{"id":276,"date":"2022-10-03T13:45:09","date_gmt":"2022-10-03T05:45:09","guid":{"rendered":"https:\/\/www.yuyiares.com\/?p=276"},"modified":"2022-10-03T14:02:57","modified_gmt":"2022-10-03T06:02:57","slug":"ceh-v11-moudle-4-enumeration","status":"publish","type":"post","link":"https:\/\/www.yuyiares.com\/?p=276","title":{"rendered":"CEH v11 Moudle 4 – Enumeration"},"content":{"rendered":"\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t

0x00 \u5e38\u7528\u7684port<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t
  • UDP 137 (NETBIOS Name SErvice)<\/span><\/li>
  • TCP 139 (NEtBIOS Session Service)(SNB over NetBIOS)<\/span><\/li>
  • UDP 161<\/span><\/strong> (Simple Network Management Protocol, SNMP)<\/span><\/li>
  • TCP\/UDP 162<\/span><\/strong> SNMP Trap<\/span><\/li>
  • TCP\/UDP 53 (DNS)<\/span><\/li>
  • TCP\/UDP 135(Microsoft RPC )<\/span><\/li>
  • TCP\/UDP 389 (LDAP)<\/span><\/li>
  • TCP 2049 (NFS)<\/span><\/li>
  • TCP 25 (SMTP)<\/span><\/li>
  • (TCP\/UDP 445) SMB over TCP<\/span><\/li>
  • SNMP Ttap TCP\/UDP 162<\/span><\/li>
  • ISAKMP\/Internet Key Exchange (IKE) UDP 500<\/span><\/li>
  • SSH TCP 22<\/span><\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
    \n\t\t\t\t
    \n\t\t\t\t\t

    0x01 Enumeration Concepts (\u679a\u8209)<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
    \n\t\t\t\t
    \n\t\t\t\t\t\t\t\t\t
    • Get user names using email IDs<\/span><\/li>
    • Get information using default passwords<\/span><\/li>
    • Get user names using SNMP<\/span><\/li>
    • Brute force AD<\/span><\/li>
    • Get user groups from Windows<\/span><\/li>
    • Get information using DNS zone transfers<\/span><\/li>
    • NetBios, LDAP, NTP, DNS<\/span><\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
      \n\t\t\t\t
      \n\t\t\t\t\t

      0x02 SNMP Enumeration<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
      \n\t\t\t\t
      \n\t\t\t\t\t\t\t\t\t
      • nmap \u6307\u4ee4:\u00a0 <\/span>nmap -sU -p 161 <Target IP Address><\/code><\/li>
      • auxiliary\/scanner\/snmp\/snmp_enum
        <\/span>
        • \u6307\u4ee4: snmp-check <Target IP Address><\/code><\/li><\/ul><\/li>
        • snmp-check<\/code><\/li>
        • GUI<\/span>
          • Engineer\u2019s Toolset<\/span><\/li>
          • SNMPScanner<\/span><\/li>
          • OpUtils 5<\/span><\/li>
          • SNScan<\/span><\/li><\/ul><\/li>
          • Management Information Base (MIB)<\/span>
            • MIB \u662f\u4e00\u500b\u865b\u64ec\u6578\u64da\u5eab\uff0c\u5176\u4e2d\u5305\u542b SNMP \u7ba1\u7406\u7684\u6240\u6709\u7db2\u7d61\u5c0d\u8c61\u7684\u6b63\u5f0f\u63cf\u8ff0\u3002MIB elements are recognized using object identifiers (OIDs)<\/span>
              • DHCP.MIB<\/span><\/li>
              • HOSTMIB.MIB:\u76e3\u63a7\u548c\u7ba1\u7406\u4e3b\u6a5f\u8cc7\u6e90<\/span><\/li>
              • LNMIB2.MIB\uff1a\u5305\u542b\u5de5\u4f5c\u7ad9\u548c\u670d\u52d9\u5668\u670d\u52d9\u7684\u5c0d\u50cf\u985e\u578b<\/span><\/li>
              • MIB_II.MIB\uff1a\u4f7f\u7528\u7c21\u55ae\u7684\u67b6\u69cb\u548c\u7cfb\u7d71\u7ba1\u7406\u57fa\u65bc TCP\/IP \u7684 Internet<\/span><\/li>
              • WINS.MIB\uff1a\u7528\u65bc Windows Internet \u540d\u7a31\u670d\u52d9 (WINS)<\/span><\/li><\/ul><\/li><\/ul><\/li>
              • \u5176\u4ed6\u5de5\u5177<\/span>
                • snmpcheck<\/span><\/li>
                • softperfect network Scanner<\/span><\/li>
                • Network Performance Monitor<\/span><\/li>
                • OpUtils<\/span><\/li>
                • PRTG Network Monitor<\/span><\/li>
                • Enginner\u2019s Toolset<\/span><\/li><\/ul><\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
                  \n\t\t\t\t
                  \n\t\t\t\t\t

