Tools for Auditing and Defending the Hosts
• Port Scanner
• Unix Enumeration Tools
• Windows Enumeration Tools
• Password cracking/Brute-Force Tools
• Backdoors and Remote Access Tools
• Combination System Auditing Tools
Port Scanner
• First step in the process of hacking
• Discovers:
  • Services running on the machine
  • Version of the software
  • Operating system of the host
Port Scanner
• Nmap
• THC-Amap
• IpEye
• WUPS
• ScanLine
Nmap
The most popular port scanner available. It offers many different scanning techniques from which to choose:
• Scan for hosts that are up
• TCP ports
• UDP ports
• Other IP protocols
Identify Hosts on the Network
• Ping scanning is the method used to find out which hosts are up (-sP)
• Nmap can also try ICMP timestamp (-PP) or netmask (-PM) requests
• TCP ping: attempts to make a TCP connection to port 80 on the host
Scan for TCP Ports
The basic method of TCP scanning is to try a TCP connect() call to the port and wait for a response. Nmap simply disconnects by sending an RST packet as soon as the handshake has completed.
Example of a TCP port scan
[paris:~] mike% nmap -sT 10.0.1.2
……..
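The connect() scan described above, as an added example that is not part of the original slides: a constructed loopback target records every peer it accepts, and a minimal scanner completes the handshake per port and then tears it down with an RST (SO_LINGER with a zero timeout), the way the slide says nmap -sT does. The point for a defender is visible in the result: the full handshake means the listening daemon sees, and can log, the scanner's address.

```python
import socket
import struct
import threading

def start_target():
    # Constructed target: loopback TCP service that records the peer it accepts
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    seen, hit = [], threading.Event()

    def serve():
        conn, peer = srv.accept()    # a connect() scan always completes here
        seen.append(peer)            # ...so the daemon can log the scanner's address
        conn.close()
        hit.set()

    threading.Thread(target=serve, daemon=True).start()
    return srv, seen, hit

def connect_scan(host, ports, timeout=1.0):
    # Full three-way handshake per port, then tear down with RST (nmap -sT style)
    results = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        # SO_LINGER with a zero timeout makes close() send RST instead of FIN
        s.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
        try:
            s.connect((host, port))
            results[port] = "open"
        except OSError:              # refused (RST back) or timed out (filtered)
            results[port] = "closed"
        finally:
            s.close()
    return results

def demo():
    srv, seen, hit = start_target()
    open_port = srv.getsockname()[1]
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))       # reserve and release a port so it is closed
    closed_port = tmp.getsockname()[1]
    tmp.close()
    results = connect_scan("127.0.0.1", [open_port, closed_port])
    hit.wait(2.0)                    # let the accept thread record the hit
    srv.close()
    return results[open_port], results[closed_port], len(seen)
```

Running demo() returns ('open', 'closed', 1): the open port was found, the closed one refused, and the target's accept log holds exactly one entry for the scanner.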
More TCP port scans
• SYN scan -sS
• FIN scan -sF
• Xmas tree scan -sX
• Null scan -sN
• ACK scan -sA
The FIN Scan -sF
• Sends a FIN packet before a connection has been established
• Open ports ignore it
• Closed ports respond with an RST packet
• The Xmas tree scan (-sX) and null scan (-sN) are variants of the FIN scan
• Not very accurate
ACK Scan -sA
• The ACK scan tells you exactly what firewall rules are protecting a particular host.
Scan for UDP Ports
• The -sU option sends empty UDP packets and waits to receive an ICMP "port unreachable" message in return.
Scan for Protocols -sO
• All IP packets have a protocol field that identifies the transport-layer protocol.
• Nmap sends a raw IP packet with no transport-layer header and a protocol number of 130.
• If it receives an ICMP "protocol unreachable" message, the protocol is not implemented; otherwise we assume it is.
• A firewall blocking ICMP messages, or the protocol itself, can give false positives.
Determine Service Applications
• -sR: identifies RPC services
• -sV: identifies a much greater number of services
More Features
• Camouflage the scan
• Zombie scan: -P0 -sI
• Manage scan speed
• Identify a host's operating system: -O
THC-AMAP
• Amap is a next-generation port scanner that attempts to identify the actual service listening on a port rather than assuming that a service is running on its default port (this is identical to nmap's -sV).
• Nmap has a greater user base and a larger group of developers.
More Port Scanners
• IpEye: a command line port scanner for Windows 2000 and XP that does some of the same TCP stealth scans as nmap, including SYN, FIN, Xmas tree, and null scans.
• WUPS: a companion to IpEye that scans UDP ports, where the latter only covers TCP ports.
• ScanLine: a pure Windows scanner that does not rely on WinPcap.
Unix Enumeration Tools
• Samba
• Finger
• Rpcinfo
• Showmount
• R-tools
• Who, w, and last
Samba
• Samba contains both client and server components that let you set up file sharing on a Unix box so that a Windows system can access the Unix share as if it were a Windows peer on the network.
Samba Implementation
• smbclient: command line access to an SMB file share. It is not able to resolve a hostname via NetBIOS unless the two systems are on the same local network segment.
• nmblookup: finds the NetBIOS name by mapping IP addresses to NetBIOS data.
• rpcclient: provides a method for enumerating system and domain information.
FINGER
• On the Unix side, the finger utility lets us discover information about system users.
• Systems running a finger daemon, which operates on TCP port 79, will respond to queries about currently logged-in users as well as requests for information about specific users.
• Many Cisco devices run a finger daemon. While they only reveal the remote IP address of the user accessing the device, this lets you track down the router administrator.
Finger Implementation
• finger @host_name.com: provides a list of all users currently logged into host_name.com
• finger estewart@host_name.com
• finger stewart@host_name.com
RPCINFO
• One of the most powerful and dangerous services on a Unix system
• A program that talks to the portmapper on a system and retrieves a list of all the RPC services currently running, their names and descriptions, and the ports they are using.
• Some popular RPC services are NFS (Network File System) and NIS/YP (Network Information Service, or Sun Yellow Pages).
Portmap/rpcbind
• A utility that listens on TCP and UDP port 111. Any program that wants to receive RPCs needs to register with the portmapper. During registration, portmap records the name/number, version, description and port on which the program is listening.
Rpcinfo Implementation
• rpcinfo -p hostname: lists all the RPC services that have registered with the portmapper.
• rpcinfo -u hostname programid [version]: makes the RPC call and reports on the response.
• rpcinfo -b programid version: finds out whether any other machines on the network are running a vulnerable RPC service.
• rpcinfo -d programid version: unregisters the programid/version with portmap.
• rpcinfo -m hostname: similar to -p, except that it displays a table of statistics.
SHOWMOUNT
• The showmount command lets us see what file systems are available on a particular NFS server.
Showmount Implementation
• showmount -a hostname: shows all the currently mounted directories on the NFS server as well as the hostnames of the clients that have mounted them
• showmount -d hostname: like -a, but does not list the client hostnames
• showmount -e hostname: shows the mount points that are exported and available for mounting over NFS
R-TOOLS
• Among the most insecure utilities on a Unix system
• They use basic Unix authentication, which is based on trusting usernames and hostnames.
R-Tools
• rlogin, rsh, and rcp
• R-tools insecurity
• rwho
• rexec
WHO, W AND LAST
• Provide great information about the users currently logged in as well as their past login habits
Who, W and Last
• who: lists the username, terminal/tty, and login date of every currently logged-in user
• w: shows what each user is currently running from their command shell as well as uptime statistics for the system
• last: shows who has logged into the system, where they came from, and how long they stayed on.
Windows Enumeration Tools
• Net tools
• NBTStat
• Winfingerprint
• GetUserInfo
• Enum
• PsTools
• MBSA version 2
Net Tools
• A very useful tool to monitor and scan the network
• The two most important net commands are:
  • net view: specifies the domain or workgroup name of the target and lists all the other computers that belong to that domain or workgroup.
  • net use
NBTStat
• nbtstat is a Windows command line tool that displays information about a computer's NetBIOS connections and name tables.
• The nbtstat command can gather information such as a system's MAC address, NetBIOS name, domain name and any active users.
NBTStat Implementation
• Typing nbtstat at the Windows command prompt shows its usage.
• nbtstat -S 2 monitors the current open NetBIOS sessions between the local system and others on the network, and updates that listing every two seconds.
• nbtstat -A 134.7.50.71: nbtstat returns a name table containing the NetBIOS services active on the host. With the -A flag we can run nbtstat against any system connected to the internet that allows NBT traffic over ports 137, 138, and 139.
Retrieving a MAC Address
• nbtstat provides the system's MAC address.
• A MAC hardware address is 48 bits, expressed as 12 hexadecimal digits, or six octets.
• The first (left) 6 digits (three octets) represent the vendor of the network interface, and the last (right) 6 digits (three octets) represent the interface serial number for that particular vendor.
• The first 6 digits are referred to as the Organizationally Unique Identifier (OUI).
• Some examples of common OUIs:
  • Sun Microsystems Inc. (08-00-20)
  • The Linksys Group, Inc. (00-06-25)
  • 3COM Corporation (00-50-DA)
  • VMware, Inc. (00-50-56)
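An added example, not part of the original slides, that turns the two nbtstat slides above into something a defender can run over captured output: it parses a constructed sample of the name table that nbtstat -A prints (the layout is approximated from memory, not a real capture), splits the 48-bit MAC into its OUI and serial halves, and maps the OUI against the vendor table on this slide, flagging hosts whose <20> entry shows they are offering file shares.

```python
import re

# OUI table from the slide: first three octets -> NIC vendor
OUI_VENDORS = {
    "08-00-20": "Sun Microsystems Inc.",
    "00-06-25": "The Linksys Group, Inc.",
    "00-50-DA": "3COM Corporation",
    "00-50-56": "VMware, Inc.",
}

# Constructed sample modelled on the table `nbtstat -A <ip>` prints (not a real capture)
SAMPLE_NBTSTAT = """\
           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    FILESRV01      <00>  UNIQUE      Registered
    CORPDOMAIN     <00>  GROUP       Registered
    FILESRV01      <20>  UNIQUE      Registered

    MAC Address = 00-50-56-AB-CD-EF
"""

def split_mac(mac):
    """Normalise a 48-bit MAC (dashes, colons or bare hex) into (OUI, serial)."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"MAC must be 12 hex digits (48 bits), got {mac!r}")
    octets = [digits[i:i + 2].upper() for i in range(0, 12, 2)]
    return "-".join(octets[:3]), "-".join(octets[3:])   # vendor part, serial part

def parse_nbtstat(text):
    """Pull the name table and MAC out of nbtstat -A output and annotate them."""
    names = re.findall(r"^\s*(\S+)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)", text, re.M)
    m = re.search(r"MAC Address\s*=\s*([0-9A-Fa-f-]{17})", text)
    if m is None:
        raise ValueError("no 'MAC Address =' line in nbtstat output")
    oui, serial = split_mac(m.group(1))
    return {
        "names": [(name, suffix.upper(), kind) for name, suffix, kind in names],
        "oui": oui,
        "serial": serial,
        "vendor": OUI_VENDORS.get(oui, "unknown OUI"),
        # suffix <20> is the Server service: the host is offering file shares
        "file_server": any(suffix.upper() == "20" for _, suffix, _ in names),
        # the domain/workgroup appears as a GROUP entry with suffix <00>
        "workgroup": next((n for n, s, k in names if s == "00" and k == "GROUP"), None),
    }
```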
Winfingerprint
• This utility is under active development, has readily available source code, and pulls the most information possible across an IPC$ share.
• The development builds support Simple Network Management Protocol (SNMP) enumeration, accessing the event log and delving into the Active Directory structure.
Winfingerprint Implementation
• It is a GUI-based tool.
• Scan options:
  • Domain: uses the Win32 API that has evolved from Windows NT 4.0. It gathers shares, users, password policies and system information.
  • Active Directory: uses the Active Directory Service Interface (ADSI) API to enumerate system information. This does not work correctly against Windows 2000 systems; it works well against Windows XP and Windows 2003 systems.
  • WMI: uses the Windows Management Instrumentation API to enumerate system information. This may also be able to report service packs, hotfixes, and running services.
GetUserInfo
• One of the "joeware" utilities created by Joe Richards. The joeware collection includes several utilities that fit a resource kit for administrators who really need to get into the Windows chassis.
• Results are similar to "net user" with some more information.
Enum
• Enum culls a target Windows NT, 2000, or XP system for information about users, groups, shares, and basic system information.
• Enum comes with source code, so if you find a bit of functionality missing you can add it using C++.