Transcript Enumeration

Enumerating
slides (c) 2012 by Richard Newman
based on Hacking Exposed 7 by McClure, Scambray, and Kurtz
What is Enumeration?
How does it differ from footprinting and scanning?
–
–
–
Footprinting did not necessarily attempt to access the target
system(s) directly
Scanning involved transient contact
Enumeration involves establishing connections and directed
queries
Information typically gathered
–
–
–
User account names (for password attacks)
Misconfigured shared resources
Software version and patch state (for known vulnerabilities)
Detailed examination of target systems
Platform specific – how you interact depends on target service/system
Service Fingerprinting
Automated method
–
–
–
Easy to use, use likely to increase
Generates a lot of traffic – likely to be noticed
Takes significant time
Nmap Version Scanning
–
–
–
Popularity=9; Simplicity=8; Impact=3; Risk Rating=7
Use -sV switch
Can find “hidden” services (use same port as other service)
Amap Version Scanning (thc.org/thc-amap/)
–
–
–
Popularity=9; Simplicity=8; Impact=3; Risk Rating=7
Older than nmap
Uses different patterns, so gives a second opinion
Vulnerability Scanners - 1
Automated VS tools – Use when stealth not required
–
–
Know defender is not monitoring
Moving too fast to care
Countermeasures
–
–
–
–
Keep system patched
Do your own scans
IDS – detect (pretty noisy)
IPS – prevent (slow down attacks to discourage, delay attacker)
Vulnerability Scanners - 2
Nessus Scanning (nessus.org/products/nessus)
Popularity=9; Simplicity=9; Impact=6; Risk Rating=8
–
Easy to use GUI
–
Kept up to date
–
Optimized performance
–
Client ported to iPhone and Android
–
Extendable with user-developed custom plug-ins
–
Nessus Attack Scripting Language (NASL)
–
Open source version OpenVAS (openvas.org) is free
Vulnerability Scanners - 3
Nmap Scanning Engine (NSE) Scanning
Popularity=7; Simplicity=6; Impact=5; Risk Rating=6
–
Extendable with user-developed scripts
–
Lua interpreted language
–
Intended for specific probing
–
- - script or -sC options to run scripts
Basic Banner Grabbing
Popularity=5; Simplicity=9; Impact=1; Risk Rating=5
telnet
–
–
Ascii-based interactive session client
Can use to connect to many servers (ASCII-based)
–
–
“TCP/IP Swiss army knife”
Allows file input for tedious probes
netcat
Countermeasures
–
–
–
–
Shut down unnecessary services
Restrict access to services
Disable banner display (vendor dependent)
Do your own checks
Common Network Services - 1
- FTP
- Telnet
- SMTP
- DNS
- TFTP
- Finger
- HTTP
- MSRPC
- NetBIOS Name Service
- SMB Null Session
Common Network Services - 2
- SNMP
- BGP
- Active Directory LDAP
- Unix RPC
- rwho, rusers
- NIS
- SQL Resolution Service
- Oracle TNS
- NFS
- IPSec/IKE
FTP Enumeration
Popularity=1; Simplicity=10; Impact=1; Risk Rating=4
- File Transfer Protocol – TCP port 21
–
–
–
–
–
Less used now
Allows upload of (malicious) files
Often allows anonymous access using any email address
Get banner
Determine access
- Countermeasures
–
–
–
–
Turn off
Secure FTP (SFTP) uses SSH
FTP Secure (FTPS) uses SSL
HTTP for public information access
Telnet Enumeration
Popularity=4; Simplicity=9; Impact=3; Risk Rating=5
Telnet TCP 23
–
–
–
–
–
–
Used for remote access
Transmits data in cleartext
Often displays host system info
Even if it doesn't, the prompt may reveal system
May be used for attacking accounts if lockout not used
May reveal valid usernames from login attempts
Countermeasures
–
–
–
–
–
Turn off
Use secure shell (SSH) instead
Modify banner messages
Modify error messages
Account locking/drop connection on login failure
SMTP Enumeration
Popularity=5; Simplicity=9; Impact=1; Risk Rating=5
Simple Mail Transport Protocol – TCP 25
–
–
–
–
–
Used universally for email transfer
ASCII protocol for requests/replies
VRFY – verify user names
EXPN – provide actual delivery email address of alias
vrfy.pl script allows a file containing a list of user names to
be tested and valid user names reported
Countermeasures
–
–
Configure to turn off VRFY and EXPN, or
