Chapter 7 Enumeration / System Hacking


If a computer has the host name "ninja", you can open a NULL session to it with the following command, where the host is the Internet Protocol (IP) address or name of the system being targeted (the empty password and the empty user name are what make it a NULL session):

net use \\ninja\ipc$ "" /user:""

To view the shared folders on the system (ninja is the host name), you can use the following command:

net view \\ninja

If shared resources are available, they will be displayed as a list, at which point the attacker can attach to a shared resource and map it to a drive letter as follows:

net use s: \\ninja\(shared folder name)

SYSTEM

A super user-style account that gets nearly unlimited access to the local system and can perform actions on the local system with little or no restriction

Local service—

A user account with greater access to the local system but limited access to the network

Network service—

A user account with greater access to the network but limited access to the local system

System Hacking

After an attacker has performed enumeration, he or she can begin actually attacking the system.

Active Directory security group Domain Computers—

All computers in a domain that are not domain controllers. All computer accounts are members of this group by default.

Before Enumeration

All the steps leading up to this point have been aimed at gaining information about the target to discover the vulnerabilities that exist and how the network is configured.

Active Directory security groups Account Operators—

Allows members to create and modify most types of accounts and can log in locally to domain controllers.

Active Directory security groups Domain Guests—

Allows members to log in as a local guest on a computer that is part of a domain. A domain profile is created on each computer to which a member logs in.

Active Directory security groups Guests—

Allows one-time users to log in to a computer in a domain with the basic privileges of a regular user. When a member of the Guests group logs out, the entire profile is deleted.

Active Directory security groups Remote Desktop Users—

Allows users to establish remote connections to a Remote Desktop Session Host server.

nbtstat

Another tool that can be used in the enumeration process

Kerberos Windows 2000

Available with Active Directory

The password is hashed.

Because the database on the system already has a hashed form of the user's password on file, the authentication system can hash the value the user just provided and compare it with the stored hash. If the two hashes match, the user is authenticated; the plaintext password itself is never stored.

Active Directory security groups IIS_IUSRS—

Built-in group used by all versions of Internet Information Services since version 7.0. The IUSR account is a member of this group and provides consistency for web users.

Examples of password crackers in this category include:

Cain & Abel: cracks password hashes offline; works with Windows, Cisco, VNC, and other similar passwords.
John the Ripper: cracks UNIX/Linux, macOS, and Windows passwords.
RainbowCrack: cracks passwords by comparing hashed input values with precomputed stored password hashes (rainbow tables); you will learn more about rainbow tables later in this chapter.
Ophcrack: another popular password cracker that uses rainbow tables.
THC-Hydra: a very fast password cracker with modules for most operating systems and common network protocols; unlike the others listed here it works online, against a live login service, rather than against captured hashes.

A packet sniffer is effective, but

it can be thwarted by technology that prevents the observation of network traffic. Specifically, packet sniffing works only if the attacker's host can see the victim's traffic: on a legacy hub-based segment that means being in the same collision domain, while on a switched network the attacker needs a mirror port, a man-in-the-middle position (for example via ARP spoofing), or similar.

LAN Manager (LM) Windows for Workgroups

Considered weak because of the way hashes are created and stored

The goal of the enumeration process

Determining what value a system possesses, that is, whether it is worth attacking

The nbtstat tool has several different functions: -r Resolved

Displays a count of all names resolved by broadcast or by a Windows Internet Name Service (WINS) server

The nbtstat tool has several different functions: -n Names

Displays the names registered locally by NetBIOS applications, such as the server and redirector

Security Identifiers

Each user account in Windows has a unique ID assigned to it, commonly known as a security identifier (SID), that is used to identify the account or group. A SID is a string of the form S-<revision>-<identifier authority>-<sub-authorities>-<RID>, for example S-1-5-32-1045337234-12924708993-5683276719-19000; the final component, the relative identifier (RID), identifies the account within its domain or local machine, and the components before it identify the issuing domain or machine.

What is the most aggressive of the information-gathering processes in any attack

Enumeration

_______ requires more interaction with the target than the previous techniques

Enumeration

Oversharing From Windows 2003 on

Everyone group is given read-only access. In either situation, it is possible for an attacker to at least view the contents of a folder and in the case of full control, do much worse

Oversharing Prior to Windows 2003

Everyone group was granted full control of a folder

Active Directory security groups Users

General group for normal users that allows users to run applications, access local resources, shut down or lock a computer, and install per-user applications.

Active Directory security group Domain Admins—

Group for users that administer a domain. The Domain Admins group is a member of the Administrators group for all computers in that domain.

Active Directory security groups Domain Controllers---

Includes all domain controllers in a domain. Any new domain controllers added to a domain automatically become a member of this group.

Active Directory security groups Domain Users—

Includes all user accounts for a domain. All new accounts created in a domain become a member of this group by default.

The nbtstat tool has several different functions: -s Sessions

Lists the NetBIOS sessions table, converting destination IP addresses to computer NetBIOS names

The nbtstat tool has several different functions: -c Cache

Lists the contents of the NetBIOS name cache

The nbtstat tool has several different functions: -S Sessions

Lists the current NetBIOS sessions and their status, with the IP addresses

The nbtstat tool has several different functions: -A Adapter status

Lists the same information as -a, but takes the target's IP address instead of its computer name: the remote machine's NetBIOS name table and its MAC address. The command line that uses this option would look like the following if the targeted system had an IP address of 192.168.1.1: nbtstat -A 192.168.1.1

Active Directory security group Backup Operators—

Members can back up and restore all files on a specific computer, regardless of what permissions are in place for those files.

Active Directory security group Administrators-

Members have unrestricted access to the computer, or if the computer is a domain controller, to the entire domain.

SuperScan offers a number of useful enumeration utilities designed for extracting information from a Windows-based host:

NetBIOS name table, NULL session, MAC addresses, workstation type, users, groups, remote procedure call (RPC) endpoint dump, account policies, shares, domains, logon sessions, trusted domains, services

One of the most commonly targeted services running in Windows is

the NetBIOS service, which uses User Datagram Protocol (UDP) ports 137 and 138 and Transmission Control Protocol (TCP) port 139.

Enumeration

Once port scanning has been performed, it is time to dig deeper into the target system itself to determine what is available on that specific system. Represents a more aggressive step in the hacking and penetration testing process because the attacker has now started to access the system to see specifically what is available.

Examples of password crackers that use rainbow tables include:

Ophcrack, RainbowCrack

password cracking.

Password cracking is used to obtain the credentials of an account with the intent of using the information to gain unauthorized access to the system as an authorized user.

The nbtstat tool has several different functions: -a Adapter status

Returns the NetBIOS name table and media access control (MAC) address of the network adapter for the computer name specified
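The name table that nbtstat -a / -A returns is only useful once you can read the suffixes: <00> UNIQUE is the host name, <00> GROUP the workgroup or domain, <20> UNIQUE means the server service (file sharing) is up, and <1C> GROUP marks a domain controller. The following parser is an added example, not from the original page or the nbtstat tool; SAMPLE_OUTPUT is constructed to match the layout nbtstat prints, and the host name, MAC address and IP address in it are made up.

```python
"""Parse the output of `nbtstat -A <ip>` into structured facts about a host.

Added example, not from the original page. SAMPLE_OUTPUT is constructed to
match the layout nbtstat prints; the host name, MAC address and IP in it are
made up.
"""
import re
from dataclasses import dataclass, field

# Meaning of a NetBIOS name suffix (<xx>) for a given record type.
SUFFIX_MEANING = {
    ("00", "UNIQUE"): "workstation service (host name)",
    ("00", "GROUP"): "domain or workgroup name",
    ("03", "UNIQUE"): "messenger service (host or logged-on user name)",
    ("20", "UNIQUE"): "file server service (SMB file sharing enabled)",
    ("1B", "UNIQUE"): "domain master browser",
    ("1C", "GROUP"): "domain controllers",
    ("1D", "UNIQUE"): "master browser",
    ("1E", "GROUP"): "browser service elections",
}

_NAME_RE = re.compile(r"^\s*(\S+)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\w+)")
_MAC_RE = re.compile(r"MAC Address\s*=\s*([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})")

SAMPLE_OUTPUT = """\
Ethernet0:
Node IpAddress: [192.168.1.50] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    NINJA          <00>  UNIQUE      Registered
    WORKGROUP      <00>  GROUP       Registered
    NINJA          <20>  UNIQUE      Registered
    WORKGROUP      <1E>  GROUP       Registered

    MAC Address = 00-0C-29-3A-4B-5C
"""


@dataclass
class NbtRecord:
    name: str
    suffix: str   # two hex digits, upper-cased
    kind: str     # UNIQUE or GROUP
    status: str


@dataclass
class NbtHost:
    records: list = field(default_factory=list)
    mac: str = ""

    def names(self, suffix: str, kind: str) -> list:
        return [r.name for r in self.records
                if r.suffix == suffix and r.kind == kind]

    @property
    def hostname(self):
        names = self.names("00", "UNIQUE")
        return names[0] if names else None

    @property
    def workgroup(self):
        names = self.names("00", "GROUP")
        return names[0] if names else None

    @property
    def file_sharing(self) -> bool:
        """<20> means the server service is up: worth trying shares next."""
        return bool(self.names("20", "UNIQUE"))

    @property
    def is_domain_controller(self) -> bool:
        return bool(self.names("1C", "GROUP"))


def parse_nbtstat(text: str) -> NbtHost:
    """Pull the name records and the MAC line out of raw nbtstat output."""
    host = NbtHost()
    for line in text.splitlines():
        m = _NAME_RE.match(line)
        if m:
            name, suffix, kind, status = m.groups()
            host.records.append(NbtRecord(name, suffix.upper(), kind, status))
            continue
        m = _MAC_RE.search(line)
        if m:
            host.mac = m.group(1).upper()
    return host


def describe(host: NbtHost) -> list:
    """One human-readable finding per record, for the enumeration notes."""
    return [f"{r.name} <{r.suffix}> {r.kind}: "
            f"{SUFFIX_MEANING.get((r.suffix, r.kind), 'unknown suffix')}"
            for r in host.records]
```

Feed it the text captured from nbtstat -A <ip> (for example via subprocess) and check file_sharing before bothering with net view; a host whose table has no <20> entry is not offering SMB shares via NetBIOS, and an empty result simply means the host did not answer on UDP 137.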

User account information can be physically stored in two locations on a Windows system:

Security Account Manager (SAM) or the Active Directory (AD).

NT LAN Manager (NTLM) Windows NT

Stronger than LM but somewhat similar

Current user—

The currently logged-on user who can run applications and tasks but is still subject to restrictions that other users are not subject to. The restrictions on this account hold true even if the user account being used is an administrator account.

How to Perform Enumeration Tasks (the port-scanning and enumeration activities overlap)

The idea is to start with a list of hosts and open, or active, ports. This information comes from the port scanning phase. Then, you use utilities in your hacking toolbox to explore these open ports further. In addition to just exploring open ports, you can learn a lot more about how a computer (or network or domain) is being used and who is using it.

TheHarvester—

TheHarvester is an interesting tool that executes Internet searches for email addresses for a given domain. This is a great tool for finding people associated with an organization.

Sid2user and User2sid—

These utilities require an established SMB connection to a host. Then, they are able to use Windows application programming interfaces (APIs) to return valuable information about Windows users and their SIDs.

SNMPwalk—

This simple tool can return a lot of information about networks with the Simple Network Management Protocol (SNMP) service running.

Enum4Linux

This utility can provide a tremendous amount of information through Server Message Block (SMB) and Samba services. If you find SMB or Samba available on one or more hosts, try enum4linux to see whether you can get more information on the OS, users, groups, and shares.

Overall system security requires that you carefully protect the confidentiality and integrity of these items.

Two ways to protect these valuable credentials are encryption and hashing.

Details that tend to appear at this point include the following:

User accounts, group settings, group membership, application settings, service banners, audit settings

SPARTA Network Infrastructure Penetration Testing Tool—

a Python program that provides a graphical user interface (GUI) front end for many popular security tools, such as Nmap. It makes the process of carrying out attacks easier and more organized.

Windows operating system, nbtstat

A command-line utility intended to assist in network troubleshooting and maintenance. It is specifically designed to locate and troubleshoot name-resolution problems caused by the NetBIOS over TCP/IP service.

Prior to the introduction of Windows XP,

all system services ran under the SYSTEM account, which allowed all the services to run as designed but also gave each service more access than it needed.

hybrid attack

Another form of offline attack that functions much like a dictionary attack but with an extra level of sophistication. Hybrid attacks start out like a dictionary attack, in which the words from the dictionary are attempted; if this is unsuccessful at uncovering the password, the process changes

hacking phase,

attack has reached an advanced stage in which the attacker starts to use the information gathered from the previous phases to break into or penetrate the system.

Passive Online Attacks

The attacker obtains a password simply by listening for it. This attack can be carried out using two methods: packet sniffing, or man-in-the-middle and replay attacks.

Dictionary attacks are most successful for password

Encryption provides

barrier against unauthorized disclosure, whereas hashing ensures the integrity of these credentials.

Commonly Attacked and Exploited Services

All operating systems potentially expose a large number of services to other computers and devices, and any of these can be exploited in some way by an attacker. Each service that runs on a system is designed to offer features and capabilities to the system and its users; as a result, OSs have many basic services running by default, supplemented by the ones applications also install.

In the Windows OS, the NetBIOS service

can be used by an attacker to discover information about a system. The information that can be obtained via the service is detailed and can include usernames, share names, and service information. In the enumeration phase, you will see how to obtain this information using what is known as a NULL session.

Rainbow tables

Precomputed tables of the hashes of every possible combination of characters within some range, generated before any password hash is captured. Once all the hashes have been generated, the attacker can capture a password hash from the network or from the SAM and simply look it up among the hashes that were generated in advance, instead of hashing candidates one at a time.

Password cracking can take one of four forms

All are designed to obtain a password that the attacker is not authorized to possess. The four password-cracking methods an attacker can use are: passive online attacks, active online attacks, offline attacks, and nontechnical attacks.

In addition to determining what services and settings are present,

the enumeration phase can also employ techniques used to determine the placement and capabilities of countermeasures.

NULL session

feature in the Windows operating system that is used to give access to certain types of information across the network. NULL sessions are a feature that has been a part of Windows for some time—one that is used to gain access to parts of the system in ways that are both useful and insecure.

offline attack

form of password attack that relies on weaknesses in how passwords are stored on a system. The previous attack types attempted to gain access to a password by capturing it or trying to break it directly. Offline attacks go after passwords where they happen to be stored on a system.

Brute-Force Attacks

Attempt all possible combinations of characters, or a suspected subset of possible passwords, until the correct combination is discovered; they can be run online against a login service or offline against a captured hash. Brute force has the benefit of always working eventually, but the downside is that it takes a long time, because the search space grows exponentially with password length. Typically, this method starts with simple combinations of characters and then increases complexity until the password is revealed. Examples of password crackers that can run brute-force attacks include Ophcrack and Proactive Password Auditor.

Is enumeration legal or illegal?

Enumeration has gone beyond actively probing a target to see what OS it may be running, to determining specific configuration details. If passive reconnaissance is likened to slowly driving past a target house, then enumeration would be akin to shining your flashlight through the windows and examining the door locks, so it should be performed only with the owner's authorization.

NetBIOS

Has long been a target for attackers because of its ease of exploitation and the fact that it is often enabled on Windows systems even when it is not needed. It was designed to facilitate communication between applications on local area networks, but it is now considered a legacy service and usually can (and should) be disabled.

Controlling access: what any security professional must understand prior to securing Windows

How to manage and control access to resources, such as file shares, devices, and other items.

Nontechnical Attacks: Keyboard Sniffing

Intercepts the password as a user is entering it. This attack can be carried out when users are the victims of keystroke-logging software or hardware, or if they regularly log on to systems remotely without using any protection. Keystroke loggers are available both as software and as hardware devices.

Security Account Manager (SAM)

A database on the local system that is used to store user account information. By default, the SAM resides in the file %SystemRoot%\System32\config\SAM. This is true of all versions of Windows clients and servers.

Nontechnical Attacks Shoulder Surfing

is a method of obtaining a password by observing people entering their passwords. In this attack, the individual wanting to gain access to the password takes a position to see what a user is typing or what is appearing onscreen

AN IMPORTANT STEP IN THE ATTACK PROCESS

is determining which systems are worth attacking and which ones are a waste of time.

The SAM stores within it

hashed versions of users' passwords, used to authenticate user accounts. These hashes are stored in a number of ways depending on the version of Windows (LM and/or NTLM hashes, additionally encrypted with a key kept in the SYSTEM hive).

In Windows, once a SID is used,

it is never reused, meaning that even if the username is the same, Windows doesn't treat it as the same. By using this setup, an attacker cannot gain access to your files or resources simply by naming their account the same as yours.

The SAM is a file that

physically resides on the hard drive and is locked and actively accessed while Windows is running, so it cannot simply be copied while the OS is up.

enumeration has been completed

process of system hacking can begin

Oversharing? Remember that in the Windows OS,

shared folders give access to the Everyone group by default. If the Everyone group is given default access to a folder and this is not changed, it creates a situation in which attackers can easily browse the contents of the folder because they will be part of the Everyone group by default

One of the big issues of securing Windows in the networked environment is

sheer number of features that must be considered and locked down to prevent exploitation.

dictionary attack

Similar to an active online attack in that the attacker tries candidate passwords until the correct one is discovered. The difference is how the candidates are chosen: a dictionary attack takes them from a word list (the dictionary) of likely passwords rather than generating every possible combination, which is why it succeeds quickly against common or weak passwords and fails outright against passwords that are not in the list.

Nontechnical Attacks

In some cases, an attacker may choose to use a nontechnical method because of the conditions in the environment or just because it is easier. The nontechnical methods represent a change from the previous, technical attacks.

If the SID ends in 1000 or higher, the account is

a standard (user-created) user, group, or computer account.

If the SID ends in 501, the account is

the built-in Guest account.

Enumeration

takes the information that an attacker has already carefully gathered and attempts to extract information about the exact nature of the system itself

If the SID ends in 500, the account is

the built-in Administrator account, regardless of what the account has been renamed to.
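Because Windows identifies accounts by SID rather than by name, the RID is what tells you what an account really is: the built-in Administrator keeps RID 500 no matter what it is renamed to, and once you know the domain part of any SID you can walk the RIDs to enumerate the rest (the sid2user/user2sid approach). The following parser and classifier is an added example, not from the original page; SAMPLE_DOMAIN_SID is a constructed domain SID, while the well-known RIDs and built-in alias values are the standard Windows ones.

```python
"""Parse Windows security identifiers (SIDs) and classify accounts by RID.

Added example, not from the original page. SAMPLE_DOMAIN_SID is constructed
for illustration; the well-known RID and built-in alias values are the
standard Windows ones.
"""
import re
from dataclasses import dataclass

# S-<revision>-<identifier authority>-<sub-authority>[-<sub-authority>...]
_SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")

# Well-known RIDs under a domain or local-machine SID (S-1-5-21-...).
WELL_KNOWN_RIDS = {
    500: "Administrator (built-in)",
    501: "Guest (built-in)",
    502: "krbtgt",
    512: "Domain Admins",
    513: "Domain Users",
    514: "Domain Guests",
    515: "Domain Computers",
    516: "Domain Controllers",
}

# Built-in local groups live under S-1-5-32-<RID>.
BUILTIN_ALIASES = {
    544: "Administrators",
    545: "Users",
    546: "Guests",
    551: "Backup Operators",
    555: "Remote Desktop Users",
}

SAMPLE_DOMAIN_SID = "S-1-5-21-1004336348-1177238915-682003330"  # constructed


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int
    subauthorities: tuple

    @property
    def rid(self) -> int:
        """Last sub-authority: the relative identifier of the principal."""
        return self.subauthorities[-1]

    @property
    def domain(self) -> str:
        """Everything but the RID: identifies the issuing machine or domain."""
        parts = ["S", str(self.revision), str(self.authority)]
        parts += [str(s) for s in self.subauthorities[:-1]]
        return "-".join(parts)


def parse_sid(text: str) -> Sid:
    """Parse a SID string, rejecting malformed input and oversized fields."""
    m = _SID_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a SID: {text!r}")
    revision, authority = int(m.group(1)), int(m.group(2))
    subs = tuple(int(s) for s in m.group(3).strip("-").split("-"))
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    # Sub-authorities are 32-bit values and a SID holds at most 15 of them.
    if len(subs) > 15 or any(s > 0xFFFFFFFF for s in subs):
        raise ValueError(f"sub-authority out of range: {text!r}")
    return Sid(revision, authority, subs)


def is_valid_sid(text: str) -> bool:
    try:
        parse_sid(text)
        return True
    except ValueError:
        return False


def classify(text: str) -> str:
    """Describe what kind of principal a SID refers to."""
    sid = parse_sid(text)
    if sid.authority != 5:
        return "non-NT authority"
    first = sid.subauthorities[0]
    if first == 32 and len(sid.subauthorities) == 2:
        return BUILTIN_ALIASES.get(sid.rid, "built-in alias")
    if first == 21 and len(sid.subauthorities) == 5:
        if sid.rid in WELL_KNOWN_RIDS:
            return WELL_KNOWN_RIDS[sid.rid]
        if sid.rid >= 1000:
            return "user-created account or group"
        return "reserved RID"
    return "other well-known SID"


def same_principal(sid_a: str, sid_b: str) -> bool:
    """Windows compares SIDs, never names: a recreated or renamed account with
    the same username is a different principal because it gets a new SID."""
    return parse_sid(sid_a) == parse_sid(sid_b)


def rid_cycle(known_sid: str, rids) -> list:
    """Given any SID from a domain, build the SIDs for other RIDs on that
    domain. This is the sid2user/user2sid trick: learn the domain SID from
    one account, then walk 500, 501, 1000, 1001, ... to find the others."""
    domain = parse_sid(known_sid).domain
    return [f"{domain}-{r}" for r in rids]
```

The range check in parse_sid matters in practice: tooling that accepts arbitrary digit strings will happily "classify" garbage, so reject anything whose sub-authorities do not fit in 32 bits before trusting the RID.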

When performing enumeration

the attacker has the goal of uncovering specific information about the system itself. During a typical enumeration process, an attacker will make active connections to the target system to discover items such as user accounts, share names, groups, and other information that may be available via the services discovered previously.

NULL sessions are designed

to allow connections between systems on a network so that one system can enumerate the processes and shares on another: the list of users and groups, the list of computers and devices, the list of shares, and user and host SIDs

SuperScan

tool used to perform port scanning, but it can also be used to perform enumeration. On top of SuperScan's abilities to scan TCP and UDP ports, perform ping scans, and run Whois and Traceroute, it has a formidable suite of features designed to query a system and return useful information.

Groups

used by Windows to grant access to resources to a collection of users and to simplify management. Groups are effective administration tools because a group can contain a large number of users that can then be managed as a unit

User accounts

used in Windows to control access to everything from file shares to run services that keep the system functioning

Precomputed hashes

used in an attack type known as a rainbow table.

Information extracted during Enumeration

usernames, group info, share names, and other details.

SNScan

utility designed to detect SNMP-enabled devices on a network. The utility is designed to locate and identify devices that are vulnerable to SNMP attacks. SNScan scans specific ports (for example, UDP 161, 193, 391, and 1993) and looks for the use of standard (public and private) and user-defined SNMP community names

Angry IP Scanner

This utility is a good alternative to SuperScan. It performs many of the same tasks and is useful for multiple steps in the early attack phases. Angry IP Scanner is distributed as open-source software and can run on Windows, Linux, or macOS

A NULL session occurs

when a user attempts a connection to a Windows system without providing a standard username and password. This connection type cannot be made to just any Windows share, but it can be made to the interprocess communication (IPC$) administrative share. NULL sessions are designed to allow connections between systems on a network so that one system can enumerate the processes and shares on another

active online attack

Consists of more aggressive methods, such as brute-force and dictionary attacks, run directly against a live login service. Active online attacks are effective in situations in which the target system has weak or poorly chosen passwords in use; in such cases they can often crack passwords very quickly. In a brute-force attack, all possible combinations of characters are tried until the correct combination is discovered.
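The cards above describe hash verification, dictionary, hybrid, brute-force and rainbow-table attacks in words; the following block puts all of them side by side as an added example (not code from the original page). hash_password is a stand-in: unsalted SHA-256 of the password. Windows NT hashes are likewise unsalted (MD4 over the UTF-16LE password), and that missing salt is what lets an attacker precompute a lookup table; WORDLIST is a constructed stand-in for a dictionary file.

```python
"""Stored-hash verification and the password-cracking strategies above.

Added example, not from the original page. hash_password is a stand-in:
unsalted SHA-256 of the password. Windows NT hashes are likewise unsalted
(MD4 over the UTF-16LE password), and that missing salt is what lets an
attacker precompute a lookup table. WORDLIST is a constructed stand-in for
a dictionary file.
"""
import hashlib
import hmac
import itertools
import string

WORDLIST = ["password", "letmein", "welcome", "ninja", "summer"]  # constructed


def hash_password(password: str) -> str:
    """Unsalted hash: the same password always yields the same hash."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def verify(candidate: str, stored_hash: str) -> bool:
    """What the authentication system does: hash the supplied value and
    compare it with the hash on file (constant-time compare)."""
    return hmac.compare_digest(hash_password(candidate), stored_hash)


def dictionary_attack(stored_hash: str, words=WORDLIST):
    """Try each word from the list exactly as written."""
    for word in words:
        if verify(word, stored_hash):
            return word
    return None


def hybrid_candidates(word: str):
    """A dictionary word plus the mutations users typically apply to it."""
    for base in (word, word.capitalize(), word.upper()):
        yield base
        for n in range(100):           # appended digits: ninja7, Ninja42
            yield f"{base}{n}"
        yield base + "!"
    yield word.replace("a", "@").replace("e", "3").replace("o", "0")  # leet


def hybrid_attack(stored_hash: str, words=WORDLIST):
    """Dictionary attack first; when a plain word fails, try its mutations."""
    for word in words:
        for cand in hybrid_candidates(word):
            if verify(cand, stored_hash):
                return cand
    return None


def brute_force(stored_hash: str,
                alphabet: str = string.ascii_lowercase + string.digits,
                max_len: int = 4):
    """Every combination up to max_len, shortest first. Always succeeds if the
    password is in range, but the work grows as len(alphabet) ** length."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            cand = "".join(combo)
            if verify(cand, stored_hash):
                return cand
    return None


def precompute_table(candidates) -> dict:
    """The rainbow-table idea at its simplest: hash everything once up front,
    then crack any captured hash by lookup instead of by hashing again."""
    return {hash_password(c): c for c in candidates}


def table_lookup(stored_hash: str, table: dict):
    return table.get(stored_hash)


def salted_hash(password: str, salt: bytes) -> str:
    """With a per-user salt the same password hashes differently for every
    user, so a table precomputed without the salt no longer matches."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
```

A real rainbow table trades the memory of this full dictionary for hash chains and recomputation, but the property it depends on is the same one shown here: an unsalted hash function lets the work be done once and reused against every captured hash, and salted_hash is enough to break that reuse.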

The other method of storing user information is Active Directory (AD),

which is used in larger network environments, such as those present in mid- to enterprise-level businesses. AD keeps the domain's account information (conceptually, the SAM contents for the whole domain) in its own database, replicated across one or more special servers called domain controllers.