                  0x03 Windows System Basics<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
                  \n\t\t\t\t
                  \n\t\t\t\t\t\t\t\t\t
                  • Security Context – \u7528\u6236\u7684\u8eab\u5206\u8207\u8a8d\u8b49\u8cc7\u8a0a<\/span><\/li>
                  • Security Identifier (SID) – \u8b58\u5225\u4f7f\u7528\u8005\u3001\u7fa4\u7d44\u548c\u5e33\u6236<\/span><\/li>
                  • Resource Identifier (RID) – \u6a19\u793aSID\u5e33\u6236\u7684\u6b0a\u9650
                    <\/span><\/li>
                  • USER NUMBER<\/span>
                    • SID \u6700\u5f8c\u9762\u70ba\u4f7f\u7528\u8005\u865f\u78bc<\/span><\/li>
                    • Example SID: S-1-5-21-3874928736-367528774-1298337465**-500**<\/span><\/li>
                    • Administrator Account – SID of 500<\/span><\/li>
                    • Regular Accounts – start with a SID of 1000<\/span><\/li>
                    • Linux Systems used user IDs (UID) and group IDs (GID). Found in \/etc\/passwd<\/span><\/li><\/ul><\/li>
                    • SAM Database<\/span>
                      • file where all local passwords are stored (encrypted) (\u6240\u6709\u5bc6\u78bc)<\/span><\/li>
                      • Stored in C:\\Windows\\System32\\Config<\/span><\/li><\/ul><\/li>
                      • Linux Enumeration Commands in PowerShell or CmdPrompt<\/span>
                        • finger – \u4f7f\u7528\u8005\u548c\u96fb\u8166\u7684\u8cc7\u8a0a <\/span><\/li>
                        • rpcclient – info on RPC in the environment<\/span><\/li>
                        • showmount – \u986f\u793a\u6240\u6709\u7684shared directories
                          <\/span><\/li><\/ul><\/li>
                        • Look for share resources (NetBIOS)<\/span>
                          • net view \\sysName<\/strong>
                            <\/span><\/li><\/ul><\/li>
                          • Windows SysInternals<\/span><\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
                            \n\t\t\t\t
                            \n\t\t\t\t\t

                            0x04 NetBIOS Enumeration<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
                            \n\t\t\t\t
                            \n\t\t\t\t\t\t\t\t\t
                            • \u6307\u4ee4 :nmap -O <target><\/code><\/li>
                            • UDP port 137 or TCP port 138\/139<\/span><\/li>
                            • nbtstat displays protocol statistics and current TCP\/IP connections using NetBIOS over TCP\/IP.<\/span>
                              • nbtstat gives your own info<\/span><\/li>
                              • \u6307\u4ee4 :nbtstat -a<\/code>
                                • list the remote machine\u2019s name table given its name<\/span><\/li>
                                • (\u4ecb\u9762\u5361\u72c0\u614b) \u5217\u51fa\u6307\u5b9a\u5176\u540d\u7a31\u7684\u9060\u7aef\u96fb\u8166\u540d\u7a31\u8868\u683c<\/span><\/li><\/ul><\/li>
                                • \u6307\u4ee4 : nbtstat -A<\/code>
                                  • list the remote machine\u2019s name table given its IP address<\/span><\/li>
                                  • (\u4ecb\u9762\u5361\u72c0\u614b) \u5217\u51fa\u6307\u5b9a\u5176 IP \u4f4d\u5740\u7684\u9060\u7aef\u96fb\u8166\u540d\u7a31\u8868\u683c\u3002<\/span><\/li><\/ul><\/li>
                                  • \u6307\u4ee4 :nbtstat -n<\/code>
                                    • gives local table<\/span><\/li>
                                    • (\u540d\u7a31) \u5217\u51fa\u672c\u6a5f NetBIOS \u540d\u7a31<\/span><\/li><\/ul><\/li>
                                    • \u6307\u4ee4 :nbtstat -c<\/code>
                                      • gives cache information<\/span><\/li>
                                      • (\u5feb\u53d6) \u5217\u51fa NBT \u5feb\u53d6\u7684\u9060\u7aef\u96fb\u8166\u540d\u7a31\u548c\u5b83\u5011\u7684 IP \u4f4d\u5740\u3002<\/span><\/li><\/ul><\/li><\/ul><\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
                                        \n\t\t\t\t
                                        \n\t\t\t\t\t

