Reading notes: "Hacking Exposed" (2/8)

Source: Internet
Author: User
Tags: ASN number, FTP site, SNMP, snmpget, domain server, File Transfer Protocol, nslookup command, Nessus scan

Chapter III: Enumeration

Enumeration: the hosts and services identified so far are probed more fully for known weaknesses.

The key difference between information gathering and enumeration is how intrusive the attacker becomes. Enumeration involves active connections to the target system and direct queries. The information sought includes user account names, misconfigured shared resources, and legacy software with known security vulnerabilities.

Enumeration depends heavily on the information collected by port scanning and operating system detection. Port scanning and enumeration are often bundled into the same tool (for example SuperScan).

Banner grabbing is the most common enumeration technique.

3.1 Service fingerprinting

1. Service fingerprinting is a fast and effective automated technique for analyzing an entire network.

2. Tools: Nmap, Amap.

3.2 Vulnerability scanners

1. An automated vulnerability scanner subjects a target, or an entire network, to a "continuous onslaught" of checks, which makes collecting vulnerability information very effective and time-saving. The Open Vulnerability Assessment System (OpenVAS) is a good free, open-source tool.

2. Tools: Nessus, Nmap NSE scripts.

3. Nessus scan:
Nessus features: a convenient user interface, a frequently updated vulnerability database, support for all major platforms, and optimized performance. Plug-ins written in the interpreted NASL language extend its functionality to meet almost any conceivable scanning need.

Home users can use Nessus 4 free of charge with the HomeFeed.

Preventive measures against Nessus scanning:

(1) Develop and enforce effective patch-management and configuration-management policies.
(2) Use Nessus yourself to scan your own systems and find vulnerabilities before an attacker does.
(3) Deploy intrusion detection and prevention systems, and alert administrators when necessary.

4. Nmap NSE scripts:
The NSE script library: run a specified script with --script, or run the default script set with -sC.

3.3 The most basic banner grabbing technique

1. The most basic enumeration technique is banner grabbing. It can be defined simply as connecting to a remote application and observing its output.

2. The most basic banner grabbing tools: telnet and netcat.

3. A reliable way to grab application banners and service information manually is based on the telnet program.

4. When the target is a numeric IP address, use the -n option on the netcat command line.

5. Precautions against banner grabbing:

(1) Shut down all unnecessary services.
(2) Strengthen network access control and strictly restrict access to each service.
(3) Managing vulnerable software well matters far more than preventing banner grabbing.

3.4 Enumeration of common network services

1. FTP enumeration: TCP port 21

Connecting to an FTP site and viewing its contents is still one of the simplest and potentially most rewarding activities.
Syntax: ftp ftp.example.com

Countermeasures against FTP enumeration:

(1) FTP is an "old but no longer good" service; disabling it is recommended.
(2) Use Secure FTP (SFTP, over SSH) or FTP Secure (FTPS, over SSL), protected by strong passwords or certificate-based authentication.

2. Telnet enumeration: TCP port 23

The most serious flaw of Telnet is that everything is transmitted in plaintext.

System enumeration via the Telnet banner

A username prompt on a Cisco telnet server means the server may lock the account after several failed authentications; if it asks for a password only, an attacker can brute-force it without triggering an account lockout.

Account enumeration via Telnet

Account enumeration is the process of attempting to log in with a specific user name and observing the error message returned.

Countermeasures against Telnet enumeration:
(1) Disable the Telnet service; SSH is widely used as its replacement.
(2) If Telnet must be used, change its banner, and configure the system to drop the connection and require a new one after a failed login.

3. SMTP enumeration: TCP port 23

One of the classic enumeration techniques uses the Internet mail delivery mechanism, the Simple Mail Transfer Protocol. Two built-in commands reveal information about other users: VRFY confirms the name of a valid user, and EXPN displays the alias and the actual delivery addresses of a mailing list.

Common tool: vrfy.pl, which checks every user in a list against the target server and reports the valid user names on it.

Countermeasures against SMTP enumeration:
Disable this service where possible. For Sendmail, a popular SMTP server, administrators edit sendmail.cf to disable the VRFY and EXPN commands, or require authentication before they can be used.

4. DNS: TCP/UDP port 53

DNS typically uses UDP port 53; TCP port 53 is used for zone transfers.

Enumeration using DNS zone transfers

Zone transfer: the complete contents of a given zone are sent to the requestor, which leaks hostname-to-IP-address mappings, HINFO host-information records, and other sensitive data.

The downside is that an attacker can perform the same simple zone transfer.

Run the nslookup command first, then execute ls -d <DomainName>

BIND enumeration

The BIND name server is the most widely used DNS server on the various UNIX variants.
To query the version of BIND, execute:

dig @10.219.100.1 version.bind txt chaos

DNS cache snooping

A caching DNS server resolves frequently accessed hosts quickly; if it has not yet handled a request for a particular host, the response's "Answer" count is 0, which reveals whether other clients have looked that name up.

Automated DNS enumeration

The dnsenum tool performs automated enumeration.
Its features include querying additional name records and domains through Google, brute-forcing subdomains, performing reverse lookups, listing the domain's network ranges, and running WHOIS queries on those ranges.

fierce.pl
Uses a series of techniques to determine the IP addresses and hostnames of target machines, including zone transfers, dictionary lists, and brute-force reverse-lookup enumeration.

The CentralOps.net site provides a range of free enumeration tools, including WHOIS enumeration, zone transfers, and service scanning.

Countermeasures against DNS enumeration:
(1) Shut down the DNS service where it is not needed.
(2) Use two DNS servers: one for the public network and one for internal use.

Block DNS zone transfers

Allow zone transfers only to authorized machines

Block version.bind requests to BIND, and prevent DNS cache snooping
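As an added example, not code from the book or from these notes, here is a small Python detector for the two DNS countermeasures above, run over BIND 9 query-log lines: it reports AXFR requests from hosts that are not authorized secondaries and version.bind CH TXT probes. The AUTHORIZED_TRANSFER_PEERS list and the log lines are constructed for the example; the log format is the one named writes when querylog is enabled.

```python
import ipaddress
import re

# Added example, not code from the book or from these notes: scan BIND 9
# query-log lines for zone-transfer (AXFR) requests from hosts that are not
# authorized secondaries and for version.bind CH TXT probes.

# Hypothetical list of secondaries allowed to pull the zone; in practice it
# should mirror the allow-transfer setting in named.conf.
AUTHORIZED_TRANSFER_PEERS = [ipaddress.ip_network("192.0.2.0/24")]

# BIND 9 "query:" records, with or without the "@0x..." client-object
# address that newer versions print after "client".
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ \([^)]*\): "
    r"query: (?P<name>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)


def is_authorized_peer(ip):
    """True if ip belongs to a network allowed to request zone transfers."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in AUTHORIZED_TRANSFER_PEERS)


def classify(line):
    """Return (kind, client_ip, qname) for a suspicious query, else None."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    ip, name, qclass, qtype = m.group("ip", "name", "qclass", "qtype")
    if qtype.upper() == "AXFR" and not is_authorized_peer(ip):
        return ("unauthorized-axfr", ip, name)
    if (qclass.upper() == "CH" and qtype.upper() == "TXT"
            and name.lower().rstrip(".") == "version.bind"):
        return ("version-probe", ip, name)
    return None


def scan(lines):
    """Run classify over every line and keep the alerts, in log order."""
    alerts = []
    for line in lines:
        alert = classify(line)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample log lines (not from any real server).
SAMPLE_LOG = [
    "01-Jan-2019 10:00:01.123 queries: info: client @0x7f3c2c0a1b40 203.0.113.7#41234 (example.com): query: example.com IN AXFR -TE (192.0.2.1)",
    "01-Jan-2019 10:00:02.456 queries: info: client @0x7f3c2c0a1b40 192.0.2.2#53000 (example.com): query: example.com IN AXFR -TE (192.0.2.1)",
    "01-Jan-2019 10:00:03.789 queries: info: client @0x7f3c2c0a1b40 203.0.113.7#41235 (version.bind): query: version.bind CH TXT +E (192.0.2.1)",
    "01-Jan-2019 10:00:04.000 queries: info: client @0x7f3c2c0a1b40 198.51.100.9#5353 (www.example.com): query: www.example.com IN A +E (192.0.2.1)",
    "01-Jan-2019 10:00:05.000 queries: info: client 203.0.113.8#40000 (example.com): query: example.com IN AXFR -TE (192.0.2.1)",
]

if __name__ == "__main__":
    for kind, ip, name in scan(SAMPLE_LOG):
        print(f"{kind:18} from {ip:15} for {name}")
```

The second sample line is an AXFR from an address inside the authorized range and is correctly left alone; on a real server the same authorized set should also be what named.conf's allow-transfer permits, so that the log check and the configuration agree.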

5. TFTP enumeration: TCP/UDP port 69

Trivial File Transfer Protocol (TFTP) is a UDP-based, unauthenticated "fast-food" file transfer protocol, usually running on UDP port 69. To download a file from a TFTP server you must already know the name of the file you want.

Copying files from a Linux TFTP server

One way to grab the passwd file is through TFTP.

Obtaining router/switch configuration through the TFTP server

Network devices such as switches, routers, and VPN concentrators typically offer remote configuration through TFTP, and the configuration files that can be obtained from them include:

running-config
startup-config

Precautions against TFTP enumeration: (1) do not run TFTP; (2) if it must run, wrap it to restrict access, confine it to the /tftpboot directory, and confirm that the border firewall blocks TFTP.

6. Finger: TCP/UDP port 79

Finger is the oldest enumeration technique. The information finger returns comes from the corresponding fields of /etc/passwd.

Users who place a .plan or .project file in their home directory are exposed to such probes, because the contents of those files appear in the finger output.

Countermeasures against finger enumeration:
(1) Do not run finger, and block port 79 at the firewall.
(2) Use TCP Wrappers to restrict access and log access attempts on the host, or provide only limited information with a modified finger daemon.

7. HTTP enumeration: TCP port 80

The HTTP HEAD method is a neat way to reveal banner information, although some intrusion detection systems may be triggered by it.

If you encounter a web site that uses SSL, do not fret because netcat cannot handle SSL connections; use the OpenSSL client as an SSL proxy instead:

openssl s_client -quiet -connect www.example.com:443

The default OpenSSL output is lengthy; the -quiet parameter limits it.

Common tool: grendel-scan

Its function is to collect all the comments from an entire web site so that the attacker can search them for useful information, and to analyze the site's robots.txt. Web page comments often contain rich information that search engines never index.

Countermeasures against HTTP enumeration:
(1) The best way is to change the web server's banner. For IIS this means hex-editing the DLL that contains the IIS banner; however, that DLL is protected by the Windows SFP (System File Protection) mechanism, and the modified file is automatically replaced with the original unless SFP is disabled.
(2) Install an ISAPI filter and use the SetHeader function to set the banner. Related tool: URLScan (can also be used to block many popular IIS attacks).
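As an added example (not code from the book or from these notes), the following Python script supports the countermeasures of this section and of 3.3: it collects banners from hosts you administer, the way the telnet/netcat and HEAD techniques above do, and flags the ones that disclose a product version. The grab_banner function, the regular expressions and the sample banners are this example's own assumptions; the sample banners are constructed, not captured from any real host.

```python
import re
import socket

# Added example, not code from the book or from these notes: classify
# service banners collected from hosts you administer and flag the ones
# that disclose a product version, which is what the banner countermeasures
# above aim to remove.

# Banner formats of common services. SSH follows RFC 4253
# ("SSH-2.0-softwareversion"); the others match the greeting lines FTP and
# SMTP servers send and the HTTP Server header returned to a HEAD request.
VERSION_PATTERNS = {
    "ssh": re.compile(r"^SSH-\d\.\d-(?P<product>[A-Za-z]+)[_-]?(?P<version>[\d.]+\w*)"),
    "ftp": re.compile(r"^220[ -].*?(?P<product>[A-Za-z][\w-]*)\s+(?:Server\s+)?[vV]?"
                      r"(?P<version>\d+(?:\.\d+)+)"),
    "smtp": re.compile(r"^220[ -].*?(?P<product>Sendmail|Postfix|Exim)\s*/?\s*"
                       r"(?P<version>\d+(?:\.\d+)+)?"),
    "http": re.compile(r"^Server:\s*(?P<product>[A-Za-z][\w-]*)/(?P<version>[\d.]+)",
                       re.IGNORECASE | re.MULTILINE),
}


def grab_banner(host, port, timeout=3.0, http_host=None):
    """Connect to a host you are authorized to audit and return its banner.
    For HTTP a HEAD request is sent (as in the notes above); FTP, SMTP and
    SSH servers send their greeting line unprompted."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if http_host is not None:
            request = f"HEAD / HTTP/1.1\r\nHost: {http_host}\r\nConnection: close\r\n\r\n"
            s.sendall(request.encode())
        return s.recv(1024).decode("latin-1", errors="replace")


def find_version_disclosure(service, banner):
    """Return (product, version) if the banner leaks a version, else None."""
    m = VERSION_PATTERNS[service].search(banner)
    if not m or not m.group("version"):
        return None
    return m.group("product"), m.group("version")


def audit(banners):
    """banners: list of (label, service, banner_text).
    Returns (label, product, version) for every banner that leaks a version."""
    findings = []
    for label, service, text in banners:
        leak = find_version_disclosure(service, text)
        if leak:
            findings.append((label, leak[0], leak[1]))
    return findings


# Constructed sample banners (not captured from any real host).
SAMPLE_BANNERS = [
    ("ssh-a", "ssh", "SSH-2.0-OpenSSH_7.4\r\n"),
    ("ssh-b", "ssh", "SSH-2.0-Generic\r\n"),
    ("ftp-a", "ftp", "220 ProFTPD 1.3.5 Server (Files) [10.0.0.5]\r\n"),
    ("smtp-a", "smtp", "220 mail.example.test ESMTP Sendmail 8.14.7; Tue, 1 Jan 2019\r\n"),
    ("http-a", "http", "HTTP/1.1 200 OK\r\nServer: Apache/2.4.6\r\nContent-Type: text/html\r\n\r\n"),
    ("http-b", "http", "HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n"),
]

if __name__ == "__main__":
    for label, product, version in audit(SAMPLE_BANNERS):
        print(f"{label}: {product} {version} disclosed")
```

Feed audit() the banners grab_banner returns for your own hosts; anything it flags is a candidate for the banner changes described in the countermeasures (for IIS the SetHeader approach above, for Apache and nginx their ServerTokens and server_tokens directives). The "ssh-b" and "http-b" samples show the target state: a banner that names the protocol or product but no version.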

8. MSRPC enumeration (Microsoft RPC endpoint mapper): TCP port 135

Querying this service yields information about the applications and services available on the target computer, as well as other details that may help an attacker.
Common tools:
On Windows: epdump

epdump mail.example.com

On Linux: rpcdump.py

Countermeasures against MSRPC enumeration:
(1) The best way is to restrict access to TCP port 135:

use a VPN;
use Outlook Web Access to support remote Outlook users;
use strong authentication mechanisms.

(2) If you cannot restrict access to the MSRPC service, restrict access to the individual RPC applications.

9. NetBIOS Name Service enumeration: UDP port 137

The NBNS service is a distributed name resolution system for Microsoft Windows-based networks, and it is still enabled by default in every release of Windows.
Common tools: built-in tools of the operating system or its resource kit

Enumerating Windows workgroups and domains with net view

net view needs access to all the NBNS traffic of the network being enumerated, which means it works only on the local network segment. If NBNS is routed over TCP/IP, net view can enumerate Windows workgroups across the whole enterprise. Enumerating the domains on the network with net view:

net view /domain
net view /domain:corleone (corleone is one of the domains returned by the previous command)

Enumerating Windows domain controllers

nltest, from the Reskit tools, identifies the individual domain controllers:

nltest /dclist:corleone

netdom, also from the Reskit tools, can enumerate key information about Windows domains online, including the domain members and the identity of the backup domain controller (BDC).

Enumerating network services with the netviewx tool

netviewx can list the servers offering a specific service; for example, probing for the Remote Access Service gives the number of dial-in servers on a network:

netviewx -d corleone -t dialin_server

Dumping the NetBIOS name table with the nbtstat and nbtscan tools

nbtstat connects to specific computers rather than to the entire network.
Its two main drawbacks are that only one host can be queried at a time and that the output is confusing.
nbtscan performs fast "nbtstat" queries across an entire network and formats the output neatly.

Linux NetBIOS enumeration tools

The level of detail displayed can be chosen with different parameters.

Preventive measures against NetBIOS Name Service enumeration:
(1) Disable the Alerter and Messenger services on each host.
(2) Disable NetBIOS over TCP/IP on each network adapter.
(3) Block UDP port 137 on routers between networks; note that Windows name resolution across such a router will then fail, and applications that depend on NBNS may stop working.

10. NetBIOS session enumeration: TCP 139/445

Windows null session / anonymous connection attacks

Null session enumeration

The Server Message Block (SMB) protocol is the basis of Windows file and print sharing.
The key to SMB enumeration is the so-called "null session" command, which connects to the service anonymously:

net use \\192.168.202.33\ipc$ "" /u:""

ipc$: the inter-process communication share
"": empty password
/u:"": anonymous user

Enumerating file shares

An intruder's favourite target is a Windows file share with incorrectly configured permissions. The built-in net view command can enumerate the shares on a remote system:

net view \\vito

Common tools:

srvcheck

Lists shares and their authorized users.

srvinfo

The -s option lists shares and much other leaked information.

DumpSec

Checks everything on the remote system, from file-system permissions to the services available.

Popular scanners:

ShareEnum

Has relatively few configuration options, but its default output is quite detailed, and scan results from different times can be compared.

Network Scanner

Offers more configuration options beyond the default settings.

The popular Windows share scanner NetBIOS Auditing Tool

Not only finds shares, but can also attempt to log in forcibly using user-defined user-name and password lists.

Registry enumeration

Method: dump the Windows registry of the target machine.
Common tools:

reg

A rough tool that simply dumps the registry into the console window. To check which programs run when Windows starts: reg query \\10.219.1.207\hklm\software\microsoft\

DumpSec

Identifies and enumerates every Win32 service and kernel driver on the remote system and their status; this requires a null session connection.

Enumerating trusted domains

nltest /server:<server name> /trusted_domains

Enumerating users

Tools:

DumpSec

Obtains a list of users, groups, NT system policies, and user rights.

sid2user and user2sid

Command-line tools for enumerating NT systems: they obtain the SID (security identifier) for a given user name, and vice versa.

The first user account created on any NT system or domain is assigned RID 1000.

Multi-host null session enumeration tools
Winfingerprint

Targets a single host, multiple hosts from a list or network segment, or all hosts visible within a segment, and inventories Windows systems through null sessions, Active Directory, and WMI.

NBTEnum

Generates neat HTML reports, performs brute-force guessing cleverly, and uses a null session or a specific user account to enumerate a wealth of information.

The enum tool, and enum4linux on Linux

enum4linux repackages various common commands from the Samba toolkit.

NetE

Extracts a large amount of valuable information through a null session connection; all checks are run with the "/" switch.

Other null session enumeration tools
getmac

Uses a null session to display the MAC address and device name of the remote computer's network card.

Winfo

Obtains user accounts, shares, and the inter-domain trust accounts of servers and workstations.

Countermeasures against SMB null sessions:
(1) Filter TCP and UDP ports 139 and 445 on all perimeter network access devices.
(2) Completely disable the SMB service on each NT host.

Bypassing the RestrictAnonymous=1 restriction

By calling the NetUserGetInfo API at level 3, the RestrictAnonymous = 1 restriction can be bypassed.

Make sure the registry is locked down

The registry key associated with remote access is HKLM\System\CurrentControlSet\Control\SecurePipeServers\winreg and its subkeys. If the key is present, remote access to the registry is restricted to administrators.
Run the DumpSec tool regularly as a self-audit to ensure the system has no loopholes.
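An added example (not from the book or from these notes) that detects, rather than performs, the null session connections described in this section: it flags Windows Security event 4624 records where a network logon (LogonType 3) was made by ANONYMOUS LOGON from a remote address. The events are assumed to arrive as dicts keyed by the EventData field names of the 4624 record, as a SIEM export would provide them; the event values are constructed, and the local-source exclusion list is an assumption.

```python
from collections import Counter

# Added example, not code from the book or from these notes: flag null
# session connections in Windows Security log data. A null session shows up
# as event 4624 (successful logon) with LogonType 3 (network) and the
# account NT AUTHORITY\ANONYMOUS LOGON. Events are dicts keyed by the 4624
# EventData field names (TargetUserName, TargetDomainName, LogonType,
# IpAddress, WorkstationName, ...).

# Sources treated as local noise rather than remote null sessions
# (assumption for this example; tune for your environment).
LOCAL_SOURCES = {"-", "127.0.0.1", "::1"}


def is_null_session_logon(event):
    """True for a 4624 network logon by ANONYMOUS LOGON from a remote address."""
    if event.get("EventID") != 4624:
        return False
    if str(event.get("LogonType")) != "3":
        return False
    if event.get("TargetUserName", "").upper() != "ANONYMOUS LOGON":
        return False
    return event.get("IpAddress", "-") not in LOCAL_SOURCES


def find_null_sessions(events):
    """Return (time, source ip, workstation name) for each remote null session."""
    return [
        (e.get("TimeCreated"), e.get("IpAddress"), e.get("WorkstationName"))
        for e in events
        if is_null_session_logon(e)
    ]


def sources_over_threshold(events, threshold=2):
    """Source addresses that opened at least `threshold` null sessions."""
    counts = Counter(ip for _, ip, _ in find_null_sessions(events))
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Constructed sample events (not from any real log).
SAMPLE_EVENTS = [
    {"TimeCreated": "2019-01-01T10:00:01", "EventID": 4624, "LogonType": 3,
     "TargetUserName": "ANONYMOUS LOGON", "TargetDomainName": "NT AUTHORITY",
     "AuthenticationPackageName": "NTLM", "IpAddress": "192.168.202.10",
     "WorkstationName": "WS-CONSTRUCTED"},
    {"TimeCreated": "2019-01-01T10:00:02", "EventID": 4624, "LogonType": 3,
     "TargetUserName": "jsmith", "TargetDomainName": "CORP",
     "AuthenticationPackageName": "Kerberos", "IpAddress": "192.168.202.11",
     "WorkstationName": "WS-JSMITH"},
    # Anonymous logon with no source address: treated as local noise here.
    {"TimeCreated": "2019-01-01T10:00:03", "EventID": 4624, "LogonType": 3,
     "TargetUserName": "ANONYMOUS LOGON", "TargetDomainName": "NT AUTHORITY",
     "AuthenticationPackageName": "NTLM", "IpAddress": "-",
     "WorkstationName": "-"},
    # Failed logon (4625) is not a successful null session.
    {"TimeCreated": "2019-01-01T10:00:04", "EventID": 4625, "LogonType": 3,
     "TargetUserName": "ANONYMOUS LOGON", "TargetDomainName": "NT AUTHORITY",
     "AuthenticationPackageName": "NTLM", "IpAddress": "192.168.202.10",
     "WorkstationName": "WS-CONSTRUCTED"},
    {"TimeCreated": "2019-01-01T10:00:05", "EventID": 4624, "LogonType": 3,
     "TargetUserName": "ANONYMOUS LOGON", "TargetDomainName": "NT AUTHORITY",
     "AuthenticationPackageName": "NTLM", "IpAddress": "192.168.202.10",
     "WorkstationName": "WS-CONSTRUCTED"},
]

if __name__ == "__main__":
    for when, ip, ws in find_null_sessions(SAMPLE_EVENTS):
        print(f"{when}: null session from {ip} ({ws})")
    print("repeat sources:", sources_over_threshold(SAMPLE_EVENTS))
```

A single anonymous network logon can be legitimate on older domains, which is why the example also counts them per source address; a workstation that opens several in a short time, right before share or user enumeration, is the pattern the tools listed in this section produce.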

11. SNMP enumeration: UDP port 161

Simple Network Management Protocol (SNMP) is a network management and monitoring service that can provide detailed information about network devices, software, and systems.
The snmputil SNMP browser makes it very easy to enumerate Windows users through the SNMP service:

snmputil walk 192.168.202.33 public .1.3.6.1.4.1.77.1.2.25

On Unix/Linux, the snmpget tool from the NET-SNMP toolkit queries SNMP:

snmpget -c public -v 2c 192.168.1.60 system.sysName.0
If the default write community string "private" is enabled, it is easy to cause a denial of service or compromise the system's security.

SNMP Scanner
An automated Windows-based scanning tool for querying SNMP. Every query outputs the host name and the operating system the host runs, and all results can be exported to CSV.

onesixtyone
A command-line tool for Linux systems.

Countermeasures against SNMP enumeration:
(1) Remove or disable the SNMP agent.
(2) Use community names that are hard to guess.
(3) If SNMP is used to manage the network, block access to TCP and UDP port 161 at the perimeter.
(4) The SNMP agent should be accessible only from the appropriate management console IP addresses.
(5) On Windows, edit the registry to allow only approved requests for the SNMP community name and to prevent the Microsoft MIB information from being sent.
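An added example (not from the book or from these notes) for countermeasures (2) and (4): a Python audit of a net-snmp snmpd.conf that reports default community names, write communities, and communities not restricted to a management-console address. The MIN_COMMUNITY_LENGTH policy, the management-host set and the sample configuration are this example's own assumptions; the rocommunity/rwcommunity syntax is net-snmp's.

```python
import re

# Added example, not code from the book or from these notes: audit a
# net-snmp snmpd.conf for the weaknesses listed above: the default community
# names "public" and "private", write (rw) communities, and communities that
# are not restricted to a management-console address.

DEFAULT_COMMUNITIES = {"public", "private"}
MIN_COMMUNITY_LENGTH = 12   # hypothetical local policy, not a net-snmp rule

# net-snmp access-control lines:
#   rocommunity NAME [SOURCE [OID | -V VIEW]]
#   rwcommunity NAME [SOURCE [OID | -V VIEW]]
# SOURCE may be a host, a network, or the word "default" (any address).
COMMUNITY_RE = re.compile(
    r"^\s*(?P<kind>r[ow]community6?)\s+(?P<name>\S+)(?:\s+(?P<source>\S+))?",
    re.IGNORECASE,
)


def audit_snmpd_conf(text, management_hosts):
    """Return (line_number, finding, community) tuples for a config text."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0]          # strip trailing comments
        m = COMMUNITY_RE.match(line)
        if not m:
            continue
        kind, name, source = m.group("kind", "name", "source")
        if source is not None and source.startswith("-"):
            source = None                    # "-V view" with no SOURCE given
        if name.lower() in DEFAULT_COMMUNITIES:
            findings.append((lineno, "default-community", name))
        elif len(name) < MIN_COMMUNITY_LENGTH:
            findings.append((lineno, "short-community", name))
        if kind.lower().startswith("rw"):
            findings.append((lineno, "write-access", name))
        if source is None or source.lower() == "default":
            findings.append((lineno, "unrestricted-source", name))
        elif source not in management_hosts:
            findings.append((lineno, "source-not-management-console", name))
    return findings


# Constructed sample configuration (not from any real host). Line 4 is the
# form the countermeasures call for: a long community name, read-only,
# reachable only from the management console.
SAMPLE_CONF = """\
# constructed sample snmpd.conf
rocommunity public
rwcommunity private default
rocommunity kX9-long-secret-7Q 192.0.2.10
rocommunity short 10.1.1.5
"""
MANAGEMENT_HOSTS = {"192.0.2.10"}

if __name__ == "__main__":
    for lineno, finding, name in audit_snmpd_conf(SAMPLE_CONF, MANAGEMENT_HOSTS):
        print(f"line {lineno}: {finding} ({name})")
```

Line 3 of the sample is the case the notes warn about: the default write community "private" reachable from anywhere. The audit reports it three times (default name, write access, unrestricted source), and the fix is the shape of line 4, with a read-only community of a long random name bound to the management console's address.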

12. BGP enumeration: TCP port 139

Border Gateway Protocol (BGP) is the routing protocol of the Internet; routers use it to propagate the information needed to route traffic. Only medium-to-large organizations run it.
Steps for BGP route enumeration:
1. Determine the target organization's ASN.
2. Query a router for all networks whose AS path ends with the target organization's ASN.

BGP enumeration on the Internet

BGP uses only IP network addresses and ASNs.
How to determine the target organization's ASN:
(1) First method: if you already know the name of the target company, run an ARIN whois query with the ASN keyword.
(2) Second method: if you already know an IP address of the target organization, query a router and take the last entry in the AS path as the ASN.

Summary:
(1) Many organizations run BGP, but the first method does not work for those that do not, because the ARIN database search returns no ASN for them.
(2) With the second method, the ASN returned may belong to the service provider that announced the BGP route on behalf of the customer.

Internal routing protocol enumeration

Autonomous System Scanner: does not support BGP; it is a component of the Internet Routing Protocol Attack Suite (IRPAS), which can sniff the local network's traffic and scan the local network directly.

Countermeasures against BGP route enumeration: there is no good defense against BGP enumeration, and the first technique (identifying the ASN) cannot be prevented, but the risk posed by BGP enumeration is low.

13. Windows Active Directory LDAP enumeration: TCP/UDP ports 389 and 3268

Active Directory (AD) is a directory service based on the Lightweight Directory Access Protocol (LDAP).
Common tools:

Windows XP Support Tools

Contains an LDAP client, the Active Directory Administration Tool ldp.exe, which connects to the AD server and browses the directory contents.
The only prerequisite for this enumeration is that the attacker establish an authenticated session over LDAP.

Luma, a Linux-based tool, and ldapenum for Windows and Linux systems

Countermeasures against Active Directory enumeration:
(1) Filter access to ports 389 and 3268 at the network boundary.
(2) Restrict access to Active Directory.

14. UNIX RPC enumeration: TCP/UDP ports 111 and 32771

One of the most popular ways for applications to communicate is the Remote Procedure Call protocol. RPC uses a service called the portmapper to match client requests to the ports that RPC assigns dynamically to listeners.
Common tools:

rpcinfo

The basic tool for discovering which RPC programs are listening for external requests on the remote host.

On Windows, rpcinfo is available in SFU (Services for UNIX). The best RPC scanning tool is Nmap:

With the -sR option you do not have to guess the specific program number.

Countermeasures against RPC enumeration:
(1) Use some form of authentication, such as Secure RPC, which authenticates with public-key cryptography.
(2) Make sure the firewall filters ports 111 and 32771 and all other RPC ports, or disable them on the Unix/Linux system.

15. rwho (UDP port 513) and rusers (RPC program 100002)

If the rwho daemon (rwhod) is running on the host, the rwho command shows who is currently logged in there.

rwho 192.168.202.34

The -l option of the rusers command returns slightly more information than rwho, including the time the user last touched the keyboard.

Countermeasures against rwho and rusers:
In the startup scripts, look for references to rpc.rwhod and rpc.rusersd and comment out those lines with the # character.

16. NIS enumeration: RPC program number 100004

The main problem with the Network Information System (NIS) is:
once the server's NIS domain name is obtained, any information in the server's NIS maps can be obtained with a simple RPC query.
NIS maps distribute critical information to every host in the same domain, such as the contents of the passwd file.

Countermeasures against NIS enumeration:
(1) Edit the file /var/yp/securenets to restrict access to specified hosts or networks.
(2) Alternatively, recompile ypserv with the option that enables TCP Wrappers support.
(3) Do not include root and other system accounts in the NIS maps.

17. SQL Server Resolution Service enumeration: UDP port 1434

SQLPing, for Windows systems
The tool queries UDP port 1434 and returns the service instances listening on the target computer.

Countermeasures against SQL instance enumeration:
(1) Standard practice: use a firewall to restrict access to the service.
(2) Use the Server Network Utility to remove all network communication libraries.
(3) In the Server Network Utility, select the "Hide Server" option under the TCP/IP netlib and remove all other netlibs.

18. Oracle TNS enumeration: TCP 1521/2483

The Oracle Transparent Network Substrate (TNS) listener manages communication between the Oracle database and its clients. It consists of tnslsnr, which handles the database-client communication, and lsnrctl, the listener control program used to manage tnslsnr.
Common tools:

AppSentry Listener Security Check

The simplest tool for inspecting the Oracle TNS listener.

tnscmd.pl

A command-line (non-graphical) TNS enumeration tool.

The Oracle Assessment Kit (OAK) and the getsids audit tool

Currently the simplest SID enumeration tools.

Countermeasures against Oracle TNS enumeration:
Oracle's security hardening project: designed to address TNS enumeration issues and, step by step, make a default-mode Oracle installation more secure.

19. NFS enumeration: TCP/UDP port 2049

Common tools:
The showmount tool queries port 2049 for the directories that are shared; the -e switch displays the NFS server's export table.

Countermeasures against NFS enumeration:
Confirm that exported file systems have sensible permissions and that the firewall blocks NFS; logging showmount requests is a good way to catch an attacker.

20. IPsec/IKE enumeration: UDP port 500

An attacker's ultimate goal is access to the target's internal network.
Internet Key Exchange (IKE) is the part of IPsec responsible for key negotiation; probing it determines exactly where IPsec is in use.

Common tools:

ike-scan

An IPsec enumeration tool that builds packets in the format a host's IPsec implementation expects, so that it can probe while concealing evidence of its own existence and obtain useful configuration information.
Discovering a VPN that uses pre-shared keys and aggressive mode usually means the VPN server can be queried further to obtain a hash of the pre-shared key.

Countermeasures against IPsec/IKE enumeration:
(1) Restrict the VPN by source IP address.
(2) Use main mode wherever possible.

Summary

Potentially vulnerable software on a network includes:

the underlying architecture of the operating system
SNMP
operating-system-level services that can leak sensitive information
custom applications
firewalls

Practice with the Nmap tool

1. Download and install the NmapGUI tool and enumerate the Blog Park site (http://www.cnblogs.com/).

The server has only ports 80 and 443 open. The scan shows details of the SSL protocol, including the public-key algorithm (RSA), the session key and the other cipher suites. The HTTP protocol used is version 1.1.

The server's operating system is reported as Wyse ThinOS.

2. IP scan of a network segment (192.168.1.0/24)

The host has ports 80 and 1900 open.
Port 1900:

SSDP Discovery Service
An attacker who sends a bogus UDP packet to a network with more than one Windows XP system may cause those XP hosts to attack a specified host (DDoS). In addition, if a UDP packet sent to port 1900 carries a "Location" header pointing to the chargen port of another system, the two systems can be put into an endless loop that consumes all of their resources (the service needs to be started manually when hardware is installed).

Port 1900 can be used to attempt a follow-up attack.

The host's operating system is reported as VxWorks.

VxWorks is a real-time operating system.

Detailed description: http://baike.baidu.com/view/17288.htm
