How does it differ from footprinting and scanning? – Footprinting did not necessarily attempt to...
-
Upload
buddy-barber -
Category
Documents
-
view
218 -
download
0
Transcript of How does it differ from footprinting and scanning? – Footprinting did not necessarily attempt to...
![Page 2: How does it differ from footprinting and scanning? – Footprinting did not necessarily attempt to access the target system(s) directly – Scanning involved.](https://reader035.fdocuments.net/reader035/viewer/2022062516/56649db15503460f94aa07f0/html5/thumbnails/2.jpg)
How does it differ from footprinting and scanning?– Footprinting did not necessarily attempt to access the
target system(s) directly– Scanning involved transient contact– Enumeration involves establishing connections and
directed queries
Information typically gathered– User account names (for password attacks)– Misconfigured shared resources– Software version and patch state (for known
vulnerabilities)
Detailed examination of target systemsPlatform specific – how you interact depends on target
service/system
What is Enumeration?
![Page 3: How does it differ from footprinting and scanning? – Footprinting did not necessarily attempt to access the target system(s) directly – Scanning involved.](https://reader035.fdocuments.net/reader035/viewer/2022062516/56649db15503460f94aa07f0/html5/thumbnails/3.jpg)
Service Fingerprinting
Automated method– Easy to use, use likely to increase– Generates a lot of traffic – likely to be noticed– Takes significant time
Nmap Version Scanning– Popularity=9; Simplicity=8; Impact=3; Risk Rating=7– Use -sV switch– Can find “hidden” services (use same port as other service)
Amap Version Scanning (thc.org/thc-amap/)– Popularity=9; Simplicity=8; Impact=3; Risk Rating=7– Older than nmap– Uses different patterns, so gives a second opinion
![Page 4: How does it differ from footprinting and scanning? – Footprinting did not necessarily attempt to access the target system(s) directly – Scanning involved.](https://reader035.fdocuments.net/reader035/viewer/2022062516/56649db15503460f94aa07f0/html5/thumbnails/4.jpg)
Automated VS tools – Use when stealth not required– Know defender is not monitoring– Moving too fast to care
Countermeasures– Keep system patched– Do your own scans – IDS – detect (pretty noisy)– IPS – prevent (slow down attacks to discourage, delay
attacker)
Vulnerability Scanners - 1
![Page 5: How does it differ from footprinting and scanning? – Footprinting did not necessarily attempt to access the target system(s) directly – Scanning involved.](https://reader035.fdocuments.net/reader035/viewer/2022062516/56649db15503460f94aa07f0/html5/thumbnails/5.jpg)
Nessus Scanning (nessus.org/products/nessus)Popularity=9; Simplicity=9; Impact=6; Risk Rating=8– Easy to use GUI– Kept up to date– Optimized performance– Client ported to iPhone and Android– Extendable with user-developed custom plug-ins– Nessus Attack Scripting Language (NASL)– Open source version OpenVAS (openvas.org) is free
Vulnerability Scanners - 2
![Page 6: How does it differ from footprinting and scanning? – Footprinting did not necessarily attempt to access the target system(s) directly – Scanning involved.](https://reader035.fdocuments.net/reader035/viewer/2022062516/56649db15503460f94aa07f0/html5/thumbnails/6.jpg)
Nmap Scanning Engine (NSE) Scanning Popularity=7; Simplicity=6; Impact=5; Risk Rating=6– Extendable with user-developed scripts– Lua interpreted language– Intended for specific probing– - - script or -sC options to run scripts
Vulnerability Scanners - 3
![Page 7: How does it differ from footprinting and scanning? – Footprinting did not necessarily attempt to access the target system(s) directly – Scanning involved.](https://reader035.fdocuments.net/reader035/viewer/2022062516/56649db15503460f94aa07f0/html5/thumbnails/7.jpg)
Popularity=5; Simplicity=9; Impact=1; Risk Rating=5
telnet – Ascii-based interactive session client– Can use to connect to many servers (ASCII-based)
netcat– “TCP/IP Swiss army knife”– Allows file input for tedious probes
Countermeasures– Shut down unnecessary services– Restrict access to services– Disable banner display (vendor dependent)– Do your own checks
Basic Banner Grabbing
![Page 8: How does it differ from footprinting and scanning? – Footprinting did not necessarily attempt to access the target system(s) directly – Scanning involved.](https://reader035.fdocuments.net/reader035/viewer/2022062516/56649db15503460f94aa07f0/html5/thumbnails/8.jpg)
- FTP- Telnet- SMTP- DNS- TFTP- Finger- HTTP- MSRPC- NetBIOS Name Service- SMB Null Session
Common Network Services - 1
