Enumeration. Local IP addresses (review). Some special IP addresses localhost 127.0.0.1 (loopback address) Internal networks Class A 10.0.0.0 Class B 172.16.0.0 to 172.31.0.0 Class C 192.168.0.0 to 192.168.255.0
Some special IP addresses
localhost 127.0.0.1 (loopback address)
Class A 10.0.0.0
Class B 172.16.0.0 to 172.31.0.0
Class C 192.168.0.0 to 192.168.255.0
Machines behind a firewall can use these internal IP numbers to communicate among them.
Only the firewall machine/device (host) needs to have an IP address valid in the Internet.
network resources and shares
users and groups
applications and banners
Techniques (OS specific)
Obtain information about accounts, network
resources and shares.
Telnet and netcat: same in NT and UNIX.
Telnet: Connect to a known port and see the software it is running, as in this example.
Netcat: similar to telnet but provides more information.
Countermeasures: log remotely in your applications and edit banners.
FTP (TCP 21), SMTP (TCP 25) : close ftp, use ssh (we will see it later). Disable telnet in mail servers, use ssh.
Registry enumeration: default in Win2k and above Server is Administrators only.
Tools: regdmp (NTResource Kit) and DumpSec (seen previously).
Countermeasures: be sure the registry is set for Administrators only and no command prompt is accessible remotely (telnet, etc).
Novell, UNIX, SQL enumeration will be seen in another class.
Protocols providing information: CIFS/SMB and NetBIOS, through TCP port 139, and another SMB port, 445.
Banner enumeration is not the main issue. (UDP 137),
Null session command: net use \\19x.16x.11x.xx\IPC$ “” /u:””
filter out NetBIOS related TCP, UDP ports 135-139 (firewall).
disable NetBIOS over TCP/IP see ShieldsUp! page on binding.
restrict anonymous using the Local Security Policy applet. More here. GetAcct bypasses these actions.
Good source of system and hacking tools: Resource kits XP and 7. Some tools were re-written by hackers.
NetBIOS enumeration (if port closed, none work)
NetBIOS Domain hosts: net view
NetBios Name Table: nbtstatuse and example and nbtscan.
NetBIOS shares: DumpSec, Legion, NetBIOS Auditing Tool (NAT), SMBScanner, NBTdump (use, output).
Countermeasures: as discussed previously = close ports 135-139, disable NetBIOS over TCP/IP
SNMP enumeration: SolarWinds IP Network Browser(commercial, see book).
Countermeasures: Windows close port 445.
Windows DNS Zone Transfers: Active Directory is based on DNS and create new vulnerability, but provides tool -- “Computer Management” Microsoft Management Console (MMC) -- to restrict zone transfers to certain IP numbers.
Enumerating Users via NetBIOS: usernames and (common) passwords. Enum: use and output. DumpSec: output.
Countermeasures: as before (close ports, no NetBIOS over TCP/IP)
Enumerating Users using SNMP: SolarWinds IP Network Browser. See also snmputiland read more in the book.
Windows Active Directory enumeration using ldp: Win 2k on added LDAP through the active directory -- you login once (the good) and have access to all resources (the security problem).
Threat and countermeasures in the book (better dealt with in Operating Systems):
close ports 389 and 3268,
upgrade all systems to Win2k or above before migrating to Active Directory.