
Enumerating


Presentation Transcript


  1. Enumerating (BAI514 – Security I)

  2. Enumerating
  • The final pre-attack phase is enumerating
  • Looking for user account information
  • Looking for system groups and roles
  • Looking for passwords
  • Looking for shares (unprotected?)

  3. Enumerating
  • Topics covered in this section
    • Protection rings
    • Windows architecture
    • Windows enumeration techniques
    • SNMP enumeration
    • DNS zone transfer
    • Active Directory enumeration
    • Enumeration countermeasures

  4. Protection Rings
  • Processes can run concurrently in a computer system
  • Each process can access certain memory locations
  • Each process can execute a subset of the computer’s instruction set

  5. Protection Rings
  • Protection Domain – the memory and execution space assigned to each process
    • Protects programs from all unauthorized modification or execution interference
  • Protection Rings – a scheme that supports multiple protection domains
    • Rings are organized with the most privileged domain located in the center ring (0)
    • The least privileged domain is located in the outermost ring (4)

  6. Protection Rings
  • The OS kernel is usually located at Ring 0
    • Has access to all domains in that system
  • Security Kernel
    • The hardware, firmware, and software elements of a trusted computing base that implement the reference monitor concept
    • Mediates all accesses
    • Must be protected from modification
    • Must be verified as correct
  • Reference Monitor
    • Enforces access controls on objects
    • An abstract machine that mediates all access of subjects to objects

  7. Protection Rings
  • Principle of least privilege
    • System components are placed in the appropriate ring so that they have only the minimum privileges necessary to perform their function
  • Protection rings provide an OS with various levels at which to execute code, restrict its access, and define a level of access control and granularity
  • Windows architecture employs a two-ring model

  8. Windows Architecture
  • The Windows NT family of operating systems includes
    • Vista
    • Server 2003
    • XP
    • 2000
    • NT
  • They all share a similar kernel

  9. Windows Architecture
  • Windows NT architecture
    • Two main layers: user mode and kernel mode
    • Several layers of modules exist within these two layers
    • Each of the two modes is in a distinct ring
  • User mode
    • Ring 3
    • Has limited access to system resources
  • Kernel mode
    • Ring 0
    • Has unrestricted access to all resources

  10. Windows Architecture
  • Attack tools operating in user mode can more easily be detected
  • Attack tools operating in kernel mode can hide from detection and be very difficult to remove

  11. Windows Architecture
  • User mode
    • Made up of subsystems which can pass I/O requests to the appropriate kernel-mode drivers via the I/O manager
    • The I/O manager exists in kernel mode

  12. Windows Architecture
  • Kernel mode
    • Has full access to the hardware and system resources
    • Runs code in a protected memory area
    • Controls scheduling, thread prioritization, memory management, and interaction with hardware
    • Stops user-mode services and applications from accessing critical areas of the OS
    • User-mode processes requiring access to these critical areas must ask the kernel to perform the action on their behalf

  13. Windows Architecture

  14. Windows Security Elements
  • Windows Security Elements include
    • Security Identifiers (SIDs)
    • Relative Identifiers (RIDs)
    • Security Reference Monitor (SRM)
    • SAM database
    • Local Security Authority Subsystem Service (LSASS)
    • Network Basic Input/Output System (NetBIOS)
    • Active Directory (AD)

  15. Windows Security Elements
  • Windows keeps track of security rights and user identities through two elements
  • Security Identifiers (SIDs)
    • Identify user, group, and computer accounts
    • Every account on a network is issued a unique SID
    • Internal processes refer to the account’s SID rather than its name
  • Relative Identifiers (RIDs)
    • Subset of the SID
    • Identify a user or group in relation to the authority that issued the SID

  16. Windows Security Elements
  • SRM
    • Enforces the security rules
    • Determines when an object or resource can be accessed
    • Refers to Access Control Lists (ACLs)
      • Made up of Access Control Entries (ACEs)
      • Give permission to a select group of trustees: user account, group account, or logon session

  17. Universal (well known) SIDs
  • Identify generic groups and generic users
  • S-1-1-0 – the SID used to identify the Everyone group
    • “S” identifies the string as a SID
    • The first “1” is the revision level of the SID
    • The last two digits are the SECURITY_WORLD_SID_AUTHORITY and SECURITY_WORLD_RID constants

  18. RIDs
  • Start at a fixed value
  • Incremented by one for each account created
  • The Administrator account will always be RID 500
  • SIDs
    • Unique, unless a workstation is cloned
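As an added worked example (not part of the slide deck), the following Python code parses SID strings into the fields slides 15–18 describe (revision, identifier authority, sub-authorities, trailing RID), labels well-known values such as S-1-1-0 and RID 500, and applies the "unique unless cloned" rule from slide 18 by grouping workstations whose local Administrator SIDs share the same issuer. The authority and RID tables are standard Windows constants; the host names and the SIDs other than S-1-1-0 and the slide 32 example are constructed for the demonstration.

```python
"""Parse Windows SID strings and flag well-known values and cloned machine SIDs.

Added example, not from the slides. Host names and most SIDs below are
constructed; S-1-1-0 (Everyone) and RID 500 (Administrator) are from the deck.
"""
from collections import defaultdict
from dataclasses import dataclass

# Identifier-authority values and well-known RIDs (standard Windows constants).
AUTHORITIES = {0: "NULL", 1: "WORLD", 2: "LOCAL", 3: "CREATOR", 5: "NT"}
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest",
                   512: "Domain Admins", 513: "Domain Users"}


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int
    subauthorities: tuple

    @property
    def rid(self):
        """The last sub-authority is the RID, relative to the issuing authority."""
        return self.subauthorities[-1] if self.subauthorities else None

    @property
    def issuer(self):
        """The SID minus its trailing RID: the domain or machine that issued it."""
        head = ["S", str(self.revision), str(self.authority)]
        return "-".join(head + [str(s) for s in self.subauthorities[:-1]])

    def __str__(self):
        head = ["S", str(self.revision), str(self.authority)]
        return "-".join(head + [str(s) for s in self.subauthorities])


def parse_sid(text):
    """Parse 'S-<revision>-<authority>-<sub>-...' into a Sid; ValueError if malformed."""
    parts = text.strip().split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID string: {text!r}")
    try:
        revision = int(parts[1])
        # The identifier authority is written in hex when it exceeds 32 bits.
        authority = int(parts[2], 0)
        subs = tuple(int(p) for p in parts[3:])
    except ValueError as exc:
        raise ValueError(f"malformed SID: {text!r}") from exc
    if revision != 1 or len(subs) > 15 or any(not 0 <= s <= 0xFFFFFFFF for s in subs):
        raise ValueError(f"out-of-range SID fields: {text!r}")
    return Sid(revision, authority, subs)


def describe(sid):
    """Human-readable meaning of a SID, using the well-known tables above."""
    if sid.authority == 1 and sid.subauthorities == (0,):
        return "Everyone (S-1-1-0: WORLD authority, RID 0)"
    # S-1-5-21-... are domain or machine account SIDs issued by the NT authority.
    if sid.authority == 5 and sid.subauthorities[:1] == (21,) and len(sid.subauthorities) >= 3:
        default = "user-created account" if sid.rid >= 1000 else "built-in account"
        who = WELL_KNOWN_RIDS.get(sid.rid, default)
        return f"{who} (RID {sid.rid}) issued by {sid.issuer}"
    return f"{AUTHORITIES.get(sid.authority, 'unknown')} authority, sub-authorities {sid.subauthorities}"


def find_cloned_machines(host_sids):
    """Map issuer SID -> hosts for every issuer shared by more than one host.

    host_sids maps a host name to that host's local Administrator SID (RID 500).
    Two workstations sharing an issuer were imaged from the same clone.
    """
    by_issuer = defaultdict(list)
    for host, text in host_sids.items():
        by_issuer[parse_sid(text).issuer].append(host)
    return {issuer: hosts for issuer, hosts in by_issuer.items() if len(hosts) > 1}


if __name__ == "__main__":
    print(describe(parse_sid("S-1-1-0")))
    print(describe(parse_sid("S-1-5-21-201642981-56269216-500")))   # slide 32 example
    # Constructed inventory: ws1 and ws2 were cloned from the same image.
    print(find_cloned_machines({"ws1": "S-1-5-21-1-2-3-500",
                                "ws2": "S-1-5-21-1-2-3-1001",
                                "ws3": "S-1-5-21-9-9-9-500"}))
```

The issuer comparison is only meaningful for local machine SIDs; every account in a domain legitimately shares the domain's issuer, so feed the function local Administrator SIDs, not domain account SIDs.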

  19. SAM Database
  • Provides a simple form of name resolution, minimal transactions, replication, and secure storage for the security database
  • Manages security principal accounts
    • Uses AD for storage of these accounts on a domain controller
    • Uses the SAM database in the registry (HKLM\SAM) on workstations, stand-alone servers, and member servers

  20. Windows Security Elements
  • SAM Database (cont.)
    • A domain in SAM can refer either to all of the accounts on a single computer or to all of the accounts in a Windows NetBIOS domain

  21. Windows Security Elements
  • Local Security Authority Subsystem Service
    • A process in MS Windows operating systems responsible for enforcing the security policy on the system
    • Verifies users logging on to a Windows system and creates security tokens
    • Operates in user mode
    • Responsible for the local system security policy
      • Controlling access, managing password policies, user authentication, sending security audit messages to the Event Log

  22. Windows Security Elements
  • Local Security Authority Subsystem Service (cont.)
    • The WinLogon service starts LSASS
    • LSASS then checks which security DLLs to load and how to read policy, account, group, and password information from the SAM and SECURITY registry hives

  23. Windows Security Elements
  • NetBIOS
    • Standard interface between networks and PCs
    • Enables applications on different computers to communicate within a LAN
    • Created for IBM; adopted by Microsoft and adapted to run over TCP/IP
    • Not natively routable
    • Systems are identified by a 15-character unique name
    • Systems use Server Message Block (SMB) to allow remote directory, file, and printer sharing
    • Hackers LOVE NetBIOS!

  24. Windows Security Elements
  • Active Directory (AD)
    • Directory service used to store information about the network resources across a domain
    • Is an implementation of LDAP
    • Allows administrators to
      • Assign enterprise-wide policies
      • Deploy programs to computers
      • Apply critical updates to an entire organization

  25. Windows Security Elements
  • Active Directory (cont.)
    • Stores information and settings in a central, organized, accessible database
    • Hierarchical framework of objects
      • Resources (e.g. printers)
      • Services (e.g. mail)
      • Users (user accounts and groups)
    • AD runs under the LSASS process

  26. Enumerating Techniques for Windows
  • Enumerating involves building active connections to systems and initiating directed queries to identify types of information such as network resources and shares, users and groups, and applications and banners

  27. Enumerating Techniques for Windows
  • Techniques used for enumerating include
    • Establishing null sessions and enumerating NetBIOS names
    • Enumerating SNMP
    • Interrogating DNS
    • Getting Active Directory information

  28. Enumerating Techniques for Windows
  • NetBIOS Enumerating
    • The null session is the “Holy Grail” of Windows hacking
    • Null sessions take advantage of flaws in the Common Internet File System/Server Message Block (CIFS/SMB)
    • Can yield info such as
      • List of users and groups
      • List of machines
      • List of shares
      • User and host Security Identifiers (SIDs)
      • Policies
      • Services
      • And more!!!

  29. Enumerating Techniques for Windows
  • NetBIOS Enumerating (cont.)
    • Net View
      • net view /domain – get a list of domains
      • net view /domain:domain_name – list servers on the specified domain
      • net view \\server – find unprotected shares
    • Null session to the IPC$ share (empty password and empty user name):
      • net use \\ip_addr_of_target\IPC$ "" /u:""

  30. Enumerating Techniques for Windows
  • NetBIOS (cont.)
    • NBTSTAT
      • Returns NetBIOS information of either the local host or a remote computer
      • nbtstat -A 10.1.1.101
      • NBTSTAT also returns a code with each registered name
      • <20> means that the computer is running file sharing

  31. Enumerating Techniques for Windows
  • NetBIOS (cont.)
    • Nbtscan
      • www.unixwiz.net/tools/nbtscan.html
      • Scans an IP network for NetBIOS name information
        • IP address
        • NetBIOS computer name
        • Logged-in user
        • MAC address

  32. Enumerating Techniques for Windows
  • NetBIOS (cont.)
    • User2sid and Sid2user
      • Allow the administrator to query the SAM to find out the SID value for a given account name and vice versa
      • Rely on the ability to create a NULL session to IPC$
      • Ex.: user2sid Everyone
      • Ex.: sid2user \\<ipaddr> 5 21 201642981 56269216 500

  33. Enumerating Techniques for Windows
  • NetBIOS (cont.)
    • Other tools
      • DumpSec
        • Dumps the permissions (DACLs) and audit settings (SACLs) for the file system, registry, printers, and shares
      • NetBIOS Auditing Tool (NAT)
        • Explores the NetBIOS file-sharing services offered by the target system
        • If a NetBIOS session can be established at all via TCP 139, the system is considered vulnerable
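Slides 30 and 31 describe the NetBIOS name table (the <20> file-sharing code, the logged-in user, the MAC address) without showing how the table is read. The following added Python example, which is not part of the deck, parses the name table that nbtstat -A prints and turns it into an inventory record, then runs an audit that lists hosts registering the <20> File Server Service that are not on the approved file-server list, so a defender can find workstations with unexpected file sharing enabled. The suffix meanings are the standard Microsoft NetBIOS suffix assignments (the slides mention only <20>); the host names, IP addresses, MAC addresses and the output text itself are constructed to match the real nbtstat layout.

```python
"""Parse nbtstat -A name tables and flag unexpected file-sharing hosts.

Added example, not from the slides. The sample outputs are constructed to
mirror the layout of real nbtstat -A output; hosts, IPs and MACs are made up.
"""
import re

# Standard NetBIOS name-suffix assignments; the deck covers only <20>.
SUFFIXES = {
    ("00", "UNIQUE"): "Workstation Service",
    ("00", "GROUP"): "Domain/workgroup name",
    ("03", "UNIQUE"): "Messenger Service (computer or logged-in user)",
    ("20", "UNIQUE"): "File Server Service (file sharing enabled)",
    ("1B", "UNIQUE"): "Domain Master Browser",
    ("1C", "GROUP"): "Domain Controllers",
    ("1D", "UNIQUE"): "Master Browser",
    ("1E", "GROUP"): "Browser Service Elections",
}

# One table row:  NAME  <xx>  UNIQUE|GROUP  Registered
ROW_RE = re.compile(r"^\s*([^\s<]+)\s*<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\w+)", re.M)
MAC_RE = re.compile(r"MAC Address\s*=\s*([0-9A-Fa-f-]{17})")


def parse_name_table(output):
    """Return ([(name, suffix, type, status), ...], mac) from nbtstat -A text."""
    rows = [(n, s.upper(), t, st) for n, s, t, st in ROW_RE.findall(output)]
    mac = MAC_RE.search(output)
    return rows, (mac.group(1) if mac else None)


def summarize(output):
    """Reduce a name table to the fields slide 31 lists, plus the <20> flag."""
    rows, mac = parse_name_table(output)
    host = next((n for n, s, t, _ in rows if s == "00" and t == "UNIQUE"), None)
    domain = next((n for n, s, t, _ in rows if s == "00" and t == "GROUP"), None)
    # The <03> entry that is not the computer name is the Messenger
    # registration for the logged-in user.
    user = next((n for n, s, t, _ in rows
                 if s == "03" and t == "UNIQUE" and n != host), None)
    file_sharing = any(s == "20" and t == "UNIQUE" for _, s, t, _ in rows)
    services = [SUFFIXES.get((s, t), f"unknown <{s}> {t}") for _, s, t, _ in rows]
    return {"host": host, "domain": domain, "user": user, "mac": mac,
            "file_sharing": file_sharing, "services": services}


def unexpected_file_servers(outputs_by_ip, allowed_hosts):
    """Audit: (ip, host) pairs that register <20> but are not approved file servers."""
    findings = []
    for ip, output in outputs_by_ip.items():
        info = summarize(output)
        if info["file_sharing"] and info["host"] not in allowed_hosts:
            findings.append((ip, info["host"]))
    return findings


def _sample(rows, mac):
    """Build constructed nbtstat -A output from (name, suffix, type) rows."""
    head = ("       NetBIOS Remote Machine Name Table\n\n"
            "       Name               Type         Status\n"
            "    ---------------------------------------------\n")
    body = "".join(f"    {n:<15}<{s}>  {t:<7}     Registered\n" for n, s, t in rows)
    return head + body + f"\n    MAC Address = {mac}\n"


# Constructed captures for three hosts (not real systems).
SAMPLES = {
    "10.1.1.101": _sample([("FILESRV01", "00", "UNIQUE"), ("CORP", "00", "GROUP"),
                           ("FILESRV01", "20", "UNIQUE"), ("FILESRV01", "03", "UNIQUE"),
                           ("JSMITH", "03", "UNIQUE")], "00-0C-29-AA-BB-CC"),
    "10.1.1.57": _sample([("WS-ACCT07", "00", "UNIQUE"), ("CORP", "00", "GROUP"),
                          ("WS-ACCT07", "03", "UNIQUE")], "00-0C-29-11-22-33"),
    "10.1.1.88": _sample([("WS-HR03", "00", "UNIQUE"), ("CORP", "00", "GROUP"),
                          ("WS-HR03", "20", "UNIQUE")], "00-0C-29-44-55-66"),
}

if __name__ == "__main__":
    for ip, text in SAMPLES.items():
        print(ip, summarize(text))
    print("unexpected file servers:", unexpected_file_servers(SAMPLES, {"FILESRV01"}))
```

In practice the inputs would be the saved output of nbtstat -A run against each address in an approved inventory sweep; the parser itself needs no network access.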

  34. Enumerating Techniques for Windows
  • SNMP Enumeration
    • Simple Network Management Protocol
    • Designed to allow centralized management of network resources
    • Weak authentication
      • Default read password = “public”
      • Default write password = “private”
    • All data sent in clear text
    • Tools
      • Getif – browses the information SNMP can access on a device
      • Snscan – scans a network for SNMP-enabled devices
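To make the "all data sent in clear text" point concrete, here is an added Python example (not from the slides) that decodes the outer ASN.1 BER structure of an SNMPv1/v2c message, a SEQUENCE holding an INTEGER version and an OCTET STRING community, and reports whether the community string is one of the defaults the slide names. This is the check a passive network sensor can run on UDP/161 traffic to find devices still using "public" or "private". The packet builder exists only so the example runs offline; the datagrams it produces are constructed test input, and the sysDescr.0 OID encoding is the standard one.

```python
"""Extract and audit the community string from an SNMPv1/v2c datagram.

Added example, not from the slides. build_snmpv1_get() produces constructed
datagrams for the demonstration; no network traffic is sent or received.
"""

# Defaults named on the slide; SNMPv1 is version 0 on the wire, v2c is 1.
DEFAULT_COMMUNITIES = {"public": "read", "private": "write"}
VERSION_NAMES = {0: "SNMPv1", 1: "SNMPv2c"}


def _ber_len(buf, i):
    """Decode a BER length at buf[i] (short or long form); return (length, next_index)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    if n == 0 or i + 1 + n > len(buf):
        raise ValueError("bad BER length")
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def _tlv(buf, i, expected_tag):
    """Read one tag-length-value at buf[i]; return (value_bytes, next_index)."""
    if i >= len(buf) or buf[i] != expected_tag:
        raise ValueError(f"expected tag 0x{expected_tag:02x} at offset {i}")
    length, j = _ber_len(buf, i + 1)
    if j + length > len(buf):
        raise ValueError("truncated BER value")
    return buf[j:j + length], j + length


def snmp_community(datagram):
    """Return (version, community) from the message header, without any decryption."""
    body, _ = _tlv(datagram, 0, 0x30)            # Message ::= SEQUENCE
    version_bytes, i = _tlv(body, 0, 0x02)       # INTEGER version
    community_bytes, _ = _tlv(body, i, 0x04)     # OCTET STRING community, in the clear
    return int.from_bytes(version_bytes, "big"), community_bytes.decode("ascii", "replace")


def audit_datagram(datagram):
    """Classify a datagram's community string against the default list."""
    version, community = snmp_community(datagram)
    if version not in VERSION_NAMES:
        raise ValueError(f"not a community-based SNMP version: {version}")
    return {"version": VERSION_NAMES[version], "community": community,
            "default": community in DEFAULT_COMMUNITIES,
            "access": DEFAULT_COMMUNITIES.get(community, "custom")}


def _encode(tag, payload):
    """Minimal BER encoder (short-form lengths only, enough for the test packets)."""
    if len(payload) > 127:
        raise ValueError("payload too long for short-form length")
    return bytes([tag, len(payload)]) + payload


SYSDESCR_0 = bytes.fromhex("2b06010201010100")   # OID 1.3.6.1.2.1.1.1.0 (sysDescr.0)


def build_snmpv1_get(community, oid=SYSDESCR_0, request_id=1):
    """Construct an SNMPv1 GetRequest datagram (test input for the decoder above)."""
    varbind = _encode(0x30, _encode(0x06, oid) + _encode(0x05, b""))       # OID + NULL
    pdu = _encode(0xA0, _encode(0x02, bytes([request_id]))                 # GetRequest-PDU
                  + _encode(0x02, b"\x00") + _encode(0x02, b"\x00")        # error-status/index
                  + _encode(0x30, varbind))
    return _encode(0x30, _encode(0x02, b"\x00")                            # version 0 = v1
                   + _encode(0x04, community.encode()) + pdu)


if __name__ == "__main__":
    for name in ("public", "private", "r3ad-CorpNet-7x"):      # last one is constructed
        pkt = build_snmpv1_get(name)
        print(pkt.hex(), "->", audit_datagram(pkt))
```

Because the community string is the second element of the outer sequence, a sensor needs only a few bytes from each datagram to do this classification; the same decoder works on responses, which carry the community string too.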

  35. Enumerating Techniques for Windows
  • DNS Zone Transfer
    • Method used by a secondary name server to update its information from the primary DNS server
    • Using nslookup in interactive mode:
      • nslookup
      • ls -d <domain_name>

  36. Enumerating Techniques for Windows
  • Active Directory Enumeration
    • Hackers are really only interested in getting a dump of the AD tree
    • Use the ldp.exe tool from Microsoft
    • Connect to any AD server using ldp.exe on port 389
    • Authenticate using Guest or any domain account
    • Now all the users and built-in groups can be enumerated

  37. Countermeasures
  • NetBIOS Null Sessions
    • Require access to TCP 139 or TCP 445
    • Disable them
      • Disable SMB
      • Unbind WINS Client (TCP/IP) from the NIC
    • Restrict the anonymous user by editing the registry
      • Navigate to HKLM\SYSTEM\CurrentControlSet\LSA
      • Add a value
        • Value name: “RestrictAnonymous”
        • Data type: REG_DWORD
        • Value: 2

  38. Countermeasures
  • SNMP
    • Remove the SNMP agent or disable the service
    • Change default community strings
    • Implement ACLs to restrict which machines can connect to SNMP agents

  39. Countermeasures
  • DNS Zone Transfer
    • Disable zone transfers in AD
      • Open DNS
      • Right-click on a DNS zone, and click Properties
      • Clear the “Allow zone transfers” checkbox
      • OR allow only certain servers to perform zone transfers
    • Block TCP 53 on the firewall

  40. FIN