![Page 9: How does it differ from footprinting and scanning? – Footprinting did not necessarily attempt to access the target system(s) directly – Scanning involved.](https://reader035.fdocuments.net/reader035/viewer/2022062516/56649db15503460f94aa07f0/html5/thumbnails/9.jpg)
- SNMP- BGP- Active Directory LDAP- Unix RPC- rwho, rusers- NIS- SQL Resolution Service- Oracle TNS- NFS- IPSec/IKE
Common Network Services - 2
![Page 10: How does it differ from footprinting and scanning? – Footprinting did not necessarily attempt to access the target system(s) directly – Scanning involved.](https://reader035.fdocuments.net/reader035/viewer/2022062516/56649db15503460f94aa07f0/html5/thumbnails/10.jpg)
Popularity=1; Simplicity=10; Impact=1; Risk Rating=4
- File Transfer Protocol – TCP port 21– Less used now– Allows upload of (malicious) files– Often allows anonymous access using any email
address– Get banner– Determine access
- Countermeasures– Turn off – Secure FTP (SFTP) uses SSH– FTP Secure (FTPS) uses SSL– HTTP for public information access
FTP Enumeration
![Page 11: How does it differ from footprinting and scanning? – Footprinting did not necessarily attempt to access the target system(s) directly – Scanning involved.](https://reader035.fdocuments.net/reader035/viewer/2022062516/56649db15503460f94aa07f0/html5/thumbnails/11.jpg)
Popularity=4; Simplicity=9; Impact=3; Risk Rating=5
Telnet TCP 23– Used for remote access– Transmits data in cleartext– Often displays host system info– Even if it doesn't, the prompt may reveal system– May be used for attacking accounts if lockout not used– May reveal valid usernames from login attempts
Countermeasures– Turn off– Use secure shell (SSH) instead– Modify banner messages– Modify error messages– Account locking/drop connection on login failure
Telnet Enumeration
![Page 12: How does it differ from footprinting and scanning? – Footprinting did not necessarily attempt to access the target system(s) directly – Scanning involved.](https://reader035.fdocuments.net/reader035/viewer/2022062516/56649db15503460f94aa07f0/html5/thumbnails/12.jpg)
Popularity=5; Simplicity=9; Impact=1; Risk Rating=5
Simple Mail Transport Protocol – TCP 25– Used universally for email transfer– ASCII protocol for requests/replies– VRFY – verify user names – EXPN – provide actual delivery email address of alias– vrfy.pl script allows a file containing a list of user
names to be tested and valid user names reportedCountermeasures
– Configure to turn off VRFY and EXPN, or– Configure to require authentication/privileges to use
them
SMTP Enumeration
![Page 13: How does it differ from footprinting and scanning? – Footprinting did not necessarily attempt to access the target system(s) directly – Scanning involved.](https://reader035.fdocuments.net/reader035/viewer/2022062516/56649db15503460f94aa07f0/html5/thumbnails/13.jpg)
Popularity=5; Simplicity=9; Impact=2; Risk Rating=5
Domain Name Service (DNS) – TCP/UDP 53– Used for footprinting already– UDP used for most interactions– TCP for zone transfers– Zone transfer dumps entire contents of zone files
• HINFO, hostname-IP mappings
– SRV records allow search by service type– Nslookup, dig to access– BIND (Berkeley Internet Name Domain)
enumeration• Reveals BIND version• Often allows zone transfer
DNS Enumeration - 1
![Page 14: How does it differ from footprinting and scanning? – Footprinting did not necessarily attempt to access the target system(s) directly – Scanning involved.](https://reader035.fdocuments.net/reader035/viewer/2022062516/56649db15503460f94aa07f0/html5/thumbnails/14.jpg)
Domain Name Service (DNS) – DNS Cache snooping
• DNS servers cache responses to recent queries• Attacker can force server to only use cache
– +norecurse option in dig
• Find recent accesses (or not) to particular FQDN• Answer flag set to 0 if not, 1 if recent access
– Automated DNS Enumeration• Dnsenum (code.google.com/p/dnsenum/)• Fierce.pl (ha.ckers.org/fierce)• Web services for same (e.g., centralops.net)
Countermeasures– Two DNS servers – one for public, one for private
use– Block DNS zone transfers except to authorized
hosts– Block version.bind requests– Disable DNS cache-snooping
DNS Enumeration - 2
![Page 15: How does it differ from footprinting and scanning? – Footprinting did not necessarily attempt to access the target system(s) directly – Scanning involved.](https://reader035.fdocuments.net/reader035/viewer/2022062516/56649db15503460f94aa07f0/html5/thumbnails/15.jpg)
Popularity=1; Simplicity=3; Impact=7; Risk Rating=3
Trivial FTP (TFTP) – TCP/UDP 69– Quick-and-dirty FTP– Cleartext, no authentication– Requires knowledge of file name (exactly)– May allow download of sensitive file (e.g., /etc/passwd,
/etc/shadow, network device configuration files, etc.)
