Chapter 3 Enumeration
Last modified 8-30-12.

Definition
Scanning identifies live hosts and running services
Enumeration probes the identified services more fully for known weaknesses
Enumeration is more intrusive, using active connections and directed queries
Enumeration will usually be logged and noticed

Goals of Enumeration
User account names
– To inform subsequent password-guessing attacks
Oft-misconfigured shared resources
– For example, unsecured file shares
Older software versions with known security vulnerabilities
– Such as web servers with remote buffer overflows

Pen-Test Video
Link Ch 3a: Droop's Box: Simple Pen-test Using Nmap, Nikto, Bugtraq, Nslookup and Other Tools by IronGeek

Vulnerability Scanners
Very noisy and easy to detect
Thorough and slow
Nessus
OpenVAS
Cenzic Hailstorm
Acunetix
Many others

nmap NSE Scripting
Nmap Scripting Engine
– nmap --script-help all
– When running a script, -v helps

Telnet in Vista and Windows 7
First you need to install Telnet
– In Control Panel, Programs and Features, Turn Windows Features on or off, check Telnet Client

Banner Grabbing
Connecting to remote applications and observing the output
Simple way, at a command prompt
– telnet www.ccsf.edu 80
On the next blank screen type in
– GET / HTTP/1.1
– Press Enter twice

Making Characters Visible
In Windows XP and Vista, you can't see what you type in the Telnet session
Do this:
– At a command prompt, type telnet hills.ccsf.edu 80
– Press Enter. Press Ctrl+]. Then type set localecho
– Press Enter twice
Link Ch 3z11

Example Banners
www.ccsf.edu tells you too much
cnn.com is better

Netcat Banner Grabs
Get Netcat for Windows at links Ch 3d, 3d1, 3d2

Banner-Grabbing Countermeasures
Turn off unnecessary services
Disable the presentation of the vendor and version in banners
Audit yourself regularly with port scans and raw netcat connects to active ports
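
An added self-audit script, my example and not part of these slides: it performs the same GET / banner grab from Python against a host you own and flags HTTP banners that disclose a version number. The hostnames and the two sample responses are constructed, not captured from the sites named above.

```python
import re
import socket
from typing import Optional

# The request the slides type into telnet. HTTP/1.1 also requires a Host
# header, and "Connection: close" makes the server hang up after one reply.
def http_banner_request(host: str) -> bytes:
    return f"GET / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode("ascii")

def grab_banner(host: str, port: int = 80, timeout: float = 5.0) -> bytes:
    """Connect to one of your own hosts and return whatever it sends back.
    On port 80 the HTTP request is sent first; FTP, SMTP and Telnet volunteer
    a greeting on connect, so nothing is sent to them."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if port == 80:
            sock.sendall(http_banner_request(host))
        chunks = []
        try:
            while sum(len(c) for c in chunks) < 65536:
                data = sock.recv(4096)
                if not data:            # server closed the connection
                    break
                chunks.append(data)
        except socket.timeout:
            pass                        # greeting-only services then wait for us
    return b"".join(chunks)

def header_value(raw: bytes, name: str) -> Optional[str]:
    """Return one HTTP response header's value (case-insensitive), or None."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1", errors="replace")
    for line in head.split("\r\n")[1:]:       # [0] is the status line
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == name.lower():
            return value.strip()
    return None

# A version number such as 2.2.3 or 7.5 anywhere in the banner text.
VERSION_RE = re.compile(r"\b\d+\.\d+(?:\.\d+)*\b")

def discloses_version(banner: Optional[str]) -> bool:
    """True when a banner carries a version an attacker could look up."""
    return bool(banner) and VERSION_RE.search(banner) is not None

def audit_http_banner(raw: bytes) -> dict:
    """Summarise what an HTTP response leaks. Works on captured bytes, so it
    can also be run over saved telnet or netcat output without a network."""
    server = header_value(raw, "Server")
    powered = header_value(raw, "X-Powered-By")
    return {"server": server, "x_powered_by": powered,
            "leaks_version": discloses_version(server) or discloses_version(powered)}

# Constructed sample responses, not captured from www.ccsf.edu or cnn.com.
CHATTY = (b"HTTP/1.1 200 OK\r\nServer: Apache/2.2.3 (Red Hat)\r\n"
          b"X-Powered-By: PHP/5.1.6\r\nContent-Length: 0\r\n\r\n")
QUIET = b"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    for sample in (CHATTY, QUIET):
        print(audit_http_banner(sample))
```

To audit a live host, feed grab_banner(host, 80) into audit_http_banner; on ports 21, 23 or 25 the returned greeting can be checked with discloses_version directly.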

Enumerating Common Network Services
FTP, TCP 21
Telnet, TCP 23
SMTP, TCP 25
DNS, TCP/UDP 53
TFTP, TCP/UDP 69
Finger, TCP/UDP 79
HTTP, TCP 80

FTP Enumeration, TCP 21
CCSF doesn't give away much information
FTP is becoming obsolete, see ftp.sun.com
FTP passwords are sent in the clear
– Don't allow anonymous uploads
– Turn it off, use secure FTP instead

Googling for FTP Servers
Search for
– intitle:"Index of ftp://"

Here's an overly informative HTTP banner

FTP Banner
Here's the corresponding overly informative FTP banner

Eliminate FTP
Plaintext password transmission!
Alternatives:
– SFTP (over SSH)
– FTPS (over SSL)
Public content should be served over HTTP, not FTP

Enumerating Telnet, TCP 23
Telnet sometimes has banners, and allows brute-force username enumeration
It sends passwords in cleartext
Telnet should be eliminated if possible
– Use SSH instead
If you must use Telnet, restrict it to proper source IP addresses
– Or run it through a VPN

Enumerating SMTP, TCP 25
SMTP can be enumerated with Telnet, using these commands
– VRFY confirms names of valid users
– EXPN reveals the actual delivery addresses of aliases and mailing lists

Antivirus Note
McAfee antivirus blocks telnets to port 25
"Prevent mass mailing worms from sending mail"

SMTP Enumeration Countermeasures
Disable the EXPN and VRFY commands, or restrict them to authenticated users
Sendmail and Exchange both allow that in modern versions
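
An added example, not from the slides or the course, of checking that your own mail server really has these commands disabled: it speaks SMTP with Python's standard library and classifies the reply codes to VRFY and EXPN. The reply-code meanings, the Sendmail and Postfix settings named in the comments, and the sample replies are my own assumptions and constructions.

```python
import smtplib
from typing import Dict, Tuple

# What a server answers to VRFY/EXPN tells you whether the command leaks
# account information. 250/251 confirm an address exists; 550/551/553
# confirm it does not, which serves enumeration just as well. Only these
# replies show the command is really out of reach:
# 252 = "cannot VRFY user, but will accept message" (a Sendmail with
#       PrivacyOptions=novrfy answers this way);
# 500/502 = command not implemented (Postfix with disable_vrfy_command=yes);
# 503 = bad sequence, e.g. the server wants authentication first.
NON_LEAKING_CODES = {252, 500, 502, 503}

def leaks_accounts(code: int) -> bool:
    """Classify one SMTP reply code. Codes we do not recognise are reported
    as leaking, so an unusual server gets looked at rather than passed."""
    return code not in NON_LEAKING_CODES

def parse_reply(raw: bytes) -> Tuple[int, str]:
    """Turn a raw, possibly multi-line, SMTP reply into (code, text)."""
    lines = raw.decode("ascii", errors="replace").splitlines()
    code = int(lines[0][:3])
    # Continuation lines read "250-text"; the final line reads "250 text".
    text = " ".join(line[4:] for line in lines if line[:3].isdigit())
    return code, text

def audit_offline(vrfy_reply: bytes, expn_reply: bytes) -> Dict[str, bool]:
    """Audit from replies captured earlier, e.g. pasted from a telnet session."""
    return {
        "VRFY leaks accounts": leaks_accounts(parse_reply(vrfy_reply)[0]),
        "EXPN leaks accounts": leaks_accounts(parse_reply(expn_reply)[0]),
    }

def audit_live(host: str, port: int = 25, probe: str = "postmaster",
               timeout: float = 10.0) -> Dict[str, bool]:
    """Audit your own mail server: issue VRFY and EXPN for one harmless
    mailbox and report whether either command is still answering."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo_or_helo_if_needed()
        vrfy_code, _ = smtp.verify(probe)
        expn_code, _ = smtp.expn(probe)
    return {
        "VRFY leaks accounts": leaks_accounts(vrfy_code),
        "EXPN leaks accounts": leaks_accounts(expn_code),
    }

# Constructed replies (not captured from any real server) for both outcomes.
OPEN_VRFY = b"250 2.1.5 <postmaster@mail.example.test>\r\n"
OPEN_EXPN = (b"250-2.1.5 <alice@mail.example.test>\r\n"
             b"250 2.1.5 <bob@mail.example.test>\r\n")
CLOSED_VRFY = b"252 2.5.2 Cannot VRFY user, but will accept message\r\n"
CLOSED_EXPN = b"502 5.5.1 EXPN command not implemented\r\n"

if __name__ == "__main__":
    print("unhardened:", audit_offline(OPEN_VRFY, OPEN_EXPN))
    print("hardened:  ", audit_offline(CLOSED_VRFY, CLOSED_EXPN))
```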

DNS Zone Transfers, TCP 53
Zone transfers dump the entire contents of a given domain's zone files
Restricted to authorized machines on most DNS servers now

DNS Cache Snooping
The +norecurse option (dig) examines only the local DNS server's data, without recursing to other servers (note ANSWER: 0)

DNS Enumeration Tools
dnsenum
– Google scraping
– Brute forcing
– More
– Links Ch 3a, 3b

DNS Enumeration Countermeasures
Use separate internal and external DNS servers
Block or restrict DNS zone transfers
Restrict DNS queries to limit cache snooping (Link Ch 3d)

Enumerating TFTP, TCP/UDP 69
TFTP is inherently insecure
– Runs in cleartext
– No authentication at all
– Anyone can grab any file (even /etc/passwd in the worst cases)
– Used in routers and VoIP telephones to update firmware

TFTP Enumeration Countermeasures
Wrap it to restrict access
– Using a tool such as TCP Wrappers
– TCP Wrappers is like a software firewall, only allowing certain clients to access a service
– Links Ch 3e, 3f
Limit access to the /tftpboot directory
Make sure it's blocked at the border firewall

Finger, TCP/UDP 79
Shows users on local or remote systems, if enabled
– Useful for social engineering
Countermeasure: block remote access to finger

Enumerating HTTP, TCP 80
Grab banners with netcat or telnet
Crawl Web sites with Sam Spade

Grendel-Scan
Crawls sites and reports on vulnerabilities
In BackTrack
Very slow
Link Ch 3e

HTTP Enumeration Countermeasures
Change the banner on your web servers
– URLScan for IIS v 4 and later
Link Ch 3h

Microsoft RPC Endpoint Mapper (MSRPC), TCP 135
Remote Procedure Call (RPC) endpoint mapper (or portmapper) service on TCP 135
Querying this service can yield information about applications and services available on the target machine

epdump
From Microsoft's Windows Resource Kit
Shows services bound to IP addresses
It takes some research to interpret the results
– Link Ch 3f

winfingerprint
Does RPC enumeration and much more
Link Ch 3g

MSRPC Enumeration Countermeasures
Block port 135 at the firewall, if you can
– But some Microsoft Exchange configurations require access to the endpoint mapper
– You can avoid that by using Virtual Private Networks, or
– Outlook Web Access (OWA), which works over HTTPS
– Exchange 2003 and later implements RPC over HTTP

NetBIOS Name Service, UDP 137
NetBIOS Name Service (NBNS) is Microsoft's name service, an alternative to DNS
What is Name Resolution?
– Suppose you issue a command that refers to a computer by name, such as PING

Name Resolution
Windows needs to change a computer name to an IP address to send data packets
Windows uses two naming systems:
– DNS (the preferred method)
– NetBIOS Name Resolution (still used by all versions of Windows)

Standard Name Resolution Methods
Charts from link Ch 3h

NET VIEW
NET VIEW can list the domains, or the computers in each domain

NBNS over TCP/IP
Normally NBNS only works on the local network segment
It is possible to route NBNS over TCP/IP, allowing enumeration from a remote system

Other Tools to Enumerate NBNS
NLTEST and NETDOM can find domain controllers
NETVIEWX finds specific services
NBTSTAT collects information from a single system
NBTSCAN scans a whole range of addresses, and dumps the whole NetBIOS name table
– Link Ch 3i
nmbscan in BackTrack

Stopping NetBIOS Name Services Enumeration
All the preceding techniques operate over the NetBIOS Naming Service, UDP 137
Block UDP 137 at the firewall, or restrict it to only certain hosts
To prevent user data from appearing in NetBIOS name table dumps, disable the Alerter and Messenger services on individual hosts
Blocking UDP 137 will disable NBNS name authentication, of course

NetBIOS Session, TCP 139
These are the notorious Null Sessions
The Windows Server Message Block (SMB) protocol hands out a wealth of information freely
Null Sessions are turned off by default in Win XP and later versions, but open in Win 2000 and NT
– They aren't available in Win 95, 98, or Me

Information Available
Null sessions on Win 2000 and NT provide information about:
– Shares
– User accounts
– Password policies

DumpSec
Free from link Ch 3j
Runs on Vista (and earlier Windows)

Registry Enumeration
The Registry can be viewed remotely with reg or DumpSec
Requires Administrator privileges by default on Windows servers
– You can't do it with null sessions
Gary McKinnon used remote registry access to hack into the Pentagon
– Link Ch 3k

user2sid/sid2user
These utilities can get user account names and SIDs remotely, even if the registry key RestrictAnonymous is set to 1
They can find the Administrator's account name, even if it's renamed, by changing the last 3 numbers of another account's SID to 500
– Works against Win 2003, but not Win XP SP2
– See link Ch 3l

All-in-One Null Session Enumeration Tools
winfingerprint
Winfo
NBTEnum 3.3
– Link Ch 3m

SMB Null Session Countermeasures
Block TCP 139 and 445 at the router
Set the RestrictAnonymous registry key to 1 or 2
– HKLM\SYSTEM\CurrentControlSet\Control\LSA
Ensure the Registry Is Locked Down
– http://support.microsoft.com/kb/153183 (link Ch 3n)

SNMP, UDP 161
Simple Network Management Protocol (SNMP) is intended for network management and monitoring
– Administrators use SNMP to remotely manage routers and other network devices

Community Strings
SNMP is not a very secure protocol. It has a minimal security system called SNMP Community Strings
Community strings act like passwords
There are three kinds of SNMP Community strings: Read-Only, Read-Write, and Trap (Trap is rarely used)
– But the community strings are often left at obvious defaults like "public" and "private"

Management Information Bases (MIBs)
The MIB contains an SNMP device's data in a tree-structured form, like the Windows Registry
Vendors add data to the MIB
Microsoft stores Windows user account names in the MIB
– Image from link Ch 3o

Data Available Via SNMP Enumeration
Running services
Share names
Share paths
Comments on shares
Usernames
Domain name

SNMP Enumeration Tools
snmputil from the Windows NT Resource Kit
snmpget or snmpwalk for Unix
IP Network Browser
– Part of the Engineer's Toolset, link Ch 2d

Worse than Enumeration
Attackers who guess the SNMP community string may be able to remotely control your network devices
– That can be used for DoS attacks, or other attacks

SNMP Enumeration Countermeasures
Remove or disable unneeded SNMP agents
Change the community strings to non-default values
Block access to TCP and UDP ports 161 (SNMP GET/SET)
Restrict access to SNMP agents to the appropriate management console IP address

SNMP Enumeration Countermeasures
Use SNMP V3—much more secure than V1 or 2
– Provides enhanced encryption and authentication mechanisms
Adjust Win NT registry keys to make SNMP less dangerous
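
An added example (mine, not the slides') for auditing a net-snmp snmpd.conf against the countermeasures above: default community strings, communities with no source restriction, read-write v1/v2c communities, and v3 users not required to use authPriv. The net-snmp directive names are my assumption about that agent's syntax; both sample configurations are constructed, and the user name and passphrases are placeholders.

```python
from typing import List, Tuple

# The two defaults the slides name; any agent still using them is enumerable.
DEFAULT_COMMUNITIES = {"public", "private"}
# SOURCE fields net-snmp treats as "accept this community from any address".
UNRESTRICTED_SOURCES = {"", "default", "0.0.0.0/0", "0.0.0.0", "::/0"}
Finding = Tuple[int, str]  # (snmpd.conf line number, message)

def _check_community(lineno: int, directive: str, community: str,
                     source: str, findings: List[Finding]) -> None:
    if community.lower() in DEFAULT_COMMUNITIES:
        findings.append((lineno, f"{directive}: default community string '{community}'"))
    if source.lower() in UNRESTRICTED_SOURCES:
        findings.append((lineno, f"{directive}: no source restriction, any client may query"))
    if directive.startswith("rw"):
        findings.append((lineno, f"{directive}: read-write access over v1/v2c, anyone "
                                 "with the string can reconfigure the device"))

def audit_snmpd_conf(text: str) -> List[Finding]:
    """Walk a net-snmp snmpd.conf and report the weaknesses the slides warn
    about: default community strings, communities open to any source address,
    read-write v1/v2c communities, and v3 users not held to authPriv."""
    findings: List[Finding] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        tokens = line.split()
        directive = tokens[0].lower()
        if directive in ("rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"):
            # rocommunity COMMUNITY [SOURCE [OID | -V VIEW]]
            community = tokens[1] if len(tokens) > 1 else ""
            source = tokens[2] if len(tokens) > 2 else ""
            _check_community(lineno, directive, community, source, findings)
        elif directive == "com2sec" and len(tokens) >= 4:
            # com2sec NAME SOURCE COMMUNITY (older syntax; read/write is decided
            # by later group/access lines, so no rw check is possible here)
            _check_community(lineno, "com2sec", tokens[3], tokens[2], findings)
        elif directive in ("rouser", "rwuser") and len(tokens) > 1:
            # rouser USER [noauth|auth|priv]; net-snmp's default level is auth
            level = tokens[2].lower() if len(tokens) > 2 else "auth"
            if level != "priv":
                findings.append((lineno, f"{directive} {tokens[1]}: level '{level}' "
                                         "is not authPriv, traffic is unencrypted"))
    return findings

# Constructed sample configurations (not taken from any real device).
WEAK_CONF = """\
# typical out-of-the-box agent
rocommunity public
rwcommunity private 10.0.0.0/8
"""

HARDENED_CONF = """\
# v3 only, authPriv, read-only. UDP 161 is additionally firewalled to the
# management console; createUser normally lives in /var/lib/net-snmp/snmpd.conf
createUser monitor SHA "CHANGE-ME-auth-passphrase" AES "CHANGE-ME-priv-passphrase"
rouser monitor priv
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_snmpd_conf(conf) or "no findings")
```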

BGP, TCP 179
Border Gateway Protocol (BGP) is the de facto routing protocol on the Internet
Used by routers to help them guide packets to their destinations
It can be used to find all the networks associated with a particular corporation
– That may give you more targets to attack
A small risk, but there is no countermeasure

Windows Active Directory LDAP, TCP/UDP 389 and 3268
Active Directory contains all user accounts and other information on Windows domain controllers
If the domain is made compatible with earlier versions of Windows, such as Win NT4 Server, any domain member can enumerate Active Directory

Active Directory Enumeration Countermeasures
Filter access to ports 389 and 3268 at the network border
Use "Native" domains—don't allow Win NT4 Domain Controllers

Other Services Vulnerable to Enumeration
UNIX RPC, TCP/UDP 111 and 32771
rwho (UDP 513) and rusers (RPC Program 100002)
NIS, RPC Program 100004
Oracle TNS, TCP 1521/2483
SQL Resolution Service, UDP 1434
NFS, TCP/UDP 2049
IPSec/IKE, UDP 500