                                        0x05 Linux System Basics<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
                                        \n\t\t\t\t
                                        \n\t\t\t\t\t\t\t\t\t
                                        • Enum4linux<\/span>
                                          • tool for enumerating information from Windows and Samba systems<\/span><\/li>
                                          • \u6307\u4ee4 :enum4linux -u CEH -p Pa55w0rd -U 10.0.2.23<\/code>
                                            • -u<\/code> Username, <\/span>-p<\/code> Password, <\/span>-U<\/code> users information<\/span><\/li><\/ul><\/li><\/ul><\/li>
                                            • finger<\/span>
                                              • who is currently logged in, when and where.<\/span><\/li><\/ul><\/li>
                                              • w<\/span>
                                                • \u986f\u793a\u8ab0\u767b\u9304<\/li>
                                                • \u986f\u793a\u4ed6\u5011\u6b63\u5728\u505a\u9ebc\u3002<\/li><\/ul><\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
                                                  \n\t\t\t\t
                                                  \n\t\t\t\t\t

                                                  0x06 NTP Enumeration<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
                                                  \n\t\t\t\t
                                                  \n\t\t\t\t\t\t\t\t\t
                                                  • Runs on TCP ports 389 and 636 (over SSL)<\/span><\/li>
                                                  • nmap\u6307\u4ee4 : <\/span>sudo nmap -sT -O <target IP address><\/code><\/li>
                                                  • Tools for Enumeration LDAP:<\/span>
                                                    • Softerra<\/span><\/li>
                                                    • JXplorer<\/span><\/li>
                                                    • Lex<\/span><\/li>
                                                    • LDAP Admin Tool<\/span><\/li>
                                                    • Active Directory Explorer<\/span><\/li>
                                                    • Softerra LDAP Administrator<\/span><\/li><\/ul><\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
                                                      \n\t\t\t\t
                                                      \n\t\t\t\t\t

                                                      0x07 NTP Enumeration<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
                                                      \n\t\t\t\t
                                                      \n\t\t\t\t\t\t\t\t\t
                                                      • Runs on UDP 123<\/span><\/li>
                                                      • \u6307\u4ee4 : nmap -sU -pU:123 -Pn -n --script=ntp-monlist <target><\/code><\/li>
                                                      • \u99ed\u5ba2\u900f\u904eNTP\u53d6\u5f97list of connected hosts<\/span>
                                                        • client IP(\u542bsystem name \u3001OS)<\/span><\/li>
                                                        • \u5982\u679c NTP \u670d\u52d9\u5668\u4f4d\u65bc\u975e\u8ecd\u4e8b\u5340 (DMZ)\u9084\u53ef\u4ee5\u62ff\u5230\u5167\u90e8IP<\/span><\/li><\/ul><\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
                                                          \n\t\t\t\t
                                                          \n\t\t\t\t\t

                                                          0x08 SMTP Enumeration<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
                                                          \n\t\t\t\t
                                                          \n\t\t\t\t\t\t\t\t\t
                                                            • SMTP: TCP 25 –> [outbound email]<\/span><\/li>
                                                            • IMAP: TCP 143 \/ 993(over SSL) –> [inbound email]<\/span><\/li>
                                                            • POP3: TCP 110 \/ 995(over SSL) –> [inbound email]<\/span><\/li><\/ul><\/li>
                                                            • \u6307\u4ee4: nmap -p25 --script smtp-commands <target IP><\/code><\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
                                                              \n\t\t\t\t
                                                              \n\t\t\t\t\t

                                                              0x09 NFS Enumeration<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
                                                              \n\t\t\t\t
                                                              \n\t\t\t\t\t\t\t\t\t
                                                              • \u900f\u904e Rpcinfo -p <target IP> \u5217\u8209\u51fa\u4f86<\/span><\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
                                                                \n\t\t\t\t
                                                                \n\t\t\t\t\t

                                                                0x10 SMTP Enumeration<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
                                                                \n\t\t\t\t
                                                                \n\t\t\t\t\t\t\t\t\t
                                                                • \u90f5\u4ef6\u7cfb\u7d71\u901a\u5e38\u4f7f\u7528\u5e36\u6709 POP3 \u548c IMAP \u7684 SMTP\u5b83\u5728 TCP PORT 25\u6216 587 \u4e0a\u904b\u884c\u3002<\/span><\/li>
                                                                • SMTP \u63d0\u4f9b\u4ee5\u4e0b\u4e09\u500b\u5167\u7f6e\u547d\u4ee4\u3002<\/span>
                                                                  • VRFY-Validates users\u9a57\u8b49\u4f7f\u7528\u8005<\/span><\/li>
                                                                  • EXPN-\u67e5\u8a62\u5225\u540d\u5c0d\u61c9\u7684email<\/span><\/li>
                                                                  • RCPT TO-\u5b9a\u7fa9\u6d88\u606f\u7684\u63a5\u6536\u8005<\/span><\/li><\/ul><\/li>
                                                                  • \u5de5\u5177<\/span>
                                                                    • NetScanTools Pro<\/span><\/li>
                                                                    • smtp-user-enum<\/span>
                                                                      • \u7528\u6236\u540d\u731c\u6e2c\u5de5\u5177\u4e3b\u8981\u7528\u65bc\u91dd\u5c0d\u9ed8\u8a8d\u7684 Solaris SMTP \u670d\u52d9\u3002\u53ef\u4ee5\u4f7f\u7528 EXPN\u3001VRFY \u6216 RCPT TO\u3002<\/span><\/li><\/ul><\/li><\/ul><\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
                                                                        \n\t\t\t\t
                                                                        \n\t\t\t\t\t