Countermeasures– Turn off, if possible– Wrap in TCP wrapper to restrict access– Limit access to /tftpboot/ directory– Block at border firewall
TFTP Enumeration
![Page 16: How does it differ from footprinting and scanning? – Footprinting did not necessarily attempt to access the target system(s) directly – Scanning involved.](https://reader035.fdocuments.net/reader035/viewer/2022062516/56649db15503460f94aa07f0/html5/thumbnails/16.jpg)
Popularity=7; Simplicity=10; Impact=1; Risk Rating=6
Finger – TCP/UDP 79– Reveals logged-in users, idle times– User info given from public file info
Countermeasures– Turn off– Block port 79– Restrict access– Restrict info given
Finger Enumeration
![Page 17: How does it differ from footprinting and scanning? – Footprinting did not necessarily attempt to access the target system(s) directly – Scanning involved.](https://reader035.fdocuments.net/reader035/viewer/2022062516/56649db15503460f94aa07f0/html5/thumbnails/17.jpg)
Popularity=5; Simplicity=9; Impact=1; Risk Rating=5
Hypertext Transfer Protocol (HTTP) – TCP 80– Get type and version of web server– HEAD can get banner info
• But so popular with worms it can trigger IDS
– If server uses SSL, use openssl or sll proxy to connect– Can download all web pages for offline search
• Grendel-scan• Robots.txt file for “do not search” regions....
Countermeasures– Change banner– Microsoft IIS lockdown tool
HTTP Enumeration
![Page 18: How does it differ from footprinting and scanning? – Footprinting did not necessarily attempt to access the target system(s) directly – Scanning involved.](https://reader035.fdocuments.net/reader035/viewer/2022062516/56649db15503460f94aa07f0/html5/thumbnails/18.jpg)
Popularity=7; Simplicity=8; Impact=1; Risk Rating=5
Microsoft Remote Procedure Call (MSRPC) – TCP 135– RPC portmapper for windows– Gives list of services with version and IP/protocol/port
info– Winfingerprint tool (sourceforge)– See hsc.fr/ressources/articles/win_net_srv
Countermeasures– Restrict outside access– Require use of VPN for external access– Use OWA (Outlook Web Access) for remote mail access
MSRPC Enumeration
![Page 19: How does it differ from footprinting and scanning? – Footprinting did not necessarily attempt to access the target system(s) directly – Scanning involved.](https://reader035.fdocuments.net/reader035/viewer/2022062516/56649db15503460f94aa07f0/html5/thumbnails/19.jpg)
Popularity=7; Simplicity=5; Impact=3; Risk Rating=5
NetBIOS Name Service (NBNS) – UDP 137– Early windows version of DNS– net view command
• Usually only works on local LAN segment• /domain for domains• /domain:dname for hosts on specific domain (dname)
– nltest tool – identifies domain controllers (with auth creds)
– netviewx tool – lists servers with specific services– nbstat, nbtscan – dump netbios name table, with users– nmbscan tool for Linux
Countermeasures– Restrict access on hosts, routers (test – may break
apps)– Disable Alerter and Messenger Service on hosts
NBNS Enumeration
![Page 20: How does it differ from footprinting and scanning? – Footprinting did not necessarily attempt to access the target system(s) directly – Scanning involved.](https://reader035.fdocuments.net/reader035/viewer/2022062516/56649db15503460f94aa07f0/html5/thumbnails/20.jpg)
Popularity=8; Simplicity=10; Impact=8; Risk Rating=9
Server Message Block (SMB) Null Session – TCP 139/445– Windows NT and descendents – file and print
sharing– Samba in Linux– Can give remote access to attacker– a.k.a. Red Button, anonymous login, null session
connection
SMB Null Session Enumeration
