Scanning and enumeration TO5 and TO6


RPC Enumeration

Remote Procedure Call (RPC) allows client and server communication. Enumerating RPC endpoints with nmap commands might reveal vulnerable services on open ports.

Active Scan

Transmits to nodes internally to determine exposed ports. Can find and repair security flaws and simulate attacks to identify and fix weak areas in the system.

'nmap --script banner 10.10.10.1'

Grab a banner with an nmap command

What tools evade security measures when scanning ports/network?

ACK scan, fragmented packets, spoofed IP addresses, proxies

APT goal

Advanced Persistent Threat: gains access > remains hidden

net use s: \\hostname\sharedfoldername

After connecting to a system and running the net view command, this command maps the available share to drive S: so it can be accessed

net view \\hostname

After connecting to a system via a null session, this command can be used to view the available shares on the system

Host Based vulnerability test

All types of user risks: malicious, untrained, vendor, administrators. May also test for weaknesses in databases, firewalls, files, and servers, and flag configuration errors

Vulnerability Management Lifecycle

Baseline creation > Vulnerability assessment > Risk assessment > Remediation > Verification > Monitoring

TCP 21 -

File Transfer Protocol (FTP)

Misconfigurations

Cause: human error. Risk: unauthorized access. Check: outdated software, unnecessary services, external systems for incorrect authentication, disabled security settings, debug enabled on running applications

Preventing buffer overflows

Cause: more data is stored than allotted in an application; poor design. Risk: overflows spill into other memory areas, exposing sensitive data, allowing system file alterations by a hacker, and causing system instability. Check: if the system is crashing, do error checking

Unpatched server

Cause: not updating and patching. Risk: server access. Check: fix bugs, update, patch

Default settings

Cause: weak policy settings. Risk: easy access to the network by an attacker. Check: all settings, default SSIDs and admin passwords, password policy

Default user/pass

Change them frequently; good password policy measures prevent attacks

ACK scanning

Checks whether ports are filtered: open and closed ports both reply with RST if the port is unfiltered; a filtered port returns an error or no response

Open Services

Close unneeded ports to prevent DoS, loss of secure information, and attacks on nodes

net use \\hostname\ipc$ "" /user:""

Command to connect to a system via a null session (empty password and empty user name against the IPC$ share)

DNS Zone Transfers

Copies the DNS zone file from the primary to the secondary DNS server. Used to get information by sending a transfer request to the DNS server > the DNS server sends a portion of its database back

Design Flaws

Design flaws like broken authentication and access control, cross-site scripting, insufficient logging and monitoring, and incorrect encryption put the system at risk

Attack directory services

Directory services hold information used for network administration. Some directories are vulnerable to input verification deficiencies; an automated brute-force attack is used to exploit them

Attack SNMP

Exploit the default configuration passwords (community strings) for public and private access. Public: includes info about the device. Private: read/write access to the config, including usernames, network device info, routing tables, network traffic, file transfers

NMAP -sF (FIN), -sX (Xmas), -sN (Null)

FIN: sends FIN packets, acknowledges all the available open ports, passes through firewalls. Xmas: sends FIN packets with the Urgent (URG) and Push (PSH) flags also set. Null: sends packets with all flags turned off.

'nmap --script ftp-anon --script-trace -p 21 10.10.10.196'

Find anonymous FTP logins (allowing them is a bad idea)

Retrieve system policies

Get info about the target by viewing its security policies. Method varies based upon the OS

Application flaws

The greatest threats in transactional applications are flaws in the validation and authorization of users

'nmap --script http-headers 10.10.10.1'

HTTP headers nmap command

HTTP

Hypertext Transfer Protocol

IP-Tools

IP-Tools has 20 scanning utilities, including SNMP Scanner, UDP Scanner, Trace, Finger, Telnet, IP-Monitor, and Trap Watcher. The program supports multitasking so that you can use all utilities at once. IP-Tools is designed to work on a Windows system.

