Ethical Hacking and Countermeasures
Version 6
Module VI
Enumeration
Module Objective
This module will familiarize you with:
• Overview of System Hacking Cycle
• Enumeration
• Techniques for Enumeration
• Establishing Null Session
• Enumerating User Accounts
• Null User Countermeasures
• SNMP Scan
• SNMP Enumeration
• MIB
• SNMP Util Example
• SNMP Enumeration Countermeasures
• Active Directory Enumeration
• AD Enumeration Countermeasures
Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited
Overview of System Hacking Cycle
Step 1: Enumerate users
• Extract user names using Win 2K enumeration and SNMP probing
Step 2: Crack the password
• Crack the password of the user and gain access to the system
Step 3: Escalate privileges
• Escalate to the level of the administrator
Step 4: Execute applications
• Plant keyloggers, spyware, and rootkits on the machine
Step 5: Hide files
• Use steganography to hide hacking tools and source code
Step 6: Cover your tracks
• Erase tracks so that you will not be caught
What is Enumeration
Enumeration is defined as the extraction of user names, machine names, network resources, shares, and services
Enumeration techniques are conducted in an intranet environment
Enumeration involves active connections to systems and directed queries
The type of information enumerated by intruders:
• Network resources and shares
• Users and groups
• Applications and banners
• Auditing settings
Techniques for Enumeration
Some of the techniques for enumeration are:
• Extract user names using Win2k enumeration
• Extract user names using SNMP
• Extract user names using email IDs
• Extract information using default passwords
• Brute force Active Directory
Netbios Null Sessions
The null session is often referred to as the Holy Grail of Windows hacking. Null sessions take advantage of flaws in CIFS/SMB (Common Internet File System/Server Message Block)
You can establish a null session with a Windows (NT/2000/XP) host by logging on with a null user name and password
Using these null connections, you can gather the following
information from the host:
• List of users and groups
• List of machines
• List of shares
• Users and host SIDs (Security Identifiers)
So What's the Big Deal
Anyone with a NetBIOS connection to your computer can easily get a full dump of all your user names, groups, shares, permissions, policies, services, and more using the null user
The CIFS/SMB and NetBIOS standards in Windows 2000 include APIs that return rich information about a machine via TCP port 139, even to unauthenticated users
The attacker now has a channel over which to attempt various techniques
The following syntax connects to the hidden Inter Process Communication 'share' (IPC$) at IP address 192.34.34.2 with the built-in anonymous user (/u:"") and a null ("") password. This works on Windows 2000/XP systems, but not on Windows 2003
Windows: C:\>net use \\192.34.34.2\IPC$ "" /u:""
Linux: $ smbclient \\\\target\\ipc\$ "" -U ""
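A defender-side check for the null-session logons this slide describes, added here as an example and not part of the original deck. It scans constructed Security-log lines (a simplified one-line "Key=Value; ..." form, not real exported records) for successful network logons by NT AUTHORITY\ANONYMOUS LOGON, which is how a null session shows up in the log (event 4624 on Vista and later, event 540 on Windows 2000/XP/2003), and reports source addresses that are not on a constructed allow-list.

```python
from typing import Dict, List

# Constructed sample events in a simplified one-line "Key=Value; ..." form
# (not real exported records). A null session appears as a successful
# network logon (Logon Type 3) by NT AUTHORITY\ANONYMOUS LOGON over NTLM:
# event 4624 on Vista and later, event 540 on Windows 2000/XP/2003.
SAMPLE_EVENTS = [
    "EventID=4624; LogonType=3; Account=ANONYMOUS LOGON; Domain=NT AUTHORITY; "
    "LogonProcess=NtLmSsp; AuthPackage=NTLM; Source=192.34.34.50",
    "EventID=4624; LogonType=3; Account=jsmith; Domain=CORP; "
    "LogonProcess=Kerberos; AuthPackage=Kerberos; Source=10.0.0.12",
    "EventID=4624; LogonType=3; Account=ANONYMOUS LOGON; Domain=NT AUTHORITY; "
    "LogonProcess=NtLmSsp; AuthPackage=NTLM; Source=10.0.0.5",
    "EventID=4625; LogonType=3; Account=ANONYMOUS LOGON; Domain=NT AUTHORITY; "
    "LogonProcess=NtLmSsp; AuthPackage=NTLM; Source=192.34.34.50",
]
# Constructed allow-list: hosts that legitimately still need anonymous SMB access.
ALLOWED_SOURCES = {"10.0.0.5"}

def parse_event(line: str) -> Dict[str, str]:
    """Split a 'Key=Value; Key=Value' line into a dict."""
    fields = {}
    for part in line.split(";"):
        key, _, value = part.partition("=")
        if key.strip():
            fields[key.strip()] = value.strip()
    return fields

def is_null_session_logon(ev: Dict[str, str]) -> bool:
    """True for a successful network logon by the anonymous account."""
    return (ev.get("EventID") == "4624"
            and ev.get("LogonType") == "3"
            and ev.get("Account", "").upper() == "ANONYMOUS LOGON"
            and ev.get("Domain", "").upper() == "NT AUTHORITY")

def find_null_sessions(lines: List[str], allowed=ALLOWED_SOURCES) -> List[str]:
    """Return source addresses of null-session logons not on the allow-list."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if is_null_session_logon(ev) and ev.get("Source") not in allowed:
            hits.append(ev["Source"])
    return hits

if __name__ == "__main__":
    for src in find_null_sessions(SAMPLE_EVENTS):
        print(f"null session logon from {src}: review RestrictAnonymous on this host")
```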
NetBIOS Enumeration Using Netview
The Netview tool allows you to gather two essential bits of information:
• List of computers that belong to a domain
• List of shares on individual hosts on the network
The first thing a remote attacker will try on a Windows 2000 network is to get a list of hosts attached to the wire:
• net view /domain
• net view \\<some-computer>
• nbtstat -A <some IP>
Nbtstat Enumeration Tool
Nbtstat is a Windows command-line tool that can be used to display information about a
computer’s NetBIOS connections and name tables
• Run: nbtstat -A <some ip address>
• Displays protocol statistics and current TCP/IP connections using NBT (NetBIOS over TCP/IP)
NBTSTAT [-a RemoteName] [-A IP address] [-c] [-n] [-r] [-R] [-s] [-S] [interval]
Null Session Countermeasures
Null sessions require access to TCP 139 and/or TCP 445
ports
Null sessions do not work with Windows 2003
You could also disable SMB services entirely on individual
hosts by unbinding the WINS Client TCP/IP from the
interface
Edit the registry to restrict the anonymous user:
• Step 1: Open regedt32 and navigate to HKLM\SYSTEM\CurrentControlSet\LSA
• Step 2: Choose Edit | Add Value
• Value name: RestrictAnonymous
• Data type: REG_DWORD
• Value: 2
SNMP Enumeration
[Figure: management station and agent exchanging GET/SET requests and TRAP messages]
SNMP stands for Simple Network Management Protocol
Managers send requests to agents and the agents send back replies
The requests and replies refer to variables accessible to the agent software
Managers can also send requests to set values for certain variables
Traps make the manager aware that something significant has happened at the agent's end of things:
• A reboot
• An interface failure
• Or, something else that is potentially bad has occurred
Enumerating NT users via the SNMP protocol is easy using snmputil
Management Information Base
MIB provides a standard representation of the SNMP agent's available information and where it is stored
It is the most basic element of network management
It is the updated version of the standard MIB
It adds new SYNTAX types and adds more manageable objects to the MIB tree
Look for SNMP systems with the community string "public," which is the default for most systems
Tool: Solarwinds
Solarwinds is a set of network management tools
The tool set consists of the following:
• Discovery
• Cisco Tools
• Ping Tools
• Address Management
• Monitoring
• MIB Browser
• Security
• Miscellaneous
SNMP Enumeration Countermeasures
The simplest way to prevent such activity is to remove the SNMP agent or turn off the SNMP service
If shutting off SNMP is not an option, then change the default "public" community name
Implement the Group Policy security option called "Additional restrictions for anonymous connections"
Access to null session pipes, null session shares, and IPSec filtering should also be restricted
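An added example serving the SNMP enumeration, MIB, and countermeasures slides above (not code from the original deck): a minimal BER decoder for SNMPv1 request/response messages, run over a hand-assembled GetRequest for sysDescr.0 (OID 1.3.6.1.2.1.1.1.0) carrying the default "public" community, plus a detection rule that flags any message still using a default community string, the setting the countermeasures slide says to change. The sample packet and the DEFAULT_COMMUNITIES watch-list are constructed for this example; v1 Trap PDUs have a different header and are not decoded here.

```python
from typing import Dict, Tuple

# Constructed SNMPv1 GetRequest for sysDescr.0 with community "public",
# hand-assembled from the BER layout (not a capture from the page).
SAMPLE_PACKET = bytes.fromhex(
    "3029"                      # SEQUENCE, 41 bytes of message
    "020100"                    # INTEGER version 0 = SNMPv1
    "04067075626c6963"          # OCTET STRING "public"
    "a01c"                      # GetRequest-PDU (context tag 0), 28 bytes
    "02040001e240020100020100"  # request-id, error-status, error-index
    "300e300c"                  # VarBindList, VarBind
    "06082b06010201010100"      # OID 1.3.6.1.2.1.1.1.0 (sysDescr.0)
    "0500"                      # NULL value placeholder in a request
)
PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap"}
DEFAULT_COMMUNITIES = {"public", "private"}   # constructed watch-list

def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one BER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits = byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value: bytes) -> str:
    """First byte packs arcs 1 and 2 (40*a+b); the rest are base-128 groups."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def decode_snmpv1(packet: bytes) -> Dict[str, object]:
    """Extract version, community, PDU type and OIDs from a v1 request/response."""
    _, msg, _ = read_tlv(packet, 0)
    _, ver, pos = read_tlv(msg, 0)
    _, community, pos = read_tlv(msg, pos)
    pdu_tag, pdu, _ = read_tlv(msg, pos)
    pos = 0
    for _ in range(3):                      # skip request-id, error-status, error-index
        _, _, pos = read_tlv(pdu, pos)
    _, varbinds, _ = read_tlv(pdu, pos)
    oids, pos = [], 0
    while pos < len(varbinds):              # each VarBind is SEQUENCE { OID, value }
        _, vb, pos = read_tlv(varbinds, pos)
        oids.append(decode_oid(read_tlv(vb, 0)[1]))
    return {"version": int.from_bytes(ver, "big"), "community": community.decode(),
            "pdu": PDU_TYPES.get(pdu_tag, hex(pdu_tag)), "oids": oids}

def uses_default_community(packet: bytes) -> bool:
    return decode_snmpv1(packet)["community"] in DEFAULT_COMMUNITIES  # detection rule
```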
Enumerate Systems Using Default Passwords
Many devices like switches/hubs/routers might still be enabled with a "default password"
Try to gain access using default passwords
www.phenoelit.de/dpl/dpl.html contains an interesting list of passwords
Steps to Perform Enumeration
Extract user names using Win 2K enumeration
Gather information from the host using null sessions
Perform Windows enumeration using the tool SuperScan4
Get the users' accounts using the tool GetAcct
Perform an SNMP port scan using the tool SNScan
Summary
Enumeration involves active connections to systems and directed queries
The type of information enumerated by intruders includes network resources
and shares, users and groups, and applications and banners
Crackers often use Null sessions to connect to the target systems
NetBIOS and SNMP enumerations can be disguised using tools such as snmputil and nat
Tools such as user2sid, sid2user, and userinfo can be used to identify vulnerable user accounts