Configure to require authentication/privileges to use them
DNS Enumeration - 1
Popularity=5; Simplicity=9; Impact=2; Risk Rating=5
Domain Name Service (DNS) – TCP/UDP 53
–
–
–
–
Used for footprinting already
UDP used for most interactions
TCP for zone transfers
Zone transfer dumps entire contents of zone files
•
–
–
–
HINFO, hostname-IP mappings
SRV records allow search by service type
Nslookup, dig to access
BIND (Berkeley Internet Name Domain) enumeration
•
Reveals BIND version
•
Often allows zone transfer
DNS Enumeration - 2
Domain Name Service (DNS)
–
DNS Cache snooping
• DNS servers cache responses to recent queries
• Attacker can force server to only use cache
–
–
+norecurse option in dig
• Find recent accesses (or not) to particular FQDN
• Answer flag set to 0 if not, 1 if recent access
Automated DNS Enumeration
•
Dnsenum (code.google.com/p/dnsenum/)
•
Fierce.pl (ha.ckers.org/fierce)
•
Web services for same (e.g., centralops.net)
Countermeasures
–
–
–
–
Two DNS servers – one for public, one for private use
Block DNS zone transfers except to authorized hosts
Block version.bind requests
Disable DNS cache-snooping
TFTP Enumeration
Popularity=1; Simplicity=3; Impact=7; Risk Rating=3
Trivial FTP (TFTP) – TCP/UDP 69
–
–
–
–
Quick-and-dirty FTP
Cleartext, no authentication
Requires knowledge of file name (exactly)
May allow download of sensitive file (e.g., /etc/passwd,
/etc/shadow, network device configuration files, etc.)
Countermeasures
–
–
–
–
Turn off, if possible
Wrap in TCP wrapper to restrict access
Limit access to /tftpboot/ directory
Block at border firewall
Finger Enumeration
Popularity=7; Simplicity=10; Impact=1; Risk Rating=6
Finger – TCP/UDP 79
–
–
Reveals logged-in users, idle times
User info given from public file info
Countermeasures
–
–
–
–
Turn off
Block port 79
Restrict access
Restrict info given
HTTP Enumeration
Popularity=5; Simplicity=9; Impact=1; Risk Rating=5
Hypertext Transfer Protocol (HTTP) – TCP 80
–
–
Get type and version of web server
HEAD can get banner info
•
–
–
But so popular with worms it can trigger IDS
If server uses SSL, use openssl or sll proxy to connect
Can download all web pages for offline search
• Grendel-scan
• Robots.txt file for “do not search” regions....
Countermeasures
–
–
Change banner
Microsoft IIS lockdown tool
MSRPC Enumeration
Popularity=7; Simplicity=8; Impact=1; Risk Rating=5
Microsoft Remote Procedure Call (MSRPC) – TCP 135
–
–
–
–
RPC portmapper for windows
Gives list of services with version and IP/protocol/port info
Winfingerprint tool (sourceforge)
See hsc.fr/ressources/articles/win_net_srv
Countermeasures
–
–
–
Restrict outside access
Require use of VPN for external access
Use OWA (Outlook Web Access) for remote mail access
NBNS Enumeration
Popularity=7; Simplicity=5; Impact=3; Risk Rating=5
NetBIOS Name Service (NBNS) – UDP 137
–
–
–
–
–
–
Early windows version of DNS
net view command
•
Usually only works on local LAN segment
•
/domain for domains
•
/domain:dname for hosts on specific domain (dname)
nltest tool – identifies domain controllers (with auth creds)
netviewx tool – lists servers with specific services
nbstat, nbtscan – dump netbios name table, with users
nmbscan tool for Linux
Countermeasures
–
–
Restrict access on hosts, routers (test – may break apps)
Disable Alerter and Messenger Service on hosts
SMB Null Session Enumeration
Popularity=8; Simplicity=10; Impact=8; Risk Rating=9
Server Message Block (SMB) Null Session – TCP 139/445
–
–
–
–
Windows NT and descendents – file and print sharing
Samba in Linux
Can give remote access to attacker
a.k.a. Red Button, anonymous login, null session connection
SMB Null Session (2)
Establish “null session”
–
–
–
–
C:\>net use \\192.168.202.33\IPC$ “” /u:“”
Similar to mount network drive command
Connects to hidden IPC share at given IP as built-in
anonymous user (/u:“”) with null password (“”)
Allows access to targeted host
Enumerating File Shares
–
–
–
–
–
C:\>net view \\host
Shows IP address and shares on remote systems
Srvcheck, srvinfo (microsoft.com/downloads/...)
