Scribd Logo
Upload

Welcome to Scribd!

  • 185 views

    Hacking Module 04

    Uploaded by

    Jitendra Kumar Dash
    Jack used a tool that allowed anonymous users to log in and enumerate system information from a university website using null sessions. He discovered vulnerabilities that provided details about the webserver system. The document discusses enumeration techniques like null sessions, SNMP, and DNS zone transfers that can be used to gather sensitive information from Windows systems. It also describes tools attackers can use for enumeration and recommends countermeasures organizations can implement to prevent enumeration and protect their systems.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PPT, PDF, TXT or read online from Scribd

    Hacking Module 04

    Uploaded by

    Jitendra Kumar Dash
    185 views31 pages
    Jack used a tool that allowed anonymous users to log in and enumerate system information from a university website using null sessions. He discovered vulnerabilities that provided details about the webserver system. The document discusses enumeration techniques like null sessions, SNMP, and DNS zone transfers that can be used to gather sensitive information from Windows systems. It also describes tools attackers can use for enumeration and recommends countermeasures organizations can implement to prevent enumeration and protect their systems.

    Original Title

    Hacking Module 04

    Copyright

    © Attribution Non-Commercial (BY-NC)

    Available Formats

    PPT, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Jack used a tool that allowed anonymous users to log in and enumerate system information from a university website using null sessions. He discovered vulnerabilities that provided details about the webserver system. The document discusses enumeration techniques like null sessions, SNMP, and DNS zone transfers that can be used to gather sensitive information from Windows systems. It also describes tools attackers can use for enumeration and recommends countermeasures organizations can implement to prevent enumeration and protect their systems.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PPT, PDF, TXT or read online from Scribd
    Download as ppt, pdf, or txt
    185 views31 pages

    Hacking Module 04

    Uploaded by

    Jitendra Kumar Dash
    Jack used a tool that allowed anonymous users to log in and enumerate system information from a university website using null sessions. He discovered vulnerabilities that provided details about the webserver system. The document discusses enumeration techniques like null sessions, SNMP, and DNS zone transfers that can be used to gather sensitive information from Windows systems. It also describes tools attackers can use for enumeration and recommends countermeasures organizations can implement to prevent enumeration and protect their systems.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PPT, PDF, TXT or read online from Scribd
    Download as ppt, pdf, or txt
    of 31

    NMCSP

    2008 Batch-I

    Module IV
    Enumeration
    Scenario

    It was a rainy day and Jack was getting bored sitting at home. He
    wanted to be engaged in something rather than gazing at the
    sky. Jack had heard about enumerating user accounts and
    other important system information using Null Sessions. He
    wanted to try what he had learned in his information security
    class. From his friends he had come to know that the
    university website had a flaw that allowed anonymous users to
    log in.
    Jack installed an application which used Null Sessions to
    enumerate systems. He tried out the application and to his
    surprise discovered information about the system where the
    webserver was hosted.
    What started in good fun became very serious. Jack started
    having some devilish thoughts after seeing the vulnerability.
    What can Jack do with the gathered information?
    Can he wreak havoc?
    What if Jack had enumerated a vulnerable system meant for
    online trading?
    Module Objectives

     Understanding Windows 2000 enumeration


     How to connect via a Null session
     How to disguise NetBIOS enumeration
     Disguise using SNMP enumeration
     How to steal Windows 2000 DNS information
    using zone transfers
     Learn to enumerate users via CIFS/SMB
     Active Directory enumerations
    Module Flow

    What is enumeration? Null Sessions Tools used

    SNMP Enumeration Countermeasures against


    Tools used
    Null Sessions

    SNMP Enumeration MIB Zone Transfers


    Countermeasures

    Tools Used Enumerating User Accounts Blocking Zone Transfers

    Active Directory Active Directory Enumeration


    Enumeration Countermeasures
    What is Enumeration

     If acquisition and non-intrusive probing have not


    turned up any results, then an attacker will next turn to
    identifying valid user accounts or poorly protected
    resource shares.
     Enumeration involves active connections to systems
    and directed queries.
     The type of information enumerated by intruders:
    • Network resources and shares
    • Users and groups
    • Applications and banners
    Net Bios Null Sessions

     The null session is often refereed to as the Holy Grail of


    Windows hacking. Null sessions take advantage of flaws
    in the CIFS/SMB (Common Internet File System/
    Server Messaging Block).
     You can establish a Null Session with a Windows
    (NT/2000/XP) host by logging on with a null user
    name and password.
     Using these null connections allows you to gather the
    following information from the host:
    • List of users and groups
    • List of machines
    • List of shares
    • Users and host SIDs (Security Identifiers)
    So What's the Big Deal?

