
JSIIT

System Intrusion and Computer Forensic Module code: (CSM203)

Assignment Presentation
ON
SYSTEM ENUMERATION TCP/UDP PORT

BY YUSIF SULEIMAN 2308-0703-0223

Instructor:

Mr Bashi

In Partial Fulfillment for the Award of IADNCS, 2012

INTRODUCTION

Enumeration

Enumeration is the first attack phase against a target network. It is the process of gathering information about user names, machine names, network resources, shares and services, and it works by making a fixed, active connection to a system.

Although File Transfer Protocol (FTP) is becoming less common on the Internet, connecting to and examining the content of FTP repositories remains one of the simplest and potentially most lucrative enumeration techniques. We've seen many public web servers that used FTP for uploading web content, providing an easy vector for uploading malicious executables. Typically, the availability of easily accessible file-sharing services quickly becomes widespread knowledge, and public FTP sites end up hosting sensitive and potentially embarrassing content. Even worse, many such sites are configured for anonymous access.

Techniques used for Enumeration

CMD commands: there are many cmd commands which are more effective on local area connections than the Windows OS tools :)

net use (works only in XP and 2000)
Syntax : net use \\<ip address>\IPC$ "" /u:""
Example : net use \\192.168.2.2\IPC$ "" /u:""
Definition : connects to the hidden inter-process communication share (IPC$) of 192.168.2.2 with the built-in anonymous user (/u:"") and a null password ("")

Techniques (continued)

nbtstat (tested and worked)
Syntax : nbtstat -A <ip address>
Example : nbtstat -A 192.168.2.4
Use : gets the NetBIOS name table and MAC address of the system

FTP enumeration
Syntax : ftp <ftp servername>
Example : ftp ftp.gnuplot.info

Techniques (continued)

telnet
Syntax : telnet <URL/IP> <port number>
Example : telnet www.csice.edu.in 80 (HTTP port number)
Use : connect to a server on a given port

Common port numbers:
http 80
ftp 21
telnet 23
smtp 25
dns 53
tftp 69
finger 79
NetBIOS 137

Tools used for Enumeration

Super Scan

IP Tools - it provides the following:
Local Info - examines the local host and shows info about processor, memory, Winsock data, etc.
Connection Monitor - displays information about current TCP and UDP network connections
NetBIOS Info - gets NetBIOS information about network interfaces (local and remote computers)
NB Scanner - shared resources scanner
SNMP Scanner - scans network(s) for SNMP enabled devices
Name Scanner - scans all hostnames within a range of IP addresses
Port Scanner - scans network(s) for active TCP based services
UDP Scanner - scans network(s) for active UDP based services

IP Tools (continued)
Ping Scanner - pings remote hosts over the network
Trace - traces the route to a remote host over the network
WhoIs - obtains information about an Internet host or domain name from the NIC (Network Information Center)
Finger - retrieves information about a user from a remote host
LookUp - looks up a domain name from its IP address, or an IP address from its domain name
GetTime - gets time from time servers (it can also set the correct time on the local system)
Telnet - telnet client
HTTP - HTTP client
IP-Monitor - shows network traffic in real time (as a set of charts)
Host Monitor - monitors up/down status of selected hosts
Trap Watcher - allows you to receive and process SNMP Trap messages

SoftPerfect Network Scanner tool

Features:
> Pings computers and displays those alive.
> Detects hardware MAC addresses, even across routers.
> Detects hidden shared folders and writable ones.
> Detects your internal and external IP addresses.
> Scans for listening TCP ports, some UDP and SNMP services.
> Retrieves currently logged-on users, configured user accounts, uptime, etc.
> You can mount and explore network resources.
> Can launch external third party applications.
> Exports results to HTML, XML, CSV and TXT.
> Supports Wake-On-LAN, remote shutdown and sending network messages.
> Retrieves potentially any information via WMI.
> Retrieves information from remote registry, file system and service manager.

Enumeration Ports

FTP Enumeration, TCP 21

FTP port 21 open: fingerprint server


telnet ip_address 21 (banner grab)
Run command: ftp ip_address, with ftp@example.com as the password
Check for anonymous access

ftp ip_address
Username: anonymous OR anon
Password: any@email.com

Password guessing: Hydra, brute force, medusa, Brutus

Examine configuration files: ftpusers, ftp.conf, proftpd.conf

MiTM: pasvagg.pl

Enumerating SMTP, TCP 25

SMTP, TCP 25: versions of the popular SMTP server software Sendmail from version 8 onward offer syntax that can be embedded in sendmail.cf to disable, or require authentication for, the VRFY and EXPN commands. SMTP has two commands, VRFY and EXPN, which reveal the actual delivery addresses of aliases and mailing lists. E.g. telnet 10.219.100.1 25

Sendmail port 25 open: fingerprint server
telnet ip_address 25 (banner grab)

Mail server testing

Enumerate users:
VRFY username (verifies if username exists - enumeration of accounts)
EXPN username (verifies if username is valid - enumeration of accounts)

Mail spoof test:
HELO anything
MAIL FROM: spoofed_address
RCPT TO: valid_mail_account
DATA
.
QUIT

Mail relay test:
HELO anything
Identical to/from - mail from: <nobody@domain> rcpt to: <nobody@domain>
Unknown domain - mail from: <user@unknown_domain>
Domain not present - mail from: <user@localhost>
Domain not supplied - mail from: <user>
Source address omission - mail from: <> rcpt to: <nobody@recipient_domain>
Use IP address of target server - mail from: <user@IP_Address> rcpt to: <nobody@recipient_domain>
Use double quotes - mail from: <user@domain> rcpt to: <"user@recipient_domain">
Use IP address of the target server - mail from: <user@domain> rcpt to: <nobody@recipient_domain@[IP Address]>
Disparate formatting - mail from: <user@[IP Address]> rcpt to: <@domain:nobody@recipient-domain>
Disparate formatting 2 - mail from: <user@[IP Address]> rcpt to: <recipient_domain!nobody@[IP Address]>

Examine configuration files - sendmail.cf, submit.cf
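The VRFY/EXPN and relay checks above, as an added Python example that is not part of the original presentation: it speaks the exchange against a constructed in-process stand-in server (no real mail server is contacted), so a mail administrator can see which answers a hardened server should give (252/502 to VRFY/EXPN, 550 to a foreign recipient). The stand-in server, its domain mail.example.test and the audit host name are assumptions.

```python
import socket
import threading

LOCAL_DOMAIN = "mail.example.test"   # assumed domain the audited server is authoritative for

def _fake_smtp(listener, vrfy_enabled, open_relay):
    """Constructed stand-in for a Sendmail-style server; policy comes from the two flags."""
    conn, _ = listener.accept()
    f = conn.makefile("rwb", buffering=0)
    f.write(b"220 %s ESMTP Sendmail\r\n" % LOCAL_DOMAIN.encode())
    while True:
        line = f.readline().decode(errors="replace").strip()
        if not line:
            break
        verb = line.split(" ", 1)[0].upper()
        if verb in ("VRFY", "EXPN"):      # 250 discloses the mailbox; 252 is the hardened answer
            reply = b"250 2.1.5 <root@%s>" % LOCAL_DOMAIN.encode() if vrfy_enabled else b"252 2.5.2 Cannot VRFY user"
        elif verb == "RCPT":              # relay only when recipient is local or relaying is open
            domain = line.rsplit("@", 1)[-1].rstrip(">")
            reply = b"250 2.1.5 Recipient ok" if (open_relay or domain == LOCAL_DOMAIN) else b"550 5.7.1 Relaying denied"
        elif verb == "QUIT":
            f.write(b"221 2.0.0 Bye\r\n")
            break
        else:
            reply = b"250 2.0.0 OK"
        f.write(reply + b"\r\n")
    conn.close()

def audit_smtp(host, port, timeout=3.0):
    """Run the VRFY, EXPN and relay probes against host:port and report what it allowed."""
    s = socket.create_connection((host, port), timeout=timeout)
    f = s.makefile("rwb", buffering=0)
    def reply():                       # code of the last line of a (possibly multi-line) reply
        line = f.readline()
        while line[3:4] == b"-":
            line = f.readline()
        return int(line[:3])
    def cmd(text):
        f.write(text.encode() + b"\r\n")
        return reply()
    reply()                            # 220 banner: the fingerprinting step
    cmd("HELO audit.example.test")
    result = {"vrfy_enabled": cmd("VRFY root") == 250,
              "expn_enabled": cmd("EXPN postmaster") == 250}
    cmd("MAIL FROM:<audit@elsewhere.test>")            # sender outside the server's domain
    result["open_relay"] = cmd("RCPT TO:<nobody@other-domain.test>") == 250
    result["accepts_local"] = cmd("RCPT TO:<postmaster@%s>" % LOCAL_DOMAIN) == 250
    cmd("QUIT")
    s.close()
    return result

def run_demo(vrfy_enabled, open_relay):
    """Start the constructed server on a free loopback port and audit it."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    t = threading.Thread(target=_fake_smtp, args=(listener, vrfy_enabled, open_relay), daemon=True)
    t.start()
    result = audit_smtp("127.0.0.1", listener.getsockname()[1])
    t.join(timeout=3)
    listener.close()
    return result
```

`run_demo(True, True)` models a weak server and reports all three findings; `run_demo(False, False)` models a hardened one, which still accepts mail for its own domain.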

DNS Zone Transfer, TCP 53

DNS port 53 open: fingerprint server / service

host
host [-aCdlnrTwv] [-c class] [-N ndots] [-R number] [-t type] [-W wait] name [server]
-v verbose format
-t (query type) allows a user to specify a record type, i.e. A, NS, or PTR
-a same as -t ANY
-l zone transfer (if allowed)
-f save to a specified filename

nslookup
nslookup [-option ...] [host-to-find | - [server]]

dig
dig [@server] [-b address] [-c class] [-f filename] [-k filename] [-p port#] [-t type] [-x addr] [-y name:key] [-4] [-6] [name] [type] [class] [queryopt...]

whois
-h Use the named host to resolve the query
-a Use ARIN to resolve the query
-r Use RIPE to resolve the query
-p Use APNIC to resolve the query
-Q Perform a quick lookup

DNS Enumeration

BiLE Suite
perl BiLE.pl [website] [project_name]
perl BiLE-weigh.pl [website] [input file]
perl vet-IPrange.pl [input file] [true domain file] [output file] <range>
perl vet-mx.pl [input file] [true domain file] [output file]
perl exp-tld.pl [input file] [output file]
perl jarf-dnsbrute [domain_name] (brutelevel) [file_with_names]
perl qtrace.pl [ip_address_file] [output_file]
perl jarf-rev [subnetblock] [nameserver]

txdns
txdns -rt -t domain_name
txdns -x 50 -bb domain_name
txdns --verbose -fm wordlist.dic --server ip_address -rr SOA domain_name -h c:\hostlist.txt

Examine configuration files - host.conf, resolv.conf, named.conf
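An added example (not from the presentation) of the "examine named.conf" step from the defender's side: it parses a constructed BIND configuration and reports which primary zones would answer a zone transfer (the -l / AXFR request above) to any host. The sample zones, file names and addresses are constructed.

```python
import re

# Constructed BIND configuration (not from the presentation): one restricted zone,
# one explicitly open zone and one that relies on the server default.
SAMPLE_NAMED_CONF = """options {
    directory "/var/named";
};
zone "corp.example" {
    type master;
    file "corp.example.zone";
    allow-transfer { 192.0.2.53; 198.51.100.53; };
};
zone "lab.example" {
    type master;
    file "lab.example.zone";
    allow-transfer { any; };
};
zone "legacy.example" {
    type master;
};
zone "." {
    type hint;
};
"""

def _blocks(text, keyword):
    """Yield (name, body) for every `keyword "name" { ... };`, matching braces by depth."""
    for m in re.finditer(r'\b%s\s+("([^"]*)"\s*)?\{' % keyword, text):
        depth, i = 1, m.end()
        while depth and i < len(text):
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m.group(2), text[m.end():i - 1]

def _acl(body, directive):
    """Return the `directive { a; b; }` entries of a block, or None if it is not set."""
    m = re.search(r'\b%s\s*\{([^}]*)\}' % directive, body)
    return [v.strip() for v in m.group(1).split(";") if v.strip()] if m else None

def audit_zone_transfers(conf):
    """Return {zone: verdict} for primary zones; transfers should be limited to secondaries."""
    global_acl = None
    for _, body in _blocks(conf, "options"):
        global_acl = _acl(body, "allow-transfer")
    verdicts = {}
    for name, body in _blocks(conf, "zone"):
        zone_type = re.search(r"\btype\s+(\w+)\s*;", body)
        if not zone_type or zone_type.group(1) not in ("master", "primary"):
            continue                                   # hint, slave, forward: nothing to serve
        acl = _acl(body, "allow-transfer")
        if acl is None:                                # zone setting overrides the options block
            acl = global_acl
        if acl is None:
            verdicts[name] = "unset: relies on the server default, confirm it for your BIND version"
        elif "any" in acl:
            verdicts[name] = "open: allow-transfer { any; } lets every host copy the zone"
        else:
            verdicts[name] = "ok: restricted to " + ", ".join(acl)
    return verdicts
```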

Enumerating TFTP, TCP/UDP 69

TFTP port 69 open: TFTP enumeration
tftp ip_address PUT local_file
tftp ip_address GET conf.txt (or other files)
Solarwinds TFTP server
tftp -i <IP> GET /etc/passwd (old Solaris)

TFTP bruteforcing
TFTP bruteforcer
Cisco-Torch

TFTP, TCP/UDP 69: Trivial File Transfer Protocol, for unauthenticated file transfers using UDP port 69
$ tftp 192.168.202.34
tftp> get /etc/passwd /tmp/passwd.cracklater
tftp> quit

It's trivial to copy a poorly secured /etc/passwd.

Finger, TCP/UDP 79
Finger port 79 open: user enumeration
finger 'a b c d e f g h'@example.com
finger admin@example.com
finger user@example.com
finger 0@example.com
finger .@example.com
finger **@example.com
finger test@example.com
finger @example.com

Command execution
finger "|/bin/id@example.com"
finger "|/bin/ls -a /@example.com"

Finger bounce
finger user@host@victim
finger @internal@external

Enumerating HTTP, TCP 80

Web ports 80, 8080 etc. open: fingerprint server
telnet ip_address port

Firefox plugins
All: firecat
Specific: add n edit cookies, asnumber, header spy, live http headers, shazou, web developer

Crawl website
lynx [options] startfile/URL
Options include -traversal -crawl -dump -image_links -source
httprint
Metagoofil
metagoofil.py -d [domain] -l [no. of] -f [type] -o results.html

Web directory enumeration
Nikto
nikto [-h target] [options]
DirBuster, Wikto, Goolag Scanner

Enumerating Microsoft RPC Endpoint Mapper (MSRPC), TCP 135

Enumeration Microsoft RPC port 135

Enum
enum <-UMNSPGLdc> <-u username> <-p password> <-f dictfile> <hostname|ip>
net use \\192.168.1.1\ipc$ "" /u:""

Null session
net view \\ip_address
Dumpsec

Smbclient
smbclient -L //server/share password options

Superscan
Enumeration tab.
user2sid/sid2user
Winfo

NetBIOS brute force
Hydra, Brutus, Cain & Abel, getacct, NAT (NetBIOS Auditing Tool)

Examine configuration files
smb.conf, lmhosts

NetBIOS Name Service Enumeration, UDP 137

Enumeration NetBIOS open ports UDP 137: the same Enum, null session, smbclient, Superscan, user2sid/sid2user, Winfo and NetBIOS brute force steps and configuration files (smb.conf, lmhosts) as listed under MSRPC TCP 135 above.

NetBIOS Session Enumeration, TCP 139

NetBIOS port 139: the same Enum, null session, smbclient, Superscan, user2sid/sid2user, Winfo and NetBIOS brute force steps and configuration files (smb.conf, lmhosts) as listed under MSRPC TCP 135 above.

SNMP Enumeration, UDP 161


SNMP port 161 open

Default community strings: public, private, cisco, cable-docsis, ILMI

MIB enumeration (Windows NT):
.1.3.6.1.2.1.1.5 Hostnames
.1.3.6.1.4.1.77.1.4.2 Domain Name
.1.3.6.1.4.1.77.1.2.25 Usernames
.1.3.6.1.4.1.77.1.2.3.1.1 Running Services
.1.3.6.1.4.1.77.1.2.27 Share Information

Tools: Solarwinds MIB walk, Getif, snmpwalk, Snscan
snmpwalk -v <Version> -c <Community string> <IP>

Applications (ZyXEL):
snmpget -v2c -c <Community String> <IP> 1.3.6.1.4.1.890.1.2.1.2.6.0
snmpwalk -v2c -c <Community String> <IP> 1.3.6.1.4.1.890.1.2.1.2

SNMP bruteforce:
onesixtyone -c SNMP.wordlist <IP>
cat: ./cat -h <IP> -w SNMP.wordlist
Solarwinds SNMP Brute Force
ADMsnmp

Examine SNMP configuration files - snmp.conf, snmpd.conf, snmp-config.xml
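An added example, not from the presentation, showing why the default community strings listed above matter: SNMPv1/v2c carries the community string in cleartext, so a capture-side check can read it straight out of the BER encoding of every datagram and flag the defaults. The block encodes a GetRequest for the ZyXEL OID from the slide and then decodes it the way such a check would; the community values are constructed.

```python
DEFAULT_COMMUNITIES = {"public", "private", "cisco", "cable-docsis", "ILMI"}   # from the slide

def _ber(tag, payload):
    """Minimal BER TLV encoder; short-form length is enough for these small PDUs."""
    assert len(payload) < 128
    return bytes([tag, len(payload)]) + payload

def _ber_int(n):
    return _ber(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def _ber_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >= 128:
            arc >>= 7
            chunk.append((arc & 0x7F) | 0x80)   # continuation bit on all but the last byte
        out.extend(reversed(chunk))
    return _ber(0x06, bytes(out))

def build_get_request(version, community, oid, request_id=1):
    """Encode an SNMPv1 (version 0) or v2c (version 1) GetRequest for a single OID."""
    varbind = _ber(0x30, _ber_oid(oid) + _ber(0x05, b""))        # name + NULL value
    pdu = _ber(0xA0, _ber_int(request_id) + _ber_int(0) + _ber_int(0) + _ber(0x30, varbind))
    return _ber(0x30, _ber_int(version) + _ber(0x04, community.encode()) + pdu)

def _tlv(buf, i):
    """Decode one TLV at offset i -> (tag, value, next_offset); handles long-form lengths."""
    tag, length = buf[i], buf[i + 1]
    i += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[i:i + n], "big")
        i += n
    return tag, buf[i:i + length], i + length

def inspect_snmp(packet):
    """What a capture-side check sees: version and (for v1/v2c) the cleartext community."""
    tag, msg, _ = _tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, ver, i = _tlv(msg, 0)
    version = {0: "v1", 1: "v2c", 3: "v3"}.get(int.from_bytes(ver, "big"), "unknown")
    if version == "v3":                 # v3 carries msgGlobalData here, not a community
        return {"version": version, "community": None, "default_community": False}
    _, community, _ = _tlv(msg, i)
    community = community.decode(errors="replace")
    return {"version": version, "community": community,
            "default_community": community in DEFAULT_COMMUNITIES}
```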

BGP Enumeration, TCP 179


The Border Gateway Protocol (BGP) is the de facto routing protocol on the Internet and is used by routers to propagate the information necessary to route IP packets to their destinations. By looking at the BGP routing tables, you can determine the networks associated with a particular corporation to add to your target host matrix. Not all networks connected to the Internet speak BGP, so this method may not work with your corporate network: only networks that have more than one uplink use BGP, and these are typically medium-to-large organizations. The methodology is simple. Here are the steps to perform BGP route enumeration:
1. Determine the Autonomous System Number (ASN) of the target organization.
2. Execute a query on the routers to identify all networks where the AS Path terminates with the organization's ASN.

The BGP protocol uses IP network addresses and ASNs exclusively. The ASN is a 16-bit integer that an organization purchases from ARIN to identify itself on the network. You can think of an ASN as an IP address for an organization. Because you cannot execute commands on a router using a company name, the first step is to determine the ASN for an organization. There are two techniques to do this, depending on what type of information you have. One approach, if you have the company name, is to perform a whois search with the ASN keyword. Alternatively, if you have an IP address for the organization, you can query a router and use the last entry in the AS Path as the ASN. For example, you can telnet to a public router and perform the following commands:

C:\>telnet route-views.oregon-ix.net
User Access Verification
Username: rviews
route-views.oregon-ix.net>show ip bgp 63.79.158.1
BGP routing table entry for 63.79.158.0/24, version 7215687
Paths: (29 available, best #14)
  Not advertised to any peer
  8918 701 16394 16394
    212.4.193.253 from 212.4.193.253 (212.4.193.253)
      Origin IGP, localpref 100, valid, external

Windows Active Directory LDAP Enumeration, TCP/UDP 389 & 3268

LDAP port 389 open: LDAP enumeration

ldapminer
ldapminer -h ip_address -p port (not required if default) -d

luma: GUI based tool
ldp: GUI based tool

openldap
ldapsearch [-n] [-u] [-v] [-k] [-K] [-t] [-A] [-L[L[L]]] [-M[M]] [-d debuglevel] [-f file] [-D binddn] [-W] [-w passwd] [-y passwdfile] [-H ldapuri] [-h ldaphost] [-p ldapport] [-P 2|3] [-b searchbase] [-s base|one|sub] [-a never|always|search|find] [-l timelimit] [-z sizelimit] [-O security-properties] [-I] [-U authcid] [-R realm] [-x] [-X authzid] [-Y mech] [-Z[Z]] filter [attrs...]
ldapadd [-c] [-S file] [-n] [-v] [-k] [-K] [-M[M]] [-d debuglevel] [-D binddn] [-W] [-w passwd] [-y passwdfile] [-h ldaphost] [-p ldapport] [-P 2|3] [-O security-properties] [-I] [-Q] [-U authcid] [-R realm] [-x] [-X authzid] [-Y mech] [-Z[Z]] [-f file]
ldapdelete [-n] [-v] [-k] [-K] [-c] [-M[M]] [-d debuglevel] [-f file] [-D binddn] [-W] [-w passwd] [-y passwdfile] [-H ldapuri] [-h ldaphost] [-P 2|3] [-p ldapport] [-O security-properties] [-U authcid] [-R realm] [-x] [-I] [-Q] [-X authzid] [-Y mech] [-Z[Z]] [dn]
ldapmodify [-a] [-c] [-S file] [-n] [-v] [-k] [-K] [-M[M]] [-d debuglevel] [-D binddn] [-W] [-w passwd] [-y passwdfile] [-H ldapuri] [-h ldaphost] [-p ldapport] [-P 2|3] [-O security-properties] [-I] [-Q] [-U authcid] [-R realm] [-x] [-X authzid] [-Y mech] [-Z[Z]] [-f file]
ldapmodrdn [-r] [-n] [-v] [-k] [-K] [-c] [-M[M]] [-d debuglevel] [-D binddn] [-W] [-w passwd] [-y passwdfile] [-H ldapuri] [-h ldaphost] [-p ldapport] [-P 2|3] [-O security-properties] [-I] [-Q] [-U authcid] [-R realm] [-x] [-X authzid] [-Y mech] [-Z[Z]] [-f file] [dn rdn]

ldap brute force
bf_ldap -s server -d domain name -u|-U username | users list file name -L|-l passwords list | length of passwords to generate
optional: -p port (default 389) -v (verbose mode) -P Ldap user path (default ,CN=Users,)
K0ldS
LDAP_Brute.pl

Examine configuration files
General: containers.ldif, ldap.cfg, ldap.conf, ldap.xml, ldap-config.xml, ldap-realm.xml, slapd.conf
IBM SecureWay V3 server: V3.sas.oc
Microsoft Active Directory server: msadClassesAttrs.ldif
Netscape Directory Server 4: nsslapd.sas_at.conf, nsslapd.sas_oc.conf
OpenLDAP directory server: slapd.sas_at.conf, slapd.sas_oc.conf
Sun ONE Directory Server 5.1: 75sas.ldif

Novell NetWare Enumeration, TCP 524 and IPX

Microsoft Windows is not alone with its null session holes. Novell's NetWare has a similar problem; actually it's worse. Novell practically gives up the information farm, all without authenticating to a single server or tree. Old NetWare 3.x and 4.x servers (with Bindery Context enabled) have what can be called the Attach vulnerability, allowing anyone to discover servers, trees, groups, printers, and usernames without logging into a single server. See the reference for how easily this is done and recommendations for plugging up these information holes.

NetWare Enumeration via Network Neighborhood


The first step to enumerating a Novell network is to learn about the servers and trees available on the wire. This can be done a number of ways, but none more simply than through the Windows Network Neighborhood. This handy network-browsing utility will query for all Novell servers and NDS trees on the wire. This enumeration occurs over IPX on traditional NetWare networks, or via NetWare Core Protocol (NCP, TCP 524) for NetWare 5 or greater servers running pure TCP/IP (the NetWare client software essentially wraps IPX in an IP packet with destination port TCP 524). Although you cannot drill down into the Novell NDS tree without logging into the tree itself, this capability represents the initial baby steps leading to more serious attacks.

UNIX RPC Enumeration, TCP/UDP 111 and 32771

Like any network resource, applications need to have a way to talk to each other over the wire. One of the most popular protocols for doing just that is Remote Procedure Call (RPC). RPC employs a service called the portmapper (now known as rpcbind) to arbitrate between client requests and the ports that it dynamically assigns to listening applications. Despite the pain it has historically caused firewall administrators, RPC remains extremely popular. The rpcinfo tool is the equivalent of finger for enumerating RPC applications listening on remote hosts and can be targeted at servers found listening on port 111 (rpcbind) or 32771 (Sun's alternate portmapper) in previous scans:

[root$] rpcinfo -p 192.168.202.34
program vers proto port
100000 2 tcp 111 rusersd
100002 3 udp 712 rusersd
100011 2 udp 754 rquotad
100005 1 udp 635 mountd
100003 2 udp 2049 nfs
100004 2 tcp 778 ypserv

This tells attackers that this host is running rusersd, NFS, and NIS (ypserv is the NIS server). Therefore, rusers, showmount -e, and pscan -n will produce further information (see reference for more tools and discussion). The pscan tool can also be used to enumerate this info by use of the -r switch.
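An added example (not from the presentation) that parses rpcinfo -p output like the listing above and turns it into the follow-up list an administrator needs to decide what to filter or retire, keyed by program number rather than the printed name (so a listing that labels program 100000 as rusersd still resolves to the portmapper). The listing in the block is constructed after the slide's output and describes no real host.

```python
# Well-known ONC RPC program numbers (rpc(5)); the number, not the printed name,
# identifies the service, so mislabelled listings still parse correctly.
RPC_PROGRAMS = {100000: "portmapper", 100002: "rusersd", 100003: "nfs", 100004: "ypserv",
                100005: "mountd", 100011: "rquotad", 100021: "nlockmgr", 100024: "status"}

# What each program discloses to an unauthenticated client, and the usual remedy.
EXPOSURE = {
    "rusersd": "lists logged-in users (account enumeration); disable or filter at the border",
    "mountd": "answers 'showmount -e' with the export list; restrict to NFS clients",
    "nfs": "exports reachable subject only to host checks; review /etc/exports",
    "ypserv": "NIS maps (passwd, hosts) retrievable by anyone who guesses the NIS domain; retire NIS",
}

# Constructed rpcinfo -p listing modelled on the slide's output (no real host).
SAMPLE_RPCINFO = """\
   program vers proto   port
    100000    2   tcp    111  portmapper
    100002    3   udp    712  rusersd
    100011    2   udp    754  rquotad
    100005    1   udp    635  mountd
    100003    2   udp   2049  nfs
    100004    2   tcp    778  ypserv
"""

def parse_rpcinfo(text):
    """Turn rpcinfo -p output into dicts; header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].isdigit():
            continue
        prog = int(fields[0])
        printed = fields[4] if len(fields) > 4 else "unknown"
        entries.append({"program": prog, "version": int(fields[1]), "proto": fields[2],
                        "port": int(fields[3]), "service": RPC_PROGRAMS.get(prog, printed)})
    return entries

def rpc_findings(text):
    """One follow-up item per exposed program of concern, keyed by service name."""
    findings = {}
    for e in parse_rpcinfo(text):
        svc = e["service"]
        if svc in EXPOSURE and svc not in findings:
            findings[svc] = "%s/%d: %s" % (e["proto"], e["port"], EXPOSURE[svc])
    return findings
```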

SQL Resolution Service Enumeration, UDP 1434

SQL Server ports 1433, 1434 open: SQL enumeration

piggy
SQLPing
sqlping ip_address/hostname
SQLPing2, SQLPing3, SQLpoke, SQL Recon, SQLver, SQLPAT

sqlbf -u hashes.txt -d dictionary.dic -r out.rep (dictionary attack)
sqlbf -u hashes.txt -c default.cm -r out.rep (brute-force attack)

SQL brute force
SQL Dict, SQLAT, Hydra, SQLlhf, ForceSQL

NFS Enumeration, TCP/UDP 2049

NFS port 2049 open: NFS enumeration

showmount -e hostname/ip_address
mount -t nfs ip_address:/directory_found_exported /local_mount_point

NFS brute force
Interact with the NFS share and try to add/delete files
Exploit and Confuse Unix

Examine configuration files
/etc/exports, /etc/lib/nfs/xtab

4.0 REFERENCES

Harry Newton, Newton's Telecom Dictionary, CMP Books, New York, NY, 2002.
http://www.phenoelit-us.org/dpl/dpl.html
Postel, John. "RFC 793". Retrieved 29 June 2012.
"Port Numbers". Internet Assigned Numbers Authority (IANA). http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
IEEE Xplore Digital Library, Cavendish, D., C&C Research Labs., USA, IEEE Communications Magazine, Volume 38, Issue 6, pages 164-172. http://ieeexplore.ieee.org/xpl/login.jsp?tp=&arnumber=846090&url=http%3A%2F%2Fieeexplore.ieee.org%2Fiel5%2F35%2F18353%2F00846090.pdf%3Farnumber%3D846090
Gigabit Ethernet for Metro Area Networks, Paul Bedell, 2003, page 329.
Dale Barr, Jr., Peter M. Fonash: Internet Protocol over Optical Transport Networks; National Communication Technologies, Inc., Dec 2003, pages 9, 43 to 47.
G.7712, Vertel Supports Latest Optical Network Management Standard, Embedded Stars, last accessed 23 September 2006. http://www.embeddedstar.com/press/content/2003/3/embedded7896.html
ECI Lightsoft Network Management Solutions General Description Handbook, 2nd Edition, ECI, June 2006, page 64.
Making Ethernet over SONET, D. Frey, F. Moore, A Transport Network Operations Model, Proceedings NFOEC, 2003, page 29.

USEFUL INTERNET ADDRESSES OF STANDARDS BODIES AND FORUMS

Internet: http://www.phenoelitus.org/dpl/dpl.html
Telecommunications Industry Association (TIA): www.tiaonline.org
Institute of Electrical and Electronics Engineers (IEEE): www.ieee.org

THANK YOU
