Ethical Hacking Module 8 Notes


Enumeration Tools

- Use Hyena (SystemTools) for Windows and Active Directory enumeration (users, groups, shares, services)
- Perform SNMP enumeration using IP Network Browser (SolarWinds); this only works where a read community string is known or guessable, so also check that devices do not still use "public"

Vulnerability Scanners

- Use Nikto for web server vulnerability scanning (dangerous files, outdated server versions, misconfigured options on a single HTTP/HTTPS target)
- Perform network vulnerability scanning using OpenVAS (authenticated or unauthenticated scans against a range of hosts)
- Use Lynis for local system hardening audits (run on the host itself, not across the network)

NetBIOS Extended User Interface (NETBEUI)

A lightweight, non-routable transport that carries NetBIOS frames on a single LAN segment and needs almost no configuration. It is distinct from NetBIOS over TCP/IP (NBT), which wraps NetBIOS in UDP/TCP (ports 137, 138 and 139) so that it can cross routed networks. NetBEUI itself was dropped from Windows after Windows XP and Server 2003, so on current systems NetBIOS traffic, where it still exists, runs over TCP/IP; NBT remains enabled on most adapters unless it is disabled explicitly or by a DHCP option, which is why ports 137-139 still show up on internal scans.

Common Internet File System (CIFS)

Microsoft's late-1990s name for its SMB 1.0 dialect (the "NT LM 0.12" dialect used from Windows NT 4 and Windows 2000 onward); the original SMB negotiation was kept so that older clients still worked. CIFS is a remote file system protocol: files, folders, printers, and other resources on one computer are made available to users across the network. For sharing to occur, the network needs an infrastructure for placing these resources on the network and a method for controlling access to them. CIFS relies on other protocols for service announcements (telling users which resources are available) and for the authentication and authorization that gate access to those resources. CIFS is also available for many *nix systems through Samba. The "Internet" in the name is historical; SMB was never safe to expose to the Internet, and it is a LAN protocol in practice. CIFS/SMB1 is now obsolete: it is deprecated, it is not installed by default on current Windows versions, and SMB 3.x is used instead. SMB1 may still be found on legacy systems or on old appliances used for file sharing between Linux/Unix and Windows, and those are exactly the hosts worth flagging in an assessment.

Mandatory Access Control (MAC)

An OS security mechanism in which the operating system enforces a system-wide policy on interactions between processes, files, and users, and neither users nor the processes they own can loosen it (unlike discretionary access control, where the owner of a file decides who may use it). SELinux and AppArmor are the common Linux implementations. If a service on a system running SELinux in enforcing mode is compromised, the intruder is confined to what the policy allows that service to touch, so it is less likely that they can take complete control of the system.

Remote Procedure Call (RPC)

An interprocess communication mechanism that allows a program running on one host to run code on a remote host. On Windows, the RPC endpoint mapper listens on TCP port 135 and hands clients the dynamic port of the service they want; DCOM, WMI, and many Active Directory services are built on it, which is why port 135 appears on every domain controller and why it is a frequent enumeration target.

Chkrootkit

A shell script that looks for signs of known rootkits on *nix systems (modified system binaries, hidden processes, suspicious kernel modules, tampered logs). Because a rootkit can subvert the tools on the host it infects, run it with known-good binaries from read-only media and treat a clean result as "nothing known was found", not as proof the system is clean.

Common Windows Server Configuration and Security Issues (3)

SQL Server configuration:
- Check the SQL Server authentication mode (Windows authentication only vs. mixed mode) to make sure it matches security requirements; mixed mode makes the sa login and other SQL logins usable.
- Keep the number of sysadmin role members to the minimum; every member has full control of the instance and, through it, of the host.

Desktop application configuration:
- IE security zone settings for each local user should match company policy (the same WinINET zone settings also govern Office and other applications).
- Is IE Enhanced Security Configuration enabled for Administrator accounts, and is it configured to be secure? Administrator accounts should avoid browsing the Internet, and their sessions need to be tightly restricted.
- Is IE Enhanced Security Configuration enabled for non-Administrator accounts? This setting must be configured to match company policy and not accidentally left at the default.
- What are the Microsoft Office security zone settings for each local user? These should be set to match company policy and not accidentally left at default settings.

Windows Server Update Services (WSUS)

WSUS is a client/server technology designed to manage patching and updating system software from the network. Instead of each computer downloading updates from Microsoft, the WSUS server downloads patches once and publishes them internally to servers and desktop systems. Unlike Automatic Updates, which downloads and installs whatever Microsoft releases, the administrator controls which updates are approved and deployed. This is a major advantage, because some updates cause problems with certain network and application configurations and should be tested before being deployed. Clients are pointed at the WSUS server through Group Policy (the WUServer setting); that URL should use HTTPS, because an update channel over plain HTTP lets anyone on the network path substitute what the clients install.

Systems Management Server (SMS)

Was the standard for managing Windows security patches on multiple computers in a network. The service assessed machines in a defined domain and could be configured to manage patch deployment. It has been superseded by System Center Configuration Manager and its successors.

Samba

With Samba, *nix servers can share resources with Windows clients, and Windows clients can access a *nix resource without realizing that the resource is on a *nix computer. Samba has been ported to non-*nix systems, too, including OpenVMS, NetWare, and AmigaOS. Security professionals should have a basic knowledge of SMB and Samba because many companies have a mixed environment of Windows and *nix systems. To access a *nix resource from a Windows computer, the *nix side runs the Samba server (smbd) and the Windows side uses its built-in SMB client; current Samba negotiates SMB2/SMB3, so the obsolete SMB1/CIFS dialect does not need to be enabled on either system. On networks that require *nix computers to access Windows resources, Samba's client tools are used in the other direction. It is not a hacking tool; the product was designed to let *nix computers present *nix resources to Windows services as though they were Windows resources. A *nix client can connect to a Windows shared printer and vice versa when Samba is configured on the *nix computer. Most current Linux distributions include Samba as an optional package, so you don't need to download, install, and compile it.

Center for Internet Security

Offers free benchmark documents (secure configuration baselines with step-by-step settings) for Windows, Linux, and many other platforms and applications. They are a practical checklist for the configuration issues listed on this page.

System Center Configuration Manager (SCCM)

SCCM includes a suite of tools to help administrators deploy and manage servers and workstations alongside updated patch-management functionality. SCCM also allowed administrators to control mobile devices running Android, iOS, and Windows Mobile; the product is now called Microsoft Configuration Manager, and mobile device management has moved to Intune.

Common Windows Server Configuration and Security Issues (2)

IIS (Internet Information Services):
- Has the IIS Lockdown tool been run? It applies to IIS 5 and earlier (servers older than Windows Server 2003); later versions build its restrictions in.
- Are IIS sample applications and the IIS Admin virtual folder installed? These are default installation items and should be removed or secured.
- Are IIS parent paths enabled? If so, this default setting should be evaluated or disabled, because it lets scripts reach outside their web root with "..".
- The MSADC and Scripts virtual directories are installed by default and should be removed or disabled.
- IIS logging should be enabled.
- IIS should not be running on a domain controller.

SQL Server:
- Does the Administrators group belong to the sysadmin role? This may be a default configuration. If it is not intended, remove the Administrators group.
- Make sure the CmdExec subsystem (SQL Agent jobs that run OS commands) is restricted to sysadmin only.
- SQL Server should not be running on a domain controller.
- The sa account password should not be default or blank, and the Guest account should not have database access.
- Access permissions on the SQL Server installation folders should not be left at default settings.
- The Everyone group should not have access to the SQL Server registry keys.
- SQL Server service accounts should not be members of the local Administrators group. If the service is compromised, the attacker would otherwise have admin access to the host.
- SQL Server accounts should not have blank or simple passwords.
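The SQL Server and IE Enhanced Security Configuration items from the two configuration cards above, as a read-only audit script. This is an added example, not code from the original notes or from Microsoft. The instance name is an assumption; run it as a Windows login that can read sys.server_principals (PWDCOMPARE additionally needs CONTROL SERVER). It uses System.Data.SqlClient directly, so the SqlServer PowerShell module is not required.

```powershell
# Added example: audit SQL Server authentication mode, sysadmin membership, the sa
# login and xp_cmdshell, then the IE Enhanced Security Configuration (ESC) state.
# $Instance is an assumption; point it at the instance under review.
param([string]$Instance = 'localhost')

function Invoke-SqlQuery {
    param([string]$Query)
    # Integrated security only: never embed a SQL password in an audit script.
    $conn = New-Object System.Data.SqlClient.SqlConnection("Server=$Instance;Integrated Security=SSPI")
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $Query
        $rdr = $cmd.ExecuteReader()
        while ($rdr.Read()) {
            $row = @{}
            for ($i = 0; $i -lt $rdr.FieldCount; $i++) { $row[$rdr.GetName($i)] = $rdr.GetValue($i) }
            [pscustomobject]$row
        }
    } finally { $conn.Close() }
}

# Authentication mode: 1 = Windows authentication only, 0 = mixed mode.
$winOnly = (Invoke-SqlQuery "SELECT CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int) AS WinOnly").WinOnly
if ($winOnly -eq 1) { 'Authentication mode: Windows only' }
else { 'FINDING: mixed-mode authentication (sa and SQL logins are usable)' }

# Sysadmin role membership: should be minimal and should not include BUILTIN\Administrators.
$sysadminQuery = @"
SELECT m.name, m.type_desc
FROM sys.server_role_members rm
JOIN sys.server_principals r ON rm.role_principal_id = r.principal_id
JOIN sys.server_principals m ON rm.member_principal_id = m.principal_id
WHERE r.name = 'sysadmin'
"@
$sysadmins = @(Invoke-SqlQuery $sysadminQuery)
"Sysadmin members: {0}" -f $sysadmins.Count
$sysadmins | Format-Table name, type_desc -AutoSize
if ($sysadmins | Where-Object name -eq 'BUILTIN\Administrators') {
    'FINDING: local Administrators group holds the sysadmin role'
}

# sa (sid 0x01): should be disabled or renamed; PWDCOMPARE checks for a blank
# password against the stored hash without attempting a login.
$sa = Invoke-SqlQuery "SELECT name, is_disabled, PWDCOMPARE('', password_hash) AS BlankPw FROM sys.sql_logins WHERE sid = 0x01"
if ($sa.name -eq 'sa')        { 'FINDING: sa login has not been renamed' }
if (-not $sa.is_disabled)    { "FINDING: login '$($sa.name)' is enabled" }
if ($sa.BlankPw -eq 1)        { "FINDING: login '$($sa.name)' has a blank password" }

# xp_cmdshell is the direct route from a SQL login to OS command execution; it
# should be off unless there is a documented need (related to the CmdExec item).
$cmdshell = Invoke-SqlQuery "SELECT CAST(value_in_use AS int) AS Enabled FROM sys.configurations WHERE name = 'xp_cmdshell'"
if ($cmdshell.Enabled -eq 1) { 'FINDING: xp_cmdshell is enabled' }

# IE ESC state lives under Active Setup; IsInstalled = 1 means ESC is on.
# The two GUIDs are the well-known Administrators and Users components.
$escRoot = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
$esc = @{
    Administrators = '{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'
    Users          = '{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}'
}
foreach ($group in $esc.Keys) {
    $v = (Get-ItemProperty -Path "$escRoot\$($esc[$group])" -ErrorAction SilentlyContinue).IsInstalled
    $state = if ($null -eq $v) { 'not present on this SKU' }
             elseif ($v -eq 1)  { 'enabled' }
             else               { 'DISABLED (compare with policy)' }
    "IE ESC for {0}: {1}" -f $group, $state
}
```

Everything here is a read; the script changes nothing, so it is safe to run during an assessment. Findings are printed as plain lines so they can be pasted into a report, and the sa check deliberately uses PWDCOMPARE rather than a login attempt so that it leaves no failed-logon noise in the SQL error log.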

Server Message Block (SMB)

Is used to share files and printers. SMB runs either over NetBIOS (TCP port 139, or historically over NetBEUI on a single segment) or directly over TCP port 445, which is what every current Windows version uses. UDP 137 and 138 (NetBIOS name and datagram services) and TCP 139 and 445 should be filtered at the network perimeter and blocked on hosts that do not need to serve files, to protect the network from SMB attacks; SMB1 should be disabled outright, since the deprecated dialect has been the vehicle for most widely exploited SMB flaws.
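A hardening script for the NetBIOS, CIFS/SMB1, and SMB port points made in the three cards above. This is an added example written for these notes, not code from the original page; it assumes an elevated PowerShell session on the Windows host being hardened, and the choice to block inbound SMB only on the Private and Public profiles (leaving the Domain profile alone) is an assumption to adjust to the host's role.

```powershell
# Added example: inventory NetBIOS over TCP/IP per adapter, turn it off, disable
# SMB1, and block inbound NetBIOS/SMB on the profiles where it is never needed.
# Run elevated. Profile choice (Private,Public) is an assumption.

# 1. Which IP-enabled adapters still run NetBIOS over TCP/IP?
#    TcpipNetbiosOptions: 0 = take the setting from DHCP (enabled unless DHCP
#    says otherwise), 1 = enabled, 2 = disabled.
Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    Select-Object Description, IPAddress, TcpipNetbiosOptions |
    Format-Table -AutoSize

# 2. Disable NetBIOS over TCP/IP on every IP-enabled adapter (closes 137-139).
#    ReturnValue 0 = applied, 1 = applied but a reboot is required.
Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object {
        $result = Invoke-CimMethod -InputObject $_ -MethodName SetTcpipNetbios `
                      -Arguments @{ TcpipNetbiosOptions = 2 }
        "{0}: SetTcpipNetbios returned {1}" -f $_.Description, $result.ReturnValue
    }

# 3. Is the SMB1 (CIFS) dialect still enabled on the server side? Turn it off.
#    Clients that can only speak SMB1 will then fail to connect, which is the point:
#    find and fix those clients rather than keep the dialect alive for them.
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol, EnableSMB2Protocol
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# 4. Block inbound NetBIOS/SMB on the Private and Public profiles (assumption:
#    the host only serves files to domain-joined peers on the Domain profile).
$rules = @(
    @{ Name = 'Block NetBIOS NS/DGM (UDP 137-138)'; Proto = 'UDP'; Port = '137-138' },
    @{ Name = 'Block NetBIOS Session (TCP 139)';    Proto = 'TCP'; Port = '139' },
    @{ Name = 'Block SMB (TCP 445)';                Proto = 'TCP'; Port = '445' }
)
foreach ($r in $rules) {
    if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Action Block `
            -Protocol $r.Proto -LocalPort $r.Port -Profile Private,Public | Out-Null
    }
}

# 5. Confirm the result.
Get-NetFirewallRule -DisplayName 'Block *' |
    Select-Object DisplayName, Enabled, Profile, Action | Format-Table -AutoSize
```

Step 2 takes effect per adapter immediately on most systems, but a ReturnValue of 1 means the change waits for a reboot; verify afterwards with an external scan of 137-139/445 rather than trusting the script's own output. Disabling SMB1 on a file server will break any remaining SMB1-only clients (old NAS boxes, printers, embedded devices), so check the server's SMB1 audit log or run Get-SmbSession first if that would be disruptive.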

Common Windows Server Configuration and Security Issues (1)

Security updates missing:
- Missing Windows, IIS, and SQL Server security updates
- Missing Exchange Server security updates
- Missing IE security updates
- Missing Windows Media Player and Office security updates
- Missing Microsoft Virtual Machine (VM) and Microsoft Data Access Components (MDAC) security updates
- Missing MSXML and Content Management Server security updates

Windows configuration:
- Account password expiration left at default settings and not matching company policy (30 days, etc.). Change it to match company policy.
- Blank or simple passwords used for local user accounts. Change them to match the company password policy.
- Insecure file system on hard drives: FAT in use where NTFS should be used to provide ACLs. Convert to NTFS if possible.
- Auto Logon feature enabled. Disable it if it is not required; it stores the logon password in the registry.
- The number of local Administrator accounts should be 1 or 2 at most.
- Is the Guest account enabled? Disable it if it is not required.
- The RestrictAnonymous registry setting should be set to disallow anonymous (null session) enumeration unless there is a business requirement for it.
- List the shares on the computer and any unnecessary services running. Make sure shares require credentials and have tight permissions, and stop unnecessary services.
- Windows version and whether Windows auditing is enabled. Is the Windows version still supported by updates? Auditing creates log entries to track file access and logons; is it set to meet company policy?
- Firewall status and Automatic Updates status. Is the firewall enabled and configured to match company policy, or left at defaults? Are automatic updates configured to match company policy?
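A read-only script covering the checkable items in the Windows configuration list above, plus the WSUS client setting discussed in the WSUS card. This is an added example for these notes, not code from the original page. It assumes an elevated session on the host under review; the limit of two local administrators and the expectation that the WSUS URL uses HTTPS are this script's own assumptions, taken from the text.

```powershell
# Added example: collect findings for local Windows configuration items.
# Assumptions: run elevated; at most $MaxLocalAdmins local admins; WSUS over HTTPS.
$MaxLocalAdmins = 2
$findings = New-Object System.Collections.Generic.List[string]
function Add-Finding([string]$Msg) { $script:findings.Add($Msg) }

# Auto logon: DefaultPassword in this key is plaintext, readable by any local admin.
$wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
if ($wl.AutoAdminLogon -eq '1') { Add-Finding "AutoAdminLogon enabled for user '$($wl.DefaultUserName)'" }
if ($wl.DefaultPassword)        { Add-Finding 'DefaultPassword present in the Winlogon key (plaintext)' }

# Guest account, accounts allowed to have no password, and local admin count.
$guest = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
if ($guest -and $guest.Enabled) { Add-Finding 'Guest account is enabled' }
Get-LocalUser | Where-Object { $_.Enabled -and -not $_.PasswordRequired } |
    ForEach-Object { Add-Finding "Account '$($_.Name)' is enabled and does not require a password" }
$admins = @(Get-LocalGroupMember -Group 'Administrators')
if ($admins.Count -gt $MaxLocalAdmins) {
    Add-Finding ("Administrators group has {0} members: {1}" -f $admins.Count, ($admins.Name -join ', '))
}

# Anonymous access: a missing RestrictAnonymous value means 0 (enumeration allowed).
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
if ($lsa.RestrictAnonymous -lt 1)    { Add-Finding "RestrictAnonymous = $($lsa.RestrictAnonymous) (null-session enumeration allowed)" }
if ($lsa.RestrictAnonymousSAM -ne 1) { Add-Finding 'RestrictAnonymousSAM is not explicitly 1' }

# Shares: non-administrative shares that grant Everyone anything need a justification.
Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
    $share = $_
    Get-SmbShareAccess -Name $share.Name |
        Where-Object { $_.AccountName -eq 'Everyone' -and $_.AccessControlType -eq 'Allow' } |
        ForEach-Object { Add-Finding "Share '$($share.Name)' ($($share.Path)) grants Everyone $($_.AccessRight)" }
}

# File system: FAT/FAT32/exFAT volumes carry no ACLs at all.
Get-Volume | Where-Object { $_.DriveLetter -and ($_.FileSystem -in 'FAT', 'FAT32', 'exFAT') } |
    ForEach-Object { Add-Finding "Volume $($_.DriveLetter): is $($_.FileSystem), not NTFS" }

# Firewall profiles: all three should be on.
Get-NetFirewallProfile | Where-Object { -not $_.Enabled } |
    ForEach-Object { Add-Finding "Firewall profile '$($_.Name)' is disabled" }

# Windows Update / WSUS policy: UseWUServer=1 points the client at WUServer.
$wu = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'    -ErrorAction SilentlyContinue
$au = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
if ($au.UseWUServer -eq 1 -and $wu.WUServer) {
    if ($wu.WUServer -notmatch '^https://') {
        Add-Finding "WSUS server '$($wu.WUServer)' is reached over plain HTTP (updates can be substituted on the network)"
    }
} else {
    Add-Finding 'No WSUS server configured by policy; verify how this host receives updates'
}

# Report.
if ($findings.Count -eq 0) { 'No findings.' }
else { "{0} finding(s):" -f $findings.Count; $findings | ForEach-Object { " - $_" } }
```

The script reads registry values, local accounts, shares, volumes, and firewall profiles and changes nothing. Password expiration policy and the audit policy are deliberately left out because they are easier to read with net accounts and auditpol /get /category:* than to parse; run those two commands alongside the script and compare the output with company policy.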

Domain Controllers

Servers that handle authentication. Windows domain controllers authenticate user accounts and hold the directory, so they contain much of the information attackers want. By default, Windows domain controllers listen on the following ports:
- DNS (port 53)
- HTTP (port 80) and HTTPS (port 443), only when a web role such as certificate web enrollment is installed
- Kerberos (port 88)
- RPC endpoint mapper (port 135)
- NetBIOS Name Service (UDP port 137) and NetBIOS Datagram Service (UDP port 138)
- NetBIOS Session Service (TCP port 139)
- LDAP (port 389)
- SMB/CIFS (port 445)
- LDAP over SSL (port 636)
- Active Directory global catalog (port 3268, and 3269 over SSL)

Windows domain controllers are usually also global catalog (GC) servers. Global catalog servers are used to locate resources in a forest containing thousands or even millions of objects. For example, if a user wants to locate a printer with the word "color" in its description, the client queries a GC server, which holds a partial copy of every object's attributes (such as the resource's name and location) and points the user to the network resource. Domain controllers also register SRV records in DNS (for example _ldap._tcp.dc._msdcs.<domain>), which is the quickest way to find all of them.
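The domain controller enumeration described above, as an added example written for these notes (not code from the original page): it finds the domain controllers through the SRV records they register in DNS, marks which are global catalog servers, and probes the TCP ports from the list on each one. The domain name is an assumption, and the port list adds 3269 (global catalog over SSL) to the ones the card names. Use it only against domains you are authorized to test.

```powershell
# Added example: locate DCs via DNS SRV records and probe the DC ports listed above.
# $Domain is an assumption. UDP 137/138 are not probed (TCP connect only).
param([string]$Domain = 'corp.example.com')

$DcPorts = @{
    53   = 'DNS'
    80   = 'HTTP (web role only)'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    139  = 'NetBIOS session'
    389  = 'LDAP'
    443  = 'HTTPS (web role only)'
    445  = 'SMB'
    636  = 'LDAPS'
    3268 = 'Global catalog'
    3269 = 'Global catalog over SSL'
}

function Test-TcpPort([string]$HostName, [int]$Port, [int]$TimeoutMs = 1500) {
    # Connect with a timeout so a filtered port does not stall the scan.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $task = $client.ConnectAsync($HostName, $Port)
        return ($task.Wait($TimeoutMs) -and $client.Connected)
    } catch {
        return $false   # refused or unreachable: Wait() throws an AggregateException
    } finally {
        $client.Dispose()
    }
}

# Every DC registers _ldap._tcp.dc._msdcs.<domain>; GC servers also register _gc._tcp.<domain>.
# Resolve-DnsName returns the additional A records too, hence the filter on record type.
$dcs = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
       Where-Object { $_.Type -eq 'SRV' } | Select-Object -ExpandProperty NameTarget -Unique
$gcs = @(Resolve-DnsName -Name "_gc._tcp.$Domain" -Type SRV -ErrorAction SilentlyContinue |
         Where-Object { $_.Type -eq 'SRV' } | Select-Object -ExpandProperty NameTarget -Unique)

foreach ($dc in $dcs) {
    $open = foreach ($port in ($DcPorts.Keys | Sort-Object)) {
        if (Test-TcpPort -HostName $dc -Port $port) { "$port/$($DcPorts[$port])" }
    }
    [pscustomobject]@{
        DomainController = $dc
        GlobalCatalog    = ($gcs -contains $dc)
        OpenPorts        = ($open -join ', ')
    }
}
```

Reading the output: a host that answers on 88, 389 and 3268 is a DC acting as a global catalog; 80 or 443 open on a DC is worth a second look, since a domain controller should not be carrying web roles. Because the script only does TCP connects, it is noisy in the same way a port scanner is, and every connection shows up in the DC's firewall log.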
