Chapter 6 Enumeration Flashcards

1
Q

Phase 3: Enumeration

A

process of extracting info from target in an organized and methodical manner by initiating active connections (may be crossing legal boundaries)

Info includes:

  • strengths & weaknesses of system;
  • NW resources & shares
  • Users & groups
  • routing tables
  • machine names
  • apps & banners
  • SNMP & DNS details
  • ARP tables
  • traffic stats
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Enumeration Techniques

A

1) Extracting info from Email IDs
2) Obtaining info through Default PWs
3) Using Brute-force attacks on Directory Services
4) Exploiting SNMP
5) Working w/ DNS Zone Transfers
6) Capturing User Groups

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

1) Extracting info from Email IDs

A

used to obtain username & domain name info

e-mail address contains two parts, the first before @ is username, and after @ is the domain

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

2) Obtaining info through Default PWs

A

every device has default settings in place

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

3) Using Brute-force attacks on Directory Services

A

a directory service is a DB that contains info used to administer the NW; many directories are vulnerable to input verification deficiencies that may be exploited in discovering & compromising user accounts

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

4) Exploiting SNMP

A

The Simple NW Mgmt Protocol can be exploited by an attacker who can guess the strings & use them to extract usernames

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

5) Working with DNS Zone Transfers

A

Zone transfer in DNS is used to synchronize server info; contains info that could map the NW

info could fall into wrong hands

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

6) Capturing Users Groups

A

extract user accounts from specified groups, storing the results, & determining whether the session accounts are in the group

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Windows

A

designed to be used as either stand-alone or in networked environment; the following will be assumed for NW setup only

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Define users

Processes in Windows are run under one of the following user contexts:

A

Users are most responsible for controlling access to the system

1) Local Service - user account w/ high than normal access to the local system but only limited access to the NW
2) NW service - A user account w/ normal access to the NW but only limited access to the local system
3) System - A super-user style account that has nearly unlimited access to the local system
4) Current User - The currently logged-in user, who can run applications & tasks but is still subject to restrictions that other users are not subject to. The restrictions on this account hold true even if the user account being used is an Admin account

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

Groups

Default Groups in Windows:

A

groups are used to simplify mgmt; they are effective admin tools that enable mgmt of multiple users;

1) Anonymous Logon Designed - to allow anonymous access to resources; typically used when accessing a web server or web applications
2) Batch - used to allow batch jobs to run schedule tasks, such as a nightly cleanup job that deletes temporary files
3) Creator Group - Windows 2000 uses this group to automatically grant access permissions to users who are members of the same group(s) as the creator of a file
4) Creator Owner - the person who created the file is a member of this group. Windows 2000 & later uses this group to automatically grant access permissions to the creator of the file
5) Everyone - All users are members of this group; This group is used to give wide access to a system resource
6) Interactive - any user logged on to the local system has the Interactive identity, which allows only local users to access a resource
7) Network - Any user accessing the system through a NW has the NW identity, which allows only remote users to access a resource
8) Restricted Users & computers with restricted capabilities have the restricted identity. On a member server or workstation, a local user who is a member of the Users group (rather than the Power Users group) has this identity.
9) Self- refers to the object & allows the object to modify itself
10) Service - any service accessing the system has the Service identity, which grants access to processes run
11) System - The OS has the System identity, which is used when the OS needs to perform a system-level function
12) Terminal Server User - allows Terminal Server users to access Terminal Server applications & to perform other necessary tasks w/ terminal services

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

Security Identifiers (SID)

A

Each user account in windows has an SID (S-1-3-43-4993949…) Even though you use a username to access the system, Windows identifies each user, group, or object by the SID. Windows uses the SID to match passwords and check permissions

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Services & ports of interest for Enumeration phase:

A

1) TCP 53
2) TCP 135
3) TCP 137
4) TCP 139
5) TCP 445
6) UDP 161 and 162
7) TCP/UDP 389
8) UCP/UDP 3368
9) TCP 25

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

1) TCP 53

A

Used for DNS Zone Transfers; DNS system keeps servers up to date w/ latest Zone data

