EC-Council CEH 312-50 v10 – Enumernation – What Can We Get For Free?
In this section we’ll discuss the definition of enumeration. We’ll discuss grabbing banners, shot in zone transfers, DNS enumeration SNP enumeration and countermeasures null sections. Net BIOS compatible machines as well.
Now, the first thing we want to talk about in our enumeration chapter is grabbing banners. And grabbing banners is a very common technique because most pieces of software will provide a banner to the client so they know how to configure themselves to be able to make a request. Now the hacker is not going to do this. The hacker is going to use that information to determine what kind of operating system and software version is actually running. To give you an example, we could use a command to use Telnet web server and port number 80. Hit it a few times and we’ll get an error showing that the web server is running. And you can see on this one right here is 50. And if you have that one, that one’s about as open as Swiss cheese. But it’s a good example of how we grab a banner. We typically use Telnet or some banner grabbing software to do this with.
So I’m going to open up the online lab and let’s go ahead and open up a couple of machines. Just to demonstrate this, I’m going to open up an older version of Windows 2000 just for grins and giggles, press CTRL Alt Insert and log in so that I be able to determine what the IP address of this particular machine is. And it looks like this one is at IP address 1041 156. I’m going to just use my XP attacker because it’s very convenient right here and it all automatically has a telnet client in it. If you use your Windows seven or above, you have to install the telnet client. So it just kind of saved me a little bit of time. It’s exactly the same. Let me go ahead and just open up a command prompt here and I’ll type in Telnet, the IP address of our Windows 2000 machine.
And I have to put in the port number after this because Telnet, if you recall, is going to try and connect on port number 23. I wanted to try and connect on port 80. I’m going to hit it or three times quickly and press Escape. And you can see right here it’s returned. The banner telling it how to connect to that server it’s going to use is 50. This is called grabbing a banner. Now, grabbing banners is more of a fingerprinting technique. The term fingerprint comes from an old fashioned police work. It refers to any trace, in other words, fingerprints that could be used for identification purposes. Banner grabbing essentially relies on a morphed or empty TCP packet that are sent over to a target machine.
The response is in most cases, an error is then initialized and analyzed for identification. In some scenarios, a simple connection request could be exploited. Linux would respond differently than Windows Apache and IIS. Internet Information Services will reply differently as well. Valuable information is excavated out of nothing but a harmless, rather friendly message. When you can see there are some other things that we need to do if we do this over telnet.
So we typically rely on grabbing a banner from a banner tool. Sam Spade is a free utility containing tools to gather information on internet host, analyze email headers, display website code, perform other types of tasks. Sam Spade is also called the Swiss Army Knife of network analysis. Most of the functionality contained in Sanskade is available in other utilities as well, usually command line. But Sam Spade puts them all into a single graphical user interface that allows one to concentrate on the problem at hand and not worries so much about the different tools needed for the particular task one is working on. Sansbade also has built in logging capabilities that are very handy in chronicling an investigation. Sansa for Windows is free.
This version of Sansbade is on your CD. This tool called Super Scan from Found Stone is also a free tool and it’s also available on your CD that came with this course. Notice it can do a number of different things like an Http head request which is a banner grab. It can also do things like a zone transfer that we’ll look at in a couple of moments. If you’re, you use Windows 2003 and above you’re going to need to use a piece of software to grab that banner. Now the banners can be grabbed things other than just a web server, they can be grabbed on an email server. It tells us the versions of our email server and a number of other things.
Now wouldn’t it be really nice if someone were to grab all of the banners that were available in the IP version for address space? So we have about 4 billion different addresses. If we were to start with IP address one and grab the popular banners and save them to, let’s say an SQL database, then we’d go to IP address two, save the pop popular ones of that one to a database and so on all the way through to all of our IP addresses. Well, somebody has thought of that. Welcome to Shoran. Showed in our pre grabbed banners, all kept in an SQL database ready for searching. Let’s take a look at how that might work for us.
