Scanning and enumeration TO5 and TO6
RPC Enumeration
Remote procedure call allows client and server communication. Enumerating RPC endpoints (e.g. with nmap) may reveal vulnerable services listening on RPC ports
Active Scan
Transmits packets to nodes internally to determine exposed ports. Used to find and fix security flaws and to simulate attacks so that weak areas in the system can be identified and repaired
nmap --script banner 10.10.10.1
Grab a banner with an nmap command
What tools evade security measures when scanning ports/network?
ACK scan, fragmented packets, spoofed IP addresses, proxies
APT goal
Advanced Persistent Threat: gains access, then remains hidden
net use s: \\hostname\sharedfoldername
After connecting to a system and running the net view command, this command maps the available share to drive S: so its contents can be viewed
net view \\hostname
After connecting to a system via a null session, this command lists the shares available on that system
Host Based vulnerability test
Covers all types of user risk: malicious, untrained, vendors, administrators. May also test for weaknesses in databases, firewalls, files and servers, and flag configuration errors
Vulnerability Management Lifecycle
Baseline creation > Vulnerability assessment > Risk assessment > Remediation > Verification > Monitoring
TCP 21 -
File Transfer Protocol (FTP)
Misconfigurations
Cause: human error. Risk: unauthorized access. Check: outdated software, unnecessary services, external systems for incorrect authentication, disabled security settings, debug mode enabled on running applications
Preventing buffer overflows
Cause: more data is written than the application allotted; poor design. Risk: the overflow spills into other memory areas, exposing sensitive data, allowing an attacker to alter system files, and causing system instability. Check: if the system is crashing, add error checking
Unpatched server
Cause: not updating and patching. Risk: server access. Check: fix bugs, update, patch
Default settings
Cause: weak policy settings. Risk: easy network access for an attacker. Check: all settings, default SSIDs and admin passwords, password policy
Default user/pass
Change them frequently; good password policy measures prevent attacks
ACK scanning
Checks ports: both open and closed ports reply with RST when the port is unfiltered. A filtered port returns an ICMP error or no response
Open Services
Close unneeded ports to prevent DoS, information loss, and attacks on nodes
net use \\hostname\ipc$ "" /user:""
Command to connect to a system via a null session (empty username and password against the IPC$ share)
DNS Zone Transfers
Copies the DNS zone file from the primary to a secondary DNS server. Used to gather information: send a transfer request to the DNS server and it returns a portion of its database
Design Flaws
Design flaws such as broken authentication and access control, cross-site scripting, insufficient logging and monitoring, and incorrect encryption put the system at risk
Attack directory services
A directory service holds information used for network administration. Some directories are vulnerable to input-verification deficiencies and can be exploited with an automated brute-force attack
Attack SNMP
Exploits the default community strings for public and private access. Public: includes information about the device. Private: read/write access to the configuration, including usernames, network device info, routing tables, network traffic, and file transfers
nmap -sF (FIN), -sX (Xmas), -sN (Null)
FIN: sends packets with only the FIN flag set to identify open ports; can pass through firewalls. Xmas: sends packets with the FIN, URG (urgent) and PSH (push) flags set. Null: sends packets with no flags set
nmap --script ftp-anon --script-trace -p 21 10.10.10.196
Finds anonymous FTP logins (allowing anonymous FTP is a bad idea)
Retrieve system policies
Get information about the target by viewing its security policies. The method varies by OS
Application flaws
The greatest threats in transactional applications are flaws in the validation and authorization of users
nmap --script http-headers 10.10.10.1
nmap command to retrieve HTTP headers
HTTP
Hypertext Transfer Protocol
IP-Tools
IP-Tools has 20 scanning utilities, including SNMP Scanner, UDP Scanner, Trace, Finger, Telnet, IP-Monitor, and Trap Watcher. The program supports multitasking so that you can use all utilities at once. IP-Tools is designed to work on a Windows system.
IPSec enumeration
IPsec uses ESP (Encapsulating Security Payload), AH (Authentication Header) and IKE (Internet Key Exchange) to communicate between VPN endpoints. Enumeration tools can pull the hashing algorithm, authentication type and key distribution algorithm
Nessus scan
Identifies software flaws, malware, missing or outdated patches, and network configuration errors
Passive Scanning
Identifies weaknesses without interacting with the target network under normal circumstances. Scans constantly or at scheduled times
Idle Scan
A TCP port scan method that sends spoofed packets to a computer, via an idle "zombie" host, to find out which services are available. Also called a zombie scan
Finger, Null session, PsTools, Superscan
Linux enumeration tools
/etc/passwd /etc/shadow
Linux files used to retrieve usernames and password hashes
UID
Linux unique user identification number
GID (group ID)
Linux group ID. The primary group is usually stored in /etc/passwd; secondary group memberships are stored in /etc/group
Passive Testing
Looking for weaknesses by observation, with no direct network interaction. Sniffer traces from a remote system can determine the OS and network information. Example tool: Wireshark
nmap -sV 10.10.10.1
nmap -sV --script=banner <target> (also grabs the banner)
Looks for the versions of services running on a device so a hacker can check whether any known issues exist; adding the banner script also grabs the banner
Fragment packet
Most common way to avoid scan detection: breaking packets into smaller units, which the system lets pass
Windows SAM
Part of the system registry; stores all usernames and passwords as LM and NTLM hashes. Large networks use Active Directory instead of the SAM
Wireless network assessment (vuln test) -
Checks for patching errors, authentication and encryption problems, and unnecessary services, to prevent sniffing and other attacks
Scanner limitations
Point in time: data changes with time and activity levels, so the information is accurate only for the time of the test. New vulnerabilities: a scanner can only identify known issues
