<?xml version="1.0" encoding="utf-8"?><feed xmlns="http://www.w3.org/2005/Atom" ><generator uri="https://jekyllrb.com/" version="3.10.0">Jekyll</generator><link href="https://rossgr.github.io/feed.xml" rel="self" type="application/atom+xml" /><link href="https://rossgr.github.io/" rel="alternate" type="text/html" /><updated>2024-10-13T11:14:12-07:00</updated><id>https://rossgr.github.io/feed.xml</id><title type="html">://rossgr</title><subtitle>personal description</subtitle><author><name>Ross Greenall</name></author><entry><title type="html">The Importance of Information Security Policy in The Prevention and Mitigation of Cyber Attacks.</title><link href="https://rossgr.github.io/blogs/importance-of-information-security/" rel="alternate" type="text/html" title="The Importance of Information Security Policy in The Prevention and Mitigation of Cyber Attacks." /><published>2024-10-13T00:00:00-07:00</published><updated>2024-10-13T00:00:00-07:00</updated><id>https://rossgr.github.io/blogs/blog-post-1</id><content type="html" xml:base="https://rossgr.github.io/blogs/importance-of-information-security/"><![CDATA[<p>📖</p>

<p>Most modern businesses rely on digital services and information to operate day to day. If these services and resources are compromised, the consequences can be severe, both financially and legally, and often result in considerable damage to a business’s reputation. In its 2022 Cost of a Data Breach Report, IBM found that 83% of the organisations studied had experienced more than one data breach. (IBM, 2022). The prevention and mitigation of this damage therefore ought to be high on the priority list of any executive. Many threat actors seek unauthorised access to business networks. They range from “script kiddies”, people with limited knowledge who run existing tools, through “black hats”, experienced attackers who use their expertise for financial gain, to state-sponsored attackers, who use government funding and support to carry out malicious activity for geopolitical reasons. (Ben Gorman, 2023).</p>

<h2 id="what-do-you-mean-by-information-security-policy">What do you mean by Information Security Policy?</h2>

<p>Information Security Policy refers to the policies, standards and guidelines a business devises and enforces to protect sensitive information and data from unauthorised access. (ISMS, no date). These procedures are an integral part of a business’s defences and should be understood and acted on by all employees. Fundamentally, an Information Security Policy should guide a business whenever it introduces a new technology or faces a new situation, by assessing each against the Confidentiality, Integrity and Availability (CIA) Triad.</p>

<h3 id="the-cia-triad">The CIA Triad</h3>

<p>The CIA Triad is a core concept in information security: a model for understanding how to protect a business’s valuable digital assets. Its three components are Confidentiality, which concerns keeping information secret and accessible only to authorised entities (Death, 2023); Integrity, which concerns maintaining the accuracy and consistency of information (Death, 2023); and Availability, which means systems and data are functional and accessible when needed.
Understanding this model will improve the security of any business or project. Consider it whenever a new system or technology is introduced into the business, and when reviewing security procedures reassess the existing technologies against the same three properties. The triad not only forms the foundation of cyber security systems but also helps businesses comply with data privacy legislation and limit the damage when an attack does occur. (RiskXChange, no date). This leads to the next step, risk management.</p>

<h2 id="risk-management">Risk Management</h2>

<p>Running any digital service carries risk. Accepting that something will go wrong at some point, and that you cannot protect against every avenue of attack, is the strongest position to start from. Attacks that exploit so-called zero-day vulnerabilities cannot be patched in advance, because the software or hardware manufacturers are themselves unaware that the flaw exists; their impact can only be limited by the controls already in place, such as least privilege, network segmentation and monitoring. Known vulnerabilities, by contrast, can be prevented: systems can be patched or reconfigured to account for them, and a regular review of that patching process belongs in a well-maintained Information Security Policy. It is essential to understand that a well thought out and well executed risk management plan can limit and, in some cases, prevent damage. Risk management is defined differently by different organisations and standards.</p>

<h3 id="which-standards-are-used">Which standards are used?</h3>

<p>One of the most well-known and used sets of standards is ISO/IEC 27005, which shows how to conduct an information security risk assessment in accordance with the requirements of ISO 27001. (ITGovernance, 2023). This standard is relevant to any organisation, no matter the size or industry it operates in.</p>

<p>The ISO 27005 risk management approach can be classified into 6 key components.</p>

<h3 id="why-should-my-company-use-this-standard">Why should my company use this standard?</h3>

<p>This standard has been adopted by many companies and is also used by government and non-profit organisations. It is designed to be flexible enough to adapt to any size of business. This matters because many executives of smaller organisations consider security an optional extra. This is a fallacy. Treating the security of an organisation’s digital assets as an extra is both reckless and dangerous, not only to the business and its reputation but to the very customers it relies on, and in the worst case it can result in legal action.</p>

<p>There have been several cases where organisations with a poor understanding of, or commitment to, security have ended up facing legal action, because they are responsible for the digital assets they collect and store. Meeting those responsibilities is known as compliance. Data must be protected in each of the three states it can be in: at rest, in transit and in use. (Marko Dinic, 2022). A failure to protect data in any of these states will result in non-compliance and, depending on the severity and situation, may put the organisation in breach of a number of security laws or regulations.</p>

<h2 id="what-legislation-is-there-regarding-security-in-the-uk">What legislation is there regarding security in the UK?</h2>

<h3 id="data-protection-act--uk-general-data-protection">Data Protection Act &amp; UK-General Data Protection.</h3>

<p>Several laws and regulations have been designed to protect sensitive data, and there have been instances where major corporations failed to meet their requirements, such as British Airways, which faced a proposed £183m fine following a data breach in 2018. (BBC, 2019). These laws are integral to the creation and maintenance of any Information Security Policy. The first of them is the Data Protection Act 2018 (DPA). The DPA works in conjunction with the UK General Data Protection Regulation (UK GDPR) to require strong security measures that safeguard the personal data organisations collect and process, and so reduce security breaches. (Kyle Chin, 2023). A failure to comply can attract fines of up to £17.5 million or 4% of annual global turnover, whichever is higher. Among the UK GDPR’s requirements is that an organisation has a security policy that meets the regulation’s standards.</p>

<h3 id="network-and-information-systems-nis-regulations">Network and Information Systems (NIS) Regulations</h3>

<p>The NIS Regulations’ primary function is to “detect and manage the threats to the security of network and information systems in an acceptable and proportional manner” (UK Government, 2023). They focus on organisations considered to be relevant digital service providers, such as search engines and online marketplaces, and on operators of essential services in sectors such as healthcare, energy, transport and other public services. (Kyle Chin, 2023). They may not apply to every business, but it is important to be aware of the legislation in effect in the UK, and following the security policy practice of the organisations that must comply with it is an effective way to stay aware of the changing threat landscape.</p>

<h2 id="what-are-some-things-i-can-do-to-increase-security-straight-away">What are some things I can do to increase security straight away?</h2>

<h3 id="physical-security">Physical Security</h3>

<p>Introducing new security measures into the office is a good place to start the prevention of cyber-attacks. Uncontrolled physical access to sensitive systems is one of the main causes of disruption. Creating policies around the office environment and providing cyber security training to all personnel is necessary. Examples of such policies include mandatory training for staff, a clean desk policy, ID verification on building entry, surveillance systems and visitor tracking. All of these policies should be checked and tested regularly to ensure that employees understand them and the risks they address.</p>

<h3 id="cybersecurity">Cybersecurity</h3>

<p>The best way to start implementing the ideas in this document is to engage a security consultant to set up your organisation’s security policy using one of the frameworks mentioned above. This provides a solid foundation for future implementation and review. Technical controls worth considering include multi-factor authentication (MFA) for access to systems, and role-based user management, with employees placed in dedicated groups that grant only the access each role needs (the principle of least privilege). This limits the damage a rogue or untrained employee can do with the tools and storage they can reach.</p>

<h3 id="conclusion">Conclusion</h3>

<p>To conclude, a robust Information Security Policy based on a well-known and respected framework, such as ISO/IEC 27005, allows your organisation to progress with its digital business. Seeing the common pitfalls of other companies, and the damage those pitfalls do to them, is a keen motivator to take control of your digital assets. If the only thing you take away from this blog is to introduce a new in-house security policy, that is a success. All of this takes time and resources to implement, but it is a necessary part of managing your information systems.</p>

<h3 id="references">References</h3>

<p>IBM. (2022), <em>Cost of a Data Breach Report 2022.</em> <strong>IBM</strong> [Accessed on 24th November 2023]</p>

<p>Gorman, Ben. (July 14, 2023), <em>Different Types of Hackers: White Hat, Black Hat, Gray Hat, and More.</em> <strong>AVG</strong> [Online] [Accessed on 25th November 2023] https://www.avg.com/en/signal/types-of-hackers</p>

<p>ISMS. (no date), <em>Information Security Policy</em> [Online] [Accessed on 25th November 2023] https://www.isms.online/information-security/policy/</p>

<p>Death, Darren (October 2023), <em>Information Security Handbook.</em> Second Edition, Packt Publishing.</p>

<p>RiskXChange. (no date), <em>What Is the CIA Triad Security Model?</em> <strong>RiskXChange</strong> [Accessed on 25th November 2023] https://riskxchange.co/1006933/what-is-the-cia-triad/</p>

<p>ITGovernance. (2023), <em>ISO 27005.</em> [Online] [Accessed on 29th November 2023] https://www.itgovernance.co.uk/iso27005</p>

<p>BBC. (July 8, 2019), <em>British Airways faces record £183m fine for data breach</em> [Accessed on 29th November 2023] https://www.bbc.co.uk/news/business-48905907</p>

<p>Marko Dinic. (May 02, 2022), <em>A Complete Guide to Encryption — Data at Rest, Data in Motion and Data in Use.</em> [Accessed on 1st December 2023] https://jatheon.com/blog/data-at-rest-data-in-motion-data-in-use/</p>

<p>Kyle Chin. (Aug 11, 2023), <em>List of Cybersecurity Laws and Regulations in the UK.</em> [Accessed on 1st December 2023] https://www.upguard.com/blog/cybersecurity-laws-regulations-uk</p>

<p>UK Government (May 03, 2023), <em>The Network and Information Systems Regulations 2018.</em> [Accessed on 2nd December 2023] https://www.legislation.gov.uk/uksi/2018/506</p>]]></content><author><name>Ross Greenall</name></author><category term="Cybersecurity" /><category term="Policy" /><summary type="html"><![CDATA[📖]]></summary></entry><entry><title type="html">How To: Using Enum4Linux to Enumerate Information from Windows &amp;amp; Samba Systems.</title><link href="https://rossgr.github.io/blogs/enum4linux/" rel="alternate" type="text/html" title="How To: Using Enum4Linux to Enumerate Information from Windows &amp;amp; Samba Systems." /><published>2024-10-13T00:00:00-07:00</published><updated>2024-10-13T00:00:00-07:00</updated><id>https://rossgr.github.io/blogs/blog-post-2</id><content type="html" xml:base="https://rossgr.github.io/blogs/enum4linux/"><![CDATA[<p>🛠️</p>

<h3 id="what-is-enum4linux"><strong>What is enum4linux?</strong></h3>

<p>Enum4Linux is a tool that allows you to enumerate information from Windows and Samba systems. Samba is an open-source implementation of the <strong>Server Message Block (SMB)</strong> protocol for Unix systems (Robert Sheldon, no date). The Samba platform allows communication between Unix and Windows hosts on a network. This allows Unix hosts to access Windows file and print services and is a vital component in integrating Linux/Unix servers into Active Directory environments (Samba, no date).</p>

<p>Enum4linux is a Perl script that wraps tools from the Samba suite (smbclient, rpcclient, net and nmblookup) so that a penetration tester can retrieve information about a target system, including its operating system, user and group membership, workgroup or domain membership and even its password policy, all with one tool. It attempts to replicate the functionality of enum.exe on Windows machines. (Kali, 2023).</p>

<hr />

<h3 id="what-will-this-tutorial-cover"><strong>What will this tutorial cover?</strong></h3>

<p>In this tutorial, I will cover the concepts of why using a tool like enum4linux is important in the reconnaissance phase of a penetration test. I will show you how to access enum4linux and install it on Kali (if it has not been pre-installed on your system). I will also use the Basic Pentesting box from TryHackMe to demonstrate the tool and its numerous different settings.</p>

<hr />

<h3 id="what-is-enumeration"><strong>What is Enumeration?</strong></h3>

<p><img src="/images/enum4linuxpen.png" alt="" /></p>

<p><em><strong>Figure 1:</strong> The 5 penetration testing stages.</em> (Cyril, 2023).</p>

<p>A penetration test has 5 stages. The first, planning and reconnaissance, is as important as any other. During this phase the scope of the test is defined along with the goals it aims to achieve. The tester can then begin reconnaissance: gathering intelligence about the target, such as network information, to deepen their understanding of it and identify potential weaknesses.</p>

<p>Enum4linux allows a pentester to extract valuable information about a potential target, such as operating system information, network infrastructure or hostnames for specific devices that may produce a weakness that can be exploited.</p>

<p>There are several different forms of enumeration. To learn more about these types, I refer you to this article by EC-Council <a href="https://www.eccouncil.org/cybersecurity-exchange/ethical-hacking/enumeration-ethical-hacking/">https://www.eccouncil.org/cybersecurity-exchange/ethical-hacking/enumeration-ethical-hacking/</a>.</p>

<hr />

<h3 id="legal-and-ethical-issues">Legal and Ethical Issues.</h3>

<p>It is important to note that using tools such as enum4linux against targets you do not have explicit permission to test is a crime under most countries’ laws. The severity of the sentence for acting without consent depends on where in the world you are. Any “hacking” tool should be treated with respect, and it is important to understand the technical details of what it does before putting it to use.</p>

<p>In the United Kingdom, the Computer Misuse Act 1990 was introduced to deal with people who use computer systems to gain unauthorised access to private data, unauthorised access with intent to commit further offences, and unauthorised acts intended to impair or restrict the operation of a computer. (Computer Misuse Act 1990). There are plenty of online and offline testing environments where you can use these tools without breaking any laws.</p>

<p>This also takes into account the ethical guidelines we must follow as security professionals. Even if you have been given permission to use these tools on a network, you must still consider whether it is ethical to do so. Be responsible and transparent when engaging with another person’s computer systems.</p>

<h3 id="installing-enum4linux"><strong>Installing enum4linux.</strong></h3>

<p>If enum4linux did not come preinstalled with your version of Kali Linux, you can install it and its dependencies using this command.</p>

<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">sudo </span>apt <span class="nb">install </span>enum4linux
</code></pre></div></div>

<p><img src="/images/enum4linuxkali1.png" alt="" /></p>

<p><em><strong>Figure 2.</strong> Screenshot from Kali Linux showing installation of enum4linux.</em></p>

<hr />

<h3 id="using-enum4linux"><strong>Using enum4linux.</strong></h3>

<p>Accessing the help pages for enum4linux will give us all the information we need on what the tool can accomplish for us. To view this, we can use the commands:</p>

<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>enum4linux <span class="nt">--help</span>
enum4linux <span class="nt">-h</span>
</code></pre></div></div>

<p><img src="/images/enum4linuxkali2.png" alt="" /></p>

<p><em><strong>Figure 3.</strong> Screenshot highlighting the help pages provided with enum4linux.</em></p>

<p>As you can see from the help pages, there are many options available when using enum4linux. We will run through each of these individually to get a better understanding of how they are used. All you need to follow along is your own virtual machine running Kali and access to a vulnerable machine such as Metasploitable or a box from TryHackMe. For this tutorial I will be using the Basic Pentesting box from TryHackMe, available at <a href="https://tryhackme.com/room/basicpentestingjt">https://tryhackme.com/room/basicpentestingjt</a>. This is not a walkthrough of the box; it merely showcases the enumeration step that follows the initial nmap scan results, but you are welcome to follow along at home.</p>

<hr />

<h3 id="getting-the-user-list"><strong>Getting The User list.</strong></h3>

<p>The first option at our disposal is “-U”, which lists the user accounts on the target by querying its SAM database over RPC (by default as an anonymous null session; supply credentials with “-u” and “-p” if you have them). To use this option, type the following into the terminal.</p>

<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>enum4linux <span class="nt">-U</span> <span class="nv">$IP_ADDRESS</span>
</code></pre></div></div>

<p>If that is unsuccessful, for example because the target refuses to list users over a null session, we can use the “-r” option instead. This uses a technique known as RID cycling to brute force the user list: by default enum4linux tries RIDs 500 to 550 and 1000 to 1050, and “-R” accepts a different range. To use RID cycling mode:</p>

<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>enum4linux <span class="nt">-r</span> <span class="nv">$IP_ADDRESS</span>
</code></pre></div></div>

<p><strong>What is RID Cycling?</strong></p>

<p>A Relative Identifier (RID) is the final sub-authority of a Security Identifier (SID), the value Windows and Samba use to identify accounts and groups. (HackTricks, 2023) Every account or group in a domain has a SID formed by appending a RID to the domain SID, so all principals in one domain share the same prefix and differ only in the last number. Some RIDs are well known (500 is the built-in Administrator, 501 Guest, 512 Domain Admins) and newly created accounts are allocated RIDs from 1000 upwards, so the space is small and predictable and can be walked by asking the server to resolve each candidate SID in turn. (Microsoft, 2023).</p>

<p><img src="/images/enum4linuxkali3.png" alt="" /></p>

<p><em><strong>Figure 4.</strong> Result of using RID cycling to extract user information from target.</em></p>

<p>After running this command, we can see that enum4linux first obtained the domain SID(s) of the target and then, by resolving each candidate SID in turn, located two Unix users, kay and jan.</p>
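<p>To make the mechanism concrete, here is an added example (written for this post, not enum4linux’s own code) that walks through RID cycling offline: it splits a SID into domain SID and RID, generates the candidate SIDs enum4linux -r tries by default, and parses lookupsids-style result lines into the accounts behind them. The domain SID, the EXAMPLE domain and the account names in the sample output are constructed to match rpcclient’s line format and are not taken from the lab box.</p>

```python
"""RID cycling worked through offline.

This is an added example written for this tutorial; it is not enum4linux's own
code. It reproduces the two steps enum4linux -r automates: building candidate
SIDs from a domain SID plus a range of RIDs, and parsing the lines that
`rpcclient -c "lookupsids <sid> ..."` prints for each candidate. The rpcclient
output below is constructed sample data in rpcclient's line format; the domain
SID and account names are invented, so nothing here touches the network.
"""
import re
from dataclasses import dataclass

# Well-known RIDs present on every Windows or Samba domain (Microsoft, Security Identifiers).
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 512: "Domain Admins", 513: "Domain Users"}

# SID_NAME_USE codes that lookupsids prints in brackets: 1 user, 2 domain group, 4 alias, 8 unknown.
SID_TYPE = {1: "user", 2: "group", 4: "alias", 8: "unknown"}

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")
# One lookupsids result line: "<SID> <DOMAIN>\<name> (<type>)"
LOOKUP_RE = re.compile(r"^(S-1-\d+(?:-\d+)+)\s+([^\\]*)\\(.*?)\s+\((\d+)\)\s*$")


def split_sid(sid: str) -> tuple:
    """Return (domain SID, RID). The RID is the last sub-authority, a plain decimal integer."""
    if not SID_RE.match(sid):
        raise ValueError(f"not a SID: {sid!r}")
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def candidate_sids(domain_sid: str, ranges=((500, 550), (1000, 1050))):
    """Yield the SIDs enum4linux -r tries by default (RIDs 500-550 and 1000-1050; -R changes this)."""
    for lo, hi in ranges:
        for rid in range(lo, hi + 1):
            yield f"{domain_sid}-{rid}"


@dataclass(frozen=True)
class Principal:
    rid: int
    domain: str
    name: str
    kind: str


def parse_lookupsids(output: str) -> list:
    """Parse rpcclient lookupsids output, dropping RIDs the server reports as unknown (type 8)."""
    found = []
    for line in output.splitlines():
        m = LOOKUP_RE.match(line.strip())
        if not m:
            continue
        sid, domain, name, kind = m.groups()
        if int(kind) == 8:
            continue  # unallocated RID, nothing behind it
        found.append(Principal(split_sid(sid)[1], domain, name, SID_TYPE.get(int(kind), kind)))
    return found


def users_only(principals) -> list:
    """Account names suitable for a later password attack, sorted for stable output."""
    return sorted(p.name for p in principals if p.kind == "user")


# Constructed sample output, in rpcclient's format. Not captured from any real host.
SAMPLE_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_LOOKUPSIDS_OUTPUT = r"""
S-1-5-21-1111111111-2222222222-3333333333-500 EXAMPLE\Administrator (1)
S-1-5-21-1111111111-2222222222-3333333333-501 EXAMPLE\Guest (1)
S-1-5-21-1111111111-2222222222-3333333333-513 EXAMPLE\Domain Users (2)
S-1-5-21-1111111111-2222222222-3333333333-999 *unknown*\*unknown* (8)
S-1-5-21-1111111111-2222222222-3333333333-1000 EXAMPLE\kay (1)
S-1-5-21-1111111111-2222222222-3333333333-1001 EXAMPLE\jan (1)
S-1-5-21-1111111111-2222222222-3333333333-1002 *unknown*\*unknown* (8)
"""

if __name__ == "__main__":
    print(f"candidate SIDs to resolve: {len(list(candidate_sids(SAMPLE_DOMAIN_SID)))}")
    for p in parse_lookupsids(SAMPLE_LOOKUPSIDS_OUTPUT):
        label = WELL_KNOWN_RIDS.get(p.rid, "")
        print(f"RID {p.rid:>5}  {p.kind:<7} {p.domain}\\{p.name}  {label}")
    print("users:", users_only(parse_lookupsids(SAMPLE_LOOKUPSIDS_OUTPUT)))
```

<p>Run it with python3 to see the five resolved principals printed and the two unknown RIDs silently dropped. Against a real target the same parser would consume the output of rpcclient, run once per candidate SID with an anonymous session, which is what enum4linux does behind -r; the only difference is the network round trip.</p>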

<aside>
💡 This information is important as we could use it in several different ways to gain access to various aspects of the network. One example could be using Hydra to bruteforce the SSH logins of these users.

</aside>

<hr />

<h3 id="enumerating-password-policy-information">Enumerating Password Policy Information.</h3>

<p>Next up, we have the password policy option on enum4linux. To use this option, we can use the flag “-P” as seen on the help pages.</p>

<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>enum4linux <span class="nt">-P</span> <span class="nv">$IP_ADDRESS</span>
</code></pre></div></div>

<p>This option returns the password policy in force on the domain associated with the target IP address. This information can be incredibly useful in the later stages of a penetration test: if we need to brute force passwords, we can adjust our settings to match the requirements the server enforces when a password is set, discarding candidates that could never have been accepted and pacing attempts around any lockout threshold. This reduces the number of attempts, the noise they generate and the computing power required to gain entry.</p>

<p><img src="/images/enum4linuxkali4.png" alt="" /></p>

<p><em><strong>Figure 5.</strong> Output from enum4linux using password policy option.</em></p>

<p>After running the command we see the following output. For the domain on the IP address we provided there is a password policy with a minimum password length of 5 and a maximum password age of 37 days, 6 hours and 21 minutes. It is also clear that there is no account lockout threshold. This tells us that if we were to brute force a password with a tool such as Hydra, the domain policy itself would never lock us out, however many attempts we make. It does not mean the attempts go unnoticed: failed logins are still logged, and a service such as SSH may sit behind its own rate limiting or a tool such as fail2ban, so the attempt count should still be kept to what a policy-filtered wordlist requires.</p>
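<p>The following added example (not part of enum4linux or the original post) turns the policy we just read into brute-force settings: it filters a wordlist down to passwords the server could actually have accepted, and it lays out a password spray whose per-account attempts stay under a lockout threshold. It generalises beyond this box by also handling a complexity requirement and a non-zero lockout threshold; the wordlist, user names and policy objects are constructed sample data.</p>

```python
"""From an enumerated password policy to brute-force settings.

Added example for this tutorial, not part of enum4linux. The policy values
mirror what the tutorial reads off the -P output (minimum length 5, no lockout
threshold); the complexity flag and the lockout-aware spraying generalise
beyond that one box. The wordlist is a constructed sample and Hydra is not
invoked: these functions only decide which candidates are worth sending and
how many can be sent per account without tripping a lockout.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int
    complexity: bool = False      # Windows "password must meet complexity requirements"
    lockout_threshold: int = 0    # 0 means no lockout, as on the tutorial's target
    lockout_window_min: int = 0   # observation window in minutes (0 when there is no lockout)


def meets_complexity(pw: str) -> bool:
    """Windows complexity rule: characters from at least three of four classes."""
    classes = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(bool(re.search(c, pw)) for c in classes) >= 3


def viable_candidates(wordlist, policy: PasswordPolicy) -> list:
    """Drop candidates the server could never have accepted; keep wordlist order, remove duplicates."""
    seen = set()
    out = []
    for pw in wordlist:
        if pw in seen or len(pw) < policy.min_length:
            continue
        if policy.complexity and not meets_complexity(pw):
            continue
        seen.add(pw)
        out.append(pw)
    return out


def safe_attempts_per_window(policy: PasswordPolicy):
    """Guesses per account per observation window that stay below the lockout threshold.
    None means unlimited: no lockout policy is set."""
    if policy.lockout_threshold == 0:
        return None
    return policy.lockout_threshold - 1


def spray_rounds(users, candidates, policy: PasswordPolicy) -> list:
    """Order guesses as a password spray: each round tries a few passwords against every
    user, never more per user than the lockout allows, so one round fits in one window."""
    safe = safe_attempts_per_window(policy)
    if safe == 0:
        return []  # a single failure locks the account; no spray is safe
    per_round = safe or len(candidates)
    rounds = []
    for i in range(0, len(candidates), max(per_round, 1)):
        batch = candidates[i:i + per_round]
        rounds.append([(user, pw) for pw in batch for user in users])
    return rounds


# Constructed sample wordlist; the duplicate and the too-short entries are deliberate.
SAMPLE_WORDLIST = ["123", "12345", "password", "Password1!", "12345", "abcd", "kay2023"]
# Policy as read from the tutorial's -P output: minimum length 5, no lockout.
TUTORIAL_POLICY = PasswordPolicy(min_length=5)

if __name__ == "__main__":
    cands = viable_candidates(SAMPLE_WORDLIST, TUTORIAL_POLICY)
    print("candidates:", cands)
    print("per-window limit:", safe_attempts_per_window(TUTORIAL_POLICY))
    for n, r in enumerate(spray_rounds(["kay", "jan"], cands, TUTORIAL_POLICY), 1):
        print(f"round {n}: {r}")
```

<p>With the tutorial’s policy (minimum length 5, no lockout) the per-window limit comes back as None and the spray collapses into a single round. The same code against a domain with a lockout threshold of 5 keeps every round to 4 guesses per account, which is the number to budget per account per observation window when configuring Hydra or pausing between rounds.</p>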

<hr />

<h3 id="enumerating-share-information"><strong>Enumerating Share Information.</strong></h3>

<p><img src="/images/enum4linuxkali5.png" alt="" /></p>

<p><em><strong>Figure 6.</strong> Output from share enumeration setting on enum4linux.</em></p>

<p>The share enumeration option lists the shares exported by the target: named directories and services exposed over SMB, each of which may contain files and folders. This includes default or administrative shares such as IPC$, the share through which named pipes are opened for inter-process communication and remote procedure calls. (NetApp, 2023) We can also see another share called Anonymous, a disk-type share, which could contain folders and files that yield valuable information in a penetration test. enum4linux also attempts to connect to each share it finds and reports whether it could be mapped and listed, which is the quickest indicator of anonymous access. To use this option:</p>

<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>enum4linux <span class="nt">-S</span> <span class="nv">$IP_ADDRESS</span>
</code></pre></div></div>

<hr />

<h3 id="extracting-printer-information"><strong>Extracting Printer Information.</strong></h3>

<p>This option (“-i”) is self-explanatory: it reports any printers the target shares over SMB. In this example we can see that there are none. Shared printers are still worth noting where they exist, since some are misconfigured to expose their administrative panels, and a simple Denial of Service (DoS) attack could leave a business unable to print documents.</p>

<p><img src="/images/enum4linuxkali6.png" alt="" /></p>

<p><em><strong>Figure 7.</strong> Output of running printer information option on enum4linux.</em></p>

<hr />

<h3 id="finding-operating-system-information"><strong>Finding Operating System Information.</strong></h3>

<p><img src="/images/enum4linuxkali7.png" alt="" /></p>

<p><em><strong>Figure 8.</strong> Output of running OS information setting on enum4linux.</em></p>

<p>If we are running enum4linux we already know the target speaks SMB, so it is probably either a Windows server or a Samba server on Unix/Linux, but it is still important to pin down the exact type and version. That information can highlight outdated software or misconfigured network settings that can be exploited in the later stages of a penetration test.</p>

<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>enum4linux <span class="nt">-o</span> <span class="nv">$IP_ADDRESS</span>
</code></pre></div></div>

<p>When we run the OS detection option, enum4linux uses two methods to retrieve this information: one using smbclient, which reads the OS and server strings the target sends during SMB session setup, and one using rpcclient’s srvinfo command, which returns the server’s name, OS version, platform and server type. In the example given smbclient did not return any information, so enum4linux fell back to srvinfo. It is also possible to use other tools such as Nmap to retrieve OS information. When we are not sure what our target is, using Nmap for this first is the best approach: we then see what is running on the target and can focus our further enumeration with a tool such as enum4linux.</p>

<hr />

<h3 id="in-conclusion">In Conclusion.</h3>

<p>After reading through this tutorial, you should feel more comfortable using enum4linux to perform enumeration and reconnaissance during the initial phase of a penetration test. Whether you run the full set of checks or target one specific type of information, the tool produces a lot of useful data about Windows and Samba systems. This data can help you understand how a target network functions and provide the details that later determine an avenue of exploitation. Hopefully you can now see the value of this tool and its uses in the industry.</p>

<hr />

<h3 id="references"><strong>References</strong></h3>

<p>Robert Sheldon. (no date), <em>Server Message Block protocol (SMB Protocol)</em> <strong>TechTarget</strong> [Accessed on 2nd December 2023] https://www.techtarget.com/searchnetworking/definition/Server-Message-Block-Protocol</p>

<p>Samba. (no date), <em>Samba Homepage</em> Samba.org [Accessed on 2nd December 2023] <a href="https://www.samba.org/samba/">https://www.samba.org/samba/</a></p>

<p>Kali. (November 24, 2023), <em>enum4linux</em> [Accessed on 2nd December 2023] <a href="https://www.kali.org/tools/enum4linux/">https://www.kali.org/tools/enum4linux/</a></p>

<p>Cyril (January 25, 2023), <em>Comprehensive Guide to Penetration Testing (Security Testing),</em> <strong>SecureTriad.</strong> [Accessed on 2nd December 2023] https://securetriad.io/penetration-testing/</p>

<p>HackTricks (September 03, 2023), <em>rpcclient enumeration</em> [Accessed on 2nd December 2023] <a href="https://book.hacktricks.xyz/network-services-pentesting/pentesting-smb/rpcclient-enumeration">https://book.hacktricks.xyz/network-services-pentesting/pentesting-smb/rpcclient-enumeration</a></p>

<p>Microsoft (September 09, 2023), <em>Security Identifiers</em> [Accessed on 2nd December 2023] https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers</p>

<p>NetApp (January 01, 2023) <em>What the default administrator shares are.</em> [Accessed on 3rd December 2023] https://docs.netapp.com/us-en/ontap/smb-admin/default-administrative-shares-concept.html</p>

<p>Computer Misuse Act 1990 c. 18 Available at: <a href="https://www.legislation.gov.uk/ukpga/1990/18/contents">https://www.legislation.gov.uk/ukpga/1990/18/contents</a> [Accessed on 3rd December 2023]</p>]]></content><author><name>Ross Greenall</name></author><category term="Tools" /><category term="Linux" /><category term="SMB" /><summary type="html"><![CDATA[🛠️]]></summary></entry></feed>