Ce hv8 module 04 enumeration
Ethical Hacking and Countermeasures v8
Exam 312-50 Certified Ethical Hacker
Module 04: Enumeration
Engineered by Hackers. Presented by Professionals.
Module 04 Page 435
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Security News
Hackers Attack US Weather Service
Source: http://www.theaustralian.com.au
The US National Weather Service computer network was hacked with a group from Kosovo
claiming credit and posting sensitive data, security experts said recently.
Data released by the Kosovo Hackers Security group includes directory structures, sensitive
files from the web server, and other data that could enable later access, according to
Chrysostomos Daniel of the security firm Acunetix.
"The hacker group stated that the attack is a protest against the US policies that target Muslim
countries," Daniel said.
Moreover, the attack was a payback for hacker attacks against nuclear plants in Muslim
countries, according to a member of the hacking group who said, "They hack our nuclear plants
using STUXNET and FLAME-like malwares, they are bombing us 24-7, we can't sit silent - hack
to payback them."
Paul Roberts, writing on the Sophos Naked Security blog, said the leaked information includes a
list of administrative account names, which could open the hacked servers to subsequent
"brute force attacks."
"Little is known about the group claiming responsibility for the attack," he said.
"However, they allege that the weather.gov hack was just one of many US government hacks
the group had carried out and that more releases are pending."
© 2011 CBS Interactive. All rights reserved.
http://www.theaustralian.com.au/australian-it/hackers-attack-us-weather-service/storye6frgakx-1226499796122
Module Objectives

In the previous modules, you learned about footprinting and scanning networks. The next phase of penetration testing is enumeration. As a pen tester, you should know the purpose of performing enumeration, the techniques used to perform enumeration, where you should apply enumeration, what information you get, enumeration tools, and the countermeasures that can make network security stronger. All these things are covered in this module. This module will familiarize you with the following:

- What Is Enumeration?
- Techniques for Enumeration
- Services and Ports to Enumerate
- NetBIOS Enumeration
- Enumerate Systems Using Default Passwords
- SNMP Enumeration
- UNIX/Linux Enumeration
- LDAP Enumeration
- NTP Enumeration
- SMTP Enumeration
- DNS Enumeration
- Enumeration Countermeasures
- Enumeration Pen Testing
Module Flow
To help you understand the concept of enumeration, we have divided the module into various
sections. Each section deals with different services and ports to enumerate. Before beginning
with the actual enumeration process, we will first discuss enumeration concepts.
- Enumeration Concepts
- NetBIOS Enumeration
- SNMP Enumeration
- Unix/Linux Enumeration
- LDAP Enumeration
- NTP Enumeration
- SMTP Enumeration
- DNS Enumeration
- Enumeration Countermeasures
- Enumeration Pen Testing
This section briefs you about what enumeration is, enumeration techniques, and services and
ports to enumerate.
What Is Enumeration?

- In the enumeration phase, the attacker creates active connections to the system and performs directed queries to gain more information about the target.
- Attackers use the extracted information to identify system attack points and perform password attacks to gain unauthorized access to information system resources.
- Enumeration techniques are conducted in an intranet environment.
Enumeration is defined as the process of extracting user names, machine names,
network resources, shares, and services from a system. In the enumeration phase, the attacker
creates active connections to the system and performs directed queries to gain more
information about the target. The attacker uses the gathered information to identify the
vulnerabilities or weak points in system security and then tries to exploit them. Enumeration
techniques are conducted in an intranet environment. It involves making active connections to
the target system. It is possible that the attacker stumbles upon a remote IPC share, such as
IPC$ in Windows, that can be probed with a null session allowing shares and accounts to be
enumerated.
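The null-session probing of IPC$ mentioned above leaves a trace on the host being probed: an anonymous account opening the IPC$ share. The following is an added example, not part of the module, of detection logic a defender might run over share-access audit events. The sample events are constructed and rendered in a simplified key=value layout (not a real Windows export format); the event ID 5140 ("A network share object was accessed"), the ANONYMOUS LOGON account and the IPC$ share name follow Windows conventions.

```python
import re
from collections import Counter

# Constructed sample: one event per line as key=value pairs (hypothetical,
# simplified export layout). 5140 = "A network share object was accessed",
# 4624 = "An account was successfully logged on". Addresses are made up.
SAMPLE_EVENTS = r"""
EventID=5140 Account=ANONYMOUS LOGON Domain=NT AUTHORITY Source=10.0.0.99 Share=\\*\IPC$
EventID=5140 Account=ANONYMOUS LOGON Domain=NT AUTHORITY Source=10.0.0.99 Share=\\*\IPC$
EventID=5140 Account=ANONYMOUS LOGON Domain=NT AUTHORITY Source=10.0.0.99 Share=\\*\IPC$
EventID=5140 Account=jsmith Domain=CORP Source=10.0.0.15 Share=\\*\IPC$
EventID=5140 Account=jsmith Domain=CORP Source=10.0.0.15 Share=\\*\Finance
EventID=4624 Account=ANONYMOUS LOGON Domain=NT AUTHORITY Source=10.0.0.99 Share=-
EventID=5140 Account=ANONYMOUS LOGON Domain=NT AUTHORITY Source=10.0.0.42 Share=\\*\IPC$
"""

# Values may contain spaces ("ANONYMOUS LOGON"), so a value runs up to the
# next " key=" token or the end of the line.
FIELD = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line):
    """Turn one key=value line into a dict."""
    return {key: value for key, value in FIELD.findall(line)}


def is_null_session_share_access(event):
    """A null session shows up as ANONYMOUS LOGON opening the IPC$ share."""
    return (event.get("EventID") == "5140"
            and event.get("Account", "").upper() == "ANONYMOUS LOGON"
            and event.get("Share", "").upper().endswith("IPC$"))


def count_null_session_probes(log_text):
    """Number of anonymous IPC$ accesses per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        if is_null_session_share_access(event):
            counts[event["Source"]] += 1
    return dict(counts)


def null_session_alerts(log_text, threshold=3):
    """Sources that opened IPC$ anonymously at least `threshold` times, busiest first.
    A single anonymous IPC$ open can be benign (some legacy services do it);
    a burst from one source is the pattern worth an alert."""
    counts = count_null_session_probes(log_text)
    ordered = sorted(counts.items(), key=lambda item: -item[1])
    return [source for source, n in ordered if n >= threshold]


if __name__ == "__main__":
    print("anonymous IPC$ opens per source:", count_null_session_probes(SAMPLE_EVENTS))
    print("alerts:", null_session_alerts(SAMPLE_EVENTS))
```

The threshold is a tuning knob: a single anonymous IPC$ open is not unusual on a busy file server, so the alert fires on repeated opens from the same source, which is what an enumeration tool produces.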
The previous modules highlighted how the attacker gathers necessary information about the
target without really getting on the wrong side of the legal barrier. The type of information
enumerated by attackers can be loosely grouped into the following categories:
Information Enumerated by Intruders:

- Network resources and shares
- Users and groups
- Routing tables
- Auditing and service settings
- Machine names
- Applications and banners
- SNMP and DNS details
Techniques for Enumeration
In the enumeration process, an attacker collects data such as network users and
group names, routing tables, and Simple Network Management Protocol (SNMP) information.
This module explores possible ways an attacker might enumerate a target network, and what
countermeasures can be taken.
The following are the different enumeration techniques that can be used by attackers:
Extract user names using email IDs

In general, every email ID contains two parts; one is the user name and the other is the domain name. The structure of an email address is username@domainname. Consider abc@gmail.com; in this email ID "abc" (the characters preceding the @ symbol) is the user name and "gmail.com" (the characters following the @ symbol) is the domain name.
Extract information using the default passwords

Many online resources provide lists of default passwords assigned by the manufacturer for their products. Often users forget to change the default passwords provided by the manufacturer or developer of the product. If users don't change their passwords for a long time, then attackers can easily enumerate their data.
Brute force Active Directory
Microsoft Active Directory is susceptible to a user name enumeration weakness at the
time of user-supplied input verification. This is the consequence of design error in the
application. If the "logon hours" feature is enabled, then attempts to the service authentication
result in varying error messages. Attackers take this advantage and exploit the weakness to
enumerate valid user names. If an attacker succeeds in revealing valid user names, then he or
she can conduct a brute-force attack to reveal respective passwords.
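The "logon hours" weakness described above is a general pattern: a logon service that answers differently for an unknown user, a known user outside the permitted hours, and a known user with a wrong password turns its error messages into a user-name oracle. The following added example (not from the module, and not Microsoft's code) shows a vulnerable logon routine next to a hardened one that returns a single generic failure and does the same amount of work on every path. The account store, user names and passwords are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class Account:
    salt: bytes
    password_hash: bytes
    logon_hours_allowed: bool  # models the "logon hours" restriction


ITERATIONS = 20_000  # kept low for the demo; use a much higher count in production


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_account(password, logon_hours_allowed=True):
    salt = os.urandom(16)
    return Account(salt, hash_password(password, salt), logon_hours_allowed)


# Constructed user store (hypothetical accounts and passwords).
STORE = {
    "alice": make_account("correct horse battery staple"),
    "bob": make_account("bob-secret", logon_hours_allowed=False),  # outside logon hours
}

# Salt/hash used for non-existent users so the hardened path does the same work.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password("unused", _DUMMY_SALT)

GENERIC_FAILURE = "The user name or password is incorrect, or the account cannot log on now."


def login_vulnerable(username, password):
    """Each failure reason gets its own message, so the caller learns which names exist."""
    acct = STORE.get(username)
    if acct is None:
        return "Unknown user name"              # confirms the account does not exist
    if not acct.logon_hours_allowed:
        return "Account has time restrictions"  # confirms a valid name before any password check
    if not hmac.compare_digest(hash_password(password, acct.salt), acct.password_hash):
        return "Bad password"                   # confirms a valid name
    return "OK"


def login_hardened(username, password):
    """One failure message for every reason, and the password hash is always computed
    so timing does not separate unknown users from known ones."""
    acct = STORE.get(username)
    salt = acct.salt if acct else _DUMMY_SALT
    expected = acct.password_hash if acct else _DUMMY_HASH
    password_ok = hmac.compare_digest(hash_password(password, salt), expected)
    if acct is None or not password_ok or not acct.logon_hours_allowed:
        return GENERIC_FAILURE
    return "OK"


def failure_messages(login, usernames, password="not-the-password"):
    """Distinct responses an outside caller can observe when guessing with a wrong password."""
    return {login(name, password) for name in usernames}


if __name__ == "__main__":
    names = ["alice", "bob", "carol"]
    print("vulnerable:", failure_messages(login_vulnerable, names))
    print("hardened:  ", failure_messages(login_hardened, names))
```

Against the vulnerable routine, three names produce three different answers, so each answer classifies the name; against the hardened one they are indistinguishable, and the only way to confirm a name is to know its password.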
Extract user names using SNMP

Attackers can easily guess the community "strings" used by the SNMP service and, through this SNMP API, extract the required user names.
Extract user groups from Windows

These techniques extract the user accounts from specified groups, store the results, and also verify whether the session accounts are in the group or not.
Extract information using DNS Zone Transfer

DNS zone transfer reveals a lot of valuable information about the particular zone you request. When a DNS zone transfer request is sent to the DNS server, the server transfers the DNS records that make up that zone. An attacker can get valuable topological information about a target's internal network using DNS zone transfer.
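To make concrete what "topological information" a zone transfer hands over, here is an added example (not part of the module) that parses zone data in the "name ttl class type rdata" layout an AXFR returns and builds the inventory a defender should assume an outsider can build: hosts, name servers, mail servers, TXT hints, and the records that point public names at private (RFC 1918) addresses. The zone, host names and addresses are constructed; example.test and the 203.0.113.0/24 documentation range are used so nothing real is named.

```python
import ipaddress
from collections import defaultdict

# Constructed zone data as a zone transfer returns it (name ttl class type rdata).
# The zone is hypothetical; 203.0.113.0/24 is a documentation range, 10.10.5.0/24
# stands in for an internal network that should never appear in a public zone.
SAMPLE_ZONE = """\
example.test.           3600 IN SOA  ns1.example.test. hostmaster.example.test. 2012102001 7200 900 1209600 3600
example.test.           3600 IN NS   ns1.example.test.
example.test.           3600 IN NS   ns2.example.test.
example.test.           3600 IN MX   10 mail.example.test.
ns1.example.test.       3600 IN A    203.0.113.10
ns2.example.test.       3600 IN A    203.0.113.11
mail.example.test.      3600 IN A    203.0.113.25
www.example.test.       3600 IN A    203.0.113.80
vpn.example.test.       3600 IN A    203.0.113.44
vpn.example.test.       3600 IN TXT  "Cisco ASA 9.1"
intranet.example.test.  3600 IN A    10.10.5.20
db01.example.test.      3600 IN A    10.10.5.31
example.test.           3600 IN SOA  ns1.example.test. hostmaster.example.test. 2012102001 7200 900 1209600 3600
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_zone(text):
    """Split each record line into (name, ttl, type, rdata). The class is always IN here;
    rdata keeps its internal spaces (SOA, MX, quoted TXT)."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue
        name, ttl, _cls, rtype, rdata = line.split(None, 4)
        records.append((name, int(ttl), rtype.upper(), rdata))
    return records


def inventory(records):
    """What the transfer discloses: every host, the name and mail servers, and TXT hints."""
    by_type = defaultdict(list)
    for name, _ttl, rtype, rdata in records:
        by_type[rtype].append((name, rdata))
    return {
        "hosts": sorted({name for name, _ in by_type["A"]}),
        "name_servers": sorted(rdata for _, rdata in by_type["NS"]),
        "mail_servers": sorted(rdata.split()[1] for _, rdata in by_type["MX"]),  # MX rdata: "pref host"
        "txt_hints": [(name, rdata.strip('"')) for name, rdata in by_type["TXT"]],
    }


def is_rfc1918(address):
    ip = ipaddress.ip_address(address)
    return ip.version == 4 and any(ip in net for net in RFC1918)


def internal_address_leaks(records):
    """A records that map a public name to private address space reveal internal topology."""
    return [(name, rdata) for name, _ttl, rtype, rdata in records
            if rtype == "A" and is_rfc1918(rdata)]


if __name__ == "__main__":
    recs = parse_zone(SAMPLE_ZONE)
    for key, value in inventory(recs).items():
        print(f"{key}: {value}")
    print("internal addresses exposed:", internal_address_leaks(recs))
```

The inventory is the attacker's view; the leak check is the defender's: run it over your own zones, and restrict zone transfers to secondary servers so the full listing is not available to arbitrary clients in the first place.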
Services and Ports to Enumerate

Port          Service
TCP 53        DNS zone transfer
TCP 135       Microsoft RPC Endpoint Mapper
TCP 137       NetBIOS Name Service (NBNS)
TCP 139       NetBIOS Session Service (SMB over NetBIOS)
TCP 445       SMB over TCP (Direct Host)
UDP 161       Simple Network Management Protocol (SNMP)
TCP/UDP 389   Lightweight Directory Access Protocol (LDAP)
TCP/UDP 3368  Global Catalog Service
TCP 25        Simple Mail Transfer Protocol (SMTP)
TCP 53: DNS zone transfer
DNS zone transfer relies on TCP 53 port rather than UDP 53. If TCP 53 is in use then it
means that DNS zone transfer is in process. The TCP protocol helps to maintain a
consistent DNS database between DNS servers. This communication occurs only between DNS
servers. DNS servers always use TCP protocol for the zone transfer. The connection established
between DNS servers transfers the zone data and also helps both source and destination DNS
servers to ensure the data consistency by means of TCP ACK bit.
TCP 135: Microsoft RPC Endpoint Mapper
The RPC port 135 is used in client/server applications to exploit message services. To
stop the popup you will need to filter port 135 at the firewall level. W hen trying to connect to a
service, you go through this mapper to discover where it is located.
TCP 137: NetBIOS Name Service (NBNS)

NBNS, also known as Windows Internet Name Service (WINS), provides name resolution service for computers running NetBIOS. NetBIOS Name Servers maintain a database of the NetBIOS names for hosts and the corresponding IP address the host is using. The job of NBNS is to match IP addresses with NetBIOS names and queries. The name service is usually the first service that will be attacked.
TCP 139: NetBIOS Session Service (SMB over NetBIOS)

NetBIOS session service is used to set up and tear down sessions between NetBIOS-capable computers.
Sessions are established by exchanging packets. The computer establishing the session
attempts to make a TCP connection to port 139 on the computer with which the session is to be
established. If the connection is made, the computer establishing the session then sends over
the connection a "Session Request" packet with the NetBIOS names of the application
establishing the session and the NetBIOS name to which the session is to be established. The
computer with which the session is to be established will respond with a "Positive Session
Response," indicating that a session can be established or a "Negative Session Response,"
indicating that no session can be established.
TCP 445: SMB over TCP (Direct Host)

By using TCP port 445 you can directly access the TCP/IP MS Networking without the help of a NetBIOS layer. You can only get this service in recent versions of Windows, such as Windows 2K/XP. File sharing in Windows 2K/XP can be done only by using the Server Message Block (SMB) protocol. You can also run SMB directly over TCP/IP in Windows 2K/XP without using the help of the extra layer of NetBT. They use TCP port 445 for this purpose.
UDP 161: Simple Network Management Protocol (SNMP)

You can use the SNMP protocol for various devices and applications (including firewalls and routers) to communicate logging and management information with remote monitoring applications. SNMP agents listen on UDP port 161; asynchronous traps are received on port 162.
TCP/UDP 389: Lightweight Directory Access Protocol (LDAP)

You can use the LDAP (Lightweight Directory Access Protocol) Internet protocol, used by MS Active Directory as well as some email programs, to look up contact information from a server. Both Microsoft Exchange and NetMeeting install an LDAP server on this port.
TCP/UDP 3368: Global Catalog Service

You can use TCP port 3368, which uses one of the main protocols in TCP/IP, a connection-oriented protocol; it requires a three-way handshake to set up end-to-end communications. Only then is a connection set up, and user data can be sent bidirectionally over the connection. TCP guarantees delivery of data packets on port 3368 in the same order in which they were sent.

You can use UDP port 3368 for non-guaranteed communication. It provides an unreliable service, and datagrams may arrive duplicated, out of order, or missing without notice; error checking and correction is not necessary or performed in the application, avoiding the overhead of such processing at the network interface level.

UDP (User Datagram Protocol) is a minimal message-oriented Transport Layer protocol. Examples that often use UDP include voice over IP (VoIP), streaming media, and real-time multiplayer games.
TCP 25: Simple Mail Transfer Protocol (SMTP)

SMTP allows moving email across the Internet and across your local network. It runs on the connection-oriented service provided by Transmission Control Protocol (TCP), and it uses well-known port number 25. Telnet to port 25 on a remote host; this technique is sometimes used to test a remote system's SMTP server, but here you can use this command-line technique to illustrate how mail is delivered between systems.
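The exchange you would type after connecting to port 25, shown with both sides' messages, as an added example that is not part of the module: the server side below is a small in-process SMTP state machine written for illustration (not a real MTA), and the host and mailbox names are constructed. It shows why the dialogue works over a plain TCP connection: each client command is one text line and each server reply starts with a three-digit result code, with the message body collected after DATA until a line containing a single dot.

```python
import re

_ADDR = re.compile(r"<([^>]*)>")


class SmtpSession:
    """Server side of a minimal SMTP dialogue (constructed for illustration).
    handle() takes one client line and returns the reply, or "" while the message
    body is being collected (the server stays silent until the terminating dot)."""

    def __init__(self, hostname="mail.example.test"):
        self.hostname = hostname
        self.greeted = False
        self.sender = None
        self.recipients = []
        self.in_data = False
        self.body = []
        self.delivered = []  # (sender, recipients, body) for every accepted message

    def greeting(self):
        return f"220 {self.hostname} ESMTP ready"

    def handle(self, line):
        if self.in_data:
            if line == ".":
                self.in_data = False
                self.delivered.append((self.sender, list(self.recipients), "\n".join(self.body)))
                self.sender, self.recipients, self.body = None, [], []
                return "250 OK: queued"
            self.body.append(line[1:] if line.startswith("..") else line)  # dot-unstuffing
            return ""
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.greeted = True
            return f"250 {self.hostname} Hello {arg}"
        if verb == "MAIL":
            if not self.greeted:
                return "503 Error: send HELO/EHLO first"
            match = _ADDR.search(arg)
            if not match:
                return "501 Syntax: MAIL FROM:<address>"
            self.sender = match.group(1)
            return "250 OK"
        if verb == "RCPT":
            if self.sender is None:
                return "503 Error: need MAIL command"
            match = _ADDR.search(arg)
            if not match:
                return "501 Syntax: RCPT TO:<address>"
            self.recipients.append(match.group(1))
            return "250 OK"
        if verb == "DATA":
            if not self.recipients:
                return "503 Error: need RCPT command"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return f"221 {self.hostname} closing connection"
        return "502 Error: command not implemented"


def run_exchange(commands, session):
    """Feed client lines to the session; return the dialogue as (side, text) pairs."""
    transcript = [("S", session.greeting())]
    for line in commands:
        transcript.append(("C", line))
        reply = session.handle(line)
        if reply:
            transcript.append(("S", reply))
    return transcript


# Constructed client script: the lines one would type after "telnet host 25".
DEMO_COMMANDS = [
    "HELO client.example.test",
    "MAIL FROM:<alice@example.test>",
    "RCPT TO:<bob@example.test>",
    "DATA",
    "Subject: test",
    "",
    "Hello from the command line.",
    ".",
    "QUIT",
]


def demo():
    session = SmtpSession()
    transcript = run_exchange(DEMO_COMMANDS, session)
    return session, transcript


if __name__ == "__main__":
    _, transcript = demo()
    for side, text in transcript:
        print(f"{side}: {text}")
```

The 503 replies are the ordering rules of the protocol (HELO before MAIL, MAIL before RCPT, RCPT before DATA); a real server enforces the same sequence, which is why a hand-typed session must follow it.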
information through enumeration; now it's time to put them into practice. If you are trying to
enumerate information of a target network, then NetBIOS is the first place from where you
should try to extract as much information as possible.
This section describes NetBIOS enumeration and the information you can extract through
enumeration, as well as NetBIOS enumeration tools.
NetBIOS Enumeration

The first step in enumerating a Windows machine is to take advantage of the NetBIOS API. NetBIOS stands for Network Basic Input Output System. IBM, in association with Sytek, developed NetBIOS. It was developed as an Application Programming Interface (API), originally to facilitate the access of LAN resources by the client's software. The NetBIOS name is a unique 16 ASCII character string used to identify the network devices over TCP/IP; 15 characters are used for the device name and the 16th character is reserved for the service or name record type.

Attackers use the NetBIOS enumeration to obtain:

- List of computers that belong to a domain and shares of the individual hosts on the network
- Policies and passwords
If an attacker finds a Windows OS with port 139 open, he or she would be interested in checking what resources he or she can access, or view, on the remote system. However, to enumerate the NetBIOS names, the remote system must have enabled file and printer sharing. Using these techniques, the attacker can launch two types of attacks on a remote computer that has NetBIOS. The attacker can choose to read/write to a remote computer system, depending on the availability of shares, or launch a denial-of-service.
NetBIOS Name List

Name          NetBIOS Code  Type    Information Obtained
<host name>   <00>          UNIQUE  Hostname
<domain>      <00>          GROUP   Domain name
<host name>   <03>          UNIQUE  Messenger service running for that computer
<username>    <03>          UNIQUE  Messenger service running for that individual logged-in user
<host name>   <20>          UNIQUE  Server service running
<domain>      <1D>          GROUP   Master browser name for the subnet
<domain>      <1B>          UNIQUE  Domain master browser name, identifies the PDC for that domain

Note: NetBIOS name resolution is not supported by Microsoft for Internet Protocol Version 6 (IPv6).
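The name list above is what a defender reads off an nbtstat-style table, so here is an added example (not part of the module, and not Microsoft's nbtstat code) that does that reading in code: it applies the 15-character name plus one suffix byte rule from the text, encodes and decodes names the way they travel on the wire (RFC 1001 first-level encoding, each byte written as two letters), parses a name table and maps each suffix/type pair to the meaning in the module's table. The sample table is constructed; the host name WIN-MSSELCK4K41 is the one visible in the module's screenshots, and the MAC address is a placeholder. The <1C> GROUP entry is not in the module's table and is labelled from its well-known meaning.

```python
import re

# Suffix table from the module's NetBIOS name list, keyed by (suffix byte, type).
SUFFIX_MEANING = {
    (0x00, "UNIQUE"): "Hostname",
    (0x00, "GROUP"): "Domain name",
    (0x03, "UNIQUE"): "Messenger service running for that computer or logged-in user",
    (0x20, "UNIQUE"): "Server service running",
    (0x1D, "GROUP"): "Master browser name for the subnet",
    (0x1B, "UNIQUE"): "Domain master browser name (identifies the PDC)",
    # Not in the module's table; well-known suffix that appears in the nbtstat screenshot.
    (0x1C, "GROUP"): "Domain controllers group",
}

# Constructed nbtstat -a style output (placeholder MAC address).
SAMPLE_NBTSTAT = r"""
       NetBIOS Remote Machine Name Table

   Name               Type         Status
---------------------------------------------
WIN-MSSELCK4K41 <00>  UNIQUE      Registered
WORKGROUP       <00>  GROUP       Registered
WORKGROUP       <1C>  GROUP       Registered
WIN-MSSELCK4K41 <20>  UNIQUE      Registered
WORKGROUP       <1B>  UNIQUE      Registered

MAC Address = 00-00-00-00-00-00
"""

NAME_LINE = re.compile(r"^\s*(\S+)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\w+)", re.I)


def encode_netbios_name(name, suffix):
    """RFC 1001 first-level encoding: the name is upper-cased and space-padded to 15
    bytes, the suffix byte is appended, and each nibble becomes a letter 'A'..'P'."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return "".join(chr(65 + (b >> 4)) + chr(65 + (b & 0x0F)) for b in raw)


def decode_netbios_name(encoded):
    """Inverse of encode_netbios_name: returns (name without padding, suffix byte)."""
    if len(encoded) != 32 or any(c < "A" or c > "P" for c in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((ord(encoded[i]) - 65) << 4) | (ord(encoded[i + 1]) - 65)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15]


def parse_name_table(text):
    """Pull (name, suffix, type, status) rows out of an nbtstat-style table and
    annotate each with the meaning from the module's name list."""
    records = []
    for line in text.splitlines():
        match = NAME_LINE.match(line)
        if not match:
            continue
        suffix = int(match.group(2), 16)
        ntype = match.group(3).upper()
        records.append({
            "name": match.group(1), "suffix": suffix, "type": ntype,
            "status": match.group(4),
            "meaning": SUFFIX_MEANING.get((suffix, ntype), "unknown suffix"),
        })
    return records


def summarize(records):
    """What the table tells an observer about the host, derived from the suffixes."""
    summary = {"hostname": None, "domain": None, "file_sharing": False,
               "domain_master_browser": False, "domain_controller": False}
    for rec in records:
        key = (rec["suffix"], rec["type"])
        if key == (0x00, "UNIQUE"):
            summary["hostname"] = rec["name"]
        elif key == (0x00, "GROUP"):
            summary["domain"] = rec["name"]
        elif key == (0x20, "UNIQUE"):
            summary["file_sharing"] = True
        elif key == (0x1B, "UNIQUE"):
            summary["domain_master_browser"] = True
        elif key == (0x1C, "GROUP"):
            summary["domain_controller"] = True
    return summary


if __name__ == "__main__":
    table = parse_name_table(SAMPLE_NBTSTAT)
    for rec in table:
        print(f"{rec['name']:<16} <{rec['suffix']:02X}> {rec['type']:<7} {rec['meaning']}")
    print(summarize(table))
    print(encode_netbios_name("WORKGROUP", 0x00))
```

The summary is the defender's checklist: a <20> entry means the Server service is advertising file sharing, and a <1B>/<1C> entry means the host is a domain controller or domain master browser, which is the kind of host whose port 139/445 exposure deserves the strictest filtering.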
NetBIOS Enumeration (Cont'd)

Source: http://technet.microsoft.com
Nbtstat displays NetBIOS over TCP/IP (NetBT) protocol statistics, NetBIOS name tables for both
the local computer and remote computers, and the NetBIOS name cache. Nbtstat allows a
refresh of the NetBIOS name cache and the names registered with Windows Internet Name
Service (WINS). Used without parameters, Nbtstat displays help.
Run the nbtstat command "nbtstat.exe -a <NetBIOS name of remote machine>" to get the NetBIOS name table of a remote computer.
FIGURE 4.1: Enumeration Screenshot (output of "nbtstat.exe -a" on 192.168.168.170: the NetBIOS Remote Machine Name Table listing names with types <00>, <1C>, <20> and <1B>, each UNIQUE or GROUP and with status Registered, followed by the MAC address)
Run the nbtstat command "nbtstat.exe -c" to display the contents of the NetBIOS name cache, the table of NetBIOS names, and their resolved IP addresses.
FIGURE 4.2: Enumeration Screenshot (output of "nbtstat.exe -c" on 192.168.168.170: the NetBIOS Remote Cache Name Table with two <20> UNIQUE entries, their host addresses 192.168.168.170 and 192.168.168.1, and the remaining cache lifetime in seconds)
NetBIOS Enumeration Tool: SuperScan

Source: http://www.mcafee.com

SuperScan is a connect-based TCP port scanner, pinger, and hostname resolver. It performs ping sweeps and scans any IP range with multithreading and asynchronous techniques. You can restore some functionality by running the following at the Windows command prompt before starting SuperScan:

Features:

- Support for unlimited IP ranges
- Host detection using multiple ICMP methods
- TCP SYN, UDP, and source port scanning
- Hostname resolving
- IP and port scan order randomization
- Extensive Windows host enumeration capability
- Extensive banner grabbing
- Source port scanning
- Simple HTML report generation
FIGURE 4.3: SuperScan Screenshot (SuperScan 4.0, Windows Enumeration tab run against 10.0.0.2; enumeration types: NetBIOS Name Table, NULL Session, MAC Addresses, Workstation type, Users, Groups, RPC Endpoint Dump, Account Policies, Shares, Domains, Remote Time of Day, Logon Sessions, Drives, Trusted Domains, Services, Registry; the output shows 3 names in the NetBIOS table (WORKGROUP <00> GROUP, WIN-MSSELCK4K41 <00> UNIQUE, WIN-MSSELCK4K41 <20> UNIQUE), the MAC address, and 4 users including the built-in Administrator and Guest accounts with last logon, password age, lockout, disabled, logon count and bad password count details)
NetBIOS Enumeration Tool: Hyena

Source: http://www.systemtools.com

Hyena is a GUI product for managing and securing any Windows operating system such as
Windows NT, Windows 2000, Windows XP/Vista, Windows 7, or Windows Server 2003/2008
installation. It uses an Explorer-style interface for all operations and to manage users, groups
(both local and global), shares, domains, computers, services, devices, events, files, printers and
print jobs, sessions, open files, disk space, user rights, messaging, exporting, job scheduling,
processes, and printing. It shows shares and user logon names for Windows servers and
domain controllers.
It displays a graphical representation of the web client network, Microsoft terminal services,
and Windows network.
FIGURE 4.4: Hyena Screenshot
NetBIOS Enumeration Tool: WinFingerprint
Source: http://www.winfingerprint.com
WinFingerprint is an administrative network resource scanner that allows you to scan machines on your LAN and returns various details about each host. This includes NetBIOS shares, disk information, services, users, groups, and more. You can choose to perform a passive scan or interactively explore network shares, map network drives, browse HTTP/FTP sites, and more. Scans can be run on a single host or the entire network neighborhood.
[Winfingerprint 0.6.2 screenshots: scan options (Win32 OS version, null IPC$ sessions, NetBIOS shares, MAC address, date and time, patch level, users, services, disks, sessions, groups, event log, RPC bindings, ping and traceroute, SNMP community string "public"); output of a single-host scan of 10.0.0.3 (WINDOWS8, WORKGROUP, one MAC address, scan completed in 0.27 seconds) and of an IP range scan of 192.168.168.1 to 192.168.168.4 listing the ncacn_ip_tcp RPC endpoints on 192.168.168.1]
FIGURE 4.5: Winfingerprint Screenshots
NetBIOS Enumeration Tool: NetBIOS Enumerator
Source: http://nbtenum.sourceforge.net
This application is recommended when you want to determine how to use remote network support and how to deal with some other interesting web techniques, such as SMB.
[NetBIOS Enumerator screenshots: IP range 10.0.0.1 to 10.0.0.50 scanned from local IP 10.0.0.7; hosts found: 10.0.0.2 [WIN-MSSELCK4K41], 10.0.0.3 [WINDOWS8], 10.0.0.4 [WINDOWS8], 10.0.0.5 [WIN-LXQN3WR3R9M], 10.0.0.7 [WORKGROUP]; the expanded WINDOWS8 entry shows NetBIOS Names (6): WINDOWS8 - File Server Service, WINDOWS8 - Workstation Service, WORKGROUP - Domain Name, WORKGROUP - Potential Master Browser, WORKGROUP - Master Browser, __MSBROWSE__ - Master Browser; Username: (No one logged on); Domain: WORKGROUP; Round Trip Time (RTT): 1 ms]
FIGURE 4.6: Enumeration Screenshot
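The name table NetBIOS Enumerator displays comes from a NetBIOS Name Service node status (NBSTAT) response. As an added Python example (not code from the course or from the tool), the following constructs such a response, parses it per RFC 1002, decodes each name's suffix and group/unique flag, and derives the summary lines shown in the figure (file server, master browser, logged-on user); the sample names mirror the WINDOWS8/WORKGROUP entries and the MAC is the one from Figure 4.5.

```python
import struct

# NetBIOS name suffix meanings (RFC 1001/1002 conventions, as shown by nbtstat and by
# NetBIOS Enumerator in the figure). Key: (suffix byte, is_group_name).
SUFFIX_MEANINGS = {
    (0x00, False): "Workstation Service",
    (0x00, True): "Domain Name",
    (0x03, False): "Messenger Service",
    (0x20, False): "File Server Service",
    (0x1B, False): "Domain Master Browser",
    (0x1D, False): "Master Browser",
    (0x1E, True): "Potential Master Browser",
    (0x01, True): "Master Browser",  # carried by the group name __MSBROWSE__
}

def first_level_encode(name16: bytes) -> bytes:
    """RFC 1002 4.1 name encoding: each of the 16 name bytes becomes two ASCII letters."""
    out = bytearray([32])
    for b in name16:
        out += bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)])
    return bytes(out) + b"\x00"

def build_node_status_response(txid: int, names, mac: bytes) -> bytes:
    """Construct a NODE STATUS RESPONSE (RFC 1002 4.2.18); used here only as sample input."""
    header = struct.pack("!6H", txid, 0x8400, 0, 1, 0, 0)  # response, authoritative answer
    rdata = bytes([len(names)])
    for name, suffix, group, active in names:
        flags = (0x8000 if group else 0) | (0x0400 if active else 0)  # G bit, ACT bit, B-node
        rdata += name.ljust(15).encode("ascii")[:15] + bytes([suffix]) + struct.pack("!H", flags)
    rdata += mac + bytes(40)  # STATISTICS: UNIT_ID (the MAC) followed by counters, zeroed here
    rr = first_level_encode(b"*" + bytes(15)) + struct.pack("!HHIH", 0x0021, 0x0001, 0, len(rdata))
    return header + rr + rdata

def parse_node_status(data: bytes) -> dict:
    """Parse an NBSTAT response into its name table and the responder's MAC address."""
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", data[:12])
    if not flags & 0x8000 or ancount != 1:
        raise ValueError("not a single-answer NetBIOS response")
    pos = 12
    while data[pos]:  # skip the encoded RR_NAME labels
        pos += 1 + data[pos]
    pos += 1
    rr_type, _rr_class, _ttl, rdlength = struct.unpack("!HHIH", data[pos:pos + 10])
    pos += 10
    if rr_type != 0x0021 or pos + rdlength > len(data):
        raise ValueError("not a well-formed NBSTAT record")
    num_names, pos = data[pos], pos + 1
    names = []
    for _ in range(num_names):
        entry = data[pos:pos + 18]
        pos += 18
        text = entry[:15].decode("ascii", "replace")
        name_flags = struct.unpack("!H", entry[16:18])[0]
        group = bool(name_flags & 0x8000)
        names.append({
            "name": "".join(c for c in text if c.isprintable()).strip(),
            "suffix": entry[15],
            "group": group,
            "active": bool(name_flags & 0x0400),
            "meaning": SUFFIX_MEANINGS.get((entry[15], group), "unknown"),
        })
    return {"txid": txid, "names": names, "mac": data[pos:pos + 6].hex(":")}

def summarize(table: dict) -> dict:
    """Derive what the tool reports: machine name, workgroup/domain, server and browser
    roles, and the logged-on user (a unique <03> name that is not the machine name)."""
    def find(suffix, group):
        return [n["name"] for n in table["names"] if n["suffix"] == suffix and n["group"] == group]
    workstation = (find(0x00, False) or [None])[0]
    users = [n for n in find(0x03, False) if n != workstation]
    return {
        "workstation": workstation,
        "domain": (find(0x00, True) or [None])[0],
        "file_server": bool(find(0x20, False)),
        "master_browser": bool(find(0x1D, False)),
        "logged_on_user": users[0] if users else "(No one logged on)",
        "mac": table["mac"],
    }

# Constructed sample mirroring the WINDOWS8 entry in the figure (MAC taken from Figure 4.5).
SAMPLE_NAMES = [
    ("WINDOWS8", 0x00, False, True),
    ("WINDOWS8", 0x20, False, True),
    ("WORKGROUP", 0x00, True, True),
    ("WORKGROUP", 0x1E, True, True),
    ("WORKGROUP", 0x1D, False, True),
    ("\x01\x02__MSBROWSE__\x02", 0x01, True, True),
]
SAMPLE_RESPONSE = build_node_status_response(0x1234, SAMPLE_NAMES, bytes.fromhex("00155da86e06"))

if __name__ == "__main__":
    for n in parse_node_status(SAMPLE_RESPONSE)["names"]:
        kind = "GROUP" if n["group"] else "UNIQUE"
        print(f"{n['name']:<16}<{n['suffix']:02X}> {kind:<7} {n['meaning']}")
    print(summarize(parse_node_status(SAMPLE_RESPONSE)))
```

Everything the parser prints is returned to an unauthenticated UDP/137 query, which is why the countermeasure is to disable NetBIOS over TCP/IP where it is not needed and to block UDP 137 at the perimeter.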
Enumerating User Accounts
PsExec
Source: http://technet.microsoft.com
PsExec is a command-line telnet replacement that lets you execute processes on other systems, including console applications, without having to manually install client software. When you use a specific user account, PsExec passes the credentials in the clear to the remote workstation, exposing them to anyone who happens to be listening in.
PsFile
Source: http://technet.microsoft.com
PsFile is a command-line utility that shows a list of files on a system that are opened remotely, and it also allows you to close opened files either by name or by file identifier. The default behavior of PsFile is to list the files on the local system that are open by remote systems. Typing a command followed by "-" displays information on the syntax for the command.
PsGetSid
Source: http://technet.microsoft.com
PsGetSid allows you to translate SIDs to their display names and vice versa. It works on built-in accounts, domain accounts, and local accounts. It also lets you see the SIDs of user accounts, translates a SID into the name that represents it, and works across the network so that you can query SIDs remotely.
PsKill
Source: http://technet.microsoft.com
PsKill is a kill utility that can kill processes on remote systems and terminate processes on the
local computer. You don't need to install any client software on the target computer to use
PsKill to terminate a remote process.
PsInfo
Source: http://technet.microsoft.com
PsInfo is a command-line tool that gathers key information about the local or remote Windows NT/2000 system, including the type of installation, kernel build, registered organization and owner, number of processors and their type, amount of physical memory, the install date of the system and, if it is a trial version, the expiration date.
PsList
Source: http://technet.microsoft.com
PsList is a command-line tool that administrators use to view process CPU and memory information or thread statistics. The Resource Kit tools pstat and pmon show you different types of data, but display only information about the processes on the system on which you run them.
PsLoggedOn
Source: http://technet.microsoft.com
PsLoggedOn is an applet that displays local and remote logged-on users. If you specify a user name instead of a computer, PsLoggedOn searches all the computers in the network neighborhood and tells you if the user is currently logged on. PsLoggedOn's definition of a locally logged-on user is one who has their profile loaded into the Registry, so PsLoggedOn determines who is logged on by scanning the keys under the HKEY_USERS key.
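PsGetSid's SID translation and PsLoggedOn's HKEY_USERS scan, as one added Python example (not Sysinternals code and not from the course): it decodes and encodes binary SIDs, names the well-known RIDs, and applies PsLoggedOn's rule to a constructed HKEY_USERS listing. The service SIDs and RIDs are Microsoft's documented well-known values, not taken from the text; the domain identifier in the sample is a placeholder.

```python
import struct

# Well-known SIDs whose hives are always loaded under HKEY_USERS and never denote an
# interactively logged-on user (Microsoft's well-known SID list).
SERVICE_SIDS = {
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
    "S-1-5-19": "NT AUTHORITY\\LOCAL SERVICE",
    "S-1-5-20": "NT AUTHORITY\\NETWORK SERVICE",
}
# Relative identifiers with a fixed meaning inside any domain or local SAM.
WELL_KNOWN_RIDS = {500: "Administrator (built-in)", 501: "Guest (built-in)",
                   512: "Domain Admins", 513: "Domain Users"}

def sid_from_bytes(blob: bytes) -> str:
    """Decode a binary SID: revision (1 byte), sub-authority count (1 byte), 48-bit
    big-endian identifier authority, then little-endian 32-bit sub-authorities."""
    if len(blob) < 8 or blob[0] != 1 or len(blob) != 8 + 4 * blob[1]:
        raise ValueError("malformed binary SID")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % blob[1], blob[8:])
    return "S-1-%d" % authority + "".join("-%d" % s for s in subs)

def sid_to_bytes(sid: str) -> bytes:
    """Inverse of sid_from_bytes for the S-1-<authority>-<sub>-... string form."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S" or parts[1] != "1":
        raise ValueError("malformed SID string")
    subs = [int(p) for p in parts[3:]]
    return (bytes([1, len(subs)]) + int(parts[2]).to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def describe_sid(sid: str) -> dict:
    """Name what PsGetSid would: service accounts, and for S-1-5-21 account SIDs the
    issuing domain/machine SID plus the RID (RID 500 is always the built-in
    Administrator, whatever the account has been renamed to)."""
    if sid in SERVICE_SIDS:
        return {"kind": "service", "name": SERVICE_SIDS[sid]}
    parts = sid.split("-")
    if parts[:4] == ["S", "1", "5", "21"] and len(parts) == 8:
        rid = int(parts[7])
        return {"kind": "account", "domain_sid": "-".join(parts[:7]), "rid": rid,
                "name": WELL_KNOWN_RIDS.get(rid, "ordinary user or group")}
    return {"kind": "other", "name": "unrecognized"}

def logged_on_sids(hkey_users_subkeys) -> list:
    """PsLoggedOn's rule: a user is locally logged on when their profile hive is loaded
    under HKEY_USERS. Ignore .DEFAULT, the service-account hives and the *_Classes
    hives that Windows loads beside each user hive."""
    result = []
    for key in hkey_users_subkeys:
        if key == ".DEFAULT" or key.endswith("_Classes") or key in SERVICE_SIDS:
            continue
        if key.startswith("S-1-5-21-"):
            result.append(key)
    return result

# Constructed HKEY_USERS listing; the domain identifier is a placeholder, not a real domain.
SAMPLE_HKEY_USERS = [
    ".DEFAULT", "S-1-5-18", "S-1-5-19", "S-1-5-20",
    "S-1-5-21-1000000001-2000000002-3000000003-500",
    "S-1-5-21-1000000001-2000000002-3000000003-500_Classes",
    "S-1-5-21-1000000001-2000000002-3000000003-1105",
    "S-1-5-21-1000000001-2000000002-3000000003-1105_Classes",
]

if __name__ == "__main__":
    for sid in logged_on_sids(SAMPLE_HKEY_USERS):
        print(sid, describe_sid(sid), sid_to_bytes(sid).hex())
```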
PsLogList
Source: http://technet.microsoft.com
The default behavior of PsLogList is to show the contents of the System Event Log on the local computer, with visually friendly formatting of Event Log records. Command-line options let you view logs on different computers, use a different account to view a log, or have the output formatted in a string-search friendly way.
PsPasswd
Source: http://technet.microsoft.com
PsPasswd is a tool that enables the administrator to create batch files that run PsPasswd on the network of computers to change the administrator password as a part of standard security practice.
PsShutdown
Source: http://technet.microsoft.com
PsShutdown is a command-line tool that allows you to remotely shut down PCs on a network. It can log off the console user or lock the console (locking requires Windows 2000 or higher). It does not require any manual installation of client software.
Enumerate Systems Using Default Passwords
Source: http://www.defaultpassword.com
Devices such as switches, hubs, routers, and access points usually come with "default passwords." Not only network devices but also a few local and online applications have built-in default passwords. These passwords are provided by vendors or application programmers during development of the product. Most users use these applications or devices without changing the default passwords provided by the vendor or the programmer. If you do not change these default passwords, then you might be at risk because lists of default passwords for many products and applications are available online. One such example is http://www.virus.org/default_passwds; it provides verified default login/password pairs for common networked devices. The logins and passwords contained in this database are either set by default when the hardware or software is first installed or are in some cases hardcoded into the hardware or software.
[Screenshot of the default password database at http://www.virus.org/default_passwds: search by vendor, product or model; columns Vendor, Product, Model/Revision, Password, Access Level, Login; the visible rows are 2wire (WiFi Routers) and 3COM (CellPlex, CoreBuilder, HiPerARC, LANplex, LinkSwitch, NetBuilder, Office Connect ISDN Routers) entries]
FIGURE 4.7: Enumeration Screenshot
Attackers take advantage of these default passwords and the online resources that provide default passwords for various products and applications. Attackers gain unauthorized access to the organization's computer network and information resources by using default and common passwords.
FIGURE 4.8: Enumeration Screenshot
Module Flow
This section describes the UNIX/Linux commands that can be used for enumeration and Linux enumeration tools.
• Enumeration Concepts
• NetBIOS Enumeration
• SNMP Enumeration
• UNIX/Linux Enumeration
• LDAP Enumeration
• NTP Enumeration
• SMTP Enumeration
• DNS Enumeration
• Enumeration Countermeasures
• Enumeration Pen Testing
SNMP (Simple Network Management Protocol) Enumeration
• SNMP enumeration is a process of enumerating user accounts and devices on a target system using SNMP
• SNMP consists of a manager and an agent; agents are embedded on every network device, and the manager is installed on a separate computer
• SNMP holds two passwords to access and configure the SNMP agent from the management station
o Read community string: It is public by default, allows to view the device or system configuration
o Read/write community string: It is private by default, allows to edit or alter configuration on the device
• Attacker uses these default community strings to extract information about a device
• Attackers enumerate SNMP to extract information about network resources such as hosts, routers, devices, shares, etc. and network information such as ARP tables, routing tables, traffic statistics, device specific information, etc.
SNMP (Simple Network Management Protocol) is an application layer protocol that runs on UDP, and is used to maintain and manage routers, hubs, and switches on an IP network. SNMP agents run on networking devices in Windows and UNIX networks.
SNMP enumeration is the process of enumerating the user accounts and devices on a target computer using SNMP. Two types of software components are employed by SNMP for communicating: the SNMP agent and the SNMP management station. The SNMP agent is located on the networking device, whereas the SNMP management station communicates with the agent.
Almost all network infrastructure devices such as routers, switches, etc. contain an SNMP agent for managing the system or device. The SNMP management station sends requests to the agent; after receiving the request, the agent sends back replies. Both requests and replies concern the configuration variables accessible to the agent software. Requests are also sent by SNMP management stations for setting the values of some variables. Traps let the management station know if anything has happened at the agent's side, such as a reboot, an interface failure, or any other abnormal event.
SNMP contains two passwords that you can use for configuring as well as for accessing the SNMP agent from the management station.
The two SNMP passwords are:
• Read community string:
o Configuration of the device or system can be viewed with the help of this password
o These strings are public
• Read/write community string:
o Configuration on the device can be changed or edited using this password
o These strings are private
When the community strings are left at the default setting, attackers take the opportunity and find the loopholes in it. Then, the attacker can use these default passwords for changing or viewing the configuration of the device or system. Attackers enumerate SNMP to extract information about network resources such as hosts, routers, devices, shares, etc. and network information such as ARP tables, routing tables, device specific information, and traffic statistics.
Commonly used SNMP enumeration tools include SNMPUtil and IP Network Browser.
Working of SNMP
[Diagram: Host X (SNMP Manager, IP 10.10.2.15) sends a request for active sessions (Community String: CompInfo, IP: 10.10.2.15) to Host Y (SNMP Agent, IP 10.10.2.12); Host Y's MIB holds the community string CompInfo together with the software version, hard drive space and session table, and replies with Active Session Information (No. of sessions: 2, Comm: CompInfo, IP: 10.10.2.15). If the community string does not match the string stored in the MIB database, host Y sends an error indication (Community String: Alarm) to a pre-configured SNMP manager, Host Z (IP 10.10.2.1).]
FIGURE 4.9: SNMP Screenshot
Management Information Base (MIB)
• MIB is a virtual database containing a formal description of all the network objects that can be managed using SNMP
• The MIB database is hierarchical and each managed object in a MIB is addressed through object identifiers (OIDs)
• Two types of managed objects exist:
o Scalar objects that define a single object instance
o Tabular objects that define multiple related object instances that are grouped in MIB tables
• The OID includes the type of MIB object such as counter, string, or address, access level such as not-accessible, accessible-for-notify, read-only or read-write, size restrictions, and range information
• SNMP uses the MIB's hierarchical namespace containing object identifiers (OIDs) to translate the OID numbers into a human-readable display
MIB is a virtual database containing a formal description of all the network objects that can be managed using SNMP. MIB is the collection of hierarchically organized information. It provides a standard representation of the SNMP agent's information and storage. MIB elements are recognized using object identifiers. The object ID is the numeric name given to the object and begins with the root of the MIB tree. The object identifier uniquely identifies the object present in the MIB hierarchy.
MIB-managed objects include scalar objects that define a single object instance and tabular objects that define a group of related object instances. The object identifiers include the object's type such as counter, string, or address, access level such as read or read/write, size restrictions, and range information. MIB is used as a codebook by the SNMP manager for converting the OID numbers into a human-readable display.
The contents of the MIB can be accessed and viewed using a web browser either by entering the IP address and Lseries.mib or by entering the DNS library name and Lseries.mib. For example, http://IP.Address/Lseries.mib or http://library_name/Lseries.mib.
Microsoft provides the list of MIBs that are installed with the SNMP Service in the Windows resource kit. The major ones are:
• DHCP.MIB: Monitors network traffic between DHCP servers and remote hosts
• HOSTMIB.MIB: Monitors and manages host resources
• LNMIB2.MIB: Contains object types for workstation and server services
• WINS.MIB: For Windows Internet Name Service
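The community-string exchange described in the SNMP enumeration section and the OID-to-name lookup described for the MIB, as one added Python example (not from the course or from any tool it names): it encodes and parses SNMPv1 messages at the BER level, decodes the OID in each variable binding against a small MIB-II system-group codebook, and flags the two default community strings. The MIB-II names and PDU tags are the RFC 1213 and RFC 1157 values, not taken from the text; the sample packets are constructed inline.

```python
PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap"}
DEFAULT_COMMUNITIES = {"public", "private"}
# A slice of the MIB-II system group (RFC 1213): the "codebook" that turns OIDs into names.
MIB_NAMES = {"1.3.6.1.2.1.1.1.0": "sysDescr.0", "1.3.6.1.2.1.1.3.0": "sysUpTime.0",
             "1.3.6.1.2.1.1.4.0": "sysContact.0", "1.3.6.1.2.1.1.5.0": "sysName.0"}

def tlv(tag, content):
    """BER tag-length-value with a definite length (short or long form)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def ber_int(value):
    return tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))

def ber_oid(oid):
    """Dotted OID to BER: first two arcs packed as 40*x+y, the rest base-128 big-endian."""
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

NULL = tlv(0x05, b"")  # the placeholder value a Get carries for each OID

def build_message(community, pdu_tag, request_id, varbinds):
    """SNMPv1 message: SEQUENCE { version INTEGER 0, community OCTET STRING, PDU };
    varbinds is a list of (oid, value TLV)."""
    vbl = b"".join(tlv(0x30, ber_oid(oid) + value) for oid, value in varbinds)
    pdu = tlv(pdu_tag, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, vbl))
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode("ascii")) + pdu)

def read_tlv(data, pos):
    """Return (tag, content, position after the element), refusing lengths past the end."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    if pos + length > len(data):
        raise ValueError("truncated BER element")
    return tag, data[pos:pos + length], pos + length

def decode_oid(content):
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def parse_snmpv1(packet):
    """Parse a v1/v2c Get, GetNext, Set or Response PDU (Trap PDUs use another layout)."""
    tag, body, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("SNMP message must be a SEQUENCE")
    _, version, pos = read_tlv(body, 0)
    _, community, pos = read_tlv(body, pos)
    pdu_tag, pdu, _ = read_tlv(body, pos)
    if pdu_tag not in PDU_TYPES or pdu_tag == 0xA4:
        raise ValueError("unsupported PDU type 0x%02x" % pdu_tag)
    _, request_id, pos = read_tlv(pdu, 0)
    _, error_status, pos = read_tlv(pdu, pos)
    _, _error_index, pos = read_tlv(pdu, pos)
    _, vbl, _ = read_tlv(pdu, pos)
    varbinds, pos = [], 0
    while pos < len(vbl):
        _, vb, pos = read_tlv(vbl, pos)
        _, oid_bytes, q = read_tlv(vb, 0)
        value_tag, value, _ = read_tlv(vb, q)
        oid = decode_oid(oid_bytes)
        varbinds.append({"oid": oid, "name": MIB_NAMES.get(oid, oid), "tag": value_tag, "value": value})
    return {"version": int.from_bytes(version, "big", signed=True),
            "community": community.decode("ascii", "replace"), "pdu": PDU_TYPES[pdu_tag],
            "request_id": int.from_bytes(request_id, "big", signed=True),
            "error_status": int.from_bytes(error_status, "big", signed=True), "varbinds": varbinds}

def audit(msg):
    """Defender's checks: v1/v2c carry the community string in cleartext, and the default
    strings hand read (public) or configuration-write (private) access to anyone."""
    findings = []
    if msg["version"] in (0, 1):
        findings.append("community string sent in cleartext (SNMPv1/v2c)")
    if msg["community"] in DEFAULT_COMMUNITIES:
        findings.append("default community string '%s' in use" % msg["community"])
        if msg["pdu"] == "SetRequest":
            findings.append("configuration write authorised by a default community string")
    return findings

# Constructed samples: a manager reading sysDescr/sysName with "public", and a write to
# sysName with "private", the two defaults the text describes.
SAMPLE_GET = build_message("public", 0xA0, 42, [("1.3.6.1.2.1.1.1.0", NULL), ("1.3.6.1.2.1.1.5.0", NULL)])
SAMPLE_SET = build_message("private", 0xA3, 43, [("1.3.6.1.2.1.1.5.0", tlv(0x04, b"renamed-host"))])
```

Run over captured UDP/161 payloads, audit() gives the findings a network review needs: which devices still answer to public/private and which of them accept writes with those strings.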
SNMP Enumeration Tool: OpUtils
Source: http://www.manageengine.com
OpUtils is a collection of tools with which network engineers can monitor, diagnose, and troubleshoot their IT resources. You can monitor the availability and other activities of critical devices, detect unauthorized network access, and manage IP addresses. It allows you to create custom SNMP tools through which you can monitor MIB nodes.
SNMP Enumeration Tool: SolarWinds IP Network Browser
Source: http://www.solarwinds.com
IP Network Browser from SolarWinds is a network discovery application. It collects information via ICMP and SNMP locally or on a remote network. It scans a single IP, IP address range, or subnet and displays network devices as they are discovered in real time, providing you with immediate access to detailed information about the devices on your network. It is easy for the attacker to discover information about the target network after scanning the entire subnet. Using IP Network Browser, an attacker can gather information from a poorly configured Windows system. The information that can be gathered includes server name, operating system version, SNMP contact and location information, list of services and network interfaces, list of all user accounts, machine date/time, etc.
For example, on a Cisco router, SolarWinds IP Network Browser will determine the current IOS version and release, as well as identify which cards are installed in which slots, the status of each port, and ARP tables. When IP Network Browser discovers a Windows server, it returns information including interface status, bandwidth utilization, services running, and even details of software that is installed and running.
[SolarWinds Workspace Studio screenshot: IP Network Browser run against the 192.168.168.x subnet; the expanded entry for a Windows NT Workstation host shows its System MIB (System Name, System Description, Location, Contact, sysObjectID 1.3.6.1.4.1.311.1.1.3.1.1, last boot time), Services, Interfaces (2: MS TCP Loopback interface, Realtek RTL8169/8110 Family Gigabit Ethernet NIC), Accounts, ARP Table, Routes, Shares, Shared Printers, TCP/IP Networks and TCP Connections]
FIGURE 4.11: SNMP Enumeration Tool Screenshot
SNMP Enum eration Tools
In addition to OpUtils and SolarWind's
are listed as follows:
IP Network Browser, a few more SNMP tools
Q
Getif available at http://www.wtcs.org
Q
OiDViEW SNMP MIB Browser available at http://www.oidview.com
Q
iReasoning MIB Browser available at http://tll.ireasoning.com
e
SNScan available at http://www.mcafee.com
Q
SNMP Scanner available at http://www.secure-bytes.com
Q
SoftPerfect Network Scanner available at http://www.softperfect.com
e
SNMP Informant available at http://www.snmp-informant.com
e
Net-SNMP available at http://net-snmp.sourceforge.net
9
Nsauditor Network Security Auditor available at http://www.nsauditor.com
6
Spiceworks available at http://www.spiceworks.com
Module Flow
This section describes the UNIX/Linux commands that can be used for enumeration and Linux enumeration tools.
Module flow: Enumeration Concepts, NetBIOS Enumeration, SNMP Enumeration, UNIX/Linux Enumeration, LDAP Enumeration, NTP Enumeration, SMTP Enumeration, DNS Enumeration, Enumeration Countermeasures, Enumeration Pen Testing.
UNIX/Linux Enumeration Commands
finger
• Enumerates the user and the host
• Enables you to view the user's home directory, login time, idle times, office location, and the last time they both received or read mail
[root$] finger -l @target.hackme.com
rpcinfo
• Helps to enumerate the Remote Procedure Call protocol
• The RPC protocol allows applications to communicate over the network
[root] rpcinfo -p 19x.16x.xxx.xx
rpcclient
• Using rpcclient we can enumerate user names on Linux and OS X
[root $] rpcclient $> netshareenum
showmount
• Finds the shared directories on the machine
[root $] showmount -e 19x.16x.xxx.xx
UNIX/Linux Enumeration Commands
Commands used to enumerate UNIX network resources are as follows: showmount, finger, rpcinfo (RPC), and rpcclient.
finger
The finger command is used for enumerating the users on the remote machine. It enables you to view the user's home directory, login time, idle times, office location, and the last time they both received or read mail.
The syntax for finger is:
finger [-b] [-f] [-h] [-i] [-l] [-m] [-p] [-q] [-s] [-w] [username]
Options:
-b
Suppresses printing the user's home directory and shell in a long format printout.
-f
Suppresses printing the header that is normally printed in a non-long format printout.
-h
Suppresses printing of the .project file in a long format printout.
-i
Forces "idle" output format, which is similar to short format except that only the login name, terminal, login time, and idle time are printed.
-l
Forces long output format.
-m
Matches arguments only on the user's name.
-p
Suppresses printing of the .plan file in a long format printout.
-q
Forces quick output format, which is similar to short format except that only the login name, terminal, and login time are printed.
-s
Forces short output format.
-w
Suppresses printing the full name in a short format printout.
For example, if the command [root$] finger -l @target.hackme.com is executed, then you can get the list of users on the target host.
rpcinfo (RPC)
rpcinfo (RPC) helps you to enumerate the Remote Procedure Call protocol. This in turn allows the applications to communicate over the network.
The syntax for rpcinfo follows:
rpcinfo [-m | -s] [host]
rpcinfo -p [host]
rpcinfo -T transport host prognum [versnum]
rpcinfo -l [-T transport] host prognum versnum
rpcinfo [-n portnum] -u host prognum [versnum]
rpcinfo [-n portnum] -t host prognum [versnum]
rpcinfo -a serv_address -T transport prognum [versnum]
rpcinfo -b [-T transport] prognum versnum
rpcinfo -d [-T transport] prognum versnum
Options:
-m
Displays a table of statistics of rpcbind operations on the given host. The table shows statistics for each version of rpcbind (versions 2, 3 and 4), giving the number of times each procedure was requested and successfully serviced, the number and type of remote call requests that were made, and information about RPC address lookups that were handled. This is useful for monitoring RPC activities on the host.
-s
Displays a concise list of all registered RPC programs on host. If host is not specified, it defaults to the local host.
-p
Probes rpcbind on host using version 2 of the rpcbind protocol, and displays a list of all registered RPC programs. If host is not specified, it defaults to the local host. Note that version 2 of the rpcbind protocol was previously known as the portmapper protocol.
-t
Makes an RPC call to procedure 0 of prognum on the specified host using TCP, and reports whether or not a response was received. This option is made obsolete by the -T option as shown in the third synopsis.
-l
Displays a list of entries with a given prognum and versnum on the specified host. Entries are returned for all transports in the same protocol family as that used to contact the remote rpcbind.
-b
Makes an RPC broadcast to procedure 0 of the specified prognum and versnum and reports all hosts that respond. If transport is specified, it broadcasts its request only on the specified transport. If broadcasting is not supported by any transport, an error message is printed. Use of broadcasting should be limited because of the potential for adverse effect on other systems.
-d
Deletes registration for the RPC service of the specified prognum and versnum. If transport is specified, unregisters the service on only that transport; otherwise, unregisters the service on all the transports on which it was registered. Only the owner of a service can delete a registration, except the superuser, who can delete any service.
-u
Makes an RPC call to procedure 0 of prognum on the specified host using UDP, and reports whether or not a response was received. This option is made obsolete by the -T option as shown in the third synopsis.
-a serv_address
Uses serv_address as the (universal) address for the service on transport to ping procedure 0 of the specified prognum and reports whether or not a response was received. The -T option is required with the -a option.
If versnum is not specified, rpcinfo tries to ping all available version numbers for that program number. This option avoids calls to remote rpcbind to find the address of the service. The serv_address is specified in universal address format of the given transport.
-n portnum
Uses portnum as the port number for the -t and -u options instead of the port number given by rpcbind. Use of this option avoids a call to the remote rpcbind to find out the address of the service. This option is made obsolete by the -a option.
-T transport
Specifies the transport on which the service is required. If this option is not specified, rpcinfo uses the transport specified in the NETPATH environment variable, or if that is unset or NULL, the transport in the netconfig database is used. This is a generic option, and can be used in conjunction with other options as shown in the SYNOPSIS.
host
Specifies the host of which RPC information is required.
For example, if the command [root] rpcinfo -p 19x.16x.xxx.xx is executed, then you can get the RPC information of the host you are currently connected to.
rpcclient
rpcclient is used to enumerate usernames on Linux and OS X.
The syntax for rpcclient follows:
rpcclient [-A authfile] [-c <command string>] [-d debuglevel] [-h] [-l logdir] [-N] [-s <smb config file>] [-U username[%password]] [-W workgroup] [-I destinationIP] {server}
Options:
-c
Execute semicolon-separated commands.
-I
IP address is the address of the server to connect to. It should be specified in standard "a.b.c.d" notation.
-p
This number is the TCP port number used when making connections to the server. The standard TCP port number for an SMB/CIFS server is 139, which is the default.
-d
debuglevel is an integer from 0 to 10. The default value if this parameter is not specified is 0.
-V
Prints the program version number.
-s
The file specified contains the configuration details required by the server.
-l
Base directory name for log/debug files. The extension ".progname" will be appended (e.g. log.smbclient, log.smbd, etc.). The log file is never removed by the client.
-N
If specified, this parameter suppresses the normal password prompt from the client to the user. This is useful when accessing a service that does not require a password.
-A
This option allows you to specify a file from which to read the username and password used in the connection.
-U
Sets the SMB user name or user name and password.
-W
Sets the SMB domain of the username.
-h
Prints a summary of command-line options.
For example, if the command [root $] rpcclient $> netshareenum is executed, then it displays all the user names.
showmount
showmount identifies and lists the shared directories available on a system. The clients that have remotely mounted a file system from a host are listed by showmount. mountd is an RPC server that replies to NFS access information and file system mount requests. The mountd server on the host maintains the obtained information. The file /etc/rmtab preserves the information across a crash. The default value for the host is the value returned by hostname(1).
The syntax for mountd: /usr/lib/nfs/mountd [-v] [-r]
The syntax for showmount: /usr/sbin/showmount [-ade] [hostname]
Options:
-a
Print all remote mounts in the format.
-d
List directories that have been remotely mounted by clients.
-e
Print the list of shared file systems.
For example, if the command [root $] showmount -e 19x.16x.xxx.xx is executed, then it displays the list of all shared directories that are mounted by a host.
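The rpcinfo and showmount commands above list what a host registers with rpcbind and what it exports; the review step is deciding which of those registrations and exports should not be reachable from where the query was made. The following Python script is an added example (not from the courseware and not part of rpcbind or nfs-utils) that parses constructed `rpcinfo -p` and `showmount -e` output, laid out the way the real tools print it, and reports the RPC services and export client specifications that warrant review. The set of services it flags and the /16 width threshold for "too broad" are choices made for this example.

```python
"""Parse `rpcinfo -p` and `showmount -e` output and flag what an administrator
should review.  Added example; not from the courseware or the nfs-utils tools."""
import re
from typing import Dict, List

# Constructed sample output in the shape the two tools print (not captured from a live host).
RPCINFO_SAMPLE = """\
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100003    3   tcp   2049  nfs
    100003    3   udp   2049  nfs
    100005    3   tcp  20048  mountd
    100005    3   udp  20048  mountd
    100021    4   tcp  35407  nlockmgr
"""
SHOWMOUNT_SAMPLE = """\
Export list for 19x.16x.xxx.xx:
/export/home   *
/export/build  10.0.0.0/8
/export/backup backup01.example.internal,backup02.example.internal
"""

# RPC services whose exposure beyond a trusted network usually warrants a finding
# (list chosen for this example, not taken from the courseware).
SENSITIVE_RPC = {"nfs", "mountd", "nlockmgr", "rquotad", "ypserv"}
# A client CIDR wider than this prefix length is treated as "wide open" (this example's choice).
WIDE_PREFIX_BITS = 16
CIDR = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}/(\d{1,2})$")


def parse_rpcinfo(text: str) -> List[Dict[str, str]]:
    """Return one dict per registered program; the column header line is skipped."""
    columns = ("program", "vers", "proto", "port", "service")
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == len(columns) and parts[0].isdigit():
            rows.append(dict(zip(columns, parts)))
    return rows


def parse_showmount(text: str) -> Dict[str, List[str]]:
    """Map each exported path to its client list (showmount prints them comma separated)."""
    exports: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("Export list"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            exports[parts[0]] = [c for c in parts[1].split(",") if c]
    return exports


def is_wide_open(client: str) -> bool:
    """True for '*' / '(everyone)' or a CIDR block wider than /WIDE_PREFIX_BITS."""
    if client in ("*", "(everyone)"):
        return True
    m = CIDR.match(client)
    return bool(m) and int(m.group(1)) < WIDE_PREFIX_BITS


def findings(rpcinfo_text: str, showmount_text: str) -> List[str]:
    """Human-readable review items derived from the two command outputs."""
    out: List[str] = []
    rows = parse_rpcinfo(rpcinfo_text)
    for svc in sorted({r["service"] for r in rows} & SENSITIVE_RPC):
        endpoints = sorted({(r["proto"], r["port"]) for r in rows if r["service"] == svc})
        out.append(f"rpc service {svc} registered on "
                   + ", ".join(f"{proto}/{port}" for proto, port in endpoints))
    for path, clients in parse_showmount(showmount_text).items():
        for client in clients:
            if is_wide_open(client):
                out.append(f"export {path} is shared with {client}")
    return out


if __name__ == "__main__":
    for item in findings(RPCINFO_SAMPLE, SHOWMOUNT_SAMPLE):
        print(item)
```

Feeding the script the real output of the two commands run against your own hosts gives the same list; an export shared with "*" or a very wide block is normally tightened to the specific client hosts or subnets in /etc/exports, and rpcbind, mountd and nfs are kept off untrusted networks.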
Linux Enumeration Tool: Enum4linux
sh-3.2$ enum4linux.pl -r 192.168.2.55
Starting enum4linux v0.8.2 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Wed Apr 2 14:14:35 2008
---- Target information ----
Target ........... 192.168.2.55
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
---- Enumerating Workgroup/Domain on 192.168.2.55 ----
[+] Got domain/workgroup name: WORKGROUP
---- Getting domain SID for 192.168.2.55 ----
Domain Name: WORKGROUP
Domain Sid: S-0-0
[+] Host is part of a workgroup (not a domain)
---- Session Check on 192.168.2.55 ----
[+] Server 192.168.2.55 allows sessions using username '', password ''
---- Users on 192.168.2.55 via RID cycling (RIDS: 500-550,1000-1050) ----
[I] Assuming that user "administrator" exists
[+] Got SID: S-1-5-21-1801674531-1482476501-725345543 using username '', password ''
S-1-5-21-1801674531-1482476501-725345543-500 W2KSQL\Administrator (Local User)
S-1-5-21-1801674531-1482476501-725345543-501 W2KSQL\Guest (Local User)
S-1-5-21-1801674531-1482476501-725345543-513 W2KSQL\None (Domain Group)
S-1-5-21-1801674531-1482476501-725345543-1000 W2KSQL\TsInternetUser (Local User)
S-1-5-21-1801674531-1482476501-725345543-1001 W2KSQL\IUSR_PORTCULLIS (Local User)
S-1-5-21-1801674531-1482476501-725345543-1002 W2KSQL\IWAM_PORTCULLIS (Local User)
S-1-5-21-1801674531-1482476501-725345543-1004 W2KSQL\mark (Local User)
S-1-5-21-1801674531-1482476501-725345543-1005 W2KSQL\blah (Local User)
S-1-5-21-1801674531-1482476501-725345543-1006 W2KSQL\basic (Local User)
enum4linux complete on Wed Apr 2 14:14:40 2008
http://labs.portcullis.co.uk
Linux Enumeration Tool: Enum4linux
Source: http://labs.portcullis.co.uk
Enum4linux is a tool that allows you to enumerate information from Samba, as well as Windows systems.
Features:
• RID Cycling (when RestrictAnonymous is set to 1 on Windows 2000)
• User Listing (when RestrictAnonymous is set to 0 on Windows 2000)
• Listing of Group Membership Information
• Share Enumeration
• Detecting if host is in a Workgroup or a Domain
• Identifying the remote Operating System
• Password Policy Retrieval (using polenum)
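The RID-cycling transcript above is what enum4linux reports; reading it systematically shows that the null session, not the list of names, is the finding to fix. The following Python script is an added example (not part of enum4linux or the courseware) that parses a constructed report in the same format, records whether a null session was accepted, splits each SID into domain SID and RID, labels the well-known RIDs, and flags a renamed built-in Administrator that the RID still identifies. The sample SIDs and account names are modelled on the figure; the RID table is the standard Windows assignment.

```python
"""Summarise an enum4linux-style report: whether a null session was accepted and
which accounts RID cycling recovered.  Added example; not part of enum4linux or
the courseware."""
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the report format in the figure (not a real capture).
SAMPLE_REPORT = """\
[+] Got domain/workgroup name: WORKGROUP
[+] Host is part of a workgroup (not a domain)
[+] Server 192.168.2.55 allows sessions using username '', password ''
[I] Assuming that user "administrator" exists
[+] Got SID: S-1-5-21-1801674531-1482476501-725345543 using username '', password ''
S-1-5-21-1801674531-1482476501-725345543-500 W2KSQL\\Administrator (Local User)
S-1-5-21-1801674531-1482476501-725345543-501 W2KSQL\\Guest (Local User)
S-1-5-21-1801674531-1482476501-725345543-513 W2KSQL\\None (Domain Group)
S-1-5-21-1801674531-1482476501-725345543-1000 W2KSQL\\TsInternetUser (Local User)
S-1-5-21-1801674531-1482476501-725345543-1004 W2KSQL\\mark (Local User)
enum4linux complete on Wed Apr 2 14:14:40 2008
"""

# RIDs that Windows assigns to well-known principals regardless of their display name.
WELL_KNOWN_RIDS = {500: "built-in Administrator", 501: "built-in Guest", 502: "krbtgt",
                   512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests"}
# "<domain SID>-<RID> DOMAIN\name (kind)" as printed in the RID-cycling section
SID_LINE = re.compile(r"^(S-1-5-21(?:-\d+){3})-(\d+)\s+([^\\\s]+)\\(\S+)\s+\((.+)\)$")
NULL_SESSION = re.compile(r"allows sessions using username '', password ''")


def split_sid(sid: str) -> Tuple[str, int]:
    """Split an account SID into (domain SID, RID)."""
    domain_sid, _, rid = sid.rpartition("-")
    return domain_sid, int(rid)


def parse_report(text: str) -> Tuple[bool, List[Dict[str, object]]]:
    """Return (null session accepted?, accounts recovered by RID cycling)."""
    null_session = False
    accounts: List[Dict[str, object]] = []
    for line in text.splitlines():
        if NULL_SESSION.search(line):
            null_session = True
            continue
        m = SID_LINE.match(line)
        if m:
            domain_sid, rid, domain, name, kind = m.groups()
            accounts.append({"domain_sid": domain_sid, "rid": int(rid), "domain": domain,
                             "name": name, "kind": kind,
                             "well_known": WELL_KNOWN_RIDS.get(int(rid))})
    return null_session, accounts


def findings(text: str) -> List[str]:
    """Review items in the order an administrator should act on them."""
    null_session, accounts = parse_report(text)
    out: List[str] = []
    if null_session:
        out.append("null session accepted: anonymous callers can enumerate accounts "
                   "(review RestrictAnonymous on this host)")
    users = [a for a in accounts if a["kind"] == "Local User"]
    if users:
        out.append(f"{len(users)} local user accounts exposed by RID cycling: "
                   + ", ".join(str(a["name"]) for a in users))
    for a in accounts:
        # Renaming the built-in Administrator does not hide it: RID 500 is fixed.
        if a["rid"] == 500 and str(a["name"]).lower() != "administrator":
            out.append(f"built-in Administrator (RID 500) is renamed to {a['name']}; "
                       "the RID still identifies it")
    return out


if __name__ == "__main__":
    for item in findings(SAMPLE_REPORT):
        print(item)
```

The first finding is the one that matters: once anonymous sessions are refused, RID cycling has nothing to query, whereas renaming or hiding accounts leaves the enumeration path open.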
FIGURE 4.11: Enum4linux Tool Screenshot
Module Flow
To enable communication and manage data transfer between network resources, various protocols are employed. All these protocols carry valuable information about network resources along with the data to be transferred. If any external user is able to enumerate that information by manipulating the protocols, then he or she can break into the network and may misuse the network resources. LDAP is one such protocol, intended to access directory listings.
Module flow: Enumeration Concepts, NetBIOS Enumeration, SNMP Enumeration, UNIX/Linux Enumeration, LDAP Enumeration, NTP Enumeration, SMTP Enumeration, DNS Enumeration, Enumeration Countermeasures, Enumeration Pen Testing.
This section focuses on LDAP enumeration and LDAP enumeration tools.
LDAP Enumeration
• Lightweight Directory Access Protocol (LDAP) is an Internet protocol for accessing distributed directory services
• Directory services may provide any organized set of records, often in a hierarchical and logical structure, such as a corporate email directory
• A client starts an LDAP session by connecting to a Directory System Agent (DSA) on TCP port 389 and sends an operation request to the DSA
• Information is transmitted between the client and the server using Basic Encoding Rules (BER)
• Attacker queries the LDAP service to gather information such as valid user names, addresses, departmental details, etc. that can be further used to perform attacks
LDAP Enumeration
The Lightweight Directory Access Protocol (LDAP) is used to access directory listings within an Active Directory or from other directory services. A directory is compiled in hierarchical or logical form, somewhat like the levels of management and employees in a company. It is well suited to integration with the Domain Name System (DNS) to allow quick lookups and fast resolution of queries. It usually runs on port 389. You can anonymously query the LDAP service. The query will disclose sensitive information such as user names, addresses, departmental details, server names, etc., which can be used by the attacker for launching the attack.
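The slide states that LDAP messages are carried in BER, and the text above that the service can be queried anonymously; whether a directory accepts an anonymous bind is a policy the administrator sets. The following Python code is an added example (not from the courseware and not an LDAP client library) that encodes the anonymous BindRequest a client sends and decodes the BindResponse, so that someone verifying a directory's policy can tell an accepted anonymous bind (resultCode 0, success) from a refused one (resultCode 48, inappropriateAuthentication). The two responses are constructed inside the script, not captured from a server; the tags and result codes are the values defined in RFC 4511.

```python
"""Encode an LDAP anonymous BindRequest and decode the server's BindResponse using
the BER rules of RFC 4511, then judge whether the DSA accepted the anonymous bind.
Added example; not from the courseware, and not an LDAP client library."""
from typing import Tuple

TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_ENUMERATED = 0x0A
TAG_SEQUENCE = 0x30
TAG_BIND_REQUEST = 0x60        # [APPLICATION 0], constructed
TAG_BIND_RESPONSE = 0x61       # [APPLICATION 1], constructed
TAG_SEARCH_RESULT_DONE = 0x65  # [APPLICATION 5], constructed
TAG_SIMPLE_AUTH = 0x80         # [0] context-specific: simple (password) authentication

RESULT_SUCCESS = 0
RESULT_INAPPROPRIATE_AUTHENTICATION = 48


def ber_length(n: int) -> bytes:
    """Definite-form length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_length(len(value)) + value


def ber_integer(value: int) -> bytes:
    """INTEGER in minimal two's-complement form, so 128 becomes 00 80, not 80."""
    return tlv(TAG_INTEGER, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))


def anonymous_bind_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name "", simple "" } }."""
    bind = tlv(TAG_BIND_REQUEST,
               ber_integer(3) + tlv(TAG_OCTET_STRING, b"") + tlv(TAG_SIMPLE_AUTH, b""))
    return tlv(TAG_SEQUENCE, ber_integer(message_id) + bind)


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, position after the element) for the TLV starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long form: low bits give the octet count
        count = first & 0x7F
        if count == 0 or count > 4:
            raise ValueError("indefinite or oversized BER length")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:end], end


def parse_ldap_result(message: bytes) -> Tuple[int, int, int, str]:
    """Decode an LDAPMessage whose protocolOp carries an LDAPResult (BindResponse,
    SearchResultDone, ...).  Returns (messageID, op tag, resultCode, diagnosticMessage)."""
    tag, body, end = read_tlv(message, 0)
    if tag != TAG_SEQUENCE or end != len(message):
        raise ValueError("not a single LDAPMessage SEQUENCE")
    tag, mid, pos = read_tlv(body, 0)
    if tag != TAG_INTEGER:
        raise ValueError("messageID missing")
    op_tag, op, _ = read_tlv(body, pos)
    tag, code, pos = read_tlv(op, 0)          # LDAPResult: resultCode ENUMERATED
    if tag != TAG_ENUMERATED:
        raise ValueError("resultCode missing")
    _, _matched_dn, pos = read_tlv(op, pos)   # matchedDN LDAPDN
    _, diagnostic, _ = read_tlv(op, pos)      # diagnosticMessage LDAPString
    return (int.from_bytes(mid, "big", signed=True), op_tag,
            int.from_bytes(code, "big"), diagnostic.decode("utf-8", "replace"))


def anonymous_bind_accepted(response: bytes) -> bool:
    _, op_tag, code, _ = parse_ldap_result(response)
    return op_tag == TAG_BIND_RESPONSE and code == RESULT_SUCCESS


def ldap_result(op_tag: int, message_id: int, result_code: int, diagnostic: str = "") -> bytes:
    """Build a result message the way a DSA would; used here to construct test input."""
    body = (tlv(TAG_ENUMERATED, bytes([result_code])) + tlv(TAG_OCTET_STRING, b"")
            + tlv(TAG_OCTET_STRING, diagnostic.encode()))
    return tlv(TAG_SEQUENCE, ber_integer(message_id) + tlv(op_tag, body))


# Constructed responses (not captured from any server).
RESPONSE_OPEN = ldap_result(TAG_BIND_RESPONSE, 1, RESULT_SUCCESS)
RESPONSE_LOCKED = ldap_result(TAG_BIND_RESPONSE, 1, RESULT_INAPPROPRIATE_AUTHENTICATION,
                              "anonymous bind disallowed")

if __name__ == "__main__":
    print(anonymous_bind_request().hex())
    for label, resp in (("open", RESPONSE_OPEN), ("locked", RESPONSE_LOCKED)):
        print(label, parse_ldap_result(resp), anonymous_bind_accepted(resp))
```

Active Directory accepts the anonymous bind itself and applies its anonymous-access policy to the search that follows, so against AD the message to inspect with parse_ldap_result is the SearchResultDone (tag 0x65) rather than the BindResponse; a directory that has anonymous binds disabled outright answers the bind as in RESPONSE_LOCKED.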
LDAP Enumeration Tool: Softerra LDAP Administrator
Source: http://www.ldapadministrator.com
Softerra LDAP Administrator is an LDAP administration tool that allows you to work with LDAP servers such as Active Directory, Novell Directory Services, Netscape/iPlanet, etc. It generates customizable directory reports with information necessary for effective monitoring and audit.
Features:
• It provides directory search facilities, bulk update operations, group membership management facilities, etc.
• It supports LDAP-SQL, which allows you to manage LDAP entries using SQL-like syntax
[Screenshot: Softerra LDAP Administrator 2011.1 connected to example.com:389. The Scope Pane shows the directory tree (OU=HR Department with entries such as CN=Franko Barucci, CN=HR Managers and CN=IT Department) and the entry view for CN=Franko Barucci,OU=HR Department,DC=example,DC=com (Planning Manager, Paris, telephone and e-mail attributes). The List View of the server's root entry shows the naming contexts (CN=Configuration, CN=Schema, DC=DomainDnsZones, DC=example, DC=ForestDnsZones) and attributes including currentTime, dsServiceName, defaultNamingContext, schemaNamingContext, configurationNamingContext, rootDomainNamingContext, supportedLDAPPolicies (MaxPoolThreads, MaxDatagramRecv, MaxReceiveBuffer, InitRecvTimeout, MaxConnections, MaxConnIdleTime, MaxPageSize, MaxQueryDuration, MaxTempTableSize, MaxResultSetSize, MaxNotificationPerConn, MaxValRange), highestCommittedUSN and dnsHostName (server1.example.com)]
FIGURE 4.12: Softerra LDAP Administrator tool Screenshot
LDAP Enumeration Tools
There are many LDAP enumeration tools that can be used to access the directory listings within Active Directory or from other directory services. Using these tools, attackers can enumerate information such as valid user names, addresses, departmental details, etc. from different LDAP servers.
A few LDAP enumeration tools are listed as follows:
• JXplorer, available at http://www.jxplorer.org
• LDAP Admin Tool, available at http://www.ldapsoft.com
• LDAP Account Manager, available at http://www.ldap-account-manager.org
• LEX - The LDAP Explorer, available at http://www.ldapexplorer.com
• LDAP Admin, available at http://www.ldapadmin.org
• Active Directory Explorer, available at http://technet.microsoft.com
• LDAP Administration Tool, available at http://sourceforge.net
• LDAP Search, available at http://securityxploded.com
• Active Directory Domain Services Management Pack, available at http://www.microsoft.com
• LDAP Browser/Editor, available at http://www.novell.com
Module Flow
Often, the NTP server is overlooked in terms of security. But, if queried properly, it can also provide a lot of valuable network information to the attackers. Therefore, it is necessary to test what information an attacker can enumerate about your network through NTP enumeration.
Module flow: Enumeration Concepts, NetBIOS Enumeration, SNMP Enumeration, UNIX/Linux Enumeration, LDAP Enumeration, NTP Enumeration, SMTP Enumeration, DNS Enumeration, Enumeration Countermeasures, Enumeration Pen Testing.
This section describes what NTP is, what information can be extracted through NTP enumeration, and NTP enumeration commands.
NTP Enumeration
• Network Time Protocol (NTP) is designed to synchronize clocks of networked computers
• It uses UDP port 123 as its primary means of communication
• It can achieve accuracies of 200 microseconds or better in local area networks under ideal conditions
• NTP can maintain time to within 10 milliseconds (1/100 seconds) over the public Internet
Attacker queries the NTP server to gather valuable information such as:
• List of hosts connected to the NTP server
• Clients' IP addresses in a network, their system names and OSs
• Internal IPs can also be obtained if the NTP server is in the DMZ
NTP Enumeration
Before beginning with NTP enumeration, let's first discuss what NTP is. NTP is a network protocol designed to synchronize the clocks of networked computer systems. NTP is important when using Directory Services. It uses UDP port 123 as its primary means of communication. NTP can maintain time to within 10 milliseconds (1/100 seconds) over the public Internet. It can achieve accuracies of 200 microseconds or better in local area networks under ideal conditions.
Through NTP enumeration, you can gather information such as the list of hosts connected to the NTP server, and the IP addresses, system names, and OSs of the client systems in a network. All this information can be enumerated by querying the NTP server. If the NTP server is in the DMZ, then it may also be possible to obtain internal IPs.
NTP Enumeration Commands
ntptrace
• Traces a chain of NTP servers back to the primary source
ntptrace [ -vdn ] [ -r retries ] [ -t timeout ] [ server ]
ntpdc
• Monitors operation of the NTP daemon, ntpd
/usr/bin/ntpdc [-n] [-v] host1 | IPaddress1...
ntpq
• Monitors NTP daemon ntpd operations and determines performance
ntpq [-inp] [-c command] [host] [...]
[Screenshots: an ntpdc session listing its commands (addpeer, addrefclock, addserver, addtrap, authinfo, broadcast, clkbug, clockstat, clrtrap, controlkey, ctlstats, debug, delay, delrestrict, disable, dmpeers, enable, exit, fudge, help, host, hostnames, ifreload, ifstats, iostats, kerninfo, keyid, keytype, listpeers, loopinfo, monlist, passwd, peers, preset, pstats, quit, readkeys, requestkey, reset, reslist, restrict, showpeer, sysinfo, sysstats, timerstats, traps, trustedkey, untrustedkey, version) followed by an "ntpdc> monlist" query whose table shows remote address, port, local address, count and timing columns for each client that has talked to the server; an ntpq session listing its commands (clearvars, clocklist, config-from-file, cooked, cv, debug, keyid, keytype, lopeers, lpassociations, lpeers, mreadlist, passociations, passwd, poll, pstatus, quit, raw, readlist, saveconfig, showvars, version, writelist, writevar) followed by an "ntpq> readlist" query returning associd and status, version, processor, system, leap, stratum, precision, rootdelay, rootdisp, refid, reftime, clock, peer, offset, frequency, sys_jitter, clk_jitter and clk_wander]
ntpdc: monlist query
ntpq: readlist query
NTP Enumeration Commands
NTP enumeration can be performed using the NTP suite command-line tools. The NTP suite is used for querying the NTP server to get the desired information from NTP. It includes the following commands:
• ntptrace
• ntpdc
• ntpq
These commands will help you extract data from the NTP prot

Wait - I must not leave that. Correct text:
These commands will help you extract data from the NTP protocol used in the target network.
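Of the three commands, ntpq's readlist (the query shown on the slide above) is the one that returns the server's software and platform details. The following Python script is an added example (not part of the NTP suite or the courseware) that parses a constructed `ntpq -c readlist` transcript laid out the way ntpq prints it, keeping the status flags and the timestamps, whose values contain commas and spaces, attached to their variable and handling the quoted version string, and then lists the variables that identify the server software. The sample values are invented, not captured from a server.

```python
"""Parse `ntpq -c readlist` output and report which system variables the server
discloses to unauthenticated mode-6 queries.  Added example; not part of the NTP
suite or the courseware."""
import re
from typing import Dict, List

# Constructed sample in the layout ntpq prints; values are invented, not a capture.
READLIST_SAMPLE = """\
associd=0 status=0615 leap_none, sync_ntp, 1 event, clock_sync,
version="ntpd 4.2.6p3@1.2290-o Tue Jun  5 20:17:11 UTC 2012 (1)",
processor="i686", system="Linux/3.2.0-23-generic-pae", leap=00,
stratum=3, precision=-22, rootdelay=141.734, rootdisp=101.034,
refid=203.0.113.10,
reftime=d3e19d3d.e10cbb7b  Fri, Aug 24 2012 11:37:09.880,
clock=d3e19e4f.ac3412cc  Fri, Aug 24 2012 12:01:43.672, peer=30477, tc=6,
mintc=3, offset=4.020, frequency=8.008, sys_jitter=5.179,
clk_jitter=3.672, clk_wander=0.280
"""

KEY_VALUE = re.compile(r"^(\w+)=(.*)$")
# Variables that tell a remote party what software and platform the server runs.
DISCLOSING = ("version", "processor", "system", "refid")


def split_on_commas(text: str) -> List[str]:
    """Split on commas that are outside double quotes, after collapsing line breaks."""
    tokens: List[str] = []
    current: List[str] = []
    in_quote = False
    for ch in " ".join(text.split()):
        if ch == '"':
            in_quote = not in_quote
        if ch == "," and not in_quote:
            tokens.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    if "".join(current).strip():
        tokens.append("".join(current).strip())
    return tokens


def parse_readlist(text: str) -> Dict[str, str]:
    """Return name -> value.  A word without '=' continues the previous value, which is
    how the status flags ("0615 leap_none, sync_ntp, ...") and the reftime/clock
    timestamps stay attached to their variable despite the commas inside them."""
    variables: Dict[str, str] = {}
    current = None
    in_quote = False
    for token in split_on_commas(text):
        if not token:
            continue
        first_word = True
        for word in token.split(" "):
            m = KEY_VALUE.match(word)
            if m and not in_quote:
                current = m.group(1)
                variables[current] = m.group(2)
            elif current is not None:
                variables[current] += (", " if first_word else " ") + word
            first_word = False
            if current is not None:     # track an unterminated quoted value
                in_quote = variables[current].count('"') % 2 == 1
    return {name: value.strip('"') for name, value in variables.items()}


def disclosed_details(variables: Dict[str, str]) -> Dict[str, str]:
    """The subset of variables an operator usually hides with a noquery restriction."""
    return {name: variables[name] for name in DISCLOSING if name in variables}


if __name__ == "__main__":
    parsed = parse_readlist(READLIST_SAMPLE)
    for name, value in disclosed_details(parsed).items():
        print(f"{name}: {value}")
```

Run against your own server's output, the printed variables are what any remote party can read. On ntpd, a "restrict default ... noquery" line in ntp.conf denies mode-6 (ntpq) and mode-7 (ntpdc) queries from the named scope while still serving time, so an empty result from this script is the expected state for a server reachable from untrusted networks.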
ntptrace:
This command helps you determine from where the NTP server updates its time and traces the chain of NTP servers from a given host back to the primary source.
Syntax: ntptrace [-vdn] [-r retries] [-t timeout] [servername/IP_address]
Example:
# ntptrace
localhost: stratum 4, offset 0.0019529, synch distance 0.143235