
Hands-On Ethical Hacking and Network Defense, 3rd Edition

Chapter 6
Enumeration
Objectives

After completing this chapter, you will be able to:


• Describe the enumeration step of security testing
• Enumerate Windows OS targets
• Enumerate *nix OS targets

Hands-On Ethical Hacking and Network Defense, 3rd Edition
Introduction to Enumeration
• Enumeration extracts information about:
– Resources or shares on the network
– Network topology and architecture
– Usernames or groups assigned on the network
– Information about users and recent logon times
• Port scanning and footprinting
– Used to determine which OS and services a host is running
• Enumeration is more intrusive
– Attempting to connect to and read from a resource, not just identify that it exists
– Because it touches the target, it is more likely to appear in the target's logs

Introduction to Enumeration
• NBTscan (NetBIOS over TCP/IP)
– Tool for enumerating Windows OSs: sends NetBIOS name-table (node status) queries to UDP port 137 across a range of IP addresses
– Part of the Kali Linux suite of security tools

Enumerating Windows Operating
Systems
• To understand how an attacker might gain access
to resources or shares on a Windows network
– This section takes a brief look at Windows OSs
• This chapter focuses on Windows OSs
– As they relate to enumeration
– Very little can be enumerated without credentials from
Windows versions newer than Windows 7, because anonymous
access is restricted by default

NetBIOS Basics
• Network Basic Input Output System (NetBIOS)
– Programming interface
– Allows computer communication over a LAN
– Most Windows OSs use it to share files and printers
• File and printer sharing uses Server Message Block (SMB),
carried over NetBIOS on TCP port 139 (newer Windows also
speaks SMB directly on TCP port 445)
• NetBIOS names
– Computer names on Windows systems
– 16 bytes long: 15 characters for the name (padded with spaces)
– The 16th byte is a suffix identifying the type of service running
– Must be unique on a network

NetBIOS Basics
• You do not need to memorize all the suffixes in the table shown in the figure
– But note that some identify the computer or server
being enumerated as a stand-alone computer or
domain controller (for example, the <1C> group suffix
is registered by domain controllers)
– Hackers often exert more effort to attack domain
controllers
• These systems store more information, including
logon names for user accounts and network resources

NetBIOS Null Sessions
• Null session
– Unauthenticated connection to a Windows computer,
typically to the IPC$ share
– Does not use logon name and password values (both are empty)
• Many enumeration tools establish a null session to
gather information such as logon accounts, group
membership, and file shares
• Around for over a decade
– Still present on Windows XP
– Disabled by default in Windows Server 2003
– Restricted by default in Windows Vista and Server 2008 and later: the
connection may still succeed, but anonymous enumeration of accounts
and shares is blocked unless an administrator loosens the policy

NetBIOS Enumeration Tools
• Nbtstat command
– Powerful enumeration tool
– Included with Windows
– Displays the NetBIOS name table of a remote machine,
including its MAC address
• To display the NetBIOS table, type
– nbtstat -A IPaddress (uppercase -A takes an IP address;
lowercase -a takes a computer name)
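The NetBIOS name table that nbtstat -A retrieves, and the service suffixes described under NetBIOS Basics, come from a node status query sent to UDP port 137. The Python script below is an added example, not code from the book or from any tool it describes: it builds that request exactly as RFC 1002 specifies, decodes a constructed response from a hypothetical domain controller "DC01" in a hypothetical domain "CORP" (not a real capture), and flags the <1C>/<1B> suffixes that mark a domain controller. The sample names, flags and MAC address are assumptions.

```python
"""NetBIOS node-status query: what `nbtstat -A <ip>` and NBTscan send to UDP/137,
and how the answering name table is decoded (RFC 1001/1002)."""
import socket
import struct

NBNS_PORT = 137
NBSTAT = 0x0021  # node status record type

# Common 16th-byte suffixes keyed by (suffix, is_group_name).
NETBIOS_SUFFIXES = {
    (0x00, False): "Workstation Service",
    (0x00, True): "Domain/Workgroup Name",
    (0x03, False): "Messenger Service",
    (0x1B, False): "Domain Master Browser (PDC)",
    (0x1C, True): "Domain Controllers",
    (0x1D, False): "Master Browser",
    (0x1E, True): "Browser Service Elections",
    (0x20, False): "File Server Service",
}


def encode_netbios_name(name: str, suffix: int, pad: bytes = b" ") -> bytes:
    """First-level encoding: 15 padded name bytes + suffix, each nibble mapped to 'A'..'P'."""
    raw = name.upper().encode("ascii")[:15].ljust(15, pad) + bytes([suffix])
    return bytes(0x41 + nib for b in raw for nib in (b >> 4, b & 0x0F))


def build_node_status_request(txn_id: int = 0x1337) -> bytes:
    """NBSTAT query for the wildcard name '*' (NUL padded, as RFC 1002 requires)."""
    header = struct.pack(">HHHHHH", txn_id, 0x0000, 1, 0, 0, 0)  # 1 question, no answers
    qname = bytes([32]) + encode_netbios_name("*", 0x00, pad=b"\x00") + b"\x00"
    return header + qname + struct.pack(">HH", NBSTAT, 0x0001)   # QTYPE NBSTAT, QCLASS IN


def parse_node_status_response(data: bytes):
    """Return (list of name entries, MAC string) from a node status response."""
    _, flags, _, ancount, _, _ = struct.unpack(">HHHHHH", data[:12])
    if not flags & 0x8000 or ancount < 1:
        raise ValueError("not an NBNS response carrying an answer")
    pos = 12 + 34                                   # skip the 34-byte encoded RR name
    rtype, _, _, _ = struct.unpack(">HHIH", data[pos:pos + 10])  # type, class, TTL, RDLENGTH
    pos += 10
    if rtype != NBSTAT:
        raise ValueError(f"unexpected record type {rtype:#x}")
    num_names, pos = data[pos], pos + 1
    entries = []
    for _ in range(num_names):                      # 18-byte NODE_NAME entries
        raw_name, suffix = data[pos:pos + 15], data[pos + 15]
        name_flags = struct.unpack(">H", data[pos + 16:pos + 18])[0]
        pos += 18
        is_group = bool(name_flags & 0x8000)        # G bit: group vs unique name
        entries.append({
            "name": raw_name.rstrip(b" \x00").decode("latin-1"),
            "suffix": suffix,
            "type": "GROUP" if is_group else "UNIQUE",
            "service": NETBIOS_SUFFIXES.get((suffix, is_group), "unknown"),
        })
    mac = ":".join(f"{b:02X}" for b in data[pos:pos + 6])  # UNIT_ID in the statistics block
    return entries, mac


def looks_like_domain_controller(entries) -> bool:
    """<1C> GROUP or <1B> UNIQUE in the table marks a DC, the target attackers prefer."""
    return any((e["suffix"], e["type"]) in {(0x1C, "GROUP"), (0x1B, "UNIQUE")} for e in entries)


def build_sample_response(txn_id: int = 0x1337) -> bytes:
    """Constructed response from a hypothetical DC 'DC01' in domain 'CORP' (not a real capture)."""
    def entry(name: bytes, suffix: int, flags: int) -> bytes:
        return name.ljust(15, b" ") + bytes([suffix]) + struct.pack(">H", flags)
    names = (entry(b"DC01", 0x00, 0x4400) + entry(b"DC01", 0x20, 0x4400)
             + entry(b"CORP", 0x00, 0xC400) + entry(b"CORP", 0x1C, 0xC400)
             + entry(b"CORP", 0x1B, 0x4400))
    rdata = bytes([5]) + names + bytes.fromhex("000c29112233") + b"\x00" * 40
    header = struct.pack(">HHHHHH", txn_id, 0x8400, 0, 1, 0, 0)  # response, 1 answer
    rr_name = bytes([32]) + encode_netbios_name("*", 0x00, pad=b"\x00") + b"\x00"
    return header + rr_name + struct.pack(">HHIH", NBSTAT, 0x0001, 0, len(rdata)) + rdata


def query_host(ip: str, timeout: float = 2.0):
    """Live query (only against hosts you are authorised to test)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_node_status_request(), (ip, NBNS_PORT))
        data, _ = s.recvfrom(1024)
    return parse_node_status_response(data)


if __name__ == "__main__":
    table, mac = parse_node_status_response(build_sample_response())
    for e in table:
        print(f"{e['name']:<15} <{e['suffix']:02X}>  {e['type']:<6} {e['service']}")
    print("MAC:", mac, "| domain controller:", looks_like_domain_controller(table))
```

Running the script prints the constructed table in the same layout nbtstat uses; swap `build_sample_response()` for `query_host("10.0.0.5")` to run it against a lab host. Defensively, the same packet is what a NetBIOS name-table enumeration looks like on the wire: UDP/137 traffic carrying the "CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" wildcard name is a reliable detection signature.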

NetBIOS Enumeration Tools
• Another built-in Windows tool is the net view
command
– Shows the shared resources on a network host when given that host's name
– To see syntax for this command, type
• net view /?

NetBIOS Enumeration Tools
• You can also use the IP address or hostname of
computers you discovered with port-scanning tools

NetBIOS Enumeration Tools
• Although you can download or buy enumeration
tools
– You should learn how to take advantage of the tools
available in Windows
– A simple command-line utility can give you the name
of a logged-on user
• With a valid username in hand, an attacker can move on to
guessing that user's password to gain access to the system

Additional Enumeration Tools
• DumpSec
– Enumeration tool for Windows systems
– Produced by SomarSoft
• Allows a user to connect to a server and "dump":
– Permissions for shares
– Permissions for printers
– Permissions for the Registry
– Users in column or table format
– Policies
– Rights and services

Additional Enumeration Tools
• Hyena
– Excellent GUI product for managing and securing
Windows OSs
• Shows shares and user logon names for Windows
servers and domain controllers
• Displays graphical representation of:
– Microsoft Terminal Services
– Microsoft Windows Network
– Web Client Network
– Find User/Group

Additional Enumeration Tools
• Nessus and OpenVAS
– OpenVAS
• Open-source fork of Nessus, created when Nessus became
closed source; Greenbone Security Assistant (GSA) is its
web front end
• Operates in client/server mode
– Nessus
• Popular commercial tool for identifying vulnerabilities
• Nessus server and client
• Latest version can run on Windows, Mac OS X,
FreeBSD, and most Linux distributions
• Both are handy when enumerating different OSs on a large
network
– Many servers in different locations
Additional Enumeration Tools
• The next several figures show Nessus in action
• This figure shows six NetBIOS names Nessus has
gathered

Additional Enumeration Tools
• Nessus indicates a security problem: The
EMPPASSWORDS share can be accessed

Additional Enumeration Tools
• Nessus is helpful in identifying the OS and service
pack running on a computer

Enumerating *nix Operating Systems
• Several variations of UNIX
– Solaris and OpenSolaris
– HP-UX
– Mac OS X and OpenDarwin, based on FreeBSD
– AIX
– BSD UNIX
– FreeBSD
– OpenBSD
– NetBSD
– Linux, including several distributions

*nix Enumeration
• Simple Network Management Protocol (SNMP)
– A network management service for network
administrators that enables remote monitoring and administration
– Can run on both Windows and *nix
• This section focuses on *nix
• SNMP is useful for administrators who want to see:
– System statistics
– Version numbers
– Other detailed host information remotely
• SNMP is also useful for hackers: SNMPv1 and v2c protect that
information with nothing more than a plaintext community string,
and many agents are left on the default "public"

*nix Enumeration
• SNMPWalk
– A tool useful in enumerating hosts running SNMP
with the default configuration (for example, the read-only
community string "public"); it walks the MIB tree and
returns every object the agent exposes
– If attackers know the processor architecture and
detailed version number of the remote OS (both are
usually present in the sysDescr object)
• They will have an easier time finding exploits that will
be successful
• The SNMP daemon (snmpd) listens on UDP port
161 (traps are sent to UDP port 162)
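snmpwalk is a loop of SNMP GET/GETNEXT requests, each one authenticated by nothing but the community string. The Python below is an added example, not the book's code or any part of Net-SNMP: it builds one SNMPv1 GET for sysDescr.0 with hand-rolled BER encoding, parses a constructed GetResponse from a hypothetical agent left on the default "public" community, and shows that the OS version and CPU architecture fall out of a single unauthenticated UDP datagram. The sysDescr string and any host address are assumptions.

```python
"""Minimal SNMPv1 GET (the request snmpwalk issues per OID), encoded and decoded by
hand in BER so the whole exchange is visible. sysDescr.0 is the first object an
attacker reads: it usually carries the kernel version and CPU architecture."""
import socket

SYS_DESCR = "1.3.6.1.2.1.1.1.0"
GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2       # context-specific SNMP PDU tags


def ber_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body  # long form: 0x8N then N length bytes


def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(v: int) -> bytes:
    # minimal two's-complement encoding (a leading 0x00 keeps positives positive)
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))


def ber_oid(oid: str) -> bytes:
    parts = [int(p) for p in oid.strip(".").split(".")]
    out = bytearray([parts[0] * 40 + parts[1]])  # first two arcs share one byte
    for p in parts[2:]:                          # base-128, high bit set on all but the last byte
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def build_snmp_get(community: str, oid: str, request_id: int = 1) -> bytes:
    """SNMPv1 (version 0) GetRequest for one OID; the community string is the only 'credential'."""
    varbinds = tlv(0x30, tlv(0x30, ber_oid(oid) + tlv(0x05, b"")))  # value is NULL in a request
    pdu = tlv(GET_REQUEST, ber_int(request_id) + ber_int(0) + ber_int(0) + varbinds)
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode()) + pdu)


def ber_read(data: bytes, pos: int):
    """Return (tag, payload, position after this element)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def decode_oid(payload: bytes) -> str:
    parts, val = [payload[0] // 40, payload[0] % 40], 0
    for b in payload[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))


def parse_snmp_response(data: bytes) -> dict:
    tag, msg, _ = ber_read(data, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, _version, pos = ber_read(msg, 0)
    _, community, pos = ber_read(msg, pos)
    pdu_tag, pdu, _ = ber_read(msg, pos)
    if pdu_tag != GET_RESPONSE:
        raise ValueError(f"unexpected PDU tag {pdu_tag:#x}")
    _, req_id, pos = ber_read(pdu, 0)
    _, err_status, pos = ber_read(pdu, pos)
    _, _err_index, pos = ber_read(pdu, pos)
    _, varbinds, _ = ber_read(pdu, pos)
    values, pos = {}, 0
    while pos < len(varbinds):                   # each varbind is SEQUENCE { OID, value }
        _, vb, pos = ber_read(varbinds, pos)
        _, oid_payload, vpos = ber_read(vb, 0)
        vtag, value, _ = ber_read(vb, vpos)
        values[decode_oid(oid_payload)] = value.decode("latin-1") if vtag == 0x04 else value
    return {"community": community.decode("latin-1"),
            "request_id": int.from_bytes(req_id, "big", signed=True),
            "error_status": int.from_bytes(err_status, "big", signed=True),
            "varbinds": values}


def build_sample_response(request_id: int = 1) -> bytes:
    """Constructed GetResponse from a hypothetical agent on the default 'public' community."""
    descr = b"Linux target 5.15.0-76-generic #83-Ubuntu SMP x86_64"   # assumed sysDescr
    varbinds = tlv(0x30, tlv(0x30, ber_oid(SYS_DESCR) + tlv(0x04, descr)))
    pdu = tlv(GET_RESPONSE, ber_int(request_id) + ber_int(0) + ber_int(0) + varbinds)
    return tlv(0x30, ber_int(0) + tlv(0x04, b"public") + pdu)


def snmp_get(host: str, community: str = "public", oid: str = SYS_DESCR, timeout: float = 2.0) -> dict:
    """Live GET against UDP/161 (only against hosts you are authorised to test)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_snmp_get(community, oid), (host, 161))
        data, _ = s.recvfrom(4096)
    return parse_snmp_response(data)


if __name__ == "__main__":
    print(build_snmp_get("public", SYS_DESCR).hex())
    print(parse_snmp_response(build_sample_response()))
```

The hardening the example argues for is the mirror image of what it does: change or remove the default community strings, restrict snmpd to the management network, or move to SNMPv3 with authentication and privacy so the version string is no longer readable by anyone who can reach UDP port 161.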

*nix Enumeration
• Nessus is also helpful in *nix enumeration

*nix Enumeration
• Nmap script scanning (the Nmap Scripting Engine, invoked with -sC or --script) can also help an attacker
gain information about remote *nix hosts

*nix Enumeration
• Finger utility
– An older but sometimes useful enumeration tool for
security testers and hackers
– Enables you to find out who is logged in to a *nix
system, and often a user's full name, home directory, and shell
– The Finger daemon (fingerd) listens on TCP port 79

Summary
• Enumeration
– Process of extracting information
• User names
• Passwords
• Shared resources
• Enumeration can give an attacker insight into
– Sensitive areas of a network
– Systems running old software
– Misconfigurations that the attacker can take
advantage of

Summary
• Tools for enumerating Windows targets
– Nbtstat
– Net view
– Net use
– Other utilities (NBTscan, DumpSec, Hyena)
• Tools for enumerating *nix systems
– Nessus
– OpenVAS
– SNMPWalk, Nmap scripts, and finger
• SNMP can be used to enumerate both *nix and
Windows hosts running the SNMP service/daemon