1 / 37

Enumerating

Enumerating. slides (c) 2012 by Richard Newman. based on Hacking Exposed 7 by McClure, Scambray, and Kurtz. What is Enumeration?. How does it differ from footprinting and scanning? – Footprinting did not necessarily attempt to access the target system(s) directly –

elundy
Download Presentation

Enumerating

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Enumerating slides (c) 2012 by Richard Newman based on Hacking Exposed 7 by McClure, Scambray, and Kurtz

  2. What is Enumeration? How does it differ from footprinting and scanning? – Footprinting did not necessarily attempt to access the target system(s) directly – Scanning involved transient contact – Enumeration involves establishing connections and directed queries Information typically gathered – User account names (for password attacks) – Misconfigured shared resources – Software version and patch state (for known vulnerabilities) Detailed examination of target systems Platform specific – how you interact depends on target service/system

  3. Service Fingerprinting Automated method – – – Nmap Version Scanning – Popularity=9; Simplicity=8; Impact=3; Risk Rating=7 – Use -sV switch – Can find “hidden” services (use same port as other service) Amap Version Scanning (thc.org/thc-amap/) – Popularity=9; Simplicity=8; Impact=3; Risk Rating=7 – Older than nmap – Uses different patterns, so gives a second opinion Easy to use, use likely to increase Generates a lot of traffic – likely to be noticed Takes significant time

  4. Vulnerability Scanners - 1 Automated VS tools – Use when stealth not required – Know defender is not monitoring – Moving too fast to care Countermeasures – Keep system patched – Do your own scans – IDS – detect (pretty noisy) – IPS – prevent (slow down attacks to discourage, delay attacker)

  5. Vulnerability Scanners - 2 Nessus Scanning (nessus.org/products/nessus) Popularity=9; Simplicity=9; Impact=6; Risk Rating=8 – Easy to use GUI – Kept up to date – Optimized performance – Client ported to iPhone and Android – Extendable with user-developed custom plug-ins – Nessus Attack Scripting Language (NASL) – Open source version OpenVAS (openvas.org) is free

  6. Vulnerability Scanners - 3 Nmap Scanning Engine (NSE) Scanning Popularity=7; Simplicity=6; Impact=5; Risk Rating=6 – Extendable with user-developed scripts – Lua interpreted language – Intended for specific probing – - - script or -sC options to run scripts

  7. Basic Banner Grabbing Popularity=5; Simplicity=9; Impact=1; Risk Rating=5 telnet Ascii-based interactive session client Can use to connect to many servers (ASCII-based) – – netcat “TCP/IP Swiss army knife” Allows file input for tedious probes – – Countermeasures – – – – Shut down unnecessary services Restrict access to services Disable banner display (vendor dependent) Do your own checks

  8. Common Network Services - 1 - FTP - Telnet - SMTP - DNS - TFTP - Finger - HTTP - MSRPC - NetBIOS Name Service - SMB Null Session

  9. Common Network Services - 2 - SNMP - BGP - Active Directory LDAP - Unix RPC - rwho, rusers - NIS - SQL Resolution Service - Oracle TNS - NFS - IPSec/IKE

  10. FTP Enumeration Popularity=1; Simplicity=10; Impact=1; Risk Rating=4 - File Transfer Protocol – TCP port 21 – Less used now – Allows upload of (malicious) files – Often allows anonymous access using any email address – Get banner – Determine access - Countermeasures – Turn off – Secure FTP (SFTP) uses SSH – FTP Secure (FTPS) uses SSL – HTTP for public information access

  11. Telnet Enumeration Popularity=4; Simplicity=9; Impact=3; Risk Rating=5 Telnet TCP 23 – – – – – – Countermeasures – – – – – Used for remote access Transmits data in cleartext Often displays host system info Even if it doesn't, the prompt may reveal system May be used for attacking accounts if lockout not used May reveal valid usernames from login attempts Turn off Use secure shell (SSH) instead Modify banner messages Modify error messages Account locking/drop connection on login failure

