Date post: | 29-May-2018 |
Category: |
Documents |
Upload: | jitendra-kumar-dash |
View: | 228 times |
Download: | 0 times |
of 31
8/9/2019 Hacking Module 04
1/31
NMCSP2008 Batch-I
Module IV
Enumeration
8/9/2019 Hacking Module 04
2/31
Scenario
It was a rainy day and Jack was getting bored sitting at home. Hewanted to be engaged in something rather than gazing at thesky. Jack had heard about enumerating user accounts andother important system information using Null Sessions. Hewanted to try what he had learned in his information securityclass. From his friends he had come to know that theuniversity website had a flaw that allowed anonymous users tolog in.
Jack installed an application which used Null Sessions toenumerate systems. He tried out the application and to hissurprise discovered information about the system where thewebserver was hosted.
What started in good fun became very serious. Jack startedhaving some devilish thoughts after seeing the vulnerability.
What can Jack do with the gathered information?
Can he wreak havoc?
What if Jack had enumerated a vulnerable system meant for
online trading?
8/9/2019 Hacking Module 04
3/31
Module Objectives
Understanding Windows 2000 enumeration
How to connect via a Null session
How to disguise NetBIOS enumeration Disguise using SNMP enumeration
How to steal Windows 2000 DNS information
using zone transfers
Learn to enumerate users via CIFS/SMB
Active Directory enumerations
8/9/2019 Hacking Module 04
4/31
Module Flow
What is enumeration? Null Sessions Tools used
Countermeasures againstNull SessionsSNMP EnumerationTools used
SNMP EnumerationCountermeasures
MIB Zone Transfers
Blocking Zone TransfersEnumerating User AccountsTools Used
Active DirectoryEnumeration
Active Directory EnumerationCountermeasures
8/9/2019 Hacking Module 04
5/31
What is Enumeration
If acquisition and non-intrusive probing have not
turned up any results, then an attacker will next turn to
identifying valid user accounts or poorly protected
resource shares. Enumeration involves active connections to systems
and directed queries.
The type of information enumerated by intruders:
Network resources and shares
Users and groups
Applications and banners
8/9/2019 Hacking Module 04
6/31
Net Bios Null Sessions
The null session is often refereed to as the Holy Grail ofWindows hacking. Null sessions take advantage of flawsin the CIFS/SMB (Common Internet File System/Server Messaging Block).
You can establish a Null Session with a Windows(NT/2000/XP) host by logging on with a null username and password.
Using these null connections allows you to gather the
following information from the host: List of users and groups
List of machines
List of shares
Users and host SIDs (Security Identifiers)
8/9/2019 Hacking Module 04
7/31
So What's the Big Deal?
Anyone with a NetBIOSconnection to a computer caneasily get a full dump of allusernames, groups, shares,permissions, policies, servicesand more using the Null user.
The above syntax connectsto the hidden Inter ProcessCommunication 'share' (IPC$)at IP address 192.34.34.2 with
the built-in anonymous user(/u:) with () nullpassword.
The attacker now has achannel over which to attempt
various techniques.
The CIFS/SMB and
NetBIOS standards inWindows 2000 include APIsthat return rich informationabout a machine via TCP port139 - even to unauthenticatedusers.
C: \>net use \\192.34.34.2\IPC$ /u:
8/9/2019 Hacking Module 04
8/31
Tool: DumpSec
DumpSec reveals shares over a null session with the targetcomputer.
8/9/2019 Hacking Module 04
9/31
Tool: Winfo
Winfo uses null sessionsto remotely retrieveinformation about thetarget system.
Winfo gives detailedinformation about thefollowing in verbose mode:
System information
Domain information
Password policy Logout policy
Sessions
Logged in users
User accounts
Source: http://ntsecurity.nu/toolbox/winfo/
8/9/2019 Hacking Module 04
10/31
Tool: NAT
The NetBIOS Auditing Tool (NAT) isdesigned to explore the NetBIOS file-sharing services offered by the targetsystem.
It implements a stepwise approach to
information gathering and attempts toobtain file system-level access as thoughit were a legitimate local client.
If a NetBIOS session can be establishedat all via TCP port 139, the target isdeclared "vulnerable.
Once the session is fully set up,transactions are performed to collectmore information about the serverincluding any file system "shares" itoffers.
Source: http://www.rhino9.com
8/9/2019 Hacking Module 04
11/31
Null Session Countermeasure
Null sessions require access to TCP ports 139and/or 445.
You could also disable SMB services entirely onindividual hosts by unbinding the TCP/IP WINSClient from the interface.
Edit the registry to restrict the anonymous user.
1. Open regedt32, navigate to
HKLM\SYSTEM\CurrentControlSet\LSA 2. Choose edit | add value
value name: RestrictAnonymous
Data Type: REG_WORD
Value: 2
8/9/2019 Hacking Module 04
12/31
NetBIOS Enumeration
NBTscan is a program forscanning IP networks forNetBIOS name information.For each responded host it
lists IP address, NetBIOScomputer name, logged-inuser name and MAC address
The first thing a remote attacker will try on a Windows
2000 network is to get list of hosts attached to the wire.
1. net view / domain,
2. nbstat -A
8/9/2019 Hacking Module 04
13/31
SNMP Enumeration
SNMP is simple. Managers send requests to agents andthe agents send back replies.
The requests and replies refer to variables accessible byagent software.
Managers can also send requests to set values forcertain variables.
Traps let the manager know that something significanthas happened at the agent's end of things: a reboot
an interface failure or that something else that is potentially bad has happened
Enumerating NT users via the SNMP protocol is easyusing snmputil.