                                                                        0x11 DNS Enumeration<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
                                                                        \n\t\t\t\t
                                                                        \n\t\t\t\t\t\t\t\t\t
                                                                        • \u5de5\u5177<\/span>
                                                                          • dig <\/span><\/li>
                                                                          • nslookup <\/span><\/li>
                                                                          • DNSRecon<\/span><\/li><\/ul><\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
                                                                            \n\t\t\t\t
                                                                            \n\t\t\t\t\t

                                                                            0x12 VoIP Enumeration<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
                                                                            \n\t\t\t\t
                                                                            \n\t\t\t\t\t\t\t\t\t
                                                                            • VOIP\u4f7f\u7528Session Initiation Protocol(SIP)\u4f86\u555f\u7528\u5f71\u97f3\u50b3\u8f38<\/span><\/li>
                                                                            • SIP\u901a\u5e38\u4f7f\u7528UDP\/TCP2000 2001 5050 5061<\/span><\/li>
                                                                            • \u53ef\u900f\u904e\u9019\u4e9b\u8cc7\u8a0a\u4f86\u53d6\u5f97VOIP\u7684getway\u6216\u662fserver\u3001IP-PEX\u7b49\u7b49\u8cc7\u8a0a\uff0c\u9032\u800c\u57f7\u884cDOS\u3001session hijacking\u3001Caller ID Spoofing\u3001 eavesdropping(\u7aca\u807d) \u7b49<\/span><\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
                                                                              \n\t\t\t\t
                                                                              \n\t\t\t\t\t

                                                                              0x13 IPV6 Enumeration<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
                                                                              \n\t\t\t\t
                                                                              \n\t\t\t\t\t\t\t\t\t
                                                                              • Enyx<\/span><\/li>
                                                                              • IPv6 Hackit<\/span><\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
                                                                                \n\t\t\t\t
                                                                                \n\t\t\t\t\t

                                                                                0x14 BGP Enumeration<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
                                                                                \n\t\t\t\t
                                                                                \n\t\t\t\t\t\t\t\t\t
                                                                                • TCP 175<\/span><\/li>
                                                                                • The Border Gateway Protocol \u908a\u754c\u7db2\u95dc\u5354\u8b70 (BGP) \u662f\u4e00\u7a2e\u8def\u7531\u5354\u8b70\uff0c\u7528\u65bc\u5728 Internet \u4e0a\u7684\u4e0d\u540c\u81ea\u6cbb\u7cfb\u7d71 (AS) (\u81ea\u6cbb\u7cfb\u7d71) \u4e4b\u9593\u4ea4\u63db\u8def\u7531\u548c\u53ef\u9054\u6027\u4fe1\u606f\u3002<\/span><\/li>
                                                                                • \u7531\u65bc\u8a72\u5354\u8b70\u7528\u65bc\u5c07\u4e00\u500b AS \u9023\u63a5\u5230\u5176\u4ed6 AS\uff0c\u56e0\u6b64\u4e5f\u7a31\u70ba\u5916\u90e8 BGP\uff08eBGP\uff09\u3002<\/span><\/li>
                                                                                • BGP \u5728port 179 \u4e0a\u5275\u5efa\u5176 TCP \u6703\u8a71\u3002\u653b\u64ca\u6216\u662fBGP\u8a2d\u5b9a\u932f\u8aa4\u90fd\u6703\u5c0e\u81f4\u7db2\u8def\u7671\u7613\uff0c\u4f8b\u5982\u7576\u5e74\u7684FaceBook\u8a2d\u5b9a\u932f\u8aa4\u7671\u7613\u4e866\u5c0f\u6642\uff0c\u9084\u6709\u5c0d\u5cb8\u7684\u9577\u57ce\u4e5f\u662f\u900f\u904e\u9019\u500b\u4f86\u5be9\u67e5\u54ea\u4e9b\u7db2\u7ad9\u9023\u4e0d\u4e0a<\/span><\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"