  12. SMTP Enumeration Popularity=5; Simplicity=9; Impact=1; Risk Rating=5 Simple Mail Transport Protocol – TCP 25 – Used universally for email transfer – ASCII protocol for requests/replies – VRFY – verify user names – EXPN – provide actual delivery email address of alias – vrfy.pl script allows a file containing a list of user names to be tested and valid user names reported Countermeasures – Configure to turn off VRFY and EXPN, or – Configure to require authentication/privileges to use them

  13. DNS Enumeration - 1 Popularity=5; Simplicity=9; Impact=2; Risk Rating=5 Domain Name Service (DNS) – TCP/UDP 53 – Used for footprinting already – UDP used for most interactions – TCP for zone transfers – Zone transfer dumps entire contents of zone files • HINFO, hostname-IP mappings – SRV records allow search by service type – Nslookup, dig to access – BIND (Berkeley Internet Name Domain) enumeration • Reveals BIND version • Often allows zone transfer

  14. DNS Enumeration - 2 Domain Name Service (DNS) – DNS Cache snooping • DNS servers cache responses to recent queries • Attacker can force server to only use cache – +norecurse option in dig • Find recent accesses (or not) to particular FQDN • Answer flag set to 0 if not, 1 if recent access – Automated DNS Enumeration • Dnsenum (code.google.com/p/dnsenum/) • Fierce.pl (ha.ckers.org/fierce) • Web services for same (e.g., centralops.net) Countermeasures – Two DNS servers – one for public, one for private use – Block DNS zone transfers except to authorized hosts – Block version.bind requests – Disable DNS cache-snooping

  15. TFTP Enumeration Popularity=1; Simplicity=3; Impact=7; Risk Rating=3 Trivial FTP (TFTP) – TCP/UDP 69 – Quick-and-dirty FTP – Cleartext, no authentication – Requires knowledge of file name (exactly) – May allow download of sensitive file (e.g., /etc/passwd, /etc/shadow, network device configuration files, etc.) Countermeasures – – – – Turn off, if possible Wrap in TCP wrapper to restrict access Limit access to /tftpboot/ directory Block at border firewall

  16. Finger Enumeration Popularity=7; Simplicity=10; Impact=1; Risk Rating=6 Finger – TCP/UDP 79 – Reveals logged-in users, idle times – User info given from public file info Countermeasures – – – – Turn off Block port 79 Restrict access Restrict info given

  17. HTTP Enumeration Popularity=5; Simplicity=9; Impact=1; Risk Rating=5 Hypertext Transfer Protocol (HTTP) – TCP 80 – Get type and version of web server – HEAD can get banner info • But so popular with worms it can trigger IDS – If server uses SSL, use openssl or sll proxy to connect – Can download all web pages for offline search • Grendel-scan • Robots.txt file for “do not search” regions.... Countermeasures – – Change banner Microsoft IIS lockdown tool

  18. MSRPC Enumeration Popularity=7; Simplicity=8; Impact=1; Risk Rating=5 Microsoft Remote Procedure Call (MSRPC) – TCP 135 – RPC portmapper for windows – Gives list of services with version and IP/protocol/port info – Winfingerprint tool (sourceforge) – See hsc.fr/ressources/articles/win_net_srv Countermeasures – – – Restrict outside access Require use of VPN for external access Use OWA (Outlook Web Access) for remote mail access

  19. NBNS Enumeration Popularity=7; Simplicity=5; Impact=3; Risk Rating=5 NetBIOS Name Service (NBNS) – UDP 137 – Early windows version of DNS – net view command • Usually only works on local LAN segment • /domain for domains • /domain:dname for hosts on specific domain (dname) – nltest tool – identifies domain controllers (with auth creds) – netviewx tool – lists servers with specific services – nbstat, nbtscan – dump netbios name table, with users – nmbscan tool for Linux Countermeasures – Restrict access on hosts, routers (test – may break apps) – Disable Alerter and Messenger Service on hosts

  20. SMB Null Session Enumeration Popularity=8; Simplicity=10; Impact=8; Risk Rating=9 Server Message Block (SMB) Null Session – TCP 139/445 – Windows NT and descendents – file and print sharing – Samba in Linux – Can give remote access to attacker – a.k.a. Red Button, anonymous login, null session connection

