Enumeration

1. Enumeration

2. Local IP addresses(review) Some special IP addresses localhost 127.0.0.1 (loopback address) Internal networks Class A 10.0.0.0 Class B 172.16.0.0 to 172.31.0.0 Class C 192.168.0.0 to 192.168.255.0 Machines behind a firewall can use these internal IP numbers to communicate among them. Only the firewall machine/device (host) needs to have an IP address valid in the Internet.

3. What is enumeration? Categories network resources and shares users and groups applications and banners Techniques (OS specific) Windows UNIX/Linux Obtain information about accounts, network resources and shares.

4. Windows applications and banner enumeration Telnet and netcat: same in NT and UNIX. Telnet: Connect to a known port and see the software it is running, as in this example. Netcat: similar to telnet but provides more information. Countermeasures: log remotely in your applications and edit banners. FTP (TCP 21), SMTP (TCP 25) : close ftp, use ssh (we will see it later). Disable telnet in mail servers, use ssh. Registry enumeration: default in Win2k and above Server is Administrators only. Tools: regdmp (NTResource Kit) and DumpSec (seen previously). Countermeasures: be sure the registry is set for Administrators only and no command prompt is accessible remotely (telnet, etc). Novell, UNIX, SQL enumeration will be seen in another class.

5. Windows general security Protocols providing information: CIFS/SMB and NetBIOS, through TCP port 139, and another SMB port, 445. Banner enumeration is not the main issue. (UDP 137), Null session command: net use \\19x.16x.11x.xx\IPC$ “” /u:”” countermeasures: filter out NetBIOS related TCP, UDP ports 135-139 (firewall). disable NetBIOS over TCP/IP see ShieldsUp! page on binding. restrict anonymous using the Local Security Policy applet. More here. GetAcct bypasses these actions. Good source of system and hacking tools: Resource kits XP and 7. Some tools were re-written by hackers.

6. Windows network resources NetBIOS enumeration (if port closed, none work) NetBIOS Domain hosts: net view NetBios Name Table: nbtstatuse and example and nbtscan. NetBIOS shares: DumpSec, Legion, NetBIOS Auditing Tool (NAT), SMBScanner, NBTdump (use, output). Countermeasures: as discussed previously = close ports 135-139, disable NetBIOS over TCP/IP SNMP enumeration: SolarWinds IP Network Browser(commercial, see book). Countermeasures: Windows close port 445. Windows DNS Zone Transfers: Active Directory is based on DNS and create new vulnerability, but provides tool -- “Computer Management” Microsoft Management Console (MMC) -- to restrict zone transfers to certain IP numbers.

7. Windows: user and group enumeration Enumerating Users via NetBIOS: usernames and (common) passwords. Enum: use and output. DumpSec: output. Countermeasures: as before (close ports, no NetBIOS over TCP/IP) Enumerating Users using SNMP: SolarWinds IP Network Browser. See also snmputiland read more in the book. Windows Active Directory enumeration using ldp: Win 2k on added LDAP through the active directory -- you login once (the good) and have access to all resources (the security problem). Threat and countermeasures in the book (better dealt with in Operating Systems): close ports 389 and 3268, upgrade all systems to Win2k or above before migrating to Active Directory.