Enumeration
- Windows NT/2000 Enumeration
  - Windows is well known for giving away free information.
    - Due to Common Internet File System/Server Message Block (CIFS/SMB)
  - The Windows NT/2000 Hacking Kit
    - Microsoft has provided an administration CD for Windows (Windows NT Resource Kit)
    - This also provides many tools for hackers to use.
  - Null Sessions
    - Return information on TCP port 139
  - Null Session Countermeasures
  - NT/2000 Enumeration
    - Hacker will try to get a sense of what is on the wire, a.k.a. “enumerating the NetBIOS wire”
    - The tools and techniques for peering along the NetBIOS wire are readily available, and most are built into the OS.
  - Enumerating NT/2000 with net view
    - net view is a built-in tool
    - Will list domains available on the network
      - Example: net view /domain
    - This will give us users on a particular domain
      - Example: net view /domain:coreleone
    - Most hackers will use a NetBIOS scanner to check entire sites rather than use these tools manually.
  - NetBIOS Enumeration Countermeasures
    - Denying access to TCP and UDP ports 135 to 139 blocks the activities mentioned above.
    - Best way to do this is with a router, firewall, or other network gatekeeper.
  - NT/2000 SNMP Enumeration
    - Even if you have tightly secured access to NetBIOS services, your systems may still cough up similar information if they are running the SNMP agent.
    - The object identifier (OID) specifies a specific branch of the Microsoft enterprise management namespace, so walking “up” the tree will dump larger and larger amounts of information.
  - NT/2000 SNMP Enumeration Countermeasures
    - Easiest way to prevent this type of activity is to remove the SNMP agent or turn it off.
    - Be sure to block access to TCP and UDP port 161 (SNMP GET/SET) at all perimeter network access devices.
    - Allowing internal SNMP info to leak onto public networks is a definite no-no.
    - Also see the RFC Editor website (http://www.rfc-editor.org) for the latest SNMP RFCs.
  - Win 2000 Zone Transfers
    - A simple zone transfer can enumerate a lot of interesting network information.
    - Also see RFC 2052.
  - Blocking Win 2000 Zone Transfers
    - You should disallow zone transfers entirely by simply unchecking “Allow zone transfers”.
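The notes describe the fix as a checkbox in the DNS console. As an added example (not from the Hacking Exposed notes or the book), the script below audits the same setting from PowerShell across every primary zone a Windows DNS server hosts, so a defender can confirm no zone was left transferable. It assumes the DnsServer module (Windows Server 2012 or later with the DNS role); the server name is a placeholder.

```powershell
# Added example (not from the Hacking Exposed notes): audit zone-transfer
# settings on a Windows DNS server. Requires the DnsServer PowerShell module
# (Windows Server 2012 or later with the DNS role). Run as a DNS administrator.
param(
    [string]$ComputerName = 'dns01.example.internal'   # placeholder server name
)

Import-Module DnsServer -ErrorAction Stop

function Get-ZoneTransferExposure {
    param([string]$Server)

    # Only primary zones are authoritative here and therefore transferable.
    # Reverse-lookup zones are kept in, since they leak hostnames just as readily.
    Get-DnsServerZone -ComputerName $Server |
        Where-Object { $_.ZoneType -eq 'Primary' } |
        ForEach-Object {
            $setting = $_.SecureSecondaries
            $risk = switch ($setting) {
                'NoTransfer'               { 'OK: transfers disabled (the "Allow zone transfers" box unchecked)' }
                'TransferToSecureServers'  { 'OK: restricted to the listed secondaries' }
                'TransferToZoneNameServer' { 'Review: any host listed as an NS record may pull the zone' }
                'TransferAnyServer'        { 'FAIL: any host may pull the whole zone' }
                default                    { "Unknown setting '$setting'" }
            }
            [pscustomobject]@{
                Zone              = $_.ZoneName
                SecureSecondaries = $setting
                SecondaryServers  = ($_.SecondaryServers -join ', ')
                Assessment        = $risk
            }
        }
}

Get-ZoneTransferExposure -Server $ComputerName | Format-Table -AutoSize
```

A zone reported as FAIL can be corrected with Set-DnsServerPrimaryZone -Name <zone> -SecureSecondaries NoTransfer (or TransferToSecureServers together with -SecondaryServers for legitimate secondaries), which is the command-line equivalent of the checkbox the notes mention.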
  - NT/2000 Host Enumeration Countermeasures
    - Need to block access to TCP and UDP ports 135 through 139 and 445.
    - Without that, you’ll need to disable SMB services or set RestrictAnonymous to secure them.
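The countermeasures above (RestrictAnonymous, removing the SNMP agent, and filtering TCP/UDP 135 through 139, 445 and 161) can be verified on a single host with the added script below. It is not from the notes or the book; it assumes a modern Windows host with the NetSecurity module (Windows 8 / Server 2012 or later) and an elevated session. It checks the host firewall only, so perimeter devices still have to be audited separately as the notes require.

```powershell
# Added example (not from the Hacking Exposed notes): local audit of the
# enumeration countermeasures listed in the notes for one Windows host.
# Checks the RestrictAnonymous LSA value, the SNMP service state, and which
# enabled inbound Allow rules open the enumeration ports on the host firewall.
# Requires the NetSecurity module (Windows 8 / Server 2012 or later); run elevated.

# Ports named in the notes: NetBIOS/RPC 135-139, SMB 445, SNMP 161.
$EnumerationPorts = @(135, 136, 137, 138, 139, 445, 161)

function Get-RestrictAnonymousSetting {
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    [pscustomobject]@{
        RestrictAnonymous    = $lsa.RestrictAnonymous      # 0 or missing: null sessions enumerate freely
        RestrictAnonymousSAM = $lsa.RestrictAnonymousSAM   # present on XP/2003 and later only
    }
}

function Get-SnmpAgentState {
    $svc = Get-Service -Name 'SNMP' -ErrorAction SilentlyContinue
    if (-not $svc) { return 'not installed' }
    return "$($svc.Status) (StartType: $($svc.StartType))"
}

# True when a firewall LocalPort specification ("Any", "139", "135-139",
# or an array of those) covers the given port number. Named specifications
# such as "RPC" do not match and are reported as not covering the port.
function Test-PortCovered {
    param([object]$LocalPort, [int]$Port)
    foreach ($spec in @($LocalPort)) {
        if ($spec -eq 'Any') { return $true }
        if ($spec -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        } elseif ($spec -match '^\d+$' -and [int]$spec -eq $Port) {
            return $true
        }
    }
    return $false
}

# One row per port/protocol listing the enabled inbound Allow rules that open it.
# With an empty AllowRules column and a profile whose DefaultInboundAction is
# Block, the port is effectively filtered on this host.
function Get-InboundExposure {
    $allowRules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow
    # Resolve each rule's port filter once; Get-NetFirewallPortFilter is slow.
    $filters = @{}
    foreach ($rule in $allowRules) { $filters[$rule.Name] = $rule | Get-NetFirewallPortFilter }

    foreach ($port in $EnumerationPorts) {
        foreach ($proto in 'TCP', 'UDP') {
            $opening = foreach ($rule in $allowRules) {
                $f = $filters[$rule.Name]
                if (($f.Protocol -eq $proto -or $f.Protocol -eq 'Any') -and
                    (Test-PortCovered -LocalPort $f.LocalPort -Port $port)) {
                    $rule.DisplayName
                }
            }
            [pscustomobject]@{
                Port       = $port
                Protocol   = $proto
                AllowRules = ($opening -join '; ')
            }
        }
    }
}

Write-Host '== RestrictAnonymous =='
Get-RestrictAnonymousSetting | Format-List
Write-Host "== SNMP agent: $(Get-SnmpAgentState) =="
Write-Host '== Firewall profile defaults =='
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction | Format-Table -AutoSize
Write-Host '== Enabled inbound Allow rules opening the enumeration ports =='
Get-InboundExposure | Format-Table -AutoSize
```

Read the three sections together: a RestrictAnonymous of 0, a running SNMP service, or an Allow rule such as File and Printer Sharing on TCP 139/445 each correspond to one of the exposures the notes describe, and the fix in each case is the countermeasure listed beside it.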