Ch 3 - Enumeration - Matt Zuehlke

Link to PDF of powerpoint presentation http://dl.dropbox.com/u/68566/Enumeration.pdf

What is Enumeration?

  • Probing the open services identified by the port scanning in the last chapter.
  • Enumeration differs from information gathering in its increased level of intrusiveness.
  • Involves active connections with the target, and will (and should) be logged and noticed.
  • Tends to be platform-specific, and depends greatly on the information found by port scanning.
  • Often, port-scanning and enumeration tools are bundled together.

Basic Banner Grabbing

  • Banner grabbing is connecting to remote applications and observing what the host sends back.
  • Ex. telnet www.example.com 80 or nc -v www.example.com 80
  • See what information is returned in the header/banner
  • Main information you can get back is server software and version

Enumerating Common Network Services

  • Some of the highest risk services that you should be aware of and block are
    • NetBIOS Session, TCP 139/445
    • Finger, TCP 79
    • SNMP, UDP 161
    • UNIX RPC, TCP/UDP 111 and 32771
  • Some other notable risky services
    • Enumerating Microsoft RPC Endpoint Mapper, TCP 135
    • Novell NetWare Enum., TCP 524 and IPX

NetBIOS Session

  • Null NetBIOS Session is the holy grail of enumeration
  • Network file sharing and printing uses SMB, and SMB passes rich system information to anyone.
  • Once connected, the attacker has an open channel over which to try other techniques; it can be used to find
    • Network information, shares, users, groups, registry keys, etc.
  • Stop these attacks by restricting access to ports 139/445; SMB can also be disabled on individual NT hosts

Finger

  • One of the oldest tricks in the book for enumerating users.
  • In the beginning Finger was a simple useful program to give out user information.
  • Works only on hosts that have Finger running, and port 79 open.
  • Simple to fix (disable the service and block port 79); there is no excuse to leave it open and running.

SNMP

  • Designed to provide intimate information about network devices, software, and systems.
    • Makes it a frequent target for hackers
  • Data is protected only by a simple password-style authentication scheme known as the community string
    • Most devices default to the community string "public"
  • This makes it very easy to get in and identify devices
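The point above is that the community string is the only "password" SNMP v1/v2c has, and that devices ship with it set to "public". The following is an added example, not part of the class notes: a small audit of a net-snmp style snmpd.conf that flags default community strings, communities open to any source, and read-write communities. The directive syntax assumed is net-snmp's (rocommunity/rwcommunity COMMUNITY [SOURCE], com2sec NAME SOURCE COMMUNITY); both configuration snippets are constructed for the demo.

```python
"""Audit a net-snmp style snmpd.conf for the SNMP weaknesses described in the notes.

Assumed directive syntax (net-snmp):
    rocommunity|rwcommunity <community> [<source>] [<oid>]
    com2sec <name> <source> <community>
"""

# The community strings most devices ship with (the notes single out "public").
DEFAULT_COMMUNITIES = {"public", "private"}
ACCESS_DIRECTIVES = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"}


def _check(lineno, community, source, writable):
    """Return (lineno, finding-code, community) tuples for one access directive."""
    findings = []
    if community.lower() in DEFAULT_COMMUNITIES:
        findings.append((lineno, "default-community", community))
    if source in (None, "default"):          # no source restriction at all
        findings.append((lineno, "unrestricted-source", community))
    if writable:                             # rwcommunity lets anyone with the string reconfigure the box
        findings.append((lineno, "write-community", community))
    return findings


def audit_snmpd_conf(text):
    """Scan snmpd.conf text and return a list of findings, one tuple per weakness."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        tokens = line.split()
        directive = tokens[0].lower()
        if directive in ACCESS_DIRECTIVES and len(tokens) >= 2:
            source = tokens[2] if len(tokens) >= 3 else None
            findings += _check(lineno, tokens[1], source, directive.startswith("rw"))
        elif directive == "com2sec" and len(tokens) >= 4:
            # com2sec only maps a community to a security name; write access is granted
            # later by group/access lines, so it is not flagged as writable here.
            findings += _check(lineno, tokens[3], tokens[2], False)
    return findings


# Constructed example: what a device typically ships with.
WEAK_CONF = """\
# constructed example of a factory-default configuration
rocommunity public
rwcommunity private
"""

# Constructed example: agent bound to loopback, non-default string, source-restricted.
HARDENED_CONF = """\
# constructed example of a hardened configuration
agentAddress udp:127.0.0.1:161
rocommunity n0tPub1ic-example 10.20.30.0/24
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label)
        for lineno, code, community in audit_snmpd_conf(conf):
            print(f"  line {lineno}: {code} ({community!r})")
```

The weak configuration produces five findings (both strings are defaults, both are reachable from any source, and the second grants write access), while the hardened one produces none. Replacing the community string alone is not enough; restricting the source and binding the agent to a management interface are what keep the device from answering anyone who guesses the string.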

UNIX RPC

  • Remote Procedure Call: the mechanism applications use to talk to each other over the network
  • The most popular way of doing so
  • Can tell attackers what types of services and file systems are running
  • The only way to limit this is to require authentication for RPC access, or to use a system that uses encrypted keys for access.

Enumerating MS RPC Endpoint Mapper

  • Some Microsoft systems have this endpoint or portmapper service running
  • Attackers can query the service to find out about other applications and services available on the target machine.
  • Best to restrict access to port 135
    • Blocking it can cause problems for Exchange servers when remote users try to connect
    • Best to use a VPN to let remote users in

Novell NetWare Enum.

  • Microsoft is not alone in having null-session holes
  • The hole in NetWare is even worse because it allows anyone to discover servers, trees, groups, printers, and usernames without even logging in to a server
  • Block access to port 524 and add an inheritance rights filter (IRF) to the root of the tree to keep users from viewing it

Summary

  • Windows family SMB makes it easy to find user credentials, file system exports, and application info.
    • Often thought of as the holy grail to hackers.
  • SNMP: if improperly configured to use the public community string, it can give out lots of information to anyone.
  • Leaking OS: Finger gives away too much information and is often enabled by default.
  • Limit RPC access to authenticated users or use encryption.

Quiz and Answers

1. What is the “holy grail” to hackers?

NetBIOS / SMB / Null NetBIOS Session

2. What is the main information you can get from a banner grab?

Server software and version

3. Name the two things you need to do to secure the Finger leak?

Disable service and block port

4. What service, if set to use a standard community string, will return lots of information to anyone?

SNMP

5. What two ways can you use to stop access to RPC?

Limit to authenticated users and/or use encryption

Here are the examples Dr. A gave in class

(some of these are Linux, others are Windows)

NetCat

nc -v www.scotnpatti.com 80
    HEAD / HTTP/1.0 (press enter)
       (press enter)
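The nc session above is the banner grab described in the Basic Banner Grabbing section: connect, send HEAD / HTTP/1.0 and a blank line, read the headers. The following is an added example, not from the class notes or Dr. A's demo: the same exchange scripted in Python and turned into the check a defender wants, namely whether your own web server's Server or X-Powered-By header discloses a software version. So that it runs offline, the target is a throwaway http.server instance started on 127.0.0.1 (assumed stand-in; Python's own server advertises "BaseHTTP/0.6 Python/3.x.y", which is exactly the kind of disclosure the notes talk about).

```python
import re
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# The request the class example types into nc by hand: HEAD / HTTP/1.0, then a blank line.
REQUEST_TEMPLATE = b"HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n"

# A product/version token such as "Apache/2.2.14" or "Python/3.11.2" inside a header value.
VERSION_RE = re.compile(r"[A-Za-z][\w.-]*/\d+(?:\.\d+)*")


def grab_http_banner(host, port=80, timeout=5.0):
    """Connect, send the HEAD request and return the response headers as a dict
    (lower-cased names); the status line is stored under 'status-line'."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(REQUEST_TEMPLATE % host.encode())
        buf = b""
        while b"\r\n\r\n" not in buf:
            chunk = sock.recv(4096)
            if not chunk:            # server closed before finishing the headers
                break
            buf += chunk
    head = buf.decode("latin-1", "replace").split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {"status-line": lines[0]}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def discloses_version(value):
    """True when a banner value carries a product/version token."""
    return VERSION_RE.search(value) is not None


def audit_banner(host, port=80):
    """Defender's view of the grab: which headers leak software name and version."""
    headers = grab_http_banner(host, port)
    findings = [f"{name}: {headers[name]}"
                for name in ("server", "x-powered-by")
                if name in headers and discloses_version(headers[name])]
    return headers, findings


# --- constructed target so the audit can run offline -------------------------------
class _BannerHandler(BaseHTTPRequestHandler):
    # send_response() automatically adds "Server: BaseHTTP/0.6 Python/3.x.y",
    # a convenient stand-in for a real server that advertises its version.
    def do_HEAD(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_local_server():
    """Start a throwaway HTTP server on 127.0.0.1 (random port) in a background thread."""
    server = HTTPServer(("127.0.0.1", 0), _BannerHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


if __name__ == "__main__":
    srv = start_local_server()
    try:
        hdrs, leaks = audit_banner("127.0.0.1", srv.server_port)
        print(hdrs["status-line"])
        for leak in leaks:
            print("version disclosed ->", leak)
    finally:
        srv.shutdown()
        srv.server_close()
```

Run against the local stand-in it reports the Server header as a version disclosure; run against a host you administer (replace 127.0.0.1 and the port) it tells you whether the banner needs trimming (ServerTokens in Apache, server_tokens in nginx). The parser is deliberately tolerant: a banner that closes the connection early or uses odd encodings still yields whatever headers were received.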

FTP

www.scotnpatti.com   (bad)
www.cs.southern.edu  (good)

SMTP

telnet email.scotnpatti.com
    vrfy root
    vrfy scot
    vrfy jane

DNS

dig @peter.cs.andrews.edu southern.edu axfr
(works here, but may not work elsewhere)

BindVersion

dig @ns1.someuniversitythatdoesen'texist.edu version.bind txt chaos


HackingExposedChapter03 (last edited 2010-03-09 22:35:34 by c-71-226-185-105)