
Chapter 3 Enumeration
Last modified 8-30-12

Definition
- Scanning identifies live hosts and running services
- Enumeration probes the identified services more fully for known weaknesses
- Enumeration is more intrusive, using active connections and directed queries
- Enumeration will usually be logged and noticed

Goals of Enumeration
- User account names
  – to inform subsequent password-guessing attacks
- Oft-misconfigured shared resources
  – for example, unsecured file shares
- Older software versions with known security vulnerabilities
  – such as web servers with remote buffer overflows

Pen-Test Video
- Link Ch 3a: Droop's Box: Simple Pen-test Using Nmap, Nikto, Bugtraq, Nslookup and Other Tools by IronGeek

Normal nmap Scan

nmap Version Scanning

Vulnerability Scanners
- Very noisy and easy to detect
- Thorough and slow
- Nessus
- OpenVAS
- Cenzic Hailstorm
- Acunetix
- Many others

Nessus

nmap NSE Scripting
- Nmap Scripting Engine
  – nmap --script-help all
  – When running a script, -v helps

Banner Grabbing with netcat

Telnet in Vista and Windows 7
- First you need to install Telnet
  – In Control Panel, Programs and Features, Turn Windows Features on or off, check Telnet Client

Banner Grabbing
- Connecting to remote applications and observing the output
- Simple way, at a command prompt
  – telnet www.ccsf.edu 80
- On the next blank screen type in
  – GET / HTTP/1.1
  – Press Enter twice

Making Characters Visible
- In Windows XP and Vista, you can't see what you type in the Telnet session
- Do this:
  – At a command prompt, type telnet hills.ccsf.edu 80
  – Press Enter. Press Ctrl+]. Then type set localecho
  – Press Enter twice
- Link Ch 3z11

Example Banners
- www.ccsf.edu tells you too much
- cnn.com is better

Netcat Banner Grabs
- Get Netcat for Windows at links Ch 3d, 3d1, 3d2

Banner-Grabbing Countermeasures
- Turn off unnecessary services
- Disable the presentation of the vendor and version in banners
- Audit yourself regularly with port scans and raw netcat connects to active ports
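
Added example (not from the slides) of the self-audit the last bullet calls for: a Python script that makes raw connections to your own services, the way netcat or telnet would, and flags any banner that still discloses vendor and version. The sample banners and the 127.0.0.1 target are constructed for this example.

```python
import re
import socket

# Constructed sample banners for offline testing (modelled on the slides'
# "overly informative" banners; products and versions are made up).
SAMPLE_BANNERS = {
    ("http", 80): "HTTP/1.1 200 OK\r\nServer: Apache/2.2.3 (CentOS) PHP/5.1.6 mod_ssl/2.2.3\r\n\r\n",
    ("http", 8080): "HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n",
    ("ftp", 21): "220 ProFTPD 1.3.1 Server (Example FTP) [203.0.113.10]\r\n",
    ("smtp", 25): "220 mail.example.test ESMTP Sendmail 8.13.8/8.13.8; Thu, 30 Aug 2012\r\n",
}

# "Product/1.2.3" or "Product 1.2.3": the vendor-and-version pattern the
# countermeasures slide says to strip out of banners.
VERSION_RE = re.compile(r"\b([A-Za-z][\w.-]*?)[/ ](\d+\.\d+(?:\.\d+)*)\b")

# HTTP only talks after a request (the slides' "GET / HTTP/1.1" plus a Host
# header); FTP and SMTP send their greeting banner as soon as you connect.
PROBES = {"http": b"GET / HTTP/1.1\r\nHost: %s\r\n\r\n"}


def grab_banner(host, port, service, timeout=5.0):
    """Raw TCP connect, as netcat or telnet would do, returning the first reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        probe = PROBES.get(service)
        if probe:
            sock.sendall(probe % host.encode("ascii"))
        return sock.recv(4096).decode("latin-1", "replace")


def identity_line(service, banner):
    """Return the part of the banner that names the server software."""
    if service == "http":
        for line in banner.splitlines():
            if line.lower().startswith("server:"):
                return line.partition(":")[2].strip()
        return ""
    lines = banner.splitlines()
    return lines[0] if lines else ""


def assess_banner(service, banner):
    """List the (product, version) pairs a banner discloses; [] means clean."""
    return VERSION_RE.findall(identity_line(service, banner))


def audit_host(host, targets):
    """Audit each (service, port) on host; returns {port: findings or error text}."""
    report = {}
    for service, port in targets:
        try:
            report[port] = assess_banner(service, grab_banner(host, port, service))
        except OSError as exc:
            report[port] = "unreachable: %s" % exc
    return report


if __name__ == "__main__":
    # Self-audit of the local machine (assumed host); adjust the target list.
    targets = [("http", 80), ("ftp", 21), ("smtp", 25)]
    for port, result in audit_host("127.0.0.1", targets).items():
        print(port, "CLEAN" if result == [] else result)
```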

Enumerating Common Network Services
- FTP, TCP 21
- Telnet, TCP 23
- SMTP, TCP 25
- DNS, TCP/UDP 53
- TFTP, TCP/UDP 69
- Finger, TCP/UDP 79
- HTTP, TCP 80

FTP Enumeration, TCP 21
- CCSF doesn't give away much information
- FTP is becoming obsolete, see ftp.sun.com
- FTP passwords are sent in the clear
  – Don't allow anonymous uploads
  – Turn it off, use secure FTP instead

Googling for FTP Servers
- Search for
  – intitle:"Index of ftp://"

- Here's an overly informative HTTP banner

FTP Banner
- Here's the corresponding overly informative FTP banner

Eliminate FTP
- Plaintext password transmission!
- Alternatives:
  – SFTP (over SSH)
  – FTPS (over SSL)
- Public content should be served over HTTP, not FTP

Enumerating Telnet, TCP 23
- Telnet sometimes has banners, and allows brute-force username enumeration
- It sends passwords in cleartext
- Telnet should be eliminated if possible
  – Use SSH instead
- If you must use Telnet, restrict it to proper source IP addresses
  – Or run it through a VPN

Enumerating SMTP, TCP 25
- SMTP can be enumerated with Telnet, using these commands
  – VRFY confirms names of valid users
  – EXPN reveals the actual delivery addresses of aliases and mailing lists

Antivirus Note
- McAfee antivirus blocks telnets to port 25
- "Prevent mass mailing worms from sending mail"

SMTP Enumeration Countermeasures
- Disable the EXPN and VRFY commands, or restrict them to authenticated users
- Sendmail and Exchange both allow that in modern versions
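
Added example (not part of the original slides) for verifying the countermeasure above on your own mail server: it issues the same VRFY and EXPN commands and classifies the reply codes, so an administrator can confirm the commands are disabled or restricted to authenticated users. The 127.0.0.1 target and the "postmaster" probe name are assumptions.

```python
import smtplib

# VRFY/EXPN reply codes (RFC 5321 section 4.2) and what each means for the
# countermeasure on the slide: disable the commands or require authentication.
LEAK_CODES = {250, 251, 550, 551, 553}   # a "yes" or a "no such user" both confirm names
SAFE_CODES = {252, 500, 502, 504, 530}   # won't verify / not implemented / auth required


def classify_reply(code):
    """Audit verdict for one VRFY or EXPN reply code."""
    if code in LEAK_CODES:
        return "LEAKS"
    if code in SAFE_CODES:
        return "OK"
    return "UNKNOWN"


def parse_reply(line):
    """Split a raw reply line as seen in a telnet session into (code, text)."""
    code, _, text = line.strip().partition(" ")
    return int(code), text


def check_smtp_enumeration(host, port=25, probe="postmaster", timeout=10.0):
    """Send VRFY and EXPN to your own mail server and classify both replies."""
    with smtplib.SMTP(host, port, timeout=timeout) as srv:
        srv.ehlo_or_helo_if_needed()
        verdicts = {}
        for cmd, func in (("VRFY", srv.verify), ("EXPN", srv.expn)):
            code, msg = func(probe)   # smtplib returns (reply code, reply text as bytes)
            verdicts[cmd] = (code, classify_reply(code), msg.decode("ascii", "replace"))
    return verdicts


if __name__ == "__main__":
    # Assumed target: the local mail server.
    for cmd, (code, verdict, text) in check_smtp_enumeration("127.0.0.1").items():
        print(cmd, code, verdict, text)
```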

DNS Zone Transfers, TCP 53
- Zone transfers dump the entire contents of a given domain's zone files
- Restricted to authorized machines on most DNS servers now

Zone Transfer Example
- Link Ch 1z14

Bind Version Now Disabled

DNS Cache Snooping
- +norecurse – examines only the local DNS data (note ANSWER: 0)

Recursive DNS

Now It's in the Cache
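
Added example, not from the slides, showing what dig +norecurse does on the wire and how to check your own resolver for the countermeasure of restricting who may query it: it builds a DNS query with the RD (recursion desired) bit cleared and reads the answer count from the reply, so ANSWER: 0 means the name was not in the cache. The resolver address 192.0.2.53 is a placeholder.

```python
import socket
import struct


def build_query(name, txn_id=0x1234, recursion_desired=False):
    """Build a DNS A/IN query; RD cleared is exactly what dig +norecurse sends."""
    flags = 0x0100 if recursion_desired else 0x0000   # RD is bit 8 of the flags word
    header = struct.pack("!HHHHHH", txn_id, flags, 1, 0, 0, 0)   # QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN


def parse_header(msg):
    """Decode the 12-byte DNS header into the fields the slide reads off dig's output."""
    txn_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txn_id, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def snoop_verdict(query, response):
    """Interpret a non-recursive reply: ANSWER: 0 means the name was not in the cache."""
    q, r = parse_header(query), parse_header(response)
    if r["id"] != q["id"] or not r["qr"]:
        raise ValueError("response does not match the query")
    if r["rcode"] == 5:
        return "refused"          # server restricts who may query it (the countermeasure)
    if r["aa"]:
        return "authoritative"    # served from zone data, so says nothing about the cache
    return "cached" if r["ancount"] else "not cached"


def snoop_check(server, name, timeout=3.0):
    """Send one RD=0 query for `name` to `server` over UDP/53 and return the verdict."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        response, _ = sock.recvfrom(4096)
    return snoop_verdict(query, response)


if __name__ == "__main__":
    # Assumed: your own resolver's address; run it from outside the network it serves.
    print(snoop_check("192.0.2.53", "www.ccsf.edu"))
```

A resolver that answers "cached" or "not cached" to queries from outside its network is the one the later countermeasure slide says to restrict; "refused" shows the restriction is in place.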

DNS Enumeration Tools
- dnsenum
  – Google scraping
  – Brute forcing
  – More
  – Links Ch 3a, 3b
- Fierce
  – Link Ch 3c

DNS Enumeration Countermeasures
- Use separate internal and external DNS servers
- Block or restrict DNS zone transfers
- Restrict DNS queries to limit cache snooping (Link Ch 3d)

Enumerating TFTP, TCP/UDP 69
- TFTP is inherently insecure
  – Runs in cleartext
  – No authentication at all
  – Anyone can grab any file (even /etc/passwd in the worst cases)
  – Used in routers and VoIP telephones to update firmware

TFTP Enumeration Countermeasures
- Wrap it to restrict access
  – Using a tool such as TCP Wrappers
  – TCP Wrappers is like a software firewall, only allowing certain clients to access a service
  – Links Ch 3e, 3f
- Limit access to the /tftpboot directory
- Make sure it's blocked at the border firewall

Finger, TCP/UDP 79
- Shows users on local or remote systems, if enabled
  – Useful for social engineering
- Countermeasure: block remote access to finger

Enumerating HTTP, TCP 80
- Grab banners with netcat or telnet
- Crawl Web sites with Sam Spade

Grendel-Scan
- Crawls sites and reports on vulnerabilities
- In BackTrack
- Very slow
- Link Ch 3e

HTTP Enumeration Countermeasures
- Change the banner on your web servers
  – URLScan for IIS v 4 and later
- Link Ch 3h

Microsoft RPC Endpoint Mapper (MSRPC), TCP 135
- Remote Procedure Call (RPC) endpoint mapper (or portmapper) service on TCP 135
- Querying this service can yield information about applications and services available on the target machine

epdump
- From Microsoft's Windows Resource Kit
- Shows services bound to IP addresses
- It takes some research to interpret the results
  – Link Ch 3f

epdump

rpcdump
- In BackTrack, similar results

winfingerprint
- Does RPC enumeration and much more
- Link Ch 3g

MSRPC Enumeration Countermeasures
- Block port 135 at the firewall, if you can
  – But some Microsoft Exchange configurations require access to the endpoint mapper
  – You can avoid that by using Virtual Private Networks, or
  – Outlook Web Access (OWA), which works over HTTPS
  – Exchange 2003 and later implements RPC over HTTP

NetBIOS Name Service, UDP 137
- NetBIOS Name Service (NBNS) is Microsoft's name service, an alternative to DNS
- What is Name Resolution?
  – Suppose you issue a command that refers to a computer by name, such as PING

Name Resolution
- Windows needs to change a computer name to an IP address to send data packets
- Windows uses two naming systems:
  – DNS (the preferred method)
  – NetBIOS Name Resolution (still used by all versions of Windows)

Standard Name Resolution Methods
- Charts from link Ch 3h

Additional Name Resolution Methods

NET VIEW
- NET VIEW can list the domains, or the computers in each domain

NBNS over TCP/IP
- Normally NBNS only works on the local network segment
- It is possible to route NBNS over TCP/IP, allowing enumeration from a remote system

Other Tools to Enumerate NBNS
- NLTEST and NETDOM can find domain controllers
- NETVIEWX finds specific services
- NBTSTAT collects information from a single system
- NBTSCAN scans a whole range of addresses, and dumps the whole NetBIOS name table
  – Link Ch 3i
- nmbscan in BackTrack

NBTSCAN

Stopping NetBIOS Name Services Enumeration
- All the preceding techniques operate over the NetBIOS Naming Service, UDP 137
- Block UDP 137 at the firewall, or restrict it to only certain hosts
- To prevent user data from appearing in NetBIOS name table dumps, disable the Alerter and Messenger services on individual hosts
- Blocking UDP 137 will disable NBNS name authentication, of course

NetBIOS Session, TCP 139
- These are the notorious Null Sessions
- The Windows Server Message Block (SMB) protocol hands out a wealth of information freely
- Null Sessions are turned off by default in Win XP and later versions, but open in Win 2000 and NT
  – They aren't available in Win 95, 98, or Me

Null Session Against Win 2000

Information Available
- Null sessions on Win 2000 and NT provide information about:
  – Shares
  – User accounts
  – Password policies

DumpSec
- Free from link Ch 3j
- Runs on Vista (and earlier Windows)

Registry Enumeration
- The Registry can be viewed remotely with reg or DumpSec
- Requires Administrator privileges by default on Windows servers
  – You can't do it with null sessions
- Gary McKinnon used remote registry access to hack into the Pentagon
  – Link Ch 3k

user2sid/sid2user
- These utilities can get user account names and SIDs remotely, even if the registry key RestrictAnonymous is set to 1
- They can find the Administrator's account name, even if it's renamed, by changing the last 3 numbers of another account's SID to 500
  – Works against Win 2003, but not Win XP SP2
  – See link Ch 3l

All-in-One Null Session Enumeration Tools
- winfingerprint
- Winfo
- NBTEnum 3.3
  – Link Ch 3m

SMB Null Session Countermeasures
- Block TCP 139 and 445 at the router
- Set the RestrictAnonymous registry key to 1 or 2
  – HKLM\SYSTEM\CurrentControlSet\Control\LSA
- Ensure the Registry Is Locked Down
  – http://support.microsoft.com/kb/153183 (link Ch 3n)

SNMP, UDP 161
- Simple Network Management Protocol (SNMP) is intended for network management and monitoring
  – Administrators use SNMP to remotely manage routers and other network devices

Community Strings
- SNMP is not a very secure protocol. It has a minimal security system called SNMP Community Strings
- Community strings act like passwords
- There are three kinds of SNMP community strings: Read-Only, Read-Write, and Trap (Trap is rarely used)
  – But the community strings are often left at obvious defaults like "public" and "private"

Management Information Bases (MIBs)
- The MIB contains an SNMP device's data in a tree-structured form, like the Windows Registry
- Vendors add data to the MIB
- Microsoft stores Windows user account names in the MIB
  – Image from link Ch 3o

Data Available Via SNMP Enumeration
- Running services
- Share names
- Share paths
- Comments on shares
- Usernames
- Domain name

SNMP Enumeration Tools
- snmputil from the Windows NT Resource Kit
- snmpget or snmpwalk for Unix
- IP Network Browser
  – Part of the Engineer's Toolset, link Ch 2d

Worse than Enumeration
- Attackers who guess the SNMP community string may be able to remotely control your network devices
  – That can be used for DoS attacks, or other attacks

SNMP Enumeration Countermeasures
- Remove or disable unneeded SNMP agents
- Change the community strings to non-default values
- Block access to TCP and UDP ports 161 (SNMP GET/SET)
- Restrict access to SNMP agents to the appropriate management console IP address

SNMP Enumeration Countermeasures (continued)
- Use SNMP v3: much more secure than v1 or v2
  – Provides enhanced encryption and authentication mechanisms
- Adjust Win NT registry keys to make SNMP less dangerous

BGP, TCP 179
- Border Gateway Protocol (BGP) is the de facto routing protocol on the Internet
- Used by routers to help them guide packets to their destinations
- It can be used to find all the networks associated with a particular corporation
  – That may give you more targets to attack
- A small risk, but there is no countermeasure

Windows Active Directory LDAP, TCP/UDP 389 and 3268
- Active Directory contains all user accounts and other information on Windows domain controllers
- If the domain is made compatible with earlier versions of Windows, such as Win NT4 Server, any domain member can enumerate Active Directory

Active Directory Enumeration Countermeasures
- Filter access to ports 389 and 3268 at the network border
- Use "Native" domains: don't allow Win NT4 Domain Controllers

Other Services Vulnerable to Enumeration
- UNIX RPC, TCP/UDP 111 and 32771
- rwho (UDP 513) and rusers (RPC Program 100002)
- NIS, RPC Program 100004
- Oracle TNS, TCP 1521/2483
- SQL Resolution Service, UDP 1434
- NFS, TCP/UDP 2049
- IPSec/IKE, UDP 500