
CEH Lab Manual

Enumeration
Module 04

Enumeration
Enumeration is the process of extracting user names, machine names, network resources, shares, and services from a system. Enumeration is conducted in an intranet environment.

Icon key: Valuable information; Test your knowledge; Web exercise; Workbook review

Lab Scenario
Penetration testing is much more than just running exploits against vulnerable
systems like we learned in the previous module. In fact, a penetration test begins
before penetration testers have even made contact with the victim systems.
As an expert ethical hacker and penetration tester you must know how to
enumerate target networks and extract lists of computers, user names, user
groups, ports, operating systems, machine names, network resources, and services
using various enumeration techniques.

Lab Objectives
The objective of this lab is to provide expert knowledge on network
enumeration and other responsibilities that include:
User name and user groups
Lists of computers, their operating systems, and ports
Machine names, network resources, and services
Lists of shares on individual hosts on the network
Policies and passwords

Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 04 Enumeration

Lab Environment
To carry out the lab, you need:
Windows Server 2012 as host machine
Windows Server 2008, Windows 8 and Windows 7 as virtual machines
A web browser with an Internet connection
Administrative privileges to run tools

Lab Duration
Time: 60 Minutes

Overview of Enumeration
Enumeration is the process of extracting user names, machine names, network
resources, shares, and services from a system. Enumeration techniques are
conducted in an intranet environment.

Ethical Hacking and Countermeasures Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.

Lab Tasks
Task 1: Overview
Recommended labs to assist you in Enumeration:
Enumerating a Target Network Using Nmap Tool
Enumerating NetBIOS Using the SuperScan Tool
Enumerating NetBIOS Using the NetBIOS Enumerator Tool
Enumerating a Network Using the SoftPerfect Network Scanner
Enumerating a Network Using SolarWinds Toolset
Enumerating the System Using Hyena

Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on
your target's security posture and exposure.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Enumerating a Target Network Using Nmap
Enumeration is the process of extracting user names, machine names, network
resources, shares, and services from a system.

Lab Scenario
In fact, a penetration test begins before penetration testers have even made contact
with the victim systems. During enumeration, information is systematically collected
and individual systems are identified. The pen testers examine the systems in their
entirety, which allows evaluating security weaknesses. In this lab, we discuss Nmap; it
uses raw IP packets in novel ways to determine what hosts are available on the
network, what services (application name and version) those hosts are offering, what
operating systems (and OS versions) they are running, and what type of packet
filters/firewalls are in use. It was designed to rapidly scan large networks. By using
the open ports, an attacker can easily attack the target machine; to overcome this
type of attack, networks are filled with IP filters, firewalls, and other obstacles.

As an expert ethical hacker and penetration tester, you need to enumerate a target
network and extract a list of computers, user names, user groups, machine names,
network resources, and services using various enumeration techniques.

Lab Objectives
The objective of this lab is to help students understand and perform enumeration
on target network using various techniques to obtain:
User names and user groups
Lists of computers, their operating systems, and the ports on them
Machine names, network resources, and services
Lists of shares on the individual hosts on the network
Policies and passwords

Lab Environment
To perform the lab, you need:
A computer running Windows Server 2008 as a virtual machine
A computer running with Windows Server 2012 as a host machine
Nmap is located at D:\CEH-Tools\CEHv8 Module 04 Enumeration\Additional Enumeration Pen Testing Tools\Nmap
Administrative privileges to install and run tools

Lab Duration
Time: 10 Minutes

Overview of Enumeration
Enumeration is the process of extracting user names, machine names, network
resources, shares, and services from a system. Enumeration techniques are
conducted in an intranet environment.

Note: Take a snapshot (a type of quick backup) of your virtual machine before
each lab, because if something goes wrong, you can go back to it.

Lab Tasks
The basic idea in this section is to:
Perform scans to find hosts with NetBIOS ports open (135, 137-139, 445)
Do an nbtstat scan to find generic information (computer names, user names, MAC addresses) on the hosts
Create a Null Session to these hosts to gain more information
Install and Launch Nmap in a Windows Server 2012 machine

Task 1: Nbtstat and Null Sessions

1. Launch the Start menu by hovering the mouse cursor on the lower-left
corner of the desktop.

FIGURE 1.1: Windows Server 2012 Desktop view

2. Click the Nmap-Zenmap GUI app to open the Zenmap window.

Note: The Zenmap file installs the following files:
Nmap Core Files
Nmap Path
WinPcap 4.1.1
Network Interface Import
Zenmap (GUI frontend)

FIGURE 1.2: Windows Server 2012 Apps

3. Start your virtual machine running Windows Server 2008.
4. Now launch the nmap tool in the Windows Server 2012 host machine.
5. Perform nmap -O scan for the Windows Server 2008 virtual machine
(10.0.0.6) network. This takes a few minutes.

Note: Use the --osscan-guess option for best results in nmap.

Note: IP addresses may vary in your lab environment.

FIGURE 1.3: The Zenmap Main window

6. Nmap performs a scan for the provided target IP address and outputs the
results on the Nmap Output tab.

Note: Nmap.org is the official source for downloading Nmap source code and
binaries for Nmap and Zenmap.

7. Your first target is the computer with a Windows operating system on
which you can see ports 139 and 445 open. Remember this usually works
only against Windows but may partially succeed if other OSes have these
ports open. There may be more than one system that has NetBIOS open.

Task 2: Find hosts with NetBIOS ports open

    nmap -O 10.0.0.6

    Starting Nmap 6.01 ( http://nmap.org ) at 2012-09-04 10:55
    Nmap scan report for 10.0.0.6
    Host is up (0.00011s latency).
    Not shown: 993 filtered ports
    PORT      STATE SERVICE
    135/tcp   open  msrpc
    139/tcp   open  netbios-ssn
    445/tcp   open  microsoft-ds
    554/tcp   open  rtsp
    2869/tcp  open  icslap
    5357/tcp  open  wsdapi
    10243/tcp open  unknown
    MAC Address: (Microsoft)
    Warning: OSScan results may b... not find at least 1 open and 1 closed port
    Device type: general purpose
    Running: Microsoft Windows 7|Vista|2008
    OS CPE: cpe:/o:microsoft:windows_7::professional cpe:/o:microsoft:windows_vista:: cpe:/

FIGURE 1.4: The Zenmap output window

8. Now you see that ports 139 and 445 are open and port 139 is using
NetBIOS.
9. Now launch the command prompt in Windows Server 2008 virtual
machine and perform nbtstat on port 139 of the target machine.
10. Run the command nbtstat -A 10.0.0.7.


_x

c A d m in is tr a to r C om m and P ro m p t
C : \ U s e r s \ A d n in is tr a t o r > n b ts t a t

N map has
traditionally been a
command-line tool run
from a U N IX shell or
(more recently) a Windows
command prompt.

L o c a l A re a C o n n e c tio n 2 :
Node I p A d d r e s s : [ 1 0 . 0 . 0 . 31
N e tB IO S

R e m o te

Nane
W IN - D 3 9 M R S H L9E 4<0 0 >
WORKGROUP
<00>
W IN -D 3 9 M R 5 H L 9 E 4 < 2 0 >
MAC A d d r e s s

= D . J l. A

-A

1 0 .0 .0 .?

S cope

Id :

M a c h in e

[1

Name T a b l e

Type

S ta tu s

U N IQ U E
GROUP
U N IQ U E

R e g is te re d
R e g is te re d
R e g is te re d

J1_-2D

C :\U s e r s \A d n in is tr a to r >

zl
FIGURE 1.5: Command Prompt with die nbtstat command

11. We have not even created a null session (an unauthenticated session) yet,
and we can still pull this info down.

Task 3: Create a Null Session

12. Now create a null session.

13. In the command prompt, type net use \\X.X.X.X\IPC$ ""/u:"" (where
X.X.X.X is the address of the host machine, and there are no spaces
between the double quotes).

    C:\>net use \\10.0.0.7\IPC$ ""/u:""
    Local name
    Remote name       \\10.0.0.7\IPC$
    Resource type     IPC
    Status            OK
    # Opens           0
    # Connections     1
    The command completed successfully.

    C:\>

Note: Net Command Syntax: NET [ ACCOUNTS | COMPUTER | CONFIG | CONTINUE | FILE |
GROUP | HELP | HELPMSG | LOCALGROUP | NAME | PAUSE | PRINT | SEND | SESSION |
SHARE | START | STATISTICS | STOP | TIME | USE | USER | VIEW ]

FIGURE 1.6: The command prompt with the net use command

14. Confirm it by issuing a generic net use command to see connected null
sessions from your host.
15. To confirm, type net use, which should list your newly created null
session.

FIGURE 1.7: The command prompt with the net use command
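
The output collected in steps 5 to 15 can be condensed into an exposure summary for the host. The Python sketch below is an added example, not part of the original lab manual: it parses Nmap port output and an nbtstat -A name table and reports which NetBIOS/SMB ports are reachable and what the name table reveals without authentication. The sample text is constructed from the lab's figures, and the function names are assumptions.

```python
"""Added example: summarize NetBIOS/SMB exposure from Nmap and nbtstat text."""
import re

# Ports the lab scans for (135, 137-139, 445).
NETBIOS_PORTS = {135, 137, 138, 139, 445}

# Common NetBIOS name suffixes (the 16th byte of the name) and their roles.
SUFFIXES = {
    ("00", "UNIQUE"): "Workstation service",
    ("00", "GROUP"): "Domain/workgroup name",
    ("20", "UNIQUE"): "File server service",
    ("1D", "UNIQUE"): "Master browser",
    ("1E", "GROUP"): "Potential master browser",
}

# Constructed sample, modelled on the Nmap scan of 10.0.0.6 in this lab.
NMAP_SAMPLE = """\
Nmap scan report for 10.0.0.6
Host is up (0.00011s latency).
Not shown: 993 filtered ports
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
554/tcp   open  rtsp
"""

# Constructed sample, modelled on the nbtstat -A output in this lab.
NBTSTAT_SAMPLE = """\
       NetBIOS Remote Machine Name Table
   Name               Type         Status
---------------------------------------------
WIN-D39MR5HL9E4<00>  UNIQUE      Registered
WORKGROUP      <00>  GROUP       Registered
WIN-D39MR5HL9E4<20>  UNIQUE      Registered
"""


def netbios_exposure(nmap_text):
    """Return {host: sorted open NetBIOS/SMB TCP ports} from Nmap normal output."""
    hosts, current = {}, None
    for line in nmap_text.splitlines():
        m = re.match(r"Nmap scan report for (?:\S+ \()?([\d.]+)\)?", line)
        if m:
            current = m.group(1)
            hosts[current] = []
            continue
        m = re.match(r"(\d+)/tcp\s+open\s+\S+", line)
        if m and current and int(m.group(1)) in NETBIOS_PORTS:
            hosts[current].append(int(m.group(1)))
    # Hosts with none of the ports open are not exposed and are left out.
    return {h: sorted(p) for h, p in hosts.items() if p}


def parse_name_table(nbtstat_text):
    """Return [(name, suffix, type, role)] from an nbtstat -A name table."""
    rows = []
    pattern = r"\s*(\S.*?)\s*<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+\S+"
    for line in nbtstat_text.splitlines():
        m = re.match(pattern, line)
        if m:
            name, suffix, kind = m.group(1), m.group(2).upper(), m.group(3)
            role = SUFFIXES.get((suffix, kind), "Unknown")
            rows.append((name, suffix, kind, role))
    return rows


def summarize(nmap_text, nbtstat_text):
    """Collect what an unauthenticated peer on the network can learn."""
    rows = parse_name_table(nbtstat_text)
    return {
        "exposed_ports": netbios_exposure(nmap_text),
        "computer_names": sorted({n for n, s, k, _ in rows
                                  if (s, k) == ("00", "UNIQUE")}),
        "workgroups": sorted({n for n, s, k, _ in rows
                              if (s, k) == ("00", "GROUP")}),
        # A <20> UNIQUE entry means the Server (file sharing) service is running.
        "file_sharing": any((s, k) == ("20", "UNIQUE") for _, s, k, _ in rows),
    }


if __name__ == "__main__":
    for key, value in summarize(NMAP_SAMPLE, NBTSTAT_SAMPLE).items():
        print(f"{key}: {value}")
```
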

Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on
your target's security posture and exposure.

Tool/Utility: Nmap
Information Collected/Objectives Achieved:
Target Machine: 10.0.0.6
List of Open Ports: 135/tcp, 139/tcp, 445/tcp, 554/tcp, 2869/tcp, 5357/tcp, 10243/tcp
NetBIOS Remote machine IP address: 10.0.0.7
Output: Successful connection of Null session

Questions
1. Evaluate what nbtstat -A shows us for each of the Windows hosts.
2. Determine the other options of nbtstat and what each option outputs.
3. Analyze the net use command used to establish a null session on the target
machine.

Internet Connection Required: [ ] Yes  [x] No
Platform Supported: [x] Classroom  [x] iLabs

Lab

Enumerating NetBIOS Using the SuperScan Tool
SuperScan is a TCP port scanner, pinger, and resolver. The tool's features include
extensive Windows host enumeration capability, TCP SYN scanning, and UDP
scanning.

Lab Scenario
During enumeration, information is systematically collected and individual systems
are identified. The pen testers examine the systems in their entirety; this allows
evaluating security weaknesses. In this lab we extract NetBIOS information, user
and group accounts, network shares, trusted domains, and services, which are
either running or stopped. SuperScan detects open TCP and UDP ports on a target
machine and determines which services are running on those ports; by using this,
an attacker can exploit the open port and hack your machine. As an expert ethical
hacker and penetration tester, you need to enumerate target networks and extract
lists of computers, user names, user groups, machine names, network resources,
and services using various enumeration techniques.

Lab Objectives
The objective of this lab is to help students learn and perform NetBIOS
enumeration. NetBIOS enumeration is carried out to obtain:
List of computers that belong to a domain
List of shares on the individual hosts on the network
Policies and passwords

Lab Environment
To carry out the lab, you need:
SuperScan tool is located at D:\CEH-Tools\CEHv8 Module 04 Enumeration\NetBIOS Enumeration Tools\SuperScan
You can also download the latest version of SuperScan from this link http://www.mcafee.com/us/downloads/free-tools/superscan.aspx
A computer running Windows Server 2012 as host machine
Windows 8 running on a virtual machine as target machine
Administrative privileges to install and run tools
A web browser with an Internet connection

Note: You can also download SuperScan from http://www.foundstone.co

Lab Duration
Time: 10 Minutes

Overview of NetBIOS Enumeration
1. The purpose of NetBIOS enumeration is to gather information, such as:
a. Account lockout threshold
b. Local groups and user accounts
c. Global groups and user accounts
2. Restrict anonymous bypass routine and also password checking:
a. Checks for user accounts with blank passwords
b. Checks for user accounts with passwords that are same as the usernames in lower case

Note: SuperScan is not supported by Windows 95/98/ME.

Lab Tasks
Task 1: Perform Enumeration

1. Double-click the SuperScan4 file. The SuperScan window appears.
2. Click the Windows Enumeration tab located on the top menu.
3. Enter the Hostname/IP/URL in the text box. In this lab, we have a
Windows 8 virtual machine IP address. These IP addresses may vary in
lab environments.
4. Check the types of enumeration you want to perform.
5. Now, click Enumerate.

FIGURE 2.2: SuperScan main window with IP address
(Enumeration Type options shown in the window: NetBIOS Name Table, NULL Session, MAC Addresses, Workstation type, Users, Groups, RPC Endpoint Dump, Account Policies, Shares, Domains, Remote Time of Day, Logon Sessions, Drives, Trusted Domains, Services, Registry)

Note: Windows XP Service Pack 2 has removed raw sockets support, which
now limits SuperScan and many other network scanning tools. Some
functionality can be restored by running the net stop Shared Access at the
Windows command prompt before starting SuperScan.

SuperScan features:
Superior scanning speed
Support for unlimited IP ranges
Improved host detection using multiple ICMP methods
TCP SYN scanning
UDP scanning (two methods)
IP address import supporting ranges and CIDR formats
Simple HTML report generation
Source port scanning
Fast hostname resolving
Extensive banner grabbing
Massive built-in port list description database
IP and port scan order randomization
A collection of useful tools (ping, traceroute, Whois etc.)
Extensive Windows host enumeration capability

6. SuperScan starts enumerating the provided hostname and displays the
results in the right pane of the window.

Note: You can use SuperScan to perform port scans, retrieve general
network information, such as name lookups and traceroutes, and enumerate
Windows host information, such as users, groups, and services.

    NetBIOS information on 10.0.0.8
    4 names in table
    ADMIN      00  UNIQUE  Workstation service name
    WORKGROUP  00  GROUP   Workstation service name
    ADMIN      20  UNIQUE  Server services name
    WORKGROUP  1E  GROUP   Group name

    Attempting a NULL session connection on 10.0.0.8
    Workstation/server type on 10.0.0.8
    Users on 10.0.0.8
    Groups on 10.0.0.8
    RPC endpoints on 10.0.0.8

FIGURE 2.3: SuperScan main window with results

7. Wait for a while to complete the enumeration process.
8. After the completion of the enumeration process, an Enumeration
completion message displays.

Note: Your scan can be configured in the Host and Service Discovery and Scan
Options tabs. The Scan Options tab lets you control such things as
name resolution and banner grabbing.

FIGURE 2.4: SuperScan main window with results

9. Now move the scrollbar up to see the results of the enumeration.

10. To perform a new enumeration on another host name, click the Clear
button at the top right of the window. The option erases all the
previous results.

Note: SuperScan has four different ICMP host discovery methods
available. This is useful, because while a firewall may block ICMP echo
requests, it may not block other ICMP packets, such as timestamp requests.
SuperScan gives you the potential to discover more hosts.

FIGURE 2.5: SuperScan main window with results

Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on
your target's security posture and exposure.

Tool/Utility: SuperScan Tool
Information Collected/Objectives Achieved:
Enumerating Virtual Machine IP address: 10.0.0.8
Performing Enumeration Types:
Null Session
MAC Address
Work Station Type
Users
Groups
Domain
Account Policies
Registry
Output: Interface, Binding, Objective ID, and Annotation

Questions
1. Analyze how remote registry enumeration is possible (assuming appropriate
access rights have been given) and is controlled by the provided registry.txt
file.
2. As far as stealth is concerned, this program, too, leaves a rather large
footprint in the logs, even in SYN scan mode. Determine how you can
avoid this footprint in the logs.

Internet Connection Required: [ ] Yes  [x] No
Platform Supported: [x] Classroom  [x] iLabs

Lab 3
Enumerating NetBIOS Using the NetBIOS Enumerator Tool
Enumeration is the process of probing identified services for known weaknesses.

Lab Scenario
Enumeration is the first attack on a target network; enumeration is the process of
gathering the information about a target machine by actively connecting to it.
Discover NetBIOS name enumeration with NBTscan. Enumeration means to
identify the user account, system account, and admin account. In this lab, we
enumerate a machine's user name, MAC address, and domain group. You must
have sound knowledge of enumeration, a process that requires an active connection
to the machine being attacked. A hacker enumerates applications and banners in
addition to identifying user accounts and shared resources.

Lab Objectives
The objective of this lab is to help students learn and perform NetBIOS
enumeration.
The purpose of NetBIOS enumeration is to gather the following information:
Account lockout threshold
Local groups and user accounts
Global groups and user accounts
To restrict anonymous bypass routine and also password checking for
user accounts with:
Blank passwords
Passwords that are same as the username in lower case

Lab Environment
To carry out the lab, you need:
NETBIOS Enumerator tool is located at D:\CEH-Tools\CEHv8 Module 04 Enumeration\NetBIOS Enumeration Tools\NetBIOS Enumerator
You can also download the latest version of NetBIOS Enumerator from
the link http://nbtenum.sourceforge.net/
If you decide to download the latest version, then screenshots shown in
the lab might differ
Run this tool in Windows Server 2012
Administrative privileges are required to run this tool

Lab Duration
Time: 10 Minutes

Overview of Enumeration
Enumeration involves making active connections, so that they can be logged.
Typical information attackers look for in enumeration includes user account names
for future password guessing attacks. NetBIOS Enumerator is an enumeration tool
that shows how to use remote network support and to deal with some other
interesting web techniques, such as SMB.
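
Because these connections can be logged, a defender can look for the null-session pattern from this module in Windows Security events. The Python sketch below is an added example, not part of the original lab manual: it flags an anonymous network logon (event 4624, logon type 3) followed by access to the IPC$ share (event 5140) under the same logon ID. The event records are constructed samples, and the function names are assumptions.

```python
"""Added example: flag null-session activity in exported Security events."""
from collections import defaultdict

# Constructed sample records, shaped like Security-log events exported to
# dictionaries. 4624 = successful logon; 5140 = network share accessed
# (5140 is only written when file share auditing is enabled).
EVENTS = [
    {"EventID": 4624, "TimeCreated": "2012-09-04T11:02:10", "LogonType": 3,
     "TargetUserName": "ANONYMOUS LOGON", "TargetLogonId": "0x3e1a",
     "IpAddress": "10.0.0.3"},
    {"EventID": 5140, "TimeCreated": "2012-09-04T11:02:11",
     "SubjectUserName": "ANONYMOUS LOGON", "SubjectLogonId": "0x3e1a",
     "IpAddress": "10.0.0.3", "ShareName": r"\\*\IPC$"},
    # Anonymous logon with no share access: common background noise.
    {"EventID": 4624, "TimeCreated": "2012-09-04T11:05:40", "LogonType": 3,
     "TargetUserName": "ANONYMOUS LOGON", "TargetLogonId": "0x4b20",
     "IpAddress": "10.0.0.5"},
    # Authenticated administrator session: not a null session.
    {"EventID": 4624, "TimeCreated": "2012-09-04T11:06:02", "LogonType": 3,
     "TargetUserName": "Administrator", "TargetLogonId": "0x4c77",
     "IpAddress": "10.0.0.5"},
    {"EventID": 5140, "TimeCreated": "2012-09-04T11:06:03",
     "SubjectUserName": "Administrator", "SubjectLogonId": "0x4c77",
     "IpAddress": "10.0.0.5", "ShareName": r"\\*\C$"},
]


def null_session_activity(events):
    """Return {source_ip: {"logons": n, "ipc_access": n}} for anonymous sessions."""
    anon_logon_ids = set()
    report = defaultdict(lambda: {"logons": 0, "ipc_access": 0})
    # Process in time order so a logon is seen before its share access.
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        if (ev["EventID"] == 4624 and ev.get("LogonType") == 3
                and ev.get("TargetUserName", "").upper() == "ANONYMOUS LOGON"):
            anon_logon_ids.add(ev["TargetLogonId"])
            report[ev["IpAddress"]]["logons"] += 1
        elif (ev["EventID"] == 5140
                and ev.get("SubjectLogonId") in anon_logon_ids
                and ev.get("ShareName", "").upper().endswith("\\IPC$")):
            report[ev["IpAddress"]]["ipc_access"] += 1
    return dict(report)


def sources_to_review(events, min_ipc=1):
    """Source IPs whose anonymous logon was followed by IPC$ access."""
    activity = null_session_activity(events)
    return sorted(ip for ip, c in activity.items() if c["ipc_access"] >= min_ipc)


if __name__ == "__main__":
    for ip, counts in null_session_activity(EVENTS).items():
        print(ip, counts)
    print("review:", sources_to_review(EVENTS))
```
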

Lab Tasks

Task 1: Performing Enumeration using NetBIOS Enumerator

1. To launch NetBIOS Enumerator go to D:\CEH-Tools\CEHv8 Module 04
Enumeration\NetBIOS Enumeration Tools\NetBIOS Enumerator, and
double-click NetBIOS Enumerater.exe.

Note: NetBIOS is designed to help troubleshoot NetBIOS name resolution
problems. When a network is functioning normally, NetBIOS over TCP/IP
(NetBT) resolves NetBIOS names to IP addresses.

FIGURE 3.1: NetBIOS Enumerator main window

2. In the IP range to scan section at the top left of the window, enter an IP
range in from and to text fields.
3. Click Scan.

Features:
Added port scan
GUI - ports can be added, deleted, edited
Dynamic memory management
Threaded work (64 ports scanned at once)
Network function SMB scanning is also implemented and running.

FIGURE 3.2: NetBIOS Enumerator with IP range to scan

4. NetBIOS Enumerator starts scanning for the range of IP addresses
provided.

Note: The network function, NetServerGetInfo, is also implemented in this tool.

5. After the completion of scanning, the results are displayed in the left pane
of the window.
6. A Debug window section, located in the right pane, shows the scanning of
the inserted IP range and displays Ready! after completion of the scan.

    10.0.0.3 [WIN-ULY858KHQIP]
        NetBIOS Names (3)
            WIN-ULY858KHQIP - Workstation Service
            WORKGROUP - Domain Name
            WIN-ULY858KHQIP - File Server Service
        Username: (No one logged on)
        Domain: WORKGROUP
        Round Trip Time (RTT): 3 ms
    10.0.0.6 [ADMIN-PC]
        NetBIOS Names (6)
            ADMIN-PC - Workstation Service
            WORKGROUP - Domain Name
            ADMIN-PC - File Server Service
            WORKGROUP - Potential Master Browser
            WORKGROUP - Master Browser
            __MSBROWSE__ - Master Browser
        Username: (No one logged on)
        Domain: WORKGROUP
        Round Trip Time (RTT): 0 ms
    10.0.0.7 [WIN-D39MR5HL9E4]
        NetBIOS Names (3)
        Username: (No one logged on)
        Domain: WORKGROUP
        Round Trip Time (RTT): 0 ms

    Debug window: Scanning from: 10.0.0.1 to: 10.0.0.50 Ready!

FIGURE 3.3: NetBIOS Enumerator results

Note: The protocol SNMP is implemented and running on all versions of
Windows.

7. To perform a new scan or rescan, click Clear.
8. If you are going to perform a new scan, the previous scan results are
erased.

Lab Analysis
Analyze and document the results related to the lab exercise.

Tool/Utility: NetBIOS Enumerator Tool
Information Collected/Objectives Achieved:
IP Address Range: 10.0.0.1 - 10.0.0.50
Result:
Machine Name
NetBIOS Names
User Name
Domain
MAC Address
Round Trip Time (RTT)

Internet Connection Required: [ ] Yes  [x] No
Platform Supported: [x] Classroom  [x] iLabs

Enumerating a Network Using SoftPerfect Network Scanner
SoftPerfect Network Scanner is a free multi-threaded IP, NetBIOS, and SNMP
scanner with a modern interface and many advanced features.

Lab Scenario
To be an expert ethical hacker and penetration tester, you must have sound
knowledge of enumeration, which requires an active connection to the machine
being attacked. A hacker enumerates applications and banners in addition to
identifying user accounts and shared resources. In this lab we try to resolve host
names and auto-detect your local and external IP range.

Lab Objectives
The objective of this lab is to help students learn and perform NetBIOS
enumeration. NetBIOS enumeration is carried out to detect:
Hardware MAC addresses across routers
Hidden shared folders and writable ones
Internal and external IP address

Lab Environment
To carry out the lab, you need:
SoftPerfect Network Scanner is located at D:\CEH-Tools\CEHv8 Module 04 Enumeration\SNMP Enumeration Tools\SoftPerfect Network Scanner
You can also download the latest version of SoftPerfect Network
Scanner from the link http://www.softperfect.com/products/networkscanner/
If you decide to download the latest version, then screenshots shown in
the lab might differ
Run this tool in Windows 2012 server
Administrative privileges are required to run this tool

Note: You can also download SoftPerfect Network Scanner from
http://www.SoftPerfect.com.

Lab Duration
Tune: 5 A!unites

Overview of Enumeration
Enumeration involves an active connection so that it can be logged. Typical information that attackers are looking for includes user account names for future password-guessing attacks.

Lab Task
TASK 1: Enumerate Network

1. To launch SoftPerfect Network Scanner, navigate to D:\CEH-Tools\CEHv8 Module 04 Enumeration\SNMP Enumeration Tools\SoftPerfect Network Scanner
2. Double-click netscan.exe


SoftPerfect allows you to mount shared folders as network drives, browse them using Windows Explorer, and filter the results list.

FIGURE 4.1: SoftPerfect Network Scanner main window

3. To start scanning your network, enter an IP range in the Range From field and click Start Scanning.

FIGURE 4.2: SoftPerfect setting an IP range to scan

4. The status bar displays the status of the scanned IP addresses at the bottom of the window.

SoftPerfect Network Scanner can also check for a user-defined port and report if one is open. It can also resolve host names and auto-detect your local and external IP range. It supports remote shutdown and Wake-On-LAN.

FIGURE 4.3: SoftPerfect status bar

5. To view the properties of an individual IP address, right-click that particular IP address.

FIGURE 4.4: SoftPerfect IP address scanned details
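The range scan in steps 3 and 4 contacts every address from 10.0.0.1 to 10.0.0.50 in a few seconds, which is the kind of active connection the overview says can be logged. The following added example (not part of the lab manual) shows one way a defender could flag that pattern in flow records; the record format, the scanner address 10.0.0.12, the background traffic and the thresholds are all constructed assumptions.

```python
"""Flag sources whose traffic looks like an address-range enumeration sweep.

Input records are constructed sample data in the form
"ISO-timestamp src dst proto dport", one per line.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Services probed by NetBIOS, SNMP and SMB enumeration tools.
ENUM_PORTS = {("udp", 137), ("udp", 161), ("tcp", 139), ("tcp", 445)}


def parse_flow(line):
    """Split one record into (timestamp, src, dst, proto, dport)."""
    ts, src, dst, proto, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, proto.lower(), int(dport)


def find_sweeps(lines, window=timedelta(seconds=60), min_targets=20):
    """Return {src: peak number of distinct destinations seen in one window}
    for every source that reaches min_targets on enumeration ports."""
    recent = defaultdict(deque)   # src -> time-ordered (timestamp, dst) pairs
    peak = defaultdict(int)
    flows = sorted(parse_flow(l) for l in lines if l.strip())
    for ts, src, dst, proto, dport in flows:
        if (proto, dport) not in ENUM_PORTS:
            continue
        q = recent[src]
        q.append((ts, dst))
        # Drop records that have fallen out of the sliding window.
        while q and ts - q[0][0] > window:
            q.popleft()
        peak[src] = max(peak[src], len({d for _, d in q}))
    return {src: n for src, n in peak.items() if n >= min_targets}


def sample_flows():
    """Build constructed records: one sweep plus ordinary traffic."""
    base = datetime(2012, 9, 5, 10, 0, 0)
    lines = []
    # Sweep: one host probes 10.0.0.1-10.0.0.50 on udp/137 and udp/161.
    for i in range(1, 51):
        t = (base + timedelta(milliseconds=200 * i)).isoformat()
        lines.append(f"{t} 10.0.0.12 10.0.0.{i} udp 137")
        lines.append(f"{t} 10.0.0.12 10.0.0.{i} udp 161")
    # Monitoring poller: one SNMP query every five minutes.
    for i in range(30):
        t = (base + timedelta(minutes=5 * i)).isoformat()
        lines.append(f"{t} 10.0.0.20 10.0.0.{i + 1} udp 161")
    # File-share client talking to a single server, and unrelated web traffic.
    for i in range(5):
        t = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{t} 10.0.0.6 10.0.0.2 tcp 445")
    lines.append(f"{base.isoformat()} 10.0.0.8 10.0.0.3 tcp 80")
    return lines


if __name__ == "__main__":
    for src, count in find_sweeps(sample_flows()).items():
        print(f"{src} contacted {count} hosts on enumeration ports within 60 s")
```

The threshold and window need tuning against the legitimate pollers and inventory tools on the monitored network.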

Lab Analysis
Analyze and document the results related to the lab exercise.

Tool/Utility: SoftPerfect Network Scanner
Information Collected/Objectives Achieved:
IP Address Range: 10.0.0.1 - 10.0.0.50
Result:
IP Address
Host Names
MAC Address
Response Time

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. Examine the detection of the IP addresses and MAC addresses across routers.
2. Evaluate the scans for listening ports and some UDP and SNMP services.
3. How would you launch external third-party applications?

Internet Connection Required: [ ] Yes [x] No
Platform Supported: [x] Classroom [x] iLabs

Lab

Enumerating a Network Using SolarWinds Toolset
The SolarWinds Toolset provides the tools you need as a network engineer or network consultant to get your job done. Toolset includes best-of-breed solutions that work simply and precisely, providing the diagnostic, performance, and bandwidth measurements you want, without extraneous, unnecessary features.

Lab Scenario
Penetration testing is much more than just running exploits against vulnerable systems like we learned in the previous module. In fact a penetration test begins before penetration testers have even made contact with the victim systems. Rather than blindly throwing out exploits and praying that one of them returns a shell, penetration testers meticulously study the environment for potential weaknesses and their mitigating factors. By the time a penetration tester runs an exploit, he or she is nearly certain that it will be successful. Since failed exploits can in some cases cause a crash or even damage to a victim system, or at the very least make the victim unexploitable in the future, penetration testers won't get the best results. In this lab we enumerate target system services, accounts, hub ports, TCP/IP network, and routes.
You must have sound knowledge of enumeration, which requires an active connection to the machine being attacked. A hacker enumerates applications and banners in addition to identifying user accounts and shared resources.

Lab Objectives
The objective of this lab is to help students learn and perform NetBIOS
enumeration. NetBIOS enumeration is carried out to detect:
Hardware MAC addresses across routers

Hidden shared folders and writable ones

Internal and external IP addresses


Lab Environment
To carry out the lab, you need:
SolarWinds-Toolset-V10 located at D:\CEH-Tools\CEHv8 Module 04 Enumeration\SNMP Enumeration Tools\SolarWinds IP Network Browser
You can also download the latest version of SolarWinds Toolset Scanner from the link http://www.solarwinds.com/
If you decide to download the latest version, then screenshots shown in the lab might differ
Run this tool in Windows Server 2012 Host machine and Windows Server 2008 virtual machine
Administrative privileges are required to run this tool
Follow the wizard-driven installation instructions

You can also download SoftPerfect Network Scanner from http://www.solarwinds.com

Lab Duration
Time: 5 Minutes

Overview of Enumeration
Enumeration involves an active connection so that it can be logged. Typical information that attackers are looking for includes user account names for future password guessing attacks.

Lab Task
TASK 1: Enumerate Network

1. Configure SNMP services and select Start -> Control Panel -> Administrative Tools -> Services.

Cut troubleshooting time in half using the Workspace Studio, which puts the tools you need for common situations at your fingertips

FIGURE 5.1: Setting SNMP Services

2. Double-click SNMP service.
3. Click the Security tab, and click Add... The SNMP Services Configuration window appears. Select READ ONLY from Community rights and Public in Community Name, and click Add.

IP Monitor and alert in real time on network availability and health with tools including Real-Time Interface Monitor, SNMP Real-Time Graph, and Advanced CPU Load

FIGURE 5.2: Configuring SNMP Services

4. Select Accept SNMP packets from any host, and click OK.

FIGURE 5.3: Setting SNMP Services

5. Install SolarWinds-Toolset-V10, located in D:\CEH-Tools\CEHv8 Module 04 Enumeration\SNMP Enumeration Tools\SolarWinds IP Network Browser.
6. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.

FIGURE 5.4: Windows Server 2012 Desktop view

Perform robust network diagnostics for troubleshooting and quickly resolving complex network issues with tools such as Ping Sweep, DNS Analyzer, and Trace Route

7. Click the Workspace Studio app to open the SolarWinds Workspace Studio window.

FIGURE 5.5: Windows Server 2012 Apps

6. The main window of SolarWinds Workspace Studio is shown in the following figure.

FIGURE 5.6: SolarWinds Workspace Studio main window

7. Click External Tools, and then select Classic tools -> Network Discovery
-> IP Network Browser.

Deploy an array of network discovery tools including Port Scanner, Switch Port Mapper, and Advanced Subnet Calculator.

FIGURE 5.7: Menu Escalation for IP network browser

8. IP Network Browser will be shown. Enter the Windows 8 Virtual Machine IP address (10.0.0.7) and click Scan Device (the IP address will be different in your network).

SolarWinds Toolset applications use several methods to collect data about the health and performance of your network, including ICMP, SNMPv3, DNS and Syslog. Toolset does NOT require deployment of proprietary agents, appliances, or garden gnomes on the network.

FIGURE 5.8: IP Network Browser windows

9. It will show the result in a line with the IP address and name of the computer that is being scanned.
10. Now click the Plus (+) sign before the IP address.

NetFlow Realtime is intended for granular, real-time troubleshooting and analysis of NetFlow statistics on single interface and is limited to a 1 hour capture

FIGURE 5.9: IP Network Browser windows results page

11. It will list all the information of the targeted IP address.

To start a new tab, go to tabs on the menu bar and choose new tab. Right-click on a tab to bring up options (Import, Export, Rename, Save, Close). You can add tools to tabs from the Gadgets box in the lower left or directly from the gadgets menu. A good way to approach it is to collect all the tools you need for a given task (troubleshooting Internet connectivity, for example) on one tab. Next time you face that situation simply open that tab

FIGURE 5.10: IP Network Browser windows results page
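Steps 3 and 4 leave the SNMP service answering to the community name public from any host, which is what allows the scan in steps 8 to 11 to read the system's details. The following added example (not part of the lab manual) audits an exported copy of the SNMP service's registry settings for those two conditions; the .reg text is constructed sample data, and the second community name and the manager address 10.0.0.20 are assumptions.

```python
"""Audit Windows SNMP service settings taken from a .reg export.

The ValidCommunities key maps each community name to a rights DWORD and the
PermittedManagers key lists the hosts allowed to send SNMP packets; an empty
PermittedManagers key corresponds to "Accept SNMP packets from any host".
"""
import re

BASE = r"hkey_local_machine\system\currentcontrolset\services\snmp\parameters"
RIGHTS = {1: "NONE", 2: "NOTIFY", 4: "READ ONLY", 8: "READ WRITE", 16: "READ CREATE"}
DEFAULT_NAMES = {"public", "private"}
VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')

# Constructed sample: the state the lab leaves behind after steps 3 and 4.
LAB_CONFIG = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities]
"public"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\PermittedManagers]
"""

# Constructed sample: non-default name, read-only, one permitted manager.
HARDENED_CONFIG = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities]
"lab-ro-7f3c"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\PermittedManagers]
"1"="10.0.0.20"
"""


def parse_reg(text):
    """Parse .reg text into {lower-cased key path: {value name: value}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        match = VALUE_RE.match(line)
        if current is None or not match:
            continue
        name, value = match.groups()
        if value.startswith("dword:"):
            current[name] = int(value[len("dword:"):], 16)
        elif value.startswith('"') and value.endswith('"'):
            current[name] = value[1:-1]
    return keys


def audit_snmp(text):
    """Return a list of findings for weak SNMP service settings."""
    keys = parse_reg(text)
    communities = keys.get(BASE + r"\validcommunities", {})
    managers = keys.get(BASE + r"\permittedmanagers", {})
    findings = []
    for name, rights in sorted(communities.items()):
        if not isinstance(rights, int):
            continue
        label = RIGHTS.get(rights, f"unknown rights value {rights}")
        if name.lower() in DEFAULT_NAMES:
            findings.append(f"community '{name}' is a well-known default name ({label})")
        if rights >= 8:
            findings.append(f"community '{name}' grants {label}")
    if communities and not managers:
        findings.append("no permitted managers listed: SNMP packets are accepted from any host")
    return findings


if __name__ == "__main__":
    for title, config in (("lab", LAB_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(title, audit_snmp(config) or "no findings")
```

Real exports from reg.exe or regedit are usually UTF-16 encoded, so decode the file before passing its text to audit_snmp.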

Lab Analysis
Analyze and document the results related to the lab exercise.

Tool/Utility: SolarWinds Tool Set
Information Collected/Objectives Achieved:
Scan Device IP Address: 10.0.0.7
Output:
Interfaces
Services
Accounts
Shares
Hub Ports
TCP/IP Network
IPX Network
Routes

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions
1. Analyze the details of the system such as user accounts, system MSI, hub ports, etc.
2. Find the IP address and Mac address of the system.

Internet Connection Required: [ ] Yes [x] No
Platform Supported: [x] Classroom [x] iLabs

Enumerating the System Using Hyena
Hyena uses an Explorer-style interface for all operations, including right mouse click pop-up context menus for all objects. Management of users, groups (both local and global), shares, domains, computers, services, devices, events, files, printers and print jobs, sessions, open files, disk space, user rights, messaging, exporting, job scheduling, processes, and printing are all supported.
Lab Scenario
The hacker enumerates applications and banners in addition to identifying user accounts and shared resources. In this lab, Hyena uses an Explorer-style interface for all operations. Management of users, groups (both local and global), shares, domains, computers, services, devices, events, files, printers and print jobs, sessions, open files, disk space, user rights, messaging, exporting, job scheduling, processes, and printing are all supported. To be an expert ethical hacker and penetration tester, you must have sound knowledge of enumeration, which requires an active connection to the machine being attacked.

Lab Objectives
The objective of this lab is to help students learn and perform network enumeration:
Users information in the system
Services running in the system

Lab Environment
To perform the lab, you need:
A computer running Windows Server 2012
Administrative privileges to install and run tools
You can also download this tool from following link http://www.systemtools.com/hyena/download.htm
If you decided to download latest version of this tool screenshots may differ

Lab Duration
Time: 10 Minutes

Overview of Enumeration
Enumeration is the process of extracting user names, machine names, network resources, shares, and services from a system. Enumeration techniques are conducted in an intranet environment

Lab Tasks
The basic idea in this section is to:

TASK: Installation of Hyena

1. Navigate to D:\CEH-Tools\CEHv8 Module 04 Enumeration\NetBIO Enumeration Tools\Hyena
2. Double-click Hyena_English_x64.exe. You can see the following window. Click Next

You can download the Hyena from http://www.systemtools.com/hyena/hyena_new.htm

FIGURE 6.1: Installation of Hyena

3. The Software License Agreement window appears; you must accept the agreement to install Hyena.
4. Select I accept the terms of the license agreement to continue and click Next.

FIGURE 6.2: Select the Agreement

5. Choose the destination location to install Hyena.
6. Click Next to continue the installation.

In addition to supporting standard Windows system management functions, Hyena also includes extensive Active Directory integration

FIGURE 6.3: Selecting folder for installation

7. The Ready to install the Program window appears. Click Install

Hyena can be used on any Windows client to manage any Windows NT, Windows 2000, Windows XP/Vista, Windows 7, or Windows Server 2003/2008/2012 installation

FIGURE 6.4: Selecting installation type

8. The InstallShield Wizard complete window appears. Click Finish to complete the installation.

FIGURE 6.5: Ready to install window

Enumerating system Information

9. Launch the Start menu by hovering the mouse cursor on the lower-left corner of the desktop.

FIGURE 6.6: Windows Server 2012 Desktop view

Hyena also includes full exporting capabilities and both Microsoft Access and Excel reporting and exporting options

10. Click the Hyena app to open the Hyena window.

FIGURE 6.7: Windows Server 2012 Apps

11. The Registration window will appear. Click OK to continue.
12. The main window of Hyena is shown in following figure.
13. Click + to expand Local workstation, and then click Users.

Additional command-line options were added to allow starting Hyena and automatically inserting and selecting/expanding a domain, server, or computer.

FIGURE 6.9: Expand the System users

14. To check the services running on the system, double-click Services

FIGURE 6.10: Services running in the system

15. To check the User Rights, click + to expand it.

FIGURE 6.11: Users Rights

16. To check the Scheduled jobs, click + to expand it.

Hyena will execute the most current Group Policy editor, GPME.msc, if it is present on the system

FIGURE 6.12: Scheduled jobs

Lab Analysis
Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.

Tool/Utility: Hyena
Information Collected/Objectives Achieved:
Intention: Enumerating the system
Output:
Local Connections
Users
Local Group
Shares
Shares
Sessions
Services
Events
User Rights
Performance
Registry

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Internet Connection Required: [ ] Yes [x] No
Platform Supported: [x] Classroom [x] iLabs