  21. SMB Null Session (2) Establish “null session” – C:\>net use \\192.168.202.33\IPC$ “” /u:“” – Similar to mount network drive command – Connects to hidden IPC share at given IP as built-in anonymous user (/u:“”) with null password (“”) – Allows access to targeted host Enumerating File Shares – C:\>net view \\host – Shows IP address and shares on remote systems – Srvcheck, srvinfo (microsoft.com/downloads/...) – DumpSec (nee DumpAcl) – SomarSoft.com – Wholesale approach – for sysadmin (not hacker) • ShareEnum (SysInternal) • Networkscanner (SoftPerfect)

  22. SMB Null Session (3) Share Scanning wholesale for hackers – Includes password brute-forcing (may be intelligent) – Legion – NetBIOS Auditing Tool (NAT) (see hackingexposed.com) Registry Enumeration – – – – Registry holds keys indicating applications installed Also holds user info and services and holds configuration info (e.g., lockout number for failed password attempts) Also may hold pointers to back doors All of which can suggest exploits Check if Registry is locked down using reg – – –

  23. SMB Null Session (4) Enumerating Trusted Domains – Nltest /server:server_name /trusted_domains User Enumeration – DumpSec • Following work with RestrictAnonymous=1, with null session UserInfo/UserDump (hammerofgod.com) GetAcct (securityFriday.com) sid2user & user2sid (evgenii.rudnyi.ru/soft/sid/sid.txt) • SID is security ID – variable length value set at install • See also http://en.wikipedia.org/wiki/Security_Identifier • User IDs (and much more) based on SID List of users, groups, system policies, user rights – – – –

  24. SMB Null Session (5) SIDs C:\>user2sid \\targetIP “domain users” Returns SID of host (hyphenated, S-1-...) Digits following last hyphen is Relative ID (RID) RID predefined for built-in users and groups • 500=admin • 501=guest RID for users starts at 1000 for NT and increments • RID not reused => can see users past and present All-in-one tools – Cain & Abel (oxid.it/cain.html) – Winfingerprint (sourceforge.net) – also Active Directory, WMI – NBTEnum (try on packetstorm) – includes intelligent BF attack – enum (BindView, Symantec). Enum4linux (Portcullis Security) NetE (cult of the dead cow) – – – – –

  25. SMB Null Session (6) Popularity=8; Simplicity=10; Impact=8; Risk Rating=9 Countermeasures – – – – Filter TCP/UDP ports 139 & 445 at perimeter Self audit Unbind WINS Client, or Set RestrictAnonymous key (=0 is open, =1 can be bypassed, =2 means no null sessions possible) in NT More granular access control in later Windows versions HKLM\System\CurrentControlSet\Control\SecurePipeServer\Winre g and subkeys (e.g., AllowedPaths) – –

  26. SNMP Enumeration Popularity=7; Simplicity=9; Impact=3; Risk Rating=6 Simple Network Management Protocol – UDP 161 – “Security Not My Problem” - lacks strong protections – Password authentication – well-known default pw – Access to get and set MIBs (mgt info bases) – Vendor specific extensions to MIBs – Uses ASN.1 syntax for object IDs (OIDs)

  27. SNMP Enumeration (2) Tools Snmputil, snmpget, snmpwalk commandline tools Snmpget (linux/unix) in net-snmp suite at SourceForge Copy-router-config.pl (muts) IP Network Browser – GUI tool (solarwinds.com) – – – – Targets Running services Share names Share paths Comments on shares Usernames Domain name Architecture, OS version – – – – – – –

  28. SNMP Enumeration (3) SNMP Scanners – – Simple, light-weight => perfect for automated scanning SNScan (mcafee.com/us/downloads/free-tools/snscan.aspx) • Community and range to scan (or in file) • Hostname and (MIB version of) OS version • Csv file export onesixtyone (portcullis-security.com/16.php) • Command line version of SNScan Countermeasures – Remove or disable SNMP agents on hosts – Use obscure community names (e.g., NOT “public” or “private”) – Block port 161 at all perimeter network access devices – Restrict access to specific IP addresses – Use SNMPv3 (more secure) Set Registry to permit only authorized access –

