ERIC BRUHN

Network Applications and Network Applications Lab

Chapter Three Notes

 


Enumeration

  • Windows NT/2000 Enumeration
    • Windows is well known for giving away free information.
    • This is due to the Common Internet File System/Server Message Block (CIFS/SMB) protocols.
    • The Windows NT/2000 Hacking Kit
      • Microsoft provides an administration CD for Windows (the Windows NT Resource Kit).
      • Many of its tools are just as useful to hackers.
    • Null Sessions
      • Null sessions return information over TCP port 139.
    • Null Session Countermeasures
  • NT/2000 Enumeration
    • Hacker will try to get a sense of what is on the wire, a.k.a. “enumerating the NetBIOS wire”
    • The tools and techniques for peering along the NetBIOS wire are readily available, and most are built into the OS.
    • Enumerating NT/2000 with net view
      • Net view is a built-in tool.
      • Will list domains available on the network
        • Example: net view /domain
      • This will give us users on a particular domain
        • Example: net view /domain:corleone
    • Most hackers will use a NetBIOS scanner to check entire sites rather than use these tools manually.
  • NetBIOS Enumeration Countermeasures
    • Denying access to TCP and UDP ports 135 through 139 blocks all of the activities mentioned above.
    • The best way to do this is with a router, firewall, or other network gatekeeper.
  • NT/2000 SNMP Enumeration
    • Even if you have tightly secured access to NetBIOS services, a system may still cough up similar information if it is running the SNMP agent.
    • The object identifier (OID) specifies a specific branch of the Microsoft enterprise Management namespace, so walking “up” the tree will dump larger and larger amounts of information.
  • NT/2000 SNMP Enumeration Countermeasures
    • The easiest way to prevent this type of activity is to remove the SNMP agent or turn it off.
    • Be sure to block access to TCP and UDP port 161 (SNMP GET/SET) at all perimeter network access devices.
    • Allowing internal SNMP information to leak onto public networks is a definite no-no.
    • Also go to the RFC website for the latest in SNMP RFCs. (http://www.rfc-editor.org)
  • Win 2000 Zone Transfers
    • A simple zone transfer can enumerate a lot of interesting network information.
    • Also see RFC 2052.
  • Blocking Win 2000 zone transfers
    • You should disallow zone transfers entirely by simply unchecking the "Allow zone transfers" option.
  • NT/2000 Host Enumeration Countermeasures
    • You need to block access to TCP and UDP ports 135 through 139 and 445.
    • Where that is not possible, you'll need to disable SMB services or set RestrictAnonymous to secure them.
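
As an added example that is not part of these notes, the following PowerShell audit checks a host against the countermeasures the outline lists (RestrictAnonymous, the SNMP agent, and listeners on ports 135 through 139, 445 and 161). The Lsa registry path and the Get-Net* cmdlets are modern Windows equivalents assumed here, not NT/2000 tools from the chapter.

```powershell
# Added audit script (not from the notes): checks a Windows host against the
# enumeration countermeasures listed above. Run from an elevated prompt; the
# Get-Net* cmdlets assume Windows 8 / Server 2012 or later, so this restates the
# NT/2000 advice for a modern host rather than using the original tooling.
function Test-EnumerationHardening {
    $findings = @()

    # Null sessions: RestrictAnonymous under the Lsa key. 0 relies on default
    # permissions; 1 stops enumeration of SAM accounts and names; 2 (Windows 2000)
    # denies anonymous access entirely unless it is explicitly granted.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    if ($null -eq $lsa.RestrictAnonymous -or $lsa.RestrictAnonymous -eq 0) {
        $findings += 'RestrictAnonymous is unset or 0: null sessions over TCP 139/445 can still enumerate this host.'
    }

    # SNMP agent: the easiest fix in the notes is to remove it or turn it off.
    $snmp = Get-Service -Name 'SNMP' -ErrorAction SilentlyContinue
    if ($snmp -and $snmp.Status -eq 'Running') {
        $findings += 'SNMP service is running: filter TCP/UDP 161 at the perimeter or remove the agent.'
    }

    # Ports the notes say to block at the perimeter: 135-139 and 445 (NetBIOS/SMB), 161 (SNMP).
    # A local listener is not a finding by itself, but it shows which of these services
    # would be exposed if the router or firewall rule were missing.
    $watch = @(135, 136, 137, 138, 139, 445, 161)
    $tcp = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
           Where-Object { $watch -contains $_.LocalPort } |
           Select-Object -ExpandProperty LocalPort -Unique
    $udp = Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
           Where-Object { $watch -contains $_.LocalPort } |
           Select-Object -ExpandProperty LocalPort -Unique
    foreach ($p in ($tcp | Sort-Object)) { $findings += "TCP $p is listening; confirm it is blocked at the perimeter." }
    foreach ($p in ($udp | Sort-Object)) { $findings += "UDP $p is listening; confirm it is blocked at the perimeter." }

    if ($findings.Count -eq 0) { 'No enumeration exposures found by this check.' } else { $findings }
}

Test-EnumerationHardening
```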
