Hostname

AIM: Find the computer name or NetBIOS name of the target machine.

The SMB (Server Message Block) hostname is the network name of a machine providing SMB services, typically used to identify systems on a local network. Enumerating the hostname during a penetration test serves several purposes:

Identifying Target Systems: By gathering the SMB hostname, a penetration tester can link IP addresses to machine names, giving them insight into the identity and role of a device (e.g., a domain controller, file server, or workstation).
Correlating System Roles: The hostname may provide information about the purpose of the system. For example, a hostname like DC01 likely indicates a domain controller, which could be a high-value target in the network.
Identifying Naming Conventions: Hostnames may follow specific conventions that provide insight into the organizational structure. For example, hostnames like HR-FS01 might indicate a file server in the HR department.
Mapping the Network: Enumerating hostnames helps build a network map, allowing attackers or testers to better understand how devices are interconnected.

Impact of Enumerating Host Names

After enumerating host names, the information can be leveraged to:

Privilege Escalation: If you discover a hostname that belongs to a sensitive system, such as a domain controller (DC01), you may prioritize targeting that machine for privilege escalation.
Targeted Exploits: By knowing the hostname and potentially correlating it with OS version or role, you can use more targeted exploits. For example, knowing that a host is a domain controller or file server allows you to focus on specific vulnerabilities relevant to those roles.
Further Enumeration: After discovering a hostname, further enumeration can reveal additional services, shares, and configurations specific to that machine.
Lateral Movement: Once you've identified critical machines (e.g., via hostname enumeration), you can attempt lateral movement by exploiting SMB services to pivot across the network.

How to Enumerate Hostnames

Tool

Tool Syntax

Windows

nbstat

nbtstat -A <Target-IP>

Windows

net view

net view \\\\<Target-IP>

Windows

PowerShell

Get-SmbShare -CimSession <Target-IP>

Linux

nmblookup

nmblookup -A <target ip>

Linux

nbtscan

nbtscan <target ip>

Linux

smbclient

smbclient -L //<Target-IP>

Linux

enum4linux

enum4linux -a <Target-IP>

Linux

nmap

nmap --script smb-os-discovery.nse -p 445 <Target-IP>

Linux

rpcclient

rpcclient -U "" <Target-IP>

Linux

Metasploit

use auxiliary/scanner/smb/smb_enumusers

Linux

CrackMapExec

cme smb <Target-IP> -d

Linux

python3 [smbclient.py](<http://smbclient.py/>) <domain>/<user>:<pass>@<Target-IP>

Linux

NetExec

nxc smb 192.168.1.0/24

Mitigating Security Risks Associated with SMB Hostname Enumeration

To reduce the risks posed by SMB enumeration, including hostname leakage, several mitigation strategies can be applied:

Disable or Restrict SMBv1: SMBv1 is outdated and vulnerable to various attacks. Disable it and only allow SMBv2 or SMBv3, which are more secure.
- Use PowerShell to disable SMBv1:
  > Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol
Enforce SMB Signing: Enabling SMB signing helps protect against certain types of man-in-the-middle (MitM) attacks by requiring that SMB packets are signed.
- Enable SMB signing via Group Policy:Set "Microsoft network client: Digitally sign communications (always)" to Enabled.
  Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options
Restrict Anonymous Access: Prevent unauthenticated access to SMB shares by ensuring that anonymous users (null sessions) cannot list SMB shares or enumerate users.
- Modify the following registry key:
  HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters\\RestrictNullSessAccess = 1
Firewall SMB Ports: Limit SMB access to trusted devices or segments by blocking ports 137, 138, 139, and 445 on untrusted networks. This prevents external attackers from enumerating SMB services.
- Configure Windows Firewall to restrict SMB traffic:
  New Inbound Rule -> Port -> TCP/UDP -> Specific Ports (137, 138, 139, 445)
Patch and Update Systems: Regularly update and patch systems to prevent exploitation of vulnerabilities in SMB services (e.g., EternalBlue). Ensure that all security patches for SMB-related vulnerabilities are applied.
Remove Unnecessary Shares: Disable or secure unnecessary SMB shares to reduce attack surface. Limit access to essential users and use strong authentication mechanisms.
Use Strong Access Controls: Ensure that sensitive shares and systems are only accessible to authorized users and enforce the principle of least privilege.
Monitor and Log SMB Traffic: Continuously monitor and log SMB traffic to detect any suspicious activity or attempts at unauthorized access. This helps identify malicious actors attempting to enumerate the network.

