Chapter 6 Enumeration

Question 1

Phase 3: Enumeration

Answer 1

process of extracting info from target in an organized and methodical manner by initiating active connections (may be crossing legal boundaries)

Info includes:

• strengths & weaknesses of system;
• NW resources & shares
• Users & groups
• routing tables
• machine names
• apps & banners
• SNMP & DNS details
• ARP tables
• traffic stats

Question 2

Enumeration Techniques

Answer 2

1) Extracting info from Email IDs
2) Obtaining info through Default PWs
3) Using Brute-force attacks on Directory Services
4) Exploiting SNMP
5) Working w/ DNS Zone Transfers
6) Capturing User Groups

Question 3

1) Extracting info from Email IDs

Answer 3

used to obtain username & domain name info

e-mail address contains two parts, the first before @ is username, and after @ is the domain

Question 4

2) Obtaining info through Default PWs

Answer 4

every device has default settings in place

Question 5

3) Using Brute-force attacks on Directory Services

Answer 5

a directory service is a DB that contains info used to administer the NW; many directories are vulnerable to input verification deficiencies that may be exploited in discovering & compromising user accounts

Question 6

4) Exploiting SNMP

Answer 6

The Simple NW Mgmt Protocol can be exploited by an attacker who can guess the strings & use them to extract usernames

Question 7

5) Working with DNS Zone Transfers

Answer 7

Zone transfer in DNS is used to synchronize server info; contains info that could map the NW

info could fall into wrong hands

Question 8

6) Capturing Users Groups

Answer 8

extract user accounts from specified groups, storing the results, & determining whether the session accounts are in the group

Question 9

Windows

Answer 9

designed to be used as either stand-alone or in networked environment; the following will be assumed for NW setup only

Question 10

Define users

Processes in Windows are run under one of the following user contexts:

Answer 10

Users are most responsible for controlling access to the system

1) Local Service - user account w/ high than normal access to the local system but only limited access to the NW
2) NW service - A user account w/ normal access to the NW but only limited access to the local system
3) System - A super-user style account that has nearly unlimited access to the local system
4) Current User - The currently logged-in user, who can run applications & tasks but is still subject to restrictions that other users are not subject to. The restrictions on this account hold true even if the user account being used is an Admin account

Question 11

Groups

Default Groups in Windows:

Answer 11

groups are used to simplify mgmt; they are effective admin tools that enable mgmt of multiple users;

1) Anonymous Logon Designed - to allow anonymous access to resources; typically used when accessing a web server or web applications
2) Batch - used to allow batch jobs to run schedule tasks, such as a nightly cleanup job that deletes temporary files
3) Creator Group - Windows 2000 uses this group to automatically grant access permissions to users who are members of the same group(s) as the creator of a file
4) Creator Owner - the person who created the file is a member of this group. Windows 2000 & later uses this group to automatically grant access permissions to the creator of the file
5) Everyone - All users are members of this group; This group is used to give wide access to a system resource
6) Interactive - any user logged on to the local system has the Interactive identity, which allows only local users to access a resource
7) Network - Any user accessing the system through a NW has the NW identity, which allows only remote users to access a resource
8) Restricted Users & computers with restricted capabilities have the restricted identity. On a member server or workstation, a local user who is a member of the Users group (rather than the Power Users group) has this identity.
9) Self- refers to the object & allows the object to modify itself
10) Service - any service accessing the system has the Service identity, which grants access to processes run
11) System - The OS has the System identity, which is used when the OS needs to perform a system-level function
12) Terminal Server User - allows Terminal Server users to access Terminal Server applications & to perform other necessary tasks w/ terminal services

Question 12

Security Identifiers (SID)

Answer 12

Each user account in windows has an SID (S-1-3-43-4993949…) Even though you use a username to access the system, Windows identifies each user, group, or object by the SID. Windows uses the SID to match passwords and check permissions

Question 13

Services & ports of interest for Enumeration phase:

Answer 13

1) TCP 53
2) TCP 135
3) TCP 137
4) TCP 139
5) TCP 445
6) UDP 161 and 162
7) TCP/UDP 389
8) UCP/UDP 3368
9) TCP 25

Question 14

1) TCP 53

Answer 14

Used for DNS Zone Transfers; DNS system keeps servers up to date w/ latest Zone data