    Anyone with a NetBIOS The attacker now has a


    connection to a computer can channel over which to attempt
    easily get a full dump of all various techniques.
    usernames, groups, shares, The CIFS/SMB and NetBIOS
    permissions, policies, services standards in Windows 2000
    and more using the Null user. include APIs that return rich
    The above syntax connects information about a machine
    to the hidden Inter Process via TCP port 139 - even to
    Communication 'share' (IPC$) unauthenticated users.
    at IP address 192.34.34.2 with C: \>net use \\192.34.34.2
    the built-in anonymous user \IPC$ “” /u: “”
    (/u:“”) with (“”) null
    password.
    Tool: DumpSec

    DumpSec reveals shares over a null session with the target


    computer.
    Tool: Winfo

     Winfo uses null sessions


    to remotely retrieve
    information about the
    target system.
     Winfo gives detailed
    information about the
    following in verbose mode:
    • System information
    • Domain information
    • Password policy
    • Logout policy
    • Sessions
    • Logged in users
    • User accounts

    Source: http://ntsecurity.nu/toolbox/winfo/
    Tool: NAT

    The NetBIOS Auditing Tool (NAT) is


    designed to explore the NetBIOS file-
    sharing services offered by the target
    system.
    It implements a stepwise approach to
    information gathering and attempts to
    obtain file system-level access as though it
    were a legitimate local client.
    If a NetBIOS session can be established
    at all via TCP port 139, the target is
    declared "vulnerable“.
    Once the session is fully set up,
    transactions are performed to collect
    more information about the server
    including any file system "shares" it
    offers.

    Source: http://www.rhino9.com
    Null Session Countermeasure
     Null sessions require access to TCP ports 139
    and/or 445.
     You could also disable SMB services entirely on
    individual hosts by unbinding the TCP/IP WINS
    Client from the interface.
     Edit the registry to restrict the anonymous user.
    • 1. Open regedt32, navigate to
    HKLM\SYSTEM\CurrentControlSet\LSA
    • 2. Choose edit | add value
    • value name: RestrictAnonymous
    • Data Type: REG_WORD
    • Value: 2
    NetBIOS Enumeration

    NBTscan is a program for


    scanning IP networks for
    NetBIOS name information.
    For each responded host it
    lists IP address, NetBIOS
    computer name, logged-in
    user name and MAC address
     The first thing a remote attacker will try on a Windows
    2000 network is to get list of hosts attached to the wire.
    1. net view / domain,
    2. nbstat -A <some IP>
    SNMP Enumeration

     SNMP is simple. Managers send requests to agents and


    the agents send back replies.
     The requests and replies refer to variables accessible by
    agent software.
     Managers can also send requests to set values for
    certain variables.
     Traps let the manager know that something significant
    has happened at the agent's end of things:
    • a reboot
    • an interface failure
    • or that something else that is potentially bad has happened
     Enumerating NT users via the SNMP protocol is easy
    using snmputil.
    Tool :Solarwinds

     It
    is a set of Network
    Management Tools.
     The tool set consists of
    the following:
    • Discovery
    • Cisco Tools
    • Ping Tools
    • Address Management
    • Monitoring
    • MIB Browser
    • Security
    • Miscellaneous

    Source: http://www.solarwinds.net/
    Tool: Enum

    Available for download from


    http://razor.bindview.com

    Enum is a console-based Win32


    information enumeration utility.
    Using null sessions, enum can
    retrieve user lists, machine lists,
    share lists, name lists, group and
    membership lists, password and LSA
    policy information.
    enum is also capable of
    rudimentary brute force dictionary
    attack on individual accounts.
    Tool : SNScan V1.05

     It is a Windows based
    SNMP scanner that can
    effectively detect SNMP
    enabled devices on the
    network.
     Itscans specific SNMP
    ports and uses public, and
    user defined, SNMP
    community names.
     Itis handy as a tool for
    information gathering.
    Source: http://www.foundstone.com
    SNMPutil example
    SNMP Enumeration Countermeasures

     The simplest way to prevent such activity is to remove


    the SNMP agent or turn off the SNMP service.