DumpSec (nee DumpAcl) – SomarSoft.com
Wholesale approach – for sysadmin (not hacker)
• ShareEnum (SysInternal)
• Networkscanner (SoftPerfect)
SMB Null Session (3)
Share Scanning wholesale for hackers
–
–
–
Includes password brute-forcing (may be intelligent)
Legion
NetBIOS Auditing Tool (NAT) (see hackingexposed.com)
Registry Enumeration
–
–
–
–
–
–
–
Registry holds keys indicating applications installed
Also holds user info
and services
and holds configuration info (e.g., lockout number for failed
password attempts)
Also may hold pointers to back doors
All of which can suggest exploits
Check if Registry is locked down using reg
SMB Null Session (4)
Enumerating Trusted Domains
–
Nltest /server:server_name /trusted_domains
User Enumeration
–
–
–
–
–
DumpSec
• List of users, groups, system policies, user rights
Following work with RestrictAnonymous=1, with null session
UserInfo/UserDump (hammerofgod.com)
GetAcct (securityFriday.com)
sid2user & user2sid (evgenii.rudnyi.ru/soft/sid/sid.txt)
• SID is security ID – variable length value set at install
• See also
http://en.wikipedia.org/wiki/Security_Identifier
• User IDs (and much more) based on SID
SMB Null Session (5)
SIDs
–
–
–
–
–
C:\>user2sid \\targetIP “domain users”
Returns SID of host (hyphenated, S-1-...)
Digits following last hyphen is Relative ID (RID)
RID predefined for built-in users and groups
• 500=admin
• 501=guest
RID for users starts at 1000 for NT and increments
• RID not reused => can see users past and present
All-in-one tools
–
–
–
–
Cain & Abel (oxid.it/cain.html)
Winfingerprint (sourceforge.net) – also Active Directory, WMI
NBTEnum (try on packetstorm) – includes intelligent BF
attack
enum (BindView, Symantec). Enum4linux (Portcullis
Security)
SMB Null Session (6)
Popularity=8; Simplicity=10; Impact=8; Risk Rating=9
Countermeasures
–
–
–
–
–
–
Filter TCP/UDP ports 139 & 445 at perimeter
Self audit
Unbind WINS Client, or
Set RestrictAnonymous key (=0 is open, =1 can be
bypassed, =2 means no null sessions possible) in NT
More granular access control in later Windows versions
HKLM\System\CurrentControlSet\Control\SecurePipeServer\Winre
g and subkeys (e.g., AllowedPaths)
SNMP Enumeration
Popularity=7; Simplicity=9; Impact=3; Risk Rating=6
Simple Network Management Protocol – UDP 161
–
–
–
–
–
“Security Not My Problem” - lacks strong protections
Password authentication – well-known default pw
Access to get and set MIBs (mgt info bases)
Vendor specific extensions to MIBs
Uses ASN.1 syntax for object IDs (OIDs)
SNMP Enumeration (2)
Tools
–
–
–
–
Snmputil, snmpget, snmpwalk commandline tools
Snmpget (linux/unix) in net-snmp suite at SourceForge
Copy-router-config.pl (muts)
IP Network Browser – GUI tool (solarwinds.com)
Targets
–
–
–
–
–
–
–
Running services
Share names
Share paths
Comments on shares
Usernames
Domain name
Architecture, OS version
SNMP Enumeration (3)
SNMP Scanners
–
–
–
Simple, light-weight => perfect for automated scanning
SNScan (mcafee.com/us/downloads/free-tools/snscan.aspx)
• Community and range to scan (or in file)
• Hostname and (MIB version of) OS version
• Csv file export
onesixtyone (portcullis-security.com/16.php)
•
Command line version of SNScan
Countermeasures
–
–
–
–
–
Remove or disable SNMP agents on hosts
Use obscure community names (e.g., NOT “public” or
“private”)
Block port 161 at all perimeter network access devices
Restrict access to specific IP addresses
Use SNMPv3 (more secure)
BGP Enumeration
Popularity=2; Simplicity=6; Impact=2; Risk Rating=3
Border Gateway Protocol (BGP) – TCP 179
–
–
–
–
Interdomain routing protocol
Determine Autonomous Systems Number (ASN) of target
Query routers to get all networks where AS Path ends with
desired ASN
Only uses IP addresses and ASNs
• Get ASN from whois search (if name known)
• Get ASN from router using IP address (if known)
– Use telnet to router – show ASN path
– Use last ASN on list as target ASN
– May be false if BGP not used!!!
