User:Tomchiukc/ComputerSecurity/Enumeration

System Information

  • OIDTree: Textbook p.625
  • Management Information Base Tools (MIBTools)
C:\Documents and Settings\Student>"\\192.168.184.129\c$\Tools\Module 4 - Enumeration\snmputil.exe" get 192.168.184.129  public .1.3.6.1.2.1.1.2.0
Variable = system.sysObjectID.0
Value    = ObjectID 1.3.6.1.4.1.311.1.1.3.1.1
C:\Documents and Settings\Student>"\\192.168.184.129\c$\Tools\Module 4 - Enumeration\snmputil.exe" getnext 192.168.184.129 public interfaces.ifNumber.0
Variable = interfaces.ifTable.ifEntry.ifIndex.1
Value    = Integer32 1
C:\Documents and Settings\Student>"\\192.168.184.129\c$\Tools\Module 4 - Enumeration\snmputil.exe" getnext 192.168.184.129 public 0.0
Variable = system.sysDescr.0
Value    = String Hardware: x86 Family 15 Model 2 Stepping 8 AT/AT COMPATIBLE - Software: Windows 2000 Version 5.0 (Build 2195 Uniprocessor Free)

OID numbers are also managed by IANA: 1.3.6.1.4.1 is the private enterprise tree, and the enterprise number 311 in the sysObjectID above belongs to Microsoft.

IP Network Browser: by http://www.solarwinds.net
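The snmputil transcripts above only show the tool's output. The following is an added example (not from the original page or from snmputil) that builds and decodes the same SNMPv1 GetNextRequest/GetResponse by hand in BER, so the wire format is visible: the host, community and OIDs are the page's own, the request-id (1) is arbitrary, and any response fed to the parser here is constructed.

```python
"""Hand-rolled SNMPv1 GetNextRequest builder and GetResponse decoder (BER)."""
import socket
import sys

ASN1_INT, ASN1_OCTSTR, ASN1_NULL, ASN1_OID, ASN1_SEQ = 0x02, 0x04, 0x05, 0x06, 0x30
PDU_GETNEXT, PDU_RESPONSE = 0xA1, 0xA2
APP_UNSIGNED = (0x41, 0x42, 0x43)          # Counter32, Gauge32, TimeTicks


def tlv(tag, body):
    """BER tag-length-value; short length form below 128 bytes, long form above."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body


def encode_int(v):
    """Non-negative INTEGER: minimal big-endian, 0x00-prefixed if the high bit is set."""
    raw = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return tlv(ASN1_INT, raw)


def encode_oid(oid):
    """Dotted OID -> OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest
    base-128 with the continuation bit on every byte but the last (311 -> 82 37)."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(ASN1_OID, bytes(out))


def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def read_tlv(buf, pos):
    """Return (tag, body, position after the TLV) for the TLV starting at buf[pos]."""
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:
        k = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + ln], pos + ln


def build_getnext(community, oid, request_id=1):
    """SEQ { version 0, community, GetNextRequest { id, 0, 0, SEQ { SEQ { oid, NULL } } } }"""
    varbind = tlv(ASN1_SEQ, encode_oid(oid) + tlv(ASN1_NULL, b""))
    pdu = tlv(PDU_GETNEXT, encode_int(request_id) + encode_int(0) + encode_int(0)
              + tlv(ASN1_SEQ, varbind))
    return tlv(ASN1_SEQ, encode_int(0) + tlv(ASN1_OCTSTR, community.encode()) + pdu)


def parse_response(pkt):
    """Return [(oid, value)] from a GetResponse; raises if error-status is non-zero."""
    _, msg, _ = read_tlv(pkt, 0)
    _, _, p = read_tlv(msg, 0)                 # version
    _, _, p = read_tlv(msg, p)                 # community
    tag, pdu, _ = read_tlv(msg, p)
    if tag != PDU_RESPONSE:
        raise ValueError("unexpected PDU tag 0x%02x" % tag)
    _, _, p = read_tlv(pdu, 0)                 # request-id
    _, err, p = read_tlv(pdu, p)               # error-status (2 = noSuchName, end of MIB)
    if int.from_bytes(err, "big"):
        raise ValueError("agent returned error-status %d" % int.from_bytes(err, "big"))
    _, _, p = read_tlv(pdu, p)                 # error-index
    _, vbl, _ = read_tlv(pdu, p)
    out, p = [], 0
    while p < len(vbl):
        _, vb, p = read_tlv(vbl, p)
        _, oid_body, q = read_tlv(vb, 0)
        vtag, vbody, _ = read_tlv(vb, q)
        if vtag == ASN1_INT or vtag in APP_UNSIGNED:
            value = int.from_bytes(vbody, "big", signed=(vtag == ASN1_INT))
        elif vtag == ASN1_OID:
            value = decode_oid(vbody)
        elif vtag == ASN1_NULL:
            value = None
        else:
            value = vbody.decode("latin-1")    # OCTET STRING, e.g. sysDescr
        out.append((decode_oid(oid_body), value))
    return out


def getnext(host, community, oid, timeout=2.0):
    """Send one GetNextRequest to UDP/161 and return the decoded varbinds."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_getnext(community, oid), (host, 161))
        data, _ = s.recvfrom(65535)
    return parse_response(data)


if __name__ == "__main__":
    # Same request as the page's "getnext 192.168.184.129 public 0.0": the agent
    # answers with the lexicographically first object, system.sysDescr.0.
    host = sys.argv[1] if len(sys.argv) > 1 else "192.168.184.129"
    start = sys.argv[2] if len(sys.argv) > 2 else "0.0"
    print(build_getnext("public", start).hex())
    for oid, value in getnext(host, "public", start):
        print(oid, "=", value)
```

Repeating getnext with the OID returned each time is exactly an SNMP walk; the loop ends when the agent answers error-status 2 (noSuchName). Note that the community string travels in cleartext inside the packet, which is why a sniffer on the path recovers it no matter what it was changed to.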

Countermeasures

  • Do not run the SNMP service where it is not needed (not practical on hosts that are monitored through SNMP).
  • Change the default 'public' community name (and 'private' for read-write access) to something that cannot be guessed. SNMPv1/v2c still send the community string in cleartext, so also restrict which hosts the agent answers.
  • Control Panel -> Administrative Tools -> Services -> SNMP Service (this is the agent that answers get/getnext; the SNMP Trap Service only receives traps) -> Properties -> Security tab -> Accepted community names, and "Accept SNMP packets from these hosts".

DNS Zone transfer in Win2K

  • Use nslookup: server <dns-server>, then ls -d <domainname> requests a zone transfer (AXFR) and lists the whole zone.
  • An AD-integrated zone does not just hold host addresses; it holds SRV records that locate services on specific machines:
    • Global Catalog: _gc._tcp.<domainname>
    • Domain Controller: _ldap._tcp.dc._msdcs.<domainname>
    • Kerberos KDC: _kerberos._tcp.<domainname>
  • DNS service record type: SRV (in addition to MX, CNAME, etc.)
  • Countermeasure: explicitly specify the IP addresses (the secondary servers) allowed to request zone transfers (zone Properties -> Zone Transfers tab in the Win2K DNS console); requests from any other address are ignored.
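The following is an added example, not part of the original page, that does what the ls -d step above does (a zone transfer) and then picks the AD service records out of the result. The network part uses the third-party dnspython library (pip install dnspython); the record classification is pure Python and runs offline on a constructed sample zone. The domain victim.local, the host dc1 and the sample records are made up.

```python
"""AXFR an AD zone and report which SRV records reveal DCs, GCs and KDCs."""
import re
import sys

# SRV owner-name prefixes that Active Directory registers, most specific first.
AD_SRV_ROLES = {
    "_ldap._tcp.dc._msdcs": "Domain Controller (LDAP)",
    "_ldap._tcp.pdc._msdcs": "PDC emulator",
    "_ldap._tcp.gc._msdcs": "Global Catalog (LDAP)",
    "_gc._tcp": "Global Catalog",
    "_kerberos._tcp": "Kerberos KDC",
    "_kerberos._udp": "Kerberos KDC (UDP)",
    "_kpasswd._tcp": "Kerberos password change",
    "_ldap._tcp": "LDAP (any DC)",
}

# Constructed sample of what an AXFR of an AD zone returns (not real data):
# (owner name, priority, weight, port, target).
SAMPLE_RECORDS = [
    ("_ldap._tcp.dc._msdcs.victim.local.", 0, 100, 389, "dc1.victim.local."),
    ("_gc._tcp.victim.local.", 0, 100, 3268, "dc1.victim.local."),
    ("_kerberos._tcp.victim.local.", 0, 100, 88, "dc1.victim.local."),
    ("_ldap._tcp.default-first-site-name._sites.dc._msdcs.victim.local.", 0, 100, 389, "dc1.victim.local."),
    ("_sip._tcp.victim.local.", 0, 100, 5060, "pbx.victim.local."),
]


def classify_srv(name):
    """Map an SRV owner name to the AD role it advertises, or None.
    Site-specific names (_ldap._tcp.<site>._sites.dc._msdcs.<domain>) are
    reduced to the site-less form before matching."""
    n = re.sub(r"\.[^.]+\._sites\.", ".", name.lower().rstrip("."))
    for prefix, role in AD_SRV_ROLES.items():
        if n.startswith(prefix + "."):
            return role
    return None


def ad_services(records):
    """Return {role: {"host:port", ...}} for every AD-related SRV record."""
    found = {}
    for name, _prio, _weight, port, target in records:
        role = classify_srv(name)
        if role:
            found.setdefault(role, set()).add("%s:%d" % (target.rstrip("."), port))
    return found


def axfr_srv_records(domain, nameserver):
    """Zone transfer with dnspython; yields tuples in the shape ad_services expects."""
    import dns.query, dns.zone                    # third-party: pip install dnspython
    zone = dns.zone.from_xfr(dns.query.xfr(nameserver, domain))
    for name, _ttl, rdata in zone.iterate_rdatas("SRV"):
        yield (str(name.derelativize(zone.origin)), rdata.priority, rdata.weight,
               rdata.port, str(rdata.target.derelativize(zone.origin)))


if __name__ == "__main__":
    # usage: python this.py <domain> <dns-server>   (falls back to the sample zone)
    records = axfr_srv_records(sys.argv[1], sys.argv[2]) if len(sys.argv) > 2 else SAMPLE_RECORDS
    for role, hosts in sorted(ad_services(records).items()):
        print("%-28s %s" % (role, ", ".join(sorted(hosts))))
```

If the transfer is refused (the countermeasure above is in place), the same service names can still be queried one at a time with nslookup -type=SRV, so restricting zone transfers hides the bulk listing, not the individual records.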

UID/SID

I:\Tools>"I:\Tools\Module 4 - Enumeration\sid\user2sid.exe" \\192.168.184.129 administrator
S-1-5-21-1214440339-73586283-725345543-500
Number of subauthorities is 5
Domain is VICTIM
Length of SID in memory is 28 bytes
Type of SID is SidTypeUser
I:\Tools>"I:\Tools\Module 4 - Enumeration\sid\sid2user.exe" \\192.168.0.50 5 21 1214440339 73586283 725345543 500
Name is Administrator
Domain is VICTIM
Type of SID is SidTypeUser
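The user2sid/sid2user pair above works because a SID is just the domain identifier plus a relative ID (RID) at the end, and the RIDs of built-in accounts are fixed. The following is an added example, not from the page or from the tools, that converts between the text and the 28-byte binary form user2sid reports, produces the argument form sid2user takes, and generates the candidate SIDs for RID cycling. The SID values are the page's own; the RID list is the standard well-known set.

```python
"""Windows SID helpers: text <-> binary, sid2user argument form, RID cycling."""
import struct

# RIDs that exist in every domain, whatever the accounts have been renamed to.
WELL_KNOWN_RIDS = {
    500: "Administrator", 501: "Guest", 502: "krbtgt",
    512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests",
    515: "Domain Computers", 516: "Domain Controllers", 519: "Enterprise Admins",
}


def parse_sid(text):
    """'S-1-5-21-a-b-c-500' -> (revision, identifier authority, [sub-authorities])."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID: %r" % text)
    return int(parts[1]), int(parts[2]), [int(p) for p in parts[3:]]


def sid_to_bytes(text):
    """Binary layout: revision(1) count(1) authority(6, big-endian) then each
    sub-authority as 4 bytes little-endian.  Five sub-authorities give
    8 + 5*4 = 28 bytes, the 'Length of SID in memory' user2sid prints."""
    rev, auth, subs = parse_sid(text)
    return (struct.pack("<BB", rev, len(subs)) + auth.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(raw):
    rev, count = raw[0], raw[1]
    auth = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:8 + 4 * count])
    return "-".join(["S", str(rev), str(auth)] + [str(s) for s in subs])


def domain_sid(text):
    """Drop the RID: S-1-5-21-a-b-c-500 -> S-1-5-21-a-b-c (the domain identifier)."""
    return text.rsplit("-", 1)[0]


def rid(text):
    return int(text.rsplit("-", 1)[1])


def sid2user_args(text):
    """sid2user takes the SID without the 'S-1-' prefix, space-separated."""
    _rev, auth, subs = parse_sid(text)
    return " ".join(str(x) for x in [auth] + subs)


def rid_cycle(domain, start=1000, count=50):
    """Yield (candidate SID, expected name or None): well-known RIDs first, then
    the 1000+ range where user-created accounts live.  A RID that was never
    assigned simply fails to resolve, so probing gaps is cheap."""
    for r in sorted(WELL_KNOWN_RIDS):
        yield "%s-%d" % (domain, r), WELL_KNOWN_RIDS[r]
    for r in range(start, start + count):
        yield "%s-%d" % (domain, r), None


if __name__ == "__main__":
    admin = "S-1-5-21-1214440339-73586283-725345543-500"   # from the page's user2sid output
    print("SID length in memory:", len(sid_to_bytes(admin)), "bytes")
    for sid, hint in rid_cycle(domain_sid(admin), count=5):
        print("sid2user.exe \\\\192.168.184.129 %s    # RID %d: %s"
              % (sid2user_args(sid), rid(sid), hint or "user-created?"))
```

Only one successful user2sid call is needed (against any known name, including Guest) to obtain the domain part; after that every RID can be tried without knowing a single further account name, which is why renaming Administrator does not hide it.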

Enum

  • requires a null session first: net use \\<target>\ipc$ "" /u:""
  • useful switches: -U (user list), -G (groups and their members), -d (detailed output, combine as -UGd), -L (LSA policy), -P (password policy)

Userinfo

  • requires a null session first (the same net use \\<target>\ipc$ "" /u:"" as for enum)
       UserInfo v1.5 - [email protected]
       Querying Controller \\192.168.184.129
       USER INFO
       Username:       Administrator
       Full Name:
       Comment:        Built-in account for administering the computer/domain
       User Comment:
       User ID:        500
       Primary Grp:    513
       Privs:          Admin Privs
       OperatorPrivs:  No explicit OP Privs
       SYSTEM FLAGS (Flag dword is 66049)
       User's pwd never expires.
       MISC INFO
       Password age:   Sat Jan 10 02:03:25 2004
       LastLogon:      Mon Aug 09 11:17:17 2004
       LastLogoff:     Thu Jan 01 00:00:00 1970
       Acct Expires:   Never
       Max Storage:    Unlimited
       Workstations:
       UnitsperWeek:   168
       Bad pw Count:   0
       Num logons:     19
       Country code:   0
       Code page:      0
       Profile:
       ScriptPath:
       Homedir drive:
       Home Dir:
       PasswordExp:    0
       Logon hours at controller, GMT:
       Hours-          12345678901N12345678901M
       Sunday          111111111111111111111111
       Monday          111111111111111111111111
       Tuesday         111111111111111111111111
       Wednesday       111111111111111111111111
       Thursday        111111111111111111111111
       Friday          111111111111111111111111
       Saturday        111111111111111111111111
       Get hammered at HammerofGod.com!
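UserInfo prints the raw flags dword (66049 above) and only spells out one of its bits. The following is an added example, not from the page or from UserInfo, that decodes the dword with the UF_* constants from lmaccess.h (the usri_flags values NetUserGetInfo returns), parses the security-relevant fields out of a UserInfo dump, and lists what a tester would note. The sample text is the page's own output, trimmed to the lines the parser uses.

```python
"""Decode UserInfo's flags dword and logon-hours bitmap and flag risky settings."""
import re

# usri_flags bits (lmaccess.h UF_* constants, same bits as AD's userAccountControl).
UF_FLAGS = {
    0x00001: "UF_SCRIPT", 0x00002: "UF_ACCOUNTDISABLE", 0x00008: "UF_HOMEDIR_REQUIRED",
    0x00010: "UF_LOCKOUT", 0x00020: "UF_PASSWD_NOTREQD", 0x00040: "UF_PASSWD_CANT_CHANGE",
    0x00080: "UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED", 0x00100: "UF_TEMP_DUPLICATE_ACCOUNT",
    0x00200: "UF_NORMAL_ACCOUNT", 0x00800: "UF_INTERDOMAIN_TRUST_ACCOUNT",
    0x01000: "UF_WORKSTATION_TRUST_ACCOUNT", 0x02000: "UF_SERVER_TRUST_ACCOUNT",
    0x10000: "UF_DONT_EXPIRE_PASSWD", 0x20000: "UF_MNS_LOGON_ACCOUNT",
    0x40000: "UF_SMARTCARD_REQUIRED", 0x80000: "UF_TRUSTED_FOR_DELEGATION",
    0x100000: "UF_NOT_DELEGATED", 0x200000: "UF_USE_DES_KEY_ONLY",
    0x400000: "UF_DONT_REQUIRE_PREAUTH", 0x800000: "UF_PASSWORD_EXPIRED",
}
DAYS = ("Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday")

# The page's UserInfo output for Administrator, trimmed to the lines used here.
SAMPLE = """\
USER INFO
Username:       Administrator
User ID:        500
Primary Grp:    513
Privs:          Admin Privs
SYSTEM FLAGS (Flag dword is 66049)
User's pwd never expires.
MISC INFO
Bad pw Count:   0
Num logons:     19
Logon hours at controller, GMT:
Hours-          12345678901N12345678901M
Sunday          111111111111111111111111
Monday          111111111111111111111111
Tuesday         111111111111111111111111
Wednesday       111111111111111111111111
Thursday        111111111111111111111111
Friday          111111111111111111111111
Saturday        111111111111111111111111
"""


def decode_flags(dword):
    """Flag names set in the dword, in ascending bit order; unknown bits reported as hex."""
    names = [n for bit, n in UF_FLAGS.items() if dword & bit]
    unknown = dword & ~sum(UF_FLAGS)
    if unknown:
        names.append("0x%x (undocumented)" % unknown)
    return names


def parse_userinfo(text):
    """Pull the assessment-relevant fields out of a UserInfo dump."""
    info = {}
    m = re.search(r"Flag dword is (\d+)", text)
    info["flags"] = int(m.group(1)) if m else 0
    for key in ("Username", "User ID", "Primary Grp", "Privs", "Bad pw Count", "Num logons"):
        m = re.search(r"^%s:\s*(.*)$" % re.escape(key), text, re.M)
        info[key] = m.group(1).strip() if m else ""
    info["logon_hours"] = {}                  # day -> 24-char bitmap, 1 = logon allowed
    for day in DAYS:
        m = re.search(r"^%s\s+([01]{24})$" % day, text, re.M)
        if m:
            info["logon_hours"][day] = m.group(1)
    return info


def findings(info):
    """(decoded flags, observations) for one account record."""
    flags = decode_flags(info["flags"])
    out = []
    if "UF_DONT_EXPIRE_PASSWD" in flags:
        out.append("password never expires")
    if "UF_PASSWD_NOTREQD" in flags:
        out.append("no password required")
    if "UF_DONT_REQUIRE_PREAUTH" in flags:
        out.append("Kerberos pre-authentication not required")
    if info["User ID"] == "500" and info["Username"].lower() != "administrator":
        out.append("built-in Administrator renamed to %s" % info["Username"])
    if info["Privs"].startswith("Admin"):
        out.append("administrative privilege")
    hours = info["logon_hours"]
    if hours and all(h == "1" * 24 for h in hours.values()):
        out.append("logon permitted at any hour")
    return flags, out


if __name__ == "__main__":
    info = parse_userinfo(SAMPLE)
    flags, notes = findings(info)
    print(info["Username"], "(RID %s):" % info["User ID"], ", ".join(flags))
    for n in notes:
        print("  -", n)
```

66049 is 0x10201, i.e. UF_SCRIPT | UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD, which is the "User's pwd never expires" line UserInfo prints. The RID (User ID 500) identifies the built-in Administrator even when the account has been renamed.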

Null session restriction

  • RestrictAnonymous=1 (HKLM\SYSTEM\CurrentControlSet\Control\Lsa) stops anonymous listing of accounts and shares, but SID-to-name lookups still work, so RID cycling with sid2user still reveals accounts. GetAcct likewise sidesteps "RestrictAnonymous=1" and acquires account information on Windows NT/2000 machines.
  • Special tools from http://www.securityfriday.com
  • Win2K only: RestrictAnonymous=2 removes Everyone from the anonymous token and blocks this as well, at the cost of breaking NT4 trusts and browsing from down-level clients.
  • User-created accounts get RIDs from 1000 upwards.
  • RIDs below 1000 are well-known (500 Administrator, 501 Guest, 512 Domain Admins, 513 Domain Users), so a renamed Administrator is still found by RID 500.

Active Directory Enumeration

  • the directory can be enumerated with a simple LDAP query.
  • requires an authenticated LDAP session (a bind).
  • connect to any AD server with ldp.exe on TCP port 389 (3268 for the Global Catalog).
  • the bind succeeds even with the Guest account.
  • all users can then be enumerated.
  • dcpromo promotes a Win2K server (including an upgraded NT server) into an Active Directory domain controller. During promotion it asks whether permissions should be compatible with pre-Windows 2000 servers; choosing that adds Everyone to the "Pre-Windows 2000 Compatible Access" group, which is what lets a null or Guest session read the directory.
  • To avoid AD enumeration, use only Win2K machines and choose "Permissions compatible only with Windows 2000 servers" in dcpromo (or remove Everyone from that group afterwards).
  • Block TCP 389 and 3268 at the perimeter; they cannot be closed on the DC itself, since domain members and other DCs need LDAP.
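The following is an added example, not from the page or from ldp.exe, that performs the enumeration described above over LDAP and checks the pre-Windows 2000 compatibility setting that makes it possible. The network part uses the third-party ldap3 library (pip install ldap3); the DN and filter helpers and the group-membership check are pure Python and run offline. victim.local, dc1 and the credentials are placeholders; the check assumes that Everyone (S-1-1-0) and Anonymous Logon (S-1-5-7) appear in the group's member attribute as foreign security principals, CN=<sid>,CN=ForeignSecurityPrincipals,...

```python
"""Enumerate AD users over LDAP and test the Pre-Windows 2000 Compatible Access group."""
import sys

EVERYONE_SID = "S-1-1-0"
ANONYMOUS_SID = "S-1-5-7"
UAC_ACCOUNTDISABLE = 2


def base_dn(domain):
    """victim.local -> DC=victim,DC=local"""
    return ",".join("DC=" + label for label in domain.split(".") if label)


def prewin2k_group_dn(domain):
    return "CN=Pre-Windows 2000 Compatible Access,CN=Builtin," + base_dn(domain)


def prewin2k_open_to_anonymous(member_dns):
    """Return the members that grant directory reads to unauthenticated callers.
    Everyone (S-1-1-0) and Anonymous Logon (S-1-5-7) are listed as foreign
    security principals; an empty result means the Win2K-only permission mode."""
    bad = []
    for dn in member_dns:
        cn = dn.split(",", 1)[0].upper()
        if cn in ("CN=" + EVERYONE_SID, "CN=" + ANONYMOUS_SID):
            bad.append(dn)
    return bad


def user_filter(include_disabled=True):
    """LDAP filter for user objects; the bitwise-AND matching rule drops disabled ones."""
    f = "(&(objectCategory=person)(objectClass=user)"
    if not include_disabled:
        f += "(!(userAccountControl:1.2.840.113556.1.4.803:=%d))" % UAC_ACCOUNTDISABLE
    return f + ")"


def connect(host, user=None, password=None, port=389):
    """Anonymous bind, or NTLM with e.g. user='VICTIM\\Guest', password=''."""
    from ldap3 import Server, Connection, ALL, NTLM, ANONYMOUS   # third-party
    server = Server(host, port=port, get_info=ALL)
    return Connection(server, user=user, password=password,
                      authentication=NTLM if user else ANONYMOUS, auto_bind=True)


def enumerate_users(conn, domain):
    """Page through every user like ldp.exe's Search; yields (name, uac, groups)."""
    entries = conn.extend.standard.paged_search(
        base_dn(domain), user_filter(),
        attributes=["sAMAccountName", "userAccountControl", "memberOf"],
        paged_size=500, generator=True)
    for e in entries:
        if e.get("type") == "searchResEntry":
            a = e["attributes"]
            yield a.get("sAMAccountName"), a.get("userAccountControl"), a.get("memberOf", [])


def check_prewin2k(conn, domain):
    """Read the compatibility group's members and return the ones that open it up."""
    conn.search(prewin2k_group_dn(domain), "(objectClass=group)", attributes=["member"])
    members = conn.entries[0].member.values if conn.entries else []
    return prewin2k_open_to_anonymous(members)


if __name__ == "__main__":
    # usage: python this.py <dc-host> <domain> [DOMAIN\\user password]
    host, domain = sys.argv[1], sys.argv[2]
    user, pw = (sys.argv[3], sys.argv[4]) if len(sys.argv) > 4 else (None, None)
    conn = connect(host, user, pw)
    for name, uac, groups in enumerate_users(conn, domain):
        print("%-20s uac=%-8s %s" % (name, uac, "; ".join(groups)))
    opened = check_prewin2k(conn, domain)
    print("Pre-Windows 2000 Compatible Access exposes the directory:", bool(opened), opened)
```

The same search against port 3268 (the Global Catalog) returns users from every domain in the forest, which is why both ports appear in the countermeasure above.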