Chapter 6 Enumeration
Monitor SNMP ports
Block or monitor activity on ports 161 and 162 and any other ports that you have configured for SNMP traffic.
Change default passwords
Change default passwords on all devices and services.
DNS zone restriction
DNS zone restriction ensures that a server provides copies of zone files to only specific servers.
Enumerate IPsec
ESP, AH and IKE secure VPN endpoints; enumeration pulls the encryption, hashing, authentication type and key distribution algorithm.
Digital signatures
Modern systems include digital signatures that help with DNS zone restriction.
TCP 135 RPC
Port 135 is used by the Remote Procedure Call service in Windows for client-server communications.
Split DNS
Splitting the DNS into internal and external groups provides an added layer of security.
SMTP Countermeasures
The most basic way to counteract Simple Mail Transfer Protocol (SMTP) exploitation is to simply ignore messages to unknown recipients instead of sending back error messages. Additionally, you'll want to configure your server to block open SMTP relaying.
Username
UID (similar to a SID); UIDs above 500 are for regular users.
Run SNScan
Use SNScan, a utility that detects network SNMP devices that are vulnerable to attack.
Update SNMP
Verify that you are running the most recent version of SNMP at all times.
Creator group
Windows 2000 specific; grants permissions to users in the same group as the creator.
Everyone
All users are members of this group; it gives wide-ranging access to resources.
Network
All users that access a system through a network are in this group; it provides remote users access to specific resources.
Anonymous logon
Anonymous access to resources, e.g. a web server/app.
Network service
Limited local machine access; high-level network access.
Guest
Limited-use Windows account; not enabled by default.
PsTools
Manage local and remote Windows systems: change passwords, suspend processes, measure network performance, dump the event log, kill processes.
Enumerate VoIP
Uses SIP to enable voice and video over IP; ports 2000, 2001, 5060, 5061.
LDAP Countermeasures
Hardening against Lightweight Directory Access Protocol (LDAP) enumeration can be tricky. Although blocking LDAP port 389 is an option, you can't always block ports, or you'll risk impacting your network. Blocking LDAP ports could prevent your clients from querying necessary services. The best way to secure LDAP is to review and implement the security settings and services available with your server software.
TCP 137 NetBIOS
Port 137 is used by the NetBIOS Name Server (NBNS). NBNS is used to associate names and IP addresses of systems and services.
TCP 139 NetBIOS
Port 139 is used by the NetBIOS Session Service (SMB over NetBIOS). SMB over NetBIOS allows you to manage connections between NetBIOS clients and applications.
TCP 21 FTP
Port 21 is used for the File Transfer Protocol (FTP). FTP is used by all operating systems to transfer files between client and server machines.
TCP 23 Telnet
Port 23 is used for the Telnet protocol/software. Telnet is used to connect to and run services on remote systems. Because of security concerns, Telnet is not used as frequently as it once was.
TCP 25 SMTP
Port 25 is used for the Simple Mail Transfer Protocol (SMTP). SMTP is used to send emails between client and server and between server and server.
TCP/UDP 3268 Global Catalog Service
Port 3268 is used by the Global Catalog Service. The Global Catalog Service is used by Windows 2000 and later systems to locate information in Active Directory.
TCP/UDP 389 LDAP
Port 389 is used by the Lightweight Directory Access Protocol (LDAP). LDAP is an internet protocol for accessing distributed directory services. If this port is open, it indicates that Active Directory or Exchange may be in use.
TCP 445 SMB over TCP
Port 445 is used by SMB over TCP. SMB over TCP, also known as Direct Host, is a service used to improve network access. This service is available in Windows 2000 and newer.
TCP 53 DNS
Port 53 is used for DNS zone transfers. DNS zone transfer is the process of transferring a copy of the DNS zone file from the primary DNS server to a secondary DNS server. Zone transfers are designed to provide updated network and access information to the DNS servers.
UDP 53 DNS
Port 53 is used for UDP queries about IP-to-name and name-to-IP mappings.
TCP 80 HTTP
Port 80 is used for the Hypertext Transfer Protocol (HTTP). HTTP is used by all web browsers and most web applications.
UDP 161 and 162 SNMP
Ports 161 and 162 are used by the Simple Network Management Protocol (SNMP). SNMP is a standard method of managing devices and software from most manufacturers.
Remove SNMP agent
Remove the SNMP agent or turn off the SNMP service completely.
Perform DNS zone transfer
A copy of the DNS zone file is sent from the primary to the secondary server, designed to provide updated network/access info to DNS servers. A hacker pretends to be a client and sends a zone transfer request to the DNS server; the server then sends a portion of its database.
SuperScan
Enumerates info from a Windows host: NetBIOS, services, NULL session, trusted domains, MAC, logon, policies, users, groups.
Local service
High-level local machine access; limited network access.
Retrieve system policies
How security matters are handled.
Enumerate RPC
Identify any vulnerable services on service ports with nmap: nmap -sR IP/network; nmap -T4 -A IP/network.
Finger
Info about a user: finger -s username; finger -s (all users); finger -l user@host (all remote users).
Attack directory services
Input verification deficiencies, thus automated brute-force attacks.
Exploit SNMP
Manages routers, hubs, switches; agent and client; public and private access, where public may include default passwords; Application layer (layer 7).
Groups
Manage permissions and rights; the GID in /etc/passwd is the default primary group; secondary groups can be assigned (/etc/group).
Administrator
Many changes; user accounts are the default now.
Enumeration
Method of gathering information from a system to learn about its configuration, software and services.
NULL session
A connection to a Windows system with no credentials; exploited to find users, groups, machines, shares and host SIDs. Commands: net use \\hostname\ipc$ "" /user:""; net view \\hostname; net use s: \\hostname\shared folder name.
Batch
Runs scheduled batch tasks.
Exploit SMTP
Scanning tools and commands can verify specific email addresses as recon.
SID
Security identifier; assigned when a user object is created and never used again; 500 = built-in Administrator, 501 = built-in Guest; stored in the SAM in LM and NTLM hash format.
DNS split
Split DNS into internal/external groups.
Creator owner
The file or directory creator is a member of this group; post-2000, used to grant permissions to the creator of a file/directory.
System
Unlimited local machine access.
/etc/passwd
Username and UID, encrypted passwords, GID.