Enumeration Testing

JSIIT System Intrusion and Computer Forensic Module, code: (CSM203). Assignment Presentation on SYSTEM ENUMERATION TCP/UDP PORT, by YUSIF SULEIMAN, 2308-0703-0223. Instructor: Mr Bashi. In Partial Fulfillment for the Award of IADNCS, 2012.

description

Presentation on Enumeration Port testing

Transcript of Enumeration Testing

Page 1: Enumeration Testing


Page 2: Enumeration Testing

INTRODUCTION

Page 3: Enumeration Testing

Enumeration

Enumeration is the first attack on the target network. Enumeration is a process to gather information about user names, machine names, network resources, shares and services. Enumeration makes a fixed, active connection to a system.

Page 4: Enumeration Testing

Although File Transfer Protocol (FTP) is becoming less common on the Internet, connecting to and examining the content of FTP repositories remains one of the simplest and potentially lucrative enumeration techniques. We’ve seen many public web servers that used FTP for uploading web content, providing an easy vector for uploading malicious executables. Typically, the availability of easily accessible file-sharing services quickly becomes widespread knowledge, and public FTP sites end up hosting sensitive and potentially embarrassing content. Even worse, many such sites are configured for anonymous access.

Page 5: Enumeration Testing

Techniques used for Enumeration

CMD commands: there are many cmd commands which are more effective on local area connections (Windows OS) :)

net use (works only in XP and 2000)
Syntax: net use \\<ip address>\IPC$ "" /u:""
Example: net use \\192.168.2.2\IPC$ "" /u:""
Definition: it connects to the hidden inter-process communication share (IPC$) of 192.168.2.2 with the built-in anonymous user (/u:) and a null password ("").

Page 6: Enumeration Testing

nbtstat (tested and worked)
Syntax: nbtstat -A <ip address>
Example: nbtstat -A 192.168.2.4
Use: will get the NetBIOS information and MAC address of the system

FTP Enumeration
Syntax: ftp <ftp servername>
Example: ftp ftp.gnuplot.info

Techniques (Continued)

Page 7: Enumeration Testing

telnet
Syntax: telnet <URL/IP> <port number>
Example: telnet www.csice.edu.in 80 (http port number)
Use: connect to a server

PORT      NUMBER
http      80
ftp       21
telnet    23
smtp      25
dns       53
tftp      69
finger    79
NetBIOS   137

Techniques (Continued)

Page 8: Enumeration Testing

Tools used for Enumeration: SuperScan

IP Tools - it gives information about:

Local Info - examines the local host and shows info about processor, memory, Winsock data, etc.
Connection Monitor - displays information about current TCP and UDP network connections
NetBIOS Info - gets NetBIOS information about network interfaces (local and remote computers)
NB Scanner - shared resources scanner
SNMP Scanner - scans network(s) for SNMP-enabled devices
Name Scanner - scans all hostnames within a range of IP addresses
Port Scanner - scans network(s) for active TCP-based services
UDP Scanner - scans network(s) for active UDP-based services

Page 9: Enumeration Testing

Ping Scanner - pings remote hosts over the network
Trace - traces the route to a remote host over the network
WhoIs - obtains information about an Internet host or domain name from the NIC (Network Information Center)
Finger - retrieves information about a user from a remote host
LookUp - looks up a domain name from its IP address, or an IP address from its domain name
GetTime - gets time from time servers (it can also set the correct time on the local system)
Telnet - telnet client
HTTP - HTTP client
IP-Monitor - shows network traffic in real time (as a set of charts)
Host Monitor - monitors up/down status of selected hosts
Trap Watcher - allows you to receive and process SNMP Trap messages

IP Tools (Continued)

Page 10: Enumeration Testing

SoftPerfect Network Scanner tool. Features:

>Pings computers and displays those alive.
>Detects hardware MAC addresses, even across routers.
>Detects hidden shared folders and writable ones.
>Detects your internal and external IP addresses.
>Scans for listening TCP ports, some UDP and SNMP services.
>Retrieves currently logged-on users, configured user accounts, uptime, etc.
>You can mount and explore network resources.
>Can launch external third-party applications.
>Exports results to HTML, XML, CSV and TXT.
>Supports Wake-On-LAN, remote shutdown and sending network messages.
>Retrieves potentially any information via WMI.
>Retrieves information from remote registry, file system and service manager.

Page 11: Enumeration Testing

Enumeration Ports

Page 12: Enumeration Testing

FTP Enumeration, TCP 21

FTP port 21 open: fingerprint server
telnet ip_address 21 (banner grab)
Run command: ftp ip_address
[email protected]

Check for anonymous access:
ftp ip_address
Username: anonymous OR anon
Password: [email protected]

Password guessing (brute force): Hydra, Medusa, Brutus

Examine configuration files: ftpusers, ftp.conf, proftpd.conf

MiTM: pasvagg.pl

Page 13: Enumeration Testing

SMTP TCP 25 – version of popular SMTP server software

• sendmail versions greater than 8 offer syntax that can be embedded in the mail.cf file to disable, or require authentication for, the VRFY and EXPN commands
• Has two commands, VRFY and EXPN, which reveal the actual delivery addresses of aliases and mailing lists
• E.g. telnet 10.219.100.1 25

Enumerating SMTP, TCP 25

Page 14: Enumeration Testing

Sendmail port 25 open: fingerprint server
telnet ip_address 25 (banner grab)

Mail server testing: enumerate users
VRFY username (verifies if username exists - enumeration of accounts)
EXPN username (verifies if username is valid - enumeration of accounts)

Mail spoof test:
HELO anything
MAIL FROM: spoofed_address
RCPT TO: valid_mail_account
DATA
.
QUIT

Mail relay test:
HELO anything
Identical to/from - mail from: <nobody@domain>  rcpt to: <nobody@domain>
Unknown domain - mail from: <user@unknown_domain>
Domain not present - mail from: <user@localhost>
Domain not supplied - mail from: <user>
Source address omission - mail from: <>  rcpt to: <nobody@recipient_domain>
Use IP address of target server - mail from: <user@IP_Address>  rcpt to: <nobody@recipient_domain>
Use double quotes - mail from: <user@domain>  rcpt to: <"user@recipient-domain">
Use IP address of the target server - mail from: <user@domain>  rcpt to: <nobody@recipient_domain@[IP Address]>
Disparate formatting - mail from: <user@[IP Address]>  rcpt to: <@domain:nobody@recipient-domain>
Disparate formatting 2 - mail from: <user@[IP Address]>  rcpt to: <recipient_domain!nobody@[IP Address]>

Examine configuration files - sendmail.cf, submit.cf

Page 15: Enumeration Testing

DNS port 53 open: fingerprint server/service

host
host [-aCdlnrTwv] [-c class] [-N ndots] [-R number] [-t type] [-W wait] name [server]
-v verbose format
-t (query type) allows a user to specify a record type, i.e. A, NS, or PTR
-a same as -t ANY
-l zone transfer (if allowed)
-f save to a specified filename

nslookup
nslookup [-option ...] [host-to-find | - [server]]

dig
dig [@server] [-b address] [-c class] [-f filename] [-k filename] [-p port#] [-t type] [-x addr] [-y name:key] [-4] [-6] [name] [type] [class] [queryopt...]

whois
-h use the named host to resolve the query
-a use ARIN to resolve the query
-r use RIPE to resolve the query
-p use APNIC to resolve the query
-Q perform a quick lookup

DNS Enumeration: BiLE Suite
perl BiLE.pl [website] [project_name]
perl BiLE-weigh.pl [website] [input file]
perl vet-IPrange.pl [input file] [true domain file] [output file] <range>
perl vet-mx.pl [input file] [true domain file] [output file]
perl exp-tld.pl [input file] [output file]
perl jarf-dnsbrute [domain_name] (brutelevel) [file_with_names]
perl qtrace.pl [ip_address_file] [output_file]
perl jarf-rev [subnetblock] [nameserver]

txdns
txdns -rt -t domain_name
txdns -x 50 -bb domain_name
txdns --verbose -fm wordlist.dic --server ip_address -rr SOA domain_name -h c:\hostlist.txt

Examine configuration files - host.conf, resolv.conf, named.conf

DNS Zone Transfer, TCP 53

Page 16: Enumeration Testing

TFTP port 69 open: TFTP Enumeration
tftp ip_address PUT local_file
tftp ip_address GET conf.txt (or other files)
Solarwinds TFTP server
tftp -i <IP> GET /etc/passwd (old Solaris)

TFTP bruteforcing: TFTP bruteforcer, Cisco-Torch

TFTP, TCP/UDP 69: trivial file transfer protocol for unauthenticated file transfers using UDP port 69

• It’s trivial to copy a poorly secured /etc/passwd

$ tftp 192.168.202.34
tftp> get /etc/passwd /tmp/passwd.cracklater
tftp> quit

Enumerating TFTP, TCP/UDP 69

Page 17: Enumeration Testing

Finger port 79 open: user enumeration

finger 'a b c d e f g h' @example.com
finger [email protected]
finger [email protected]
finger [email protected]
finger [email protected]
finger [email protected]
finger **@example.com
finger [email protected]
finger @example.com

Command execution
finger "|/bin/[email protected]"
finger "|/bin/ls -a /@example.com"

Finger bounce
finger user@host@victim
finger @internal@external

Finger, TCP/UDP 79

Page 18: Enumeration Testing

Web ports 80, 8080 etc. open: fingerprint server
telnet ip_address port

Firefox plugins
All: firecat
Specific: add n edit cookies, asnumber, header spy, live http headers, shazou, web developer

Crawl website
lynx [options] startfile/URL
Options include -traversal -crawl -dump -image_links -source
httprint

Metagoofil
metagoofil.py -d [domain] -l [no. of] -f [type] -o results.html

Web directory enumeration
Nikto: nikto [-h target] [options]
DirBuster, Wikto, Goolag Scanner

Enumerating HTTP, TCP 80

Page 19: Enumeration Testing

Enumeration Microsoft RPC Port 135

Enum
enum <-UMNSPGLdc> <-u username> <-p password> <-f dictfile> <hostname|ip>

Null session
net use \\192.168.1.1\ipc$ "" /u:""
net view \\ip_address
Dumpsec

Smbclient
smbclient -L //server/share password options

Superscan: Enumeration tab

user2sid/sid2user
Winfo

NetBIOS brute force: Hydra, Brutus, Cain & Abel, getacct, NAT (NetBIOS Auditing Tool)

Examine configuration files: smb.conf, lmhosts

Enumerating Microsoft RPC Endpoint Mapper (MSRPC), TCP 135

Page 20: Enumeration Testing

Enumeration NetBIOS Open Ports UDP 137

Tools and techniques are the same as listed for Microsoft RPC, TCP 135 above: Enum, null session (net use / net view), Dumpsec, smbclient, Superscan Enumeration tab, user2sid/sid2user, Winfo, NetBIOS brute force (Hydra, Brutus, Cain & Abel, getacct, NAT), and examining smb.conf and lmhosts.

NetBIOS Name Service Enumeration, UDP 137

Page 21: Enumeration Testing

NetBIOS Session Enumeration, TCP 139

NetBIOS port 139

Tools and techniques are the same as listed for Microsoft RPC, TCP 135 above: Enum, null session (net use / net view), Dumpsec, smbclient, Superscan Enumeration tab, user2sid/sid2user, Winfo, NetBIOS brute force (Hydra, Brutus, Cain & Abel, getacct, NAT), and examining smb.conf and lmhosts.

Page 22: Enumeration Testing

SNMP port 161 open
Default community strings: public, private, cisco, cable-docsis, ILMI

MIB enumeration (Windows NT)
.1.3.6.1.2.1.1.5 Hostnames
.1.3.6.1.4.1.77.1.4.2 Domain Name
.1.3.6.1.4.1.77.1.2.25 Usernames
.1.3.6.1.4.1.77.1.2.3.1.1 Running Services
.1.3.6.1.4.1.77.1.2.27 Share Information

Tools: Solarwinds MIB walk, Getif, snmpwalk
snmpwalk -v <Version> -c <Community string> <IP>
Snscan

Applications
ZyXel:
snmpget -v2c -c <Community String> <IP> 1.3.6.1.4.1.890.1.2.1.2.6.0
snmpwalk -v2c -c <Community String> <IP> 1.3.6.1.4.1.890.1.2.1.2

SNMP bruteforce
onesixtyone: onesixtyone -c SNMP.wordlist <IP>
cat: ./cat -h <IP> -w SNMP.wordlist
Solarwinds SNMP Brute Force
ADMsnmp

Examine SNMP configuration files - snmp.conf, snmpd.conf, snmp-config.xml

SNMP Enumeration, UDP 161
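The slide lists the default community strings and names snmpd.conf as a file to examine. As an added example (not part of the presentation), this script audits a net-snmp style snmpd.conf for exactly those weaknesses: default community strings, communities accepted from any source, and write communities. The directive names (rocommunity, rwcommunity, com2sec) are net-snmp's; the sample file and the function names are constructed for this example.

```python
from __future__ import annotations

# Default community strings named on the slide, matched case-insensitively.
DEFAULT_COMMUNITIES = {"public", "private", "cisco", "cable-docsis", "ilmi"}

# Sources that mean "anyone": net-snmp's literal "default" plus the two
# all-zero prefixes.
ANY_SOURCE = {"default", "0.0.0.0/0", "::/0"}

# Constructed sample snmpd.conf: three weak entries and two acceptable ones.
SAMPLE_SNMPD_CONF = """\
# constructed example snmpd.conf
rocommunity public
rwcommunity private 10.0.0.0/8
rocommunity z7Kqv2pLmX 192.0.2.10
com2sec readonly default public
com2sec mgmt 192.0.2.0/24 s3cr3tC0mm
"""


def parse_communities(text: str) -> list[tuple[str, str, str, int]]:
    """Return (directive, community, source, lineno) for every community directive.

    rocommunity/rwcommunity: COMMUNITY [SOURCE ...]; a missing SOURCE means
    "default" (any host). com2sec: SECNAME SOURCE COMMUNITY.
    """
    found = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        directive = fields[0].lower()
        if directive in ("rocommunity", "rwcommunity") and len(fields) >= 2:
            source = fields[2] if len(fields) >= 3 else "default"
            found.append((directive, fields[1], source, lineno))
        elif directive == "com2sec" and len(fields) >= 4:
            found.append((directive, fields[3], fields[2], lineno))
    return found


def audit_snmpd_conf(text: str) -> list[tuple[int, str, str, list[str]]]:
    """Return (lineno, directive, community, issues) for each risky directive."""
    findings = []
    for directive, community, source, lineno in parse_communities(text):
        issues = []
        if community.lower() in DEFAULT_COMMUNITIES:
            issues.append("default community string")
        if source in ANY_SOURCE:
            issues.append("accepts requests from any source")
        if directive == "rwcommunity":
            issues.append("write access via SNMPv1/v2c community")
        if issues:
            findings.append((lineno, directive, community, issues))
    return findings


if __name__ == "__main__":
    for lineno, directive, community, issues in audit_snmpd_conf(SAMPLE_SNMPD_CONF):
        print(f"line {lineno}: {directive} {community!r}: {'; '.join(issues)}")
```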

Page 23: Enumeration Testing

BGP Enumeration, TCP 179

The Border Gateway Protocol (BGP) is the de facto routing protocol on the Internet and is used by routers to propagate information necessary to route IP packets to their destinations. By looking at the BGP routing tables, you can determine the networks associated with a particular corporation to add to your target host matrix. Not all networks connected to the Internet “speak” BGP, and this method may not work with your corporate network. Only networks that have more than one uplink use BGP, and these are typically used by medium-to-large organizations.

The methodology is simple. Here are the steps to perform BGP route enumeration:

1. Determine the Autonomous System Number (ASN) of the target organization.

2. Execute a query on the routers to identify all networks where the AS Path terminates with the organization’s ASN.

Page 24: Enumeration Testing

The BGP protocol uses IP network addresses and ASNs exclusively. The ASN is a 16-bit integer that an organization purchases from ARIN to identify itself on the network. You can think of an ASN as an IP address for an organization. Because you cannot execute commands on a router using a company name, the first step is to determine the ASN for an organization. There are two techniques to do this, depending on what type of information you have. One approach, if you have the company name, is to perform a whois search with the ASN keyword.

Alternatively, if you have an IP address for the organization, you can query a router and use the last entry in the AS Path as the ASN. For example, you can telnet to a public router and perform the following commands:

Page 25: Enumeration Testing

C:\>telnet route-views.oregon-ix.net
User Access Verification
Username: rviews
route-views.oregon-ix.net>show ip bgp 63.79.158.1
BGP routing table entry for 63.79.158.0/24, version 7215687
Paths: (29 available, best #14)
  Not advertised to any peer
  8918 701 16394 16394
    212.4.193.253 from 212.4.193.253 (212.4.193.253)
      Origin IGP, localpref 100, valid, external
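The slides say to read the origin ASN off the last entry of the AS Path. As an added example (not from the presentation), this parser turns the route-views listing above into structured paths and extracts the origin ASN from each one, treating prepending (16394 16394) correctly. The second path in the sample, ASNs 64496/64500 and next hop 192.0.2.1 (all documentation-reserved values), is constructed; the class and function names are this example's own.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Output of the route-views session quoted on the slides, embedded so the
# example runs offline. The second path is constructed (documentation ASNs and
# TEST-NET address) to show several paths converging on one origin ASN.
SAMPLE_OUTPUT = """\
BGP routing table entry for 63.79.158.0/24, version 7215687
Paths: (29 available, best #14)
  Not advertised to any peer
  8918 701 16394 16394
    212.4.193.253 from 212.4.193.253 (212.4.193.253)
      Origin IGP, localpref 100, valid, external
  64496 64500 16394
    192.0.2.1 from 192.0.2.1 (192.0.2.1)
      Origin IGP, localpref 100, valid, external
"""


@dataclass
class BgpPath:
    as_path: list[int]
    next_hop: str = ""
    attributes: str = ""

    @property
    def origin_asn(self) -> int:
        # The rightmost ASN originated the prefix; prepending repeats it but
        # does not change it.
        return self.as_path[-1]


@dataclass
class BgpEntry:
    prefix: str
    version: int
    paths: list[BgpPath] = field(default_factory=list)


_ENTRY_RE = re.compile(r"BGP routing table entry for (\S+), version (\d+)")
_AS_PATH_RE = re.compile(r"^\s*(\d+(?:\s+\d+)*)\s*$")  # a line of bare ASNs
_NEXT_HOP_RE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3}) from ")


def parse_show_ip_bgp(text: str) -> BgpEntry:
    """Parse one Cisco-style `show ip bgp <address>` listing into a BgpEntry."""
    entry: BgpEntry | None = None
    current: BgpPath | None = None
    for line in text.splitlines():
        m = _ENTRY_RE.search(line)
        if m:
            entry = BgpEntry(prefix=m.group(1), version=int(m.group(2)))
            continue
        if entry is None:
            continue  # skip prompt and banner text before the entry header
        m = _AS_PATH_RE.match(line)
        if m:
            current = BgpPath(as_path=[int(n) for n in m.group(1).split()])
            entry.paths.append(current)
            continue
        m = _NEXT_HOP_RE.match(line)
        if m and current is not None:
            current.next_hop = m.group(1)
        elif current is not None and line.strip().startswith("Origin "):
            current.attributes = line.strip()
    if entry is None:
        raise ValueError("no 'BGP routing table entry' header found")
    return entry


def origin_asns(entry: BgpEntry) -> set[int]:
    """Distinct origin ASNs over all paths; a single value when routing is consistent."""
    return {p.origin_asn for p in entry.paths}


if __name__ == "__main__":
    e = parse_show_ip_bgp(SAMPLE_OUTPUT)
    print(f"{e.prefix} (version {e.version}): origin AS {origin_asns(e)}")
```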

Page 26: Enumeration Testing

LDAP port 389 open: LDAP enumeration

ldapminer
ldapminer -h ip_address -p port (not required if default) -d

luma
GUI-based tool

ldp
GUI-based tool

openldap
ldapsearch [-n] [-u] [-v] [-k] [-K] [-t] [-A] [-L[L[L]]] [-M[M]] [-d debuglevel] [-f file] [-D binddn] [-W] [-w passwd] [-y passwdfile] [-H ldapuri] [-h ldaphost] [-p ldapport] [-P 2|3] [-b searchbase] [-s base|one|sub] [-a never|always|search|find] [-l timelimit] [-z sizelimit] [-O security-properties] [-I] [-U authcid] [-R realm] [-x] [-X authzid] [-Y mech] [-Z[Z]] filter [attrs...]

ldapadd [-c][-S file][-n][-v][-k][-K][-M[M]][-d debuglevel][-D binddn][-W][-w passwd][-y passwdfile][-h ldaphost][-p ldap-port][-P 2|3][-O security-properties][-I][-Q][-U authcid][-R realm][-x][-X authzid][-Y mech][-Z[Z]][-f file]

ldapdelete [-n][-v][-k][-K][-c][-M[M]][-d debuglevel][-f file][-D binddn][-W][-w passwd][-y passwdfile][-H ldapuri][-h ldaphost][-P 2|3][-p ldapport][-O security-properties][-U authcid][-R realm][-x][-I][-Q] [-X authzid][-Y mech][-Z[Z]][dn]

ldapmodify [-a][-c][-S file][-n][-v][-k][-K][-M[M]][-d debuglevel][-D binddn][-W][-w passwd][-y passwdfile][-H ldapuri][-h ldaphost][-p ldapport][-P 2|3][-O security-properties][-I][-Q][-U authcid][-R realm][-x][-X authzid][-Y mech][-Z[Z]][-f file]

ldapmodrdn [-r][-n][-v][-k][-K][-c][-M[M]][-d debuglevel][-D binddn][-W][-w passwd][-y passwdfile] [-H ldapuri][-h ldaphost][-p ldapport][-P 2|3][-O security-properties][-I][-Q][-U authcid][-R realm][-x] [-X authzid][-Y mech][-Z[Z]][-f file][dn rdn]

Windows Active Directory LDAP Enumeration, TCP/UDP 389 & 3268

Page 27: Enumeration Testing

LDAP brute force
bf_ldap
bf_ldap -s server -d domain name -u|-U username | users list file name -L|-l passwords list | length of passwords to generate
optional: -p port (default 389) -v (verbose mode) -P LDAP user path (default ,CN=Users,)
K0ldS
LDAP_Brute.pl

Examine configuration files
General: containers.ldif, ldap.cfg, ldap.conf, ldap.xml, ldap-config.xml, ldap-realm.xml, slapd.conf
IBM SecureWay V3 server: V3.sas.oc
Microsoft Active Directory server: msadClassesAttrs.ldif
Netscape Directory Server 4: nsslapd.sas_at.conf, nsslapd.sas_oc.conf
OpenLDAP directory server: slapd.sas_at.conf, slapd.sas_oc.conf
Sun ONE Directory Server 5.1: 75sas.ldif

Page 28: Enumeration Testing

Novell NetWare Enumeration, TCP 524 and IPX

Microsoft Windows is not alone with its “null session” holes. Novell’s NetWare has a similar problem—actually it’s worse. Novell practically gives up the information farm, all without authenticating to a single server or tree. Old NetWare 3.x and 4.x servers (with Bindery Context enabled) have what can be called the “Attach” vulnerability, allowing anyone to discover servers, trees, groups, printers, and usernames without logging into a single server.

See the reference for how easily this is done and recommendations for plugging up these information holes.

Page 29: Enumeration Testing

NetWare Enumeration via Network Neighborhood

The first step to enumerating a Novell network is to learn about the servers and trees available on the wire. This can be done a number of ways, but none more simply than through the Windows Network Neighborhood. This handy network-browsing utility will query for all Novell servers and NDS trees on the wire. This enumeration occurs over IPX on traditional NetWare networks, or via NetWare Core Protocol (NCP, TCP 524) for NetWare 5 or greater servers running “pure” TCP/IP (the NetWare client software essentially wraps IPX in an IP packet with destination port TCP 524). Although you cannot drill down into the Novell NDS tree without logging into the tree itself, this capability represents the initial baby steps leading to more serious attacks.

Page 30: Enumeration Testing

UNIX RPC Enumeration, TCP/UDP 111 and 32771

Like any network resource, applications need to have a way to talk to each other over the wires. One of the most popular protocols for doing just that is Remote Procedure Call (RPC). RPC employs a service called the portmapper (now known as rpcbind) to arbitrate between client requests and ports that it dynamically assigns to listening applications. Despite the pain it has historically caused firewall administrators, RPC remains extremely popular. The rpcinfo tool is the equivalent of finger for enumerating RPC applications listening on remote hosts and can be targeted at servers found listening on port 111 (rpcbind) or 32771 (Sun’s alternate portmapper) in previous scans:

Page 31: Enumeration Testing

[root$]rpcinfo -p 192.168.202.34

program  vers  proto  port
100000   2     tcp    111   rusersd
100002   3     udp    712   rusersd
100011   2     udp    754   rquotad
100005   1     udp    635   mountd
100003   2     udp    2049  nfs
100004   2     tcp    778   ypserv

This tells attackers that this host is running rusersd, NFS, and NIS (ypserv is the NIS server). Therefore, rusers, showmount -e, and pscan -n will produce further information (see reference for more tools and discussion). The pscan tool can also be used to enumerate this info by use of the -r switch.
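The listing above is only useful if someone reads it systematically. The following is an added example written for this page (not a tool from the slides or from the Hacking Exposed material they draw on): it parses the text that rpcinfo -p prints, reports which of the advertised services an unauthenticated client can discover, and lists every port the portmapper hands out. The sample listing is a constructed copy of the slide's output, and the SENSITIVE table is my own selection of the services the slide singles out; the point for an administrator is that filtering TCP/UDP 111 alone does nothing for the dynamically assigned ports the portmapper has already advertised.

```python
"""Added example: parse `rpcinfo -p` output and flag exposed RPC services.

Demonstration code for this page, not a tool from the slides. It reads the
listing that rpcinfo prints and reports which services an unauthenticated
client can discover, so an administrator can decide what to firewall or
disable. SAMPLE_RPCINFO is a constructed copy of the slide's listing.
"""
import re
from typing import Dict, List, NamedTuple, Tuple


class RpcService(NamedTuple):
    program: int
    version: int
    proto: str
    port: int
    name: str


# Constructed sample mirroring the slide's listing (its "tdp" read as "tcp").
# Program 100000 is the portmapper's own registration, whatever the name column says.
SAMPLE_RPCINFO = """\
   program vers proto   port
    100000    2   tcp    111  rusersd
    100002    3   udp    712  rusersd
    100011    2   udp    754  rquotad
    100005    1   udp    635  mountd
    100003    2   udp   2049  nfs
    100004    2   tcp    778  ypserv
"""

# Services whose mere presence tells an outsider something useful (assumed
# selection); the remark names the follow-up query the slide mentions.
SENSITIVE = {
    "rusersd": "lists logged-in users (rusers)",
    "rquotad": "reports per-user quota data",
    "mountd":  "lists exported file systems (showmount -e)",
    "nfs":     "serves file systems; review /etc/exports",
    "ypserv":  "NIS server; NIS maps hold account data",
}

# One data line: program, version, proto, port, name (header and blanks skipped).
_LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)\s+(\S+)\s*$")


def parse_rpcinfo(text: str) -> List[RpcService]:
    """Turn rpcinfo -p output into RpcService records, ignoring non-data lines."""
    services: List[RpcService] = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m is None:
            continue
        prog, vers, proto, port, name = m.groups()
        services.append(RpcService(int(prog), int(vers), proto, int(port), name))
    return services


def review(services: List[RpcService]) -> Dict[str, List[str]]:
    """Map each sensitive service name to the proto/port pairs it is reachable on."""
    findings: Dict[str, List[str]] = {}
    for svc in services:
        if svc.name in SENSITIVE:
            findings.setdefault(svc.name, []).append(f"{svc.proto}/{svc.port}")
    return findings


def ports_to_restrict(services: List[RpcService]) -> List[Tuple[str, int]]:
    """Every advertised (proto, port); filtering only 111/32771 leaves these open."""
    return sorted({(svc.proto, svc.port) for svc in services})


if __name__ == "__main__":
    svcs = parse_rpcinfo(SAMPLE_RPCINFO)
    for name, where in review(svcs).items():
        print(f"{name:8s} {', '.join(where):16s} {SENSITIVE[name]}")
    print("ports advertised:", ports_to_restrict(svcs))
```

Run it against saved rpcinfo output from your own hosts to build the list of services that should not be reachable from untrusted networks; on the slide's host that is rusersd, rquotad, mountd, nfs and ypserv, spread across six ports rather than just 111.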

Page 32: Enumeration Testing

SQL Server: Port 1433/1434 open
SQL Enumeration: piggy, SQLPing (sqlping ip_address/hostname), SQLPing2, SQLPing3, SQLpoke, SQL Recon, SQLver
SQL Brute Force: SQLPAT
sqlbf -u hashes.txt -d dictionary.dic -r out.rep (Dictionary Attack)
sqlbf -u hashes.txt -c default.cm -r out.rep (Brute-Force Attack)
SQL Dict, SQLAT, Hydra, SQLlhf, ForceSQL

SQL Resolution Service Enumeration, UDP 1434

Page 33: Enumeration Testing

NFS: Port 2049 open
NFS Enumeration: showmount -e hostname/ip_address
mount -t nfs ip_address:/directory_found_exported /local_mount_point
NFS Brute Force: Interact with NFS share and try to add/delete; Exploit and Confuse Unix
Examine Configuration Files: /etc/exports, /etc/lib/nfs/xtab

NFS Enumeration, TCP/UDP 2049
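What showmount -e reveals, and whether a mount then lets a client add or delete files, is decided entirely by /etc/exports. The following is an added example for this page (not code from the slides): a small parser for the exports file format (path, then one or more client(options) specs, with # comments) and a reviewer that flags the settings that make an exposed NFS server worth an attacker's time. The sample exports file is constructed; the first two entries show the weak form and the third the tightened one.

```python
"""Added example: audit /etc/exports for settings that make NFS enumeration pay off.

Demonstration code for this page, not a tool from the slides. It parses the
exports file format (path followed by client(options) specs, comments with #)
and flags exports that any host can mount, that keep remote root as uid 0, or
that grant write access on client-supplied uids alone. SAMPLE_EXPORTS is constructed.
"""
import re
from typing import List, NamedTuple, Tuple


class Export(NamedTuple):
    path: str
    client: str        # host, network, wildcard, or "*" when no client is given
    options: List[str]


# Constructed /etc/exports: two permissive entries and one tightened entry.
SAMPLE_EXPORTS = """\
# /etc/exports (constructed example)
/export/www   *(rw,no_root_squash)          # anyone can mount, root stays root
/home         192.168.202.0/24(rw)          # write access on uid trust alone
/srv/data     192.168.202.0/24(ro,root_squash,sec=krb5p)   # hardened form
"""

# "client(options)"; a bare "(options)" with no client means every host.
_SPEC = re.compile(r"([^(]*)(?:\((.*)\))?")


def parse_exports(text: str) -> List[Export]:
    """Parse exports(5)-style lines into Export records, one per path/client pair."""
    exports: List[Export] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop comments and blank lines
        if not line:
            continue
        path, *specs = line.split()
        if not specs:                          # path alone: exported to everyone
            exports.append(Export(path, "*", []))
            continue
        for spec in specs:
            m = _SPEC.fullmatch(spec)
            if m is None:                      # malformed spec: keep it visible as a client
                exports.append(Export(path, spec, []))
                continue
            client = m.group(1) or "*"
            opts = [o.strip() for o in m.group(2).split(",")] if m.group(2) else []
            exports.append(Export(path, client, opts))
    return exports


def review_exports(exports: List[Export]) -> List[Tuple[str, str, str]]:
    """Return (path, client, problem) for each weak setting found."""
    findings: List[Tuple[str, str, str]] = []
    for e in exports:
        opts = set(e.options)
        if e.client == "*":
            findings.append((e.path, e.client,
                             "mountable from any host: restrict to named hosts or networks"))
        if "no_root_squash" in opts:
            findings.append((e.path, e.client,
                             "no_root_squash: a remote root user keeps uid 0 on the export"))
        if "rw" in opts and not any(o.startswith("sec=krb5") for o in opts):
            findings.append((e.path, e.client,
                             "rw with sec=sys: server trusts whatever uid the client presents"))
        if "insecure" in opts:
            findings.append((e.path, e.client,
                             "insecure: requests accepted from non-privileged source ports"))
    return findings


if __name__ == "__main__":
    for path, client, problem in review_exports(parse_exports(SAMPLE_EXPORTS)):
        print(f"{path:14s} {client:20s} {problem}")
```

On the constructed file the reviewer reports four problems, all against the first two exports; /srv/data, which is read-only, squashes root and requires Kerberos privacy, produces none. The same checks can be pointed at a copy of a real server's /etc/exports before the host is reachable from anywhere showmount can be run.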

Page 34: Enumeration Testing

4.0 REFERENCES

Harry Newton, “Newton’s Telecom Dictionary,” CMP Books, New York, NY, 2002.

http://www.phenoelit-us.org/dpl/dpl.html

Postel, John. "RFC 793". Retrieved 29 June 2012.

"Port Numbers". Internet Assigned Numbers Authority (IANA).

http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

Page 35: Enumeration Testing

Cavendish, D. (C&C Res. Labs., USA), IEEE Communications Magazine, Volume 38, Issue 6, Pages 164–172. IEEE Xplore Digital Library: http://ieeexplore.ieee.org/xpl/login.jsp?tp=&arnumber=846090&url=http%3A%2F%2Fieeexplore.ieee.org%2Fiel5%2F35%2F18353%2F00846090.pdf%3Farnumber%3D846090

Gigabit Ethernet for Metro Area Networks, Paul Bedell. 2003. Page 329.

Dale Barr, JR., Peter M. Fonash: Internet Protocol over Optical Transport Networks; National Communication Technologies, Inc. Dec 2003. Page 9, 43 to 47.

Page 36: Enumeration Testing

G.7712, “Vertel Supports Latest Optical Network Management Standard”, Embedded Stars, last accessed 23 September 2006. http://www.embeddedstar.com/press/content/2003/3/embedded7896.html

ECI Lightsoft Network Management Solutions General Description Handbook, 2nd Edition, ECI, June 2006. Page 64.

Making Ethernet over SONET, D. Frey, F. Moore, “A Transport Network Operations Model”, Proceedings NFOEC, 2003. Page 29.

Page 37: Enumeration Testing

Useful INTERNET ADDRESSES OF STANDARDS BODIES AND FORUMS

Internet: http://www.phenoelit-us.org/dpl/dpl.html

Telecommunications Industry Association (TIA): www.tiaonline.org

Institute of Electrical and Electronics Engineers (IEEE): www.ieee.org

Page 38: Enumeration Testing

THANK YOU