Presentation is loading. Please wait.

Presentation is loading. Please wait.

Enumeration. Definition Scanning identifies live hosts and running services Enumeration probes the identified services more fully for known weaknesses.

Published byDarleen Owens Modified over 9 years ago

Similar presentations

Presentation on theme: "Enumeration. Definition Scanning identifies live hosts and running services Enumeration probes the identified services more fully for known weaknesses."— Presentation transcript:

1 Enumeration

2 Definition Scanning identifies live hosts and running services Enumeration probes the identified services more fully for known weaknesses Enumeration is more intrusive, using active connections and directed queries Enumeration will usually be logged and noticed

3 Goals of Enumeration User account names to inform subsequent password-guessing attacks Oft-misconfigured shared resources for example, unsecured file shares Older software versions with known security vulnerabilities such as web servers with remote buffer overflows

4 Normal nmap Scan

5 nmap Version Scanning

6 Vulnerability Scanners Very noisy and easy to detect Thorough and slow Nessus OpenVAS Cenzic Hailstorm Accunetrix Many others

7 Nessus Probably most well-known vulnerability assessment tool Uses nmap for initial port scanning Two-level architecture Server: runs scans Client: control scans, view reports http://www.nessus.org

8 Nessus Structure Uses plug-ins to abstract vulnerability tests Tests further grouped into families Uses accounts for authorization Can configure through running server interactively as opposed to running server in daemon state

9 Nessus Notes Plugins tab Be careful with enabling all plugins Dangerous plugins can interrupt or even crash services on ports

10 Nessus results Good graphical interface Listing of findings with recommendations Examples: http://www.nessus.org/demos

11 Banner Grabbing with netcat

12 Telnet in Vista and Windows 7 First you need to install Telnet In Control Panel, Programs and Features, Turn Windows Features on or off, check Telnet Client

13 Banner Grabbing Connecting to remote applications and observing the output Simple way, at a command prompt telnet www.just.edu.jo 80www.just.edu.jo On the next blank screen type in GET / HTTP/1.1 Press Enter twice

14 Example Banners www.ccsf.edu tells you too much cnn.com is better

15 Netcat Banner Grabs

16 Banner-Grabbing Countermeasures Turn off unnecessary services Disable the presentation of the vendor and version in banners Audit yourself regularly with port scans and raw netcat connects to active ports

17 Enumerating Common Network Services FTP, TCP 21 Telnet, TCP 23 SMTP, TCP 25 DNS, TCP/UDP 53 TFTP, TCP/UDP 69 Finger, TCP/UDP 79 HTTP, TCP 80

18 FTP Enumeration, TCP 21 FTP is becoming obsolete, see ftp.sun.com FTP passwords are sent in the clear Don't allow anonymous uploads Turn it off, use secure FTP instead

19 Googling for FTP Servers Search for intitle:"Index of ftp://" Here's an overly informative HTTP banner

20 FTP Banner Here's the corresponding overly informative FTP banner

21 Eliminate FTP Plaintext password transmission! Alternatives: SFTP (over SSH) FTPS (over SSL) Public content should be served over HTTP, not FTP

22 Enumerating Telnet, TCP 23 Telnet sometimes has banners, and allows bruteforce username enumeration It sends passwords in cleartext Telnet should be eliminated if possible Use SSH instead If you must use Telnet, restrict it to proper source IP addresses Or run it through a VPN

23 Enumerating SMTP, TCP 25 SMTP can be enumerated with Telnet, using these commands VRFY confirms names of valid users EXPN reveals the actual delivery addresses of aliases and mailing lists

24 Antivirus Note McAfee antivirus blocks telnets to port 25 "Prevent mass mailing worms from sending mail"

25 SMTP Enumeration Countermeasures Disable the EXPN and VRFY commands, or restrict them to authenticated users Sendmail and Exchange both allow that in modern versions

26 DNS Zone Transfers, TCP 53 Zone transfers dump the entire contents of a given domain's zone files Restricted to authorized machines on most DNS servers now

27 Zone Transfer Example

28 DNS Cache Snooping +norecurse – examines only the local DNS data (note ANSWER: 0)

29 Recursive DNS

30 Now It's in the Cache

31 DNS Enumeration Tools dnsenum Google scraping Brute forcing More

32 DNS Enumeration Countermeasures Use separate internal and external DNS servers Block or restrict DNS zone transfers Restrict DNS queries to limit cache snooping

33 Enumerating TFTP, TCP/UDP 69 TFTP is inherently insecure Runs in cleartext No authentication at all Anyone can grab any file (even /etc/passwd in the worst cases) Used in routers and VoIP Telephones to update firmware