Now in recent years, Shooting has gone to calling themselves the Internet of Things, the search engine for the web, for Webcams, for refrigerators, whatever is on the Internet. And let’s go ahead and take a look at some of the things that we can look at here. Let’s just try one that I did in a conference one time and I’m going to do ESX. Now, ESX really shouldn’t be on the Internet per se. It should be behind a firewall and things of that nature. Nobody’s going to be silly enough to do that, are they? We click on Search right here. We can see that there are a number of people that have ESX in their notice that the United States has 192 of them, Germany 31 and so on.
So I’m just simply going to take a look at some of these and see if I can get into them. This one right here is definitely a VMware server. So these are the ports that it’s scanned on its key algorithms, what it’s going to use to get in what kind of VMware it is. All of this was grabbed from a banner. Look at all the information that’s actually giving us. And the best part about this is we haven’t touched their website directly. Here are the ports that are open 22, 123, 161, 443 and 902. 902 is a popular port in VMware and so I know this server is placed directly on the Internet.
Let’s see if I can get access to it. For grins and giggles here, I need to use the Https because it doesn’t have an 80 as you can see. So I want to connect to it this way. Let’s see if it’ll work. Okay, the connection is not secure. That’s really good news for me. Add an exception. Go ahead, confirm the exception. And this is not good folks.
This is not good at all. I can download the VMware client, the V center. I can even go into the Linux installer, browse data stores in this directory. I’m actually touching their VMware server right here as an example. Now from this opening screen right here, let’s go ahead and just click on Exploit. And this is looking for exploits on ESA. Guys, I tell you what it’s got? 66 CBEs. And that stands for Common Vulnerabilities and Exposures. And we could look up the exploit for each one of these and attack these servers. Exploit DB. There’s one exploit. And this one right here.
Multiple information disclosures for vulnerability. This one here, ESX one Five to Two before patch four A VMware consolidated backup that’s available to us, ESX 40 and four one allow remote attackers to cause a denial of service attack. And we could just simply go on down through here and pick and choose the ones we want to attack. I mean, this right here is very, very concerning. And the biggest concern is for the Internet of Things.
And the Internet of Things is going to be the bane of our existence. You can quote me on that because I guarantee it’s going to be true when we go down to our favorite electronics store, let’s say it’s Best Buy or let’s say it Fries electronics here in the US. And we purchase an inexpensive webcam or an inexpensive doorbell or something like that that hooks up to our Internet. Those individual pieces of software, or I should say firmware, that are actually embedded in the device are generally not updated. And so, consequently, when somebody buys that, the company is registered more than likely out of Taiwan or perhaps out of China.
And it’s not in their best interest to go ahead and upgrade them when they find a bug. So there’s going to be hundreds of thousands of bugs that are available on the Internet of Things as we move through this process, and it’s very easy to find them right here with Shodin. I could type in this Explorer feature here. Gives us the various keywords that we want to use. Industrial control systems, databases, video games. And this is a very good example of the piece of software on the Internet we call Shot.
The next thing I want to talk about is zone transfers. And while it’s not really legal for me to go out and do a zone transfer to anybody, I have this friend of mine at Digi Ninja who’s created a zone transfer domain so we can see exactly what it looks like. And so I’m going to go ahead and demonstrate that. I’m going to do this in our online lab and I’m just simply going to open up a fresh command prompt and I’m going to move that up to the root so it’s easier for me to see. And I’m going to type in Nslookup before I actually do all this. Let’s go ahead and see how we might be able to get access to that by going out to Central Ops net and I’m going to put in as the domain and that is zone transfer me. I’m going to click on Go and I’m going to look for a service scan and a trace route.
Now, if you recall from our previous demonstration on this, I am very interested in this particular server right here because it contains the SOA record. So that’s the server that I want to use. So I’m going to click on Copy in S, Lookup, press Enter, and notice that it’s already attached to my default server on the Internet. This is the one that I’m using for my DNS, which is Google’s. So I’m going to just simply type in server and put in Nsztm One dija. Now you notice right here, it’s no longer attached to eight eight, it’s attached to their DNS server. There is actually nothing that stops you from attaching to anyone’s DNS server. But it would be kind of like my grandmother would say, it’s just not done.
