#acl SecurityClass2010Group:read,write,admin All:read

= Ch 3 - Enumeration =

Link to PDF of powerpoint presentation
http://dl.dropbox.com/u/68566/Enumeration.pdf

=== What is Enumeration? ===
 * Probing the open services identified in the last chapter.
 * Enumeration differs from information gathering in its increased level of intrusiveness.
 * Involves active connections to the target, and will (and should) be logged and noticed.
 * Tends to be platform-specific, and depends greatly on the information found by port scanning.
 * Port-scanning and enumeration tools are often bundled together.
=== Basic Banner Grabbing ===
 * Banner grabbing is connecting to remote applications and observing what the host sends back.
 * Ex. `telnet www.example.com 80` or `nc -v www.example.com 80`
 * See what information is returned in the header/banner.
 * The main information you get back is the server software and version.
=== Enumerating Common Network Services ===
 * Some of the highest-risk services that you should be aware of and block are:
  * NetBIOS Session, TCP 139/445
  * Finger, TCP 79
  * SNMP, UDP 161
  * UNIX RPC, TCP/UDP 111 and 32771
 * Some other notable risky services:
  * Microsoft RPC Endpoint Mapper, TCP 135
  * Novell NetWare, TCP 524 and IPX

=== NetBIOS Session ===
 * The null NetBIOS session is the holy grail of enumeration.
 * Network file sharing and printing use SMB, and SMB passes rich system information to anyone who connects.
 * Once connected, the attacker has an open channel over which to try other techniques; it can be used to find:
  * Network information, shares, users, groups, registry keys, etc.
 * Stop these attacks by restricting access to ports 139/445; SMB can also be disabled on individual NT hosts.
=== Finger ===
 * One of the oldest tricks in the book for enumerating users.
 * In the beginning, Finger was a simple, useful program for giving out user information.
 * Works only on hosts that have Finger running and port 79 open.
 * Simple to fix; there is no excuse to leave it open and running.
=== SNMP ===
 * Designed to provide intimate information about network devices, software, and systems.
  * This makes it a frequent target for hackers.
 * Data is protected by a simple password authentication scheme known as a community string.
  * Most devices default to the string `public`.
 * This makes it very easy to get in and identify devices.
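To show what "a simple password" means on the wire, an added example (not from the slides or the class) that builds an SNMPv1 GetRequest for sysDescr.0 and then reads the community string straight back out of the datagram, which is the same check a sensor can run on captured UDP 161 traffic to flag devices still answering to `public`. Standard library only; `DEFAULT_COMMUNITIES`, the function names and the short-form BER length assumption are this example's own.

```python
from typing import Optional

# Community strings that ship as defaults; traffic carrying them is worth alerting on.
DEFAULT_COMMUNITIES = {"public", "private"}

def _tlv(tag: int, payload: bytes) -> bytes:
    """BER tag-length-value, short-form length (assumption: payloads here are < 128 bytes)."""
    assert len(payload) < 128
    return bytes([tag, len(payload)]) + payload

def _int(v: int) -> bytes:
    """Non-negative INTEGER, minimal big-endian, leading 0x00 added when the top bit is set."""
    return _tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def _oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128 with continuation bits."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.append(0x80 | (arc & 0x7F))
        out += reversed(chunk)
    return _tlv(0x06, bytes(out))

def snmp_get(community: str, oid: str, request_id: int = 1) -> bytes:
    """SNMPv1 GetRequest datagram: SEQUENCE { version 0, community, GetRequest-PDU }."""
    varbind = _tlv(0x30, _oid(oid) + b"\x05\x00")               # OID paired with a NULL value
    pdu = _tlv(0xA0, _int(request_id) + _int(0) + _int(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _int(0) + _tlv(0x04, community.encode()) + pdu)

def extract_community(pkt: bytes) -> Optional[str]:
    """Read the community string straight out of a v1/v2c datagram: it is never encrypted."""
    try:
        if pkt[0] != 0x30:
            return None
        pos = 2 + (pkt[1] & 0x7F if pkt[1] & 0x80 else 0)   # skip outer SEQUENCE header
        if pkt[pos] != 0x02:                                 # version INTEGER
            return None
        pos += 2 + pkt[pos + 1]
        if pkt[pos] != 0x04:                                 # community OCTET STRING
            return None
        return pkt[pos + 2: pos + 2 + pkt[pos + 1]].decode("latin-1")
    except IndexError:
        return None

def uses_default_community(pkt: bytes) -> bool:
    return extract_community(pkt) in DEFAULT_COMMUNITIES
```

Running `snmp_get("public", "1.3.6.1.2.1.1.1.0").hex()` shows the bytes `7075626c6963` ("public") sitting in the clear a few bytes into the packet, which is why a sniffer on the segment learns the community string as easily as the device does.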

=== UNIX RPC ===
 * Applications use RPC to talk over the network.
 * It is the most popular way of doing so.
 * Can tell attackers what types of services and file systems are running.
 * The only way to limit this is to create an authentication system for RPC access, or to use a system that uses encrypted keys for access.
=== Enumerating MS RPC Endpoint Mapper ===
 * Some Microsoft systems have this endpoint mapper (portmapper) service running.
 * Attackers can query the service to find out about other applications and services available on the target machine.
 * Best to restrict access to port 135.
  * This can cause problems for Exchange servers when remote users try to connect.
  * Best to use a VPN to let remote users in.
=== Novell NetWare Enum. ===
 * Microsoft is not alone in having null session holes.
 * The hole in NetWare is even worse because it allows anyone to discover servers, trees, groups, printers, and usernames without even logging in to a server.
 * Block access to port 524 and add an inheritance rights filter (IRF) to the root of the tree to keep users from viewing it.
=== Summary ===
 * Windows family SMB - makes it easy to find user credentials, file system exports, and application info.
  * Often thought of as the holy grail to hackers.
 * SNMP - if improperly configured to use the `public` community string, it can give out lots of information to anyone.
 * Leaking OS - Finger gives away too much information and is often enabled by default.
 * Limit RPC access to authenticated users or use encryption.


== Quiz and Answers ==

1. What is the “holy grail” to hackers?
||<#32CD32> NetBIOS / SMB / Null NetBIOS Session ||
2. What is the main information you can get from a banner grab?
||<#32CD32> Server software and version ||
3. Name the two things you need to do to secure the Finger leak?
||<#32CD32> Disable service and block port ||
4. What service, if set to use a standard community string, will return lots of information to anyone?
||<#32CD32> SNMP ||
5. What two ways can you use to stop access to RPC?
||<#32CD32> Limit to authenticated users and/or use encryption ||


== Here are the examples Dr. A gave in class ==

(some of these are Linux, others are Windows)

=== NetCat ===

{{{
nc -v www.scotnpatti.com 80
    HEAD / HTTP/1.0 (press enter)
       (press enter)
}}}
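The `nc`/`telnet` banner grab from the Basic Banner Grabbing section and the NetCat exchange above, as an added Python example (not the class's or the slides' code): `grab_banner` sends the same `HEAD / HTTP/1.0` request, `parse_banner` pulls out the server software and version, and `serve_once` plus the constructed `SAMPLE_REPLY` stand in for a real host so it runs offline. Function names and the sample reply are this example's own; point `grab_banner` at a server you administer to see what it discloses.

```python
import socket
import threading

# Constructed sample HTTP reply (not captured from any real host) so the example runs offline.
SAMPLE_REPLY = (b"HTTP/1.1 200 OK\r\nDate: Mon, 01 Mar 2010 12:00:00 GMT\r\n"
                b"Server: Apache/2.2.14 (Ubuntu) PHP/5.3.2\r\nContent-Type: text/html\r\n\r\n")

def parse_banner(raw: bytes) -> dict:
    """Extract status line and Server header. Hardened servers often suppress or blank
    the Server header, so software/version may legitimately come back as None."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace").split("\r\n")
    info = {"status": lines[0] or None, "server": None, "software": None, "version": None}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server" and value.strip():
            info["server"] = value.strip()
            product = info["server"].split()[0]      # first product token, e.g. Apache/2.2.14
            info["software"], _, version = product.partition("/")
            info["version"] = version or None
            break
    return info

def grab_banner(host: str, port: int = 80, timeout: float = 5.0) -> bytes:
    """The 'nc -v host 80', 'HEAD / HTTP/1.0', blank-line exchange from the class example."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        chunks = []
        try:
            while data := sock.recv(4096):     # HTTP/1.0 servers close after the headers
                chunks.append(data)
        except socket.timeout:                 # server kept the connection open; take what we have
            pass
    return b"".join(chunks)

def serve_once(reply: bytes) -> int:
    """Throwaway loopback listener answering one connection with `reply`; returns its port."""
    srv = socket.create_server(("127.0.0.1", 0))
    def handler():
        conn, _ = srv.accept()
        with conn:
            conn.recv(1024)        # consume the HEAD request, then send the canned banner
            conn.sendall(reply)
        srv.close()
    threading.Thread(target=handler, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    print(parse_banner(grab_banner("127.0.0.1", serve_once(SAMPLE_REPLY))))
```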

=== FTP ===

{{{
www.scotnpatti.com   (bad)
www.cs.southern.edu  (good)
}}}

=== SMTP ===

{{{
telnet email.scotnpatti.com 25
    vrfy root
    vrfy scot
    vrfy jane
}}}

=== DNS ===

{{{
dig @peter.cs.andrews.edu southern.edu axfr
// works here, but may not work elsewhere
}}}

=== BindVersion ===

{{{
dig @ns1.someuniversitythatdoesntexist.edu version.bind txt chaos
}}}


Back to Cptr427Winter2010