enumeration. local ip addresses local ip addresses (review) some special ip addresses localhost...
TRANSCRIPT
EnumerationEnumeration
Local IP addressesLocal IP addresses(review)
Some special IP addresses localhost 127.0.0.1 (loopback address) Internal networks
Class A 10.0.0.0 Class B 172.16.0.0 to 172.31.0.0 Class C 192.168.0.0 to 192.168.255.0
Machines behind a firewall can use these internal IP numbers to communicate among them.
Only the firewall machine/device (host) needs to have an IP address valid in the Internet.
What is enumeration?What is enumeration?
Categories network resources and shares users and groups applications and banners
Techniques (OS specific) Windows UNIX/Linux
Obtain information about accounts, network resources and shares.
Windows Windows applications and banner enumerationapplications and banner enumeration
Telnet and netcat: same in NT and UNIX. Telnet: Connect to a known port and see the software it is
running, as in this example. Netcat: similar to telnet but provides more information. Countermeasures: log remotely in your applications and edit
banners.
FTP (TCP 21), SMTP (TCP 25) : close ftp, use ssh (we will see it later). Disable telnet in mail servers, use ssh.
Registry enumeration: default in Win2k and above Server is Administrators only. Tools: regdmp (NTResource Kit) and DumpSec (seen previously). Countermeasures: be sure the registry is set for Administrators
only and no command prompt is accessible remotely (telnet, etc).
Novell, UNIX, SQL enumeration will be seen in another class.
Windows Windows general securitygeneral security
Protocols providing information: CIFS/SMB and NetBIOS, through TCP port 139, and another SMB port, 445.
Banner enumeration is not the main issue. (UDP 137), Null session command: net use \\19x.16x.11x.xx\IPC$
“” /u:”” countermeasures:
filter out NetBIOS related TCP, UDP ports 135-139 (firewall).
disable NetBIOS over TCP/IP see ShieldsUp! page on binding. restrict anonymous using the
Local Security Policy applet. More here. GetAcct bypasses these actions.
Good source of system and hacking tools: Resource kits XP and 7. Some tools were re-written by hackers.
Windows Windows network resourcesnetwork resources
NetBIOS enumeration (if port closed, none work) NetBIOS Domain hosts: net view NetBios Name Table: nbtstat use and example and nbtscan. NetBIOS shares: DumpSec, Legion, NetBIOS Auditing Tool (
NAT), SMBScanner, NBTdump (use, output). Countermeasures: as discussed previously = close ports
135-139, disable NetBIOS over TCP/IP SNMP enumeration: SolarWinds IP Network Browser
(commercial, see book). Countermeasures: Windows close port 445.
Windows DNS Zone Transfers: Active Directory is based on DNS and create new vulnerability, but provides tool -- “Computer Management” Microsoft Management Console (MMC) -- to restrict zone transfers to certain IP numbers.
Windows: Windows: user and group enumerationuser and group enumeration
Enumerating Users via NetBIOS: usernames and (common) passwords. Enum: use and output. DumpSec: output. Countermeasures: as before (close ports, no NetBIOS over
TCP/IP)
Enumerating Users using SNMP: SolarWinds IP Network Browser. See also snmputil and read more in the book.
Windows Active Directory enumeration using ldp: Win 2k on added LDAP through the active directory -- you login once (the good) and have access to all resources (the security problem). Threat and countermeasures in the book (better
dealt with in Operating Systems): close ports 389 and 3268, upgrade all systems to Win2k or above before migrating
to Active Directory.