Question 15

2) TCP 135

Answer 15

communications between client-server apps, such as Microsoft Outlook to communicate w/ Microsoft Exchange

Question 16

3) TCP 137

Answer 16

associated w/ NetBIOS Name Service (NBNS) is designed to provide name resolution services involving the NetBIOS protocol;

The service allows NetBIOS to associate names & IP addresses of individuals systems & services; This service is a natural & easy target for many attackers

Question 17

4) TCP 139

Answer 17

NetBIOS Session Service, aka SMB over NetBIOS; management of connections between NetBIOS-enabled clients & apps; service is used by NetBIOS to establish connections & tear them down when they are no longer needed

Question 18

5) TCP 445

Answer 18

SMB over TCP

Question 19

6) UDP 161 and 162

Answer 19

SNMP is a protocol used to manage & monitor NW devices & hosts; The protocol is designed to facilitate messsaging, monitoring, auditing, & other capabilities;

Listening takes place on 161 & traps are received on 162

Question 20

7) TCP/UDP 389

Answer 20

LDAP (Lightweight Directory Access Protocol) is used by many apps; Two of the most common are Active Directory & Exchange;

Used to exchange info beetween two parties; If this port is open, that means one of these or a similar product is present

Question 21

8) TCP/UDP 3368

Answer 21

Global Catalog Service associated w/ AD;

service used to locate information within AD

Question 22

9) TCP 25

Answer 22

SMTP (Simple Mail Transfer Protocol) is used for the transmission of messages in the form of e-mail across NWs.

Question 23

NetBIOS - a blessing to some & a curse to others, why?

Answer 23

NetBIOS API was used to assist in the access to resources on a LAN only; Used 16 char names, the first 15 identifying the machine & the last char representing a service or item on the machine itself; It resolves NetBIOS names to IP addresses

Much info can be found here; Using scanning techniques, an attacker can find port 139 open; they can attempt to view or access info such as file shares, printing shares, usernames, group info, etc

One of the tools used to work w/ NetBIOS is a command-line utility nbtstat; This can display info, including name tables, protocol stats, etc; actually used to locate problems w/ NetBIOS over TCP/IP

Has the baility to return names registered with the WINS (Windows Internet Naming Service)

Question 24

Tasks that can be done w/ nbtstat

Answer 24

command line

nbtstat -a
—-This returns the NetBIOS name table & mandatory access control (MAC) address of the address card the computer name specified

nbtstat -A
—-Lists the same info as -a but using IP

• c (lists contents of the NetBIOS name cache)
• n (displays names registered locally by NetBIOS)
• r (displays count of all names resolved by broadcast)
• s (lists sessions table & converts destination IP addresses to computer NetBIOS names)
• S (lists the current NetBIOS sesssions & their statuses, along w/ IPs)

Question 25

Null Sessions

Answer 25

allows clients of a connection to access certain types of info across the NW; it is something that occurs when a connection is made w/ out credentials being provided

Connection can only be made at a special location called the interprocess communication (IPC), an administrative share;

Info obtained:

• List of users & groups
• List of machines
• List of shares
• Users & host SIDs

The NULL session allows access to a system using a special account called a NULL user; can be used to reveal info while not requiring username or PW

Question 26

How to exploit a NULL session

Answer 26

Attach to the system by:
net use \hostnameorIP\ipc$ “ \user:”

View the shares available:
net view \hostnameorIP

Once an attacker has this list of shares, next step is to connect to a share & view the data:
net use s: \hostnameorIP\sharedFolderName

Question 27

SNMP

Answer 27

app layer protocol functions using UDP; used in mgmt of devices such as routers, hubs, swtiches, etc; It comes in 3 versions; main requirement is the NW is running TCP/IP protocol

SNMPv1 - introduced a standardized protocol managing NW devices; does not include any security measures

SNMPv2 - backwards compatible w/ SNMPv1, offered security features

SNMPv3 - latest; increased emphasis on security in two areas:

  1) Authentication - ensure traps are read by only the intended recipient
  2) Privacy - encrypts the payload of the SNMP msg to ensure it cannot be read by unauthorized users

Question 28

Enumeration w/ SNMP

Answer 28

leverage weakness in the protocol to reveal user accounts & devices on a target;

