The Enumeration Stage

Enumeration is nothing more than making a list of things. In this stage, the objective is to attack each target one at a time to gain as much information as possible about its resources. This can include user accounts and groups, patch levels, network shares and reachable processes.

The attacker is focused on the weakest points of the network. From there the attacker will setup and maintain the access phase. The attacker will attempt to use direct communication, but if this is not possible, they will employ techniques such as Trojan Horse applications and/or social engineering to bring the connection to the attacker.

The Story So Far

The story so far shows that the attacker has:

• Performed thorough passive information gathering.
• Scanned the network for live hosts.
• Scanned the live hosts for hosts that are accepting services.
• Fingerprinted the operating system of each host.
• Verified the services on each open port on the live hosts.

The Risks

With enumeration comes noise. Frequent and unusual access to ports could trigger Intrusion Detection Systems (IDS) alarms.

The Approach

With widely available tools, attempt to access the same protocols and services that hosts use to share information with each other. This information can be system calls to directory services. Masquerading as a client is the best means to gather this information.

A NULL session is a method of getting two hosts to communicate with each other in a network where the two hosts had no previous association. A NULL string is used as the account name and password. Once established, the NULL session is established and the hosts can ask each other questions about resources. This is something an attacker can do manually.

Most operating communicate with themselves all the time by the IP loopback address of 127.0.0.1. This is one reason that host-based firewalls are problematic. End users answering "No" to software warnings, "Your computer is attempting to access 127.0.0.1. Do you want to allow this?" Eventually the host cannot hear it's own voices and loses its direction.

The Loopback Design

One advantage of the loopback design is that it becomes easy to teach PCs to send questions to one another if we just change the IP address fromt he loopback to the remote host. This works when the request is coming from another location because the receiver of the question doesn't know the difference between the source 127.0.0.1 and somewhere else.

Red Button was one of the earliest attacks against the Windows SMB protocol. This was a tool that would access administrator privileges and extract large amounts of data. Some worms such as Zotob rely on NULL sessions to propagate.

Portmapper Service

Many services expect to have permanent listening ports available to them, port 80 for HTTP for example. Other distributed applications do not need this type of accessibility. These applications rely on the portmapper service to assist them with establishing connections in the port range of 49151 - 65535. Once a suitable port is placed in the listening state and communicates its status, a single UDP datagram is all that is needed to complete the message.

Having many names, the portmapper is relied on for many things. Windows documentations gives names to port 135 such as "RPC DCOM" or "DCE-Locator". It relies on its services for remote execution of code in a number of services including the resource sharing protocols.

Portmapper is a critical protocol for many networks. Simply firewalling it from access is not a solution as many applications rely on this service. There are tools, such as rcpinfo.exe that can be used to query hosts for what sort of applications the portmapper is assisting. The Microsoft implementation of RPC is widely known for vulnerabilities, even up to its current edition.

Computer And Host Names

NetBIOS is an Application Programming Interface (API) that resource sharing protocols can access in order to refer to computers by unique names. When you use the universal Naming Convention (UNC) path like \\server\share you are using the computer name and a share that it offers. Remember, computer names are not routable. They are expected to exist on a flat LAN and are advertised or discovered through broadcasts. If a computer name needs to be converted to a routable IP address, the Windows Internet Naming Service (WINS) can be provided or a static file called lmhostis used.

You should not confuse the concept of computer names with hosts names. A host name references specifically to TCP/IP related networking. When computer names are discovered, try them as you would host names as they are likely to have the same string value. Host names are resolved to IP addresses through either Domain Name Services (DNS) or the static host file.

Running SMB Over TCP/IP

Using port 445, Microsoft offers to run Server Message Block (SMB) directly over TCP/IP. At times, this port is is referred to as Common Internet File System (CIFS). When a host is making both ports 139 and 445 available, 445 will be preferred and 139 will see a RST. If NetBIOS over TCP/IP (NetBT) is disables then only 445 will be used. The Sasser worm used this port.

NULL Session Risks

Many administrators attempted disabling access to port 139 because of the risk of leaking file share advertisements to public networks. Whether by turning off or filtering file sharing services, this creates additional problems with legacy applications and services.

Non-patched hosts, where these ports are accessible represents targets of denial of service, or worse. Once a NULL session is created, some user accounts are discovered and attackers will look closely at the identifiers of each user account to determine what level of privilege it has.

RestrictAnonymous restricts anonymous users from displaying a list of users and from viewing security permissions. There are three possible values.

When a user is created in Windows, a value called a Secure Identifier (SID) is assigned to the account. The SID represents the resource to the system and the user name is only three for convenience. Certain accounts can get created automatically and can be identified by the SID regardless of what the account name is.

