Thursday, February 18, 2010

Certified Ethical Hacker 2

Scanning is the process of creating the blueprint of the network.
A war dialer is a tool used to scan a large pool of telephone numbers to detect answering modems, because a poorly configured remote-access product behind a modem can provide entry into a much larger network. Good war dialers include THC-Scan, ToneLoc and TBA. War dialing numbers you are not authorized to test is illegal.

Pinging is the process of sending an ICMP Echo Request packet and waiting for an ICMP Echo Reply from a live system. If ICMP is blocked, TCP or UDP probes can be sent instead to find live hosts. Ping also reports the round-trip time of each packet, which gives a rough measure of network latency, and most ping tools can resolve host names. Good ping tools include Pinger, WS_Ping ProPack, NetScan Tools, HPing, icmpenum, Cain and Abel and NMap. Ping sweep tools typically let you specify an address range and a timeout and then sweep the whole range automatically. Ping sweeps are usually detected by an IDS; you can detect them with software such as Snort, BlackICE and Scanlogd.

The TCP Three-Way Handshake (Refresher):
H1 --SYN--> H2
H2 --SYN/ACK--> H1
H1 --ACK--> H2

Port scanning manipulates the three-way handshake to find out which ports are open. It is the most effective way to determine which services/applications are available for exploitation. Most targets run their services on well-known ports (below 1024).
These are the different scan techniques:
-FTP Bounce
-Fragmented Packets
-UDP Scans

Tools like SuperScan scan for both live targets and open ports. If a host doesn't reply, that doesn't mean it doesn't exist: it may be blocking ICMP, or there may be no route back to the scanner.

Good sites like mile2.com provide white papers describing scanning techniques.

Stealth scans can trick some IDS systems. NMapWin is a front-end for NMap that lets you specify a port range.

Each vendor implements TCP/IP slightly differently, so by comparing a host's replies against a database of known signatures you can usually tell which operating system it runs (OS fingerprinting). The most valuable exploits are zero-day (0day) exploits, for which no patch yet exists.

A passive method is one that tries to stay under the radar. Passive activities are generally used for reconnaissance (e.g. reading newspapers, doing a whois lookup) because they never send a packet to the target itself.

Cheops (pronounced kee-ops) draws a visual map of a network and groups the discovered systems by operating system.

SocksChain lets you reach a target through a chain of proxies, including HTTP proxies. It lets you shape traffic so that it matches what the proxies allow through.

A proxy server acts as a man-in-the-middle between clients and the outside world, which lets it control which behaviours are allowed. A proxy server also caches sites so they load faster for end users, can be used to anonymize web surfing, and can hide the local network from outside access.

Anonymizers are intermediaries that prevent web sites from seeing a user's IP address, making web surfing anonymous. The first anonymizer was developed by Anonymizer.com. An anonymizer strips identifying information from the user's requests while the user surfs the Internet.

We can bypass firewalls with Httptunnel. Httptunnel creates a bidirectional virtual data path tunnelled inside HTTP requests, and the requests can be sent via an HTTP proxy.

HTTPort lets you bypass an HTTP proxy. It acts as a kind of port translation: find the rules the security device enforces, then craft the packets to match those rules.

Linux distributions like BackTrack (previously known as Auditor) boot live from CD and provide a plethora of security tools for footprinting, cracking and so on.

NMap offers different kinds of scans. The most basic is the Connect scan (-sT), which completes the full three-way handshake and is very noisy because the application listening on an open port actually sees a connection. The SYN scan (-sS, "half-open") sends a SYN and, on receiving SYN/ACK, answers with RST instead of ACK, so the handshake never completes. Stealth modes such as the FIN scan (-sF) go further and alter the normal TCP exchange: a bare FIN is sent with no prior SYN, and per RFC 793 a closed port answers with RST while an open port stays silent.
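An added example, not part of the original notes and not NMap's code: a minimal connect scan in Python, plus the TCP-based host discovery fallback mentioned earlier for when ICMP is blocked. The helper names (probe_port, connect_scan, tcp_ping, demo_listener, free_closed_port) are this example's own, and the target it scans is a listener constructed inside the block so that it runs offline on the loopback interface.

```python
import socket
from concurrent.futures import ThreadPoolExecutor


def probe_port(host: str, port: int, timeout: float = 1.0) -> str:
    """Connect scan of one port: complete the SYN, SYN/ACK, ACK handshake."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))   # handshake completed: the service saw us
        return "open"
    except ConnectionRefusedError:
        return "closed"           # the host answered our SYN with RST
    except (socket.timeout, OSError):
        return "filtered"         # no answer: dropped by a filter, or no route back
    finally:
        s.close()


def connect_scan(host: str, ports, workers: int = 64) -> dict:
    """Scan several ports concurrently; returns {port: state}."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda p: probe_port(host, p), ports))
    return dict(zip(ports, states))


def tcp_ping(host: str, ports=(80, 443, 22, 445), timeout: float = 1.0) -> bool:
    """Host discovery when ICMP is blocked: the host is alive if any probe gets
    *any* TCP answer (SYN/ACK or RST); only silence leaves it unknown."""
    return any(probe_port(host, p, timeout) != "filtered" for p in ports)


def demo_listener():
    """Constructed target: a listening socket on a free loopback port.
    Returns (server socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def free_closed_port() -> int:
    """Constructed 'closed' target: grab an ephemeral port and release it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    srv, open_port = demo_listener()
    print(connect_scan("127.0.0.1", [open_port, free_closed_port()]))
    # Why the connect scan is noisy: the listener's accept() sees the scanner.
    srv.settimeout(2)
    conn, peer = srv.accept()
    print("listener logged a connection from", peer)
    conn.close()
    srv.close()
```

The three verdicts map directly onto the handshake: a completed connect means the port is open, an immediate RST (ConnectionRefusedError) means closed, and a timeout means something in between dropped the SYN, which is exactly the "blocked ICMP or no route back" ambiguity discussed above.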

Enumeration is the ability to convince a machine to give information that would help in the attack. Enumeration can help find accounts, and other hosts on the network.

NetBIOS Null Sessions are the most basic way to do enumeration. They exploit a flaw in the CIFS/SMB implementation found on Windows systems. A Null Session is established with a Windows host by connecting to its IPC$ share with an empty user name and password. These null connections allow you to gather the following information from the host:
-List of users and groups (local or active directory, and the SIDs)
-List of hosts
-List of shares or processes

To test for a Null Session, use the syntax (substitute the target's IP address):
net use \\<target IP>\IPC$ "" /u:""

Null Sessions are possible if you see the following message:
The command completed successfully.

Older Windows systems rely on Null Sessions for some of their own functions (the Computer Browser service, for example), which is why they are still enabled by default for compatibility.

NBTscan scans an address range for NetBIOS name information. For each host found, it lists the IP address, NetBIOS computer name, logged-in user name and MAC address.

Use the following command to list the domains visible on the wire (add /domain:NAME to list the hosts in a given domain):
net view /domain

To find the users logged into a system, dump its NetBIOS name table (the <03> entries are logged-on user names):
nbtstat -A <target IP>

DumpSec uses the Null Session to enumerate shares, logon scripts, printers, access control lists and accounts. NetBIOS Auditing Tool explores the NetBIOS file-sharing services. NetBIOS sessions are established over TCP port 139 (on Windows 2000 and later, SMB also runs directly over TCP port 445).

SNMP managers send requests to agents and agents send replies back. The requests and replies refer to variables defined in a MIB (Management Information Base) and identified by OIDs; managers can also send write (Set) requests to modify certain variables. Traps are unsolicited messages an agent sends to its manager when something significant happens, like a reboot or a failure. Because SNMPv1 and v2c protect all of this with nothing more than a community string sent in cleartext (often still the default "public" or "private"), any SNMP utility can easily enumerate this information. SNMPv3 adds authentication and encryption but is not widely adopted. SNMPutil, MIB Walk and IP Network Browser can enumerate SNMP too. Countermeasures are to remove SNMP where it is not needed, change the default community strings and restrict which managers may query the agent. Group policies can also restrict anonymous connections.
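An added example, not part of the original notes and not taken from any of the SNMP tools named above: a hand-rolled SNMPv1 GetRequest for sysDescr.0 built with the Python standard library, so you can see that the community string travels in cleartext and why changing the default matters. The BER helpers (ber, ber_int, ber_oid), the packet parser (community_from_packet, value_from_response) and the probe function are this example's own names; the probe sends to UDP/161 of whatever host you pass it.

```python
import socket


def _ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber(tag: int, payload: bytes) -> bytes:
    """One BER TLV: tag, length, value."""
    return bytes([tag]) + _ber_len(len(payload)) + payload


def ber_int(v: int) -> bytes:
    n = (v.bit_length() + 8) // 8            # minimal two's-complement length
    return ber(0x02, v.to_bytes(n, "big", signed=True))


def ber_oid(oid: str) -> bytes:
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])   # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                            # base-128, continuation bit on all but the last
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return ber(0x06, bytes(out))


SYS_DESCR = "1.3.6.1.2.1.1.1.0"               # sysDescr.0 from MIB-II


def snmpv1_get(community: str, oid: str, request_id: int = 1) -> bytes:
    """SNMPv1 message: SEQUENCE { version 0, community, GetRequest-PDU [0] }."""
    varbind = ber(0x30, ber_oid(oid) + ber(0x05, b""))          # name + NULL value
    pdu = ber(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0) + ber(0x30, varbind))
    return ber(0x30, ber_int(0) + ber(0x04, community.encode()) + pdu)


def _tlv(buf: bytes, pos: int):
    """Read one TLV at pos; returns (tag, value, position after it)."""
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + ln], pos + ln


def community_from_packet(pkt: bytes) -> str:
    """What a sniffer sees: the community string is the second element of the
    outer SEQUENCE, with no encryption at all."""
    tag, body, _ = _tlv(pkt, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, _version, pos = _tlv(body, 0)
    tag, comm, _ = _tlv(body, pos)
    if tag != 0x04:
        raise ValueError("community string missing")
    return comm.decode()


def value_from_response(pkt: bytes) -> bytes:
    """Pull the first varbind's value out of a GetResponse (PDU tag 0xA2)."""
    _, body, _ = _tlv(pkt, 0)
    pos = 0
    for _ in range(2):                        # skip version and community
        _, _, pos = _tlv(body, pos)
    _, pdu, _ = _tlv(body, pos)
    pos = 0
    for _ in range(3):                        # skip request-id, error-status, error-index
        _, _, pos = _tlv(pdu, pos)
    _, vblist, _ = _tlv(pdu, pos)
    _, vb, _ = _tlv(vblist, 0)
    _, _oid, pos = _tlv(vb, 0)
    _, value, _ = _tlv(vb, pos)
    return value


def probe(host: str, community: str = "public", timeout: float = 2.0):
    """Send one GetRequest to UDP/161 and return the raw reply, or None on silence."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.sendto(snmpv1_get(community, SYS_DESCR), (host, 161))
        return s.recv(4096)
    except socket.timeout:
        return None
    finally:
        s.close()
```

Running snmpv1_get("public", SYS_DESCR).hex() shows the bytes 70 75 62 6c 69 63 ("public") sitting in the clear right after the version field; anyone on the path can lift the string and replay it with a Set request, which is the whole argument for changing the defaults and restricting managers.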

We can do a DNS zone transfer to copy all the DNS records of a domain. Active Directory advertises its services through DNS "srv" records, so even a simple zone transfer with nslookup can reveal a lot of interesting network information (point nslookup at the domain's name server first with server <name server>, then request the zone):
ls -d domainname

The following "srv" records are of most interest:
1) Global Catalog Service (_gc._tcp)
2) Domain Controllers (_ldap._tcp)
3) Kerberos Authentication (_kerberos._tcp)

You can block zone transfers on a Windows 2000 DNS server in the zone's properties (the Zone Transfers tab), or restrict them to the secondary servers that actually need them.

You can tell which account is the real Administrator, even if it has been renamed, by looking at its SID: the RID (the last component of the SID) is always 500, built-in accounts use RIDs below 1000, and user-created accounts start at 1000. Enum is a command-line Win32 enumeration utility that makes use of Null Sessions. Enum can also perform basic brute-force or dictionary attacks on individual accounts.

Userinfo retrieves all available information about a user from any NT/Win2k system listening on port 139. It calls the NetUserGetInfo API at level 3, which returns the SID, group memberships, account restrictions, smart-card requirements, password age and expiration.

GetAcct works well for Windows 2000 and below. It retrieves information similar to Userinfo.

The easiest way to enumerate Active Directory is with an LDAP query. You can use Microsoft's ldp.exe (from the Windows Support Tools) and try to authenticate as Guest on port 389. When running DCPromo, choose the permissions setting that is not compatible with pre-Windows 2000 servers unless that compatibility is genuinely required, because the compatible setting lets anonymous users read directory information.

Cain and Abel can be used for enumeration. Cain is the main application and does the enumeration as well as the cracking; Abel is a companion service that can be installed on a remote host. To enumerate the network, click on the Network tab, add a device to the Quick List and connect with no user name and password (a Null Session). Click on the Users tab. You may get an Access Denied message; just click OK and scan for the RIDs (remember, the built-in accounts are in the range 500-999 and user-created accounts are 1000 or more).
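An added example, not part of the original notes and not code from enum, Cain or any other tool named here, that does what the RID scan above does by hand: decode the binary SID layout Windows returns, and pick the real Administrator out of an account listing by its RID of 500 rather than by its name. The account list is constructed for this example (the domain SID and the renamed/decoy accounts are made up), and the function names are this example's own.

```python
import struct

# Constructed sample of what a null-session enumeration hands back: name -> SID.
# "helpdesk" is the renamed built-in Administrator; "Administrator" is a decoy
# user account created later with an ordinary RID.
SAMPLE_ACCOUNTS = {
    "Guest":         "S-1-5-21-1004336348-1177238915-682003330-501",
    "helpdesk":      "S-1-5-21-1004336348-1177238915-682003330-500",
    "jsmith":        "S-1-5-21-1004336348-1177238915-682003330-1001",
    "Administrator": "S-1-5-21-1004336348-1177238915-682003330-1003",
}


def sid_from_bytes(blob: bytes) -> str:
    """Decode the binary SID layout Windows APIs return:
    revision (1) | sub-authority count (1) | identifier authority (6, big-endian)
    | sub-authorities (4 bytes each, little-endian)."""
    revision, count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, blob, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(map(str, subs)))


def sid_to_bytes(sid: str) -> bytes:
    """Inverse of sid_from_bytes, for building test data or LSA queries."""
    parts = sid.split("-")
    if parts[0] != "S":
        raise ValueError("not a SID: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def rid(sid: str) -> int:
    """The relative identifier is the last sub-authority."""
    return int(sid.rsplit("-", 1)[1])


def classify_rid(r: int) -> str:
    if r == 500:
        return "built-in Administrator"
    if r == 501:
        return "built-in Guest"
    if r < 1000:
        return "other built-in"
    return "user-created"


def find_real_administrator(accounts: dict) -> str:
    """Match on RID 500, never on the name: renaming the account changes the
    name but not the SID."""
    for name, sid in accounts.items():
        if rid(sid) == 500:
            return name
    raise LookupError("no RID 500 in listing")


if __name__ == "__main__":
    for name, sid in SAMPLE_ACCOUNTS.items():
        print("%-14s RID %-5d %s" % (name, rid(sid), classify_rid(rid(sid))))
    print("real Administrator:", find_real_administrator(SAMPLE_ACCOUNTS))
```

The same logic is why renaming the Administrator account is only a speed bump: the name is cosmetic, the RID is structural, and every tool mentioned above keys on the RID.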

A few more exam points:
-ACK scans send packets with only the ACK flag set. A stateful firewall drops unsolicited ACKs, so an ACK scan that gets no replies tells you the firewall is stateful; a stateless packet filter lets them through and the host answers RST on every port, open or closed.
-If NMap's OS detection matches too many signatures and cannot identify the host reliably, the exam answer is that the host is not properly patched (in practice, filtering and unusual stacks produce the same symptom).
-NULL scan (no flags set): a closed port answers RST; an open port does not answer.
-Xmas Tree scan (FIN, PSH and URG set): a closed port answers RST; an open port does not answer.
-To keep NetBIOS/SMB traffic out, block TCP ports 135, 139 and 445 (and UDP 137 and 138) at the perimeter.
-Firewalking sends TCP or UDP probes, typically against ports 1 to 1024, with the TTL set to expire one hop past the firewall; an ICMP "time exceeded" reply from the hop behind the firewall means the firewall let that port through.
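An added example, not part of the original notes, that ties together the NULL, Xmas, FIN, SYN and ACK scan behaviour described above and in the NMap section: it parses the flag byte of a raw TCP header, names the probe type, derives the RFC 793 reply for an open or closed port (the general rule behind the two exam facts, not just those two cases), and runs a small detection pass over a constructed capture the way an IDS portscan preprocessor would. The headers are built inside the block, and the function names are this example's own.

```python
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
# src port, dst port, seq, ack, data offset/reserved, flags, window, checksum, urgent
TCP_HDR = struct.Struct("!HHIIBBHHH")


def tcp_header(sport: int, dport: int, flags: int, seq: int = 0, ack: int = 0) -> bytes:
    """Build a minimal 20-byte TCP header (constructed probe, checksum left zero)."""
    return TCP_HDR.pack(sport, dport, seq, ack, 5 << 4, flags, 1024, 0, 0)


def tcp_flags(header: bytes) -> int:
    return TCP_HDR.unpack_from(header)[5]


def classify_probe(header: bytes) -> str:
    """Name the scan type from the flag combination of one segment."""
    f = tcp_flags(header)
    if f == 0:
        return "NULL scan"
    if f == FIN:
        return "FIN scan"
    if f == FIN | PSH | URG:
        return "Xmas scan"
    if f == ACK:
        return "ACK scan"
    if f == SYN:
        return "SYN (half-open or connect) scan"
    return "normal traffic"


def expected_reply(flags: int, port_open: bool) -> str:
    """Reply from an RFC 793-conformant stack, assuming nothing filters the probe.
    CLOSED: anything that is not itself a RST gets a RST.
    LISTEN: RST is ignored, ACK gets RST, SYN gets SYN/ACK, anything else is dropped."""
    if flags & RST:
        return "none"
    if not port_open:
        return "RST"
    if flags & ACK:
        return "RST"
    if flags & SYN:
        return "SYN/ACK"
    return "none"


def infer_port_state(flags: int, reply: str) -> str:
    """The scanner's view of the same rule: turn a reply (or silence) into a verdict."""
    if flags & ACK:
        return "unfiltered" if reply == "RST" else "filtered"
    if flags & SYN:
        if reply == "SYN/ACK":
            return "open"
        return "closed" if reply == "RST" else "filtered"
    # NULL / FIN / Xmas: silence could be an open port or a dropped probe
    return "closed" if reply == "RST" else "open|filtered"


ABNORMAL = ("NULL scan", "FIN scan", "Xmas scan", "ACK scan")


def probed_ports(headers) -> dict:
    """Detection side: which destination ports were hit by abnormal flag
    combinations, grouped by scan type. Many ports under one type is a sweep."""
    hits = {}
    for h in headers:
        kind = classify_probe(h)
        if kind in ABNORMAL:
            hits.setdefault(kind, set()).add(TCP_HDR.unpack_from(h)[1])
    return hits


if __name__ == "__main__":
    # Constructed capture: a NULL sweep of ports 1-6 plus one ordinary SYN to port 80.
    capture = [tcp_header(40000 + i, i + 1, 0) for i in range(6)]
    capture.append(tcp_header(50000, 80, SYN))
    for h in capture:
        f = tcp_flags(h)
        print(classify_probe(h), "-> closed:", expected_reply(f, False), "open:", expected_reply(f, True))
    print(probed_ports(capture))
```

Reading expected_reply against the list above: a NULL or Xmas probe to a closed port gets RST and to an open port gets nothing, a SYN probe gets RST or SYN/ACK, and an ACK probe gets RST either way unless a stateful firewall swallows it, which is why infer_port_state reports "unfiltered"/"filtered" rather than open/closed for ACK scans.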
