Hands-On Ethical Hacking and Network Defense
Chapter 6: Enumeration

Uploaded by solomon-summers, 11-Jan-2016

Page 1: Hands-On Ethical Hacking and Network Defense, Chapter 6, Enumeration

Page 2: Objectives

- Describe the enumeration step of security testing
- Enumerate Microsoft OS targets
- Enumerate NetWare OS targets
- Enumerate *NIX OS targets

Page 3: Introduction to Enumeration

- Enumeration extracts information about:
  – Resources or shares on the network
  – User names or groups assigned on the network
  – Last time a user logged on
  – User's password
- Before enumeration, you use port scanning and footprinting
  – To determine the OS being used
- Enumeration is an intrusive process

Page 4: NBTscan

- NBT (NetBIOS over TCP/IP)
  – Is the Windows networking protocol
  – Used for shared folders and printers
- NBTscan
  – Tool for enumerating Microsoft OSs

Page 5: Enumerating Microsoft Operating Systems

- Study OS history
  – Knowing your target makes your job easier
- Many attacks that work for older Windows OSs still work with newer versions

Page 6: Windows 95

- The first Windows version that did not start with DOS
- Still used the DOS kernel to some extent
- Introduced the Registry database to replace Win.ini, Autoexec.bat, and other text files
- Introduced Plug and Play and ActiveX
- Used the FAT16 file system

Page 7: Windows 98 and ME

- More stable than Win 95
- Used the FAT32 file system
- Win ME introduced System Restore
- Win 95, 98, and ME are collectively called "Win 9x"

Page 8: Windows NT 3.51 Server/Workstation

- No dependence on the DOS kernel
- Domains and Domain Controllers
- NTFS file system to replace FAT16 and FAT32
- Much more secure and stable than Win 9x
- Many companies still use Win NT Server Domain Controllers
- Win NT 4.0 was an upgrade

Page 9: Windows 2000 Server/Professional

- Upgrade of Win NT
- Active Directory
  – Powerful database storing information about all objects in a network: users, printers, servers, etc.
  – Based on Novell's Novell Directory Services
- Enumerating this system would include enumerating Active Directory

Page 10: Windows XP Professional

- Much more secure, especially after Service Pack 2
  – Windows File Protection
  – Data Execution Prevention
  – Windows Firewall

Page 11: Windows Server 2003

- Much more secure, especially after Service Pack 1
  – Network services are closed by default
  – Internet Explorer security set higher

Page 12: NetBIOS Basics

- Network Basic Input Output System (NetBIOS)
  – Programming interface
  – Allows computer communication over a LAN
  – Used to share files and printers

Page 13: NetBIOS Names

- Computer names on Windows systems
- Limit of 16 characters
- Last character identifies the type of service running
- Must be unique on a network

Page 14: NetBIOS Suffixes

- For a complete list, see link Ch 6h
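The name layout described on pages 13 and 14 (15 name characters plus a 16th suffix byte that identifies the service) can be decoded directly from a host's name table, which is what a defender does when auditing which machines announce file sharing on a segment. This example is added here and is not code from the slides or the book; the suffix values are the standard Microsoft NetBIOS suffixes, and the name table and host names are constructed for illustration.

```python
# Added example (not from the slides): decode 16-byte NetBIOS names into
# (name, suffix) and map well-known suffix bytes to the service they announce.
# Whether a name is unique or a group comes from NBT flags, not the name
# itself, so this decoder reports the suffix only.

NETBIOS_NAME_LEN = 16

# Well-known suffix values (the 16th byte of a NetBIOS name).
SUFFIXES = {
    0x00: "Workstation Service",
    0x03: "Messenger Service",
    0x06: "RAS Server Service",
    0x1B: "Domain Master Browser",
    0x1C: "Domain Controllers (group)",
    0x1D: "Master Browser",
    0x1E: "Browser Service Elections (group)",
    0x20: "File Server Service",
}


def decode_netbios_name(raw: bytes) -> tuple:
    """Split a raw 16-byte NetBIOS name into (padded name, suffix byte)."""
    if len(raw) != NETBIOS_NAME_LEN:
        raise ValueError(f"NetBIOS names are exactly {NETBIOS_NAME_LEN} bytes, got {len(raw)}")
    name = raw[:15].decode("ascii", errors="replace").rstrip(" ")
    return name, raw[15]


def describe_suffix(suffix: int) -> str:
    """Human-readable service for a suffix byte, or a marker for unknown ones."""
    return SUFFIXES.get(suffix, f"unknown suffix <{suffix:02X}>")


def services_announced(name_table: list) -> dict:
    """Group name-table entries by name, listing the services each announces."""
    out = {}
    for raw in name_table:
        name, suffix = decode_netbios_name(raw)
        out.setdefault(name, []).append(describe_suffix(suffix))
    return out


def hosts_sharing_files(name_table: list) -> list:
    """Names registered with the <20> suffix, i.e. machines offering SMB shares."""
    return sorted({n for n, s in map(decode_netbios_name, name_table) if s == 0x20})


def _nb(name: str, suffix: int) -> bytes:
    """Build a raw NetBIOS name: 15 space-padded ASCII chars plus the suffix byte."""
    return name.upper().ljust(15).encode("ascii") + bytes([suffix])


# Constructed sample name table (hypothetical host DC01, domain CORP), in the
# shape nbtstat -A would list for a domain controller that also shares files.
SAMPLE_TABLE = [_nb("DC01", 0x00), _nb("DC01", 0x20), _nb("CORP", 0x1C), _nb("CORP", 0x1E)]

if __name__ == "__main__":
    for name, services in services_announced(SAMPLE_TABLE).items():
        print(f"{name:<15} {', '.join(services)}")
    print("file sharing announced by:", hosts_sharing_files(SAMPLE_TABLE))
```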

Page 15: NetBIOS Null Sessions

- Null session
  – Unauthenticated connection to a Windows computer
  – Does not use logon and password values
- Around for over a decade
  – Still present on Windows XP
- A large vulnerability
  – See links Ch 6a-f

Page 16: Null Session Information

- Using these NULL connections allows you to gather the following information from the host:
  – List of users and groups
  – List of machines
  – List of shares
  – Users and host SIDs (Security Identifiers)
- From brown.edu (link Ch 6b)

Page 17: Demonstration of Null Sessions

- Start Win 2000 Pro
- Share a folder
- From a Win XP command prompt:
  – NET VIEW \\ip-address   (fails)
  – NET USE \\ip-address\IPC$ "" /u:""
    Creates the null session: Username="" Password=""
  – NET VIEW \\ip-address   (works now)

Page 18: Demonstration of Enumeration

- Download Winfo from link Ch 6g
- Run it and see all the information!

Page 19: NULL Session Information

- NULL sessions exist in Windows networking to allow:
  – Trusted domains to enumerate resources
  – Computers outside the domain to authenticate and enumerate users
  – The SYSTEM account to authenticate and enumerate resources
- NetBIOS NULL sessions are enabled by default in Windows NT and 2000
- From brown.edu (link Ch 6b)

Page 20: NULL Sessions in Win XP and 2003 Server

- Windows XP and 2003 don't allow Null Sessions, according to link Ch 6c.
  – I tried the NET USE command on Win XP SP2 and it did not work
  – Link Ch 6f says you can still do it in Win XP SP2, but you need to use a different procedure

Page 21: NetBIOS Enumeration Tools

- Nbtstat command
  – Powerful enumeration tool included with the Microsoft OS
  – Displays the NetBIOS table

Page 22: NetBIOS Enumeration Tools

- Net view command
  – Shows whether there are any shared resources on a network host

Page 23: NetBIOS Enumeration Tools (continued)

- Net use command
  – Used to connect to a computer with shared folders or files

Page 24: Additional Enumeration Tools

- NetScanTools Pro
- DumpSec
- Hyena
- NessusWX

Page 25: NetScanTools Pro

- Produces a graphical view of NetBIOS running on a network
- Enumerates any shares running on the computer
- Verifies whether access is available for a shared resource using its Universal Naming Convention (UNC) name
- Costs about $250 per machine (link Ch 6i)


Page 28: DumpSec

- Enumeration tool for Microsoft systems
- Produced by Foundstone, Inc.
- Allows the user to connect to a server and "dump" the following information:
  – Permissions for shares
  – Permissions for printers
  – Permissions for the Registry
  – Users in column or table format
  – Policies and rights
  – Services

Page 29: Hyena

- Excellent GUI product for managing and securing Microsoft OSs
- Shows shares and user logon names for Windows servers and domain controllers
- Displays a graphical representation of:
  – Microsoft Terminal Services
  – Microsoft Windows Network
  – Web Client Network
  – Find User/Group

Page 30: Prices

- DumpSec seems to be free
- Hyena costs about $200 per station
  – Link Ch 6j


Page 32: NessusWX

- This is the client part of Nessus
- Allows enumeration of different OSs on a large network
- Running NessusWX
  – Be sure the Nessus server is up and running
  – Open the NessusWX client application
  – To connect your client with the Nessus server:
    Click Communications, Connect from the menu on the session window
    Enter the server's name
    Log on to the Nessus server

Page 33: Nessus is No Longer Free

- OpenVAS is the open source fork of Nessus
- Links Ch 6l, 6m


Page 36: NessusWX (continued)

- Nessus identifies
  – NetBIOS names in use
  – Shared resources
  – Vulnerabilities with shared resources (also offers solutions to those vulnerabilities)
  – OS version
  – OS vulnerabilities
  – Firewall vulnerabilities


Page 41: Etherleak Vulnerability

- Padding in Ethernet frames comes from RAM; it's not just zeroes
- Real data can leak out that way
- See link Ch 6l
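A defender can check for the symptom described on this page by looking at the bytes that follow a short IPv4 datagram inside a minimum-size Ethernet frame: a correct driver fills them with zeros, a leaky one with whatever was in memory. This example is added here and is not code from the slides or the book; the frames it inspects are constructed by hand (hypothetical MAC and IP addresses, no checksum), not captured from a real network.

```python
# Added example (not from the slides): locate and inspect Ethernet padding.
# Frames carrying less than 46 bytes of payload are padded to the 60-byte
# minimum (the 4-byte FCS excluded); the IPv4 total-length field tells us
# where the real data ends and the padding begins.
import struct

ETH_HDR_LEN = 14
ETH_MIN_FRAME = 60          # minimum frame size without the FCS
ETHERTYPE_IPV4 = 0x0800


def padding_bytes(frame: bytes) -> bytes:
    """Return the bytes after the IPv4 datagram, i.e. the frame's padding."""
    if len(frame) < ETH_HDR_LEN + 20:
        raise ValueError("frame too short for an Ethernet + IPv4 header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"not an IPv4 frame (ethertype 0x{ethertype:04X})")
    ip_total_len = struct.unpack("!H", frame[ETH_HDR_LEN + 2:ETH_HDR_LEN + 4])[0]
    return frame[ETH_HDR_LEN + ip_total_len:]


def leaks_memory(frame: bytes) -> bool:
    """True if any padding byte is non-zero, the Etherleak symptom."""
    return any(padding_bytes(frame))


def build_frame(payload: bytes, pad_source: bytes = b"") -> bytes:
    """Build a minimal Ethernet/IPv4 frame around `payload`, padded to 60 bytes.

    A well-behaved driver pads with zeros (the default); passing `pad_source`
    simulates a leaky driver that pads with stale memory contents.
    Addresses are hypothetical and the IP checksum is left at zero.
    """
    ip_total_len = 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total_len, 0, 0, 64, 17, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    eth_hdr = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
               + struct.pack("!H", ETHERTYPE_IPV4))
    frame = eth_hdr + ip_hdr + payload
    pad_len = max(0, ETH_MIN_FRAME - len(frame))
    pad = ((pad_source or b"\x00") * pad_len)[:pad_len]
    return frame + pad


if __name__ == "__main__":
    # Constructed samples: a clean driver and one padding from stale memory.
    clean = build_frame(b"ping")
    leaky = build_frame(b"ping", b"leaked-ram-")
    print("clean frame leaks:", leaks_memory(clean), padding_bytes(clean).hex())
    print("leaky frame leaks:", leaks_memory(leaky), padding_bytes(leaky))
```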


Page 43: Enumerating the NetWare Operating System

- Security professionals see Novell NetWare as a "dead horse"
  – Ignoring an OS can limit your career as a security professional
- Novell NetWare version 4.11
  – Novell does not offer any technical support for earlier versions
  – Novell has switched to SUSE Linux now

Page 44: NetWare Enumeration Tools

- NetWare 5.1 is still used on many networks
- New vulnerabilities are discovered daily
  – You need to be vigilant in checking vendor sites and security sites
- Tool
  – Nessus


Page 46: NetWare Enumeration Tools (continued)

- Nessus
  – Enumerates a NetWare server
  – Determines eDirectory information
  – Discovers the user name and password for the FTP account
  – Discovers the names of several user accounts


Page 50: NetWare Enumeration Tools (continued)

- Novell Client32
  – Available at www.novell.com
  – Client available for several OSs
- Specify information for
  – Tree
  – Context
  – Server


Page 54: Enumerating the *NIX Operating System

- Several variations
  – Solaris
  – SunOS
  – HP-UX
  – Linux
  – Ultrix
  – AIX
  – BSD UNIX
  – FreeBSD
  – OpenBSD

Page 55: UNIX Enumeration

- Finger utility
  – Most popular tool for security testers
  – Finds out who is logged in to a *NIX system
  – Determines the owner of any process
- Nessus
  – Another important *NIX enumeration tool
