Chapter 6
Enumeration of Services

  1. III. Security
    • P. Vulnerabilities
  2. IV. Tools/Systems/Programs
    • O. Operating environments
    • Q. Log analysis tools
    • S. Exploitation tools

You’ve gathered a lot of information up to this point. Now it’s time to start exploring the target system more closely with the intention of using that information to hack into the system.

A Quick Review

Let’s take a brief look back at our previous phases to see what types of information you have collected and how it carries forward to each step up to this point.

Footprinting

Footprinting—gathering as much information as you possibly can about your target—is your first step. You are looking for information pertaining to the whole organization—technology, people, policies, facilities, networks, and other useful information. Footprinting helps you create a profile that can be used for later stages of your attack as well as plan a defensive strategy for future use.

Information that you have gathered during this phase may include:

  • IP address ranges
  • Namespaces
  • Employee information
  • Phone numbers
  • Facility information
  • Job information

During your exploration you’ve likely found that a significant amount of data can be acquired from various sources both common and uncommon.

Scanning

The next phase, scanning, is focused on gathering information from a network with the intention of locating active hosts. You identify hosts for the purpose of attack and for making security assessments as needed. You expect to find information about target systems over the Internet by using public IP addresses. In addition to addresses, you try to gather information about services running on each host.

During this phase you use techniques such as:

  • Pings
  • Ping sweeps
  • Port scans
  • Tracert

Processes unmask varying levels of detail about services. Inverse scanning techniques allow you to determine which IP addresses from the ranges you uncover in the footprinting phase do not have a corresponding live host “behind” them.

Now you are ready to move into the next phase: enumeration.

What Is Enumeration?

Enumeration is the process of extracting information from a target system in an organized and methodical manner. During enumeration you should be able to extract information such as usernames, machine names, shares, and services from a system as well as other information depending on the operating environment. Unlike with previous phases, you are initiating active connections to a system in an effort to gather the information you are seeking. Consequently you should consider this phase a high-risk process. Take extra effort to be precise lest you risk detection.

During this phase you are using active connections to the system to perform more aggressive information gathering. The active connections allow you to perform directed queries at the system to extract more information about the target environment. Having retrieved sufficient information, you can assess the strengths and weaknesses of the system. Information gathered during this phase generally falls into the following types:

  • Network resources and shares
  • Users and groups
  • Routing tables
  • Auditing and service settings
  • Machine names
  • Applications and banners
  • SNMP and DNS details

So what options are available to an attacker performing enumeration? Let’s take a look at the techniques you will be using in this chapter:

Extracting Information from E-mail IDs This technique is used to obtain username and domain name information from an e-mail address or ID. An e-mail address contains two parts: the first part before the @ is the username and what comes after the @ is the domain name.

Obtaining Information through Default Passwords Every device has default settings in place, and default passwords are part of this group. It is not uncommon to find default settings either partially or wholly left in place, meaning that an attacker can easily gain access to the system and extract information as needed.

Using Brute-force Attacks on Directory Services A directory service is a database that contains information used to administer the network. As such it is a big target for an attacker looking to gain extensive information about an environment. Many directories are vulnerable to input verification deficiencies as well as other holes that may be exploited for the purpose of discovering and compromising user accounts.

Exploiting SNMP The Simple Network Management Protocol (SNMP) can be exploited by an attacker who can guess the strings and use them to extract usernames.

Working with DNS Zone Transfers A zone transfer in DNS is a normal occurrence, but when this information falls into the wrong hands the effect can be devastating. A zone transfer is designed to update DNS servers with the correct information; however, the zone contains information that could map out the network, providing valuable data about the structure of the environment.

Capturing User Groups This technique involves extracting user accounts from specified groups, storing the results, and determining whether the session accounts are in the group.

Windows Basics

The Microsoft Windows operating system is designed to be used as either a stand-alone or a networked environment; however, for this discussion you will assume a networked setup only. In the Windows world, securing access to resources, objects, and other components is handled through many mechanisms, but there are some things that are common to both setups.

You need to know how access to resources such as file shares and other items is managed. Windows uses a model that can be best summed up as defining who gets access to what resources. For example, a user gets access to a file share or printer.

Users

In any operating system, the item that is most responsible for controlling access to the system is the user object. In Windows, the fundamental object that is used to determine access is the user account. User accounts are used in Windows for everything from accessing file shares to running services that allow software components to execute with the proper privileges and access.

Processes in Windows are run under one of the following user contexts:

Local Service A user account with higher than normal access to the local system but only limited access to the network.

Network Service A user account with normal access to the network but only limited access to the local system.

System A super-user style account that has nearly unlimited access to the local system.

Current User The currently logged-in user, who can run applications and tasks but is still subject to restrictions that other users are not subject to. The restrictions on this account hold true even if the user account being used is an Administrator account.

Each of these user accounts is used for specific reasons. In a typical Windows session each is running different processes behind the scenes to keep the system performing.

Groups

Groups are used by operating systems such as Windows and Linux to grant access to resources as well as to simplify management. Groups are effective administration tools that enable management of multiple users. A group can contain a large number of users that can then be managed as a unit. This approach allows you to assign access to a resource such as a shared folder to a group instead of each user individually, saving substantial time and effort. You can configure your own groups as you see fit on your network and systems, but most vendors such as Microsoft include a number of predefined groups that you can use or modify as needed. There are several default groups in Windows:

Anonymous Logon Designed to allow anonymous access to resources; typically used when accessing a web server or web applications.

Batch Used to allow batch jobs to run schedule tasks, such as a nightly cleanup job that deletes temporary files.

Creator Group Windows 2000 uses this group to automatically grant access permissions to users who are members of the same group(s) as the creator of a file or a directory.

Creator Owner The person who created the file or directory is a member of this group. Windows 2000, and later, uses this group to automatically grant access permissions to the creator of a file or directory.

Everyone All interactive, network, dial-up, and authenticated users are members of this group. This group is used to give wide access to a system resource.

Interactive Any user logged on to the local system has the Interactive identity, which allows only local users to access a resource.

Network Any user accessing the system through a network has the Network identity, which allows only remote users to access a resource.

Restricted Users and computers with restricted capabilities have the restricted identity. On a member server or workstation, a local user who is a member of the Users group (rather than the Power Users group) has this identity.

Self Refers to the object and allows the object to modify itself.

Service Any service accessing the system has the Service identity, which grants access to processes being run by Windows 2000, and later, services.

System The Windows 2000, and later, operating system has the System identity, which is used when the operating system needs to perform a system-level function.

Terminal Server User Allows Terminal Server users to access Terminal Server applications and to perform other necessary tasks with Terminal Services.

Security Identifiers

A very important idea for you to grasp is that of the security identifier (SID). Each user account in Windows has a SID, which is a combination of characters that looks like the following:

S-1-5-32-1045337234-12924708993-5683276719-19000

Even though you use a username to access the system, Windows identifies each user, group, or object by the SID. For example, Windows uses the SID to look up a user account and see whether a password matches. Also, SIDs are used in every situation in which permissions need to be checked—for example, when a user attempts to access a folder or shared resource.
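To make the structure of a SID concrete, here is an added example (not from the book) that parses a SID string into its revision, identifier authority and sub-authorities, and names the well-known parts a defender meets in ACLs, event logs and enumeration output. The sample SID values in the test are constructed; the identifier-authority and well-known RID tables are standard Windows constants, reduced to a subset.

```python
# Added example, not from the book: parse a Windows security identifier (SID)
# string into its parts and name the well-known pieces a defender will recognise
# in ACLs, event logs, and enumeration output.
import re
from typing import List, NamedTuple


class Sid(NamedTuple):
    revision: int
    authority: int
    sub_authorities: List[int]


# Identifier-authority values and well-known SIDs/RIDs are standard Windows
# constants; the lookup tables here are only a subset.
IDENTIFIER_AUTHORITIES = {0: "Null", 1: "World", 2: "Local", 3: "Creator", 5: "NT Authority"}
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-7": "Anonymous Logon",
    "S-1-5-18": "Local System",
    "S-1-5-19": "Local Service",
    "S-1-5-20": "Network Service",
    "S-1-5-32": "BUILTIN domain",
}
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 512: "Domain Admins",
                   544: "Administrators", 545: "Users"}

SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)*)$")


def parse_sid(text: str) -> Sid:
    """Split 'S-R-A-X-Y-...' into revision, identifier authority and sub-authorities."""
    match = SID_RE.match(text.strip())
    if not match:
        raise ValueError(f"not a SID: {text!r}")
    revision, authority = int(match.group(1)), int(match.group(2))
    subs = [int(part) for part in match.group(3).split("-") if part]
    if revision != 1:
        raise ValueError("only SID revision 1 exists")
    if len(subs) > 15:
        raise ValueError("a SID carries at most 15 sub-authorities")
    if any(sub > 0xFFFFFFFF for sub in subs):
        raise ValueError("sub-authorities are 32-bit values")
    return Sid(revision, authority, subs)


def format_sid(sid: Sid) -> str:
    return "-".join(["S", str(sid.revision), str(sid.authority), *map(str, sid.sub_authorities)])


def rid(sid: Sid) -> int:
    """The relative identifier (RID) is the last sub-authority."""
    return sid.sub_authorities[-1]


def domain_sid(sid: Sid) -> str:
    """Everything but the RID identifies the issuing domain or machine."""
    return format_sid(Sid(sid.revision, sid.authority, sid.sub_authorities[:-1]))


def describe(sid: Sid) -> str:
    """Human-readable meaning, e.g. 'BUILTIN domain / Administrators'."""
    text = format_sid(sid)
    if text in WELL_KNOWN_SIDS:
        return WELL_KNOWN_SIDS[text]
    if sid.authority == 5 and len(sid.sub_authorities) >= 2:
        issuer = WELL_KNOWN_SIDS.get(domain_sid(sid))
        if issuer is None and sid.sub_authorities[0] == 21:
            issuer = "domain/machine account"   # S-1-5-21-... is a local or AD domain
        if issuer is not None:
            who = WELL_KNOWN_RIDS.get(rid(sid), f"RID {rid(sid)}")
            return f"{issuer} / {who}"
    return f"{IDENTIFIER_AUTHORITIES.get(sid.authority, 'unknown authority')} SID {text}"
```

The check on the sub-authority range matters in practice: each sub-authority is a 32-bit value, so a "SID" with a larger number is malformed and will be rejected by Windows itself. The RID split is why renamed built-in accounts are still recognisable: the name changes, the RID 500 does not.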

Services and Ports of Interest

When moving into the enumeration phase, you should know those ports and services that are commonly used and what type of information they can offer to you as an attacker. You should expect during your scanning phase to uncover a number of ports. Here are a few that you should make sure you pay close attention to:

TCP 53 This port is used for DNS Zone transfers, the mechanism through which the DNS system keeps servers up to date with the latest zone data.

TCP 135 This port is used during communications between client-server applications, such as allowing Microsoft Outlook to communicate with Microsoft Exchange.

TCP 137 This port is associated with the NetBIOS Name Service (NBNS), a mechanism designed to provide name resolution services for the NetBIOS protocol. The service allows NetBIOS to associate names and IP addresses of individual systems and services. It is important to note that this service is a natural and easy target for many attackers.

TCP 139 NetBIOS Session Service, also known as SMB over NetBIOS, lets you manage connections between NetBIOS-enabled clients and applications and is associated with port TCP 139. The service is used by NetBIOS to establish connections and tear them down when they are no longer needed.

TCP 445 SMB over TCP, or Direct Host, is a service designed to improve network access and bypass NetBIOS use. This service is available only in versions of Windows starting at Windows 2000 and later. SMB over TCP is closely associated with TCP 445.

UDP 161 and 162 SNMP is a protocol used to manage and monitor network devices and hosts. The protocol is designed to facilitate messaging, monitoring, auditing, and other capabilities. SNMP works on two ports: 161 and 162. Listening takes place on 161 and traps are received on 162.

TCP/UDP 389 Lightweight Directory Access Protocol (LDAP) is used by many applications; two of the most common are Active Directory and Exchange. The protocol is used to exchange information between two parties. If the TCP/UDP 389 port is open, it indicates that one of these or a similar product may be present.

TCP/UDP 3268 The Global Catalog service is associated with Microsoft’s Active Directory and runs on port 3268 on Windows 2000 systems and later. The service is used to locate information within Active Directory.

TCP 25 Simple Mail Transfer Protocol (SMTP) is used for the transmission of messages in the form of e-mail across networks. By standard, the SMTP protocol will be accessible on TCP 25.

Commonly Exploited Services

The Windows OS is popular with both users and attackers for various reasons, but for now let’s focus on attackers and what they exploit.

Windows has long been known for running a number of services by default, each of which opens up a can of worms for a defender and a target of opportunity for an attacker. Each service on a system is designed to provide extra features and capabilities to the system such as file sharing, name resolution, and network management, among others. Windows can have around 30 or so services running by default, not including the ones that individual applications may install.

One step in gaining a foothold in a Windows system is exploiting the NetBIOS API. This service was originally intended to assist in the access to resources on a local area network (LAN) only. The service was designed to use 16-character names, with the first 15 characters identifying the machine and the last character representing a service or item on the machine itself. NetBIOS has proven to be a blessing to some and a curse to others. Let’s look at why.

An attacker who is using certain tools and techniques (more on this in a moment) can extract quite a bit of information from NetBIOS. Using scanning techniques, an attacker can sweep a system, find port 139 open, and know that this port is commonly associated with NetBIOS. Once the port has been identified, they can attempt to view or access information such as file shares, printer sharing, usernames, group information, or other goodies that may prove helpful.

One of the many tools that can be used to work with NetBIOS is a command-line utility nbtstat. This utility can display information, including name tables and protocol statistics, for local or remote systems. Included with every version of the Windows operating system, nbtstat can assist in network troubleshooting and maintenance. It is specifically designed to troubleshoot name resolution issues that are a result of the NetBIOS service. During normal operation, a service in Windows known as NetBIOS over TCP/IP will resolve NetBIOS names to IP addresses. nbtstat is designed to locate problems with this service.

In addition, the utility has the ability to return names (if any) registered with the Windows Internet Naming Service (WINS).

Tasks You Can Do with nbtstat

Run the nbtstat command as follows to return the name table on a remote system:

nbtstat -a <netbios name of remote system>

The -A switch returns the same name table when you supply the target’s IP address rather than its NetBIOS name. The command line that uses this option would look like the following if the targeted system had an IP address of 192.168.1.10:

nbtstat -A 192.168.1.10

The nbtstat command can do much more than these two functions. The following is a partial listing of the options available with the nbtstat command:

  • -a Returns the NetBIOS name table and media access control (MAC) address of the network adapter for the computer name specified
  • -A Lists the same information as -a when given the target’s IP address
  • -c Lists the contents of the NetBIOS name cache
  • -n Names: Displays the names registered locally by NetBIOS applications such as the server and redirector
  • -r Resolved: Displays a count of all names resolved by broadcast or the WINS server
  • -s Sessions: Lists the NetBIOS sessions table and converts destination IP addresses to computer NetBIOS names
  • -S Sessions: Lists the current NetBIOS sessions and their status, along with the IP address

NULL Sessions

A powerful feature as well as a potential liability is something known as the NULL session. This feature is used to allow clients or endpoints of a connection to access certain types of information across the network. NULL sessions are not anything new and in fact have been part of the Windows operating system for a considerable amount of time for completely legitimate purposes; the problem is that they are also a source of potential abuse as well. As you will soon see, the NULL session can reveal a wealth of information.

Basically a NULL session is something that occurs when a connection is made to a Windows system without credentials being provided. This session is one that can only be made to a special location called the interprocess communication share (IPC$), which is an administrative share. In normal practice, NULL sessions are designed to facilitate a connection between systems on a network to allow one system to enumerate the processes and shares on the other. Information that may be obtained during this process includes:

  • List of users and groups
  • List of machines
  • List of shares
  • Users and host SIDs

The NULL session allows access to a system using a special account called a NULL user that can be used to reveal information about system shares or user accounts while not requiring a username or password to do so.

Exploiting a NULL session is a simple task that requires only a short list of commands. For example, assume that a computer has the name “zelda” as the hostname, which would mean you could attach to that system by using the following, where the host is the IP address or name of the system being targeted:

net use \\zelda\ipc$ "" /user:""

To view the shares available on a particular system, after issuing the command to connect to the ipc$ share on the target system issue the following command:

net view \\zelda

This command lists the shares on the system. Of course if no other shared resources are available nothing will be displayed.

Once an attacker has this list of shares, the next step is to connect to a share and view the data. This is easy to do at this point by using the net use command:

net use s: \\zelda\(shared folder name)

You should now be able to view the contents of the folder by browsing the S: drive, which is mapped in this example.

SuperScan

You used SuperScan earlier to do scanning, but this scanner is more than a one-trick pony and can help you with your NetBIOS exploration. In addition to SuperScan’s documented abilities to scan TCP and UDP ports, perform ping scans, and run whois and tracert, it has a formidable suite of features designed to query a system and return useful information.

SuperScan offers a number of useful enumeration utilities designed for extracting information such as the following from a Windows-based host:

  • NetBIOS name table
  • NULL session
  • MAC addresses
  • Workstation type
  • Users
  • Groups
  • Remote procedure call (RPC) endpoint dump
  • Account policies
  • Shares
  • Domains
  • Logon sessions
  • Trusted domains
  • Services

The PsTools Suite

Standing tall next to our other tools is a suite of Microsoft tools designed to extract various kinds of information and perform other tasks involving a system. The tools in the PsTools suite allow you to manage remote systems as well as the local system.

The tools included in the suite, downloadable as a package, are as follows:

PsExec Executes processes remotely

PsFile Displays files opened remotely

PsGetSid Displays the SID of a computer or a user

PsInfo Lists information about a system

PsPing Measures network performance

PsKill Kills processes by name or process ID

PsList Lists detailed information about processes

PsLoggedOn Lets you see who’s logged on locally and via resource sharing (full source is included)

PsLogList Dumps event log records

PsPasswd Changes account passwords

PsService Views and controls services

PsShutdown Shuts down and optionally reboots a computer

PsSuspend Suspends processes

PsUptime Shows you how long a system has been running since its last reboot (PsUptime’s functionality has been incorporated into PsInfo)

Enumeration with SNMP

Another useful mechanism for enumerating a target system is the Simple Network Management Protocol (SNMP). This protocol is used to assist in the management of devices such as routers, hubs, and switches, among others.

SNMP comes in three versions:

SNMPv1 This version of the protocol was introduced as a standardized mechanism for managing network devices. While it accomplished many tasks such as introducing a standardized protocol, it lacked in many others. The shortcomings of this protocol were addressed in later versions. Of interest to the pen tester is the fact that this version does not include any security measures.

SNMPv2 This version introduced new management functions as well as security features that were not included in the initial version. By design this version of the protocol is backwards compatible with SNMPv1.

SNMPv3 This is the latest version of the protocol; it places increased emphasis on the area of security. The security of SNMPv3 is focused on two areas:

  1. Authentication is used to ensure that traps are read by only the intended recipient.
  2. Privacy encrypts the payload of the SNMP message to ensure that it cannot be read by unauthorized users.

SNMP is an application layer protocol that functions using UDP. The protocol works across platforms, meaning it can be accessed on most modern operating systems including Windows, Linux, and Unix. The main requirement for SNMP is that the network is running the TCP/IP protocol.

SNMP enumeration for the ethical hacker consists of leveraging the weaknesses in the protocol to reveal user accounts and devices on a target running the protocol. To understand how this is possible, let’s delve into some components of the SNMP system. In the SNMP system two components are running: the SNMP agent and the SNMP management station. The agent is located on the device to be managed or monitored, whereas the management station communicates with the agent itself.

The system works through the use of the agent and the management station like so:

  1. The SNMP management station sends a request to the agent.
  2. The agent receives the request and sends back a reply.

The messages sent back and forth function by setting or reading variables on a device. Additionally the agents use traps to let the management station know if anything has occurred, such as failure or reboot, that needs to be addressed.

Management Information Base

Management Information Base (MIB) is a database that contains descriptions of the network objects that can be managed through SNMP. MIB is the collection of hierarchically organized information. It provides a standard representation of the SNMP agent’s information and storage. MIB elements are recognized using object identifiers. The object identifier (OID) is the numeric name given to the object and begins with the root of the MIB tree. It can uniquely identify the object present in the MIB hierarchy.

MIB-managed objects include scalar objects that define a single object instance and tabular objects that define groups of related object instances. The object identifiers include the object’s type, such as counter, string, or address; access level such as read or read/write; size restrictions; and range information. MIB is used as a codebook by the SNMP manager for converting the OID numbers into a human-readable display.

By default the SNMP protocol tends to contain two passwords used to both configure and read the information from an agent:

  • Read community string
    • Configuration of the device or system can be viewed with the help of this password.
    • These strings are public.
  • Read/write community string
    • Configuration on the device can be changed or edited using this password.
    • These strings are private.

Although these strings can be changed, they can also be left at the defaults noted here. Attackers can and will take the opportunity to leverage this mistake. An attacker can use the default passwords for changing or viewing information for a device or system. As an attacker you will attempt to use the service to enumerate the information from the device for later attacks.
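The reason the default community strings matter so much is that SNMPv1 and v2c carry the string in cleartext in every datagram. The following is an added example, not code from the book: it hand-builds an SNMPv1 GetRequest for the standard sysDescr.0 object using plain BER encoding and the RFC 1157 message layout, then reads the community string straight back out of the bytes, which is all a passive observer on the path has to do. Nothing is sent; the community strings used in the test are constructed.

```python
# Added example, not from the book: hand-build an SNMPv1 GetRequest for sysDescr.0
# and read the community string straight back out of the datagram, to show why the
# v1/v2c "password" is no protection on the wire. Only standard BER rules and the
# RFC 1157 message layout are used; no packet is sent.
from typing import Tuple

DEFAULT_COMMUNITIES = {"public", "private"}   # the vendor defaults the text warns about
SYS_DESCR = "1.3.6.1.2.1.1.1.0"                # standard MIB-II OID for sysDescr.0


def ber_length(n: int) -> bytes:
    """BER length: one byte below 128, otherwise 0x80|count followed by the big-endian value."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + ber_length(len(content)) + content


def ber_integer(value: int) -> bytes:
    if value < 0:
        raise ValueError("only non-negative integers are needed here")
    return tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def ber_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or arcs[1] >= 40:
        raise ValueError("invalid OID")
    out = bytearray([40 * arcs[0] + arcs[1]])   # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:                               # base-128 with continuation bits
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return tlv(0x06, bytes(out))


def build_get_request(community: str, oid: str = SYS_DESCR, request_id: int = 1) -> bytes:
    """SNMPv1 Message ::= SEQUENCE { version INTEGER(0), community OCTET STRING, PDU }."""
    varbind = tlv(0x30, ber_oid(oid) + tlv(0x05, b""))            # OID + NULL value
    pdu = tlv(0xA0, ber_integer(request_id) + ber_integer(0) + ber_integer(0)
              + tlv(0x30, varbind))                                 # GetRequest-PDU
    return tlv(0x30, ber_integer(0) + tlv(0x04, community.encode("ascii")) + pdu)


def read_tlv(buf: bytes, off: int) -> Tuple[int, bytes, int]:
    """Return (tag, content, offset after the element)."""
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:
        size = length & 0x7F
        length = int.from_bytes(buf[off:off + size], "big")
        off += size
    return tag, buf[off:off + length], off + length


def extract_community(packet: bytes) -> Tuple[int, str]:
    """What any passive observer can recover from a v1/v2c datagram: (version, community)."""
    tag, message, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    tag, version, off = read_tlv(message, 0)
    tag2, community, _ = read_tlv(message, off)
    if tag != 0x02 or tag2 != 0x04:
        raise ValueError("unexpected message layout")
    return int.from_bytes(version, "big"), community.decode("latin-1")


def uses_default_community(packet: bytes) -> bool:
    """Audit check: version 0 (v1) or 1 (v2c) with a vendor-default community string."""
    version, community = extract_community(packet)
    return version in (0, 1) and community.lower() in DEFAULT_COMMUNITIES
```

The same read_tlv walk applied to a packet capture of UDP 161 traffic is a quick way to inventory which community strings are in use on a network and which agents still answer to public or private; the fix is SNMPv3 with authentication and privacy, or at minimum non-default strings and an ACL on the agent.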

The following can be extracted through SNMP:

  • Network resources such as hosts, routers, and devices
  • File shares
  • ARP tables
  • Routing tables
  • Device-specific information
  • Traffic statistics

Commonly used SNMP enumeration tools include SNMPUtil and SolarWinds’ IP Network Browser.

SNScan

SNScan is a utility designed to detect devices on a network enabled for SNMP. The utility helps you locate and identify devices that are vulnerable to SNMP attacks. SNScan scans specific ports (for example, UDP 161, 193, 391, and 1993) and looks for the use of standard (public and private) and user-defined SNMP community names. User-defined community names may be used to more effectively evaluate the presence of SNMP-enabled devices in complex networks.

Unix and Linux Enumeration

Linux and Unix systems are no different from Windows systems and can be enumerated as well. The difference lies in the tools and the approach. In this section you will take a look at a handful of the tools that have proven useful in exploring these systems.

finger

The finger command is designed to return information about a user on a given system. When executed it returns information such as the user’s home directory, login time, idle times, office location, and the last time they received or read mail.

The command line for the finger command looks like this:

finger <switches> username

Switches that can be used with the finger command include the following:

  • -b removes the home directory and shell from the user display.
  • -f removes header information from the display.
  • -w removes the full name from the display.
  • -l returns the list of users.

rpcinfo

The rpcinfo command enumerates information exposed over the Remote Procedure Call (RPC) protocol.

The command line for rpcinfo looks like this:

rpcinfo <switches> hostname

Switches that can be used with rpcinfo include the following:

  • -m displays a list of statistics for RPC on a given host.
  • -s displays a list of registered RPC applications on a given host.

showmount

The showmount command lists and identifies the shared directories present on a given system. showmount displays a list of all clients that have remotely mounted a file system.

The command line for showmount looks like this:

/usr/sbin/showmount [-ade] [hostname]

Switches that can be used with showmount include the following:

  • -a prints all remote mounts.
  • -d lists directories that have been remotely mounted by clients.
  • -e prints the list of shared file systems.

Enum4linux

One tool worth looking at is enum4linux, which allows for the extraction of information through samba.

So first, what is samba? Per samba.org, the software is described as:

...software that can be run on a platform other than Microsoft Windows, for example, UNIX, Linux, IBM System 390, OpenVMS, and other operating systems. Samba uses the TCP/IP protocol that is installed on the host server. When correctly configured, it allows that host to interact with a Microsoft Windows client or server as if it is a Windows file and print server.

Enum4linux allows for extraction of information where samba is in use. Information that can be returned includes the following:

  • Group membership information
  • Share information
  • Workgroup or domain membership
  • Remote operating system identification
  • Password policy retrieval

LDAP and Directory Service Enumeration

The Lightweight Directory Access Protocol (LDAP) is used to interact with and organize databases. LDAP is very widely used due to the fact that it is an open standard that is used by a number of vendors in their own products—in many cases a directory service like Microsoft’s Active Directory.

A directory is a database, but the data is organized in a hierarchical or logical format. Another way of looking at this design is to think of the organization of data much like the files and folders on a hard drive. To make this data easier and more efficient to access, you can use DNS alongside the service to speed up queries.

Directory services that make use of LDAP include:

  • Active Directory
  • Novell eDirectory
  • OpenLDAP
  • Open Directory
  • Oracle iPlanet

Tools that allow for the enumeration of LDAP-enabled systems and services include the following:

  • JXplorer
  • LDAP Admin Tool
  • LDAP Account Manager
  • LEX (The LDAP Explorer)
  • Active Directory Explorer
  • LDAP Administration Tool
  • LDAP Search
  • Active Directory Domain Services Management Pack
  • LDAP Browser/Editor

Enumeration Using NTP

Another effective way to gather information about a network and the resources on it is through use of the Network Time Protocol (NTP). Before you look at how to exploit this protocol for information-gathering purposes, you need to understand what the protocol does and what purpose it serves.

NTP is a protocol used to synchronize the clocks across the hosts on a network. The importance of the protocol is extremely high considering that directory services rely on clock settings for logon purposes.

The following commands can be used against an NTP server:

  • ntpdate
  • ntptrace
  • ntpdc
  • ntpq

SMTP Enumeration

Yet another effective way of gathering information from a target is through the use of SMTP. This protocol is designed to send messages between servers that send and receive e-mail. SMTP is the standard used by the majority of e-mail servers and clients today.

So how is this protocol used to gather information from a server? The process is quite simple if you have a fundamental understanding of a few commands and how to use them.

Using VRFY

One easy way to verify the existence of e-mail accounts on a server is by using the telnet command to attach to the target and extract the information. The VRFY command is used within the protocol to check whether a specific user ID is present. However, this same command can be used by an attacker to locate valid accounts for attack, and if scripted, it could also be used to extract multiple accounts in a short time, as shown here:

telnet 10.0.0.1 25 (where 10.0.0.1 is the server IP and 25 is the port for SMTP)
220 server1 ESMTP Sendmail 8.9.3
HELO
501 HELO requires domain address
HELO x
250 server1 Hello [10.0.0.72], pleased to meet you
VRFY chell
250 Super-User <link@server1>
VRFY glados
550 glados... User unknown

The previous code used VRFY to validate the user accounts chell and glados. The server responded with information indicating that chell is a valid user, whereas the “User unknown” response for glados indicates the opposite.

Using EXPN

EXPN is another valuable command for a pen tester or an attacker. The command is similar in functioning to the VRFY command, but rather than returning one user, it can return all the users on a distribution list:

telnet 10.0.0.1 25 (where 10.0.0.1 is the server IP and 25 is the port for SMTP)
220 server1 ESMTP Sendmail 8.9.3
HELO
501 HELO requires domain address
HELO x
250 server1 Hello [10.0.0.72], pleased to meet you
EXPN link
250 Super-User <link@myhost>
EXPN zelda
550 zelda... User unknown

Using RCPT TO

The command RCPT TO identifies the recipient of an e-mail message; it can be repeated within a single message to deliver that message to multiple recipients. Because the server must decide whether it will accept each recipient, its replies leak the same information as VRFY. Most administrators disable VRFY and EXPN, but they cannot disable RCPT TO without breaking mail delivery, so this is the method that most often still works. As long as you never issue the DATA command, no message is actually sent. Here's an example:

telnet 10.0.0.1 25
220 server1 ESMTP Sendmail 8.9.3
HELO
501 HELO requires domain address
HELO x
250 server1 Hello [10.0.0.72], pleased to meet you
MAIL FROM:link
250 link... Sender ok
RCPT TO:link
250 link... Recipient ok
RCPT TO:zelda
550 zelda... User unknown

These checks are easy enough to run by hand from the command line, but tools automate them: TamoSoft's Essential NetTools and NetScanTools Pro include SMTP user-enumeration functions, as do the open-source smtp-user-enum script and Nmap's smtp-enum-users NSE script. Expect a hardened server to refuse VRFY and EXPN outright (502) or to answer 252 ("Cannot VRFY user, but will accept message for delivery") for every name, in which case only the RCPT TO method gives a usable answer.
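The probes above also leave a trail on the defender's side: every rejected RCPT TO is logged by the mail server together with the client address, and a burst of "User unknown" rejects for many different names from one client within a few seconds is the signature of a scripted wordlist run, something a legitimate peer mistyping a single address never produces. The following added example (not from the original text) parses constructed log lines modeled on Postfix's "NOQUEUE: reject" messages and flags clients that probed many non-existent recipients in a short window, as well as clients that tried to relay. The sample lines, hostnames, addresses, and the thresholds are invented for the example.

```python
"""Detect SMTP user enumeration and relay probing from MTA reject logs.
Added example, not from the original text. The log lines are constructed and modeled on
Postfix smtpd 'NOQUEUE: reject' messages; they are not real captures."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: one client (10.0.0.72) runs a wordlist, then tries to relay;
# a partner MTA (192.0.2.10) mistypes one address and then delivers normally.
SAMPLE_LOG = """\
Mar  3 10:15:01 mx1 postfix/smtpd[2231]: NOQUEUE: reject: RCPT from unknown[10.0.0.72]: 550 5.1.1 <zelda@server1>: Recipient address rejected: User unknown in local recipient table; from=<probe@example.com> to=<zelda@server1> proto=SMTP helo=<x>
Mar  3 10:15:01 mx1 postfix/smtpd[2231]: NOQUEUE: reject: RCPT from unknown[10.0.0.72]: 550 5.1.1 <glados@server1>: Recipient address rejected: User unknown in local recipient table; from=<probe@example.com> to=<glados@server1> proto=SMTP helo=<x>
Mar  3 10:15:02 mx1 postfix/smtpd[2231]: NOQUEUE: reject: RCPT from unknown[10.0.0.72]: 550 5.1.1 <wheatley@server1>: Recipient address rejected: User unknown in local recipient table; from=<probe@example.com> to=<wheatley@server1> proto=SMTP helo=<x>
Mar  3 10:15:02 mx1 postfix/smtpd[2231]: NOQUEUE: reject: RCPT from unknown[10.0.0.72]: 550 5.1.1 <cave@server1>: Recipient address rejected: User unknown in local recipient table; from=<probe@example.com> to=<cave@server1> proto=SMTP helo=<x>
Mar  3 10:15:03 mx1 postfix/smtpd[2231]: NOQUEUE: reject: RCPT from unknown[10.0.0.72]: 550 5.1.1 <caroline@server1>: Recipient address rejected: User unknown in local recipient table; from=<probe@example.com> to=<caroline@server1> proto=SMTP helo=<x>
Mar  3 10:15:04 mx1 postfix/smtpd[2231]: NOQUEUE: reject: RCPT from unknown[10.0.0.72]: 554 5.7.1 <victim@example.net>: Relay access denied; from=<probe@example.com> to=<victim@example.net> proto=SMTP helo=<x>
Mar  3 11:02:17 mx1 postfix/smtpd[2402]: NOQUEUE: reject: RCPT from mail.partner.example[192.0.2.10]: 550 5.1.1 <jdoe@server1>: Recipient address rejected: User unknown in local recipient table; from=<bob@partner.example> to=<jdoe@server1> proto=ESMTP helo=<mail.partner.example>
Mar  3 11:02:18 mx1 postfix/smtpd[2402]: 7A1B2C3D4E: client=mail.partner.example[192.0.2.10]
"""

# syslog timestamp, host, smtpd pid, then the reject: client[ip]: code ext <rcpt>: reason;
REJECT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: NOQUEUE: reject: "
    r"RCPT from \S+\[(?P<ip>[^\]]+)\]: (?P<code>\d{3}) \S+ <(?P<rcpt>[^>]*)>: (?P<reason>[^;]+);"
)


def parse_rejects(log_text):
    """Return (timestamp, client_ip, recipient, reason) for every RCPT reject line."""
    events = []
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if m:
            # syslog carries no year; strptime defaults to 1900, which is fine for intervals
            ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
            events.append((ts, m["ip"], m["rcpt"], m["reason"]))
    return events


def detect_enumeration(events, threshold=5, window_seconds=60):
    """Client IPs that probed >= threshold distinct non-existent recipients inside window_seconds.
    Returns {ip: distinct_unknown_recipients_in_the_worst_window}."""
    by_ip = defaultdict(list)
    for ts, ip, rcpt, reason in events:
        if "User unknown" in reason:
            by_ip[ip].append((ts, rcpt))
    flagged = {}
    for ip, probes in by_ip.items():
        probes.sort()
        for i, (start, _) in enumerate(probes):   # slide a window forward from each probe
            names = {r for t, r in probes[i:] if (t - start).total_seconds() <= window_seconds}
            if len(names) >= threshold:
                flagged[ip] = len(names)
                break
    return flagged


def detect_relay_probes(events):
    """Client IPs that tried to relay to a domain this server does not host."""
    return sorted({ip for _, ip, _, reason in events if reason.startswith("Relay access denied")})
```

Tune threshold and window_seconds to the server's normal rate of bounced typos before alerting on the result; the relay-probe list needs no tuning, since a legitimate sender has no reason to ask an unrelated server to forward mail.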

SMTP Relay

An SMTP relay accepts a message from one party and forwards it to another. An open relay is a server that does this for anyone: it accepts mail whose sender and recipient are both outside the domains it hosts. Open relays aren't the problem they used to be, but you still need to check for them. Spammers and attackers use an open relay to send spam or malware that appears to come from the unsuspecting relay owner, whose server then ends up on blocklists. The check is the same RCPT TO exchange shown above: issue MAIL FROM with an external sender, then RCPT TO with a recipient in a domain the server does not host. A 250 "Recipient ok" reply means the server will relay; a 550 "Relaying denied" (Postfix answers 554 "Relay access denied") means it will not. Nmap's smtp-open-relay script runs a battery of such tests, including the address-formatting tricks that have bypassed poorly written relay rules.
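The VRFY, EXPN, and RCPT TO exchanges above and the open-relay test all follow one pattern: connect, send HELO, issue a command, read the reply code. The following added example (not part of the original text) scripts that pattern in Python over a raw socket so the replies can be classified rather than read by eye. Because a real target cannot ship with the page, it includes a constructed FakeSMTPServer that answers on a loopback port the way the Sendmail host in the transcripts does; the mailboxes chell and link, the list staff, the domain server1, and the probe addresses are assumptions for the example. The same enumerate_users function serves all three commands, and is_open_relay is nothing more than an RCPT TO probe with a recipient in a domain the server does not host.

```python
"""SMTP user enumeration (VRFY, EXPN, RCPT TO) and an open-relay check over a raw socket. Added
example, not from the original text; FakeSMTPServer is a constructed offline stand-in for the target."""
import socket
import threading

FAKE_DOMAIN = "server1"                    # constructed
FAKE_USERS = {"chell", "link"}             # constructed local mailboxes
FAKE_LISTS = {"staff": ["chell", "link"]}  # constructed distribution list


class FakeSMTPServer:  # minimal Sendmail-flavoured responder on an ephemeral loopback port
    def __init__(self, open_relay=False):
        self.open_relay, self.sock = open_relay, socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:                        # one client at a time is enough for these probes
            self._handle(self.sock.accept()[0])

    def _handle(self, conn):
        send = lambda msg: conn.sendall((msg + "\r\n").encode())
        send(f"220 {FAKE_DOMAIN} ESMTP Sendmail 8.9.3")
        for raw in conn.makefile("rb"):
            verb, _, arg = raw.decode(errors="replace").strip().partition(" ")
            verb, arg = verb.upper(), arg.strip()
            if verb == "HELO":
                send(f"250 {FAKE_DOMAIN} Hello [127.0.0.1], pleased to meet you" if arg else "501 HELO requires domain address")
            elif verb in ("VRFY", "EXPN"):
                name = arg.strip("<>").split("@")[0]
                members = (FAKE_LISTS.get(name) if verb == "EXPN" else None) or ([name] if name in FAKE_USERS else [])
                if not members:
                    send(f"550 {name}... User unknown")
                for i, m in enumerate(members):    # "250-" = continuation line, "250 " = last line
                    send(f"250{'-' if i < len(members) - 1 else ' '}<{m}@{FAKE_DOMAIN}>")
            elif verb == "MAIL":
                send("250 Sender ok")
            elif verb == "RCPT":
                addr = arg.split(":", 1)[-1].strip().strip("<>")
                local, _, domain = addr.partition("@")
                if domain and domain != FAKE_DOMAIN:   # foreign domain: this is the relay decision
                    send(f"250 <{addr}>... Recipient ok" if self.open_relay else f"550 <{addr}>... Relaying denied")
                else:
                    send(f"250 {local}... Recipient ok" if local in FAKE_USERS else f"550 {local}... User unknown")
            elif verb == "QUIT":
                send(f"221 {FAKE_DOMAIN} closing connection")
                break
            else:
                send("500 Command unrecognized")
        conn.close()


class SMTPSession:  # raw SMTP client: one command in, one (possibly multi-line) reply out
    def __init__(self, host, port, timeout=5):
        self.sock = socket.create_connection((host, port), timeout)
        self.rfile = self.sock.makefile("rb")
        self._reply()                      # 220 banner
        self.cmd("HELO probe.example")     # Sendmail answers 501 to anything sent before a greeting

    def _reply(self):
        lines = []
        while True:
            line = self.rfile.readline().decode(errors="replace").rstrip("\r\n")
            if not line:
                raise ConnectionError("server closed the connection")
            lines.append(line)
            if line[3:4] != "-":           # "250-..." continues the reply, "250 ..." ends it
                return int(line[:3]), lines

    def cmd(self, line):
        self.sock.sendall((line + "\r\n").encode())
        return self._reply()

    def close(self):
        try:
            self.cmd("QUIT")               # QUIT also discards any half-built envelope
        finally:
            self.sock.close()


def enumerate_users(host, port, candidates, method="VRFY", sender="probe@example.com"):
    """Map each candidate to (True | False | None, reply lines). None means the server would not say
    (252 'cannot VRFY user', 502 'command disabled', ...), which is what a hardened MTA returns."""
    s, results = SMTPSession(host, port), {}
    try:
        if method == "RCPT":               # RCPT TO needs an envelope; without DATA nothing is sent
            s.cmd(f"MAIL FROM:<{sender}>")
        for name in candidates:
            code, lines = s.cmd(f"RCPT TO:<{name}>" if method == "RCPT" else f"{method} {name}")
            results[name] = (True if code in (250, 251) else False if code in (550, 551, 553) else None, lines)
    finally:
        s.close()
    return results


def is_open_relay(host, port, victim="victim@example.net"):
    """The relay test is an RCPT TO probe whose recipient is in a domain the server does not host."""
    return enumerate_users(host, port, [victim], "RCPT")[victim][0] is True


if __name__ == "__main__":
    srv = FakeSMTPServer()
    print(enumerate_users("127.0.0.1", srv.port, ["chell", "glados"]), is_open_relay("127.0.0.1", srv.port))
```

Against a real host (only with authorization) the verdicts come back as True, False, or None; None is the hardened-server answer, which is why RCPT TO is the method to fall back on. Neither function ever issues DATA, so even when an open relay answers 250 no message is queued.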

Summary

This chapter described the process of enumerating the resources on a system for a later attack. You began by exploring various items on a system such as user accounts and group information. Information from the previous footprinting phase was gathered with little or no interaction with the target, whereas in this phase you obtain information by actively querying it. Information brought into this phase includes usernames, IP ranges, share names, and system information.

An attacker who wants to perform increasingly aggressive and powerful actions will need to gain greater access. This is done by building on the information obtained through careful investigation. To perform this investigation, you have such options as the use of NetBIOS NULL sessions, SNMP enumeration, SMTP commands, and utilities such as the PsTools suite.

If enumeration is performed correctly, the attacker should have a good picture of what the system looks like. Information should include account information, group information, share information, network data, service data, application profiles, and much more.

Exam Essentials

Understand the process of enumeration. Make sure you can identify the enumeration process, how it is carried out against a system, and what the end results are for the attacker and the defender.

Know the different types of ports. Understand the differences between the different types of ports; specifically, know the common port numbers and the differences between TCP and UDP. Know that TCP is connection-oriented and UDP is connectionless, and that the two port types are used for different reasons.

Know your protocols. Understand the differences between SNMP, SMTP, HTTP, FTP, RCP, and other protocols and where you might find them.

Review Questions

  1. Enumeration is useful to system hacking because it provides which of the following:

    1. Passwords
    2. IP ranges
    3. Configurations
    4. Usernames
  2. Enumeration does not uncover which of the following pieces of information?

    1. Services
    2. User accounts
    3. Ports
    4. Shares
  3. ________ involves increasing a user’s access on a system.

    1. System hacking
    2. Privilege escalation
    3. Enumeration
    4. Backdoor
  4. ________ is the process of exploiting services on a system.

    1. System hacking
    2. Privilege escalation
    3. Enumeration
    4. Backdoor
  5. VRFY is used to do which of the following?

    1. Validate an e-mail address
    2. Expand a mailing list
    3. Validate an e-mail server
    4. Test a connection
  6. ________ is a method for expanding an e-mail list.

    1. VRFY
    2. EXPN
    3. RCPT TO
    4. SMTP
  7. An attacker can use ________ to enumerate users on a system.

    1. NetBIOS
    2. TCP/IP
    3. NetBEUI
    4. NNTP
  8. A ________ is used to connect to a remote system using NetBIOS.

    1. NULL session
    2. Hash
    3. Rainbow table
    4. Rootkit
  9. ________ is used to synchronize clocks on a network.

    1. SAM
    2. NTP
    3. NetBIOS
    4. FTP
  10. Port number ________ is used for SMTP.

    1. 25
    2. 110
    3. 389
    4. 52
  11. Port number ________ is used by DNS for zone transfers.

    1. 53 TCP
    2. 53 UDP
    3. 25 TCP
    4. 25 UDP
  12. Which command can be used to view NetBIOS information?

    1. netstat
    2. nmap
    3. nbtstat
    4. telnet
  13. SNScan is used to access information for which protocol?

    1. SMTP
    2. FTP
    3. SNMP
    4. HTTP
  14. SMTP is used to perform which function?

    1. Monitor network equipment
    2. Transmit status information
    3. Send e-mail messages
    4. Transfer files
  15. Which ports does SNMP use to function?

    1. 160 and 161
    2. 160 and 162
    3. 389 and 160
    4. 161 and 162
  16. LDAP is used to perform which function?

    1. Query a network
    2. Query a database
    3. Query a directory
    4. Query a file system
  17. SNMP is used to do which of the following?

    1. Transfer files
    2. Synchronize clocks
    3. Monitor network devices
    4. Retrieve mail from a server
  18. SNMP is used to perform which function in relation to hardware?

    1. Trap messages
    2. Monitor and manage traffic
    3. Manage users and groups
    4. Monitor security and violations
  19. What is a SID used to do?

    1. Identify permissions
    2. Identify a domain controller
    3. Identify a user
    4. Identify a mail account
  20. A DNS zone transfer is used to do which of the following?

    1. Copy files
    2. Perform searches
    3. Synchronize server information
    4. Decommission servers