Security vulnerabilities and penetration testing
Dr Phillip James
Recap and today
Last week we considered scanning:
• Network protocols: TCP/UDP/ICMP/IP.
• nmap.
• hping.
Result: details of IPs/ports/services.
Today: Enumeration (still part of the scanning phase; in fact nmap did some of this!).
Enumeration
Targeted information retrieval.

Enumeration, the idea
We have gained information on open ports (and likely services).
But now, can we extract more information based on those services and how they work?
ssh, http, ftp, smtp -> Version? Make?
Common services
Port       Service
20/21      FTP
22         SSH
23         Telnet
25         SMTP
80         HTTP
110        POP
123        NTP
135-139    Commonly used by MS (e.g. SMB)
443        HTTP2
447/548    AFP
1433       MSSQL
8080       Test port for HTTP
Example services: gaining information

Banner grabbing
"Banner" refers to a text message received from the host.
Banners usually contain information about a service, such as the version number.
So how can we gain such banners?
-> Interact with the services!
Telnet
Telnet is one of the oldest protocols for bidirectional text exchange on a network.
That's it! Simple but powerful.
...and the telnet client too, called telnet.
Usage:
telnet <ipaddress> <port>
Demo:
Let's try telnet to a web service on port 80...
Or perhaps an SSH service on port 22...

Demo: Telnet to web server

Demo: Telnet to ssh server
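As an added example (not part of the original slides), a small Python script that parses the kind of banners these two telnet demos return, the way a defender auditing their own hosts would record what each service discloses. The SSH identification string follows the RFC 4253 layout (SSH-protoversion-softwareversion SP comments); the two banners below are constructed, not captured from any real host.

```python
import re
from typing import Optional

# Constructed sample banners (not captured from any real host) of the kind a
# telnet connection to port 22 and port 80 would return.
SSH_BANNER = "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.4\r\n"
HTTP_RESPONSE = (
    "HTTP/1.1 400 Bad Request\r\n"
    "Server: Apache/2.4.52 (Ubuntu)\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

# RFC 4253 section 4.2: SSH-protoversion-softwareversion [SP comments] CR LF
SSH_RE = re.compile(r"^SSH-(?P<proto>[0-9.]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")


def parse_ssh_banner(banner: str) -> dict:
    """Split an SSH identification string into protocol, software and comments."""
    line = banner.rstrip("\r\n")
    m = SSH_RE.match(line)
    if not m:
        raise ValueError(f"not an SSH identification string: {line!r}")
    return {
        "protocol": m.group("proto"),
        "software": m.group("software"),
        "comments": m.group("comments") or "",
    }


def parse_http_server_header(response: str) -> Optional[str]:
    """Return the Server header value from a raw HTTP response, or None if absent."""
    head = response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None


def discloses_version(field: str) -> bool:
    """True if a banner field leaks a dotted version number (e.g. 8.9p1, 2.4.52)."""
    return re.search(r"\d+\.\d+", field) is not None


if __name__ == "__main__":
    print(parse_ssh_banner(SSH_BANNER))
    print(parse_http_server_header(HTTP_RESPONSE))
```

Running it on real output from your own servers shows at a glance which services hand out exact version strings, which is the information an attacker's enumeration step is after.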
SMB
Server Message Block is a protocol for sharing files, printers, and communication abstractions such as named pipes and mail slots between computers.
Two levels of security:
Share level: each share can have a password, and a client only needs that password to access all files under that share.
User level: protection applied to individual files, based on user access rights. Each user (client) must be authenticated by the server.
SMB tools
There are a number of useful tools for interacting with SMB:
• nbtscan – scan for NetBIOS name information
• smbmap – enumerate shares
• smbclient – interact with shares
• enum4linux – do all the above and more!
Example - enumerate shares:
smbmap -H <ipaddress>
Null sessions
A null session basically allows access to information without providing a username (or password).
Example (on Linux):
<null>, <null> everywhere
smbclient -L //137.44.2.59 -N -U ""
If vulnerable, lists shares and users.
Note:
Old versions of SMB allow null sessions on IPC$ (allows remote procedure calls without authentication).
Demo: smbclient + smbmap
Enumerate shares:
smbmap -H <ipaddress>
smbclient connect with no username/password:
smbclient \\\\10.230.42.9\\tmp -N -U ""

Demo: enum4linux
Run all options on a particular machine:
enum4linux -a 10.230.42.9
Gaining MAC addresses
If we can connect to either a WiFi or Ethernet network, there is a lot to gain... In particular, step one would be to gain information on any other connected machines... Of course we can Nmap scan, but if we can gain MAC addresses, they may be useful (man-in-the-middle, spoofing, ...).
ARP
Address Resolution Protocol
Protocol used for discovery of "link layer" addresses -- MACs!

IP Address      MAC Address
192.168.1.24    AA:BB:CC:DD:EE:FF
192.168.1.68    A1:B1:C1:D1:E1:F1

(Diagram: broadcast requests "Who is 192.168.1.24?" and "Who is 192.168.1.68?", each answered by its owner with "I am!")
Demo: netdiscover
Send ARP requests (just like a router would), listen for responses.
Notice, we gain vendor information too!
Next... Default password lists
Example: http://www.routerpasswords.com
Username: admin
Password: password
Default passwords are an obvious security vulnerability, but many still exist.
Similarly, there are many tools for cracking passwords.
And from here we enter the next phase of pen testing.
Summary
Noun: a brief statement or account of the main points of something.
• Enumeration setup: targeted scanning
• Example services
• Banner grabbing.
• SMB (and null sessions)
• ARP MAC discovery
• Tools to support.
Lab: Exploring the above tools.
Next week: Gaining access through vulnerabilities.