                                                                                  0x00 \u5e38\u7528\u7684port UDP 137 (NETBIOS Name SErvice) TCP 139 (NEtBIOS Session Service)(SNB over NetBIOS) UDP 161 (Simple Network Management Protocol, SNMP) TCP\/UDP 162 SNMP Trap TCP\/UDP 53 (DNS) TCP\/UDP 135(Microsoft RPC ) TCP\/UDP 389 (LDAP) TCP 2049 (NFS) TCP 25 (SMTP) (TCP\/UDP 445) SMB over TCP SNMP Ttap TCP\/UDP 162 ISAKMP\/Internet Key Exchange (IKE) UDP 500 SSH TCP 22 0x01 Enumeration Concepts (\u679a\u8209) Get user names using email IDs Get information using default passwords Get user names using SNMP Brute force AD Get user groups from Windows Get information using DNS zone transfers NetBios, LDAP, NTP, DNS 0x02 SNMP Enumeration nmap \u6307\u4ee4:\u00a0 nmap -sU -p 161 <Target IP Address> auxiliary\/scanner\/snmp\/snmp_enum \u6307\u4ee4: snmp-check <Target IP Address> snmp-check GUI Engineer\u2019s Toolset SNMPScanner OpUtils 5 SNScan Management Information Base (MIB) MIB \u662f\u4e00\u500b\u865b\u64ec\u6578\u64da\u5eab\uff0c\u5176\u4e2d\u5305\u542b SNMP \u7ba1\u7406\u7684\u6240\u6709\u7db2\u7d61\u5c0d\u8c61\u7684\u6b63\u5f0f\u63cf\u8ff0\u3002MIB elements are recognized using object identifiers (OIDs) DHCP.MIB HOSTMIB.MIB:\u76e3\u63a7\u548c\u7ba1\u7406\u4e3b\u6a5f\u8cc7\u6e90 LNMIB2.MIB\uff1a\u5305\u542b\u5de5\u4f5c\u7ad9\u548c\u670d\u52d9\u5668\u670d\u52d9\u7684\u5c0d\u50cf\u985e\u578b MIB_II.MIB\uff1a\u4f7f\u7528\u7c21\u55ae\u7684\u67b6\u69cb\u548c\u7cfb\u7d71\u7ba1\u7406\u57fa\u65bc TCP\/IP \u7684 Internet WINS.MIB\uff1a\u7528\u65bc Windows Internet \u540d\u7a31\u670d\u52d9 (WINS) \u5176\u4ed6\u5de5\u5177 snmpcheck softperfect network Scanner Network Performance Monitor OpUtils PRTG Network Monitor Enginner\u2019s Toolset 0x03 Windows System Basics Security Context – \u7528\u6236\u7684\u8eab\u5206\u8207\u8a8d\u8b49\u8cc7\u8a0a Security Identifier (SID) – \u8b58\u5225\u4f7f\u7528\u8005\u3001\u7fa4\u7d44\u548c\u5e33\u6236 Resource Identifier (RID) – \u6a19\u793aSID\u5e33\u6236\u7684\u6b0a\u9650 USER NUMBER SID \u6700\u5f8c\u9762\u70ba\u4f7f\u7528\u8005\u865f\u78bc Example SID: S-1-5-21-3874928736-367528774-1298337465**-500** Administrator Account – SID of 500 Regular Accounts – start with a SID of 1000 Linux Systems used user IDs (UID) and group IDs (GID). Found in \/etc\/passwd SAM Database file where all local passwords are stored (encrypted) (\u6240\u6709\u5bc6\u78bc) Stored in C:WindowsSystem32Config Linux Enumeration Commands in PowerShell or CmdPrompt finger – \u4f7f\u7528\u8005\u548c\u96fb\u8166\u7684\u8cc7\u8a0a rpcclient – info on RPC in the environment showmount – \u986f\u793a\u6240\u6709\u7684shared directories Look for share resources (NetBIOS) net view sysName Windows SysInternals 0x04 NetBIOS Enumeration \u6307\u4ee4 :nma…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[5],"tags":[],"class_list":["post-276","post","type-post","status-publish","format-standard","hentry","category-research-study"],"yoast_head":"\nCEH v11 Moudle 4 - Enumeration - Ares Vlog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.yuyiares.com\/?p=276\" \/>\n<meta property=\"og:locale\" content=\"zh_TW\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"CEH v11 Moudle 4 - Enumeration - Ares Vlog\" \/>\n<meta property=\"og:description\" content=\"0x00 \u5e38\u7528\u7684port UDP 137 (NETBIOS Name SErvice) TCP 139 (NEtBIOS Session Service)(SNB over NetBIOS) UDP 161 (Simple Network Management Protocol, SNMP) TCP\/UDP 162 SNMP Trap TCP\/UDP 53 (DNS) TCP\/UDP 135(Microsoft RPC ) TCP\/UDP 389 (LDAP) TCP 2049 (NFS) TCP 25 (SMTP) (TCP\/UDP 445) SMB over TCP SNMP Ttap TCP\/UDP 162 ISAKMP\/Internet Key Exchange (IKE) UDP 500 SSH TCP 22 0x01 Enumeration Concepts (\u679a\u8209) Get user names using email IDs Get information using default passwords Get user names using SNMP Brute force AD Get user groups from Windows Get information using DNS zone transfers NetBios, LDAP, NTP, DNS 0x02 SNMP Enumeration nmap \u6307\u4ee4:\u00a0 