What Attackers Look For In SIDs

There are different codes in the SID that can indicate an local administrator account, a domain administrator or a mere user account. These SIDs are:

• S-1-5-21-[...]-500: A built-in Local Administrator
• S-1-5-21-[...]-501: A built-in Local Guest
• S-1-5-21-[...]-512: A built-in Domain Administrator
• S-1-5-21-[...]-1000: Anything above 1000 are created users

So you may be wondering, what goes in the [...] space in the above examples? Here is a clip from PowerShell of what is contained within these brackets. The command to get this list of SIDs is wmic useraccount get name,sid and can be run in either CMD or PowerShell.

Netstat, short for Network and Statistics is a command line, (and can be run from PowerShell as well) TCP/IP networking utility that is available in most versions of Windows, Linux and UNIX. It is also available in other operating systems as well. Netstat is an information and statistical provider providing protocols in use and current TCP/IP connections.

NBTstat, short for NetBios over TCP/IP, is a tool designed to troubleshoot NetBIOS name resolution problems. On normally functioning networks NBTstat will resolve the NetBIOS name to an IP address. NBTstat can be run from the command line and in PowerShell.

Samba

The Samba package is installed to integrate with Windows hosts. If installed, the same principles of enumeration apply to Linux hosts as to Windows. Attackers will be looking for shared resources by utilizing tools such as SMBclient and Showmount. These tools will show which directories have been shared or mounted onto the file system from other hosts. Network File System (NFS) is also a way for Linux hosts to share their directories. The Showmount command will query a host for any directories it has exported.

The Finger Command

The Finger command looks up and displays information about system users. The Finger syntax is: finger [-lmsp] [user ...] [user@host ...]

Linux Privileges

A simple User ID (UID) and Group ID (GID) system is used where UID and GID "0" is always a user with root level privileges. The same UID can be granted to different user names making them the same user as far as the system goes. For logging and auditing purposes however, it is still common practice to use the assigned user name for each account.

Service processes such as "named" run under the ownership of a user account that often has the same name. Should an attacker gain access to a Linux system, they might try to create an account that will not stand out. Such an account could be "dns". Then it could be assigned a UID of 0 ensuring that it has privileges. An attacker might also clear its password using the password -d command hoping that none of this will look conspicuous during an audit.

The SUID Bit

Both the setuid and setgid are needed for tasks that require higher privileges than those which common users have like changing their login password. Some of the tasks that require elevated privileges may not be obvious like the ping command which must send and listen for control packets on a network interface.

The Set owner User ID upon execution (SUID) is a special type of file permissions given to a file. Normally in Linux and in Unix when a program runs it inherits access permissions from the logged in user. SUID is best defined as giving temporary permissions to a user to run a program or a file with the permissions of the file owner rather that the user who runs it

Administrators must baseline the system for utilities that need to have the SUID but turned on so that they can tell when it has happened to a file that it should not have. Using thefind command on a routine basis for this search. It can reveal possibilities that an attack has replaced the find command with a version that will not support the operations needed for such a search.

Simple Network Management Protocol (SNMP) is a protocol for network management. It is used for collecting information from and configuring network devices. Such devices can be servers, printers, routers and switches. It works on an Internet Protocol network.

A commercial tool is usually deployed onto a managed system and Network Management Stations (NMS) then gathers and processes information collected. The Master Information Base (MIB) is then configured with the knowledge of what on the network needs to be monitored. Threshold values are configured and network events and traps are sent to the NMS whenever they are exceeded.

SNMP Risks

The Master Information Base is where the data is stored that describes the resources being monitored. This is what interests the attacker. All the attacker needs to know is the community string, which by default is set to the letters "PUBLIC." This string of characters act as a shared password. The SNMP clients that provide this string are considered trusted and will be able to make read-only queries.

If fortunate, all it will take is a default configuration attack. This means that if the target host has SNMP enabled but the community string has not been changed, then many of the built-in SNMP objects are visible for em=numeration.

The SNMP protocol standard comes with several already mapped items. Along with these comes the flexibility for administrators to create their own. These maps are called Object Identifiers (OIDs).

Based on a client-server model, the Lghtweight Directory Access Protocol (LDAP) is a directory service protocol runs on a layer above the TCP/IP stack. It's mechanism is to connect to, search, and modify Internet directories.

LDAP is a protocol which is used for access Active Directory object, user authentication and authorization. It is also used to store your credentials in a network security system as well as retrieve it with your password and decrypted key giving you access to the services.

LDIF (Lightweight Directory Interchange Format) is an ASCII file format used to exchange data and enable the synchronization of that data between Lightweight Directory Access Protocol server called Directory System Agents (DSAs).