Windows Internal Network Topology and Enumeration

Taken from: http://bnewtoncis185.blogspot.co.uk/

Enumeration is the process of extracting the following information from a network resources or shares on the network, usernames or groups assigned on the network and users’ passwords and recent logon times. To be able to determine what resources or shares are on a network a security tester must use port scanning and footprinting first to determine what the OS is used. Since enumeration is more intrusive because you’re not just identifying a resource; you’re attempting to access it.

If the OS you are looking at is a Windows system there are a lot of tools that are built into the Windows OS that you could use to enumerate a system. One of these tools is NBTscan which is used to to find NetBIOS on a system. Network Basic Input Output System (NetBIOS) is a Windows programming interface that allows computers to communicate across a local area network (LAN). A computer name that you assign to a Windows system is called the NetBIOS name and has a limited of 16 characters; the last reserved for a hexadecimal number (00 to FF) that identifies the service running on the computer. The name must be unique on a network.

One of the biggest vulnerabilities of NetBIOS systems is a null session. A null session is a unauthenticated connection to a Windows computer that uses no logon and password values. NetBIOS enumeration tools are powerful in the Windows systems. The Nbtscan command will show you the NetBIOS tables which will show the domain controller and the user accounts that are used on the system.

Another tool is the net view command, which gives a quick way to the shared resources on a computer or server.

There is a tool called DumpSec this tool can gather or dump a lot of data into a report.

Hyena is another tool you could use to see system information.

Nessus and OpenVas are also used to gather information about Windows systems. These same tools can be used on NetWare systems.

On a UNIX system you can use the finger command to find information on the system

--------------

Find domain controllers and domain administrators

net group "domain controllers" /domain

net group "domain admins" /domain

Find domain controllers and domain administrators if you are not in the domain:

dsquery server -domain

dsquery user -domain  -name *martin*

The following will give you the username once given in input the name and surname of a person

dsquery user -domain -name *martin*| dsget user

Identify domain controllers and primary domain controllers

nltest /dclist:

Identify forest:

Test.vbs:

Set objSysinfo= CreateObject("ADSystemInfo")

Wscript.Echo "Forest DNS Name:" & objSysInfo.ForestDNSName

Test1.vbs:

Set objRootDSE = GetObject("LDAP://RootDSE")

Wscript.Echo "Root Domain: " & objRootDSE.get("RootDomainNamingContext")

Search by email (source= http://blog.acarter.co.uk/2011/08/dsquery-to-find-user-by-email-address/ )

PS C:\> dsquery * domainroot -filter "(&(objectClass=User) (proxyA
ddresses=*target@email.com*))" -l  -attr name mail proxyAddresses sAMA
ccountName