Hands-On Ethical Hacking and Network Defense
Chapter 6 Enumeration
�Objectives
Describe the enumeration step of security testing Enumerate Microsoft OS targets Enumerate NetWare OS targets Enumerate *NIX OS targets
�Introduction to Enumeration
Enumeration extracts information about:
Resources or shares on the network User names or groups assigned on the network Last time user logged on Users password
Before enumeration, you use Port scanning and footprinting
To Determine OS being used
Intrusive process
3
�NBTscan
NBT (NetBIOS over TCP/IP)
is the Windows networking protocol used for shared folders and printers
NBTscan
Tool for enumerating Microsoft OSs
�Enumerating Microsoft Operating Systems
Study OS history
Knowing your target makes your job easier
Many attacks that work for older Windows OSs still work with newer versions
�Windows 95
The first Windows version that did not start with DOS Still used the DOS kernel to some extent Introduced the Registry database to replace Win.ini, Autoexec.bat, and other text files Introduced Plug and Play and ActiveX Used FAT16 file system
6
�Windows 98 and ME
More Stable than Win 95 Used FAT32 file system Win ME introduced System Restore Win 95, 98, and ME are collectively called "Win 9x"
�Windows NT 3.51 Server/Workstation
No dependence on DOS kernel Domains and Domain Controllers NTFS File System to replace FAT16 and FAT31 Much more secure and stable than Win9x Many companies still use Win NT Server Domain Controllers Win NT 4.0 was an upgrade
8
�Windows 2000 Server/Professional
Upgrade of Win NT Active Directory
Powerful database storing information about all objects in a network
Users, printers, servers, etc.
Based on Novell's Novell Directory Services
Enumerating this system would include enumerating Active Directory
9
�Windows XP Professional
Much more secure, especially after Service Pack 2
Windows File Protection Data Execution Prevention Windows Firewall
10
�Windows Server 2003
Much more secure, especially after Service Pack 1
Network services are closed by default Internet Explorer security set higher
11
�NetBIOS Basics
Network Basic Input Output System (NetBIOS)
Programming interface Allows computer communication over a LAN Used to share files and printers
12
�NetBIOS names
Computer names on Windows systems Limit of 16 characters Last character identifies type of service running Must be unique on a network
13
�NetBIOS Suffixes
For complete list, see link Ch 6h
14
�NetBIOS Null Sessions
Null session
Unauthenticated connection to a Windows computer Does not use logon and passwords values
Around for over a decade
Still present on Windows XP
A large vulnerability
See links Ch 6a-f
15
�Null Session Information
Using these NULL connections allows you to gather the following information from the host:
List of users and groups List of machines List of shares Users and host SIDs (Security Identifiers)
From brown.edu (link Ch 6b)
16
�Demonstration of Null Sessions
Start Win 2000 Pro Share a folder From a Win XP command prompt
NET VIEW \\ip-address Fails NET USE \\ip-address\IPC$ "" /u:""
Creates the null session Username="" Password=""
NET VIEW \\ip-address
Works now
17
�Demonstration of Enumeration
Download Winfo from link Ch 6g Run it see all the information!
18
�NULL Session Information
NULL sessions exist in windows networking to allow:
Trusted domains to enumerate resources Computers outside the domain to authenticate and enumerate users The SYSTEM account to authenticate and enumerate resources
NetBIOS NULL sessions are enabled by default in Windows NT and 2000
From brown.edu (link Ch 6b)
19
�NULL Sessions in Win XP and 2003 Server
Windows XP and 2003 don't allow Null Sessions, according to link Ch 6c.
I tried the NET USE command on Win XP SP2 and it did not work Link Ch 6f says you can still do it in Win XP SP2, but you need to use a different procedure
20
�NetBIOS Enumeration Tools
Nbtstat command
Powerful enumeration tool included with the Microsoft OS Displays NetBIOS table
21
�NetBIOS Enumeration Tools
Net view command
Shows whether there are any shared resources on a network host
22
�NetBIOS Enumeration Tools (continued)
Net use command
Used to connect to a computer with shared folders or files
23
�Additional Enumeration Tools
NetScanTools Pro DumpSec Hyena NessusWX
24
�NetScanTools Pro
Produces a graphical view of NetBIOS running on a network Enumerates any shares running on the computer Verifies whether access is available for shared resource using its Universal Naming Convention (UNC) name Costs about $250 per machine (link Ch 6i)
25
�26
�27
�DumpSec
Enumeration tool for Microsoft systems Produced by Foundstone, Inc. Allows user to connect to a server and dump the following information
Permissions for shares Permissions for printers Permissions for the Registry Users in column or table format Policies and rights Services
28
�Hyena
Excellent GUI product for managing and securing Microsoft OSs Shows shares and user logon names for Windows servers and domain controllers Displays graphical representation of:
Microsoft Terminal Services Microsoft Windows Network Web Client Network Find User/Group
29
�Prices
DumpSec seems to be free Hyena costs about $200 per station
Link Ch 6j
30
�31
�NessusWX
This is the client part of Nessus Allows enumeration of different OSs on a large network Running NessusWX
Be sure Nessus server is up and running Open the NessusWX client application To connect your client with the Nessus server
Click Communications, Connect from the menu on the session window Enter servers name 32 Log on the Nessus server
�33
�34
�NessusWX (continued)
Nessus identifies
NetBIOS names in use Shared resources Vulnerabilities with shared resources
Also offers solutions to those vulnerabilities
OS version OS vulnerabilities Firewall vulnerabilities
35
�36
�37
�38
�39
�Etherleak Vulnerability
Padding in Ethernet frames comes from RAM, it's not just zeroes Real data can leak out that way See link Ch 6l
40
�41
�Enumerating the NetWare Operating System
Security professionals see Novell NetWare as a dead horse
Ignoring an OS can limit your career as a security professional
Novell NetWare version 4.11
Novell does not offer any technical support for earlier versions Novell has switched to SUSE Linux now
42
�NetWare Enumeration Tools
NetWare 5.1 is still used on many networks New vulnerabilities are discovered daily
You need to be vigilant in checking vendor sites and security sites
Tool
Nessus
43
�44
�NetWare Enumeration Tools (continued)
Nessus
Enumerates a NetWare server Determines eDirectory information Discovers the user name and password for the FTP account Discovers names of several user accounts
45
�46
�47
�48
�NetWare Enumeration Tools (continued)
Novell Client32
Available at www.novell.com Client available for several OSs
Specify information for
Tree Content Server
49
�50
�51
�52
�Enumerating the *NIX Operating System
Several variations
Solaris SunOS HP-UX Linux Ultrix AIX BSD UNIX FreeBSD OpenBSD
53
�UNIX Enumeration
Finger utility
Most popular tool for security testers Finds out who is logged in to a *NIX system Determine owner of any process
Nessus
Another important *NIX enumeration tool
54
�55
�56
