Basic hacking techniques - Enumeration - Part III


****** Enumeration *******
=== Author: Fantomas311 ===

Note: This article only helps you understand the methods an attacker can use to infiltrate a system. Intruding into and attacking the websites and systems of other individuals and organizations violates Vietnamese law.

Assuming that steps I and II failed, or that the information obtained was not sufficient to launch an immediate attack, the hacker would switch to identifying valid user accounts or poorly protected shared resources.

Enumeration is a way to extract valid accounts or resources from the system. In Part III, I will detail the most common methods and the basic tools of enumeration, the third step in basic hacking.

The main difference between the information-gathering techniques in Part I (footprinting) and Part II (scanning) and the enumeration techniques that follow lies in the hacker's level of intrusion. Enumeration involves active connections to systems and directed queries.

Much of the information gathered through enumeration may at first glance seem harmless. However, the information that leaks through the hole it opens can be disastrous. In general, once a valid user name or share has been enumerated, it is only a matter of time before the hacker guesses the corresponding password or finds weaknesses in the resource-sharing protocol in question.

The information that enumeration yields can be grouped roughly into the following categories:

++ Network resources and shared parts
++ User and groups
++ Applications and banners

Enumeration techniques are also specific to each server operating system, and therefore also depend on the information gathered in Parts I and II. In this section, I will cover enumeration techniques for the operating systems WinNT, Novell and Unix.

******* Windows NT ********

Why WinNT?? For enumeration, WinNT can be considered a close friend! Why? Read on!

+++ Enumerating WinNT domains with net view:

Windows is an operating system designed to make browsing network resources easy, so enumerating NT domains is extremely simple compared to other operating systems. In most cases, the tools built into the OS (Operating System) are enough. The net view command is a typical example. It lists the domains available on the network and then exposes the information of all computers in a domain (we can also use the results of the ping sweeps from the previous parts to learn the domain names of individual machines; just use the IP address instead of the server name). Here is an example:
First, list the domains on the network:
C:\> net view /domain
Then list the computers in a specific domain:
C:\> net view /domain:nindomain

+++ Enumerating NT domain controllers:

To dig a little deeper into the NT network structure, we need an NT Resource Kit tool (NTRK; note: this abbreviation is used a lot in this article!), also considered the Windows NT Hacking Kit, because the many powerful administrative utilities it offers are a double-edged sword. First, a brief introduction to this so-called NTRK:
- NTRK is a set of add-ons for WinNT, a CD of utilities for managing the network. It contains a set of powerful utilities ranging from the popular Perl language to ports of many Unix utilities, to remote administration tools that are not available in a plain WinNT installation. It is an indispensable kit for NT network administrators and also a useful toolbox for hackers who want to exploit WinNT. Perhaps because of that, the retail price of NTRK is about 200 USD. But, fine, there is still a free option for you at ftp://ftp.microsoft.com/bussys/winnt/winnt-public/reskit/
Back to enumerating NT domain controllers: for this we use the NTRK tool named nltest to identify the PDC (Primary Domain Controller) and BDCs (Backup Domain Controllers).
Command: C:\> nltest /dclist:[domain name]
To go even further, we need the holy grail of NT enumeration, the null (anonymous) session, which will be introduced shortly. After setting up a null session to one of the machines on the list of domain controllers, we can use nltest /server:[server name] /trusted_domains to find out about further NT domains related to the first one!

** The universal NT method: the null session **

Most of the information-gathering techniques I describe in this section use a security weakness of WinNT that allows anonymous users to connect and enumerate certain resources without "permission". This weakness is known as the "Red Button" (hiii, probably a login or submit button too); the null, or anonymous, session is still the most devastating weak spot that hackers look for on a network. I remember a very popular article on the internet with a "very bad" title, "a website defragment guide", which explains how to detect the anonymous-user weakness and exploit it!
To set up a null session, we use the syntax:
C:\> net use \\[IP]\IPC$ "" /user:""
This syntax connects to the hidden interprocess communication "share" (IPC$) at the IP address we supply, as the anonymous user (/user:"") with an empty password (""). If it succeeds, we have an open channel through which to use different techniques to "collect" as much information as possible: network information, shares, users, groups, Registry keys. Countermeasures against the NT null session will be covered in fantomas311's "basic security"; you are invited to read it.
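As an added example (not part of the original article), here is the defender's counterpart to the null session: spotting it in the Security log. The Python script below runs over a handful of constructed logon and share-access records (the field names follow the Windows 4624 logon and 5140 share-access event schema; the IP addresses and user names are made up) and flags source hosts that reached IPC$ anonymously or produced repeated anonymous network logons.

```python
# Added example (not from the original article): flag null-session style
# anonymous network logons in Windows Security log records.
# The records below are CONSTRUCTED for this example; the field names follow
# the Windows event schema (EventID 4624 logon, 5140 share access), but the
# values are made up.
from collections import Counter, defaultdict

# Constructed sample records (plain dicts rather than raw EVTX, to stay offline).
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "ANONYMOUS LOGON",
     "TargetDomainName": "NT AUTHORITY", "IpAddress": "192.168.202.77"},
    {"EventID": 5140, "SubjectUserName": "ANONYMOUS LOGON",
     "ShareName": "\\\\*\\IPC$", "IpAddress": "192.168.202.77"},
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "jsmith",
     "TargetDomainName": "CORP", "IpAddress": "192.168.202.10"},
    {"EventID": 5140, "SubjectUserName": "jsmith",
     "ShareName": "\\\\*\\pub", "IpAddress": "192.168.202.10"},
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "ANONYMOUS LOGON",
     "TargetDomainName": "NT AUTHORITY", "IpAddress": "192.168.202.77"},
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "ANONYMOUS LOGON",
     "TargetDomainName": "NT AUTHORITY", "IpAddress": "10.9.8.7"},
]

ANON = "ANONYMOUS LOGON"


def is_anonymous_network_logon(ev):
    """True for a 4624 network logon (LogonType 3) by the anonymous identity."""
    return (ev.get("EventID") == 4624 and ev.get("LogonType") == 3
            and ev.get("TargetUserName", "").upper() == ANON)


def is_anonymous_ipc_access(ev):
    """True for a 5140 share access to IPC$ by the anonymous identity."""
    return (ev.get("EventID") == 5140
            and ev.get("SubjectUserName", "").upper() == ANON
            and ev.get("ShareName", "").upper().endswith("IPC$"))


def find_null_sessions(events, threshold=2):
    """Return {ip: {"anon_logons": n, "ipc_access": bool}} for source IPs
    that either touched IPC$ anonymously or reached `threshold` anonymous
    network logons (repeated anonymous logons from one host is the
    enumeration pattern the article describes)."""
    logons = Counter()
    ipc = defaultdict(bool)
    for ev in events:
        ip = ev.get("IpAddress", "-")
        if is_anonymous_network_logon(ev):
            logons[ip] += 1
        if is_anonymous_ipc_access(ev):
            ipc[ip] = True
    suspects = {}
    for ip in set(logons) | set(ipc):
        if ipc[ip] or logons[ip] >= threshold:
            suspects[ip] = {"anon_logons": logons[ip], "ipc_access": ipc[ip]}
    return suspects


if __name__ == "__main__":
    for ip, info in sorted(find_null_sessions(SAMPLE_EVENTS).items()):
        print(f"{ip}: {info['anon_logons']} anonymous logon(s), "
              f"IPC$ access={info['ipc_access']}")
```

Some anonymous logons are legitimate (browser elections, older clients), so the threshold is a tuning knob rather than a verdict; the durable fix on the host side is the RestrictAnonymous setting the article mentions in the user-enumeration section.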

*** Enumerating NetBIOS shares ***

Once a null session is established, we can reuse the net view command to enumerate the shares on the remote system.
Three other tools in NTRK that enumerate shares are rmtshare, srvcheck and srvinfo.
One of the most appropriate tools for enumerating NT shares (and other things) is DumpACL, a free download at http://38.15.19.115 DumpACL audits everything, from file-system permissions to the services available on remote systems; it can even get basic user information through a harmless null session, and it can be run from the command line, which makes scripting and automation easy.
Opening null sessions and using the tools above by hand is an excellent method for targeted attacks, but most hackers use a NetBIOS scanner to quickly sweep the whole network for shares. One popular tool is Legion (which can be found on many internet archives). Legion can chew through a class C IP network and reveal every available share in its graphical interface. Version 2.1 includes a "brute-force tool" that attempts to connect to a specific share using a list of user-supplied passwords. Brute-force cracking for Win9x and WinNT will be covered in later parts.
Another popular Windows share scanner is the NetBIOS Auditing Tool (NAT), which can also be found on internet archives.

**** Other NT enumeration tools ****

There are also a number of other NT network information enumerators, such as Microsoft's epdump (http://www.ntshop.net/security/tools/def.htm), getmac and netdom in NTRK, and netviewx (http://www.ibt.ku.dk/jesper/NTtools/). epdump queries the RPC endpoint mapper and lists the services bound to IP addresses and port numbers. Over a null session, getmac displays the MAC addresses and device names of the network interface cards on remote machines; this is useful information for a hacker trying to identify a system with multiple interfaces on the network. netdom is even more useful, listing key information about NT domains on the wire, including domain membership and the names of Backup Domain Controllers. netviewx is often used to detect NT Remote Access Services (RAS) in order to get a sense of how many dial-up servers exist on the network.
Finally, it would be remiss not to mention SNMP (Simple Network Management Protocol) as an excellent source of NT information. SNMP will be covered in more detail in the next section: user enumeration in WinNT.

+++ Enumerating users and groups in WinNT

Before getting to user enumeration, a word about the tools needed for this technique. After identifying a list of users, hackers can use brute-force password-guessing tools. As with shares, a badly configured NT system gives up user information easily.
Again, we will use a null session to provide initial access for the known hacking tools. The first and simplest way to identify users on a remote Windows system is the nbtstat command:

C:\> nbtstat -A [IP]

This technique returns the contents of the remote system's NetBIOS name table: the system name, the domain it belongs to, and the logged-on users.
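To show concretely what that name table gives away, here is an added example (not from the original article) that parses the layout nbtstat -A prints. The sample table is constructed (the host, domain, user and MAC address are made up); the suffix meanings (<00>, <03>, <20>, <1B>, <1C>) are the standard NetBIOS name-table suffixes. An administrator can run it over nbtstat output from their own hosts to see exactly what a null session or a scanner would learn.

```python
# Added example (not from the original article): parse the NetBIOS name table
# that `nbtstat -A <IP>` prints and summarise what it discloses (machine name,
# domain/workgroup, logged-on user), so an administrator can audit what their
# own hosts expose over ports 137/139.
# The output below is CONSTRUCTED; it follows the layout of real nbtstat
# output, but the names and MAC address are made up.
import re

SAMPLE_NBTSTAT = """\
       NetBIOS Remote Machine Name Table

   Name               Type         Status
---------------------------------------------
FILESRV01      <00>  UNIQUE      Registered
CORPDOM        <00>  GROUP       Registered
FILESRV01      <20>  UNIQUE      Registered
CORPDOM        <1C>  GROUP       Registered
CORPDOM        <1B>  UNIQUE      Registered
JSMITH         <03>  UNIQUE      Registered
FILESRV01      <03>  UNIQUE      Registered

MAC Address = 00-11-22-AA-BB-CC
"""

# (suffix, scope) -> meaning of a NetBIOS name-table entry (standard suffixes).
SUFFIX_MEANING = {
    ("00", "UNIQUE"): "computer name (Workstation service)",
    ("00", "GROUP"): "domain or workgroup name",
    ("03", "UNIQUE"): "Messenger service (computer or logged-on user)",
    ("20", "UNIQUE"): "Server service (file/print sharing enabled)",
    ("1B", "UNIQUE"): "domain master browser (PDC)",
    ("1C", "GROUP"): "domain controllers group",
    ("1E", "GROUP"): "browser service elections",
}

# One table row: NAME <xx> UNIQUE|GROUP STATUS (header/MAC lines don't match).
ROW_RE = re.compile(r"^(\S+)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\w+)", re.M)
MAC_RE = re.compile(r"MAC Address\s*=\s*([0-9A-Fa-f-]{17})")


def parse_name_table(text):
    """Return a list of (name, suffix, scope, status) tuples."""
    return [(n, s.upper(), sc, st) for n, s, sc, st in ROW_RE.findall(text)]


def summarise(text):
    """Derive machine name, domain, logged-on users and services from the table."""
    rows = parse_name_table(text)
    info = {"computer": None, "domain": None, "users": [], "services": [], "mac": None}
    for name, suffix, scope, _status in rows:
        key = (suffix, scope)
        if key == ("00", "UNIQUE"):
            info["computer"] = name
        elif key == ("00", "GROUP"):
            info["domain"] = name
        elif key in SUFFIX_MEANING:
            info["services"].append(f"{name}<{suffix}>: {SUFFIX_MEANING[key]}")
    # A <03> UNIQUE name that is neither the computer name nor the domain is
    # the Messenger registration of a logged-on user.
    for name, suffix, scope, _status in rows:
        if (suffix, scope) == ("03", "UNIQUE") and name not in (info["computer"], info["domain"]):
            info["users"].append(name)
    m = MAC_RE.search(text)
    info["mac"] = m.group(1) if m else None
    return info


if __name__ == "__main__":
    for k, v in summarise(SAMPLE_NBTSTAT).items():
        print(f"{k}: {v}")
```

Blocking UDP/TCP 137-139 at the perimeter, or disabling NetBIOS over TCP/IP on hosts that do not need it, is what keeps this table from being readable from outside.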

Several other NTRK tools can provide information about users (with or without a null session), such as the usrstat, showgrps, local and global utilities, but the most common tool for getting user information is still DumpACL. DumpACL can pull a list of NT users, groups and user rights.

In addition, two other quite powerful NT enumeration tools are user2sid and sid2user by Evgenii Rudnyi (see http://www.chem.msu.sn:8080~rudnyi/NT/sid.txt). Using these two tools well takes time to learn. I can only say that they work even if the network administrator has enabled RestrictAnonymous; all they need is access to port 139!

**** SNMP (Simple Network Management Protocol) ****

An NT system running the NT SNMP agent is accessible by default with community strings such as "public". It is easy to enumerate NT users via SNMP using the snmputil SNMP browser in NTRK. However, this tool produces a lot of data that is considered "scary, hard to remember, hard to understand". So, to save yourself trouble (hacking has enough problems to solve already!!!), you can use SolarWinds' SNMP browser, IP Network Browser, at http://solarwinds.net. That concludes fantomas311's presentation of WinNT enumeration; next up is enumeration of Novell.

******** NOVELL *********

Although WinNT is said to be the friend of "null sessions", Novell's NetWare has similar problems:

+++ Network Neighborhood: Use Network Neighborhood to learn about the servers and "trees" available on the connection. This step does not directly threaten any information; it is just a simple starting step, but whatever works is good!!

+++ Connecting with Novell Client32

Novell's NetWare Services program runs in the system tray and lets you manage your NetWare connections through the NetWare Connections option, which can be extremely valuable for managing attachments and logins. More importantly, after creating an attachment you can retrieve the NDS tree the server belongs to, the connection number and the complete network address. This can be useful for connecting to the server later and gaining operator (admin) privileges.

+++ On-Site Admin: viewing Novell servers

Without having to authenticate to any single server, you can use Novell's On-Site Admin product (ftp://ftp.cdrom.com) to see the status of all servers on the wire. Instead of sending its own broadcast requests, On-Site Admin appears to display the servers that Network Neighborhood has found from the periodic advertisements Novell servers send on the network.

+++ On-Site Admin: browsing trees:

We can browse most Novell trees with On-Site Admin. In this case, Client32 actually attaches to the selected server inside the tree. The reason is that, by default, NetWare 4.x lets anyone browse trees. You can limit this by adding an inherited rights filter to the tree. The information obtained from On-Site Admin can help us move on to actively raiding the system. Novell enumeration ends here!!!!

******* UNIX *******

Most modern Unix variants rely on standard TCP/IP networking features and therefore do not give up information as readily as NT does through its NetBIOS or NetWare interfaces. Of course, that does not mean Unix is immune to enumeration techniques, but which technique produces the best results??? That depends on how the system is configured. Examples include Sun Microsystems' Remote Procedure Call (RPC), Network Information System (NIS) and Network File System (NFS), all in use for many years. We will cover some classic techniques shortly.

Before moving on, it is important to remember that most of the techniques described in Part III build on the information gathered from the port scanning and OS identification techniques described in "basic hacking Parts I and II".

+++ Shares and Unix network resources

The best source of Unix network information is the TCP/IP techniques described in Part II, but a better tool for digging deeper is the Unix showmount utility, which is useful for enumerating the file systems exported over NFS on a network. For example, suppose a previous scan showed port 2049 (NFS) listening on a potential target. We can then use showmount to see exactly which directories are being shared:

showmount -e 192.168.202.34
export list for 192.168.202.34
/pub (everyone)
/var (everyone)
/usr (user)

The -e switch lists the NFS server's export list. Unfortunately for security folks, and happily for the hacker, this information leak cannot be closed, because it is the default behaviour of NFS.

NFS is not the only file-sharing software you will find on Unix, thanks to the growing popularity of the open source Samba software, which provides seamless file and print services to SMB (Server Message Block) clients, the foundation of Windows networking. Samba can be downloaded from http://samba.org and is distributed with many Linux distributions. Although the Samba server configuration file (/etc/smb.conf) has some easy-to-understand security parameters, misconfiguration can still lead to unprotected network shares.
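Since both the NFS export list and smb.conf can expose shares without anyone noticing, here is an added example (not from the original article or from the Samba project) that audits both: it parses the format showmount -e prints and flags exports open to everyone, and it reads an smb.conf and flags shares that allow guest access without a host or user restriction. The showmount lines and the smb.conf are constructed samples; the smb.conf keys (guest ok, public, writable, read only, hosts allow, valid users) are real Samba options, but the hosts and share names are made up.

```python
# Added example (not from the original article): audit NFS and Samba share
# exposure from (a) the export list that `showmount -e` prints and (b) a
# Samba smb.conf. Both inputs below are CONSTRUCTED samples; the showmount
# lines mirror the article's example and the smb.conf keys are real Samba
# options, but the hosts and share names are made up.
import configparser
import io

SAMPLE_SHOWMOUNT = """\
Export list for 192.168.202.34:
/pub   (everyone)
/var   (everyone)
/usr   user
/home  10.1.0.0/16,admin-ws.example.test
"""

SAMPLE_SMB_CONF = """\
[global]
workgroup = CORPDOM
map to guest = Bad User

[pub]
path = /srv/pub
guest ok = yes
read only = no

[finance]
path = /srv/finance
valid users = @finance
hosts allow = 10.1.2.0/24

[scratch]
path = /srv/scratch
public = yes
"""

# Client specs that mean "any host may mount this export".
WORLD = {"(everyone)", "*", "everyone"}


def parse_showmount(text):
    """Return {export_path: [client, ...]} from `showmount -e` output."""
    exports = {}
    for line in text.splitlines()[1:]:          # first line is the banner
        if not line.strip():
            continue
        path, _, clients = line.partition(" ")
        exports[path] = [c.strip() for c in clients.strip().split(",") if c.strip()]
    return exports


def open_nfs_exports(text):
    """Exports mountable by any host (the article's '(everyone)' case)."""
    return sorted(p for p, clients in parse_showmount(text).items()
                  if any(c.lower() in WORLD for c in clients))


def open_smb_shares(text):
    """Shares with guest access enabled and no per-share host/user restriction.
    Samba treats 'public' as a synonym for 'guest ok' and 'writable = yes'
    as the same thing as 'read only = no'."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_file(io.StringIO(text))
    findings = []
    for share in cp.sections():
        if share in ("global", "homes", "printers"):
            continue
        s = cp[share]
        guest = s.get("guest ok", s.get("public", "no")).lower() == "yes"
        restricted = "hosts allow" in s or "valid users" in s
        if guest and not restricted:
            writable = (s.get("writable", "no").lower() == "yes"
                        or s.get("read only", "yes").lower() == "no")
            findings.append((share, "guest, " + ("writable" if writable else "read-only")))
    return findings


if __name__ == "__main__":
    print("world-mountable NFS exports:", open_nfs_exports(SAMPLE_SHOWMOUNT))
    print("guest-accessible SMB shares:", open_smb_shares(SAMPLE_SMB_CONF))
```

Only per-share settings are checked; a hosts allow placed in [global] would not be taken into account, so treat a finding as something to verify rather than a verdict. On the NFS side, the fix for a "(everyone)" export is to list the permitted clients in /etc/exports, since showmount itself cannot be told to hide the list.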

Another potential source of Unix network information is NIS. The main problem with NIS is that once you know the NIS domain name of a server, you can use a simple batch of RPC queries to collect any of its NIS maps. NIS maps are the maps that distribute important information about each host in the domain, such as the contents of the passwd file. Traditional NIS attacks often use NIS client tools to try to guess the domain name.

In addition, there are also some quite useful exploitation tools, such as psean and snmpwalk.

+++ Unix user and group names:

This technique does not produce much valuable information; it can only tell you which user is root on the target server. Tools: finger, rusers, rwho

****** Basic hacking Part III pauses here. After three basic steps, you already have a lot of specific information and tools that will guide you later. I hope that through these three articles fantomas311 has brought you the basics of hacking! Be happy! For more details on the article, contact fantomas311@yahoo.com *
