Enumeration (slide transcript)
Local IP addresses (review)
Some special IP addresses:
localhost 127.0.0.1 (loopback address; the whole 127.0.0.0/8 block stays on the host)
Internal (private) networks, reserved by RFC 1918 and never routed on the public Internet:
Class A: 10.0.0.0 to 10.255.255.255 (10.0.0.0/8)
Class B: 172.16.0.0 to 172.31.255.255 (172.16.0.0/12; note that 172.32.0.0 is already public)
Class C: 192.168.0.0 to 192.168.255.0 (256 class C networks, i.e. 192.168.0.0/16)
Machines behind a firewall can use these internal addresses to communicate among themselves. Only the firewall/NAT device needs an address that is valid (routable) on the Internet; it translates between the internal addresses and its public one, so from outside the internal hosts are not directly addressable.
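As an added example (not part of the slides), a small Python routine that applies these ranges to a list of addresses as they might come out of a scan, so that the boundaries are checked exactly: 172.31.255.254 is private, 172.32.0.1 and 192.169.0.1 are not. The sample addresses are constructed for the illustration.

```python
import ipaddress

# RFC 1918 private blocks, labelled with the slide's class names.
PRIVATE_BLOCKS = {
    "class A 10.0.0.0/8": ipaddress.ip_network("10.0.0.0/8"),
    "class B 172.16.0.0/12": ipaddress.ip_network("172.16.0.0/12"),
    "class C 192.168.0.0/16": ipaddress.ip_network("192.168.0.0/16"),
}
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def classify(ip_text):
    """Return 'loopback', 'private (<block>)' or 'public' for an IPv4 address string."""
    ip = ipaddress.ip_address(ip_text)
    if ip in LOOPBACK:
        return "loopback"
    for name, block in PRIVATE_BLOCKS.items():
        if ip in block:
            return f"private ({name})"
    return "public"


def split_targets(addresses):
    """Split discovered addresses into those only reachable from inside the
    firewall (loopback/private) and those addressable from the Internet."""
    internal, external = [], []
    for a in addresses:
        (external if classify(a) == "public" else internal).append(a)
    return internal, external


# Constructed sample: addresses as a scan log might list them.
SAMPLE = ["127.0.0.1", "10.1.2.3", "172.16.0.9", "172.31.255.254",
          "172.32.0.1", "192.168.1.10", "192.169.0.1", "8.8.8.8"]

if __name__ == "__main__":
    for a in SAMPLE:
        print(f"{a:16} {classify(a)}")
    print("internal:", split_targets(SAMPLE)[0])
    print("external:", split_targets(SAMPLE)[1])
```

The enumeration techniques on the following slides only reach the internal group when run from inside the perimeter; from the Internet the NAT device is the only target with a valid address.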
What is enumeration?
Enumeration is the step after scanning: actively connecting to the services found and extracting details from them.
Categories: network resources and shares; users and groups; applications and banners.
Techniques are OS specific: Windows; UNIX/Linux.
Goal: obtain information about accounts, network resources and shares.
Windows: applications and banner enumeration
Telnet and netcat work the same on NT and UNIX. Telnet: connect to a known port and read the greeting (banner) the service prints; it usually names the software and version it is running, as in the example. Netcat: similar to telnet but more flexible (raw TCP or UDP, scripted input, listening mode) and so yields more information. Countermeasures: log remote connections to your applications and edit or remove the version banners.
FTP (TCP 21), SMTP (TCP 25): close FTP and use SSH/SFTP instead (we will see it later). Disable telnet on mail servers and administer them over SSH.
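Added example, not from the slides: a banner grabber in Python that does by program what the telnet step above does by hand, with a throwaway local listener standing in for the FTP/SMTP daemon so it runs offline. The banners, host names and the product list in the regular expression are constructed for the illustration; the parsing shows what a default banner gives away and why the edited-down banner (the countermeasure above) gives away nothing.

```python
import re
import socket
import threading


def serve_banner(banner, host="127.0.0.1"):
    """Start a throwaway TCP listener that greets each client with `banner`.
    Stands in for a real FTP/SMTP daemon so the example needs no network.
    Returns the port the OS picked."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))            # port 0: let the OS choose a free port
    srv.listen(5)

    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return              # listener closed
            with conn:
                conn.sendall(banner.encode() + b"\r\n")

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


def grab_banner(host, port, timeout=3.0):
    """Connect and return whatever the service volunteers before we send
    anything: the first line 'telnet host port' would show."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            data = s.recv(1024)
        except socket.timeout:
            data = b""
    return data.decode(errors="replace").strip()


# SMTP (RFC 5321) and FTP (RFC 959) greetings both start "220 <host> <text>".
BANNER_RE = re.compile(r"^220[ -](?P<host>\S+)\s*(?P<text>.*)$")
# Products we recognise in the free text (constructed list); a version
# number, if the banner has one, follows the product name.
PRODUCT_RE = re.compile(
    r"(Postfix|Sendmail|Exim|Exchange|vsFTPd|ProFTPD|Microsoft FTP Service)"
    r"[^\d]*(\d[\w.]*)?", re.I)


def fingerprint(banner):
    """Pull host, product and version out of a 220 greeting. Returns None
    for a non-220 banner; product/version are None when the banner was
    edited down and leaks nothing."""
    m = BANNER_RE.match(banner)
    if not m:
        return None
    p = PRODUCT_RE.search(m.group("text"))
    return {"host": m.group("host"),
            "product": p.group(1) if p else None,
            "version": p.group(2) if p else None}


if __name__ == "__main__":
    # Constructed banners: two talkative defaults and the edited-down one.
    for b in ["220 mail.example.test ESMTP Postfix 3.4.13 (Debian/GNU)",
              "220 ftp.example.test Microsoft FTP Service (Version 5.0).",
              "220 mail.example.test ESMTP"]:
        port = serve_banner(b)
        got = grab_banner("127.0.0.1", port)
        print(got, "->", fingerprint(got))
```

The same grab_banner call works against a real host and port; only the 220-style parsing is protocol specific, and SSH (which announces "SSH-2.0-...") is deliberately reported as None by fingerprint rather than guessed at.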
Registry enumeration: from Windows 2000 Server onward, remote registry access is by default restricted to Administrators. Tools: regdmp (NT Resource Kit) and DumpSec (seen previously). Countermeasures: make sure remote registry access is restricted to Administrators only (the permissions on the winreg key under HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers) and that no command prompt is reachable remotely (telnet, etc.).
Novell, UNIX and SQL enumeration will be covered in another class.
Windows: general security
Protocols that give away information: CIFS/SMB and NetBIOS, over TCP 139 (NetBIOS session service) and, from Windows 2000 on, SMB directly over TCP 445; the NetBIOS name service uses UDP 137.
Here banner enumeration is not the main issue; the null session is. A null session is an anonymous connection to the IPC$ share:
net use \\19x.16x.11x.xx\IPC$ "" /u:""
Once it is up, an unauthenticated client can ask the host for its shares, users, groups and policies.
Countermeasures:
filter out the NetBIOS-related ports, TCP and UDP 135-139 and TCP 445, at the firewall;
disable NetBIOS over TCP/IP (see the ShieldsUp! page on binding);
restrict anonymous access using the Local Security Policy applet (it sets the RestrictAnonymous value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa). More here.
GetAcct bypasses RestrictAnonymous=1: it looks accounts up by SID (RID cycling), which that setting still permits; the stricter setting (2 on Windows 2000, RestrictAnonymousSAM on XP and later) is needed against it.
Good source of system and hacking tools: the Resource Kits (XP and 7). Some of their tools were re-written by hackers.
Windows: network resources
NetBIOS enumeration (if the ports are closed, none of these work).
NetBIOS domain hosts: net view (net view /domain lists domains, net view \\host lists a host's shares).
NetBIOS name table: nbtstat (nbtstat -A <ip>; use and example) and, for whole address ranges, nbtscan.
NetBIOS shares: DumpSec, Legion, NetBIOS Auditing Tool (NAT), SMBScanner, NBTdump (use, output).
Countermeasures: as discussed previously, close TCP/UDP 135-139 and TCP 445 and disable NetBIOS over TCP/IP.
SNMP enumeration: SolarWinds IP Network Browser (commercial, see book). SNMP runs on UDP 161 (traps on UDP 162), so closing TCP 445 does nothing against it; filter UDP 161/162 at the firewall, change or remove the default "public" community string, or stop the SNMP service where it is not needed.
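Added example, not from the slides: a Python parser for the name table that nbtstat -A prints, mapping the NetBIOS suffixes (the 16th byte shown in angle brackets) to the services they announce. A registered <20> means the File Server service is up, so the host has SMB shares and is a candidate for the null-session attempt on the previous slide; <1C> marks a domain controller; a second <03> name is a logged-on user. The sample output, host names and MAC address are constructed, and the suffix table covers only the common, documented values.

```python
import re

# Well-known NetBIOS name suffixes and the service each one announces
# (common values only; the full list is longer).
SUFFIXES = {
    ("00", "UNIQUE"): "Workstation service (computer name)",
    ("00", "GROUP"):  "Domain or workgroup name",
    ("03", "UNIQUE"): "Messenger service (computer or logged-on user)",
    ("1B", "UNIQUE"): "Domain master browser (PDC)",
    ("1C", "GROUP"):  "Domain controllers",
    ("1D", "UNIQUE"): "Master browser",
    ("1E", "GROUP"):  "Browser service elections",
    ("20", "UNIQUE"): "File Server service (shares reachable over SMB)",
}

# One table row: NAME <XX> UNIQUE|GROUP Status
ROW_RE = re.compile(r"^\s*(\S+)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\w+)", re.I)
MAC_RE = re.compile(r"MAC Address\s*=\s*([0-9A-Fa-f-]{17})")


def parse_nbtstat(text):
    """Turn 'nbtstat -A <ip>' output into the facts an attacker wants:
    computer and domain name, MAC, logged-on users, and whether the host
    runs the File Server service or is a domain controller."""
    names, mac = [], None
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            suffix, kind = m.group(2).upper(), m.group(3).upper()
            names.append({"name": m.group(1), "suffix": suffix, "type": kind,
                          "status": m.group(4),
                          "service": SUFFIXES.get((suffix, kind), "unknown")})
            continue
        mm = MAC_RE.search(line)
        if mm:
            mac = mm.group(1).upper()

    def first(suffix, kind):
        return next((n["name"] for n in names
                     if (n["suffix"], n["type"]) == (suffix, kind)), None)

    computer = first("00", "UNIQUE")
    # Every <03> UNIQUE name that is not the computer itself is a user.
    logged_on = [n["name"] for n in names
                 if (n["suffix"], n["type"]) == ("03", "UNIQUE") and n["name"] != computer]
    return {
        "computer": computer,
        "domain": first("00", "GROUP"),
        "mac": mac,
        "logged_on_users": logged_on,
        "file_server": any((n["suffix"], n["type"]) == ("20", "UNIQUE") for n in names),
        "domain_controller": any(n["suffix"] == "1C" for n in names),
        "names": names,
    }


# Constructed output in the layout nbtstat -A uses on Windows.
SAMPLE = """
Local Area Connection:
Node IpAddress: [192.168.1.50] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    FILESRV01      <00>  UNIQUE      Registered
    CORP           <00>  GROUP       Registered
    FILESRV01      <20>  UNIQUE      Registered
    CORP           <1E>  GROUP       Registered
    FILESRV01      <03>  UNIQUE      Registered
    JSMITH         <03>  UNIQUE      Registered

    MAC Address = 00-0C-29-3A-4B-5C
"""

if __name__ == "__main__":
    result = parse_nbtstat(SAMPLE)
    for key in ("computer", "domain", "mac", "logged_on_users", "file_server", "domain_controller"):
        print(f"{key:18} {result[key]}")
    for n in result["names"]:
        print(f"  {n['name']:16} <{n['suffix']}> {n['type']:7} {n['service']}")
```

Feeding the function the saved output of nbtscan or nbtstat over a whole range gives the list of hosts worth a net use \\host\IPC$ "" /u:"" attempt; if the ports are filtered as the countermeasures above recommend, the name table simply does not come back.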
Windows DNS zone transfers: Active Directory is built on DNS (domain controllers and their services are published as SRV records), so an unrestricted zone transfer hands out the whole domain layout, a new exposure. Windows provides the tool to close it: in the DNS console of the Microsoft Management Console (MMC; reachable under Computer Management, Services and Applications), the zone's properties have a Zone Transfers tab that restricts transfers to the listed IP addresses, or disables them altogether.
Windows: user and group enumeration
Enumerating users via NetBIOS: first the usernames, then guesses at (common) passwords. enum: use and output. DumpSec: output. Countermeasures: as before (close the ports, no NetBIOS over TCP/IP, restrict anonymous).
Enumerating users via SNMP: SolarWinds IP Network Browser; the Windows SNMP agent exposes the account list in the LAN Manager MIB to anyone who knows the community string. See also snmputil and read more in the book.
Windows Active Directory enumeration using ldp: from Windows 2000 on, Active Directory added LDAP. You log in once and have access to all resources (the good part), and the directory describes every user, group and machine in one place (the security problem, when it can be queried anonymously). Threats and countermeasures are in the book (better dealt with in Operating Systems): filter TCP 389 (LDAP) and 3268 (global catalog) from untrusted networks (domain members need them internally), and upgrade all systems to Windows 2000 or later before migrating to Active Directory, because the "permissions compatible with pre-Windows 2000 servers" option needed for older members puts Everyone into the Pre-Windows 2000 Compatible Access group and lets anonymous clients read the directory.