
CEHv8 module 04 enumeration


Học viện Công Nghệ Thông Tin Bach Khoa

Page 2

THE US National Weather Service computer network was hacked with a group from Kosovo claiming credit and posting sensitive data, security experts said Friday.

Data released by the Kosovo Hackers Security group includes directory structures, sensitive files of the Web server and other data that could enable later access, according to Chrysostomos Daniel of the security firm Acunetix.

"The hacker group stated that the attack is a protest against the US policies that target Muslim countries," Daniel said.

"Moreover, the attack was a payback for hacker attacks against nuclear plants in Muslim countries, according to a member of the hacking group who said, "They hack our nuclear plants using STUXNET and FLAME-like malwares, they are bombing us 24-7, we can't sit silent hack to payback them."

http://www.theaustralian.com.au

Copyright © by All Rights Reserved Reproduction is Strictly Prohibited

Page 3

Enumerating User Accounts

SMTP and DNS Enumeration

SNMP Enumeration

Enumeration Countermeasures

Page 5

names, network resources, shares, and services from a system. Enumeration techniques are conducted in an

Types of information enumerated by intruders:

Network resources and shares

Page 6

Extract user names using SNMP

Extract user groups from Windows

Page 8

Enumeration

Attackers use NetBIOS enumeration to obtain:

1. List of computers that belong to a domain

2. List of shares on the individual hosts on the network

TCP 53 | TCP 135 | TCP 137 | UDP 139 | TCP 445 | UDP 161

Page 10

[Screenshot: output for 192.168.168.135 listing File Server Service and Workstation Service]

Page 12

Passwords

default password list

might still be enabled with a “default password”

systems Using Default

Page 14

(Simple Network Management Protocol) Enumeration

SNMP enumeration uses these default community strings to extract information about a

Page 15

MIB is a virtual database containing a formal description of all the network objects that can be managed using SNMP.

The MIB database is hierarchical, and each managed object in a MIB is addressed through object identifiers (OIDs).

MIB managed objects include scalar objects, which define a single object instance, and tabular objects, which define a group of related object instances.

The OID includes the object's type (such as counter, string, or address), access level (such as read or read/write), size restrictions, and range information.

The SNMP manager uses the MIB as a codebook for translating the OID numbers into a human-readable display.

Page 16

SNMP Enumeration Tool: OpUtils

Network Monitoring Toolset

Page 17

SNMP Enumeration Tool:

[Screenshot: tool window with the menus File, Edit, Nodes, MIBs, Discovery, Subnet, View, Help; tree entries Services, Accounts (Administrator, Guest), Shares, Hub ports; status "Subnet Scan Completed"]

Page 18

Nsauditor Network Securit

Page 20

Enumeration

Commands used to enumerate UNIX network resources are as follows:

Enumerates the user and the host

Enables you to view the user’s home directory,

Finds the shared directories

Using rpcclient we can enumerate usernames on Linux and OS X

[root $] rpcclient $> netshareenum

RPC protocol allows applications to communicate over the network

[root] rpcinfo -p 19x.16x.xxx.xx

Page 21

Linux Enumeration Tool:

[Screenshot: terminal output of enum4linux v0.8.2 run against 192.168.2.55. The output reports the domain name WORKGROUP, a session check showing that the server allows sessions, and local users found via RID cycling, among them W2KSQL\Guest, W2KSQL\TsInternetUser and W2KSQL\IUSR_PORTCULLIS.]

http://labs.portcullis.co.uk

Page 23

The Lightweight Directory Access Protocol is a protocol used to access the directory listings within

A directory is compiled in a

, like the levels of management and employees in a company

It tends to be tied into the to allow the integrated quick lookups and fast resolution of queries

It runs on and tends to conform to a distinct set of rules, Request for Comments (RFCs), like other protocols

Page 24

[Screenshot: LDAP browser showing entry fields such as Common Name, Given Name and Photo]

Page 25

LDAP Account Manager: http://www.ldap-account-manager.org

LDAP Explorer Tool: http://ldaptool.sourceforge.net

Page 27

NTP

, is designed to synchronize clocks of networked

It uses as its primary means

NTP can maintain time to within over the public Internet

It can achieve accuracies of or better in local area networks under ideal

Page 29

inhouse GPS receiver, and offer time services

[Screenshot: NTP server tool window; remaining text not recoverable]

Page 30

Enumeration Tools

Page 33

[Screenshot: "Automated SMTP Email Generator and Relay Test" tool window, used to test SMTP servers for open relays]

http://www.netscantools.com

Page 35

DNS Zone Transfer Enumeration Using

It is a process of locating the DNS server and the records of a target network.

An attacker can gather valuable network information such as DNS server names, hostnames, machine names, user names, etc.

In a DNS zone transfer enumeration, an attacker tries to retrieve a copy of the entire zone file for a domain from a DNS server.

Page 36

IPAM Analyzing &

Management Management Monitoring

Page 38

Implement the Group Policy security option called “Additional restrictions for anonymous connections”

Access to null session pipes, null session shares, and IPSec filtering should also be restricted

Ensure that HINFO and other records

Provide standard network administration contact details to prevent social engineering and war dialing attacks

Page 39

these types of information:

Details of being used (such as Sendmail or MS Exchange)

s or host information

by configuring SMTP servers

Page 40

check boxes, and click

[Screenshot: network connection properties dialog ("This connection uses the following items")]

Page 42

Enumeration

connections to systems and directed queries The information can be

Page 43

In order to enumerate important servers, find the network range using tools such as WhoIs Lookup and Graphical DNS Zones

many of the ping sweep and port scanning tools by using tools such as Subnet Mask Calculator

Find the servers connected to the Internet using tools such as Nmap

Perform port scanning to check for the open ports on the nodes using tools such as nmap

Perform DNS enumeration using tools such as nslookup and the Men & Mice Suite

Perform NetBIOS enumeration using tools such as SuperScan, NetBIOS Enumerator, and PsTools suite

Page 44

Perform SNMP enumeration using tools such as OpUtils

Perform NTP enumeration using tools such as ntpdate, ntptrace, ntpdc, ntpq

Perform SMTP enumeration using tools such as Super Webscan and Super Email Collector

Document all the

Page 45

network resources, shares, and services from a system

Simple Network Management Protocol (SNMP) is a TCP/IP protocol used for remote monitoring and managing hosts, routers, and other devices on a network

MIB provides a standard representation of the SNMP agent’s available information and where it is stored

The Lightweight Directory Access Protocol (LDAP) is a protocol used to access the directory listings within Active Directory or from other directory services

Network Time Protocol (NTP) is designed to synchronize clocks of networked computers

Posted: 14/12/2021, 18:36