Thursday, 31 March 2011

What is Footprinting?

Defining Footprinting

* Footprinting is the blueprinting of the security profile of an organization, undertaken in a methodological manner.
* Footprinting is one of the three pre-attack phases. The others are scanning and enumeration.
* Footprinting results in a unique organization profile with respect to the networks (Internet / Intranet / Extranet / Wireless) and systems involved.

There is no single methodology for footprinting, as a hacker can choose several routes to trace the information. Footprinting therefore needs to be carried out precisely and in an organized manner. The information unveiled at various network levels can include details of domain names, network blocks, network services and applications, system architecture, intrusion detection systems, specific IP addresses, access control mechanisms and related lists, phone numbers, contact addresses, authentication mechanisms and system enumeration.

The information gathering activity can be broadly divided into seven phases. The attacker would:

* first unearth initial information (such as the domain name),
* locate the network range of the target system (using tools such as Nslookup, whois etc.),
* ascertain the active machines (for instance by pinging them),
* discover open ports or access points (using tools such as port scanners),
* detect operating systems (for instance by querying with telnet),
* uncover services on ports, and
* ultimately map the network.

This not only speeds up the real attack process, but also helps the attacker prepare better for covering his tracks and thereby leave a smaller or minimal footprint.

Initial Information:

Commonly includes:

* Domain name lookup
* Locations
* Contacts (Telephone / mail)

Information Sources:

* Open source
* Whois
* Nslookup

Hacking Tool:

* Sam Spade

Open source footprinting is the easiest and safest way to go about finding information about a company. It covers information that is available to the public, such as phone numbers, addresses, etc. Performing whois requests and searching through DNS tables are other forms of open source footprinting. Most of this information is fairly easy to get, and within legal limits. One easy way to check for sensitive information is to check the HTML source code of the website for links, comments, meta tags etc.

Footprinting - Attack Methods

Attack Methods

The attacker may choose to source the information from:

* A web page (save it offline, e.g. using an offline browser such as Teleport Pro).
* Yahoo or other directories (Tifny is a comprehensive search tool for USENET newsgroups).
* Multiple search engines (All-in-One, Dogpile); groups.google.com is a great resource for searching large numbers of newsgroup archives without having to use a tool.
* Advanced search (e.g. AltaVista).
* Searches on publicly traded companies (e.g. EDGAR).
* Dumpster diving (to retrieve documents that have been carelessly disposed of).
* Physical access (false ID, temporary/contract employees, unauthorized access etc.).

There are four RIRs, each maintaining a whois database holding details of IP address registrations in its region. The RIR whois databases are:

* ARIN (North America and sub-Saharan Africa)
* APNIC (Asia Pacific region)
* LACNIC (Southern and Central America and the Caribbean)
* RIPE NCC (Europe and northern Africa)

Tools

There are tools available to aid a whois lookup. Some of them are Sam Spade (downloadable from www.samspade.org), Smart Whois (downloadable from www.tamos.com), Netscan (downloadable from www.netscantools.com) and GTWhois (Windows XP compatible, www.geektools.com).

What is Enumeration ??

Friends, for the next few days, I will introduce the enumeration phase of hacking to you. I will try to explain different aspects of enumeration. After this you will be familiar with the following topics:

    * Understanding Windows 2000 enumeration
    * How to Connect via Null Session
    * How to disguise NetBIOS Enumeration
    * Disguise using SNMP enumeration
    * How to steal Windows 2000 DNS information using zone transfers
    * Learn to enumerate users via CIFS/SMB
    * Active Directory enumerations

This forms the basis for discussing countermeasures alongside the generic approach of hackers towards a system.

What is Enumeration (PART 2)???

If acquisition and non-intrusive probing have not turned up any results, then an attacker will next turn to identifying valid user accounts or poorly protected resource shares.

Enumeration involves active connections to systems and directed queries.

The type of information enumerated by intruders:

* Network resources and shares
* Users and groups
* Applications and banners

The objective of the attacker is to identify valid user accounts or groups where he can remain inconspicuous once he has compromised the system. Enumeration involves active connections being made to the target system, or subjecting it to directed queries. Normally, an alert and secure system will log such attempts. Often the information gathered is what the target might have made public, such as a DNS address. However, it is possible that the attacker stumbles upon a remote IPC share such as IPC$ in Windows, which can be probed with a null session so that shares and accounts are enumerated.

Concept

On ascertaining the security posture of the target, the attacker can turn this information to his advantage by exploiting some resource sharing protocol or compromising an account. The type of information enumerated by hackers can be loosely grouped into the following categories:

1. Network resources and shares
2. Users and Groups
3. Applications and Banners

NetBIOS Null Sessions

* The null session is often referred to as the Holy Grail of Windows hacking. Null sessions take advantage of flaws in CIFS/SMB (Common Internet File System / Server Message Block).
* You can establish a null session with a Windows (NT/2000/XP) host by logging on with a null user name and password.
* Using these null connections allows you to gather the following information from the host:
    o List of users and groups
    o List of machines
    o List of shares
    o Users and host SIDs (Security Identifiers)

In the enumeration phase, the attacker gathers information such as network user and group names, routing tables, and Simple Network Management Protocol (SNMP) data. However, in addition to the standard user, the OS also supports a unique type of user called the 'null' user, which is basically a pseudo-account that has no username or password but is allowed to access certain information on the network.

The null user is capable of enumerating account names and shares on domain controllers, member servers, and workstations. This makes the null user, a user with no credentials, a potential means of attack by crackers to elicit information and compromise the system.

Let us take a look at a typical LANMAN session on Windows NT 4.0.

Remote machines establish a session with the Windows NT server using a challenge-response protocol. The security of the information channel is ensured through the sequence of communications outlined below.

* The remote machine (or session requestor / client) sends a request to the session server (or session acceptor). This may be within the same domain or across domains.
* The session server responds by sending across a random 64-bit challenge to the client. The client responds to the challenge with a 24-bit answer which is hashed with the password of the user account that is requesting the session.
* The session server accepts the response and verifies with the Local Security Authority (LSA) the authentication of the user account and password.
* The LSA confirms the identity of the requestor by verifying that the response was hashed with the correct password for the user that the requestor purports to be. This confirmation occurs locally if the requestor's account is a local account on the server. However, if the requestor's account is a domain account, the response is forwarded to the concerned domain controller for authentication.
* On authenticating the response, an access token is generated by the session server and sent across to the client.
* The client then uses this access token to connect to resources on the server until the newly established session is terminated.

Windows 2000 provides three groups whose membership is controlled by the administrator: Users, Power Users, and Administrators. The group whose membership is controlled by the operating system or domain is Authenticated Users. It is the same as the Everyone group, except that it does not contain anonymous users or guests. Unlike the Everyone group in Windows NT 4.0, the Authenticated Users group is not used to assign permissions. Only groups controlled by the administrator, primarily Users, Power Users, and members of the Administrators group, are used to assign permissions.

Now, let us take a look at a typical LANMAN session on Windows 2000.

* Here, the client sends a pre-authenticated (hash of user password) request along with a time stamp to the key distribution center (KDC) that resides on the domain controller (DC) of the concerned domain, requesting a ticket granting ticket (TGT).
* The KDC extracts the hash of the user identity from its database and decrypts the request with it, noting the time stamp as well for recentness of the request. A valid user account results in successful decryption.
* The KDC sends back a TGT that contains, among other information, the session key (encrypted with the user's password) and the security identifiers (SIDs) identifying the user and the group.
* The client uses the ticket to access the required resources.

A null session is an insecure (unauthenticated) connection with no proof of identity. No user and password credentials are supplied in the establishment of the session. No session key is exchanged when establishing a null session, and hence it is impossible for the system to send encrypted or even signed messages on behalf of the user under a null session.

When the LSA is asked to create a token for a remote client communicating via a null session, it produces a token with a user SID of S-1-5-7 (the null logon session) and a user name of ANONYMOUS LOGON. We have seen earlier that Everyone is included in all tokens, and the null session is classified as a network logon. This gives the null user access to file system shares and named pipes.

Other areas where null sessions are considered useful are when the LMHOSTS.SAM file uses the "#INCLUDE" tag. The share point that contains the included file must be set up as a null session share. Additionally, where a service running under the local "SYSTEM" account needs access to some network resource, a null session may be established to access these resources.

An interesting part is that null sessions can also be established at the API level with languages such as C++. Null sessions can be used to establish connections to 'null session pipes', if it is allowed by the server. A 'pipe' is a facility that allows a process on one system to communicate with a process on another system, while an inter-process communication share allows communication between two processes on the same system.

Null sessions can also be used to establish connections to shares, including such system shares as \\servername\IPC$. The IPC$ is a special hidden share. It may be noted that the IPC$ share is an interface to the 'server' process on the machine, also associated with a pipe so it can be accessed remotely. Null sessions make the enumeration of users, machines, and resources easier for administrative purposes, especially across domains. This is the lure for the attacker who intends to use a null session to connect to the machine.

During port scanning, the attacker takes note of any response from TCP ports 139 and 445. Why would these ports interest an attacker? The answer lies in the SMB protocol.

The SMB (Server Message Block) protocol is known for its use in file sharing on the Windows NT / 2000 series, among other things. Attackers can potentially intercept and modify unsigned SMB packets, then forward the modified traffic so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after a legitimate authentication and gain unauthorized access to data.

SMB is the resource sharing protocol supported by many Microsoft operating systems; it is the basis of the network basic input/output system (NetBIOS) and many other protocols. SMB signing authenticates both the user and the server hosting the data. In Windows NT it ran on top of NBT (NetBIOS over TCP/IP), making it a bulky protocol with a large header as well as consuming more time. In Windows NT, it used ports 137, 138 (UDP) and 139 (TCP). In Windows 2000, SMB was allowed to run directly over TCP/IP, without the extra layer of NBT. Therefore, port 445 started being used for this purpose.

Each SMB session consumes server resources. Establishing numerous null sessions will slow or possibly crash the server, even in Windows 2003. An attacker could repeatedly establish SMB sessions until the server stops responding, at which point SMB services become slow or unresponsive.
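The token details above (SID S-1-5-7, user name ANONYMOUS LOGON, classified as a network logon) are what a defender can key on in the Security event log. The following Python is an added example, not code from the original post: it runs that check over constructed, simplified key=value event lines. Event IDs 4624 (logon) and 5140 (network share accessed) are the ones current Windows versions use (Windows 2000 recorded a successful network logon as event 540); the line format is an assumption of this example, not a real log export.

```python
"""Flag null-session activity in Windows Security events.

A null session appears as a network logon (LogonType 3) for the
ANONYMOUS LOGON account, SID S-1-5-7, often followed by access to the
hidden IPC$ share from the same source address.  Event IDs 4624 (logon)
and 5140 (network share accessed) are the ones current Windows versions
use; the key=value line format below is a simplification made for this
example, not a real log export.
"""
import re
from collections import defaultdict

ANONYMOUS_SID = "S-1-5-7"   # the null logon session SID from the text
NETWORK_LOGON = "3"         # LogonType for a network (SMB) logon

# Constructed sample events, not taken from a real host.
SAMPLE_EVENTS = """\
EventID=4624 LogonType=2 AccountName=jsmith SID=S-1-5-21-1123561549-1788223846-725345447-1001 Source=127.0.0.1
EventID=4624 LogonType=3 AccountName=ANONYMOUS LOGON SID=S-1-5-7 Source=192.168.104.81
EventID=5140 AccountName=ANONYMOUS LOGON SID=S-1-5-7 Share=\\\\*\\IPC$ Source=192.168.104.81
EventID=5140 AccountName=ANONYMOUS LOGON SID=S-1-5-7 Share=\\\\*\\IPC$ Source=192.168.104.81
EventID=4624 LogonType=3 AccountName=backup_svc SID=S-1-5-21-1123561549-1788223846-725345447-1105 Source=10.0.0.5
EventID=5140 AccountName=backup_svc SID=S-1-5-21-1123561549-1788223846-725345447-1105 Share=\\\\*\\D$ Source=10.0.0.5
"""

# A value runs until the next "key=" token or the end of the line, so
# values with spaces (ANONYMOUS LOGON) survive.
KEY_VALUE = re.compile(r"(\w+)=(.+?)(?=\s+\w+=|\s*$)")


def parse_event(line):
    """Turn one key=value line into a dict; values may contain spaces."""
    return dict(KEY_VALUE.findall(line))


def find_null_sessions(log_text):
    """Count anonymous network logons and IPC$ accesses per source address.

    Returns {source_ip: {"logons": n, "ipc_access": n}} containing only
    sources that produced at least one anonymous (S-1-5-7) event.
    """
    hits = defaultdict(lambda: {"logons": 0, "ipc_access": 0})
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("SID") != ANONYMOUS_SID:
            continue                      # authenticated account, not a null session
        src = ev.get("Source", "unknown")
        if ev.get("EventID") == "4624" and ev.get("LogonType") == NETWORK_LOGON:
            hits[src]["logons"] += 1
        elif ev.get("EventID") == "5140" and ev.get("Share", "").upper().endswith("IPC$"):
            hits[src]["ipc_access"] += 1
    return dict(hits)


def alerts(log_text):
    """One human-readable alert line per offending source, sorted for stable output."""
    out = []
    for src, c in sorted(find_null_sessions(log_text).items()):
        out.append("null session from %s: %d anonymous logon(s), %d IPC$ access(es)"
                   % (src, c["logons"], c["ipc_access"]))
    return out


if __name__ == "__main__":
    for line in alerts(SAMPLE_EVENTS):
        print(line)
```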

NetBIOS connection - So What's the Big Deal?

* Anyone with a NetBIOS connection to your computer can easily get a full dump of all your usernames, groups, shares, permissions, policies, services and more using the null user.

    C:\>net use \\192.168.104.81\IPC$ "" /u:""

* The above syntax connects to the hidden Inter Process Communication 'share' (IPC$) at IP address 192.34.34.2 with the built-in anonymous user (/u:"") and a null ("") password.
* The attacker now has a channel over which to attempt various techniques.
* The CIFS/SMB and NetBIOS standards in Windows 2000 include APIs that return rich information about a machine via TCP port 139 - even to unauthenticated users.

The enumeration of machines and resources in a domain also makes it easier for an attacker to break in. If he is able to anonymously obtain the names of all of the machines in a domain, and then list the resource shares on those machines, it is only a matter of time before he finds a share which is open to "Everyone". Other possibilities include password cracking for a username that was enumerated, planting a backdoor for later access, dumping sensitive information etc.

Let us see how a null session is established and how a remote computer can be enumerated from the command prompt of a Windows machine. In the example shown below, we can see that establishing a null session on the target host reveals that the system root can be easily compromised, as the default setting of 'Everyone' may not have been changed and the shares are visible to all.


In a null session, the TCP/IP connection to port 139 is made first with the following: net use \\127.0.0.1\ipc$ "" /user:"". This is followed by using the session layer protocols SMB and NetBIOS to access the hidden remote IPC share IPC$. The IPC$ is a special hidden share which allows communication between two processes on the same system (Inter Process Communication). The IPC$ share is an interface to the 'server' process on the machine. It is also associated with a pipe so it can be accessed remotely. This technique was programmatically written into an old exploit called the Red Button attack. This was addressed and fixed by Microsoft in Service Pack 3 for NT 4.0.

Once the attacker has a list of the remote shares, he could then attempt to map a remote share. An example of the command structure for the attack is shown in the screenshot above. This attack will only work if the share is not password protected or is shared out to the 'Everyone' group.

Access to the hard drive is a serious security breach. Even if the attacker does not map a drive, he can gather sensitive information such as user accounts, password policy and similar data that he can exploit later to continue his attack on the system. This may not be apparent to the victim initially, and the attacker can take advantage of the time lapse for more information gathering and for planting malicious code such as a virus or a Trojan. The open file share attack generally makes Trojan planting extremely easy. For instance, an intruder might try to place a key logger batch file into the start-up folder to collect further information and perhaps log on later as an authenticated user.

NetBIOS Enumeration

* NBTscan is a program for scanning IP networks for NetBIOS name information.
* For each responding host it lists IP address, NetBIOS computer name, logged-in user name and MAC address.
* The first thing a remote attacker will try on a Windows 2000 network is to get a list of hosts attached to the wire:

     net view /domain

     nbtstat -A

If an attacker notes a Windows OS with port 139 open, he would be interested in checking what resources he can access or view on the remote system. This is shown in the screenshot above. However, to enumerate the NetBIOS names, the remote system must have File and Printer Sharing enabled.

Using these techniques the attacker can launch two types of attack on the remote computer having NetBIOS. He can choose to read/write to a remote computer system depending on the availability of shares. Alternatively he can launch a denial of service.

A recent instance was reported in August 2002 when Microsoft issued an advisory stating that an attacker could seek to exploit an unchecked buffer in network share provider on machines that have anonymous access enabled by sending a malformed SMB request to a target computer and crashing it.

Attack Methods

Let us adopt an attacker's perspective on his port scan results.

On finding port 139 open, the attacker can first use the nbtstat command.

Usage: nbtstat [-a RemoteName] [-A IP_address] [-c] [-n] [-R] [-r] [-S] [-s] [interval]

Note that an attacker will take particular interest in the id <03>. We try to connect to this remote machine using a null session. Usage: net use \\IP\IPC$ "" /user:"" This command connects to the machine using a null user and null password, as signified by the empty quotes. The IPC$ is the hidden share on the particular IP that we will try to access in order to list any shared resources. Two main drawbacks of nbtstat are that it is restricted to operating on a single user and its rather inscrutable output. The tool NBTScan addresses these issues.

Tools

A tool that can be used for such exploits is NBTScan, written by Alla Bezroutchko and available at http://www.inetcat.org/software/nbtscan.html. NBTscan is a program for scanning IP networks for NetBIOS name information. It sends a NetBIOS status query to each address in the supplied range and lists the received information in human readable form. For each responding host it lists IP address, NetBIOS computer name, logged-in user name and MAC address. NBTscan uses UDP port 137 for sending queries. If the port is closed on the destination host, the destination will reply with an ICMP "Port unreachable" message. See screenshot below.

Hacking Tool: NAT

The NetBIOS Auditing Tool (NAT) is designed to explore the NetBIOS file-sharing services offered by the target system.

It implements a stepwise approach to gather information and attempt to obtain file system-level access as though it were a legitimate local client.

If a NETBIOS session can be established at all via TCP port 139, the target is declared "vulnerable", with the remaining question being to what extent.

Once the session is fully set up, transactions are performed to collect more information about the server including any file system "shares" it offers.


Attempts are then made to connect to all listed file system shares and some potentially unlisted ones. If the server requires passwords for the shares, defaults are attempted as described above for session setup. Any successful connections are then explored for writeability and some known file-naming problems.


Information is collected under the appropriate vulnerability at most of these steps, since any point along the way may be blocked by the security configuration of the target. Most Microsoft-OS based servers and Unix SAMBA will yield computer names and share lists, but not allow actual file-sharing connections without a valid username and/or password. A remote connection to a share is therefore a possibly serious security problem, and a connection that allows writing to the share almost certainly so. Let's take a look at an output from NAT.exe:

C:\nat>nat 192.168.2.176
[*]--- Checking host: 192.168.2.176
[*]--- Obtaining list of remote NetBIOS names
[*]-- Remote systems name tables:
                                         JOHN
                                         WORKGROUP
                                         JOHN
                                         JOHN
                                         WORKGROUP
.................
[*]--- Attempting to connect with name: JOHN
[*]--- CONNECTED with name: JOHN
.................
[*]--- Attempting to establish session 
[*]--- Obtained server information:

Server= [JOHN] User= [] Workgroup= [WORKGROUP] Domain= [WORKGROUP]
[*]--- Obtained listing of shares:

     Sharename      Type     Comment 
     ---------      ----     ------
     D              Disk:
     IPC$           IPC:     Remote Inter Process Communication
[*]--- Attempting to access share: \\JOHN\D
[*]--- WARNING: Able to access share: \\JOHN\D
[*]--- Checking write access in: \\JOHN\D
[*]--- WARNING: Directory is writeable: \\JOHN\D
[*]--- Attempting to exercise... bug on: \\JOHN\D

ALL NetBIOS Tools Available @ http://www.cotse.com/tools/netbios.htm



Hacking Tool:DumpSec

DumpSec, presently available as freeware from SomarSoft and downloadable at http://www.systemtools.com/somarsoft/, is a security auditing program for Windows systems. It dumps the permissions (DACLs) and audit settings (SACLs) for the file system, registry, printers and shares in a concise, readable listbox (text) format, so that holes in system security are readily apparent. DumpSec also dumps user, group and replication information.

DumpSec takes advantage of the NetBIOS API and works by establishing NULL session to the target box as the Null user via the [net use \\server "" /user:""] command. It then makes NET* enumeration application program interface (API) calls like NetServerGetInfo (supported by the Netapi32 library).

It allows users to remotely connect to any computer and dump permissions, audit settings, and ownership for the Windows NT/2000 file system into a format that is easily converted to Microsoft Excel for editing. Hackers can choose to dump either NTFS or share permissions. It can also dump permissions for printers and the registry.

The highlight is DumpSec's ability to dump the users and groups in a Windows NT or Active Directory domain. There are several reporting options, and the hacker can choose to dump the direct and nested group memberships for every user, as well as the logon scripts, account status such as disabled or locked out, and the 'true' last logon time across all domain controllers. The user can also get password information such as 'Password Last Set Time' and 'Password Expires Time'. To summarize, DumpSec can pull a list of users, groups, and the NT system's policies and user rights.

SNMP Enumeration

SNMP is simple. Managers send requests to agents, and the agents send back replies. The requests and replies refer to variables accessible to the agent software. Managers can also send requests to set values for certain variables. Traps let the manager know that something significant has happened at the agent's end of things:

* a reboot,
* an interface failure,
* or something else that is potentially bad.

Enumerating NT users via the SNMP protocol is easy using snmputil.

SNMP consists primarily of two objects: a manager and an agent. An agent is a piece of software embedded in a machine. SNMP agents exist for almost any piece of equipment. However, the installed agent doesn't do anything for the machine until queried by the manager. This is a separate program that a network manager runs on their own computer to query the agent (across the network) for information.

The default community string that provides the monitoring or read capability is often "public". The default management or write community string is often "private". The SNMP exploit takes advantage of these default community strings: an attacker can gain information about a device using the read community string "public", and can change a system's configuration using the write community string "private".

SNMPutil example

The security threat comes from Windows 2000 servers and workstations having SNMP support enabled and failing to change the default read-only community string 'public'. However, changing this does not exempt it from attackers sniffing it from the network or subjecting it to a dictionary or brute force attack. This may not seem troublesome, but the Windows 2000 SNMP variables contain a wealth of information for the sniffing cracker. Some of the tables that are available when one has READ access to the SNMP tree on a Windows 2000 box are listed below:

* Interface Table - This table identifies all boxes with multiple interfaces, plus useful details like their IP and MAC addresses.
* Route Table and ARP Table - With access to these tables, a cracker can quickly build an accurate picture of a network and continue the search for vulnerabilities.
* TCP Table and UDP Table - These show which TCP and UDP ports are actively used, and on which ports services are listening for new clients.
* Device Table and Storage Table - Knowing what hardware is attached to a Windows 2000 machine gives crackers clues about what kind of machine they are dealing with.
* Process Table and Software Table - Knowing what software is installed and what software is running (DNS server, DHCP server) gives away details about how to attack the system. They even show which service packs have been installed (and which patches are missing).
* User Table - Knowing which user names are valid on a machine makes it much easier to guess passwords and gain access to a system.
* Share Table - If the cracker knows what shares are exported and used by a Windows machine, it can lead to a serious security compromise.

Here, we will look at an SNMP utility called SNMPutil.exe, which is part of the Windows 2000 Resource Kit. Let us take a look at what we can discover with it from the command prompt.

In this output, the variable is called 1.3.6.1.2.1.1.2.0, and we 'get' its value, which turns out to be 1. The variable name (1.3.6.1.2.1.1.2.0) is called an object identifier, or OID. An alternative to this is found in the second line of the output shown here: 'interfaces.ifNumber.0' is the same OID, but is more easily readable. The second and third arguments to SNMPUTIL designate the host to which the SNMP request will be sent (210.212.69.129) and the community (authentication string or password) to use (public). The 'public' community is the default when SNMP support is installed on a Windows 2000 host, and it allows the user to read all variables present. Since even the number of interfaces in a host is sensitive data, the threat is evident. Let us look at some of the other variables that might be of interest to an attacker and a security professional.

* IpForwarding (1.3.6.1.2.1.4.1.0) - Is the host forwarding? This is not a good sign for a workstation.
* IcmpInRedirects (1.3.6.1.2.1.5.7) - Is the host redirecting ICMP messages?
* TcpOutRsts (1.3.6.1.2.1.6.15) - A counter indicating the number of RSTs sent by the box. This counter will increase rapidly when port-scanned.
* UdpNoPorts (1.3.6.1.2.1.7.2) - A counter indicating traffic to ports where no service was present. Also a possible port-scan signal.

SNMP walk automates the whole process of getting the variables and can be redirected to an output file. To summarize, Snmputil can reveal details about services that are running, share names, share paths, any comments on shares, usernames and domain names etc.
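The community string that SNMPv1 sends in the clear, as discussed above, is something a network sensor can check for. The following Python is an added example, not code from the original post: a minimal ASN.1 BER decoder for an SNMPv1 message that extracts the version, community, PDU type and requested OIDs and flags the default 'public'/'private' communities so a monitoring script can alert on them. The two packets are constructed for this example; the first is a GetRequest for 1.3.6.1.2.1.1.2.0 with community 'public' (the snmputil example), the second is the same request with a constructed non-default community.

```python
"""Decode an SNMPv1 message and flag default community strings.

SNMPv1 puts the community string in clear text in every datagram, so a
sensor watching UDP/161 can see whether 'public' or 'private' is still in
use.  This is a minimal ASN.1 BER decoder: enough to pull version,
community, PDU type and the requested OIDs out of one message.  The two
packets below are constructed for this example (not captured traffic).
"""
DEFAULT_COMMUNITIES = {"public", "private"}
PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap"}
VERSIONS = {0: "v1", 1: "v2c"}


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = octet count
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("TLV value runs past end of packet")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value):
    """BER OID contents -> dotted string (first byte packs the first two arcs)."""
    if not value:
        raise ValueError("empty OID")
    arcs = [value[0] // 40, value[0] % 40]
    acc, pending = 0, False
    for b in value[1:]:                     # remaining arcs are base-128, high bit = more
        acc, pending = (acc << 7) | (b & 0x7F), bool(b & 0x80)
        if not pending:
            arcs.append(acc)
            acc = 0
    if pending:
        raise ValueError("truncated OID arc")
    return ".".join(str(a) for a in arcs)


def parse_snmpv1(packet):
    """Decode one SNMPv1/v2c message; returns a dict with the security-relevant fields."""
    tag, body, end = read_tlv(packet, 0)
    if tag != 0x30 or end != len(packet):
        raise ValueError("not a single SNMP message SEQUENCE")
    tag, ver, pos = read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("version must be INTEGER")
    version = int.from_bytes(ver, "big")
    tag, community, pos = read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("community must be OCTET STRING")
    pdu_tag, pdu, _ = read_tlv(body, pos)
    if pdu_tag not in PDU_TYPES:
        raise ValueError("unknown PDU tag 0x%02x" % pdu_tag)
    p = 0
    for _ in range(3):                      # request-id, error-status, error-index
        _, _, p = read_tlv(pdu, p)
    _, varbinds, _ = read_tlv(pdu, p)
    oids, q = [], 0
    while q < len(varbinds):
        _, vb, q = read_tlv(varbinds, q)
        oid_tag, oid_val, _ = read_tlv(vb, 0)
        if oid_tag != 0x06:
            raise ValueError("varbind does not start with an OID")
        oids.append(decode_oid(oid_val))
    comm = community.decode("latin-1")
    return {"version": VERSIONS.get(version, "v%d" % version), "community": comm,
            "pdu": PDU_TYPES[pdu_tag], "oids": oids,
            "default_community": comm.lower() in DEFAULT_COMMUNITIES}


def flag_default_communities(payloads):
    """Return (index, community, pdu) for each payload still using a default community."""
    flagged = []
    for i, payload in enumerate(payloads):
        try:
            msg = parse_snmpv1(payload)
        except ValueError:
            continue                        # not SNMPv1/v2c or malformed: skip, do not flag
        if msg["default_community"]:
            flagged.append((i, msg["community"], msg["pdu"]))
    return flagged


# Constructed GetRequest for 1.3.6.1.2.1.1.2.0 with community 'public'.
SAMPLE_GET_PUBLIC = bytes.fromhex(
    "3026" "020100" "0406" "7075626c6963" "a019" "020101" "020100" "020100"
    "300e" "300c" "0608" "2b06010201010200" "0500")
# Same request with a constructed non-default community 'Zq7!'.
SAMPLE_GET_CUSTOM = bytes.fromhex(
    "3024" "020100" "0404" "5a713721" "a019" "020101" "020100" "020100"
    "300e" "300c" "0608" "2b06010201010200" "0500")

if __name__ == "__main__":
    for pkt in (SAMPLE_GET_PUBLIC, SAMPLE_GET_CUSTOM):
        print(parse_snmpv1(pkt))
    print(flag_default_communities([SAMPLE_GET_PUBLIC, SAMPLE_GET_CUSTOM]))
```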
SNMP Enumeration Countermeasures

* The simplest way to prevent such activity is to remove the SNMP agent or turn off the SNMP service.
* If shutting off SNMP is not an option, then change the default 'public' community name.
* Implement the Group Policy security option called Additional restrictions for anonymous connections.
* Access to null session pipes and null session shares, and IPSec filtering, should also be restricted.

Identifying Accounts

Two powerful NT/2000 enumeration tools are:

* sid2user
* user2sid

They can be downloaded at www.chem.msu.su/~rudnyi/NT/. These are command line tools that look up NT SIDs from username input and vice versa.

user2sid and sid2user are two small utilities for Windows NT/2000 that allow the user to query the SAM and find out the SID value for a given account name and vice versa. These utilities are actually command line interfaces to the Win32 functions LookupAccountName and LookupAccountSid. It happens that to use these functions a user has only to be EVERYONE. This means that an ordinary user can find without a problem the built-in domain administrator name, which MS recommends us to rename from Administrator to something else.

User2sid.exe can retrieve a SID from the SAM (Security Accounts Manager) on the local or a remote machine. Sid2user.exe can then be used to retrieve the names of all the user accounts and more. Windows NT/2000 keeps track of user accounts and groups with Security Identifiers, or SIDs. All SIDs are unique within a given system and are issued by what is known as an "Authority", such as a domain. There are five authorities:

* SECURITY_NULL_SID_AUTHORITY (null user)
* SECURITY_WORLD_SID_AUTHORITY (everyone)
* SECURITY_LOCAL_SID_AUTHORITY (local user)
* SECURITY_CREATOR_SID_AUTHORITY (creator owner / group)
* SECURITY_NT_AUTHORITY

Note the default SIDs that capture a cracker's interest:

* Administrator S-1-5-21-<........................>-500 and Guest S-1-5-21-<........................>-501
* Domain Admins S-1-5-21-<........................>-512
* Domain Users S-1-5-21-<........................>-513
* Domain Guests S-1-5-21-<........................>-514

Let us take a look at the attack. Here we try for the default built-in Administrator account, and we get access to more information such as the domain and the number of sub-authorities. Had we found the default guest account, we could escalate it to the Administrators group by changing the RID using sid2user.

c:\>sid2user \\196.xxx.xxx.xx 5 21 1123561549 1788223846 725345447 500

This will change the guest account to that of an administrator account. The last three digits (here 500) are the registered ID. Once a RID has been issued it will never be used again. Any group or user that is not created by default will have a RID of 1000 or greater.

Net use, user2sid and sid2user all operate over TCP port 139 (NetBIOS session). The reason why these utilities work despite having ACLs in place is that LookupAccountName and LookupAccountSid don't have ACLs on them.
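The fixed RIDs listed above (500, 501, 512, 513, 514) are what make the built-in accounts identifiable whatever they have been renamed to, and the same fact lets an administrator audit an account export. The following Python is an added example, not code from the original post or from the sid2user/user2sid tools: it parses SID strings of the S-1-5-21-<domain>-RID form shown above and flags the two conditions the text warns about (a RID 500 account still named Administrator, an enabled Guest). The account list is constructed for this example; it reuses the domain values from the sid2user command line.

```python
"""Parse Windows SIDs and audit an account list by RID.

A SID string has the form S-<revision>-<authority>-<subauthority>...; for
domain accounts the text shows S-1-5-21-<three domain values>-<RID>, with
fixed RIDs for the built-in accounts (500 Administrator, 501 Guest, 512
Domain Admins, 513 Domain Users, 514 Domain Guests).  Because the RID is
fixed, an auditor can check those accounts whatever they have been renamed
to.  The account list at the bottom is constructed for this example.
"""
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 512: "Domain Admins",
                   513: "Domain Users", 514: "Domain Guests"}
NT_AUTHORITY = 5          # SECURITY_NT_AUTHORITY
ANONYMOUS_LOGON = "S-1-5-7"


def parse_sid(sid):
    """Split a SID string into revision, authority, subauthorities and RID.

    'domain' is the three-value domain identifier for S-1-5-21-... SIDs
    and None otherwise; 'rid' is the final subauthority (None if there is
    none).  Raises ValueError for malformed input.
    """
    parts = sid.strip().split("-")
    if len(parts) < 3 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError("not a well-formed SID: %r" % sid)
    numbers = [int(p) for p in parts[1:]]
    revision, authority, subs = numbers[0], numbers[1], numbers[2:]
    is_domain_sid = authority == NT_AUTHORITY and len(subs) >= 5 and subs[0] == 21
    return {
        "revision": revision,
        "authority": authority,
        "subauthorities": subs,
        "rid": subs[-1] if subs else None,
        "domain": tuple(subs[1:4]) if is_domain_sid else None,
    }


def classify(sid):
    """Name the account type a SID denotes, independent of its current name."""
    if sid == ANONYMOUS_LOGON:
        return "Anonymous Logon (null session)"
    info = parse_sid(sid)
    if info["domain"] is None:
        return "other well-known SID"
    if info["rid"] in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[info["rid"]]
    return "custom account or group" if info["rid"] >= 1000 else "other built-in"


def audit_accounts(accounts):
    """Return (name, finding) pairs for the conditions the text warns about.

    accounts: iterable of (name, sid, enabled) tuples as an administrator
    would export them.  Findings: the RID 500 account still carrying its
    default name, and an enabled Guest (RID 501).
    """
    findings = []
    for name, sid, enabled in accounts:
        info = parse_sid(sid)
        if info["domain"] is None:
            continue
        if info["rid"] == 500 and name.lower() == "administrator":
            findings.append((name, "built-in Administrator (RID 500) still has its default name"))
        if info["rid"] == 501 and enabled:
            findings.append((name, "Guest account (RID 501) is enabled"))
    return findings


# Constructed account export; the domain identifier is the one from the sid2user line above.
SAMPLE_ACCOUNTS = [
    ("Administrator", "S-1-5-21-1123561549-1788223846-725345447-500", True),
    ("Guest",         "S-1-5-21-1123561549-1788223846-725345447-501", True),
    ("jsmith",        "S-1-5-21-1123561549-1788223846-725345447-1001", True),
    ("Domain Admins", "S-1-5-21-1123561549-1788223846-725345447-512", True),
]

if __name__ == "__main__":
    for name, sid, _ in SAMPLE_ACCOUNTS:
        print("%-15s %s -> %s" % (name, sid, classify(sid)))
    for name, finding in audit_accounts(SAMPLE_ACCOUNTS):
        print("FINDING: %s: %s" % (name, finding))
```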

SNMP Enumeration Countermeasures

Countermeasure: Do not install the Management and Monitoring Windows component if it is not going to be used. If it is required, ensure that only legally authorized persons have access to it; otherwise it can turn into an obvious backdoor. Edit the Registry to permit only approved access to the SNMP community name.
Countermeasure: Change the community names to properly configured ones, preferably private community names (not the default "public"). Where possible, restrict access to the SNMP agent; by restriction we mean allowing SNMP requests only from specific addresses. Additionally, these requests should be restricted to read-only wherever possible. All these configurations can be done by changing the properties of the 'SNMP Service' (Start/Administrative Tools/Services).
Countermeasure: Authenticate/encrypt using IPSec. SNMP (v1) may not have adequate authentication and encryption facilities built in, but this is where IPSec can come to the rescue: IPSec policies can be defined on the monitored systems and management stations so that all SNMP traffic is authenticated and/or encrypted.
Countermeasure: Collect traps. If SNMP is enabled, monitor the Windows 2000 event logs. Effective auditing can actually raise the level of security.
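One way to check the community and address restrictions above on an exported Windows SNMP configuration, as an added example that is not part of the original post: it parses a .reg export of the SNMP service parameters and reports the weak settings. The registry paths under SNMP\Parameters and the rights encoding (4 = READ ONLY, 8 = READ WRITE, 16 = READ CREATE) are assumptions from Microsoft's documentation as I recall it and should be verified for your Windows version; the .reg text is constructed.

```python
# Assumed encoding of ValidCommunities rights values (from Microsoft's
# SNMP service documentation as recalled; verify for your Windows version):
# 1 NONE, 2 NOTIFY, 4 READ ONLY, 8 READ WRITE, 16 READ CREATE.
RIGHTS = {1: "NONE", 2: "NOTIFY", 4: "READ ONLY", 8: "READ WRITE", 16: "READ CREATE"}
SNMP_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters"

# Constructed .reg export of an SNMP service with weak settings.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities]
"public"=dword:00000008
"n3tOps-ro"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\PermittedManagers]
"""

def parse_reg(text):
    """Return {key path: {value name: raw data}} for a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"') and '"=' in line:
            name, data = line[1:].split('"=', 1)
            keys[current][name] = data
    return keys

def audit_snmp(reg_text):
    """Check the SNMP service settings against the countermeasures above."""
    keys = parse_reg(reg_text)
    findings = []
    communities = keys.get(SNMP_KEY + r"\ValidCommunities", {})
    for name, data in communities.items():
        if not data.startswith("dword:"):
            continue
        rights = RIGHTS.get(int(data[len("dword:"):], 16), "UNKNOWN")
        if name.lower() == "public":
            findings.append("default community name 'public' is enabled")
        if rights in ("READ WRITE", "READ CREATE"):
            findings.append("community %r grants %s; make it read-only" % (name, rights))
    # An empty or missing PermittedManagers key means requests from any host.
    if not keys.get(SNMP_KEY + r"\PermittedManagers"):
        findings.append("no PermittedManagers entries: agent accepts requests from any host")
    return findings
```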

Enumeration Tools

Hacking Tool: Enum

enum is a console-based Win32 information enumeration utility written by Jordan Ritter to enumerate Win NT/2000 information using null and user sessions.
Using null sessions, enum can retrieve user lists, machine lists, share lists, name lists, group and membership lists, and password and LSA policy information.
enum is also capable of a rudimentary brute force dictionary attack on individual accounts.

Hacking tool: Userinfo

• Userinfo is a small utility that retrieves all available information about any known user from any NT/Win2k system on which you can reach port 139.
• Specifically calling the NetUserGetInfo API at level 3, Userinfo returns standard information such as:
◦ SID and primary group
◦ logon restrictions and smart card requirements
◦ special group information
◦ password expiration information and password age
• This application works as a null user, even if RestrictAnonymous (RA) is set to 1 to specifically deny anonymous enumeration.

Hacking Tool: GetAcct

GetAcct sidesteps "RestrictAnonymous=1" and acquires account information on Windows NT/2000 machines. Input the IP address or NetBIOS name of the target computer in the "Remote Computer" column, and a number of 1000 or more in the "End of RID" column. The RID is the user's relative identifier, which the Security Account Manager assigns when the user is created; therefore, with 100 users, the value to input is 1100.
GetAcct opens an anonymous login and shows the information that leaks through it:
◦ an enumeration of user IDs
◦ account names and full names
◦ password age
◦ user groups the user is a member of
◦ account type
◦ whether the account is disabled or locked
◦ password policies
◦ last logon time, number of logons
◦ bad password count
◦ quotas

Top20 Scan Method : Hacking Web Servers

This method scans the web server for the top 20 vulnerabilities list published by SANS/FBI (www.sans.org).

Hacking Tool: WebInspect


  • WebInspect is an impressive Web server and application-level vulnerability scanner which scans over 1500 known attacks.

  • It checks site contents and analyzes for rudimentary application-issues like smart guesswork checks, password guessing, parameter passing, and hidden parameter checks.

  • It can analyze a basic Web server in 4 minutes, cataloging over 1500 HTML pages.
WebInspect enables application and web services developers to automate the discovery of security vulnerabilities as they build applications, access detailed steps for remediation of those vulnerabilities and deliver secure code for final quality assurance testing.
With WebInspect, the developer can find and correct vulnerabilities at their source, before attackers can exploit them. WebInspect provides the technology necessary to identify vulnerabilities at the next level, the Web application.
Network Tool: Shadow Security Scanner


  • Shadow Security Scanner is designed to identify known and unknown vulnerabilities, suggest fixes for identified vulnerabilities, and report possible security holes within a network's Internet, intranet and extranet environments.

  • Shadow Security Scanner includes vulnerability auditing modules for many systems and services.
    These include NetBIOS, HTTP, CGI and WinCGI, FTP, DNS, DoS vulnerabilities, POP3, SMTP, LDAP, TCP/IP, UDP, Registry, Services, Users and accounts, Password vulnerabilities, publishing extensions, MSSQL, IBM DB2, Oracle, MySQL, PostgreSQL, Interbase, MiniSQL and more.
Running on its native Windows platform, SSS also scans servers built on practically any platform, successfully revealing vulnerabilities in Unix, Linux, FreeBSD, OpenBSD, NetBSD, Solaris and, of course, Windows 95/98/ME/NT/2000/XP/.NET. Because of its unique architecture, SSS is able to detect faults in Cisco, HP and other network equipment. It is also capable of tracking more than 2,000 audits per system.
The Rules and Settings Editor will be essential for users who want to scan only the desired ports and services without wasting time and resources on scanning other services. Flexible tuning lets system administrators manage scanning depth and other options, benefiting from speed-optimized network scanning without any loss in scanning quality.
Countermeasures


  • IISLockdown:

    • IISLockdown restricts anonymous access to system utilities as well as the ability to write to Web content directories.

    • It disables Web Distributed Authoring and Versioning (WebDAV).

    • It installs the URLScan ISAPI filter.

  • URLScan:

    • URLScan is a security tool that screens all incoming requests to the server by filtering the requests based on rules that are set by the administrator.
Filtering requests helps secure the server by ensuring that only valid requests are processed. UrlScan helps protect Web servers because most malicious attacks share a common characteristic: they involve a request that is unusual in some way. For instance, the request might be extremely long, request an unusual action, be encoded using an alternate character set, or include character sequences that are rarely seen in legitimate requests. By filtering unusual requests, UrlScan helps prevent such requests from reaching the server and potentially causing damage.
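The screening idea described above, as an added example that is not URLScan's own code or rule set: a request-line filter that rejects over-long URLs, unexpected verbs, alternate-character-set encodings and rarely seen character sequences, checked after one round of URL decoding. The length limit, verb list and denied sequences are assumptions chosen for the example, and the request lines are constructed.

```python
from urllib.parse import unquote

# Assumed screening rules for this example (not URLScan's shipped defaults):
# a URL length cap, an allow-list of verbs, and sequences rarely seen in
# legitimate requests. '%' is checked after decoding, so it catches double encoding.
MAX_URL_LENGTH = 260
ALLOWED_VERBS = {"GET", "HEAD", "POST"}
DENIED_SEQUENCES = ["..", "./", "\\", "%"]

# Constructed request lines (first line of each HTTP request).
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1",
    "PROPFIND /docs/ HTTP/1.1",
    "GET /images/../../private/config.txt HTTP/1.1",
    "GET /" + "A" * 400 + " HTTP/1.1",
    "GET /caf%C3%A9.html HTTP/1.1",
    "GET /a%252e%252e/b HTTP/1.1",
    "POST /login.asp?user=bob HTTP/1.1",
]

def screen_request(request_line):
    """Return the rule that rejects the request line, or None if it passes."""
    try:
        verb, url, _version = request_line.split(" ", 2)
    except ValueError:
        return "malformed request line"
    if verb not in ALLOWED_VERBS:
        return "verb %s not allowed" % verb
    if len(url) > MAX_URL_LENGTH:
        return "URL longer than %d characters" % MAX_URL_LENGTH
    decoded = unquote(url)
    # Anything outside ASCII after decoding is treated as an alternate character set.
    if any(ord(ch) > 127 for ch in decoded):
        return "non-ASCII characters in URL"
    for seq in DENIED_SEQUENCES:
        if seq in decoded:
            return "denied sequence %r in URL" % seq
    return None

def screen_all(request_lines):
    """Screen a batch of request lines; returns [(line, verdict)] for the rejects."""
    rejected = []
    for line in request_lines:
        verdict = screen_request(line)
        if verdict:
            rejected.append((line, verdict))
    return rejected
```

The non-ASCII rule is deliberately conservative: it also rejects legitimate UTF-8 paths such as the "café" sample, which is the trade-off the text describes between filtering unusual requests and serving valid ones.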

Summary


  • Web servers assume critical importance in the realm of Internet security.

  • Vulnerabilities exist in different releases of popular web servers and respective vendors patch these often.

  • The inherent security risks owing to compromised web servers affect the local area networks that host these web sites, and even ordinary users of web browsers.

  • The long list of vulnerabilities discovered and patched over the past few years gives an attacker ample scope to plan attacks against unpatched servers.

  • Different tools and exploit codes aid an attacker in perpetrating web server hacking.

  • Countermeasures include scanning for existing vulnerabilities and patching them immediately, restricting anonymous access, and screening and filtering incoming requests.