Anti-Hacker Tool Kit, Second Edition
Chapter 7, Windows Enumeration Tools
2016/5/23
Information Networking Security and Assurance Lab
National Chung Cheng University
Kai, 2004 insa
Outline
 Winfingerprint
 GetUserInfo
 Enum
 PsTools
Objective
To demonstrate how to collect knowledge about remote computers for your own, oblique uses.
Principle
 IPC$ share (InterProcess Communication): a default share on Windows NT, 2000 and XP.
 It handles communication between applications on a single system or among remote systems.
Winfingerprint
 Winfingerprint pulls the most information possible across the IPC$ share.
 The system type and its operating system.
 This lists the NetBIOS names of other systems that have connected to the target.
 The server's local time: many times the time helps narrow down the target's physical location.
 A complete service list tells you what programs are installed and potentially active.
 Lists each installed Hotfix.
 The system ID (SID) list is also useful when you're trying to delve into BDCs, databases, or the Active Directory structure.
 Local enumeration of the server's event log and of the systems in its network neighborhood (administrator access required); knowing the server's time is also what you need to schedule remote jobs with the AT command.
 The development builds support SNMP.
 GetUserInfo
 Gets the account information of Administrator.
 Every user on the system can be enumerated with the dot character.
 Bad passwords might be an indicator of a brute-force attack.
 The password age might be an indicator of old, unchanged passwords.
 The number of logons is an indicator of how trafficked the system is in relation to the account.
 ENUM
 enum is a console-based Win32 information enumeration utility. Using null sessions, enum can retrieve userlists, machine lists, sharelists, namelists, group and member lists, password and LSA policy information. enum is also capable of a rudimentary brute force dictionary attack on individual accounts.
 It establishes its connections over the IPC$ share as a NULL session (anonymous user). The information is available over port 139 or port 445.
 The options return information about the target:
1. To gather user-related information. It returns a list of users: not only information about the target, but also an excellent target list for password guessing.
2. To enumerate the server and gather Local Security Authority (LSA) policy information, and to reveal file shares.
3. We can also infer from the user list that Internet Information Server (IIS) (IUSR_ALPHA, IWAM_ALPHA) and Terminal Service (TsInternetUser) are installed on the system.
 ENUM
 The Administrator account has no password.
 Note: Many organizations rename the Administrator account, and then rename the Guest account to "Administrator." The impatient hacker who doesn't find the true Administrator will be wasting her time.
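As an added example (not code from the page, GetUserInfo or PsGetSid), the script below does in one pass what the GetUserInfo slide and this note ask for: it reads every account on a system through the WinNT ADSI provider, reports the three indicators named on the GetUserInfo slide (bad password count, password age, last logon), and resolves each account's SID so the real Administrator (RID 500) and the real Guest (RID 501) are identified whatever they have been renamed to. `$Computer`, the two thresholds and the "DECOY" label are assumptions for this example.

```powershell
# Added example, not from the original page. Windows PowerShell; works locally or, with
# suitable credentials and the Server service reachable over IPC$, against a remote NetBIOS name.
param(
    [string]$Computer = '.',          # assumed default: local machine
    [int]$MaxPasswordAgeDays = 90,    # assumed threshold for "old, unchanged passwords"
    [int]$BadPasswordThreshold = 5    # assumed threshold for "brute-force attack?"
)

$root  = [ADSI]"WinNT://$Computer"
$users = $root.Children | Where-Object { $_.SchemaClassName -eq 'user' }

$report = foreach ($u in $users) {
    $name  = [string]$u.Name.Value
    $flags = [int]$u.UserFlags.Value
    $sid   = New-Object System.Security.Principal.SecurityIdentifier($u.objectSid.Value, 0)
    $rid   = [int]$sid.Value.Split('-')[-1]        # last sub-authority: 500 = built-in Administrator, 501 = Guest
    $age   = [int]$u.PasswordAge.Value / 86400     # PasswordAge is seconds since the last change
    $bad   = [int]$u.BadPasswordAttempts.Value     # reset when the lockout observation window expires
    $last  = $null
    try { $last = $u.LastLogin.Value } catch { }   # the getter throws for an account that has never logged on

    $notes = @()
    if ($rid -eq 500) { $notes += 'REAL-ADMINISTRATOR' }
    if ($rid -eq 501) { $notes += 'REAL-GUEST' }
    if ($rid -eq 501 -and $name -eq 'Administrator') { $notes += 'DECOY' }   # renamed Guest wearing the admin name
    if ($bad -ge $BadPasswordThreshold) { $notes += 'BRUTE-FORCE?' }
    if ($age -gt $MaxPasswordAgeDays)   { $notes += 'STALE-PASSWORD' }
    if ($flags -band 0x2)     { $notes += 'DISABLED' }            # ADS_UF_ACCOUNTDISABLE
    if ($flags -band 0x10)    { $notes += 'LOCKED' }              # ADS_UF_LOCKOUT
    if ($flags -band 0x10000) { $notes += 'PWD-NEVER-EXPIRES' }   # ADS_UF_DONT_EXPIRE_PASSWD

    [pscustomobject]@{
        Name            = $name
        SID             = $sid.Value
        RID             = $rid
        PasswordAgeDays = [math]::Round($age, 1)
        BadPasswords    = $bad
        LastLogin       = $last
        Notes           = ($notes -join ' ')
    }
}

$report | Sort-Object RID | Format-Table -AutoSize
```

The RID is what PsGetSid exposes as well: `psgetsid \\target Administrator` on a host that uses the renaming trick returns a SID ending in -501, and the account that really ends in -500 is the one worth guessing against. A renamed Administrator therefore slows down only an attacker who never looks at SIDs.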
 What sets these tools apart is that they all allow you to manage remote systems as well as the local one.
 The prerequisites for using these tools:
 Proper user credentials.
 The "Server" service must be started on the target system. The "NetLogon" service helps pass credentials across the domain.
 The "RemoteRegistry" service is used for certain functions, such as PsInfo's hotfix enumeration.
 The IPC$ share must be available.
 Make sure that your Windows 2000 and XP servers are using NTLMv2 to avoid sniffing attacks.
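As an added example (not code from the page or from Sysinternals), the script below checks the prerequisites listed above against one target before PsInfo or PsExec is run, and reports whether the host is on NTLMv2. `$Target` and the credential are assumptions; the account has to be a local administrator on the target for ADMIN$ and the remote registry to answer.

```powershell
# Added example, not from the original page. Windows PowerShell, run from a host that can reach
# TCP 445 on $Target (assumed name).
param(
    [Parameter(Mandatory = $true)][string]$Target,
    [pscredential]$Credential = (Get-Credential -Message 'Account with admin rights on the target')
)

$nc   = $Credential.GetNetworkCredential()
$acct = if ($nc.Domain) { "$($nc.Domain)\$($nc.UserName)" } else { $nc.UserName }
$r    = [ordered]@{ Target = $Target }

# 1. Authenticated IPC$ session: the SCM, remote registry and ADMIN$ checks below ride on it.
net use "\\$Target\IPC$" $nc.Password /user:$acct 2>&1 | Out-Null
$connected = ($LASTEXITCODE -eq 0)
$r.IPC = if ($connected) { 'connected' } else { "failed (net use exit $LASTEXITCODE)" }

if ($connected) {
    # 2. Server, NetLogon and RemoteRegistry (RemoteRegistry is what PsInfo's hotfix list needs).
    foreach ($svc in 'LanmanServer', 'Netlogon', 'RemoteRegistry') {
        $s = Get-Service -ComputerName $Target -Name $svc -ErrorAction SilentlyContinue
        $r[$svc] = if ($s) { [string]$s.Status } else { 'not found / unreachable' }
    }

    # 3. ADMIN$ (= %SYSTEMROOT%), where PsExec copies its service binary and runs by default.
    $r.ADMIN = if (Test-Path "\\$Target\ADMIN$\system32") { 'accessible' } else { 'denied' }

    # 4. LmCompatibilityLevel. Unset means 0 on 2000/XP: LM and NTLM responses are sent, both
    #    recoverable from a sniffed exchange. 3 = send NTLMv2 only; 5 = also refuse LM/NTLM.
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Target)
        $lvl  = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa').GetValue('LmCompatibilityLevel', 0)
        $r.LmCompatibilityLevel = $lvl
        $r.NTLMv2 = if ($lvl -ge 3) { 'yes' } else { 'NO: set LmCompatibilityLevel to 3 (or 5), i.e. "Send NTLMv2 response only"' }
    } catch {
        $r.LmCompatibilityLevel = "remote registry failed: $($_.Exception.Message)"
    }

    net use "\\$Target\IPC$" /delete /y 2>&1 | Out-Null
}

[pscustomobject]$r
```

Anything reported as unreachable or denied here is the reason a PsTools command later fails with an access or RPC error; the NTLMv2 line is the one setting on this list that protects the credentials you just sent over the wire.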
PsFile – shows files opened remotely
 See the open connections on the remote server.
 Close a connection based on its ID.
PsLoggedOn – see who's logged on locally and via resource sharing
 Users logged on locally.
 Users logged on via resource shares.
PsGetSid – display the SID of a computer or a user
 Get an account's SID from a remote host.
 Get another account's SID from a remote host.
PsInfo – list information about a system
 List system information, including hotfixes.
 A batch file makes this system enumeration easy.
PsService – view and control services
 Usage of PsService.
PsList – list detailed information about processes
 Filter: processes whose name starts with iexplore.
 Displays each process and its threads in a tree format.
PsKill – kill processes by name or process ID
PsSuspend – suspends processes
 To resume a process.
PsLogList – dump event log records
 Any of the three event logs, application, security, or system, can be viewed.
 Retrieve events After and Before the supplied date in mm/dd/yy format.
 Filter events based on one of the five types: Warning (w), Information (i), Errors (e), Audit Success, and Audit Failure.
 Clear the logfile after it has been dumped.
 Reads the binary event log file from any system.
PsExec – execute processes remotely
 By default, PsExec works from the %SYSTEMROOT%\system32 directory.
 Display the remote host's network configuration.
 You must have access to the ADMIN$ share and proper credentials for this tool to work.
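As an added example (not code from the page or from Sysinternals), the script below expresses the PsLogList filters from the previous slide (log name, the -a/-b date window, the entry type) as a `Get-EventLog` query and applies them to the two traces the tools in this chapter leave on a target: the Security-log logon failures generated by enum's dictionary attack, and the System-log service installation that PsExec causes by dropping PSEXESVC through ADMIN$. Event IDs 4625 and 7045 and the replacement-string positions are taken from the Vista-and-later event templates (on Windows 2000/XP the failed logon is event 529 with a different layout); `$Computer`, the window and the threshold are assumptions. `Get-EventLog` exists in Windows PowerShell 5.1, not in PowerShell 7.

```powershell
# Added example, not from the original page. Windows PowerShell 5.1; reading the Security log
# of a remote $Computer needs an account with that right on the target.
param(
    [string]$Computer = '.',                      # assumed default: local machine
    [datetime]$After  = (Get-Date).AddDays(-1),   # psloglist -a mm/dd/yy
    [datetime]$Before = (Get-Date),               # psloglist -b mm/dd/yy
    [int]$FailureThreshold = 10                   # assumed: failures per source/account before it is listed
)

# Security log, "Audit Failure" type only, event 4625 = an account failed to log on.
$failures = Get-EventLog -ComputerName $Computer -LogName Security -EntryType FailureAudit `
                         -After $After -Before $Before -ErrorAction SilentlyContinue |
            Where-Object { $_.EventID -eq 4625 }

$grouped = $failures | ForEach-Object {
    $r = $_.ReplacementStrings
    [pscustomobject]@{
        Source    = $r[19]                  # IpAddress ('-' when local)
        Account   = "$($r[6])\$($r[5])"     # TargetDomainName\TargetUserName
        LogonType = $r[10]                  # 3 = network: what net use and enum -D produce
        SubStatus = $r[9]                   # 0xC0000064 no such user, 0xC000006A wrong password
    }
} | Group-Object Source, Account | Sort-Object Count -Descending

"Logon failures $After .. $Before, source/account pairs with at least $FailureThreshold attempts:"
$grouped | Where-Object { $_.Count -ge $FailureThreshold } |
    Select-Object Count, Name, @{ n = 'SubStatus'; e = { ($_.Group.SubStatus | Sort-Object -Unique) -join ' ' } } |
    Format-Table -AutoSize

# System log, event 7045 = "A service was installed in the system". PsExec installs PSEXESVC on
# every run (a different name only if the caller used -r), so the default name is a direct hit.
"Service installs in the same window:"
Get-EventLog -ComputerName $Computer -LogName System -Source 'Service Control Manager' `
             -After $After -Before $Before -ErrorAction SilentlyContinue |
    Where-Object { $_.EventID -eq 7045 } |
    ForEach-Object {
        $r = $_.ReplacementStrings
        [pscustomobject]@{
            Time        = $_.TimeGenerated
            ServiceName = $r[0]
            ImagePath   = $r[1]
            RunAs       = $r[4]
            PsExec      = ($r[0] -eq 'PSEXESVC' -or $r[1] -match 'PSEXESVC')
        }
    } | Format-Table -AutoSize
```

A run of 0xC000006A failures against one account from one source inside a short window is the footprint of enum's dictionary mode; a mix of 0xC0000064 results means the attacker is still guessing names, which is what the user list from a null session removes the need for. The 7045 rows should be matched against change records, since PSEXESVC from a workstation that has no business administering the host is remote execution with someone's admin credentials.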
PsShutdown – shuts down and optionally reboots a computer
 Usage of PsShutdown.
Reference
 Winfingerprint: http://winfingerprint.sourceforge.net/
 GetUserInfo: http://www.joeware.net/win32/index.html
 enum: http://razor.bindview.com/tools/desc/enum_readme.html
 PsTools: http://www.sysinternals.com/ntw2k/freeware/pstools.shtml