Slide 1
Enumeration

Slide 2
Local IP addresses
(review) Some special IP addresses
localhost: 127.0.0.1 (loopback address; the whole 127.0.0.0/8 block is reserved for loopback)
Internal (private, RFC 1918) networks:
Class A: 10.0.0.0 to 10.255.255.255 (10.0.0.0/8)
Class B: 172.16.0.0 to 172.31.255.255 (172.16.0.0/12)
Class C: 192.168.0.0 to 192.168.255.255 (192.168.0.0/16)
Machines behind a firewall (NAT gateway) can use these internal addresses to communicate among themselves; the addresses are never routed on the Internet.
Only the firewall machine/device (host) needs an IP address that is valid on the Internet.
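Added example (not from the slides): a small classifier for the ranges listed above, with the prefix match done by hand so the bit boundaries are visible. It shows why the Class B block runs to 172.31.255.255 and the Class C block to 192.168.255.255. The host list at the bottom is constructed.

```python
# Added example (not from the slides): classify IPv4 addresses against the
# loopback and RFC 1918 private ranges, matching CIDR prefixes by hand.

# The slide's "172.16.0.0 to 172.31.0.0" is the single /12 block
# 172.16.0.0-172.31.255.255; 192.168.0.0/16 runs to 192.168.255.255.
SPECIAL_RANGES = {
    "loopback":        "127.0.0.0/8",
    "private class A": "10.0.0.0/8",
    "private class B": "172.16.0.0/12",
    "private class C": "192.168.0.0/16",
}

def ip_to_int(ip):
    """Strict dotted-quad parser: exactly four decimal octets 0-255."""
    parts = ip.split(".")
    if len(parts) != 4 or not all(p.isdigit() and 0 <= int(p) <= 255 for p in parts):
        raise ValueError("not a dotted-quad IPv4 address: %r" % ip)
    n = 0
    for p in parts:
        n = (n << 8) | int(p)
    return n

def in_cidr(ip, cidr):
    """True if ip falls inside the network given as 'a.b.c.d/bits'."""
    net, bits = cidr.split("/")
    bits = int(bits)
    mask = (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF   # top `bits` bits set
    return (ip_to_int(ip) & mask) == (ip_to_int(net) & mask)

def classify(ip):
    """Return the range label for ip, or 'public' if it is Internet-routable."""
    for label, cidr in SPECIAL_RANGES.items():
        if in_cidr(ip, cidr):
            return label
    return "public"

def split_hosts(hosts):
    """Partition an enumerated host list into internal and public addresses."""
    internal = [h for h in hosts if classify(h) != "public"]
    public = [h for h in hosts if classify(h) == "public"]
    return internal, public

if __name__ == "__main__":
    # constructed list, as it might come out of an enumeration tool
    for ip in ["127.0.0.1", "10.255.0.7", "172.31.255.254", "172.32.0.1", "8.8.8.8"]:
        print(ip, "->", classify(ip))
```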
Slide 3
What is enumeration?
Categories:
network resources and shares
users and groups
applications and banners
Techniques (OS specific):
Windows
UNIX/Linux
Goal: obtain information about accounts, network resources and shares by connecting to the target's services.
Slide 4
Windows: application and banner enumeration
Telnet and netcat: same in Windows and UNIX.
Telnet: connect to a known port and read the greeting to see which software it is running, as in this example.
Netcat: similar to telnet, but it handles raw TCP/UDP and scripted input, so it provides more information.
Countermeasures: log remote connections in your applications and edit the banners so they do not reveal product and version.
FTP (TCP 21), SMTP (TCP 25): close ftp, use ssh (scp/sftp; we will see it later). Disable telnet on mail servers; use ssh for administration.
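Added example (not from the slides): a scripted version of the telnet/netcat banner grab described above, with a parser that pulls the product out of the usual FTP, SMTP, SSH and HTTP greetings. The banners used for testing are constructed; the grab itself only runs when you give it a host.

```python
# Added example (not from the slides): banner grabbing as telnet/netcat do it,
# plus a parser for the greetings these services send.
import re
import socket
import sys

# FTP, SSH, SMTP, POP3 and IMAP speak first; HTTP waits for a request.
PROBES = {80: b"HEAD / HTTP/1.0\r\n\r\n", 8080: b"HEAD / HTTP/1.0\r\n\r\n"}

def grab_banner(host, port, timeout=3.0):
    """Connect, send the probe registered for the port (if any), return the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        probe = PROBES.get(port)
        if probe:
            s.sendall(probe)
        try:
            return s.recv(1024).decode("latin-1", "replace")
        except socket.timeout:
            return ""

def parse_banner(port, banner):
    """Identify protocol and product from a banner; the port disambiguates
    FTP from SMTP, since both greet with a 220 line."""
    first = next((l.strip() for l in banner.splitlines() if l.strip()), "")
    if first.startswith("SSH-"):
        m = re.match(r"SSH-(?P<ver>[\d.]+)-(?P<product>\S+)", first)
        if m:
            return {"protocol": "ssh", "version": m.group("ver"),
                    "product": m.group("product")}
    if port == 25:
        m = re.match(r"220[ -](?P<host>\S+)(?:\s+E?SMTP)?\s*(?P<product>.*)", first)
        if m:
            return {"protocol": "smtp", "host": m.group("host"),
                    "product": m.group("product").strip() or "unknown"}
    if port == 21:
        m = re.match(r"220[ -](?P<product>.*)", first)
        if m:
            return {"protocol": "ftp", "product": m.group("product").strip()}
    m = re.search(r"^Server:\s*(?P<product>.+?)\s*$", banner, re.M | re.I)
    if m:
        return {"protocol": "http", "product": m.group("product")}
    return {"protocol": "unknown", "product": first}

if __name__ == "__main__":
    # usage: python banner.py HOST PORT
    host, port = sys.argv[1], int(sys.argv[2])
    raw = grab_banner(host, port)
    print(raw.strip())
    print(parse_banner(port, raw))
```

A banner such as the SSH one below hands an attacker the exact product and version; the countermeasure on the slide is to change or suppress it, which is why the parser falls back to "unknown" rather than guessing.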
Registry enumeration: remote registry access is enabled by default in Windows; on Server it is restricted to Administrators only.
Tools: regdmp.exe, DumpSec (see an example and its limitations; more later).
Countermeasures: be sure remote registry access is restricted to Administrators (the ACL on HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg controls who may connect) and that no command prompt is accessible remotely (telnet, etc.).
Slide 5
Windows: sources of information
Protocols providing information: CIFS/SMB and NetBIOS, through TCP port 139 (NetBIOS session service) and the direct SMB port, TCP 445; the NetBIOS name service uses UDP 137. Banner enumeration is not the main issue here: the protocols themselves hand out names, shares and accounts.
Null session command: net use \\19x.16x.11x.xx\IPC$ "" /u:""
(an anonymous connection to the IPC$ share; from it, names, shares and users can be listed)
Countermeasures:
filter out the NetBIOS/SMB ports at the firewall: TCP and UDP 135-139, and TCP 445.
disable NetBIOS over TCP/IP (see the ShieldsUp! page on binding).
restrict anonymous access (RestrictAnonymous) using the Local Security Policy applet. More here.
GetAcct bypasses the RestrictAnonymous setting by enumerating accounts through their SIDs rather than their names (download the GetAcct tool); only closing the ports stops it.
Slide 6
Windows: network resources
NetBIOS enumeration (if the ports are closed, none of these work)
NetBIOS domain hosts: net view (net view /domain lists the domains seen; net view /domain:NAME lists the hosts in one).
NetBIOS name table: nbtstat (nbtstat -A <ip>; see use and example) and nbtscan, which does the same for a whole range (download).
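Added example (not from the slides): the node-status request that nbtstat -A and nbtscan send to UDP 137, and a parser for the name table that comes back, following RFC 1002. It shows what the suffix bytes mean (0x00 host/domain, 0x20 file server, 0x03 messenger name, i.e. a logged-on user) and pulls the adapter MAC out of the reply. The reply used for testing is constructed, not captured; query_node_status is the only part that touches the network.

```python
# Added example (not from the slides): NetBIOS node-status query (what
# nbtstat -A / nbtscan send) and a parser for the returned name table.
import socket
import struct

NBSTAT = 0x0021          # node status record type (RFC 1002)

def encode_nb_name(name, suffix=0x00):
    """First-level encoding: 16 raw bytes -> 32 letters A-P, length-prefixed, NUL-terminated."""
    if name == "*":
        raw = b"*" + b"\x00" * 15                      # wildcard name used by node-status queries
    else:
        raw = name.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([suffix])
    enc = bytearray()
    for b in raw:
        enc += bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)])
    return bytes([len(enc)]) + bytes(enc) + b"\x00"

def build_node_status_query(trn_id=0x1234):
    header = struct.pack("!HHHHHH", trn_id, 0x0000, 1, 0, 0, 0)   # one question, no flags
    return header + encode_nb_name("*") + struct.pack("!HH", NBSTAT, 0x0001)

def parse_node_status_response(data):
    """Return {'names': [{name, suffix, group}], 'mac': ...} from a node-status reply."""
    trn_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    if not flags & 0x8000 or an == 0:
        raise ValueError("not a node-status response")
    off = 12 + qd * 38                        # skip echoed questions (34-byte name + type/class)
    off += 34                                 # answer name (same wildcard encoding)
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
    off += 10
    if rtype != NBSTAT:
        raise ValueError("unexpected record type 0x%x" % rtype)
    count = data[off]
    off += 1
    names = []
    for _ in range(count):                    # 18 bytes per entry: 15 name, 1 suffix, 2 flags
        raw = data[off:off + 18]
        off += 18
        names.append({"name": raw[:15].rstrip(b" \x00").decode("latin-1"),
                      "suffix": raw[15],
                      "group": bool(struct.unpack("!H", raw[16:18])[0] & 0x8000)})
    mac = ":".join("%02X" % b for b in data[off:off + 6])   # unit ID = adapter MAC
    return {"names": names, "mac": mac}

def summarize(table):
    """What nbtstat output tells an attacker: host, domain, file sharing, logged-on user."""
    host = domain = user = None
    file_server = False
    for e in table["names"]:
        if e["suffix"] == 0x00 and not e["group"] and host is None:
            host = e["name"]
        elif e["suffix"] == 0x00 and e["group"] and domain is None:
            domain = e["name"]
        elif e["suffix"] == 0x20 and not e["group"]:
            file_server = True                # server service registered: shares are offered
        elif e["suffix"] == 0x03 and not e["group"] and e["name"] != host:
            user = e["name"]                  # messenger name registered for a user
    return {"host": host, "domain": domain, "file_server": file_server,
            "logged_on_user": user, "mac": table["mac"]}

def query_node_status(ip, timeout=2.0):
    """Send the query to UDP 137 on a live host and parse the reply."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.sendto(build_node_status_query(), (ip, 137))
        data, _ = s.recvfrom(1024)
    finally:
        s.close()
    return parse_node_status_response(data)

# --- constructed sample reply (not a capture) for offline testing ---
def name_entry(name, suffix, group):
    flags = 0x8400 if group else 0x0400       # bit 15 = group name; 0x0400 = ACT (active)
    return name.encode("ascii").ljust(15, b" ") + bytes([suffix]) + struct.pack("!H", flags)

def sample_response(trn_id=0x1234):
    entries = (name_entry("FILESRV01", 0x00, False) + name_entry("FILESRV01", 0x20, False)
               + name_entry("CORP", 0x00, True) + name_entry("CORP", 0x1C, True)
               + name_entry("JSMITH", 0x03, False))
    rdata = bytes([5]) + entries + bytes.fromhex("000c29abcdef") + b"\x00" * 40  # MAC + zeroed statistics
    header = struct.pack("!HHHHHH", trn_id, 0x8400, 0, 1, 0, 0)   # response, authoritative, 1 answer
    rr = encode_nb_name("*") + struct.pack("!HHIH", NBSTAT, 0x0001, 0, len(rdata))
    return header + rr + rdata
```

Against a real host, `summarize(query_node_status("10.0.0.5"))` gives the same dictionary as the sample; if UDP 137 is filtered the call times out, which is exactly the "if the port is closed, none of these work" case on the slide.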
NetBIOS shares: DumpSec, NetBIOS Auditing Tool (NAT), NBTdump (use, output), ShareEnum (download, example).
Countermeasures: as discussed previously => close ports 135-139 and 445, disable NetBIOS over TCP/IP.
SNMP enumeration (UDP 161): SolarWinds IP Network Browser (commercial); with a guessable community string (the default is "public") it reads the whole MIB, including Windows user and share tables.
Countermeasures: block UDP 161/162 at the firewall, change the default community strings, and restrict which management stations may query the agent. (Port 445 belongs to the SMB countermeasures above, not to SNMP.)
Windows DNS zone transfers: Active Directory is based on DNS (domain controllers and services are published as SRV records), so an open zone transfer lists the whole domain, a new vulnerability; but Windows provides a tool -- the DNS snap-in reachable through the "Computer Management" Microsoft Management Console (MMC), Zone Properties, Zone Transfers tab -- to restrict zone transfers to certain IP addresses.
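Added example (not from the slides): a check that the port-closing countermeasures from slides 5 and 6 actually hold, by attempting a TCP connect to each port the enumeration techniques rely on. The port list and descriptions are mine; UDP 137/138 (NetBIOS) and UDP 161 (SNMP) are left out because a plain connect() cannot tell an open UDP port from a filtered one. The self-check opens a throwaway listener on localhost so the block can be run without a target.

```python
# Added example (not from the slides): verify that the TCP ports used for
# Windows enumeration are closed or filtered from the attacker's position.
import socket

ENUMERATION_TCP_PORTS = {
    53:   "DNS (zone transfers run over TCP)",
    135:  "MSRPC endpoint mapper",
    139:  "NetBIOS session service / SMB",
    389:  "LDAP (Active Directory)",
    445:  "SMB over TCP",
    3268: "Global Catalog (LDAP)",
}

def tcp_port_open(host, port, timeout=1.0):
    """True if a TCP connect() completes; refused, filtered and timed out all count as closed."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return True
    except OSError:
        return False
    finally:
        s.close()

def exposure_report(host, ports=ENUMERATION_TCP_PORTS, timeout=1.0):
    """Map each port to (description, reachable?) for the given host."""
    return {p: (desc, tcp_port_open(host, p, timeout)) for p, desc in ports.items()}

def listening_ports(report):
    return sorted(p for p, (_, is_open) in report.items() if is_open)

def hardened(report):
    """The countermeasure holds only if none of the enumeration ports answers."""
    return not listening_ports(report)

def self_check():
    """Sanity check against a local listener: returns (open-port result, closed-port result)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    open_port = srv.getsockname()[1]
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]      # bound then released: nothing listens there
    probe.close()
    try:
        report = exposure_report("127.0.0.1", {open_port: "test listener",
                                               closed_port: "nothing here"})
    finally:
        srv.close()
    return report[open_port][1], report[closed_port][1]

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    rep = exposure_report(target)
    for port, (desc, is_open) in sorted(rep.items()):
        print("%5d %-40s %s" % (port, desc, "OPEN" if is_open else "closed/filtered"))
    print("hardened:", hardened(rep))
```

Run it from outside the firewall, not from the LAN: the slide's point is that these ports may legitimately be open internally while being filtered at the perimeter.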
Slide 7
Windows: user and group enumeration
Enumerating users via NetBIOS: usernames and (common) passwords. enum (NBTEnum): see use and output. DumpSec: see output.
Countermeasures: as before (close the ports, no NetBIOS over TCP/IP).
Using sid2user and user2sid (download them here): user2sid turns one known account name into its SID, and sid2user then asks for the same domain SID with successive RIDs, listing the accounts one by one. RID 500 is always the built-in Administrator, whatever it has been renamed to.
Using Cain and Abel for both network resources and user and group enumeration. See the manual and download. We will use it again in future classes for more involved uses.
Enumerating users using SNMP: SolarWinds IP Network Browser. See also snmputil.
Windows Active Directory enumeration using ldp: Windows 2000 added LDAP through Active Directory -- you log in once (the good) and have access to all resources (the security problem); ldp.exe lets anyone who can bind browse the users, groups and computers of the directory.
Countermeasures: close (filter at the perimeter) ports 389 (LDAP) and 3268 (Global Catalog). You will not practice this in the course.
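Added example (not from the slides): the user2sid/sid2user technique in code. The lookup is an in-memory directory standing in for LookupAccountSid (or a wrapper around sid2user.exe) on a real Windows host; the domain SID, RIDs and names are constructed. It shows the two steps (strip the RID from a known SID, then walk RIDs from 500 upwards) and why a renamed Administrator is still found.

```python
# Added example (not from the slides): SID walking as user2sid/sid2user do it.
import re

# Relative identifiers that Windows assigns to fixed principals in every domain.
WELL_KNOWN_RIDS = {
    500: "Administrator (built-in; RID is fixed even if the account is renamed)",
    501: "Guest (built-in)",
    502: "krbtgt",
    512: "Domain Admins",
    513: "Domain Users",
    514: "Domain Guests",
    515: "Domain Computers",
    516: "Domain Controllers",
    519: "Enterprise Admins",
}

SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")

def parse_sid(sid):
    """'S-1-5-21-a-b-c-rid' -> (identifier authority, [sub-authorities...])."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError("malformed SID: %r" % sid)
    return int(m.group(1)), [int(x) for x in m.group(2).split("-")[1:]]

def domain_sid_of(account_sid):
    """user2sid step: everything but the last sub-authority (the RID) names the domain."""
    auth, subs = parse_sid(account_sid)
    return "S-1-%d-%s" % (auth, "-".join(str(s) for s in subs[:-1])), subs[-1]

def walk_rids(domain_sid, lookup, rids):
    """sid2user step: resolve domain_sid + RID for each candidate and keep the hits.
    lookup(sid_string) returns an account name, or None if the SID does not exist."""
    found = []
    for rid in rids:
        name = lookup("%s-%d" % (domain_sid, rid))
        if name is not None:
            found.append((rid, name, WELL_KNOWN_RIDS.get(rid, "")))
    return found

def find_administrator(found):
    """The real Administrator is whatever name RID 500 resolves to."""
    for rid, name, _ in found:
        if rid == 500:
            return name
    return None

# Constructed directory (not real data): the admin account has been renamed to 'sysop'.
SAMPLE_DIRECTORY = {
    "S-1-5-21-1111-2222-3333-500":  "CORP\\sysop",
    "S-1-5-21-1111-2222-3333-501":  "CORP\\Guest",
    "S-1-5-21-1111-2222-3333-512":  "CORP\\Domain Admins",
    "S-1-5-21-1111-2222-3333-513":  "CORP\\Domain Users",
    "S-1-5-21-1111-2222-3333-1000": "CORP\\jsmith",
    "S-1-5-21-1111-2222-3333-1001": "CORP\\svc_backup",
}

if __name__ == "__main__":
    # Start from one SID the attacker already obtained (jsmith's, via user2sid).
    domain, _ = domain_sid_of("S-1-5-21-1111-2222-3333-1000")
    for rid, name, note in walk_rids(domain, SAMPLE_DIRECTORY.get, range(500, 1100)):
        print(rid, name, note)
    print("Administrator is really:", find_administrator(walk_rids(domain, SAMPLE_DIRECTORY.get, [500])))
```

Ordinary accounts get RIDs from 1000 upwards in creation order, which is why the walk starts at 500 and runs a few hundred RIDs past the last hit; renaming Administrator hides nothing from this technique, only the port filtering on the previous slides does.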