Well, it’s typically not done because you’re using resources off of them. You should be using a public one that’s meant to be attached to like Google’s or perhaps your own. But I’m going to do something a little bit differently with this. I’m going to attach to the SOA server.
And if you recall, we knew it was the SOA server here from Central Ops. I’m attached to the SOA server or the primary server, and I’m going to try and coerce it to do a zone transfer to me as if I was a secondary DNS server. So let’s see if I can get it to do that. I’m going to type in set type equals any because I want all of the records and I’m going to do a LSD to the zone that I wanted to transfer and that zone was zone transfer me. Now as you can see, this right here would not be good if this was actually a legitimate because it’s revealed all of its internal or possibly external DNS names.
Now you might say, well Tim, that’s fine, but what really good is that going to do? Because all you have is a particular IP address and a name, you still don’t know what the credentials are to get in. That’s true. That’s absolutely true. But we, as systems administrators, will typically name the machine for the function that they do. So payroll might be named payroll, HR might be named HR.
And as we talked about in the last section, having an HR database or having a payroll database where we get the Social Security number, the full legal name and address, and birth date of an individual, that’s all I need to steal their identity. And let’s say I go into three m corporation. I’m just making that up as an example. And I was able to get access to their payroll records, and they had 100,000 people that I was able to grab all that information from. Information a Social Security number, date of birth, and your full legal name and address is worth about $10 on the black market. So if I transfer 100,000 of them, I just made myself a millionaire. That’s exactly what they’re trying to get. I’m on other things.
Now, if you recall, the reason that we actually are in this chapter is because the enumeration is what it can give up for free. In other words, we haven’t logged in to our system. It just simply gives this information up and you’ll start to see a lot of information that really we shouldn’t be giving out. Let’s take, for example, SNMP Insecurity. Now, SNMP actually comes in versions one, two, and three, but you’ve got to use the lowest comma denominator in your environment, and that generally is SNMP version one. And SNMP version one doesn’t even require a password. Password is actually public and it’s just in clear text. It’s very easy to get.
So the SNMP is an Internet standard protocol for managing devices on IP networks. Devices that typically support SNMP include routers switches, servers, workstations, printers, modem racks, and a whole lot more. Is used mostly in network management systems to monitor network attached devices for conditions that warrant administrative action. SNMP is a component of the Internet Protocol Suite as defined by the Internet Engineering Task Force, or IETF. It consists of a set of standards for network management, including an application layer protocol, a database schema, and a set of data objects.
Now, SNMP exposes management data in the form of variables on the managed systems which describe the system configuration. These variables can then be queried and sometimes set by managing applications. Some of the managing applications might be tivoli from IBM or HP open View. There are several tools that we can use to enumerate SNMP, and I’m going to show you one of them here. In just a second, I’m going to use our online lab and get access to a couple of servers that I have installed the SNMP agent on. The advantage to using the online lab is you don’t have to set anything up.
Everything is already installed for you. So let’s go ahead and go into our XP attacker, and I’m going to want to target the one I put my agent on, and I put an agent on this. 110 41 156. Okay, so I’m going to click here under Net Tools and I’m going to pick look at Land. This is a really neat little utility, but it’s very noisy. That means your IDs will know you’re using this. But if it’s your own system, I use this all the time. I’m going to create a new profile and I’m going to tell it that I want to get access to everything that is on this 10 41 52 using that list.
So I’m going to click on this and you’re going to see quite a few little machines on here, and you’ll also see any of them that have the SNMP agent on it because it will actually turn on. It’s going to do a port scan, of course, but I’m more interested in the look at Land details. And let’s expose just a little bit of what we’re looking at here. It tells us all of our network interfaces, tells us our TCP IP networks, the routes that are in our IP that are in the server, the protocols that we are using, the type of CPU we have, and for God’s sakes, user accounts, too. Oh my gosh. It shows us any shares that we have on our system, the services that we are running.