nmap -sU -p 161 <Target IP Address> auxiliary\/scanner\/snmp\/snmp_enum \u6307\u4ee4: snmp-check <Target IP Address> snmp-check GUI Engineer\u2019s Toolset SNMPScanner OpUtils 5 SNScan Management Information Base (MIB) MIB \u662f\u4e00\u500b\u865b\u64ec\u6578\u64da\u5eab\uff0c\u5176\u4e2d\u5305\u542b SNMP \u7ba1\u7406\u7684\u6240\u6709\u7db2\u7d61\u5c0d\u8c61\u7684\u6b63\u5f0f\u63cf\u8ff0\u3002MIB elements are recognized using object identifiers (OIDs) DHCP.MIB HOSTMIB.MIB:\u76e3\u63a7\u548c\u7ba1\u7406\u4e3b\u6a5f\u8cc7\u6e90 LNMIB2.MIB\uff1a\u5305\u542b\u5de5\u4f5c\u7ad9\u548c\u670d\u52d9\u5668\u670d\u52d9\u7684\u5c0d\u50cf\u985e\u578b MIB_II.MIB\uff1a\u4f7f\u7528\u7c21\u55ae\u7684\u67b6\u69cb\u548c\u7cfb\u7d71\u7ba1\u7406\u57fa\u65bc TCP\/IP \u7684 Internet WINS.MIB\uff1a\u7528\u65bc Windows Internet \u540d\u7a31\u670d\u52d9 (WINS) \u5176\u4ed6\u5de5\u5177 snmpcheck softperfect network Scanner Network Performance Monitor OpUtils PRTG Network Monitor Enginner\u2019s Toolset 0x03 Windows System Basics Security Context – \u7528\u6236\u7684\u8eab\u5206\u8207\u8a8d\u8b49\u8cc7\u8a0a Security Identifier (SID) – \u8b58\u5225\u4f7f\u7528\u8005\u3001\u7fa4\u7d44\u548c\u5e33\u6236 Resource Identifier (RID) – \u6a19\u793aSID\u5e33\u6236\u7684\u6b0a\u9650 USER NUMBER SID \u6700\u5f8c\u9762\u70ba\u4f7f\u7528\u8005\u865f\u78bc Example SID: S-1-5-21-3874928736-367528774-1298337465**-500** Administrator Account – SID of 500 Regular Accounts – start with a SID of 1000 Linux Systems used user IDs (UID) and group IDs (GID). Found in \/etc\/passwd SAM Database file where all local passwords are stored (encrypted) (\u6240\u6709\u5bc6\u78bc) Stored in C:WindowsSystem32Config Linux Enumeration Commands in PowerShell or CmdPrompt finger – \u4f7f\u7528\u8005\u548c\u96fb\u8166\u7684\u8cc7\u8a0a rpcclient – info on RPC in the environment showmount – \u986f\u793a\u6240\u6709\u7684shared directories Look for share resources (NetBIOS) net view sysName Windows SysInternals 0x04 NetBIOS Enumeration \u6307\u4ee4 :nma...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.yuyiares.com\/?p=276\" \/>\n<meta property=\"og:site_name\" content=\"Ares Vlog\" \/>\n<meta property=\"article:published_time\" content=\"2022-10-03T05:45:09+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2022-10-03T06:02:57+00:00\" \/>\n<meta name=\"author\" content=\"admin\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"\u4f5c\u8005:\" \/>\n\t<meta name=\"twitter:data1\" content=\"admin\" \/>\n\t<meta name=\"twitter:label2\" content=\"\u9810\u4f30\u95b1\u8b80\u6642\u9593\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 \u5206\u9418\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.yuyiares.com\\\/?p=276#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.yuyiares.com\\\/?p=276\"},\"author\":{\"name\":\"admin\",\"@id\":\"https:\\\/\\\/www.yuyiares.com\\\/#\\\/schema\\\/person\\\/3d4db07eab24e08cc9eea662ef3053ac\"},\"headline\":\"CEH v11 Moudle 4 – Enumeration\",\"datePublished\":\"2022-10-03T05:45:09+00:00\",\"dateModified\":\"2022-10-03T06:02:57+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.yuyiares.com\\\/?p=276\"},\"wordCount\":503,\"commentCount\":0,\"articleSection\":[\"Research & Study\"],\"inLanguage\":\"zh-TW\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/www.yuyiares.com\\\/?p=276#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.yuyiares.com\\\/?p=276\",\"url\":\"https:\\\/\\\/www.yuyiares.com\\\/?p=276\",\"name\":\"CEH v11 Moudle 4 - Enumeration - Ares Vlog\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.yuyiares.com\\\/#website\"},\"datePublished\":\"2022-10-03T05:45:09+00:00\",\"dateModified\":\"2022-10-03T06:02:57+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/www.yuyiares.com\\\/#\\\/schema\\\/person\\\/3d4db07eab24e08cc9eea662ef3053ac\"},\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.yuyiares.com\\\/?p=276#breadcrumb\"},\"inLanguage\":\"zh-TW\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.yuyiares.com\\\/?p=276\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.yuyiares.com\\\/?p=276#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.yuyiares.com\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"CEH