Introduction
Enumeration is nothing more than making a list of things. In this stage, the objective is to attack each target
one at a time to gain as much information as possible about its resources. This can include user accounts and
groups, patch levels, network shares and reachable processes.
The attacker is focused on the weakest points of the network. From there the attacker will set up and maintain the
access phase. The attacker will attempt to use direct communication, but if this is not possible, they will employ
techniques such as Trojan Horse applications and/or social engineering to bring the connection to the attacker.
The Value of the Enumeration Step
The Story So Far
The story so far shows that the attacker has:
- Performed thorough passive information gathering.
- Scanned the network for live hosts.
- Scanned the live hosts for hosts that are accepting services.
- Fingerprinted the operating system of each host.
- Verified the services on each open port on the live hosts.
The Risks
With enumeration comes noise. Frequent and unusual access to ports could trigger Intrusion Detection Systems (IDS)
alarms.
The Approach
With widely available tools, attempt to access the same protocols and services that hosts use to share information
with each other. This information can be system calls to directory services. Masquerading as a client is the
best means to gather this information.
The NULL Session
A NULL session is a method of getting two hosts to communicate with each other in a network where the two hosts
had no previous association. A NULL string is used as the account name and password. Once the NULL session is
established, the hosts can ask each other questions about resources. This is something an attacker can do
manually.
Most operating systems communicate with themselves all the time through the IP loopback address 127.0.0.1. This is
one reason that host-based firewalls are problematic: end users answer "No" to software warnings such as "Your
computer is attempting to access 127.0.0.1. Do you want to allow this?" Eventually the host cannot hear its own
voice and loses its direction.
The Loopback Design
One advantage of the loopback design is that it becomes easy to teach PCs to send questions to one another if we
just change the IP address from the loopback to the remote host. This works when the request is coming from
another location because the receiver of the question doesn't know the difference between the source 127.0.0.1
and somewhere else.
Red Button was one of the earliest attacks against the Windows SMB protocol. This was a tool that would
access administrator privileges and extract large amounts of data. Some worms such as Zotob rely on NULL
sessions to propagate.
File Sharing Ports
Portmapper Service
Many services expect to have permanent listening ports available to them, port 80 for HTTP for example. Other
distributed applications do not need this type of accessibility. These applications rely on the portmapper
service to assist them with establishing connections in the port range of 49151 - 65535. Once a suitable port is
placed in the listening state and communicates its status, a single UDP datagram is all that is needed to complete
the message.
Having many names, the portmapper is relied on for many things. Windows documentation gives port 135 names
such as "RPC DCOM" or "DCE-Locator". A number of services, including the resource sharing protocols, rely on it
for remote execution of code.
Portmapper is a critical protocol for many networks. Simply firewalling it from access is not a solution, as many
applications rely on this service. There are tools, such as rpcinfo.exe, that can be used to query hosts
for what sort of applications the portmapper is assisting. The Microsoft implementation of RPC is widely known
for vulnerabilities, even up to its current edition.
Computer And Host Names
NetBIOS is an Application Programming Interface (API) that resource sharing protocols can access in order to refer
to computers by unique names. When you use a Universal Naming Convention (UNC) path like \\server\share
you are using the computer name and a share that it offers. Remember, computer names are not routable. They are
expected to exist on a flat LAN and are advertised or discovered through broadcasts. If a computer name needs
to be converted to a routable IP address, the Windows Internet Naming Service (WINS) can be provided or a static
file called lmhosts is used.
You should not confuse the concept of computer names with host names. A host name refers specifically to
TCP/IP networking. When computer names are discovered, try them as you would host names, as they are likely
to have the same string value. Host names are resolved to IP addresses through either Domain Name Services (DNS) or
the static hosts file.
Running SMB Over TCP/IP
Using port 445, Microsoft offers to run Server Message Block (SMB) directly over TCP/IP. At times, this port is
referred to as Common Internet File System (CIFS). When a host is making both ports 139 and 445 available,
445 will be preferred and 139 will see a RST. If NetBIOS over TCP/IP (NetBT) is disabled, then only 445 will be
used. The Sasser worm used this port.
NULL Session Risks
Many administrators attempted disabling access to port 139 because of the risk of leaking file share advertisements
to public networks. Whether by turning off or filtering file sharing services, this creates additional problems
with legacy applications and services.
Unpatched hosts where these ports are accessible are targets for denial of service, or worse. Once a NULL
session is created, some user accounts are discovered and attackers will look closely at the identifiers of each
user account to determine what level of privilege it has.
The RestrictAnonymous Key
RestrictAnonymous restricts anonymous users from displaying a list of users and from viewing security permissions.
There are three possible values.
Value | Action
0 | Disabled. Anonymous users are not restricted. (default)
1 | Enabled. Anonymous users cannot display user domain names or share names, security permissions and cannot use all of the features of Windows Explorer, local users and groups as well as other programs that enumerate users or shares.
2 | Without explicit anonymous permissions, anonymous users have no access.
Windows SIDs
When a user is created in Windows, a value called a Security Identifier (SID) is assigned to the account. The SID
represents the resource to the system and the user name is only there for convenience. Certain accounts are
created automatically and can be identified by the SID regardless of what the account name is.
What Attackers Look For In SIDs
There are different codes in the SID that can indicate a local administrator account, a domain administrator or
a mere user account. These SIDs are:
- S-1-5-21-[...]-500: A built-in Local Administrator
- S-1-5-21-[...]-501: A built-in Local Guest
- S-1-5-21-[...]-512: A built-in Domain Administrator
- S-1-5-21-[...]-1000: Anything from 1000 upward is a created user
So you may be wondering, what goes in the [...] space in the above examples? Here is a clip from PowerShell of what is
contained within these brackets. The command to get this list of SIDs is wmic useraccount get name,sid
and can be run in either CMD or PowerShell.
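As an added example (not code from the page or from any tool it names), the following Python audit parses the output of wmic useraccount get name,sid and classifies each account by the RID at the end of its SID, so a built-in account that has been renamed is still recognised; the sample output and its machine SID digits are constructed.

```python
import re
# Well-known relative identifiers (RIDs) as listed above; labels follow the page's list.
WELL_KNOWN_RIDS = {
    500: "built-in Local Administrator",
    501: "built-in Local Guest",
    512: "built-in Domain Administrator",
}
SID_RE = re.compile(r"^S-1-5-21-(\d+)-(\d+)-(\d+)-(\d+)$")

def classify_sid(sid):
    """Return (machine/domain part, rid, label) for an S-1-5-21 account SID, else None."""
    m = SID_RE.match(sid.strip())
    if not m:
        return None
    sub1, sub2, sub3, rid = m.groups()
    rid = int(rid)
    # the RID decides the account type; the name is only a convenience label
    label = WELL_KNOWN_RIDS.get(rid, "created user" if rid >= 1000 else "other well-known RID")
    return ("-".join((sub1, sub2, sub3)), rid, label)

def parse_wmic_useraccount(text):
    """Parse 'wmic useraccount get name,sid' output into (name, sid) pairs; skips the header."""
    rows = []
    for line in text.splitlines():
        parts = line.rsplit(None, 1)
        if len(parts) == 2 and parts[1].startswith("S-1-5-"):
            rows.append((parts[0], parts[1]))
    return rows

def audit(text):
    """List (name, rid, label, renamed) per account; 'renamed' marks a RID-500 account
    that no longer carries the Administrator name, a common way to disguise it."""
    findings = []
    for name, sid in parse_wmic_useraccount(text):
        info = classify_sid(sid)
        if info is not None:
            _, rid, label = info
            renamed = rid == 500 and name.lower() != "administrator"
            findings.append((name, rid, label, renamed))
    return findings

# Constructed sample of wmic output; the machine SID digits are made up.
SAMPLE = """Name        SID
helpdesk    S-1-5-21-1111111111-2222222222-3333333333-500
Guest       S-1-5-21-1111111111-2222222222-3333333333-501
alice       S-1-5-21-1111111111-2222222222-3333333333-1001
"""
```

Running audit(SAMPLE) reports "helpdesk" as the built-in Administrator (RID 500) despite its name.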
Netstat and NBTstat
Netstat, short for Network Statistics, is a command line TCP/IP networking utility (it can also be run from
PowerShell) that is available in most versions of Windows, Linux and UNIX, as well as other operating systems.
Netstat is an information and statistics provider that reports the protocols in use and the current TCP/IP
connections.
NBTstat, short for NetBIOS over TCP/IP statistics, is a tool designed to troubleshoot NetBIOS name resolution
problems. On normally functioning networks NBTstat will resolve the NetBIOS name to an IP address. NBTstat can be run
from the command line and in PowerShell.
Enumerate A Linux Host
Samba
The Samba package is installed to integrate with Windows hosts. If it is installed, the same principles of enumeration
apply to Linux hosts as to Windows. Attackers will look for shared resources using tools such as
smbclient and showmount. These tools show which directories have been shared or mounted onto the file system
from other hosts. Network File System (NFS) is another way for Linux hosts to share their directories; the showmount
command queries a host for any directories it has exported.
The Finger Command
The Finger command looks up and displays information about system users. The Finger syntax is:
finger [-lmsp] [user ...] [user@host ...]
Linux Privileges
A simple User ID (UID) and Group ID (GID) system is used where UID and GID "0" is always a user with root-level
privileges. The same UID can be granted to different user names, making them the same user as far as the system is
concerned. For logging and auditing purposes, however, it is still common practice to use the assigned user name for
each account. Service processes such as "named" run under the ownership of a user account that often has the same
name. Should an attacker gain access to a Linux system, they might try to create an account that will not stand out,
such as "dns". It could then be assigned a UID of 0, ensuring that it has root privileges. An attacker might also
clear its password using the passwd -d command, hoping that none of this will look conspicuous during an audit.
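As an added example (not from the page), this Python audit checks the two things described above: any account other than root that carries UID 0, and any account whose /etc/shadow hash field is empty, as it would be after passwd -d. The passwd and shadow contents are constructed samples with placeholder hashes.

```python
# Each /etc/passwd record: name:password:UID:GID:gecos:home:shell
def parse_passwd(text):
    users = []
    for line in text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) != 7:
            continue
        users.append({"name": fields[0], "uid": int(fields[2]), "shell": fields[6]})
    return users

# Each /etc/shadow record: name:hash:lastchange:...; an empty hash field means no password at all
def parse_shadow(text):
    hashes = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and not line.startswith("#"):
            hashes[fields[0]] = fields[1]
    return hashes

def audit(passwd_text, shadow_text):
    """Return (name, reason) findings: duplicate UID 0 accounts and passwordless accounts."""
    findings = []
    hashes = parse_shadow(shadow_text)
    for u in parse_passwd(passwd_text):
        # a second UID 0 account is a full superuser whatever its name looks like
        if u["uid"] == 0 and u["name"] != "root":
            findings.append((u["name"], "UID 0 but not root"))
        if hashes.get(u["name"]) == "":
            findings.append((u["name"], "empty password field"))
    return findings

# Constructed sample files; 'dns' mimics the scenario above (hash fields are placeholders)
PASSWD = """root:x:0:0:root:/root:/bin/bash
named:x:25:25:BIND:/var/named:/usr/sbin/nologin
dns:x:0:0::/var/named:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""
SHADOW = """root:$6$PLACEHOLDER:19000:0:99999:7:::
named:*:19000:0:99999:7:::
dns::19000:0:99999:7:::
alice:$6$PLACEHOLDER:19000:0:99999:7:::
"""
```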
The SUID Bit
Both the setuid and setgid bits are needed for tasks that require higher privileges than those which common users
have, like changing their login password. Some tasks that require elevated privileges may not be obvious, like the
ping command, which must send and listen for control packets on a network interface.
Set owner User ID upon execution (SUID) is a special type of file permission given to a file. Normally in Linux
and in Unix, when a program runs it inherits the access permissions of the logged-in user. SUID is best defined as
giving a user temporary permission to run a program or file with the permissions of the file owner rather than those
of the user who runs it.
Administrators must baseline the system for utilities that need to have the SUID bit turned on so that they can tell
when it has been set on a file that should not have it. Use the find command on a routine basis for this
search. A search that no longer behaves as expected can also reveal that an attacker has replaced the find command
with a version that will not support the operations needed for such a search.
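As an added example (not from the page), this Python routine builds the SUID/SGID baseline described above and reports what changed; it walks the tree with lstat itself rather than shelling out to find, so it does not depend on a find binary that may have been replaced. The demo() scenario, a temporary directory in which a file later gains the SUID bit, is constructed.

```python
import os
import stat
import tempfile

def suid_files(root):
    """Return the set of regular files under root with the SUID or SGID bit set (paths relative to root)."""
    found = set()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)   # lstat: do not follow symlinks planted to hide a file
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found.add(os.path.relpath(path, root))
    return found

def compare(baseline, current):
    """Return (files that gained the bit, files that lost it) relative to the baseline."""
    return sorted(current - baseline), sorted(baseline - current)

def demo():
    """Constructed scenario: ping is SUID in the baseline, then backup is made SUID afterwards."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("ping", "ls", "backup"):
            with open(os.path.join(root, name), "w") as fh:
                fh.write("#!/bin/sh\n")
            os.chmod(os.path.join(root, name), 0o755)
        os.chmod(os.path.join(root, "ping"), 0o4755)    # legitimate SUID utility
        baseline = suid_files(root)
        os.chmod(os.path.join(root, "backup"), 0o4755)  # later tampering
        added, removed = compare(baseline, suid_files(root))
        return sorted(baseline), added, removed

if __name__ == "__main__":
    print(demo())
```

Against a real host, store the output of suid_files("/") after a clean build and run compare() against it on a schedule.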
SNMP
Simple Network Management Protocol (SNMP) is a protocol for network management. It is used for collecting
information from and configuring network devices. Such devices can be servers, printers, routers and switches. It
works on an Internet Protocol network.
A commercial tool is usually deployed onto the managed system, and Network Management Stations (NMS) then gather and
process the information collected. The Management Information Base (MIB) is then configured with the knowledge of what
on the network needs to be monitored. Threshold values are configured, and network events and traps are sent to
the NMS whenever they are exceeded.
SNMP Risks
The Management Information Base is where the data describing the monitored resources is stored. This is what
interests the attacker. All the attacker needs to know is the community string, which by default is set
to the letters "PUBLIC." This string of characters acts as a shared password. The SNMP clients that provide this
string are considered trusted and will be able to make read-only queries.
If the attacker is fortunate, all it will take is a default configuration attack. This means that if the target host
has SNMP enabled but the community string has not been changed, then many of the built-in SNMP objects are visible for
enumeration. The SNMP protocol standard comes with several already mapped items, along with the flexibility for
administrators to create their own. These maps are called Object Identifiers (OIDs).
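As an added example (not from the page), this Python snippet decodes the version and community string from a raw SNMPv1/v2c datagram, which is exactly what a network sensor does to flag a default community string still in use, since the string travels in cleartext in every message. The datagram bytes are constructed by hand from their BER parts and labelled; the default-string list is an assumption.

```python
# Constructed SNMPv1 GetRequest for sysDescr.0 (1.3.6.1.2.1.1.1.0), assembled from its
# BER parts so the layout is visible; this is what the datagram looks like on the wire.
SAMPLE_DATAGRAM = b"".join([
    b"\x30\x26",                       # SEQUENCE, 38 bytes of content (the whole message)
    b"\x02\x01\x00",                   # INTEGER version = 0 (SNMPv1)
    b"\x04\x06public",                 # OCTET STRING community = "public", in the clear
    b"\xa0\x19",                       # GetRequest-PDU, 25 bytes
    b"\x02\x01\x01",                   # request-id = 1
    b"\x02\x01\x00",                   # error-status = 0
    b"\x02\x01\x00",                   # error-index = 0
    b"\x30\x0e",                       # VarBindList
    b"\x30\x0c",                       # VarBind
    b"\x06\x08\x2b\x06\x01\x02\x01\x01\x01\x00",  # OID 1.3.6.1.2.1.1.1.0
    b"\x05\x00",                       # NULL value (nothing requested yet)
])

DEFAULT_COMMUNITIES = {"public", "private"}   # assumption: the strings a sensor should flag

def _read_tlv(buf, pos):
    """Read one BER tag-length-value at pos; return (tag, value_bytes, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                  # long form: low 7 bits give the number of length octets
        n = length & 0x7f
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def community_from_datagram(buf):
    """Return (version, community) for an SNMPv1/v2c message, or None if it is not one.
    SNMPv3 carries a SEQUENCE, not an OCTET STRING, after the version, so it yields None."""
    tag, body, _ = _read_tlv(buf, 0)
    if tag != 0x30:
        return None
    tag, version, pos = _read_tlv(body, 0)
    if tag != 0x02:
        return None
    tag, community, _ = _read_tlv(body, pos)
    if tag != 0x04:
        return None
    return int.from_bytes(version, "big"), community.decode("latin-1")

def uses_default_community(buf):
    """True when the message authenticates with one of the default community strings."""
    parsed = community_from_datagram(buf)
    return parsed is not None and parsed[1].lower() in DEFAULT_COMMUNITIES
```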
LDAP
Based on a client-server model, the Lightweight Directory Access Protocol (LDAP) is a directory service protocol that
runs on a layer above the TCP/IP stack. Its mechanism is to connect to, search, and modify Internet directories.
LDAP is a protocol used for accessing Active Directory objects, user authentication and authorization. It is also
used to store your credentials in a network security system as well as retrieve them with your password and decryption
key, giving you access to the services.
LDIF
LDIF (Lightweight Directory Interchange Format) is an ASCII file format used to exchange data and enable the
synchronization of that data between Lightweight Directory Access Protocol servers, called Directory System Agents (DSAs).
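As an added example (not from the page), this Python parser reads LDIF content records into attribute maps, handling the format's three details that trip up naive line splitting: folded lines (a continuation line starts with one space), base64 values (written with a double colon) and blank-line entry separators. The directory entries in SAMPLE_LDIF are constructed.

```python
import base64

def parse_ldif(text):
    """Parse LDIF content records into a list of {attribute: [values]} dicts."""
    # 1. unfold: a line beginning with a single space continues the previous line
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    # 2. split into entries on blank lines and decode each attribute line
    entries, current = [], {}
    for line in lines + [""]:          # trailing "" flushes the last entry
        if line.startswith("#") or line.startswith("version:"):
            continue
        if line == "":
            if current:
                entries.append(current)
                current = {}
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        if value.startswith(":"):      # "attr:: <base64>" carries binary or non-ASCII data
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:                          # "attr: value" (a "attr:< url" reference is kept as text)
            value = value.strip()
        current.setdefault(name, []).append(value)
    return entries

# Constructed sample; the description value is "Hello World" in base64 and the member DN is folded.
SAMPLE_LDIF = """version: 1
# constructed sample, not a real directory
dn: cn=Alice Example,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
cn: Alice Example
sn: Example
description:: SGVsbG8gV29ybGQ=

dn: cn=Backup Operators,ou=Groups,dc=example,dc=com
objectClass: groupOfNames
cn: Backup Operators
member: cn=Alice Example,ou=People,
 dc=example,dc=com
"""
```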