So if we know any of those services to be vulnerable, we can attack those. How many drives that we have, how much virtual memory, the devices that we have on our system, processes that are running on our system. If any of those are available to attack, we can do that. Any instance, installed software on our system. All right? And it gives us some land manager information as well. So as you can see, it gives us a tremendous amount of information by just simply asking for it. That’s all we needed to do.
Let’s talk about some of the countermeasures to SNMP enumeration, because you saw how easy it is to get. First off, don’t install the management and Monitoring Windows component if it’s not going to be used. It’s senseless to do that because just somebody can do exactly what I did. In case it is required, ensure that only legally authorized persons have access to it. Else it might be turned into an obvious backdoor. You can basically edit the registry permit only approved access to the SNMP community name. In other words, only certain IP addresses like your Tivoli or your HP open view. Change the community name to properly configured ones, preferably with private community names, not the default of public. Whereas possible restrict access by the SNMP agent.
By restriction, we mean allowing SNMP requests from only specific addresses, again like our Tivoli or HP Open View. Additionally, these requests should be restricted to only read only wherever possible. All these configurations can be done by changing the properties of the SNMP service. Authenticate encrypt using IPsec if you can using SNMP version one, you may not have adequate authentication and encryption facilities built in, but this is where IPsec can come to the rescue. IPsec policies can be defined in the monitored systems and management stations so that all SNMP traffic is authenticated or encrypted. You can also collect traps if SNMP is enabled.
Monitor the windows event logs. Effective auditing can actually raise your level of security. Then let’s talk about active directory enumeration. Although there are several security vulnerabilities exist in Active Directory, a hacker interested in enumerating it is only really focusing on one function a dump of the tree. All existing users and groups could be enumerated with a simple LDAP query tool like Microsoft’s LDP Tool. The only thing required to perform this enumeration is to create an authenticated session via LDAP, so any person session will typically work. Connect to any active directory server using LDP port 389. Authenticate yourself using Guest or any domain account. Now, all of the users and built in groups can be enumerated.
Here’s a good example of using the LDP tool. This is found on our Windows support tools. It’s a utility that you can use to query the Active Directory and dump all of the names. Let’s finish up with a few countermeasures. First and foremost, filter access to TCP ports 389 and 32 68 as a network border. Don’t allow this information to go out of your network. Unless you plan on exporting ad to the world, no one should have unauthenticated access to the directory. To prevent this information from leaking out to unauthorized party on internal semi trusted networks, permissions on the ad need to be restricted. This is something called Our filtering.
The difference between legacy compatible mode, which is read or less secure, and the native server 2003 and above essentially boils down to the membership of the built in local pre Windows 2000 compatible access group. The pre Windows 2000 compatible access group has the default access permission to the directory. Now, I can’t tell you the number of times I have seen people upgrade, upgrade, upgrade, upgrade and upgrade all the way to, let’s say, Server 2012, but it still allows the Everyone group or the anonymous login into the pre Windows 2000 compatible access group.
This is something you definitely need to check on your system to make sure that it is taken out. These special identities include authenticated sessions with anyone, including null sessions, and we’ll give you an example of that in a few seconds. By removing the Everyone and anonymous login group for the pre Windows 2000 compatible access and then rebooting the domain controllers. The domain operates with greater security.
Now folks, I’m going to go back in time just a little bit because I have seen this on the test. Even though they’re not really supported any longer with Windows Nt and all the way up to Windows 2003, able to support something called a null session and an old session is particularly evil when you see how much information I’m going to be able to get. Now Null session is an anonymous connection freely accessible by network share called IPC on the Windows based servers. It allows immediate read and write access on Nt in 2000 and read only access with XP in 2003. Now you’re going to see how much information I actually grab from here when I do this. Let’s first go over the syntax that I’m going to use. I’m going to type in net use and I’m going to use the Windows 2000 server.
And I know that’s very old, but this is for just a demonstration. Backslash, backslash and then IPC space, double quote, double quote space forward slash, ultimate double quote. Now let’s go ahead and see this in action. I’m pulling up our online lab and you’ll be able to see what it looks like. So I’m going to simply type in net use the IP address of the target machine which is our Windows 2000 server. 1156 IPC dollar sign space, double quote Ucolan. Now before I actually implement this, I’m going to do a couple of things on our Windows 2000 server.