Anonymous logon; Batch (for scheduled tasks); Creator Owner (creator of the file or directory); Everyone (wide access to resources; all users are also in this group); Network (all users that access the network are members)
Preconfigured user groups
nmap -sR ipaddress/network
nmap -T4 -A ipaddress/network
RPC endpoint enumeration
Perform internal scans, keep tools up to date, and use a variety of tools
Reduce scanning vulnerabilities by
Misconfigurations, default settings, buffer overflows, unpatched servers, design flaws, OS flaws, application flaws, open services, default usernames/passwords
Research these areas to prevent attacks
OS Flaws
Risk: malware. Solution: firewalls, minimal application usage, regular system patches
SID Enumeration
The final number of a SID identifies the Microsoft user: 500 is the administrator account, 501 the guest account
TCP flags
SYN, ACK, FIN, RST, URG, PSH
Nessus, OpenVAS, Beyond Trust, InsightVM
Scanning vulnerability tools
Application assessment
Scrutinizes a completed application (when the source code is unavailable) for input controls and data processing
TCP 25 -
Simple Mail Transfer Protocol (SMTP). Transfers email between mail servers
TCP 80 -
HTTP. Web server communication
TCP 135 -
RPC (Remote Procedure Call) service in Windows for client-server communications
TCP 137 -
NetBIOS Name Service (NBNS), used to associate names with IP addresses
TCP 139 -
TCP 445 -
TCP 53 -
DNS name queries: IP-to-name and name-to-IP mapping
TCP 23 -
Telnet. Not used as frequently; connects to and runs services on remote systems
Active testing
Actively testing for weaknesses: sending custom packets to nodes to determine the OS, hosts, services, and other vulnerabilities. Nmap can be used
External assessment
Testing external systems from outside the network. Seeks open firewall ports, routers, web servers, web pages, and public DNS servers. Can include: looking for network maps; examining rule sets for external network/router configuration; detecting open ports; identifying DNS zones
Internal Assessment
Testing and analyzing internal processes and systems in the network, such as: physical security; open ports; scanning for malware; evaluating remote management processes; flaws and patches necessary on devices
DNS (Domain Name Services) zone transfers
UDP 53 -
SID Identification number
Unique string of numbers and letters used to identify each user and each group in Microsoft environments
VOIP Enumeration
VoIP uses SIP (Session Initiation Protocol) over UDP/TCP ports 2000, 2001, 5060 and 5061
Attack SMTP
Verifies the existence of specific email addresses; may reveal the list of users on a distribution list
Guest: installed but not enabled; has limited privileges. Administrator: disabled by default from Vista onward. Local Service: high access to the machine but low network access. Network Service: normal network access, limited access to the machine. System: unlimited access to the machine
Windows default users are
OpenVAS scan
Authentication testing, protocol testing, performance tuning. Can handle large-scale networks
nmap 10.10.10.0/24
Basic scan: scans every IP on the network and all ports. Takes a long time
nmap -sS 10.10.10.1 -oN scan.txt
cat scan.txt (brings up the saved results in the terminal)
Default SYN scan, saved to a text file
enumeration processes
Extract email IDs, use default passwords, attack directory services, exploit SNMP and SMTP, perform DNS zone transfers, retrieve system policies, enumerate IPsec, enumerate VoIP, enumerate RPC
nmap -F 10.10.10.0/24
Fast network scan: scans the 100 most common ports on each device
nmap --script whois-domain tampicoil.com
Find domain registration information with nmap
nc -v ipaddress
Grab a banner with netcat
Banner grabbing attack
A hacker transmits bogus connection requests to servers or applications to get information about the running services. Solution: disable banners, hide file extensions, enable custom error pages
Connect to host > send request to port > analyze network traffic
How to grab a banner
Beyond Trust
Identifies and prioritizes network vulnerabilities
SolarWinds
A command-line tool that provides a list of open, closed, or filtered ports
Angry IP Scanner
A network scanner. It scans local and remote networks over an IP range via a command-line interface
Colasoft
Packet-crafting software that can modify flags and adjust other packet content
Scany
A scanner application for iOS devices. It scans networks, websites, and ports to find open network devices. It can obtain domain and network names and includes basic networking utilities such as ping, traceroute, and whois
SNMP
Simple Network Management Protocol, used to manage devices such as routers, hubs, and switches
CurrPorts
Lists all open UDP and TCP/IP ports on your computer. It also provides information about the process that opened the port, the user who created the process, and the time the port was opened
Enumeration (define)
Method for gathering information from a system to learn about its configuration, software, and services. Could be illegal; starts the active reconnaissance phase
nmap -O 10.10.10.0
OS detection scan; may reveal information about the operating system a system is running
What is a null session
No credentials are used to connect to a Windows system. A null session can be enumerated for users, groups, machines, shares, and host SIDs
SolarWinds Network Topology Manager
Provides automated network discovery and mapping
Spoofing IP to avoid detection
Re-craft the packet to hide the true source IP by adopting another
NetAuditor
Reports on, manages, and diagrams network configurations
finger -l user@host
Retrieves information about all users on a remote system
finger -s username
Retrieves the login name, real name, terminal name, write status, idle time, login time, office location and office number for a single user on a Linux system
finger -s
Retrieves the login name, real name, terminal name, write status, idle time, login time, office location and office number for all users on a Linux system
nmap -sU 10.10.10.1
Scans for UDP ports on a device
nmap 10.10.10.1 -p80-443
Scans ports within a specified range
hping3
Sends packets across a network and can also craft custom packets to analyze a host. In addition to normal ICMP pings, hping3 supports TCP and UDP, has a traceroute mode, and can send and receive files. It was primarily designed for Linux but has cross-platform capabilities
Banner grabbing tools
telnet, Netcraft, p0f, nmap
/usr/share/nmap/scripts
Where to find nmap scripts