Ce hv8 module 04 enumeration


  1. Enumeration Module 04
  2. Ethical Hacking and Countermeasures, Exam 312-50 Certified Ethical Hacker. Enumeration, Module 04. Engineered by Hackers. Presented by Professionals. CEH Ethical Hacking and Countermeasures v8, Module 04: Enumeration, Exam 312-50. Module 04 Page 435. Ethical Hacking and Countermeasures Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
  3. Security News: Hackers Attack US Weather Service. Source: http://www.theaustralian.com.au (October 20, 2012). The US National Weather Service computer network was hacked with a group from Kosovo claiming credit and posting sensitive data, security experts said recently. Data released by the Kosovo Hackers Security group includes directory structures, sensitive files from the web server, and other data that could enable later access, according to Chrysostomos Daniel of the security firm Acunetix. "The hacker group stated that the attack is a protest against the US policies that target Muslim countries," Daniel said. Moreover, the attack was a payback for hacker attacks against nuclear plants in Muslim countries, according to a member of the hacking group who said, "They hack our nuclear plants using STUXNET and FLAME-like malwares, they are bombing us 24-7, we can't sit silent - hack to payback them."
  4. Paul Roberts, writing on the Sophos Naked Security blog, said the leaked information includes a list of administrative account names, which could open the hacked servers to subsequent "brute force attacks." "Little is known about the group claiming responsibility for the attack," he said. "However, they allege that the weather.gov hack was just one of many US government hacks the group had carried out and that more releases are pending." © 2011 CBS Interactive. All rights reserved. http://www.theaustralian.com.au/australian-it/hackers-attack-us-weather-service/storye6frgakx-1226499796122
  5. Module Objectives. In the previous modules, you learned about footprinting and scanning networks. The next phase of penetration testing is enumeration. As a pen tester, you should know the purpose of performing enumeration, the techniques used to perform enumeration, where you should apply enumeration, what information you get, enumeration tools, and the countermeasures that can make network security stronger. All these things are covered in this module. This module will familiarize you with the following:
     • What Is Enumeration?
     • Techniques for Enumeration
     • Services and Ports to Enumerate
     • NetBIOS Enumeration
     • Enumerate Systems Using Default Passwords
     • SNMP Enumeration
     • UNIX/Linux Enumeration
     • LDAP Enumeration
     • NTP Enumeration
     • SMTP Enumeration
     • DNS Enumeration
     • Enumeration Countermeasures
     • Enumeration Pen Testing
  6. Module Flow. In order to make you better understand the concept of enumeration, we have divided the module into various sections. Each section deals with different services and ports to enumerate. Before beginning with the actual enumeration process, first we will discuss enumeration concepts. The sections are: Enumeration Concepts; NetBIOS Enumeration; SNMP Enumeration; Unix/Linux Enumeration; LDAP Enumeration; NTP Enumeration; SMTP Enumeration; DNS Enumeration; Enumeration Countermeasures; Enumeration Pen Testing. This section briefs you about what enumeration is, enumeration techniques, and services and ports to enumerate.
  7. What Is Enumeration? Enumeration is defined as the process of extracting user names, machine names, network resources, shares, and services from a system. In the enumeration phase, the attacker creates active connections to the system and performs directed queries to gain more information about the target. The attacker uses the gathered information to identify the vulnerabilities or weak points in system security (system attack points) and then tries to exploit them, for example by performing password attacks to gain unauthorized access to information system resources. Enumeration techniques are conducted in an intranet environment. It involves making active connections to the target system. It is possible that the attacker stumbles upon a remote IPC share, such as IPC$ in Windows, that can be probed with a null session allowing shares and accounts to be enumerated. The previous modules highlighted how the attacker gathers necessary information about the target without really getting on the wrong side of the legal barrier. The type of information enumerated by attackers can be loosely grouped into the following categories (information enumerated by intruders):
     • Network resources and shares
     • Users and groups
  8. (continued)
     • Routing tables
     • Auditing and service settings
     • Machine names
     • Applications and banners
     • SNMP and DNS details
  9. Techniques for Enumeration. In the enumeration process, an attacker collects data such as network users and group names, routing tables, and Simple Network Management Protocol (SNMP) information. This module explores possible ways an attacker might enumerate a target network, and what countermeasures can be taken. The following are the different enumeration techniques that can be used by attackers:
     • Extract user names using email IDs: In general, every email ID contains two parts; one is the user name and the other is the domain name. The structure of an email address is username@domainname. Consider abc@gmail.com; in this email ID "abc" (the characters preceding the @ symbol) is the user name and "gmail.com" (the characters following the @ symbol) is the domain name.
     • Extract information using the default passwords: Many online resources provide lists of default passwords assigned by the manufacturer for their products. Often users forget to change the default passwords provided by the manufacturer or developer of the product. If users don't change their passwords for a long time, then attackers can easily enumerate their data.
  10. (continued)
     • Brute force Active Directory: Microsoft Active Directory is susceptible to a user name enumeration weakness at the time of user-supplied input verification. This is the consequence of a design error in the application. If the "logon hours" feature is enabled, then attempts to authenticate to the service result in varying error messages. Attackers take advantage of this and exploit the weakness to enumerate valid user names. If an attacker succeeds in revealing valid user names, then he or she can conduct a brute-force attack to reveal the respective passwords.
     • Extract user names using SNMP: Attackers can easily guess the "strings" used by the SNMP API, through which they can extract the required user names.
     • Extract user groups from Windows: These techniques extract user accounts from specified groups, store the results, and also verify whether the session accounts are in the group or not.
     • Extract information using DNS Zone Transfer: A DNS zone transfer reveals a lot of valuable information about the particular zone you request. When a DNS zone transfer request is sent to the DNS server, the server transfers its DNS records for that zone. An attacker can get valuable topological information about a target's internal network using DNS zone transfer.
  11. Services and Ports to Enumerate.
     TCP 53         DNS zone transfer
     TCP 135        Microsoft RPC Endpoint Mapper
     TCP 137        NetBIOS Name Service (NBNS)
     TCP 139        NetBIOS Session Service (SMB over NetBIOS)
     TCP 445        SMB over TCP (Direct Host)
     UDP 161        Simple Network Management Protocol (SNMP)
     TCP/UDP 389    Lightweight Directory Access Protocol (LDAP)
     TCP/UDP 3368   Global Catalog Service
     TCP 25         Simple Mail Transfer Protocol (SMTP)
     TCP 53: DNS zone transfer. DNS zone transfer relies on TCP port 53 rather than UDP 53. If TCP 53 is in use, it means that a DNS zone transfer is in process. The TCP protocol helps to maintain a consistent DNS database between DNS servers. This communication occurs only between DNS servers. DNS servers always use the TCP protocol for zone transfer. The connection established between DNS servers transfers the zone data and also helps both source and destination DNS servers ensure data consistency by means of the TCP ACK bit.
     TCP 135: Microsoft RPC Endpoint Mapper. The RPC port 135 is used in client/server applications to make use of message services. To stop the popup you will need to filter port 135 at the firewall level. When trying to connect to a service, you go through this mapper to discover where it is located.
     TCP 137: NetBIOS Name Service (NBNS). NBNS, also known as Windows Internet Name Service (WINS), provides a name resolution service for computers running NetBIOS. NetBIOS Name Servers maintain a database of the NetBIOS names for hosts and the corresponding IP address each host is using. The job of NBNS is to match IP addresses with NetBIOS names and queries. The name service is usually the first service that will be attacked.
  12. TCP 139: NetBIOS Session Service (SMB over NetBIOS). The NetBIOS session service is used to set up and tear down sessions between NetBIOS-capable computers. Sessions are established by exchanging packets. The computer establishing the session attempts to make a TCP connection to port 139 on the computer with which the session is to be established. If the connection is made, the computer establishing the session then sends over the connection a "Session Request" packet with the NetBIOS name of the application establishing the session and the NetBIOS name to which the session is to be established. The computer with which the session is to be established will respond with a "Positive Session Response," indicating that a session can be established, or a "Negative Session Response," indicating that no session can be established.
     TCP 445: SMB over TCP (Direct Host). By using TCP port 445 you can directly access TCP/IP MS Networking without the help of a NetBIOS layer. This service is available only in recent versions of Windows, such as Windows 2000/XP. File sharing in Windows 2000/XP can be done only by using the Server Message Block (SMB) protocol. You can also run SMB directly over TCP/IP in Windows 2000/XP without the extra NetBT layer; TCP port 445 is used for this purpose.
     UDP 161: Simple Network Management Protocol (SNMP). The SNMP protocol is used by various devices and applications (including firewalls and routers) to communicate logging and management information with remote monitoring applications. SNMP agents listen on UDP port 161; asynchronous traps are received on port 162.
     TCP/UDP 389: Lightweight Directory Access Protocol (LDAP). LDAP is an Internet protocol used by MS Active Directory, as well as some email programs, to look up contact information from a server. Both Microsoft Exchange and NetMeeting install an LDAP server on this port.
     TCP/UDP 3368: Global Catalog Service. TCP port 3368 uses one of the main protocols of TCP/IP networks, a connection-oriented protocol; it requires a three-way handshake to set up end-to-end communications. Only then is a connection set up, and user data can be sent bidirectionally over the connection. TCP guarantees delivery of data packets on port 3368 in the same order in which they were sent. UDP port 3368 can be used for non-guaranteed communication. It provides an unreliable service and datagrams may arrive duplicated, out of order, or missing without notice; error checking and correction is not necessary or performed in the application, avoiding the overhead of such processing at the network interface level. UDP (User Datagram Protocol) is a minimal message-oriented Transport Layer protocol. Examples that often use UDP include voice over IP (VoIP), streaming media, and real-time multiplayer games.
  13. TCP 25: Simple Mail Transfer Protocol (SMTP). SMTP allows moving email across the Internet and across your local network. It runs on the connection-oriented service provided by Transmission Control Protocol (TCP), and it uses well-known port number 25. Telnet to port 25 on a remote host; this technique is sometimes used to test a remote system's SMTP server, but here you can use this command-line technique to illustrate how mail is delivered between systems.
  14. NetBIOS Enumeration (module flow). information through enumeration; now it's time to put them into practice. If you are trying to enumerate information of a target network, then NetBIOS is the first place from which you should try to extract as much information as possible. Module flow: Enumeration Concepts; NetBIOS Enumeration (this section); SNMP Enumeration; Unix/Linux Enumeration; LDAP Enumeration; NTP Enumeration; SMTP Enumeration; DNS Enumeration; Enumeration Countermeasures; Enumeration Pen Testing. This section describes NetBIOS enumeration and the information you can extract through enumeration, as well as NetBIOS enumeration tools.
  15. NetBIOS Enumeration. The first step in enumerating a Windows machine is to take advantage of the NetBIOS API. NetBIOS stands for Network Basic Input Output System. IBM, in association with Sytek, developed NetBIOS. It was developed as an Application Programming Interface (API), originally to facilitate the access of LAN resources by the client's software. The NetBIOS name is a unique 16 ASCII character string used to identify the network devices over TCP/IP; 15 characters are used for the device name and the 16th character is reserved for the service or name record type. Attackers use NetBIOS enumeration to obtain:
     • List of computers that belong to a domain and shares of the individual hosts on the network
     • Policies and passwords
     If an attacker finds a Windows OS with port 139 open, he or she would be interested in checking what resources he or she can access, or view, on the remote system. However, to enumerate the NetBIOS names, the remote system must have file and printer sharing enabled. Using these techniques, the attacker can launch two types of attacks on a remote computer that has NetBIOS.
  16. (continued) The attacker can choose to read/write to a remote computer system, depending on the availability of shares, or launch a denial-of-service. NetBIOS Name List:
     Name         NetBIOS Code  Type    Information Obtained
     <host name>  <00>          UNIQUE  Hostname
     <domain>     <00>          GROUP   Domain name
     <host name>  <03>          UNIQUE  Messenger service running for that computer
     <username>   <03>          UNIQUE  Messenger service running for that individual logged-in user
     <host name>  <20>          UNIQUE  Server service running
     <domain>     <1D>          GROUP   Master browser name for the subnet
     <domain>     <1B>          UNIQUE  Domain master browser name, identifies the PDC for that domain
     Note: NetBIOS name resolution is not supported by Microsoft for Internet Protocol Version 6 (IPv6).
  17. NetBIOS Enumeration (Cont'd). Source: http://technet.microsoft.com. Nbtstat displays NetBIOS over TCP/IP (NetBT) protocol statistics, NetBIOS name tables for both the local computer and remote computers, and the NetBIOS name cache. Nbtstat allows a refresh of the NetBIOS name cache and the names registered with Windows Internet Name Service (WINS). Used without parameters, nbtstat displays help. Run the nbtstat command "nbtstat.exe -a <NetBIOS Name of remote machine>" to get the NetBIOS name table of a remote computer. Run the nbtstat command "nbtstat.exe -c" to display the contents of the NetBIOS name cache, the table of NetBIOS names, and their resolved IP addresses.
  18. FIGURE 4.1: Enumeration Screenshot (nbtstat.exe -a run from C:\Users\Admin: NetBIOS Remote Machine Name Table for IP address 192.168.168.170, Scope Id [], listing <00> UNIQUE, <00> GROUP, <1C> GROUP, <20> UNIQUE and <1B> UNIQUE entries, all with status Registered, followed by the MAC address). FIGURE 4.2: Enumeration Screenshot (nbtstat.exe -c: NetBIOS Remote Cache Name Table for 192.168.168.170 showing two <20> UNIQUE entries with host addresses 192.168.168.170 and 192.168.168.1 and their remaining lifetime in seconds).
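The pieces described above, in one runnable place: the 15-character name plus suffix byte from slide 15, the name table from slide 16, the Session Request / Positive or Negative Session Response exchange on TCP 139 from slide 12, and the "nbtstat -a" name table from slides 17 and 18. This is an added Python example, not code from the CEH courseware or from nbtstat, SuperScan or Hyena. The on-the-wire encoding and the session packet layout follow RFC 1001 and RFC 1002 (an assumption about what the page's tools do; the page itself only names the packets). The suffix meanings are copied from the name table above, the sample nbtstat text is constructed for this example, and the names WIN-MSSELCK4K41 and WORKGROUP are reused from the screenshots; the <1E> entry is included only to show how an entry outside the table is reported. A defender can run `parse_nbtstat` over saved nbtstat output to see which services each host advertises.

```python
"""NetBIOS names and the nbtstat name table, defender's view.

Added example (not from the CEH courseware or any tool on this page):
 - the 16-byte NetBIOS name (15 characters plus a suffix byte),
 - the RFC 1001 first-level encoding used on the wire,
 - the RFC 1002 Session Request / Response framing used on TCP 139,
 - a parser that annotates 'nbtstat -a' output with the table meanings.
SAMPLE_NBTSTAT below is constructed for this example.
"""
import re

# Suffix byte + record type -> what the entry tells you (from the name table above).
SUFFIX_MEANING = {
    (0x00, "UNIQUE"): "Hostname (Workstation service)",
    (0x00, "GROUP"): "Domain name",
    (0x03, "UNIQUE"): "Messenger service (computer or logged-in user)",
    (0x20, "UNIQUE"): "Server service running",
    (0x1D, "GROUP"): "Master browser name for the subnet",
    (0x1B, "UNIQUE"): "Domain master browser name, identifies the PDC",
}


def netbios_name_bytes(name: str, suffix: int) -> bytes:
    """16-byte name: upper-cased, space-padded to 15 characters, then the suffix byte."""
    name = name.upper()
    if not 1 <= len(name) <= 15:
        raise ValueError("a NetBIOS name holds 1 to 15 characters")
    if not 0 <= suffix <= 0xFF:
        raise ValueError("the suffix is a single byte")
    return name.encode("ascii").ljust(15, b" ") + bytes([suffix])


def encode_first_level(name: str, suffix: int) -> str:
    """Each nibble of the 16 bytes becomes a letter A..P, giving a 32-character string."""
    out = []
    for b in netbios_name_bytes(name, suffix):
        out.append(chr(0x41 + (b >> 4)))
        out.append(chr(0x41 + (b & 0x0F)))
    return "".join(out)


def decode_first_level(encoded: str) -> tuple[str, int]:
    """Inverse of encode_first_level: returns (name without padding, suffix byte)."""
    if len(encoded) != 32 or any(c not in "ABCDEFGHIJKLMNOP" for c in encoded):
        raise ValueError("expected 32 characters in the range A..P")
    raw = bytes(((ord(encoded[i]) - 0x41) << 4) | (ord(encoded[i + 1]) - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def build_session_request(called: str, calling: str) -> bytes:
    """Session Request (type 0x81) sent to TCP 139: called name <20>, calling name <00>.
    Each name is a length byte 0x20, the 32-character encoding and a 0x00 terminator."""
    body = b"\x20" + encode_first_level(called, 0x20).encode("ascii") + b"\x00"
    body += b"\x20" + encode_first_level(calling, 0x00).encode("ascii") + b"\x00"
    return bytes([0x81, 0x00]) + len(body).to_bytes(2, "big") + body


def parse_session_response(pkt: bytes) -> str:
    """0x82 = Positive Session Response, 0x83 = Negative Session Response (+ one error byte)."""
    if len(pkt) < 4:
        raise ValueError("truncated session packet")
    if pkt[0] == 0x82:
        return "positive session response"
    if pkt[0] == 0x83:
        if len(pkt) < 5:
            raise ValueError("negative response without error code")
        return f"negative session response (error 0x{pkt[4]:02x})"
    return f"unexpected packet type 0x{pkt[0]:02x}"


NBTSTAT_LINE = re.compile(r"^\s*(.{1,15}?)\s*<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\S+)")


def parse_nbtstat(text: str) -> list[dict]:
    """Turn the name-table lines of 'nbtstat -a' output into annotated records."""
    records = []
    for line in text.splitlines():
        m = NBTSTAT_LINE.match(line)
        if not m:
            continue  # headers, separators and the MAC address line carry no <xx> code
        name, code, kind, status = m.groups()
        suffix = int(code, 16)
        records.append({"name": name, "suffix": suffix, "type": kind, "status": status,
                        "meaning": SUFFIX_MEANING.get((suffix, kind), "not in the table above")})
    return records


# Constructed sample in the layout nbtstat -a prints; names reused from the screenshots above.
SAMPLE_NBTSTAT = """\
       NetBIOS Remote Machine Name Table
   Name               Type         Status
---------------------------------------------
WIN-MSSELCK4K41<00>  UNIQUE      Registered
WORKGROUP      <00>  GROUP       Registered
WIN-MSSELCK4K41<20>  UNIQUE      Registered
WORKGROUP      <1D>  GROUP       Registered
WORKGROUP      <1B>  UNIQUE      Registered
WORKGROUP      <1E>  GROUP       Registered
MAC Address = 00-00-00-00-00-00
"""

if __name__ == "__main__":
    for rec in parse_nbtstat(SAMPLE_NBTSTAT):
        print(f"{rec['name']:<15} <{rec['suffix']:02X}> {rec['type']:<6} {rec['meaning']}")
```

The parser keys the meaning on both the suffix and the UNIQUE/GROUP type, because the same suffix (<00>, <03>) means different things for a host name and for a domain name, exactly as the table above distinguishes them; anything not in the table is reported as such rather than guessed.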
  19. NetBIOS Enumeration Tool: SuperScan. Source: http://www.mcafee.com. SuperScan is a connect-based TCP port scanner, pinger, and hostname resolver. It performs ping sweeps and scans any IP range with multithreading and asynchronous techniques. You can restore some functionality by running the following at the Windows command prompt before starting SuperScan: Features:
     • Support for unlimited IP ranges
     • Host detection using multiple ICMP methods
     • TCP SYN, UDP, and source port scanning
     • Hostname resolving
     • IP and port scan order randomization
     • Extensive Windows host enumeration capability
     • Extensive banner grabbing
     • Source port scanning
     • Simple HTML report generation
  20. FIGURE 4.3: SuperScan Screenshot (SuperScan 4.0, Windows Enumeration tab against 10.0.0.2; enumeration types offered: NetBIOS Name Table, NULL Session, MAC Addresses, Workstation type, Users, Groups, RPC Endpoint Dump, Account Policies, Shares, Domains, Remote Time of Day, Logon Sessions, Drives, Trusted Domains, Services, Registry, Saved log file; the output pane shows 3 names in the NetBIOS table (WORKGROUP <00> GROUP, WIN-MSSELCK4K41 <00> UNIQUE, WIN-MSSELCK4K41 <20> UNIQUE), the MAC address, and 4 users on 10.0.0.2, with the Administrator entry listing full name, system comment, last logon, password expiry and age, lockout and disabled state, logon count and bad password count).
21. NetBIOS Enumeration Tool: Hyena

- Hyena is a GUI product for managing and securing Microsoft operating systems.
- It shows shares and user logon names for Windows servers and domain controllers.
- It displays a graphical representation of Microsoft Terminal Services, Microsoft Windows Network, Web Client Network, etc.

[Figure: Hyena screenshot showing the Explorer-style tree of domains, computers, users, shares and services, with each service's status and host process (Own Process / Shared Process)]

Source: http://www.systemtools.com

Hyena is a GUI product for managing and securing any Windows operating system, such as a Windows NT, Windows 2000, Windows XP/Vista, Windows 7, or Windows Server 2003/2008 installation. It uses an Explorer-style interface for all operations and to manage users, groups (both local and global), shares, domains, computers, services, devices, events, files, printers and print jobs, sessions, open files, disk space, user rights, messaging, exporting, job scheduling, processes, and printing. It shows shares and user logon names for Windows servers and domain controllers. It displays a graphical representation of the web client network, Microsoft Terminal Services, and the Windows network.
22. [Figure 4.4: Hyena screenshot showing the service list of a managed computer with each service's status, host process (Own Process / Shared Process) and logon account]
23. NetBIOS Enumeration Tool: WinFingerprint

Source: http://www.winfingerprint.com

WinFingerprint is an administrative network resource scanner that allows you to scan machines on your LAN and returns various details about each host. This includes NetBIOS shares, disk information, services, users, groups, and more. You can choose to perform a passive scan or interactively explore network shares, map network drives, browse HTTP/FTP sites, and more. Scans can be run on a single host or on the entire network neighborhood.
24. [Figure 4.5: Winfingerprint 0.6.2 screenshots. Input options: IP Range, IP List, Single Host, Domain, Neighborhood, Active Directory, WMI API. Scan options: Null IPC$ Sessions, Win32 OS Version, Users, Services, MAC Address, NetBIOS Shares, Date and Time, Patch Level, Disks, Sessions, Groups, Event Log, Ping Host(s), Show RPC Bindings, Traceroute Host. General options: timeout for TCP/UDP/ICMP/SNMP, retries, max connections, TCP and UDP portscan range, SNMP community string (public). First output pane: ping of 10.0.0.3 (reply in 0 ms), IP Address 10.0.0.3, Computername WORKGROUP\WINDOWS8, MAC address 00155da86e06, scan completed in 0.27 seconds. Second output pane: traceroute to 192.168.168.1 and its RPC bindings (ncacn_ip_tcp endpoints 49158, 49219, 49190 and 49181). Project URL: http://winfingerprint.sourceforge.net]
25. NetBIOS Enumeration Tool: NetBIOS Enumerator

[Figure: NetBIOS Enumerator screenshot, scanning from 10.0.0.1 to 10.0.0.50 and listing the hosts found with their NetBIOS name tables]

Source: http://nbtenum.sourceforge.net

This application is recommended when you want to determine how to use remote network support and how to deal with some other interesting techniques, such as SMB.
26. [Figure 4.6: NetBIOS Enumerator screenshot. IP range to scan: 10.0.0.1 to 10.0.0.50; local IP 10.0.0.7. Hosts found: 10.0.0.2 [WIN-MSSELCK4K41], 10.0.0.3 [WINDOWS8], 10.0.0.4 [WINDOWS8], 10.0.0.5 [WIN-LXQN3WR3R9M], 10.0.0.7 [WORKGROUP]. Expanded entry for 10.0.0.4 [WINDOWS8], NetBIOS Names (6): WINDOWS8 - File Server Service; WINDOWS8 - Workstation Service; WORKGROUP - Domain Name; WORKGROUP - Potential Master Browser; WORKGROUP - Master Browser; __MSBROWSE__ - Master Browser; Username: (No one logged on); Domain: WORKGROUP; Round Trip Time (RTT): 1 ms. Expanded entry for 10.0.0.7 [WORKGROUP], NetBIOS Names (3): WORKGROUP - Domain Name; WIN-D39MR5HL9E4 - Workstation Service; WIN-D39MR5HL9E4 - File Server Service; Username: (No one logged on); Domain: WORKGROUP; Round Trip Time (RTT): 0 ms]
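The name table that NetBIOS Enumerator lists in Figure 4.6 is simply the host's reply to a NetBIOS node-status (NBSTAT) query on UDP/137. The decoder below is an added example, not code from the courseware or from NetBIOS Enumerator: it parses such a reply according to RFC 1002 section 4.2.18 and maps each entry's suffix byte and group flag to the service labels the tool prints. The reply bytes are constructed inline (a small builder assembles them) to mirror the WINDOWS8 entries of Figure 4.6, with the MAC address taken from Figure 4.5; the suffix table is a subset of the documented NetBIOS suffixes.

```python
"""Decode a NetBIOS node-status (NBSTAT) reply into "<name> - <service>" lines.

Added example, not code from the CEH courseware or from NetBIOS Enumerator.
Datagram layout per RFC 1002 section 4.2.18; the sample reply is constructed.
"""
import struct
from dataclasses import dataclass

# (suffix byte, is_group) -> service name, the mapping NetBIOS tools print
SUFFIX_SERVICES = {
    (0x00, False): "Workstation Service",
    (0x00, True): "Domain Name",
    (0x03, False): "Messenger Service",
    (0x1B, False): "Domain Master Browser",
    (0x1C, True): "Domain Controllers",
    (0x1D, False): "Master Browser",
    (0x1E, True): "Potential Master Browser",
    (0x20, False): "File Server Service",
}
# Reserved 15-byte name of the browser election group, displayed as __MSBROWSE__
MSBROWSE = b"\x01\x02__MSBROWSE__\x02"


@dataclass
class NbName:
    name: str
    suffix: int
    group: bool
    active: bool

    def describe(self):
        if self.name == "__MSBROWSE__":
            return f"{self.name} - Master Browser"
        service = SUFFIX_SERVICES.get((self.suffix, self.group), f"<{self.suffix:02X}>")
        return f"{self.name} - {service}"


def decode_node_status(packet):
    """Return (list of NbName, MAC address) parsed from a raw NBSTAT reply."""
    # 12-byte NBNS header: id, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", packet[:12])
    if not flags & 0x8000 or ancount < 1:
        raise ValueError("not an NBNS response carrying an answer")
    pos = 12
    while packet[pos]:                      # skip the length-prefixed RR name labels
        pos += 1 + packet[pos]
    pos += 1                                # ... and the terminating 0x00
    rr_type, _, _, rdlength = struct.unpack("!HHIH", packet[pos:pos + 10])
    pos += 10
    if rr_type != 0x0021:                   # NBSTAT record type
        raise ValueError("answer is not a node-status record")
    rdata = packet[pos:pos + rdlength]
    num_names = rdata[0]
    names = []
    for i in range(num_names):              # 18 bytes per entry: name(15) suffix(1) flags(2)
        entry = rdata[1 + 18 * i:1 + 18 * (i + 1)]
        raw, suffix = entry[:15], entry[15]
        name_flags = struct.unpack("!H", entry[16:18])[0]
        name = "__MSBROWSE__" if raw == MSBROWSE else raw.decode("ascii").rstrip(" ")
        # NAME_FLAGS: bit 15 = group name, bit 10 = name is active
        names.append(NbName(name, suffix, bool(name_flags & 0x8000), bool(name_flags & 0x0400)))
    mac_at = 1 + 18 * num_names             # the unit ID (MAC address) follows the table
    mac = ":".join(f"{b:02x}" for b in rdata[mac_at:mac_at + 6])
    return names, mac


def enumerate_names(packet):
    """The display lines a NetBIOS tool would print, plus the MAC address."""
    names, mac = decode_node_status(packet)
    return [n.describe() for n in names], mac


def build_node_status_reply(entries, mac, txid=0x1234):
    """Assemble a reply; used only to construct the sample below."""
    header = struct.pack("!HHHHHH", txid, 0x8400, 0, 1, 0, 0)   # response + authoritative
    # Wildcard name '*' in first-level encoding: each nibble + 'A', padded to 16 bytes
    encoded = b"".join(bytes([0x41 + (c >> 4), 0x41 + (c & 0x0F)]) for c in b"*" + b"\x00" * 15)
    rr_name = bytes([len(encoded)]) + encoded + b"\x00"
    rdata = bytes([len(entries)])
    for raw_name, suffix, group in entries:
        rdata += raw_name.ljust(15, b" ") + bytes([suffix]) + struct.pack("!H", 0x8400 if group else 0x0400)
    rdata += mac
    return header + rr_name + struct.pack("!HHIH", 0x0021, 0x0001, 0, len(rdata)) + rdata


# Constructed sample mirroring the WINDOWS8 entries in Figure 4.6 (MAC from Figure 4.5)
SAMPLE_REPLY = build_node_status_reply(
    [(b"WINDOWS8", 0x20, False), (b"WINDOWS8", 0x00, False),
     (b"WORKGROUP", 0x00, True), (b"WORKGROUP", 0x1E, True),
     (b"WORKGROUP", 0x1D, False), (MSBROWSE, 0x01, True)],
    mac=bytes.fromhex("00155da86e06"),
)

if __name__ == "__main__":
    lines, mac = enumerate_names(SAMPLE_REPLY)
    print(f"NetBIOS Names ({len(lines)}), MAC {mac}")
    for line in lines:
        print("  " + line)
```

Run against captures of your own hosts' replies, the decoder shows exactly what each machine volunteers to anyone who asks; hosts that still answer node-status queries from untrusted segments are the ones to restrict (NetBIOS over TCP/IP disabled or UDP/137 filtered), which is the countermeasure side of this module.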
27. Enumerating User Accounts

PsTools (all from http://technet.microsoft.com): PsExec, PsFile, PsGetSid, PsKill, PsInfo, PsList, PsLoggedOn, PsLogList, PsPasswd, PsShutdown

PsExec
Source: http://technet.microsoft.com
PsExec is a command-line telnet replacement that lets you execute processes on other systems, console applications included, without having to manually install client software. When you use a specific user account, PsExec passes credentials in the clear to the remote workstation, thus exposing the credentials to anyone who happens to be listening in.

PsFile
Source: http://technet.microsoft.com
PsFile is a command-line utility that shows a list of files on a system that are opened remotely, and it also allows you to close opened files either by name or by a file identifier. The default behavior of PsFile is to list the files on the local system that are open by remote systems. Typing a command followed by "-" displays information on the syntax for the command.
28. PsGetSid
Source: http://technet.microsoft.com
PsGetSid allows you to translate SIDs to their display name and vice versa. It works on built-in accounts, domain accounts, and local accounts. It lets you see the SIDs of user accounts and translates a SID into the name that represents it, and it works across the network so that you can query SIDs remotely.

PsKill
Source: http://technet.microsoft.com
PsKill is a kill utility that can kill processes on remote systems and terminate processes on the local computer. You don't need to install any client software on the target computer to use PsKill to terminate a remote process.

PsInfo
Source: http://technet.microsoft.com
PsInfo is a command-line tool that gathers key information about the local or remote Windows NT/2000 system, including the type of installation, kernel build, registered organization and owner, number of processors and their type, amount of physical memory, the install date of the system and, if it is a trial version, the expiration date.

PsList
Source: http://technet.microsoft.com
PsList is a command-line tool that administrators use to view process CPU and memory information or thread statistics. The tools in the Resource Kits, pstat and pmon, show you different types of data but display only the information regarding the processes on the system on which you run the tools.

PsLoggedOn
Source: http://technet.microsoft.com
PsLoggedOn is an applet that displays local and remote logged-on users. If you specify a user name instead of a computer, the PsLoggedOn tool searches all the computers in the network neighborhood and tells you if the user is currently logged on. PsLoggedOn's definition of a locally logged-on user is one that has their profile loaded into the Registry, so PsLoggedOn determines who is logged on by scanning the keys under the HKEY_USERS key.

PsLogList
Source: http://technet.microsoft.com
The default behavior of PsLogList is to show the contents of the System Event Log on the local computer, with visually friendly formatting of Event Log records. Command-line options let you view logs on different computers, use a different account to view a log, or have the output formatted in a string-search-friendly way.

29. PsPasswd
Source: http://technet.microsoft.com
PsPasswd is a tool that enables the administrator to create batch files that run PsPasswd on the network of computers to change the administrator password as a part of standard security practice.

PsShutdown
Source: http://technet.microsoft.com
PsShutdown is a command-line tool that allows you to remotely shut down PCs in a network. It can log off the console user or lock the console (locking requires Windows 2000 or higher). It does not require any manual installation of client software.
30. Enumerate Systems Using Default Passwords

- Devices like switches, hubs, routers, and access points might still be enabled with a "default password".
- Attackers gain unauthorized access to the organization's computer network and information resources by using default and common passwords.

[Figure: excerpt of the default password list at http://www.virus.org/default_passwds (3COM LANplex, LinkSwitch, NetBuilder and Office Connect ISDN Routers entries) next to an enterprise network diagram in which a router still uses a default username/password, e.g. admin/synnet]

Source: http://www.defaultpassword.com

Devices such as switches, hubs, routers, and access points usually come with "default passwords." Not only network devices but also a few local and online applications have built-in default passwords. These passwords are set by vendors or application programmers during development of the product. Most users use these applications or devices without changing the default passwords provided by the vendor or the programmer. If you do not change these default passwords, then you might be at risk, because lists of default passwords for many products and applications are available online. One such example is http://www.virus.org/default_passwds; it provides verified default login/password pairs for common networked devices. The logins and passwords contained in this database are either set by default when the hardware or software is first installed or are, in some cases, hardcoded into the hardware or software.
31. [Figure 4.7: screenshot of a default password search page (search by vendor, product, or model, with an A-Z index) whose table has the columns Vendor, Product, Model/Revision, Password, Access Level and Login, listing entries such as 2wire WiFi Routers and 3COM CellPlex, CoreBuilder, HiPerARC, LANplex, LinkSwitch, NetBuilder and Office Connect ISDN Routers]

Attackers take advantage of these default passwords and of the online resources that provide default passwords for various products and applications. Attackers gain unauthorized access to the organization's computer network and information resources by using default and common passwords.

[Figure 4.8: diagram of a router within an enterprise network]
32. Module Flow

Enumeration Concepts, NetBIOS Enumeration, SNMP Enumeration, UNIX/Linux Enumeration, LDAP Enumeration, NTP Enumeration, SMTP Enumeration, DNS Enumeration, Enumeration Countermeasures, Enumeration Pen Testing

This section describes the UNIX/Linux commands that can be used for enumeration and Linux enumeration tools.
33. SNMP (Simple Network Management Protocol) Enumeration

- SNMP enumeration is a process of enumerating user accounts and devices on a target system using SNMP.
- SNMP consists of a manager and an agent; agents are embedded on every network device, and the manager is installed on a separate computer.
- SNMP holds two passwords to access and configure the SNMP agent from the management station:
  - Read community string: it is "public" by default and allows viewing the device or system configuration.
  - Read/write community string: it is "private" by default and allows editing or altering the configuration on the device.
- Attackers use these default community strings to extract information about a device.
- Attackers enumerate SNMP to extract information about network resources such as hosts, routers, devices, shares, etc., and network information such as ARP tables, routing tables, traffic statistics, device-specific information, etc.

SNMP (Simple Network Management Protocol) is an application layer protocol that runs on UDP and is used to maintain and manage routers, hubs, and switches on an IP network. SNMP agents run on networking devices in Windows and UNIX networks. SNMP enumeration is the process of enumerating the user accounts and devices on a target computer using SNMP. Two types of software components are employed by SNMP for communicating: the SNMP agent and the SNMP management station. The SNMP agent is located on the networking device, whereas the SNMP management station communicates with the agent. Almost all network infrastructure devices, such as routers and switches, contain an SNMP agent for managing the system or device.

The SNMP management station sends requests to the agent; after receiving a request, the agent sends back a reply. Both requests and replies refer to the configuration variables accessible to the agent software. SNMP management stations also send requests to set the values of some variables. Traps let the management station know if something has happened on the agent's side, such as a reboot, an interface failure, or any other abnormal event.

34. SNMP contains two passwords that you can use for configuring as well as for accessing the SNMP agent from the management station. The two SNMP passwords are:

- Read community string:
  - The configuration of the device or system can be viewed with the help of this password.
  - These strings are public.
- Read/write community string:
  - The configuration of the device can be changed or edited using this password.
  - These strings are private.

When the community strings are left at the default setting, attackers take the opportunity to find the loopholes in it. Then, the attacker can use these default passwords for changing or viewing the configuration of the device or system. Attackers enumerate SNMP to extract information about network resources such as hosts, routers, devices, shares, etc., and network information such as ARP tables, routing tables, device-specific information, and traffic statistics. Commonly used SNMP enumeration tools include SNMPUtil and IP Network Browser.
35. Working of SNMP

[Figure 4.9: SNMP exchange. Host X (SNMP Manager, IP 10.10.2.15) sends a request for the active session table with Community String: CompInfo to Host Y (SNMP Agent, IP 10.10.2.12), whose MIB holds the community string CompInfo, the software version, hard drive space and the session table. Host Y replies with Active Session Information (No. of sessions: 2, Comm: CompInfo, IP: 10.10.2.15). If the community string does not match the string stored in the MIB database, Host Y sends a message with Community String: Alarm to a pre-configured SNMP manager, Host Z (SNMP Manager, IP 10.10.2.1), indicating the error.]
36. Management Information Base (MIB)

- MIB is a virtual database containing a formal description of all the network objects that can be managed using SNMP.
- The MIB database is hierarchical, and each managed object in a MIB is addressed through object identifiers (OIDs).
- Two types of managed objects exist:
  - Scalar objects that define a single object instance
  - Tabular objects that define multiple related object instances that are grouped in MIB tables
- The OID includes the type of MIB object, such as counter, string, or address; the access level, such as not-accessible, accessible-for-notify, read-only, or read-write; size restrictions; and range information.
- SNMP uses the MIB's hierarchical namespace containing object identifiers (OIDs) to translate the OID numbers into a human-readable display.

MIB is a virtual database containing a formal description of all the network objects that can be managed using SNMP. MIB is a collection of hierarchically organized information. It provides a standard representation of the SNMP agent's information and storage. MIB elements are recognized using object identifiers. An object ID is the numeric name given to the object and begins with the root of the MIB tree. The object identifier uniquely identifies the object present in the MIB hierarchy. MIB-managed objects include scalar objects that define a single object instance and tabular objects that define a group of related object instances. The object identifiers include the object's type, such as counter, string, or address; the access level, such as read or read/write; size restrictions; and range information. MIB is used as a codebook by the SNMP manager for converting the OID numbers into a human-readable display.

The contents of the MIB can be accessed and viewed using a web browser, either by entering the IP address and Lseries.mib or by entering the DNS library name and Lseries.mib, for example http://IP.Address/Lseries.mib or http://library_name/Lseries.mib. Microsoft provides the list of MIBs that are installed with the SNMP Service in the Windows resource kit. The major ones are:

37.
- DHCP.MIB: monitors network traffic between DHCP servers and remote hosts
- HOSTMIB.MIB: monitors and manages host resources
- LNMIB2.MIB: contains object types for workstation and server services
- WINS.MIB: for Windows Internet Name Service
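The request that Host X sends to Host Y in Figure 4.9, the community string that gates it, and the MIB "codebook" that turns OID numbers into names can all be seen in one small piece of code. The following decoder is an added example, not code from the courseware or from any tool listed in this module: it walks the BER structure of an SNMPv1 GetRequest, reports the community string and the OIDs requested, translates each OID through a tiny MIB codebook, and flags requests that still carry the vendor defaults "public" or "private". Both packets are constructed inline (the second uses a made-up community name, "N3tOps-r0"), and the codebook is only a handful of MIB-II entries rather than a full MIB file.

```python
"""Decode an SNMPv1 GetRequest, flag default community strings, name the OIDs.

Added example; not code from the CEH courseware or from any tool it lists.
BER walk per the SNMPv1 message layout (RFC 1157); packets are constructed.
"""
from dataclasses import dataclass

DEFAULT_COMMUNITIES = {"public", "private"}   # the vendor defaults the text warns about

# Tiny MIB "codebook": OID prefix -> object name (a subset of MIB-II)
MIB_CODEBOOK = {
    "1.3.6.1.2.1.1.1": "sysDescr",
    "1.3.6.1.2.1.1.3": "sysUpTime",
    "1.3.6.1.2.1.1.5": "sysName",
    "1.3.6.1.2.1.1.6": "sysLocation",
    "1.3.6.1.2.1.2.2.1.2": "ifDescr",
}


def _read_tlv(buf, pos):
    """Return (tag, contents, next_pos) for the BER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: 0x8N, then N length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """BER OID contents (2b 06 01 ...) -> dotted form (1.3.6.1...)."""
    arcs = [raw[0] // 40, raw[0] % 40]      # first byte packs the first two arcs
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)   # base-128; high bit set means more bytes
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def oid_to_name(oid):
    """Longest-prefix codebook lookup: 1.3.6.1.2.1.1.1.0 -> sysDescr.0; unknown OIDs unchanged."""
    arcs = oid.split(".")
    for cut in range(len(arcs), 0, -1):
        prefix = ".".join(arcs[:cut])
        if prefix in MIB_CODEBOOK:
            return ".".join([MIB_CODEBOOK[prefix]] + arcs[cut:])
    return oid


@dataclass
class SnmpRequest:
    version: int
    community: str
    pdu_type: int         # 0xA0 GetRequest, 0xA1 GetNextRequest, 0xA3 SetRequest
    request_id: int
    oids: list

    @property
    def uses_default_community(self):
        return self.community in DEFAULT_COMMUNITIES


def parse_snmp_v1(packet):
    """Walk Message -> (version, community, PDU) -> VarBindList -> VarBind -> OID."""
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("outer SEQUENCE missing; not an SNMP message")
    _, ver, pos = _read_tlv(msg, 0)             # INTEGER version (0 = SNMPv1)
    _, comm, pos = _read_tlv(msg, pos)          # OCTET STRING community
    pdu_type, pdu, _ = _read_tlv(msg, pos)      # context tag identifies the PDU kind
    _, rid, p = _read_tlv(pdu, 0)               # request-id
    _, _, p = _read_tlv(pdu, p)                 # error-status
    _, _, p = _read_tlv(pdu, p)                 # error-index
    _, vbl, _ = _read_tlv(pdu, p)               # VarBindList
    oids, q = [], 0
    while q < len(vbl):
        _, vb, q = _read_tlv(vbl, q)            # VarBind = SEQUENCE { OID, value }
        _, oid_raw, _ = _read_tlv(vb, 0)
        oids.append(_decode_oid(oid_raw))
    return SnmpRequest(int.from_bytes(ver, "big"), comm.decode("ascii"),
                       pdu_type, int.from_bytes(rid, "big"), oids)


def audit_requests(packets):
    """One (request-id, community, named OIDs) finding per request using a default community."""
    findings = []
    for pkt in packets:
        req = parse_snmp_v1(pkt)
        if req.uses_default_community:
            findings.append((req.request_id, req.community, [oid_to_name(o) for o in req.oids]))
    return findings


# Constructed GetRequest for sysDescr.0 carrying the SNMPv1 default community "public"
SAMPLE_DEFAULT = bytes.fromhex(
    "30 26"                   # SEQUENCE, 38 bytes follow
    "02 01 00"                # INTEGER version = 0 (SNMPv1)
    "04 06 7075626c6963"      # OCTET STRING community = "public"
    "a0 19"                   # GetRequest-PDU, 25 bytes
    "02 01 01"                # request-id = 1
    "02 01 00"                # error-status = noError
    "02 01 00"                # error-index = 0
    "30 0e"                   # VarBindList
    "30 0c"                   # VarBind
    "06 08 2b06010201010100"  # OBJECT IDENTIFIER 1.3.6.1.2.1.1.1.0 (sysDescr.0)
    "05 00"                   # NULL value placeholder
)
# Same request (request-id 2) with a constructed, site-specific community "N3tOps-r0"
SAMPLE_CUSTOM = bytes.fromhex(
    "3029 020100 0409 4e33744f70732d7230 a019 020102 020100 020100 300e 300c 0608 2b06010201010100 0500"
)
```

The community string travels as a plain OCTET STRING, which is why anything that can see the UDP/161 traffic can read it and why SNMPv1/v2c defaults are worth hunting for on your own network; feeding captured requests through audit_requests lists the managers (by request-id and community) that still rely on "public" or "private", and the codebook step shows why a full MIB is needed to make vendor-specific OIDs readable.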
38. SNMP Enumeration Tool: OpUtils

- OpUtils, with its integrated set of tools, helps network engineers to monitor, diagnose, and troubleshoot their IT resources.

Source: http://www.manageengine.com

OpUtils is a collection of tools with which network engineers can monitor, diagnose, and troubleshoot their IT resources. You can monitor the availability and other activities of critical devices, detect unauthorized network access, and manage IP addresses. It allows you to create custom SNMP tools through which you can monitor MIB nodes.
40. SNMP Enumeration Tool: SolarWinds IP Network Browser

- IP Network Browser performs network discovery on a single subnet or a range of subnets using ICMP and SNMP.
- It scans a single IP, IP address range, or subnet and displays network devices discovered in real time, providing immediate access to detailed information about the devices on the network.

[Figure: IP Network Browser screenshot showing discovered hosts 192.168.168.x with, for one Windows workstation, system name, description, location, sysObjectID 1.3.6.1.4.1.311.1.1.3.1.1, last boot time, services, two interfaces (MS TCP Loopback and a Realtek RTL8168/8111 gigabit adapter), accounts, ARP table, routes, shares, TCP/IP networks and TCP connections]

Source: http://www.solarwinds.com

IP Network Browser from SolarWinds is a network discovery application. It collects information via ICMP and SNMP locally or on a remote network. It scans a single IP, IP address range, or subnet and displays network devices as they are discovered in real time, providing you with immediate access to detailed information about the devices on your network.

It is easy for the attacker to discover information about the target network after scanning the entire subnet. Using IP Network Browser, an attacker can gather information from a poorly configured Windows system. The information that can be gathered includes the server name, operating system version, SNMP contact and location information, list of services and network interfaces, list of all user accounts, machine date/time, etc. For example, on a Cisco router, SolarWinds IP Network Browser will determine the current IOS version and release, as well as identify which cards are installed in which slots, the status of each port, and the ARP tables. When IP Network Browser discovers a Windows server, it returns information including interface status, bandwidth utilization, services running, and even details of the software that is installed and running.

41. [Figure 4.11: SolarWinds IP Network Browser screenshot within the SolarWinds Workspace Studio, showing the tool tree (network discovery, monitoring, SNMP tools, Cisco tools, address management) and the expanded details of a discovered Windows NT workstation]
42. SNMP Enumeration Tools
In addition to OpUtils and SolarWinds IP Network Browser, a few more SNMP enumeration tools are listed as follows:
- Getif, available at http://www.wtcs.org
- OiDViEW SNMP MIB Browser, available at http://www.oidview.com
- iReasoning MIB Browser, available at http://tl1.ireasoning.com
- SNScan, available at http://www.mcafee.com
- SNMP Scanner, available at http://www.secure-bytes.com
- SoftPerfect Network Scanner, available at http://www.softperfect.com
- SNMP Informant, available at http://www.snmp-informant.com
- Net-SNMP, available at http://net-snmp.sourceforge.net
- Nsauditor Network Security Auditor, available at http://www.nsauditor.com
- Spiceworks, available at http://www.spiceworks.com
43. Module Flow
This section describes the UNIX/Linux commands that can be used for enumeration and the Linux enumeration tools.
Module flow: Enumeration Concepts, NetBIOS Enumeration, SNMP Enumeration, UNIX/Linux Enumeration, LDAP Enumeration, NTP Enumeration, SMTP Enumeration, DNS Enumeration, Enumeration Countermeasures, Enumeration Pen Testing.
44. UNIX/Linux Enumeration Commands
finger: enumerates the user and the host; shows the user's home directory, login time, idle time, office location, and the last time they received or read mail. Example: [root$] finger -l @target.hackme.com
rpcinfo: helps to enumerate the Remote Procedure Call (RPC) protocol; RPC allows applications to communicate over the network. Example: [root] rpcinfo -p 19x.16x.xxx.xx
rpcclient: using rpcclient we can enumerate user names and shares on Linux and OS X (Samba) hosts. Example: [root$] rpcclient $> netshareenum
showmount: finds the shared (exported) directories on the machine. Example: [root$] showmount -e 19x.16x.xxx.xx
UNIX/Linux Enumeration Commands
The commands used to enumerate UNIX network resources are showmount, finger, rpcinfo (RPC), and rpcclient.
Finger: The finger command is used for enumerating the users on a remote machine. It enables you to view the user's home directory, login time, idle time, office location, and the last time they received or read mail. The finger daemon listens on TCP port 79; most current systems no longer run it, so getting any answer at all is a finding in itself. The syntax for finger is:
finger [-b] [-f] [-h] [-i] [-l] [-m] [-p] [-q] [-s] [-w] [username]
Options:
-b Suppresses printing the user's home directory and shell in a long format printout.
-f Suppresses printing the header that is normally printed in a non-long format printout.
-h Suppresses printing of the .project file in a long format printout.
-i Forces "idle" output format, which is similar to short format except that only the login name, terminal, login time, and idle time are printed.
45.
-l Forces long output format.
-m Matches arguments only on the user's name.
-p Suppresses printing of the .plan file in a long format printout.
-q Forces quick output format, which is similar to short format except that only the login name, terminal, and login time are printed.
-s Forces short output format.
-w Suppresses printing the full name in a short format printout.
For example, if the command [root$] finger -l @target.hackme.com is executed, you get the list of users currently logged in on the target host (an empty user name in front of the @ asks the remote finger daemon for everyone); finger -l user@target.hackme.com returns the long-format details for a single account.
rpcinfo (RPC)
rpcinfo helps you enumerate the Remote Procedure Call (RPC) services registered with rpcbind (the portmapper, TCP/UDP port 111) on a host; RPC in turn allows applications to communicate over the network. The syntax for rpcinfo follows:
rpcinfo [-m | -s] [host]
rpcinfo -p [host]
rpcinfo -T transport host prognum [versnum]
rpcinfo -l [-T transport] host prognum versnum
rpcinfo [-n portnum] -u host prognum [versnum]
rpcinfo [-n portnum] -t host prognum [versnum]
rpcinfo -a serv_address -T transport prognum [versnum]
rpcinfo -b [-T transport] prognum versnum
rpcinfo -d [-T transport] prognum versnum
Options:
-m Displays a table of statistics of rpcbind operations on the given host. The table shows statistics for each version of rpcbind (versions 2, 3 and 4), giving the number of times each procedure was requested and successfully serviced, the number and type of remote call requests that were made, and information about RPC address lookups that were handled. This is useful for monitoring RPC activities on the host.
-s Displays a concise list of all registered RPC programs on host. If host is not specified, it defaults to the local host.
-p Probes rpcbind on host using version 2 of the rpcbind protocol, and displays a list of all registered RPC programs. If host is not specified, it defaults to the local host.
Note that version 2 of the rpcbind protocol was previously known as the portmapper protocol.
-t Makes an RPC call to procedure 0 of prognum on the specified host using TCP, and reports whether or not a response was received. This option is made obsolete by the -T option as shown in the third synopsis.
46.
-l Displays a list of entries with a given prognum and versnum on the specified host. Entries are returned for all transports in the same protocol family as that used to contact the remote rpcbind.
-b Makes an RPC broadcast to procedure 0 of the specified prognum and versnum and reports all hosts that respond. If transport is specified, it broadcasts its request only on the specified transport. If broadcasting is not supported by any transport, an error message is printed. Use of broadcasting should be limited because of the potential for adverse effects on other systems.
-d Deletes the registration for the RPC service of the specified prognum and versnum. If transport is specified, unregisters the service on only that transport; otherwise, unregisters the service on all the transports on which it was registered. Only the owner of a service can delete a registration, except the superuser, who can delete any service.
-u Makes an RPC call to procedure 0 of prognum on the specified host using UDP, and reports whether or not a response was received. This option is made obsolete by the -T option as shown in the third synopsis.
-a serv_address Uses serv_address as the (universal) address for the service on transport to ping procedure 0 of the specified prognum and reports whether or not a response was received. The -T option is required with the -a option. If versnum is not specified, rpcinfo tries to ping all available version numbers for that program number. This option avoids calls to the remote rpcbind to find the address of the service. The serv_address is specified in the universal address format of the given transport.
-n portnum Uses portnum as the port number for the -t and -u options instead of the port number given by rpcbind. Use of this option avoids a call to the remote rpcbind to find out the address of the service. This option is made obsolete by the -a option.
-T transport Specifies the transport on which the service is required. If this option is not specified, rpcinfo uses the transport specified in the NETPATH environment variable, or if that is unset or NULL, the transport in the netconfig database is used. This is a generic option, and can be used in conjunction with other options as shown in the SYNOPSIS.
host Specifies the host whose RPC information is required.
For example, if the command [root] rpcinfo -p 19x.16x.xxx.xx is executed, you get the program number, version, protocol, port and service name of every RPC program registered on that host. This is how an attacker learns that NFS (mountd, nfs), NIS (ypserv, ypbind) or other RPC services are present without having to port-scan for them.
rpcclient
rpcclient is used to enumerate user names on Linux and OS X. The syntax for rpcclient follows:
rpcclient [-A authfile] [-c <command string>] [-d debuglevel] [-h] [-l logdir] [-N] [-s <smb config file>] [-U username[%password]] [-W workgroup] [-I destinationIP] {server}
Options:
-c Executes semicolon-separated commands.
47.
-I IP address is the address of the server to connect to. It should be specified in standard "a.b.c.d" notation.
-p This number is the TCP port number used when making connections to the server. The standard TCP port number for an SMB/CIFS server is 139, which is the default.
-d debuglevel is an integer from 0 to 10. The default value if this parameter is not specified is 0.
-V Prints the program version number.
-s The file specified contains the configuration details required by the server.
-l Base directory name for log/debug files. The extension ".progname" will be appended (e.g. log.smbclient, log.smbd, etc.). The log file is never removed by the client.
-N If specified, this parameter suppresses the normal password prompt from the client to the user. This is useful when accessing a service that does not require a password.
-A This option allows you to specify a file from which to read the username and password used in the connection.
-U Sets the SMB user name or user name and password.
-W Sets the SMB domain of the user name.
-h Prints a summary of command-line options.
For example, rpcclient -U "" -N server opens a null session (empty user name, no password) and leaves you at the rpcclient $> prompt. There, netshareenum lists the shares the server exports, enumdomusers lists its user names, and srvinfo returns the OS version; the slide's netshareenum example therefore shows shares, and it is enumdomusers that produces the user list. Whether a null session is answered at all depends on the server's RestrictAnonymous setting (restrict anonymous in smb.conf on Samba).
showmount
showmount identifies and lists the directories a host exports over NFS and the clients that currently have them mounted. The information comes from mountd, the RPC server on the host that answers file system mount requests and NFS access queries; mountd keeps the list of current mounts in /etc/rmtab so that it survives a restart or crash. If no host is given, the default is the value returned by hostname(1). The syntax for mountd is /usr/lib/nfs/mountd [-v] [-r] and the syntax for showmount is /usr/sbin/showmount [-ade] [hostname].
48.
Options:
-a Prints all remote mounts in the format hostname:directory.
-d Lists directories that have been remotely mounted by clients.
-e Prints the list of exported (shared) file systems.
For example, if the command [root$] showmount -e 19x.16x.xxx.xx is executed, it displays the list of directories the host exports, each with the hosts or networks permitted to mount it; an export whose client list is * (printed as "(everyone)" by the Linux showmount) can be mounted by anyone. showmount has to reach rpcbind on port 111 and then mountd on the host, so a filtered port 111 is the usual reason for it to fail.
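The follow-up a tester performs with rpcinfo and showmount is mechanical enough to script. The Python below is an added example, not part of the module: it parses the output of rpcinfo -p and showmount -e, reports which RPC services are registered on the host, and flags NFS exports that any client may mount. The two sample outputs embedded in it are constructed to match the tools' real formats; the addresses, host names and paths in them are invented, and the run_tool helper that would feed live output is an assumption about how you would wire it up.

```python
"""Triage of rpcinfo -p and showmount -e output.

Added example, not part of the module: it parses the output of the two
commands, reports which RPC services are registered on the host, and flags
NFS exports that any client may mount. The two sample outputs below are
constructed to match the tools' real formats; addresses, host names and
paths in them are invented.
"""
import re
import subprocess

# Constructed sample of `rpcinfo -p 192.0.2.10`
SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100005    1   udp  38109  mountd
    100005    3   tcp  41247  mountd
    100024    1   udp  56421  status
    100021    4   tcp  35673  nlockmgr
"""

# Constructed sample of `showmount -e 192.0.2.10`; Linux prints "(everyone)" for an
# export whose client list is "*", other implementations print the "*" itself
SAMPLE_SHOWMOUNT = """\
Export list for 192.0.2.10:
/export/home   *
/srv/backup    10.0.0.0/24,backup.example.internal
/var/www       (everyone)
"""

# Program numbers worth a second look (standard rpc(5) assignments)
INTERESTING_PROGRAMS = {100003: "nfs", 100005: "mountd", 100004: "ypserv",
                        100007: "ypbind", 100024: "status", 100021: "nlockmgr",
                        100011: "rquotad"}

RPCINFO_LINE = re.compile(r"\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)\s+(\S+)")

def parse_rpcinfo(text):
    """Return (program, version, proto, port, service) for each registered entry."""
    entries = []
    for line in text.splitlines():
        m = RPCINFO_LINE.match(line)
        if m:                       # the header line has no numeric program field
            prog, vers, proto, port, svc = m.groups()
            entries.append((int(prog), int(vers), proto, int(port), svc))
    return entries

def parse_showmount(text):
    """Return {export_path: [client, ...]} from `showmount -e` output."""
    exports = {}
    for line in text.splitlines():
        if not line.startswith("/"):
            continue                # skip the "Export list for ..." banner
        path, _, clients = line.partition(" ")
        exports[path] = [c.strip() for c in clients.split(",") if c.strip()]
    return exports

def world_mountable(exports):
    """Exports any host may mount: the client list is '*' or '(everyone)'."""
    return sorted(path for path, acl in exports.items()
                  if any(c in ("*", "(everyone)") for c in acl))

def triage(rpcinfo_text, showmount_text=None):
    """Summarise both outputs; exports are only examined when mountd is registered,
    because without it `showmount -e` cannot have succeeded."""
    services = set()
    for prog, *_ in parse_rpcinfo(rpcinfo_text):
        if prog in INTERESTING_PROGRAMS:
            services.add(INTERESTING_PROGRAMS[prog])
    report = {"rpc_services": sorted(services), "open_exports": []}
    if "mountd" in services and showmount_text:
        report["open_exports"] = world_mountable(parse_showmount(showmount_text))
    return report

def run_tool(args):
    """Run the real tool (assumed helper); '' if it is missing or the host does not answer."""
    try:
        return subprocess.run(args, capture_output=True, text=True, timeout=15).stdout
    except (OSError, subprocess.TimeoutExpired):
        return ""

if __name__ == "__main__":
    print(triage(SAMPLE_RPCINFO, SAMPLE_SHOWMOUNT))
    # live: triage(run_tool(["rpcinfo", "-p", host]), run_tool(["showmount", "-e", host]))
```

The only judgement the script encodes is the one a tester makes by hand: an export to * or "(everyone)" is mountable from anywhere, and the rpcinfo program table tells you which follow-up tools (showmount for mountd, ypcat for NIS) are worth running.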
49. Linux Enumeration Tool: Enum4linux
[Screenshot: enum4linux v0.8.2 (http://labs.portcullis.co.uk/application/enum4linux/) run as enum4linux.pl -r 192.168.2.55 with an empty user name and password and the RID range 500-550,1000-1050. It reports the workgroup name WORKGROUP, that the host is part of a workgroup rather than a domain, that the server allows a session with an empty user name and password, and then resolves the domain SID plus each RID to account names, among them W2KSQL\Administrator, W2KSQL\Guest, W2KSQL\None (Domain Group), W2KSQL\TsInternetUser, W2KSQL\IUSR_PORTCULLIS, W2KSQL\IWAM_PORTCULLIS, W2KSQL\mark, W2KSQL\blah and W2KSQL\basic.]
Linux Enumeration Tool: Enum4linux
Source: http://labs.portcullis.co.uk
Enum4linux is a tool that allows you to enumerate information from Samba as well as Windows systems. It drives the Samba client tools (rpcclient, smbclient, net, nmblookup) and, as the screenshot shows, works over a null session when the server allows one.
Features:
- RID cycling (when RestrictAnonymous is set to 1 on Windows 2000)
- User listing (when RestrictAnonymous is set to 0 on Windows 2000)
- Listing of group membership information
- Share enumeration
- Detecting whether the host is in a workgroup or a domain
- Identifying the remote operating system
- Password policy retrieval (using polenum)
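RID cycling is the feature that makes enum4linux useful against hosts that refuse to list users over a null session, so here is the technique on its own. The Python below is an added example, not enum4linux's own code: it expands an -r style RID range, builds the rpcclient lookupsids command that translates domain SID plus RID into an account name, and parses rpcclient's output. The sample output is constructed in the format rpcclient prints, reusing the domain SID and a few account names from the figure; the target address, the batching of 20 SIDs per call and the fake_runner stand-in for rpcclient are assumptions.

```python
"""RID cycling as enum4linux does it, reduced to its two moving parts.

Added example, not enum4linux's own code. A null session may be refused a
user list (RestrictAnonymous=1) while LSA lookups still work, so the
attacker appends sequential RIDs to the domain SID and asks rpcclient's
`lookupsids` to translate each one into a name. The sample output below is
constructed in rpcclient's format; the target host, batch size and the
fake_runner stand-in are assumptions.
"""
import re
import subprocess

# SID types returned by LsarLookupSids (SID_NAME_USE), with the labels
# enum4linux prints for them
SID_NAME_USE = {1: "Local User", 2: "Domain Group", 3: "Domain", 4: "Local Group",
                5: "Well-known group", 8: "Unknown"}

LOOKUPSIDS_LINE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)\s+(\S+)\s+\((\d+)\)\s*$")

def parse_rid_ranges(spec):
    """'500-550,1000-1050' -> [500, ..., 550, 1000, ..., 1050] (enum4linux -r syntax)."""
    rids = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        rids.extend(range(int(lo), int(hi or lo) + 1))
    return rids

def lookupsids_command(host, domain_sid, rids):
    """One rpcclient invocation over a null session that resolves a batch of RIDs."""
    sids = " ".join(f"{domain_sid}-{rid}" for rid in rids)
    return ["rpcclient", "-U", "", "-N", host, "-c", f"lookupsids {sids}"]

def parse_lookupsids(output):
    """rpcclient lookupsids lines -> (rid, name, type label) for every RID that resolved."""
    found = []
    for line in output.splitlines():
        m = LOOKUPSIDS_LINE.match(line.strip())
        if not m:
            continue
        _, rid, name, sid_type = m.groups()
        label = SID_NAME_USE.get(int(sid_type), "Unknown")
        if label == "Unknown":          # unassigned RID: "*unknown*\*unknown* (8)"
            continue
        found.append((int(rid), name, label))
    return found

def rid_cycle(host, domain_sid, rid_spec, runner=None, batch=20):
    """Resolve every RID in rid_spec. `runner` (assumed hook) lets captured output stand
    in for a live rpcclient; results are keyed by RID so repeats are not double-counted."""
    found = {}
    rids = parse_rid_ranges(rid_spec)
    for i in range(0, len(rids), batch):
        cmd = lookupsids_command(host, domain_sid, rids[i:i + batch])
        out = runner(cmd) if runner else subprocess.run(cmd, capture_output=True, text=True).stdout
        for rid, name, kind in parse_lookupsids(out):
            found.setdefault(rid, (rid, name, kind))
    return [found[r] for r in sorted(found)]

# Constructed rpcclient output (domain SID and names as in the module's figure)
SAMPLE_OUTPUT = """\
S-1-5-21-1801674531-1482476501-725345543-500 W2KSQL\\Administrator (1)
S-1-5-21-1801674531-1482476501-725345543-501 W2KSQL\\Guest (1)
S-1-5-21-1801674531-1482476501-725345543-502 *unknown*\\*unknown* (8)
S-1-5-21-1801674531-1482476501-725345543-513 W2KSQL\\None (2)
S-1-5-21-1801674531-1482476501-725345543-1004 W2KSQL\\mark (1)
"""

def fake_runner(cmd):
    """Stand-in for rpcclient that returns the constructed output for any batch."""
    return SAMPLE_OUTPUT

if __name__ == "__main__":
    for rid, name, kind in rid_cycle("192.168.2.55", "S-1-5-21-1801674531-1482476501-725345543",
                                     "500-550,1000-1050", runner=fake_runner):
        print(rid, name, f"({kind})")
```

The domain SID itself comes from the lookupnames step the screenshot shows ("Got SID ... using username '', password ''"); enum4linux asks for one SID per rpcclient call, the batching here just cuts the number of processes spawned.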
50. FIGURE 4.11: Enum4linux Tool Screenshot (the same enum4linux run against 192.168.2.55 shown on the previous slide)
51. Module Flow
To enable communication and manage data transfer between network resources, various protocols are employed. All of these protocols carry valuable information about the network resources along with the data being transferred. If an external user is able to enumerate that information by manipulating the protocols, he or she can break into the network and misuse its resources. LDAP is one such protocol; it is intended for accessing directory listings.
Module flow: Enumeration Concepts, NetBIOS Enumeration, SNMP Enumeration, UNIX/Linux Enumeration, LDAP Enumeration, NTP Enumeration, SMTP Enumeration, DNS Enumeration, Enumeration Countermeasures, Enumeration Pen Testing.
This section focuses on LDAP enumeration and LDAP enumeration tools.
52. LDAP Enumeration
Lightweight Directory Access Protocol (LDAP) is an Internet protocol for accessing distributed directory services. Directory services may provide any organized set of records, often in a hierarchical and logical structure, such as a corporate email directory. A client starts an LDAP session by connecting to a Directory System Agent (DSA) on TCP port 389 and sends an operation request to the DSA. Information is transmitted between the client and the server using Basic Encoding Rules (BER). An attacker queries the LDAP service to gather information such as valid user names, addresses, departmental details, etc. that can be further used to perform attacks.
LDAP Enumeration
The Lightweight Directory Access Protocol (LDAP) is used to access directory listings within Active Directory or other directory services. A directory is organized in a hierarchical, logical form, somewhat like the levels of management and employees in a company. LDAP is designed to work alongside the Domain Name System (DNS), which clients use to locate the directory servers, so that lookups and query resolution are fast. It usually runs on TCP port 389 (636 for LDAP over SSL/TLS). If the server permits anonymous binds, as many directories do for the whole tree and as Active Directory does at least for its rootDSE, you can query the LDAP service without credentials. The query will disclose sensitive information such as user names, addresses, departmental details, server names, etc., which an attacker can use to launch the attack. The first check a pen tester runs is therefore an anonymous bind followed by a subtree search; if that is refused, a single low-privileged domain account is usually enough to read the same data.
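To make concrete what "an operation request to the DSA" and "Basic Encoding Rules" mean on the wire, the Python below is an added example, not part of the module or of any LDAP library: it hand-encodes an anonymous BindRequest and a SearchRequest with BER, and decodes the BindResponse and SearchResultEntry messages a server sends back. The two server replies embedded in it are constructed (the DN and attributes echo the Softerra screenshot on a later slide); the host, base DN and attribute list in enumerate_users are assumptions. Using only the standard library keeps the exchange visible; in practice a tester reaches for ldapsearch or a library, but the bytes exchanged are the same.

```python
"""Anonymous LDAP bind and search, hand-encoded with BER.

Added example, not part of the module or of any LDAP library: it encodes the
BindRequest and SearchRequest a client sends to the DSA on TCP port 389 and
decodes the BindResponse and SearchResultEntry the server returns. The server
replies below are constructed; host, base DN and attributes are assumptions.
"""
import socket

# --- minimal BER encoder: just the types LDAP messages use ---------------------
def ber_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def ber(tag, content):                 # one TLV
    return bytes([tag]) + ber_len(len(content)) + content

def ber_int(value, tag=0x02):          # INTEGER (0x02) or ENUMERATED (0x0A), value >= 0
    return ber(tag, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big"))

def ber_str(s, tag=0x04):              # OCTET STRING, or a context-specific string tag
    return ber(tag, s.encode())

def ber_seq(*items, tag=0x30):         # SEQUENCE (0x30) or SET (0x31)
    return ber(tag, b"".join(items))

def ldap_message(msg_id, op):          # LDAPMessage ::= SEQUENCE { messageID, protocolOp }
    return ber_seq(ber_int(msg_id), op)

# --- client side -----------------------------------------------------------------
def bind_request(msg_id, dn="", password=""):
    """BindRequest [APPLICATION 0]: version 3, name, simple [0] password.
    Empty name and password is the anonymous bind the slide relies on."""
    return ldap_message(msg_id, ber(0x60, ber_int(3) + ber_str(dn) + ber_str(password, tag=0x80)))

def search_request(msg_id, base_dn, attr, value, attributes):
    """SearchRequest [APPLICATION 3]: wholeSubtree scope, no limits, filter (attr=value)
    as equalityMatch [3], and the attribute list to return."""
    filt = ber(0xA3, ber_str(attr) + ber_str(value))
    body = (ber_str(base_dn) + ber_int(2, tag=0x0A) + ber_int(0, tag=0x0A) + ber_int(0)
            + ber_int(0) + ber(0x01, b"\x00") + filt + ber_seq(*(ber_str(a) for a in attributes)))
    return ldap_message(msg_id, ber(0x63, body))

# --- server side: decoder and the two responses that matter ------------------------
def ber_decode(buf, pos=0):
    """(tag, content, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def ber_items(content):
    items, pos = [], 0
    while pos < len(content):
        tag, body, pos = ber_decode(content, pos)
        items.append((tag, body))
    return items

def parse_message(buf):
    """One LDAPMessage -> (messageID, protocolOp tag, protocolOp content)."""
    _, body, _ = ber_decode(buf)
    (_, mid), (op_tag, op_body) = ber_items(body)[:2]
    return int.from_bytes(mid, "big"), op_tag, op_body

def bind_result(buf):
    """resultCode of a BindResponse [APPLICATION 1]: 0 = success, anything else = refused."""
    _, op_tag, op_body = parse_message(buf)
    if op_tag != 0x61:
        raise ValueError("not a BindResponse")
    return int.from_bytes(ber_items(op_body)[0][1], "big")

def search_entry(buf):
    """(dn, {attribute: [values]}) from a SearchResultEntry [APPLICATION 4], else None."""
    _, op_tag, op_body = parse_message(buf)
    if op_tag != 0x64:                 # e.g. 0x65 SearchResultDone
        return None
    (_, dn), (_, attrs) = ber_items(op_body)[:2]
    result = {}
    for _, attr in ber_items(attrs):
        (_, atype), (_, vals) = ber_items(attr)
        result[atype.decode()] = [v.decode(errors="replace") for _, v in ber_items(vals)]
    return dn.decode(), result

# --- constructed replies: what a server that permits anonymous reads sends back ----
SAMPLE_BIND_RESPONSE = ldap_message(1, ber(0x61, ber_int(0, tag=0x0A) + ber_str("") + ber_str("")))
SAMPLE_SEARCH_ENTRY = ldap_message(2, ber(0x64,
    ber_str("CN=Franko Barucci,OU=HR Department,DC=example,DC=com") + ber_seq(
        ber_seq(ber_str("sAMAccountName"), ber_seq(ber_str("f.barucci"), tag=0x31)),
        ber_seq(ber_str("department"), ber_seq(ber_str("HR Department"), tag=0x31)),
        ber_seq(ber_str("memberOf"), ber_seq(ber_str("CN=HR Managers,DC=example,DC=com"), tag=0x31)))))

def enumerate_users(host, base_dn, port=389):
    """Live exchange (assumed host and base DN): anonymous bind, then one search for
    person objects; returns the entries the server was willing to hand out."""
    with socket.create_connection((host, port), timeout=10) as s:
        s.sendall(bind_request(1))
        if bind_result(s.recv(4096)) != 0:
            return []                          # anonymous bind refused
        s.sendall(search_request(2, base_dn, "objectClass", "person",
                                 ["sAMAccountName", "department", "memberOf"]))
        data, pos, entries = s.recv(1 << 16), 0, []
        while pos < len(data):                 # several messages can share one read
            _, _, nxt = ber_decode(data, pos)
            entry = search_entry(data[pos:nxt])
            if entry:
                entries.append(entry)
            pos = nxt
        return entries
```

The anonymous bind is fourteen bytes; what the server answers to the search that follows is the entire enumeration finding, which is why the countermeasure is a bind that is refused (or a search that returns only SearchResultDone) rather than anything at the transport layer.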
53. LDAP Enumeration Tool: Softerra LDAP Administrator
Source: http://www.ldapadministrator.com
Softerra LDAP Administrator is an LDAP administration tool that allows you to work with LDAP servers such as Active Directory, Novell Directory Services, Netscape/iPlanet, etc. It generates customizable directory reports with the information necessary for effective monitoring and audit.
Features:
- It provides directory search facilities, bulk update operations, group membership management facilities, etc.
- It supports LDAP-SQL, which allows you to manage LDAP entries using SQL-like syntax.
54. [Screenshot: Softerra LDAP Administrator 2011.1 connected to example.com:389. The left pane shows the HR Department OU with its user entries, the right pane the selected entry CN=Franko Barucci,OU=HR Department,DC=example,DC=com (Planning Manager, Paris, telephone +331 587 268 45, F.Barucci@Example.com). A second window lists the server's rootDSE attributes: defaultNamingContext DC=example,DC=com, dsServiceName CN=NTDS Settings,CN=SERVER1,..., dnsHostName server1.example.com, schemaNamingContext, configurationNamingContext, highestCommittedUSN, and the supportedLDAPPolicies values such as MaxPageSize and MaxQueryDuration.]
FIGURE 4.12: Softerra LDAP Administrator Tool Screenshot
55. LDAP Enumeration Tools
There are many LDAP enumeration tools that can be used to access the directory listings within Active Directory or other directory services. Using these tools, attackers can enumerate information such as valid user names, addresses, departmental details, etc. from different LDAP servers. A few LDAP enumeration tools are listed as follows:
- JXplorer, available at http://www.jxplorer.org
- LDAP Admin Tool, available at http://www.ldapsoft.com
- LDAP Account Manager, available at http://www.ldap-account-manager.org
- LEX - The LDAP Explorer, available at http://www.ldapexplorer.com
- LDAP Admin, available at http://www.ldapadmin.org
- Active Directory Explorer, available at http://technet.microsoft.com
- LDAP Administration Tool, available at http://sourceforge.net
- LDAP Search, available at http://securityxploded.com
- Active Directory Domain Services Management Pack, available at http://www.microsoft.com
- LDAP Browser/Editor, available at http://www.novell.com
56. Module Flow
Often, the NTP server is overlooked in terms of security. But if queried properly, it can also provide a lot of valuable network information to attackers. It is therefore necessary to test what information an attacker can enumerate about your network through NTP enumeration.
Module flow: Enumeration Concepts, NetBIOS Enumeration, SNMP Enumeration, UNIX/Linux Enumeration, LDAP Enumeration, NTP Enumeration, SMTP Enumeration, DNS Enumeration, Enumeration Countermeasures, Enumeration Pen Testing.
This section describes what NTP is, what information can be extracted through NTP enumeration, and the NTP enumeration commands.
57. NTP Enumeration
Network Time Protocol (NTP) is designed to synchronize the clocks of networked computers. It uses UDP port 123 as its primary means of communication. It can maintain time to within 10 milliseconds (1/100 second) over the public Internet and can achieve accuracies of 200 microseconds or better in local area networks under ideal conditions. An attacker queries the NTP server to gather valuable information such as: the list of hosts connected to the NTP server; the clients' IP addresses in a network, their system names and OSs; and internal IPs, which can also be obtained if the NTP server is in the DMZ.
NTP Enumeration
Before beginning with NTP enumeration, let's first discuss what NTP is. NTP is a network protocol designed to synchronize the clocks of networked computer systems. NTP is important when using directory services (Kerberos, and therefore Active Directory, rejects tickets whose timestamps are too far out of step). It uses UDP port 123 as its primary means of communication. NTP can maintain time to within 10 milliseconds (1/100 second) over the public Internet and can achieve accuracies of 200 microseconds or better in local area networks under ideal conditions. Through NTP enumeration, you can gather information such as the list of hosts connected to the NTP server, and the IP addresses, system names, and OSs of the client systems in a network. All of this comes from the server's control and monitoring interface (the mode 6 and mode 7 queries that ntpq and ntpdc send), not from its time service, so it is only available where the administrator has not restricted those queries (restrict ... noquery in ntp.conf). If the NTP server is in the DMZ, it may also be possible to obtain internal IPs from its client list.
58. NTP Enumeration Commands
ntptrace: traces a chain of NTP servers back to the primary source. ntptrace [-vdn] [-r retries] [-t timeout] [server]
ntpdc: monitors the operation of the NTP daemon, ntpd. /usr/bin/ntpdc [-n] [-v] host1 | IPaddress1 ... The ntpdc> monlist query lists, for each client the server has recently served, its remote address and port, the local address it was served from, the packet count, and the NTP mode and version it spoke.
ntpq: monitors NTP daemon ntpd operations and determines performance. ntpq [-inp] [-c command] [host] ... The ntpq> readlist query returns the server's system variables: version string, processor, operating system, leap indicator, stratum, precision, root delay and dispersion, reference ID, reference and clock times, system peer, offset, frequency and jitter values.
[Screenshot: the ntpdc command list and a monlist query, and an ntpq session running readlist against a local virtual machine.]
NTP Enumeration Commands
NTP enumeration can be performed using the command-line tools of the NTP suite, which query the NTP server for the desired information. The tools used are:
- ntptrace
- ntpdc
- ntpq
These commands help you extract data from the NTP service used in the target network.
ntptrace: This command helps you determine where the NTP server gets its time from, and traces the chain of NTP servers from a given host back to the primary source.
Syntax: ntptrace [-vdn] [-r retries] [-t timeout] [servername/IP_address]
Example:
# ntptrace
localhost: stratum 4, offset 0.0019529, synch distance 0.143235
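The monlist and readlist queries in the screenshot are the whole of NTP enumeration, so it is worth seeing what they carry. The Python below is an added example, not part of the module or of the ntp distribution: it builds the mode 7 MON_GETLIST_1 request that ntpdc -c monlist sends, decodes the reply into per-client records (remote address and port, local address, packet count, NTP mode and version), and parses the name=value text that ntpq -c readlist returns. The reply bytes and the readlist text embedded in it are constructed; the target host in monlist() is an assumption.

```python
"""What ntpdc's monlist and ntpq's readlist queries carry on the wire.

Added example, not part of the module or of the ntp distribution. It builds
the mode 7 MON_GETLIST_1 request that `ntpdc -c monlist` sends, decodes the
reply into the per-client records shown in the screenshot, and parses the
"name=value, ..." text that `ntpq -c readlist` returns. The reply bytes and
readlist text below are constructed; the target host is an assumption.
"""
import re
import socket
import struct

MON_GETLIST_1 = 42      # ntpdc request code for monlist
XNTPD_IMPL = 3          # implementation number ntpd answers for
ENTRY_SIZE = 72         # sizeof(struct info_monitor_1) in the reply

def monlist_request():
    """8-byte mode 7 request: byte0 = R:0 M:0 version:2 mode:7 (0x17), seq 0, impl 3, code 42."""
    return struct.pack("!BBBBHH", 0x17, 0x00, XNTPD_IMPL, MON_GETLIST_1, 0, 0)

def reply_error(data):
    """err field of a mode 7 reply header: 0 = ok, 4 = NO_DATA (monlist disabled or restricted)."""
    return struct.unpack("!H", data[4:6])[0] >> 12

def parse_monlist_reply(data):
    """Decode one mode 7 reply. Returns (entries, more); `more` is the M bit, set when
    the server will send further packets. Raises ValueError on a refusal, which is what
    `restrict default noquery` or `disable monitor` produce."""
    if len(data) < 8:
        raise ValueError("short packet")
    rmvm, _seq, impl, code, err_nitems, mbz_size = struct.unpack("!BBBBHH", data[:8])
    if rmvm & 0x07 != 7 or not rmvm & 0x80 or impl != XNTPD_IMPL or code != MON_GETLIST_1:
        raise ValueError("not a mode 7 monlist response")
    if reply_error(data):
        raise ValueError(f"server returned error {reply_error(data)}: monlist refused")
    nitems, size = err_nitems & 0x0FFF, mbz_size & 0x0FFF
    if size != ENTRY_SIZE:
        raise ValueError(f"unexpected item size {size}")
    entries = []
    for i in range(nitems):
        item = data[8 + i * ENTRY_SIZE: 8 + (i + 1) * ENTRY_SIZE]
        # struct info_monitor_1: avg_int, last_int, restr, count, addr, daddr, flags,
        # port, mode, version, v6_flag, unused1, addr6[16], daddr6[16]
        _avg, last, _restr, count, addr, daddr, _flags, port, mode, version, v6 = \
            struct.unpack("!IIIIIIIHBBI", item[:36])
        if v6:
            remote = socket.inet_ntop(socket.AF_INET6, item[40:56])
            local = socket.inet_ntop(socket.AF_INET6, item[56:72])
        else:
            remote = socket.inet_ntoa(struct.pack("!I", addr))
            local = socket.inet_ntoa(struct.pack("!I", daddr))
        entries.append({"remote": remote, "port": port, "local": local, "count": count,
                        "mode": mode, "version": version, "last_seen_s": last})
    return entries, bool(rmvm & 0x40)

def monlist(host, port=123, timeout=3.0):
    """Live query (assumed host): keep reading while the server sets the M bit."""
    clients, more = [], True
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(monlist_request(), (host, port))
        while more:
            entries, more = parse_monlist_reply(s.recv(1024))
            clients.extend(entries)
    return clients

READLIST_ITEM = re.compile(r'(\w+)=("[^"]*"|[^,]*)')

def parse_readlist(text):
    """ntpq readlist text -> dict; quoted values may themselves contain commas."""
    return {k: v.strip('"') for k, v in READLIST_ITEM.findall(text)}

# --- constructed samples --------------------------------------------------------
def build_sample_reply():
    """One monlist reply with two IPv4 clients, packed the way ntpd lays it out."""
    def entry(remote, local, count, mode, version, port=123):
        a = int.from_bytes(socket.inet_aton(remote), "big")
        d = int.from_bytes(socket.inet_aton(local), "big")
        return struct.pack("!IIIIIIIHBBI", 64, 12, 0, count, a, d, 0, port, mode, version, 0) + bytes(36)
    body = (entry("10.0.0.21", "203.0.113.7", 1523, 3, 4)
            + entry("10.0.0.40", "203.0.113.7", 88, 3, 3, port=50212))
    header = struct.pack("!BBBBHH", 0x97, 0x00, XNTPD_IMPL, MON_GETLIST_1, 2, ENTRY_SIZE)
    return header + body

SAMPLE_READLIST = ('version="ntpd 4.2.6p5 (constructed sample)", processor="x86_64", '
                   'system="Linux/3.16.0-4-amd64", leap=00, stratum=3, precision=-22, '
                   'rootdelay=14.1, refid=203.0.113.1, clk_jitter=0.672')

if __name__ == "__main__":
    print(parse_monlist_reply(build_sample_reply()))
    print(parse_readlist(SAMPLE_READLIST))
```

Two things the decoder makes visible that the screenshot does not: the remote addresses in a monlist reply are the NTP server's own clients, which is why a DMZ server leaks internal IPs, and a server that has been restricted answers the same 8-byte probe with err=4 instead of a client list, so the probe doubles as the check for the countermeasure.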