  29. BGP Enumeration Popularity=2; Simplicity=6; Impact=2; Risk Rating=3 Border Gateway Protocol (BGP) – TCP 179 – Interdomain routing protocol – Determine Autonomous Systems Number (ASN) of target – Query routers to get all networks where AS Path ends with desired ASN – Only uses IP addresses and ASNs • Get ASN from whois search (if name known) • Get ASN from router using IP address (if known) – Use telnet to router – show ASN path – Use last ASN on list as target ASN – May be false if BGP not used!!! Countermeasures - none

  30. Active Directory LDAP Enumeration Popularity=2; Simplicity=2; Impact=5; Risk Rating=3 Active Directory/Lightweight Directory Access Protocol (LDAP) – TCP/UDP 389 and 3268 - Active Directory holds info on all objects in system - ldp.exe is AD Administration Tool – connect/browse - view users, groups, e.g. - requires authenticated session via LDAP - user enum alternative if NetBIOS ports blocked - LUMA or JXplorer on Linux/X Windows - ldapenum command-line script (Windows/Linux) Countermeasures Filter access to ports 389 and 3268 Remove Everyone group from pre-Win2K Compatible Access

  31. Unix RPC Enumeration Popularity=7; Simplicity=10; Impact=1; Risk Rating=6 Unix Remote Procedure Call (RPC) – TCP/UDP 111, 32771 - Portmapper/rpcbind used for dynamic port assignment for services available using RPC/RMI - remains very popular for distributed systems - rpcinfo –p <IP addr> lists pgm, version, proto, port - nmap –sS –sR <IP addr> works nicely Countermeasures Not easy in general – needed for distr. sys. operation. Can use Sun’s Secure RPC (using PKC) Filter or disable ports 111, 32771, etc.

  32. rwho, rusers Enumeration Popularity=3; Simplicity=8; Impact=1; Risk Rating=4 rwho (UDP 513), rusers (RPC pgm 100002) rwho returns currently logged-in users using rwhod rusers can provide a little more info Countermeasures Turn off (look in start-up scripts /etc/init.d, /etc/rc*.d)

  33. NIS Enumeration Popularity=3; Simplicity=8; Impact=1; Risk Rating=4 Network Information System (NIS) – RPC pgm 100004 - Once NIS domain name is known, NIS maps (distributed mappings of host’s critical info, e.g., passwd file contents) are available using RPC - pscan –n tool Countermeasures Use hard-to-guess NIS domain name Use NIS+ (uses secure RPC) At least edit /var/yp/securenets file to restrict access Don’t include root/system acct info in NIS tables

  34. SQL Resolution Service Enumeration Popularity=5; Simplicity=8; Impact=2; Risk Rating=5 SQL Resolution Service – UDP 1434 Works like portmapper as “instance mapper” for SQL SQLPing tool Countermeasures Restrict access at firewall Use “hide server” option

  35. Oracle TNS Enumeration Popularity=1; Simplicity=10; Impact=1; Risk Rating=4 Transparent Network Substrate (TNS) – TCP 1521/2483 Oracle TNS listener manages client-server DB traffic Can get database SID, version, OS, etc. Need SID to access DB – can try default accts AppSentry Listener Security Check tool tnscmd.pl/tnscmd10g.pl, getsids tools Oracle Assessment Kit (OAK) Oracle Auditing Tool (OAT) Countermeasures Configure to require password access See Project Lockdown and Integrigy papers

  36. NFS Enumeration Popularity=7; Simplicity=10; Impact=1; Risk Rating=6 Network File System (NFS) – TCP/UDP 2049 Unix utility showmount shows exported directories Countermeasures Not much you can do Make sure permissions are correct on directories Block 2049 at firewall Log requests

  37. IPSec/IKE Enumeration Popularity=6; Simplicity=6; Impact=9; Risk Rating=7 IPSec/Internet Key Exchange (IKE) – UDP 500 - IPSec used for VPN - IKE used manage key negotiations - Malformed packets are silently dropped – hard to see - ike-scan forms packets that get responses - gets negotiation info, like PSK or certs Main Mode/Aggressive Mode Which ciphersuites are in use - PSK/Aggressive Mode => get hash of PSK, use psk-crack Countermeasures Restrict VPN access to specific IP addrs, if possible Use Main Mode and certificates

More Related