Ch 3 - Enumeration
Link to PDF of powerpoint presentation http://dl.dropbox.com/u/68566/Enumeration.pdf
What is Enumeration?
- Probing identified open services as found in last chapter.
- Enumeration is different from information gathering because of an increased level of intrusiveness.
- Involves active connections with target, and will and should be logged/noticed.
- Tends to be platform-specific, and depends greatly on the information found by port-scanning.
- Often port-scanning and enumeration tools are bundled together.
Basic Banner Grabbing
- Banner grabbing is connecting to remote applications and observing what the host sends back.
- Ex. telnet www.example.com 80 or nc -v www.example.com 80
- See what information is returned in the header/banner
- Main information you can get back is server software and version
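An added example (not from the slides or the class notes) of the banner grab above done in Python: it sends the same HEAD request that nc or telnet would, reads the reply, and pulls out the server software and version, which is the main thing a banner gives away. The sample response is constructed, and the host/port arguments are placeholders.

```python
import re
import socket

# Constructed sample of what a web server might send back to "HEAD / HTTP/1.0"
# (not captured from any real host).
SAMPLE_HTTP_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.2.14 (Ubuntu)\r\n"
    b"Content-Type: text/html\r\n\r\n"
)

# What to send per port. HTTP answers only after a request; FTP and SMTP
# greet first, so an empty probe just reads the greeting.
PROBES = {80: b"HEAD / HTTP/1.0\r\n\r\n", 21: b"", 25: b""}

def grab_banner(host, port, timeout=5.0):
    """Connect like 'nc -v host port', send the probe and return the raw reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        probe = PROBES.get(port, b"\r\n")
        if probe:
            s.sendall(probe)
        chunks = []
        try:
            while True:  # read until the server closes or stops talking
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass
        return b"".join(chunks)

def parse_banner(raw):
    """Return (software, version) from an HTTP Server header or a 2xx
    FTP/SMTP greeting; version is None if the banner names no version."""
    text = raw.decode("latin-1", errors="replace")
    m = re.search(r"^Server:\s*([^\r\n]+)", text, re.M | re.I)
    if not m:
        m = re.search(r"^2\d\d[ -](.+)$", text, re.M)
    if not m:
        return None, None
    banner = m.group(1).strip()
    v = re.search(r"([A-Za-z][A-Za-z0-9_-]*)[/ ]v?(\d+(?:\.\d+)*)", banner)
    if v:
        return v.group(1), v.group(2)
    return banner, None

if __name__ == "__main__":
    print(parse_banner(SAMPLE_HTTP_RESPONSE))  # ('Apache', '2.2.14')
```

Running the same parser against your own hosts shows exactly what version string they hand to anyone who connects, which is what the hardening advice in this chapter is about.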
Enumerating Common Network Services
- Some of the highest-risk services that you should be aware of and block are
- NetBIOS Session, TCP 139/445
- Finger, TCP 79
- SNMP, UDP 161
- UNIX RPC, TCP/UDP 111 and 32771
- Some other notable risky services
- Enumerating Microsoft RPC Endpoint Mapper, TCP 135
- Novell NetWare Enum., TCP 524 and IPX
NetBIOS Session
- Null NetBIOS Session is the holy grail of enumeration
- Network file sharing and printing uses SMB, and SMB passes rich system information to anyone.
- Once connected, the hacker has an open channel over which to try other techniques; it can be used to find…
- Network information, shares, users, groups, registry keys, etc.
- Stop these attacks by restricting user access to ports 139/445; SMB could also be disabled on individual NT hosts
Finger
- One of the oldest tricks in the book for enumerating users.
- In the beginning, Finger was a simple, useful program for giving out user information.
- Works only on hosts that have Finger running, and port 79 open.
- Simple to fix; there is no excuse to leave it open and running.
SNMP
- Designed to provide intimate information about network devices, software, and systems.
- Makes it a frequent target for hackers
- Data is protected by a simple password-style authentication system known as a community string
- Most devices default to the community string "public"
- Makes it very easy to get in and identify devices
UNIX RPC
- Applications use to talk over the network
- The most popular way of doing so
- Can tell attackers what types of services and file systems are running
- The only way to limit these connections is to require authentication for RPC access, or to use a system that uses encrypted keys for access.
Enumerating MS RPC Endpoint Mapper
- Some Microsoft systems have this endpoint or portmapper service running
- Attackers can query the service to find out about other applications and services available on the target machine.
- Best to restrict access to port 135
- Can cause problems for Exchange servers when remote users try to connect
- Best to use a VPN to let remote users in
Novell NetWare Enum.
- Microsoft is not alone with null session holes
- The hole in NetWare is even worse because it allows anyone to discover servers, trees, groups, printers, and usernames without even logging in to a server
- Block access to port 524 and add an inheritance rights filter (IRF) to the root of the tree to keep users from viewing it
Summary
- Windows family SMB makes it easy to find user credentials, file system exports, and application info.
- Often thought of as the holy grail to hackers.
- SNMP: if improperly configured to use the public community string, it can give out lots of information to anyone.
- Leaking OS: Finger gives away too much information and is often enabled by default.
- Limit RPC access to authenticated users or use encryption.
Quiz and Answers
1. What is the “holy grail” to hackers?
NetBIOS / SMB / Null NetBIOS Session
2. What is the main information you can get from a banner grab?
Server software and version
3. Name the two things you need to do to secure the Finger leak?
Disable service and block port
4. What service if set to use a standard community string will return lots of information to anyone?
SNMP
5. What two ways can you use to stop access to RPC?
Limit to authenticated users and/or use encryption
Here are the examples Dr. A gave in class
(some of these are Linux, others are Windows)
NetCat
nc -v www.scotnpatti.com 80
HEAD / HTTP/1.0 (press enter) (press enter)
FTP
www.scotnpatti.com (bad) www.cs.southern.edu (good)
SMTP
telnet email.scotnpatti.com
vrfy root
vrfy scot
vrfy jane
DNS
dig @peter.cs.andrews.edu southern.edu axfr //works here, but may not work elsewhere
BindVersion
dig @ns1.someuniversitythatdoesen'texist.edu version.bind txt chaos
Back to Cptr427Winter2010