8/9/2019 Hacking Module 04
14/31
Tool :Solarwinds
It is a set of NetworkManagement Tools.
The tool set consists ofthe following:
Discovery
Cisco Tools
Ping Tools
Address Management
Monitoring MIB Browser
Security
Miscellaneous
Source: http://www.solarwinds.net/
8/9/2019 Hacking Module 04
15/31
Tool: Enum
Available for download from
http://razor.bindview.com
Enum is a console-based Win32
information enumeration utility.
Using null sessions, enum can
retrieve user lists, machine lists,
share lists, name lists, group and
membership lists, password and LSA
policy information.
enum is also capable of
rudimentary brute force dictionary
attack on individual accounts.
8/9/2019 Hacking Module 04
16/31
8/9/2019 Hacking Module 04
17/31
SNMPutil example
8/9/2019 Hacking Module 04
18/31
SNMP Enumeration Countermeasures
The simplest way to prevent such activity is to remove
the SNMP agent or turn off the SNMP service.
If shutting off SNMP is not an option, then change the
default 'public' community name.
Implement the Group Policy security option called
Additional restrictions for anonymous connections.
Access to null session pipes, null session shares, and
IPSec filtering should also be restricted.
8/9/2019 Hacking Module 04
19/31
Management Information Base
MIB provides a standard representation of the SNMP
agents available information and where it is stored.
MIB is the most basic element of network management.
MIB-II is the updated version of the standard MIB.
MIB-II adds new SYNTAX types, and adds more
manageable objects to the MIB tree.
8/9/2019 Hacking Module 04
20/31
Windows 2000 DNS Zone transfer
For clients to locate Win 2k domain services,such as AD and kerberos, Win 2k relies on DNSSRV records.
Simple zone transfer (nslookup, ls -d) can enumerate lot ofinteresting network information.
An attacker would look at the following records
closely: 1. Global Catalog Service (_gc._tcp_)
2. Domain Controllers (_ldap._tcp)
3. Kerberos Authentication (_kerberos._tcp)
8/9/2019 Hacking Module 04
21/31
Blocking Win 2k DNS Zone transfer
Zone transfers can beeasily blocked usingthe DNS propertysheet as show here.
8/9/2019 Hacking Module 04
22/31
Enumerating User Accounts
Two powerful NT/2000 enumeration tools are:
1.sid2user
2.user2sid
They can be downloaded fromwww.chem.msu.su/^rudnyi/NT/
These are command line tools that look up NT SIDs fromusername input and vice versa.
8/9/2019 Hacking Module 04
23/31
Tool: Userinfo
UserInfo is a little function that retrieves all availableinformation about any known user from any NT/Win2ksystem that you can access TCP port 139 on.
Specifically calling the NetUserGetInfo API call at Level3, Userinfo returns standard info like
SID and Primary group
logon restrictions and smart card requirements
special group information
pw expiration information and pw age
This application works as a null user, even if the RA isset to 1 to specifically deny anonymous enumeration.
8/9/2019 Hacking Module 04
24/31
Tool: GetAcct
GetAcct sidesteps "RestrictAnonymous=1" and acquiresaccount information on Windows NT/2000 machines.
Downloadable fromwww.securityfriday.com
8/9/2019 Hacking Module 04
25/31
Tool: DumpReg
DumpReg is a tool to
dump the Windows NT and
Windows 95 Registry.
Main aim is to find keysand values matching a
string.
Source: http://www.systemtools.com/
8/9/2019 Hacking Module 04
26/31
Tool: Trout
Trout is a combination ofTraceroute and Whois.
Pinging can be set to acontrollable rate.
The Whois lookup can beused to identify the hostsdiscovered.
Source: http://www.foundstone.com/
8/9/2019 Hacking Module 04
27/31
Tool: Winfingerprint
Winfingerprint is a GUI-based tool that has theoption of scanning a singlehost or a continuous
network block.Has two main windows:
IP address range
Windows options
Source: http://winfingerprint.sourceforge.net
8/9/2019 Hacking Module 04
28/31
Tool: PsTools
The PsTools suite falls in-between enumeration and fullsystem access.
The various tools that arepresent in this suite are asfollows:
PsFile
PsLoggedOn
PsGetSid
PsInfo
PsService
PsList
PsKill and PsSuspend
PsLogList
PsExec
PsShutdown
Source: http://www.sysinternals.com
8/9/2019 Hacking Module 04
29/31
Active Directory Enumeration
All the existing users and groups could be enumerated
with a simple LDAP query.
The only thing required to perform this enumeration is
to create an authenticated session via LDAP.
Connect to any AD server using ldp.exe port 389.
Authentication can be done using Guest/or any domain
account.
Now all the users and built-in groups could be
enumerated.
8/9/2019 Hacking Module 04
30/31
AD Enumeration countermeasures
How is this possible with a simple guest account?
The Win 2k dcpromo installation screen queries the
user if he wants to relax access permissions on the
directory to allow legacy servers to perform lookup:
1.Permission compatible with pre-Win2k
2.Permission compatible with only with Win2k
Choose option 2 during AD installation.
8/9/2019 Hacking Module 04
31/31
Summary
Enumeration involves active connections to systemsand directed queries.
The type of information enumerated by intruders
includes network resources and shares, users andgroups, and applications and banners.
Null sessions are used often by crackers to connect totarget systems.
NetBIOS and SNMP enumerations can be disguisedusing tools such as snmputil, NAT, etc.
Tools such as user2sid, sid2user and userinfo can beused to identify vulnerable user accounts.