Passive Fingerprinting
• Passive fingerprinting is also based on the differential implementation of the TCP/IP stack and
the various ways an OS responds to it.
• However, instead of relying on scanning the target host, passive fingerprinting captures
packets from the target host and studies them for telltale signs that can reveal the OS.
• Passive fingerprinting is less accurate than active fingerprinting.
SNMP Enumeration
• SNMP is simple. Managers send requests to agents, and the agents send back replies.
• The requests and replies refer to variables accessible to agent software.
• Managers can also send requests to set values for certain variables.
Countermeasure: Do not install the Management and Monitoring Windows component (which provides the
SNMP service) if it is not going to be used. Where it is required, ensure that only authorized persons
have access to it; otherwise it can turn into an obvious backdoor. Edit the registry to permit only
approved access to the SNMP community name.
What is Footprinting
Defining Footprinting
There is no single methodology for footprinting, as a hacker can choose several routes to trace
the information. Footprinting, therefore, needs to be carried out precisely and in an organized
manner. The information unveiled at various network levels can include details of domain names,
network blocks, network services and applications, system architecture, intrusion detection
systems, specific IP addresses, access control mechanisms and related lists, phone numbers,
contact addresses, authentication mechanisms and system enumeration.
The information gathering activity can be broadly divided into seven phases:
• The attacker would first unearth initial information (such as the domain name),
• locate the network range of the target system (using tools such as Nslookup, whois, etc.),
• ascertain the active machines (for instance by pinging them),
• discover open ports or access points (using tools such as port scanners),
• detect operating systems (for instance by querying with telnet),
• uncover services on ports, and
• ultimately map the network.
This not only speeds up the real attack process, but also helps the attacker prepare better for
covering his tracks and thereby leave a smaller or minimal footprint.
Initial Information:
Commonly includes:
Information Sources:
• Open source
• Whois
• Nslookup
Hacking Tool:
• Sam Spade
Open source footprinting is the easiest and safest way to go about finding information about a
company: it uses information that is available to the public, such as phone numbers, addresses, etc.
Performing whois requests and searching through DNS tables are other forms of open source
footprinting. Most of this information is fairly easy to get and within legal limits. One easy way to
check for sensitive information is to inspect the HTML source code of the website for links,
comments, meta tags, etc.
• A web page (save it offline, e.g. using an offline browser such as Teleport Pro).
• Yahoo or other directories (Tifny is a comprehensive search tool for USENET newsgroups).
• Multiple search engines (All-in-One, Dogpile); groups.google.com is a great resource for
searching large numbers of newsgroup archives without having to use a tool.
• Using advanced search (e.g. AltaVista).
• Searches on publicly traded companies (e.g. EDGAR).
• Dumpster diving (to retrieve documents that have been carelessly disposed of).
• Physical access (false ID, temporary/contract employees, unauthorized access, etc.).
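The page-source check described above is just as useful in the other direction: a site owner can run it over their own pages before publication to see what a footprinter would find. The script below is an added example (not code from the original article or from any of the tools it names); it collects HTML comments, revealing meta tags, e-mail addresses and links that point at hosts other than the site's own. The sample page, host names and addresses in it are constructed placeholders.

```python
"""Audit a saved web page for the footprinting material the text names:
HTML comments, meta tags and links.  Added example for reviewing your own
site before publication; not from the original article.  The sample page,
host names and addresses are constructed placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

META_OF_INTEREST = {"generator", "author"}   # meta tags that reveal software or people


class FootprintAudit(HTMLParser):
    """Collect comments, named meta tags and anchor targets while parsing."""

    def __init__(self):
        super().__init__()
        self.comments, self.meta, self.links = [], {}, []

    def handle_comment(self, data):
        # Collapse internal whitespace so multi-line comments read as one finding.
        self.comments.append(" ".join(data.split()))

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "meta" and attrs.get("name"):
            self.meta[attrs["name"].lower()] = attrs.get("content", "")
        elif tag == "a" and attrs.get("href"):
            self.links.append(attrs["href"])


def audit_page(html: str, own_host: str) -> list:
    """Return findings: every comment, revealing meta tags, e-mail addresses,
    and links to hosts other than own_host (those map out infrastructure)."""
    parser = FootprintAudit()
    parser.feed(html)
    parser.close()
    findings = [f"comment: {c}" for c in parser.comments]
    findings += [f"meta {n}: {v}" for n, v in parser.meta.items() if n in META_OF_INTEREST]
    for href in parser.links:
        parts = urlsplit(href)
        if parts.scheme == "mailto":
            findings.append(f"e-mail address: {parts.path}")
        elif parts.hostname and parts.hostname != own_host:
            findings.append(f"link to other host: {parts.hostname}")
    return findings


# Constructed sample page containing the kinds of leaks the text describes.
SAMPLE_HTML = """<html><head>
<meta name="generator" content="ExampleCMS 1.0">
<meta name="author" content="webmaster">
<meta name="viewport" content="width=device-width">
</head><body>
<!-- TODO: remove before go-live;
     staging copy lives on staging.internal.example -->
<a href="/about.html">About</a>
<a href="mailto:contact@example.com">Contact</a>
<a href="http://admin.example.com/login">Admin</a>
</body></html>"""

if __name__ == "__main__":
    for line in audit_page(SAMPLE_HTML, "www.example.com"):
        print(line)
```

Run it against a page saved with an offline browser and pass the site's own host name; relative links and links back to that host are ignored, so only the items worth reviewing are reported.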
There are four RIRs, each maintaining a whois database holding details of IP address
registrations in its region. The RIR whois databases are located at:
Tools: There are tools available to aid a whois lookup. Some of them are Sam Spade
(downloadable from www.samspade.org), Smart Whois (downloadable from www.tamos.com),
Netscan (downloadable from www.netscantools.com) and GTWhois (Windows XP compatible,
www.geektools.com).
---
Amarjit Singh
Passive Fingerprinting
Like active fingerprinting, passive fingerprinting is based on the differential implementation of
the TCP/IP stack and the various ways an OS responds to it. However, instead of relying on scanning
the target host, passive fingerprinting captures packets from the target host and studies them for
telltale signs that can reveal the OS.
Note: The four areas that are typically noted to determine the operating system are:
TTL - What the operating system sets the Time To Live to on the outbound packet.
Window Size - What the operating system sets the Window Size at.
DF - Whether the operating system sets the Don't Fragment bit (discussed below).
TOS - Does the operating system set the Type of Service, and if so, at what?
Passive fingerprinting need not be fully accurate, nor does it have to be limited to these four
signatures. However, by looking at several signatures and combining the information, the
accuracy can be improved. The following is the analysis of a sniffed packet dissected by
Lance Spitzner in his paper on passive fingerprinting (http://www.honeynet.org/papers/finger/):
TTL: 45
TOS: 0x0
This information is then compared to a database of signatures. Considering the TTL used by the
remote host, it is seen from the sniffer trace that the TTL is set at 45. This indicates that it went
through 19 hops to get to the target, so the original TTL must have been set at 64. Based on this
TTL, it appears that the packet was sent from a Linux or FreeBSD box (however, more system
signatures need to be added to the database). This TTL is confirmed by doing a traceroute to the
remote host.
The next step is to compare the Window Size. The Window Size is another effective tool,
specifically which Window Size is used and how often the size changes. In the above signature, it
is set at 0x7D78, a default Window Size commonly used by Linux. Also, Linux, FreeBSD and
Solaris tend to maintain the same Window Size throughout a session, whereas Cisco routers
and Microsoft Windows/NT Window Sizes are constantly changing. The Window Size is more
accurate if measured after the initial three-way handshake (due to TCP slow start).
Most systems have the DF bit set, so this is of limited value. However, it does make it easier to
identify the few systems that do not use the DF flag (such as SCO or OpenBSD). TOS is also of
limited value: it seems to be more session-based than operating-system-based. In other words, it is
not so much the operating system that determines the TOS, but the protocol used. Therefore,
based on the information above, specifically TTL and Window Size, one can compare the results
to the database of signatures and with a degree of confidence determine the OS (in this case,
Linux kernel 2.2.x).
Threat: Passive fingerprinting can be used for several other purposes. It can be used by
crackers as 'stealthy' fingerprinting. For example, to determine the operating system of a
'potential victim', such as a web server, one only needs to request a web page from the server
and then analyze the sniffer traces. This bypasses the need for an active tool that can be
detected by various IDS systems. Passive fingerprinting may also be used to identify remote
proxy firewalls: since proxy firewalls rebuild connections for clients, it may be possible to identify
them based on the signatures discussed. Organizations can use passive fingerprinting to
identify 'rogue' systems on their network, that is, systems that are not authorized on the
network.
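The analysis above (TTL class, window size, DF bit, TOS) can be turned into a small classifier, which is also the form in which an organization would use it to spot unauthorized systems on its own network. The script below is an added example, not code from the original article or from Spitzner's paper: it parses the IPv4 and TCP headers of one captured SYN, infers the sender's initial TTL and hop distance the way the text does, and matches the result against a signature table. The sample packet and the signature table are constructed; the Linux 2.2.x entry follows the worked example in the text, while the Windows entry's window value is a placeholder, not a measured default.

```python
"""Passive OS fingerprinting from IPv4/TCP header fields.

Added example, not code from the original article or from Spitzner's paper.
It extracts the four fields the text describes (TTL, window size, DF bit,
TOS) from a captured SYN, infers the sender's initial TTL and hop distance,
and matches against a small signature table.  The sample packet and the
signature table are constructed for illustration: the Linux 2.2.x entry
follows the text's worked example, the Windows entry is a placeholder.
"""
import struct
from dataclasses import dataclass

# Initial TTL values common stacks start from; the smallest one that is
# >= the observed TTL is taken as the sender's original setting.
INITIAL_TTLS = (32, 64, 128, 255)


@dataclass(frozen=True)
class Signature:
    os_name: str
    initial_ttl: int
    window: int
    df: bool


SIGNATURES = (
    Signature("Linux kernel 2.2.x", 64, 0x7D78, True),
    Signature("Windows NT/2000 (placeholder values)", 128, 0x4000, True),
)


@dataclass(frozen=True)
class Observation:
    ttl: int
    tos: int
    df: bool
    window: int


def parse_headers(packet: bytes) -> Observation:
    """Pull TTL, TOS and DF from the IPv4 header and the window from TCP."""
    if packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4                       # IP header length in bytes
    tos = packet[1]
    flags_frag = struct.unpack("!H", packet[6:8])[0]
    df = bool(flags_frag & 0x4000)                     # Don't Fragment flag bit
    ttl = packet[8]
    if packet[9] != 6:
        raise ValueError("not TCP")
    window = struct.unpack("!H", packet[ihl + 14:ihl + 16])[0]  # TCP window field
    return Observation(ttl, tos, df, window)


def infer_initial_ttl(ttl: int) -> int:
    """Nearest common initial TTL at or above the observed value."""
    for candidate in INITIAL_TTLS:
        if ttl <= candidate:
            return candidate
    raise ValueError("TTL out of range")


def hop_count(ttl: int) -> int:
    """Hops the packet has travelled, assuming the inferred initial TTL."""
    return infer_initial_ttl(ttl) - ttl


def fingerprint(obs: Observation) -> list:
    """OS names whose signature matches the TTL class, window size and DF bit.
    TOS is deliberately not matched: the text notes it is session-based."""
    initial = infer_initial_ttl(obs.ttl)
    return [s.os_name for s in SIGNATURES
            if s.initial_ttl == initial and s.window == obs.window and s.df == obs.df]


# Constructed sample: a SYN with TTL 45, DF set, window 0x7D78, TOS 0, from
# 192.0.2.10:1025 to 198.51.100.20:80 (documentation addresses, zero checksums).
SAMPLE_SYN = (
    struct.pack("!BBHHHBBH4s4s", 0x45, 0x00, 40, 0x1234, 0x4000, 45, 6, 0,
                bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    + struct.pack("!HHIIBBHHH", 1025, 80, 1000, 0, 0x50, 0x02, 0x7D78, 0, 0)
)

if __name__ == "__main__":
    obs = parse_headers(SAMPLE_SYN)
    print(obs, "initial TTL:", infer_initial_ttl(obs.ttl),
          "hops:", hop_count(obs.ttl), "matches:", fingerprint(obs))
```

Feed it SYN packets taken from a span port or packet capture: a host whose match list is empty, or whose match disagrees with the asset inventory for that address, is the kind of rogue system the text says organizations look for. The window size should be read from the handshake, as the text advises, since it changes once slow start is under way.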
Enumeration Tools
Hacking Tool: Enum
Using null sessions, enum can retrieve user lists, machine lists, share lists, name lists, group and
membership lists, password and LSA policy information.
enum is also capable of a rudimentary brute force dictionary attack on individual accounts.
enum is a tool written by Jordan Ritter to enumerate Windows NT/2000 information using null and
user sessions. enum is a console-based Win32 information enumeration utility. Using null sessions,
enum can retrieve user lists, machine lists, share lists, name lists, group and member lists,
password and LSA policy information. enum is also capable of a rudimentary brute force
dictionary attack on individual accounts.
• Userinfo is a little function that retrieves all available information about any known user
from any NT/Win2k system that you can reach on port 139.
• Specifically calling the NetUserGetInfo API call at Level 3, Userinfo returns standard info
like:
• SID and primary group
• logon restrictions and smart card requirements
• special group information
• password expiration information and password age
• This application works as a null user, even if RA (RestrictAnonymous) is set to 1 to specifically
deny anonymous enumeration.
GetAcct shows the information that leaks by opening an anonymous login and showing the
following information:
SNMP Enumeration
SNMP is simple. Managers send requests to agents, and the agents send back replies.
Managers can also send requests to set values for certain variables.
Traps let the manager know that something significant has happened at the agent's end of things:
• a reboot
SNMP consists primarily of two objects: a manager and an agent. An agent consists of a piece of
software embedded in a machine. SNMP agents exist for almost any piece of equipment.
However, the installed agent does not do anything for the machine until queried by the manager.
The manager is a separate program that a network manager runs on their own computer and that
queries the agent (across the network) for information.
The default community string that provides the monitoring or read capability is often "public". The
default management or write community string is often "private". The SNMP exploit takes
advantage of these default community strings to allow an attacker to gain information about a
device using the read community string "public", and to change a system's configuration using
the write community string "private".
SNMPutil example
The security threat comes from Windows 2000 servers and workstations having SNMP support
enabled and failing to change the default read-only community string 'public'. However, changing
it does not exempt it from attackers sniffing it from the network or subjecting it to a dictionary
or brute force attack. This may not seem troublesome, but the Windows 2000 SNMP variables
contain a wealth of information for the sniffing cracker. Some of the tables that are available when
one has READ access to the SNMP tree on a Windows 2000 box are listed below:
Interface Table - This table identifies all boxes with multiple interfaces, plus useful details like
their IP and MAC addresses.
Route Table and ARP Table - With access to these tables, a cracker can quickly build an
accurate picture of a network and continue the search for vulnerabilities.
TCP Table and UDP Table - These show which TCP and UDP ports are actively used, and
on which ports services are listening for new clients.
Device Table and Storage Table - Knowing what hardware is attached to a Windows 2000
machine gives crackers clues about what kind of machine they are dealing with.
Process Table and Software Table - Knowing what software is installed and what software is
running (DNS server, DHCP server) gives away details about how to attack the system. They
even show which service packs have been installed (and hence which patches are missing).
User Table - Knowing which user names are valid on a machine makes it much easier to guess
passwords and gain access to a system.
Share Table - If the cracker knows what shares are exported and used by a Windows machine, it
can lead to a serious security compromise.
Here, we will look at an SNMP utility called SNMPutil.exe, which is part of the Windows 2000
Resource Kit. Let us take a look at what we can discover with it from the command prompt.
In this output, the variable is called 1.3.6.1.2.1.1.2.0, and we 'get' its value, which turns out to be
1. The variable name (1.3.6.1.2.1.1.2.0) is called an object identifier or OID. An alternative to this
is found in the second line of the output shown here: 'interfaces.ifNumber.0' is the same OID,
but is more easily readable. The second and third arguments to SNMPUTIL designate the host to
which the SNMP request will be sent (210.212.69.129) and the community (authentication string or
password) to use (public). The 'public' community is the default when SNMP support is installed
on a Windows 2000 host, and it allows the user to read all variables present. Since even the
number of interfaces in a host is sensitive data, the threat is evident. Let us look at some of the
other variables that might be of interest to an attacker and a security professional.
IpForwarding (1.3.6.1.2.1.4.1.0) - Is the host forwarding? This is not a good sign for a
workstation.
TcpOutRsts (1.3.6.1.2.1.6.15) - A counter indicating the number of RSTs sent by the box. This
counter will increase rapidly when the box is port-scanned.
UdpNoPorts (1.3.6.1.2.1.7.2) - A counter indicating traffic to ports where no service was present.
Also a possible port-scan signal.
SNMP walk automates the whole process of getting the variables, and its output can be redirected
to a file. To summarize, Snmputil can reveal details about services that are running, share
names, share paths, any comments on shares, usernames, domain names, etc.
The simplest way to prevent such activity is to remove the SNMP agent or turn off the SNMP service.
If shutting off SNMP is not an option, then change the default 'public' community name.
Implement the Group Policy security option called Additional restrictions for anonymous
connections.
Access to null session pipes and null session shares should also be restricted, and IPSec filtering
applied.
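Whether the default community strings are still in use on a network is something a defender can check directly from a packet capture, since SNMPv1 sends the community string in clear text inside a BER-encoded message. The script below is an added example (not from the original article or from the Windows Resource Kit): a minimal BER reader pulls the version, community string, PDU type and requested OIDs out of an SNMPv1 datagram and reports the 'public'/'private' defaults and any write (SetRequest) traffic, naming the MIB-II objects discussed in the text where it can. Both sample datagrams are constructed for illustration.

```python
"""Decode SNMPv1 datagrams and flag default community strings.

Added example, not code from the original article or the Windows Resource
Kit.  A minimal BER reader extracts the version, community string, PDU type
and requested OIDs from a captured SNMPv1 message so that traffic captures
can be audited for the 'public'/'private' defaults the text warns about.
Both sample datagrams below are constructed for illustration.
"""

DEFAULT_COMMUNITIES = {"public", "private"}

PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest",
             0xA2: "GetResponse", 0xA3: "SetRequest", 0xA4: "Trap"}

# Names for a few MIB-II objects, including the ones discussed in the text.
KNOWN_OIDS = {
    "1.3.6.1.2.1.1.2.0": "sysObjectID.0",
    "1.3.6.1.2.1.1.4.0": "sysContact.0",
    "1.3.6.1.2.1.2.1.0": "ifNumber.0",
    "1.3.6.1.2.1.4.1.0": "ipForwarding.0",
    "1.3.6.1.2.1.6.15.0": "tcpOutRsts.0",
    "1.3.6.1.2.1.7.2.0": "udpNoPorts.0",
}


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for one BER TLV (short or long length)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value: bytes) -> str:
    """Decode a BER OBJECT IDENTIFIER value into dotted form."""
    parts = [value[0] // 40, value[0] % 40]  # first byte packs the first two arcs
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)        # base-128, high bit marks continuation
        if not b & 0x80:
            parts.append(acc)
            acc = 0
    return ".".join(map(str, parts))


def parse_snmpv1(datagram: bytes) -> dict:
    """Message ::= SEQUENCE { version INTEGER, community OCTET STRING, pdu }."""
    tag, msg, _ = read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, ver, pos = read_tlv(msg, 0)
    _, community, pos = read_tlv(msg, pos)
    pdu_tag, pdu, _ = read_tlv(msg, pos)
    pos = 0
    for _ in range(3):                       # request-id, error-status, error-index
        _, _, pos = read_tlv(pdu, pos)
    _, varbinds, _ = read_tlv(pdu, pos)
    oids, pos = [], 0
    while pos < len(varbinds):
        _, vb, pos = read_tlv(varbinds, pos)
        _, oid, _ = read_tlv(vb, 0)          # first element of a VarBind is the OID
        oids.append(decode_oid(oid))
    return {"version": int.from_bytes(ver, "big", signed=True),
            "community": community.decode("latin-1"),
            "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag)),
            "oids": oids}


def audit(datagram: bytes) -> list:
    """Findings a defender would act on: default community, write access."""
    msg = parse_snmpv1(datagram)
    names = ", ".join(KNOWN_OIDS.get(o, o) for o in msg["oids"])
    findings = []
    if msg["community"] in DEFAULT_COMMUNITIES:
        findings.append(f"default community '{msg['community']}' in {msg['pdu']} for {names}")
    if msg["pdu"] == "SetRequest":
        findings.append(f"write access attempted on {names}")
    return findings


# Constructed: GetRequest for sysObjectID.0 with community "public".
SAMPLE_GET = bytes.fromhex(
    "3026 020100 0406 7075626c6963"
    "a019 020101 020100 020100 300e 300c 0608 2b06010201010200 0500")
# Constructed: SetRequest writing sysContact.0 with community "private".
SAMPLE_SET = bytes.fromhex(
    "3028 020100 0407 70726976617465"
    "a31a 020102 020100 020100 300f 300d 0608 2b06010201010400 040178")

if __name__ == "__main__":
    for pkt in (SAMPLE_GET, SAMPLE_SET):
        print(parse_snmpv1(pkt), audit(pkt))
```

Pass it the UDP payloads of port 161 traffic from a capture; a GetNextRequest sequence with the default community is what an SNMP walk of the tables above looks like on the wire, and any SetRequest with 'private' is the write-access case the text describes.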
Countermeasure: Authenticate/encrypt using IPSec - SNMP (v1) may not have adequate
authentication and encryption facilities built in, but this is where IPSec can come to the rescue.
IPSec policies can be defined on the monitored systems and management stations so that all
SNMP traffic is authenticated and/or encrypted.
Countermeasure: Collect traps - If SNMP is enabled, monitor the Windows 2000 event logs.
Effective auditing can actually raise the level of security.