CEH - Module4 : Enumeration

CEH - Module 4 : Enumeration Technique (version 7)

  • Security News – Data Breaches of year 2014
    According to the Identity Theft Resource Center, there have already been 395 data breaches in the U.S. this year that have been reported to regulators or covered by media outlets, a 21 percent increase over the same period last year.
    Here are the top five data breaches of the first half of 2014, with an extra entry for eBay. That breach appears to be one of the largest yet, but the exact extent of the problem has not yet been divulged by the company, so it’s difficult to quantify how big it actually was.
    eBay
    The online retailer suffered one of the biggest data breaches yet reported by an online retailer. Attackers compromised a “small number of employee log-in credentials” between late February and early March to gain access to the company’s network and, through it, compromised a database that contained customer names, encrypted passwords, email addresses, physical addresses, phone numbers and dates of birth. The breach is thought to have affected the majority of the company’s 145 million members, and many were asked to change their passwords as a result.
    Michaels Stores
    The point-of-sale systems at 54 Michaels and Aaron Brothers stores “were attacked by criminals using highly sophisticated malware” between May 2013 and January 2014. The company said up to 2.6 million payment card numbers and expiration dates at Michaels stores and 400,000 at Aaron Brothers could have been obtained in the attack. The company received confirmation of at least some fraudulent use.
    Montana Department of Public Health and Human Services
    Triggered by suspicious activity, officials conducted an investigation in mid-May that led to the conclusion that a server at the Montana Department of Public Health and Human Services had been hacked. The server held names, addresses, dates of birth and Social Security numbers on roughly 1.3 million people, although the department said it has “no reason to believe that any information contained on the server has been used improperly or even accessed.”
    Variable Annuity Life Insurance Co.
    A former financial adviser at the company was found in possession of a thumb drive that contained details on 774,723 of the company’s customers. The drive was provided to the company by law enforcement as the result of a search warrant served on the former adviser. The thumb drive included full or partial Social Security numbers, but the insurance company said it didn’t believe any of the data had been used to access customer accounts. It’s not the first time the company has lost data on a thumb drive. In 2006, it wrapped up a lawsuit against a former financial adviser for downloading “confidential customer information” onto “a portable flash drive.”
    Spec’s
    A 17-month-long “criminal attack” on the Texas wine retailer’s network resulted in the loss of information of as many as 550,000 customers. The intrusion began in October 2012 and affected 34 of the company’s stores across the state. It continued until as late as March 20 this year, and the company fears hackers got away with customer names, debit or credit card details, card expiration dates, card security codes, bank account information from checks and possibly driver’s license numbers.
    St. Joseph Health System
    A server at the Texas health care provider was attacked between Dec. 16 and 18 last year. It contained “approximately 405,000 former and current patients’, employees’ and some employees’ beneficiaries’ information.” This included names, Social Security numbers, dates of birth, medical information and, in some cases, addresses and bank account information. As with many other hacks, an investigation wasn’t able to determine if the data was accessed or stolen.
  • What is Enumeration?
    Enumeration is defined as the process of extracting user names, machine names, network resources, shares, and services from a system.
    Enumeration techniques are conducted in an intranet environment.
    Enumeration involves active connections to systems and directed queries.
    Types of Information Enumerated by intruders:
    Network Resources and Shares
    Users and Groups
    Applications and Banners
    Auditing Settings
    Enumeration as listing
    When an enumeration is used in an ordered list context, we impose some sort of ordering structure requirement on the index set. While we can make the requirements on the ordering quite lax in order to allow for great generality, the most natural and common prerequisite is that the index set be well-ordered. According to this characterization, an ordered enumeration is defined to be a surjection (a many-to-one relationship) with a well-ordered domain. This definition is natural in the sense that a given well-ordering on the index set provides a unique way to list the next element given a partial enumeration.
    Enumeration in countable vs. uncountable context
    The most common use of enumeration in set theory occurs in the context where infinite sets are separated into those that are countable and those that are not. In this case, an enumeration is merely an enumeration with domain ω, the ordinal of the natural numbers. This definition can also be stated as follows:
    As a surjective mapping from (the natural numbers) to S (i.e., every element of S is the image of at least one natural number). This definition is especially suitable to questions of computability and elementary set theory.
    We may also define it differently when working with finite sets. In this case an enumeration may be defined as follows:
    As a bijective mapping from S to an initial segment of the natural numbers. This definition is especially suitable to combinatorial questions and finite sets; then the initial segment is {1,2,...,n} for some n which is the cardinality of S.
    In the first definition it varies whether the mapping is also required to be injective (i.e., every element of S is the image of exactly one natural number), and/or allowed to be partial (i.e., the mapping is defined only for some natural numbers). In some applications (especially those concerned with computability of the set S), these differences are of little importance, because one is concerned only with the mere existence of some enumeration, and an enumeration according to a liberal definition will generally imply that enumerations satisfying stricter requirements also exist.
    Enumeration of finite sets obviously requires that either non-injectivity or partiality is accepted, and in contexts where finite sets may appear one or both of these are inevitably present.
  • Techniques for Enumeration
    Extract user names using email IDs
    Extract user names using SNMP
    Extract user groups from Windows
    Extract information using the default passwords
    Brute force Active Directory
    Extract information using DNS Zone Transfer (TCP/53)
    Hacking Tools
    DumpSec is a NetBIOS enumeration tool. It connects to the target system as a null user with the net use command. It then enumerates users, groups, NTFS permissions, and file ownership information.
    Hyena is a tool that enumerates NetBIOS shares and additionally can exploit the null session vulnerability to connect to the target system and change the share path or edit the Registry.
    The SMB Auditing Tool is a password-auditing tool for the Windows and Server Message Block (SMB) platforms. Windows uses SMB to communicate between the client and server. The SMB Auditing Tool is able to identify usernames and crack passwords on Windows systems.
    The NetBIOS Auditing Tool is another NetBIOS enumeration tool. It’s used to perform various security checks on remote servers running NetBIOS file sharing services.
    The null session is often referred to as the Holy Grail of Windows hacking. Null sessions take advantage of flaws in CIFS/SMB (Common Internet File System/Server Message Block).
    You can establish a null session with a Windows (NT/2000/XP) host by logging on with a null user name and password.
    Using these null connections allows you to gather the following information from the host:
    List of users and groups
    List of machines
    List of shares
    Users and host SIDs (Security Identifiers)
    Anyone with a NetBIOS connection to your computer can easily get a full dump of all your user names, groups, shares, permissions, policies, services, and more using the null user.
    The attacker now has a channel over which to attempt various techniques. The CIFS/SMB and NetBIOS standards in Windows 2000 include APIs that return rich information about a machine via TCP port 139—even to unauthenticated users. This works on Windows 2000/XP systems, but not on Windows 2003.
    The following syntax connects to the hidden Inter-Process Communication share (IPC$) at IP address 192.34.34.2 with the built-in anonymous user (/u:"") and a null password (""):
    net use \\192.34.34.2\IPC$ "" /u:""
  • NetBios Enumeration
    Attackers use the NetBios Enumeration to obtain:
    List of computers that belong to a domain / workgroup
    List of shares on the individual hosts on the network
    Policies and passwords
  • NetBios Enumeration Tool : SuperScan
    Foundstone
    SuperScan is a free connect-based port scanning software designed to detect open TCP and UDP ports on a target computer, determine which services are running on those ports, and run queries such as whois, ping, ICMP traceroute, and Hostname lookups.
    Superscan 4, which is a completely rewritten update to the other Superscan (version 3, released in 2000), features windows enumeration, which can list a variety of important information dealing with Microsoft Windows such as:
    NetBIOS information
    User and Group Accounts
    Network shares
    Trusted Domains
    Services - which are either running or stopped
    SuperScan is a tool used by system administrators as well as crackers and script kiddies to evaluate a computer's security. System administrators can use it to test for possible unauthorized open ports on their computer networks, whereas crackers use it to scan for a potentially insecure port in order to gain illegal access to a system.
    SuperScan v4.1
    Powerful TCP port scanner, pinger, resolver.
    McAfee [http://www.mcafee.com/au/downloads/free-tools/superscan.aspx]SuperScan 4 is an update of the highly popular Windows port scanning tool, SuperScan.
    Windows XP Service Pack 2 has removed raw sockets support which now limits SuperScan and many other network scanning tools. Some functionality can be restored by running the following at the Windows command prompt before starting SuperScan:
    net stop SharedAccess
    Here are some of the new features in this version.
    Superior scanning speed
    Support for unlimited IP ranges
    Improved host detection using multiple ICMP methods
    TCP SYN scanning
    UDP scanning (two methods)
    IP address import supporting ranges and CIDR formats
    Simple HTML report generation
    Source port scanning
    Fast hostname resolving
    Extensive banner grabbing
    Massive built-in port list description database
    IP and port scan order randomization
    A selection of useful tools (ping, traceroute, Whois etc)
    Extensive Windows host enumeration capability
    Note: SuperScan 4 is intended for Windows 2000 and XP only. Administrator privileges are required to run the program. It will not run on Windows 95/98/ME. You may need to try SuperScan v3 if this will not work with your system.
  • NetBios Enumeration Tool : NetBIOS Enumerator
    NetBIOS Enumerator was written to show how to use remote network support and how to deal with other interesting network techniques such as SMB.
    Download Link:
    http://ihackers.co/downloads/tools/enumeration/netbios-enumeration-tool/
    http://prdownloads.sourceforge.net/nbtenum/nbt_enum_offr_bin2003.03.01-14_22.zip?download
    A NetBIOS null session occurs when you connect to a remote system without a user name and password. It is usually found on systems running Common Internet File System (CIFS) or Server Message Block (SMB), depending on the operating system. Once an attacker is in with a null session, he or she can explore information about groups, shares, permissions, policies and even password hashes. The null session attack uses a weakness in the way the SMB protocol creates connections, because SMB relies on trust for any kind of relationship between devices on the network.
    By default, null sessions are enabled in Windows 2000 and Windows NT. They are also enabled by default in Windows XP and Windows Server 2003, but those versions do not allow enumeration of user accounts. Any of the following ports must be open to perform NetBIOS enumeration and null session attacks, because they indicate that SMB and NetBIOS are supported on the network.
    Port 135 - Remote Procedure Call (RPC)
    Port 137 - NetBIOS Name Service
    Port 138 - NetBIOS Datagram Service
    Port 139 - NetBIOS Session Service
    Note that all of the above services may use either TCP or UDP.
    Connecting to a remote system via a null session requires you to connect to a device or share. By default, all Windows systems expose the Inter-Process Communication share (IPC$) as a hidden share (the $ denotes a hidden share on the remote system). IPC$ can be thought of as the null session share.
    To check whether the system is vulnerable to null sessions, type the following commands.
    C:\>net use \\IP_Address\IPC$
    For example
    C:\>net use \\192.168.56.1\IPC$
    Next type
    C:\>net use \\IP_Address\IPC$ "" /u:""
    where "" /u:"" denotes that you want to connect without a user name and password. Now explore further information:
    C:\>net view \\IP_Address
    will show you a list of shares, computers, devices, etc.
    This completes how to manually perform NetBIOS enumeration and a null session attack. In further posts we will cover some tools used for the above purpose and then the available countermeasures. Till then, practise the above method of enumerating NetBIOS and tell me if you have any difficulty. You can try your own IP address (127.0.0.1) to enumerate if you want. Please ask if you have any problem using the above commands, and please practise: hacking is a practical thing you can never learn without practising.
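The two null-session walkthroughs above (the net use syntax under Techniques for Enumeration and the IPC$ procedure here) describe the attacker's side; the defender's counterpart is spotting the trail such a connection leaves in the Windows Security log. The script below is an added example, not part of the original slide notes: it parses constructed, trimmed-down stand-ins for Security events in their EVTX XML shape (namespaces dropped) and flags anonymous network logons (4624, logon type 3, ANONYMOUS LOGON) from remote addresses and anonymous access to the IPC$ share (5140). The event records, addresses and timestamps are constructed; the event IDs and field names are the standard ones.

```python
"""Flag likely NetBIOS/SMB null-session activity in Windows Security events.

Added example, not part of the original slide notes. The events below are
constructed, trimmed-down stand-ins for Windows Security log records in their
EVTX XML shape (namespaces dropped); only the fields the checks read are kept.
Event 5140 (share accessed) is only written when "Audit File Share" is enabled.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample records: one null session from 192.168.56.77 (anonymous
# network logon followed by IPC$ access), plus benign noise that must not fire.
SAMPLE_EVENTS = [
    r"""<Event><System><EventID>4624</EventID>
        <TimeCreated SystemTime="2014-06-01T10:00:00Z"/></System>
        <EventData><Data Name="TargetUserName">ANONYMOUS LOGON</Data>
        <Data Name="TargetDomainName">NT AUTHORITY</Data>
        <Data Name="LogonType">3</Data>
        <Data Name="IpAddress">192.168.56.77</Data></EventData></Event>""",
    r"""<Event><System><EventID>5140</EventID>
        <TimeCreated SystemTime="2014-06-01T10:00:01Z"/></System>
        <EventData><Data Name="SubjectUserName">ANONYMOUS LOGON</Data>
        <Data Name="ShareName">\\*\IPC$</Data>
        <Data Name="IpAddress">192.168.56.77</Data></EventData></Event>""",
    # Ordinary authenticated network logon: not anonymous, ignored.
    r"""<Event><System><EventID>4624</EventID>
        <TimeCreated SystemTime="2014-06-01T10:05:00Z"/></System>
        <EventData><Data Name="TargetUserName">alice</Data>
        <Data Name="TargetDomainName">CORP</Data>
        <Data Name="LogonType">3</Data>
        <Data Name="IpAddress">192.168.56.10</Data></EventData></Event>""",
    # Anonymous logon with no source address: local system noise, ignored.
    r"""<Event><System><EventID>4624</EventID>
        <TimeCreated SystemTime="2014-06-01T10:06:00Z"/></System>
        <EventData><Data Name="TargetUserName">ANONYMOUS LOGON</Data>
        <Data Name="TargetDomainName">NT AUTHORITY</Data>
        <Data Name="LogonType">3</Data>
        <Data Name="IpAddress">-</Data></EventData></Event>""",
    # Authenticated access to a normal share: ignored.
    r"""<Event><System><EventID>5140</EventID>
        <TimeCreated SystemTime="2014-06-01T10:07:00Z"/></System>
        <EventData><Data Name="SubjectUserName">alice</Data>
        <Data Name="ShareName">\\*\Data</Data>
        <Data Name="IpAddress">192.168.56.10</Data></EventData></Event>""",
]

# Addresses meaning "this host" or "no network source"; anonymous logons from
# these are routine local activity, so the checks skip them to cut noise.
LOCAL_SOURCES = {"-", "127.0.0.1", "::1"}


@dataclass
class Finding:
    time: str
    source_ip: str
    reason: str


def parse_event(xml_text: str) -> dict:
    """Flatten one event into a dict: event_id, time, plus every EventData field."""
    root = ET.fromstring(xml_text)
    event = {
        "event_id": int(root.findtext("./System/EventID")),
        "time": root.find("./System/TimeCreated").get("SystemTime"),
    }
    for data in root.findall("./EventData/Data"):
        event[data.get("Name")] = (data.text or "").strip()
    return event


def is_anonymous_network_logon(event: dict) -> bool:
    """4624, logon type 3 (network), ANONYMOUS LOGON, from a remote address."""
    return (event["event_id"] == 4624
            and event.get("LogonType") == "3"
            and event.get("TargetUserName", "").upper() == "ANONYMOUS LOGON"
            and event.get("IpAddress") not in LOCAL_SOURCES)


def is_anonymous_ipc_access(event: dict) -> bool:
    """5140 where the anonymous account touched the IPC$ share."""
    return (event["event_id"] == 5140
            and event.get("SubjectUserName", "").upper() == "ANONYMOUS LOGON"
            and event.get("ShareName", "").upper().endswith("\\IPC$"))


def find_null_sessions(xml_events) -> list:
    """Return one Finding per event that looks like null-session activity."""
    findings = []
    for text in xml_events:
        event = parse_event(text)
        if is_anonymous_network_logon(event):
            findings.append(Finding(event["time"], event["IpAddress"],
                                    "anonymous network logon (4624, logon type 3)"))
        elif is_anonymous_ipc_access(event):
            findings.append(Finding(event["time"], event["IpAddress"],
                                    "anonymous IPC$ share access (5140)"))
    return findings


if __name__ == "__main__":
    for f in find_null_sessions(SAMPLE_EVENTS):
        print(f"{f.time} {f.source_ip:15} {f.reason}")
```

Skipping anonymous logons whose source is "-" or loopback is a deliberate noise-reduction choice for this example; in an environment where local anonymous activity is itself unexpected, drop LOCAL_SOURCES from the check.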
  • Enumerating User Accounts
    PsTools was developed by Mark Russinovich of Sysinternals and contains a collection of enumeration tools.
    Some of the tools require user authentication to the system:
    PsExec - Executes processes remotely
    PsFile - Shows files opened remotely
    PsGetSid - Displays the SID of a computer or a user
    PsKill - Kills processes by name or process ID
    PsInfo - Lists information about a system
    PsList - Lists detailed information about processes
    PsLoggedOn - Shows who's logged on locally and via resource sharing
    PsLogList - Dumps event log records
    PsPasswd - Changes account passwords
    PsService - Views and controls services
    PsShutdown - Shuts down and optionally reboots a computer
    PsSuspend - Suspends processes
    PsUptime - Shows how long a system has been running since its last reboot
    Download Link:
    http://technet.microsoft.com/en-us/sysinternals/bb842062.aspx
    Introduction
    The Sysinternals Troubleshooting Utilities have been rolled up into a single Suite of tools. This file contains the individual troubleshooting tools and help files. It does not contain non-troubleshooting tools like the BSOD Screen Saver or NotMyFault.
    The Suite is a bundling of the following selected Sysinternals Utilities:
    AccessChk
    AccessEnum
    AdExplorer
    AdInsight
    AdRestore
    Autologon
    Autoruns
    BgInfo
    CacheSet
    ClockRes
    Contig
    Coreinfo
    Ctrl2Cap
    DebugView
    Desktops
    Disk2vhd
    DiskExt
    DiskMon
    DiskView
    Disk Usage (DU)
    EFSDump
    FindLinks
    Handle
    Hex2dec
    Junction
    LDMDump
    ListDLLs
    LiveKd
    LoadOrder
    LogonSessions
    MoveFile
    NTFSInfo
    PageDefrag
    PendMoves
    PipeList
    PortMon
    ProcDump
    Process Explorer
    Process Monitor
    PsExec
    PsFile
    PsGetSid
    PsInfo
    PsPing
    PsKill
    PsList
    PsLoggedOn
    PsLogList
    PsPasswd
    PsService
    PsShutdown
    PsSuspend
    RAMMap
    RegDelNull
    Registry Usage (RU)
    RegJump
    RootkitRevealer
    SDelete
    ShareEnum
    ShellRunas
  • Enumerate System Using Default Passwords
    Password hacking is a complicated stage in the hacking cycle, since it is not only the step that gives you access to the victim’s PC but also marks the beginning of real hacking. Before trying anything else, an attacker will always try to exploit the victim using the default password of the device the victim uses. An unchanged default password is always considered a misconfiguration as far as hacking is concerned. At the very first stage an attacker may try to crack BIOS passwords, router passwords, switch passwords, dial-up passwords, modem passwords and passwords of other networking and communication devices by using their default passwords. Several sites store huge databases of default passwords. The following list shows some of them; the lists of passwords they store are more than sufficient, and with these lists you can breach any device still using its default password.
    http://www.defaultpassword.com/:
    So far as I know, http://www.defaultpassword.com/ is the biggest database of default passwords available online. You can browse through a list of thousands of manufacturers and their products. You can also search for a specific manufacturer and its devices, and can contribute newer default passwords to the list.
    http://cirt.net/passwords:
    It is the second biggest and, in my view, the most accurately sorted default password database. It lists all vendors in alphabetical order. When you click on a vendor’s name it shows you the device name, its default password and a few words describing how to use it for an attack.
    http://www.virus.org/default-password:
    Whenever you want to find a default password, I recommend trying this site first. You can easily search for passwords using its navigation. Searching their database is so easy that you will hardly need any effort, since you can search by vendor name, product name and even by model number. Their database includes default passwords for equipment and software from many vendors, including 3Com, Cisco, Nortel, IBM, HP, Compaq, Digital, D-Link, Linksys, Oracle, Microsoft and many more.
    http://www.routerpasswords.com/:
    It is a special database for router passwords: select the router manufacturer and press Find Password, and it lists all models along with their numbers, user names and passwords.
    Some other sites that store default passwords:
    http://dopeman.org/default_passwords.html
    http://www.default-password.info/
    http://www.defaultpassword.us/
    http://www.passwordsdatabase.com/
    http://www.phenoelit-us.org/dpl/dpl.html
    http://www.cyxla.com/passwords/passwords.html
    http://defaultpasswords.in/
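The defender's use of the databases listed above is an inventory audit: which devices are still on a factory credential? The script below is an added example, not part of the original slide notes or of any of the sites listed. The vendors, models and credentials are constructed (fictional); a real audit would load the default table from one of the databases above and the inventory from the asset register. Matching is case-insensitive on vendor, model and user name, exact on the password, and supports a wildcard model ("*") for vendors that ship one default across a product line.

```python
"""Audit a device inventory for management credentials still set to defaults.

Added example, not part of the original slide notes. All vendors, models and
credentials here are constructed; load real data from a default-password
database and the asset register.
"""
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class DefaultCred:
    vendor: str
    model: str        # exact model, or "*" for every model of that vendor
    username: str
    password: str


@dataclass(frozen=True)
class Device:
    hostname: str
    vendor: str
    model: str
    username: str
    password: str


# Constructed default-credential table (fictional vendors and values).
DEFAULT_CREDS = [
    DefaultCred("ExampleCo", "RT-100", "admin", "admin"),
    DefaultCred("ExampleCo", "RT-100", "admin", ""),       # some firmware ships blank
    DefaultCred("ExampleCo", "*", "root", "exampleco"),    # vendor-wide service account
    DefaultCred("NetSample", "SW-24G", "manager", "friend"),
]

# Constructed inventory of management credentials.
INVENTORY = [
    Device("edge-rtr-1", "exampleco", "RT-100", "admin", "admin"),       # untouched default
    Device("edge-rtr-2", "ExampleCo", "RT-100", "admin", "Pk7!vq2Lm"),   # changed
    Device("lab-rtr-9", "ExampleCo", "RT-250", "root", "exampleco"),     # vendor-wide default
    Device("core-sw-1", "NetSample", "SW-24G", "manager", "Friend"),     # case differs: changed
    Device("dmz-sw-3", "OtherVendor", "X1", "admin", "admin"),           # vendor not in table
]


def _same_secret(a: str, b: str) -> bool:
    """Constant-time equality; passwords are compared as secrets even here."""
    return hmac.compare_digest(a.encode(), b.encode())


def matches_default(device: Device, default: DefaultCred) -> bool:
    """True when the default applies to this vendor/model and the credentials match."""
    if device.vendor.lower() != default.vendor.lower():
        return False
    if default.model != "*" and device.model.lower() != default.model.lower():
        return False
    return (device.username.lower() == default.username.lower()
            and _same_secret(device.password, default.password))


def find_default_credentials(inventory, defaults) -> list:
    """Return (hostname, matched default) for every device still on a default."""
    hits = []
    for device in inventory:
        for default in defaults:
            if matches_default(device, default):
                hits.append((device.hostname, default))
                break          # one match is enough to flag the device
    return hits


if __name__ == "__main__":
    for hostname, default in find_default_credentials(INVENTORY, DEFAULT_CREDS):
        shown = default.password or "<blank>"
        print(f"{hostname}: still using {default.vendor} {default.model} "
              f"default '{default.username}' / '{shown}'")
```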
  • SNMP (Simple Network Management Protocol) Enumeration
    SNMP (Simple Network Management Protocol) is a protocol that never seems to get the attention it deserves. As a “security expert” I am quite ashamed to say that I was not fully aware of all the intricate possibilities that lie within SNMP until quite recently.
    Once you get your hands dirty, SNMP can get quite interesting. Personally, it reminds me of the movie “The Matrix”, with the ability to monitor almost anything and alert about anomalies.
    Basic SNMP terms
    SNMP – (Simple Network Management Protocol) – an application-layer protocol for managing TCP/IP based networks. SNMP runs over UDP (which runs over IP).
    MIB – (Management Information Base) – provides a standard representation of the SNMP agent’s available information and where it is stored.
    NMS – (Network Management Station) – A device designed to poll SNMP agents for information.
    SNMP Agent – a device running some software that understands the language of SNMP. Almost any network device could potentially run SNMP, but typically you will find SNMP agents running on internetworking devices (eg. routers, hubs, switches, bridges). Some operating systems (UNIX, Windows NT) can also run SNMP agents.
    The main problem with SNMP is that the authentication method (public and private community strings) is inherently weak, not to mention the fact the SNMP is based on UDP, which is prone to spoofing. So, we’ve got a weak protocol, often forgotten and misconfigured – a disaster just waiting to happen.
    # snmpwalk -v 2c -c public {hostname | ip address}
  • Management Information Base (MIB)
    MIB – (Management Information Base) – provides a standard representation of the SNMP agent’s available information and where it is stored, including a formal description of all the network objects that can be managed using SNMP. The MIB database is hierarchical, and each managed object in a MIB is addressed through an object identifier (OID).
    An object identifier (OID) is an extensively used identification mechanism, jointly developed by ITU-T and ISO/IEC, for naming any type of object, concept or "thing" with a globally unambiguous name that persists (long lifetime). It is not intended to be used for transient naming. OIDs, once allocated, should not be re-used for a different object or thing. It is based on a hierarchical name structure, the "OID tree". This naming structure uses a sequence of names, of which the first identifies a top-level "node" in the OID tree, the next provides further identification of arcs leading to sub-nodes beneath the top level, and so on to any depth. A critical feature of this identification mechanism is that it makes OIDs available to a great many organizations and specifications for their own use (including countries, ITU-T Recommendations, ISO and IEC International Standards, specifications from national, regional or international organizations, etc.).
    The root of the tree contains the following three arcs:
    0: ITU-T
    1: ISO
    2: joint-iso-itu-t
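The snmpwalk command in the SNMP Enumeration section and the OID tree described here fit together: a walk under a readable community string returns one line per OID, and what it gives away depends on which subtree each OID sits in. The script below is an added example, not part of the original slide notes or of any SNMP tool: it parses lines in the numeric form net-snmp prints with -On (".1.3.6.1.2.1.1.5.0 = STRING: ...", or "iso.3.6..." when no MIB files are loaded) and labels each OID with the deepest well-known subtree it falls under, using the three root arcs and a handful of standard assignments (mib-2 system and host-resources tables, the enterprises arc, the LAN Manager user table). The subtree OIDs are standard; the "sensitive" flag is this example's own triage judgement, and the sample walk output is constructed.

```python
"""Triage numeric snmpwalk output against the OID tree.

Added example, not part of the original slide notes. The subtree OIDs are
standard assignments; the "sensitive" flags are this example's own triage
judgement, and SAMPLE_WALK is constructed output, not a capture.
"""
import re

# Root arcs of the OID tree, as listed in the notes.
ROOT_ARCS = {0: "itu-t", 1: "iso", 2: "joint-iso-itu-t"}

# (prefix arcs): (label, sensitive?)
KNOWN_SUBTREES = {
    (1, 3, 6, 1, 2, 1): ("mib-2", False),
    (1, 3, 6, 1, 2, 1, 1): ("system", False),
    (1, 3, 6, 1, 2, 1, 1, 1): ("sysDescr", True),             # OS / firmware banner
    (1, 3, 6, 1, 2, 1, 1, 5): ("sysName", False),
    (1, 3, 6, 1, 2, 1, 2, 2): ("ifTable", False),
    (1, 3, 6, 1, 2, 1, 4, 22): ("ipNetToMediaTable", True),   # ARP cache
    (1, 3, 6, 1, 2, 1, 6, 13): ("tcpConnTable", True),        # live TCP connections
    (1, 3, 6, 1, 2, 1, 25, 4, 2): ("hrSWRunTable", True),     # running processes
    (1, 3, 6, 1, 2, 1, 25, 6, 3): ("hrSWInstalledTable", True),
    (1, 3, 6, 1, 4, 1): ("enterprises", False),
    (1, 3, 6, 1, 4, 1, 77, 1, 2, 25): ("lanmgr userTable", True),  # Windows accounts
}

WALK_LINE = re.compile(
    r"^\s*(?P<oid>(?:iso\.|\.)?[\d.]+)\s*=\s*"
    r"(?:(?P<type>[A-Za-z0-9-]+):\s*)?(?P<value>.*?)\s*$")


def parse_oid(text: str) -> tuple:
    """'.1.3.6.1.2.1.1.5.0' or 'iso.3.6.1.2.1.1.5.0' -> (1, 3, 6, 1, 2, 1, 1, 5, 0)."""
    text = text.strip()
    if text.startswith("iso."):   # net-snmp prints this when no MIB files are loaded
        text = "1." + text[4:]
    return tuple(int(arc) for arc in text.strip(".").split("."))


def parse_walk_line(line: str):
    """Return {'oid': arcs, 'type': str|None, 'value': str}, or None for non-data lines."""
    m = WALK_LINE.match(line)
    if not m:
        return None
    value = m.group("value")
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]            # STRING values are printed quoted
    return {"oid": parse_oid(m.group("oid")), "type": m.group("type"), "value": value}


def classify(arcs: tuple):
    """Label an OID with its deepest known subtree; fall back to the root arc name."""
    best = None
    for prefix, (label, sensitive) in KNOWN_SUBTREES.items():
        if arcs[:len(prefix)] == prefix and (best is None or len(prefix) > len(best[0])):
            best = (prefix, label, sensitive)
    if best is None:
        return ROOT_ARCS.get(arcs[0], "unknown-root"), False
    return best[1], best[2]


def triage_walk(lines) -> dict:
    """Group the values a walk exposed under each sensitive subtree label."""
    exposed = {}
    for line in lines:
        parsed = parse_walk_line(line)
        if parsed is None:
            continue
        label, sensitive = classify(parsed["oid"])
        if sensitive:
            exposed.setdefault(label, []).append(parsed["value"])
    return exposed


# Constructed sample of what a walk with a readable community might return.
SAMPLE_WALK = """
.1.3.6.1.2.1.1.1.0 = STRING: "Hardware: x86 Family 6 - Software: Windows 2000 Version 5.0"
.1.3.6.1.2.1.1.5.0 = STRING: "FILESRV01"
.1.3.6.1.2.1.1.7.0 = INTEGER: 76
.1.3.6.1.2.1.2.2.1.2.1 = STRING: "MS TCP Loopback interface"
.1.3.6.1.2.1.25.4.2.1.2.1234 = STRING: "lsass.exe"
.1.3.6.1.2.1.25.4.2.1.2.1300 = STRING: "backupagent.exe"
.1.3.6.1.4.1.77.1.2.25.1.1.5.97.100.109.105.110 = STRING: "admin"
End of MIB
""".strip().splitlines()

if __name__ == "__main__":
    for label, values in triage_walk(SAMPLE_WALK).items():
        print(f"{label}: {values}")
```

Feed it the saved output of snmpwalk -On to see, per device, which sensitive tables a community string exposes; extending KNOWN_SUBTREES with a vendor's enterprise arcs is the usual next step.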
  • SNMP Enumeration Tool : OpUtils (ManageEngine)
    MIB Viewer – Often network engineers know the MIB node (OID name) but are not sure of the OID and its properties. In such situations this tool is of great use. It accepts the node name or the OID as input and provides complete information on the MIB node, including MIB name, parent node name, OID, OID type, status, syntax, access, definition, and the next node. It also provides a snapshot of a given MIB, some general information on the MIB, the defined attributes, total number of nodes, defined TCs, and the defined traps.
    SNMP Walker – A utility to retrieve a specified number of MIB object values using the SNMP GET-NEXT operation. Using this tool you can provide any OID value and query a device for the next consecutive OIDs.
    SNMP Table - A utility to retrieve the data for the specified Table OID from the device. Using this tool you can select any table component of a MIB to view the values.
    Trap Receiver – This tool listens for real-time network traps and displays them. The trap details, such as Trap OID, Source, Received Time, Varbind Descriptions, and so on, are shown. The tool can be configured to send an email alert on receipt of a trap.
    SNMP Graph – This SNMP tool gathers real-time data and draws a graph for any SNMP IP node. It also provides the MIB node information such as OID, syntax, description and MIB node properties.
    MIB Browser – The MIB Browser tool is a utility that enables you to load and browse MIBs and perform SNMP operations. With this tool, you can perform all SNMP-related operations such as GET, GET-NEXT, GET-BULK, and SET. The above SNMP operations can be performed on the specified agent.
    Download Link:
    http://www.manageengine.com/products/oputils/download.html
  • SNMP Enumeration Tool : SolarWinds
    SNMP MIB Browser:Tool Detail
    Query remote devices for software and hardware configurations via SNMP.
    Utilize SolarWinds' extensive MIB database of more than 250,000 precompiled unique OIDs from hundreds of standard and vendor MIBs – the largest collection in the industry.
    Walk MIB trees to determine which MIBs a particular piece of hardware supports.
    The MIB Browser utilizes SolarWinds extensive MIB (Management Information Base) database of more than a thousand standard and proprietary MIBs. A MIB Browser is a core fundamental tool for network engineers. It allows an engineer to query a remote device for software and hardware configurations via SNMP. It also allows an engineer to make changes to the remote device. The remote device could be a router, switch, hub, server, firewall, or any other device that supports SNMP.
    The most critical part of any MIB Browser is the number of standard and proprietary MIBs it supports. Without the correct MIBs, the data collected from a remote device is difficult to interpret and use. SolarWinds MIB Browser is shipped with over 250,000 precompiled unique OIDs from hundreds of standard and vendor MIBs – the largest collection in the industry. SolarWinds engineers continually update the MIB database with the latest MIBs. Updates to the MIB database are available periodically to SolarWinds customers who purchase maintenance.
    Another common use for a MIB Browser is to find out what MIBs and OIDs are supported on a particular device. The SolarWinds MIB Browser allows an engineer to easily walk any MIB tree (even if the MIB tree is not in the SolarWinds database) and determine what MIBs a particular piece of hardware supports. This is important when determining the SNMP OIDs from which to collect statistics or to monitor. The SolarWinds MIB Browser automatically analyzes the results from each SNMP query and displays the information in a readable form.
    SNMP Enabler For Windows
    To remotely install and enable SNMP on multiple Windows servers and workstations.
  • SNMP Enumeration Tools
    Getif is a free multi-functional Windows GUI based Network Tool written by Philippe Simonet.  It is amongst other things, an excellent SNMP tool that allows you to collect and graph information from SNMP devices.  These devices include (but are by no means limited to) Windows 2000 (using the SNMP4NT or SNMP4W2K or SNMP-Informant extension agents, of course!), and other OS's as well as devices manufactured by most major network companies (i.e. Cisco, 3COM, Dlink, Nokia, etc., etc.).
    It also offers the ability to graph OID values over time, display the device's interface information, routing and ARP tables, and perform basic port scans, traceroutes, NSLookups and IP scans.
    There are now two versions of Getif available for download here at SNMP4tPC. Version 2.2 is arguably the most prevalent version, however version 2.3.1 is now also available for those who wish to try it. Some of the features of v 2.3.1 include sliding scrollbars (yippee!). Many of you have asked for this. Be advised however, that the familiar Set/Walk and Add to graph buttons have changed. I would suggest you keep version 2.2 around in addition to installing version 2.3.1. Together they make a great team!
    LoriotPro uses an internal host database named LDS (LoriotPro Directory Service). The LoriotPro LDS uses the IP address of the host to create indexes.
    In this database, only one host profile (configuration) is available per host; from LoriotPro's point of view each host has only one IP address (a multihomed server or router is seen as multiple hosts). If a host has more than one SNMP agent, LoriotPro does not have the capacity to handle it.
    Examples:
    1 - A host @IP:10.33.10.121 has a standard SNMP agent bound to UDP port 161 and another one bound to the non-standard UDP port 1515.
    2 - A host @IP:10.33.10.121 has a standard SNMP agent bound to UDP port 161 using the SNMPv1 protocol and an SNMP v2c profile bound to the same UDP port 161 used for specific queries.
    3 - A host @IP:10.33.10.121 has a standard SNMP agent bound to UDP port 161 using different communities to access the different management processes.
    Solution
    LoriotPro uses an alias strategy to solve this problem. An alias host is a host with a dummy IP address used to index it in the LDS. A secondary IP address is set in the profile and is used in all LoriotPro modules in place of the dummy address.
  • UNIX/Linux Enumeration
    Commands used to enumerate Unix network resources are as follows:
    showmount:
    – Finds the shared directories on the machine
    – [root $] showmount -e 19x.16x.xxx.xx
    finger:
    – Enumerates users and hosts
    – Enables you to view the user’s home directory, login time, idle time, office location, and the last time they received or read mail
    – [root $] finger -l @target.hackme.com
    rpcinfo:
    – Helps to enumerate the Remote Procedure Call protocol
    – The RPC protocol allows applications to talk to one another over the network
    – [root $] rpcinfo -p 19x.16x.xxx.xx
    rpcclient:
    – Using rpcclient, we can enumerate shares and user names on Linux and OS X (the first line opens an unauthenticated session, the second runs the enumeration command at the rpcclient prompt)
    – [root $] rpcclient -U "" -N 19x.16x.xxx.xx
    – rpcclient $> netshareenum
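What showmount -e and rpcinfo -p reveal is easier to judge from their output than from the commands themselves. The script below is an added example, not part of the original slide notes: it parses the two outputs in the format the standard tools print and reports RPC programs on a watch list (this example's own list) together with NFS exports that anyone may mount, which showmount prints as "(everyone)" or with the exports(5) wildcard "*". Both output samples and the 192.0.2.10 address are constructed.

```python
"""Parse rpcinfo -p and showmount -e output and flag exposed NFS/RPC services.

Added example, not part of the original slide notes. The two output samples
are constructed in the format the standard tools print.
"""
import re
from dataclasses import dataclass

# Constructed 'rpcinfo -p' output (portmapper registrations).
SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   udp    111  portmapper
    100005    1   udp  20048  mountd
    100005    3   tcp  20048  mountd
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100021    4   tcp  37589  nlockmgr
    100024    1   udp  54321  status
"""

# Constructed 'showmount -e' output (NFS export list).
SAMPLE_SHOWMOUNT = """\
Export list for 192.0.2.10:
/export/home *
/srv/backup  192.168.56.0/24,10.0.0.5
/srv/public  (everyone)
"""


@dataclass(frozen=True)
class RpcService:
    program: int
    version: int
    proto: str
    port: int
    name: str


@dataclass(frozen=True)
class Export:
    path: str
    clients: tuple   # host/network patterns allowed to mount


RPC_LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)\s+(\S+)\s*$")
# showmount prints "(everyone)" for unrestricted exports; "*" is the exports(5) wildcard.
WORLD_CLIENTS = {"(everyone)", "*"}
# RPC programs worth a second look when reachable beyond the file-serving segment
# (this example's own watch list).
WATCHED_SERVICES = {"mountd", "nfs", "nlockmgr", "status", "ypserv", "rquotad"}


def parse_rpcinfo(text: str) -> list:
    """Parse 'rpcinfo -p' output; the header and blank lines are skipped."""
    services = []
    for line in text.splitlines():
        m = RPC_LINE.match(line)
        if m:
            prog, ver, proto, port, name = m.groups()
            services.append(RpcService(int(prog), int(ver), proto, int(port), name))
    return services


def parse_showmount(text: str) -> list:
    """Parse 'showmount -e' output into Export records (header line skipped)."""
    exports = []
    for line in text.splitlines():
        if not line.startswith("/"):
            continue
        path, _, clients = line.partition(" ")
        exports.append(Export(path, tuple(c for c in clients.strip().split(",") if c)))
    return exports


def audit(rpc_text: str, showmount_text: str) -> list:
    """Return findings for watched RPC services and world-mountable exports."""
    findings = []
    seen = set()
    for svc in parse_rpcinfo(rpc_text):
        key = (svc.name, svc.proto, svc.port)
        if svc.name in WATCHED_SERVICES and key not in seen:
            seen.add(key)      # several versions share one port; report it once
            findings.append(f"rpc service {svc.name} registered on {svc.proto}/{svc.port}")
    for exp in parse_showmount(showmount_text):
        if any(c in WORLD_CLIENTS for c in exp.clients):
            findings.append(f"export {exp.path} is mountable by anyone")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RPCINFO, SAMPLE_SHOWMOUNT):
        print(finding)
```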
  • Linux Enumeration Tool : Enum4linux
    Sample Script:
    #!/bin/bash
    # Run nikto against each host in 172.16.222.129-164, one report file per host
    for i in {129..164}
    do
      (cd /pentest/web/nikto/ ; ./nikto.pl -host 172.16.222.$i -output /pentest/web/nikto/student_remix/172_16_222_$i.txt)
    done
    And a similar script for enum4linux
    #!/bin/bash
    # Run enum4linux (-M: enumerate machine list) against each host in the same range
    for i in {129..164}
    do
      /root/enum4linux-0.8.8/enum4linux.pl -M 172.16.222.$i
    done
  • LDAP Enumeration
    The Lightweight Directory Access Protocol (LDAP) is a protocol used to access the directory listings within Active Directory (or any X.500-standard directory), which is a form of directory service.
    A directory is compiled in a hierarchical and logical format, like the levels of management and employees in a company.
    It tends to be tied into the Domain Name System to allow the integrated quick lookups and fast resolution of queries.
    It runs on TCP port 389 and, like other protocols, tends to conform to a distinct set of rules, the Requests for Comments (RFCs).
  • LDAP Enumeration Tool : Jxplorer
    JXplorer is a cross platform LDAP browser and editor. It is a standards compliant general purpose LDAP client that can be used to search, read and edit any standard LDAP directory, or any directory service with an LDAP or DSML interface.
    It is highly flexible and can be extended and customised in a number of ways. JXplorer is written in java, and the source code and Ant build system are available via svn or as a packaged build for users who want to experiment or further develop the program.
    JX is available in two versions: the free open source version under an OSI Apache 2 style licence, or in the JXWorkBench Enterprise bundle with built-in reporting, administrative and security tools.
    JX has been through a number of different versions since its creation in 1999; the most recent stable release is version 3.3.1, the August 2013 release.
    It can run on any Java-supporting operating system.
    LDAP add/delete/copy/modify
    tree copy, move and delete
    Drag-n-drop editing
    Complex searching
    UI for search filter construction
    SSL/TLS support
    SASL Authentication
    Full i18n support
    Hungarian, French and German
    Traditional and Simplified Chinese
    Unicode Support
    UTF8 allowed in DNs
    Schema support
    Supports complex DNs
    Paged results
    Extensive Help System
    LDIF import/export
    Offline LDIF file editing
    DSML support
    version 2 LDAP support
    Configurable HTML templates/forms
    Themes / Skinning
    Pluggable Editors
    Pluggable Security Providers
    Multi Valued RDNs
    Binary Attributes
    Certificate keystore
    Supports Client keys and Certs
    GSSAPI support
    Multiple Browser Windows
    Data copy between windows
    An Admin Guide