Hands-On Ethical Hacking and Network Defense
Chapter 6: Enumeration
Modified 2-22-14
Objectives
Describe the enumeration step of security testing
Enumerate Microsoft OS targets
Enumerate NetWare OS targets
Enumerate *NIX OS targets
Introduction to Enumeration
Enumeration extracts information about:
– Resources or shares on the network
– User names or groups assigned on the network
– Last time a user logged on
– User passwords
Before enumeration, you use port scanning and footprinting
– To determine the OS being used
Enumeration is an intrusive process: it connects to services on the target and leaves log entries
NBTscan
NBT (NetBIOS over TCP/IP)
– The Windows networking protocol used for shared folders and printers
NBTscan
– Tool for enumerating Microsoft OSs by querying their NetBIOS name tables over UDP port 137
Enumerating Microsoft Operating Systems
Study OS history
– Knowing your target makes your job easier
Many attacks that work on older Windows OSs still work on newer versions
Windows 95
The first Windows version that did not have to be started from DOS
Still used the DOS kernel to some extent
Introduced the Registry database to replace Win.ini, Autoexec.bat, and other text configuration files
Introduced Plug and Play and ActiveX
Used the FAT16 file system
Windows 98 and ME
More stable than Win 95
Used the FAT32 file system
Win ME introduced System Restore
Win 95, 98, and ME are collectively called "Win 9x"
Some devices still run Windows 98 and use plaintext passwords
– Research from Billy K. Rios, published 2-11-14
Windows NT 3.51 Server/Workstation
No dependence on the DOS kernel
Introduced domains and domain controllers
NTFS file system to replace FAT16 and FAT32
Much more secure and stable than Win 9x
Many companies still use Win NT Server domain controllers
Win NT 4.0 was an upgrade
Windows 2000 Server/Professional
Upgrade of Win NT
Active Directory
– Powerful database storing information about all objects in a network: users, printers, servers, etc.
– Comparable to Novell's Novell Directory Services (both are LDAP/X.500-style directories)
Enumerating this system includes enumerating Active Directory
Windows XP Professional
Much more secure, especially after Service Pack 2
– Windows File Protection
– Data Execution Prevention
– Windows Firewall (on by default since SP2)
Link Ch 6n
Windows Server 2003
Much more secure, especially after Service Pack 1
– Network services are closed by default
– Internet Explorer security set higher
Windows Vista
User Account Control
– Users run with low privileges for most tasks and are prompted to elevate
BitLocker Drive Encryption
Address Space Layout Randomization (ASLR)
ASLR Demo
Download Process Explorer (link Ch 3e)
View, Show Lower Pane
View, Lower Pane View, DLLs
View, Select Columns, DLL tab, Base Address
Select explorer.exe and find ntdll.dll
Reboot to see the base address change (Vista randomizes system DLL bases once per boot, so every process shows the same ntdll.dll address until the next reboot)
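The demo above shows ASLR from the outside. Whether a given binary is even eligible for ASLR and DEP is recorded in its PE header, in the DllCharacteristics field of the optional header. The script below is an added example written for this edit, not from the slides or from Process Explorer: it parses that field, and it also checks the COFF flag that means relocations were stripped, in which case the loader cannot move the image even if DYNAMIC_BASE is set. The minimal PE header it builds for offline use is constructed here; pass a path to a real .exe or .dll to inspect it instead.

```python
"""Report whether a Windows PE image opted into ASLR (DYNAMIC_BASE) and DEP (NX_COMPAT)."""
import struct
import sys

# IMAGE_DLLCHARACTERISTICS_* bits from winnt.h
HIGH_ENTROPY_VA = 0x0020   # 64-bit images: high-entropy ASLR
DYNAMIC_BASE    = 0x0040   # image may be relocated at load time (ASLR)
NX_COMPAT       = 0x0100   # image is DEP/NX compatible
GUARD_CF        = 0x4000   # Control Flow Guard
RELOCS_STRIPPED = 0x0001   # COFF Characteristics: no .reloc, cannot be moved


def pe_mitigations(data: bytes) -> dict:
    """Parse DOS header -> PE signature -> COFF header -> optional header."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ)")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    _machine, _nsect, _ts, _symp, _nsym, _optsz, coff_chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                      # COFF header is 20 bytes
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):      # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics is at offset 70 in both PE32 and PE32+ optional headers.
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    relocs_stripped = bool(coff_chars & RELOCS_STRIPPED)
    return {
        "pe32plus": magic == 0x20B,
        # DYNAMIC_BASE alone is not enough: without relocations the image stays put.
        "aslr": bool(dll_chars & DYNAMIC_BASE) and not relocs_stripped,
        "dep": bool(dll_chars & NX_COMPAT),
        "high_entropy_va": bool(dll_chars & HIGH_ENTROPY_VA),
        "cfg": bool(dll_chars & GUARD_CF),
    }


def build_min_pe(dll_chars: int, coff_chars: int = 0x0002, pe32plus: bool = False) -> bytes:
    """Constructed headers-only PE (no sections) used as offline sample input."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)               # e_lfanew -> right after DOS header
    opt_size = 112 if pe32plus else 96                  # optional header without data directories
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, coff_chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 68, 2)                  # Subsystem: WINDOWS_GUI
    struct.pack_into("<H", opt, 70, dll_chars)          # DllCharacteristics
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            image = f.read()
    else:
        image = build_min_pe(DYNAMIC_BASE | NX_COMPAT)  # constructed sample
    for key, val in pe_mitigations(image).items():
        print(f"{key:16} {val}")
```

Run it against the DLLs in System32 on a Vista or later box and compare with the Process Explorer base addresses: an image that reports aslr False will load at the same address on every boot.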
Windows Server 2008
User Account Control
BitLocker Drive Encryption
ASLR
Network Access Protection
– Granular levels of network access based on a client's level of compliance with policy
Server Core
– Small, stripped-down install with no GUI shell, like a Linux server
Hyper-V
– Virtual machines
Windows 7
XP Mode
– A virtual machine running Win XP
User Account Control was refined and made easier to use
Windows 8
Built-in antivirus (Windows Defender)
SmartScreen protects against phishing and social engineering by using a URL and application reputation system
Secure Boot (UEFI), required on ARM devices, prevents bootkits and other rootkits from loading before the OS
Windows 8.1
Pass-the-Hash mitigations, after 15 years
– Protected Users group, Restricted Admin mode for RDP, and limits on credential caching in LSASS reduce the exposure; the attack still works against accounts and hosts the mitigations do not cover
NetBIOS Basics
Network Basic Input Output System (NetBIOS)
– Programming interface
– Allows computer communication over a LAN
– Used to share files and printers
NetBIOS names
Computer names on Windows systems
Limit of 16 bytes: 15 characters for the name (space-padded) plus a 16th byte
The 16th byte (the suffix) identifies the type of service running
Must be unique on a network (unique names; group names such as a domain name are shared by all members)
NetBIOS Suffixes
For a complete list, see link Ch 6h
NetBIOS Null Sessions
Null session
– Unauthenticated connection to a Windows computer
– Does not use logon and password values
Around for over a decade
– Still present on Windows XP
– Disabled on Server 2003
– Blocked by default in Vista and later versions
A large vulnerability
– See links Ch 6a-f
Null Session Information
Using these NULL connections allows you to gather the following information from the host:
– List of users and groups
– List of machines
– List of shares
– Users and host SIDs (Security Identifiers)
From brown.edu (link Ch 6b)
Demonstration of Null Sessions
Start Win 2000 Pro
Share a folder
From a Win XP command prompt
– NET VIEW \\ip-address   Fails
– NET USE \\ip-address\IPC$ "" /u:""
  Creates the null session
  Username="" Password=""
– NET VIEW \\ip-address   Works now
Demonstration of Enumeration
Download Winfo from link Ch 6g
Run it and see all the information!
NULL Session Information
NULL sessions exist in Windows networking to allow:
– Trusted domains to enumerate resources
– Computers outside the domain to authenticate and enumerate users
– The SYSTEM account to authenticate and enumerate resources
NetBIOS NULL sessions are enabled by default in Windows NT and 2000
From brown.edu (link Ch 6b)
NULL Sessions in Win XP and 2003 Server
Windows XP and 2003 don't allow Null Sessions, according to link Ch 6c.
– I tried the NET USE command on Win XP SP2 and it did not work
– Link Ch 6f says you can still do it in Win XP SP2, but you need to use a different procedure
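A null session is noisy on the target: the NET USE \\ip\IPC$ "" /u:"" step above produces a Security log entry (event 4624, logon type 3, account NT AUTHORITY\ANONYMOUS LOGON) and the enumeration that follows produces event 5140 for the IPC$ share. The script below is an added example written for this edit, not from the slides or the brown.edu source: it runs that detection over events in the XML layout that wevtutil qe Security /f:xml emits. The event and field names are the real Windows ones; the four sample events, the host FILESRV01 and the IP addresses are constructed for the example.

```python
"""Flag null-session (anonymous) logons and IPC$ access in exported Security events."""
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: one null session from 10.0.0.77, plus two ordinary logons.
SAMPLE_EVENTS = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><Computer>FILESRV01</Computer></System>
  <EventData>
    <Data Name="TargetUserName">ANONYMOUS LOGON</Data>
    <Data Name="TargetDomainName">NT AUTHORITY</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="AuthenticationPackageName">NTLM</Data>
    <Data Name="IpAddress">10.0.0.77</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>5140</EventID><Computer>FILESRV01</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">ANONYMOUS LOGON</Data>
    <Data Name="ShareName">\\*\IPC$</Data>
    <Data Name="IpAddress">10.0.0.77</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><Computer>FILESRV01</Computer></System>
  <EventData>
    <Data Name="TargetUserName">alice</Data>
    <Data Name="TargetDomainName">CORP</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="IpAddress">10.0.0.5</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><Computer>FILESRV01</Computer></System>
  <EventData>
    <Data Name="TargetUserName">bob</Data>
    <Data Name="TargetDomainName">CORP</Data>
    <Data Name="LogonType">2</Data>
    <Data Name="IpAddress">-</Data>
  </EventData>
</Event>
</Events>"""


def parse_events(xml_text: str) -> list:
    """Return each <Event> as {id, computer, data:{Name: value}}."""
    root = ET.fromstring(xml_text)
    events = []
    for ev in root.iter("{%s}Event" % NS["e"]):
        data = {d.get("Name"): (d.text or "").strip()
                for d in ev.findall("e:EventData/e:Data", NS)}
        events.append({
            "id": int(ev.findtext("e:System/e:EventID", namespaces=NS)),
            "computer": ev.findtext("e:System/e:Computer", namespaces=NS),
            "data": data,
        })
    return events


def find_null_sessions(xml_text: str) -> dict:
    """Group anonymous network logons and IPC$ accesses by source address."""
    findings = defaultdict(lambda: {"anonymous_logons": 0, "ipc_share_access": 0, "targets": set()})
    for ev in parse_events(xml_text):
        d = ev["data"]
        anon_logon = (ev["id"] == 4624 and d.get("LogonType") == "3"
                      and d.get("TargetUserName", "").upper() == "ANONYMOUS LOGON")
        ipc_access = (ev["id"] == 5140
                      and d.get("SubjectUserName", "").upper() == "ANONYMOUS LOGON"
                      and d.get("ShareName", "").upper().endswith("IPC$"))
        if anon_logon or ipc_access:
            f = findings[d.get("IpAddress", "-")]
            f["anonymous_logons" if anon_logon else "ipc_share_access"] += 1
            f["targets"].add(ev["computer"])
    return {ip: {**v, "targets": sorted(v["targets"])} for ip, v in findings.items()}


if __name__ == "__main__":
    for ip, f in find_null_sessions(SAMPLE_EVENTS).items():
        print(f"{ip}: {f['anonymous_logons']} anonymous logon(s), "
              f"{f['ipc_share_access']} IPC$ access(es) on {', '.join(f['targets'])}")
```

Anonymous network logons also occur legitimately (domain controllers talking to each other, some printers and NAS boxes), so baseline the sources first and alert on new ones; a source that both logs on anonymously and touches IPC$ within a short window is the pattern the demo above produces.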
NetBIOS Enumeration Tools
Nbtstat command
– Powerful enumeration tool included with the Microsoft OS
– Displays the NetBIOS name table (nbtstat -A ip-address queries a remote host)
NetBIOS Enumeration Tools
Net view command
– Shows whether there are any shared resources on a network host
NetBIOS Enumeration Tools (continued)
Net use command
– Used to connect to a computer with shared folders or files
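What nbtstat -A and NBTscan actually do is send one UDP/137 node status query and decode the name table in the reply; the 16-byte names and service suffixes from the NetBIOS Basics and NetBIOS Suffixes slides are exactly what comes back. The script below is an added example written for this edit, not the code of nbtstat or NBTscan: it builds the 16-byte name, applies the RFC 1001/1002 first-level encoding used on the wire, builds the NBSTAT query, and parses a node status response. The suffix values are the standard ones; the host name FILESRV01, the domain CORP and the MAC address in the constructed response are sample data.

```python
"""NetBIOS name encoding plus an nbtstat-style node status query and parser."""
import socket
import struct
import sys

# Common service suffixes (16th byte of a NetBIOS name); see link Ch 6h for the full list.
SUFFIXES = {
    0x00: "Workstation Service",
    0x03: "Messenger Service",
    0x06: "RAS Server Service",
    0x1B: "Domain Master Browser",
    0x1C: "Domain Controllers",
    0x1D: "Master Browser",
    0x1E: "Browser Service Elections",
    0x20: "File Server Service",
}
NBSTAT, CLASS_IN = 0x0021, 0x0001


def netbios_name(name: str, suffix: int) -> bytes:
    """15 upper-case characters, space-padded, followed by the one-byte suffix."""
    raw = name.upper().encode("ascii")
    if len(raw) > 15:
        raise ValueError("NetBIOS names are at most 15 characters")
    return raw.ljust(15, b" ") + bytes([suffix])


def encode_first_level(name16: bytes) -> bytes:
    """RFC 1001 first-level encoding: each nibble becomes a letter 'A'..'P' (32 bytes out)."""
    return bytes(b for c in name16 for b in (0x41 + (c >> 4), 0x41 + (c & 0x0F)))


def decode_first_level(enc: bytes) -> bytes:
    return bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, len(enc), 2))


def build_nbstat_query(txid: int = 0x1234) -> bytes:
    """Node status request for the wildcard name '*' (NUL-padded), the query nbtstat -A sends."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)       # 1 question, no flags
    qname = bytes([32]) + encode_first_level(b"*" + b"\x00" * 15) + b"\x00"
    return header + qname + struct.pack(">HH", NBSTAT, CLASS_IN)


def parse_nbstat_response(pkt: bytes) -> dict:
    """Decode a NODE STATUS RESPONSE (RFC 1002 4.2.18): name table, flags and MAC address."""
    _txid, flags, _qd, an, _ns, _ar = struct.unpack_from(">HHHHHH", pkt, 0)
    if not flags & 0x8000 or an < 1:
        raise ValueError("not a node status response")
    off = 12
    off += 1 + pkt[off] + 1                                          # RR_NAME: len, label, terminator
    rtype, _rclass, _ttl, _rdlen = struct.unpack_from(">HHIH", pkt, off)
    off += 10
    if rtype != NBSTAT:
        raise ValueError("unexpected RR type 0x%04x" % rtype)
    num = pkt[off]
    off += 1
    names = []
    for _ in range(num):                                             # 18 bytes per entry
        raw, (nflags,) = pkt[off:off + 16], struct.unpack(">H", pkt[off + 16:off + 18])
        off += 18
        names.append({
            "name": raw[:15].decode("ascii", "replace").rstrip(),
            "suffix": raw[15],
            "service": SUFFIXES.get(raw[15], "unknown"),
            "group": bool(nflags & 0x8000),                          # G bit: group vs unique name
        })
    mac = pkt[off:off + 6]                                           # STATISTICS begins with UNIT_ID
    return {"names": names, "mac": ":".join("%02x" % b for b in mac)}


def build_nbstat_response(txid: int, entries, mac: bytes) -> bytes:
    """Constructed response used as offline sample input (entries: (name, suffix, is_group))."""
    body = bytes([len(entries)])
    for name, suffix, group in entries:
        body += netbios_name(name, suffix) + struct.pack(">H", (0x8000 if group else 0) | 0x0400)
    body += mac + b"\x00" * 40                                       # UNIT_ID then counters
    qname = bytes([32]) + encode_first_level(b"*" + b"\x00" * 15) + b"\x00"
    header = struct.pack(">HHHHHH", txid, 0x8400, 0, 1, 0, 0)       # response + authoritative
    return header + qname + struct.pack(">HHIH", NBSTAT, CLASS_IN, 0, len(body)) + body


def node_status(target: str, timeout: float = 2.0) -> dict:
    """Send the query to UDP/137 on a live host and parse the reply."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.sendto(build_nbstat_query(), (target, 137))
        data, _ = s.recvfrom(4096)
    finally:
        s.close()
    return parse_nbstat_response(data)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        result = node_status(sys.argv[1])
    else:  # constructed sample: a member server named FILESRV01 in domain CORP
        result = parse_nbstat_response(build_nbstat_response(
            0x1234, [("FILESRV01", 0x00, False), ("FILESRV01", 0x20, False),
                     ("CORP", 0x00, True), ("CORP", 0x1C, True)], bytes.fromhex("001122334455")))
    print("MAC", result["mac"])
    for n in result["names"]:
        print("%-15s <%02X> %-6s %s" % (n["name"], n["suffix"], "GROUP" if n["group"] else "UNIQUE", n["service"]))
```

A <1C> group entry in the reply means the host is a domain controller for that domain, and a <20> unique entry means the file server service is running, which is what the Net view and Net use steps go on to exploit; the query is unauthenticated, so it works whether or not a null session is allowed.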
Additional Enumeration Tools
Windows tools included with BackTrack
– Smb4K tool
DumpSec
Hyena
Nessus and OpenVAS
Using Windows Enumeration Tools
BackTrack Smb4K tool
– Used to enumerate Windows computers in a network
Figure 6-6 Using Smb4K on a Windows network
DumpSec
Enumeration tool for Windows systems
– Produced by SomarSoft
Allows user to connect to a server and "dump":
– Permissions for shares
– Permissions for printers
– Permissions for the Registry
– Users in column or table format
– Policies
– Rights
– Services
Hyena
Excellent GUI product for managing and securing Windows OSs
– Shows shares and user logon names for Windows servers and domain controllers
– Displays a graphical representation of:
  Microsoft Terminal Services
  Microsoft Windows Network
  Web Client Network
  Find User/Group
Figure 6-8 The Hyena interface
Nessus and OpenVAS
OpenVAS
– Operates in client/server mode
– Open-source descendant of Nessus
Popular tool for identifying vulnerabilities
Nessus Server and Client
– Latest version can run on Windows, Mac OS X, FreeBSD, and most Linux distributions
– Handy when enumerating different OSs on a large network
  Many servers in different locations
Figure 6-10 The Nessus session window
Figure 6-12 The Connection Manager dialog box
Figure 6-13 Nessus ready to scan
Figure 6-14 Nessus enumerates a NetBIOS system
Figure 6-15 Enumerating shares in Nessus
Figure 6-16 Nessus indicates the OS and service pack
Enumerating the NetWare Operating System
Novell NetWare
– Some security professionals see it as a "dead" OS
– Ignoring an OS can limit your career as a security professional
NetWare
– Novell does not offer any technical support for versions before 6.5
Table 6-3 NetWare OS descriptions
NetWare Enumeration Tools
NetWare 5.1
– Still used on many networks
New vulnerabilities are discovered daily
– Vigilantly check vendor and security sites
Example
– Older version of Nessus used to scan a NetWare 5.1 server
Figure 6-17 Nessus enumerates a NetWare server
Figure 6-18 Enumerating eDirectory in Nessus
Figure 6-19 Nessus discovers the FTP account’s username and password
Figure 6-20 Nessus enumerates several user accounts
NetWare Enumeration Tools (cont'd.)
Novell Client for Windows
– Gathers information on shares and resources
Vulnerability in NetWare OS
– You can click the Trees, Contexts, and Servers buttons without a login name or password
  Opens dialog boxes showing network information
Figure 6-22 Logging in with credentials supplied by Nessus
Figure 6-23 Information displayed after the NetWare login is accepted
Figure 6-24 Accessing NetWare through mapped drives
Enumerating the *nix Operating System
Several variations
– Solaris and OpenSolaris
– HP-UX
– Mac OS X and OpenDarwin
– AIX
– BSD UNIX
– FreeBSD
– OpenBSD
– NetBSD
– Linux, including several distributions
UNIX Enumeration
Finger utility
– Most popular enumeration tool for security testers
– Finds out who is logged in to a *nix system
– Determines who was running a process
Nessus
– Another important *nix enumeration tool
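Finger is a trivial protocol (RFC 1288): open TCP port 79, send a user name followed by CRLF, or just CRLF to list everyone logged in, and read until the server closes. The script below is an added example written for this edit, not from the slides or the finger command itself: finger_query() performs that exchange against a live host, and parse_finger_list() turns the short-format listing most finger daemons print into records, including the remote address each user logged in from, which is the part a tester wants. The sample listing and its user names and addresses are constructed for the example; the request builder refuses user@host forwarding requests because RFC 1288 servers may relay them.

```python
"""Finger (TCP/79) client and parser for the short-format user listing."""
import socket

# Constructed sample listing in the column layout most finger daemons print.
SAMPLE_LISTING = (
    "Login     Name             Tty      Idle  Login Time   Office     Office Phone\n"
    "root      root             tty1       2d  Feb 20 09:14\n"
    "alice     Alice Liddell    pts/0          Feb 22 10:02 (10.0.0.5)\n"
    "bob       Bob Smith        pts/1       3  Feb 22 10:30 (10.0.0.77)\n"
)


def build_request(user: str = "", verbose: bool = False) -> bytes:
    """'[/W ]user CRLF'; an empty user asks for the list of logged-in users."""
    # Refuse forwarding ("user@host") and control characters: servers may relay
    # such requests to third parties, and a scanner should never do that by accident.
    if "@" in user or any(ord(c) < 0x20 for c in user):
        raise ValueError("refusing to build a forwarding or non-printable finger request")
    return (("/W " if verbose else "") + user + "\r\n").encode("ascii")


def finger_query(host: str, user: str = "", verbose: bool = False, timeout: float = 5.0) -> str:
    """Perform one finger exchange and return the server's text."""
    with socket.create_connection((host, 79), timeout=timeout) as s:
        s.sendall(build_request(user, verbose))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:                 # server closes the connection when done
                break
            chunks.append(data)
    return b"".join(chunks).decode("latin-1")


def parse_finger_list(text: str) -> list:
    """Parse the short-format listing into dicts keyed by column name plus 'From'."""
    lines = text.splitlines()
    try:
        hidx = next(i for i, l in enumerate(lines) if l.startswith("Login"))
    except StopIteration:
        return []                        # "No one logged on" or a single-user reply
    header = lines[hidx]
    cols = ["Login", "Name", "Tty", "Idle", "Login Time", "Office"]
    starts = [header.index(c) for c in cols]   # column offsets come from the header
    records = []
    for line in lines[hidx + 1:]:
        line = line.rstrip()
        if not line:
            continue
        host = ""
        if line.endswith(")") and "(" in line:   # "(10.0.0.5)" is where the user came from
            host = line[line.rindex("(") + 1:-1]
            line = line[:line.rindex("(")]
        rec = {c: line[starts[i]:(starts[i + 1] if i + 1 < len(cols) else None)].strip()
               for i, c in enumerate(cols)}
        rec["From"] = host
        records.append(rec)
    return records


if __name__ == "__main__":
    import sys
    text = finger_query(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LISTING
    for r in parse_finger_list(text):
        print(f"{r['Login']:10} {r['Tty']:8} idle={r['Idle'] or '-':4} from={r['From'] or 'console'}")
```

The From column is the payoff: it hands the tester valid user names plus the addresses of the workstations those users sit at, which is why fingerd is normally disabled or firewalled today.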
Figure 6-25 Using the Finger command
Figure 6-26 Nessus enumerates a Linux system