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

2) TCP 135

A

communications between client-server apps, such as Microsoft Outlook to communicate w/ Microsoft Exchange

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

3) TCP 137

A

associated w/ NetBIOS Name Service (NBNS) is designed to provide name resolution services involving the NetBIOS protocol;

The service allows NetBIOS to associate names & IP addresses of individuals systems & services; This service is a natural & easy target for many attackers

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

4) TCP 139

A

NetBIOS Session Service, aka SMB over NetBIOS; management of connections between NetBIOS-enabled clients & apps; service is used by NetBIOS to establish connections & tear them down when they are no longer needed

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

5) TCP 445

A

SMB over TCP

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

6) UDP 161 and 162

A

SNMP is a protocol used to manage & monitor NW devices & hosts; The protocol is designed to facilitate messsaging, monitoring, auditing, & other capabilities;

Listening takes place on 161 & traps are received on 162

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

7) TCP/UDP 389

A

LDAP (Lightweight Directory Access Protocol) is used by many apps; Two of the most common are Active Directory & Exchange;

Used to exchange info beetween two parties; If this port is open, that means one of these or a similar product is present

21
Q

8) TCP/UDP 3368

A

Global Catalog Service associated w/ AD;

service used to locate information within AD

22
Q

9) TCP 25

A

SMTP (Simple Mail Transfer Protocol) is used for the transmission of messages in the form of e-mail across NWs.

23
Q

NetBIOS - a blessing to some & a curse to others, why?

A

NetBIOS API was used to assist in the access to resources on a LAN only; Used 16 char names, the first 15 identifying the machine & the last char representing a service or item on the machine itself; It resolves NetBIOS names to IP addresses

Much info can be found here; Using scanning techniques, an attacker can find port 139 open; they can attempt to view or access info such as file shares, printing shares, usernames, group info, etc

One of the tools used to work w/ NetBIOS is a command-line utility nbtstat; This can display info, including name tables, protocol stats, etc; actually used to locate problems w/ NetBIOS over TCP/IP

Has the baility to return names registered with the WINS (Windows Internet Naming Service)

24
Q

Tasks that can be done w/ nbtstat

A

command line

nbtstat -a
—-This returns the NetBIOS name table & mandatory access control (MAC) address of the address card the computer name specified

nbtstat -A
—-Lists the same info as -a but using IP

  • c (lists contents of the NetBIOS name cache)
  • n (displays names registered locally by NetBIOS)
  • r (displays count of all names resolved by broadcast)
  • s (lists sessions table & converts destination IP addresses to computer NetBIOS names)
  • S (lists the current NetBIOS sesssions & their statuses, along w/ IPs)
25
Q

Null Sessions

A

allows clients of a connection to access certain types of info across the NW; it is something that occurs when a connection is made w/ out credentials being provided

Connection can only be made at a special location called the interprocess communication (IPC), an administrative share;

Info obtained:

  • List of users & groups
  • List of machines
  • List of shares
  • Users & host SIDs

The NULL session allows access to a system using a special account called a NULL user; can be used to reveal info while not requiring username or PW

26
Q

How to exploit a NULL session

A

Attach to the system by:
net use \hostnameorIP\ipc$ “ \user:”

View the shares available:
net view \hostnameorIP

Once an attacker has this list of shares, next step is to connect to a share & view the data:
net use s: \hostnameorIP\sharedFolderName

27
Q

SNMP

A

app layer protocol functions using UDP; used in mgmt of devices such as routers, hubs, swtiches, etc; It comes in 3 versions; main requirement is the NW is running TCP/IP protocol

SNMPv1 - introduced a standardized protocol managing NW devices; does not include any security measures

SNMPv2 - backwards compatible w/ SNMPv1, offered security features

SNMPv3 - latest; increased emphasis on security in two areas:

  1) Authentication - ensure traps are read by only the intended recipient
  2) Privacy - encrypts the payload of the SNMP msg to ensure it cannot be read by unauthorized users
28
Q

Enumeration w/ SNMP

A

leverage weakness in the protocol to reveal user accounts & devices on a target;

