ECCouncil CEH V9 312-50 – Enumeration – What Can We Get For Free? Part 2

  1. DNS Enumeration

Now, if you recall, the reason that we actually are in this chapter is because enumeration is about what a system will give up for free. In other words, we haven’t logged in to our system. It just simply gives this information up, and you’ll start to see a lot of information that really we shouldn’t be giving out. Let’s take, for example, SNMP insecurity. Now, SNMP actually comes in versions one, two, and three, but you’ve got to use the lowest common denominator in your environment, and that generally is SNMP version one. And SNMP version one doesn’t even require a password. The password is actually “public” and it’s just in clear text. It’s very easy to get.

So SNMP is an Internet standard protocol for managing devices on IP networks. Devices that typically support SNMP include routers, switches, servers, workstations, printers, modem racks, and a whole lot more. It is used mostly in network management systems to monitor network-attached devices for conditions that warrant administrative action. SNMP is a component of the Internet Protocol Suite as defined by the Internet Engineering Task Force, or IETF.

It consists of a set of standards for network management, including an application layer protocol, a database schema, and a set of data objects. Now, SNMP exposes management data in the form of variables on the managed systems which describe the system configuration. These variables can then be queried and sometimes set by managing applications. Some of the managing applications might be Tivoli from IBM or HP OpenView. There are several tools that we can use to enumerate SNMP, and I’m going to show you one of them here. In just a second, I’m going to use our online lab and get access to a couple of servers that I have installed the SNMP agent on.

The advantage to using the online lab is you don’t have to set anything up.

Everything is already installed for you. So let’s go ahead and go into our XP attacker, and I’m going to want to target the one I put my agent on, and I put an agent on this 110 41 156. Okay, so I’m going to click here under Net Tools and I’m going to pick Look@LAN. This is a really neat little utility, but it’s very noisy. That means your IDS will know you’re using this. But if it’s your own system, I use this all the time. I’m going to create a new profile and I’m going to tell it that I want to get access to everything that is on this 10 41 52 using that list.

So I’m going to click on this and you’re going to see quite a few little machines on here, and you’ll also see any of them that have the SNMP agent on it, because it will actually turn on. It’s going to do a port scan, of course, but I’m more interested in the Look@LAN details. And let’s expose just a little bit of what we’re looking at here. It tells us all of our network interfaces, tells us our TCP/IP networks, the IP routes that are in the server, the protocols that we are using, the type of CPU we have, and for God’s sakes, user accounts, too.

Oh my gosh. It shows us any shares that we have on our system, the services that we are running. So if we know any of those services to be vulnerable, we can attack those. How many drives we have, how much virtual memory, the devices that we have on our system, processes that are running on our system. If any of those are available to attack, we can do that. In any instance, installed software on our system. All right? And it gives us some LAN Manager information as well. So as you can see, it gives us a tremendous amount of information by just simply asking for it. That’s all we needed to do.

  1. SNMP Countermeasures, AD and AD Countermeasures

Let’s talk about some of the countermeasures to SNMP enumeration, because you saw how easy it is to get. First off, don’t install the Management and Monitoring Windows component if it’s not going to be used. It’s senseless to do that, because then somebody can do exactly what I did. In case it is required, ensure that only legally authorized persons have access to it; else it might be turned into an obvious backdoor. You can basically edit the registry to permit only approved access to the SNMP community name. In other words, only certain IP addresses, like your Tivoli or your HP OpenView. Change the community name to properly configured ones, preferably with private community names, not the default of public.

Wherever possible, restrict access to the SNMP agent. By restriction, we mean allowing SNMP requests from only specific addresses, again like our Tivoli or HP OpenView. Additionally, these requests should be restricted to read-only wherever possible. All these configurations can be done by changing the properties of the SNMP service. Authenticate and encrypt using IPsec if you can. Using SNMP version one, you may not have adequate authentication and encryption facilities built in, but this is where IPsec can come to the rescue. IPsec policies can be defined on the monitored systems and management stations so that all SNMP traffic is authenticated or encrypted. You can also collect traps if SNMP is enabled. Monitor the Windows event logs. Effective auditing can actually raise your level of security. Then let’s talk about Active Directory enumeration.
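The registry-side countermeasures just listed (non-default community name, read-only rights, requests accepted only from named managers) can be checked with a script. This is an added example, not part of the course: the registry keys are the Windows SNMP service’s own ValidCommunities and PermittedManagers keys, the rights encoding is the service’s, and the sample values are constructed.

```python
"""Audit a Windows SNMP service configuration for the weak settings above.

Added example, not from the course. The registry keys are the Windows SNMP
service's own (ValidCommunities, PermittedManagers); sample values are constructed.
"""
import sys

# REG_DWORD data of each ValidCommunities value encodes the community's rights.
RIGHTS = {1: "NONE", 2: "NOTIFY", 4: "READ ONLY", 8: "READ WRITE", 16: "READ CREATE"}
DEFAULT_NAMES = {"public", "private"}


def audit_snmp(valid_communities, permitted_managers):
    """Return findings for {community: rights} and the list of permitted manager hosts."""
    findings = []
    for name, rights in valid_communities.items():
        if name.lower() in DEFAULT_NAMES:
            findings.append(f"default community name '{name}' is configured")
        if rights >= 8:  # READ WRITE / READ CREATE let a manager change the device
            findings.append(f"community '{name}' has {RIGHTS.get(rights, rights)} rights; use READ ONLY")
    if not permitted_managers:  # empty list = 'Accept SNMP packets from any host'
        findings.append("PermittedManagers is empty: the agent answers any host")
    return findings


def read_windows_snmp_config():
    """Read the live settings on a Windows host (winreg exists only there)."""
    import winreg
    base = r"SYSTEM\CurrentControlSet\Services\SNMP\Parameters"
    communities, managers = {}, []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base + r"\ValidCommunities") as key:
        for i in range(winreg.QueryInfoKey(key)[1]):
            name, data, _ = winreg.EnumValue(key, i)
            communities[name] = data
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base + r"\PermittedManagers") as key:
        for i in range(winreg.QueryInfoKey(key)[1]):
            managers.append(winreg.EnumValue(key, i)[1])  # values "1", "2", ... hold hosts
    return communities, managers


# Constructed sample of the out-of-the-box style setup the lecture warns about.
SAMPLE_COMMUNITIES, SAMPLE_MANAGERS = {"public": 4, "admin-rw": 8}, []

if __name__ == "__main__":
    if sys.platform == "win32":
        comms, mgrs = read_windows_snmp_config()
    else:
        comms, mgrs = SAMPLE_COMMUNITIES, SAMPLE_MANAGERS
    for finding in audit_snmp(comms, mgrs):
        print("FINDING:", finding)
```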

Although several security vulnerabilities exist in Active Directory, a hacker interested in enumerating it is only really focusing on one function: a dump of the tree. All existing users and groups could be enumerated with a simple LDAP query tool like Microsoft’s LDP tool. The only thing required to perform this enumeration is to create an authenticated session via LDAP, so any user session will typically work. Connect to any Active Directory server using LDP on port 389. Authenticate yourself using Guest or any domain account. Now all of the users and built-in groups can be enumerated. Here’s a good example of using the LDP tool. This is found in our Windows Support Tools. It’s a utility that you can use to query the Active Directory and dump all of the names. Let’s finish up with a few countermeasures. First and foremost, filter access to TCP ports 389 and 3268 at the network border. Don’t allow this information to go out of your network.

Unless you plan on exporting AD to the world, no one should have unauthenticated access to the directory. To prevent this information from leaking out to an unauthorized party on internal semi-trusted networks, permissions on the AD need to be restricted. This is something called OU filtering. The difference between legacy compatible mode, which is less secure, and the native Server 2003 and above essentially boils down to the membership of the built-in local Pre-Windows 2000 Compatible Access group.

The Pre-Windows 2000 Compatible Access group has the default access permission to the directory. Now, I can’t tell you the number of times I have seen people upgrade, upgrade, upgrade, upgrade and upgrade all the way to, let’s say, Server 2012, but it still allows the Everyone group or the Anonymous Logon into the Pre-Windows 2000 Compatible Access group. This is something you definitely need to check on your system to make sure that it is taken out. These special identities include authenticated sessions with anyone, including null sessions, and we’ll give you an example of that in a few seconds. By removing the Everyone and Anonymous Logon groups from the Pre-Windows 2000 Compatible Access group and then rebooting the domain controllers, the domain operates with greater security.

  1. Null Sessions

Now folks, I’m going to go back in time just a little bit because I have seen this on the test. Even though they’re not really supported any longer, Windows NT all the way up to Windows 2003 were able to support something called a null session, and a null session is particularly evil when you see how much information I’m going to be able to get. Now, a null session is an anonymous connection to a freely accessible network share called IPC$ on Windows-based servers. It allows immediate read and write access on NT and 2000 and read-only access with XP and 2003. Now you’re going to see how much information I actually grab from here when I do this. Let’s first go over the syntax that I’m going to use. I’m going to type in net use and I’m going to use the Windows 2000 server.

And I know that’s very old, but this is just for a demonstration. Backslash, backslash, and then IPC$, space, double quote, double quote, space, forward slash, u, colon, double quote, double quote. Now let’s go ahead and see this in action. I’m pulling up our online lab and you’ll be able to see what it looks like. So I’m going to simply type in net use, the IP address of the target machine, which is our Windows 2000 server, 1156, IPC dollar sign, space, double quote, double quote, forward slash u colon. Now, before I actually implement this, I’m going to do a couple of things on our Windows 2000 server. On the server I’m going to go in by just simply clicking on Manage and I’m going to go down to our local users.

And you can see I only have a few users in here. So I’m just going to add a couple of users. I’m going to create one called Plain Jane. I’m not going to give Plain Jane a password, all right? And I’m just simply going to click on Create. I’m then going to create one called Backdoor and I’m going to not give it a password, but Backdoor I’m going to make a member of the local Administrators group. Okay, now I’m going to change the administrator’s name. I’m just simply going to rename this to something other than Administrator. I’m going to call this, how about, just S admin, all right? For super admin. Okay, now I’m going to just minimize this and I’m going to do our null attach to that server. You can see it says “Command completed successfully.” That’s great. I’m going to next open up one of my tools, and the tool name is called DumpSec. Again, all of these tools are on the CD that I will make available for you in class, or if you’re running it in the online lab, all the tools are already installed.

The next thing I’m going to do is click on Report, select Computer, and I’m going to use the IP address of the computer that I’ve done a null attach to, 1041 156. And if all goes well, that should appear up in the title bar of your machine. Now I’m going to click on Report and I’m going to dump my users as a table. I’m going to take all of the available fields right here and click Add on every single one of them over here to the right-hand side and I’m going to click OK.

You can see we’re going through the users right here. And when it finishes, you’ll be able to tell I have dumped all of my users here. And the most important part, if I scroll all the way over to the right-hand side, the user whose SID ends in 500 is indeed my super user. The 501 indicates the guest account and 1000 is the very first user. This is a test question, so you need to be aware of this.

500 is the built-in administrator account. 501 is the guest account. And 1000 starts the very first user account. So I can tell what we’ve renamed my administrator to and I can start attacking that. And the administrator by default cannot be locked out locally. So I can sit there and hammer on that all day long until I guess the password. Now let’s see what else it gave away for free. All right. It tells me that I have access to a group comment, the group type, the full name, the account type, a comment on the account, what home directories we have access to, the profile, the login script, what workstations we can log on to, passwords can be changed, yes or no, password was last set date, and password required, password expires, account is disabled, yes or no. And most important of everything is the last logon time. Now I tell you right now, folks, I could go into your organization right now and pretty much guarantee you that I can find accounts that have never been logged into before.

If you know much about that organization, you probably also know what the password is. I have no problem supplying the password. If I know they’ve never been logged on, then more than likely what’s happened is we made some hire for somebody that’s going to be coming into our organization and for some reason or another they didn’t show up on Monday. Maybe they got offered more money to stay. Maybe the boss sweetened the pie somehow. Or maybe their wife just said, I’m not leaving, mother. Whatever the case may be. You, being the security-minded, diligent individual that you are, naturally called back to the security department and had them take out that individual user account. But if you did, kudos to you. You’re actually much further ahead than most people are, because they generally don’t do that. Let’s go over and see what we could do with just a Plain Jane user account. I’m going to log in to my system as that Plain Jane user account.
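The RID rule (500, 501, 1000) and the never-logged-on accounts just discussed are exactly what a defender should look for in their own user dump before anyone else does. The script below is an added example, not from the course or from DumpSec: it reads a constructed tab-separated table modelled on the fields the lecture walks through (the real DumpSec layout may differ), finds the built-in administrator by RID regardless of its name, and flags password-less and never-used accounts.

```python
"""Triage a DumpSec-style user dump the way a defender would.

Added example, not from the course or DumpSec. The input is a constructed
tab-separated table modelled on the fields the lecture walks through; the RID
rules are the ones it cites (500 = built-in administrator whatever its name,
501 = Guest, 1000 = first ordinary user).
"""
from __future__ import annotations
from dataclasses import dataclass

WELL_KNOWN_RIDS = {500: "built-in Administrator (even if renamed)", 501: "Guest"}

@dataclass
class Finding:
    user: str
    rid: int
    reason: str

def rid_of(sid: str) -> int:
    """The RID is the last sub-authority of the SID: S-1-5-21-...-500 -> 500."""
    return int(sid.rsplit("-", 1)[1])

def triage_user_dump(text: str) -> list[Finding]:
    """Parse 'UserName<TAB>Sid<TAB>PswdRequired<TAB>LastLogonTime' rows and flag risks."""
    lines = [l for l in text.strip().splitlines() if l.strip()]
    header = lines[0].split("\t")
    findings: list[Finding] = []
    for line in lines[1:]:
        row = dict(zip(header, line.split("\t")))
        name, rid = row["UserName"], rid_of(row["Sid"])
        if rid in WELL_KNOWN_RIDS:
            findings.append(Finding(name, rid, f"RID {rid} is the {WELL_KNOWN_RIDS[rid]}"))
        if row["PswdRequired"].lower() == "no":
            findings.append(Finding(name, rid, "no password required"))
        if row["LastLogonTime"].lower() == "never":
            findings.append(Finding(name, rid, "never logged on: stale hire or planted account"))
    return findings

# Constructed sample: a renamed administrator, Guest, and the two password-less users from the demo.
SAMPLE = """UserName\tSid\tPswdRequired\tLastLogonTime
sadmin\tS-1-5-21-1111-2222-3333-500\tYes\t1/12/2016 9:02 AM
Guest\tS-1-5-21-1111-2222-3333-501\tNo\tNever
PlainJane\tS-1-5-21-1111-2222-3333-1000\tNo\tNever
Backdoor\tS-1-5-21-1111-2222-3333-1001\tNo\tNever
"""

if __name__ == "__main__":
    for f in triage_user_dump(SAMPLE):
        print(f"{f.user} (RID {f.rid}): {f.reason}")
```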

So I log off as administrator, click OK, and I’m going to press Ctrl+Alt+Insert, and I’m going to log on as Plain Jane. When I click OK, it goes ahead and logs me in. But as you can imagine, we only have access to various functions. Now, if we did indeed have access as administrator, the first thing that’s going to pop up is Configure Your Server. But I can go in here, drill down in my lab folders, and I’m going to drill down to a little utility called GetAdmin. Now, GetAdmin is a privilege escalation tool. I’m going to simply take the Plain Jane user and move it over here to this side. I’m going to click OK, and it says, excellent, successful. Surely that didn’t work, did it? Well, let’s try it. We’re going to need to log off and log back on as Plain Jane. And if we really did get administrator privilege, there’s Configure Your Server. Oh, there it is. All right. Now, this particular vulnerability has been patched. Of course, it wouldn’t be a very good demonstration if it didn’t work, would it? I just wanted to show you a vulnerability and how we can demo that with a privilege escalation.
