
Enumeration

Enumeration is THE phase of the attack that should be detected: it is the most intrusive phase and, unlike the previous two (footprinting and scanning), it generates a lot of noise. The attacker's objective in this phase is to find and identify all the services running on the target machines, together with their versions, in order to know which vulnerabilities they have and exploit them.

The scope of enumeration is smaller than the scope of scanning: in this phase the attacker focuses on a subset of the systems analyzed in the previous phase. There are several reasons why the scope is smaller:

In this phase the attacker wants to collect user account names and misconfigured shared files, and to see whether vulnerable versions of services are in use. To obtain all this information, active connections and interactions with the target have to be performed, so all the attacker's activities should be logged, and an IDS (and humans) should be able to detect them.

It is also important to note that enumeration may lead to further footprinting and scanning: these steps are not sequential but iterative, and the attacker can perform all of them again on different parts of the target network.

Like footprinting and scanning, enumeration is composed of different sub-phases:

Service Footprinting

The attacker's objective here is to find which version and patch level of the software the services are running. It can be done manually or automatically; both have pros and cons:

nmap is a great tool that can also be used for automatic service footprinting; two modes are available. In the default mode nmap only guesses the service running on a port from the port number, using its internal database of common port/service associations (the nmap-services file), so it is somewhat passive. With version detection (-sV) it uses an active approach that is much more precise but a lot noisier: nmap sends probes to each open port and matches the responses against its signature database, trying to identify the specific service, version and vendor running behind that port.

Vulnerability Scanning

Vulnerability scanning is performed using a database of known vulnerability signatures; some vulnerability scanners are free to use (OpenVAS) and some are not (Nessus). Nessus in particular is a very powerful tool that can perform exhaustive scans and allows the use of custom plugins.

Countermeasures

Intrusion Detection Systems can detect Nessus behaviour and, in general, slow down the scan by redirecting the attacker to softer targets or honeypots. It is important to note that credible honeypots are really expensive to maintain.

A lot of services put a banner in their responses to requests. Banner grabbing can be done manually or automatically; using the telnet command it is possible to request a banner from a given service:

	telnet www.example.com 80

On the other hand, netcat (nc) can be used to perform basic automatic grabbing by feeding it an input file containing multiple requests.

Banners can expose a lot of sensitive information, like the vendor and version of the software, that can be used in combination with a database of known vulnerabilities to select exploits.

Shut down unnecessary services to limit the number of vulnerabilities that an attacker can exploit, and use access control lists. As a preventive measure, audit the network regularly and try to disable the presentation of vendor and version in the banners.

Enumeration of common network services

FTP Enumeration (TCP 21)

FTP, File Transfer Protocol, is a protocol used to upload and download files over the Internet. It was very popular before HTTP and today it is still used for web content uploading. FTP has some serious security issues, the worst one being the fact that passwords are sent in clear text.

FTP servers can also enable anonymous accounts, used for serving public content; the ftp command can be used to grab the banner of an FTP server.

Countermeasures

FTP has to be avoided; better alternatives exist: SFTP, the SSH File Transfer Protocol (a file transfer subsystem of SSH, not FTP tunnelled over it), and FTPS, which is FTP over SSL/TLS (little extra: rsync is a very good command that can be used to upload content to a web server over an SSH connection). Of course these are no longer the '80s, so serve public content over HTTP(S), and disallow anonymous FTP and unrestricted uploading.

Telnet

Telnet is the ancestor of SSH; unlike SSH, however, no encryption is used, so credentials and data are sent in clear text. Another problem of Telnet is that it shows banners and permits brute-force username enumeration.

Countermeasures

Telnet should be disabled if not specifically needed; use SSH instead. If Telnet is really needed, restrict it to the proper IP addresses using an ACL and use it through a VPN. It is important to modify or disable the banner info and to configure the service to force a reconnection between failed login attempts.

SMTP

SMTP, Simple Mail Transfer Protocol, is one of the most common email services. It can be enumerated easily using telnet, and old versions of SMTP servers contain a lot of vulnerabilities. The VRFY and EXPN commands can be sent via a telnet client to an SMTP server to enumerate user account information: the former confirms whether a given mail address is valid, and the latter reveals the actual delivery addresses of aliases and mailing lists. These two commands are part of the protocol, so a server still has to answer them; at most they can be restricted (answered with a non-committal reply, or allowed only to certain authenticated users). Automatic tools like vrfy.pl can be used to do this kind of enumeration.

Countermeasures

Restrict the usage of the EXPN and VRFY commands; modern versions of Sendmail and Microsoft Exchange allow this kind of restriction.
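The VRFY/EXPN exchange described above, and the effect of the restriction recommended as a countermeasure, as an added example that is not part of the original notes. The script contains both sides: a constructed minimal SMTP responder (the users alice and bob, the aliases and the host name mail.example.test are all made up) that can run either unrestricted or with VRFY answered by a non-committal 252 and EXPN refused, and an enumeration client that walks a candidate list with VRFY and expands an alias with EXPN, exactly what vrfy.pl automates:

```python
import socket
import socketserver
import threading

# Constructed mail server state (made up for the example).
USERS = {"alice", "bob"}
ALIASES = {"sales": ["alice@example.test", "bob@example.test"]}


class FakeSmtpHandler(socketserver.StreamRequestHandler):
    """Minimal SMTP responder. `restricted` switches between an open server
    and one configured as the countermeasure section recommends."""
    restricted = False

    def reply(self, text):
        self.wfile.write(text.encode() + b"\r\n")

    def handle(self):
        self.reply("220 mail.example.test ESMTP")
        while True:
            line = self.rfile.readline()
            if not line:
                return
            verb, _, arg = line.decode(errors="replace").strip().partition(" ")
            verb = verb.upper()
            if verb in ("HELO", "EHLO"):
                self.reply("250 mail.example.test")
            elif verb == "VRFY":
                if self.restricted:       # RFC 5321: "cannot verify, will accept"
                    self.reply("252 2.5.2 Cannot VRFY user, but will accept message")
                elif arg in USERS:
                    self.reply(f"250 2.1.5 {arg} <{arg}@example.test>")
                else:
                    self.reply("550 5.1.1 User unknown")
            elif verb == "EXPN":
                if self.restricted:
                    self.reply("502 5.5.1 EXPN command disabled")
                elif arg not in ALIASES:
                    self.reply("550 5.1.1 List unknown")
                else:                     # multi-line reply: 250-... then 250 ...
                    members = ALIASES[arg]
                    for m in members[:-1]:
                        self.reply(f"250-{m}")
                    self.reply(f"250 {members[-1]}")
            elif verb == "QUIT":
                self.reply("221 2.0.0 Bye")
                return
            else:
                self.reply("500 5.5.1 Command unrecognized")


class SmtpEnumerator:
    """Enumeration client: what an attacker types into telnet, automated."""

    def __init__(self, host, port, timeout=5.0):
        self.sock = socket.create_connection((host, port), timeout=timeout)
        self.rfile = self.sock.makefile("rb")
        self.read_reply()                       # server greeting
        self.command("HELO enumerator.example.test")

    def read_reply(self):
        """Return (code, [text lines]); joins multi-line 'NNN-' replies."""
        lines = []
        while True:
            line = self.rfile.readline().decode(errors="replace").rstrip("\r\n")
            if len(line) < 4:
                raise ConnectionError("connection closed")
            lines.append(line[4:])
            if line[3] != "-":
                return int(line[:3]), lines

    def command(self, text):
        self.sock.sendall(text.encode() + b"\r\n")
        return self.read_reply()

    def vrfy_users(self, candidates):
        return [u for u in candidates if self.command(f"VRFY {u}")[0] == 250]

    def expn_list(self, name):
        code, lines = self.command(f"EXPN {name}")
        return lines if code == 250 else []

    def close(self):
        self.command("QUIT")
        self.rfile.close()
        self.sock.close()


def start_fake_smtp(restricted=False):
    handler = type("Handler", (FakeSmtpHandler,), {"restricted": restricted})
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def enumerate_smtp(host, port, candidates=("alice", "bob", "carol"), alias="sales"):
    """Return the valid accounts and the alias members the server gives away."""
    c = SmtpEnumerator(host, port)
    try:
        return {"users": c.vrfy_users(candidates), "alias": c.expn_list(alias)}
    finally:
        c.close()
```

Running enumerate_smtp against the open server yields both users and the alias members; against the restricted one every VRFY gets a 252 and EXPN a 502, so the attacker learns nothing, which is the whole point of the countermeasure.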

DNS Zone Transfers

The DNS protocol allows zone transfers for replication and backup reasons: a zone transfer is a dump of the entire content of a given domain's zone file, normally from the primary to the secondary name servers. This legitimate operation can leak information that an attacker can use further. The nslookup command (the Windows version, with its ls -d subcommand) can be used to request a DNS zone transfer:

	$ nslookup
	
	> ls -d logicname.com

The dig command can also perform a DNS zone transfer (query type AXFR). A misconfigured DNS server can also dump A and HINFO records that may contain a lot of sensitive information, like the operating system's version and similar.

The most common DNS implementation is BIND; the dig command can be used to get the BIND version used on the server (by querying the TXT record version.bind in the CHAOS class, unless the server has been configured to hide it).

DNS Cache Snooping

The cache snooping attack exploits the hierarchical structure of DNS. If a host does a DNS request for the name hello.com and the DNS server has never received a request for that name, it will ask the root DNS servers, then the top-level domain servers and then the authoritative server, and it will cache the result in its memory. If the DNS server receives another request for hello.com it will just return the result it cached previously.

An attacker can use the dig command to check whether a given domain name is cached by a DNS server (sending a non-recursive query, dig +norecurse, which the server answers only from its cache) and use this information, which reveals which sites the organization's users visit, to better plan a phishing attack.
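The non-recursive query that dig +norecurse sends, built by hand, as an added example that is not part of the original notes. It shows both sides: the snooping client clears the RD bit in the DNS header and treats any answer as "this name is in the cache", and a constructed local resolver (the cached name hello.com and the addresses it returns are made up; a real resolver would recurse instead of inventing an answer) that only answers RD=0 queries from its cache, so the second snoop for a name succeeds only after somebody has resolved it normally:

```python
import socket
import socketserver
import struct
import threading

QTYPE_A, QCLASS_IN = 1, 1


def build_query(name, txid, recursion_desired):
    """Build a DNS A query for `name`. With recursion_desired=False the RD
    bit is clear, so a resolver may only answer from what it already has in
    cache: that is the cache snooping trick."""
    flags = 0x0100 if recursion_desired else 0x0000
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)   # one question
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", QTYPE_A, QCLASS_IN)


def _ask(resolver, name, port, timeout, txid, recursion_desired):
    """Send one query over UDP and return the interesting header fields."""
    query = build_query(name, txid, recursion_desired)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (resolver, port))
        resp, _ = s.recvfrom(512)
    rid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", resp[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    return {"rcode": flags & 0xF, "ra": bool(flags & 0x0080), "ancount": an}


def is_cached(resolver, name, port=53, timeout=2.0, txid=0x1234):
    """Cache snooping: non-recursive query; an answer means the name is cached."""
    h = _ask(resolver, name, port, timeout, txid, recursion_desired=False)
    return h["rcode"] == 0 and h["ancount"] > 0


def resolve(resolver, name, port=53, timeout=2.0, txid=0x1234):
    """Ordinary recursive lookup, what a victim's browser does."""
    h = _ask(resolver, name, port, timeout, txid, recursion_desired=True)
    return h["rcode"] == 0 and h["ancount"] > 0


# --- constructed recursive resolver, only so the example runs offline -------

CACHE = {"hello.com": "192.0.2.10"}       # names somebody already looked up


def _read_question(packet):
    """Return (name, end offset of the question section) from a query."""
    labels, pos = [], 12
    while packet[pos] != 0:
        n = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + n].decode())
        pos += 1 + n
    return ".".join(labels), pos + 5             # 0 byte + QTYPE + QCLASS


class _FakeResolver(socketserver.BaseRequestHandler):
    def handle(self):
        data, sock = self.request
        txid, flags = struct.unpack(">HH", data[:4])
        name, qend = _read_question(data)
        rd = flags & 0x0100
        if name not in CACHE and rd:
            CACHE[name] = "192.0.2.99"           # stands in for real recursion
        if name in CACHE:                        # answer: pointer to the qname, A, IN, TTL, 4-byte address
            rr = b"\xc0\x0c" + struct.pack(">HHIH", QTYPE_A, QCLASS_IN, 300, 4)
            rr += socket.inet_aton(CACHE[name])
            hdr = struct.pack(">HHHHHH", txid, 0x8080 | rd, 1, 1, 0, 0)
        else:                                    # RD clear and nothing cached: empty NOERROR
            rr = b""
            hdr = struct.pack(">HHHHHH", txid, 0x8080 | rd, 1, 0, 0, 0)
        sock.sendto(hdr + data[12:qend] + rr, self.client_address)


def start_fake_resolver():
    srv = socketserver.UDPServer(("127.0.0.1", 0), _FakeResolver)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


if __name__ == "__main__":
    srv = start_fake_resolver()
    port = srv.server_address[1]
    for n in ("hello.com", "bank.example"):
        print(n, "cached:", is_cached("127.0.0.1", n, port=port))
    srv.shutdown()
```

Against a real resolver the same is_cached call works unchanged on port 53; the countermeasure below (not answering queries from unauthorized clients at all) is what stops it, since a resolver that answers RD=0 queries from the Internet necessarily reveals its cache.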

Countermeasures

Use separate internal and external DNS servers, so as not to expose internal targets; restrict zone transfers to authorized secondary servers only; and limit which clients can send queries to the server, to reduce the possibility of cache snooping.

TFTP

TFTP is an inherently insecure protocol: it runs in cleartext and no authentication is required. If you know the filename you are good to go, so anyone can grab any file the server exposes; it is used by routers and VoIP telephones to fetch their configuration and firmware. It is important to check the relevant configuration files to make sure that no misconfiguration is in place.
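The "know the filename and you are good to go" point, as an added example that is not part of the original notes: a TFTP read request per RFC 1350 (RRQ, DATA, ACK, ERROR packets) against a constructed local tftpd that, like an unrestricted one, hands any file it has to whoever asks. The file names and contents (router.cfg with a made-up "enable secret" line, firmware.bin) are invented for the example; the server listens on a random port instead of 69 so it runs without privileges:

```python
import socket
import socketserver
import struct
import threading

OP_RRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 3, 4, 5
BLOCK = 512

# Constructed tftpboot directory: filename -> content. On a real device this
# is a router or phone configuration, which often contains credentials.
TFTP_FILES = {
    "router.cfg": b"hostname edge1\nenable secret 5 $1$made$up.hash\n",
    "firmware.bin": bytes(range(256)) * 5,      # 1280 bytes: three DATA blocks
}


def tftp_get(server, filename, port=69, timeout=2.0):
    """Fetch `filename` with a read request in octet mode.
    No credentials are ever exchanged: knowing the name is enough."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        rrq = struct.pack(">H", OP_RRQ) + filename.encode() + b"\x00octet\x00"
        s.sendto(rrq, (server, port))
        data, expected = b"", 1
        while True:
            pkt, peer = s.recvfrom(4 + BLOCK)    # server answers from a new port (its TID)
            op, num = struct.unpack(">HH", pkt[:4])
            if op == OP_ERROR:
                raise FileNotFoundError(pkt[4:].rstrip(b"\x00").decode())
            if op != OP_DATA or num != expected:
                continue                         # duplicate or stray packet
            data += pkt[4:]
            s.sendto(struct.pack(">HH", OP_ACK, num), peer)
            if len(pkt) - 4 < BLOCK:             # a short block ends the transfer
                return data
            expected += 1


class _FakeTftpHandler(socketserver.BaseRequestHandler):
    """Serves TFTP_FILES to anyone who asks, like an unrestricted tftpd."""

    def handle(self):
        pkt, _ = self.request
        if struct.unpack(">H", pkt[:2])[0] != OP_RRQ:
            return
        filename = pkt[2:].split(b"\x00")[0].decode()
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tid:
            tid.settimeout(2.0)
            content = TFTP_FILES.get(filename)
            if content is None:
                err = struct.pack(">HH", OP_ERROR, 1) + b"File not found\x00"
                tid.sendto(err, self.client_address)
                return
            block = 1
            while True:
                chunk = content[(block - 1) * BLOCK:block * BLOCK]
                tid.sendto(struct.pack(">HH", OP_DATA, block) + chunk, self.client_address)
                tid.recvfrom(4)                  # wait for the ACK (no retransmit logic)
                if len(chunk) < BLOCK:
                    return
                block += 1


def start_fake_tftp():
    srv = socketserver.UDPServer(("127.0.0.1", 0), _FakeTftpHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


if __name__ == "__main__":
    srv = start_fake_tftp()
    print(tftp_get("127.0.0.1", "router.cfg", port=srv.server_address[1]).decode())
    srv.shutdown()
```

Note that the only "error" a TFTP server can give an attacker is "File not found": guessing configuration file names (router-config, startup-config, the phone's MAC-based config name) is therefore the whole attack.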

Countermeasures

Tools such as TCP Wrappers can be used to allow only certain clients to access TFTP; of course access to the tftpboot directory has to be restricted, and UDP port 69 has to be blocked at the border firewall.

Finger

Finger is a Unix utility that was used to show the users on a local or remote system, if enabled. Finger derives most of the information it displays from the /etc/passwd file, but it also shows which users are logged in and their idle time, giving the attacker a lot of useful information that could be used for social engineering.

Countermeasures

To stop this kind of information leak, do not run finger and block TCP port 79 at the firewall. If finger is needed for legacy reasons, make sure to use TCP Wrappers to restrict and log its use.

HTTP

Enumerating the make and model of a web server is one of the most common enumeration techniques: each time a new vulnerability affecting web servers is discovered, attackers enumerate the HTTP services in reach looking for vulnerable systems. The HTTP HEAD method is a very clean way to elicit banner info.

	$ nc -v www.example.com 80
	HEAD / HTTP/1.1
	Host: www.example.com
	
	<banner info>

In the example the nc tool is used and the HEAD request is typed into the connection (HTTP/1.1 requires the Host header, and the empty line terminates the request); the output is the banner info of the web server. Today this kind of probe is easily detected by an IDS, and it does not work as-is if the website uses SSL/TLS: in that case redirect the nc connection through an SSL proxy, or just use openssl to perform HTTP enumeration on web servers that use SSL/TLS:

	$ openssl s_client -quiet -connect www.example.com:443
	HEAD / HTTP/1.1
	Host: www.example.com
	
	<banner info>
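The banner grabbing described earlier (telnet/nc against a service) and the HTTP HEAD probe above, automated, as an added example that is not part of the original notes. grab_greeting reads the first line from a service that talks first (FTP, SMTP, SSH); grab_http_banner sends HEAD / and pulls out the Server header. So that it runs offline, the script also starts two constructed local servers whose banners (a vsFTPd-style greeting and an Apache-style Server header) are made up; replace host and port with a real target to use it for real:

```python
import socket
import socketserver
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def grab_greeting(host, port, timeout=3.0):
    """Banner grabbing for protocols that talk first (FTP, SMTP, SSH):
    connect, send nothing, return the first line the server sends."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        data = b""
        while b"\n" not in data:
            chunk = s.recv(1024)
            if not chunk:
                break
            data += chunk
    return data.split(b"\n", 1)[0].rstrip(b"\r").decode("latin-1")


def grab_http_banner(host, port, timeout=3.0):
    """Banner grabbing for HTTP: send HEAD / and return the Server header
    (None if the server does not send one, e.g. because it was disabled)."""
    request = b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n"
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
        data = b""
        while b"\r\n\r\n" not in data:           # read up to the end of the headers
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
    headers = data.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    for line in headers[1:]:                     # headers[0] is the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            return value.strip()
    return None


# --- constructed targets, only so the example runs offline -----------------

class _FtpLikeHandler(socketserver.BaseRequestHandler):
    """Sends a made-up FTP greeting and closes the connection."""

    def handle(self):
        self.request.sendall(b"220 ftp.example.test FTP server (vsFTPd 3.0.3) ready.\r\n")


class _HttpHandler(BaseHTTPRequestHandler):
    server_version = "Apache/2.4.0"      # made-up banner leaking vendor and version
    sys_version = ""                     # do not append the Python version

    def do_HEAD(self):
        self.send_response(200)          # adds the Server and Date headers
        self.send_header("Content-Type", "text/html")
        self.end_headers()

    def log_message(self, *args):
        pass


def start_fake_ftp():
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _FtpLikeHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def start_fake_http():
    srv = HTTPServer(("127.0.0.1", 0), _HttpHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


if __name__ == "__main__":
    ftp, http = start_fake_ftp(), start_fake_http()
    print(grab_greeting("127.0.0.1", ftp.server_address[1]))
    print(grab_http_banner("127.0.0.1", http.server_address[1]))
    ftp.shutdown()
    http.shutdown()
```

For an HTTPS target wrap the socket with ssl.create_default_context().wrap_socket(sock, server_hostname=host) before sending the request, which is what the openssl s_client command above does by hand.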

Another way to gather useful information from a website is to analyze the comments in the HTML source code; there are a lot of automatic tools that crawl sites and report vulnerabilities, look for comments, the robots.txt file and so on. The most commonly used tools are grendel-scan and Sam Spade. These tools are very slow.

Countermeasures

The most common web server implementations (like Apache) allow changing the banner to fool automated scanners; in closed-source web servers like Microsoft Internet Information Services editing the banner can be tricky, but it is fundamental.

Microsoft RPC Endpoint Mapper

Some Windows systems run a remote procedure call endpoint mapper service on TCP 135; interacting with this service can give the attacker useful information: the epdump tool from the Windows Resource Kit can query the MSRPC endpoint mapper and show the services bound to IP addresses and port numbers. More powerful tools for MSRPC enumeration are winfingerprint for Windows and rpcdump.py (from Impacket) for GNU/Linux.

Countermeasures

The best method to prevent an attacker from enumerating MSRPC is to restrict access to TCP 135, but be aware that this will cause problems if a Microsoft Exchange Server is providing mail services to clients on the Internet: Outlook clients need to contact an endpoint mapper to connect to the Exchange Server. To solve this problem a VPN must be used, so that TCP 135 is not exposed to the Internet, or alternatively Outlook Web Access has to be used.

NetBIOS Name Service enumeration

The NetBIOS Name Service was used by Windows machines as their distributed naming system; from Windows 2000 onwards it has been replaced by DNS. However, for backward-compatibility reasons NetBIOS has not been dismissed: it is still active by default and used by all versions of Windows.

The NetBIOS Name Service is easy to enumerate because most of the enumeration tools and techniques are literally built into the OS.

A basic tool that can be used to enumerate NBNS is net view: it lists all the domains available on the network and can then be used to enumerate all the machines inside a particular domain:

	C:\>net view /domain
	
	<output: all domains>
	
	C:\>net view /domain:workgroup
	
	<output: all the machines in the workgroup domain>

Typically net view only works on the local network segment, but it is possible to route NBNS over TCP/IP, allowing enumeration from a remote system. To acquire more information on the Windows network the attacker can use other tools from the Resource Kit: first nltest or netdom to find which machine controls a given domain, then netviewx to find specific services, together with nbtstat to collect information from a single system. Sometimes the attacker is also interested in dumping the whole NetBIOS name table, using nbtscan.

Countermeasures

All the tools and techniques used to enumerate NBNS operate over UDP 137, so to stop unauthorized enumeration block UDP 137 or restrict it to authorized hosts only, and disable the Alerter and Messenger services on each host to prevent user names from appearing in NetBIOS name table dumps. Be aware that blocking UDP 137 will also disable NBNS name resolution, preventing some applications from working.

NetBIOS session

Windows NT-based systems suffer from a notorious weakness that permits an attacker to enumerate systems remotely: the null session. Today null sessions are turned off by default. Null sessions can provide information about shares, user accounts and password policies. To access a file or a printer within a Windows network the Server Message Block (SMB) protocol is used; SMB is accessible via APIs that can return rich information about Windows even without logging in. It is very easy to establish a null session:

	C:\>net use \\<ip_address_of_target>\IPC$ "" /u:""

This command connects to the hidden inter-process communication share as the anonymous user with no password; if successful, the attacker can attempt all the various techniques previously explained to obtain as much information as possible.

Common targets of this kind of enumeration are file shares with misconfigured ACLs: once a null session is established, the attacker can enumerate the names of all file shares using the built-in Microsoft command net view, or using additional tools like srvinfo and srvcheck from Microsoft, or DumpSec.

DumpSec is capable of enumerating everything, from file-system permissions to the services available on a remote system; it also retrieves basic user information over a null connection. NetBIOS scanners such as Sysinternals' ShareEnum offer many ways to scan and check an entire network for exposed shares.

Registry Enumeration

It is important to note that a good source of information about the applications and services installed on a Windows NT machine is the Registry. Registry content can be viewed remotely, but Administrator privileges are needed, so a null session is not enough to enumerate the registry. The reg command or DumpSec can be used to enumerate the registry of a remote machine.

User Enumeration

Another source of useful information that an attacker would enumerate is the list of user account names and their SIDs. A SID is a unique and immutable identifier of a particular security principal, which can be a single user or a group. There are command-line tools capable of obtaining a username from a SID and vice versa (user2sid and sid2user), so if an attacker has obtained SIDs they can also obtain all the usernames of the system's users. When an intruder knows the SID of a machine (or domain), the last part of it is the relative identifier (RID), which takes some standard values: for example, RID 500 is always the built-in Administrator account, even if it has been renamed, and ordinary accounts start at RID 1000, so the attacker can simply walk the RID range to obtain every account name.

sid2user and user2sid work even if RestrictAnonymous is set to 1, as long as port 139 or 445 is accessible. Other tools are winfingerprint, Winfo and NBTEnum 3.3.

Countermeasures

To completely avoid SMB null session enumeration, block TCP ports 139 and 445 at the network perimeter, set the RestrictAnonymous registry key to 1 (or to 2 on Windows 2000 or later) and ensure that the Registry is locked down. It is fundamental to audit regularly with DumpSec.

SNMP

The Simple Network Management Protocol is the de facto standard in network management; it is used by network administrators to configure and remotely manage routers and other devices. Access is controlled by a community string, a shared password ("public" and "private" are the defaults on many devices) that in versions 1 and 2c travels in clear text, so an attacker who guesses it can read the whole MIB of the device: interfaces, routing tables, running processes, user names and more.

Countermeasures

Remove or disable SNMP agents, and change the community string to non-default values (in any case it travels in clear text). It is also important to block port 161 (UDP, and TCP to be safe) at the border of the network and, inside the intranet, to restrict access to a few authorized hosts.

Of course SNMP version 3 provides enhanced encryption and authentication mechanisms; however v1 and v2c are the most commonly installed versions. It is also possible to adjust the Windows NT registry to make SNMP less dangerous (in the case of a Windows server exposing its MIB).

BGP, TCP 179

In order to understand BGP, it is important to know how the Internet is organized.

Internet Infrastructure

There are Tier 1, Tier 2 and Tier 3 networks. Tier 1 networks are Internet providers that can sell connectivity all over the world without buying it from anyone; they own the really big backbone infrastructure that connects continents, and they are fully connected in a mesh topology. Tier 2 ISPs can sell connectivity, but sometimes they also buy it; they have an uplink to a Tier 1. Tier 3 ISPs only buy connectivity (GARR, for example).

The above is very reliable but also very slow; about 20 years ago IXPs (Internet Exchange Points) were introduced, transforming the infrastructure from tree-like into graph-like. An IXP can be viewed as an enormous layer-two switch, and it greatly improves Internet connections. Content producers and Tier 1 ISPs are also present at IXPs, creating the need for a way to handle large quantities of traffic: the protocol used to route these huge quantities of data is BGP. Internet Exchange Points are single points of failure: if one goes down the Internet still works, but extremely slowly.

BGP is a protocol executed among Autonomous Systems, which are identified by an integer number; it is the de facto routing protocol among ASes, and most major organizations use BGP to route traffic efficiently, in big chunks, based on the AS number. It is an open protocol and very vulnerable: it has been used for route hijacking; it has no encryption and no authentication, so it can be used to enumerate a network, and it has no real countermeasures. BGP messages are binary rather than text, so a telnet connection to TCP 179 will not show anything readable; the connection alone, however, reveals whether the router speaks BGP.

Active Directory / LDAP

LDAP, the Lightweight Directory Access Protocol, is the protocol used to query Active Directory, the directory service of Windows domains: it contains all the information about users, groups and so on of a given Windows domain, held on the domain controllers. It is the primary target of an enumeration attack because it has all the information needed. In old versions any domain member was able to enumerate the whole Active Directory.

Countermeasures

It is important to filter access to ports 389 and 3268 (LDAP and the Global Catalog) at the network perimeter to limit the leak of sensitive information. There are two different modes for an Active Directory domain: legacy-compatible (mixed) mode and native Windows 2000 mode; if possible use native mode and do not allow Windows NT 4 domain controllers.