Questions tagged [enumeration]

Enumeration belongs to the pre-attack phase, in which an attacker discovers information about the target before attempting exploitation: network reconnaissance (live hosts, open ports, running services, valid usernames), operational intelligence, historical information, and so on.

52 questions
14 votes, 4 answers

Is username enumeration practical when the username is an email address?

From what I understand it is bad security practice to display informative failed login messages like "The email you entered does not exist" instead of "Incorrect email/password combination", because it can lead to username enumeration. Is this is…

Abe Miessler (8,155 rep)
10 votes, 2 answers

User Enumeration Vulnerability while creating Google account

When we create a Google account, Google tells us whether an account with the specified username exists or not. Doesn't that lead to user enumeration? Why not let users fill in the other information first, pass the CAPTCHA test, and then choose the email…

Engineer (177 rep)
10 votes, 2 answers

How do exploit kits enumerate or fingerprint their targets?

My current understanding is that an exploit kit will fingerprint (gather information on) a system, check those details against a database of vulnerabilities and then attempt to use the relevant exploits. I can see simple ways of checking for things…

Arlix (1,459 rep)
9 votes, 3 answers

enumeration and MS DCERPC

Enumeration, enumeration, and even more enumeration is the generic pentesting mantra, but enumeration is worthless if you can't read the results. I came across the Windows RPC service, where metasploit returns results such as msf…

countermode (684 rep)
8 votes, 3 answers

How important is CAPTCHA on registration pages?

I am working on a site and I would like to add CAPTCHA to the user registration page to prevent user name enumeration. I am working with a front end developer who feels pretty strongly that we should not add CAPTCHA to the registration page because…

Abe Miessler (8,155 rep)
8 votes, 1 answer

Strange responses from an unfamiliar HTTP server

I noticed an unfamiliar device when scanning my local wireless network. It had two open (listening?) TCP ports: TCP/80 (http?) & TCP/443 (https?). In an effort to identify the unfamiliar device, I exercised some basic banner-grabbing techniques,…

voices (1,649 rep)
8 votes, 6 answers

Should I use a cryptographically secure random number generator when I generate IDs?

It is common to generate random identifiers to expose through an API instead of using a simple auto-incrementing primary key. The reasons are many: prevents easy enumeration; does not give away the order in which objects were created; does not give away the total…

Anders (64,406 rep)
7 votes, 1 answer

Informative error messages in password reset functionality?

When I am implementing password reset functionality I usually do not include informative messages about whether a user was found, because I have always believed that it can lead to user name enumeration. So instead of showing: Account with email…

Abe Miessler (8,155 rep)
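The login question at the top of this page and the password-reset question just above ask the same thing: how to answer a failed attempt without telling the client whether the e-mail address is registered. The following is an added example, not code from either question or from any answer on this page; the PBKDF2 user table, the dummy credential and the message texts are assumptions for illustration.

```python
"""Leaky versus uniform responses for login and password reset.

Added example. USERS, the dummy credential and the message strings are
constructed for illustration; they are not from the questions on this page.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import secrets

_ITERATIONS = 100_000  # PBKDF2 work factor; an assumption for the example


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


def _new_credential(password: str) -> tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, _hash(password, salt)


# Constructed user table: e-mail -> (salt, hash). Not real accounts.
USERS = {"alice@example.com": _new_credential("correct horse battery staple")}

# A throwaway credential that is verified whenever the e-mail is unknown, so an
# unregistered address costs the same PBKDF2 work as a registered one and the
# response time does not become the oracle that the message no longer is.
_DUMMY = _new_credential(secrets.token_hex(16))


def login_leaky(email: str, password: str) -> str:
    """The pattern the question warns about: the message reveals existence."""
    user = USERS.get(email)
    if user is None:
        return "The email you entered does not exist"
    salt, digest = user
    if not hmac.compare_digest(_hash(password, salt), digest):
        return "Incorrect password"
    return "ok"


def login_uniform(email: str, password: str) -> str:
    """Same message and same amount of work whether or not the e-mail exists."""
    known = email in USERS
    salt, digest = USERS[email] if known else _DUMMY
    ok = hmac.compare_digest(_hash(password, salt), digest)
    if known and ok:
        return "ok"
    return "Incorrect email/password combination"


def reset_request_uniform(email: str) -> tuple[str, str | None]:
    """Password reset: one message for everyone. The token is only minted for a
    registered address and would be e-mailed (and stored hashed), never placed
    in the HTTP response."""
    token = secrets.token_urlsafe(32) if email in USERS else None
    return "If that address is registered, a reset link has been sent.", token
```

Message text is only the most obvious channel: compare the two requests (known address, unknown address) for status code, redirect target, response size, response time and rate-limit behaviour as well. Registration pages, which have to say whether an address is already taken, are the harder case raised in the Google-account question above.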
6 votes, 1 answer

Discovering a vulnerable service on a machine

I am trying to get access to one of the machines in my lab. It has 2 TCP ports that I am highly suspicious of: port 25 TCP and port 111 TCP. Port 25 is supposed to be running SMTP; however, I think that it is running another service…

Ahmed Taher (701 rep)
6 votes, 1 answer

How can I misuse the information of DCE service enumeration?

Nessus reports "DCE service enumeration" on almost any Windows machine. With the Metasploit module tcp_dcerpc_auditor I get the following information: 192.168.1.23 - UUID 99fcfec4-5260-101b-bbcb-00aa0021347a 0.0 OPEN VIA 135 ACCESS GRANTED…
6 votes, 1 answer

Are these encrypted URL values safe or could they be guessed?

One of our suppliers had a weakness in the secure section of his website. By changing IDs in the URL, we could see data that did not belong to us. For example: https://supplier.org/showItem.do?contract.id=102210199&car.id=102334247 showed a…

Konerak (3,898 rep)
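An added example, not code from this question or from the CSPRNG question above, tying the two together: sequential values like contract.id=102210199 are enumerable with a for loop, identifiers drawn from the OS CSPRNG are not, and neither kind (encrypted, random or otherwise) replaces an ownership check on every request, which is the actual fix for the supplier's weakness. The record store, owner names and error type are assumptions.

```python
"""Opaque object identifiers, and why they are not an access-control mechanism.

Added example. RECORDS and the owner names are constructed for illustration.
"""
from __future__ import annotations

import secrets


def sequential_ids(count: int, start: int = 102210199) -> list[int]:
    """IDs like the contract.id in the supplier's URL: whoever has one can
    walk all the others."""
    return [start + i for i in range(count)]


def opaque_id() -> str:
    """22 URL-safe characters carrying 128 bits from the OS CSPRNG.
    Use the secrets module (or os.urandom), never random.random(): the
    Mersenne Twister state is recoverable from 624 consecutive outputs."""
    return secrets.token_urlsafe(16)


# Constructed record store: id -> (owner, payload). Not real data.
RECORDS: dict[str, tuple[str, str]] = {}


def create_record(owner: str, payload: str) -> str:
    rid = opaque_id()
    RECORDS[rid] = (owner, payload)
    return rid


def can_view(requester: str, rid: str) -> bool:
    """Authorise on the server for every request, whatever the ID looks like.
    An unguessable ID only stops blind enumeration; it does nothing against an
    ID that leaked through a log, a referrer header or a shared screenshot."""
    rec = RECORDS.get(rid)
    return rec is not None and rec[0] == requester


def show_item(requester: str, rid: str) -> str:
    if not can_view(requester, rid):
        # One answer for "no such ID" and "not your ID", so the endpoint does
        # not confirm which IDs exist.
        raise PermissionError("no such item")
    return RECORDS[rid][1]
```

Encrypting a sequential ID instead of replacing it with a random one adds key management and, with a malleable mode, still lets a client forge neighbours; a random 128-bit token stored beside the row is simpler and is what the CSPRNG question is really asking for.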
4 votes, 3 answers

Scan all possible files on server (Brute force Filenames)

I'm looking for a tool which can scan all possible filename combinations on a server and tells you what filenames the server responded to. So it would try something like: example.com/a, example.com/b, ... , example.com/css, ... . It would then check…

Max Rumpf (43 rep)
4 votes, 3 answers

Techniques for fingerprinting a web based content management system (CMS)

Let's say we have a random basic blog or informational website: just some pages with information, a sidebar with an overview of the archives, the normal stuff. We know that this website is built with a CMS. How can we find out which CMS…

user21287
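An added example, not from the question or its answers, of the passive checks usually tried first: a generator meta tag, the paths of well-known assets, and header or cookie names. The signature list is a small illustrative set (the real ones run to hundreds of entries) and the `SAMPLE_*` inputs are constructed; a live check would feed one real response into `fingerprint`.

```python
"""Passive CMS fingerprinting from a single HTTP response.

Added example. SIGNATURES is an illustrative subset; SAMPLE_HTML,
SAMPLE_HEADERS and SAMPLE_COOKIES are constructed inputs.
"""
from __future__ import annotations

import re
from collections import Counter

# (cms, where, regex). "html" is searched in the body, "header" against each
# "Name: value" pair, "cookie" against each cookie name.
SIGNATURES = [
    ("WordPress", "html", r"/wp-(content|includes)/"),
    ("WordPress", "html", r'<meta name="generator" content="WordPress'),
    ("WordPress", "cookie", r"^wordpress_"),
    ("Drupal", "html", r"/sites/(default|all)/"),
    ("Drupal", "header", r"^x-generator: drupal"),
    ("Drupal", "header", r"^x-drupal-cache:"),
    ("Drupal", "cookie", r"^SESS[0-9a-f]{32}$"),
    ("Joomla", "html", r"/media/(jui|system)/"),
    ("Joomla", "html", r'<meta name="generator" content="Joomla'),
]


def fingerprint(html: str, headers: dict[str, str], cookies: list[str]) -> dict:
    """Score each CMS by the number of matching signatures and keep the
    matched text as evidence, so a single weak hit can be reviewed."""
    score: Counter = Counter()
    evidence: dict[str, list[str]] = {}
    for cms, where, pattern in SIGNATURES:
        rx = re.compile(pattern, re.I)
        hit = None
        if where == "html":
            m = rx.search(html)
            hit = m.group(0) if m else None
        elif where == "header":
            for name, value in headers.items():
                line = f"{name}: {value}"
                if rx.search(line):
                    hit = line
                    break
        elif where == "cookie":
            for name in cookies:
                if rx.search(name):
                    hit = name
                    break
        if hit:
            score[cms] += 1
            evidence.setdefault(cms, []).append(hit)
    guess = score.most_common(1)[0][0] if score else None
    return {"scores": dict(score), "evidence": evidence, "guess": guess}


# Constructed response from a stock WordPress install.
SAMPLE_HTML = (
    '<html><head><meta name="generator" content="WordPress 6.4" />'
    '<link rel="stylesheet" href="/wp-content/themes/twentytwentyfour/style.css">'
    "</head><body></body></html>"
)
SAMPLE_HEADERS = {"Server": "nginx", "X-Powered-By": "PHP/8.2"}
SAMPLE_COOKIES = ["wordpress_test_cookie"]
```

The generator tag is the first thing administrators remove, so asset paths and cookie names carry more weight in practice; version pinning then comes from hashing static files (readme, changelog, bundled JavaScript) against known releases, which is the active step beyond this example.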
4 votes, 1 answer

Can someone explain the DNSSEC NSEC3 output to me?

I'm trying to understand how NSEC and NSEC3 records work in DNSSEC. When I query for a non-existent domain which supports NSEC3, I get the following output $ dig +dnssec NSEC3 gggg.icann.org. | grep -F "NSEC3" | grep -Fv "RRSIG NSEC3" ; <<>>…

driver_ (41 rep)
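Reading the records that the question's dig command returns: each is `<hashed owner>.<zone> NSEC3 <hash algorithm> <flags> <iterations> <salt> <next hashed owner> <type bitmap>`, where algorithm 1 is SHA-1, the salt is hex (`-` for none) and the hashed owners are base32hex of the SHA-1 output. A name is shown to be absent when its hash sorts between a record's owner and its next-hashed-owner. The added example below, not from the question or its answers, implements the hash from RFC 5155, the cover check, and the dictionary attack that makes NSEC3 a speed bump rather than a wall for zone enumeration. The zone names and wordlist are constructed; the salt and iteration count are the NSEC3PARAM values from RFC 5155 Appendix A, so the hash of `example` can be compared with the value printed there.

```python
"""NSEC3 hashing, denial-of-existence cover check, and offline cracking.

Added example. ZONE_NAMES and the wordlist are constructed; SALT and
ITERATIONS follow the example zone in RFC 5155 Appendix A.
"""
from __future__ import annotations

import base64
import hashlib

# base32hex (RFC 4648 section 7) via the standard base32 alphabet.
_B32_TO_HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                            "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire_name(name: str) -> bytes:
    """Canonical wire format: lowercase, length-prefixed labels, root as 0x00."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """RFC 5155 section 5: IH(0) = H(name || salt); IH(k) = H(IH(k-1) || salt)."""
    h = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        h = hashlib.sha1(h + salt).digest()
    return base64.b32encode(h).decode("ascii").translate(_B32_TO_HEX).lower()


def find_covering(chain: list[str], target_hash: str) -> tuple[str, str] | None:
    """Return (owner, next) of the record whose span contains target_hash, or
    None when the hash is itself an owner (the name exists)."""
    chain = sorted(h.lower() for h in chain)
    t = target_hash.lower()
    if t in chain:
        return None
    for i, owner in enumerate(chain):
        nxt = chain[(i + 1) % len(chain)]
        if owner < t < nxt:
            return owner, nxt
        if owner >= nxt and (t > owner or t < nxt):  # last record wraps to first
            return owner, nxt
    return None


def crack(hashes: set[str], zone: str, salt: bytes, iterations: int,
          wordlist: list[str]) -> dict[str, str]:
    """Offline dictionary attack: salt and iteration count are published in
    every record, so hidden names resist only as well as their labels do."""
    found: dict[str, str] = {}
    for label in wordlist:
        name = f"{label}.{zone}"
        h = nsec3_hash(name, salt, iterations)
        if h in hashes:
            found[h] = name
    return found


# Constructed zone using the NSEC3PARAM from RFC 5155 Appendix A.
SALT = bytes.fromhex("aabbccdd")
ITERATIONS = 12
ZONE_NAMES = ["example", "a.example", "ns1.example", "www.example"]
CHAIN = [nsec3_hash(n, SALT, ITERATIONS) for n in ZONE_NAMES]
# nsec3_hash("example", SALT, ITERATIONS) == "0p9mhaveqvm6t7vbl5lop2u3t2rp3tom"
# (the H(example) value shown in RFC 5155 Appendix A)
```

A complete NXDOMAIN proof carries more than one record: one matching the closest encloser, one covering the next-closer name, and one covering the wildcard `*.<closest encloser>`, which is why the dig output shows several NSEC3 lines for a single query. The cover check above is the piece each of them relies on.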
4 votes, 1 answer

Beyond Nmap: Investigating open TCP ports bound to unknown services

I have an uninvited guest using my private WLAN. At first I thought it was probably just a tech-savvy neighbour in need of Internet access, in which case; it wouldn't really bother me. However, I've noticed they always seem to connect the same three…