On the server I’m going to go in by just simply clicking on Manage and I’m going to go down to our local users. And you can see I only have a few users in here. So I’m just going to add a couple of users. I’m going to create one called Plain Jane. I’m not going to give Plain Jane a password, all right? And I’m just simply going to click on Create. I’m then going to create one called Backdoor and I’m going to not give it a password, but Backdoor. I’m going to make a member of the local administrators group. Okay, now I’m going to change the administrator’s name. I’m just simply going to rename this to something other than administrator. I’m going to call this how about just S admin, all right? For super admin.
Okay, now I’m going to just minimize this and I’m going to do our null attach to that server. You can see it says Command completed successfully. That’s great. I’m going to next open up one of my tools and the tool name is called Dump SEC. Again, all of these tools are on the CD that I will make available for you on class or if you’re running it in the online lab, all the tools are already installed. The next thing I’m going to do is click on Report, select Computer and I’m going to use the IP address of the computer that I’ve done and all attached to 1041 156.
And if all goes well, that should appear up in the title bar of your machine. Now I’m going to click on Report and I’m going to dump my users as a table. I’m going to take all of the available fields right here and click added at every single one of them over here to the right hand side and I’m going to click OK. You can see we’re going through the users right here. And when it finishes, you’ll be able to tell I have dumped all of my users here. And the most important part, if I scroll all the way over to the right hand side, the user that ends in Sid 500 is indeed my super user. The 501 indicates the guest account and 1000 is the very first user. This is a test question, so you need to be aware of this.
500 is the built in administrator account. 501 is the guest account. And 1000 starts the very first user account. So I can tell what we’ve renamed my administrator to and I can start attacking that. And the administrator by default cannot be locked out locally. So I can sit there and hammer on that all day long until I guess the password. Now let’s see what else it gave away for free.
All right. It tells me that I have access to a group comment, the group type, the full name, the account type, a comment on the account, what home directories we have access to, the profile, the login script, what workstations. We can log on to. Passwords can be changed, yes or no. Password was last set date and password required. Password expires account is disabled, yes or no. And most important of everything is the last log on time.
Now I tell you right now, folks, I could go into your organization right now and pretty much guarantee you that I can find accounts that have never been logged into before. If you know much about that organization, you probably also know what the password is. I have no problem supplying the password. If I know they’ve never been logged on, then more than likely what’s happened is we made some hire for somebody that’s going to be coming into our organization and for some reason or another they didn’t show up on Monday. Maybe they got offered more money to stay. Maybe the boss sweetened the pie somehow.
Or maybe their wife just said, I’m not leaving, mother. Whatever the case may be. You being the security minded, diligent individual that you are, naturally called back to the security department and had them take out that individual user account. But if you did, kudos to you. You’re actually much further ahead than most people are because they generally don’t do that. Let’s go over and see what we could do with just a plain Jane user account. I’m going to log in to my system as that plain Jane user account. So log off as administrator, click OK and I’m going to press CTRL Alt Insert, and I’m going to log on as Plain Jane. When I click OK, it goes ahead and logs me in.
But as you can imagine, we only have access to various functions. Now, if we did indeed have access as administrator, the first thing that’s going to pop up is configure your server. But I can go in here, drill down in my lab folders, and I’m going to drill down to a little utility called Get Admin.
Now, Get Admin is a privilege escalation tool. I’m going to simply take the Plain Jane user and move it over here to this side. I’m going to click OK, and it says, excellent, successful. Surely that didn’t work, did it? Well, let’s try it. We’re going to need to log off and log back on as Plain Jane. And if we really did get administrator privilege, they configure your server. Oh, there it is. All right. Now, this particular vulnerability has been patched. Of course, it would be a very good demonstration if it didn’t work, would it? I just wanted to show you a vulnerability and how we can demo that with a privilege escalation.
Popular posts
Recent Posts