The system works through the user of the agent & mgmt station:

1) The SNMP mgmt station sends a request to the agent
2) The agent receives the request & sends back a reply

29
Q

Management Information Base (MIB)

A

DB containing descriptions of NW objects that can be managed through SNMP; it is the collection of hierarchically organized information;

MIB elements are recognized by object identifiers (OID); Each OID begins w/ the root of the MIB tree;

30
Q

Scalar Objects

Tabular Objects

A

MIB-managed objects include:

1) Scalar Objects define a single object instance
2) Tabular objects define groups of related object instances

31
Q

What do Object Identifiers include?

A

object’s type (counter, string, address), access level (r, r/w), size restrictions, range info

32
Q

MIB & SNMP mgr

A

MIB is used as a codebook by SNMP mgr for converting the OID #s into human readable display

33
Q

SNMP passwords (attackers can take adv of default PWs here)

SNMP protocol tends to contain 2 passwords:

A

SNMP protocol tends to contain 2 passwords used to both configure and read the info from an agent:
1) Read community String - configuration of the device or system can be viewed w/ the help of this PW; These strings are public

2) Read/write community string - configuration on the device can be viewed and changed using this PW; These strings are private
tools: SNScan

34
Q

Unix & Linux Enumeration commands

A

1) finger command
finger username
—returns info about a user on a given system (i.e. user’s home directory, login time, idle times, office location, last time they both received or read mail)

Switches that be used w/ the finger command include:

  • b //removes home directory & shell from user display
  • f //removes header info from display
  • w //removes full name from display
  • l //returns list of users

2) rpcinfo command
rpcinfo hostname
—enumerates info over RPC (remote procedure call) protocol

Switches used:

  • m //displays list of stats for RPC on given host
  • s //displays list registered RPC apps on given host

3) showmount command
/usr/sbin/showmount [- ade ] [hostname]
—lists & identifies shared directories on given system; also displays list of all clients that have remotely mounted a file system

Switches used:

  • a //prints all remote mounts
  • d //lists directories that have been remotely mounted by clients
  • e //prints list of shared file systems
35
Q

LDAP

A

Lightweight Directory Access Protocol - used to query and organize DBs

36
Q

A directory is

A

A directory is a DB, but the data is organized in a hierarchical or logical format

37
Q

LDAP enumeration

A

the queries performed through LDAP against a DB tend to disclose sensitive data that could be leveraged by an attacker

38
Q

NTP & port #

A

protocol used to synchronize the clocks across hosts on a NW; important b/c directory services rely on clock settings for logon purposes

uses UDP Port 123 for communication purposes

39
Q

NTP enumeration commands

A

The following commands can be used against an NTP server

1) ntpdate
2) ntptrace
3) ntpdc
4) ntpq

40
Q

SMTP

A

protocol used to send messages between servers that send & receive e-mail

41
Q

SMTP enumeration command: VRFY

A

using telnet & VRFY in cmd:

//SMTP uses port 25
//use telnet command to attach to the target & extract info; use VRFY command to check if specific user ID is present

telnet 25
//connected
VRFY username
//response

**Countermeasure - deactivate VRFY command, but before doing so, research to determine if your environment needs to have that command enabled

42
Q

SMTP enumeration command: EXPN

A

similar to VRFY, but rather than returning on user, it returns all users on a distribution list

telnet 25
//connect
EXPN

43
Q

SMTP enumeration command: RCPT TO

A

identifies the recipient of an email message

telnet  25
MAIL FROM: link
//response
RCPT TO:link
//response
44
Q

SMTP Relay

A

lets users send emails through external servers;

spammers & hackers can use email server to send spam/malware through email

45
Q

A ______ is used to connect to a remote system using NetBIOS

A

A NULL session can be used to connect to a remote system via the ipc$ share

46
Q

Which command can be used to view NetBIOS information?

A

nbtstat

47
Q

SNScan is used to access information for which protocol

A

SNMP

48
Q

SNMP is used to

A

Monitor NW devices & trap messages