Name service is not extremely well-adapted to typical, routed TCP/IP networks; it was designed to be used on LANs. However, there are several workarounds to smooth out problems. Routers, by default, simply ignore UDP broadcasts. This makes a lot of sense; the whole purpose of a router is to block that type of traffic. Unfortunately, this means that name resolution using the NetBIOS Name service only works on a single network segment, and adding a single router requires the use of an LMHOSTS file at each host or the WINS service. To avoid this problem, most router manufacturers provide a way to forward these broadcasts between subnets, making the router act more like a bridge. Enabling this feature is a quick way to ensure that name resolution continues to work properly when segmenting a TCP/IP network; without it, users would be able to connect only to servers within their broadcast domain.

14 NetBIOS Cont.

NetBIOS Service Name     | Transport Layer Protocol | TCP, UDP Port Number | Description
NetBIOS Name service     | UDP                      | 137                  | Used to resolve NetBIOS names on a local network segment using broadcasts
NetBIOS Datagram service | UDP                      | 138                  | Used to transfer data between applications when a broadcast must be used or when speed is more important than data integrity
NetBIOS Session service  | TCP                      | 139                  | Used to transfer data between applications when broadcasts are not required and when data integrity is more important than speed

15 NetBEUI
NetBIOS Enhanced User Interface
Created as a data-link-layer frame structure for NetBIOS. A simple mechanism to carry NetBIOS traffic
NetBIOS no longer lives strictly inside of the NetBEUI protocol (OUTDATED PROTOCOL)
Microsoft worked to create the international standards described in RFC 1001 and RFC 1002, NetBIOS over TCP/IP (NBT)

16 SMB & NetBIOS
SMB (Server Message Block) protocol
Used, among other things, for file sharing in Windows NT/2000/XP.
In Windows NT it ran on top of NBT (NetBIOS over TCP/IP), which used the famous ports 137, 138 (UDP) and 139 (TCP).
In Windows 2000/XP/2003, Microsoft added the possibility to run SMB directly over TCP/IP, without the extra layer of NetBT. For this they use TCP port 445.
Will make calls in parallel to NBT…

17 Use of NetBIOS/SMB
SMB and NetBIOS standards include APIs (basically function calls) that can be used for good or evil...
Allows hosts to communicate info to each other
Allows hackers to obtain the same info for a different purpose…

18 DCOM
Distributed Component Object Model
Proprietary Microsoft technology
Allows communication among software components distributed across networked computers.
The Service Control Manager (also known as the Remote Procedure Call (RPC) Endpoint Mapper) uses TCP port 135 in a manner similar to SUN's UNIX use of port 111.
The SCM server running on the user's computer opens port 135 and listens for incoming requests from clients wishing to locate the ports where DCOM services can be found on that machine.
TCP port 135 is essential to the functionality of Active Directory and Microsoft Exchange mail servers, among other things.

19 nbtstat
nbtstat is a tool that calls up the NetBIOS name table from a remote host... NO AUTHENTICATION REQUIRED!
Extracts system name, domain, logged on users and services running...
See table 10-2 in the additional readings for a breakdown of the NetBIOS codes <AA>

20 Null Sessions
Null sessions allow unauthenticated hosts to share information with each other...
We can exploit CIFS/SMB & NetBIOS with null sessions! Requires port 139 and/or 445!
Format:
  C:\>net use \\<IP Address>\IPC$ "" /u:""

21 Null Sessions
Once a null session is created, we can use it to extract information:
  domains
  host names
  user accounts
  security policy

22 Net View
The net view command is used to extract some of this info:
  net view /domain                   shows domains that host knows about
  net view /domain:specific_domain   shows computers in that domain

23 Net View for Shares
Shares the host has can be enumerated via net view:
  net view \\host_name
These include: C$, ADMIN$, IPC$, SYSVOL, NETLOGON

24 C$ The system creates a dollar sign share for the root of every mounted volume. This gives administrators access to the volumes and remote computers. The $ indicates that the share is hidden.

25 ADMIN$ This share gives access to the system directory, which is WINNT by default and is represented by the environment variable %systemroot%. You can map a drive to the ADMIN$ share without needing to know the drive letter that contains the system files.

26 IPC$ This share gives access to a symbolic link called “Inter-process Connection” (IPC). It is used to support remote procedure call (RPC) connections.

27 SYSVOL This is a WIN2K share. It gives access to the \winnt\sysvol\sysvol directory. This is a folder that stores information such as logon scripts and group policies that are to be replicated among domain controllers. The location of the sysvol folder is selected when the server is promoted to a domain controller.

28 NETLOGON This share gives access to the \winnt\sysvol\sysvol\scripts directory. All Windows clients look for the NETLOGON share when they authenticate to a Domain Controller. This folder contains user policies and scripts.

29 Port Summary
So it is VERY bad to have the following ports open to the Internet:
  135 DCOM RPC (TCP)
  137 NetBIOS Name Server (UDP)
  138 NetBIOS Datagram Service (UDP)
  139 NetBIOS Session Service (TCP)
  445 SMB (TCP)

30 Use of SuperScan4 SuperScan4 is a tool that will automate a lot of what has already been covered, as well as grabbing user names and security policy...

31 Enumerated Info
What can we get from net view or DumpSec?
Account Policy: how many attempts till lockout? How long?
User account names: 50% of the battle for user account & pwd
Shares that you can log into once you have the user account and pwd..


33 Enumerating User Accounts
The text does a good job covering these applications, but it is good to know these two specifically!
User2sid: have a user name, need the SID
Sid2user: have an SID/RID (like 500 ;-) and want the user name
500 is ALWAYS the Administrator account, even if renamed!!!

34 Using the Info
Once you have shares and user accounts, you can try to break in with guessed passwords
With the net use command (for IPC), the account does not lock out no matter what the policy
Best to use automated tools for this:
  NAT10: NetBIOS Auditing Tool
  Legion
You will learn more about these in the Gaining Access module and have the chance to do this in the lab...

35 SNMP

36 SNMP Background
Simple Network Management Protocol
Application layer protocol
Exchange of management information between network devices.
Enables monitoring and management of networked devices from a central server.
Usually found on UDP ports: 161, 162, 193, 199, 391, and 1993
Ref:

37 SNMP Continued
An SNMP-managed network consists of three key components:
  Network-management systems (NMSs)
  Managed devices
  Agents on each device

38 SNMP Components
An NMS monitors and controls managed devices. NMSs provide the bulk of the processing and memory resources required for network management. One or more NMSs must exist on any managed network.
A managed device is a physical network node (that contains an SNMP agent). It collects and stores management information. Examples: routers and access servers, switches and bridges, hubs, computer hosts, or printers.
An agent is a software module (that resides in a managed device). An agent has local knowledge of management information and translates that information into a form compatible with SNMP.
A Management Information Base (MIB) is a collection of information accessed using SNMP. MIBs are comprised of managed objects and are identified by object identifiers.

39 SNMP Basic Commands
Managed devices are monitored and controlled using four basic SNMP commands:
  Read/Get: used by an NMS to monitor devices.
  Write/Set: used by an NMS to control devices.
  Trap: used by managed devices to report events to the NMS.
  Traversal operations: used by the NMS to determine which variables a managed device supports and to gather them in sequence.

40 SNMP Community Strings
The most basic form of SNMP security is the Community String. They are like passwords.
One community string is for read-only access to a network element: the default value is often "public". Using this community string like a password, the NMS can retrieve data from network elements.
The NMS uses the read-write community string to change MIB variables on a network element. The default value for this is often "private".
Ref:

41 SNMP Enumeration Common to find Routers, as well as Windows 2000/2003/2008 with SNMP on! Using public as the default community string, you may be able to read MIB variables such as user names, shares, running software and connected devices!
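The two slides above come down to a configuration question: is the agent still answering "public"/"private", and from where? The following is an added example (not from the original slides) that lints a net-snmp style snmpd.conf for exactly those conditions; it assumes the net-snmp directive syntax rocommunity/rwcommunity COMMUNITY [SOURCE [OID | -V VIEW]] and com2sec NAME SOURCE COMMUNITY, and both configuration texts are constructed.

```python
"""Lint a net-snmp snmpd.conf for weak community-string settings.

Added example, not from the original slides.  It flags default strings such
as "public"/"private", short strings, and read or write access open to any
source address ("default" source in net-snmp terms).
"""

DEFAULT_STRINGS = {"public", "private"}
MIN_COMMUNITY_LEN = 12
SEVERITY_RANK = {"HIGH": 3, "MEDIUM": 2, "LOW": 1}

# Constructed: the out-of-the-box style of configuration the slides warn about.
WEAK_CONF = """\
# read from anywhere with the default string, write with the other default
rocommunity public
rwcommunity private
"""

# Constructed: read-only, one management subnet, system subtree only.
HARDENED_CONF = """\
view systemonly included .1.3.6.1.2.1.1
rocommunity Zq8t-Vn4h-mgmt-ro 192.0.2.0/24 -V systemonly
"""


def _parse_directive(tokens):
    """Return (community, source, restricted, writable) or None."""
    d = tokens[0].lower()
    if d in ("rocommunity", "rocommunity6", "rwcommunity", "rwcommunity6"):
        if len(tokens) < 2:
            return None
        community = tokens[1].strip('"')
        source = tokens[2] if len(tokens) > 2 else "default"
        restricted = len(tokens) > 3          # an OID or '-V view' follows
        return community, source, restricted, d.startswith("rw")
    if d == "com2sec" and len(tokens) >= 4:
        # access rights for com2sec are decided by later group/access lines,
        # so only the string and the source are judged here
        return tokens[3].strip('"'), tokens[2], True, False
    return None


def lint_snmpd_conf(text):
    """Return a list of (line_no, severity, message) for weak settings."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()    # drop comments
        if not line:
            continue
        parsed = _parse_directive(line.split())
        if parsed is None:
            continue
        community, source, restricted, writable = parsed
        if community.lower() in DEFAULT_STRINGS:
            findings.append((n, "HIGH", f"default community string '{community}'"))
        elif len(community) < MIN_COMMUNITY_LEN:
            findings.append((n, "MEDIUM",
                             f"short community string ({len(community)} chars)"))
        if writable:
            sev = "HIGH" if source == "default" else "MEDIUM"
            findings.append((n, sev,
                             f"read-write community reachable from {source}; prefer SNMPv3"))
        elif source == "default":
            findings.append((n, "MEDIUM",
                             "read-only community reachable from any source address"))
        if not writable and not restricted:
            findings.append((n, "LOW",
                             "no view restriction; whole MIB readable (users, shares, software)"))
    return findings


def worst_severity(findings):
    """Highest severity present, or None when the config is clean."""
    if not findings:
        return None
    return max((f[1] for f in findings), key=SEVERITY_RANK.__getitem__)
```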

42 UNIX Enumeration UNIX usually does not give up as easily the kind of information that NetBIOS does… Most of the techniques heavily use the kind of information gathering from port scans and OS ID techniques outlined previously.

43 NetCat
Netcat has more uses than just forcing a shell back (as we will learn later in Gaining Access)…
Can do a type of banner grabbing with netcat that produces more information than just telnet…
  nc -v <IP Address> 80
Can even nudge more info with additional input:
  nc -v <IP Address> 80 < nudge.txt
nudge.txt might contain lines such as:
  GET / HTTP/1.0

44 Enumerating NFS
If NFS (exported Network File System) is running (usually on port 2049), try:
  showmount -e <IP Address>
Shows what directories are being shared. The -e shows the server's export list.

Network File System Overview
The Network File System (NFS) is a distributed file system that allows users to access files and directories located on remote computers and treat those files and directories as if they were local. For example, users can use operating system commands to create, remove, read, write, and set file attributes for remote files and directories. The NFS software package includes commands and daemons for NFS, Network Information Service (NIS), and other services. Although NFS and NIS are installed together as one package, each is independent and each is configured and administered individually.

showmount Command
Purpose: Displays a list of all clients that have remotely mounted file systems.
Syntax: /usr/bin/showmount [ -a ] [ -d ] [ -e ] [ Host ]
Description: The showmount command displays a list of all clients that have remotely mounted a file system from a specified machine in the Host parameter. This information is maintained by the mountd daemon on the Host parameter. This information is saved in the /etc/rmtab file in case the server crashes. The default value for the Host parameter is the value returned by the hostname command.
Note: If a client crashes, its entry will not be removed from the list until the client reboots and starts the umount -a command.
Flags:
  -a  Prints all remote mounts in the format HostName:Directory, in which HostName is the name of the client and Directory is a directory pathname that has been remotely mounted.
  -d  Lists only directories that have been remotely mounted by clients.
  -e  Prints the list of exported directories.
Examples:
  1. To display a list of all remote directories mounted by a host, enter:
       /usr/bin/showmount -a zeus
     In this example, the showmount command produces a list of all of the remote directories mounted by the clients on the host machine named zeus.
  2. To display a list of only the directories mounted by a client on the host, enter:
       /usr/bin/showmount -d athena
     In this example, the showmount command produces a list of all remote directories mounted by the client machines on the host named athena.
  3. To print a list of all directories exported from a machine, enter:
       /usr/bin/showmount -e zeus
     In this example, the showmount command produces a list of all remote directories exported by the host machine named zeus.
Files:
  /etc/rmtab  Contains information about the current state of all exported directories.
  /etc/xtab   Lists currently exported directories.

45 NIS Enumeration
NIS (Network Information System) is a network naming and administration system for smaller networks
Found on port 778 (service ypserv)
Each host client or server computer in the system has knowledge about the entire system
A user at any host can get access to files or applications on any host in the network with a single user identification and password
Once you know the NIS domain name of the server, you can obtain a map of the network with a simple RPC query…
Can grab the password map (ypx) and crack on it remotely using tools such as crack. Tools such as pscan -n can assist with this!
Ref: whatis.com definition of NIS:
NIS (Network Information System) is a network naming and administration system for smaller networks that was developed by Sun Microsystems. NIS+ is a later version that provides additional security and other facilities. Using NIS, each host client or server computer in the system has knowledge about the entire system. A user at any host can get access to files or applications on any host in the network with a single user identification and password. NIS is similar to the Internet's domain name system (DNS) but somewhat simpler and designed for a smaller network. It's intended for use on local area networks. NIS uses the client/server model and the Remote Procedure Call (RPC) interface for communication between hosts. NIS consists of a server, a library of client programs, and some administrative tools. NIS is often used with the Network File System (NFS). NIS is a Unix-based program.

46 RPCs
Remote Procedure Calls (RPCs)
Found on ports 111 (Linux) & (Sun)
The listening service is portmapper or rpcbind
Used for remote applications to talk to each other…
rpcinfo is like finger for enumerating apps: tells the services running by port number
nmap basically does this for us already… use the -sR switch (RPC scan)

47 Example RPC Enumeration

48 Enumerating Linux User Accounts
If you can get onto a Linux host, the very first enumeration technique to use is to list all the user accounts on that host!
To do this, look at the /etc/passwd file
File used to store accounts and their associated properties
This file is readable by everyone
Passwords are usually encrypted in the shadow file and readable only by root
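Reading /etc/passwd is also the first thing a defender should do on a host, looking for the accounts an enumerator would single out. The following is an added example (not from the original slides) that parses the seven-field passwd format, lists login-capable accounts and flags extra UID 0 accounts, shared UIDs, empty password fields and hashes kept in passwd instead of shadow; the passwd content is constructed.

```python
"""Audit an /etc/passwd file for the weaknesses an enumerator would find.

Added example, not from the original slides.  Fields per line: name,
password field ('x' means the hash lives in /etc/shadow), UID, GID, GECOS,
home, shell.  The sample content is constructed.
"""
from collections import defaultdict

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
toor::0:0:second uid 0 account:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
legacy:$1$ab$constructedhashXXXXXXXXXXX:1001:1001::/home/legacy:/bin/sh
bob:x:1000:1002:Bob:/home/bob:/bin/zsh
"""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/bin/sync"}
LOCKED_MARKERS = {"x", "*", "!", "!!"}   # hash elsewhere or account locked


def parse_passwd(text):
    """Return (accounts, malformed); each account is a dict of the 7 fields."""
    accounts, malformed = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.startswith("#"):
            continue
        fields = raw.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            malformed.append((n, raw))
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        accounts.append({"line": n, "name": name, "pw": pw, "uid": int(uid),
                         "gid": gid, "gecos": gecos, "home": home, "shell": shell})
    return accounts, malformed


def login_capable(accounts):
    """Names with an interactive shell: the list an attacker would target."""
    return [a["name"] for a in accounts if a["shell"] not in NOLOGIN_SHELLS]


def audit_passwd(accounts):
    """Return (account_names, issue) findings."""
    findings = []
    by_uid = defaultdict(list)
    for a in accounts:
        by_uid[a["uid"]].append(a["name"])
        if a["uid"] == 0 and a["name"] != "root":
            findings.append((a["name"], "extra UID 0 account"))
        if a["pw"] == "":
            findings.append((a["name"], "empty password field (no password needed)"))
        elif a["pw"] not in LOCKED_MARKERS and not a["pw"].startswith("!"):
            findings.append((a["name"], "password hash stored in world-readable passwd"))
        if 0 < a["uid"] < 1000 and a["shell"] not in NOLOGIN_SHELLS:
            findings.append((a["name"], "system account with interactive shell"))
    for uid, names in sorted(by_uid.items()):
        if len(names) > 1:   # two names, one identity: logs cannot tell them apart
            findings.append((",".join(names), f"UID {uid} shared by multiple accounts"))
    return findings
```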

49 AD vs. LDAP vs. Kerberos
Kerberos: Authentication and Access Granting Service
Active Directory (AD): Windows database; query for access control to objects, for example
Lightweight Directory Access Protocol (LDAP): Protocol for clients to query and manage information in a Directory Service (like AD); TCP port 389
AD: hierarchical framework of objects. The objects fall into three broad categories: resources (e.g., printers), services (e.g., [omitted]), and users (user accounts and groups). The AD provides information on the objects, organizes the objects, controls access and sets security.
Ref:
The Lightweight Directory Access Protocol, or LDAP, is an application protocol for querying and modifying directory services running over TCP/IP. A directory is a set of objects with attributes organized in a logical and hierarchical manner. A simple example is the telephone directory, which consists of a list of names (of either persons or organizations) organized alphabetically, with each name having an address and phone number associated with it.
Ref:

50 Working Together
AD: Access Control
  Authorizes access to objects stored locally or in LDAP
LDAP: Protocol for querying access permissions
  Can store passwords
Kerberos: Authentication
  Used to authenticate a user
  LDAP can also do this directly without Kerberos
  SAM password file accessed by Kerberos

51 Enumeration is the 3rd Step
Remember…
Registered names lead to IP addresses
IP addresses lead to ports
Ports lead to services
Services lead to…
  Versions of applications
  OS services
  User accounts
  Shares
Versions lead to exploits and access…
Access leads to higher privileges…
Footprinting… Scanning… Enumeration… Gaining Access… Escalation…