34 TFTP Enumeration Countermeasures Wrap it to restrict access Using a tool such as TCP Wrappers TCP Wrappers is like a software firewall, only allowing certain clients to access a service Limit access to the /tftpboot directory Make sure it's blocked at the border firewall

35 Finger, TCP/UDP 79 Shows users on local or remote systems, if enabled Useful for social engineering Countermeasure: block remote access to finger

36 Enumerating HTTP, TCP 80 Grab banners with netcat or telnet Crawl Web sites with Sam Spade

37 Grendel-Scan Crawls sites and reports on vulnerabilities In BackTrack Very slow

38

39 HTTP Enumeration Countermeasures Change the banner on your web servers URLScan for IIS v 4 and later

Download ppt "Enumeration. Definition Scanning identifies live hosts and running services Enumeration probes the identified services more fully for known weaknesses."

Similar presentations

Hacking Exposed 7 Network Security Secrets & Solutions

Hacking Exposed 7 Network Security Secrets & Solutions
System Security Scanning and Discovery Chapter 14.

System Security Scanning and Discovery Chapter 14.
Forces that Have Brought the world to it’s knees over the centuries.

Forces that Have Brought the world to it’s knees over the centuries.
Vulnerability Analysis Borrowed from the CLICS group.

Vulnerability Analysis Borrowed from the CLICS group.
1 Configuring Web services (Week 15, Monday 4/17/2006) © Abdou Illia, Spring 2006.

1 Configuring Web services (Week 15, Monday 4/17/2006) © Abdou Illia, Spring 2006.
The Internet Useful Definitions and Concepts About the Internet.

The Internet Useful Definitions and Concepts About the Internet.
Intruder Trends Tom Longstaff CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 Sponsored by.

Intruder Trends Tom Longstaff CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Sponsored by.
How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.

How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.
Enumeration. Local IP addresses Local IP addresses (review)  Some special IP addresses  localhost 127.0.0.1 (loopback address)  Internal networks 

Enumeration. Local IP addresses Local IP addresses (review)  Some special IP addresses  localhost (loopback address)  Internal networks 
CS 497C – Introduction to UNIX Lecture 35: - TCP/IP Networking Tools Chin-Chih Chang

CS 497C – Introduction to UNIX Lecture 35: - TCP/IP Networking Tools Chin-Chih Chang
COEN 252: Computer Forensics Router Investigation.

COEN 252: Computer Forensics Router Investigation.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Application Layer Functionality and Protocols Network Fundamentals – Chapter.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Application Layer Functionality and Protocols Network Fundamentals – Chapter.
Network Security1 – Chapter 3 – Device Security (B) Security of major devices: How to protect the device against attacks aimed at compromising the device.

Network Security1 – Chapter 3 – Device Security (B) Security of major devices: How to protect the device against attacks aimed at compromising the device.
1 Advanced Application and Web Filtering. 2 Common security attacks Finding a way into the network Exploiting software bugs, buffer overflows Denial of.

1 Advanced Application and Web Filtering. 2 Common security attacks Finding a way into the network Exploiting software bugs, buffer overflows Denial of.
Reconnaissance & Enumeration Baseline, Monitor, Detect, Analyze, Respond, & Recover Hervey Allen Chris Evans Phil Regnauld September 3 – 4, 2009 Santiago,

Reconnaissance & Enumeration Baseline, Monitor, Detect, Analyze, Respond, & Recover Hervey Allen Chris Evans Phil Regnauld September 3 – 4, 2009 Santiago,
2440: 141 Web Site Administration Remote Web Server Access Tools Instructor: Enoch E. Damson.

2440: 141 Web Site Administration Remote Web Server Access Tools Instructor: Enoch E. Damson.
Directory and File Transfer Services Chapter 7. Learning Objectives Explain benefits offered by centralized enterprise directory services such as LDAP.

Directory and File Transfer Services Chapter 7. Learning Objectives Explain benefits offered by centralized enterprise directory services such as LDAP.
1 Infrastructure Hardening. 2 Objectives Why hardening infrastructure is important? Hardening Operating Systems, Network and Applications.

1 Infrastructure Hardening. 2 Objectives Why hardening infrastructure is important? Hardening Operating Systems, Network and Applications.
Computation for Physics 計算物理概論 Introduction to Linux.

Computation for Physics 計算物理概論 Introduction to Linux.
Chapter 3 Enumeration Last modified 8-30-12.

Chapter 3 Enumeration Last modified

Similar presentations

Ads by Google