JSIIT
System Intrusion and Computer Forensic Module
Module code: CSM203
Assignment Presentation on SYSTEM ENUMERATION TCP/UDP PORT
By Yusif Suleiman, 2308-0703-0223
Instructor: Mr Bashi
In Partial Fulfillment for the Award of IADNCS, 2012
INTRODUCTION

Enumeration
Enumeration is the first attack on the target network. It is the process of gathering information about user names, machine names, network resources, shares and services. Enumeration makes a fixed, active connection to the target system.

Although File Transfer Protocol (FTP) is becoming less common on the Internet, connecting to and examining the content of FTP repositories remains one of the simplest and potentially most lucrative enumeration techniques. We've seen many public web servers that used FTP for uploading web content, providing an easy vector for uploading malicious executables. Typically, the availability of easily accessible file-sharing services quickly becomes widespread knowledge, and public FTP sites end up hosting sensitive and potentially embarrassing content. Even worse, many such sites are configured for anonymous access.
Techniques used for Enumeration

CMD commands: there are many cmd commands, and they are more EFFECTIVE in local area connections than the Windows OS tools :)

net use (works only in XP and 2000)
  Syntax:  net use \\<ip address>\IPC$ "" /u:""
  Example: net use \\192.168.2.2\IPC$ "" /u:""
  Definition: connects to the hidden inter-process communication share (IPC$) of 192.168.2.2 as the built-in anonymous user (/u:"") with a null password ("").

nbtstat (tested and worked)
  Syntax:  nbtstat -A <ip address>
  Example: nbtstat -A 192.168.2.4
  Use: returns the NetBIOS name table and the MAC address of the system.

FTP enumeration
  Syntax:  ftp <ftp servername>
  Example: ftp ftp.gnuplot.info
Techniques (continued)

telnet
  Syntax:  telnet <URL/IP> <port number>
  Example: telnet www.csice.edu.in 80 (HTTP port number)
  Use: connect to a server on a given port

Common port numbers:
  Service   Port
  http      80
  ftp       21
  telnet    23
  smtp      25
  dns       53
  tftp      69
  finger    79
  NetBIOS   137
Tools used for Enumeration

SuperScan

IP Tools - gives information through these modules:
  Local Info - examines the local host and shows info about processor, memory, Winsock data, etc.
  Connection Monitor - displays information about current TCP and UDP network connections
  NetBIOS Info - gets NetBIOS information about network interfaces (local and remote computers)
  NB Scanner - shared resources scanner
  SNMP Scanner - scans network(s) for SNMP-enabled devices
  Name Scanner - scans all hostnames within a range of IP addresses
  Port Scanner - scans network(s) for active TCP-based services
  UDP Scanner - scans network(s) for active UDP-based services
  Ping Scanner - pings remote hosts over the network
  Trace - traces the route to a remote host over the network
  WhoIs - obtains information about an Internet host or domain name from the NIC (Network Information Center)
  Finger - retrieves information about a user from a remote host
  LookUp - looks up a domain name from its IP address, or an IP address from its domain name
  GetTime - gets the time from time servers (it can also set the correct time on the local system)
  Telnet - telnet client
  HTTP - HTTP client
  IP-Monitor - shows network traffic in real time (as a set of charts)
  Host Monitor - monitors the up/down status of selected hosts
  Trap Watcher - allows you to receive and process SNMP Trap messages

SoftPerfect Network Scanner - features:
  > Pings computers and displays those alive.
  > Detects hardware MAC addresses, even across routers.
  > Detects hidden shared folders and writable ones.
  > Detects your internal and external IP addresses.
  > Scans for listening TCP ports, some UDP and SNMP services.
  > Retrieves currently logged-on users, configured user accounts, uptime, etc.
  > You can mount and explore network resources.
  > Can launch external third-party applications.
  > Exports results to HTML, XML, CSV and TXT.
  > Supports Wake-On-LAN, remote shutdown and sending network messages.
  > Retrieves potentially any information via WMI.
  > Retrieves information from the remote registry, file system and service manager.
Enumeration Ports

FTP Enumeration, TCP 21
FTP port 21 open
  Fingerprint server: telnet ip_address 21 (banner grab)
  Run command: ftp ip_address
  Check for anonymous access:
    ftp ip_address
    Username: anonymous OR anon
    Password: [email protected]
  Password guessing: Hydra, Medusa, Brutus (brute force)
  Examine configuration files: ftpusers, ftp.conf, proftpd.conf
  MiTM: pasvagg.pl
SMTP, TCP 25 - version of popular SMTP server software
  sendmail versions greater than 8 offer syntax that can be embedded in the sendmail.cf file to disable, or require authentication for, the VRFY and EXPN commands
  • Has two commands, VRFY and EXPN, which reveal the actual delivery addresses of aliases and mailing lists
  • Eg: telnet 10.219.100.1 25

Enumerating SMTP, TCP 25
Sendmail port 25 open
  Fingerprint server: telnet ip_address 25 (banner grab)
  Mail server testing - enumerate users:
    VRFY username (verifies whether username exists - enumeration of accounts)
    EXPN username (expands an alias or mailing list to its delivery addresses - enumeration of accounts)
  Mail spoof test:
    HELO anything
    MAIL FROM: spoofed_address
    RCPT TO: valid_mail_account
    DATA
    .
    QUIT
  Mail relay test:
    HELO anything
    Identical to/from - mail from: <nobody@domain> rcpt to: <nobody@domain>
    Unknown domain - mail from: <user@unknown_domain>
    Domain not present - mail from: <user@localhost>
    Domain not supplied - mail from: <user>
    Source address omission - mail from: <> rcpt to: <nobody@recipient_domain>
    Use IP address of target server - mail from: <user@IP_Address> rcpt to: <nobody@recipient_domain>
    Use double quotes - mail from: <user@domain> rcpt to: <"user@recipient-domain">
    Use IP address of the target server - mail from: <user@domain> rcpt to: <nobody@recipient_domain@[IP Address]>
    Disparate formatting - mail from: <user@[IP Address]> rcpt to: <@domain:nobody@recipient-domain>
    Disparate formatting 2 - mail from: <user@[IP Address]> rcpt to: <recipient_domain!nobody@[IP Address]>
  Examine configuration files: sendmail.cf, submit.cf
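The VRFY/EXPN probes and relay tests above are what the tester types; what follows is an added example, not part of the presentation, showing the same session from the mail administrator's side. It is a small Python analyzer that reads the client commands of a captured SMTP session and flags account probing and relay attempts (sender and recipient both outside the server's own domains). The local domain set, the transcript and every address in it are constructed for the example.

```python
"""Flag SMTP account-enumeration and open-relay probes in a captured command stream.

Added example, not from the original presentation.  It reads the client side of
an SMTP session (the commands an admin sees in a protocol trace or verbose
server log) and reports VRFY/EXPN probing and relay attempts, i.e. MAIL FROM and
RCPT TO that are both outside the domains this server accepts mail for.
"""
import re

# Assumption for the example: the domains this server is authoritative for.
# Add the server's own IP literal (e.g. "[192.0.2.1]") if that form should count as local.
LOCAL_DOMAINS = {"example.com", "mail.example.com"}

# Constructed transcript of one session, mirroring the relay tests listed above.
SESSION = """\
HELO anything
VRFY root
VRFY admin
EXPN staff
MAIL FROM: <attacker@evil.example>
RCPT TO: <victim@other.example>
MAIL FROM: <>
RCPT TO: <nobody@example.com>
MAIL FROM: <user@[192.0.2.10]>
RCPT TO: <@example.com:nobody@other.example>
MAIL FROM: <user@[192.0.2.10]>
RCPT TO: <other.example!nobody@[192.0.2.10]>
QUIT
"""

ADDR_RE = re.compile(r"<([^>]*)>")


def address_domain(field):
    """Return the delivery domain of a MAIL FROM / RCPT TO argument, lower-cased.

    Source routes (<@relay:user@dest>) are reduced to the final address, the way
    a relay would interpret them; '' is returned for the null sender <> and for
    bare local parts (no '@').
    """
    m = ADDR_RE.search(field)
    addr = (m.group(1) if m else field).strip()
    if addr.startswith("@") and ":" in addr:      # <@domain:user@dest> source route
        addr = addr.split(":", 1)[1]
    if "@" not in addr:
        return ""
    return addr.rpartition("@")[2].lower()


def analyze_session(transcript, local_domains=LOCAL_DOMAINS):
    """Return the count of VRFY/EXPN probes and the RCPT lines that look like relaying."""
    findings = {"vrfy_expn": 0, "relay_attempts": []}
    sender_domain = ""
    for raw in transcript.splitlines():
        verb, _, arg = raw.strip().partition(" ")
        verb = verb.upper()
        if verb in ("VRFY", "EXPN"):
            findings["vrfy_expn"] += 1
        elif verb == "MAIL":
            sender_domain = address_domain(arg.partition(":")[2])
        elif verb == "RCPT":
            rcpt_domain = address_domain(arg.partition(":")[2])
            # Mail for a local user is always acceptable (that covers the spoof test,
            # which only SPF/DKIM can catch); an outside or null sender to an
            # outside recipient is a relay attempt.
            if rcpt_domain and rcpt_domain not in local_domains \
                    and sender_domain not in local_domains:
                findings["relay_attempts"].append(raw.strip())
    return findings


if __name__ == "__main__":
    print(analyze_session(SESSION))
```

Running the block on the constructed session reports three VRFY/EXPN probes and three relay attempts; the null-sender message to a local mailbox is not flagged, because bounces with an empty reverse path are legitimate inbound mail.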
DNS port 53 open
  Fingerprint server/service: host
    host [-aCdlnrTwv] [-c class] [-N ndots] [-R number] [-t type] [-W wait] name [server]
      -v  verbose format
      -t  (query type) allows a user to specify a record type, i.e. A, NS or PTR
      -a  same as -t ANY
      -l  zone transfer (if allowed)
      -f  save to a specified filename
  nslookup
    nslookup [-option ...] [host-to-find | - [server]]
  dig
    dig [@server] [-b address] [-c class] [-f filename] [-k filename] [-p port#] [-t type] [-x addr] [-y name:key] [-4] [-6] [name] [type] [class] [queryopt...]
  whois
    -h  use the named host to resolve the query
    -a  use ARIN to resolve the query
    -r  use RIPE to resolve the query
    -p  use APNIC to resolve the query
    -Q  perform a quick lookup
  DNS enumeration - BiLE Suite
    perl BiLE.pl [website] [project_name]
    perl BiLE-weigh.pl [website] [input file]
    perl vet-IPrange.pl [input file] [true domain file] [output file] <range>
    perl vet-mx.pl [input file] [true domain file] [output file]
    perl exp-tld.pl [input file] [output file]
    perl jarf-dnsbrute [domain_name] (brutelevel) [file_with_names]
    perl qtrace.pl [ip_address_file] [output_file]
    perl jarf-rev [subnetblock] [nameserver]
  txdns
    txdns -rt -t domain_name
    txdns -x 50 -bb domain_name
    txdns --verbose -fm wordlist.dic --server ip_address -rr SOA domain_name -h c:\hostlist.txt
  Examine configuration files: host.conf, resolv.conf, named.conf

DNS Zone Transfer, TCP 53
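The zone transfer listed above (host -l) succeeds only when the name server's configuration lets it. The following added example, not part of the presentation, audits the named.conf mentioned under "Examine configuration files" from the administrator's side: it walks the options and zone blocks and reports each zone as open, restricted or closed for transfers. The configuration fragment, the zone names and the secondary's address are constructed; where no allow-transfer exists anywhere the audit assumes the permissive historical BIND default and reports the zone as open.

```python
"""Audit a BIND named.conf for zones that allow zone transfers to anyone.

Added example, not from the original presentation.  A zone with no
allow-transfer of its own inherits the one in the options block; when neither
exists this audit assumes the permissive historical BIND default and reports the
zone as open, which is the conservative reading for a defender.
"""
import re

# Constructed named.conf fragment for the example.
NAMED_CONF = """\
options {
    directory "/var/named";
    allow-transfer { 192.0.2.53; };   // secondary name server
};

zone "example.com" {
    type master;
    file "example.com.zone";
    allow-transfer { any; };          # anyone may pull the whole zone
};

zone "internal.example" {
    type master;
    file "internal.zone";
};

zone "public.example" {
    type master;
    file "public.zone";
    allow-transfer { none; };
};
"""

ALLOW_TRANSFER_RE = re.compile(r"allow-transfer\s*\{([^}]*)\}", re.IGNORECASE)


def top_level_blocks(text):
    """Yield (header, body) for every top-level `header { body };` statement."""
    pos = 0
    while True:
        start = text.find("{", pos)
        if start == -1:
            return
        header = text[pos:start].strip(" \t\r\n;")
        depth, end = 0, start
        for end in range(start, len(text)):       # find the matching close brace
            if text[end] == "{":
                depth += 1
            elif text[end] == "}":
                depth -= 1
                if depth == 0:
                    break
        yield header, text[start + 1:end]
        pos = end + 1


def allow_transfer_acl(body):
    """ACL elements of the first allow-transfer clause in body, or None if absent."""
    m = ALLOW_TRANSFER_RE.search(body)
    if not m:
        return None
    return [item.strip().lower() for item in m.group(1).split(";") if item.strip()]


def audit_zone_transfers(conf):
    """Map each zone name to 'open', 'restricted' or 'closed'."""
    conf = re.sub(r"(//|#)[^\n]*", "", conf)          # drop line comments
    default_acl, zone_acls = None, {}
    for header, body in top_level_blocks(conf):
        if header == "options":
            default_acl = allow_transfer_acl(body)
        elif header.startswith("zone"):
            zone_acls[header.split('"')[1]] = allow_transfer_acl(body)
    verdicts = {}
    for name, acl in zone_acls.items():
        effective = acl if acl is not None else default_acl
        if effective is None or "any" in effective:
            verdicts[name] = "open"
        elif effective == ["none"]:
            verdicts[name] = "closed"
        else:
            verdicts[name] = "restricted"
    return verdicts


if __name__ == "__main__":
    for zone, verdict in audit_zone_transfers(NAMED_CONF).items():
        print(f"{zone:20} {verdict}")
```

On the constructed file, example.com is reported open, internal.example restricted (it inherits the secondary's address from options) and public.example closed; the fix for an open zone is the same allow-transfer clause listing only the secondaries.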
TFTP port 69 open - TFTP enumeration
  tftp ip_address PUT local_file
  tftp ip_address GET conf.txt (or other files)
  SolarWinds TFTP server
  tftp -i <IP> GET /etc/passwd (old Solaris)
  TFTP bruteforcing: TFTP bruteforcer, Cisco-Torch

TFTP, TCP/UDP 69 - Trivial File Transfer Protocol, for unauthenticated file transfers using UDP port 69
  • It is trivial to copy a poorly secured /etc/passwd:
    $ tftp 192.168.202.34
    tftp> get /etc/passwd /tmp/passwd.cracklater
    tftp> quit

Enumerating TFTP, TCP/UDP 69
Finger port 79 open
  User enumeration:
    finger 'a b c d e f g h' @example.com
    finger [email protected]
    finger [email protected]
    finger [email protected]
    finger [email protected]
    finger **@example.com
    finger [email protected]
    finger @example.com
  Command execution:
    finger "|/bin/[email protected]"
    finger "|/bin/ls -a /@example.com"
  Finger bounce:
    finger user@host@victim
    finger @internal@externa

Finger, TCP/UDP 79
Web ports 80, 8080 etc. open
  Fingerprint server: telnet ip_address port
  Firefox plugins:
    All: firecat
    Specific: add n edit cookies, asnumber, header spy, live http headers, shazou, web developer
  Crawl website:
    lynx [options] startfile/URL (options include -traversal -crawl -dump -image_links -source)
    httprint
  Metagoofil: metagoofil.py -d [domain] -l [no. of] -f [type] -o results.html
  Web directory enumeration:
    Nikto: nikto [-h target] [options]
    DirBuster, Wikto, Goolag Scanner

Enumerating HTTP, TCP 80
Enumeration: Microsoft RPC port 135, NetBIOS ports UDP 137 and TCP 139
  Enum: enum <-UMNSPGLdc> <-u username> <-p password> <-f dictfile> <hostname|ip>
  Null session:
    net use \\192.168.1.1\ipc$ "" /u:""
    net view \\ip_address
  Dumpsec
  Smbclient: smbclient -L //server/share password options
  Superscan: Enumeration tab
  user2sid/sid2user
  Winfo
  NetBIOS brute force: Hydra, Brutus, Cain & Abel, getacct, NAT (NetBIOS Auditing Tool)
  Examine configuration files: smb.conf, lmhosts

Enumerating Microsoft RPC Endpoint Mapper (MSRPC), TCP 135
NetBIOS Name Service Enumeration, UDP 137
NetBIOS Session Enumeration, TCP 139
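The null-session commands above leave a recognisable trace on the machine being enumerated. The following added example, not part of the presentation, correlates Windows Security events the way a detection rule would: a network logon (event 4624, logon type 3) by NT AUTHORITY\ANONYMOUS LOGON, SID S-1-5-7, followed shortly by access to the IPC$ share (event 5140) from the same source address. The event records, timestamps and addresses are constructed dicts using the Security log's field names; a real pipeline would feed them from the event log.

```python
"""Correlate Windows Security events to spot null-session enumeration.

Added example, not from the original presentation.  A null session appears on the
target as a network logon (event 4624, logon type 3) by ANONYMOUS LOGON
(SID S-1-5-7) followed by access to the IPC$ share (event 5140) from the same
source address.  The events below are constructed; field names follow the
Security log.
"""
from collections import Counter
from datetime import datetime, timedelta

ANONYMOUS_SID = "S-1-5-7"

EVENTS = [  # constructed sample, in time order
    {"time": "2012-05-01T10:00:01", "EventID": 4624, "LogonType": 3,
     "TargetUserName": "ANONYMOUS LOGON", "TargetUserSid": ANONYMOUS_SID,
     "IpAddress": "192.168.1.50"},
    {"time": "2012-05-01T10:00:02", "EventID": 5140, "SubjectUserSid": ANONYMOUS_SID,
     "ShareName": r"\\*\IPC$", "IpAddress": "192.168.1.50"},
    {"time": "2012-05-01T10:05:00", "EventID": 4624, "LogonType": 3,
     "TargetUserName": "jsmith", "TargetUserSid": "S-1-5-21-1-2-3-1105",
     "IpAddress": "192.168.1.77"},
    {"time": "2012-05-01T10:05:01", "EventID": 5140, "SubjectUserSid": "S-1-5-21-1-2-3-1105",
     "ShareName": r"\\*\Finance", "IpAddress": "192.168.1.77"},
    {"time": "2012-05-01T11:30:00", "EventID": 4624, "LogonType": 3,
     "TargetUserName": "ANONYMOUS LOGON", "TargetUserSid": ANONYMOUS_SID,
     "IpAddress": "192.168.1.9"},
    {"time": "2012-05-01T11:40:00", "EventID": 5140, "SubjectUserSid": ANONYMOUS_SID,
     "ShareName": r"\\*\IPC$", "IpAddress": "192.168.1.9"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def _is_anonymous_logon(event):
    return (event["EventID"] == 4624 and event.get("LogonType") == 3
            and event.get("TargetUserSid") == ANONYMOUS_SID)


def anonymous_logons_by_source(events):
    """Count anonymous network logons per source IP (a measure of recon noise)."""
    return Counter(e["IpAddress"] for e in events if _is_anonymous_logon(e))


def detect_null_sessions(events, window_seconds=120):
    """Return (source_ip, logon_time) for each anonymous logon that was followed
    within window_seconds by an IPC$ share access from the same source."""
    window = timedelta(seconds=window_seconds)
    ipc_access = [e for e in events
                  if e["EventID"] == 5140 and e.get("SubjectUserSid") == ANONYMOUS_SID
                  and e.get("ShareName", "").upper().endswith("IPC$")]
    hits = []
    for logon in events:
        if not _is_anonymous_logon(logon):
            continue
        t0 = _ts(logon)
        if any(a["IpAddress"] == logon["IpAddress"] and t0 <= _ts(a) <= t0 + window
               for a in ipc_access):
            hits.append((logon["IpAddress"], logon["time"]))
    return hits


if __name__ == "__main__":
    print(anonymous_logons_by_source(EVENTS))
    print(detect_null_sessions(EVENTS))
```

Event 5140 is only written when the "Audit File Share" subcategory is enabled, so the correlation needs that policy on the hosts being watched. Anonymous network logons also occur for legitimate reasons on some networks, which is why the rule pairs them with IPC$ access rather than alerting on every 4624 for S-1-5-7.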
SNMP port 161 open
  Default community strings: public, private, cisco, cable-docsis, ILMI
  MIB enumeration (Windows NT):
    .1.3.6.1.2.1.1.5           Hostnames
    .1.3.6.1.4.1.77.1.4.2      Domain Name
    .1.3.6.1.4.1.77.1.2.25     Usernames
    .1.3.6.1.4.1.77.1.2.3.1.1  Running Services
    .1.3.6.1.4.1.77.1.2.27     Share Information
  SolarWinds MIB walk, Getif, snmpwalk:
    snmpwalk -v <Version> -c <Community string> <IP>
  Snscan
  Applications - ZyXel:
    snmpget -v2c -c <Community String> <IP> 1.3.6.1.4.1.890.1.2.1.2.6.0
    snmpwalk -v2c -c <Community String> <IP> 1.3.6.1.4.1.890.1.2.1.2
  SNMP bruteforce:
    onesixtyone: onesixtyone -c SNMP.wordlist <IP>
    cat: ./cat -h <IP> -w SNMP.wordlist
    SolarWinds SNMP Brute Force, ADMsnmp
  Examine SNMP configuration files: snmp.conf, snmpd.conf, snmp-config.xml

SNMP Enumeration, UDP 161
BGP Enumeration, TCP 179

The Border Gateway Protocol (BGP) is the de facto routing protocol on the Internet and is used by routers to propagate the information necessary to route IP packets to their destinations. By looking at the BGP routing tables, you can determine the networks associated with a particular corporation to add to your target host matrix. Not all networks connected to the Internet "speak" BGP, and this method may not work with your corporate network. Only networks that have more than one uplink use BGP, and these are typically medium-to-large organizations.

The methodology is simple. Here are the steps to perform BGP route enumeration:
1. Determine the Autonomous System Number (ASN) of the target organization.
2. Execute a query on the routers to identify all networks where the AS Path terminates with the organization's ASN.

The BGP protocol uses IP network addresses and ASNs exclusively. The ASN is a 16-bit integer that an organization purchases from ARIN to identify itself on the network. You can think of an ASN as an IP address for an organization. Because you cannot execute commands on a router using a company name, the first step is to determine the ASN for an organization. There are two techniques to do this, depending on what type of information you have. One approach, if you have the company name, is to perform a whois search with the ASN keyword.

Alternatively, if you have an IP address for the organization, you can query a router and use the last entry in the AS Path as the ASN. For example, you can telnet to a public router and perform the following commands:

C:\> telnet route-views.oregon-ix.net
User Access Verification
Username: rviews
route-views.oregon-ix.net> show ip bgp 63.79.158.1
BGP routing table entry for 63.79.158.0/24, version 7215687
Paths: (29 available, best #14)
  Not advertised to any peer
  8918 701 16394 16394
    212.4.193.253 from 212.4.193.253 (212.4.193.253)
      Origin IGP, localpref 100, valid, external
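Reading the ASN off the end of the AS path by eye is easy for one entry; doing it for many prefixes is where mistakes creep in, especially when an origin AS repeats itself at the end of the path (prepending). The following added example, not part of the presentation, parses the `show ip bgp` output above and recovers the originating ASN for each path. The first path is the one shown in the presentation; the second path, with the documentation ASN 64496 and the address 198.51.100.1, is constructed to show that every path to the prefix agrees on the origin.

```python
"""Parse `show ip bgp <address>` output and recover the originating ASN.

Added example, not from the original presentation.  Step 1 of the method above
uses the last entry of the AS path as the organisation's ASN; this parser does
that for every path in the entry and also counts AS-path prepending (the same
ASN repeated at the end of the path), which is traffic engineering, not a second
AS.  The second path in the sample is constructed (documentation ASN 64496).
"""
import re

SHOW_IP_BGP = """\
BGP routing table entry for 63.79.158.0/24, version 7215687
Paths: (29 available, best #14)
  Not advertised to any peer
  8918 701 16394 16394
    212.4.193.253 from 212.4.193.253 (212.4.193.253)
      Origin IGP, localpref 100, valid, external
  64496 16394
    198.51.100.1 from 198.51.100.1 (198.51.100.1)
      Origin IGP, localpref 100, valid, external, best
"""

ENTRY_RE = re.compile(r"BGP routing table entry for (\S+),")
# A path line is nothing but whitespace-separated AS numbers, optionally followed
# by a comma and router annotations such as ", (received & used)".
PATH_RE = re.compile(r"^\s*((?:\d+\s+)*\d+)\s*(?:,.*)?$")


def parse_show_ip_bgp(output):
    """Return (prefix, [as_path, ...]) with each AS path as a list of ints."""
    prefix, paths = None, []
    for line in output.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            prefix = m.group(1)
            continue
        m = PATH_RE.match(line)
        if m:
            paths.append([int(asn) for asn in m.group(1).split()])
    return prefix, paths


def origin_asn(as_path):
    """The last AS in the path is the one originating the prefix."""
    return as_path[-1]


def summarize(output):
    prefix, paths = parse_show_ip_bgp(output)
    return {
        "prefix": prefix,
        "paths": paths,
        "origin_asns": sorted({origin_asn(p) for p in paths}),
        "prepended_paths": sum(1 for p in paths if len(p) > 1 and p[-1] == p[-2]),
    }


if __name__ == "__main__":
    print(summarize(SHOW_IP_BGP))
```

For the sample both paths end in 16394, so that is the ASN to carry into step 2; the first path shows 16394 prepended once, which the summary counts rather than treating as a distinct AS. A prefix whose paths disagree on the origin ASN deserves a second look before it is attributed to an organization.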
LDAP port 389 open - LDAP enumeration
  ldapminer: ldapminer -h ip_address -p port (not required if default) -d
  luma: GUI-based tool
  ldp: GUI-based tool
  openldap:
    ldapsearch [-n] [-u] [-v] [-k] [-K] [-t] [-A] [-L[L[L]]] [-M[M]] [-d debuglevel] [-f file] [-D binddn] [-W] [-w passwd] [-y passwdfile] [-H ldapuri] [-h ldaphost] [-p ldapport] [-P 2|3] [-b searchbase] [-s base|one|sub] [-a never|always|search|find] [-l timelimit] [-z sizelimit] [-O security-properties] [-I] [-U authcid] [-R realm] [-x] [-X authzid] [-Y mech] [-Z[Z]] filter [attrs...]
    ldapadd [-c][-S file][-n][-v][-k][-K][-M[M]][-d debuglevel][-D binddn][-W][-w passwd][-y passwdfile][-h ldaphost][-p ldap-port][-P 2|3][-O security-properties][-I][-Q][-U authcid][-R realm][-x][-X authzid][-Y mech][-Z[Z]][-f file]
    ldapdelete [-n][-v][-k][-K][-c][-M[M]][-d debuglevel][-f file][-D binddn][-W][-w passwd][-y passwdfile][-H ldapuri][-h ldaphost][-P 2|3][-p ldapport][-O security-properties][-U authcid][-R realm][-x][-I][-Q] [-X authzid][-Y mech][-Z[Z]][dn]
    ldapmodify [-a][-c][-S file][-n][-v][-k][-K][-M[M]][-d debuglevel][-D binddn][-W][-w passwd][-y passwdfile][-H ldapuri][-h ldaphost][-p ldapport][-P 2|3][-O security-properties][-I][-Q][-U authcid][-R realm][-x][-X authzid][-Y mech][-Z[Z]][-f file]
    ldapmodrdn [-r][-n][-v][-k][-K][-c][-M[M]][-d debuglevel][-D binddn][-W][-w passwd][-y passwdfile] [-H ldapuri][-h ldaphost][-p ldapport][-P 2|3][-O security-properties][-I][-Q][-U authcid][-R realm][-x] [-X authzid][-Y mech][-Z[Z]][-f file][dn rdn]

Windows Active Directory LDAP Enumeration, TCP/UDP 389 & 3268

LDAP brute force
  bf_ldap: bf_ldap -s server -d domain name -u|-U username | users list file name -L|-l passwords list | length of passwords to generate; optional: -p port (default 389) -v (verbose mode) -P LDAP user path (default ,CN=Users,)
  K0ldS, LDAP_Brute.pl
Examine configuration files
  General: containers.ldif, ldap.cfg, ldap.conf, ldap.xml, ldap-config.xml, ldap-realm.xml, slapd.conf
  IBM SecureWay V3 server: V3.sas.oc
  Microsoft Active Directory server: msadClassesAttrs.ldif
  Netscape Directory Server 4: nsslapd.sas_at.conf, nsslapd.sas_oc.conf
  OpenLDAP directory server: slapd.sas_at.conf, slapd.sas_oc.conf
  Sun ONE Directory Server 5.1: 75sas.ldif
Novell NetWare Enumeration, TCP 524 and IPX

Microsoft Windows is not alone with its "null session" holes. Novell's NetWare has a similar problem; actually it is worse. Novell practically gives up the information farm, all without authenticating to a single server or tree. Old NetWare 3.x and 4.x servers (with Bindery Context enabled) have what can be called the "Attach" vulnerability, allowing anyone to discover servers, trees, groups, printers, and usernames without logging into a single server.

See the reference for how easily this is done and for recommendations on plugging these information holes.

NetWare Enumeration via Network Neighborhood

The first step to enumerating a Novell network is to learn about the servers and trees available on the wire. This can be done a number of ways, but none more simply than through the Windows Network Neighborhood. This handy network-browsing utility will query for all Novell servers and NDS trees on the wire. This enumeration occurs over IPX on traditional NetWare networks, or via NetWare Core Protocol (NCP, TCP 524) for NetWare 5 or greater servers running "pure" TCP/IP (the NetWare client software essentially wraps IPX in an IP packet with destination port TCP 524). Although you cannot drill down into the Novell NDS tree without logging into the tree itself, this capability represents the initial baby steps leading to more serious attacks.
UNIX RPC Enumeration, TCP/UDP 111 and UNIX RPC Enumeration, TCP/UDP 111 and 3277132771
Like any network resource, applications need to Like any network resource, applications need to have a way to talk to each other over the wires. have a way to talk to each other over the wires. One of the most popular protocols for doing just One of the most popular protocols for doing just that is Remote Procedure Call (RPC). RPC employs a that is Remote Procedure Call (RPC). RPC employs a service called the portmapper (now known as service called the portmapper (now known as rpcbind) to arbitrate between client requests and rpcbind) to arbitrate between client requests and ports that it dynamically assigns to listening ports that it dynamically assigns to listening applications. Despite the pain it has historically applications. Despite the pain it has historically caused firewall administrators, RPC remains caused firewall administrators, RPC remains extremely popular. The rpcinfo tool is the extremely popular. The rpcinfo tool is the equivalent of finger for enumerating RPC equivalent of finger for enumerating RPC applications listening on remote hosts and can be applications listening on remote hosts and can be targeted at servers found listening on port 111 targeted at servers found listening on port 111 (rpcbind) or 32771 (Sun’s alternate ortmapper) in (rpcbind) or 32771 (Sun’s alternate ortmapper) in previous scans:previous scans:
[root$] rpcinfo -p 192.168.202.34
   program vers proto   port
    100000    2   tcp    111  rpcbind
    100002    3   udp    712  rusersd
    100011    2   udp    754  rquotad
    100005    1   udp    635  mountd
    100003    2   udp   2049  nfs
    100004    2   tcp    778  ypserv

This tells attackers that this host is running rusersd, NFS, and NIS (ypserv is the NIS server). Therefore, rusers, showmount -e, and pscan -n will produce further information (see the references for more tools and discussion). The pscan tool can also be used to enumerate this information by use of the -r switch.
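The exchange that rpcinfo -p performs under the hood, as an added example that is not part of the original presentation and not code from rpcinfo or pscan: a minimal ONC RPC v2 client that sends PMAPPROC_DUMP to the portmapper over TCP and decodes the mapping list. It assumes rpcbind answers over TCP (the UDP transport is not implemented), uses AUTH_NULL credentials, and the program-name and follow-up tables only cover the services from the listing above; sample_reply() is a constructed reply that mirrors that listing, not a capture.

```python
"""Portmapper DUMP client: the RPC exchange behind `rpcinfo -p`.

Added example for this section, not code from the presentation or from
rpcinfo. Speaks ONC RPC v2 (RFC 5531) to rpcbind over TCP 111 with the
standard library only; the program-name table covers the services in the
rpcinfo listing above, anything else is shown as '?'.
"""
import socket
import struct

PMAP_PROG, PMAP_VERS, PMAPPROC_DUMP = 100000, 2, 4
RPC_CALL, RPC_REPLY, RPC_VERSION = 0, 1, 2
MSG_ACCEPTED = SUCCESS = AUTH_NULL = 0
LAST_FRAGMENT = 0x80000000
PROTO_NAMES = {6: "tcp", 17: "udp"}

# RPC program numbers -> names, for the services seen in the listing above.
PROG_NAMES = {100000: "rpcbind", 100002: "rusersd", 100011: "rquotad",
              100005: "mountd", 100003: "nfs", 100004: "ypserv"}
# Follow-up probes the text suggests once a program is found exposed.
FOLLOW_UP = {"rusersd": "rusers -l <host>", "mountd": "showmount -e <host>",
             "nfs": "showmount -e <host>, then mount -t nfs",
             "ypserv": "NIS enumeration (needs the NIS domain name)"}


def build_dump_call(xid: int) -> bytes:
    """Encode PMAPPROC_DUMP as an RPC CALL with AUTH_NULL, TCP record-marked."""
    body = struct.pack(">10I",
                       xid, RPC_CALL, RPC_VERSION, PMAP_PROG, PMAP_VERS, PMAPPROC_DUMP,
                       AUTH_NULL, 0,   # credentials: flavor, opaque length
                       AUTH_NULL, 0)   # verifier:    flavor, opaque length
    return struct.pack(">I", LAST_FRAGMENT | len(body)) + body


def parse_dump_reply(payload: bytes, expected_xid: int) -> list:
    """Decode a REPLY body (record marks removed) into (prog, vers, proto, port)."""
    xid, msg_type, reply_stat = struct.unpack_from(">3I", payload, 0)
    if (xid, msg_type, reply_stat) != (expected_xid, RPC_REPLY, MSG_ACCEPTED):
        raise ValueError("unexpected RPC reply header")
    _flavor, verf_len = struct.unpack_from(">2I", payload, 12)
    off = 20 + ((verf_len + 3) & ~3)          # skip verifier, XDR pads to 4 bytes
    (accept_stat,) = struct.unpack_from(">I", payload, off)
    if accept_stat != SUCCESS:
        raise ValueError(f"portmapper did not accept call: accept_stat={accept_stat}")
    off += 4
    mappings = []
    while struct.unpack_from(">I", payload, off)[0]:   # XDR optional-list 'value follows'
        mappings.append(struct.unpack_from(">4I", payload, off + 4))
        off += 20
    return mappings


def describe(mappings: list) -> list:
    """Rows in rpcinfo -p layout plus a follow-up hint per known program."""
    rows = []
    for prog, vers, proto, port in mappings:
        name = PROG_NAMES.get(prog, "?")
        rows.append((prog, vers, PROTO_NAMES.get(proto, str(proto)), port,
                     name, FOLLOW_UP.get(name, "")))
    return rows


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("short read from portmapper")
        buf += chunk
    return buf


def rpc_dump(host: str, port: int = 111, timeout: float = 5.0) -> list:
    """Live query against rpcbind (port 111, or 32771 on Sun hosts per the text)."""
    xid = 0x5EED1234
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_dump_call(xid))
        payload = b""
        while True:                                # reassemble TCP record fragments
            (mark,) = struct.unpack(">I", _recv_exact(sock, 4))
            payload += _recv_exact(sock, mark & 0x7FFFFFFF)
            if mark & LAST_FRAGMENT:
                break
    return parse_dump_reply(payload, xid)


def sample_reply(xid: int) -> bytes:
    """Constructed reply (not a capture) mirroring the rpcinfo listing above."""
    entries = [(100000, 2, 6, 111), (100002, 3, 17, 712), (100011, 2, 17, 754),
               (100005, 1, 17, 635), (100003, 2, 17, 2049), (100004, 2, 6, 778)]
    out = struct.pack(">3I", xid, RPC_REPLY, MSG_ACCEPTED)
    out += struct.pack(">3I", AUTH_NULL, 0, SUCCESS)       # empty verifier, SUCCESS
    for entry in entries:
        out += struct.pack(">5I", 1, *entry)               # 'value follows' + mapping
    return out + struct.pack(">I", 0)                      # end of list


if __name__ == "__main__":
    for row in describe(parse_dump_reply(sample_reply(7), 7)):
        print("%7d %4d %-4s %5d %-8s %s" % row)
```

Run it as-is to see the constructed listing rendered like rpcinfo -p; call rpc_dump("192.168.202.34") (or port 32771 for the Sun alternate portmapper) to query a real host. Because the request carries no credentials at all, anything the portmapper returns is exactly what an unauthenticated attacker on the network sees.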
SQL Resolution Service Enumeration, UDP 1434

SQL Server (ports 1433 and 1434 open)
SQL enumeration tools: piggy, SQLPing (sqlping ip_address/hostname), SQLPing2, SQLPing3, SQLpoke, SQL Recon, SQLver
SQL brute force tools: SQLPAT (sqlbf), SQL Dict, SQLAT, Hydra, SQLlhf, ForceSQL
    sqlbf -u hashes.txt -d dictionary.dic -r out.rep    (dictionary attack)
    sqlbf -u hashes.txt -c default.cm -r out.rep        (brute-force attack)
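What SQLPing actually sends on UDP 1434, as an added example that is not part of the original presentation and not code from SQLPing, SQLPing2 or SQLPing3: a probe that sends the one-byte CLNT_UCAST_EX request to the SQL Server Resolution Service and decodes the SVR_RESP listing every instance, its version and its TCP port. The version-to-product table is the editor's shortcut for the major versions current when these slides were written, sample_response() is a constructed response rather than a capture, and SQLHOST is an illustrative name.

```python
"""SQL Server Resolution Service (SSRP) probe: what SQLPing does on UDP 1434.

Added example for this section, not code from the presentation or from the
SQLPing family of tools. Sends the one-byte CLNT_UCAST_EX request and decodes
the SVR_RESP. The version-to-product table is an assumed shortcut covering
the major versions current at the time of the slides.
"""
import socket
import struct

CLNT_UCAST_EX = b"\x02"      # "list every instance on this host"
SVR_RESP = 0x05              # first byte of a server response


def parse_ssrp_response(data: bytes) -> list:
    """Decode SVR_RESP into one dict per instance (keys as the server sends them)."""
    if len(data) < 3 or data[0] != SVR_RESP:
        raise ValueError("not an SSRP server response")
    (length,) = struct.unpack_from("<H", data, 1)          # little-endian payload length
    body = data[3:3 + length].decode("ascii", errors="replace")
    instances = []
    for record in body.split(";;"):                         # each instance ends with ';;'
        fields = record.split(";")
        if len(fields) < 2:
            continue
        instances.append(dict(zip(fields[0::2], fields[1::2])))
    return instances


def product_name(version: str) -> str:
    """Map the reported build number to a product generation (assumed table)."""
    major, minor = (int(x) for x in version.split(".")[:2])
    names = {8: "SQL Server 2000", 9: "SQL Server 2005", 11: "SQL Server 2012"}
    if major == 10:
        return "SQL Server 2008 R2" if minor >= 50 else "SQL Server 2008"
    return names.get(major, f"SQL Server (build {version})")


def summarize(instances: list) -> list:
    """One (instance, product, tcp_port, notes) row per instance; notes flag
    what an attacker cares about: a TCP port that is not 1433, or no TCP at all."""
    rows = []
    for inst in instances:
        notes = []
        port = inst.get("tcp")
        if port is None:
            notes.append("no TCP listener advertised (named pipes only)")
        elif port != "1433":
            notes.append(f"non-default TCP port {port}: scan for it explicitly")
        if inst.get("IsClustered") == "Yes":
            notes.append("clustered instance")
        product = product_name(inst.get("Version", "0.0"))
        rows.append((inst.get("InstanceName", "?"), product, port, notes))
    return rows


def ssrp_probe(host: str, timeout: float = 3.0) -> list:
    """Live query: one UDP datagram to 1434, parse whatever comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(CLNT_UCAST_EX, (host, 1434))
        data, _ = sock.recvfrom(65535)
    return parse_ssrp_response(data)


def sample_response() -> bytes:
    """Constructed SVR_RESP (not a capture) with a default and a named instance."""
    body = ("ServerName;SQLHOST;InstanceName;MSSQLSERVER;IsClustered;No;"
            "Version;10.50.1600.1;tcp;1433;;"
            "ServerName;SQLHOST;InstanceName;SQLEXPRESS;IsClustered;No;"
            "Version;9.00.5000.00;tcp;49172;np;\\\\SQLHOST\\pipe\\MSSQL$SQLEXPRESS\\sql\\query;;")
    return bytes([SVR_RESP]) + struct.pack("<H", len(body)) + body.encode("ascii")


if __name__ == "__main__":
    for name, product, port, notes in summarize(parse_ssrp_response(sample_response())):
        print(f"{name:<14}{product:<22}tcp/{port}  {'; '.join(notes)}")
```

The point of the non-default-port note is the one SQLPing exists for: named instances listen wherever the service picked a port, so a scan of 1433 alone misses them, while the resolution service on 1434 hands the port out to anyone who asks.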
NFS Enumeration, TCP/UDP 2049

NFS (port 2049 open)
NFS enumeration:
    showmount -e hostname/ip_address
    mount -t nfs ip_address:/directory_found_exported /local_mount_point
NFS brute force: interact with the NFS share and try to add/delete files; exploit and confuse UNIX
Examine configuration files: /etc/exports, /etc/lib/nfs/xtab (on Linux the live export table is /var/lib/nfs/xtab)
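The "examine configuration files" step from the defender's side, as an added example that is not part of the original presentation: a parser for /etc/exports that reports the entries an attacker who has run showmount -e and mount could abuse (wildcard clients, world-writable trees, no_root_squash, insecure). It follows exports(5) syntax (comments, backslash continuations, quoted paths, per-client options); the defaults it assumes (ro, root_squash, secure) are those of the Linux exportfs, a bare path with no client is treated as a world export by assumption, and SAMPLE_EXPORTS is a constructed file, not one taken from a real host.

```python
"""Audit an /etc/exports file for the mistakes NFS enumeration turns into access.

Added example for this section, not code from the presentation. The parser
follows exports(5) syntax (comments, '\\' continuations, quoted paths,
per-client options); the default options it assumes (ro, root_squash,
secure) are those of the Linux exportfs. SAMPLE_EXPORTS is constructed.
"""
import re
import shlex

CLIENT_RE = re.compile(r"^([^(\s]*)(?:\(([^)]*)\))?$")   # host(options) or (options)

# Constructed sample, not a real host's file. The /data line shows the classic
# mistake: a space before "(rw)" makes that option set apply to every host.
SAMPLE_EXPORTS = """
# constructed sample /etc/exports
/srv/pub        *(ro,sync)
/home           192.168.202.0/24(rw,sync,no_root_squash)
/data           192.168.202.10 (rw)          # oops: 192.168.202.10 gets defaults, the world gets rw
/backup         backup.example.com(rw,sync) \\
                10.0.0.5(ro)
"""


def parse_exports(text: str) -> list:
    """Return (path, client, options) triples in file order."""
    entries, logical = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments
        if line.endswith("\\"):                        # line continuation
            logical += line[:-1] + " "
            continue
        logical += line
        if logical.strip():
            entries.extend(_parse_entry(logical))
        logical = ""
    return entries


def _parse_entry(line: str) -> list:
    parts = shlex.split(line)                          # honours quoted paths
    path, clients = parts[0], parts[1:]
    if not clients:                                    # bare path: assumed world export
        clients = ["*"]
    out = []
    for client in clients:
        m = CLIENT_RE.match(client)
        host, opts = m.group(1) or "*", m.group(2) or ""
        out.append((path, host, {o.strip() for o in opts.split(",") if o.strip()}))
    return out


def is_world(host: str) -> bool:
    """Wildcard clients: '*', '*.example.com', or no host at all."""
    return host == "*" or host.startswith("*")


def audit(entries: list) -> list:
    """(path, host, [issues]) for every export an attacker could abuse."""
    findings = []
    for path, host, opts in entries:
        writable = "rw" in opts                        # default is ro
        root_squash = "no_root_squash" not in opts     # default is root_squash
        secure = "insecure" not in opts                # default is secure
        issues = []
        if is_world(host):
            issues.append("exported to any host: showmount -e / mount need no foothold")
        if writable and is_world(host):
            issues.append("world-writable: attacker can add/delete files")
        if not root_squash:
            issues.append("no_root_squash: remote root is local root on this tree")
        if not secure:
            issues.append("insecure: requests from unprivileged source ports accepted")
        if issues:
            findings.append((path, host, issues))
    return findings


if __name__ == "__main__":
    for path, host, issues in audit(parse_exports(SAMPLE_EXPORTS)):
        print(f"{path:<10}{host:<20}" + "; ".join(issues))
```

Running it on the constructed sample flags /srv/pub (readable by anyone), /home (remote root keeps root) and the second /data entry, which is the one the space typo created: the host that was meant to get rw gets read-only defaults, and everyone else gets rw. Point parse_exports at the contents of a real /etc/exports, or at /var/lib/nfs/xtab on Linux, to check the same things on a live host.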
4.0 REFERENCES

Harry Newton, "Newton's Telecom Dictionary," CMP Books, New York, NY, 2002.
http://www.phenoelit-us.org/dpl/dpl.html
Postel, John. "RFC 793". Retrieved 29 June 2012.
"Port Numbers". Internet Assigned Numbers Authority (IANA).
http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
D. Cavendish (C&C Research Labs, USA), IEEE Communications Magazine, Vol. 38, Issue 6, pp. 164-172, IEEE Xplore Digital Library. http://ieeexplore.ieee.org/xpl/login.jsp?tp=&arnumber=846090&url=http%3A%2F%2Fieeexplore.ieee.org%2Fiel5%2F35%2F18353%2F00846090.pdf%3Farnumber%3D846090
Paul Bedell, "Gigabit Ethernet for Metro Area Networks," 2003, p. 329.
Dale Barr, Jr., Peter M. Fonash, "Internet Protocol over Optical Transport Networks," National Communication Technologies, Inc., Dec 2003, pp. 9, 43-47.
G.7712, "Vertel Supports Latest Optical Network Management Standard," Embedded Stars, last accessed 23 September 2006. http://www.embeddedstar.com/press/content/2003/3/embedded7896.html
ECI LightSoft Network Management Solutions General Description Handbook, 2nd Edition, ECI, June 2006, p. 64.
D. Frey, F. Moore, "Making Ethernet over SONET: A Transport Network Operations Model," Proceedings NFOEC, 2003, p. 29.

Useful INTERNET ADDRESSES OF STANDARDS BODIES AND FORUMS
Internet: http://www.phenoelit-us.org/dpl/dpl.html
Telecommunications Industry Association (TIA): www.tiaonline.org
Institute of Electrical and Electronics Engineers (IEEE): www.ieee.org
THANK YOU