The system works through the user of the agent & mgmt station:

1) The SNMP mgmt station sends a request to the agent
2) The agent receives the request & sends back a reply

Question 29

Management Information Base (MIB)

Answer 29

DB containing descriptions of NW objects that can be managed through SNMP; it is the collection of hierarchically organized information;

MIB elements are recognized by object identifiers (OID); Each OID begins w/ the root of the MIB tree;

Question 30

Scalar Objects

Tabular Objects

Answer 30

MIB-managed objects include:

1) Scalar Objects define a single object instance
2) Tabular objects define groups of related object instances

Question 31

What do Object Identifiers include?

Answer 31

object’s type (counter, string, address), access level (r, r/w), size restrictions, range info

Question 32

MIB & SNMP mgr

Answer 32

MIB is used as a codebook by SNMP mgr for converting the OID #s into human readable display

Question 33

SNMP passwords (attackers can take adv of default PWs here)

SNMP protocol tends to contain 2 passwords:

Answer 33

SNMP protocol tends to contain 2 passwords used to both configure and read the info from an agent:
1) Read community String - configuration of the device or system can be viewed w/ the help of this PW; These strings are public

2) Read/write community string - configuration on the device can be viewed and changed using this PW; These strings are private
tools: SNScan

Question 34

Unix & Linux Enumeration commands

Answer 34

1) finger command
finger username
—returns info about a user on a given system (i.e. user’s home directory, login time, idle times, office location, last time they both received or read mail)

Switches that be used w/ the finger command include:

• b //removes home directory & shell from user display
• f //removes header info from display
• w //removes full name from display
• l //returns list of users

2) rpcinfo command
rpcinfo hostname
—enumerates info over RPC (remote procedure call) protocol

Switches used:

• m //displays list of stats for RPC on given host
• s //displays list registered RPC apps on given host

3) showmount command
/usr/sbin/showmount [- ade ] [hostname]
—lists & identifies shared directories on given system; also displays list of all clients that have remotely mounted a file system

Switches used:

• a //prints all remote mounts
• d //lists directories that have been remotely mounted by clients
• e //prints list of shared file systems

Question 35

LDAP

Answer 35

Lightweight Directory Access Protocol - used to query and organize DBs

Question 36

A directory is

Answer 36

A directory is a DB, but the data is organized in a hierarchical or logical format

Question 37

LDAP enumeration

Answer 37

the queries performed through LDAP against a DB tend to disclose sensitive data that could be leveraged by an attacker

Question 38

NTP & port #

Answer 38

protocol used to synchronize the clocks across hosts on a NW; important b/c directory services rely on clock settings for logon purposes

uses UDP Port 123 for communication purposes

Question 39

NTP enumeration commands

Answer 39

The following commands can be used against an NTP server

1) ntpdate
2) ntptrace
3) ntpdc
4) ntpq

Question 40

SMTP

Answer 40

protocol used to send messages between servers that send & receive e-mail

Question 41

SMTP enumeration command: VRFY

Answer 41

using telnet & VRFY in cmd:

//SMTP uses port 25
//use telnet command to attach to the target & extract info; use VRFY command to check if specific user ID is present

telnet 25
//connected
VRFY username
//response

**Countermeasure - deactivate VRFY command, but before doing so, research to determine if your environment needs to have that command enabled

Question 42

SMTP enumeration command: EXPN

Answer 42

similar to VRFY, but rather than returning on user, it returns all users on a distribution list

telnet 25
//connect
EXPN

Question 43

SMTP enumeration command: RCPT TO

Answer 43

identifies the recipient of an email message

telnet  25
MAIL FROM: link
//response
RCPT TO:link
//response

Question 44

SMTP Relay

Answer 44

lets users send emails through external servers;

spammers & hackers can use email server to send spam/malware through email

Question 45

A ______ is used to connect to a remote system using NetBIOS

Answer 45

A NULL session can be used to connect to a remote system via the ipc$ share

Question 46

Which command can be used to view NetBIOS information?

Answer 46

nbtstat

Question 47

SNScan is used to access information for which protocol

Answer 47

SNMP

Question 48

SNMP is used to

Answer 48

Monitor NW devices & trap messages