Ethical Hacking: Enumeration

An attacker can use enumeration techniques such as NetBIOS null sessions, SNMP queries and DNS zone transfers to discover user accounts, shares and services on Windows 2000 systems. Sniffing tools can also be used to monitor network traffic and capture sensitive data transmitted in plaintext. Countermeasures include disabling unnecessary services, restricting anonymous access, using encrypted protocols and monitoring for suspicious network activity.

Uploaded by jaya prasanna
Ethical Hacking

Module IV
Enumeration
Module Objective
• Understanding Windows 2000 enumeration
• How to connect via a null session
• NetBIOS enumeration and how to defend against it
• SNMP enumeration
• How to steal Windows 2000 DNS information using zone transfers
• Learn to enumerate users via CIFS/SMB
• Active Directory enumeration
What is Enumeration
• If footprinting and non-intrusive probing have not turned up usable
results, an attacker will next try to identify valid user accounts or
poorly protected resource shares.
• Enumeration involves active connections to systems and directed
queries; it is therefore noisier than passive reconnaissance and may be
logged by the target.
• The type of information enumerated by intruders:
– Network resources and shares
– Users and groups
– Applications and banners
NetBIOS Null Sessions
• A null session is an SMB session established with an empty username
and an empty password.
• NetBIOS null sessions exploit a weakness in the Common Internet File
System (CIFS)/SMB implementation that, depending on the operating
system and its configuration, answers certain queries for anonymous callers.
• You can establish a null session with a Windows (NT/2000/XP) host
by logging on with a null user name and password.
• Using these null connections allows you to gather the following
information from the host:
– List of users and groups
– List of machines
– List of shares
– Users and host SIDs (Security Identifiers)
So What's the Big Deal?
• Anyone with a NetBIOS connection to your computer can easily get a full
dump of all your usernames, groups, shares, permissions, policies, services
and more using the null user.
• The attacker now has a channel over which to attempt various techniques.
• The CIFS/SMB and NetBIOS standards in Windows 2000 include APIs that
return rich information about a machine via TCP port 139, even to
unauthenticated users.
• One method of connecting via a NetBIOS null session to a Windows system
is to connect to the hidden Inter-Process Communication share (IPC$) at IP
address 192.34.34.2 with the built-in anonymous user (/u:"") and a null
("") password:
C:\>net use \\192.34.34.2\IPC$ "" /u:""
Null Session Countermeasure
• Null sessions require access to TCP port 139 and/or TCP port 445. One
countermeasure is to block these ports at the network perimeter and on the
host firewall.
• You could also disable SMB (Server Message Block) services entirely on
individual hosts by unbinding File and Printer Sharing from the interface.
• To stop NetBIOS over TCP/IP (port 139) on a single interface, perform the
following steps:
1. Open the properties of the network connection.
2. Click TCP/IP and then the Properties button.
3. Click the Advanced button.
4. On the WINS tab, select "Disable NetBIOS over TCP/IP".
• Note that this closes only port 139; Windows 2000 still accepts SMB
directly over TCP port 445, so that port must be blocked (or the server
service unbound) as well.
• A security administrator can also edit the registry directly to restrict
the anonymous user: the RestrictAnonymous value under
HKLM\SYSTEM\CurrentControlSet\Control\Lsa (1 = no enumeration of SAM
accounts and names, 2 = no access at all without explicit anonymous
permissions).
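The registry side of this countermeasure, as an added example that is not part of the original slides: a Python audit of the LSA and LanmanServer values that govern anonymous access. It reads the live values through winreg when run on Windows and otherwise evaluates a constructed WEAK sample; the value names and their meanings are the documented Windows settings, while the contents of the WEAK and HARDENED samples are assumptions.

```python
"""Audit the registry values that govern anonymous (null-session) access on Windows.

Added example; not code from the original slides. Value names are the documented
LSA/LanmanServer settings; the WEAK and HARDENED dictionaries are constructed samples.
"""
try:
    import winreg            # only available on Windows
except ImportError:
    winreg = None

LSA_KEY = r"SYSTEM\CurrentControlSet\Control\Lsa"
SRV_KEY = r"SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"

# (subkey, value name, what it controls, predicate that is True when the setting is safe)
CHECKS = [
    # 0 = rely on defaults, 1 = no enumeration of SAM accounts and names,
    # 2 (Windows 2000) = no access at all without explicit anonymous permissions
    (LSA_KEY, "RestrictAnonymous", "anonymous enumeration of accounts and shares",
     lambda v: v is not None and v >= 1),
    # XP/2003 and later; absent on Windows 2000, where RestrictAnonymous covers it
    (LSA_KEY, "RestrictAnonymousSAM", "anonymous enumeration of SAM accounts",
     lambda v: v is None or v == 1),
    (LSA_KEY, "EveryoneIncludesAnonymous", "anonymous membership of the Everyone group",
     lambda v: not v),
    # REG_MULTI_SZ lists; an empty list means nothing is reachable over a null session
    (SRV_KEY, "NullSessionPipes", "named pipes reachable over a null session",
     lambda v: not v),
    (SRV_KEY, "NullSessionShares", "shares reachable over a null session",
     lambda v: not v),
]


def read_values():
    """Read the live values on a Windows host; returns an empty dict elsewhere."""
    values = {}
    if winreg is None:
        return values
    for subkey, name, _desc, _ok in CHECKS:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
                values[(subkey, name)] = winreg.QueryValueEx(key, name)[0]
        except OSError:                      # key or value not present
            values[(subkey, name)] = None
    return values


def audit(values):
    """Return one finding per unsafe setting; an empty list means every check passed."""
    findings = []
    for subkey, name, desc, ok in CHECKS:
        current = values.get((subkey, name))
        if not ok(current):
            findings.append(f"{name}={current!r}: {desc} is not restricted")
    return findings


# Constructed samples: a default-like Windows 2000 box versus a hardened one.
WEAK = {
    (LSA_KEY, "RestrictAnonymous"): 0,
    (LSA_KEY, "RestrictAnonymousSAM"): None,
    (LSA_KEY, "EveryoneIncludesAnonymous"): 1,
    (SRV_KEY, "NullSessionPipes"): ["COMNAP", "SPOOLSS", "EPMAPPER"],
    (SRV_KEY, "NullSessionShares"): ["COMCFG", "DFS$"],
}
HARDENED = {
    (LSA_KEY, "RestrictAnonymous"): 2,
    (LSA_KEY, "RestrictAnonymousSAM"): 1,
    (LSA_KEY, "EveryoneIncludesAnonymous"): 0,
    (SRV_KEY, "NullSessionPipes"): [],
    (SRV_KEY, "NullSessionShares"): [],
}

if __name__ == "__main__":
    live = read_values() or WEAK          # falls back to the constructed sample off Windows
    for finding in audit(live) or ["all anonymous-access checks passed"]:
        print(finding)
```

RestrictAnonymous=2 is the strongest Windows 2000 setting, but it can break network browsing and down-level domain trusts, so test it on a pilot machine before rolling it out.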
SNMP Enumeration
• SNMP (Simple Network Management Protocol) is simple.
Managers send requests to agents, and the agents send back
replies.
• The requests and replies refer to variables (MIB objects) accessible to
agent software.
• Managers can also send requests to set values for certain
variables.
• Traps let the manager know that something significant has
happened at the agent's end of things:
– a reboot
– an interface failure,
– or that something else that is potentially bad has happened.
• Enumerating NT users via SNMP is easy using snmputil when the agent
still answers the default "public" community string, because the Windows
SNMP agent exposes the LanManager MIB (user, share and service tables)
to any valid read-only community.
SNMPutil example
Tool: IP Network Browser
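What snmputil's walk of the LanManager user table looks like on the wire, as an added example that is not from the slides: a hand-rolled SNMPv1 GetNextRequest encoder, a response decoder and the walk loop, so the packet layout is visible. The OIDs are the LanManager MIB-II user and share tables; UDP port 161 and the "public" community are assumed defaults.

```python
"""SNMPv1 GetNextRequest encoder/decoder and walk loop: what
'snmputil walk <host> public 1.3.6.1.4.1.77.1.2.25' sends.  Added example, not
the slides' code; port 161 and the 'public' community are assumed defaults."""
import socket

LANMAN_USERS = "1.3.6.1.4.1.77.1.2.25"    # svUserTable: local user names
LANMAN_SHARES = "1.3.6.1.4.1.77.1.2.27"   # svShareTable: share names and paths
NULL = b"\x05\x00"

def ber_len(n):
    """BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + ber_len(len(body)) + body

def ber_int(v):
    """INTEGER in two's complement, as few octets as possible."""
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))

def encode_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs fold into one octet, the rest are base-128."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)

def read_tlv(buf, pos):
    """Return (tag, body, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def get_next_request(community, oid, request_id=1):
    """SNMPv1 message: version 0, community string in the clear, GetNextRequest PDU (0xA1)."""
    varbinds = tlv(0x30, tlv(0x30, encode_oid(oid) + NULL))
    pdu = tlv(0xA1, ber_int(request_id) + ber_int(0) + ber_int(0) + varbinds)
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode()) + pdu)

def parse_message(msg):
    """Return (community, error_status, oid, value) from the first varbind of a message."""
    _, seq, _ = read_tlv(msg, 0)
    _, _version, pos = read_tlv(seq, 0)
    _, community, pos = read_tlv(seq, pos)
    _, pdu, _ = read_tlv(seq, pos)
    _, _rid, pos = read_tlv(pdu, 0)
    _, err, pos = read_tlv(pdu, pos)
    _, _idx, pos = read_tlv(pdu, pos)
    _, varbinds, _ = read_tlv(pdu, pos)
    _, vb, _ = read_tlv(varbinds, 0)
    _, oid, pos = read_tlv(vb, 0)
    vtag, value, _ = read_tlv(vb, pos)
    if vtag == 0x04:                       # OCTET STRING, e.g. a user name
        value = value.decode("latin-1")
    elif vtag == 0x02:
        value = int.from_bytes(value, "big", signed=True)
    elif vtag == 0x05:
        value = None
    return community.decode("latin-1"), int.from_bytes(err, "big"), decode_oid(oid), value

def walk(host, community="public", base=LANMAN_USERS, timeout=2.0, limit=10000):
    """Repeat GetNext until the agent leaves the subtree: the snmputil 'walk' loop."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    oid, results = base, []
    for rid in range(1, limit + 1):
        sock.sendto(get_next_request(community, oid, rid), (host, 161))
        data, _ = sock.recvfrom(4096)
        _, err, nxt, value = parse_message(data)
        if err or nxt == oid or not nxt.startswith(base + "."):
            break                          # error, stalled agent, or end of subtree
        results.append((nxt, value))
        oid = nxt
    return results

if __name__ == "__main__":
    import sys
    for oid, value in walk(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else "public"):
        print(oid, value)
```

The community string is an OCTET STRING sent in the clear in every SNMPv1/v2c message, so renaming "public" defends only against guessing; anyone who can sniff the management path reads the new name from the first query.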
SNMP Enumeration Countermeasures
• The simplest way to prevent such activity is to remove the SNMP
agent or turn off the SNMP service.
• If shutting off SNMP is not an option, change the default
"public" community name, make the community read-only and limit which
management stations the agent accepts packets from. Bear in mind that
SNMPv1/v2c community strings travel in cleartext, so anyone who can sniff a
management query learns the new name; SNMPv3 adds authentication and
encryption.
• Implement the Group Policy security option called "Additional
restrictions for anonymous connections".
• Access to null session pipes and null session shares should also be
restricted, and IPSec filtering can limit which hosts may reach the SNMP
and SMB ports at all.
Windows 2000 DNS Zone Transfer

• For clients to locate Windows 2000 domain services such as AD
(Active Directory) and Kerberos, Windows 2000 relies on DNS
SRV records.
• A simple zone transfer performed from within nslookup can enumerate
lots of interesting network information (ls -d is an interactive
nslookup subcommand, so point nslookup at the target's DNS server first):
C:\>nslookup
> server <target DNS server>
> ls -d domainname
• An attacker would look at the following records closely:
1. Global Catalog Service (_gc._tcp)
2. Domain Controllers (_ldap._tcp)
3. Kerberos Authentication (_kerberos._tcp)
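Reading the zone dump, as an added example that is not part of the original slides: a parser for the output shape of nslookup's `ls -d` that pulls out the SRV records listed above and the A records of the hosts they point to, so one transfer yields the domain controllers, global catalogs and KDCs with their addresses. SAMPLE_ZONE, the domain corp.example and its hosts and addresses are constructed.

```python
"""Pull Active Directory service locations out of a zone dump.  Added example, not the
slides' code.  SAMPLE_ZONE is a constructed listing in the shape of Windows nslookup's
'ls -d' output for an AD-integrated zone; the domain, hosts and addresses are not real."""
import re
import sys

SAMPLE_ZONE = """\
[dc1.corp.example]
 corp.example.                  SOA    dc1.corp.example hostmaster.corp.example. (42 900 600 86400 3600)
 corp.example.                  NS     dc1.corp.example
 corp.example.                  A      10.0.0.10
 _gc._tcp                       SRV    priority=0, weight=100, port=3268, dc1.corp.example
 _kerberos._tcp                 SRV    priority=0, weight=100, port=88, dc1.corp.example
 _kerberos._tcp                 SRV    priority=0, weight=100, port=88, dc2.corp.example
 _ldap._tcp                     SRV    priority=0, weight=100, port=389, dc1.corp.example
 _ldap._tcp                     SRV    priority=0, weight=100, port=389, dc2.corp.example
 _ldap._tcp.pdc._msdcs          SRV    priority=0, weight=100, port=389, dc1.corp.example
 dc1                            A      10.0.0.10
 dc2                            A      10.0.0.11
 fileserver                     A      10.0.0.20
"""

SRV_RE = re.compile(r"^\s*(?P<name>\S+)\s+SRV\s+priority=(?P<prio>\d+),\s*weight=(?P<weight>\d+),"
                    r"\s*port=(?P<port>\d+),\s*(?P<target>\S+?)\.?\s*$")
A_RE = re.compile(r"^\s*(?P<name>\S+)\s+A\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*$")

# SRV owner names an attacker reads first, and the role each one reveals
ROLES = {
    "_ldap._tcp": "domain controller (LDAP)",
    "_gc._tcp": "global catalog",
    "_kerberos._tcp": "Kerberos KDC",
    "_ldap._tcp.pdc._msdcs": "PDC emulator",
}


def parse_zone(text):
    """Return (srv_records, a_records): [(owner, port, target)], {owner: ip}."""
    srv, a = [], {}
    for line in text.splitlines():
        m = SRV_RE.match(line)
        if m:
            srv.append((m["name"], int(m["port"]), m["target"]))
            continue
        m = A_RE.match(line)
        if m:
            a[m["name"]] = m["ip"]
    return srv, a


def domain_services(text, zone):
    """Map each role in ROLES to a sorted list of (host, port, ip) that provides it."""
    srv, a = parse_zone(text)
    found = {}
    for owner, port, target in srv:
        role = ROLES.get(owner)
        if role is None:
            continue
        # the A records in a dump are relative to the zone, so strip the zone suffix
        short = target[: -len(zone) - 1] if target.endswith("." + zone) else target
        found.setdefault(role, set()).add((target, port, a.get(short, "")))
    return {role: sorted(hosts) for role, hosts in found.items()}


def domain_controllers(text, zone):
    """Hostnames registered under _ldap._tcp, i.e. every DC in the domain."""
    dcs = domain_services(text, zone).get("domain controller (LDAP)", [])
    return [host for host, _port, _ip in dcs]


if __name__ == "__main__":
    # Save the output of "nslookup" / "ls -d corp.example" to a file and pass its path.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ZONE
    for role, hosts in domain_services(text, "corp.example").items():
        print(f"{role}: {hosts}")
```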
Blocking Windows 2000 DNS Zone Transfer
• You can easily block zone transfers from the DNS property sheet: on the
zone's Zone Transfers tab, either clear "Allow zone transfers" or restrict
transfers to the servers listed on the Name Servers tab.
Identifying Accounts
• Two powerful NT/2000 enumeration tools are:
– 1. sid2user
– 2. user2sid
• They can be downloaded from www.chem.msu.su/~rudnyi/NT/
• These are command-line tools that look up an NT SID from a username
(user2sid) and a username from a SID (sid2user). Every account in a domain
shares the same SID prefix and differs only in its final relative identifier
(RID), so an attacker who obtains one SID can walk the RIDs (500 is always
the Administrator account, even if it has been renamed) to list accounts.
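The SID arithmetic behind these two tools, as an added example that is not the tools' or the slides' code: conversion between the string and binary SID forms, splitting off the RID, and generating the candidate SIDs an attacker feeds to sid2user once one SID from the domain is known. SAMPLE_SID is constructed; the well-known RIDs are the documented Windows values.

```python
"""SID handling behind the user2sid / sid2user technique.  Added example, not the
slides' or the tools' code (the tools wrap the Win32 LookupAccountName and
LookupAccountSid calls; this shows the SID arithmetic around them).  SAMPLE_SID is
constructed and is not a real domain."""
import struct

# RIDs that exist in every NT/2000 domain regardless of account renaming
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt",
                   512: "Domain Admins", 513: "Domain Users", 519: "Enterprise Admins"}
SAMPLE_SID = "S-1-5-21-3623811015-3361044348-30300820-500"   # constructed


def sid_to_binary(sid):
    """'S-1-5-21-a-b-c-rid' -> the binary SID layout the Windows APIs use."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError(f"not a SID: {sid}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    # revision (1 byte), sub-authority count (1 byte), 48-bit big-endian authority,
    # then each sub-authority as a little-endian 32-bit integer
    return (struct.pack("<BB", revision, len(subs)) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def binary_to_sid(blob):
    """Inverse of sid_to_binary."""
    revision, count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:8 + 4 * count])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def domain_sid(account_sid):
    """Drop the RID: the remaining prefix is shared by every account in the domain."""
    return account_sid.rsplit("-", 1)[0]


def rid(account_sid):
    return int(account_sid.rsplit("-", 1)[1])


def candidate_sids(domain, start=1000, count=20):
    """SIDs to hand to sid2user: the fixed RIDs first, then the sequential user range."""
    rids = list(WELL_KNOWN_RIDS) + list(range(start, start + count))
    return [f"{domain}-{r}" for r in rids]


def describe(account_sid):
    """Classify a SID the way an attacker reading sid2user output would."""
    if account_sid.startswith("S-1-5-32-"):
        return "built-in local group/alias"
    r = rid(account_sid)
    if r in WELL_KNOWN_RIDS:
        return f"well-known account: {WELL_KNOWN_RIDS[r]} (renaming does not change the RID)"
    if r >= 1000:
        return "ordinary user or group created after installation"
    return "other well-known RID"


if __name__ == "__main__":
    # user2sid on a known name (e.g. Guest) yields the domain SID; sid2user then walks the RIDs.
    dom = domain_sid(SAMPLE_SID)
    print("domain SID:", dom)
    for sid in candidate_sids(dom, count=5):
        print(sid, "->", describe(sid), sid_to_binary(sid).hex())
```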
Hacking Tool: Enum
• Available for download from http://razor.bindview.com
• enum is a console-based Win32 information enumeration
utility.
• Using null sessions, enum can retrieve user lists, machine lists,
share lists, name lists, group and membership lists, password
and LSA policy information.
• enum is also capable of a rudimentary brute-force dictionary
attack against individual accounts.
Hacking Tool: Userinfo
• Userinfo is a small utility that retrieves all available
information about any known user from any NT/Win2k
system on which you can reach TCP port 139.
• Specifically calling the NetUserGetInfo API at level 3,
Userinfo returns standard information such as
– SID and primary group
– logon restrictions and smart card requirements
– special group information
– password expiration information and password age
• This application works as a null user, even if RestrictAnonymous is set
to 1 to specifically deny anonymous enumeration.
Hacking Tool: GetAcct
• GetAcct sidesteps "RestrictAnonymous=1" and acquires
account information on Windows NT/2000 machines.
• Downloadable from (www.securityfriday.com)
Sniffing
• Sniffing is the process of monitoring and capturing all the packets passing
through a given network using sniffing tools.
• It is the network equivalent of tapping a phone line to listen in on a
conversation; the term wiretapping is also applied to computer networks.
• If a set of enterprise switch ports is left open and unmonitored, any
employee can plug in and sniff the traffic on that segment.
• Anyone in the same physical location can plug into the network using an
Ethernet cable or connect wirelessly to that network and sniff the traffic.
• In other words, sniffing allows you to see all sorts of traffic, both
protected and unprotected; only what is encrypted end to end stays
confidential.
What can be sniffed?
•One can sniff the following sensitive information from a
network
– Email traffic
– FTP passwords
– Web traffic
– Telnet passwords
– Router configuration
– Chat sessions
– DNS traffic
How it works
• A sniffer normally switches the NIC of the system into promiscuous mode so
that it receives all the data transmitted on its segment.
• Promiscuous mode is a mode of Ethernet hardware, in particular network
interface cards (NICs), in which the NIC passes every frame on the wire up
to the operating system, even frames not addressed to it.
• By default, a NIC ignores all traffic that is not addressed to it, which is
done by comparing the destination address of the Ethernet frame with the
hardware address (a.k.a. MAC address) of the device.
• While this makes perfect sense for normal networking, non-promiscuous mode
makes it impossible to use network monitoring and analysis software for
diagnosing other hosts' connectivity issues or for traffic accounting, which
is why the mode exists.
• A sniffer can continuously monitor all the traffic reaching the NIC by
decoding the information encapsulated in the data packets, layer by layer.
Types of Sniffing
Sniffing can be either active or passive in nature.
Passive Sniffing
• In passive sniffing, the traffic is captured but not altered in any way. Passive sniffing
allows listening only. It works on hub-based networks.
• On a hub, the traffic is sent to all the ports. In a network that uses hubs to connect
systems, all hosts on the network can see the traffic. Therefore, an attacker can easily
capture traffic passing through.
• The good news is that hubs are almost obsolete nowadays. Most modern networks use
switches, which forward a frame only to the port that owns its dest MAC address.
Hence, passive sniffing on its own is no longer effective.
Active Sniffing
• In active sniffing, the traffic is not only captured and monitored, but it may also be altered in
some way as determined by the attack. Active sniffing is used to sniff a switch-based network.
• It involves injecting forged frames into the target network: either flooding the switch's
content addressable memory (CAM) table, which maps MAC addresses to ports, with bogus
source addresses until it fails open and floods frames like a hub, or poisoning the ARP caches
of hosts so that they send their traffic through the attacker.
• Following are the active sniffing techniques:
– MAC Flooding
– DHCP Attacks
– DNS Poisoning
– Spoofing Attacks
– ARP Poisoning
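Detection logic for two of the techniques listed, as an added example that is not from the slides: an ARP watcher that raises an alert when an IP address silently changes MAC (ARP poisoning) or when the ARP sender field disagrees with the frame's source address, plus a counter for the burst of new source MACs that a CAM-table flood produces. The MACs, IPs and frames are constructed test data; build_arp_reply exists only to produce them.

```python
"""Spot active-sniffing setups from the frames they generate.  Added example, not the
slides' code: an ARP-cache watcher that flags an IP whose MAC changes (ARP poisoning)
and a counter for the burst of new source MACs a CAM-table flood produces.  All
addresses and frames below are constructed test data."""
import struct

ETH_ARP = 0x0806
ARP_FMT = "!HHBBH6s4s6s4s"      # htype, ptype, hlen, plen, opcode, sha, spa, tha, tpa


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying an ARP reply (opcode 2): '<sender_ip> is at <sender_mac>'."""
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, 2, sender_mac, sender_ip, target_mac, target_ip)
    return struct.pack("!6s6sH", target_mac, sender_mac, ETH_ARP) + arp


def parse_frame(frame):
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    return dst, src, etype, frame[14:]


def mac(b):
    return ":".join(f"{x:02x}" for x in b)


def ip(b):
    return ".".join(str(x) for x in b)


class ArpWatch:
    """Learn IP -> MAC bindings from ARP replies and alert when one silently changes."""

    def __init__(self):
        self.table, self.alerts = {}, []

    def feed(self, frame):
        _dst, src, etype, payload = parse_frame(frame)
        if etype != ETH_ARP or len(payload) < 28:
            return
        _, _, _, _, op, sha, spa, _tha, _tpa = struct.unpack(ARP_FMT, payload[:28])
        if op != 2:
            return                                   # requests do not (re)bind addresses
        addr, new = ip(spa), mac(sha)
        if src != sha:                               # frame source and ARP sender disagree
            self.alerts.append(f"{addr}: ARP sender {new} inside a frame from {mac(src)}")
        old = self.table.get(addr)
        if old is not None and old != new:
            self.alerts.append(f"{addr} moved from {old} to {new}")
        self.table[addr] = new


class CamFloodWatch:
    """Count distinct source MACs; a switch's CAM table holds only a few thousand."""

    def __init__(self, limit=1000):
        self.limit, self.seen, self.alerted = limit, set(), False

    def feed(self, frame):
        self.seen.add(parse_frame(frame)[1])
        if len(self.seen) > self.limit:
            self.alerted = True
        return self.alerted


# Constructed scenario: the real gateway answers, then an attacker claims its address.
GATEWAY_MAC = b"\x02\x00\x00\x00\x00\x01"
VICTIM_MAC = b"\x02\x00\x00\x00\x00\x02"
ATTACKER_MAC = b"\x02\x00\x00\x00\x00\x99"
GATEWAY_IP, VICTIM_IP = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 50])
SAMPLE_FRAMES = [
    build_arp_reply(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
    build_arp_reply(ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),    # poisoned reply
]


def run(frames):
    watch = ArpWatch()
    for f in frames:
        watch.feed(f)
    return watch.alerts


if __name__ == "__main__":
    for alert in run(SAMPLE_FRAMES):
        print("ALERT", alert)
```

In production the frames would come from a promiscuous-mode socket and the first binding should be seeded from a trusted source (a static list or the gateway's known MAC), otherwise an attacker who answers first is learned as legitimate.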
Several protocols lend themselves to easy sniffing:
• HTTP: sends information in clear text without any encryption and is thus a
real target.
• SMTP (Simple Mail Transfer Protocol): used to transfer email between servers.
The protocol is efficient, but it includes no protection against sniffing.
• NNTP (Network News Transfer Protocol): used to read and post Usenet news, but
its main drawback is that data and even passwords are sent over the network as clear text.
• POP (Post Office Protocol): used to retrieve email from a server. Its USER and
PASS commands carry the password in clear text, so a sniffer picks it up directly.
• FTP (File Transfer Protocol): used to send and receive files, but it offers no
security features. Logins and all data are sent as clear text and can easily be sniffed.
• IMAP (Internet Message Access Protocol): used, like POP, to access mail on a
server; its LOGIN command is sent in clear text, so it is just as vulnerable to sniffing.
• Telnet: sends everything (usernames, passwords, keystrokes) over the network as
clear text and hence can easily be sniffed.
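What a passive sniffer actually harvests from these protocols, as an added example that is not the slides' code: a small Ethernet/IPv4/TCP parser, credential extractors for FTP, POP3, HTTP Basic and SMTP AUTH PLAIN, and a Linux promiscuous-mode capture loop using the interface flags described in the previous section. All frames, hosts, user names and passwords in SAMPLE_FRAMES are constructed; the capture function needs root on Linux and is not exercised offline.

```python
"""What a passive sniffer harvests from cleartext protocols.  Added example, not the
slides' code.  The frames, hosts, names and passwords in SAMPLE_FRAMES are constructed."""
import base64
import re
import socket
import struct

USERPASS_RE = re.compile(rb"^(USER|PASS)[ \t]+(\S+)", re.I | re.M)      # FTP and POP3
BASIC_RE = re.compile(rb"Authorization:[ \t]*Basic[ \t]+([A-Za-z0-9+/=]+)", re.I)
PLAIN_RE = re.compile(rb"AUTH[ \t]+PLAIN[ \t]+([A-Za-z0-9+/=]+)", re.I)  # one-line form

def ip(b):
    return ".".join(str(x) for x in b)

def parse_ipv4_tcp(frame):
    """Ethernet II -> IPv4 -> TCP.  Returns (src, dst, sport, dport, payload) or None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    tcp = frame[14 + ihl:]
    sport, dport, _seq, _ack, offset = struct.unpack("!HHIIB", tcp[:13])
    return ip(frame[26:30]), ip(frame[30:34]), sport, dport, tcp[(offset >> 4) * 4:]

class CredentialSniffer:
    """Pairs USER/PASS per TCP flow and decodes base64 logins.  Telnet is left out: its
    keystrokes arrive one per segment and need stream reassembly first."""

    def __init__(self):
        self.pending, self.creds = {}, []

    def feed(self, frame):
        parsed = parse_ipv4_tcp(frame)
        if parsed is None:
            return
        src, dst, sport, dport, data = parsed
        flow = (src, sport, dst, dport)
        if dport in (21, 110):
            proto = "ftp" if dport == 21 else "pop3"
            for cmd, arg in USERPASS_RE.findall(data):
                if cmd.upper() == b"USER":
                    self.pending[flow] = arg.decode("latin-1")
                elif flow in self.pending:
                    self.creds.append((proto, dst, self.pending.pop(flow), arg.decode("latin-1")))
        elif dport in (80, 8080):
            for token in BASIC_RE.findall(data):
                user, _, pw = base64.b64decode(token).decode("latin-1").partition(":")
                self.creds.append(("http-basic", dst, user, pw))
        elif dport in (25, 587):
            for token in PLAIN_RE.findall(data):          # [authzid] \0 user \0 password
                parts = base64.b64decode(token).decode("latin-1").split("\0")
                self.creds.append(("smtp-plain", dst, parts[-2], parts[-1]))

def build_tcp_frame(src_ip, dst_ip, sport, dport, payload):
    """Constructed frame for testing: fixed MACs, no checksums, 20-byte IP and TCP headers."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    src, dst = bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split(".")))
    iph = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, src, dst)
    return b"\x02\x00\x00\x00\x00\x02" + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00" + iph + tcp

SAMPLE_FRAMES = [
    build_tcp_frame("10.0.0.50", "10.0.0.20", 40001, 21, b"USER alice\r\n"),
    build_tcp_frame("10.0.0.50", "10.0.0.20", 40001, 21, b"PASS s3cret\r\n"),
    build_tcp_frame("10.0.0.50", "10.0.0.30", 40002, 80,
                    b"GET / HTTP/1.1\r\nHost: intranet\r\nAuthorization: Basic "
                    + base64.b64encode(b"bob:hunter2") + b"\r\n\r\n"),
    build_tcp_frame("10.0.0.50", "10.0.0.25", 40003, 25,
                    b"AUTH PLAIN " + base64.b64encode(b"\0carol\0pa55") + b"\r\n"),
]

def harvest(frames):
    sniffer = CredentialSniffer()
    for frame in frames:
        sniffer.feed(frame)
    return sniffer.creds

def capture(iface, handler, count=1000):
    """Linux, root only: switch iface to promiscuous mode and pass each raw frame to handler."""
    import fcntl
    SIOCGIFFLAGS, SIOCSIFFLAGS, IFF_PROMISC = 0x8913, 0x8914, 0x100
    sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(0x0003))
    ifr = fcntl.ioctl(sock.fileno(), SIOCGIFFLAGS, struct.pack("16sH14x", iface.encode(), 0))
    flags = struct.unpack("16sH14x", ifr)[1]
    fcntl.ioctl(sock.fileno(), SIOCSIFFLAGS, struct.pack("16sH14x", iface.encode(), flags | IFF_PROMISC))
    sock.bind((iface, 0))
    for _ in range(count):
        handler(sock.recv(65535))

if __name__ == "__main__":
    for cred in harvest(SAMPLE_FRAMES):           # offline demo on the constructed frames
        print(cred)
```

To run it live, call `capture("eth0", CredentialSniffer().feed)` as root; the same parser drives both the offline demo and the raw socket, which is the point: nothing in these protocols distinguishes a legitimate reader from a sniffer.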
Hardware Protocol Analyzers
• Hardware protocol analyzers are used to monitor and identify
malicious network traffic generated by hacking software
installed in the system.
• They capture a data packet, decode it, and analyze its content
according to certain rules.
• Hardware protocol analyzers allow attackers to see individual
data bytes of each packet passing through the cable.
• These hardware devices are not readily available to most
ethical hackers due to their enormous cost in many cases.
Lawful Interception
• Lawful Interception (LI) is defined as legally sanctioned access to
communications network data such as telephone calls or email messages.
• LI was formerly known as wiretapping and has existed since the inception
of electronic communications.
MALWARE THREATS
• Trojans and backdoors are two ways a hacker can gain access to a target
system.
• They come in many different varieties, but they all have one thing in
common: They must be installed by another program, or the user must be
tricked into installing the Trojan or backdoor on their system.
• Trojans and backdoors are potentially harmful tools in the ethical hacker’s
toolkit and should be used judiciously to test the security of a system or
network.
• Viruses and worms can be just as destructive to systems and networks as
Trojans and backdoors. In fact, many viruses carry Trojan executables and
can infect a system then create a backdoor for hackers.
Trojans and Backdoors
• A backdoor is a program or a set of related programs that a hacker installs on a target
system to allow access to the system at a later time.
• A backdoor is usually paired with removal of the evidence of the initial entry from the
system's log files. A backdoor also lets a hacker retain access to a machine it has penetrated
even if the intrusion has already been detected and remedied by the system administrator.
• Adding a new service is the most common technique to disguise backdoors in the
Windows operating system. Before the installation of a backdoor, a hacker must
investigate the system to find the services that are running.
• The hacker could add a new service and give it an inconspicuous name or, better yet,
choose an existing service that is never used and that is either activated manually or
completely disabled.
• This technique is effective because when a hacking attempt occurs the system
administrator usually focuses on looking for something odd in the system, leaving all
existing services unchecked.
• The backdoor technique is simple but efficient: the hacker can get back into the
machine with the least amount of visibility in the server logs.
• The backdoored service lets the hacker run with higher privileges, in most cases as the
LocalSystem account.
• Remote Administration Trojans (RATs) are a class of backdoors used to enable remote
control over a compromised machine. They provide apparently useful functions to the
user and, at the same time, open a network port on the victim computer.
• Once the RAT is started, it behaves as an executable file, interacting with certain
registry keys responsible for starting processes and sometimes creating its own
system services.
What Is a Trojan?
• A Trojan is a malicious program.
• Trojans are often downloaded along with another program or software
package. Once installed on a system, they can cause data theft and loss,
and system crashes or slowdowns; they can also be used as launching
points for other attacks such as Distributed Denial of Service (DDOS).
• Many Trojans are used to manipulate files on the victim computer,
manage processes, remotely run commands, intercept keystrokes, watch
screen images, and restart or shut down infected hosts.
List the Different Types of Trojans
• Trojans can be created and used to perform different attacks. Some of the
most common types of Trojans are:
• Remote Access Trojans (RATs)—used to gain remote access to a system
• Data-Sending Trojans—used to find data on a system and deliver data to a
hacker
• Destructive Trojans—used to delete or corrupt files on a system
• Denial of Service Trojans—used to launch a denial of service attack
• Proxy Trojans—used to tunnel traffic or launch hacking attacks via another
system
• FTP Trojans—used to create an FTP server in order to copy files onto a
system
• Security software disabler Trojans—used to stop antivirus software
What Is Meant by “Wrapping”?
• Wrappers are software packages that can be used to deliver a Trojan. The
wrapper binds a legitimate file to the Trojan file. Both the legitimate software
and the Trojan are combined into a single executable file and installed when the
program is run.
• Generally, games or other animated installers are used as wrappers because
they entertain the user while the Trojan is being installed.
• This way, the user doesn’t notice the slower processing that occurs while the
Trojan is being installed on the system—the user only sees the legitimate
application being installed.
Trojan Construction Kit and Trojan Makers
• Several Trojan-generator tools enable hackers to create their own Trojans. Such
toolkits help hackers construct Trojans that can be customized.
• These tools can be dangerous and can backfire if not handled carefully. New
Trojans created by hackers usually have the added benefit of passing
undetected through virus-scanning and Trojan-scanning tools because they
don't match any known signatures.
• Some of the Trojan kits available in the wild are Senna Spy Generator, the Trojan
Horse Construction Kit v2.0, Progenic Mail Trojan Construction Kit, and
Pandora’s Box.
What Are the Countermeasure Techniques in Preventing Trojans?
• Most commercial antivirus programs have anti-Trojan capabilities as well as spyware detection and
removal functionality.
• These tools can automatically scan hard drives on start-up to detect backdoor and Trojan programs
before they can cause damage.
• Once a system is infected, it is more difficult to clean, but you can do so with commercially available
tools.
• Be careful with "removal tools" downloaded from untrusted sources: some freeware cleaners are
themselves Trojans and will further infect the system.
• In addition, port-monitoring tools can identify ports that have been opened or files that have
changed.
Understand Trojan-Evading Techniques
• The key to preventing Trojans and backdoors from being installed on a system is to educate users not
to install applications downloaded from the Internet or open e-mail attachments from parties they
don’t know.
• Many systems administrators don’t give users the system permissions necessary to install programs
on their system for that very reason.
Viruses and Worms
• Viruses and worms can be used to infect a system and modify a system to allow a hacker to gain access.
• Many viruses and worms carry Trojans and backdoors.
• In this way a virus or worm is a carrier and allows malicious code such as Trojans and backdoors to be
transferred from system to system much in the way that contact between people allows germs to
spread.
Understand the Difference between a Virus and a Worm
• A virus and a worm are similar in that they're both forms of malicious software (malware).
• A virus infects another executable and uses this carrier program to spread itself.
• The virus code is injected into the previously benign program and is spread when the program is run.
Examples of virus carrier programs are macros, games, e-mail attachments, Visual Basic scripts
and animations.
• A worm is self-replicating malware: it spreads from system to system automatically over the
network, whereas a virus needs a host program, and usually a user action, in order to spread.
• Viruses and worms both execute without the knowledge or desire of the end user.
How a Virus Spreads and Infects the System
A virus infects through interaction with an outside system. Viruses are categorized according to their
infection and evasion technique, as follows:
• Polymorphic viruses: these encrypt their code differently with each infection and vary the
decryptor as well, so no fixed byte pattern is left for a signature scanner.
• Stealth viruses: these hide the normal signs of infection, for example by restoring the original
time and date stamp of an infected file so that it is not noticed as a changed file on the system.
• Fast and slow infectors: these try to evade detection by infecting very quickly or very slowly.
• Sparse infectors: these infect only occasionally, or only a few systems or applications, to stay
unnoticed.
• Armored viruses: these use encryption and anti-debugging tricks to make analysis and disassembly
difficult.
• Multipartite viruses: these infect in more than one way, typically both boot sectors and executable
files.
• Cavity (space-filler) viruses: these write themselves into unused areas of a host file so that its size
does not change.
• Tunnelling viruses: these hook below the antivirus monitor (for example the original interrupt
handlers) so that their activity bypasses its checks.
• Camouflage viruses: these appear to be another, legitimate program.
• NTFS and Active Directory viruses: these specifically attack the NT file system or Active Directory on
Windows systems.
Understand Antivirus Evasion Techniques
• An attacker can write a custom script or virus that won’t be detected by antivirus programs. Virus detection
and removal is based on a signature of the program.
• Until the virus is detected and antivirus companies have a chance to update virus definitions, the virus goes
undetected.
• This allows an attacker to evade antivirus detection and removal for a period of time.
Understand Virus Detection Methods
The following techniques are used to detect viruses:
– Scanning for known signatures
– Integrity checking with checksums
– Interception (behaviour monitoring) of activity matching a virus signature
The process of virus detection and removal is as follows:
1. Detect the attack as a virus. Not all anomalous behaviour can be attributed to a virus.
2. Trace processes using utilities such as handle.exe, listdlls.exe, fport.exe, netstat.exe, and pslist.exe, and map
commonalities between affected systems.
3. Detect the virus payload by looking for altered, replaced, or deleted files. New files, changed file attributes, or
shared library files should be checked.
4. Acquire the infection vector and isolate it. Then, update your antivirus definitions and rescan all systems.
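Integrity checking with checksums, as an added example that is not from the slides: build a baseline of SHA-256 hashes of a directory tree, then classify files as added, removed, altered, or changed while keeping their size and timestamp, which is the stealth-virus trick described earlier and the case a plain mtime check misses. demo() runs the whole procedure on a constructed directory in a temporary folder; all file names and contents in it are made up.

```python
"""Integrity checking with checksums: baseline a directory tree and report files that
were added, removed or altered since, including a 'stealth' change whose size and
timestamp were preserved.  Added example, not the slides' code; demo() builds a
constructed directory in a temp folder so it runs offline."""
import hashlib
import json
import os
import tempfile


def hash_file(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Relative path -> (sha256, size, mtime) for every regular file under root."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            out[rel] = (hash_file(full), st.st_size, int(st.st_mtime))
    return out


def save(baseline, path):
    with open(path, "w") as f:
        json.dump(baseline, f)


def load(path):
    with open(path) as f:
        return {k: tuple(v) for k, v in json.load(f).items()}


def compare(baseline, current):
    """Classify every path.  'stealthy' = contents changed but size and mtime did not,
    the signature of a virus that restores the original timestamp after infecting."""
    report = {"added": [], "removed": [], "altered": [], "stealthy": []}
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            report["added"].append(path)
        elif path not in current:
            report["removed"].append(path)
        else:
            h1, size1, mtime1 = baseline[path]
            h2, size2, mtime2 = current[path]
            if h1 != h2:
                kind = "stealthy" if (size1, mtime1) == (size2, mtime2) else "altered"
                report[kind].append(path)
    return report


def demo():
    """Constructed scenario: one file appended to, one patched in place with its size and
    timestamp restored, one deleted, one dropped in.  Returns the compare() report."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        def write(name, data):
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        write("notepad.exe", b"MZ original program")
        write("calc.exe", b"MZ another program")
        write("readme.txt", b"nothing to see")
        save(snapshot(root), os.path.join(store, "baseline.json"))      # round-trip via disk

        write("notepad.exe", b"MZ original program" + b"\x90" * 16)      # grown: altered
        st = os.stat(os.path.join(root, "calc.exe"))
        write("calc.exe", b"MZ anotXer program")                         # same length
        os.utime(os.path.join(root, "calc.exe"), (st.st_atime, st.st_mtime))  # same mtime
        os.remove(os.path.join(root, "readme.txt"))
        write("update.exe", b"MZ new arrival")
        return compare(load(os.path.join(store, "baseline.json")), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Against a real system, snapshot the system directory right after installation, keep the baseline file off the machine (or on read-only media), and treat a "stealthy" hit as the strongest signal of all, since legitimate updates rarely bother to restore timestamps.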
