IP

Wednesday, November 24, 2010

Enumeration part 1 for WINDOWS NT/2000

Enumeration is the process of identifying user accounts and poorly protected computing resources. During the enumeration stage, the hacker connects to computers in the target network and pokes around these systems to gain more information. While the scanning phase might be compared to a knock on the door or a turn of the doorknob to see if it is locked, enumeration can be compared to entering an office and rifling through a file cabinet or desk drawer for information. It is definitely more intrusive.

Network Enumeration

The first step in the network enumeration process is to identify domain names and associated networks related to a particular organization. Domain names represent the company’s presence on the Internet and are the Internet equivalent of your company’s name, such as “AAAApainting.com” and “moetavern.com.” To enumerate these domains and begin to discover the networks attached to them, you must scour the Internet. There are multiple whois databases you can query that will provide a wealth of information about each entity.

Example:
https://encrypted.google.com/search?hl=en&source=hp&biw=1600&bih=799&q=whois+database&aq=3&aqi=g10&gs_rfai=CqwvGvfbtTOrKBJaONf2Y7JkLAAAAqgQFT9CdNaA

Enumeration involves active connections to systems and directed queries. As such, they may (and should!) be logged or otherwise noticed. I will show you what to look for and how to block it, where possible. Much of the information garnered through enumeration may appear harmless at first glance. However, the information that leaks from the following holes can be your undoing.
In general, once a valid username or share is enumerated, it’s usually only a matter of time before the intruder guesses the corresponding password or identifies some weakness associated with the resource-sharing protocol. By closing these easily fixed loopholes, you eliminate the hacker’s first foothold. The type of information enumerated by intruders can be loosely grouped into the following categories:
Network resources and shares
Users and groups
Applications and banners


This tutorial is divided into three sections based on operating system:
WindowsNT/2000
Novell NetWare
UNIX



WINDOWS NT/2000 ENUMERATION
During its lifetime, Windows NT has achieved a well-deserved reputation for giving away free information to remote pilferers :)

The Windows NT/2000 Hacking Kit
Since the release of Windows NT 3.1, Microsoft has provided (at extra cost) a supplementary set of documentation and a CD-ROM full of software utilities for administering NT networks: the Windows NT Resource Kit (Workstation and Server versions). The NTRK (as we’ll call it from here on) contains a diverse collection of powerful utilities, from a limited implementation of the popular Perl scripting language, to ports of many common UNIX utilities, to remote administration tools not provided in the retail version of NT. No serious NT admin should live without it.
There is a dark side to all the conveniences provided by NTRK, however. Many of these tools can be used by intruders to gain valuable information, earning it the moniker “The Windows NT Hacking Kit” in some circles. Since NTRK retails for around $200, including two updated Supplements, it’s fair to assume that “resourceful” attackers might be using these tools against you (some are available free at ftp://ftp.microsoft.com/bussys/winnt/winnt-public/reskit/).

Null Sessions: The Holy Grail of Enumeration

As alluded to previously, Windows NT/2000 has a serious Achilles heel in its default reliance on CIFS/SMB and NetBIOS. The CIFS/SMB and NetBIOS standards include APIs that return rich information about a machine via TCP port 139—even to unauthenticated users. The first step in accessing these APIs remotely is creating just such an unauthenticated connection to an NT/2000 system by using the so-called “null session” command, assuming TCP port 139 is shown listening by a previous port scan:

net use \\192.168.202.33\IPC$ "" /u:""

The preceding syntax connects to the hidden interprocess communications “share” (IPC$) at IP address 192.168.202.33 as the built-in anonymous user (/u:"") with a null ("") password. If successful, the attacker now has an open channel over which to attempt all the various techniques outlined in this tutorial to pillage as much information as possible from the target: network information, shares, users, groups, Registry keys, and so on.

Almost all the information-gathering techniques described in this tutorial take advantage of this one out-of-the-box security failing of Windows NT/2000. Whether you’ve heard it called the “Red Button” vulnerability, null session connections, or anonymous logon, it can be the single most devastating network foothold sought by intruders.

Null Session Countermeasure

Null sessions require access to TCP 139, so the most prudent way to stop them is to filter the NetBIOS-related TCP and UDP ports 135 through 139 at all perimeter network access devices. You could also disable NetBIOS over TCP/IP on individual NT hosts by unbinding WINS Client (TCP/IP) from the appropriate interface using the Network Control Panel’s Bindings tab. Under 2000, this is more easily accomplished via the appropriate Network Connection applet: Advanced TCP/IP Settings, WINS tab, Disable NetBIOS Over TCP/IP.

What null sessions are and why they are dangerous, in detail

Processes on Windows machines need to talk to each other; they do this by using the interprocess communication share, or IPC$. A null session is a connection to this share without specifying a user name or password.

The original purpose of null sessions was to allow unauthenticated hosts to obtain browse lists from NT servers and participate in MS networking.

Null sessions are one of the most frequently used methods for network reconnaissance employed by "hackers." A null session connection allows you to connect to a remote machine without using a user name or password. Instead, you are given anonymous/guest access. Please note, even if you have disabled the Guest account, this will still work.

Using a null session connection to a remote machine and tools freely available on the Internet, "hackers" are able to export all manner of information from your machine, including password policy, user names on the machine, account lockout period, last logon time, blank password, etc. This will also inform the "hacker" if you have changed the name of the local administrator account, and it will neatly display the name of all accounts on the target machine, including the renamed Admin account.

Once a null session connection has been established, all that is needed is to type "Net view \\TargetComputerName" to be presented with a list of shared resources on the Target machine.

How do I stop this?

1. Get a Firewall.

or

a) Disable Netbios over TCP/IP, since Null Sessions are a "feature" of Netbios.

b) Add RestrictAnonymous=1 to HKLM\SYSTEM\CurrentControlSet\Control\LSA, even though there are tools which sidestep this measure.

How do I know if this is happening to me?

Certain utilities are available on the Net, Desktop Sentry for one, which enable you to see who is connected to your machine, giving user name and IP address and if the connection is a null session or not.

It is estimated that 80% of attacks on NT systems occur in this manner.
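Beyond a connection monitor, null sessions leave a trace in the Security log: on Vista/2008 and later, an anonymous network logon is recorded as Event ID 4624 with Logon Type 3 for the account ANONYMOUS LOGON, and the connection to IPC$ as Event ID 5140. The following is an added example, not code from the original post, that tallies such records per source address; the events are constructed for illustration and their field names follow the EventData of those two event IDs.

```python
from collections import defaultdict

# Added example, not from the post. Constructed Security-log records modelled on
# the EventData fields of Event ID 4624 (logon) and 5140 (share accessed).
ANON_ACCOUNT = "ANONYMOUS LOGON"   # account Windows records for a null session
NETWORK_LOGON = "3"                # LogonType 3 = network logon (SMB and friends)

SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "alice", "TargetDomainName": "CORP",
     "LogonType": "3", "IpAddress": "192.168.202.50", "WorkstationName": "WS01"},
    {"EventID": 4624, "TargetUserName": "ANONYMOUS LOGON", "TargetDomainName": "NT AUTHORITY",
     "LogonType": "3", "IpAddress": "192.168.202.33", "WorkstationName": "-"},
    {"EventID": 5140, "SubjectUserName": "ANONYMOUS LOGON", "SubjectDomainName": "NT AUTHORITY",
     "ShareName": r"\\*\IPC$", "IpAddress": "192.168.202.33"},
    {"EventID": 5140, "SubjectUserName": "alice", "SubjectDomainName": "CORP",
     "ShareName": r"\\*\Letters", "IpAddress": "192.168.202.50"},
    {"EventID": 4624, "TargetUserName": "ANONYMOUS LOGON", "TargetDomainName": "NT AUTHORITY",
     "LogonType": "3", "IpAddress": "10.0.0.9", "WorkstationName": "-"},
]

def is_null_session_logon(ev):
    """4624 with LogonType 3 for ANONYMOUS LOGON: the logon a null session produces."""
    return (ev.get("EventID") == 4624 and ev.get("LogonType") == NETWORK_LOGON
            and ev.get("TargetUserName", "").upper() == ANON_ACCOUNT)

def is_anonymous_ipc_access(ev):
    """5140 for the IPC$ share by ANONYMOUS LOGON: the share a null session connects to."""
    return (ev.get("EventID") == 5140
            and ev.get("SubjectUserName", "").upper() == ANON_ACCOUNT
            and ev.get("ShareName", "").upper().endswith(r"\IPC$"))

def find_null_sessions(events):
    """Tally anonymous logons and IPC$ accesses per source address.
    Returns {ip: {"logons": n, "ipc_access": m}}; addresses with neither are omitted.
    Domain controllers see some legitimate ANONYMOUS LOGON traffic, so review
    counts by source rather than alerting on a single record."""
    report = defaultdict(lambda: {"logons": 0, "ipc_access": 0})
    for ev in events:
        ip = ev.get("IpAddress", "-")
        if is_null_session_logon(ev):
            report[ip]["logons"] += 1
        elif is_anonymous_ipc_access(ev):
            report[ip]["ipc_access"] += 1
    return dict(report)

if __name__ == "__main__":
    for ip, c in find_null_sessions(SAMPLE_EVENTS).items():
        print(f"{ip}: {c['logons']} anonymous logon(s), {c['ipc_access']} IPC$ access(es)")
```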


The need for Anonymous Connections

I always said that hacking is an intention; I mean, if you have the power (i.e. knowledge) you can protect or attack, but I'm not going into the definition of hacking now, so to the point. Anonymous connections are needed by computers in a network to efficiently share resources, and here is a scenario for it.

Computer A has a one-way trust with Computer B, which means that computer A trusts B's established connections to itself (i.e. A), but B does not trust A's established connections to itself (B). Still don't get it?!
A trusts B
B doesn't trust A
End of story!!

So what?!
So when A tries to gain access to a resource on B, it has to request permission first. This permission can be granted by a group or a user who has the appropriate authority to do so.



.:Why the panic?:.

First we need to know some terms and then we will answer the right question.


[Active Directory]
Microsoft's directory database for Windows 2000 networks. Stores information about resources on the network and provides a means of centrally organizing, managing, and controlling access to the resources. Windows Server 2003 makes Active Directory simpler to manage, easing migration and deployment.

[Security Identifier (SID)]
In Windows NT and 2000 operating systems, the security identifier (SID) is a unique alphanumeric character string that identifies each operating system and each user in a network of NT/2000 systems.

So what can a null session reveal?

Right question, and here is the answer:
* Lists of users sharing your computer, including Active Directory
* Lists of groups from your computer, including Active Directory
* Lists of domains trusted by your domain
* List of shares from your computer
* SIDs for user accounts
* User accounts for SIDs
* Account policies from your computer
* NetBIOS name from your computer
* Domain name that your computer is associated with



.:Authenticated Users Built-in Group:.

Installing Windows NT 4.0 Service Pack 3 or the Windows NT 3.51 hot fix creates a built-in group known as "Authenticated Users". The Authenticated Users group covers almost everyone except anonymous logon users. The built-in SID for Authenticated Users is S-1-5-11. Authenticated network connections from any account in the server's Windows NT domain, or any domain trusted by the server's domain, are identified as Authenticated Users. The Authenticated Users group is available for granting access rights to resources in the security ACL editor. Windows NT 4.0 Service Pack 3 and the Windows NT 3.51 hot fix do not modify any access control lists to change access rights granted to Everyone to use Authenticated Users. But they provide a mechanism for administrators to restrict what anonymous logon users can do.

Solution

[Restricting access for authenticated users only]
Windows NT environments that want to restrict anonymous connections from listing account names can control this after installing Windows NT 4.0 Service Pack 3 or the Windows NT 3.51 hot fix. After installation of Windows NT 4.0 Service Pack 3 or the Windows NT 3.51 hot fix, administrators who want to require only authenticated users to list account names, and exclude anonymous connections from doing so, need to make the following change to the registry:

WARNING: Using Registry Editor incorrectly can cause serious, system-wide problems that may require you to reinstall Windows NT to correct them. Microsoft cannot guarantee that any problems resulting from the use of Registry Editor can be solved. Use this tool at your own risk.

[Windows NT]

1. Run Registry Editor (Regedt32.exe).
2. Go to the following key in the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA
3. On the Edit menu, click Add Value and use the following entry:
Value Name: RestrictAnonymous
Data Type: REG_DWORD
Value: 1
4. Exit Registry Editor and Reboot the system.



[Windows 2000]

Ensure that the RestrictNullSessAccess registry value is set to 1. By default, the RestrictNullSessAccess registry value does not exist. To ensure that the RestrictNullSessAccess registry value is set to 1, perform the following steps:

1. Run Registry Editor (Regedt32.exe).
2. Go to the following key in the registry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\RestrictNullSessAccess
3. Edit the key and in the Value Name field, type 1, then select OK.
4. Exit Registry Editor and Reboot the system.



[Windows XP/2003]

Ensure that the RestrictNullSessAccess registry value is set to 1 AND ensure the Local Security Policy setting "Network access: Let Everyone permissions apply to anonymous users" is set to Disabled. By default, the RestrictNullSessAccess registry value does not exist. To ensure that the RestrictNullSessAccess registry value is set to 1, perform the following steps:

1. Run Registry Editor (Regedt32.exe).
2. Go to the following key in the registry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\RestrictNullSessAccess
3. If RestrictNullSessAccess does not exist (the default), create it as a "REG_DWORD" value.
4. Edit the key and in the Value Name field, type 1, then select OK.
5. Exit Registry Editor and Reboot the system.

Note: Remote access to the registry may still be possible after you follow the steps in this article if the RestrictNullSessAccess registry value has been created and is set to 0. This value allows remote access to the registry by using a null session. The value overrides other explicit restrictive settings.
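As an added example (not code from the original post), the following audits a `reg export` of the two keys above for the settings recommended here, including the RestrictNullSessAccess=0 override described in the note. Both .reg texts are constructed; EveryoneIncludesAnonymous is the Lsa value behind the "Network access: Let Everyone permissions apply to anonymous users" policy, so Disabled corresponds to 0.

```python
import re

# Added example, not from the post; both .reg texts are constructed (a real one comes from `reg export`).
WEAK_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000000
"EveryoneIncludesAnonymous"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"RestrictNullSessAccess"=dword:00000000
"""

# The same keys after the hardening steps above.
HARDENED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000001
"EveryoneIncludesAnonymous"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"RestrictNullSessAccess"=dword:00000001
"""

LSA_KEY = r"hkey_local_machine\system\currentcontrolset\control\lsa"
SRV_KEY = r"hkey_local_machine\system\currentcontrolset\services\lanmanserver\parameters"

def parse_reg_dwords(text):
    """Return {key_path (lowercased): {value_name: int}} for the REG_DWORD entries."""
    keys, current = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        key = re.match(r"^\[(.+)\]$", line)
        if key:                                   # key paths are case-insensitive
            current = keys.setdefault(key.group(1).lower(), {})
            continue
        val = re.match(r'^"([^"]+)"=dword:([0-9A-Fa-f]{8})$', line)
        if val and current is not None:
            current[val.group(1)] = int(val.group(2), 16)
    return keys

def audit_null_session_settings(text):
    """Return findings as strings; an empty list means the recommended settings are in place."""
    keys = parse_reg_dwords(text)
    lsa, srv = keys.get(LSA_KEY, {}), keys.get(SRV_KEY, {})
    findings = []
    if lsa.get("RestrictAnonymous", 0) < 1:       # a missing value behaves like 0
        findings.append("RestrictAnonymous is not 1: anonymous users can list accounts and shares")
    if lsa.get("EveryoneIncludesAnonymous", 0) != 0:
        findings.append("EveryoneIncludesAnonymous=1: Everyone permissions apply to anonymous users")
    if "RestrictNullSessAccess" not in srv:
        findings.append("RestrictNullSessAccess is absent: create it as REG_DWORD with data 1")
    elif srv["RestrictNullSessAccess"] == 0:
        findings.append("RestrictNullSessAccess=0 overrides the other restrictions (null sessions allowed)")
    return findings
```

Calling `audit_null_session_settings(WEAK_EXPORT)` returns three findings, while the hardened export returns none.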


Net Use

Use this command as an example of establishing null sessions and extracting information through them. If you run the net use command without any parameters, it lists the current network connections. Before you try any of this, skim what follows first; if you start applying it right away you will probably get bored, so read and learn, then apply it later. For example:

Net use [Enter]

net use [{DeviceName | *}] [\\ComputerName\ShareName[\volume] [{Password | *}]] [/user:[DomainName\]UserName] [/user:[DottedDomainName\]UserName] [/user:[UserName@DottedDomainName] [/savecred] [/smartcard] [{/delete | /persistent:{yes | no}}]

net use [DeviceName [/home[{Password | *}] [/delete:{yes | no}]]

Net use [/persistent:{yes | no}]

DEVICE :
Specifies the device to connect to or disconnect from. There are two types of shared devices:
I] Disk drives (that is, D: through Z:)
II] Printers (that is, LPT1: through LPT3:)
Type an asterisk (*) instead of a specific device name to assign the next available device name.

\\ComputerName\ShareName :
Specifies the name of the remote computer and the shared resource. If ComputerName contains spaces, use quotation marks around the entire computer name from the double backslash (\\) to the end of the computer name. For example:
"\\Computer Name"\Share Name
The computer name can be from 1 to 15 characters long.

volume :
Specifies a NetWare volume on the server. You must have Client Service for NetWare installed and running to connect to NetWare servers.

Password :
Specifies the password needed to access the shared resource. Type an asterisk (*) to produce a prompt for the password. The password is not displayed when you type it at the password prompt (i.e. more security if someone is looking at your monitor).

/user :
Specifies a different user name with which the connection is made.

DomainName :
Specifies another domain. If you omit DomainName, net use uses the current logged on domain.

UserName :
Specifies the user name with which to log on.

DottedDomainName :
Specifies the fully-qualified domain name for the domain where the user account exists.

/savecred :
Stores the provided credentials (i.e. certificate) for reuse.

/smartcard :
Specifies that the network connection is to use the credentials on a smart card. If multiple smart cards are available, you are asked to specify the credential.

/delete :
Cancels the specified network connection. If you specify the connection with an asterisk (*), all network connections are cancelled.

/persistent:{yes | no} :
Controls the use of persistent network connections. The default is the setting used last. Deviceless connections are not persistent. Yes saves all connections as they are made, and restores them at next logon. No does not save the connection being made or subsequent connections. Existing connections are restored at the next logon. Use /delete to remove persistent connections.

/home :
Connects a user to the home directory.

Net help command :
Displays help for the specified net command.



[Connecting and disconnecting from a network resource]
Use net use to connect to and disconnect from a network resource, and to view your current connections to network resources.

You cannot disconnect from a shared directory if you use it as your current drive or an active process is using it.

[Viewing connection information]
To get information about a specific connection:
Net use DeviceName
To get a list of all the computer's connections:
Net use

[Connecting to NetWare servers]
After you install and run Client Service for NetWare, you can connect to a NetWare server on a Novell network. Use the same syntax that you use to connect to a Windows Networking server, except you must include the volume to which you want to connect.

[Using quotation marks]
If the ServerName that you supply contains spaces, use quotation marks around the text (that is, "Server Name"). If you omit the quotation marks, an error message appears.

When you use the NET USE command to connect to a share on a server in a domain, the following authentication checks take place:

=> If the client's user name (i.e. you) is in the domain's user account database, the passwords are compared. If the passwords match, access to the share is allowed. If the passwords do not match, an access denied message is returned. This behaviour allows for backward compatibility with Windows for Workgroups and other clients, which do not pass the domain name to the server.

=> If the client's user name does not match a user name in the domain's user account database, the domain controller checks whether the client's domain is listed in its trust list. If the client's domain name is on the target domain's trust list, the domain controller communicates with the other domain to see if the client's user account and password are valid. If so, access to the share is allowed. If not, an access denied message is returned.



[Net Use Command Examples]

To assign the disk-drive device name E: to the Letters shared directory on the Fin server, type:
Net use e: \\fin\letters

To assign (map) the disk-drive device name M: to the directory Mike within the Letters volume on the Fin NetWare server, type:
Net use m: \\fin\letters\mike

To connect the user identifier Dan as if the connection were made from the Accounts domain, type:
Net use d: \\server\share /USER:Accounts\Dan

To disconnect from the \\Fin\Public directory, type:
Net use f: \\fin\public /DELETE

To connect to the resource memos shared on the Fin 3 server, type:
Net use k: "\\fin 3"\memos

To restore the current connections at each logon, regardless of future changes, type:
Net use /PERSISTENT:yes
