After completing this chapter, you will be able to:
• Describe the enumeration step of security testing
• Enumerate Windows OS targets
• Enumerate *nix OS targets
Hands-On Ethical Hacking and Network Defense, 3rd Edition

Introduction to Enumeration
• Enumeration extracts information about:
  – Resources or shares on the network
  – Network topology and architecture
  – Usernames or groups assigned on the network
  – Information about users and recent logon times
• Port scanning and footprinting
  – Used to determine what OS is used
• Enumeration is more intrusive
  – Attempting to access a resource, not just identify it
Introduction to Enumeration
• NBTscan (NetBIOS over TCP/IP)
  – Tool for enumerating Windows OSs
  – Part of the Kali Linux suite of security tools
Enumerating Windows Operating Systems
• To understand how an attacker might gain access to resources or shares on a Windows network
  – This section takes a brief look at Windows OSs
• This chapter focuses on Windows OS
  – As it relates to enumeration
  – Very little information can be enumerated from Windows systems after Windows 7
NetBIOS Basics
• Network Basic Input Output System (NetBIOS)
  – Programming interface
  – Allows computer communication over a LAN
  – Most Windows OSs use it to share files and printers
    • Requires Server Message Block (SMB)
• NetBIOS names
  – Computer names on Windows systems
  – Limit of 16 characters
  – Last character identifies type of service running
  – Must be unique on a network
NetBIOS Basics
• You do not need to memorize all these suffixes
  – But note that some identify the computer or server being enumerated as a stand-alone computer or domain controller
  – Hackers often exert more effort to attack domain controllers
    • These systems store more information, including logon names for user accounts and network resources
NetBIOS Null Sessions
• Null session
  – Unauthenticated connection to a Windows computer
  – Does not use logon and password values
• Many enumeration tools establish a null session to gather information such as logon accounts, group membership, and file shares
• Around for over a decade
  – Still present on Windows XP
  – Disabled by default in Windows Server 2003
  – Not available in Windows Vista and Server 2008
NetBIOS Enumeration Tools
• Nbtstat command
  – Powerful enumeration tool
  – Included with Windows
  – Displays NetBIOS table
• To display the NetBIOS table, type
  – nbtstat -a IPaddress
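As an added example (not from the textbook), a small Python parser for the name table that nbtstat -a prints, tied to the suffix discussion above: from the <00>, <20>, <1C> and <1B> registrations it tells a stand-alone or member machine from a domain controller or the PDC, which is what a tester reads off the table by hand. The column layout assumed for nbtstat output and the sample table are constructed, not a real capture.

```python
import re

# Well-known NetBIOS name suffixes (the 16th byte), the subset needed here.
SUFFIXES = {
    (0x00, "UNIQUE"): "Workstation Service",
    (0x00, "GROUP"): "Domain/Workgroup name",
    (0x1B, "UNIQUE"): "Domain Master Browser (PDC)",
    (0x1C, "GROUP"): "Domain Controllers group",
    (0x20, "UNIQUE"): "File Server Service",
}

# One row of the name table printed by "nbtstat -a" (layout assumed), e.g.
#   SERVER1        <20>  UNIQUE      Registered
ROW = re.compile(r"^\s*(\S{1,15})\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\w+)")

def parse_nbtstat(text):
    """Return (name, suffix, type, status) tuples, one per table row."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            name, suffix, kind, status = m.groups()
            rows.append((name, int(suffix, 16), kind, status))
    return rows

def classify_host(rows):
    """Summarise what the registered names reveal about the host."""
    regs = [r for r in rows if r[3] == "Registered"]
    host = next((n for n, s, k, _ in regs if s == 0x00 and k == "UNIQUE"), None)
    domain = next((n for n, s, k, _ in regs if s == 0x00 and k == "GROUP"), None)
    # DOMAIN<1C> is registered only by domain controllers; DOMAIN<1B> by the PDC.
    is_dc = any(s == 0x1C and k == "GROUP" for _, s, k, _ in regs)
    is_pdc = any(s == 0x1B and k == "UNIQUE" for _, s, k, _ in regs)
    role = "PDC" if is_pdc else "domain controller" if is_dc else "stand-alone or member"
    services = sorted({SUFFIXES.get((s, k), "unknown <%02X>" % s) for _, s, k, _ in regs})
    return {"host": host, "domain": domain, "role": role, "services": services}

# Constructed sample (not a real capture) in nbtstat -a output format.
SAMPLE = """\
   Name               Type         Status
---------------------------------------------
DC01           <00>  UNIQUE      Registered
CORP           <00>  GROUP       Registered
CORP           <1C>  GROUP       Registered
DC01           <20>  UNIQUE      Registered
CORP           <1B>  UNIQUE      Registered
MAC Address = 00-00-00-00-00-00
"""
```

Running classify_host(parse_nbtstat(SAMPLE)) reports host DC01 in domain CORP with the role PDC; a table carrying only <00> and <20> names classifies as stand-alone or member.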
NetBIOS Enumeration Tools
• Another built-in Windows tool is the net view command
  – Shows shared resources on a network host
  – To see syntax for this command, type
    • net view ?
NetBIOS Enumeration Tools
• You can also use the IP address or hostname of computers you discovered with port-scanning tools
NetBIOS Enumeration Tools
• Although you can download or buy enumeration tools
  – You should learn how to take advantage of the tools available in Windows
  – A simple command-line utility can give you the name of a logged-on user
    • User’s password can then be guessed in order to gain access to a system
Additional Enumeration Tools
• DumpSec
  – Enumeration tool for Windows systems
  – Produced by Foundstone, Inc.
• Allows user to connect to a server and “dump”:
  – Permissions for shares
  – Permissions for printers
  – Permissions for the Registry
  – Users in column or table format
  – Policies
  – Rights and services
Additional Enumeration Tools
• Hyena
  – Excellent GUI product for managing and securing Windows OSs
• Shows shares and user logon names for Windows servers and domain controllers
• Displays graphical representation of:
  – Microsoft Terminal Services
  – Microsoft Windows Network
  – Web Client Network
  – Find User/Group
Additional Enumeration Tools
• Nessus and OpenVAS (aka Greenbone Security Assistant)
  – OpenVAS (GSA)
    • Operates in client/server mode
    • Open-source descendant of Nessus
  – Popular tool for identifying vulnerabilities
  – Nessus Server and Client
    • Latest version can run on Windows, Mac OS X, FreeBSD, and most Linux distributions
    • Handy when enumerating different OSs on a large network
      – Many servers in different locations
Additional Enumeration Tools
• The next several figures show Nessus in action
• This figure shows six NetBIOS names Nessus has gathered
Additional Enumeration Tools
• Nessus indicates a security problem: the EMPPASSWORDS share can be accessed
Additional Enumeration Tools
• Nessus is helpful in identifying the OS and service pack running on a computer
Enumerating *nix Operating Systems
• Several variations of UNIX
  – Solaris and OpenSolaris
  – HP-UX
  – Mac OS X and OpenDarwin, based on FreeBSD
  – AIX
  – BSD UNIX
  – FreeBSD
  – OpenBSD
  – NetBSD
  – Linux, including several distributions
*nix Enumeration
• Simple Network Management Protocol (SNMP)
  – A network management service for network administrators that enables remote administration
  – Can run on both Windows and *nix
• This section focuses on *nix
• SNMP is useful for administrators who want to see:
  – System statistics
  – Version numbers
  – Other detailed host information remotely
• SNMP is also useful for hackers
*nix Enumeration
• SNMPWalk
  – A tool useful in enumerating hosts running SNMP with the default configuration
  – If attackers know the processor architecture and detailed version number of the remote OS
    • They will have an easier time finding exploits that will be successful
• The SNMP daemon (snmpd) listens on UDP port 161
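An added example, not from the textbook: a Python audit of a net-snmp snmpd.conf that flags the "default configuration" conditions SNMPWalk relies on (default community strings, communities answered for any source address, read-write communities) and shows an SNMPv3-only configuration that passes. Directive syntax follows net-snmp's snmpd.conf; both configurations are constructed samples and the passphrases are placeholders.

```python
# Directives in a net-snmp snmpd.conf that grant SNMPv1/v2c community access:
#   rocommunity COMMUNITY [SOURCE [OID | -V VIEW]]     (rwcommunity: read-write)
#   com2sec     SECNAME   SOURCE COMMUNITY
DEFAULT_COMMUNITIES = {"public", "private"}
ANY_SOURCE = {"", "default", "0.0.0.0/0", "::/0"}  # no SOURCE means any host

def audit_snmpd(conf):
    """Return (line_no, finding) pairs for community settings an snmpwalk with defaults would read."""
    findings = []
    for no, raw in enumerate(conf.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive in ("rocommunity", "rwcommunity") and len(parts) >= 2:
            community = parts[1]
            source = parts[2] if len(parts) > 2 else ""
        elif directive == "com2sec" and len(parts) >= 4:
            source, community = parts[2], parts[3]
        else:
            continue  # SNMPv3 (rouser/createUser) and other directives are not community grants
        if community in DEFAULT_COMMUNITIES:
            findings.append((no, f"default community '{community}'"))
        if source in ANY_SOURCE:
            findings.append((no, f"{directive} accepts requests from any source"))
        if directive == "rwcommunity":
            findings.append((no, "read-write community exposes SET; use SNMPv3 rouser instead"))
    return findings

# Constructed sample of an out-of-the-box style configuration (not from a real host).
WEAK_CONF = """\
rocommunity public
rwcommunity private 10.0.0.0/8
com2sec readonly default public
"""

# Constructed hardened equivalent: SNMPv3 only, authPriv, read-only, system subtree only.
# The passphrases are placeholders.
HARDENED_CONF = """\
createUser monitor SHA "PLACEHOLDER-AUTH-PASS" AES "PLACEHOLDER-PRIV-PASS"
rouser monitor priv -V systemonly
view systemonly included .1.3.6.1.2.1.1
"""
```

audit_snmpd(WEAK_CONF) returns six findings (two per line); audit_snmpd(HARDENED_CONF) returns none.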
*nix Enumeration
• Nessus is also helpful in *nix enumeration
*nix Enumeration
• Nmap script scanning can also help an attacker gain information about remote *nix hosts
*nix Enumeration
• Finger utility
  – An older but sometimes useful enumeration tool for security testers and hackers
  – Enables you to find out who is logged in to a *nix system
  – The Finger daemon (fingerd) listens on TCP port 79
Summary
• Enumeration
  – Process of extracting information
    • User names
    • Passwords
    • Shared resources
• Enumeration can give an attacker insight into
  – Sensitive areas of a network
  – Systems running old software
  – Misconfigurations that the attacker can take advantage of
Summary
• Tools for enumerating Windows targets
  – Nbtstat
  – Net view
  – Net use
  – Other utilities
• Tools for enumerating *nix systems
  – Nessus
  – OpenVAS
• SNMP can be used to enumerate both *nix and Windows hosts running the SNMP service/daemon