PreviousServer Message Block (SMB): 445 NextShared Folders

Last updated 5 months ago

Hostname

AIM: Find the computer name or NetBIOS name of the target machine.

Identifying Target Systems: By gathering the SMB hostname, a penetration tester can link IP addresses to machine names, giving them insight into the identity and role of a device (e.g., a domain controller, file server, or workstation).
Correlating System Roles: The hostname may provide information about the purpose of the system. For example, a hostname like DC01 likely indicates a domain controller, which could be a high-value target in the network.
Identifying Naming Conventions: Hostnames may follow specific conventions that provide insight into the organizational structure. For example, hostnames like HR-FS01 might indicate a file server in the HR department.
Mapping the Network: Enumerating hostnames helps build a network map, allowing attackers or testers to better understand how devices are interconnected.

Impact of Enumerating Host Names

After enumerating host names, the information can be leveraged to:

Privilege Escalation: If you discover a hostname that belongs to a sensitive system, such as a domain controller (DC01), you may prioritize targeting that machine for privilege escalation.
Targeted Exploits: By knowing the hostname and potentially correlating it with OS version or role, you can use more targeted exploits. For example, knowing that a host is a domain controller or file server allows you to focus on specific vulnerabilities relevant to those roles.
Further Enumeration: After discovering a hostname, further enumeration can reveal additional services, shares, and configurations specific to that machine.
Lateral Movement: Once you've identified critical machines (e.g., via hostname enumeration), you can attempt lateral movement by exploiting SMB services to pivot across the network.

How to Enumerate Hostnames

Tool

Tool Syntax

Windows

nbstat

nbtstat -A <Target-IP>

Windows

net view

net view \\\\<Target-IP>

Windows

PowerShell

Get-SmbShare -CimSession <Target-IP>

Linux

nmblookup

nmblookup -A <target ip>

Linux

nbtscan

nbtscan <target ip>

Linux

smbclient

smbclient -L //<Target-IP>

Linux

enum4linux

enum4linux -a <Target-IP>

Linux

nmap

nmap --script smb-os-discovery.nse -p 445 <Target-IP>

Linux

rpcclient

rpcclient -U "" <Target-IP>

Linux

Metasploit

use auxiliary/scanner/smb/smb_enumusers

Linux

CrackMapExec

cme smb <Target-IP> -d

Linux

Impacket ()

python3 [smbclient.py](<http://smbclient.py/>) <domain>/<user>:<pass>@<Target-IP>

Linux

NetExec

nxc smb 192.168.1.0/24

Mitigating Security Risks Associated with SMB Hostname Enumeration

To reduce the risks posed by SMB enumeration, including hostname leakage, several mitigation strategies can be applied:

Disable or Restrict SMBv1: SMBv1 is outdated and vulnerable to various attacks. Disable it and only allow SMBv2 or SMBv3, which are more secure.
- Use PowerShell to disable SMBv1:
  > Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol
Enforce SMB Signing: Enabling SMB signing helps protect against certain types of man-in-the-middle (MitM) attacks by requiring that SMB packets are signed.
- Enable SMB signing via Group Policy:Set "Microsoft network client: Digitally sign communications (always)" to Enabled.
  Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options
Restrict Anonymous Access: Prevent unauthenticated access to SMB shares by ensuring that anonymous users (null sessions) cannot list SMB shares or enumerate users.
- Modify the following registry key:
  HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters\\RestrictNullSessAccess = 1
Firewall SMB Ports: Limit SMB access to trusted devices or segments by blocking ports 137, 138, 139, and 445 on untrusted networks. This prevents external attackers from enumerating SMB services.
- Configure Windows Firewall to restrict SMB traffic:
  New Inbound Rule -> Port -> TCP/UDP -> Specific Ports (137, 138, 139, 445)
Patch and Update Systems: Regularly update and patch systems to prevent exploitation of vulnerabilities in SMB services (e.g., EternalBlue). Ensure that all security patches for SMB-related vulnerabilities are applied.
Remove Unnecessary Shares: Disable or secure unnecessary SMB shares to reduce attack surface. Limit access to essential users and use strong authentication mechanisms.
Use Strong Access Controls: Ensure that sensitive shares and systems are only accessible to authorized users and enforce the principle of least privilege.
Monitor and Log SMB Traffic: Continuously monitor and log SMB traffic to detect any suspicious activity or attempts at unauthorized access. This helps identify malicious actors attempting to enumerate the network.

PreviousServer Message Block (SMB): 445 NextShared Folders

Last updated 5 months ago