Chapter 6 Enumeration Flashcards

1
Q

1) Extracting info from Email IDs

A

used to obtain username & domain name info

an e-mail address contains two parts: the part before @ is the username, and the part after @ is the domain

2
Q

3) Using Brute-force attacks on Directory Services

A

a directory service is a DB that contains info used to administer the NW; many directories are vulnerable to input verification deficiencies that may be exploited in discovering & compromising user accounts

3
Q

4) Exploiting SNMP

A

The Simple NW Mgmt Protocol can be exploited by an attacker who can guess the strings & use them to extract usernames

4
Q

5) Working with DNS Zone Transfers

A

Zone transfer in DNS is used to synchronize server info; contains info that could map the NW

info could fall into wrong hands

5
Q

6) Capturing Users Groups

A

extract user accounts from specified groups, storing the results, & determining whether the session accounts are in the group

6
Q

Windows User Contexts (4)

A

Users are most responsible for controlling access to the system

1) Local Service - user account w/ higher than normal access to the local system but only limited access to the NW
2) NW service - A user account w/ normal access to the NW but only limited access to the local system
3) System - A super-user style account that has nearly unlimited access to the local system
4) Current User - The currently logged-in user, who can run applications & tasks but is still subject to restrictions that other users are not subject to. The restrictions on this account hold true even if the user account being used is an Admin account

7
Q

Security Identifiers (SID)

A

Each user account in Windows has an SID (S-1-3-43-4993949…). Even though you use a username to access the system, Windows identifies each user, group, or object by the SID. Windows uses the SID to match passwords and check permissions

8
Q

1) TCP 53

A

Used for DNS Zone Transfers; DNS system keeps servers up to date w/ latest Zone data

9
Q

2) TCP 135

A

communications between client-server apps, such as Microsoft Outlook to communicate w/ Microsoft Exchange

10
Q

3) TCP 137

A

associated w/ NetBIOS Name Service (NBNS), which is designed to provide name resolution services involving the NetBIOS protocol;

The service allows NetBIOS to associate names & IP addresses of individual systems & services; This service is a natural & easy target for many attackers

11
Q

4) TCP 139

A

NetBIOS Session Service, aka SMB over NetBIOS; management of connections between NetBIOS-enabled clients & apps; service is used by NetBIOS to establish connections & tear them down when they are no longer needed

12
Q

5) TCP 445

A

SMB over TCP

13
Q

6) UDP 161 and 162

A

SNMP is a protocol used to manage & monitor NW devices & hosts; The protocol is designed to facilitate messaging, monitoring, auditing, & other capabilities;

Listening takes place on 161 & traps are received on 162

14
Q

7) TCP/UDP 389

A

LDAP (Lightweight Directory Access Protocol) is used by many apps; Two of the most common are Active Directory & Exchange;

Used to exchange info between two parties; If this port is open, that means one of these or a similar product is present

15
Q

8) TCP/UDP 3368

A

Global Catalog Service associated w/ AD;

service used to locate information within AD

16
Q

9) TCP 25

A

SMTP (Simple Mail Transfer Protocol) is used for the transmission of messages in the form of e-mail across NWs.

17
Q

Null Sessions

A

allows clients of a connection to access certain types of info across the NW; it is something that occurs when a connection is made w/o credentials being provided

Connection can only be made at a special location called the interprocess communication (IPC), an administrative share;

Info obtained:

  • List of users & groups
  • List of machines
  • List of shares
  • Users & host SIDs

The NULL session allows access to a system using a special account called a NULL user; can be used to reveal info while not requiring username or PW

18
Q

SNMP

A

app layer protocol functions using UDP; used in mgmt of devices such as routers, hubs, switches, etc; It comes in 3 versions; main requirement is the NW is running TCP/IP protocol

SNMPv1 - introduced a standardized protocol managing NW devices; does not include any security measures

SNMPv2 - backwards compatible w/ SNMPv1, offered security features

SNMPv3 - latest; increased emphasis on security in two areas:

  1) Authentication - ensure traps are read by only the intended recipient
  2) Privacy - encrypts the payload of the SNMP msg to ensure it cannot be read by unauthorized users
19
Q

Management Information Base (MIB)

A

DB containing descriptions of NW objects that can be managed through SNMP; it is the collection of hierarchically organized information;

MIB elements are recognized by object identifiers (OID); Each OID begins w/ the root of the MIB tree;

20
Q

What do Object Identifiers include?

A

object’s type (counter, string, address), access level (r, r/w), size restrictions, range info

21
Q

SNMP passwords (attackers can take adv of default PWs here)

SNMP protocol tends to contain 2 passwords:

A

SNMP protocol tends to contain 2 passwords used to both configure and read the info from an agent:
1) Read community String - configuration of the device or system can be viewed w/ the help of this PW; These strings are public

2) Read/write community string - configuration on the device can be viewed and changed using this PW; These strings are private
tools: SNScan

22
Q

LDAP

A

Lightweight Directory Access Protocol - used to query and organize DBs

23
Q

NTP port #

A

protocol used to synchronize the clocks across hosts on a NW; important b/c directory services rely on clock settings for logon purposes

uses UDP Port 123 for communication purposes

24
Q

SMTP

A

protocol used to send messages between servers that send & receive e-mail

25
Q

SMTP Relay

A

lets users send emails through external servers;

spammers & hackers can use email server to send spam/malware through email

26
Q

MIB Tabular objects

A

2) Tabular objects define groups of related object instances

27
Q

MIB Scalar Objects

A

1) Scalar Objects define a single object instance

28
Q

Windows User Group

Anonymous Logon

A

1) Anonymous Logon - designed to allow anonymous access to resources; typically used when accessing a web server or web applications

29
Q

Windows User Group

Batch

A

2) Batch - used to allow batch jobs to run scheduled tasks, such as a nightly cleanup job that deletes temporary files

30
Q

Windows User Group

Creator Group

A

3) Creator Group - Windows 2000 uses this group to automatically grant access permissions to users who are members of the same group(s) as the creator of a file

31
Q

Windows User Group

Creator Owner

A

4) Creator Owner - the person who created the file is a member of this group. Windows 2000 & later uses this group to automatically grant access permissions to the creator of the file

32
Q

Windows User Group

Everyone

A

5) Everyone - All users are members of this group; This group is used to give wide access to a system resource

33
Q

Windows User Group

Interactive

A

6) Interactive - any user logged on to the local system has the Interactive identity, which allows only local users to access a resource

34
Q

Windows User Group

Network

A

7) Network - Any user accessing the system through a NW has the NW identity, which allows only remote users to access a resource

35
Q

Windows User Group

Restricted

A

8) Restricted - Users & computers with restricted capabilities have the restricted identity. On a member server or workstation, a local user who is a member of the Users group (rather than the Power Users group) has this identity.

36
Q

Windows User Group

Self

A

9) Self - refers to the object & allows the object to modify itself

37
Q

Windows User Group

Service

A

10) Service - any service accessing the system has the Service identity, which grants access to processes run

38
Q

Windows User Group

System

A

11) System - The OS has the System identity, which is used when the OS needs to perform a system-level function

39
Q

Windows User Group

Terminal Server User

A

12) Terminal Server User - allows Terminal Server users to access Terminal Server applications & to perform other necessary tasks w/ terminal services