IPSec enumeration

IPsec uses ESP (Encapsulating Security Payload), AH (Authentication Header), and IKE (Internet Key Exchange) to communicate between VPN endpoints. Exploitation tools pull the hashing algorithm, authentication type, and key distribution algorithm

Nessus scan

Identifies software flaws, malware, missing/outdated patches, network config errors

Passive Scanning

Identifies weaknesses without interacting with the target network under normal circumstances. Scans constantly or at identified times

Idle Scan

A TCP port scan method that sends spoofed packets to a computer to find out what services are available; also called a zombie scan

Finger, Null session, PsTools, Superscan

Linux enumeration tools

/etc/passwd /etc/shadow

Linux files used to retrieve user names and password hashes

UID

Linux unique user identification ID

GID group id

Linux group ID; the primary group is usually stored in the /etc/passwd file, secondary group membership in /etc/group

Passive Testing

Looking for weaknesses by observation, with no direct network interaction. Sniffer traces from a remote system can determine the OS and network info. Wireshark

'nmap -sV 10.10.10.1'; 'nmap -sV --script=banner <target>' also gets the banner

Looks for the versions of services running on a device; a hacker can then check whether any known issues exist, and add the script to grab the banner

Fragment packet

Most common way to avoid scanning detection: breaking packets up into smaller units, which the system lets pass

Windows SAM

Part of the system registry; stores all user names/passwords as LM and NTLM hashes. Large networks use Active Directory instead of the SAM

Wireless network assessment (vuln test) -

Checks for patching errors, authentication and encryption problems, and unnecessary services to prevent sniffing and other attacks

Scanner limitations

Point in time: data can change with time and activity levels; information is accurate for the test time only. New vulnerabilities: can only identify known issues

Anonymous logon, batch (for scheduled tasks), creator owner (creator of the file or directory), everyone (wide access to resources and all users are also in this group), network (all users that access a network are members)

Preconfigured user groups

'nmap -sR ipaddress/network' or 'nmap -T4 -A ipaddress/network'

RPC endpoint enumeration

Perform internal scans, keep tools up to date, use a variety of tools

Reduce scanning vulnerabilities by

Misconfigurations, default settings, buffer overflows, unpatched servers, design flaws, OS flaws, application flaws, open services, default user/pass

Research these areas to prevent attacks

OS Flaws

Risk for malware. Solution: firewalls, minimal application usage, regular system patches

SID Enumeration

The ending numbers of the SID identify the Microsoft user: 500 is the admin account, 501 the guest account

TCP flags

SYN, ACK, FIN, RST, URG, PSH

Nessus, OpenVAS, Beyond Trust, InsightVM

Scanning vulnerability tools

Application assessment

Scrutinize a completed application, when its source is unknown, for input controls and data processing information

TCP 23 -

Telnet: not used as frequently. Connect to and run services on remote systems

TCP 25 -

Simple Mail Transfer Protocol (SMTP): transfers email between mail servers

TCP 53 -

DNS name queries: IP-to-name and name-to-IP mapping

TCP 80 -

Web server communication (HTTP)

TCP 135 -

RPC: Remote Procedure Call service in Windows for client-server communications

TCP 137 -

NetBIOS Name Service (NBNS), used to associate names with IP addresses

TCP 139 -

NetBIOS Session Service

TCP 445 -

SMB (Server Message Block) directly over TCP

Active testing

Actively testing for weakness: sending custom packets to nodes to determine the OS, hosts, services, and other vulnerabilities. Nmap can be used.

