Objective Enumeration takes port scanning to the next level. Now that you know how to discover live systems on a network, the next steps are finding what.

2 Objective
Enumeration takes port scanning to the next level. Now that you know how to discover live systems on a network, the next steps are finding what resources are shared on the systems, discovering logon accounts and passwords, and gaining access to network resources.

3 Actions
Enumeration involves connecting to a system, not just identifying that a system is present on a network. The tester attempts to retrieve information and gain access to servers by using company employees’ logon accounts. Knowledge of operating systems and how they store information can be helpful in enumeration.

4 Introduction to Enumeration
We have seen how to perform a zone transfer using the Dig command and how to discover which computers are live on a network. The next step in security testing is enumeration, the process of extracting the following information from a network:
- Resources or shares on the network
- Usernames or groups assigned on the network
- Users’ passwords and recent logon times

5 Technique
To determine what resources or shares are on a network, you must first use port scanning and footprinting to determine the OS. If it is a Windows OS, use Windows-specific tools to view resources. Enumeration goes beyond passive scanning of a network for open ports; for example, it sometimes entails guessing passwords after determining a username.

6 Windows 95
The first Microsoft GUI product that didn’t rely on DOS, Windows 95 was the beginning of plug and play and the ActiveX standard used in all Windows versions today. A major enhancement was the Registry, a database storing information about the system’s hardware and software. It used the FAT16 file system; the OSR2 release added FAT32.

7 Windows 98 and Me
Windows 98 brought an improved file system (FAT32), new hardware support, and better backup and recovery tools. The enumeration process for Windows Me is the same as for Windows 98.

8 Windows NT 3.51 Server
Created with security and enhancement of network functionality in mind, NT 3.51 emphasized domains instead of workgroups and used the client/server model instead of peer-to-peer networks; the server was responsible for authenticating users and giving them access to network resources. NTFS replaced FAT16 and FAT32 because of the difficulty of incorporating security in those file systems. NTFS included file-level security features not possible in FAT.

9 Windows NT 4.0 Server
These upgrades to Windows NT 3.51 had improved GUIs and performance.

10 Windows 2000 Server/Professional
Replaced the Registry with Active Directory for object storage. Active Directory was more scalable and used Lightweight Directory Access Protocol (LDAP), so larger network infrastructures could be supported. Enumeration of these OSs includes enumerating Active Directory.

11 Windows XP Professional
Security improvements included making kernel data structures read-only to stop rogue applications from affecting the OS core, and Windows File Protection was added to prevent overwriting core system files. XP also introduced Data Execution Prevention (DEP) and a firewall that’s enabled by default. The default-on firewall fixed a security exposure caused by vulnerable running services that hackers often use for buffer overflow attacks, and it made it more difficult to exploit Windows service vulnerabilities and to enumerate shares and services.

12 Windows Server 2003
Shipped with Internet Information Services (IIS) and came in four editions. Features include Remote Desktop, load balancing, VPN support, EFS, management services (such as Windows Management Instrumentation [WMI]), and .NET application services.

13 Windows Vista
Introduced User Account Control (UAC), which allows running Vista in nonprivileged mode to prevent unwanted code or user actions from damaging or controlling the computer (maliciously or inadvertently). Vista also added built-in full drive encryption, called BitLocker.

14 Windows Server 2008
Includes BitLocker drive encryption and UAC, as well as Network Access Protection (NAP), which reduces the possibility of rogue systems being able to access network resources and so reduces the “attack surface.” Hyper-V, a full-featured virtualization product, is included with Windows Server 2008 and allows installing guest OSs, such as Linux and other Windows versions.

15 Windows 7
Added Windows XP Mode (XPM), which allows running older applications in a virtual Windows XP environment. However, XPM requires late-model processors that support virtualization extensions, and upgrading to Windows 7 from XP requires a complete reinstallation.

16 NetBIOS Basics
NetBIOS is a Windows programming interface that allows computers to communicate across a local area network (LAN). Most Windows OSs use NetBIOS to share files and printers. NetBIOS listens on UDP ports 137 (NetBIOS Name service) and 138 (NetBIOS Datagram service) and TCP port 139 (NetBIOS Session service). File and printer sharing in Windows also requires an upper-level service called Server Message Block (SMB), which runs on top of NetBIOS. In Windows 2000 and later, SMB listens on TCP port 445 and doesn’t need to use NetBIOS over TCP/IP unless support for older Windows versions is required.

17 NETBIOS
The computer names you assign to Windows systems are called NetBIOS names and have a limit of 16 characters; the last character is reserved for a hexadecimal number (00 to FF) that identifies the service running on the computer. Therefore, you can use only 15 characters for a computer name, and NetBIOS adds the last character automatically to identify the service that has registered with the OS. For example, if a computer named SALESREP is running the Server service, the OS stores this information in a NetBIOS table. A NetBIOS name must be unique on a network.

18 NETBIOS
Some suffixes correspond to the services, or resource types, running on a computer; others identify the computer or server being enumerated as a stand-alone computer or a domain controller. Domain controllers are valuable because these systems store more information, including logon names for user accounts and network resources.

19 NetBIOS Null Sessions
One of the biggest vulnerabilities of NetBIOS systems is a null session, which is an unauthenticated connection to a Windows computer that uses no logon and password values.

20 NetBIOS Null Sessions
Many of the enumeration tools establish a null session to gather information such as logon accounts, group membership, and file shares from an attacked computer.

21 NetBIOS Null Sessions
This vulnerability has been around for more than a decade and is still present in Windows XP. Null sessions have been disabled by default in Windows Server 2003, although administrators can enable them if they’re needed for some reason. In Windows Vista and Server 2008, null sessions aren’t available and can’t be enabled, even by administrators.
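As an added check that is not part of the slides, the registry values that decide whether a Windows 2000/XP/2003 host still honours null sessions can be audited; the value names and the defaults assumed for absent values are stated in the code, and both sample configurations are constructed:

```python
import sys

# Registry values governing anonymous (null-session) access on Windows 2000/XP/2003.
# Fallbacks used when a value is absent are the XP/2003 defaults (an assumption).
LSA_PATH = r"SYSTEM\CurrentControlSet\Control\Lsa"
LANMAN_PATH = r"SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
LSA_NAMES = ["RestrictAnonymous", "RestrictAnonymousSAM", "EveryoneIncludesAnonymous"]
LANMAN_NAMES = ["RestrictNullSessAccess", "NullSessionShares", "NullSessionPipes"]

def assess(lsa, lanman):
    """Return findings for settings that leave null sessions usable (lsa/lanman: name -> data)."""
    findings = []
    if lsa.get("RestrictAnonymous", 0) < 1:
        findings.append("RestrictAnonymous=0: anonymous users may enumerate shares")
    if lsa.get("RestrictAnonymousSAM", 1) != 1:
        findings.append("RestrictAnonymousSAM=0: anonymous users may enumerate SAM accounts")
    if lsa.get("EveryoneIncludesAnonymous", 0) != 0:
        findings.append("EveryoneIncludesAnonymous=1: anonymous logons get Everyone's permissions")
    if lanman.get("RestrictNullSessAccess", 1) != 1:
        findings.append("RestrictNullSessAccess=0: shares and pipes are reachable anonymously")
    for name in ("NullSessionShares", "NullSessionPipes"):
        exposed = [x for x in lanman.get(name, []) if x]
        if exposed:
            findings.append(f"{name} grants anonymous access to: {', '.join(exposed)}")
    return findings

def read_key(path, names):
    """Read the named values under HKLM\\<path>; Windows only (stdlib winreg)."""
    import winreg
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        for name in names:
            try:
                values[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                pass  # value absent: the OS default applies
    return values

# Constructed sample configurations, not read from any real host.
WEAK = ({"RestrictAnonymous": 0, "EveryoneIncludesAnonymous": 1},
        {"NullSessionShares": ["COMCFG", "DFS$", "EMPPASSWORDS"]})
HARDENED = ({"RestrictAnonymous": 1, "RestrictAnonymousSAM": 1, "EveryoneIncludesAnonymous": 0},
            {"RestrictNullSessAccess": 1, "NullSessionShares": [], "NullSessionPipes": []})

if __name__ == "__main__":
    lsa, lanman = (read_key(LSA_PATH, LSA_NAMES), read_key(LANMAN_PATH, LANMAN_NAMES)) if sys.platform == "win32" else WEAK
    print("\n".join(assess(lsa, lanman) or ["no null-session exposures found"]))
```

Run on a Windows host it reads the live values; elsewhere it evaluates the constructed weak sample.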

22 NetBIOS Enumeration Tools
The Nbtstat command is a powerful enumeration tool included with Windows. To display the NetBIOS table of a remote computer, issue the command nbtstat -a IPaddress (a NetBIOS computer name can be given in place of the IP address, as in the next slide).

23

    C:\Documents and Settings>nbtstat -a salesrep

    Local Area Connection:
    Node IpAddress: [192.168.0.100] Scope Id: []

               NetBIOS Remote Machine Name Table

           Name               Type         Status
        ----------------------------------------------
        SALESREP             UNIQUE      Registered
        ZIONBANK             GROUP       Registered
        ZIONBANK             UNIQUE      Registered
        SALESREP             UNIQUE      Registered
        ZIONBANK             GROUP       Registered
        INet~Services        GROUP       Registered
        ZIONBANK             UNIQUE      Registered
        IS~SALESREP....      UNIQUE      Registered
        ..__MSBROWSE__.      GROUP       Registered
        ADMINISTRATOR        UNIQUE      Registered

        MAC Address = 00-50-DA-63-EB-BE

    C:\Documents and Settings>

24 NetBIOS Enumeration Tools
Look at the SALESREP entry with the 20 suffix. The 20 represents the Server service running on the SALESREP computer. The NetBIOS table also shows that ZIONBANK is a domain controller, as indicated by the 1C suffix, and even reveals the logged-on user’s name: Administrator.
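An added example, not from the slides: a small parser that reads an nbtstat -a table and applies the suffix rules above to pull out the hosts running the Server service, the domain controller and the logged-on user. The sample table is constructed after the slide’s output with the <xx> suffix column restored, and the suffix meanings come from the standard NetBIOS suffix list.

```python
import re

# Meaning of the common NetBIOS suffixes, keyed by (suffix, name type).
SUFFIXES = {
    ("00", "UNIQUE"): "Workstation service (computer name)",
    ("00", "GROUP"): "Domain or workgroup name",
    ("03", "UNIQUE"): "Messenger service (computer or logged-on user)",
    ("20", "UNIQUE"): "Server service (file and printer sharing)",
    ("1C", "GROUP"): "Domain controllers",
}

# One table row: up to 15 name characters, the <xx> suffix, UNIQUE/GROUP, status.
ROW = re.compile(r"^\s*(?P<name>.{1,15}?)\s*<(?P<suffix>[0-9A-Fa-f]{2})>\s+"
                 r"(?P<kind>UNIQUE|GROUP)\s+Registered\s*$")

def parse_table(text):
    """Parse nbtstat -a output into (name, suffix, kind, meaning) tuples; header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            suffix, kind = m["suffix"].upper(), m["kind"]
            meaning = SUFFIXES.get((suffix, kind), "unknown / other service")
            entries.append((m["name"], suffix, kind, meaning))
    return entries

def summarize(entries):
    """Derive what the slide reads off the table: Server-service hosts, the DC, the logged-on user."""
    computers = {n for n, s, k, _ in entries if (s, k) == ("00", "UNIQUE")}
    return {
        "file_servers": {n for n, s, k, _ in entries if (s, k) == ("20", "UNIQUE")},
        "domain_controllers": {n for n, s, k, _ in entries if (s, k) == ("1C", "GROUP")},
        # A <03> name that is not also a computer name is the logged-on user.
        "logged_on_users": {n for n, s, _, _ in entries if s == "03"} - computers,
    }

# Constructed sample modelled on the slide's table, with the <xx> column restored.
SAMPLE = """\
   Name               Type         Status
SALESREP       <00>  UNIQUE      Registered
ZIONBANK       <00>  GROUP       Registered
SALESREP       <20>  UNIQUE      Registered
ZIONBANK       <1C>  GROUP       Registered
SALESREP       <03>  UNIQUE      Registered
ADMINISTRATOR  <03>  UNIQUE      Registered
..__MSBROWSE__.<01>  GROUP       Registered
"""

if __name__ == "__main__":
    print(summarize(parse_table(SAMPLE)))
```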

25 Net View Tools
Another built-in Windows tool is the Net view command, which gives a quick way to see whether there are any shared resources on a computer or server. To see the syntax for this command, type net view ? at the command prompt.

26

    C:\Documents and Settings>net view
    Server Name            Remark
    ------------------------------------------------------------------------------------
    \\SAMBA                Manager
    \\SECURITYTESTER
    \\SERVER               server
    The command completed successfully.

    C:\Documents and Settings>net view ?
    The syntax of this command is:

    NET VIEW [\\computername [/CACHE] | /DOMAIN[:domainname]]
    NET VIEW /NETWORK:NW [\\computername]

    C:\Documents and Settings>

27
You can also use the IP address of computers you discovered with port-scanning tools. The next slide shows the command used on a remote Windows 98 computer; a share named EMPPASSWORDS is retrieved. The next command an attacker could use against this computer is \\192.168.0.106\emppasswords to retrieve user passwords.

28

    C:\Documents and Settings>net view \\192.168.0.106
    Shared resources at \\192.168.0.106

    MTS CONSULTING

    Share name    Type   Used as   Comment
    ----------------------------------------------------------------------------------
    CDDRU         Disk
    EMPPASSWORDS  Disk
    WIN98-SYSTEM  Disk
    The command completed successfully.

    C:\Documents and Settings>

29 Windows Enumeration Tools
A simple command-line utility can give you the name of a logged-on user, and a guess of that user’s password can give you access to the system quickly. Many password-cracking programs can determine a password in a matter of seconds.

30 Password Crackers
The Department of Defense uses one called L0phtcrack (www.l0phtcrack.com/download.html). However, security testers can often guess passwords without needing a special program because some users are careless when creating passwords. For example, many users, despite guidelines in company security policies, use simple passwords, such as “password” or “p@$$w0rd.”

31 Additional Enumeration Tools
Several built-in Windows tools can assist you in enumerating NetBIOS systems. DumpSec, a popular enumeration tool for Windows systems, is produced by Foundstone, Inc., and can be downloaded from www.systemtools.com. The information you can gather with this tool is astonishing. For example, after connecting to a Windows server, you can download (or, as it’s called in DumpSec, “dump”) the following information:
- Permissions for shares
- Permissions for printers
- Permissions for the Registry
- Users in column or table format
- Policies (such as local, domain, and group policies)
- Rights
- Services

32 More Tools
Hyena, available at www.systemtools.com, is an excellent GUI tool for managing and securing Windows OSs. The interface is easy to use and gives security professionals a wealth of information. With just a click, you can look at the shares and user logon names for Windows servers and domain controllers. If any domains or workgroups are on the network, this tool displays them, too.

33 Nessus and OpenVAS
Both are very popular; Nessus can be downloaded for personal use.

34 Nessus and OpenVAS
This tool can come in handy when you need to enumerate different OSs on a large network and have many servers in different locations. For example, you can use a laptop running Windows XP and Nessus Client to connect to any Nessus server running the same version.

35 Enumerating the NetWare OS
Many security professionals assume that knowledge of just one OS is enough, but focusing on Windows and ignoring *nix systems, or vice versa, is not acceptable. Similarly, some security professionals see Novell NetWare as a “dead” OS, but many corporations still rely on their faithful NetWare servers that keep plugging away.

36 Enumerating the *nix OS
- Solaris (Sun Microsystems) and OpenSolaris
- HP-UX (Hewlett-Packard)
- Mac OS X and OpenDarwin, based on FreeBSD
- AIX (IBM)
- BSD UNIX (University of California at Berkeley)
- FreeBSD (BSD-based UNIX, developed by contributors)
- OpenBSD (BSD-based UNIX, developed by contributors)
- NetBSD (BSD-based UNIX, developed by contributors)
- Linux, including the following distributions:
  - Ubuntu (Debian based, sponsored by Canonical)
  - Red Hat Enterprise Linux (released commercially by Red Hat)

37 UNIX Enumeration
Finger is a simple but still popular enumeration tool for both security testers and hackers; it enables you to find out who’s logged in to a *nix system with one simple command. The Finger daemon (fingerd) listens on TCP port 79. If you have any experience with UNIX, you might have used Finger to determine who was running a process that seemed to take over the OS, such as creating an endless loop or causing other processes to freeze. Before stopping the process, an administrator might want to find its owner and contact him or her to find out what’s running and prevent the problem from happening again. Nessus is also helpful in *nix enumeration.

38 Activity
Time Required: 30 minutes
Objective: Learn to use the Finger command on local and remote *nix systems.
Description: In this activity, you use the Finger command to enumerate your computer and see how this powerful command can gather information from a remote system.
1. If necessary, boot your computer into Linux with the BackTrack files, and then type startx at the command prompt and press Enter.
2. Open a Konsole shell, type man finger, and press Enter. Read through the manual, using the spacebar to scroll through the document. Press Ctrl+Z to exit when you’re finished.
3. Type finger root and press Enter. Note that the output displays the logon name, the directory in which the root account is currently located, the shell being used, and the date the root account logged on to the system.
4. To find out whether a remote *nix server is running fingerd, type finger @example.edu and press Enter (substituting a real domain name for example). Figure 6.23 shows sample output of trying this command. Follow hints that fingerd provides, such as how to further narrow your query.
5. You can experiment with different remote addresses, but several prestigious universities, such as MIT, Harvey Mudd, and Carnegie Mellon, still have fingerd listening on systems as of this writing.
Figure 6.23: Using the Finger command on a remote system (Courtesy Course Technology/Cengage Learning)
6. Do an Internet search for other .edu domains, as suggested in Step 5, to come up with some Web servers and hostnames you can use, and try using the Finger command with them. Do any respond to Finger queries? If so, are any users logged on?
7. Use the Finger command with the e-mail address of someone at a different university. Do you get any response?
8. To find out who the person is behind an account name, use the information the Finger command provided, and do an Internet search. What information about this person’s professional background did you find?
9. Take a few minutes to review any other accounts the Finger command revealed. Identifying the account logon names on a system can be damaging to the owner or administrator. What other information did the Finger command supply that an attacker could use? Give specific examples.
10. When you’re finished, close all open windows.
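As an added illustration that is not part of the activity, the finger exchange itself: a client that sends the RFC 1288 query line over TCP port 79, plus a constructed stand-in daemon so the exchange runs offline. It makes plain that fingerd hands out account details before any authentication takes place, which is why the service is normally left disabled today; the reply text and account name are constructed.

```python
import socket
import threading

def finger_query(host, user="", port=79, timeout=5.0):
    """Send one finger request (RFC 1288): the query line plus CRLF, then read
    until the daemon closes the connection. No credentials are involved."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(user.encode("ascii") + b"\r\n")
        chunks = []
        while data := s.recv(4096):
            chunks.append(data)
    return b"".join(chunks).decode("ascii", "replace")

# Constructed stand-in for fingerd. The reply mimics the fields the lab says
# "finger root" shows (logon name, directory, shell, last logon); real fingerd
# output varies by implementation.
FAKE_ACCOUNTS = {
    "root": "Login: root\t\t\tName: root\r\nDirectory: /root\t\tShell: /bin/bash\r\n"
            "Last login Tue Mar  3 09:12 (UTC) on tty1\r\n",
}

def _serve_one(conn):
    with conn:
        query = conn.makefile("rb").readline().rstrip(b"\r\n").decode("ascii", "replace")
        reply = FAKE_ACCOUNTS.get(query, f"finger: {query}: no such user.\r\n")
        conn.sendall(reply.encode("ascii", "replace"))

def start_mock_fingerd():
    """Serve on an ephemeral loopback port from a daemon thread; returns the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen()
    def loop():
        while True:
            conn, _ = srv.accept()
            _serve_one(conn)
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]

def demo():
    """The lab's "finger root" plus a query for an unknown account, against the mock."""
    port = start_mock_fingerd()
    return {u: finger_query("127.0.0.1", u, port) for u in ("root", "nobody")}

if __name__ == "__main__":
    for user, reply in demo().items():
        print(f"$ finger {user}@127.0.0.1\n{reply}")
```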
