Module IV
Enumeration
Ethical Hacking
Version 5
EC-Council
Copyright © by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Module Objective
This module will familiarize you with the following:
Overview of System Hacking Cycle
Enumeration
Techniques for Enumeration
Establishing Null Session
Enumerating User Accounts
Null User Countermeasures
SNMP Scan
SNMP Enumeration
MIB
SNMP Util Example
SNMP Enumeration Countermeasures
Active Directory Enumeration
AD Enumeration Countermeasures
Module Flow
(Diagram: Overview of SHC → Enumeration → Techniques for Enumeration → Establishing Null Session → Enumerating User Accounts → Null User Countermeasures → SNMP Scan → SNMP Enumeration → MIB → SNMP Util Example → SNMP Enumeration Countermeasures → Active Directory Enumeration → AD Enumeration Countermeasures)
Overview of System Hacking Cycle
Step 1: Enumerate users
• Extract user names using Win 2K enumeration, SNMP probing
Step 2: Crack the password
• Crack the password of the user and gain access to the system
Step 3: Escalate privileges
• Escalate to the level of administrator
Step 4: Execute applications
• Plant keyloggers, spyware, and rootkits on the machine
Step 5: Hide files
• Use steganography to hide hacking tools and source code
Step 6: Cover your tracks
• Erase tracks so that you will not be caught
(Diagram: Enumerate → Crack → Escalate → Execute → Hide → Cover Tracks)
What is Enumeration?
Enumeration is defined as the extraction of user names, machine names, network resources, shares, and services
Enumeration techniques are conducted in an intranet environment
Enumeration involves active connections to systems and directed queries
The type of information enumerated by intruders:
• Network resources and shares
• Users and groups
• Applications and banners
• Auditing settings
Techniques for Enumeration
Some of the techniques for enumeration are:
• Extract user names using Win2k enumeration
• Extract user names using SNMP
• Extract user names using email IDs
• Extract information using default passwords
• Brute force Active Directory
NetBIOS Null Sessions
The null session is often referred to as the Holy Grail of Windows hacking. Null sessions take advantage of flaws in CIFS/SMB (Common Internet File System/Server Message Block)
You can establish a null session with a Windows (NT/2000/XP) host by logging on with a null user name and password
Using these null connections allows you to gather the following information from the host:
• List of users and groups
• List of machines
• List of shares
• Users and host SIDs (Security Identifiers)
So What's the Big Deal?
Anyone with a NetBIOS connection to your computer can easily get a full dump of all your user names, groups, shares, permissions, policies, services, and more using the null user.
The following syntax connects to the hidden Inter Process Communication 'share' (IPC$) at IP address 192.34.34.2 with the built-in anonymous user (/u:"") and a null ("") password
The attacker now has a channel over which to attempt various techniques.
The CIFS/SMB and NetBIOS standards in Windows 2000 include APIs that return rich information about a machine via TCP port 139, even to unauthenticated users.
This works on Windows 2000/XP systems, but not on Win 2003
Windows: C:\> net use \\192.34.34.2\IPC$ "" /u:""
Linux: $ smbclient //target/ipc$ "" -U ""
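The slide shows the null-session connection from the client side; the record a defender has of the same event is the Security log on the target. The Python below is an added example, not part of the EC-Council module: it parses a few constructed log records whose field names are modelled on the Windows Security events 4624 (logon) and 5140 (network share accessed), and flags an ANONYMOUS LOGON network logon (Logon Type 3) followed by access to the IPC$ share under the same Logon ID. The log text, addresses and Logon IDs are constructed for the demo and are not a real capture.

```python
"""Flag anonymous (null-session style) SMB activity in Windows Security log text.

Added example, not part of the EC-Council module. The records below are
constructed and simplified; field names mirror Security events 4624 and 5140.
"""
import re

# Constructed sample: four simplified Security log records separated by blank lines.
SAMPLE_LOG = """\
EventID: 4624
Logon Type: 3
Account Name: ANONYMOUS LOGON
Account Domain: NT AUTHORITY
Logon ID: 0x3e6
Source Network Address: 192.34.34.9

EventID: 5140
Share Name: \\\\*\\IPC$
Account Name: ANONYMOUS LOGON
Account Domain: NT AUTHORITY
Logon ID: 0x3e6
Source Address: 192.34.34.9

EventID: 4624
Logon Type: 3
Account Name: jsmith
Account Domain: CORP
Logon ID: 0x4f2a1
Source Network Address: 10.0.0.7

EventID: 5140
Share Name: \\\\*\\Finance
Account Name: jsmith
Account Domain: CORP
Logon ID: 0x4f2a1
Source Address: 10.0.0.7
"""

FIELD_RE = re.compile(r"^([A-Za-z ]+):\s*(.*)$")


def parse_records(text):
    """Split log text into records; each record is a dict of field -> value."""
    records = []
    for chunk in text.strip().split("\n\n"):
        rec = {}
        for line in chunk.splitlines():
            m = FIELD_RE.match(line.strip())
            if m:
                rec[m.group(1).strip()] = m.group(2).strip()
        if rec:
            records.append(rec)
    return records


def is_anonymous(rec):
    """True when the record was produced by the anonymous (null) user."""
    return rec.get("Account Name", "").upper() == "ANONYMOUS LOGON"


def find_null_sessions(text):
    """Return (finding, source address) pairs for null-session indicators.

    A null session appears as a Logon Type 3 (network) logon by ANONYMOUS LOGON,
    followed by a share access to IPC$ carrying the same Logon ID.
    """
    findings = []
    anon_logons = {}  # Logon ID -> source address of the anonymous logon
    for rec in parse_records(text):
        if rec.get("EventID") == "4624" and rec.get("Logon Type") == "3" and is_anonymous(rec):
            src = rec.get("Source Network Address", "?")
            anon_logons[rec.get("Logon ID")] = src
            findings.append(("anonymous-network-logon", src))
        elif rec.get("EventID") == "5140" and is_anonymous(rec):
            share = rec.get("Share Name", "")
            # Prefer the event's own address; fall back to the matching logon's address.
            src = rec.get("Source Address", anon_logons.get(rec.get("Logon ID"), "?"))
            if share.upper().endswith("IPC$"):
                findings.append(("anonymous-ipc$-access", src))
    return findings


if __name__ == "__main__":
    for finding, src in find_null_sessions(SAMPLE_LOG):
        print(f"{finding} from {src}")
```

An anonymous Type 3 logon on its own is noisy in many networks; the anonymous IPC$ access correlated to it is the stronger signal, which is why the function keys on the Logon ID. The jsmith records are included so the test shows authenticated share access is left alone.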
Tool: DumpSec
DumpSec reveals shares over a null session with the target computer
NetBIOS Enumeration Using Net view
The Net view tool allows you to gather two essential bits of information:
1. List of computers that belong to a domain
2. List of shares on individual hosts on the network
The first thing a remote attacker will try on a Windows 2000 network is to get a list of hosts attached to the wire
net view /domain
net view \\<some-computer>
nbtstat -A <some IP>
Nbtstat Enumeration Tool
Nbtstat is a Windows command-line tool that can be used to display information about a computer's NetBIOS connections and name tables
Run: nbtstat -A <some ip address>
C:\> nbtstat
Displays protocol statistics and current TCP/IP connections using NBT (NetBIOS over TCP/IP).
NBTSTAT [-a RemoteName] [-A IP address] [-c] [-n] [-r] [-R] [-s] [-S] [interval]
Tool: SuperScan4
A powerful connect-based TCP port scanner, pinger, and hostname resolver
Performs ping scans and port scans using any IP range, or by specifying a text file from which to extract addresses
Scans any port range from a built-in list or a specified range
Resolves and reverse-looks-up any IP address or range
Modifies the port list and port descriptions using the built-in editor
Connects to any discovered open port using user-specified "helper" applications (e.g., Telnet, web browser, FTP), and assigns a custom helper application to any port
Snapshot for Windows Enumeration
Tool: enum
Available for download from http://razor.bindview.com
enum is a console-based Win32 information enumeration utility
Using null sessions, enum can retrieve user lists, machine lists, share lists, name lists, group and membership lists, and password and LSA policy information
enum is also capable of rudimentary brute-force dictionary attacks on individual accounts
Enumerating User Accounts
Two powerful NT/2000 enumeration tools are:
1. sid2user
2. user2sid
They can be downloaded at www.chem.msu.su/~rudnyi/NT/
These are command-line tools that look up NT SIDs from user name input and vice versa
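sid2user and user2sid work because a Windows SID has a fixed binary layout: a revision byte, a sub-authority count, a 48-bit identifier authority, and 32-bit little-endian sub-authorities, the last of which is the relative identifier (RID). The Python below is an added example, not the code of either tool or of the module: it decodes and rebuilds SIDs and names the well-known RIDs, which is why renaming the built-in Administrator account does not hide it (it still carries RID 500) and why restricting anonymous access matters. The SID S-1-5-21-1-2-3-500 used in the test is constructed.

```python
"""Decode and build Windows security identifiers (SIDs).

Added example, not part of the EC-Council module or of sid2user/user2sid.
Layout: revision (1 byte), sub-authority count (1), identifier authority
(6 bytes, big-endian), then count x 32-bit little-endian sub-authorities.
"""
import struct

# Well-known relative identifiers found at the end of machine/domain SIDs.
WELL_KNOWN_RIDS = {
    500: "Administrator (built-in)",
    501: "Guest (built-in)",
    502: "krbtgt",
    512: "Domain Admins",
    513: "Domain Users",
}


def sid_to_string(blob: bytes) -> str:
    """Convert a binary SID to its S-R-A-S1-S2-... text form."""
    if len(blob) < 8:
        raise ValueError("SID too short")
    revision, count = blob[0], blob[1]
    if len(blob) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:]) if count else ()
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])


def string_to_sid(text: str) -> bytes:
    """Convert S-R-A-S1-S2-... text back to the binary layout."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("too many sub-authorities")
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def split_sid(text: str):
    """Split an account SID into (domain or machine SID, RID)."""
    head, _, rid = text.rpartition("-")
    return head, int(rid)


def describe_rid(text: str) -> str:
    """Name the account class a SID's RID reveals, regardless of the account's name."""
    _, rid = split_sid(text)
    if rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[rid]
    return "user-created (RID >= 1000)" if rid >= 1000 else "other"


if __name__ == "__main__":
    sample = "S-1-5-21-1-2-3-500"  # constructed sample SID
    print(sid_to_string(string_to_sid(sample)), "->", describe_rid(sample))
```

The round trip through string_to_sid and sid_to_string is what lets a tool translate between a name and a SID; describe_rid shows the defender-side lesson that the RID, not the display name, identifies the privileged built-in accounts.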
Tool: GetAcct
GetAcct sidesteps "RestrictAnonymous=1" and acquires account information on Windows NT/2000 machines
Downloadable from www.securityfriday.com
Null Session Countermeasures
Null sessions require access to TCP port 139 and/or TCP port 445
Null sessions do not work with Windows 2003
You could also disable SMB services entirely on individual hosts by unbinding the WINS Client (TCP/IP) from the interface
Edit the registry to restrict the anonymous user:
1. Open regedt32 and navigate to HKLM\SYSTEM\CurrentControlSet\Control\Lsa
2. Choose Edit | Add Value
• Value name: RestrictAnonymous
• Data Type: REG_DWORD
• Value: 2
PS Tools
PS Tools was developed by Mark Russinovich of SysInternals, and contains a collection of enumeration tools. Some of the tools require user authentication to the system:
• PsExec - Executes processes remotely
• PsFile - Shows files opened remotely
• PsGetSid - Displays the SID of a computer or a user
• PsKill - Kills processes by name or process ID
• PsInfo - Lists information about a system
• PsList - Lists detailed information about processes
• PsLoggedOn - Shows who's logged on locally and via resource sharing
• PsLogList - Dumps event log records
• PsPasswd - Changes account passwords
• PsService - Views and controls services
• PsShutdown - Shuts down and optionally reboots a computer
• PsSuspend - Suspends processes
• PsUptime - Shows how long a system has been running since its last reboot
SNMP Enumeration
SNMP stands for Simple Network Management Protocol
Managers send requests to agents, and the agents send back replies
The requests and replies refer to variables accessible to agent software
Managers can also send requests to set values for certain variables
Traps let the manager know that something significant has happened at the agent's end of things:
• A reboot
• An interface failure
• Or, that something else that is potentially bad has happened
Enumerating NT users via the SNMP protocol is easy using snmputil
(Diagram: Mgmt station ↔ Agent; GET/SET from the manager, TRAP from the agent)
Management Information Base
MIB provides a standard representation of the SNMP agent's available information and where it is stored
MIB is the most basic element of network management
MIB-II is the updated version of the standard MIB
MIB-II adds new SYNTAX types and adds more manageable objects to the MIB tree
Look for SNMP systems with the community string "public," which is the default for most systems.
SNMPutil Example
Tool: Solarwinds
It is a set of network management tools
The tool set consists of the following:
• Discovery
• Cisco Tools
• Ping Tools
• Address Management
• Monitoring
• MIB Browser
• Security
• Miscellaneous
Tool: SNScan V1.05
It is a Windows-based SNMP scanner that can effectively detect SNMP-enabled devices on the network
It scans specific SNMP ports and uses public and user-defined SNMP community names
It is a handy tool for information gathering
Getif SNMP MIB Browser
UNIX Enumeration
Commands used to enumerate Unix network resources are as follows:
• showmount:
– Finds the shared directories on the machine
– [root $] showmount -e 19x.16x.xxx.xx
• finger:
– Enumerates the user and host
– Enables you to view the user's home directory, login time, idle times, office location, and the last time they both received or read mail
– [root $] finger -l @target.hackme.com
• rpcinfo:
– Helps to enumerate the Remote Procedure Call protocol
– The RPC protocol allows applications to talk to one another over the network
– [root $] rpcinfo -p 19x.16x.xxx.xx
SNMP UNIX Enumeration
An SNMP agent on the Unix platform can be enumerated using the snmpwalk tool
SNMP running on UDP port 161 can be enumerated using the command:
• [root] # nmap -sU -p 161 19x.16x.1.60
• A query is passed to any MIB agent with snmpwalk:
– [root] # snmpwalk 19x.16x.x.xx public system.sysName.x
Countermeasures:
• Ensure proper configuration of the default community names "public" and "private."
• Implement SNMP v3, which is a more secure version
SNMP Enumeration Countermeasures
The simplest way to prevent such activity is to remove the SNMP agent or turn off the SNMP service
If shutting off SNMP is not an option, then change the default "public" community name
Implement the Group Policy security option called "Additional restrictions for anonymous connections."
Access to null session pipes and null session shares should also be restricted, and IPSec filtering applied
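The MIB slide tells you to look for agents answering to the default community "public", and the countermeasure slides say to change it or move to SNMP v3. The reason both matter is visible in the packet format: in SNMPv1 and v2c the community string is an ASN.1 OCTET STRING sent in the clear. The Python below is an added example, not part of the module and not the code of snmputil or snmpwalk: it BER-encodes a v2c GetRequest for sysName.0 (1.3.6.1.2.1.1.5.0), then parses the bytes back the way a passive network monitor would and raises the two findings a defender cares about (cleartext community, default community). SNMPv3 messages have a different structure and are deliberately rejected by the parser. The community strings and request id are constructed values.

```python
"""Encode and parse SNMPv1/v2c GetRequest messages to show the community string on the wire.

Added example, not part of the EC-Council module or of snmputil/snmpwalk.
Message layout: SEQUENCE { INTEGER version, OCTET STRING community,
[0] GetRequest { INTEGER request-id, INTEGER 0, INTEGER 0, SEQUENCE OF varbind } }
"""
DEFAULT_COMMUNITIES = {"public", "private"}
VERSION_NAMES = {0: "v1", 1: "v2c"}


# ---- BER encoding (SNMP uses a small subset of ASN.1 BER) ----
def ber_len(n):
    """Definite-length encoding: short form below 128, long form otherwise."""
    if n < 128:
        return bytes([n])
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(lb)]) + lb


def tlv(tag, content):
    return bytes([tag]) + ber_len(len(content)) + content


def ber_int(n):
    """Non-negative INTEGER with minimal two's-complement length."""
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))


def ber_oid(text):
    """OBJECT IDENTIFIER: first two arcs merged as 40*a+b, then base-128 sub-identifiers."""
    arcs = [int(a) for a in text.split(".")]
    out = bytearray()
    for v in [40 * arcs[0] + arcs[1]] + arcs[2:]:
        chunk = [v & 0x7F]
        v >>= 7
        while v:
            chunk.append(0x80 | (v & 0x7F))
            v >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def build_get_request(community, oid, request_id=1, version=1):
    """Build a GetRequest (PDU tag 0xA0) for one OID with a NULL value."""
    varbind = tlv(0x30, ber_oid(oid) + tlv(0x05, b""))
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(version) + tlv(0x04, community.encode()) + pdu)


# ---- BER decoding ----
def read_tlv(buf, pos):
    """Return (tag, content, position after this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content):
    arcs, v = [], 0
    for b in content:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.extend(divmod(v, 40) if v < 80 else (2, v - 80)) if not arcs else arcs.append(v)
            v = 0
    return ".".join(str(a) for a in arcs)


def parse_snmp_message(packet):
    """Parse a v1/v2c message into version, community, PDU type, request id and OIDs."""
    tag, body, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, ver, pos = read_tlv(body, 0)
    version = int.from_bytes(ver, "big")
    if version not in VERSION_NAMES:
        raise ValueError("only SNMPv1/v2c community-based messages are parsed here")
    _, community, pos = read_tlv(body, pos)
    pdu_tag, pdu, _ = read_tlv(body, pos)
    _, rid, p = read_tlv(pdu, 0)
    _, _, p = read_tlv(pdu, p)  # error-status
    _, _, p = read_tlv(pdu, p)  # error-index
    _, varbinds, _ = read_tlv(pdu, p)
    oids, p = [], 0
    while p < len(varbinds):
        _, vb, p = read_tlv(varbinds, p)
        _, oid, _ = read_tlv(vb, 0)
        oids.append(decode_oid(oid))
    return {"version": VERSION_NAMES[version], "community": community.decode("latin-1"),
            "pdu_type": pdu_tag, "request_id": int.from_bytes(rid, "big"), "oids": oids}


def audit_packet(packet):
    """Findings a monitor would raise for an observed v1/v2c request."""
    msg = parse_snmp_message(packet)
    findings = ["cleartext community string (SNMP %s)" % msg["version"]]
    if msg["community"].lower() in DEFAULT_COMMUNITIES:
        findings.append("default community %r in use" % msg["community"])
    return findings


if __name__ == "__main__":
    pkt = build_get_request("public", "1.3.6.1.2.1.1.5.0")  # constructed request
    print(pkt.hex())
    print(audit_packet(pkt))
```

Because the community is an OCTET STRING inside a SEQUENCE, anyone who can read the UDP/161 datagram reads the credential, which is the design reason v3 adds authentication and privacy instead of a shared string.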
Tool: Winfingerprint
Winfingerprint is GUI-based
It has the option of scanning a single host or a continuous network block
Has two main windows:
• IP address range
• Windows options
Source: http://winfingerprint.sourceforge.net
Windows Active Directory Attack Tool
w2kdad.pl is a Perl script that attacks Windows 2000/2003 Active Directory
Enumerates users and passwords in a native W2k AD
There is an option to use SNMP to gather user data, as well as a DoS option to lock out every user found
A successful DoS attack will depend on whether or not the domain has account lockout enabled
IP Tools Scanner
IP Tools is a complete suite of 19 essential TCP/IP networking utilities that includes:
• Local Info
• Connections Monitor
• NetBIOS Scanner
• Shared resources
• Scanner, SNMP
• Scanner, HostName
• Scanner, Ports
• Scanner, UDP Scanner
• Ping Scanner
• Trace, LookUp
• Finger
• WhoIs
• Time Synchronizer
• Telnet client
• HTTP client
• IP-Monitor
• Hosts Monitor and SNMP Trap Watcher
Enumerate Systems Using Default Passwords
Many devices like switches/hubs/routers might still be configured with their "default password"
Try to gain access using default passwords
www.phenoelit.de/dpl/dpl.html contains an interesting list of passwords
Steps to Perform Enumeration
1. Extract user names using Win 2K enumeration
2. Gather information from the host using null sessions
3. Perform Windows enumeration using the tool SuperScan4
4. Get the users' accounts using the tool GetAcct
5. Perform an SNMP port scan using the tool SNScan V1.05
Summary
Enumeration involves active connections to systems and directed queries
The type of information enumerated by intruders includes network resources and shares, users and groups, and applications and banners
Crackers often use null sessions to connect to target systems
NetBIOS and SNMP enumerations can be disguised using tools such as snmputil and nat
Tools such as user2sid, sid2user, and userinfo can be used to identify vulnerable user accounts

More Related Content

What's hot

Module 6 Session Hijacking
Module 6   Session HijackingModule 6   Session Hijacking
Module 6 Session Hijacking
leminhvuong
 

What's hot (20)

Ceh v5 module 01 introduction to ethical hacking
Ceh v5 module 01 introduction to ethical hackingCeh v5 module 01 introduction to ethical hacking
Ceh v5 module 01 introduction to ethical hacking
 
Footprinting and reconnaissance
Footprinting and reconnaissanceFootprinting and reconnaissance
Footprinting and reconnaissance
 
Ceh v5 module 20 buffer overflow
Ceh v5 module 20 buffer overflowCeh v5 module 20 buffer overflow
Ceh v5 module 20 buffer overflow
 
Port Scanning
Port ScanningPort Scanning
Port Scanning
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operations
 
Ceh v5 module 07 sniffers
Ceh v5 module 07 sniffersCeh v5 module 07 sniffers
Ceh v5 module 07 sniffers
 
Reconnaissance & Scanning
Reconnaissance & ScanningReconnaissance & Scanning
Reconnaissance & Scanning
 
Module 6 Session Hijacking
Module 6   Session HijackingModule 6   Session Hijacking
Module 6 Session Hijacking
 
Cyber Attack Methodologies
Cyber Attack MethodologiesCyber Attack Methodologies
Cyber Attack Methodologies
 
Security vulnerability
Security vulnerabilitySecurity vulnerability
Security vulnerability
 
Module 2 (footprinting)
Module 2 (footprinting)Module 2 (footprinting)
Module 2 (footprinting)
 
Ceh v5 module 09 social engineering
Ceh v5 module 09 social engineeringCeh v5 module 09 social engineering
Ceh v5 module 09 social engineering
 
NETWORK PENETRATION TESTING
NETWORK PENETRATION TESTINGNETWORK PENETRATION TESTING
NETWORK PENETRATION TESTING
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testing
 
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
 
Inetsecurity.in Ethical Hacking presentation
Inetsecurity.in Ethical Hacking presentationInetsecurity.in Ethical Hacking presentation
Inetsecurity.in Ethical Hacking presentation
 
Ceh v5 module 14 sql injection
Ceh v5 module 14 sql injectionCeh v5 module 14 sql injection
Ceh v5 module 14 sql injection
 
Network Security Presentation
Network Security PresentationNetwork Security Presentation
Network Security Presentation
 
Ceh v5 module 13 web based password cracking techniques
Ceh v5 module 13 web based password cracking techniquesCeh v5 module 13 web based password cracking techniques
Ceh v5 module 13 web based password cracking techniques
 
Cia security model
Cia security modelCia security model
Cia security model
 

Viewers also liked

Presentation buffer overflow attacks and theircountermeasures
Presentation buffer overflow attacks and theircountermeasuresPresentation buffer overflow attacks and theircountermeasures
Presentation buffer overflow attacks and theircountermeasures
tharindunew
 

Viewers also liked (11)

Ceh v5 module 18 linux hacking
Ceh v5 module 18 linux hackingCeh v5 module 18 linux hacking
Ceh v5 module 18 linux hacking
 
Ceh v5 module 06 trojans and backdoors
Ceh v5 module 06 trojans and backdoorsCeh v5 module 06 trojans and backdoors
Ceh v5 module 06 trojans and backdoors
 
CATALOGUE QUESTEK (Tiếng Việt)
CATALOGUE QUESTEK (Tiếng Việt)CATALOGUE QUESTEK (Tiếng Việt)
CATALOGUE QUESTEK (Tiếng Việt)
 
CEH - Module4 : Enumeration
CEH - Module4 : EnumerationCEH - Module4 : Enumeration
CEH - Module4 : Enumeration
 
Enumerated data types in C
Enumerated data types in CEnumerated data types in C
Enumerated data types in C
 
Presentation buffer overflow attacks and theircountermeasures
Presentation buffer overflow attacks and theircountermeasuresPresentation buffer overflow attacks and theircountermeasures
Presentation buffer overflow attacks and theircountermeasures
 
Snmp mib oid тухай
Snmp mib oid  тухайSnmp mib oid  тухай
Snmp mib oid тухай
 
Anatomy Of Hack
Anatomy Of HackAnatomy Of Hack
Anatomy Of Hack
 
Ceh v5 module 16 virus and worms
Ceh v5 module 16 virus and wormsCeh v5 module 16 virus and worms
Ceh v5 module 16 virus and worms
 
Ceh v8 Labs - Module18: Buffer Overflow.
Ceh v8 Labs - Module18: Buffer Overflow.Ceh v8 Labs - Module18: Buffer Overflow.
Ceh v8 Labs - Module18: Buffer Overflow.
 
Penetration Testing Boot CAMP
Penetration Testing Boot CAMPPenetration Testing Boot CAMP
Penetration Testing Boot CAMP
 

Similar to Ceh v5 module 04 enumeration

Module 4 Enumeration
Module 4   EnumerationModule 4   Enumeration
Module 4 Enumeration
leminhvuong
 
Workshop on BackTrack live CD
Workshop on BackTrack live CDWorkshop on BackTrack live CD
Workshop on BackTrack live CD
amiable_indian
 
Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008
ClubHack
 
Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008
ClubHack
 
Web Server(Apache),
Web Server(Apache), Web Server(Apache),
Web Server(Apache),
webhostingguy
 
Web Server(Apache),
Web Server(Apache), Web Server(Apache),
Web Server(Apache),
webhostingguy
 
Module 8 System Hacking
Module 8   System HackingModule 8   System Hacking
Module 8 System Hacking
leminhvuong
 

Similar to Ceh v5 module 04 enumeration (20)

Module 4 Enumeration
Module 4   EnumerationModule 4   Enumeration
Module 4 Enumeration
 
File000125
File000125File000125
File000125
 
Workshop on BackTrack live CD
Workshop on BackTrack live CDWorkshop on BackTrack live CD
Workshop on BackTrack live CD
 
Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008
 
Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008
 
How to measure your security response readiness?
How to measure your security response readiness?How to measure your security response readiness?
How to measure your security response readiness?
 
Ch06.ppt
Ch06.pptCh06.ppt
Ch06.ppt
 
RemoteAdmin.pptx
RemoteAdmin.pptxRemoteAdmin.pptx
RemoteAdmin.pptx
 
File000126
File000126File000126
File000126
 
Module 4 (enumeration)
Module 4 (enumeration)Module 4 (enumeration)
Module 4 (enumeration)
 
Ce hv6 module 63 botnets
Ce hv6 module 63 botnetsCe hv6 module 63 botnets
Ce hv6 module 63 botnets
 
Network security
Network securityNetwork security
Network security
 
Web Server(Apache),
Web Server(Apache), Web Server(Apache),
Web Server(Apache),
 
Web Server(Apache),
Web Server(Apache), Web Server(Apache),
Web Server(Apache),
 
Networking Concepts Lesson 10 part 1 - Network Admin & Support - Eric Vanderburg
Networking Concepts Lesson 10 part 1 - Network Admin & Support - Eric VanderburgNetworking Concepts Lesson 10 part 1 - Network Admin & Support - Eric Vanderburg
Networking Concepts Lesson 10 part 1 - Network Admin & Support - Eric Vanderburg
 
OSMC 2009 | net-snmp: The forgotten classic by Dr. Michael Schwartzkopff
OSMC 2009 | net-snmp: The forgotten classic by Dr. Michael SchwartzkopffOSMC 2009 | net-snmp: The forgotten classic by Dr. Michael Schwartzkopff
OSMC 2009 | net-snmp: The forgotten classic by Dr. Michael Schwartzkopff
 
Class Presentation
Class PresentationClass Presentation
Class Presentation
 
Start Up Austin 2017: Security Crash Course and Best Pratices
Start Up Austin 2017: Security Crash Course and Best PraticesStart Up Austin 2017: Security Crash Course and Best Pratices
Start Up Austin 2017: Security Crash Course and Best Pratices
 
Module 8 System Hacking
Module 8   System HackingModule 8   System Hacking
Module 8 System Hacking
 
Hacking tutorial
Hacking tutorialHacking tutorial
Hacking tutorial
 

More from Vi Tính Hoàng Nam

More from Vi Tính Hoàng Nam (20)

CATALOG KBVISION (Tiếng Việt)
CATALOG KBVISION (Tiếng Việt)CATALOG KBVISION (Tiếng Việt)
CATALOG KBVISION (Tiếng Việt)
 
Catalogue 2015
Catalogue 2015Catalogue 2015
Catalogue 2015
 
Tl wr740 n-v4_user_guide_1910010682_vn
Tl wr740 n-v4_user_guide_1910010682_vnTl wr740 n-v4_user_guide_1910010682_vn
Tl wr740 n-v4_user_guide_1910010682_vn
 
CATALOGUE CAMERA GIÁM SÁT
CATALOGUE CAMERA GIÁM SÁTCATALOGUE CAMERA GIÁM SÁT
CATALOGUE CAMERA GIÁM SÁT
 
HƯỚNG DẪN SỬ DỤNG ĐẦU GHI QTD-6108
HƯỚNG DẪN SỬ DỤNG ĐẦU GHI QTD-6108HƯỚNG DẪN SỬ DỤNG ĐẦU GHI QTD-6108
HƯỚNG DẪN SỬ DỤNG ĐẦU GHI QTD-6108
 
Các loại cáp mạng
Các loại cáp mạngCác loại cáp mạng
Các loại cáp mạng
 
Catalogue 10-2014-new
Catalogue 10-2014-newCatalogue 10-2014-new
Catalogue 10-2014-new
 
Qtx 6404
Qtx 6404Qtx 6404
Qtx 6404
 
Camera QTX-1210
Camera QTX-1210Camera QTX-1210
Camera QTX-1210
 
Brochua đầu ghi hình QTD-6100 Series
Brochua đầu ghi hình QTD-6100 SeriesBrochua đầu ghi hình QTD-6100 Series
Brochua đầu ghi hình QTD-6100 Series
 
NSRT: Dụng cụ tháo đầu báo
NSRT: Dụng cụ tháo đầu báoNSRT: Dụng cụ tháo đầu báo
NSRT: Dụng cụ tháo đầu báo
 
SLV-24N: Đầu báo khói quang
SLV-24N: Đầu báo khói quangSLV-24N: Đầu báo khói quang
SLV-24N: Đầu báo khói quang
 
SLV-24N: Đầu báo khói quang
SLV-24N: Đầu báo khói quangSLV-24N: Đầu báo khói quang
SLV-24N: Đầu báo khói quang
 
PEX-xx: Bộ hiển thị phụ 5-210 zone cho tủ RPP, RPS, RPQ
PEX-xx: Bộ hiển thị phụ 5-210 zone cho tủ RPP, RPS, RPQPEX-xx: Bộ hiển thị phụ 5-210 zone cho tủ RPP, RPS, RPQ
PEX-xx: Bộ hiển thị phụ 5-210 zone cho tủ RPP, RPS, RPQ
 
HRA-1000: Hiển thị phụ cho TT HCP-1008E
HRA-1000: Hiển thị phụ cho TT HCP-1008EHRA-1000: Hiển thị phụ cho TT HCP-1008E
HRA-1000: Hiển thị phụ cho TT HCP-1008E
 
RPP-ABW: TT báo cháy 10-20 kênh
RPP-ABW: TT báo cháy 10-20 kênhRPP-ABW: TT báo cháy 10-20 kênh
RPP-ABW: TT báo cháy 10-20 kênh
 
RPP-ECW: TT báo cháy 3-5 kênh
RPP-ECW: TT báo cháy 3-5 kênhRPP-ECW: TT báo cháy 3-5 kênh
RPP-ECW: TT báo cháy 3-5 kênh
 
HCP-1008E: TT báo cháy 8-24 kênh
HCP-1008E: TT báo cháy 8-24 kênhHCP-1008E: TT báo cháy 8-24 kênh
HCP-1008E: TT báo cháy 8-24 kênh
 
HCV-2/4/8: TT báo cháy 2,4,8 kênh
HCV-2/4/8: TT báo cháy 2,4,8 kênhHCV-2/4/8: TT báo cháy 2,4,8 kênh
HCV-2/4/8: TT báo cháy 2,4,8 kênh
 
I phone v1.2_e
I phone v1.2_eI phone v1.2_e
I phone v1.2_e
 

Recently uploaded

Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 

Recently uploaded (20)

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 

Ceh v5 module 04 enumeration

  • 2. EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Module Objective This module will familiarize you with the following: Overview of System Hacking Cycle Enumeration Techniques for Enumeration Establishing Null Session Enumerating User Accounts Null User Countermeasures SNMP Scan SNMP Enumeration MIB SNMP Util Example SNMP Enumeration Countermeasures Active Directory Enumeration AD Enumeration Countermeasures
  • 3. EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Module Flow Overview of SHC Enumeration Establishing Null Session Enumerating User Accounts MIB Null User Countermeasures SNMP Scan AD Enumeration Countermeasures SNMP Util Example SNMP Enumeration Countermeasures Active Directory Enumeration SNMP Enumeration Techniques for Enumeration
  • 4. EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Overview of System Hacking Cycle Step 1: Enumerate users • Extract user names using Win 2K enumeration, SNMP probing Step 2: Crack the password • Crack the password of the user and gain access to the system Step 3: Escalate privileges • Escalate to the level of administrator Step 4: Execute applications • Plant keyloggers, spywares, and rootkits on the machine Step 5: Hide files • Use steganography to hide hacking tools, and source code Step 6: Cover your tracks • Erase tracks so that you will not be caught Enumerate Crack Escalate Execute Hide Tracks
  • 5. EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited What is Enumeration? Enumeration is defined as extraction of user names, machine names, network resources, shares, and services Enumeration techniques are conducted in an intranet environment Enumeration involves active connections to systems and directed queries The type of information enumerated by intruders: • Network resources and shares • Users and groups • Applications and banners • Auditing settings
• 6. Techniques for Enumeration
Some of the techniques for enumeration are:
• Extract user names using Win2k enumeration
• Extract user names using SNMP
• Extract user names using email IDs
• Extract information using default passwords
• Brute force Active Directory
• 7. NetBIOS Null Sessions
The null session is often referred to as the Holy Grail of Windows hacking
Null sessions take advantage of flaws in CIFS/SMB (Common Internet File System/Server Message Block)
You can establish a null session with a Windows (NT/2000/XP) host by logging on with a null user name and password
Using these null connections allows you to gather the following information from the host:
• List of users and groups
• List of machines
• List of shares
• User and host SIDs (Security Identifiers)
• 8. So What's the Big Deal?
Anyone with a NetBIOS connection to your computer can easily get a full dump of all your user names, groups, shares, permissions, policies, services, and more using the null user
The following syntax connects to the hidden Inter Process Communication "share" (IPC$) at IP address 192.34.34.2 with the built-in anonymous user (/u:"") and a null ("") password:
Windows: C:\> net use \\192.34.34.2\IPC$ "" /u:""
Linux: $ smbclient \\\\target\\ipc$ "" -U ""
The attacker now has a channel over which to attempt various techniques
The CIFS/SMB and NetBIOS standards in Windows 2000 include APIs that return rich information about a machine via TCP port 139, even to unauthenticated users
This works on Windows 2000/XP systems, but not on Windows 2003
• 9. Tool: DumpSec
DumpSec reveals shares over a null session with the target computer
• 10. NetBIOS Enumeration Using Netview
The Netview tool allows you to gather two essential bits of information:
1. List of computers that belong to a domain
2. List of shares on individual hosts on the network
The first thing a remote attacker will try on a Windows 2000 network is to get a list of hosts attached to the wire:
net view /domain
net view \\<some-computer>
nbtstat -A <some IP>
• 11. Nbtstat Enumeration Tool
Nbtstat is a Windows command-line tool that can be used to display information about a computer's NetBIOS connections and name tables
Run: nbtstat -A <some ip address>
C:\>nbtstat
Displays protocol statistics and current TCP/IP connections using NBT (NetBIOS over TCP/IP).
NBTSTAT [ [-a RemoteName] [-A IP address] [-c] [-n] [-r] [-R] [-s] [-S] [interval] ]
• 12. Tool: SuperScan4
A powerful connect-based TCP port scanner, pinger, and hostname resolver
• Performs ping scans and port scans using any IP range or a text file from which addresses are extracted
• Scans any port range from a built-in list or a specified range
• Resolves and reverse-lookups any IP address or range
• Modifies the port list and port descriptions using the built-in editor
• Connects to any discovered open port using user-specified "helper" applications (e.g., Telnet, web browser, FTP), and assigns a custom helper application to any port
• 13. Snapshot for Windows Enumeration
(Screenshot slide)
• 14. Tool: enum
Available for download from http://razor.bindview.com
enum is a console-based Win32 information enumeration utility
Using null sessions, enum can retrieve user lists, machine lists, share lists, name lists, group and membership lists, and password and LSA policy information
enum is also capable of rudimentary brute-force dictionary attacks on individual accounts
• 15. Enumerating User Accounts
Two powerful NT/2000 enumeration tools are:
1. sid2user
2. user2sid
They can be downloaded from www.chem.msu.su/~rudnyi/NT/
These are command-line tools that look up NT SIDs from user name input and vice versa
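To make the sid2user/user2sid point concrete from the defender's side, here is an added Python example (not from the EC-Council slides) that parses a Windows SID string into its authority, domain part and RID, and labels the well-known values. The takeaway it demonstrates is that the RID, not the display name, identifies built-in accounts such as RID 500, so renaming an account is not a control on its own; log triage should key on the SID. The sample SIDs and the label table are constructed for the example.

```python
"""Parse Windows SIDs and label well-known RIDs (added example, constructed data)."""
import re

# S-1-<authority>-<sub-authority>...  e.g. S-1-5-21-<d1>-<d2>-<d3>-<RID>
SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")

# Well-known RIDs inside a domain/machine SID (S-1-5-21-...-RID).
WELL_KNOWN_RIDS = {
    500: "Administrator (built-in)",
    501: "Guest (built-in)",
    512: "Domain Admins",
    513: "Domain Users",
    519: "Enterprise Admins",
}
# Well-known SIDs that are not tied to a domain.
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-7": "Anonymous Logon",
    "S-1-5-18": "Local System",
}


def parse_sid(sid):
    """Return authority, sub-authorities, domain SID, RID and a human label."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"malformed SID: {sid!r}")
    authority = int(m.group(1))
    subs = [int(x) for x in m.group(2).split("-")[1:]]
    info = {"authority": authority, "sub_authorities": subs,
            "domain_sid": None, "rid": None, "label": WELL_KNOWN_SIDS.get(sid)}
    # Domain and local machine accounts: NT authority (5), sub-authority 21,
    # three domain identifier words, then the relative identifier.
    if authority == 5 and len(subs) == 5 and subs[0] == 21:
        rid = subs[4]
        info["domain_sid"] = "S-1-5-21-" + "-".join(map(str, subs[1:4]))
        info["rid"] = rid
        if rid in WELL_KNOWN_RIDS:
            info["label"] = WELL_KNOWN_RIDS[rid]
        else:
            # RIDs from 1000 upward are allocated to accounts created later.
            info["label"] = "user-defined RID (>= 1000)" if rid >= 1000 else "reserved RID"
    return info


if __name__ == "__main__":
    # Constructed SIDs: a renamed built-in Administrator, a normal user, anonymous logon.
    for s in ("S-1-5-21-1111-2222-3333-500", "S-1-5-21-1111-2222-3333-1105", "S-1-5-7"):
        p = parse_sid(s)
        print(f"{s}: rid={p['rid']} domain={p['domain_sid']} -> {p['label']}")
```

In practice the same function is what you would run over the SID field of logon events: an alert keyed on RID 500 keeps working after the built-in account is renamed, whereas one keyed on the account name does not.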
• 16. Tool: GetAcct
GetAcct sidesteps "RestrictAnonymous=1" and acquires account information on Windows NT/2000 machines
Downloadable from www.securityfriday.com
• 17. Null Session Countermeasures
Null sessions require access to TCP port 139 and/or TCP port 445
Null sessions do not work with Windows 2003
You could also disable SMB services entirely on individual hosts by unbinding WINS Client (TCP/IP) from the interface
Edit the registry to restrict the anonymous user:
1. Open regedt32 and navigate to HKLM\SYSTEM\CurrentControlSet\Control\Lsa
2. Choose Edit | Add Value
• Value name: RestrictAnonymous
• Data type: REG_DWORD
• Value: 2
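Restricting anonymous access is the fix; confirming that nobody is still establishing null sessions is the follow-up. As an added example (not from the EC-Council slides), the Python script below picks anonymous network logons out of a Windows Security log export: a null session shows up on the target as event 4624 with Logon Type 3 and the Anonymous Logon identity (SID S-1-5-7, account "ANONYMOUS LOGON"). The pipe-delimited export format and the sample events are constructed for the example; real exports are EVTX or XML and would need a different parser.

```python
"""Flag anonymous (null session) network logons in a Security log export.

Added example, not part of the EC-Council slides. The export format
(EventID|Time|LogonType|SecurityID|AccountName|Domain|SourceIP) is an
assumption of this example, and SAMPLE_EVENTS is constructed data.
"""
from collections import Counter

ANONYMOUS_SID = "S-1-5-7"   # NT AUTHORITY\ANONYMOUS LOGON
NETWORK_LOGON = "3"         # Logon Type 3: SMB/IPC$ connections arrive this way

SAMPLE_EVENTS = """\
4624|2024-05-01T09:00:01|3|S-1-5-7|ANONYMOUS LOGON|NT AUTHORITY|10.20.30.40
4624|2024-05-01T09:00:02|3|S-1-5-21-1111-2222-3333-1105|jsmith|CORP|10.20.30.41
4624|2024-05-01T09:00:03|3|S-1-5-7|ANONYMOUS LOGON|NT AUTHORITY|10.20.30.40
4624|2024-05-01T09:00:04|2|S-1-5-21-1111-2222-3333-500|Administrator|CORP|-
4624|2024-05-01T09:00:05|3|S-1-5-7|ANONYMOUS LOGON|NT AUTHORITY|10.20.30.99
4625|2024-05-01T09:00:06|3|S-1-0-0|-|-|10.20.30.40
"""

FIELDS = ("event_id", "time", "logon_type", "sid", "account", "domain", "source_ip")


def parse_event(line):
    """Split one export line into a dict; malformed lines yield None."""
    parts = line.rstrip("\n").split("|")
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def is_null_session_logon(ev):
    """True for a successful network logon by the Anonymous Logon identity."""
    return (ev["event_id"] == "4624"
            and ev["logon_type"] == NETWORK_LOGON
            and (ev["sid"] == ANONYMOUS_SID
                 or ev["account"].upper() == "ANONYMOUS LOGON"))


def find_null_sessions(text):
    """Return the matching events and a per-source-IP count of them."""
    hits = []
    for line in text.splitlines():
        ev = parse_event(line)
        if ev and is_null_session_logon(ev):
            hits.append(ev)
    return hits, Counter(ev["source_ip"] for ev in hits)


if __name__ == "__main__":
    hits, by_source = find_null_sessions(SAMPLE_EVENTS)
    for src, n in by_source.most_common():
        print(f"{src}: {n} anonymous network logon(s)")
```

Baseline before alerting: on older networks some browsing and legacy services also produce anonymous network logons, so the useful signal is a source that is new, or one that touches many hosts in a short window, rather than any single event.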
• 18. PS Tools
PS Tools was developed by Mark Russinovich of SysInternals and contains a collection of enumeration tools. Some of the tools require user authentication to the system:
• PsExec - Executes processes remotely
• PsFile - Shows files opened remotely
• PsGetSid - Displays the SID of a computer or a user
• PsKill - Kills processes by name or process ID
• PsInfo - Lists information about a system
• PsList - Lists detailed information about processes
• PsLoggedOn - Shows who's logged on locally and via resource sharing
• PsLogList - Dumps event log records
• PsPasswd - Changes account passwords
• PsService - Views and controls services
• PsShutdown - Shuts down and optionally reboots a computer
• PsSuspend - Suspends processes
• PsUptime - Shows how long a system has been running since its last reboot
• 19. SNMP Enumeration
SNMP stands for Simple Network Management Protocol
Managers send requests to agents, and the agents send back replies
The requests and replies refer to variables accessible to agent software
Managers can also send requests to set values for certain variables
Traps let the manager know that something significant has happened at the agent's end of things:
• A reboot
• An interface failure
• Or, that something else that is potentially bad has happened
Enumerating NT users via the SNMP protocol is easy using snmputil
(Figure: Mgmt station sends GET/SET to the Agent; the Agent sends TRAP back to Mgmt)
• 20. Management Information Base
MIB provides a standard representation of the SNMP agent's available information and where it is stored
MIB is the most basic element of network management
MIB-II is the updated version of the standard MIB
MIB-II adds new SYNTAX types and adds more manageable objects to the MIB tree
Look for SNMP systems with the community string "public," which is the default for most systems
• 21. SNMPutil Example
(Screenshot slide)
• 22. Tool: Solarwinds
It is a set of network management tools
The tool set consists of the following:
• Discovery
• Cisco Tools
• Ping Tools
• Address Management
• Monitoring
• MIB Browser
• Security
• Miscellaneous
• 23. Tool: SNScan V1.05
It is a Windows-based SNMP scanner that can effectively detect SNMP-enabled devices on the network
It scans specific SNMP ports and uses public and user-defined SNMP community names
It is a handy tool for information gathering
• 24. Getif SNMP MIB Browser
(Screenshot slide)
• 25. UNIX Enumeration
Commands used to enumerate Unix network resources are as follows:
• showmount:
– Finds the shared directories on the machine
– [root $] showmount -e 19x.16x.xxx.xx
• finger:
– Enumerates the user and host
– Enables you to view the user's home directory, login time, idle times, office location, and the last time they received or read mail
– [root $] finger -l @target.hackme.com
• rpcinfo:
– Helps to enumerate the Remote Procedure Call protocol
– The RPC protocol allows applications to talk to one another over the network
– [root] rpcinfo -p 19x.16x.xxx.xx
• 26. SNMP UNIX Enumeration
An SNMP agent on the Unix platform can be enumerated using the snmpwalk tool
SNMP running on UDP port 161 can be found using the command:
• [root] # nmap -sU -p 161 19x.16x.1.60
• A query is passed to any MIB agent with snmpwalk (or snmpget for a single object):
– [root] # snmpwalk 19x.16x.x.xx public system.sysName.x
Countermeasures:
• Ensure proper configuration: do not leave the default community names "PUBLIC" and "PRIVATE" in place
• Implement SNMP v3, which is a more secure version
• 27. SNMP Enumeration Countermeasures
The simplest way to prevent such activity is to remove the SNMP agent or turn off the SNMP service
If shutting off SNMP is not an option, then change the default "public" community name
Implement the Group Policy security option called "Additional restrictions for anonymous connections"
Access to null session pipes, null session shares, and IPSec filtering should also be restricted
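The reason the "public" community name matters is that SNMPv1 and v2c send it in cleartext in every packet, so anyone who can see the traffic, or guess the default, can query the agent. The added Python example below (not from the EC-Council slides, and a minimal BER reader rather than a full SNMP implementation) decodes the version, community string, PDU type and requested OIDs from raw SNMP packets and flags default community names, which is what a network sensor would do over captured UDP/161 traffic. The packets are constructed by hand: a v1 GetRequest for sysName.0 with community "public", the same request with a non-default community, and the leading version field of a v3 message.

```python
"""Read the version and community string out of raw SNMP packets.

Added example, not part of the EC-Council slides. Minimal BER reader for
SNMPv1/v2c messages; the packets at the bottom are constructed for the demo.
"""

DEFAULT_COMMUNITIES = {"public", "private"}
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA3: "SetRequest"}


def read_tlv(buf, pos):
    """Read one BER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    """Decode a BER object identifier into dotted notation."""
    first = raw[0]
    parts = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in raw[1:]:  # base-128 digits, high bit set on all but the last
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(value)
            value = 0
    return ".".join(map(str, parts))


def parse_snmp(packet):
    """Return version, community, PDU type and requested OIDs of one message."""
    tag, body, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, ver, pos = read_tlv(body, 0)
    version = int.from_bytes(ver, "big")  # 0 = v1, 1 = v2c, 3 = v3
    if version == 3:  # v3 has no community string; authentication is in the USM header
        return {"version": 3, "community": None, "pdu": None, "oids": []}
    _, community, pos = read_tlv(body, pos)
    pdu_tag, pdu, _ = read_tlv(body, pos)
    pos = 0
    for _ in range(3):  # skip request-id, error-status, error-index
        _, _, pos = read_tlv(pdu, pos)
    _, varbinds, _ = read_tlv(pdu, pos)
    oids, pos = [], 0
    while pos < len(varbinds):
        _, vb, pos = read_tlv(varbinds, pos)
        _, oid_raw, _ = read_tlv(vb, 0)
        oids.append(decode_oid(oid_raw))
    return {"version": version, "community": community.decode("latin-1"),
            "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag)), "oids": oids}


def assess(packet):
    """One-line finding; a default community string is the thing to hunt for."""
    info = parse_snmp(packet)
    if info["version"] == 3:
        return "SNMPv3: no community string on the wire"
    if info["community"] in DEFAULT_COMMUNITIES:
        return (f"DEFAULT community '{info['community']}' sent in cleartext "
                f"({info['pdu']} for {', '.join(info['oids'])})")
    return f"cleartext community '{info['community']}' (non-default, still v{info['version'] + 1})"


# Constructed packets (bytes.fromhex ignores the whitespace).
# SNMPv1 GetRequest for sysName.0 (1.3.6.1.2.1.1.5.0), community "public".
V1_PUBLIC = bytes.fromhex(
    "30 26 02 01 00 04 06 7075626c6963"
    "a0 19 02 01 01 02 01 00 02 01 00"
    "30 0e 30 0c 06 08 2b06010201010500 05 00")
# The same request with the community changed to "n3t-mon1tor" (11 bytes).
V1_CUSTOM = bytes.fromhex(
    "30 2b 02 01 00 04 0b 6e33742d6d6f6e31746f72"
    "a0 19 02 01 01 02 01 00 02 01 00"
    "30 0e 30 0c 06 08 2b06010201010500 05 00")
# Only the leading version field of an SNMPv3 message is needed here.
V3_HEADER = bytes.fromhex("30 05 02 01 03 30 00")

if __name__ == "__main__":
    for pkt in (V1_PUBLIC, V1_CUSTOM, V3_HEADER):
        print(assess(pkt))
```

Note the third case: even with a non-default community, v1/v2c still expose it to anyone on the path, which is why the slide's "implement SNMP v3" countermeasure is the one that removes the exposure rather than just making it harder to guess.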
• 28. Tool: Winfingerprint
Winfingerprint is GUI-based
It has the option of scanning a single host or a continuous network block
It has two main windows:
• IP address range
• Windows options
Source: http://winfingerprint.sourceforge.net
• 29. Windows Active Directory Attack Tool
w2kdad.pl is a Perl script that attacks Active Directory on Windows 2000/2003
It enumerates users and passwords in a native W2k AD
There is an option to use SNMP to gather user data, as well as a DoS option to lock out every user found
A successful DoS attack will depend on whether or not the domain has account lockout enabled
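The lockout DoS described on this slide has a distinctive footprint on the domain controller: a burst of account-lockout events (4740) for many different accounts, all attributed to the same caller computer, within a short window. The added Python example below (not from the EC-Council slides) detects that pattern with a sliding window over a constructed export of 4740 events; the CSV-style format (time,account,caller_computer) is an assumption of the example, as are the threshold and window defaults.

```python
"""Detect account-lockout storms (event 4740) from one caller computer.

Added example, not part of the EC-Council slides. The export format
(time,account,caller_computer) and SAMPLE_4740 are constructed for the demo.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_4740 = """\
2024-05-01T09:00:00,alice,WS-ATTACK01
2024-05-01T09:00:05,bob,WS-ATTACK01
2024-05-01T09:00:09,carol,WS-ATTACK01
2024-05-01T09:00:14,dave,WS-ATTACK01
2024-05-01T09:00:20,erin,WS-ATTACK01
2024-05-01T09:31:00,frank,WS-HR07
2024-05-01T09:45:00,alice,WS-ATTACK01
"""


def parse_lockouts(text):
    """Return (timestamp, account, caller) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        ts, account, caller = line.split(",")
        events.append((datetime.fromisoformat(ts), account, caller))
    return sorted(events)


def lockout_storms(events, window=timedelta(minutes=5), threshold=3):
    """Map each caller that locked out >= threshold distinct accounts within
    `window` to the largest set of accounts seen in one such window."""
    by_caller = defaultdict(list)
    for ts, account, caller in events:
        by_caller[caller].append((ts, account))
    storms = {}
    for caller, items in by_caller.items():
        start = 0
        for end in range(len(items)):
            # Slide the window start forward until it fits within `window`.
            while items[end][0] - items[start][0] > window:
                start += 1
            accounts = {acct for _, acct in items[start:end + 1]}
            if len(accounts) >= threshold:
                storms[caller] = max(storms.get(caller, set()), accounts, key=len)
    return storms


if __name__ == "__main__":
    storms = lockout_storms(parse_lockouts(SAMPLE_4740))
    for caller, accounts in storms.items():
        print(f"{caller}: locked out {len(accounts)} accounts: {sorted(accounts)}")
```

A single user mistyping a password locks one account; a caller that locks several distinct accounts in minutes is either a misconfigured service or exactly the tool this slide describes, and in either case the response is to isolate the caller, not to raise the lockout threshold for everyone.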
• 30. IP Tools Scanner
IP Tools is a complete suite of 19 essential TCP/IP networking utilities that includes:
• Local Info
• Connections Monitor
• NetBIOS Scanner
• Shared Resources Scanner
• SNMP Scanner
• HostName Scanner
• Ports Scanner
• UDP Scanner
• Ping Scanner
• Trace
• LookUp
• Finger
• WhoIs
• Time Synchronizer
• Telnet client
• HTTP client
• IP-Monitor
• Hosts Monitor
• SNMP Trap Watcher
• 31. Enumerate Systems Using Default Passwords
Many devices like switches/hubs/routers might still be enabled with a "default password"
Try to gain access using default passwords
www.phenoelit.de/dpl/dpl.html contains an interesting list of passwords
• 32. Steps to Perform Enumeration
1. Extract user names using Win 2k enumeration
2. Gather information from the host using null sessions
3. Perform Windows enumeration using the tool SuperScan4
4. Get the user accounts using the tool GetAcct
5. Perform an SNMP port scan using the tool SNScan V1.05
• 33. Summary
Enumeration involves active connections to systems and directed queries
The types of information enumerated by intruders include network resources and shares, users and groups, and applications and banners
Crackers often use null sessions to connect to target systems
NetBIOS and SNMP enumerations can be disguised using tools such as snmputil and nat
Tools such as user2sid, sid2user, and userinfo can be used to identify vulnerable user accounts