![Page 21: How does it differ from footprinting and scanning? – Footprinting did not necessarily attempt to access the target system(s) directly – Scanning involved.](https://reader035.fdocuments.net/reader035/viewer/2022062516/56649db15503460f94aa07f0/html5/thumbnails/21.jpg)
Establish “null session”– C:\>net use \\192.168.202.33\IPC$ “” /u:“”– Similar to mount network drive command– Connects to hidden IPC share at given IP as built-in
anonymous user (/u:“”) with null password (“”)– Allows access to targeted host
Enumerating File Shares– C:\>net view \\host– Shows IP address and shares on remote systems– Srvcheck, srvinfo (microsoft.com/downloads/...)– DumpSec (nee DumpAcl) – SomarSoft.com– Wholesale approach – for sysadmin (not hacker)
• ShareEnum (SysInternal)• Networkscanner (SoftPerfect)
SMB Null Session (2)
![Page 22: How does it differ from footprinting and scanning? – Footprinting did not necessarily attempt to access the target system(s) directly – Scanning involved.](https://reader035.fdocuments.net/reader035/viewer/2022062516/56649db15503460f94aa07f0/html5/thumbnails/22.jpg)
Share Scanning wholesale for hackers– Includes password brute-forcing (may be intelligent)– Legion– NetBIOS Auditing Tool (NAT) (see
hackingexposed.com)
Registry Enumeration– Registry holds keys indicating applications installed– Also holds user info– and services– and holds configuration info (e.g., lockout number for
failed password attempts)– Also may hold pointers to back doors– All of which can suggest exploits– Check if Registry is locked down using reg
SMB Null Session (3)
![Page 23: How does it differ from footprinting and scanning? – Footprinting did not necessarily attempt to access the target system(s) directly – Scanning involved.](https://reader035.fdocuments.net/reader035/viewer/2022062516/56649db15503460f94aa07f0/html5/thumbnails/23.jpg)
Enumerating Trusted Domains– Nltest /server:server_name /trusted_domains
User Enumeration– DumpSec
• List of users, groups, system policies, user rights
– Following work with RestrictAnonymous=1, with null session
– UserInfo/UserDump (hammerofgod.com)– GetAcct (securityFriday.com)– sid2user & user2sid (evgenii.rudnyi.ru/soft/sid/sid.txt)
• SID is security ID – variable length value set at install• See also
http://en.wikipedia.org/wiki/Security_Identifier • User IDs (and much more) based on SID
SMB Null Session (4)
![Page 24: How does it differ from footprinting and scanning? – Footprinting did not necessarily attempt to access the target system(s) directly – Scanning involved.](https://reader035.fdocuments.net/reader035/viewer/2022062516/56649db15503460f94aa07f0/html5/thumbnails/24.jpg)
SIDs– C:\>user2sid \\targetIP “domain users”– Returns SID of host (hyphenated, S-1-...)– Digits following last hyphen is Relative ID (RID)– RID predefined for built-in users and groups
• 500=admin• 501=guest
– RID for users starts at 1000 for NT and increments• RID not reused => can see users past and present
All-in-one tools– Cain & Abel (oxid.it/cain.html)– Winfingerprint (sourceforge.net) – also Active Directory, WMI– NBTEnum (try on packetstorm) – includes intelligent BF
attack– enum (BindView, Symantec). Enum4linux (Portcullis Security)– NetE (cult of the dead cow)– Winfo (ntsecurity.nu)
SMB Null Session (5)
![Page 25: How does it differ from footprinting and scanning? – Footprinting did not necessarily attempt to access the target system(s) directly – Scanning involved.](https://reader035.fdocuments.net/reader035/viewer/2022062516/56649db15503460f94aa07f0/html5/thumbnails/25.jpg)
Popularity=8; Simplicity=10; Impact=8; Risk Rating=9
