EnumerationEnumeration

Local IP addressesLocal IP addresses(review)

Some special IP addresses localhost 127.0.0.1 (loopback address) Internal networks

Class A 10.0.0.0 Class B 172.16.0.0 to 172.31.0.0 Class C 192.168.0.0 to 192.168.255.0

Machines behind a firewall can use these internal IP numbers to communicate among them.

Only the firewall machine/device (host) needs to have an IP address valid in the Internet.

What is enumeration?What is enumeration?

Categories network resources and shares users and groups applications and banners

Techniques (OS specific) Windows UNIX/Linux

Obtain information about accounts, network resources and shares.

Windows Windows applications and banner enumerationapplications and banner enumeration

Telnet and netcat: same in NT and UNIX. Telnet: Connect to a known port and see the software it is

running, as in this example. Netcat: similar to telnet but provides more information. Countermeasures: log remotely in your applications and edit

banners.

FTP (TCP 21), SMTP (TCP 25) : close ftp, use ssh (we will see it later). Disable telnet in mail servers, use ssh.

Registry enumeration: default in Win2k and above Server is Administrators only. Tools: regdmp (NTResource Kit) and DumpSec (seen previously). Countermeasures: be sure the registry is set for Administrators

only and no command prompt is accessible remotely (telnet, etc).

Novell, UNIX, SQL enumeration will be seen in another class.

Windows Windows general securitygeneral security

Protocols providing information: CIFS/SMB and NetBIOS, through TCP port 139, and another SMB port, 445.

Banner enumeration is not the main issue. (UDP 137), Null session command: net use \\19x.16x.11x.xx\IPC$

“” /u:”” countermeasures:

filter out NetBIOS related TCP, UDP ports 135-139 (firewall).

disable NetBIOS over TCP/IP see ShieldsUp! page on binding. restrict anonymous using the

Local Security Policy applet. More here. GetAcct bypasses these actions.

Good source of system and hacking tools: Resource kits XP and 7. Some tools were re-written by hackers.

Windows Windows network resourcesnetwork resources

NetBIOS enumeration (if port closed, none work) NetBIOS Domain hosts: net view NetBios Name Table: nbtstat use and example and nbtscan. NetBIOS shares: DumpSec, Legion, NetBIOS Auditing Tool (

NAT), SMBScanner, NBTdump (use, output). Countermeasures: as discussed previously = close ports

135-139, disable NetBIOS over TCP/IP SNMP enumeration: SolarWinds IP Network Browser

(commercial, see book). Countermeasures: Windows close port 445.

Windows DNS Zone Transfers: Active Directory is based on DNS and create new vulnerability, but provides tool -- “Computer Management” Microsoft Management Console (MMC) -- to restrict zone transfers to certain IP numbers.

Windows: Windows: user and group enumerationuser and group enumeration

Enumerating Users via NetBIOS: usernames and (common) passwords. Enum: use and output. DumpSec: output. Countermeasures: as before (close ports, no NetBIOS over

TCP/IP)

Enumerating Users using SNMP: SolarWinds IP Network Browser. See also snmputil and read more in the book.

Windows Active Directory enumeration using ldp: Win 2k on added LDAP through the active directory -- you login once (the good) and have access to all resources (the security problem). Threat and countermeasures in the book (better

dealt with in Operating Systems): close ports 389 and 3268, upgrade all systems to Win2k or above before migrating

to Active Directory.