External assessment

Testing external systems and testing from outside the network. Seeks open firewall ports, routers, web servers, web pages, public DNS servers. Can include: looking for network maps, examining the rule set for the external network/router config, detecting open ports, identifying DNS zones

Internal Assessment

Testing and analyzing internal processes and systems in the network, like physical security, open ports, scanning for malware, evaluating remote management processes, and flaws and patches necessary on devices

DNS (Domain Name Services) zone transfers

UDP 53 -

SID Identification number

Unique set of numbers and letters used to identify each user and each group in Microsoft environments

VOIP Enumeration

VoIP uses SIP (Session Initiation Protocol) over UDP/TCP ports 2000, 2001, 5060, and 5061

Attack SMTP

Verify the existence of specific email addresses; potentially get a list of users on a distribution list

Guest: installed but not enabled; has limited privileges. Administrator: disabled by default in Vista and beyond. Local Service: high access to the machine but low network access. Network Service: normal access to the network, limited access to the machine. System: unlimited access to the machine

Windows default users are

OpenVAS scan

Authentication testing, protocol testing, performance tuning. Can handle large-scale networks

'nmap 10.10.10.0/24'

Basic scan: will scan every IP on the network and all default ports. Takes a long time

'nmap -sS 10.10.10.1 -oN scan.txt'; 'cat scan.txt' brings up the results in the terminal from the file

Default SYN scan, saved to a text file

enumeration processes

Extract email IDs, use default passwords, attack directory services, exploit SNMP and SMTP, perform DNS zone transfers, retrieve system policies, enumerate IPsec, enumerate VoIP, enumerate RPC

'nmap -F 10.10.10.0/24'

Fast network scan (-F): scans the 100 most common ports on each device

'nmap --script whois-domain tampicoil.com'

Find domain information with nmap

nc -v ipaddress port

Grab a banner with netcat

Banner grabbing attack

A hacker transmits bogus connection requests to servers or applications to get information about running services. Solution: disable banners, hide file extensions, enable custom error pages

Connect to host > send request to port > analyze network traffic

How to grab a banner

Beyond Trust

Identifies and prioritizes network vulnerabilities

SolarWinds

Is a command-line tool that provides a list of open, closed, or filtered ports.

Angry IP Scanner

Is a network scanner. It scans local and remote networks over an IP range via a command-line interface.

Colasoft

Is packet crafting software that can modify flags and adjust other packet content.

Scany

Is a scanner application for iOS devices. It scans networks, websites, and ports to find open network devices. It can obtain domain and network names and includes basic networking utilities such as ping, traceroute, and whois.

SNMP

Simple Network Management Protocol; is used to manage devices such as routers, hubs, and switches

CurrPorts

Lists all open UDP and TCP/IP ports on your computer. It also provides information about the process that opened the port, the user who created the process, and the time the port was opened.

Enumeration (define)

Method for gathering information from a system to learn about its config, software, and services. Could be illegal; starts the active recon phase

'nmap -O 10.10.10.0'

OS detection: might reveal information about the OS a system is running

What is a null session

No credentials are used to connect to a Windows system. The system is then enumerated for users, groups, machines, shares, and host SIDs

SolarWinds Network Topology Manager

Provides automated network discovery and mapping.

Spoofing IP to avoid detection

Recraft the packet to hide the source IP by adopting another

NetAuditor

Reports, manages, and diagrams network configurations.

finger -l user@host

Retrieves information about users on a remote system

finger -s username

Retrieves login name, real name, terminal name, write status, idle time, login time, office location, and office number for a single user on a Linux system

finger -s

Retrieves login name, real name, terminal name, write status, idle time, login time, office location, and office number for all users on a Linux system

'nmap -sU 10.10.10.1'

Scans for open UDP ports on a device

'nmap 10.10.10.1 -p80-443'

Scans ports within a specified range

hping3

Sends packets across a network and can also create custom packets to analyze a host. In addition to normal ICMP pings, hping3 supports TCP and UDP, has a traceroute mode, and can send and receive files. This tool was primarily designed for the Linux operating system but does have cross-platform capabilities.

Banner grabbing tools

telnet, netcraft, P0f, nmap

/usr/share/nmap/scripts

Where to find the nmap scripts
