1. Trang chủ
  2. » Công Nghệ Thông Tin

CEHv8 module 04 enumeration


Structure

  • Enumeration: Module 04 (CEH)
    • Security News: Hackers Attack US Weather Service
  • Module Objectives
  • Module Flow
    • What Is Enumeration?
    • Techniques for Enumeration
      • Extract information using the default passwords
      • Brute force Active Directory
      • Extract user names using SNMP
      • Extract user groups from Windows
      • Extract information using DNS Zone Transfer
    • Services and Ports to Enumerate
      • TCP 53: DNS zone transfer
      • TCP 135: Microsoft RPC Endpoint Mapper
      • TCP 137: NetBIOS Name Service (NBNS)
      • TCP 139: NetBIOS Session Service (SMB over NetBIOS)
      • TCP 445: SMB over TCP (Direct Host)
      • UDP 161: Simple Network Management Protocol (SNMP)
      • TCP/UDP 389: Lightweight Directory Access Protocol (LDAP)
      • TCP/UDP 3368: Global Catalog Service
      • TCP 25: Simple Mail Transfer Protocol (SMTP)
  • NetBIOS Enumeration
    • NetBIOS Enumeration (Cont'd)
    • NetBIOS Enumeration Tool: SuperScan
    • NetBIOS Enumeration Tool: Hyena
    • NetBIOS Enumeration Tool: WinFingerprint
    • NetBIOS Enumeration Tool: NetBIOS Enumerator
    • Enumerating User Accounts
      • PsExec
      • PsFile
      • PsKill
      • PsInfo
      • PsList
      • PsLoggedOn
      • PsLogList
      • PsPasswd
      • PsShutdown
    • Enumerate Systems Using Default Passwords
  • SNMP (Simple Network Management Protocol) Enumeration
    • Working of SNMP
    • SNMP Enumeration Tool: OpUtils
    • SNMP Enumeration Tool: SolarWinds IP Network Browser
    • SNMP Enumeration Tools
  • UNIX/Linux Enumeration Commands
    • rpcclient
    • showmount
    • Linux Enumeration Tool: Enum4linux
  • LDAP Enumeration
    • LDAP Enumeration Tool: Softerra LDAP Administrator
    • LDAP Enumeration Tools
  • NTP Enumeration
    • NTP Enumeration Commands
      • ntpdc
      • ntpq
  • SMTP Enumeration
    • SMTP Enumeration Tool: NetScanTools Pro
  • Enumeration Countermeasures
    • SNMP Enumeration Countermeasures
    • DNS Enumeration Countermeasures
    • Enumeration Countermeasures (Cont'd)
      • SMTP
      • LDAP
    • SMB Enumeration Countermeasures
  • Enumeration Pen Testing
    • Enumeration Pen Testing (Cont'd)
  • Module Summary

Contents

Enumeration
Module 04

Ethical Hacking and Countermeasures v8, Exam 312-50: Certified Ethical Hacker
Engineered by Hackers. Presented by Professionals.
Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Security News (October 20, 2012)
Hackers Attack US Weather Service
Source: http://www.theaustralian.com.au

The US National Weather Service computer network was hacked with a group from Kosovo claiming credit and posting sensitive data, security experts said recently. Data released by the Kosovo Hackers Security group includes directory structures, sensitive files from the web server, and other data that could enable later access, according to Chrysostomos Daniel of the security firm Acunetix.

"The hacker group stated that the attack is a protest against the US policies that target Muslim countries," Daniel said. Moreover, the attack was a payback for hacker attacks against nuclear plants in Muslim countries, according to a member of the hacking group who said, "They hack our nuclear plants using STUXNET and FLAME-like malwares, they are bombing us 24-7, we can't sit silent — hack to payback them."

Paul Roberts, writing on the Sophos Naked Security blog, said the leaked information includes a list of administrative account names, which could open the hacked servers to subsequent "brute force attacks." "Little is known about the group claiming responsibility for the attack," he said. "However, they allege that the weather.gov hack was just one of many US government hacks the group had carried out and that more releases are pending."
Module Objectives

In the previous modules, you learned about footprinting and scanning networks. The next phase of penetration testing is enumeration. As a pen tester, you should know the purpose of performing enumeration, the techniques used to perform enumeration, where you should apply enumeration, what information you get, enumeration tools, and the countermeasures that can make network security stronger. All these things are covered in this module.

This module will familiarize you with the following:
  • What Is Enumeration?
  • Techniques for Enumeration
  • Services and Ports to Enumerate
  • NetBIOS Enumeration
  • Enumerate Systems Using Default Passwords
  • SNMP Enumeration
  • UNIX/Linux Enumeration
  • LDAP Enumeration
  • NTP Enumeration
  • SMTP Enumeration
  • DNS Enumeration
  • Enumeration Countermeasures
  • Enumeration Pen Testing

Module Flow

In order to make you better understand the concept of enumeration, we have divided the module into various sections. Each section deals with different services and ports to enumerate. Before beginning with the actual enumeration process, first we will discuss enumeration concepts.

Sections: Enumeration Concepts, NetBIOS Enumeration, SNMP Enumeration, UNIX/Linux Enumeration, LDAP Enumeration, NTP Enumeration, SMTP Enumeration, DNS Enumeration, Enumeration Countermeasures, Enumeration Pen Testing.

This section briefs you about what enumeration is, enumeration techniques, and services and ports to enumerate.

What Is Enumeration?
Enumeration is defined as the process of extracting user names, machine names, network resources, shares, and services from a system. In the enumeration phase, the attacker creates active connections to the system and performs directed queries to gain more information about the target. The attacker uses the gathered information to identify the vulnerabilities or weak points in system security and then tries to exploit them. Enumeration techniques are conducted in an intranet environment. It involves making active connections to the target system. It is possible that the attacker stumbles upon a remote IPC share, such as IPC$ in Windows, that can be probed with a null session, allowing shares and accounts to be enumerated.

The previous modules highlighted how the attacker gathers necessary information about the target without really getting on the wrong side of the legal barrier. The type of information enumerated by attackers can be loosely grouped into the following categories.

Information enumerated by intruders:
  • Network resources and shares
  • Users and groups
  • Routing tables
  • Auditing and service settings
  • Machine names
  • Applications and banners
  • SNMP and DNS details

Techniques for Enumeration

In the enumeration process, an attacker collects data such as network users and group names, routing tables, and Simple Network Management Protocol (SNMP) information. This module explores possible ways an attacker might enumerate a target network, and what countermeasures can be taken. The following are the different enumeration techniques that can be used by attackers:

Extract user names using email IDs
In general, every email ID contains two parts: one is the user name and the other is the domain name. The structure of an email address is username@domainname. Consider abc@gmail.com; in this email ID "abc" (the characters preceding the @ symbol) is the user name and "gmail.com" (the characters following the @ symbol) is the domain name.

Extract information using the default passwords
Many online resources provide lists of default passwords assigned by the manufacturer for their products. Often users forget to change the default passwords provided by the manufacturer or developer of the product. If users don't change their passwords for a long time, then attackers can easily enumerate their data.

Brute force Active Directory
Microsoft Active Directory is susceptible to a user name enumeration weakness at the time of user-supplied input verification. This is the consequence of a design error in the application. If the "logon hours" feature is enabled, then attempts to authenticate to the service result in varying error messages. Attackers take advantage of this and exploit the weakness to enumerate valid user names. If an attacker succeeds in revealing valid user names, then he or she can conduct a brute-force attack to reveal the respective passwords.

Extract user names using SNMP
Attackers can easily guess the community "strings" using the SNMP API, through which they can extract the required user names.

Extract user groups from Windows
These extract user accounts from specified groups, store the results, and also verify whether the session accounts are in the group or not.

Extract information using DNS Zone Transfer
DNS zone transfer reveals a lot of valuable information about the particular zone you request. When a DNS zone transfer request is sent to the DNS server, the server transfers a copy of its DNS records for that zone. An attacker can get valuable topological information about a target's internal network using DNS zone transfer.
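The "varying error messages" weakness described under Brute force Active Directory shows up on the defender's side as a single source address producing failed logons for many distinct user names within a short window, whatever reason each failure carried. The Python script below is an added example and not part of the CEH module: it parses a constructed key=value authentication log (the format and field names are this example's own, not any product's) and flags any source that fails against at least five distinct user names inside a five-minute window.

```python
"""Flag user-name enumeration attempts in authentication logs.

Added example, not part of the CEH module. The log format below
(key=value fields after an ISO timestamp) is constructed for this
example; map the field names to your own SIEM's schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: 10.0.0.5 cycles through six user names in a few
# seconds (enumeration pattern); 10.0.0.9 is one user mistyping a password.
SAMPLE_LOG = """\
2012-10-20T11:28:01 src=10.0.0.5 user=alice result=failure reason=bad_password
2012-10-20T11:28:02 src=10.0.0.5 user=bob result=failure reason=no_such_user
2012-10-20T11:28:02 src=10.0.0.5 user=carol result=failure reason=no_such_user
2012-10-20T11:28:03 src=10.0.0.5 user=dave result=failure reason=outside_logon_hours
2012-10-20T11:28:03 src=10.0.0.5 user=erin result=failure reason=no_such_user
2012-10-20T11:28:04 src=10.0.0.5 user=frank result=failure reason=no_such_user
2012-10-20T11:30:00 src=10.0.0.9 user=alice result=failure reason=bad_password
2012-10-20T11:30:05 src=10.0.0.9 user=alice result=failure reason=bad_password
2012-10-20T11:30:09 src=10.0.0.9 user=alice result=success reason=-
"""


def parse_line(line):
    """Split one log line into a dict; the timestamp is parsed to datetime."""
    ts_text, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts_text)
    return fields


def find_enumeration_sources(log_text, window=timedelta(minutes=5), min_users=5):
    """Return {src: sorted user names} for every source whose failed logons
    cover at least `min_users` distinct names inside some `window`-long span.

    The reason field is deliberately ignored: the AD weakness in the text is
    that the reasons differ per account, so counting distinct names per source
    catches the probing regardless of which error each name produced.
    """
    failures = defaultdict(list)  # src -> [(ts, user), ...]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        if f["result"] == "failure":
            failures[f["src"]].append((f["ts"], f["user"]))

    flagged = {}
    for src, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the window start forward until the span fits in `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({u for _, u in events[start:end + 1]}) >= min_users:
                flagged[src] = sorted({u for _, u in events})
                break
    return flagged


if __name__ == "__main__":
    for src, users in find_enumeration_sources(SAMPLE_LOG).items():
        print(f"possible user-name enumeration from {src}: {', '.join(users)}")
```

Thresholds of five names in five minutes are starting points; a domain controller serving a large site needs the window and count tuned against its normal failure rate, and the same sliding-window logic applies to any log that records source, account and outcome.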
FIGURE 4.17: DNS zone transfer screenshot (nslookup session)

    C:\>nslookup
    Default Server:  ns1.example.com
    Address:  10.219.100.1
    > server 192.168.234.110
    Default Server:  corp-dc.example2.org
    Address:  192.168.234.110
    > set type=any
    > ls -d example2.org
    [192.168.234.110]
     example2.org.    SOA   corp-dc.example2.org admin.example2.org.
     example2.org.    A     192.168.234.110
     example2.org.    NS    corp-dc.example2.org
     _gc._tcp         SRV   priority=0, weight=100, port=3268, corp-dc.example2.org
     _kerberos._tcp   SRV   priority=0, weight=100, port=88, corp-dc.example2.org
     _kpasswd._tcp    SRV   priority=0, weight=100, port=464, corp-dc.example2.org

Module Flow: Enumeration Countermeasures

So far, we have discussed what enumeration is, how to perform various types of enumeration, and what type of information an attacker can extract through enumeration. Now it's time to examine the countermeasures that can help you keep attackers from enumerating sensitive information from your network or host. This section focuses on how to avoid information leakage through SNMP, DNS, SMTP, LDAP, and SMB.
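The zone transfer in the figure hands back every record in the zone, which is why the DNS countermeasures in this module come in two halves: refuse transfers to hosts that are not your own secondaries, and keep the zone free of data you would not want leaked anyway (HINFO records, internal hosts with private addresses). The Python script below is an added example, not code from the CEH module: it parses a constructed BIND-style zone loosely modelled on the figure, reports HINFO records and RFC 1918 addresses, and checks a transfer ACL list for an open "any" entry. The zone text, the ACL values and the helper names are this example's own.

```python
"""Audit a public zone for records a zone transfer would leak.

Added example, not part of the CEH module. The zone text and the ACL
values are constructed for this example; helper names are this example's
own. Multi-line records (parentheses spanning lines) are not handled.
"""
import ipaddress
import re

# Constructed sample zone, loosely modelled on the zone-transfer figure.
SAMPLE_ZONE = """\
$ORIGIN example2.org.
@              IN SOA   corp-dc.example2.org. admin.example2.org. (2012102001 3600 900 604800 86400)
@              IN NS    corp-dc.example2.org.
@              IN A     192.168.234.110
corp-dc        IN A     192.168.234.110
corp-dc        IN HINFO "Intel" "Windows Server"   ; hardware and OS, handed to anyone who asks
www            IN A     203.0.113.10
_kerberos._tcp IN SRV   0 100 88 corp-dc.example2.org.
"""

# owner [ttl] IN type rdata   (class assumed to be IN for this example)
RECORD_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+(\S+)\s+(.*)$")

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_zone(zone_text):
    """Return [(owner, rtype, rdata), ...]; comments, blank lines and
    $-directives are skipped."""
    records = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line or line.startswith("$"):
            continue
        m = RECORD_RE.match(line)
        if m:
            records.append((m.group(1), m.group(2), m.group(3).strip()))
    return records


def is_rfc1918(addr_text):
    """True for an IPv4 address inside one of the RFC 1918 private ranges."""
    addr = ipaddress.ip_address(addr_text)
    return addr.version == 4 and any(addr in net for net in RFC1918)


def audit_zone(zone_text):
    """Return [(owner, rtype, reason), ...] for data that should not sit in a
    zone served to the public: HINFO records and private (RFC 1918) hosts."""
    findings = []
    for owner, rtype, rdata in parse_zone(zone_text):
        if rtype == "HINFO":
            findings.append((owner, rtype, "HINFO reveals hardware/OS"))
        elif rtype == "A" and is_rfc1918(rdata):
            findings.append((owner, rtype, f"private address {rdata} published"))
    return findings


def transfer_acl_is_safe(allow_transfer):
    """allow_transfer is the list of hosts permitted to pull the zone (the
    value of BIND's allow-transfer option). An empty list (no restriction
    configured, treated here as BIND's historical default of unrestricted
    transfers) or an 'any' entry means any host on the Internet can dump it."""
    entries = [e.strip().lower() for e in allow_transfer]
    return bool(entries) and "any" not in entries


if __name__ == "__main__":
    for owner, rtype, reason in audit_zone(SAMPLE_ZONE):
        print(f"{owner:<16}{rtype:<6}{reason}")
    print("allow-transfer { any; } safe?", transfer_acl_is_safe(["any"]))
    print("allow-transfer { 192.0.2.53; } safe?", transfer_acl_is_safe(["192.0.2.53"]))
```

Run against the sample zone, the audit flags the apex and corp-dc A records (192.168.234.110 is an internal address published in a public zone) and the HINFO record; the www record, on a public address, is left alone. The ACL check is the configuration-side complement: a zone that is clean still leaks its topology if any host may pull it.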
Enumeration Countermeasures

You can apply the following countermeasures to prevent information leakage through various types of enumeration.

SNMP Enumeration Countermeasures:
  • Remove the SNMP agent or turn off the SNMP service from your system.
  • If shutting off SNMP is not an option, then change the default "public" community's name.
  • Upgrade to SNMPv3, which encrypts passwords and messages.
  • Implement the Group Policy security option called "Additional restrictions for anonymous connections."
Q Restrict access to null session pipes, null session shares, and IPSec filtering Q Block access to T CP/U D P ports 161 S Do not install the m anagem ent and m onitoring W in d o w s co m p o n ent unless it is required M o d u le Page 504 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil All Rights R eserved R ep ro d u ctio n is S trictly P ro h ib ite d Ethical Hacking a n d C o u n te rm e a s u re s E n u m e tio n Q { J Exam 2-50 C ertified Ethical H acker Encrypt or authenticate using IPSEC D N S E n u m e tio n C o u n te rm e a s u r e s : S Configure all name servers not to send DNS zone transfers to unreliable hosts © Check the publicly accessible DNS server's DNS zone files and ensure that the IP addresses in these files are not referenced by non-public hostnames Q M a k e sure that the DNS zone files not contain HINFO or any other records Q Provide standard network adm inistration contact details in N etw ork Information Center Databases This helps to avoid war-dialing or social engineering attacks © Prune DNS zone files to prevent revealing unnecessary information M o d u le Page 505 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIlCil All Rights R eserved R ep ro d u ctio n is S trictly P ro h ib ite d Ethical Hacking a n d C o u n te rm e a s u re s E n u m e tio n Exam 2-50 C ertified Ethical H acker E n u m e r a t io n C o u n t e r m e a s u r e s E H (C o n t’d) c ItbKtf UrlAH SM TP J Configure SMTP servers to: Q Ig n o re e m a il m essages to u n k n o w n re c ip ie n ts Q N o t in c lu d e se n s itive m a il s e rv e r an d lo ca l h o s t in fo rm a tio n in m a il responses Q D isable o p e n re la y fe a tu re 1 1 1 1 1 1 1 LDAP J tf Use N TLM o r basic a u th e n tic a tio n to lim it access to k n o w n users o n ly By d e fa u lt, LDAP tra ffic is tra n s m itte d u n se cu re d ; use SSL te c h n o lo g y to e n c ry p t th e tra ffic J S elect a u s e r n a m e d iffe r e n t fro 
m y o u r e m a il address an d en a b le a c c o u n t lo c k o u t Copyright C by IC-Ccuncil All Rights Reserved Reproduction is Strictly Prohibited E n u m e r a t i o n C o u n t e r m e a s u r e s ( C o n t ’d ) (MSS SM TP: Configure SMTP servers to: S Ignore email messages to unknown recipients © Not include sensitive mail relay feature server and local host inform ation in mail responses Q Disable open Ignore emails to unknown recipients by configuring SM TP servers LD AP: — © Use N T LM or basic authentication to limit access to known users only © By default, LDAP traffic is transm itted unsecured; use SSL technology to encrypt the traffic © Select a user name different from your em ail address and enable account lockout M o d u le Page 506 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil All Rights R eserved R ep ro d u ctio n is S trictly P ro h ib ite d Ethical Hacking a n d C o u n te rm e a s u re s E n u m e tio n Exam 2-50 C ertified Ethical H acker C E H S M B E n u m e tio n C o u n te rm e a s u r e s D is a b lin g SM B Ethernet Properties Go to E th e rn e t P ro p e rtie s Networking Connectusng: •j* BroadcomNetbnk(TM)GigattfEthernet ® \ T Select the Client fo r M icro so ft K ' N etw orks and File and P rinter Sharing fo r M icro so ft N etw orks check boxes Configure Thisconnectionusesthefolowngterns: 1* < * | * ‫ר‬ F3c-:e: File and Printer Shanng for Mcrosoft Networks | U ‫^־‬-MicrosoftNetworkAdapterMubptexorProtocol •A-MKTosoftLLDPProtocolDriver Link-LayerTopologyDiscoveryMapper1/0Driver ‫־*־‬Link-LayerTopologyDiscoveryResponder Click U n in s ta ll Description AllowsyourcomputertoaccessresourcesonafAcrosoft F o llo w th e u n in s ta ll steps Copyright © by IC-Ccuncil All Rights Reserved Reproduction is Strictly Prohibited w S M B E n u m e tio n C o u n te rm e a s u re s C om m on sharing services or other unused services may prove to be d o o rw a y s for attackers to break into your security Therefore, you 
should disable these services to avoid inform ation leakage or other types of attacks If you don't disable these services, then you can be vulnerable enum eration Server M e ssa ge Block (SMB) is a service intended to provide shared access to files, serial ports, printers, and com m un ications between nodes on a network If this service is running on your network, then you will be at high risk of getting attacked Therefore, you should disable it if not necessary, to prevent enum eration Steps to disable SMB: Go to Ethernet Properties Select the C lien t for M icro so ft N e tw o r k s and F ile an d P rinter S h a rin g for M icro so ft N e tw o r k s check boxes Click U n in sta ll Follow the uninstall steps M o d u le Page 507 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil All Rights R eserved R ep ro d u ctio n is S trictly P ro h ib ite d Ethical Hacking a n d C o u n te rm e a s u re s E n u m e tio n Exam 2-50 C ertified Ethical H acker Ethernet Properties Networking Connect using: ‫ ■י־י‬Broadcom Net Link (TM) Gigabit Ethernet Configure This connection uses the following items: IH g M [0 ‫ס‬ Client for Microsoft Networks | J H Q S Packet Scheduler _ A File and Printer Sharing for Microsoft Networks Microsoft Network Adapter Multiplexor Protocol Microsoft LLDP Protocol Driver Link-Layer Topology Discovery Mapper I/O Driver Link-Layer Topology Discovery‫ ׳‬Responder Install Uninstall Properties Description Allows your computer to access resources on a Microsoft network OK Cancel FIGURE : E th e r n e t p r o p e r tie s S c re e n s h o t M o d u le Page 508 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIlCil All Rights R eserved R ep ro d u ctio n is S trictly P ro h ib ite d Ethical Hacking a n d C o u n te rm e a s u re s E n u m e tio n Exam 2-50 C ertified Ethical H acker M o d u le F lo w Enumeration Concepts CEH NetBIOS Enumeration □ SMTP Enumeration UNIX/Linux Enumeration DNS Enumeration SNMP 
Enumeration Enumeration Counterm easures W k Copyright C by IC-Ccuncil All Rights Reserved Reproduction is Strictly Prohibited M o d u le F lo w This section describes the im portance of enum eration pen testing, the fra m e w ork of pen testing steps, and the tools that can be used to conduct pen testing E num e ration Concepts NTP E n um e ration ‫י׳‬- I i ‫׳‬ N etB ios Enum eration S M T P En um eration _ S N M P E num ertion /A■ ^ DNS Enum eration U n ix/Lin ux E num e ration E num eration Cou nte rm e a sure s is: > LDAP E num eration M o d u le Page 509 E num e ration Pen Testing Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil All Rights R eserved R ep ro d u ctio n is S trictly P ro h ib ite d Ethical Hacking a n d C o u n te rm e a s u re s E n u m e tio n Exam 2-50 C ertified Ethical H acker E n u m e r a tio n P e n T e s tin g CEH Used to identify valid user accounts or poorly protected resource shares using active connections to systems and directed queries The information can be users and groups, netw ork resources and shares, and applications Used in combination with data collected in the reconnaissance phase Copyright © by IC-Council All Rights Reserved Reproduction is Strictly Prohibited E n u m e tio n P e n T e s tin g Through enum eration, an attacker may gather sensitive in fo rm a tio n of organizations if the security is not strong He or she may then use that sensitive inform ation to hack and break into the organization's network If an attacker breaks into the organization, then the organization p o te n tia lly faces huge losses in term s of inform ation, service, or finance Therefore, to avoid these kinds of attacks, every organization must test its own security Testing the security of an organization legally against enum eration is called enum eration pen testing Enum eration pen testing is conducted with the help of the data collected in the reconnaissance phase As a pen tester, conduct enum eration 
penetration tests to check w h e the r the target netw ork is revealing any sensitive inform ation that may help an attacker to perform a w e ll-p la n n e d attack Apply all types of enum eration techniques to gather sensitive inform ation such as user accounts, IP address, email contacts, DNS, netw ork resources and shares, application inform ation, and much more Try to discover as much inform ation as possible regarding the target This helps you determ ine the vuln e b ilitie s /w e a kn e s s e s in the target organization's security M o d u le Page 510 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil All Rights R eserved R ep ro d u ctio n is S trictly P ro h ib ite d Ethical Hacking a n d C o u n te rm e a s u re s E n u m e tio n Exam 2-50 C ertified Ethical H acker E n u m e r a tio n P e n T e s tin g (C o n t’d) ‫ןן‬ ‘•‫י׳״‬- ‫—י *״“י‬ r n‫ ־‬r ‫נ‬ START y ^ U se tools such as W h o is Lookup v C a lc u la te th e .‫< ״‬ s u b n e t m a sk Use S u bn et M a s k Calculators In ord er to enum erate im portant servers, V find the netw ork range using tools such as Use tools such as Nmap (nmap s P cn e tw o rk range>) U n d e rg o h o s t d is c o v e ry W h o is Lookup Calculate the subnet m ask required for the IP range as an input to m any o f the ping sw eep and port scanning tools by using Subnet M a s k Calculators V P e rfo rm p o r t '•► s c a n n in g Use tools such as Nm ap (nmap sS< networkrange>) Find the servers connected to the Internet using tools such as N m ap Perform port scanning to check for the open ports on the nodes using tools such as N m ap Copyright © by IC-Ccuncil All Rights Reserved Reproduction is Strictly Prohibited na E n u m e r a t i o n P e n T e s t i n g ( C o n t ’d ) You should conduct all possible enum eration techniques to en um erate as much inform ation as possible about the target To ensure the full scope of the test, enum eration pen testing is divided into steps This p en e tra tio n 
test includes a series of steps to obtain desired information S t e p l: Find the n e tw o rk range If you w ant to break into an organ ization 's netw ork, you should know the netw ork range first This is because if you know the netw ork range, then you can mask yourself as a user falling within the range and then try to access the network So the first step in enum eration pen testing is to obtain inform ation about netw ork range You can find the netw ork range of target organization with the help of tools such as W h o is Lookup Step 2: Calculate the subnet mask Once you find the netw ork rage of the target network, then calculate the subnet mask required for the IP range using tools such as Subnet M a s k Calculator You can use the calculated subnet mask as an input to many of the ping sweep and port scanning tools for further enum eration, which includes discovering hosts and open ports M o d u le Page 511 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-C0UnCil All Rights R eserved R ep ro d u ctio n is S trictly P ro h ib ite d Ethical Hacking a n d C o u n te rm e a s u re s E n u m e tio n Exam 2-50 C ertified Ethical H acker Step 3: U ndergo host discovery Find the im portant servers connected to the Internet using tools such as Nmap The Nmap syntax to find the servers connected to Internet is as follows: nm ap - s P < n e t w o r k - r a n g e > In place of the netw ork range, enter the netw ork range value obtained in the first step Step 4: Pe rform port scanning It is very im portant to discover the open ports and close them if they are not required This is because open ports are the doorw ays for an attacker to break into a target's security perimeter Therefore, perform port scanning to check for the open ports on the nodes This can be accom plished with the help of tools such as Nmap M o d u le Page 512 Ethical H acking a n d C o u n te rm e a s u re s C opyright © by EC-COUIlCil All Rights R eserved R ep ro d u ctio n is S 
Enumeration Pen Testing (Cont'd)

[Slide: flow chart, continued]
5. Perform DNS enumeration: use the Windows utility NSLookup
6. Perform NetBIOS enumeration: use tools such as SuperScan, Hyena, and WinFingerprint
7. Perform SNMP enumeration: use tools such as OpUtils Network Monitoring Toolset and SolarWinds IP Network Browser
8. Perform Unix/Linux enumeration: use tools such as Enum4linux

Step 5: Perform DNS enumeration
Perform DNS enumeration to locate all the DNS servers and their records. The DNS servers provide information such as system names, user names, IP addresses, etc. You can extract all this information with the help of the Windows utility nslookup.

Step 6: Perform NetBIOS enumeration
Perform NetBIOS enumeration to identify the network devices over TCP/IP and to obtain a list of computers that belong to a domain, a list of shares on the individual hosts, and policies and passwords. You can perform NetBIOS enumeration with the help of tools such as SuperScan, Hyena, and WinFingerprint.

Step 7: Perform SNMP enumeration
Perform SNMP enumeration by querying the SNMP server in the network. The SNMP server may reveal information about user accounts and devices. You can perform SNMP enumeration using tools such as OpUtils and SolarWinds IP Network Browser.

Step 8: Perform Unix/Linux enumeration
Perform Unix/Linux enumeration using tools such as Enum4linux. You can use commands such as showmount, finger, rpcinfo (RPC), and rpcclient to enumerate UNIX network resources.

Enumeration Pen Testing (Cont'd)

[Slide: flow chart, continued]
9. Perform LDAP enumeration: use tools such as Softerra LDAP Administrator
10. Perform NTP enumeration: use commands such as ntptrace, ntpdc, and ntpq
11. Perform SMTP enumeration: use tools such as NetScanTools Pro

Step 9: Perform LDAP enumeration
Perform LDAP enumeration by querying the LDAP service. By querying the LDAP service you can enumerate valid user names, departmental details, and address details. You can use this information to perform social engineering and other kinds of attacks. You can perform LDAP enumeration using tools such as Softerra LDAP Administrator.

Step 10: Perform NTP enumeration
Perform NTP enumeration to extract information such as the hosts connected to the NTP server, client IP addresses, the OS running on the client systems, etc. You can obtain this information with the help of commands such as ntptrace, ntpdc, and ntpq.

Step 11: Perform SMTP enumeration
Perform SMTP enumeration to determine the valid users on the SMTP server. You can use tools such as NetScanTools Pro to query the SMTP server for this information.

Step 12: Document all the findings
The last step in every pen test is documenting all the findings obtained during the test. You should analyze them and suggest countermeasures for your client to improve their security.

Module Summary

□ Enumeration is defined as the process of extracting user names, machine names, network resources, shares, and services from a system.
□ Simple Network Management Protocol (SNMP) is a TCP/IP protocol used for remote monitoring and managing hosts, routers, and other devices on a network.
□ MIB is a virtual database containing a formal description of all the network objects that can be managed using SNMP.
□ Devices like switches, hubs, and routers might still be enabled with a "default password" that enables an attacker to gain unauthorized access to the organization's computer network.
□ An attacker queries the LDAP service to gather information such as valid user names, addresses, departmental details, etc. that can be further used to perform attacks.
□ Network Time Protocol (NTP) is designed to synchronize clocks of networked computers.
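Steps 5 to 11 above each query one network service (DNS, NetBIOS, SNMP, RPC/NFS, LDAP, NTP, SMTP), so an organisation can turn the same list around and ask which of those steps an outside party could run against each of its Internet-facing hosts. The following is an added example from the defender's side, not code from the CEH courseware: it parses Nmap grepable (-oG) output for hosts in the tester's own range and reports, per host, the steps its open ports expose, so the services to restrict or close can be prioritised. The -oG line layout is Nmap's own; the hosts, names and port lists are constructed sample data, and the port-to-step table uses the well-known port assignments of each service.

```python
"""Which enumeration steps does each exposed host allow? (added example, not
courseware code)"""
import re

# Well-known ports of the services each step queries -> (step number, technique).
ENUM_PORTS = {
    ("tcp", 53): (5, "DNS enumeration"),
    ("udp", 53): (5, "DNS enumeration"),
    ("udp", 137): (6, "NetBIOS enumeration"),
    ("tcp", 139): (6, "NetBIOS enumeration"),
    ("tcp", 445): (6, "NetBIOS enumeration"),
    ("udp", 161): (7, "SNMP enumeration"),
    ("tcp", 79): (8, "Unix/Linux enumeration"),     # finger
    ("tcp", 111): (8, "Unix/Linux enumeration"),    # rpcbind (rpcinfo)
    ("udp", 111): (8, "Unix/Linux enumeration"),
    ("tcp", 2049): (8, "Unix/Linux enumeration"),   # NFS (showmount)
    ("tcp", 389): (9, "LDAP enumeration"),
    ("tcp", 636): (9, "LDAP enumeration"),          # LDAPS
    ("udp", 123): (10, "NTP enumeration"),
    ("tcp", 25): (11, "SMTP enumeration"),
    ("tcp", 587): (11, "SMTP enumeration"),         # submission
}

# Constructed -oG sample (RFC 5737 addresses, example.test names); tab
# characters separate the Host / Ports / Ignored State fields as Nmap writes them.
SAMPLE_GNMAP = (
    "# Nmap grepable output (constructed sample, not a real scan)\n"
    "Host: 192.0.2.10 (mail.example.test)\tStatus: Up\n"
    "Host: 192.0.2.10 (mail.example.test)\tPorts: 25/open/tcp//smtp///, "
    "53/open/tcp//domain///, 443/open/tcp//https///\tIgnored State: closed (997)\n"
    "Host: 192.0.2.20 (dc.example.test)\tStatus: Up\n"
    "Host: 192.0.2.20 (dc.example.test)\tPorts: 139/open/tcp//netbios-ssn///, "
    "389/open/tcp//ldap///, 445/open/tcp//microsoft-ds///, "
    "161/open|filtered/udp//snmp///, 123/open/udp//ntp///\tIgnored State: closed (995)\n"
    "Host: 192.0.2.30 (nfs.example.test)\tPorts: 22/open/tcp//ssh///, "
    "111/open/tcp//rpcbind///, 2049/open/tcp//nfs///, 79/closed/tcp//finger///"
    "\tIgnored State: filtered (996)\n"
)

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Ports:\s+(.*?)(?:\t|$)")

def parse_gnmap(text):
    """Return {ip: [(port, state, proto, service), ...]} from -oG output.
    Lines without a Ports field (Status: Up lines, comments) are skipped."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, _name, ports_field = m.groups()
        entries = hosts.setdefault(ip, [])
        for entry in ports_field.split(", "):
            # Each entry is port/state/proto/owner/service/rpcinfo/version/
            fields = entry.split("/")
            if len(fields) < 5:
                continue
            port, state, proto, _owner, service = fields[:5]
            entries.append((int(port), state, proto, service))
    return hosts

def enumeration_exposure(hosts):
    """For each host: {step: (technique, [ports])} for the steps its open ports
    allow. 'open|filtered' (UDP, no answer) is treated as possibly open."""
    report = {}
    for ip, entries in hosts.items():
        steps = {}
        for port, state, proto, _service in entries:
            if not state.startswith("open"):
                continue  # closed/filtered ports cannot be queried from outside
            key = (proto, port)
            if key in ENUM_PORTS:
                step, technique = ENUM_PORTS[key]
                steps.setdefault(step, (technique, set()))[1].add(f"{port}/{proto}")
        report[ip] = {s: (t, sorted(p)) for s, (t, p) in sorted(steps.items())}
    return report

def exposure_report(text):
    """Parse -oG text and return the per-host exposure report."""
    return enumeration_exposure(parse_gnmap(text))

def most_exposed(report):
    """Hosts ordered by how many enumeration steps they expose, most first."""
    return sorted(((ip, len(steps)) for ip, steps in report.items()),
                  key=lambda t: (-t[1], t[0]))

if __name__ == "__main__":
    rep = exposure_report(SAMPLE_GNMAP)
    for ip, count in most_exposed(rep):
        print(ip, count, "step(s) exposed")
        for step, (technique, ports) in rep[ip].items():
            print(f"  Step {step}: {technique} via {', '.join(ports)}")
```

In the sample the domain controller exposes four of the steps (NetBIOS, SNMP, LDAP, NTP) and lands at the top of the list, the mail host exposes DNS and SMTP, and the NFS host exposes only the Unix/Linux step because its finger port is closed. A port being open says nothing yet about whether the service answers anonymous queries; the report is a prioritised worklist for checking that, not a finding in itself.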

Posted: 14/04/2017, 09:06
