Enumerating slides (c) 2012 by Richard Newman based on Hacking Exposed 7 by McClure, Scambray, and Kurtz.

1 Enumerating slides (c) 2012 by Richard Newman based on Hacking Exposed 7 by McClure, Scambray, and Kurtz

2 What is Enumeration?
How does it differ from footprinting and scanning?
– Footprinting did not necessarily attempt to access the target system(s) directly
– Scanning involved transient contact
– Enumeration involves establishing connections and directed queries
Information typically gathered
– User account names (for password attacks)
– Misconfigured shared resources
– Software version and patch state (for known vulnerabilities)
Detailed examination of target systems
Platform specific – how you interact depends on target service/system

3 Service Fingerprinting
Automated method
– Easy to use, so use is likely to increase
– Generates a lot of traffic – likely to be noticed
– Takes significant time
Nmap Version Scanning
– Popularity=9; Simplicity=8; Impact=3; Risk Rating=7
– Use -sV switch
– Can find “hidden” services (ones using the same port as another, better-known service)
Amap Version Scanning (thc.org/thc-amap/)
– Popularity=9; Simplicity=8; Impact=3; Risk Rating=7
– Older than nmap
– Uses different patterns, so gives a second opinion

4 Vulnerability Scanners - 1
Automated VS tools
– Use when stealth not required
  – Know defender is not monitoring
  – Moving too fast to care
Countermeasures
– Keep system patched
– Do your own scans
– IDS – detect (pretty noisy)
– IPS – prevent (slow down attacks to discourage, delay attacker)

5 Vulnerability Scanners - 2
Nessus Scanning (nessus.org/products/nessus)
Popularity=9; Simplicity=9; Impact=6; Risk Rating=8
– Easy to use GUI
– Kept up to date
– Optimized performance
– Client ported to iPhone and Android
– Extendable with user-developed custom plug-ins – Nessus Attack Scripting Language (NASL)
– Open source version OpenVAS (openvas.org) is free

6 Vulnerability Scanners - 3
Nmap Scripting Engine (NSE) Scanning
Popularity=7; Simplicity=6; Impact=5; Risk Rating=6
– Extendable with user-developed scripts – Lua interpreted language
– Intended for specific probing
– --script or -sC options to run scripts

7 Basic Banner Grabbing
Popularity=5; Simplicity=9; Impact=1; Risk Rating=5
telnet
– ASCII-based interactive session client
– Can use to connect to many servers (ASCII-based)
netcat
– “TCP/IP Swiss army knife”
– Allows file input for tedious probes
Countermeasures
– Shut down unnecessary services
– Restrict access to services
– Disable banner display (vendor dependent)
– Do your own checks
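The "do your own checks" countermeasure is easiest to apply with the same nmap version scan slide 3 describes (nmap -sV), saved as XML with -oX. The Python below is an example added here; it is not code from Newman's slides or from the nmap project. It parses an nmap XML report, lists each open port with the product and version nmap's probes matched, and flags the services whose banner gave away an exact version, which is the list to review against the "disable banner display" and "keep system patched" advice. The embedded XML is constructed to mimic nmap's -oX layout and is not a real scan.

```python
"""Inventory services from an nmap -sV XML report (nmap -sV -oX report.xml).

Added example, not code from the slides or from nmap. SAMPLE_NMAP_XML is a
constructed document in nmap's -oX layout, not a real scan.
"""
import xml.etree.ElementTree as ET

SAMPLE_NMAP_XML = """
<nmaprun scanner="nmap" args="nmap -sV -oX report.xml 10.0.0.5">
  <host>
    <status state="up"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21">
        <state state="open"/>
        <service name="ftp" product="vsftpd" version="2.3.4" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="OpenSSH" version="5.3" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http" method="table" conf="3"/>
      </port>
      <port protocol="tcp" portid="8080">
        <state state="open"/>
        <service name="http" product="Apache httpd" version="2.2.15" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="139">
        <state state="closed"/>
        <service name="netbios-ssn" method="table" conf="3"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def parse_services(xml_text):
    """Return one dict per open port: host, port, proto, service, product, version, probed."""
    root = ET.fromstring(xml_text)
    rows = []
    for host in root.findall("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports carry no service evidence
            svc = port.find("service")
            rows.append({
                "host": addr,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": svc.get("name", "") if svc is not None else "",
                "product": svc.get("product", "") if svc is not None else "",
                "version": svc.get("version", "") if svc is not None else "",
                # method="probed": nmap matched a real response; "table": only a
                # guess from the port number (no banner was obtained)
                "probed": svc is not None and svc.get("method") == "probed",
            })
    return rows


def version_disclosures(rows):
    """Services whose banner let nmap name an exact product version."""
    return [r for r in rows if r["probed"] and r["version"]]


def format_report(rows):
    """One line per open port; '!' marks version-disclosing services."""
    out = []
    for r in rows:
        flag = "!" if r["probed"] and r["version"] else " "
        banner = f"{r['product']} {r['version']}".strip() or "(no version fingerprint)"
        out.append(f"{flag} {r['host']}:{r['port']}/{r['proto']} {r['service']} {banner}")
    return out


if __name__ == "__main__":
    services = parse_services(SAMPLE_NMAP_XML)
    print("\n".join(format_report(services)))
    print(f"{len(version_disclosures(services))} of {len(services)} open services disclose a version")
```

Pointing parse_services at the text of a real -oX file gives the same report; ports whose service was only table-guessed (no banner) are kept in the inventory but not flagged, since nothing was disclosed there.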

8 Common Network Services - 1
- FTP
- Telnet
- SMTP
- DNS
- TFTP
- Finger
- HTTP
- MSRPC
- NetBIOS Name Service
- SMB Null Session

9 Common Network Services - 2
- SNMP
- BGP
- Active Directory LDAP
- Unix RPC
- rwho, rusers
- NIS
- SQL Resolution Service
- Oracle TNS
- NFS
- IPSec/IKE

10 FTP Enumeration
Popularity=1; Simplicity=10; Impact=1; Risk Rating=4
File Transfer Protocol – TCP port 21
– Less used now
– Allows upload of (malicious) files
– Often allows anonymous access using any email address
– Get banner
– Determine access
Countermeasures
– Turn off
– Secure FTP (SFTP) uses SSH
– FTP Secure (FTPS) uses SSL
– HTTP for public information access

11 Telnet Enumeration
Popularity=4; Simplicity=9; Impact=3; Risk Rating=5
Telnet – TCP 23
– Used for remote access
– Transmits data in cleartext
– Often displays host system info
– Even if it doesn't, the prompt may reveal the system
– May be used for attacking accounts if lockout not used
– May reveal valid usernames from login attempts
Countermeasures
– Turn off
– Use secure shell (SSH) instead
– Modify banner messages
– Modify error messages
– Account locking/drop connection on login failure

12 SMTP Enumeration
Popularity=5; Simplicity=9; Impact=1; Risk Rating=5
Simple Mail Transfer Protocol – TCP 25
– Used universally for email transfer
– ASCII protocol for requests/replies
– VRFY – verify user names
– EXPN – provide actual delivery email address of alias
– vrfy.pl script allows a file containing a list of user names to be tested and valid user names reported
Countermeasures
– Configure to turn off VRFY and EXPN, or
– Configure to require authentication/privileges to use them
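Both sides of the VRFY/EXPN exchange, and why the two countermeasures work, as an example added here (not code from the slides or from any real mail server). The toy responder below answers the commands the way an unhardened server does, and can be switched to the slide's countermeasures: VRFY/EXPN refused outright, or honoured only after AUTH. The user and alias tables are constructed; the reply codes are RFC 5321's (252 is the standard non-committal VRFY reply, 502 means command not implemented), so a real MTA configured the same way will answer the same tests.

```python
"""VRFY/EXPN handling on both sides of the SMTP exchange.

Added example, not code from the slides or from any real MTA. USERS and
ALIASES are constructed; reply codes follow RFC 5321.
"""

# Constructed account data (example.test is a reserved test domain).
USERS = {"alice": "alice@example.test", "bob": "bob@example.test"}
ALIASES = {
    "postmaster": ["alice@example.test"],
    "sales": ["bob@example.test", "alice@example.test"],
}


class SmtpResponder:
    """Minimal command handler: one instance per client connection."""

    def __init__(self, allow_vrfy_expn=True, require_auth=False):
        self.allow_vrfy_expn = allow_vrfy_expn   # countermeasure 1: turn them off
        self.require_auth = require_auth         # countermeasure 2: privileged use only
        self.authenticated = False

    def handle(self, line):
        """Return the server's reply to one client command line."""
        verb, _, arg = line.strip().partition(" ")
        verb, arg = verb.upper(), arg.strip()
        if verb in ("HELO", "EHLO"):
            return "250 mail.example.test"
        if verb == "AUTH":
            # Toy: any credentials are accepted; a real MTA checks them.
            self.authenticated = True
            return "235 2.7.0 Authentication successful"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        if verb in ("VRFY", "EXPN"):
            blocked = (not self.allow_vrfy_expn) or (self.require_auth and not self.authenticated)
            if blocked:
                # Neither confirm nor deny, so the client learns nothing about the name.
                if verb == "VRFY":
                    return "252 2.5.2 Cannot VRFY user; try RCPT to attempt delivery"
                return "502 5.5.1 EXPN command not implemented"
            return self._vrfy(arg) if verb == "VRFY" else self._expn(arg)
        return "500 5.5.1 Command unrecognized"

    def _vrfy(self, name):
        addr = USERS.get(name.lower())
        if addr is None:
            return "550 5.1.1 User unknown"      # the 250/550 split is the leak
        return f"250 2.1.5 {name} <{addr}>"

    def _expn(self, alias):
        members = ALIASES.get(alias.lower())
        if not members:
            return "550 5.1.1 Alias unknown"
        # Multi-line reply: "250-" on continuation lines, "250 " on the last.
        lines = [f"250-{m}" for m in members[:-1]] + [f"250 {members[-1]}"]
        return "\r\n".join(lines)


def probe_usernames(responder, candidates):
    """What a vrfy.pl-style check learns: names the server confirmed with a 250 reply."""
    return [c for c in candidates if responder.handle(f"VRFY {c}").startswith("250")]


if __name__ == "__main__":
    wordlist = ["alice", "bob", "carol", "root"]   # constructed candidate names
    for label, server in [
        ("default (VRFY/EXPN on)", SmtpResponder()),
        ("VRFY/EXPN disabled", SmtpResponder(allow_vrfy_expn=False)),
        ("auth required", SmtpResponder(require_auth=True)),
    ]:
        print(f"{label}: confirmed users = {probe_usernames(server, wordlist)}")
```

Running the same word list against each configuration shows the default server confirming alice and bob while the two hardened ones confirm nothing; only after a successful AUTH does the auth-required server answer VRFY with account details.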

13 DNS Enumeration - 1
Popularity=5; Simplicity=9; Impact=2; Risk Rating=5
Domain Name System (DNS) – TCP/UDP 53
– Used for footprinting already
– UDP used for most interactions
– TCP for zone transfers
– Zone transfer dumps entire contents of zone files
  HINFO, hostname-IP mappings
– SRV records allow search by service type
– nslookup, dig to access
– BIND (Berkeley Internet Name Domain) enumeration
  Reveals BIND version
  Often allows zone transfer

14 DNS Enumeration - 2
Domain Name System (DNS)
– DNS cache snooping
  DNS servers cache responses to recent queries
  Attacker can force server to only use cache – +norecurse option in dig
  Find recent accesses (or not) to particular FQDN
  Answer flag set to 0 if not, 1 if recent access
– Automated DNS enumeration
  Dnsenum (code.google.com/p/dnsenum/)
  Fierce.pl (ha.ckers.org/fierce)
  Web services for same (e.g., centralops.net)
Countermeasures
– Two DNS servers – one for public, one for private use
– Block DNS zone transfers except to authorized hosts
– Block version.bind requests
– Disable DNS cache snooping

15 TFTP Enumeration
Popularity=1; Simplicity=3; Impact=7; Risk Rating=3
Trivial FTP (TFTP) – TCP/UDP 69
– Quick-and-dirty FTP
– Cleartext, no authentication
– Requires knowledge of file name (exactly)
– May allow download of sensitive files (e.g., /etc/passwd, /etc/shadow, network device configuration files, etc.)
Countermeasures
– Turn off, if possible
– Wrap in TCP wrapper to restrict access
– Limit access to /tftpboot/ directory
– Block at border firewall

16 Finger Enumeration
Popularity=7; Simplicity=10; Impact=1; Risk Rating=6
Finger – TCP/UDP 79
– Reveals logged-in users, idle times
– User info given from public file info
Countermeasures
– Turn off
– Block port 79
– Restrict access
– Restrict info given

17 HTTP Enumeration
Popularity=5; Simplicity=9; Impact=1; Risk Rating=5
Hypertext Transfer Protocol (HTTP) – TCP 80
– Get type and version of web server
– HEAD can get banner info
  But so popular with worms it can trigger IDS
– If server uses SSL, use openssl or an SSL proxy to connect
– Can download all web pages for offline search
  Grendel-Scan
  robots.txt file for “do not search” regions
Countermeasures
– Change banner
– Microsoft IIS Lockdown tool

18 MSRPC Enumeration
Popularity=7; Simplicity=8; Impact=1; Risk Rating=5
Microsoft Remote Procedure Call (MSRPC) – TCP 135
– RPC portmapper for Windows
– Gives list of services with version and IP/protocol/port info
– Winfingerprint tool (sourceforge)
– See hsc.fr/ressources/articles/win_net_srv
Countermeasures
– Restrict outside access
– Require use of VPN for external access
– Use OWA (Outlook Web Access) for remote mail access

19 NBNS Enumeration
Popularity=7; Simplicity=5; Impact=3; Risk Rating=5
NetBIOS Name Service (NBNS) – UDP 137
– Early Windows version of DNS
– net view command
  Usually only works on local LAN segment
  /domain for domains
  /domain:dname for hosts on specific domain (dname)
– nltest tool – identifies domain controllers (with auth creds)
– netviewx tool – lists servers with specific services
– nbtstat, nbtscan – dump NetBIOS name table, with users
– nmbscan tool for Linux
Countermeasures
– Restrict access on hosts, routers (test – may break apps)
– Disable Alerter and Messenger services on hosts

20 SMB Null Session Enumeration
Popularity=8; Simplicity=10; Impact=8; Risk Rating=9
Server Message Block (SMB) Null Session – TCP 139/445
– Windows NT and descendants – file and print sharing
– Samba in Linux
– Can give remote access to attacker
– a.k.a. Red Button, anonymous login, null session connection

21 SMB Null Session (2)
Establish “null session”
– C:\>net use \\192.168.202.33\IPC$ "" /u:""
– Similar to mount network drive command
– Connects to hidden IPC$ share at given IP as built-in anonymous user (/u:"") with null password ("")
– Allows access to targeted host
Enumerating File Shares
– C:\>net view \\host
– Shows IP address and shares on remote systems
– Srvcheck, srvinfo (microsoft.com/downloads/...)
– DumpSec (née DumpAcl) – SomarSoft.com
– Wholesale approach – for sysadmin (not hacker)
  ShareEnum (Sysinternals)
  NetworkScanner (SoftPerfect)

22 SMB Null Session (3)
Share scanning wholesale for hackers
– Includes password brute-forcing (may be intelligent)
– Legion
– NetBIOS Auditing Tool (NAT) (see hackingexposed.com)
Registry Enumeration
– Registry holds keys indicating applications installed
– Also holds user info
– and services
– and holds configuration info (e.g., lockout number for failed password attempts)
– Also may hold pointers to back doors
– All of which can suggest exploits
– Check if Registry is locked down using reg

23 SMB Null Session (4)
Enumerating Trusted Domains
– nltest /server:server_name /trusted_domains
User Enumeration
– DumpSec
  List of users, groups, system policies, user rights
– Following work with RestrictAnonymous=1, with null session
  – UserInfo/UserDump (hammerofgod.com)
  – GetAcct (securityfriday.com)
  – sid2user & user2sid (evgenii.rudnyi.ru/soft/sid/sid.txt)
    SID is security ID – variable length value set at install
    See also http://en.wikipedia.org/wiki/Security_Identifier
    User IDs (and much more) based on SID

24 SMB Null Session (5)
SIDs
– C:\>user2sid \\targetIP “domain users”
– Returns SID of host (hyphenated, S-1-...)
– Digits following last hyphen are the Relative ID (RID)
– RID predefined for built-in users and groups
  500=admin
  501=guest
– RID for users starts at 1000 for NT and increments
  RID not reused => can see users past and present
All-in-one tools
– Cain & Abel (oxid.it/cain.html)
– Winfingerprint (sourceforge.net) – also Active Directory, WMI
– NBTEnum (try on packetstorm) – includes intelligent BF attack
– enum (BindView, Symantec), Enum4linux (Portcullis Security)
– NetE (Cult of the Dead Cow)
– Winfo (ntsecurity.nu)
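The SID facts on this slide and the previous one (RID is the last sub-authority, 500/501 are fixed, user RIDs start at 1000 and are never reused) are easy to turn into a self-audit. The Python below is an example added here, not code from the slides or from the sid2user/user2sid tools: it parses SIDs in the textual form those tools print, recovers the RID and the issuing domain SID, spots an Administrator account that has merely been renamed (its RID is still 500), and lists gaps in the user RID sequence, which are the deleted accounts the slide says remain visible. The host SID and account table are constructed; 512/513 are the standard Domain Admins/Domain Users RIDs and are the only values not taken from the slides.

```python
"""Working with SIDs and RIDs as sid2user/user2sid print them.

Added example, not code from the slides or from those tools. HOST_SID and
ACCOUNTS are constructed; 500/501 are from the slide, 512/513 are the standard
Domain Admins / Domain Users RIDs.
"""
import re

# S-<revision>-<identifier authority>-<sub-authority>[-<sub-authority>...]
_SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")

WELL_KNOWN_RIDS = {
    500: "built-in Administrator",
    501: "built-in Guest",
    512: "Domain Admins group",
    513: "Domain Users group",
}


def parse_sid(sid):
    """Return (revision, identifier_authority, [sub_authorities]); ValueError if malformed."""
    m = _SID_RE.match(sid)
    if m is None:
        raise ValueError(f"not a SID: {sid!r}")
    revision, authority = int(m.group(1)), int(m.group(2))
    subs = [int(x) for x in m.group(3).split("-")[1:]]
    if revision != 1 or not 1 <= len(subs) <= 15:   # only revision 1 exists; max 15 sub-authorities
        raise ValueError(f"unsupported SID layout: {sid!r}")
    return revision, authority, subs


def is_sid(text):
    try:
        parse_sid(text)
        return True
    except ValueError:
        return False


def rid(sid):
    """The Relative ID: the digits after the last hyphen."""
    return parse_sid(sid)[2][-1]


def domain_sid(sid):
    """Everything before the RID identifies the issuing machine or domain."""
    revision, authority, subs = parse_sid(sid)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs[:-1]))


def classify(sid):
    r = rid(sid)
    if r in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[r]
    return "other built-in" if r < 1000 else "user-created account"


def renamed_admins(accounts):
    """accounts: {name: sid}. Renaming Administrator does not change its RID of 500."""
    return sorted(n for n, s in accounts.items() if rid(s) == 500 and n.lower() != "administrator")


def rid_gaps(accounts):
    """RIDs >= 1000 missing between the lowest and highest seen. RIDs are never
    reused, so each gap is an account that once existed and was deleted."""
    rids = sorted(r for r in (rid(s) for s in accounts.values()) if r >= 1000)
    if not rids:
        return []
    present = set(rids)
    return [r for r in range(rids[0], rids[-1] + 1) if r not in present]


# Constructed host SID and account table; nothing here is from a real system.
HOST_SID = "S-1-5-21-1004336348-1177238915-682003330"
ACCOUNTS = {
    "svc-backup": HOST_SID + "-500",   # Administrator renamed; the RID gives it away
    "Guest": HOST_SID + "-501",
    "Domain Users": HOST_SID + "-513",
    "alice": HOST_SID + "-1000",
    "bob": HOST_SID + "-1001",
    "dave": HOST_SID + "-1003",        # 1002 is missing: a deleted account
}

if __name__ == "__main__":
    for name, sid in ACCOUNTS.items():
        print(f"{name:14s} RID {rid(sid):5d}  {classify(sid)}")
    print("renamed Administrator:", renamed_admins(ACCOUNTS))
    print("deleted RIDs:", rid_gaps(ACCOUNTS))
```

Feeding it the name/SID pairs from a DumpSec or sid2user listing of your own hosts gives the same two checks an attacker would make, which is the point of the "self audit" countermeasure on the next slide.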

25 SMB Null Session (6)
Popularity=8; Simplicity=10; Impact=8; Risk Rating=9
Countermeasures
– Filter TCP/UDP ports 139 & 445 at perimeter
– Self audit
– Unbind WINS Client, or
– Set RestrictAnonymous key (=0 is open, =1 can be bypassed, =2 means no null sessions possible) in NT
– More granular access control in later Windows versions
– HKLM\System\CurrentControlSet\Control\SecurePipeServers\Winreg and subkeys (e.g., AllowedPaths)

26 SNMP Enumeration
Popularity=7; Simplicity=9; Impact=3; Risk Rating=6
Simple Network Management Protocol – UDP 161
– “Security Not My Problem” – lacks strong protections
– Password authentication – well-known default pw
– Access to get and set MIBs (management information bases)
– Vendor specific extensions to MIBs
– Uses ASN.1 syntax for object IDs (OIDs)

27 SNMP Enumeration (2)
Tools
– snmputil, snmpget, snmpwalk command-line tools
– snmpget (Linux/Unix) in net-snmp suite at SourceForge
– copy-router-config.pl (muts)
– IP Network Browser – GUI tool (solarwinds.com)
Targets
– Running services
– Share names
– Share paths
– Comments on shares
– Usernames
– Domain name
– Architecture, OS version

28 SNMP Enumeration (3)
SNMP Scanners
– Simple, light-weight => perfect for automated scanning
– SNScan (mcafee.com/us/downloads/free-tools/snscan.aspx)
  Community and range to scan (or in file)
  Hostname and (MIB version of) OS version
  CSV file export
– onesixtyone (portcullis-security.com/16.php)
  Command line version of SNScan
Countermeasures
– Remove or disable SNMP agents on hosts
– Use obscure community names (e.g., NOT “public” or “private”)
– Block port 161 at all perimeter network access devices
– Restrict access to specific IP addresses
– Use SNMPv3 (more secure)
– Set Registry to permit only authorized access
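Three of the countermeasures above (no default community names, restrict the source addresses, prefer SNMPv3) can be checked straight from an agent's configuration before a scanner like SNScan or onesixtyone finds the gap for you. The Python below is an example added here, not code from the slides, from net-snmp, or from either scanner. It reads the community and v3 directives of a net-snmp snmpd.conf (rocommunity, rwcommunity, com2sec, rouser, rwuser, createUser, which is net-snmp's real directive syntax) and reports each violation; the configuration text is constructed, and other agents' configuration formats are out of scope.

```python
"""Audit a net-snmp snmpd.conf against the slide's SNMP countermeasures.

Added example; not code from the slides, from net-snmp, or from SNScan /
onesixtyone. SAMPLE_SNMPD_CONF is constructed. Only net-snmp's community
(rocommunity / rwcommunity / com2sec) and v3 (rouser / rwuser / createUser)
directives are interpreted; everything else is ignored.
"""

DEFAULT_COMMUNITIES = {"public", "private"}
ANY_SOURCE = {"default", "0.0.0.0/0", "0.0.0.0", "::/0"}   # net-snmp's "any host" spellings
V3_DIRECTIVES = {"rouser", "rwuser", "createuser"}

# Constructed example configuration.
SAMPLE_SNMPD_CONF = """\
# Monitoring host settings
rocommunity public
rwcommunity private 10.0.0.0/8
rocommunity s3cr3t-ro 192.168.10.5 -V systemonly
com2sec readonly default public
rouser monitor priv
"""


def _directives(text):
    """Yield (keyword, args) for each non-blank, non-comment line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            yield parts[0].lower(), parts[1:]


def parse_communities(text):
    """Return [(access, community, source)] for every v1/v2c community grant."""
    found = []
    for keyword, args in _directives(text):
        if keyword in ("rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6") and args:
            # rocommunity COMMUNITY [SOURCE] [OID | -V VIEW]: SOURCE is optional,
            # and an omitted SOURCE means "default", i.e. any host.
            source = args[1] if len(args) > 1 and not args[1].startswith("-") else "default"
            found.append(("rw" if keyword.startswith("rw") else "ro", args[0], source))
        elif keyword == "com2sec" and len(args) >= 3:
            # com2sec SECNAME SOURCE COMMUNITY
            found.append(("com2sec", args[2], args[1]))
    return found


def has_v3_users(text):
    return any(keyword in V3_DIRECTIVES for keyword, _ in _directives(text))


def audit(text):
    """Return a list of findings; an empty list means the file passes these checks."""
    findings = []
    for access, community, source in parse_communities(text):
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append(f"default community name '{community}' ({access})")
        if source in ANY_SOURCE:
            findings.append(f"community '{community}' accepts requests from any source")
        if access == "rw":
            findings.append(f"write community '{community}' configured")
    if not has_v3_users(text):
        findings.append("no SNMPv3 users configured (v1/v2c only)")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SNMPD_CONF) or ["no findings"]:
        print("-", finding)
```

On the constructed file only the s3cr3t-ro community, bound to a single source address, passes; the "public"/"private" communities are each reported twice (default name, plus open source or write access), and the presence of a rouser line is what satisfies the SNMPv3 check.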

29 BGP Enumeration
Popularity=2; Simplicity=6; Impact=2; Risk Rating=3
Border Gateway Protocol (BGP) – TCP 179
– Interdomain routing protocol
– Determine Autonomous System Number (ASN) of target
– Query routers to get all networks where AS path ends with desired ASN
– Only uses IP addresses and ASNs
  Get ASN from whois search (if name known)
  Get ASN from router using IP address (if known)
    – Use telnet to router – show AS path
    – Use last ASN on list as target ASN
    – May be false if BGP not used!!!
Countermeasures – none

30 Active Directory LDAP Enumeration
Popularity=2; Simplicity=2; Impact=5; Risk Rating=3
Active Directory/Lightweight Directory Access Protocol (LDAP) – TCP/UDP 389 and 3268
- Active Directory holds info on all objects in system
- ldp.exe is AD Administration Tool – connect/browse
  - e.g., view users, groups
  - requires authenticated session via LDAP
  - user enum alternative if NetBIOS ports blocked
- LUMA or JXplorer on Linux/X Windows
- ldapenum command-line script (Windows/Linux)
Countermeasures
- Filter access to ports 389 and 3268
- Remove Everyone group from Pre-Windows 2000 Compatible Access

31 Unix RPC Enumeration
Popularity=7; Simplicity=10; Impact=1; Risk Rating=6
Unix Remote Procedure Call (RPC) – TCP/UDP 111, 32771
- Portmapper/rpcbind used for dynamic port assignment for services available using RPC/RMI
- remains very popular for distributed systems
- rpcinfo -p lists program, version, protocol, port
- nmap -sS -sR works nicely
Countermeasures
- Not easy in general – needed for distributed system operation
- Can use Sun’s Secure RPC (using PKC)
- Filter or disable ports 111, 32771, etc.

32 rwho, rusers Enumeration
Popularity=3; Simplicity=8; Impact=1; Risk Rating=4
rwho (UDP 513), rusers (RPC program 100002)
- rwho returns currently logged-in users using rwhod
- rusers can provide a little more info
Countermeasures
- Turn off (look in start-up scripts /etc/init.d, /etc/rc*.d)

33 NIS Enumeration
Popularity=3; Simplicity=8; Impact=1; Risk Rating=4
Network Information System (NIS) – RPC program 100004
- Once NIS domain name is known, NIS maps (distributed mappings of hosts’ critical info, e.g., passwd file contents) are available using RPC
- pscan -n tool
Countermeasures
- Use hard-to-guess NIS domain name
- Use NIS+ (uses secure RPC)
- At least edit /var/yp/securenets file to restrict access
- Don’t include root/system account info in NIS tables

34 SQL Resolution Service Enumeration
Popularity=5; Simplicity=8; Impact=2; Risk Rating=5
SQL Resolution Service – UDP 1434
- Works like portmapper as “instance mapper” for SQL
- SQLPing tool
Countermeasures
- Restrict access at firewall
- Use “hide server” option

35 Oracle TNS Enumeration
Popularity=1; Simplicity=10; Impact=1; Risk Rating=4
Transparent Network Substrate (TNS) – TCP 1521/2483
- Oracle TNS listener manages client-server DB traffic
- Can get database SID, version, OS, etc.
- Need SID to access DB – can try default accounts
- AppSentry Listener Security Check tool
- tnscmd.pl/tnscmd10g.pl, getsids tools
- Oracle Assessment Kit (OAK)
- Oracle Auditing Tool (OAT)
Countermeasures
- Configure to require password access
- See Project Lockdown and Integrigy papers

36 NFS Enumeration
Popularity=7; Simplicity=10; Impact=1; Risk Rating=6
Network File System (NFS) – TCP/UDP 2049
- Unix utility showmount shows exported directories
Countermeasures
- Not much you can do
- Make sure permissions are correct on directories
- Block 2049 at firewall
- Log requests

37 IPSec/IKE Enumeration
Popularity=6; Simplicity=6; Impact=9; Risk Rating=7
IPSec/Internet Key Exchange (IKE) – UDP 500
- IPSec used for VPN
- IKE used to manage key negotiations
- Malformed packets are silently dropped – hard to see
- ike-scan forms packets that get responses
  - gets negotiation info, like PSK or certs
  - Main Mode/Aggressive Mode
  - Which ciphersuites are in use
- PSK/Aggressive Mode => get hash of PSK, use psk-crack
Countermeasures
- Restrict VPN access to specific IP addrs, if possible
- Use Main Mode and certificates

