Monday, April 28, 2014

Enumeration p2



Lab 1
Enumerating a Target Network Using Nmap



Enumeration is the process of extracting user names, machine names, network resources, shares, and services from a system.

Lab Scenario

In fact, a penetration test begins before penetration testers have even made contact with the victim systems. During enumeration, information is systematically collected and individual systems are identified. The pen testers examine the systems in their entirety, which allows them to evaluate security weaknesses. In this lab, we discuss Nmap; it uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, and what type of packet filters/firewalls are in use. It was designed to rapidly scan large networks. By using the open ports, an attacker can easily attack the target machine; to counter this type of attack, networks are filled with IP filters, firewalls, and other obstacles. As an expert ethical hacker and penetration tester, you need to enumerate a target network and extract a list of computers, user names, user groups, machine names, network resources, and services using various enumeration techniques.

Lab Objectives

The objective of this lab is to help students understand and perform enumeration on a target network using various techniques to obtain:

■ User names and user groups
■ Lists of computers, their operating systems, and the ports on them
■ Machine names, network resources, and services
■ Lists of shares on the individual hosts on the network
■ Policies and passwords


Lab Environment

To perform the lab, you need:

■ A computer running Windows Server 2008 as a virtual machine
■ A computer running Windows Server 2012 as a host machine
■ Nmap, located at D:\CEH-Tools\CEHv8 Module 04 Enumeration\Additional Enumeration Pen Testing Tools\Nmap
■ Administrative privileges to install and run tools

Lab Duration

Time: 10 Minutes

Overview of Enumeration

Enumeration is the process of extracting user names, machine names, network resources, shares, and services from a system. Enumeration techniques are conducted in an intranet environment.

Lab Tasks

The basic idea in this section is to:
■ Perform scans to find hosts with NetBIOS ports open (135, 137-139, 445)
■ Do an nbtstat scan to find generic information (computer names, user names, MAC addresses) on the hosts
■ Create a null session to these hosts to gain more information
■ Install and launch Nmap on a Windows Server 2012 machine
1. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.

FIGURE 1.1: Windows Server 2012—Desktop view

2. Click the Nmap-Zenmap GUI app to open the Zenmap window.

FIGURE 1.2: Windows Server 2012—Apps


3. Start your virtual machine running Windows Server 2008.
4. Now launch the nmap tool on the Windows Server 2012 host machine.
5. Perform an nmap -O scan for the Windows Server 2008 virtual machine (10.0.0.6) network. This takes a few minutes.
Note: IP addresses may vary in your lab environment.

FIGURE 1.3: The Zenmap Main window
6. Nmap performs a scan for the provided target IP address and outputs the results on the Nmap Output tab.
7. Your first target is the computer with a Windows operating system on which you can see ports 139 and 445 open. Remember this usually works only against Windows but may partially succeed if other OSes have these ports open. There may be more than one system that has NetBIOS open.

FIGURE 1.4: The Zenmap output window
8. Now you see that ports 139 and 445 are open and port 139 is using NetBIOS.
9. Now launch the command prompt in the Windows Server 2008 virtual machine and perform nbtstat on port 139 of the target machine.
10. Run the command nbtstat -A 10.0.0.7.

FIGURE 1.5: Command Prompt with the nbtstat command
11. We have not even created a null session (an unauthenticated session) yet, and we can still pull this info down.

12. Now create a null session.

13. In the command prompt, type net use \\X.X.X.X\IPC$ /u:"" (where X.X.X.X is the address of the host machine, and there are no spaces between the double quotes).

FIGURE 1.6: The command prompt with the net use command
14. Confirm it by issuing a generic net use command to see connected null sessions from your host.
15. To confirm, type net use, which should list your newly created null session.

FIGURE 1.7: The command prompt with the net use command
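
The name table that nbtstat -A returns in steps 10 and 11 can be decoded to see exactly what a host discloses before any session exists. The following Python sketch is an added example, not part of the original lab; the sample output, host name and MAC address are constructed, and the function names are hypothetical.

```python
import re

# NetBIOS name suffixes (16th byte) and what each registration means.
SUFFIXES = {
    ("00", "UNIQUE"): "Workstation service (computer name)",
    ("00", "GROUP"): "Domain or workgroup name",
    ("03", "UNIQUE"): "Messenger service (computer or logged-on user)",
    ("20", "UNIQUE"): "File Server service (SMB file sharing)",
    ("1B", "UNIQUE"): "Domain master browser",
    ("1C", "GROUP"): "Domain controllers",
    ("1D", "UNIQUE"): "Master browser",
    ("1E", "GROUP"): "Browser service elections",
}
ROW = re.compile(r"^[ \t]*(\S.{0,14}?)[ \t]*<([0-9A-Fa-f]{2})>[ \t]+"
                 r"(UNIQUE|GROUP)[ \t]+(\w+)", re.M)
MAC = re.compile(r"MAC Address = ((?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2})")

def parse_nbtstat(text):
    """Parse `nbtstat -A` output into name records plus the adapter MAC."""
    names = []
    for name, suffix, kind, status in ROW.findall(text):
        key = (suffix.upper(), kind)
        names.append({"name": name, "suffix": key[0], "type": kind,
                      "status": status,
                      "meaning": SUFFIXES.get(key, "Unrecognised suffix")})
    mac = MAC.search(text)
    return {"names": names, "mac": mac.group(1) if mac else None}

def exposure_summary(parsed):
    """Summarise what the host disclosed without any authenticated session."""
    def first(suffix, kind):
        return next((r["name"] for r in parsed["names"]
                     if (r["suffix"], r["type"]) == (suffix, kind)), None)
    return {"computer_name": first("00", "UNIQUE"),
            "domain_or_workgroup": first("00", "GROUP"),
            "file_sharing_advertised": first("20", "UNIQUE") is not None,
            "mac_disclosed": parsed["mac"] is not None}

# Constructed sample output (host name and MAC are made up for illustration).
SAMPLE = """
           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    LAB-HOST       <00>  UNIQUE      Registered
    WORKGROUP      <00>  GROUP       Registered
    LAB-HOST       <20>  UNIQUE      Registered

    MAC Address = 00-15-5D-00-00-07
"""
```

Hosts that report file_sharing_advertised on segments where SMB is not required are candidates for disabling NetBIOS over TCP/IP or filtering ports 137-139 and 445.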

Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target’s security posture and exposure.




Questions

1. Evaluate what nbtstat -A shows us for each of the Windows hosts.
2. Determine the other options of nbtstat and what each option outputs.
3. Analyze the net use command used to establish a null session on the target machine.