Chapter 6. Enumerating Target

INFORMATION GATHERING – Enumerating Target

Enumeration is the process of extracting user names, machine names, network resources, shares and services from a system. In this phase, the attacker creates an active connection to the system and performs directed queries to gain more information about the target. The gathered information is used to identify vulnerabilities or weak points in the system's security, which the attacker then tries to exploit in the system-gaining phase.

Note
These are processes performed by intruders or hackers against system network resources, users and groups, web servers, installed applications, etc.

Techniques for Enumeration

  • Extracting user names using email IDs
  • Extract information using the default password
  • Brute Force Active Directory
  • Extract user names using SNMP
  • Extract user groups from Windows
  • Extract information using DNS Zone transfer

Enumerating Tools
There are a lot of tools available to perform enumeration scanning. Some of the most popular tools are nmap, zenmap, nikto2 and WPScan.

  • Nmap is a powerful network security tool written by Gordon Lyon. It was released almost 20 years ago (in 1997) and has since become the de facto standard for network mapping and port scanning, allowing network administrators to discover hosts and services on a computer network, and create a map of the network.
  • Zenmap is the official Nmap Security Scanner GUI. It performs the same functions as nmap. The only difference is that you get to see everything graphically instead of in the console output provided by nmap.
  • Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/programs, checks for outdated versions of over 1250 servers, and version specific problems on over 270 servers.
  • WPScan is a black box WordPress vulnerability scanner that can be used to scan remote WordPress installations to find security issues.

In the previous post, we discussed nmap and zenmap and also performed some information gathering techniques using those tools. In this post, we will use Nikto and WPScan against the same domain for possible information sourcing. Both tools provide additional options for different targets; see --help for more information.

Nikto Tools

  • Using Nikto to perform scanning on a secure or hidden domain IP might result in a "no information found" result. We have performed multiple scans on the same target team1.pentest.id with no result.
  • After using Censys to reveal the real IP of the team1.pentest.id domain, we performed the same process again and we were able to gather information about the target:
    the web server, operating system, database or the server and its version.


WPScan Tools

  • Performing wpscan --url team1.pentest.id --enumerate u, we are able to gather information about the target:
    the host server, database version and some entry points
    "/wp-login.php and /password.lst"
  • We are also able to gather information about some of the plugins installed.
  • We also gather information about the users available on the target database.
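Seen from the target's side, both of the scans above leave a recognisable trace in the web server's access log: the tools' default User-Agent strings name them, and Nikto's probing of "potentially dangerous files" produces a burst of 404s. The following is an added example (not code from this post, Nikto or WPScan) that parses Apache combined-format log lines and flags source IPs by scanner User-Agent or by a 404 burst; the log lines and IPs are constructed, and the User-Agent strings are modelled on the tools' defaults but are assumptions.

```python
import re
from collections import defaultdict

# Constructed Apache combined-format sample; IPs are documentation ranges,
# User-Agent strings are modelled on the scanners' defaults (assumption).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Nikto/2.1.6) (Evasions:None) (Test:000001)"
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 209 "-" "Mozilla/5.0 (Nikto/2.1.6) (Evasions:None) (Test:000123)"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /phpinfo.php HTTP/1.1" 404 209 "-" "Mozilla/5.0 (Nikto/2.1.6) (Evasions:None) (Test:000456)"
198.51.100.4 - - [10/Oct/2023:14:01:02 +0000] "GET /wp-login.php HTTP/1.1" 200 1834 "-" "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"
198.51.100.4 - - [10/Oct/2023:14:01:03 +0000] "GET /password.lst HTTP/1.1" 404 209 "-" "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"
198.51.100.77 - - [10/Oct/2023:14:07:10 +0000] "GET /backup.zip HTTP/1.1" 404 209 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/117.0"
198.51.100.77 - - [10/Oct/2023:14:07:10 +0000] "GET /admin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/117.0"
198.51.100.77 - - [10/Oct/2023:14:07:11 +0000] "GET /old/ HTTP/1.1" 404 209 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/117.0"
192.0.2.9 - - [10/Oct/2023:14:05:10 +0000] "GET /index.php HTTP/1.1" 200 4021 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/117.0"
"""

# Combined log format: ip ident user [time] "req" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
SCANNER_UA = re.compile(r"\b(Nikto|WPScan)\b", re.IGNORECASE)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_scanners(log_text, not_found_threshold=3):
    """Return {ip: {"requests", "not_found", "scanner"}} for IPs that either
    announce a scanner in their User-Agent or hit >= threshold 404s (a probe
    burst, which catches scans run with a disguised User-Agent)."""
    stats = defaultdict(lambda: {"requests": 0, "not_found": 0, "scanner": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not in combined format
        s = stats[rec["ip"]]
        s["requests"] += 1
        if rec["status"] == 404:
            s["not_found"] += 1
        m = SCANNER_UA.search(rec["ua"])
        if m:
            s["scanner"] = m.group(1)
    return {ip: s for ip, s in stats.items()
            if s["scanner"] or s["not_found"] >= not_found_threshold}


if __name__ == "__main__":
    for ip, s in find_scanners(SAMPLE_LOG).items():
        print(ip, s)
```

On a real server, feed it the access log and tune the 404 threshold to the site's normal noise; a scan that spoofs a browser User-Agent still shows up through the 404 burst, as the 198.51.100.77 entries illustrate.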