     If shutting off SNMP is not an option, then change the


    default 'public' community name.

     Implement the Group Policy security option called


    Additional restrictions for anonymous connections.

     Access to null session pipes, null session shares, and


    IPSec filtering should also be restricted.
    Management Information Base

     MIB provides a standard representation of the SNMP


    agent’s available information and where it is stored.
     MIB is the most basic element of network management.
     MIB-II is the updated version of the standard MIB.
     MIB-II adds new SYNTAX types, and adds more
    manageable objects to the MIB tree.
    Windows 2000 DNS Zone transfer

     For clients to locate Win 2k domain services,


    such as AD and kerberos, Win 2k relies on DNS
    SRV records.
     Simple zone transfer (nslookup, ls -d
    <domainname>) can enumerate lot of
    interesting network information.
     An attacker would look at the following records
    closely:
    • 1. Global Catalog Service (_gc._tcp_)
    • 2. Domain Controllers (_ldap._tcp)
    • 3. Kerberos Authentication (_kerberos._tcp)
    Blocking Win 2k DNS Zone transfer

    Zone transfers can be


    easily blocked using
    the DNS property
    sheet as show here.
    Enumerating User Accounts

     Two powerful NT/2000 enumeration tools are:


    • 1.sid2user
    • 2.user2sid
     They can be downloaded fromwww.chem.msu.su/^rudnyi/NT/
     These are command line tools that look up NT SIDs from
    username input and vice versa.
    Tool: Userinfo

     UserInfo is a little function that retrieves all available


    information about any known user from any NT/Win2k
    system that you can access TCP port 139 on.
     Specifically calling the NetUserGetInfo API call at Level
    3, Userinfo returns standard info like
    • SID and Primary group
    • logon restrictions and smart card requirements
    • special group information
    • pw expiration information and pw age
     This application works as a null user, even if the RA is
    set to 1 to specifically deny anonymous enumeration.
    Tool: GetAcct

     GetAcct sidesteps "RestrictAnonymous=1" and acquires


    account information on Windows NT/2000 machines.
     Downloadable from www.securityfriday.com
    Tool: DumpReg

    DumpReg is a tool to
    dump the Windows NT and
    Windows 95 Registry.
    Main aim is to find keys
    and values matching a
    string.

    Source: http://www.systemtools.com/
    Tool: Trout

    Trout is a combination of
    Traceroute and Whois.
    Pinging can be set to a
    controllable rate.
    The Whois lookup can be
    used to identify the hosts
    discovered.

    Source: http://www.foundstone.com/
    Tool: Winfingerprint

    Winfingerprint is a GUI-
    based tool that has the
    option of scanning a single
    host or a continuous
    network block.
    Has two main windows:
    • IP address range
    • Windows options

    Source: http://winfingerprint.sourceforge.net
    Tool: PsTools

    The PsTools suite falls in-


    between enumeration and full
    system access.
    The various tools that are
    present in this suite are as
    follows:
    • PsFile
    • PsLoggedOn
    • PsGetSid
    • PsInfo
    • PsService
    • PsList
    • PsKill and PsSuspend
    • PsLogList
    • PsExec
    • PsShutdown
    Source: http://www.sysinternals.com
    Active Directory Enumeration

     All the existing users and groups could be enumerated


    with a simple LDAP query.
     The only thing required to perform this enumeration is
    to create an authenticated session via LDAP.
     Connect to any AD server using ldp.exe port 389.
     Authentication can be done using Guest/or any domain
    account.
     Now all the users and built-in groups could be
    enumerated.
    AD Enumeration countermeasures

     How is this possible with a simple guest account?

     The Win 2k dcpromo installation screen queries the


    user if he wants to relax access permissions on the
    directory to allow legacy servers to perform lookup:

    1.Permission compatible with pre-Win2k

    2.Permission compatible with only with Win2k

     Choose option 2 during AD installation.


    Summary

     Enumeration involves active connections to systems


    and directed queries.
     The type of information enumerated by intruders
    includes network resources and shares, users and
    groups, and applications and banners.
     Null sessions are used often by crackers to connect to
    target systems.
     NetBIOS and SNMP enumerations can be disguised
    using tools such as snmputil, NAT, etc.
     Tools such as user2sid, sid2user and userinfo can be
    used to identify vulnerable user accounts.

    You might also like