
Hacking Module 04

May 29, 2018

Transcript
  • 8/9/2019 Hacking Module 04

    1/31

    NMCSP2008 Batch-I

    Module IV

    Enumeration


    Scenario

    It was a rainy day and Jack was getting bored sitting at home. He wanted to be engaged in something rather than gazing at the sky. Jack had heard about enumerating user accounts and other important system information using Null Sessions. He wanted to try what he had learned in his information security class. From his friends he had come to know that the university website had a flaw that allowed anonymous users to log in.

    Jack installed an application which used Null Sessions to enumerate systems. He tried out the application and to his surprise discovered information about the system where the webserver was hosted.

    What started in good fun became very serious. Jack started having some devilish thoughts after seeing the vulnerability.

    What can Jack do with the gathered information?

    Can he wreak havoc?

    What if Jack had enumerated a vulnerable system meant for online trading?


    Module Objectives

    Understanding Windows 2000 enumeration

    How to connect via a Null session

    How to disguise NetBIOS enumeration

    Disguise using SNMP enumeration

    How to steal Windows 2000 DNS information using zone transfers

    Learn to enumerate users via CIFS/SMB

    Active Directory enumerations


    Module Flow

    What is enumeration?

    Null Sessions

    Tools used

    Countermeasures against Null Sessions

    SNMP Enumeration

    Tools used

    SNMP Enumeration Countermeasures

    MIB

    Zone Transfers

    Blocking Zone Transfers

    Enumerating User Accounts

    Tools Used

    Active Directory Enumeration

    Active Directory Enumeration Countermeasures


    What is Enumeration

    If acquisition and non-intrusive probing have not turned up any results, then an attacker will next turn to identifying valid user accounts or poorly protected resource shares. Enumeration involves active connections to systems and directed queries.

    The type of information enumerated by intruders:

    Network resources and shares

    Users and groups

    Applications and banners


    Net Bios Null Sessions

    The null session is often referred to as the Holy Grail of Windows hacking. Null sessions take advantage of flaws in CIFS/SMB (Common Internet File System/Server Message Block).

    You can establish a Null Session with a Windows (NT/2000/XP) host by logging on with a null username and password.

    Using these null connections allows you to gather the following information from the host:

    List of users and groups

    List of machines

    List of shares

    Users and host SIDs (Security Identifiers)


    So What's the Big Deal?

    Anyone with a NetBIOS connection to a computer can easily get a full dump of all usernames, groups, shares, permissions, policies, services and more using the Null user.

    C:\>net use \\192.34.34.2\IPC$ "" /u:""

    The above syntax connects to the hidden Inter Process Communication 'share' (IPC$) at IP address 192.34.34.2 as the built-in anonymous user (/u:"") with a null ("") password.

    The attacker now has a channel over which to attempt various techniques.

    The CIFS/SMB and NetBIOS standards in Windows 2000 include APIs that return rich information about a machine via TCP port 139 - even to unauthenticated users.


    Tool: DumpSec

    DumpSec reveals shares over a null session with the target computer.


    Tool: Winfo

    Winfo uses null sessions to remotely retrieve information about the target system.

    Winfo gives detailed information about the following in verbose mode:

    System information

    Domain information

    Password policy

    Logout policy

    Sessions

    Logged in users

    User accounts

    Source: http://ntsecurity.nu/toolbox/winfo/


    Tool: NAT

    The NetBIOS Auditing Tool (NAT) is designed to explore the NetBIOS file-sharing services offered by the target system.

    It implements a stepwise approach to information gathering and attempts to obtain file system-level access as though it were a legitimate local client.

    If a NetBIOS session can be established at all via TCP port 139, the target is declared "vulnerable".

    Once the session is fully set up, transactions are performed to collect more information about the server, including any file system "shares" it offers.

    Source: http://www.rhino9.com


    Null Session Countermeasure

    Null sessions require access to TCP ports 139 and/or 445.

    You could also disable SMB services entirely on individual hosts by unbinding the TCP/IP WINS Client from the interface.

    Edit the registry to restrict the anonymous user.

    1. Open regedt32 and navigate to HKLM\SYSTEM\CurrentControlSet\Control\Lsa

    2. Choose Edit | Add Value

    Value Name: RestrictAnonymous

    Data Type: REG_DWORD

    Value: 2
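Added example (not code from the module): a Python audit of the LSA values behind this countermeasure. It assumes the key lives at the standard HKLM\SYSTEM\CurrentControlSet\Control\Lsa path, also checks the later RestrictAnonymousSAM and EveryoneIncludesAnonymous values (Windows XP/2003 and up, not on the slide), and uses constructed sample values on non-Windows hosts.

```python
"""Added example: audit the LSA registry values that control anonymous
(null session) access. The check is a pure function so it can run against
values exported from any host; the live read uses winreg on Windows."""
import sys

# Assumed standard location of the key; the slide abbreviates the path.
LSA_KEY = r"SYSTEM\CurrentControlSet\Control\Lsa"

# Value name -> (predicate on the REG_DWORD, what a failure means).
# RestrictAnonymous=2 is the Windows 2000 setting the slide recommends; the
# other two values were added in Windows XP/2003 and are checked as well.
CHECKS = {
    "RestrictAnonymous": (lambda v: v >= 2, "anonymous SAM/share enumeration allowed"),
    "RestrictAnonymousSAM": (lambda v: v == 1, "anonymous SAM account enumeration allowed"),
    "EveryoneIncludesAnonymous": (lambda v: v == 0, "anonymous is a member of Everyone"),
}


def audit_anonymous_restrictions(values):
    """Return findings for a dict of {value_name: REG_DWORD}.
    A missing value is the insecure default, 0 (anonymous unrestricted)."""
    findings = []
    for name, (is_safe, meaning) in CHECKS.items():
        actual = int(values.get(name, 0))
        if not is_safe(actual):
            findings.append(f"{name}={actual}: {meaning}")
    return findings


def read_live_values():
    """Read the checked values from the local registry (Windows only)."""
    import winreg  # stdlib, but only importable on Windows
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, LSA_KEY) as key:
        for name in CHECKS:
            try:
                values[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                pass  # absent value -> treated as 0 by the audit
    return values


if __name__ == "__main__":
    # Constructed sample for non-Windows hosts: a machine never hardened.
    sample = {"RestrictAnonymous": 0, "EveryoneIncludesAnonymous": 1}
    values = read_live_values() if sys.platform == "win32" else sample
    for finding in audit_anonymous_restrictions(values) or ["no findings"]:
        print(finding)
```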


    NetBIOS Enumeration

    NBTscan is a program for scanning IP networks for NetBIOS name information. For each responding host it lists the IP address, NetBIOS computer name, logged-in user name and MAC address.

    The first thing a remote attacker will try on a Windows 2000 network is to get a list of hosts attached to the wire:

    1. net view /domain

    2. nbtstat -A <IP address>


    SNMP Enumeration

    SNMP is simple. Managers send requests to agents and the agents send back replies.

    The requests and replies refer to variables accessible by agent software.

    Managers can also send requests to set values for certain variables.

    Traps let the manager know that something significant has happened at the agent's end of things: a reboot, an interface failure, or something else that is potentially bad.

    Enumerating NT users via the SNMP protocol is easy using snmputil.


    Tool: Solarwinds

    It is a set of Network Management Tools.

    The tool set consists of the following:

    Discovery

    Cisco Tools

    Ping Tools

    Address Management

    Monitoring

    MIB Browser

    Security

    Miscellaneous

    Source: http://www.solarwinds.net/


    Tool: Enum

    Available for download from http://razor.bindview.com

    Enum is a console-based Win32 information enumeration utility. Using null sessions, enum can retrieve user lists, machine lists, share lists, name lists, group and membership lists, and password and LSA policy information.

    enum is also capable of a rudimentary brute force dictionary attack on individual accounts.


    SNMPutil example


    SNMP Enumeration Countermeasures

    The simplest way to prevent such activity is to remove the SNMP agent or turn off the SNMP service.

    If shutting off SNMP is not an option, then change the default 'public' community name.

    Implement the Group Policy security option called "Additional restrictions for anonymous connections".

    Access to null session pipes and null session shares should also be restricted, and IPSec filtering applied.


    Management Information Base

    MIB provides a standard representation of the SNMP agent's available information and where it is stored.

    MIB is the most basic element of network management.

    MIB-II is the updated version of the standard MIB.

    MIB-II adds new SYNTAX types and more manageable objects to the MIB tree.
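Added example serving both the SNMP request/reply description and this MIB slide; it is not code from the module. It hand-encodes an SNMPv1 GetRequest for the MIB-II object sysDescr.0 (OID 1.3.6.1.2.1.1.1.0) and reads the community name back out of the bytes, which shows why the default 'public' community is all a tool such as snmputil needs. Nothing is sent on the network.

```python
"""Added example: encode an SNMPv1 GetRequest for MIB-II sysDescr.0 and
parse the community name back out of the bytes. The community string,
'public' by default, is the only credential and travels in cleartext."""
SYS_DESCR_0 = "1.3.6.1.2.1.1.1.0"  # MIB-II system.sysDescr.0


def tlv(tag, payload):
    """BER tag-length-value; short-form length (< 128 bytes) suffices here."""
    return bytes([tag, len(payload)]) + payload


def encode_int(n):
    """Non-negative INTEGER: minimal big-endian, 0x00 prefix if the MSB is set."""
    b = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return tlv(0x02, (b"\x00" if b[0] & 0x80 else b"") + b)


def encode_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                # low 7 bits, no continuation bit
        while arc > 0x7F:
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7F))
        out += chunk
    return tlv(0x06, bytes(out))


def snmpv1_get_request(community, oid, request_id=1):
    """Message ::= SEQUENCE { version INTEGER(0), community OCTET STRING, PDU }."""
    varbind = tlv(0x30, encode_oid(oid) + tlv(0x05, b""))      # { oid, NULL }
    pdu = tlv(0xA0, encode_int(request_id) + encode_int(0) + encode_int(0)
              + tlv(0x30, varbind))    # GetRequest: id, error-status, error-index
    return tlv(0x30, encode_int(0) + tlv(0x04, community.encode()) + pdu)


def read_tlv(buf, pos=0):
    """Decode one short-form TLV at pos -> (tag, value_bytes, next_pos)."""
    tag, n = buf[pos], buf[pos + 1]
    return tag, buf[pos + 2:pos + 2 + n], pos + 2 + n


def community_of(msg):
    """Return (version, community) from an SNMPv1/v2c message off the wire."""
    _, body, _ = read_tlv(msg)          # outer SEQUENCE
    _, ver, pos = read_tlv(body)        # INTEGER version (0 = v1, 1 = v2c)
    _, comm, _ = read_tlv(body, pos)    # OCTET STRING community
    return int.from_bytes(ver, "big"), comm.decode()
```

A packet capture filter that flags community_of(msg) == "public" on UDP/161 is the detection counterpart of the countermeasure on the previous slide.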


    Windows 2000 DNS Zone transfer

    For clients to locate Windows 2000 domain services, such as AD and Kerberos, Windows 2000 relies on DNS SRV records.

    A simple zone transfer (nslookup, ls -d) can enumerate a lot of interesting network information.

    An attacker would look at the following records closely:

    1. Global Catalog Service (_gc._tcp)

    2. Domain Controllers (_ldap._tcp)

    3. Kerberos Authentication (_kerberos._tcp)


    Blocking Win 2k DNS Zone transfer

    Zone transfers can be easily blocked using the DNS property sheet, as shown on the slide.


    Enumerating User Accounts

    Two powerful NT/2000 enumeration tools are:

    1. sid2user

    2. user2sid

    They can be downloaded from www.chem.msu.su/~rudnyi/NT/

    These are command line tools that look up NT SIDs from username input and vice versa.
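Added example, not part of the module: a Python SID parser showing the structure that sid2user and user2sid translate between. The well-known RID table is assumed from Windows documentation and the domain SIDs used to exercise it are constructed; the defender's point is that RID 500 identifies the built-in Administrator even after the account has been renamed.

```python
"""Added example: parse a Windows SID string, convert it to and from the
binary form the LSA lookup APIs consume, and classify its RID. The RID is
fixed for life, so the built-in Administrator stays RID 500 when renamed."""
import struct

# Well-known relative identifiers (RIDs); assumed from the Windows SID spec.
WELL_KNOWN_RIDS = {
    500: "Administrator", 501: "Guest", 502: "krbtgt",
    512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests",
}


def parse_sid(sid):
    """'S-1-5-21-a-b-c-500' -> (revision, identifier authority, [sub-authorities])."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID string: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or not 0 <= authority < 2**48 or len(subs) > 15:
        raise ValueError(f"SID out of range: {sid!r}")
    return revision, authority, subs


def sid_to_bytes(sid):
    """Binary SID: revision (1 byte), sub-authority count (1 byte),
    authority (6 bytes big-endian), then each sub-authority as LE uint32."""
    revision, authority, subs = parse_sid(sid)
    head = bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
    return head + b"".join(struct.pack("<I", s) for s in subs)


def sid_from_bytes(raw):
    """Inverse of sid_to_bytes, e.g. for SIDs pulled from event logs."""
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack(f"<{count}I", raw[8:8 + 4 * count])
    return "S-" + "-".join(str(x) for x in (revision, authority, *subs))


def classify_rid(sid):
    """Split a SID into (domain/machine SID, RID, well-known name or None)."""
    _, _, subs = parse_sid(sid)
    rid = subs[-1]
    return sid.rsplit("-", 1)[0], rid, WELL_KNOWN_RIDS.get(rid)
```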


    Tool: Userinfo

    UserInfo is a little function that retrieves all available information about any known user from any NT/Win2k system that you can access TCP port 139 on.

    Specifically, by calling the NetUserGetInfo API at Level 3, Userinfo returns standard info like:

    SID and Primary group

    logon restrictions and smart card requirements

    special group information

    pw expiration information and pw age

    This application works as a null user, even if the RA (RestrictAnonymous) is set to 1 to specifically deny anonymous enumeration.


    Tool: GetAcct

    GetAcct sidesteps "RestrictAnonymous=1" and acquires account information on Windows NT/2000 machines.

    Downloadable from www.securityfriday.com


    Tool: DumpReg

    DumpReg is a tool to dump the Windows NT and Windows 95 Registry.

    Its main aim is to find keys and values matching a string.

    Source: http://www.systemtools.com/


    Tool: Trout

    Trout is a combination of Traceroute and Whois.

    Pinging can be set to a controllable rate.

    The Whois lookup can be used to identify the hosts discovered.

    Source: http://www.foundstone.com/


    Tool: Winfingerprint

    Winfingerprint is a GUI-based tool that has the option of scanning a single host or a continuous network block.

    It has two main windows:

    IP address range

    Windows options

    Source: http://winfingerprint.sourceforge.net


    Tool: PsTools

    The PsTools suite falls in between enumeration and full system access.

    The various tools that are present in this suite are as follows:

    PsFile

    PsLoggedOn

    PsGetSid

    PsInfo

    PsService

    PsList

    PsKill and PsSuspend

    PsLogList

    PsExec

    PsShutdown

    Source: http://www.sysinternals.com


    Active Directory Enumeration

    All the existing users and groups could be enumerated with a simple LDAP query.

    The only thing required to perform this enumeration is to create an authenticated session via LDAP.

    Connect to any AD server using ldp.exe on port 389.

    Authentication can be done using Guest or any domain account.

    Now all the users and built-in groups could be enumerated.


    AD Enumeration countermeasures

    How is this possible with a simple guest account?

    The Win 2k dcpromo installation screen asks the user whether he wants to relax access permissions on the directory to allow legacy servers to perform lookups:

    1. Permissions compatible with pre-Windows 2000 servers

    2. Permissions compatible only with Windows 2000 servers

    Choose option 2 during AD installation.


    Summary

    Enumeration involves active connections to systems and directed queries.

    The type of information enumerated by intruders includes network resources and shares, users and groups, and applications and banners.

    Null sessions are often used by crackers to connect to target systems.

    NetBIOS and SNMP enumerations can be disguised using tools such as snmputil, NAT, etc.

    Tools such as user2sid, sid2user and userinfo can be used to identify vulnerable user accounts.