Countermeasures - none
Active Directory LDAP Enumeration
Popularity=2; Simplicity=2; Impact=5; Risk Rating=3
Active Directory/Lightweight Directory Access Protocol
(LDAP) – TCP/UDP 389 and 3268
- Active Directory holds info on all objects in system
- ldp.exe is AD Administration Tool – connect/browse
- view users, groups, e.g.
- requires authenticated session via LDAP
- user enum alternative if NetBIOS ports blocked
- LUMA or JXplorer on Linux/X Windows
- ldapenum command-line script (Windows/Linux)
Countermeasures
Filter access to ports 389 and 3268
Remove Everyone group from pre-Win2K Compatible Access
Unix RPC Enumeration
Popularity=7; Simplicity=10; Impact=1; Risk Rating=6
Unix Remote Procedure Call (RPC) – TCP/UDP 111, 32771
- Portmapper/rpcbind used for dynamic port assignment
for services available using RPC/RMI
- remains very popular for distributed systems
- rpcinfo –p <IP addr> lists pgm, version, proto, port
- nmap –sS –sR <IP addr> works nicely
Countermeasures
Not easy in general – needed for distr. sys. operation.
Can use Sun’s Secure RPC (using PKC)
Filter or disable ports 111, 32771, etc.
rwho, rusers Enumeration
Popularity=3; Simplicity=8; Impact=1; Risk Rating=4
rwho (UDP 513), rusers (RPC pgm 100002)
rwho returns currently logged-in users using rwhod
rusers can provide a little more info
Countermeasures
Turn off (look in start-up scripts /etc/init.d, /etc/rc*.d)
NIS Enumeration
Popularity=3; Simplicity=8; Impact=1; Risk Rating=4
Network Information System (NIS) – RPC pgm 100004
- Once NIS domain name is known, NIS maps
(distributed mappings of host’s critical info, e.g., passwd
file contents) are available using RPC
- pscan –n tool
Countermeasures
Use hard-to-guess NIS domain name
Use NIS+ (uses secure RPC)
At least edit /var/yp/securenets file to restrict access
Don’t include root/system acct info in NIS tables
SQL Resolution Service
Enumeration
Popularity=5; Simplicity=8; Impact=2; Risk Rating=5
SQL Resolution Service – UDP 1434
Works like portmapper as “instance mapper” for SQL
SQLPing tool
Countermeasures
Restrict access at firewall
Use “hide server” option
Oracle TNS Enumeration
Popularity=1; Simplicity=10; Impact=1; Risk Rating=4
Transparent Network Substrate (TNS) – TCP 1521/2483
Oracle TNS listener manages client-server DB traffic
Can get database SID, version, OS, etc.
Need SID to access DB – can try default accts
AppSentry Listener Security Check tool
tnscmd.pl/tnscmd10g.pl, getsids tools
Oracle Assessment Kit (OAK)
Oracle Auditing Tool (OAT)
Countermeasures
Configure to require password access
See Project Lockdown and Integrigy papers
NFS Enumeration
Popularity=7; Simplicity=10; Impact=1; Risk Rating=6
Network File System (NFS) – TCP/UDP 2049
Unix utility showmount shows exported directories
Countermeasures
Not much you can do
Make sure permissions are correct on directories
Block 2049 at firewall
Log requests
IPSec/IKE Enumeration
Popularity=6; Simplicity=6; Impact=9; Risk Rating=7
IPSec/Internet Key Exchange (IKE) – UDP 500
- IPSec used for VPN
- IKE used manage key negotiations
- Malformed packets are silently dropped – hard to see
- ike-scan forms packets that get responses
- gets negotiation info, like
PSK or certs
Main Mode/Aggressive Mode
Which ciphersuites are in use
- PSK/Aggressive Mode => get hash of PSK, use psk-crack
Countermeasures
Restrict VPN access to specific IP addrs, if possible
Use Main Mode and certificates