Enumeration in Windows Networks

Enumeration

Local IP addresses (review)

- Some special IP addresses
  - localhost   127.0.0.1   (loopback address)
- Internal networks
  - Class A   10.0.0.0
  - Class B   172.16.0.0 to 172.31.0.0
  - Class C   192.168.0.0 to 192.168.255.0
- Machines behind a firewall can use these internal IP numbers to communicate among themselves.
- Only the firewall machine/device (host) needs to have an IP address valid in the Internet.
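The ranges on this slide matter later when you read enumeration output: anything inside them is reachable only from inside the firewall. The classifier below is an added example (not part of the slides) that encodes the slide's ranges as CIDR blocks and sorts a list of addresses into internal and public ones; it goes slightly beyond the slide by also treating the 169.254.0.0/16 link-local block as internal, and it assumes the slide's "Class B 172.16.0.0 to 172.31.0.0" means the whole 172.16.0.0/12 block.

```python
import ipaddress

# Ranges from the slide, written as CIDR blocks. Assumption: the slide's
# "Class B 172.16.0.0 to 172.31.0.0" means 172.16.0.0 through 172.31.255.255,
# i.e. 172.16.0.0/12, and "Class C 192.168.0.0 to 192.168.255.0" means 192.168.0.0/16.
INTERNAL_RANGES = {
    "loopback":        ipaddress.ip_network("127.0.0.0/8"),
    "private class A": ipaddress.ip_network("10.0.0.0/8"),
    "private class B": ipaddress.ip_network("172.16.0.0/12"),
    "private class C": ipaddress.ip_network("192.168.0.0/16"),
    # Not on the slide: link-local (APIPA) addresses, which also never route on the Internet.
    "link-local":      ipaddress.ip_network("169.254.0.0/16"),
}


def classify(ip: str) -> str:
    """Return the slide's category for an IPv4 address, or 'public' if it is Internet-routable.
    Raises ValueError for strings that are not IPv4 addresses."""
    addr = ipaddress.ip_address(ip)          # raises ValueError on garbage
    if addr.version != 4:
        raise ValueError("IPv4 only: %r" % ip)
    for label, net in INTERNAL_RANGES.items():
        if addr in net:
            return label
    return "public"


def split_internal(ips):
    """Partition a list of address strings into (internal, public).
    Strings that are not IPv4 addresses are skipped rather than aborting the run."""
    internal, public = [], []
    for ip in ips:
        try:
            label = classify(ip)
        except ValueError:
            continue
        (public if label == "public" else internal).append(ip)
    return internal, public


if __name__ == "__main__":
    # Constructed sample: a handful of addresses around the range boundaries.
    sample = ["10.0.0.1", "172.31.255.255", "172.32.0.1", "192.168.255.255",
              "127.0.0.1", "169.254.10.10", "8.8.8.8", "not-an-ip"]
    for ip in sample:
        try:
            print("%-16s %s" % (ip, classify(ip)))
        except ValueError as exc:
            print("%-16s skipped (%s)" % (ip, exc))
    print("internal/public split:", split_internal(sample))
```

The boundary cases are the point: 172.31.255.255 is still internal while 172.32.0.1 is public, which a naive "starts with 172." test gets wrong.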
 
What is enumeration?

Obtain information about accounts, network resources and shares.

- Categories
  - network resources and shares
  - users and groups
  - applications and banners
- Techniques (OS specific)
  - Windows
  - UNIX/Linux

Windows applications and banner enumeration

- Telnet and netcat: same in Windows and UNIX.
  - Telnet: connect to a known port and see the software it is running, as in this example.
  - Netcat: similar to telnet but provides more information.
  - Countermeasures: log remotely in your applications and edit banners.
  - FTP (TCP 21), SMTP (TCP 25): close ftp, use ssh (we will see it later). Disable telnet in mail servers, use ssh.
- Registry enumeration: default in Windows. Server is Administrators only.
  - Tools: regdmp.exe, DumpSec (see an example and limitations; more later).
  - Countermeasures: be sure the registry is set for Administrators only and no command prompt is accessible remotely (telnet, etc).
 
Windows sources of information

- Protocols providing information: CIFS/SMB and NetBIOS, through TCP port 139, and another SMB port, 445.
- Banner enumeration is not the main issue here (the NetBIOS name service also uses UDP 137).
- Null session command:  net use \\19x.16x.11x.xx\IPC$ "" /u:""
- Countermeasures:
  - filter out the NetBIOS-related TCP and UDP ports 135-139 (firewall).
  - disable NetBIOS over TCP/IP (see the ShieldsUp! page on binding).
  - restrict anonymous access using the Local Security Policy applet.
  - GetAcct bypasses these actions (download the GetAcct tool).
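The countermeasures above reduce exposure, but a null session that does succeed leaves a trace: the connection authenticates as the NT AUTHORITY\ANONYMOUS LOGON account and binds the IPC$ share. The script below is an added example, not part of the slides, showing how a defender would pick those traces out of forwarded Windows Security events. It assumes the standard event fields (4624 = successful logon with LogonType 3 for network logons; 5140 = a network share was accessed, with ShareName) and runs on a constructed sample rather than a real log.

```python
from collections import defaultdict

# Constructed sample of Windows Security events (not from the slides), reduced to the
# fields a log forwarder would ship. 4624 = successful logon; LogonType 3 = network
# logon; "ANONYMOUS LOGON" is the account a null session authenticates as.
# 5140 = a network share object was accessed; ShareName "\\*\IPC$" is the IPC$ share.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "ANONYMOUS LOGON",
     "TargetDomainName": "NT AUTHORITY", "IpAddress": "192.168.50.7", "WorkstationName": "-"},
    {"EventID": 5140, "SubjectUserName": "ANONYMOUS LOGON", "ShareName": "\\\\*\\IPC$",
     "IpAddress": "192.168.50.7"},
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "alice",
     "TargetDomainName": "CORP", "IpAddress": "192.168.50.20", "WorkstationName": "WS20"},
    {"EventID": 5140, "SubjectUserName": "alice", "ShareName": "\\\\*\\Public",
     "IpAddress": "192.168.50.20"},
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "ANONYMOUS LOGON",
     "TargetDomainName": "NT AUTHORITY", "IpAddress": "10.3.3.3", "WorkstationName": "-"},
    {"EventID": 4624, "LogonType": 2, "TargetUserName": "bob",
     "TargetDomainName": "CORP", "IpAddress": "127.0.0.1", "WorkstationName": "WS21"},
]


def is_null_session_logon(ev) -> bool:
    """Anonymous account logging on over the network: the authentication half of a null session."""
    return (ev.get("EventID") == 4624 and ev.get("LogonType") == 3
            and str(ev.get("TargetUserName", "")).upper() == "ANONYMOUS LOGON")


def is_anonymous_ipc_access(ev) -> bool:
    """Anonymous account binding IPC$: the share that enumeration tools talk to."""
    return (ev.get("EventID") == 5140
            and str(ev.get("SubjectUserName", "")).upper() == "ANONYMOUS LOGON"
            and str(ev.get("ShareName", "")).upper().endswith("IPC$"))


def find_null_sessions(events):
    """Group null-session indicators by source IP.
    Returns {ip: {"logons": n, "ipc_access": m}}; only sources with at least one
    indicator appear, so ordinary user logons never show up in the result."""
    hits = defaultdict(lambda: {"logons": 0, "ipc_access": 0})
    for ev in events:
        ip = ev.get("IpAddress", "-")
        if is_null_session_logon(ev):
            hits[ip]["logons"] += 1
        elif is_anonymous_ipc_access(ev):
            hits[ip]["ipc_access"] += 1
    return dict(hits)


def severity(summary) -> str:
    """IPC$ access means the session got past authentication and bound the named-pipe share."""
    if summary["ipc_access"] > 0:
        return "high"
    return "medium" if summary["logons"] > 0 else "none"


if __name__ == "__main__":
    for ip, s in find_null_sessions(SAMPLE_EVENTS).items():
        print("%s: %d anonymous network logon(s), %d IPC$ access(es) -> %s"
              % (ip, s["logons"], s["ipc_access"], severity(s)))
```

Baseline before alerting on this: some legitimate SMB traffic also shows an ANONYMOUS LOGON 4624, so the 5140 IPC$ access from the same source is the stronger signal, and an unexpected source address is what turns it into an incident.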
 
Windows network resources

- NetBIOS enumeration (if the port is closed, none of these work)
  - NetBIOS domain hosts: net view
  - NetBIOS name table: nbtstat (use and example) and nbtscan (download).
  - NetBIOS shares: DumpSec, NetBIOS Auditing Tool (NAT), NBTdump (use, output), ShareEnum (download, example).
  - Countermeasures: as discussed previously => close ports 135-139, disable NetBIOS over TCP/IP.
- SNMP enumeration: SolarWinds IP Network Browser (commercial).
  - Countermeasures: close port 445.
- Windows DNS zone transfers: Active Directory is based on DNS, which creates a new vulnerability, but Windows provides a tool -- the Computer Management Microsoft Management Console (MMC) -- to restrict zone transfers to certain IP numbers.
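What a NetBIOS name table actually gives away is easiest to see by parsing one. The parser below is an added example (not from the slides or from the nbtstat tool) that reads the name-table layout printed by nbtstat -A for a remote host and reports the host name, domain, whether the file server service is registered, and any logged-on user name; run it against your own hosts' output to confirm the "disable NetBIOS over TCP/IP" countermeasure actually took effect. The sample output is constructed, and the suffix meanings are the standard NetBIOS service suffixes.

```python
import re

# Meaning of the NetBIOS suffix byte in a name-table entry (standard service suffixes).
SUFFIX_MEANING = {
    (0x00, "UNIQUE"): "workstation service (host name)",
    (0x00, "GROUP"):  "domain/workgroup name",
    (0x03, "UNIQUE"): "messenger service (host name or logged-on user)",
    (0x20, "UNIQUE"): "file server service (host offers shares)",
    (0x1B, "UNIQUE"): "domain master browser (domain controller)",
    (0x1C, "GROUP"):  "domain controllers",
    (0x1D, "UNIQUE"): "master browser",
    (0x1E, "GROUP"):  "browser service elections",
}

# Constructed sample in the layout printed by `nbtstat -A <ip>`; not taken from the slides.
SAMPLE_NBTSTAT = """
           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    FILESRV01      <00>  UNIQUE      Registered
    CORP           <00>  GROUP       Registered
    FILESRV01      <20>  UNIQUE      Registered
    CORP           <1E>  GROUP       Registered
    FILESRV01      <03>  UNIQUE      Registered
    JSMITH         <03>  UNIQUE      Registered

    MAC Address = 00-0C-29-AA-BB-CC
"""

ENTRY_RE = re.compile(r"^\s*(\S.*?)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\w+)\s*$")
MAC_RE = re.compile(r"MAC Address\s*=\s*([0-9A-Fa-f-]{17})")


def parse_name_table(text):
    """Parse nbtstat -A output into {"entries": [...], "mac": str|None}.
    Header and separator lines contain no <xx> suffix, so they never match."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            name, suffix, ntype, status = m.groups()
            entries.append({"name": name, "suffix": int(suffix, 16),
                            "type": ntype, "status": status})
    mac = MAC_RE.search(text)
    return {"entries": entries, "mac": mac.group(1) if mac else None}


def describe(table):
    """One human-readable line per entry, using the suffix table above."""
    return ["%-16s <%02X> %-7s %s" % (e["name"], e["suffix"], e["type"],
            SUFFIX_MEANING.get((e["suffix"], e["type"]), "other/unknown suffix"))
            for e in table["entries"]]


def summarize(table):
    """What one exposed name table reveals: host, domain, file-server role, logged-on users.
    The host is found first so that its own <03> messenger entry is not counted as a user."""
    entries = table["entries"]
    key = lambda e: (e["suffix"], e["type"])
    host = next((e["name"] for e in entries if key(e) == (0x00, "UNIQUE")), None)
    domain = next((e["name"] for e in entries if key(e) == (0x00, "GROUP")), None)
    file_server = any(key(e) == (0x20, "UNIQUE") for e in entries)
    users = sorted({e["name"] for e in entries
                    if key(e) == (0x03, "UNIQUE") and e["name"] != host})
    return {"host": host, "domain": domain, "file_server": file_server,
            "users": users, "mac": table["mac"]}


if __name__ == "__main__":
    table = parse_name_table(SAMPLE_NBTSTAT)
    print("\n".join(describe(table)))
    print(summarize(table))
```

An empty entries list from a host that is up is the result you want after applying the countermeasures: it means the name service no longer answers.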
 
Windows: user and group enumeration

- Enumerating users via NetBIOS: usernames and (common) passwords.
  - Enum (NBTEnum): use and output. DumpSec: output.
  - Countermeasures: as before (close ports, no NetBIOS over TCP/IP).
- Using sid2user and user2sid (download them here).
- Using Cain and Abel for both network resources and user and group enumeration. See the manual and download. We will use it again in future classes for more involved uses.
- Enumerating users using SNMP: SolarWinds IP Network Browser. See also snmputil.
- Windows Active Directory enumeration using ldp: Win 2k added LDAP through the Active Directory -- you log in once (the good) and have access to all resources (the security problem).
  - Countermeasure: close ports 389 and 3268. You will not practice this in the course.
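The sid2user/user2sid pair works on the structure of a Windows security identifier: a domain SID followed by a relative identifier (RID), where certain RIDs are fixed (500 is always the built-in Administrator, whatever it has been renamed to). The code below is an added example, not the tools' own code, that parses SID strings, converts them to and from the binary form Windows stores, and audits a constructed account export for accounts carrying a well-known RID under an unexpected name; the account list and domain SID are sample values, not real data.

```python
import struct

# Well-known relative identifiers (RIDs): the last component of an account SID.
WELL_KNOWN_RIDS = {
    500: "built-in Administrator",
    501: "built-in Guest",
    502: "krbtgt",
    512: "Domain Admins",
    513: "Domain Users",
    519: "Enterprise Admins",
}

# Constructed sample export {account name: SID} (not real accounts). Note that
# "sysops" carries RID 500: it is the renamed Administrator account.
SAMPLE_ACCOUNTS = {
    "sysops": "S-1-5-21-1004336348-1177238915-682003330-500",
    "Guest":  "S-1-5-21-1004336348-1177238915-682003330-501",
    "alice":  "S-1-5-21-1004336348-1177238915-682003330-1105",
}


def parse_sid(sid: str):
    """Split 'S-1-5-21-a-b-c-rid' into (revision, identifier_authority, [sub-authorities])."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError("not a SID string: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or not 0 <= authority < 2**48 or len(subs) > 15 \
            or any(not 0 <= s < 2**32 for s in subs):
        raise ValueError("SID component out of range: %r" % sid)
    return revision, authority, subs


def sid_to_bytes(sid: str) -> bytes:
    """Binary SID layout: revision (1 byte), sub-authority count (1 byte),
    identifier authority (6 bytes, big-endian), then each sub-authority as a
    little-endian uint32."""
    revision, authority, subs = parse_sid(sid)
    out = bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
    for s in subs:
        out += struct.pack("<I", s)
    return out


def bytes_to_sid(data: bytes) -> str:
    """Inverse of sid_to_bytes; rejects truncated input."""
    if len(data) < 8:
        raise ValueError("truncated SID")
    revision, count = data[0], data[1]
    if len(data) != 8 + 4 * count:
        raise ValueError("truncated SID")
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack("<%dI" % count, data[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def domain_and_rid(sid: str):
    """Split an account SID into (domain SID, RID). The RID is the part a
    sid2user-style lookup varies; the domain SID is what user2sid discovers."""
    revision, authority, subs = parse_sid(sid)
    if len(subs) < 2:
        raise ValueError("no RID in this SID: %r" % sid)
    domain = "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs[:-1])
    return domain, subs[-1]


def well_known_accounts(accounts):
    """Flag accounts whose RID is well known. Renaming an account changes its name
    but never its RID, so this is how a defender finds the real Administrator
    account in an export, the same way RID-based enumeration would."""
    findings = []
    for name, sid in accounts.items():
        _, rid = domain_and_rid(sid)
        if rid in WELL_KNOWN_RIDS:
            findings.append((name, rid, WELL_KNOWN_RIDS[rid]))
    return findings


if __name__ == "__main__":
    for name, rid, label in well_known_accounts(SAMPLE_ACCOUNTS):
        print("%-8s RID %d -> %s" % (name, rid, label))
    print(sid_to_bytes("S-1-1-0").hex())
```

The practical lesson for the countermeasures listed above: renaming the Administrator account hides it from a name listing but not from a RID walk, so the blocking of anonymous SID lookups (restrict anonymous, closed NetBIOS ports) is what actually denies this information.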
Enumeration in Windows networks involves obtaining information about accounts, network resources, shares, users, groups, applications, and banners. Techniques such as Telnet, netcat, Registry enumeration, Windows sources of information like protocols CIFS/SMB and NetBIOS, NetBIOS enumeration, SNMP enumeration, and user and group enumeration are discussed along with countermeasures to secure the network against unauthorized access.


Uploaded on Sep 30, 2024