Countermeasures– Filter TCP/UDP ports 139 & 445 at perimeter– Self audit– Unbind WINS Client, or– Set RestrictAnonymous key (=0 is open, =1 can be
bypassed, =2 means no null sessions possible) in NT
– More granular access control in later Windows versions
– HKLM\System\CurrentControlSet\Control\SecurePipeServer\Winreg and subkeys (e.g., AllowedPaths)
SMB Null Session (6)
![Page 26: How does it differ from footprinting and scanning? – Footprinting did not necessarily attempt to access the target system(s) directly – Scanning involved.](https://reader035.fdocuments.net/reader035/viewer/2022062516/56649db15503460f94aa07f0/html5/thumbnails/26.jpg)
Popularity=7; Simplicity=9; Impact=3; Risk Rating=6
Simple Network Management Protocol – UDP 161– “Security Not My Problem” - lacks strong protections– Password authentication – well-known default pw– Access to get and set MIBs (mgt info bases)– Vendor specific extensions to MIBs– Uses ASN.1 syntax for object IDs (OIDs)
SNMP Enumeration
![Page 27: How does it differ from footprinting and scanning? – Footprinting did not necessarily attempt to access the target system(s) directly – Scanning involved.](https://reader035.fdocuments.net/reader035/viewer/2022062516/56649db15503460f94aa07f0/html5/thumbnails/27.jpg)
Tools– Snmputil, snmpget, snmpwalk commandline tools– Snmpget (linux/unix) in net-snmp suite at SourceForge– Copy-router-config.pl (muts)– IP Network Browser – GUI tool (solarwinds.com)
Targets– Running services– Share names– Share paths– Comments on shares– Usernames– Domain name– Architecture, OS version
SNMP Enumeration (2)
![Page 28: How does it differ from footprinting and scanning? – Footprinting did not necessarily attempt to access the target system(s) directly – Scanning involved.](https://reader035.fdocuments.net/reader035/viewer/2022062516/56649db15503460f94aa07f0/html5/thumbnails/28.jpg)
SNMP Scanners– Simple, light-weight => perfect for automated scanning– SNScan
(mcafee.com/us/downloads/free-tools/snscan.aspx)• Community and range to scan (or in file)• Hostname and (MIB version of) OS version• Csv file export
– onesixtyone (portcullis-security.com/16.php)• Command line version of SNScan
Countermeasures– Remove or disable SNMP agents on hosts– Use obscure community names (e.g., NOT “public” or
“private”)– Block port 161 at all perimeter network access devices– Restrict access to specific IP addresses– Use SNMPv3 (more secure)– Set Registry to permit only authorized access
SNMP Enumeration (3)
![Page 29: How does it differ from footprinting and scanning? – Footprinting did not necessarily attempt to access the target system(s) directly – Scanning involved.](https://reader035.fdocuments.net/reader035/viewer/2022062516/56649db15503460f94aa07f0/html5/thumbnails/29.jpg)
Popularity=2; Simplicity=6; Impact=2; Risk Rating=3
Border Gateway Protocol (BGP) – TCP 179– Interdomain routing protocol– Determine Autonomous Systems Number (ASN) of
target– Query routers to get all networks where AS Path ends
with desired ASN– Only uses IP addresses and ASNs
• Get ASN from whois search (if name known)• Get ASN from router using IP address (if known)
– Use telnet to router – show ASN path– Use last ASN on list as target ASN– May be false if BGP not used!!!
Countermeasures - none
BGP Enumeration
![Page 30: How does it differ from footprinting and scanning? – Footprinting did not necessarily attempt to access the target system(s) directly – Scanning involved.](https://reader035.fdocuments.net/reader035/viewer/2022062516/56649db15503460f94aa07f0/html5/thumbnails/30.jpg)
Refferenceslides (c) 2012 by Richard Newman
based on Hacking Exposed 7 by McClure, Scambray, and Kurtz