Adrian Crenshaw

 I run Irongeek.com
 I have an interest in InfoSec education
 I don’t know everything - I’m just a geek with time on my hands
 Sr. Information Security Consultant at TrustedSec
 Co-Founder of Derbycon

 Skydogcon wanted something basic, decided to use it at Hack3rcon too
 Who cares about Domain Admin if you can get the data without it
 Ok, my ego cares, but…
 Get the data
 Trojan the EXEs
 Add your SSH keys
 Vulnerabilities get patched, common configuration mistakes last forever
 Everybody screws it up

 Server Message Block Protocol
 Evolved into Common Internet File System (CIFS)
 Communicates over
   445/TCP or
   137/UDP, 138/UDP, & 137/TCP, 139/TCP or
   NetBEUI
 Also supports Inter-Process Communication (IPC) named pipes

 Invented by IBM
 Microsoft used it in its answer to Novell Netware, LAN Manager
 Samba uses it in *nix environments
 Changed over the years
   SMB 2
   SMB 2.1
   SMB 3.0
   SMB 3.02

 Windows 2000 & XP

 Windows NT 4/2000: Anonymous Security Identifier (SID) was part of the Everyone metagroup
 Windows XP forward, it is not, must be authenticated
 Homegroup?
 Share Level vs NTFS Permissions
 What version of Windows?
 Authenticate with Microsoft account?

 $ suffix hides from built-in Windows tools, but not others
 Admins think it does
 Not the same as Samba’s browseable=no setting
 About the same thing as not broadcasting your SSID

 How easy is it to integrate with current authentication?
   Samba
   AS/400
   OS X
   SOHO NAS

 Anonymous
 Local Hash (WCE or Built-in to the tool)
 Null Sessions
   1. nslookup domainname
   2. enum4linux -a someip > enum4linux-a.txt
   3. grep "Domain Users" enum4linux-a.txt | cut -d '\' -f 2 > users.txt
   4. hydra -L users.txt -P passwords.txt smb
   5. hydra -L users.txt -e nsr smb
 Responder and crack challenge response

 WCE
   wce.exe -g somepassword
   wce.exe -s someuser:somedomain:90172B990B993E317 6FDE78389BE2CE2:DE4DB66B3AFD1319F4442 D FAC

 Based on NetBIOS service location protocol
 net view

1. use auxiliary/scanner/smb/smb_enumshares
2. set rhosts /24
3. set smbuser adrian
4. set SMBpass somepassword
5. set spidershares true
6. set showfiles true
7. set threads
8. run

 nmap -sU -sS --script smb-enum-shares.nse -p U:137,T:139, --script-args smbusername=adrian,smbpassword=somepass --open /24
 smbhash

Nmap scan report for Cthulhu ( )
Host is up (0.078s latency).
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
137/udp open  netbios-ns
MAC Address: A4:17:31:02:7B:50 (Hon Hai Precision Ind. Co.)

Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access:
|     Current user ('adrian') access:
|   C
|     Anonymous access:
|     Current user ('adrian') access: READ
|   C$
|     Anonymous access:
|     Current user ('adrian') access:
|   IPC$
|     Anonymous access: READ
|_    Current user ('adrian') access: READ

Nmap done: 256 IP addresses (10 hosts up) scanned in seconds

 Quickly know what access you have
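As an added example (not from the talk), a small Python parser for smb-enum-shares reports like the one above: it pulls out each share's anonymous and authenticated access and flags anything anonymous can reach or anyone can write, which is the quick access picture this slide is after and a cheap way to spot rogue shares on your own network. The sample report, host names and IPs are constructed.

```python
import re

# Constructed sample shaped like the slide's nmap report (made-up hosts/IPs; <none> = no access).
SAMPLE_REPORT = """\
Nmap scan report for Cthulhu (192.0.2.10)
| smb-enum-shares:
|   C
|     Anonymous access: <none>
|     Current user ('adrian') access: READ
|   IPC$
|_    Anonymous access: READ
Nmap scan report for Fileserver (192.0.2.20)
| smb-enum-shares:
|   Public
|_    Anonymous access: READ/WRITE
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
ACCESS_RE = re.compile(r"^\|_?\s+(Anonymous|Current user \('[^']*'\)) access: (.*)$")
SHARE_RE = re.compile(r"^\|_?\s+([^\s:]+)$")  # "|   NAME" but not "| smb-enum-shares:"

def parse_share_report(text: str) -> dict:
    """Parse smb-enum-shares output into {host: {share: {who: access}}}."""
    hosts, host, share = {}, None, None
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            host, share = m.group(1), None
            hosts[host] = {}
        elif host and share and (m := ACCESS_RE.match(line)):
            who = "anonymous" if m.group(1) == "Anonymous" else "current_user"
            hosts[host][share][who] = m.group(2).strip() or "<none>"
        elif host and (m := SHARE_RE.match(line)):
            share = m.group(1)
            hosts[host][share] = {}
    return hosts

def exposed_shares(hosts: dict, ignore_ipc: bool = True) -> list:
    """(host, share, who, access) for shares anonymous can reach or anyone can write.
    IPC$ is anonymously readable on many Windows hosts (the null-session foothold
    from the earlier slides), so it is filtered by default to cut noise."""
    findings = []
    for host, shares in hosts.items():
        for share, acl in shares.items():
            if ignore_ipc and share == "IPC$":
                continue
            for who, access in acl.items():
                if access != "<none>" and (who == "anonymous" or "WRITE" in access):
                    findings.append((host, share, who, access))
    return findings
```

Feed it the saved stdout of the nmap command from the previous slide; pass ignore_ipc=False to also list hosts where IPC$ answers anonymously.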

 General -> Up thread count
 Additional -> Grab HTTP & FTP server banner
 Work Stations -> Lookup logged on users
 Share -> Enumerate All

Getting the most out of shares

 Use operators in CAPITALS

 \d{3}-\d{2}-\d{4}|\d{9}|(?i)ssn
 grepWin
 AstroGrep
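An added example, not from the talk: the SSN pattern above run over a directory tree with Python instead of grepWin/AstroGrep, reporting redacted hits per file so the scan output is safe to hand around. The sample files are constructed; the inline (?i) has to move to the front of the pattern for Python 3.11+, which the helper handles.

```python
import re
import tempfile
from pathlib import Path

# The slide's pattern exactly as typed into grepWin/AstroGrep.
SLIDE_PATTERN = r"\d{3}-\d{2}-\d{4}|\d{9}|(?i)ssn"

def compile_portable(pattern: str) -> re.Pattern:
    """Compile a grepWin-style pattern for Python.
    Python 3.11+ rejects an inline (?i) that is not at the very start, so the
    flag is hoisted; applying it to the digit alternatives changes nothing."""
    if "(?i)" in pattern and not pattern.startswith("(?i)"):
        pattern = "(?i)" + pattern.replace("(?i)", "")
    return re.compile(pattern)

SSN_RE = compile_portable(SLIDE_PATTERN)

def redact(hit: str) -> str:
    """Keep only the last four characters so the report itself does not leak SSNs."""
    return hit if len(hit) <= 4 else "*" * (len(hit) - 4) + hit[-4:]

def scan_tree(root: Path, pattern: re.Pattern = SSN_RE, max_bytes: int = 5_000_000) -> dict:
    """Return {relative_path: [redacted hits]} for every file under root with a match."""
    hits = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.stat().st_size > max_bytes:
            continue  # skip directories and oversized files (ISOs, VM images)
        text = path.read_bytes().decode("utf-8", errors="ignore")  # tolerate binaries
        found = [redact(m.group(0)) for m in pattern.finditer(text)]
        if found:
            hits[path.relative_to(root).as_posix()] = found
    return hits

def demo() -> dict:
    """Build a constructed mini 'share' in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "hr").mkdir()
        (root / "hr" / "payroll.csv").write_text("name,ssn\nAlice,123-45-6789\nBob,987654321\n")
        (root / "notes.txt").write_text("Ask HR for the SSN list.\n")
        (root / "readme.txt").write_text("Nothing to see here.\n")
        return scan_tree(root)
```

Run demo() for the constructed tree, or point scan_tree at a mounted share (for example Path("/mnt/share")) to audit your own file servers for leaked identifiers.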

Tweaks to secure and scan better

 Deny access to this computer from the network
   Under Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment

 HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel
 SecPol.msc

| Level | Group Policy Name | Sends | Accepts | Prohibits Sending |
|---|---|---|---|---|
| 0 (Windows NT 4, 2000, XP) | Send LM and NTLM Responses | LM, NTLM; NTLMv2 Session Security is negotiated | LM, NTLM, NTLMv2 | NTLMv2 Session Security (on Windows 2000 below SRP1, Windows NT 4.0, and Windows 9x) |
| 1 | Send LM and NTLM — use NTLMv2 session security if negotiated | LM, NTLM; NTLMv2 Session Security is negotiated | LM, NTLM, NTLMv2 | NTLMv2 |
| 2 | Send NTLM response only | NTLM; NTLMv2 Session Security is negotiated | LM, NTLM, NTLMv2 | LM and NTLMv2 |
| 3 (Vista, 7, etc.) | Send NTLMv2 response only | NTLMv2 Session Security is always used | LM, NTLM, NTLMv2 | LM and NTLM |
| 4 | Send NTLMv2 response only/refuse LM | NTLMv2 Session Security | NTLM, NTLMv2 | LM |
| 5 | Send NTLMv2 response only/refuse LM and NTLM | NTLMv2, Session Security | NTLMv2 | LM and NTLM |

Based on

 Finding Rogue SMB File Shares On Your Network
 Finding the Leaks
 nessuscmd Tip: Finding Open SMB File Shares

Derbycon Sept 23rd-27th,
Others
Photo Credits to KC (devauto)
Derbycon Art Credits to DigiP
