Enumeration

Local IP addresses Local IP addresses (review)  Some special IP addresses  localhost (loopback address)  Internal networks  Class A  Class B to  Class C to  Machines behind a firewall can use these internal IP numbers to communicate among them.  Only the firewall machine/device (host) needs to have an IP address valid in the Internet.

What is enumeration?  Categories  network resources and shares  users and groups  applications and banners  Techniques (OS specific)  Windows  UNIX/Linux Obtain information about accounts, network resources and shares.

Windows applications and banner enumeration  Telnet and netcat: same in NT and UNIX.  Telnet: Connect to a known port and see the software it is running, as in this example.example  Netcat: similar to telnet but provides more information.more information  Countermeasures: log remotely in your applications and edit banners.  FTP (TCP 21), SMTP (TCP 25) : close ftp, use ssh (we will see it later). Disable telnet in mail servers, use ssh.  Registry enumeration: default in Win2k and above Server is Administrators only.  Tools: regdmp (NTResource Kit) and DumpSec (seen previously).  Countermeasures: be sure the registry is set for Administrators only and no command prompt is accessible remotely (telnet, etc).  Novell, UNIX, SQL enumeration will be seen in another class.

Windows general security  Protocols providing information: CIFS/SMB and NetBIOS, through TCP port 139, and another SMB port, 445.  Banner enumeration is not the main issue. (UDP 137),  Null session command: net use \\19x.16x.11x.xx\IPC$ “” /u:””  countermeasures:  filter out NetBIOS related TCP, UDP ports (firewall).  disable NetBIOS over TCP/IP see ShieldsUp! page on binding.ShieldsUp! binding.  restrict anonymous using the Local Security Policy applet. More here. GetAcct bypasses these actions.Local Security Policy applethereGetAcct  Good source of system and hacking tools: Resource kits XP and 7. Some tools were re-written by hackers.XP7

Windows network resources  NetBIOS enumeration (if port closed, none work)  NetBIOS Domain hosts: net viewnet view  NetBios Name Table: nbtstat use and example and nbtscan. useexamplenbtscan  NetBIOS shares: DumpSec, Legion, NetBIOS Auditing Tool (NAT), SMBScanner, NBTdump (use, output).DumpSecLegionNATSMBScanneruseoutput  Countermeasures: as discussed previously = close ports , disable NetBIOS over TCP/IP  SNMP enumeration: SolarWinds IP Network Browser (commercial, see book).  Countermeasures: Windows close port 445.  Windows DNS Zone Transfers: Active Directory is based on DNS and create new vulnerability, but provides tool -- “Computer Management” Microsoft Management Console (MMC) -- to restrict zone transfers to certain IP numbers.Computer Management

Windows: user and group enumeration  Enumerating Users via NetBIOS: usernames and (common) passwords. Enum: use and output. DumpSec: output.commonuseoutput  Countermeasures: as before (close ports, no NetBIOS over TCP/IP)  Enumerating Users using SNMP: SolarWinds IP Network Browser. See also snmputil and read more in the book.IP Network Browser.snmputil  Windows Active Directory enumeration using ldp: Win 2k on added LDAP through the active directory - - you login once (the good) and have access to all resources (the security problem).  Threat and countermeasures in the book (better dealt with in Operating Systems):  close ports 389 and 3268,  upgrade all systems to Win2k or above before migrating to Active Directory.