CCS344-ETHICAL HACKING
UNIT-3
Enumeration Concepts
Enumeration takes port scanning to the next level. Now that you know how to discover
live systems on a network, the next steps are finding what resources are shared on the
systems, discovering login accounts and passwords, and gaining access to network
resources.
Enumeration involves connecting to a system, not just identifying that a system is
present on a network.
Hackers aren’t satisfied with knowing that computer systems are running on a
network; their goals are to find live systems and gain access to them. For security
testers, enumeration is a more intrusive part of testing, and not having permission from
the network’s owner for this step could result in being charged with a criminal offense. In
this step, you attempt to retrieve information and gain access to servers by using
company employees’ login accounts.
Knowledge of operating systems and how they store information can be helpful in
enumeration.
Not knowing how shares are handled in Windows or how files and folders are
managed in NetWare, for example, can make accessing information and finding
possible vulnerabilities more difficult.
Some of the tools used for enumeration have been covered previously and some are new,
but they make enumeration as easy as entering a single command or clicking a button.
In previous chapters, you have seen how to perform a zone transfer, use the dig
command, and discover what computers live on a network. The next step in security
testing is enumeration, the process of extracting the following information from a
network:
● Resources or shares on the network
● Usernames or groups assigned on the network
● Users’ passwords and recent logon times
To determine what resources or shares are on a network, security testers must use port
scanning and footprinting first to determine what OS is used. If a network is running a
Windows OS, for example, testers can use specific tools to view shares and possibly
access resources.
As mentioned, enumeration is more intrusive because you’re not just identifying a
resource; you’re attempting to access it. It goes beyond passive scanning of a network
to find open ports. For example, sometimes this process entails guessing passwords
after determining a username.
Enumeration depends on the services the systems offer. Common types are:
● DNS enumeration
● NTP enumeration
● SNMP enumeration
● Linux/Windows enumeration
● SMB enumeration
NetBIOS Enumeration
Before learning how to enumerate Microsoft systems, you need to review the
basics of how the Network Basic Input Output System (NetBIOS) works. NetBIOS is a
Windows programming interface that allows computers to communicate across a local
area network (LAN). Most Windows OSs use NetBIOS to share files and printers.
● NetBIOS listens on UDP ports 137 (NetBIOS Name Service) and 138 (NetBIOS
Datagram Service) and on TCP port 139 (NetBIOS Session Service). File and printer
sharing also requires an upper-level service called Server Message Block (SMB),
which runs on top of NetBIOS. In Windows 2000 and later, SMB listens on TCP port
445 and doesn’t need to use NetBIOS over TCP/IP unless support for older Windows
versions is required.
The computer names you assign to Windows systems are called NetBIOS names
and have a limit of 16 characters; the last character is reserved for a hexadecimal
number (00 to FF) that identifies the service running on the computer. Therefore, you
can use only 15 characters for a computer name, and NetBIOS adds the last character
automatically to identify the service that has registered with the OS. For example, if a
computer named SALESREP is running the Server service, the OS stores this
information in a NetBIOS table.
A NetBIOS name must be unique on a network. Each NetBIOS suffix corresponds to a
service, or resource type, running on the computer. You don’t need to memorize all
these suffixes, but note that some identify the computer or server being enumerated as
a stand-alone computer or a domain.
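The 15-character-plus-suffix layout above, and the way such names appear on the wire on UDP/137, as an added example (not code from the course notes). The suffix table is a constructed subset of the well-known values; SALESREP is the notes' sample name, and the wildcard query name is constructed:

```python
"""NetBIOS name handling: 15 characters padded with spaces, plus a 1-byte
service suffix, and the RFC 1001 'first-level' encoding used in NBNS packets.
Added example, not from the course notes; SUFFIXES is a constructed subset.
"""

# A few well-known suffix values (service / resource type). Constructed subset.
SUFFIXES = {
    0x00: "Workstation Service",
    0x03: "Messenger Service",
    0x20: "File Server Service",
    0x1B: "Domain Master Browser",
    0x1C: "Domain Controllers (group name)",
    0x1D: "Master Browser",
    0x1E: "Browser Service Elections (group name)",
}


def netbios_name(computer_name, suffix):
    """Build the 16-byte NetBIOS name: up to 15 chars, space-padded, then the suffix byte."""
    if not 1 <= len(computer_name) <= 15:
        raise ValueError("NetBIOS names allow at most 15 characters")
    if not 0 <= suffix <= 0xFF:
        raise ValueError("suffix must be a single byte")
    return computer_name.upper().encode("ascii").ljust(15, b" ") + bytes([suffix])


def describe_name(nb_name):
    """Split a 16-byte NetBIOS name into (name, suffix, service description)."""
    if len(nb_name) != 16:
        raise ValueError("NetBIOS names are exactly 16 bytes")
    name = nb_name[:15].rstrip(b" ").decode("ascii")
    suffix = nb_name[15]
    return name, suffix, SUFFIXES.get(suffix, "unknown/unassigned")


def first_level_encode(nb_name):
    """RFC 1001 first-level encoding: each byte becomes two letters, one per
    nibble, each offset from 'A'. This is the form seen in NBNS packets."""
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in nb_name)


def first_level_decode(encoded):
    """Inverse of first_level_encode; rejects anything that is not 32 chars of A..P."""
    if len(encoded) != 32 or any(not "A" <= c <= "P" for c in encoded):
        raise ValueError("encoded NetBIOS names are 32 characters from A..P")
    pairs = zip(encoded[0::2], encoded[1::2])
    return bytes(((ord(hi) - 0x41) << 4) | (ord(lo) - 0x41) for hi, lo in pairs)


if __name__ == "__main__":
    raw = netbios_name("SALESREP", 0x20)
    print(describe_name(raw))
    # The NBSTAT wildcard name '*' followed by 15 NUL bytes (constructed sample)
    print(first_level_encode(b"*" + b"\x00" * 15))
```

Decoding the 32-letter form is what lets a packet capture on UDP/137 be read back into the computer name and service suffix.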
SNMP Enumeration (Simple Network Management Protocol)
● SNMP consists of a manager and an agent; agents are embedded on every
network device, and the manager is installed on a separate computer.
● SNMP holds two passwords (community strings) to access and configure the SNMP
agent from the management station:
  1. Read community string: public by default; allows viewing of device/system
  configuration.
  2. Read/write community string: private by default; allows remote editing of
  configuration.
● Attackers use these default community strings to extract information about a
device.
● Attackers enumerate SNMP to extract information about network resources such
as hosts, routers, devices, shares, etc. and network information such as ARP
tables, routing tables, traffic, etc.
● Network management protocol
● snmpwalk: snmpwalk -v 1 -c public 192.168.99.144
● snmpcheck: snmpcheck -t 192.168.99.144
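Because the default community strings are the first thing an enumerator tries, the defender's check is whether an agent still uses them. The following added example (not from the course notes) audits a Net-SNMP snmpd.conf for the weak settings just described and shows a hardened configuration beside the weak one. Both configurations are constructed, and the REPLACE_* values are placeholders:

```python
"""Audit a Net-SNMP snmpd.conf for the weak settings the notes describe:
the default community strings "public" (read) and "private" (read/write).

Added example, not from the course notes. The two configurations below are
constructed; the REPLACE_* values are placeholders, not real credentials.
"""

DEFAULT_COMMUNITIES = {"public", "private"}
COMMUNITY_DIRECTIVES = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"}

# Weak: the defaults attackers try first, open to any source address.
WEAK_CONF = """\
# out-of-the-box style configuration (constructed)
rocommunity public
rwcommunity private
"""

# Hardened: SNMPv3 with authentication and privacy. If v2c must stay for a
# legacy poller, use a non-default community restricted to one source and a
# read-only view limited to the system group (1.3.6.1.2.1.1).
HARDENED_CONF = """\
createUser monitor SHA "REPLACE_AUTH_PASS" AES "REPLACE_PRIV_PASS"
rouser monitor priv
view systemonly included .1.3.6.1.2.1.1
rocommunity REPLACE_LONG_RANDOM 192.0.2.10 -V systemonly
"""


def audit_snmpd_conf(text):
    """Return a list of findings, one string per weak setting found."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive in COMMUNITY_DIRECTIVES and len(parts) >= 2:
            community = parts[1]
            # rocommunity COMMUNITY [SOURCE [OID | -V VIEW]]
            # no SOURCE (or the literal "default") means any host may query
            has_source = len(parts) >= 3 and not parts[2].startswith("-")
            source = parts[2] if has_source else "default"
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append(f"line {lineno}: {directive} uses default community '{community}'")
            if source == "default":
                findings.append(f"line {lineno}: {directive} '{community}' accepts any source address")
            if directive.startswith("rw"):
                findings.append(f"line {lineno}: {directive} grants write access over unauthenticated v1/v2c")
        elif directive == "com2sec" and len(parts) >= 4:
            # com2sec NAME SOURCE COMMUNITY (older style mapping)
            if parts[3].lower() in DEFAULT_COMMUNITIES:
                findings.append(f"line {lineno}: com2sec maps default community '{parts[3]}'")
            if parts[2] == "default":
                findings.append(f"line {lineno}: com2sec '{parts[3]}' accepts any source address")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_snmpd_conf(conf) or "no findings")
```

The view restriction matters even with a strong community: it keeps a leaked read-only string from exposing ARP and routing tables, which is exactly what the enumeration walk in the notes collects.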
How SNMP Works
Management Information Base (MIB)
● MIB is a virtual database containing a formal description of all the network objects
that can be managed using SNMP.
● The MIB database is hierarchical, and each managed object in a MIB is
addressed through an Object Identifier (OID).
● Two types of managed objects exist:
  1. Scalar objects, which define a single object instance.
  2. Tabular objects, which define multiple related object instances grouped in
  MIB tables.
● The OID entry includes the type of MIB object (such as counter, string, or address),
the access level (not-accessible, accessible-for-notify, read-only, or read-write),
size restrictions, and range information.
● SNMP uses the MIB’s hierarchical namespace of Object Identifiers (OIDs) to
translate OID numbers into a human-readable display.
● Network management database
● User ID: SID (important; must not be discoverable) + RID (serial number, starting
from 1000)
  1. Computer
  2. Domain
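To make the OID hierarchy concrete, here is an added example (not from the course notes) that parses snmpwalk-style output, resolves a few symbolic names to numeric OIDs, and selects the entries under the system group (1.3.6.1.2.1.1). The output lines are constructed to resemble what the snmpwalk command above prints; the SYMBOLIC table covers only the names used here, whereas real tools load full MIB files:

```python
"""Parse snmpwalk-style output and work with the MIB's OID hierarchy.

Added example, not from the course notes. SAMPLE_WALK is constructed output
in the style of `snmpwalk -v 1 -c public <host>`; SYMBOLIC is a small table
of MIB names, not a MIB parser.
"""
import re

SAMPLE_WALK = """\
SNMPv2-MIB::sysDescr.0 = STRING: Linux gw 5.10.0 #1 SMP x86_64
SNMPv2-MIB::sysObjectID.0 = OID: NET-SNMP-MIB::netSnmpAgentOIDs.10
SNMPv2-MIB::sysName.0 = STRING: gw
.1.3.6.1.2.1.1.6.0 = STRING: server room
IF-MIB::ifNumber.0 = INTEGER: 3
.1.3.6.1.2.1.2.2.1.2.1 = STRING: lo
"""

# Symbolic MIB names this example can resolve (subset, constructed for the demo).
SYMBOLIC = {
    "SNMPv2-MIB::sysDescr": (1, 3, 6, 1, 2, 1, 1, 1),
    "SNMPv2-MIB::sysObjectID": (1, 3, 6, 1, 2, 1, 1, 2),
    "SNMPv2-MIB::sysUpTime": (1, 3, 6, 1, 2, 1, 1, 3),
    "SNMPv2-MIB::sysContact": (1, 3, 6, 1, 2, 1, 1, 4),
    "SNMPv2-MIB::sysName": (1, 3, 6, 1, 2, 1, 1, 5),
    "SNMPv2-MIB::sysLocation": (1, 3, 6, 1, 2, 1, 1, 6),
    "IF-MIB::ifNumber": (1, 3, 6, 1, 2, 1, 2, 1),
    "IF-MIB::ifDescr": (1, 3, 6, 1, 2, 1, 2, 2, 1, 2),
}
SYSTEM_GROUP = (1, 3, 6, 1, 2, 1, 1)

# "<oid> = <TYPE>: <value>"  e.g.  SNMPv2-MIB::sysName.0 = STRING: gw
LINE_RE = re.compile(r"^(?P<oid>\S+) = (?P<type>[A-Za-z0-9-]+): ?(?P<value>.*)$")


def numeric_oid(oid):
    """Turn '.1.3.6.1.2.1.1.5.0' or 'SNMPv2-MIB::sysName.0' into a tuple of ints."""
    if oid.startswith("."):
        return tuple(int(p) for p in oid[1:].split("."))
    name, _, instance = oid.partition(".")
    if name not in SYMBOLIC:
        raise ValueError(f"unknown symbolic OID {name!r}")
    suffix = tuple(int(p) for p in instance.split(".")) if instance else ()
    return SYMBOLIC[name] + suffix


def is_under(oid, subtree):
    """True when `oid` lies in the MIB subtree rooted at `subtree`."""
    return oid[: len(subtree)] == subtree


def parse_walk(text):
    """Return one dict per parsable line: numeric oid, SNMP type, raw value."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        entries.append({"oid": numeric_oid(m["oid"]), "type": m["type"], "value": m["value"]})
    return entries


def system_group_values(text):
    """Map numeric OID -> value for everything under the system group."""
    return {e["oid"]: e["value"] for e in parse_walk(text) if is_under(e["oid"], SYSTEM_GROUP)}


if __name__ == "__main__":
    for oid, value in system_group_values(SAMPLE_WALK).items():
        print(".".join(map(str, oid)), "=", value)
```

Grouping by subtree is the same operation a read-only view (such as a view limited to 1.3.6.1.2.1.1) performs on the agent side, which is why restricting views limits what an enumeration walk returns.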
SNMP Enumeration Tools:
● OpUtils: OpUtils with its integrated set of tools helps network engineers to
monitor, diagnose, and troubleshoot their IT resources.
● Engineer’s Toolset:
Engineer’s Toolset performs network discovery on a single subnet or a range of subnets
using ICMP and SNMP.
It scans a single IP, IP address range, or subnet and displays network devices
discovered in real time.
LDAP (Lightweight Directory Access Protocol)
The Lightweight Directory Access Protocol (LDAP) is used to access directory
services over a network. A directory is a hierarchically organized data store that may
contain any kind of information but is commonly used to store personal data such as
names, telephone numbers, e-mail addresses, and job functions. Common examples of
LDAP directories are Active Directory, used within Windows domains, and OpenLDAP,
used in various situations. You are most likely to encounter LDAP being used in
corporate intranet-based web applications, such as an HR application that allows users
to view and modify information about employees.
Each LDAP query uses one or more search filters, which determine the directory
entries that are returned by the query. Search filters can use various logical operators
to represent complex search conditions. The most common search filters you are likely
to encounter are as follows:
● Simple match conditions match on the value of a single attribute. For example,
an application function that searches for a user via his username might use this
filter:
(username=daf)
● Disjunctive queries specify multiple conditions, any one of which must be
satisfied by entries that are returned. For example, a search function that looks
up a user-supplied search term in several directory attributes might use this filter:
(|(cn=searchterm)(sn=searchterm)(ou=searchterm))
● Conjunctive queries specify multiple conditions, all of which must be satisfied
by entries that are returned. For example, a login mechanism implemented in
LDAP might use this filter:
(&(username=daf)(password=secret))
As with other forms of injection, if user-supplied input is inserted into an LDAP search
filter without any validation, it may be possible for an attacker to supply crafted input
that modifies the filter’s structure and thereby retrieve data or perform actions in an
unauthorized way.
In general, LDAP injection vulnerabilities are not as readily exploitable as SQL
injection flaws, due to the following factors:
● Where the search filter employs a logical operator to specify a conjunctive or
disjunctive query, this usually appears before the point where user-supplied data
is inserted and therefore cannot be modified. Hence, simple match conditions
and conjunctive queries don’t have an equivalent to the “or 1=1” type of attack
that arises with SQL injection.
● In the LDAP implementations that are in common use, the directory attributes to
be returned are passed to the LDAP APIs as a separate parameter from the
search filter and normally are hard-coded within the application.
Exploiting LDAP Injection
Despite the limitations just described, in many real-world situations it is possible to
exploit LDAP injection vulnerabilities to retrieve unauthorized data from the application
or to perform unauthorized actions. The details of how this is done typically are highly
dependent on the construction of the search filter, the entry point for user input, and the
implementation details of the back-end LDAP service itself.
Disjunctive Queries
Consider an application that lets users list employees within a specified department of
the business. The search results are restricted to the geographic locations that the user
is authorized to view. For example, if a user is authorized to view the London and
Reading locations, and he searches for the “sales” department, the application performs
the following disjunctive query:
(|(department=London sales)(department=Reading sales))
Here, the application constructs a disjunctive query and prepends different expressions
before the user-supplied input to enforce the required access control. In this situation,
an attacker can subvert the query to return details of all employees in all locations by
submitting the following search term:
)(department=*
The * character is a wildcard in LDAP; it matches any item. When this input is
embedded into the LDAP search filter, the following query is performed:
(|(department=London )(department=*)(department=Reading )(department=*))
Since this is a disjunctive query and contains the wildcard term (department=*), it
matches all directory entries. It returns the details of all employees from all
locations, thereby subverting the application’s access control.
Conjunctive Queries
Consider a similar application function that allows users to search for employees by
name, again within the geographic region they are authorized to view.
If a user is authorized to search within the London location, and he searches for
the name daf, the following query is performed:
(&(givenName=daf)(department=London*))
Here, the user’s input is inserted into a conjunctive query, the second part of which
enforces the required access control by matching items in only one of the London
departments.
In this situation, two different attacks might succeed, depending on the details of the
back-end LDAP service. Some LDAP implementations, including OpenLDAP, allow
multiple search filters to be batched, and these are applied disjunctively. For example,
an attacker could supply the following input:
*))(&(givenName=daf
When this input is embedded into the original search filter, it becomes:
(&(givenName=*))(&(givenName=daf)(department=London*))
This now contains two search filters, the first of which contains a single wildcard match
condition. The details of all employees are returned from all locations, thereby
subverting the application’s access control.
Finding LDAP Injection Flaws
Supplying invalid input to an LDAP operation typically does not result in an
informative error message. In general, the evidence available to you in diagnosing a
vulnerability includes the results returned by a search function and the occurrence of an
error such as an HTTP 500 status code. Nevertheless, you can use the following steps
to identify an LDAP injection flaw with a degree of reliability.
Preventing LDAP Injection
If it is necessary to insert user-supplied input into an LDAP query, this operation
should be performed only on simple items of data that can be subjected to strict input
validation. The user input should be checked against a whitelist of acceptable
characters, which should ideally include only alphanumeric characters. Characters
that may be used to interfere with the LDAP query should be blocked, including ( ) ; , * |
& = and the null byte. Any input that does not match the whitelist should be rejected,
not sanitized.
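The following added example (not code from the course notes or from any LDAP library) puts the vulnerable filter construction from the department and name searches above beside the two defences this section prescribes: a whitelist that rejects rather than sanitizes, and RFC 4515 escaping of filter metacharacters as defence in depth. The builder functions, the 64-character limit and the try_* helper are constructed for the demonstration:

```python
"""LDAP search-filter construction: the injectable pattern from the notes
beside a whitelisted/escaped version.

Added example, not from the course notes. Helper names, the whitelist regex
and the length limit are constructed choices.
"""
import re

# RFC 4515 escaping for a value placed inside a filter assertion.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape filter metacharacters so the value is matched literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


_ALLOWED = re.compile(r"[A-Za-z0-9]{1,64}")


def validate_search_term(value):
    """Whitelist from the notes: alphanumeric only; anything else is rejected, not sanitized."""
    if not _ALLOWED.fullmatch(value):
        raise ValueError("search term contains characters outside the allowed set")
    return value


def department_filter_unsafe(term, locations):
    """Direct concatenation, as in the notes' vulnerable application."""
    return "(|" + "".join(f"(department={loc} {term})" for loc in locations) + ")"


def department_filter_escaped(term, locations):
    """Escaping alone: metacharacters become literals, so the filter structure cannot change."""
    term = escape_filter_value(term)
    return "(|" + "".join(f"(department={loc} {term})" for loc in locations) + ")"


def department_filter_safe(term, locations):
    """Whitelist first (reject), then escape as defence in depth."""
    return department_filter_escaped(validate_search_term(term), locations)


def try_safe_filter(term, locations):
    """Return the filter, or None when the whitelist rejects the input."""
    try:
        return department_filter_safe(term, locations)
    except ValueError:
        return None


def name_filter_unsafe(name, location):
    """The conjunctive name search from the notes, with raw user input."""
    return f"(&(givenName={name})(department={location}*))"


def name_filter_safe(name, location):
    """Same query with the user-supplied name validated and escaped; the
    location is application-controlled, as in the notes."""
    name = escape_filter_value(validate_search_term(name))
    return f"(&(givenName={name})(department={location}*))"


if __name__ == "__main__":
    locs = ["London", "Reading"]
    print(department_filter_unsafe("sales", locs))
    print(department_filter_unsafe(")(department=*", locs))   # structure changed
    print(department_filter_escaped(")(department=*", locs))  # still one literal value
    print(try_safe_filter(")(department=*", locs))            # None: rejected
```

Escaping on its own keeps the wildcard and parentheses inside a single assertion value; the whitelist is still preferable for simple items because it also removes any dependence on the back-end's filter parser.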
NTP (Network Time Protocol)
Network Time Protocol (NTP) is a protocol used to synchronize the clocks of
computer systems over a network. In ethical hacking, understanding NTP can be
important for various reasons. For example, attackers may exploit vulnerabilities in NTP
implementations to launch attacks such as man-in-the-middle attacks or distributed
denial of service (DDoS) attacks. By manipulating the time on a target system, attackers
can potentially disrupt services or gain unauthorized access to systems. Ethical hackers
may also use NTP to ensure accurate time synchronization during security
assessments or penetration testing. It is important for ethical hackers to be aware of
NTP vulnerabilities and best practices for securing NTP implementations to protect
against potential attacks.
1. Overview of Network Time Protocol (NTP)
● Definition and purpose of NTP
● Importance of time synchronization in computer systems
2. NTP Vulnerabilities in Ethical Hacking
● Exploitable vulnerabilities in NTP implementations
● Potential risks of NTP attacks in ethical hacking scenarios
3. Attacks Using NTP in Ethical Hacking
● Man-in-the-middle attacks leveraging NTP
● Distributed Denial of Service (DDoS) attacks through NTP manipulation
4. Ethical Hacking Applications of NTP
● Ensuring accurate time synchronization during security assessments
● Using NTP for penetration testing and vulnerability assessments
5. Securing NTP Implementations
● Best practices for securing NTP servers and clients
● Mitigation strategies to protect against NTP-based attacks
SMTP (Simple Mail Transfer Protocol)
The Simple Mail Transfer Protocol (SMTP) is used to send e-mail messages, as
opposed to POP3 or IMAP, which can be used to both send and receive messages. SMTP
relies on Mail Exchange (MX) servers, located via the Domain Name Service, to direct
mail to; should an MX server not be found, SMTP falls back to an A record or
alternatively SRV records. SMTP generally runs on port 25.
SMTP enumeration allows us to determine valid users on the SMTP server. This
is done with the help of built-in SMTP commands:
● VRFY – This command is used for validating users.
● EXPN – This command tells the actual delivery address of aliases and mailing
lists.
● RCPT TO – It defines the recipients of the message.
In other cases, the application may perform the SMTP conversation itself, or it may
pass user-supplied input to a different component to do this. In this situation, it may be
possible to inject arbitrary SMTP commands directly into this conversation, potentially
taking full control of the messages being generated by the application.
For example, consider an application that uses requests of the following form to
submit site feedback:
POST feedback.php HTTP/1.1
Host: wahh-app.com
Content-Length: 56
From=daf@wahh-mail.com&Subject=Site+feedback&Message=fo
This causes the web application to perform an SMTP conversation with the following
commands:
MAIL FROM: daf@wahh-mail.com
RCPT TO: feedback@wahh-app.com
DATA
From: daf@wahh-mail.com
To: feedback@wahh-app.com
Subject: Site feedback
Foo
Finding SMTP Injection Flaws
To probe an application’s mail functionality effectively, you need to target every
parameter that is submitted to an e-mail-related function, even those that may initially
appear to be unrelated to the content of the generated message. You should also test
for each kind of attack, and you should perform each test case using both Windows-
and UNIX-style newline characters.
Preventing SMTP Injection
SMTP injection vulnerabilities usually can be prevented by implementing rigorous
validation of any user-supplied data that is passed to an e-mail function or used in an
SMTP conversation. Each item should be validated as strictly as possible given the
purpose for which it is being used:
● E-mail addresses should be checked against a suitable regular expression
(which should, of course, reject any newline characters).
● The message subject should not contain any newline characters, and it may be
limited to a suitable length.
● If the contents of a message are being used directly in an SMTP conversation,
lines containing just a single dot should be disallowed.
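An added example (not code from the course notes) that builds the SMTP conversation shown for the feedback form above and applies the three validation rules just listed before any line is emitted. The recipient address, the address regex and the subject length limit are constructed choices; the command spelling ("MAIL FROM: addr") follows the notes' transcript:

```python
"""SMTP dialog builder for the feedback form in the notes, with the
validation rules from the prevention list applied first.

Added example, not from the course notes. Recipient, regex and length limit
are constructed choices.
"""
import re

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
MAX_SUBJECT_LEN = 120
FEEDBACK_RECIPIENT = "feedback@wahh-app.com"


def validate_address(addr):
    """Reject anything that is not a plain address, including embedded CR or LF."""
    if "\r" in addr or "\n" in addr or not EMAIL_RE.fullmatch(addr):
        raise ValueError(f"invalid e-mail address: {addr!r}")
    return addr


def validate_subject(subject):
    """No newline of either style: a CRLF or LF would start a new header or command."""
    if "\r" in subject or "\n" in subject:
        raise ValueError("subject contains a newline")
    if len(subject) > MAX_SUBJECT_LEN:
        raise ValueError("subject too long")
    return subject


def validate_body(message):
    """Split the body into lines; a line that is just '.' would end the DATA phase early."""
    lines = message.replace("\r\n", "\n").replace("\r", "\n").split("\n")
    if any(line == "." for line in lines):
        raise ValueError("body contains a line consisting of a single dot")
    return lines


def build_smtp_dialog(sender, subject, message, recipient=FEEDBACK_RECIPIENT):
    """Return the client-side lines of the SMTP conversation, validated first.
    A blank line separates headers from body; '.' alone terminates DATA."""
    sender = validate_address(sender)
    subject = validate_subject(subject)
    body = validate_body(message)
    return [
        f"MAIL FROM: {sender}",
        f"RCPT TO: {recipient}",
        "DATA",
        f"From: {sender}",
        f"To: {recipient}",
        f"Subject: {subject}",
        "",
        *body,
        ".",
    ]


def try_build(sender, subject, message):
    """Return the dialog, or None when validation rejects the input."""
    try:
        return build_smtp_dialog(sender, subject, message)
    except ValueError:
        return None


if __name__ == "__main__":
    print("\n".join(build_smtp_dialog("daf@wahh-mail.com", "Site feedback", "foo")))
    print(try_build("daf@wahh-mail.com", "Site feedback\r\nBcc: other@example.com", "foo"))
```

Normalizing both CRLF and bare CR before the single-dot check is what makes the test for Windows- and UNIX-style newlines mentioned above come out the same.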
DNS (Domain Name System)
DNS enumeration is the process of locating all the DNS servers and their
corresponding records for an organization. DNS enumeration can yield usernames,
computer names, and IP addresses of potential target systems.
The Domain Name System (DNS) is a service that translates a website name into an
IP address and vice versa.
● The process of DNS enumeration returns various important information about
the target, such as DNS record types, host names, and IP addresses, depending on
the configuration of the target system.
● To perform DNS enumeration, various open-source tools and scripts are
available, such as Nmap and DNSRecon.
Steps of DNS Enumeration:
There are various tools for DNS enumeration; you are free to explore them by
doing a simple web search for DNS enumeration tools, but here we use Nmap as an
example:
Nmap:
It is a tool used to discover hosts and services that are currently running on a
computer network. Nmap provides an extensive script by the name dns-nsec-enum.
Command Usage
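What the dns-nsec-enum script relies on is a property of DNSSEC: each NSEC record names the next owner in the zone, so following the chain from the apex lists every name. The added example below (not code from the course notes or from Nmap) walks a constructed in-memory chain to show the mechanism and reports whether the chain closes, which is the condition a defender wants to see fail. The zone, the record contents and the lookup stand-in are all constructed:

```python
"""Why NSEC chains can be enumerated: each record points at the next owner
name, so a walk from the apex lists the zone.

Added example, not from the course notes or from Nmap. NSEC_CHAIN is a
constructed zone; lookup_nsec stands in for a real DNS query.
"""

# owner name -> (next owner name, RR types present at the owner). Constructed.
NSEC_CHAIN = {
    "example.com.": ("app.example.com.", ("A", "NS", "SOA", "MX", "DNSKEY", "RRSIG", "NSEC")),
    "app.example.com.": ("mail.example.com.", ("A", "RRSIG", "NSEC")),
    "mail.example.com.": ("vpn.example.com.", ("A", "MX", "RRSIG", "NSEC")),
    "vpn.example.com.": ("example.com.", ("A", "RRSIG", "NSEC")),  # last record wraps to the apex
}


def lookup_nsec(name):
    """Stand-in for querying the NSEC record at `name`; None when there is none."""
    return NSEC_CHAIN.get(name)


def walk_nsec_chain(apex, lookup=lookup_nsec, max_steps=10_000):
    """Follow NSEC 'next name' pointers from the apex until the chain wraps,
    breaks, or the step limit is hit. Returns [(owner, types), ...] in order."""
    names = []
    current = apex
    seen = set()
    while current not in seen and len(names) < max_steps:
        seen.add(current)
        rec = lookup(current)
        if rec is None:      # no NSEC at this name: unsigned zone, NSEC3, or a gap
            break
        next_name, types = rec
        names.append((current, types))
        current = next_name
    return names


def zone_is_walkable(apex, lookup=lookup_nsec):
    """True when the chain returns to the apex, i.e. the full zone can be listed."""
    names = walk_nsec_chain(apex, lookup)
    if not names:
        return False
    rec = lookup(names[-1][0])
    return rec is not None and rec[0] == apex


if __name__ == "__main__":
    for owner, types in walk_nsec_chain("example.com."):
        print(owner, " ".join(types))
    print("walkable:", zone_is_walkable("example.com."))
```

The usual mitigation is NSEC3 (RFC 5155), which replaces owner names in the chain with salted hashes, or servers that synthesize minimally covering NSEC responses; with either, `lookup` returns nothing usable and `zone_is_walkable` is False.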
Vulnerability Assessment Concepts
Desktop and Server OS Vulnerabilities
Windows OS Vulnerabilities
1. Many Windows OSs have serious vulnerabilities
– Windows 2000 and earlier
• Administrators must disable, reconfigure, or uninstall services and features
– Windows XP, Vista, Server 2003, Server 2008, and Windows 7
• Most services and features are disabled by default
2. Good information sources:
– CVE website
– SANS Institute Top 20 list
– Manufacturer security websites
3. Sample CVE listing (Windows Server 2008)
Many of the explanations at the CVE Website are complex and might be difficult to
understand. What’s important, however, is that you’re able to research a vulnerability
that’s relevant to the security test you’re conducting.
For example, if the system you’re testing uses the Remote Desktop Connection
client noted in CVE-2009-1929, you might need to do research on what Remote Desktop
Connection is and whether the version the company is running is vulnerable. You
might also have to visit the Microsoft Web site to see whether any patches or security
updates are available for this vulnerability.
For example, searching on “Remote Desktop Connection vulnerability” at the
Microsoft Web site reveals the following: “Microsoft Security Bulletin MS09-044 - Critical
Vulnerabilities in Remote Desktop Connection Could Allow Remote Code Execution
(970927).” Information about the vulnerability and links to download the patches are
provided at www.microsoft.com/technet/security/Bulletin/
Windows File Systems
● The purpose of any file system, regardless of the OS, is to store and manage
information.
● The file system organizes information that users create as well as the OS files
needed to boot the system, so the file system is the most vital part of any OS. In
some cases, this critical component of the OS can be a vulnerability.
File Allocation Table
File Allocation Table (FAT), the original Microsoft file system, is supported by nearly
all desktop and server OSs. Because of its broad support, FAT12 is also the standard
file system for most removable media other than CDs and DVDs.
Later versions, such as FAT16, FAT32, and Extended FAT (exFAT, developed for
Windows Embedded CE), provide for larger file and disk sizes.
New Technology File System (NTFS)
1. First released as a high-end file system
• Added support for larger files, disk volumes, and ACL file security
2. Subsequent Windows versions
• Included several upgrades
3. Alternate Data Streams (ADSs): store metadata such as author, title, file
attributes, and image thumbnails
• Can “stream” (hide) information behind existing files
• Without affecting function, size, or other information
4. The DIR command in Vista and later was updated to display ADS size information
using switches
• Several detection methods
Remote Procedure Call
● Remote Procedure Call (RPC) is an interprocess communication mechanism
that allows a program running on one host to run code on a remote host.
• Example: shutdown \\computername /t:xx "msg"
● The Conficker worm took advantage of a vulnerability in RPC to run arbitrary
code on susceptible hosts.
NetBIOS
• Software loaded into memory
– Enables a computer program to interact with a network resource or device
• NetBIOS isn’t a protocol
– Interface to a network protocol
• NetBIOS Extended User Interface (NetBEUI)
– Fast, efficient network protocol
– Allows NetBIOS packets to be transmitted over TCP/IP
– NBT is NetBIOS over TCP
• Systems running newer Windows OSs
– Share files and resources without using NetBIOS
• NetBIOS is still used for backward compatibility
– Budgets don’t allow upgrading
– Customer expectations must be met
– Not installed by default
Server Message Block
In Windows, Server Message Block (SMB) is used to share files and usually runs on top
of NetBIOS, NetBEUI, or TCP/IP. Several hacking tools that target SMB can still cause
damage to Windows networks.
• Several hacking tools target SMB
– L0phtcrack’s SMB Packet Capture
– SMBDie
– NBTDeputy
– SMBRelay
– NBName
– It took Microsoft 7 years to patch these
• SMB2
– Introduced in Windows Vista
– Several new features
– Faster and more efficient
• Windows 7
• Windows XP Mode
Common Internet File System
Common Internet File System (CIFS) is a standardized protocol that replaced
SMB in Windows 2000 Server and later, but to allow backward compatibility, the original
SMB is still used.
CIFS is a remote file system protocol that enables computers to share network
resources over the Internet.
– Replaced SMB for Windows 2000 Server and later
– SMB is still used for backward compatibility
• Remote file system protocol
– Enables sharing of network resources over the Internet
• Relies on other protocols to handle
service announcements
– Notifies users of available resources
• Enhancements
– Locking features
– Caching and read-ahead/write-behind
– Support for fault tolerance
– Capability to run more efficiently over dial-up
– Support for anonymous and authenticated access
• Server security methods
– Share-level security
– User-level security
• Attackers look for servers designated as domain controllers
– Servers handle authentication
• Windows Server 2003 and 2008
– Domain controller uses a global catalog (GC) server
• Locates resources among many objects
– Aids in mapping services to devices
Null Sessions
A null session is an anonymous connection established without credentials, such as a
username and password. Also called an anonymous logon, a null session can be used
to display information about users, groups, shares, and password policies. Null
sessions are necessary only if networks need to support older Windows versions.
• NetBIOS enumeration vulnerabilities use:
– Nbtstat
– Net view
– Netstat
– Ping
– Pathping
– Telnet
Web Services
• IIS installs with critical security vulnerabilities
– IIS Lockdown Wizard
• Locks down IIS versions 4.0 and 5.0
• IIS 6.0 Installs with a “secure by default” mode
– Previous versions left crucial security holes
– Keeping a system patched is important
– Configure only needed services (e.g. FTP, SMTP, etc…)
SQL Server
• Many potential vulnerabilities
– Null System Administrator (SA) password
• SA access through SA account
• SA with blank password
– Database and database server
• Most SA accounts are placed in administrative groups in local machine and AD for
ease of integration
– Presents a Broad Attack Surface
• Code Red
• Slammer
• SQL Injection
Buffer Overflows
• Too much data is written to an unchecked buffer
– The excess data overflows into the next memory allocation block, replacing expected
data with the attacker’s instructions
– Normally occurs when copying strings of characters from one buffer to another
• Functions don’t verify that the text fits
– Attackers run shell code
• C and C++
– Lack built-in protection against overwriting data in memory
Passwords and Authentication
• Weakest security link in any network
– Authorized users
• Most difficult to secure
• Relies on people following policy
• Lack of general understanding to risks or impacts
– Companies should take steps to address it
• Mandatory annual IT awareness training
• Logical protective measures
– Minimum password length
– Maximum password age
• Migration to multi-factor authentication
• Password Policy Minimum Criteria
• A comprehensive password policy is critical
1. Should include:
• Change regularly
• Require at least six characters (even MS says min 8)
• Require complex passwords (consider passphrases)
• Passwords can’t be common words, dictionary words, slang, jargon, or dialect
(consider character substitution)
• Passwords must not be identified with a user
• Never write it down or store it online or in a file
• Do not reveal it to anyone (including IT, co-worker, etc…)
• Use caution when logging on and limit reuse
• Configure domain controllers
– Enforce password age, length, and complexity
• Password policy aspects that can be enforced:
– Account lockout threshold
• Set number of failed attempts before account is disabled temporarily
– Account lockout duration
• Set period of time account is locked out after failed logon attempts
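The policy criteria and lockout settings above, as an added example (not code from the course notes or from any Windows component): a password check covering length, complexity, dictionary words with common character substitutions undone, and the user name; and a small lockout model with a threshold and duration. The word list, the thresholds (8 characters, 3 classes, 5 attempts, 15 minutes) and the injectable clock are constructed choices, not any vendor's defaults:

```python
"""Password-policy and account-lockout checks for the criteria listed above.

Added example, not from the course notes. COMMON_WORDS, the numeric defaults
and the injectable clock are constructed choices.
"""
import re
import time

COMMON_WORDS = {"password", "welcome", "letmein", "summer", "company", "admin"}
# Undo the usual character substitutions before the dictionary check (@->a, $->s, ...).
SUBSTITUTIONS = str.maketrans("@$!013", "asiole")
CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def check_password(password, username, min_length=8, min_classes=3):
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = sum(1 for p in CLASS_PATTERNS if re.search(p, password))
    if classes < min_classes:
        problems.append(f"uses fewer than {min_classes} character classes")
    normalized = password.lower().translate(SUBSTITUTIONS)
    if any(word in normalized for word in COMMON_WORDS):
        problems.append("contains a common or dictionary word (substitutions undone)")
    if username and username.lower() in normalized:
        problems.append("contains the user name")
    return problems


class LockoutPolicy:
    """Account lockout threshold and duration, as a domain controller would enforce.
    `now` is injectable so the expiry can be tested without waiting."""

    def __init__(self, threshold=5, duration_s=15 * 60, now=time.monotonic):
        self.threshold = threshold
        self.duration_s = duration_s
        self.now = now
        self.failures = {}      # user -> count of recent failed logons
        self.locked_until = {}  # user -> time at which the lock expires

    def is_locked(self, user):
        until = self.locked_until.get(user)
        if until is None:
            return False
        if self.now() >= until:          # lock expired: clear it and the counter
            del self.locked_until[user]
            self.failures.pop(user, None)
            return False
        return True

    def record_failure(self, user):
        """Register a failed logon; return True when the account is (now) locked."""
        if self.is_locked(user):
            return True
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.threshold:
            self.locked_until[user] = self.now() + self.duration_s
            return True
        return False

    def record_success(self, user):
        """A successful logon clears the failure counter, unless the account is locked."""
        if not self.is_locked(user):
            self.failures.pop(user, None)


if __name__ == "__main__":
    print(check_password("P@ssw0rd1", "alice"))
    print(check_password("correct-horse-battery-staple-42", "bob"))
```

The lockout threshold slows password guessing against an enumerated user list; the duration is what bounds the denial-of-service an attacker can cause by deliberately tripping it, which is why both values are set together.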
Tools for Identifying Vulnerabilities in Windows
Many tools are available for discovering Windows vulnerabilities. Using more than
one tool for analysis is advisable, so learning a variety of methods and tools is beneficial
to your career. Familiarity with several tools also helps you pinpoint problems more
accurately.
• Built-in Windows Tools
• Microsoft Baseline Security Analyzer (MBSA)
– Capable of checking for:
• Patches
• Security updates
• Configuration errors
• Blank or weak passwords
– Can be set for system roles
• SQL Server
• Web Server
• Domain Controller
• Workstation
Using MBSA
Any computer meeting the system requirements shown in Table 8.3 can scan
another computer or be scanned locally or remotely by MBSA. MBSA has its origins in
the HFNetchk scanner created by Mark Shavlik, a Windows NT developer.
Microsoft collaborated with Shavlik to develop and refine MBSA. The latest MBSA
version uses the dynamic features of Windows Update.
Best Practices for Hardening Windows Systems
As a penetration tester, your job is simply to find vulnerabilities and report them as
defined in your contract. Your responsibility ends there. However, a security tester must
not only find vulnerabilities; he or she must be familiar with methods of correcting them.
Typically, managers want solutions included with reports of potential problems,
particularly for technologies they might not fully understand.
• Security Tester
– Finds vulnerabilities
Patching Systems
• Best way to keep systems secure
– Keep up to date
• Attackers take advantage of known vulnerabilities
• Options for small networks
– Accessing Windows Update manually
– Configure Automatic Updates
• Options for large networks
– Systems Management Server (SMS or SCCM)
– Windows Software Update Service (WSUS)
• Third-party patch management solutions
Antivirus Solutions
• Antivirus solution is essential
– Small networks
• Desktop antivirus tool with automatic updates
– Large networks
• Require corporate-level solution
– Antivirus tools
• Almost useless if not updated regularly
• Configure to disallow local users from disabling them
Enable Logging and Review Logs Regularly
• Important step for monitoring critical areas
– Performance
– Traffic patterns
– Possible security breaches
• Can have negative impact on performance
• Review regularly
– Signs of intrusion or problems
• Use log-monitoring tool
• SIEM effective but very expensive
Disable Unused Services and Filtering Ports
Disabling unneeded services and deleting unnecessary applications or scripts makes
sense because they give intruders a potential point of entry into a network. For
example, if you have a Windows Server 2008 system acting as a file server, you
certainly don’t need DNS services running on it; doing so leaves port 53 TCP/UDP open
and vulnerable to attack. The idea is simple: open only what needs to be open, and
close everything else. This is also known as reducing the attack surface.
Some ports frequently subject to attack include the following:
● FTP (20 and 21 TCP)
● TFTP (69 UDP)
● Telnet (23 TCP)
● DNS (53 TCP/UDP)
● NNTP (119 TCP)
● NetBIOS (135 TCP/UDP, 137 and 138 UDP, 139 TCP)
● Windows 2000 NetBIOS (445 TCP/UDP)
● Remote Desktop Protocol (3389 TCP)
● SNMP (161 and 162 TCP/UDP)
● Windows RPC programs (1025 to 1039 TCP/UDP)
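The file-server example and the port list above, turned into a check, as an added example (not code from the course notes): it parses netstat-style output for listening sockets, compares them with what a given server role needs, and labels the surplus ports with the services from the list. The netstat lines, the file-server allow-list and the role name are constructed:

```python
"""Attack-surface check: list listening ports from netstat-style output and
flag any that a given server role does not need.

Added example, not from the course notes. NETSTAT_SAMPLE, ROLE_ALLOWED and
the role name "file-server" are constructed.
"""
import re

# (protocol, port) -> service, from the list of frequently attacked ports above.
FREQUENTLY_ATTACKED = {
    ("tcp", 20): "FTP", ("tcp", 21): "FTP", ("udp", 69): "TFTP", ("tcp", 23): "Telnet",
    ("tcp", 53): "DNS", ("udp", 53): "DNS", ("tcp", 119): "NNTP",
    ("tcp", 135): "NetBIOS/RPC", ("udp", 135): "NetBIOS/RPC",
    ("udp", 137): "NetBIOS", ("udp", 138): "NetBIOS", ("tcp", 139): "NetBIOS",
    ("tcp", 445): "SMB", ("udp", 445): "SMB", ("tcp", 3389): "RDP",
    ("tcp", 161): "SNMP", ("udp", 161): "SNMP", ("tcp", 162): "SNMP", ("udp", 162): "SNMP",
}
for _p in range(1025, 1040):
    FREQUENTLY_ATTACKED[("tcp", _p)] = "Windows RPC"
    FREQUENTLY_ATTACKED[("udp", _p)] = "Windows RPC"

# Constructed allow-list: what a Windows file server needs to expose.
ROLE_ALLOWED = {
    "file-server": {("tcp", 445), ("tcp", 139), ("udp", 137), ("udp", 138)},
}

# Constructed `netstat -an` style output from a file server that also runs DNS, RDP and SNMP.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:53             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:445         192.0.2.77:51234       ESTABLISHED
  UDP    0.0.0.0:53             *:*
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:161            *:*
"""

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?\s*$")


def listening_sockets(netstat_text):
    """Return the set of (protocol, port) that are listening (UDP sockets count as listening)."""
    sockets = set()
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, _local, port, state = m.groups()
        proto = proto.lower()
        if proto == "tcp" and state != "LISTENING":
            continue
        sockets.add((proto, int(port)))
    return sockets


def audit_role(netstat_text, role):
    """List (protocol, port, label) for every listener the role does not need."""
    allowed = ROLE_ALLOWED[role]
    findings = []
    for proto, port in sorted(listening_sockets(netstat_text)):
        if (proto, port) in allowed:
            continue
        label = FREQUENTLY_ATTACKED.get((proto, port), "not in allow-list")
        findings.append((proto, port, label))
    return findings


if __name__ == "__main__":
    for proto, port, label in audit_role(NETSTAT_SAMPLE, "file-server"):
        print(f"{proto}/{port}: {label}")
```

Run against real `netstat -an` output, the report is the list of services to disable or filter for that role; the established connection in the sample is ignored because it is not a listener.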
Other practices include:
• Use TCP/IP filtering
• Delete unused scripts and sample applications
• Delete default hidden shares
• Use unique naming scheme and passwords
• Be careful of default permissions
• Use appropriate packet-filtering techniques
• Use available tools to assess system security
• Disable Guest account
• Rename Administrator Accounts
• Never use default passwords
• Rename default Administrator account
• Make sure there are no accounts with blank passwords
Linux OS Vulnerabilities
Linux can be made more secure if users are aware of its vulnerabilities and keep
current on new releases and fixes. It’s assumed you have some experience working
with a *nix OS and the basics of the Linux OS and file system. Many Linux versions are
available, with differences ranging from slight to major.
For example, Red Hat and Fedora Linux use the yum command to update and
manage RPM packages, and Ubuntu and Debian (and the Linux version included with
BackTrack) use the apt-get command to update and manage DEB packages.
• It’s important to understand basics
• Run control and service configuration
• Directory structure and file system
• Basic shell commands and scripting
• Package management
Samba
• Open-source implementation of CIFS
• Created in 1992
• Allows sharing resources over a network
• Security professionals should have basic knowledge of SMB and Samba
• Many companies have a mixed environment of Windows and *nix systems
• Used to “trick” Windows services into believing *nix resources are Windows resources
Tools for Identifying Linux Vulnerabilities
• CVE Website
• Source for discovering possible attacker avenues
• OpenVAS can enumerate multiple OSs
• Security tester using enumeration tools can:
• Identify a computer on the network by using port scanning and zone transfers
• Identify the OS by conducting port scanning and enumeration
• Identify via enumeration any logon accounts and passwords
• Learn names of shared folders by using enumeration
• Identify services running
The following example shows OpenVAS enumerating a Linux computer. Figure 8.4 shows the
OpenVAS report after a Linux computer with the IP address 192.168.1.102 has been scanned.
(The rhel in the left pane indicates a Red Hat Enterprise Linux 5.3 system.)
Many of the vulnerabilities OpenVAS has discovered allow running remote code, which means
attackers could gain complete access to the system. In Figure 8.7, OpenVAS found that the
Linux computer runs a vulnerable version of the ISC DHCP client, which is susceptible to a
buffer overflow attack.
Checking for Trojan Programs
1. Most Trojan programs perform one or more of the following:
• Allow remote administration of the attacked system
• Create a file server on the attacked computer
  – Files can be loaded and downloaded
• Steal passwords from the attacked system
  – E-mail them to the attacker
• Log keystrokes
  – E-mail results or store them in a hidden file the attacker can access remotely
2. Linux Trojan programs
• Sometimes disguised as legitimate programs
• Contain program code that can wipe out file systems
• More difficult to detect today
• Protecting against identified Trojan programs is easier
3. Rootkits containing Trojan binary programs
• More dangerous
• Attackers hide tools
  – Perform further attacks
  – Have access to backdoor programs
Countermeasures Against Linux Attacks
• Most critical tasks:
  – User awareness training
  – Keeping current
  – Configuring systems to improve security
User Awareness Training
• Inform users:
  • No information should be given to outsiders
  • Knowing the OS makes attacks easier
  • Be suspicious of people asking questions
  • Verify who they are talking to
  • Call them back
Keeping Current
• As soon as a vulnerability is discovered and posted, OS vendors notify customers of:
  • Upgrades
  • Patches
• Installing fixes promptly is essential
• Linux distributions
  • Most have warning methods
Secure Configuration
• Many methods to help prevent intrusion:
  • Vulnerability scanners
  • Built-in Linux tools
  • Free benchmark tools
    • Center for Internet Security
    • Security Blanket (Trusted Computer Solutions)
Vulnerabilities of Embedded OS
Some security professionals can remember when computer attacks typically
caused damage equivalent to graffiti on a building. Offensive, yes, but not damaging
enough to concern most security professionals. However, the impact of attacks has
become more serious, and embedded OSs are no exception. You have found that many
embedded OSs have vulnerabilities. Web sites such as www.milw0rm.com and
www.packetstormsecurity.org have information on what hackers are doing with these
vulnerabilities.
Many hackers today want more than just notoriety, however; they’re criminals looking
for ways to steal money. The easiest way to profit from hacking is to attack devices
where cash is stored and dispensed by a computer: ATMs. The most common ATM
attacks involve using card skimmers or actually stealing the machines. A security
researcher, Barnaby Jack of Juniper Networks, announced a vulnerability in a line of
popular ATMs that made both local and remote attacks possible. An insider, such as an
authorized technician, was needed to install the malicious code, and then an
accomplice inserted a specially designed control card that allowed complete control of
the ATM, including unlimited cash dispensing and printing account numbers and PINs.
Considering that an ATM can store hundreds of thousands of dollars, the embedded OS
in an ATM is an attractive target to hackers.
Embedded OSs Are Everywhere
Billions of embedded systems with the Y2K (for “Year 2000”) software flaw would
suddenly stop or fail when the clock struck midnight. These embedded systems were
located everywhere, including critical infrastructure controls for power, communications,
transportation, and more, so enormous amounts of time and money were spent fixing
them to prevent potential disaster. Today, there are many more embedded devices to be
concerned about than in 2000. These embedded devices don’t have the Y2K software
flaw, but they’re under attack from hackers and terrorists who want to further their
financial or political causes.
Embedded OSs Are Networked
For reasons of efficiency and economy, connecting embedded systems to a
network has advantages. Being able to manage systems and share services while
keeping the amount of human resources and expertise to a minimum helps companies
reduce costs. Gaining efficiency and reducing costs have a price, however: Any device
added to a network infrastructure increases the potential for security problems. Security
testers should address questions such as the following for every machine or device on a
network:
● What Peripheral Component Interconnect (PCI) devices are present?
● Where were they manufactured? Is the supply chain trustworthy?
● Which devices have embedded OSs stored in rewritable (nonvolatile) memory?
  Rewritable memory can be flashed (that is, erased and rewritten quickly).
● Which embedded OS is currently loaded on each device?
Embedded OSs Are Difficult to Patch
Patching on general-purpose computers is usually simple, but patching embedded
OSs can be a problem. For example, many skilled system administrators know how to
patch a Web server for Linux, Windows, or Solaris UNIX OSs running on standard Sun
or x86 PC hardware, but they might have no clue how to patch a Web server running on
a tiny chip (called a “16-bit microcontroller”) inside a plastic box the size of a deck of
cards. Many embedded OSs lack the familiar interfaces of general-purpose computers;
for example, usually there’s no CD/DVD-ROM drive, which you’d normally use to install
updated software.
However, the amount of time and expertise an attacker would need to exploit this
minor vulnerability is extremely high, too. For these types of vulnerabilities, you must
weigh the cost of fixing the vulnerability against the importance of the information the
embedded system controls. You might recommend not fixing the vulnerability because
it’s secure enough for the minor risk involved.
Embedded OSs Are in Networking Devices
Networking devices, such as routers and switches, usually have software and
hardware designed for the tasks of transmitting information across networks. Originally,
general-purpose computers were used to perform routing and switching, but high-speed
networks now use specialized hardware and embedded OSs. Cisco, for example, used
mainly proprietary code in its embedded systems in the past. By using more open
source code, however, Cisco can release new product features more quickly. Cisco
uses Linux kernels in its latest VoIP Call Manager appliances and Adaptive Security
Appliance (ASA) firewall. Other embedded OSs for networking devices are modified *nix
OSs. For example, Juniper’s and Extreme Networks’ OSs are based on UNIX.
To compromise an entire network through a router, attackers follow the usual
methods of footprinting, scanning, and enumerating the target. After bypassing
authentication, attackers can launch other network attacks by using the access they
gained through compromising the router.
Embedded OSs Are in Network Peripherals
The most common peripheral devices on an organization’s network are
printers, scanners, copiers, and networked fax devices. Devices performing more than
one of these functions are called multifunction devices (MFDs). Usually, the only time
system or network administrators think about an MFD is when they’re troubleshooting
an existing one or adding one to the network. The rest of the time, these network
peripherals are forgotten. They’re rarely scanned for vulnerabilities or configured for
security.
Some sophisticated printers run embedded Windows OSs, so they could be infected
by common malware, too. MFDs and print servers with hard drives can certainly be
used to spread malware if they have network-accessible shares. Attackers who want to
use a printer to infect many systems on a network could insert malicious links that pop
up on users’ desktops every time the printer is low on toner, for example.
In many older printers, all available networking protocols are enabled by default. If a
printer is secured via its IP address, attackers could simply connect to it with a different
protocol, such as IPX or AppleTalk. Because these printers also have default
administrator usernames and passwords, unauthorized users can connect to them as
administrators.
Supervisory Control and Data Acquisition Systems
Supervisory control and data acquisition (SCADA) systems are used for equipment
monitoring in large industries, such as public works and utilities, power generators and
dams, transportation systems (such as FAA control towers), manufacturing, and anywhere
automation is critical.
SCADA systems sometimes have many embedded systems as components,
which might be vulnerable through the data fed in and out of them or through their
embedded OSs. In any case, it’s no exaggeration to say the security of some SCADA
systems is a life-or-death proposition. For this reason, SCADA systems controlling
critical infrastructure are usually separated from the Internet by an “air gap.”
Cell Phones, Smartphones, and PDAs
From a security perspective, conversations over traditional phones have been
considered protected. Tapping a phone line used to require a lot of time, expensive
technical equipment, and a warrant. Even then, all you could do was listen to a
conversation. Surprisingly, many people have the same security expectations of
cellphones, smartphones, and PDAs. PDAs are vulnerable to the same attacks as cell
phones, but they have additional vulnerabilities associated with PDA applications and
services. Smartphones, such as BlackBerrys and iPhones, combine the functions of
PDAs and cell phones, so they have even more vulnerabilities.
Rootkits
Rootkits exist for Windows and *nix OSs, so embedded versions of these OSs are
vulnerable to them, too. Rootkits can modify parts of the OS or install themselves as
kernel modules, drivers, libraries, and even applications.
Rootkit-detection tools and some antivirus software can detect rootkits and prevent
them from being installed. However, the problem becomes more difficult if the OS has
already been compromised. Installing these tools on an infected system doesn’t
normally trigger alerts because rootkits can monitor the OS for anti-rootkit tools and
neutralize them.
A computer might have several megabytes of flash ROM on the motherboard and
controller cards, such as the Ethernet controller. Firmware rootkits are hard to detect
because the code for firmware often isn’t checked for possible corruption.
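Added example (not from the course text) of the file-integrity check that the Trojan and rootkit sections above call for: baseline SHA-256 digests of a directory of binaries while the system is known clean, then report files that were modified, deleted, or newly dropped, with hidden dotfiles called out separately. The directory, the file names ls and ps, and the tampering in demo() are constructed; the same comparison applies to a dumped firmware image treated as a file.

```python
import hashlib
import os
import tempfile

def sha256_of(path):
    """Hash a file in chunks so large binaries or a dumped firmware image fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_baseline(root):
    """Map each regular file under root (relative path) to its SHA-256 digest."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                baseline[os.path.relpath(full, root)] = sha256_of(full)
    return baseline

def compare(baseline, current):
    """Return sorted (finding, path) pairs: modified, deleted, added and hidden files."""
    findings = []
    for rel, digest in current.items():
        if rel not in baseline:
            hidden = os.path.basename(rel).startswith(".")  # dropped dotfiles are a Trojan habit
            findings.append(("hidden-file-added" if hidden else "added", rel))
        elif baseline[rel] != digest:
            findings.append(("modified", rel))
    findings.extend(("deleted", rel) for rel in baseline if rel not in current)
    return sorted(findings)

def demo():
    """Constructed scenario: baseline a fake bin directory, then tamper with it."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("ls", b"\x7fELF ls-binary"), ("ps", b"\x7fELF ps-binary")):
            with open(os.path.join(root, name), "wb") as f:
                f.write(body)
        baseline = build_baseline(root)          # taken while the system is known clean
        with open(os.path.join(root, "ps"), "ab") as f:
            f.write(b"trojan-payload")           # ps replaced by a trojaned copy
        with open(os.path.join(root, ".keys.log"), "wb") as f:
            f.write(b"captured keystrokes")       # hidden keystroke log dropped by the Trojan
        os.remove(os.path.join(root, "ls"))       # legitimate binary removed
        return compare(baseline, build_baseline(root))
```

Store the baseline off the host (or on read-only media), since a rootkit that can modify the binaries can also rewrite a baseline kept beside them.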
Best Practices for Protecting Embedded OSs
You’ve learned that your job as a security tester is to discover and document
vulnerabilities and recommend ways to fix them. Now that you know embedded OSs
have vulnerabilities similar to those in general-purpose OSs as well as additional
security challenges, what can you do?
● Identify all embedded systems in an organization.
● Prioritize the systems or functions that depend on these embedded systems.
● Follow the least privileges principle for access to embedded systems.
● Use data transport encryption, when possible, for embedded system
communication.
● Configure embedded systems as securely as possible and follow manufacturers’
recommendations.