Cpre 532 - PowerPoint PPT Presentation

Title: Cpre 532
Slides: 16
Provided by: jamestruc

1
Cpre 532
  • Lecture 5

2
Outline
  • Wrap up scanning
  • Enumeration

3
Determining Operating System
  • Type of Service field: some stacks give back
    non-zero values
  • Fragmentation issues
  • Overlapping fragments
  • TCP options
  • Send packets with options defined; new options
    continue to be defined

4
Tools and Passive Fingerprinting
  • Nmap
  • Doesn't do the fragment test but does most of these
    OS-determining techniques
  • nmap -O IP
  • Cheops
  • Draws a picture of the network
  • Passive fingerprinting
  • More difficult
  • Monitor the network with a sniffer
  • Look for
  • TTL
  • Window size
  • Fragmentation behaviour
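The slide lists TTL and window size as the fields a passive fingerprinter watches for. The following is an added example, not part of the lecture, showing how those two fields are actually used: the observed TTL is rounded up to the nearest common initial value (which also yields the hop distance), and the pair (initial TTL, window size, DF bit) is looked up in a signature table. The signature entries and the sample SYN observations are constructed for illustration; a real tool such as p0f carries a far larger table.

```python
"""Passive OS fingerprinting from TTL and TCP window size (added example)."""
from dataclasses import dataclass

# Initial TTL values used by the major IP stacks (assumption: typical defaults;
# 32 is rare today but kept so very old stacks are not mis-rounded to 64).
INITIAL_TTLS = (32, 64, 128, 255)

# Tiny constructed signature table: (initial TTL, SYN window size, DF bit) -> family.
SIGNATURES = {
    (64, 65535, True): "BSD/macOS-like",
    (64, 5840, True): "Linux 2.4/2.6-like",
    (64, 29200, True): "Linux 3.x+-like",
    (128, 8192, True): "Windows-like",
    (128, 65535, True): "Windows-like",
    (255, 4128, False): "Cisco IOS-like",
}


@dataclass(frozen=True)
class Observation:
    """Fields a sniffer would pull out of one captured SYN packet."""
    src: str
    ttl: int       # TTL as seen on the wire, already decremented by each hop
    window: int    # TCP window size advertised in the SYN
    df: bool       # Don't Fragment bit set in the IP header


def infer_initial_ttl(observed_ttl):
    """Round the observed TTL up to the nearest common initial value.

    A host more than ~31 hops away would be misattributed; passive
    fingerprinting accepts that ambiguity because it never sends a packet.
    """
    for candidate in INITIAL_TTLS:
        if observed_ttl <= candidate:
            return candidate
    raise ValueError(f"TTL {observed_ttl} is not a valid IPv4 TTL")


def fingerprint(obs):
    """Return the inferred initial TTL, hop distance and OS family for one SYN."""
    initial = infer_initial_ttl(obs.ttl)
    hops = initial - obs.ttl
    family = SIGNATURES.get((initial, obs.window, obs.df), "unknown")
    return {"src": obs.src, "initial_ttl": initial, "hops": hops, "family": family}


def fingerprint_all(observations):
    return [fingerprint(o) for o in observations]


# Constructed sample of captured SYNs (not real traffic).
SAMPLE_SYNS = [
    Observation("10.0.0.5", 64, 29200, True),   # local Linux-like host, 0 hops
    Observation("10.0.0.9", 117, 8192, True),   # Windows-like host 11 hops away
    Observation("10.0.1.1", 254, 4128, False),  # router-like stack one hop away
    Observation("10.0.2.7", 60, 1234, True),    # window size not in the table
]

if __name__ == "__main__":
    for result in fingerprint_all(SAMPLE_SYNS):
        print(result)
```

Because the table is keyed on the rounded initial TTL rather than the raw value, the same signature matches a host whether it is one hop or twenty hops away, which is why the TTL alone is a weak signal and the window size is needed to separate families that share an initial TTL.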

5
Enumeration
  • Looking for
  • Shared resources
  • Usernames
  • Enumeration is very operating system dependent
  • Windows
  • Unix

6
Enumeration for Windows
  • Windows Resource Kit
  • Software that allows one to manage Windows
    domains
  • Administration software can also be used for
    hacking

7
Null Session and NetBIOS
  • Unauthenticated connection
  • Possible to obtain information on shares and
    users
  • Network information
  • Block the Windows sharing port at the firewall
  • NetBIOS
  • Protocol that supports printing and messaging in
    a Windows environment
  • net view allows a user to gather information
    about a domain
  • nbtstat queries individual machines for DNS
    information, very similar to nslookup
  • Returns NetBIOS names as well as the logged-in
    user and the MAC address

8
Windows 2000 DC
  • Domain Controller
  • User database
  • Keeps passwords
  • DumpSec
  • Gathers information from the domain controller and
    generates reports on shares and users
  • Legion
  • Give it an IP range and it will find all the
    shares in that IP address range
  • Gives tree view of shares
  • Tries dictionary attack on the shares
  • Brute force

9
SNMP
  • Simple Network Management Protocol
  • Goal is to allow queries of network elements
  • Queries routers, bridges, gateways
  • Port 161
  • Can have public and private information
  • Scanning with SNMP walking programs
  • Usually gives back the device type and possibly
    the administrator of that device
  • Shares, usernames, domain names
  • Gets back Windows, Unix, routers, etc.
  • As environments become more complicated SNMP will
    be relied on more and more
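The slide notes that SNMP walks return device type, administrator contact, shares and usernames, and that SNMP exposes public and private information. The defensive counterpart is making sure an agent does not answer anyone who asks. The following is an added example, not part of the lecture, that audits net-snmp style `rocommunity`/`rwcommunity` lines for the two classic weaknesses: well-known community strings and a `default` (any-source) restriction. The sample configuration is constructed for illustration.

```python
"""Audit an snmpd.conf fragment for weak community settings (added example)."""

# Community strings that ship as defaults and are tried first by walkers.
DEFAULT_COMMUNITIES = {"public", "private"}

# Directives of the form: rocommunity COMMUNITY [SOURCE [OID | -V VIEW]]
COMMUNITY_DIRECTIVES = ("rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6")

# Constructed sample configuration, not a real host's file.
SAMPLE_SNMPD_CONF = """\
# constructed sample snmpd.conf for illustration
rocommunity public
rwcommunity private 10.0.0.0/8
rocommunity monitoring 10.0.5.12
rwcommunity netops default
"""


def audit_snmpd_conf(text):
    """Return a list of (line number, severity, message) findings."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive not in COMMUNITY_DIRECTIVES:
            continue
        community = parts[1] if len(parts) > 1 else ""
        # net-snmp treats a missing source, or the word "default", as "any host".
        source = parts[2] if len(parts) > 2 else "default"
        writable = directive.startswith("rw")

        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append((lineno, "HIGH",
                             f"{directive} uses well-known community string {community!r}"))
        if source == "default":
            findings.append((lineno, "HIGH" if writable else "MEDIUM",
                             f"{directive} {community!r} accepts queries from any source"))
        if writable:
            findings.append((lineno, "INFO",
                             f"write access granted to {community!r} from {source}"))
    return findings


def count_by_severity(findings):
    counts = {}
    for _, severity, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    for lineno, severity, message in audit_snmpd_conf(SAMPLE_SNMPD_CONF):
        print(f"line {lineno}: {severity}: {message}")
```

Only the third `rocommunity` line in the sample passes cleanly: it uses a non-default string and restricts the source to one management host. Restricting the source address is what stops an SNMP walk from an arbitrary scanner even when the community string is guessed.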

10
Windows
  • Windows can run
  • DHCP
  • No different from other DHCP implementations
  • DNS
  • Watch out for zone transfers
  • Brute-force attacks on shares

11
Unix World
  • NFS
  • Network File System
  • Create directories that people can share
  • Can query a machine to find its shares
  • Sometimes allows getting a listing of the password file
  • Samba
  • Allows UNIX machines to talk to Windows

12
Finger
  • finger is a built-in utility in UNIX
  • Asks a machine which user is logged in
  • finger 0@machine.domain
  • rwho allows one to see who is logged into the remote
    system
  • Iowa State has a version of finger that allows a
    search like Doug@iastate.edu, which listed the
    users that had Doug in their name
  • Includes real name and their ID

13
Others
  • Telnet to the mail handler on port 25 and use VRFY
    to see if there is a user with that name
  • Usually disallowed
  • Trivial File Transfer Protocol (TFTP)
  • Unauthenticated service
  • Remote Procedure Call (RPC)
  • Allows remote access to services
  • Portmapper
  • Nmap works well here
  • Typically use a front-door defense for these
    services
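The slide says VRFY over port 25 is "usually disallowed". What that looks like on the wire is worth seeing from the server's side: a hardened mail handler answers VRFY with the same 252 reply whether or not the mailbox exists, so the exchange leaks nothing, while a permissive one answers 250 or 550 and confirms user names. The following is an added example, not part of the lecture or of any real MTA, that simulates both behaviours on a constructed session; the host name and user list are made up.

```python
"""Simulated SMTP VRFY/EXPN handling, leaky versus hardened (added example)."""

LOCAL_USERS = {"alice", "bob"}        # constructed local mailbox list
HOSTNAME = "mail.example.test"        # constructed host name

# Reply text follows RFC 5321 (252 = cannot verify, will attempt delivery).
VRFY_DISABLED_REPLY = "252 2.5.2 Cannot VRFY user, but will accept message and attempt delivery"
EXPN_DISABLED_REPLY = "502 5.5.1 EXPN command is disabled"


def handle_smtp_command(line, allow_vrfy=False):
    """Return the server reply for one client command line."""
    verb, _, arg = line.strip().partition(" ")
    verb = verb.upper()
    arg = arg.strip()

    if verb in ("HELO", "EHLO"):
        return f"250 {HOSTNAME}"
    if verb == "VRFY":
        if not allow_vrfy:
            # Hardened: identical answer for known and unknown users.
            return VRFY_DISABLED_REPLY
        # Permissive: the reply itself reveals whether the mailbox exists.
        if arg in LOCAL_USERS:
            return f"250 <{arg}@{HOSTNAME.removeprefix('mail.')}>"
        return "550 5.1.1 User unknown"
    if verb == "EXPN":
        return EXPN_DISABLED_REPLY
    if verb == "QUIT":
        return "221 2.0.0 Bye"
    return "500 5.5.2 Command not recognized"


def run_session(commands, allow_vrfy=False):
    """Drive a whole session; returns [(client line, server reply), ...]."""
    return [(cmd, handle_smtp_command(cmd, allow_vrfy)) for cmd in commands]


def vrfy_leaks_user_existence(allow_vrfy):
    """True if the server's VRFY replies differ between a real and a bogus user."""
    known = handle_smtp_command("VRFY alice", allow_vrfy)
    bogus = handle_smtp_command("VRFY nobody", allow_vrfy)
    return known != bogus


# Constructed client transcript for the demonstration.
SAMPLE_SESSION = ["HELO probe", "VRFY alice", "VRFY nobody", "EXPN staff", "QUIT"]

if __name__ == "__main__":
    for mode in (False, True):
        print(f"--- allow_vrfy={mode} ---")
        for client, server in run_session(SAMPLE_SESSION, allow_vrfy=mode):
            print(f"C: {client}\nS: {server}")
```

The check a defender actually wants is `vrfy_leaks_user_existence`: run the two probes against a real server's responses and any difference in reply code or text, including timing in practice, is a user-existence oracle. The same reasoning applies to the other unauthenticated services on the slide; the "front door" defense is to have them answer nothing distinguishing to unauthenticated callers, or not answer at all.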

14
Next Time
  • Authentication

15
Questions