ECCouncil CEH V9 312-50 – Enumeration – What Can We Get For Free?

  1. Intro to Enumeration

In this section we’ll discuss the definition of enumeration. We’ll discuss grabbing banners, Shodan, zone transfers, DNS enumeration, SNMP enumeration and its countermeasures, null sessions, and NetBIOS-compatible machines as well.

  2. Grabbing Banners

Now, the first thing we want to talk about in our enumeration chapter is grabbing banners. Grabbing banners is a very common technique because most pieces of software will provide a banner to the client so the client knows how to configure itself to make a request. The hacker is not going to use it that way. The hacker is going to use that information to determine what kind of operating system and software version is actually running. To give you an example, we could use Telnet to connect to a web server on port number 80, press Enter a few times, and we’ll get an error showing which web server is running. You can see on this one right here it’s IIS 5.0, and if you have that one, that one’s about as open as Swiss cheese. But it’s a good example of how we grab a banner. We typically use Telnet or some banner-grabbing software to do this.

So I’m going to open up the online lab and let’s go ahead and open up a couple of machines. Just to demonstrate this, I’m going to open up an older version of Windows, Windows 2000, just for grins and giggles. Press Ctrl+Alt+Insert and log in so that I’ll be able to determine what the IP address of this particular machine is. And it looks like this one is at IP address 1041 156. I’m going to just use my XP attacker because it’s very convenient right here and it automatically has a telnet client in it. If you use Windows 7 or above you have to install the telnet client.

So it just kind of saved me a little bit of time. It’s exactly the same. Let me go ahead and just open up a command prompt here and I’ll type in telnet and the IP address of our Windows 2000 machine. And I have to put in the port number after this because Telnet, if you recall, is going to try and connect on port number 23. I want to try and connect on port 80. I’m going to hit Enter two or three times quickly and press Escape. And you can see right here it’s returned the banner telling the client how to connect to that server: it’s IIS 5.0. This is called grabbing a banner. Now, grabbing banners is more of a fingerprinting technique.

The term fingerprint comes from old-fashioned police work. It refers to any trace, in other words a fingerprint, that could be used for identification purposes. Banner grabbing essentially relies on a malformed or empty TCP request that is sent over to a target machine. The response, in most cases an error, is then captured and analyzed for identification. In some scenarios, a simple connection request could be enough. Linux would respond differently than Windows; Apache and IIS (Internet Information Services) will reply differently as well. Valuable information is excavated out of nothing but a harmless, rather friendly message. As you can see, there are some other things that we need to do if we do this over telnet. So we typically rely on grabbing a banner with a banner tool.

Sam Spade is a free utility containing tools to gather information on Internet hosts, analyze email headers, display website code, and perform other types of tasks. Sam Spade is also called the Swiss Army knife of network analysis. Most of the functionality contained in Sam Spade is available in other utilities as well, usually command line, but Sam Spade puts them all into a single graphical user interface that allows one to concentrate on the problem at hand and not worry so much about the different tools needed for the particular task one is working on. Sam Spade also has built-in logging capabilities that are very handy in chronicling an investigation.

Sam Spade for Windows is free. This version of Sam Spade is on your CD. This tool called SuperScan from Foundstone is also a free tool and it’s also available on the CD that came with this course. Notice it can do a number of different things, like an HTTP HEAD request, which is a banner grab. It can also do things like a zone transfer, which we’ll look at in a couple of moments. If you use Windows 2003 and above you’re going to need to use a piece of software to grab that banner. Now, banners can be grabbed from things other than just a web server; they can be grabbed from an email server. It tells us the version of our email server and a number of other things.
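As an added example (not from the course or the tools on its CD), here is a small Python script that does in code what the telnet demo does by hand, a HEAD request, and then does what a defender should do with the result: parse the Server header and report whether a version is disclosed. The sample responses are constructed; the first mirrors the IIS 5.0 banner the Windows 2000 machine returns. The helper name grab_http_banner and its host/port parameters are my own.

```python
import re
import socket

# Constructed sample responses in the shape a HEAD request returns over
# telnet; the first mirrors the Windows 2000 / IIS 5.0 demo. Not real captures.
SAMPLE_RESPONSES = {
    "win2000": "HTTP/1.1 400 Bad Request\r\nServer: Microsoft-IIS/5.0\r\n"
               "Content-Type: text/html\r\n\r\n",
    "apache_verbose": "HTTP/1.1 200 OK\r\nServer: Apache/2.4.29 (Ubuntu)\r\n\r\n",
    "apache_trimmed": "HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n",
    "no_banner": "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n",
}


def parse_banner(raw):
    """Return (product, version) from the Server header; (None, None) if absent."""
    for line in raw.split("\r\n")[1:]:      # skip the status line
        if not line:                         # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            m = re.match(r"\s*([A-Za-z0-9_-]+)(?:/(\S+))?", value)
            if m:
                return m.group(1), m.group(2)
    return None, None


def assess(raw):
    """Defender's verdict: what does a banner grab of this response reveal?"""
    product, version = parse_banner(raw)
    if product is None:
        return "no Server header"
    if version is None:
        return f"{product}: product only, version withheld"
    return f"{product} {version}: version disclosed"


def grab_http_banner(host, port=80, timeout=5):
    """Hypothetical helper: the telnet demo in code. Connect, send HEAD,
    return the raw header block. Point it at servers you are responsible for."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n" % host.encode())
        data = b""
        while b"\r\n\r\n" not in data:
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
    return data.decode("latin-1")


if __name__ == "__main__":
    for label, raw in SAMPLE_RESPONSES.items():
        print(f"{label:15} -> {assess(raw)}")
```

Run it as-is to see the verdict for each constructed response, or pass the string returned by grab_http_banner for one of your own hosts to assess.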

  3. Shodan

Now wouldn’t it be really nice if someone were to grab all of the banners that were available in the IPv4 address space? We have about 4 billion different addresses. If we were to start with IP address one and grab the popular banners and save them to, let’s say, an SQL database, then go to IP address two, save the popular ones of that one to the database, and so on all the way through all of our IP addresses. Well, somebody has thought of that. Welcome to Shodan. Shodan is our pre-grabbed banners, all kept in an SQL database ready for searching. Let’s take a look at how that might work for us. Now in recent years Shodan has gone to calling itself the search engine for the Internet of Things: for webcams, for refrigerators, whatever is on the Internet. Let’s go ahead and take a look at some of the things that we can look at here. Let’s just try one that I did at a conference one time: I’m going to type in ESX.

Now, ESX really shouldn’t be on the Internet per se. It should be behind a firewall and things of that nature. Nobody’s going to be silly enough to do that, are they? We click on Search right here. We can see that there are a number of people that have ESX in their banners; notice that the United States has 192 of them, Germany 31, and so on. So I’m just simply going to take a look at some of these and see if I can get into them. This one right here is definitely a VMware server. So these are the ports that it’s scanned on, its key algorithms, what it’s going to use to get in, what kind of VMware it is. All of this was grabbed from a banner. Look at all the information that it’s actually giving us.

And the best part about this is we haven’t touched their website directly. Here are the ports that are open: 22, 123, 161, 443 and 902. 902 is a popular port in VMware. And so I know this server is placed directly on the Internet. Let’s see if I can get access to it. For grins and giggles here, I need to use HTTPS because it doesn’t have port 80 open, as you can see. So I want to connect to it this way. Let’s see if it’ll work. Okay, the connection is not secure. That’s really good news for me. Add an exception. Go ahead, confirm the exception. And this is not good, folks.

This is not good at all. I can download the VMware client, the vCenter client. I can even go into the Linux installer, browse datastores in this directory. I’m actually touching their VMware server right here as an example. Now from this opening screen right here, let’s go ahead and just click on Exploits. And this is looking for exploits on ESX. Guys, I tell you what, it’s got 66 CVEs, and that stands for Common Vulnerabilities and Exposures. And we could look up the exploit for each one of these and attack these servers. Exploit-DB: there’s one exploit. And this one right here: multiple information disclosure vulnerabilities. This one here: ESX one five to two before patch four. VMware Consolidated Backup, that’s available to us; ESX 4.0 and 4.1 allow remote attackers to cause a denial of service. And we could just simply go on down through here and pick and choose the ones we want to attack. I mean, this right here is very, very concerning.

And the biggest concern is for the Internet of Things. The Internet of Things is going to be the bane of our existence. You can quote me on that, because I guarantee it’s going to be true. When we go down to our favorite electronics store, let’s say it’s Best Buy or let’s say it’s Fry’s Electronics here in the US, and we purchase an inexpensive webcam or an inexpensive doorbell or something like that that hooks up to our Internet, those individual pieces of software, or I should say firmware, that are actually embedded in the device are generally not updated.

And so, consequently, when somebody buys that, the company is registered more than likely out of Taiwan or perhaps out of China, and it’s not in their best interest to go ahead and upgrade them when they find a bug. So there are going to be hundreds of thousands of bugs that are available on the Internet of Things as we move through this process, and it’s very easy to find them right here with Shodan. I could click on this Explore feature here. It gives us the various keywords that we want to use: industrial control systems, databases, video games. And this is a very good example of the piece of software on the Internet we call Shodan.

  4. Zone Transfers

The next thing I want to talk about is zone transfers. And while it’s not really legal for me to go out and do a zone transfer against just anybody, I have a friend of mine at Digi Ninja who’s created a zone transfer domain so we can see exactly what it looks like. And so I’m going to go ahead and demonstrate that. I’m going to do this in our online lab and I’m just simply going to open up a fresh command prompt and I’m going to move that up to the root so it’s easier for me to see. And I’m going to type in nslookup. Before I actually do all this, let’s go ahead and see how we might be able to get access to that by going out to CentralOps.net, and I’m going to put in as the domain zonetransfer.me.

I’m going to click on Go and I’m going to look for a service scan and a traceroute. Now, if you recall from our previous demonstration on this, I am very interested in this particular server right here because it contains the SOA record. So that’s the server that I want to use. So I’m going to click on Copy, type nslookup, press Enter, and notice that it’s already attached to my default server on the Internet. This is the one that I’m using for my DNS, which is Google’s.

So I’m going to just simply type in server and put in nsztm1.digi.ninja. Now you notice right here, it’s no longer attached to Google’s 8.8.8.8, it’s attached to their DNS server. There is actually nothing that stops you from attaching to anyone’s DNS server. But it would be, as my grandmother would say, just not done. Well, it’s typically not done because you’re using their resources.

You should be using a public one that’s meant to be attached to, like Google’s, or perhaps your own. But I’m going to do something a little bit differently with this. I’m going to attach to the SOA server.

And if you recall, we knew it was the SOA server from CentralOps. I’m attached to the SOA server, or the primary server, and I’m going to try and coerce it to do a zone transfer to me as if I were a secondary DNS server. So let’s see if I can get it to do that. I’m going to type in set type=any because I want all of the records, and I’m going to do an ls -d on the zone that I want to transfer, and that zone was zonetransfer.me.

Now as you can see, this right here would not be good if this was actually a legitimate domain, because it’s revealed all of its internal, or possibly external, DNS names. Now you might say, well Tim, that’s fine, but what good is that really going to do? Because all you have is a particular IP address and a name; you still don’t know what the credentials are to get in.

That’s true. That’s absolutely true. But we, as systems administrators, will typically name the machine for the function that it does. So payroll might be named payroll, HR might be named HR. And as we talked about in the last section, having an HR database or a payroll database where we get the Social Security number, the full legal name and address, and birth date of an individual, that’s all I need to steal their identity.
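As an added example (my own code, not part of the course), here is a Python audit of what an ls -d zone dump hands to an outsider: it parses the dump in the layout nslookup prints and flags two things the passages above describe, host names that reveal their function (payroll, HR) and A records that point into private address space. The dump is constructed with made-up names and documentation/RFC 1918 addresses; it is not the real zonetransfer.me zone, and the keyword list is my own starting point.

```python
import ipaddress
import re

# Constructed sample in the layout nslookup's "ls -d" prints. Names and
# addresses are invented (RFC 1918 and 192.0.2.0/24), not the real zone.
SAMPLE_DUMP = """\
[nsztm1.digi.ninja]
 zonetransfer.me.                SOA    nsztm1.digi.ninja hostmaster.zonetransfer.me. (2014101601 172800 900 1209600 3600)
 www                             A      192.0.2.10
 mail                            MX     10 mail.zonetransfer.me
 payroll                         A      10.20.30.40
 hr-db                           A      10.20.30.41
 vpn                             A      192.0.2.20
"""

# Labels that tell an outsider what a host is for (assumed list, extend for your naming scheme)
SENSITIVE_WORDS = ("payroll", "hr", "finance", "vpn", "backup", "intranet", "db", "sql")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_zone_dump(text):
    """Return (name, type, rdata) tuples; the [server] line at the top is skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split(None, 2)
        if line.startswith("[") or len(parts) < 3:
            continue
        records.append((parts[0].rstrip("."), parts[1].upper(), parts[2].strip()))
    return records

def audit_zone(records):
    """Flag what a zone transfer gives away: function-revealing names and
    A records pointing into private space (internal names leaked outside)."""
    findings = []
    for name, rtype, rdata in records:
        labels = re.split(r"[-.]", name.lower())
        hits = [w for w in SENSITIVE_WORDS if w in labels]
        if hits:
            findings.append((name, "function-revealing name: " + ", ".join(hits)))
        if rtype == "A":
            try:
                addr = ipaddress.ip_address(rdata)
            except ValueError:
                continue
            if any(addr in net for net in RFC1918):
                findings.append((name, "internal address exposed: " + rdata))
    return findings

if __name__ == "__main__":
    for name, why in audit_zone(parse_zone_dump(SAMPLE_DUMP)):
        print(f"{name:10} {why}")
```

Feed it the saved output of an ls -d against your own zone to see which names you would want to rename or move to an internal-only view, in addition to restricting transfers to your secondaries.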

And let’s say I go into 3M Corporation; I’m just making that up as an example. And I was able to get access to their payroll records, and they had 100,000 people that I was able to grab all that information from. Information like a Social Security number, date of birth, and your full legal name and address is worth about $10 on the black market. So if I transfer 100,000 of them, I’ve just made myself a millionaire. That’s exactly what they’re trying to get. On to other things.
