Overview
This article guides you on using the GFI LanGuard Utilities to audit the network and gather various information, in particular to:
- gather network information
- enumerate computers
- audit network devices
- enumerate users.
Information
The following utilities are available from the GFI LanGuard console Utilities tab:
- DNS Lookup
- Traceroute
- Whois
- Enumerate Computers
- Enumerate Users
- SNMP Auditing
- SNMP Walk
- SQL Server Audit
DNS Lookup
DNS Lookup resolves domain names into the corresponding IP address and retrieves particular information from the target domain (for example, MX records).
- Select DNS Lookup in the left pane under the Tools section.
- Specify the hostname in the Hostname/IP to resolve field.
- Under Common Tasks in the left pane, click on Edit DNS Lookup options or click Options on the right pane.
- Specify the information described below:
Option | Description |
---|---|
Basic Information | Retrieve the hostname and the relative IP address. |
Host Information | Retrieve HINFO details. The host information (known as HINFO) generally includes target computer information such as hardware specifications and OS details. |
Aliases | Retrieve information on the ‘A Records’ configured on the target domain. |
MX Records | Enumerate all the mail servers and the order (i.e., priority) to receive and process emails for the target domain. |
NS Records | Specify the ‘name-servers’ that are authoritative for a particular domain or subdomain. |
- (Optional) Specify the alternative DNS server that will be queried by the DNS Lookup tool.
- Click Retrieve to start the process.
Some DNS entries do not contain certain information for security reasons.
Traceroute
Traceroute performs a simple trace to a given machine name or IP address and returns all hops.
- Select Traceroute in the left pane under the Tools section.
- In the Trace (domain/IP/name) field, specify the name/IP or domain to reach.
- (Optional) Under Common Tasks in the left pane, click on Edit Traceroute options or click Options on the right pane to change the default options.
- Click on the Traceroute button to start the tracing process.
Traceroute will break down the path taken to a target computer into ‘hops.’ A hop indicates a stage and represents a traversed computer during this step of the process.
The information enumerated by this tool includes the IP of traversed computers, the number of times a computer was traversed, and the time taken to reach the respective computer. An icon is also included next to each hop. This icon indicates the state of that particular hop. The icons used in this tool include:
Icon | Description |
---|---|
(icon not shown) | Indicates a successful hop taken within normal parameters. |
(icon not shown) | Indicates a successful hop, but the time required was quite long. |
(icon not shown) | Indicates a successful hop, but the time required was too long. |
(icon not shown) | Indicates that the hop was timed out (> 1000ms). |
Whois
Whois looks up information on a particular domain or IP address.
- Select Whois in the left pane under the Tools section.
- In the Query (domain/IP/name) menu, specify the name/IP or domain to reach.
- (Optional) From Common Tasks in the left pane, click Edit Whois options or Options on the right pane to change the Whois server to query.
- Click Retrieve to start the process.
Enumerate Computers
The Enumerate Computers utility identifies domains and workgroups on a network. During execution, this tool will also scan each domain/workgroup discovered to enumerate their respective computers.
The information includes:
- The domain or workgroup name
- The list of domain/workgroup computers
- The operating system installed on the discovered computers
- Any additional details that might be collected through NetBIOS.
Computers are enumerated using one of the following methods:
Option | Description |
---|---|
From Active Directory® | This method is much faster and will include computers that are currently switched off. You need to run the tool under an account with access rights to Active Directory to use this option successfully. |
From Windows Explorer | This method enumerates computers through a real-time network scan, and therefore, it is slower and will not include computers that are switched off. |
To enumerate computers:
- Select Enumerate Computers in the left pane under the Tools section.
- Select the desired domain.
- From Common Tasks in the left pane, click Edit Enumerate Computers options or Options on the right pane.
- Select whether to enumerate computers from Active Directory® or Windows Explorer.
- Click Retrieve to start the process.
Once you have a list of enumerated computers, you can select one or more machines, right-click them, and:
- Select Scan to start a security scan on the selected computers and, at the same time, continue using the Enumerate Computers tool.
- Select Deploy Custom Patches to deploy custom patches and third-party software on the selected computers.
- Select Enable Auditing Policies. This will launch the Auditing Policies configuration Wizard that will guide you through the selected computers' auditing policies configuration process.
Enumerate Users
To scan Active Directory® and retrieve the list of all users and contacts, along with their state attributes such as disabled/locked accounts and ‘Password never expires’ statuses:
- Select Enumerate Users in the left pane under the Tools section.
- Select the domain.
- From Common Tasks in the left pane, click Edit Enumerate Users options or Options on the right pane to filter the information to extract and display only the users or contact details. You can also optionally configure this tool to highlight disabled or locked accounts.
- Click Retrieve to start the process.
This utility can enable or disable enumerated user accounts. Right-click on the account and select Enable/Disable account accordingly.
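The account states listed above map onto standard Active Directory attributes. The following is an added example, not GFI LanGuard code: it assumes the states are read from `userAccountControl` and `lockoutTime` (the page does not say how the tool derives them) and runs over a constructed LDIF-style export.

```python
# userAccountControl bits documented by Microsoft for Active Directory.
UF_ACCOUNTDISABLE = 0x0002
UF_DONT_EXPIRE_PASSWD = 0x10000

# Constructed LDIF-style export of three user objects (plain "attr: value"
# lines, no base64 values or folded lines).
SAMPLE_LDIF = """\
dn: CN=Alice Example,OU=Staff,DC=example,DC=test
sAMAccountName: alice
userAccountControl: 512
lockoutTime: 0

dn: CN=Svc Backup,OU=Service,DC=example,DC=test
sAMAccountName: svc_backup
userAccountControl: 66048

dn: CN=Bob Example,OU=Staff,DC=example,DC=test
sAMAccountName: bob
userAccountControl: 514
lockoutTime: 133500000000000000
"""

def parse_ldif(text):
    """Split the export into one {attribute: value} dict per entry."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            entry[key] = value
        entries.append(entry)
    return entries

def account_state(entry):
    """Return the state labels that apply to one user entry."""
    uac = int(entry.get("userAccountControl", "0"))
    states = []
    if uac & UF_ACCOUNTDISABLE:
        states.append("disabled")
    # A non-zero lockoutTime records a lockout; whether it is still in force
    # depends on the domain's lockout duration policy.
    if int(entry.get("lockoutTime", "0")) != 0:
        states.append("lockout recorded")
    if uac & UF_DONT_EXPIRE_PASSWD:
        states.append("password never expires")
    return states

def report(text):
    """Map each sAMAccountName to its list of state labels."""
    return {e["sAMAccountName"]: account_state(e) for e in parse_ldif(text)}
```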
SNMP Auditing
LanGuard uses the Simple Network Management Protocol (SNMP) to obtain information, like hardware specifications and operating system versions, from network devices, such as servers, computers, printers, hubs, switches, and routers. Through SNMP, LanGuard can monitor network performance, audit network usage, and detect network faults.
GFI LanGuard supports SNMPv1 and SNMPv2c. SNMPv3 and SNMP over TLS / DTLS are NOT supported.
This tool identifies and reports weak SNMP community strings by performing a dictionary attack using the values stored in its default dictionary file (snmp-pass.txt).
- Select SNMP Audit in the left pane under the Tools section.
- Specify the IP to reach.
- From Common Tasks in the left pane, click Edit SNMP Audit options, or use the Options button in the top-right section of the screen to edit the default options.
- Click Retrieve to start the process.
You can add new community strings to the default dictionary file by using a text editor. Another option available is using other dictionary files by specifying the dictionary file path from the Options dialog.
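The same dictionary can be used to review a device's configuration offline before an audit finds the weakness over the network. The following is an added example, not GFI LanGuard code: it assumes a one-string-per-line dictionary layout and a net-snmp style `snmpd.conf`, and both samples are constructed.

```python
import re

# Constructed sample dictionary, one community string per line (the layout
# assumed for snmp-pass.txt); not the file shipped with the product.
SAMPLE_DICTIONARY = "public\nprivate\nadmin\ncisco\n"

# Constructed net-snmp style snmpd.conf for a device under review.
SAMPLE_SNMPD_CONF = """\
# monitoring access
rocommunity public
rwcommunity Private 10.0.0.0/24
rocommunity k7Vq2-monitoring 10.0.5.10
rouser auditor authPriv
"""

# rocommunity/rwcommunity (and the IPv6 forms) define SNMPv1/v2c access.
DIRECTIVE = re.compile(r"^(r[ow]community6?)\s+(\S+)(?:\s+(\S+))?")

def load_dictionary(text):
    """Return the lower-cased set of candidate community strings."""
    return {ln.strip().lower() for ln in text.splitlines() if ln.strip()}

def audit_snmpd_conf(conf_text, dictionary):
    """Return (line_no, community, issues) for each risky community line."""
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        match = DIRECTIVE.match(line)
        if line.startswith("#") or not match:
            continue
        directive, community, source = match.groups()
        issues = []
        # Case-insensitive match: "Private" is no stronger than "private".
        if community.lower() in dictionary:
            issues.append("in dictionary")
        if directive.startswith("rw"):
            issues.append("read-write access")
        if source in (None, "default"):
            issues.append("no source restriction")
        if issues:
            findings.append((line_no, community, issues))
    return findings

if __name__ == "__main__":
    words = load_dictionary(SAMPLE_DICTIONARY)
    for line_no, community, issues in audit_snmpd_conf(SAMPLE_SNMPD_CONF, words):
        print(f"line {line_no}: {community!r}: {', '.join(issues)}")
```

The `rouser` line is skipped because it defines SNMPv3 access, which has no community string to guess.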
SNMP Walk
To probe your network nodes and retrieve SNMP information (for example, OIDs):
- Select SNMP Walk in the left pane under the Tools section.
- Specify the IP to scan for SNMP information.
- From Common Tasks in the left pane, click Edit SNMP Audit options. Alternatively, use the Options button available in the top-right section of the screen to provide alternative community strings.
- Click Retrieve to start the process.
SNMP activity is normally blocked at the router/firewall so that internet users cannot SNMP scan your network. Malicious users can use information collected through SNMP scanning to hack your network or systems. Unless this service is required, it is highly recommended to disable it.
SQL Server Audit
This tool enables you to test the password vulnerability of any SQL user accounts configured on the SQL Server®. During the audit process, this tool will perform dictionary attacks using the credentials specified in the ‘passwords.txt’ dictionary file.
- Select SQL Server Audit in the left pane under the Tools section.
- Specify the IP address of the SQL Server® that you wish to audit.
- From Common Tasks in the left pane, click Edit SQL Server® Audit options or the Options button on the right pane to edit the default options such as performing dictionary attacks on all the other SQL user accounts.
- Click Audit to start the process.
You can add new passwords to the default dictionary file by using a text editor. Another option available is using other dictionary files by specifying the file path from the SQL Server Audit Options dialog Dictionary Database tab.