     Lab “de-brief”
           Finding Systems
• What systems are alive (ping sweeps)?
  – WS Ping Pro
  – NetBrute
  – Foundstone’s SuperScan
• What ports are open (port scans)?
• What O/S is running?
• What applications and versions are running?
Using TTL to determine O/S type
TTL DETECTION – Use to at least differentiate
  between platforms such as Windows and Unix.
For example, packets originating from Windows will
  have an initial TTL of 128, whereas a packet originating
  from Linux will have an initial TTL of 64 (many routers and
  Solaris use 255). Thus from the TTL value of a packet you
  can form an idea of the operating system running on the target.
Note: the TTL is decremented by 1 at each router, so the value
  you observe is the initial value minus the number of hops;
  round it up to the nearest common default (64, 128, 255).
               O/S Types (as reported by the FTP SYST command, reply code 215)
•   215 UNIX Type: L8
•   215 UNIX Type: L8 Version: BSD-44
•   215 NetWare system type.
•   215 MACOS Peter's Server
•   215 AmigaOS
Using TTL to determine O/S type
        - Limitations
•   TTL values can be faked easily (the initial TTL is a per-host setting).
•   TTL values do not tell us the version of the target operating
    system. We can only differentiate between platforms with this
    method; we get no information about the version of the target,
    which matters because the vulnerabilities of Red Hat Linux 6.1
    are not the same as those of Red Hat Linux 7.2.
•   The ping method is not applicable against professionals, because
    they will use firewalls, which can easily stop the system from
    echoing back ping requests. In that case you won't learn the TTL
    from an echo reply. Instead you need to capture a packet that
    originates from the target system (for example the reply to a
    connection on an open port) with a sniffer and read the TTL from
    its IP header. This method is of course not newbie friendly.
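The two TTL slides above describe a procedure (read the TTL of a packet the target sent, round it up to a common default, treat the difference as the hop count) and its limitations. The following Python is an added example written for this page, not code from the original deck. The initial TTLs it assumes (64 for Linux/BSD, 128 for Windows, 255 for many network devices and Solaris) are common defaults, not guarantees, and the capture it classifies is constructed inline.

```python
"""Guess a host's platform family from the TTL in packets it sent.

Added example for the TTL-detection and limitations slides; not code from
the original deck.  The initial TTLs below are common defaults (assumed),
not guarantees: the initial TTL is a per-host setting and can be changed,
which is the first limitation the slides mention.
"""
import socket
import struct

# Common initial TTLs -> platform family that usually ships with them (assumed).
DEFAULT_TTLS = {
    64: "Linux / BSD / macOS",
    128: "Windows",
    255: "network device / Solaris",
}


def guess_initial_ttl(observed_ttl: int) -> int:
    """Round an observed TTL up to the nearest common default.

    Each router decrements the TTL by one, so a packet arriving with TTL 117
    most likely left a 128-TTL host 11 hops away (paths longer than 63 hops,
    which would make this ambiguous, are unrealistic).
    """
    if not 0 < observed_ttl <= 255:
        raise ValueError(f"TTL out of range: {observed_ttl}")
    return min(initial for initial in DEFAULT_TTLS if observed_ttl <= initial)


def guess_platform(observed_ttl: int) -> "tuple[str, int]":
    """Return (platform family, estimated hop count) for an observed TTL."""
    initial = guess_initial_ttl(observed_ttl)
    return DEFAULT_TTLS[initial], initial - observed_ttl


def ttl_from_ipv4_header(packet: bytes) -> int:
    """TTL is the byte at offset 8 of the IPv4 header of a sniffed packet.

    This is the "capture a packet from the target" fallback for when ping
    is firewalled: any packet the host sends, e.g. a SYN/ACK to a connection
    on an open port, carries its TTL.
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return packet[8]


def classify_capture(packets: list) -> dict:
    """Map each source IP seen in a capture to (platform guess, hops)."""
    result = {}
    for pkt in packets:
        src = socket.inet_ntoa(pkt[12:16])   # source address at offset 12
        result[src] = guess_platform(ttl_from_ipv4_header(pkt))
    return result


def build_ipv4_header(ttl: int, src: str, dst: str, proto: int = 6) -> bytes:
    """Construct a minimal 20-byte IPv4 header (checksum left 0) for the demo."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


# Constructed capture: headers as a sniffer would show them on arrival.
SAMPLE_PACKETS = [
    build_ipv4_header(128, "10.0.0.5", "10.0.0.1"),        # Windows on the LAN
    build_ipv4_header(54, "172.16.3.9", "10.0.0.1"),       # Linux, 10 hops away
    build_ipv4_header(117, "192.168.40.12", "10.0.0.1"),   # Windows, 11 hops away
    build_ipv4_header(241, "203.0.113.20", "10.0.0.1"),    # router/Solaris, 14 hops
]

if __name__ == "__main__":
    for ip, (platform, hops) in classify_capture(SAMPLE_PACKETS).items():
        print(f"{ip:<15} {platform:<26} about {hops} hops away")
```

The hop estimate is only as good as the assumed default: a Linux box whose administrator set net.ipv4.ip_default_ttl to 128 will be reported as Windows, which is exactly the "TTL values can be faked" limitation.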
            Enumerating Apps
• SMTP (Port 25) – what version of email
  service are they using?
    – telnet x.x.x.x 25
•   DNS – Port 53
•   HTTP – Port 80
•   Telnet – Port 23
•   FTP – Port 21
         Purpose of Scanning
• Identify open ports that allow us to identify
  the O/S and applications
• Ports 139 and 135 = Windows NT
• Only port 139 = Windows 95/98
• Portmapper (111), Berkeley R services
  ports (512 – 514), NFS (2049) and high #
  ports listening = UNIX
                   Banner Grabbing
• When services such as HTTP, FTP or SMTP are installed on an operating
  system with their default configuration, they display a welcome banner
  giving the service version, and often the operating system version, to
  anyone who uses the service. For example, take a look at the following
  FTP session:
• c:\> telnet 21
• Connected to
• 220 printshop FTP server ready
  215 UNIX Type: L8
• Here telnet was used to connect to the target host's FTP port (21). On
  connection the FTP server responds with its 220 greeting; the 215 line
  is the reply to the SYST command and reads "UNIX Type: L8", indicating
  that a generic UNIX system is underneath. Thus by grabbing the banner of
  a service running on the remote host one can easily find out the
  operating system.
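The telnet sessions on this slide and on the "Enumerating Apps" slide (telnet to port 25 to learn the mail server version) are the same exchange: connect, read the greeting, optionally send a command, read the reply. The Python below is an added example written for this page, not code from the original deck. It replaces the network with a socket pair and a fake server thread so it runs offline; the replies the fake server sends are constructed from the "220 printshop FTP server ready" and "215 UNIX Type: L8" lines above. The reply reader also handles the multi-line form ("220-" continuation lines), which real servers often use for their greeting, and it applies unchanged to SMTP on port 25, which uses the same three-digit reply format.

```python
"""Banner-grab an FTP server and read the operating system from its SYST reply.

Added example for the banner-grabbing / telnet-to-port-21-and-25 slides; not
code from the original deck.  The server side is a fake responder on a socket
pair whose replies are constructed from the lines on the slide.
"""
import socket
import threading


def read_reply(sock: socket.socket) -> str:
    """Read one complete FTP/SMTP reply, joining multi-line replies.

    A multi-line reply starts "nnn-" and ends with a line starting "nnn ".
    Lines are returned joined with "\\n"; a closed peer returns what was read.
    """
    lines, data, code = [], b"", None
    while True:
        chunk = sock.recv(4096)
        if not chunk:                       # peer closed
            break
        data += chunk
        while b"\r\n" in data:
            raw, data = data.split(b"\r\n", 1)
            text = raw.decode("latin-1")
            lines.append(text)
            if code is None:                # first line decides single vs multi
                code = text[:3]
                if len(text) < 4 or text[3] != "-":
                    return "\n".join(lines)
            elif text.startswith(code + " "):
                return "\n".join(lines)
    return "\n".join(lines)


def os_from_syst(reply: str) -> str:
    """Extract the system type from a 215 SYST reply; "" for any other reply."""
    first = reply.split("\n", 1)[0]
    return first[4:].strip() if first.startswith("215 ") else ""


def grab_ftp_banner(sock: socket.socket) -> dict:
    """Collect the greeting and SYST reply over an already-connected socket."""
    greeting = read_reply(sock)             # the 220 greeting is sent unprompted
    sock.sendall(b"SYST\r\n")               # ask the server what it runs on
    syst = read_reply(sock)
    sock.sendall(b"QUIT\r\n")
    read_reply(sock)                        # consume the 221 goodbye
    return {"greeting": greeting, "syst": syst, "os": os_from_syst(syst)}


# Constructed replies for the fake server (multi-line greeting on purpose).
FAKE_GREETING = b"220-printshop FTP server ready\r\n220 Unauthorized use prohibited\r\n"
FAKE_SYST = b"215 UNIX Type: L8 Version: BSD-44\r\n"


def fake_ftp_server(sock: socket.socket) -> None:
    """Minimal FTP responder: greeting, SYST, QUIT; 500 for anything else."""
    sock.sendall(FAKE_GREETING)
    with sock.makefile("rb") as cmds:
        for raw in cmds:
            cmd = raw.strip().upper()
            if cmd == b"SYST":
                sock.sendall(FAKE_SYST)
            elif cmd == b"QUIT":
                sock.sendall(b"221 Goodbye.\r\n")
                break
            else:
                sock.sendall(b"500 Unknown command.\r\n")
    sock.close()


def demo() -> dict:
    """Run the exchange against the fake server over a socket pair."""
    client, server = socket.socketpair()
    thread = threading.Thread(target=fake_ftp_server, args=(server,), daemon=True)
    thread.start()
    try:
        return grab_ftp_banner(client)
    finally:
        client.close()
        thread.join(timeout=5)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:>8}: {value}")
    # Against a real host pass a live socket instead, for example:
    # grab_ftp_banner(socket.create_connection((host, 21), timeout=5))
```

The same read_reply() serves for port 25: connect, read the 220 greeting (which names the mail software on a default install), then send EHLO or HELP and read the reply. Note that what you get back is whatever the administrator configured: a banner that says "UNIX Type: L8" is a hint to be confirmed by the port scan and TTL evidence, not a fact.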
Detecting the mail application
 through Telnet to port 25
SMTP Commands
        Enumerating Windows
• Port 135 – RPC endpoint mapper (the Windows equivalent of the
  UNIX portmapper) – look for vulnerabilities (e.g. dual-homed
  boxes); the epdump utility from the Microsoft Resource Kit lists
  the registered endpoints
• Port 137 (NetBIOS name service) – net view /domain provides a
  listing of computers in the domain by name
• Registry dumping tools (RegDump, free from Microsoft's site) and
  Somarsoft's DumpSec
               Null Sessions
• An anonymous (blank username and password) connection over
  Windows Server Message Block (SMB), the protocol that provides the
  foundation of network file and print sharing services.
• Allows an attacker from across a network -- or the Internet -- to
  connect to an unsecured Windows system's IPC$ (interprocess
  communication) share without any credentials.
• Arguably the largest threat to Windows systems
       Creating Null Sessions
• Null sessions can be created by using the
  Windows net utility to map a connection using
  a blank username and password.
• On Windows systems that are vulnerable, enter
  net use \\ip_address\ipc$ "" /user:""
  at a Windows command prompt
• Some programs do this for you automatically
     What can you do with a null session?
• Once a null session has been manually established (some
  tools can do this for you automatically), an attacker can use
  programs such as Winfo, Walksam, certain Windows
  Resource Kit tools and even the net program that's built
  into Windows to glean tons of information off a Windows
  system -- all without having to log in. Information that can
  be obtained includes user IDs, share names, security policy
  settings, users currently logged in and more. The Windows
  registry can even be tapped remotely with the right tools.
      Changes in Null Session
• Starting with Windows XP, EVERYONE does not
  contain ANONYMOUS LOGON, because the
  following security option, which sets the
  EveryoneIncludesAnonymous registry value, is
  disabled by default:
• Network access: Let Everyone permissions apply
  to anonymous users (disabled by default)
       Changes in Null Session
• Windows XP and Windows Server 2003 have
  security options that can be used to specify more
  precisely which restrictions are enabled:
• Network access: Allow anonymous SID/Name
  translation (Disabled by default)
• Network access: Do not allow anonymous
  enumeration of SAM accounts (Enabled by default)
• Network access: Do not allow anonymous
  enumeration of SAM accounts and shares
  (Disabled by default)
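The three "Network access" options on these two slides are stored as DWORD values under HKLM\SYSTEM\CurrentControlSet\Control\Lsa: EveryoneIncludesAnonymous (named on the slide), RestrictAnonymousSAM (backs "Do not allow anonymous enumeration of SAM accounts") and RestrictAnonymous (backs "... of SAM accounts and shares"). The Python below is an added example written for this page, not code from the original deck: it reads those values when run on Windows and, as a pure function, works out what a null session can still enumerate given a set of values, so the weak configuration can be compared with the hardened one on any platform using constructed settings. "Allow anonymous SID/Name translation" is an LSA policy rather than a plain registry value, so the example does not cover it.

```python
"""Check the LSA settings that decide what a null session can enumerate.

Added example for the "Changes in Null Session" slides; not code from the
original deck.  read_lsa_values() needs Windows; evaluate_null_session()
and findings() are pure and run anywhere with constructed values.
"""
import sys

LSA_KEY = r"SYSTEM\CurrentControlSet\Control\Lsa"

# Registry value behind each "Network access:" policy and the value that
# applies on Windows XP / Server 2003 when the entry is absent.
DEFAULTS = {
    "RestrictAnonymousSAM": 1,       # no anonymous enumeration of SAM accounts (enabled)
    "RestrictAnonymous": 0,          # ... of SAM accounts and shares (disabled)
    "EveryoneIncludesAnonymous": 0,  # Everyone permissions for anonymous (disabled)
}


def read_lsa_values() -> dict:
    """Read the three values from the live registry (Windows only)."""
    if sys.platform != "win32":
        raise RuntimeError("the registry is only readable on Windows")
    import winreg  # imported here so the module still loads on other platforms
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, LSA_KEY) as key:
        for name in DEFAULTS:
            try:
                values[name], _ = winreg.QueryValueEx(key, name)
            except FileNotFoundError:
                pass  # absent: evaluate_null_session() applies the default
    return values


def evaluate_null_session(values: dict) -> dict:
    """Return what an anonymous (null) session may do under these settings."""
    v = {name: values.get(name, default) for name, default in DEFAULTS.items()}
    restrict = v["RestrictAnonymous"]
    return {
        "settings": v,
        # RestrictAnonymous=1 blocks accounts and shares; RestrictAnonymousSAM=1
        # blocks accounts only, so either setting stops account enumeration.
        "account_enumeration": v["RestrictAnonymousSAM"] == 0 and restrict == 0,
        "share_enumeration": restrict == 0,
        "everyone_permissions": v["EveryoneIncludesAnonymous"] == 1,
    }


def findings(values: dict) -> list:
    """Human-readable weaknesses; empty when nothing is exposed anonymously."""
    result = evaluate_null_session(values)
    out = []
    if result["account_enumeration"]:
        out.append("null session can enumerate SAM accounts (set RestrictAnonymousSAM=1)")
    if result["share_enumeration"]:
        out.append("null session can enumerate shares (set RestrictAnonymous=1)")
    if result["everyone_permissions"]:
        out.append("anonymous users get Everyone's permissions (set EveryoneIncludesAnonymous=0)")
    return out


# Constructed settings: everything open, the XP defaults (nothing set), and
# a hardened box.
WIDE_OPEN = {"RestrictAnonymous": 0, "RestrictAnonymousSAM": 0, "EveryoneIncludesAnonymous": 1}
XP_DEFAULT = {}
HARDENED = {"RestrictAnonymous": 1, "RestrictAnonymousSAM": 1, "EveryoneIncludesAnonymous": 0}

if __name__ == "__main__":
    for label, cfg in (("wide open", WIDE_OPEN), ("XP default", XP_DEFAULT), ("hardened", HARDENED)):
        print(f"{label}: {findings(cfg) or ['no null-session exposure found']}")
    if sys.platform == "win32":
        print(f"this host: {findings(read_lsa_values())}")
```

The XP default case is the one worth noticing: with nothing set, account enumeration is blocked but share enumeration over a null session still works, because RestrictAnonymous stays at 0 unless the "SAM accounts and shares" option is enabled.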
           The Whole Enchilada

• Is the
What information have these
    systems given up?
