Slides 6 - USC Upstate: Faculty


SCSC 555
Frank Li
Introduction to Enumeration
 Enumerate Microsoft OS
 Enumerate *NIX OS
 Enumerate NetWare OS (skip)


Enumeration extracts information about:
◦ Resources or shares on the network
◦ User names or groups assigned on the network
◦ Last time a user logged on
◦ Password information

Enumeration is more intrusive than passive port
scanning
◦ First determine the OS of the target host
 by port scanning and footprinting
◦ E.g., for Microsoft OSs enumeration goes over NBT (NetBIOS
over TCP/IP), the protocol that tools such as nbtscan and
nbtstat query

Using the enumeration tool nbtscan
◦ Use the nbtscan command to scan a range of IP
addresses for their NetBIOS name tables (UDP port 137)
◦ Example: nbtscan 192.168.0.0/24
Introduction to Enumeration
 Enumerate Microsoft OS
 Enumerate *NIX OS


Study OS history
◦ Knowing your target makes your job easier
◦ Many attacks that work for older Windows OSs still
work with newer versions

Network Basic Input Output System (NetBIOS)
◦ Is a programming interface (API), originally built for IBM
PC networks and later adopted by Microsoft
◦ Allows computer communication over a LAN
◦ Used to share files and printers

NetBIOS names are computer names assigned
to Windows systems
◦ Must be unique on a network
◦ Limit of 16 bytes: 15 characters for the name itself
(padded with spaces)
◦ The 16th byte (suffix) identifies the type of service
registered under that name, e.g. 0x00 workstation, 0x20 file
server, 0x1C domain controllers  next page
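To make the nbtscan slide and the name/suffix slide concrete, here is an added example (not code from the slides or from nbtscan itself) that builds the NBSTAT "node status" query nbtscan and nbtstat -A send to UDP port 137 and parses the reply into the 16-byte name table. The suffix table is the standard NetBIOS suffix assignment; the reply at the bottom is constructed for offline use, so the host name SALESREP, the workgroup WORKGROUP and the MAC address are assumptions, not a capture.

```python
import socket
import struct

# Added example, not from the slides: NBSTAT query builder + response parser.
# The SUFFIX_MEANING table lists the standard NetBIOS suffixes; the sample reply
# at the bottom is constructed (host name, workgroup and MAC are made up).

SUFFIX_MEANING = {
    0x00: "Workstation Service (unique) / Domain name (group)",
    0x03: "Messenger Service",
    0x06: "RAS Server Service",
    0x1B: "Domain Master Browser",
    0x1C: "Domain Controllers (group)",
    0x1D: "Master Browser",
    0x1E: "Browser Service Elections (group)",
    0x20: "File Server Service",
}

def encode_netbios_name(name: bytes) -> bytes:
    """RFC 1001 first-level encoding: pad to 16 bytes, split each byte into
    two nibbles and add 'A' to each, giving a 32-letter label."""
    padded = name.ljust(16, b"\x00")[:16]
    encoded = bytearray()
    for b in padded:
        encoded.append(ord("A") + (b >> 4))
        encoded.append(ord("A") + (b & 0x0F))
    return bytes([0x20]) + bytes(encoded) + b"\x00"   # length byte, label, terminator

def build_nbstat_query(txid: int = 0x1234) -> bytes:
    """Header (ID, flags=0, QDCOUNT=1) + question for the wildcard name '*',
    QTYPE 0x0021 (NBSTAT), QCLASS 0x0001 (IN)."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_netbios_name(b"*") + struct.pack(">HH", 0x0021, 0x0001)

def parse_nbstat_response(data: bytes) -> dict:
    """Walk the single answer RR of a node status response and return the
    name table (name, suffix, service, group flag) plus the MAC address."""
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    if not flags & 0x8000 or ancount < 1:
        raise ValueError("not an NBSTAT response")
    pos = 12 + 34                                    # skip the 34-byte encoded RR name
    rtype, _rclass, _ttl, _rdlen = struct.unpack(">HHIH", data[pos:pos + 10])
    pos += 10
    if rtype != 0x0021:
        raise ValueError("answer is not an NBSTAT record")
    num_names = data[pos]
    pos += 1
    names = []
    for _ in range(num_names):
        raw, suffix = data[pos:pos + 15], data[pos + 15]
        name_flags = struct.unpack(">H", data[pos + 16:pos + 18])[0]
        pos += 18
        names.append({
            "name": raw.rstrip(b" ").decode("ascii", "replace"),
            "suffix": suffix,
            "service": SUFFIX_MEANING.get(suffix, "unknown"),
            "group": bool(name_flags & 0x8000),      # G bit: group vs unique name
        })
    mac = data[pos:pos + 6]                          # statistics block starts with the unit ID
    return {"txid": txid, "names": names, "mac": ":".join(f"{b:02x}" for b in mac)}

def nbstat(ip: str, timeout: float = 2.0) -> dict:
    """Live query against one host (needs UDP/137 reachable); not used offline."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_nbstat_query(), (ip, 137))
        data, _ = sock.recvfrom(4096)
    finally:
        sock.close()
    return parse_nbstat_response(data)

# --- constructed sample reply for offline use (names and MAC are made up) ---
def _name_entry(name: bytes, suffix: int, group: bool = False) -> bytes:
    flags = 0x8400 if group else 0x0400              # 0x0400 = ACT (active) bit
    return name.ljust(15, b" ") + bytes([suffix]) + struct.pack(">H", flags)

_entries = (_name_entry(b"SALESREP", 0x00) + _name_entry(b"SALESREP", 0x20)
            + _name_entry(b"WORKGROUP", 0x00, group=True)
            + _name_entry(b"WORKGROUP", 0x1E, group=True))
_rdata = bytes([4]) + _entries + bytes.fromhex("0011223344aa") + b"\x00" * 40
SAMPLE_RESPONSE = (struct.pack(">HHHHHH", 0x1234, 0x8400, 0, 1, 0, 0)
                   + encode_netbios_name(b"*")
                   + struct.pack(">HHIH", 0x0021, 0x0001, 0, len(_rdata)) + _rdata)

if __name__ == "__main__":
    for entry in parse_nbstat_response(SAMPLE_RESPONSE)["names"]:
        kind = "GROUP " if entry["group"] else "UNIQUE"
        print(f"{entry['name']:<15} <{entry['suffix']:02X}> {kind} {entry['service']}")
```

The printed table is the same view nbtstat -A gives: a unique 0x20 entry means the host is offering file sharing, and a 0x1C group entry would mark it as a domain controller. Replace SAMPLE_RESPONSE with nbstat("192.168.0.106") to query a real host.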

One of the biggest vulnerabilities of NetBIOS
systems: the NetBIOS null session
◦ An unauthenticated connection to a Windows
computer, typically to its IPC$ (inter-process communication) share
 Uses an empty user name and an empty password

Attackers use an enumeration tool to establish a
null session
◦ to gather logon accounts, group membership, and
file shares from target hosts


NetBIOS null sessions are enabled by default
in Windows NT and 2000.
Windows XP and 2003 by default allow anonymous
enumeration of shared network resources,
but not of accounts.
What an anonymous connection may enumerate is controlled by the
RestrictAnonymous and RestrictAnonymousSAM values under
HKLM\SYSTEM\CurrentControlSet\Control\Lsa (Local Security Policy:
"Network access: Do not allow anonymous enumeration of SAM accounts
and shares"); later Windows versions tighten these defaults further.
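The null session described on the last two slides also leaves a trace on the target: a Security log event 4624 (logon) with Logon Type 3 (network) for the account ANONYMOUS LOGON and, when the "Audit File Share" subcategory is enabled, an event 5140 for the share it opened (IPC$ for enumeration), linked to the logon by the logon ID. The following is an added detection example, not part of the slides; the events are constructed in the wevtutil /f:xml shape, and the IP addresses, logon IDs and user names in them are made up.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Added example, not from the slides: correlate 4624 (ANONYMOUS LOGON, type 3)
# with 5140 (share access) by logon ID to find null-session enumeration.
# SAMPLE_XML is constructed test data, not a real export.

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

SAMPLE_XML = r"""<Events xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<Event><System><EventID>4624</EventID></System><EventData>
<Data Name="TargetUserName">ANONYMOUS LOGON</Data>
<Data Name="TargetDomainName">NT AUTHORITY</Data>
<Data Name="TargetLogonId">0x3e7a1</Data>
<Data Name="LogonType">3</Data>
<Data Name="AuthenticationPackageName">NTLM</Data>
<Data Name="IpAddress">192.168.0.50</Data>
</EventData></Event>
<Event><System><EventID>5140</EventID></System><EventData>
<Data Name="SubjectLogonId">0x3e7a1</Data>
<Data Name="ShareName">\\*\IPC$</Data>
<Data Name="IpAddress">192.168.0.50</Data>
</EventData></Event>
<Event><System><EventID>4624</EventID></System><EventData>
<Data Name="TargetUserName">alice</Data>
<Data Name="TargetDomainName">CORP</Data>
<Data Name="TargetLogonId">0x41b22</Data>
<Data Name="LogonType">3</Data>
<Data Name="AuthenticationPackageName">Kerberos</Data>
<Data Name="IpAddress">192.168.0.77</Data>
</EventData></Event>
<Event><System><EventID>5140</EventID></System><EventData>
<Data Name="SubjectLogonId">0x41b22</Data>
<Data Name="ShareName">\\*\Letters</Data>
<Data Name="IpAddress">192.168.0.77</Data>
</EventData></Event>
<Event><System><EventID>4624</EventID></System><EventData>
<Data Name="TargetUserName">ANONYMOUS LOGON</Data>
<Data Name="TargetDomainName">NT AUTHORITY</Data>
<Data Name="TargetLogonId">0x52c03</Data>
<Data Name="LogonType">3</Data>
<Data Name="AuthenticationPackageName">NTLM</Data>
<Data Name="IpAddress">192.168.0.51</Data>
</EventData></Event>
</Events>"""

def parse_events(xml_text: str) -> list:
    """Flatten each <Event> into a dict of its EventData fields plus EventID."""
    root = ET.fromstring(xml_text)
    events = []
    for ev in root.findall("e:Event", NS):
        fields = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        fields["EventID"] = int(ev.find("e:System/e:EventID", NS).text)
        events.append(fields)
    return events

def find_null_sessions(events: list):
    """Return (anonymous network logons by logon ID -> source IP,
    list of share accesses made under one of those logons)."""
    anonymous = {}
    for e in events:
        if (e["EventID"] == 4624 and e.get("LogonType") == "3"
                and e.get("TargetUserName", "").upper() == "ANONYMOUS LOGON"):
            anonymous[e["TargetLogonId"]] = e.get("IpAddress", "-")
    findings = []
    for e in events:
        if e["EventID"] == 5140 and e.get("SubjectLogonId") in anonymous:
            findings.append({"source": anonymous[e["SubjectLogonId"]],
                             "share": e.get("ShareName", ""),
                             "logon_id": e["SubjectLogonId"]})
    return anonymous, findings

def shares_per_source(findings: list) -> dict:
    """Group the shares each source IP touched anonymously (IPC$ = enumeration)."""
    per_src = defaultdict(set)
    for f in findings:
        per_src[f["source"]].add(f["share"])
    return dict(per_src)

if __name__ == "__main__":
    anon, hits = find_null_sessions(parse_events(SAMPLE_XML))
    print(f"{len(anon)} anonymous network logons, {len(hits)} with share access")
    for src, shares in shares_per_source(hits).items():
        print(f"  {src}: {', '.join(sorted(shares))}")
```

Anonymous 4624 events on their own are noisy (the third logon above never opens a share); the useful signal is an anonymous logon followed by IPC$ access from the same logon ID, and the count of such sessions per source address.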

For the most part, if the appropriate ports are accessible a
null session is possible.

Port   Protocol   Description
135    TCP/UDP    Location Service (RPC endpoint mapper)
137    UDP        NetBIOS Name Service (TCP 137 is registered but rarely used)
138    UDP        NetBIOS Datagram Service
139    TCP        NetBIOS Session Service
445    TCP        SMB/CIFS directly over TCP (no NetBIOS layer)

The null session itself is carried over TCP 139 or TCP 445; ports
137 and 138 serve name resolution and browsing, not the session.

Use the IP addresses obtained when port scanning to
perform a NetBIOS enumeration

NetBIOS Enumeration Tools
◦ Nbtstat
◦ Net view
◦ Net use
◦ NetScanTools Pro
◦ DumpSec
◦ Hyena
◦ NessusWX
◦ Enum
◦ Hunt

Nbtstat command
◦ Powerful enumeration tool included with Windows
◦ Displays the NetBIOS name table of a local or remote host
(-a takes a NetBIOS name, -A takes an IP address)
◦ E.g., nbtstat -a salesrep

Net view command
◦ Lists the shared resources on a network host

E.g., net view \\192.168.0.106

Net use command
◦ Used to connect to a computer with shared folders
or files
◦ Views information about the current computer's
connections
◦ Can also control persistent network connections

E.g., to assign the disk-drive device name E: to the
Letters shared directory on the \\Fin server, type:
net use e: \\fin\letters

NetScanTools Pro produces a graphical view of
NetBIOS running on a network
◦ Enumerates any shares running on the computer
◦ Verifies whether access is available to a shared
resource using its Universal Naming Convention (UNC)
name
◦ Example: figures 6-10, 6-11
 the comment entry for \\SALEsMGR\SharedDocs is blank;
to see whether access is available, an attacker enters the
UNC \\SALEsMGR\SharedDocs in the Run dialog box in
Windows
DumpSec
http://www.systemtools.com/cgiin/download.pl?DumpAcl
 Produced by SomarSoft (formerly named DumpAcl)
 Allows the user to connect to a server and "dump"
the following information:
◦ Permissions for shares
◦ Permissions for printers
◦ Permissions for the Registry
◦ Users in column or table format
◦ Policies and rights
◦ Services

Hyena is a GUI product for managing and
securing Microsoft OSs
◦ Shows shares and user logon names for Windows
servers and domain controllers
◦ Displays a graphical representation of:
 Microsoft Terminal Services
 Microsoft Windows Network
 Web Client Network
 Find User/Group


NessusWX allows enumeration of different
OSs on a large network
Running NessusWX
1. Make sure the Nessus server is up and running
2. Open the NessusWX client application
3. Connect your NessusWX client to the Nessus
server:
   1. Click Communications, Connect on the menu of
   the session window
   2. Enter the server's name
   3. Log on to the Nessus server
Enum
http://www.bindview.com/Services/RAZOR/Utilities/Windows/enum_readme.cfm
 One of the best tools for exploiting the null
session vulnerability
 Lets you exploit every aspect of this flaw:
◦ enumerating users, groups, shares and the password policy
over a null session,
◦ and then trying to brute-force a user's password with a supplied
password list.
Hunt
http://www.foundstone.com/resources/freetools/hunt.zip
 Part of the Forensic Toolkit from Foundstone
 Makes it very easy to enumerate users and shares
from a vulnerable Windows host over a null session, and
is the most accurate of these tools

Nessus identifies
◦ NetBIOS names in use
◦ Shared resources
◦ Password information

Nessus also identifies:
◦ OS and service pack
◦ OS vulnerabilities
◦ Firewall vulnerabilities
Introduction to Enumeration
 Enumerate Microsoft OS
 Enumerate *NIX OS


Variations of Unix
◦ Solaris
◦ SunOS
◦ HP-UX
◦ Linux
◦ Ultrix
◦ AIX
◦ BSD UNIX
◦ FreeBSD
◦ OpenBSD

Finger utility
◦ A classic information-gathering tool for security testers
(the finger daemon listens on TCP port 79 and is usually
disabled on modern systems)
◦ Finds out who is logged in to a *NIX system
◦ Reveals a user's login name, real name, terminal, login
time, idle time and mail status

Nessus can also be used for *NIX enumeration

E.g., # finger -b -p james
displays the following information about the user james
(-b omits the home directory and shell, -p omits the .plan file):

Login name: james                       In real life: Computer Hope
On since Feb 11 23:37:16 on pts/7 from domain.computerhope.com
28 seconds Idle Time
Unread mail since Mon Feb 12 00:22:52 2001
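What the finger command above actually does on the wire is a one-line TCP query (RFC 1288) to port 79 followed by reading the reply until the server closes the connection. The following added example, not part of the slides, implements that client and a stand-in finger daemon on localhost so it runs offline; the reply for "james" echoes the slide's output, while the port number, idle time and the login-list format of the stand-in server are assumptions.

```python
import socket
import threading

# Added example, not from the slides: minimal finger (RFC 1288) client plus a
# constructed stand-in fingerd for offline use. CONSTRUCTED_USERS is made up.

FINGER_PORT = 79

def build_finger_request(user: str = "", verbose: bool = False) -> bytes:
    """RFC 1288 query: optional '/W' for long output, optional user, CRLF.
    An empty line asks the server to list everyone currently logged in."""
    parts = (["/W"] if verbose else []) + ([user] if user else [])
    return (" ".join(parts) + "\r\n").encode("ascii")

def finger(host: str, user: str = "", verbose: bool = False,
           port: int = FINGER_PORT, timeout: float = 3.0) -> str:
    """Send one query and return the raw reply text (server closes when done)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_finger_request(user, verbose))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("ascii", "replace")

def parse_finger_reply(text: str) -> dict:
    """Pull the fields a tester cares about out of a classic fingerd reply."""
    info = {}
    for line in text.splitlines():
        if line.startswith("Login name:"):
            head, _, tail = line.partition("In real life:")
            info["login"] = head.split(":", 1)[1].strip()
            info["real_name"] = tail.strip()
        elif line.startswith("On since"):
            info["session"] = line.strip()
            if " from " in line:
                info["from"] = line.rsplit(" from ", 1)[1].strip()   # origin host of the login
        elif "Idle Time" in line:
            info["idle"] = line.strip()
        elif line.startswith("finger:") and "no such user" in line:
            info["error"] = line.strip()
    return info

# --- constructed stand-in fingerd (offline only) ---
CONSTRUCTED_USERS = {"james": ("Computer Hope", "pts/7", "domain.computerhope.com")}

def constructed_reply(query: str) -> str:
    """What the stand-in daemon answers for one query line."""
    user = query.replace("/W", "").strip()
    if user == "":
        lines = ["Login    Name           TTY   Idle  Login Time"]
        lines += [f"{u:<8} {real:<14} {tty:<5} 28s   Feb 11 23:37"
                  for u, (real, tty, _) in CONSTRUCTED_USERS.items()]
        return "\r\n".join(lines) + "\r\n"
    if user not in CONSTRUCTED_USERS:
        return f"finger: {user}: no such user.\r\n"
    real, tty, origin = CONSTRUCTED_USERS[user]
    return (f"Login name: {user:<24}In real life: {real}\r\n"
            f"On since Feb 11 23:37:16 on {tty} from {origin}\r\n"
            "28 seconds Idle Time\r\n")

def _serve_one(conn: socket.socket) -> None:
    with conn:
        req = b""
        while not req.endswith(b"\r\n") and len(req) < 256:
            chunk = conn.recv(256)
            if not chunk:
                break
            req += chunk
        conn.sendall(constructed_reply(req.decode("ascii", "replace")).encode("ascii"))

def start_fake_fingerd() -> int:
    """Bind an ephemeral localhost port, serve in the background, return the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    def loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=_serve_one, args=(conn,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    port = start_fake_fingerd()
    raw = finger("127.0.0.1", "james", port=port)
    print(raw)
    print(parse_finger_reply(raw))
```

Against a real host you would call finger("target", "james") with the default port 79; the empty query, finger("target"), is the enumeration case the slide is about, since a permissive daemon answers it with every logged-in user name, which then feeds password guessing.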