chapter 6 enumeration

SCSC 555Frank Li

Introduction to Enumeration Enumerate Microsoft OS Enumerate *NIX OS Enumerate NetWare OS (skip)

2

Enumeration extracts information about:◦ Resources or shares on the network◦ User names or groups assigned on the network◦ Last time user logged on◦ User’s password

Enumeration is more intrusive than passive port scanning◦ First need to determine OS of the target host

By Port scanning and footprinting◦ E.g. NBT (NetBIOS over TCP/IP) is the tool for

enumerating Microsoft OSs

3

Using enumeration tool nbtscan◦ Use nbtscan command to scan a range of IP

addresses ◦ Example: nbtscan 192.168.0.0./24

4

Introduction to Enumeration Enumerate Microsoft OS Enumerate *NIX OS

5

Study OS history◦ Knowing your target makes your job easier◦ Many attacks that work for older Windows OSs

still work with newer versions

6

7

8

Network Basic Input Output System (NetBIOS)◦ Is a MS programming interface◦ Allows computer communication over a LAN◦ Used to share files and printers

NetBIOS names are computer names assigned to Windows systems◦ Must be unique on a network◦ Limit of 16 characters◦ The last character (suffix) is reserved for identifies

type of service running next page

9

10

11

One of the biggest vulnerabilities of NetBIOS system -- NetBIOS Null session◦ Is unauthenticated connection to a Windows

computer Does not use logon and passwords values

Attackers use enumeration tool to establish a null session ◦ to gather logon accounts, group membership, and

file shares from target hosts

12

NetBIOS NULL sessions are enabled by default in Windows NT and 2000.

Windows XP and 2003 will allow anonymous enumeration of shared network resources, but not accounts.

13

For the most part if the appropriate ports are accessible a NULL session is possible.

14

Port Protocol Description

135 TCP Location Service (RPC endpoint mapping)

135 UDP Location Service (RPC endpoint mapping)

137 TCP NETBIOS Name Service

137 UDP NETBIOS Name Service

138 TCP NETBIOS Datagram Service

138 UDP NETBIOS Datagram Service

139 TCP NETBIOS Session Service

139 UDP NETBIOS Session Service

445 TCP SMB/CIFS

Use IP address obtained when port scanning to perform a NetBIOS enumeration

NetBIOS Enumeration Tools◦ Nbtstat◦ Net view◦ Net use◦ NetScanTools Pro◦ DumpSec◦ Hyena◦ NessusWX◦ Enum◦ Hunt

15

Nbtstat command◦ Powerful enumeration tool included with the Microsoft OS◦ Displays NetBIOS table◦ E.g., Nbstat –a salesrep

16

Net view command◦ Shows whether there are any shared

resources on a network host E.g., net view \\192.168.0.106

17

Net use command◦ Used to connect to a computer with shared

folders or files◦ view the information about current computer

connections. ◦ also can controls persistent network connections.

E.g., To assign the disk-drive device name E: to the Letters shared directory on the \\Fin server, type: net use e: \\fin\letters

18

NetScanTools Pro produces a graphical view of NetBIOS running on a network◦ Enumerates any shares running on the computer◦ Verifies whether access is available for shared

resource using its Universal Naming Convention (UNC) name

◦ Example: figure 6-10, 6-11 the \\SALEsMGR\SharedDocs comment entry is blank.

to see whether access is available, an attacker enters the UNC \\SALEsMGR\SharedDocs in the Run dialog ox in Windows

19

DumpSechttp://www.systemtools.com/cgi-in/download.pl?DumpAcl

Produced by Foundstone, Inc. Allows user to connect to a server and “dump”

the following information◦ Permissions for shares◦ Permissions for printers◦ Permissions for the Registry◦ Users in column or table format◦ Policies and rights◦ Services

20

Hyena is GUI product for managing and securing Microsoft OSs◦ Shows shares and user logon names for

Windows servers and domain controllers◦ Displays graphical representation of:

Microsoft Terminal Services Microsoft Windows Network Web Client Network Find User/Group

21

NessusWX allows enumeration of different OSs on a large network

Running NessusWX1. Nessus server is up and running2. Open the NessusWX client application3. To connect your NessusWX client with the

Nessus server1. Click Communications, Connect from the menu on

the session window2. Enter server’s name3. Log on the Nessus server

22

23

24

Enum http://www.bindview.com/Services/RAZOR/Utilities/Windows/enum_readme.cfm

one of the best tools for exploiting the NULL session vulnerability

allowing you to exploits every aspect of this flaw. ◦ the ability to enumerate users, ◦ and then try to brute force the password using a supplied

password list.

25

Hunt http://www.foundstone.com/resources/freetools/hunt.zip

Part of the NT Forensic Toolkit from Foundstone,

this tool makes it very easy to enumerate users and shares from a vulnerable windows host, and is the most accurate

26

Nessus identifies ◦ NetBIOS names in use◦ Shared resources◦ Password information

27

28

29

30

Nessus also identifies:◦ OS and service pack◦ OS vulnerabilities◦ Firewall vulnerabilities

31

32

33

34

Introduction to Enumeration Enumerate Microsoft OS Enumerate *NIX OS

35

variations of Unix◦ Solaris◦ SunOS◦ HP-UX◦ Linux◦ Ultrix◦ AIX◦ BSD UNIX◦ FreeBSD◦ OpenBSD

36

Finger utility◦ Is the most popular tool for security testers◦ Finds out who is logged in to a *NIX system◦ Determine owner of any process

Nessus can also be used for *NIX enumeration

37

E.g., # finger -b -p james

display the following information about the user james.Login name, Computer Hope on since Feb 11 23:37:16 on pts/7 from domain.computerhope.com28 seconds Idle TimeUnread mail since Mon Feb 12 00:22:52 2001

38