v11 Moudle 4 – Enumeration\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.yuyiares.com\\\/#website\",\"url\":\"https:\\\/\\\/www.yuyiares.com\\\/\",\"name\":\"Ares Vlog\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.yuyiares.com\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"zh-TW\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.yuyiares.com\\\/#\\\/schema\\\/person\\\/3d4db07eab24e08cc9eea662ef3053ac\",\"name\":\"admin\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"zh-TW\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/7a48eb75ce0e81d088764746bc78b3a75ae3f2fbe40d6f69bbc7cfd2fa004a03?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/7a48eb75ce0e81d088764746bc78b3a75ae3f2fbe40d6f69bbc7cfd2fa004a03?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/7a48eb75ce0e81d088764746bc78b3a75ae3f2fbe40d6f69bbc7cfd2fa004a03?s=96&d=mm&r=g\",\"caption\":\"admin\"},\"sameAs\":[\"https:\\\/\\\/www.yuyiares.com\"],\"url\":\"https:\\\/\\\/www.yuyiares.com\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"CEH v11 Moudle 4 - Enumeration - Ares Vlog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.yuyiares.com\/?p=276","og_locale":"zh_TW","og_type":"article","og_title":"CEH v11 Moudle 4 - Enumeration - Ares Vlog","og_description":"0x00 \u5e38\u7528\u7684port UDP 137 (NETBIOS Name SErvice) TCP 139 (NEtBIOS Session Service)(SNB over NetBIOS) UDP 161 (Simple Network Management Protocol, SNMP) TCP\/UDP 162 SNMP Trap TCP\/UDP 53 (DNS) TCP\/UDP 135(Microsoft RPC ) TCP\/UDP 389 (LDAP) TCP 2049 (NFS) TCP 25 (SMTP) (TCP\/UDP 445) SMB over TCP SNMP Ttap TCP\/UDP 162 ISAKMP\/Internet Key Exchange (IKE) UDP 500 SSH TCP 22 0x01 Enumeration Concepts (\u679a\u8209) Get user names using email IDs Get information using default passwords Get user names using SNMP Brute force AD Get user groups from Windows Get information using DNS zone transfers NetBios, LDAP, NTP, DNS 0x02 SNMP Enumeration nmap \u6307\u4ee4:\u00a0 nmap -sU -p 161 <Target IP Address> auxiliary\/scanner\/snmp\/snmp_enum \u6307\u4ee4: snmp-check <Target IP Address> snmp-check GUI Engineer\u2019s Toolset SNMPScanner OpUtils 5 SNScan Management Information Base (MIB) MIB \u662f\u4e00\u500b\u865b\u64ec\u6578\u64da\u5eab\uff0c\u5176\u4e2d\u5305\u542b SNMP \u7ba1\u7406\u7684\u6240\u6709\u7db2\u7d61\u5c0d\u8c61\u7684\u6b63\u5f0f\u63cf\u8ff0\u3002MIB elements are recognized using object identifiers (OIDs) DHCP.MIB HOSTMIB.MIB:\u76e3\u63a7\u548c\u7ba1\u7406\u4e3b\u6a5f\u8cc7\u6e90 LNMIB2.MIB\uff1a\u5305\u542b\u5de5\u4f5c\u7ad9\u548c\u670d\u52d9\u5668\u670d\u52d9\u7684\u5c0d\u50cf\u985e\u578b MIB_II.MIB\uff1a\u4f7f\u7528\u7c21\u55ae\u7684\u67b6\u69cb\u548c\u7cfb\u7d71\u7ba1\u7406\u57fa\u65bc TCP\/IP \u7684 Internet WINS.MIB\uff1a\u7528\u65bc Windows Internet \u540d\u7a31\u670d\u52d9 (WINS) \u5176\u4ed6\u5de5\u5177 snmpcheck softperfect network Scanner Network Performance Monitor OpUtils PRTG Network Monitor Enginner\u2019s Toolset 0x03 Windows System Basics Security Context – \u7528\u6236\u7684\u8eab\u5206\u8207\u8a8d\u8b49\u8cc7\u8a0a Security Identifier (SID) – \u8b58\u5225\u4f7f\u7528\u8005\u3001\u7fa4\u7d44\u548c\u5e33\u6236 Resource Identifier (RID) – \u6a19\u793aSID\u5e33\u6236\u7684\u6b0a\u9650 USER NUMBER SID \u6700\u5f8c\u9762\u70ba\u4f7f\u7528\u8005\u865f\u78bc Example SID: S-1-5-21-3874928736-367528774-1298337465**-500** Administrator Account – SID of 500 Regular Accounts – start with a SID of 1000 Linux Systems used user IDs (UID) and group IDs (GID). Found in \/etc\/passwd SAM Database file where all local passwords are stored (encrypted) (\u6240\u6709\u5bc6\u78bc) Stored in C:WindowsSystem32Config Linux Enumeration Commands in PowerShell or CmdPrompt finger – \u4f7f\u7528\u8005\u548c\u96fb\u8166\u7684\u8cc7\u8a0a rpcclient – info on RPC in the environment showmount – \u986f\u793a\u6240\u6709\u7684shared directories Look for share resources (NetBIOS) net view sysName Windows SysInternals 0x04 NetBIOS Enumeration \u6307\u4ee4 :nma...","og_url":"https:\/\/www.yuyiares.com\/?p=276","og_site_name":"Ares Vlog","article_published_time":"2022-10-03T05:45:09+00:00","article_modified_time":"2022-10-03T06:02:57+00:00","author":"admin","twitter_card":"summary_large_image","twitter_misc":{"\u4f5c\u8005:":"admin","\u9810\u4f30\u95b1\u8b80\u6642\u9593":"4 \u5206\u9418"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.yuyiares.com\/?p=276#article","isPartOf":{"@id":"https:\/\/www.yuyiares.com\/?p=276"},"author":{"name":"admin","@id":"https:\/\/www.yuyiares.com\/#\/schema\/person\/3d4db07eab24e08cc9eea662ef3053ac"},"headline":"CEH v11 Moudle 4 – Enumeration","datePublished":"2022-10-03T05:45:09+00:00","dateModified":"2022-10-03T06:02:57+00:00","mainEntityOfPage":{"@id":"https:\/\/www.yuyiares.com\/?p=276"},"wordCount":503,"commentCount":0,"articleSection":["Research & Study"],"inLanguage":"zh-TW","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.yuyiares.com\/?p=276#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.yuyiares.com\/?p=276","url":"https:\/\/www.yuyiares.com\/?p=276","name":"CEH v11 Moudle 4 - Enumeration - Ares Vlog","isPartOf":{"@id":"https:\/\/www.yuyiares.com\/#website"},"datePublished":"2022-10-03T05:45:09+00:00","dateModified":"2022-10-03T06:02:57+00:00","author":{"@id":"https:\/\/www.yuyiares.com\/#\/schema\/person\/3d4db07eab24e08cc9eea662ef3053ac"},"breadcrumb":{"@id":"https:\/\/www.yuyiares.com\/?p=276#breadcrumb"},"inLanguage":"zh-TW","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.yuyiares.com\/?p=276"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.yuyiares.com\/?p=276#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.yuyiares.com\/"},{"@type":"ListItem","position":2,"name":"CEH v11 Moudle 4 – Enumeration"}]},{"@type":"WebSite","@id":"https:\/\/www.yuyiares.com\/#website","url":"https:\/\/www.yuyiares.com\/","name":"Ares Vlog","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.yuyiares.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"zh-TW"},{"@type":"Person","@id":"https:\/\/www.yuyiares.com\/#\/schema\/person\/3d4db07eab24e08cc9eea662ef3053ac","name":"admin","image":{"@type":"ImageObject","inLanguage":"zh-TW","@id":"https:\/\/secure.gravatar.com\/avatar\/7a48eb75ce0e81d088764746bc78b3a75ae3f2fbe40d6f69bbc7cfd2fa004a03?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/7a48eb75ce0e81d088764746bc78b3a75ae3f2fbe40d6f69bbc7cfd2fa004a03?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/7a48eb75ce0e81d088764746bc78b3a75ae3f2fbe40d6f69bbc7cfd2fa004a03?s=96&d=mm&r=g","caption":"admin"},"sameAs":["https:\/\/www.yuyiares.com"],"url":"https:\/\/www.yuyiares.com\/?author=1"}]}},"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.yuyiares.com\/index.php?rest_route=\/wp\/v2\/posts\/276","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.yuyiares.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.yuyiares.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.yuyiares.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.yuyiares.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=276"}],"version-history":[{"count":3,"href":"https:\/\/www.yuyiares.com\/index.php?rest_route=\/wp\/v2\/posts\/276\/revisions"}],"predecessor-version":[{"id":279,"href":"https:\/\/www.yuyiares.com\/index.php?rest_route=\/wp\/v2\/posts\/276\/revisions\/279"}],"wp:attachment":[{"href":"https:\/\/www.yuyiares.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=276"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.yuyiares.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=276"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.yuyiares.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=276"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}