Tuesday, January 26, 2010

Hacking Tool: NAT

The NetBIOS Auditing Tool (NAT) is designed to explore the NetBIOS file-sharing services offered by the target system.

It implements a stepwise approach to gather information and attempt to obtain file system-level access as though it were a legitimate local client.

If a NetBIOS session can be established at all via TCP port 139, the target is declared "vulnerable", with the remaining question being to what extent.

Once the session is fully set up, transactions are performed to collect more information about the server including any file system "shares" it offers.


Attempts are then made to connect to all listed file system shares and some potentially unlisted ones. If the server requires passwords for the shares, the same default usernames and passwords tried during session setup are attempted. Any successful connections are then explored for writeability and for some known file-naming problems.


Information is collected under the appropriate vulnerability at most of these steps, since any point along the way may be blocked by the security configuration of the target. Most Microsoft-OS based servers and Unix Samba servers will yield computer names and share lists, but will not allow actual file-sharing connections without a valid username and/or password. A remote connection to a share is therefore a possibly serious security problem, and a connection that allows writing to the share almost certainly is. Let's take a look at output from NAT.exe:

[*]--- Checking host:
[*]--- Obtaining list of remote NetBIOS names
[*]-- Remote systems name tables:
[*]--- Attempting to connect with name: JOHN
[*]--- CONNECTED with name: JOHN
[*]--- Attempting to establish session 
[*]--- Obtained server information:

Server= [JOHN] User= [] Workgroup= [WORKGROUP] Domain= [WORKGROUP]
[*]--- Obtained listing of shares:

     Sharename      Type     Comment 
     ---------      ----     ------
     D              Disk:
     IPC$           IPC:     Remote Inter Process Communication
[*]--- Attempting to access share: \\JOHN\D
[*]--- WARNING: Able to access share: \\JOHN\D
[*]--- Checking write access in: \\JOHN\D
[*]--- WARNING: Directory is writeable: \\JOHN\D
[*]--- Attempting to exercise... bug on: \\JOHN\D

ALL NetBIOS Tools Available @ http://www.cotse.com/tools/netbios.htm

Hacking Tool:DumpSec

DumpSec, presently available as freeware from SomarSoft and downloadable at http://www.systemtools.com/somarsoft/, is a security auditing program for Windows systems. It dumps the permissions (DACLs) and audit settings (SACLs) for the file system, registry, printers and shares in a concise, readable listbox (text) format, so that holes in system security are readily apparent. DumpSec also dumps user, group and replication information.

DumpSec takes advantage of the NetBIOS API and works by establishing a null session to the target box as the null user, the equivalent of the [net use \\server "" /user:""] command. It then makes NET* enumeration application program interface (API) calls such as NetServerGetInfo (exported by the Netapi32 library).

It allows users to remotely connect to any computer and dump permissions, audit settings, and ownership for the Windows NT/2000 file system into a format that is easily converted to Microsoft Excel for editing. Hackers can choose to dump either NTFS or share permissions. It can also dump permissions for printers and the registry.

The highlight is DumpSec's ability to dump the users and groups in a Windows NT or Active Directory domain. There are several reporting options and the hacker can choose to dump the direct and nested group memberships for every user, as well as the logon scripts, account status such as disabled or locked out, and the 'true' last logon time across all domain controllers. The user can also get password information such as 'Password Last Set Time' and 'Password Expires Time'. To summarize, Dumpsec can pull a list of users, groups, and the NT system's policies and user rights.

NetBIOS Enumeration

---NBTscan is a program for scanning IP networks for NetBIOS name information.

---For each host that responds it lists the IP address, NetBIOS computer name, logged-in user name and MAC address.

---The first thing a remote attacker will try on a Windows 2000 network is to get a list of the hosts attached to the wire:

     net view /domain

     nbtstat -A <IP address>

If an attacker notes a Windows OS with port 139 open, he will be interested in checking what resources he can access or view on the remote system. This is shown in the screenshot above. However, the remote system only advertises the Server service name (suffix <20>), and with it any shares, if File and Printer Sharing is enabled.

Using these techniques the attacker can launch two types of attack on the remote computer having NetBIOS. He can choose to read/write to a remote computer system depending on the availability of shares. Alternatively he can launch a denial of service.

A recent instance was reported in August 2002, when Microsoft issued an advisory stating that an attacker could exploit an unchecked buffer in the network share provider on machines that have anonymous access enabled, by sending a malformed SMB request to a target computer and crashing it.

Attack Methods - Let us adopt an attacker's perspective on his port scan results.

On finding port 139 open, the attacker can first use the nbtstat command:

Usage: nbtstat [-a RemoteName] [-A IP_address] [-c] [-n] [-R] [-r] [-S] [-s] [interval]

Note that an attacker will take particular interest in the <03> suffix: it is registered both for the computer and for the logged-on user, so the unique <03> name that differs from the computer name is the user currently logged in. We then try to connect to this remote machine using a null session. Usage: net use \\IP\IPC$ "" /user:"" This command connects to the machine with a null user name and a null password, as signified by the empty quotes. IPC$ is the hidden share on the particular IP that we try to access in order to list any shared resources. The two main drawbacks of nbtstat are that it operates on a single host at a time and that its output is rather inscrutable. The tool NBTScan addresses both issues.

Tools - A tool that can be used for such enumeration is NBTScan, written by Alla Bezroutchko and available at http://www.inetcat.org/software/nbtscan.html. NBTscan is a program for scanning IP networks for NetBIOS name information. It sends a NetBIOS status query to each address in the supplied range and lists the received information in human-readable form. For each host that responds it lists the IP address, NetBIOS computer name, logged-in user name and MAC address. NBTscan sends its queries to UDP port 137. If that port is closed on the destination host, the destination replies with an ICMP "Port unreachable" message. See screenshot below.
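As an added illustration (my own code, not part of the original post or of NBTScan's source), the following Python builds the node status query that nbtstat -A and NBTScan send to UDP port 137 and parses a reply into the same fields NBTScan prints. The reply is constructed inline so the script runs offline; the host, user, workgroup and MAC in it are made up. The suffix interpretation (<00> workstation, <03> messenger / logged-on user, <20> Server service) follows the NetBIOS name service conventions referred to above.

```python
import struct

NBSTAT_QTYPE = 0x0021        # NODE STATUS query type (what nbtstat -A sends)
NAME_FLAG_GROUP = 0x8000     # G bit of NAME_FLAGS: group name rather than unique
NAME_FLAG_ACTIVE = 0x0400    # ACT bit: the name is in use
SUFFIX_WORKSTATION = 0x00    # <00>: workstation service (unique) / workgroup (group)
SUFFIX_MESSENGER = 0x03      # <03>: messenger, registered for computer AND logged-on user
SUFFIX_SERVER = 0x20         # <20>: Server service, present only with File and Printer Sharing


def encode_name(raw16: bytes) -> bytes:
    """RFC 1002 first-level encoding of a 16-byte NetBIOS name (15 name bytes
    plus the suffix byte): every nibble becomes one character in 'A'..'P'.
    Returns the 34-byte label: length 0x20, 32 characters, terminating zero."""
    if len(raw16) != 16:
        raise ValueError("NetBIOS names are exactly 16 bytes")
    chars = bytearray()
    for b in raw16:
        chars += bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)])
    return b"\x20" + bytes(chars) + b"\x00"


def build_status_request(txid: int = 0x1234) -> bytes:
    """Node status request for the wildcard name '*' (asks for the whole table)."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)   # one question, no flags
    wildcard = b"*" + b"\x00" * 15
    return header + encode_name(wildcard) + struct.pack("!HH", NBSTAT_QTYPE, 0x0001)


def _skip_name(buf: bytes, off: int) -> int:
    """Advance past a label sequence (node status packets use no compression)."""
    while True:
        length = buf[off]
        off += 1
        if length == 0:
            return off
        off += length


def parse_status_response(pkt: bytes) -> dict:
    """Parse a NODE STATUS RESPONSE and summarise it the way NBTScan does."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    if not flags & 0x8000 or ancount < 1:
        raise ValueError("not a node status response")
    off = 12
    for _ in range(qdcount):              # responses normally carry no question
        off = _skip_name(pkt, off) + 4
    off = _skip_name(pkt, off)            # RR_NAME
    rtype, _, _, rdlength = struct.unpack("!HHIH", pkt[off:off + 10])
    off += 10
    if rtype != NBSTAT_QTYPE:
        raise ValueError("unexpected RR type 0x%04x" % rtype)
    rdata = pkt[off:off + rdlength]
    num_names = rdata[0]
    if len(rdata) < 1 + 18 * num_names + 6:
        raise ValueError("truncated name table")
    names = []
    for i in range(num_names):
        entry = rdata[1 + 18 * i:1 + 18 * (i + 1)]
        name = entry[:15].rstrip(b" \x00").decode("ascii", "replace")
        suffix = entry[15]
        (name_flags,) = struct.unpack("!H", entry[16:18])
        names.append((name, suffix, bool(name_flags & NAME_FLAG_GROUP)))
    mac = rdata[1 + 18 * num_names:1 + 18 * num_names + 6]   # UNIT_ID field of STATISTICS

    unique = [(n, s) for n, s, g in names if not g]
    groups = [(n, s) for n, s, g in names if g]
    computer = next((n for n, s in unique if s == SUFFIX_WORKSTATION), None)
    # the unique <03> name that is not the computer's own is the logged-on user
    user = next((n for n, s in unique if s == SUFFIX_MESSENGER and n != computer), None)
    workgroup = next((n for n, s in groups if s == SUFFIX_WORKSTATION), None)
    return {
        "txid": txid,
        "computer": computer,
        "user": user,
        "workgroup": workgroup,
        "file_server": any(s == SUFFIX_SERVER for _, s in unique),
        "mac": ":".join("%02x" % b for b in mac),
        "names": names,
    }


def sample_response(txid: int = 0x1234) -> bytes:
    """A CONSTRUCTED reply, not a capture: host JOHN in WORKGROUP, user ALICE logged on."""
    def entry(name: str, suffix: int, group: bool = False) -> bytes:
        flags = (NAME_FLAG_GROUP if group else 0) | NAME_FLAG_ACTIVE
        return name.encode().ljust(15, b" ") + bytes([suffix]) + struct.pack("!H", flags)

    table = [entry("JOHN", 0x00), entry("JOHN", 0x20), entry("WORKGROUP", 0x00, True),
             entry("JOHN", 0x03), entry("ALICE", 0x03)]
    mac = bytes.fromhex("001122334455")
    rdata = bytes([len(table)]) + b"".join(table) + mac + b"\x00" * 40   # 40 bytes of statistics
    header = struct.pack("!HHHHHH", txid, 0x8400, 0, 1, 0, 0)            # response, authoritative
    rr = encode_name(b"*" + b"\x00" * 15) + struct.pack("!HHIH", NBSTAT_QTYPE, 1, 0, len(rdata))
    return header + rr + rdata
```

To query a live host, send build_status_request() from a UDP socket to port 137 and hand the datagram that comes back to parse_status_response(); on Linux a closed port shows up as the ICMP port unreachable mentioned above, which a connected UDP socket surfaces as ConnectionRefusedError on the next receive.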

Null Session Countermeasure

--Null sessions require access to TCP 139 and/ or TCP 445 ports.

--You could also disable SMB services entirely on individual hosts by unbinding WINS Client TCP/IP from the interface.

--Edit the registry to restrict the anonymous user.

     -----Open regedt32, navigate to HKLM\SYSTEM\CurrentControlSet\Control\Lsa

     -----Choose Edit | Add Value

          Value Name: RestrictAnonymous

          Data Type: REG_DWORD

          Value: 2

"HKLM" refers to the hive "HKEY_LOCAL_MACHINE". If this is set to "1" anonymous connections are restricted. However, an anonymous user can still connect to the IPC$ share, though he is restricted as to which information is obtainable through that connection. A value of "1" restricts anonymous users from enumerating SAM accounts and shares. A value of "2", added in Windows 2000, restricts all anonymous access unless explicitly granted; it can break down-level clients and trust relationships that rely on anonymous enumeration, so test it before rolling it out. Therefore, the first registry key to check would be:

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous

The other keys to inspect are:

HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\NullSessionShares
and HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\NullSessionPipes

These are MULTI_SZ (multi-line string) registry parameters that list the shares and pipes, respectively, that are open to null sessions. These keys should be verified so that no unwarranted shares or pipes are open. Moreover, the ACLs on the keys themselves should be set such that only SYSTEM and Administrators can modify them.

In Windows 2000, the domain security policy lays down the protection measures for the domain controller. On systems that are not domain controllers, the 'Local Security Policy' must be configured to restrict anonymous connections. The value "No access without explicit anonymous permission" is the most secure and the equivalent of 2 in the registry value of the key HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymous discussed above.

Another step that is advisable is to disallow remote access completely except for specific accounts and groups. It would be prudent to block NetBIOS ports on the firewall or border router to increase network security. Blocking the following ports will prevent against Null Sessions (as well as other attacks that use NetBIOS)

135 TCP RPC endpoint mapper

137 TCP/UDP NetBIOS Name Service

138 TCP/UDP NetBIOS Datagram Service

139 TCP NetBIOS Session Service

445 TCP Microsoft-DS (Windows 2000 CIFS/SMB)

A best practice that comes in handy is to stop all services that are not otherwise required for the functioning of the system.

Wednesday, January 20, 2010

NetBIOS connection - So What's the Big Deal?

  • Anyone with a NetBIOS connection to your computer can easily get a full dump of all your usernames, groups, shares, permissions, policies, services and more using the Null user:

    C:\>net use \\IP\IPC$ "" /u:""

  • The above syntax connects to the hidden Inter Process Communication share (IPC$) at the IP address with the built-in anonymous user (/u:"") and a null ("") password.

  • The attacker now has a channel over which to attempt various techniques.

  • The CIFS/SMB and NetBIOS standards in Windows 2000 include APIs that return rich information about a machine via TCP port 139, even to unauthenticated users.

    The enumeration of machines and resources in a domain also makes it easier for an attacker to break in. If he is able to anonymously obtain the names of all of the machines in a domain, and then list the resource shares on those machines, it is only a matter of time before he finds a share which is open to "Everyone". Other possibilities include password cracking for a username that was enumerated, planting a backdoor for later access, dumping sensitive information, etc.
    Let us see how a null session is established and how a remote computer can be enumerated from the command prompt of a Windows machine. In the example shown below, we can see that establishing a null session on the target host reveals that the system root can be easily compromised, as the default permission for 'Everyone' may not have been changed and the shares are visible to all.

In a null session, the TCP/IP connection to port 139 is made first with the following: net use \\IP\IPC$ "" /user:"". The NetBIOS session service and SMB are then used to reach the hidden remote share IPC$. IPC$ is a special hidden share that exposes the named pipes of the 'server' process on the machine; because it is associated with a pipe it can be accessed remotely, which is what makes inter-process communication (IPC) with a remote system possible. This technique was programmatically written into an old exploit called the Red Button attack, which was addressed and fixed by Microsoft in Service Pack 3 for NT 4.0.

Once the attacker has a list of the remote shares, he could then attempt to map a remote share. An example of the command structure for the attack is shown in the screenshot above. This attack will only work if the share is not password protected, or if it is shared out to the 'Everyone' group.

Access to the hard drive is a serious security breach. Even if the attacker does not map a drive, he can gather sensitive information such as user accounts, the password policy and similar data that he can exploit later to continue his attack on the system. This may not be apparent to the victim initially, and the attacker can take advantage of the time lapse for more information gathering and for planting malicious code such as a virus or a Trojan. An open file share generally makes Trojan planting extremely easy. For instance, an intruder might place a key-logger batch file into the Startup folder to collect further information and perhaps log on later as an authenticated user.

Net Bios Null Sessions

  • The null session is often referred to as the Holy Grail of Windows hacking. Null sessions take advantage of flaws in CIFS/SMB (Common Internet File System / Server Message Block).

  • You can establish a Null Session with a Windows (NT/2000/XP) host by logging on with a null user name and password.

  • Using these null connections allows you to gather the following information from the host:

    • List of users and groups

    • List of machines

    • List of shares

    • Users and host SIDs (Security Identifiers)

      In the enumeration phase, the attacker gathers information such as network user and group names, routing tables, and Simple Network Management Protocol (SNMP) data. In addition to standard users, the OS also supports a unique type of user called the 'null' user, which is basically a pseudo-account that has no username or password but is allowed to access certain information on the network.

      The null user is capable of enumerating account names and shares on domain controllers, member servers, and workstations. This makes the null user, a user with no credentials, a potential means for crackers to elicit information and compromise the system.
      Let us take a look at a typical LAN Manager session on Windows NT 4.0.

Remote machines establish a session with the Windows NT server using a challenge response protocol. The security of the information channel is ensured through a sequence of communications as outlined below.

  • The remote machine (or session requestor / client) sends a request to the session server (or session acceptor). This may be within the same domain or across domains.

  • The session server responds by sending across a random 64-bit (8-byte) challenge to the client. The client responds with a 24-byte answer computed by encrypting the challenge with keys derived from the hash of the password of the user account that is requesting the session.

  • The session server accepts the response and verifies with the local security authority regarding the authentication of the user account and password.

  • The LSA confirms the identity of the requestor by verifying that the response was computed with the correct password hash for the user that the requestor purports to be. This confirmation occurs locally if the requestor's account is a local account on the server. However, if the requestor's account is a domain account, the challenge and response are forwarded to the relevant domain controller for (pass-through) authentication.

  • On authenticating the response, the session server builds an access token for the user and returns a session identifier (the SMB UID) to the client; the token itself stays on the server.

  • The client then uses this session to connect to resources on the server until the newly established session is terminated.

    Windows 2000 provides three groups whose membership is controlled by the administrator: Users, Power Users, and Administrators. The group whose membership is controlled by the operating system or domain is Authenticated Users. It is the same as the Everyone group, except that it does not contain anonymous users or guests. Unlike the Everyone group in Windows NT 4.0, the Authenticated Users group is not used to assign permissions. Only groups controlled by the administrator, primarily Users, Power Users, and members of the Administrators group, are used to assign permissions.

Now, let us take a look at a typical domain logon session on Windows 2000, which uses Kerberos rather than the LAN Manager challenge/response:

  • Here, the client sends a request for a ticket granting ticket (TGT) to the key distribution center (KDC) that resides on the domain controller (DC) of the concerned domain. The request carries pre-authentication data: a time stamp encrypted with a key derived from the user's password.

  • The KDC looks up the user's key in its database and decrypts the pre-authentication data with it, checking the time stamp for recentness of the request. A valid user account (and the correct password) results in successful decryption.

  • The KDC sends back a TGT, which contains among other information the security identifiers (SIDs) identifying the user and the groups, together with a session key encrypted with the user's key.

  • The client uses the ticket to obtain service tickets and access the required resources.

    A null session is an insecure (unauthenticated) connection with no proof of identity. No user and password credentials are supplied in the establishment of the session. No session key is exchanged when establishing a null session, and hence it is impossible for the system to send encrypted or even signed messages on behalf of the user under a null session.
    When the LSA is asked to create a token for a remote client communicating via a null session, it produces a token with a user SID of S-1-5-7 (the null logon session) and a user name of ANONYMOUS LOGON. We have seen earlier that on Windows NT 4.0 and 2000 Everyone is included in all tokens, and the null session is classified as a network logon. This gives the null user access to file system shares and named pipes. (From Windows XP and Server 2003 onwards, Anonymous Logon is no longer a member of Everyone unless the "Let Everyone permissions apply to anonymous users" policy is enabled.)

    Another area where null sessions are considered useful is when the LMHOSTS file uses the "#INCLUDE" tag: the share point that contains the included file must be set up as a null session share. Additionally, where a service running under the local SYSTEM account needs access to some network resource, a null session may be established to access that resource.

    An interesting part is that Null sessions can also be established at the API level with languages such as C++. Null sessions can be used to establish connections to 'null session pipes', if it is allowed by the server. A 'pipe' is a facility that allows a process on one system to communicate with a process on another system, while a inter process communication share allows communication between two processes on the same system.

    Null sessions can also be used to establish connections to shares, including such system shares as \\servername\IPC$. The IPC$ is a special hidden share. It may be noted that the IPC$ share is an interface to the 'server' process on the machine, also associated with a pipe so it can be accessed remotely. Null sessions make the enumeration of users, machines, and resources easier for administrative purposes especially across domains. This is the lure for the attacker who intends to use a null session to connect to the machine.

    During port scanning, the attacker takes note of any response from TCP port 139 and 445. Why would these ports interest an attacker? The answer lies in the SMB protocol.
    The SMB (Server Message Block) protocol is known for its use in file sharing on the Windows NT / 2000 series, among other things. Attackers can potentially intercept unsigned SMB packets, modify the traffic and forward it so that the server performs undesirable actions. Alternatively, the attacker could pose as the server or the client after a legitimate authentication and gain unauthorized access to data.

    SMB is the resource sharing protocol supported by many Microsoft operating systems; it runs over the network basic input/output system (NetBIOS) session service and, from Windows 2000, directly over TCP. SMB signing adds a message authentication code to every packet, so that once a session is set up neither side can be impersonated nor its traffic altered in transit. In Windows NT, SMB ran on top of NBT (NetBIOS over TCP/IP), making it a bulky protocol with a large header as well as consuming more time; it used ports 137 and 138 (UDP) and 139 (TCP). In Windows 2000, SMB was allowed to run directly over TCP/IP without the extra layer of NBT, and port 445 started being used for this purpose.

    Each SMB session consumes server resources. Establishing numerous null sessions will slow or possibly crash the server even in Windows 2003. An attacker could repeatedly establish SMB sessions until the server stops responding. SMB services will become slow or unresponsive.

Monday, January 4, 2010

What is Enumeration (PART 2)???

If target acquisition and non-intrusive probing have not turned up any results, then an attacker will next turn to identifying valid user accounts or poorly protected resource shares.

Enumeration involves active connections to systems and directed queries.

The type of information enumerated by intruders:


      Network resources and shares

      Users and groups

      Applications and banners

      The objective of the attacker will be to identify valid user accounts or groups where he can remain inconspicuous once he has compromised the system. Enumeration involves active connections being made to the target system, or subjecting it to directed queries made to a system. Normally, an alert and secure system will log such attempts. Often the information gathered is what the target might have made public - such as a DNS address. However, it is possible that the attacker stumbles upon a remote IPC share such as the IPC$ in windows, that can be probed with a null session and shares and accounts enumerated.

      On ascertaining the security posture of the target, the attacker can turn this information to his advantage by exploiting some resource sharing protocol or compromising an account. The information enumerated by hackers can be loosely grouped into the three categories listed above: network resources and shares, users and groups, and applications and banners.

What is Enumeration ??

Friends, for the next few days I will introduce the enumeration phase of hacking to you and try to explain its different aspects. After this you will be familiar with the following topics:

    * Understanding Windows 2000 enumeration
    * How to Connect via Null Session
    * How to disguise NetBIOS Enumeration
    * Disguise using SNMP enumeration
    * How to steal Windows 2000 DNS information using zone transfers
    * Learn to enumerate users via CIFS/SMB
    * Active Directory enumerations

Understanding this generic approach of hackers towards a system is the basis for the countermeasures discussed alongside each technique.


fbview - View pictures on a Linux console


fbview is an image viewer for Linux consoles, using the oFBis library. It uses libjpeg and libmagick to read images, and can handle a lot of different formats. The reason for using libjpeg separately is because it is much faster on decoding jpegs than libmagick is. Note, fbview only works on 8-bit displays.

fbview is released under the terms of GNU General Public License (GPL).

HTTPort - Bypass an HTTP proxy


HTTPort allows you to bypass an HTTP proxy, which is blocking you from the Internet. With HTTPort you may use the following software (just a sample list, not limited to !) from behind an HTTP proxy: e-mail, IRC, ICQ, news, FTP, AIM, any SOCKS capable software, etc. etc.

The basic idea is that you set up your Internet software in such a manner that it considers your local PC to be the remote server it needs. This is where HTTPort enters. It intercepts the connection from this software and runs the connection through the proxy; this is called tunneling. Your software should use TCP/IP. HTTPort does not work with UDP/IP. There are two ways you can set up your software for use with HTTPort:


      If your software uses a single fixed server (or a small range of them) with a single fixed port (or a small range): for instance, your software would like to connect to some.server.com:some_port. Create a new HTTPort mapping with any local port, preferably above 1024, remote server "some.server.com" and remote port "some_port". Point your software at that local port on your own PC as if it were the original server it needs.

      If your software can connect through a SOCKS4 proxy: point your software at HTTPort's built-in SOCKS4 server.


Bypassing Firewall using Httptunnel


Httptunnel creates a bidirectional virtual data path tunneled in HTTP requests. The requests can be sent via an HTTP proxy if so desired. This can be useful for users behind restrictive firewalls. If WWW access is allowed through a HTTP proxy, it's possible to use httptunnel and telnet or PPP to connect to a computer outside the firewall.

Here is how htc sends data to the destination:


      Open TCP connection to hts

      Send HTTP POST with a large Content-Length

      Send TUNNEL_DATA packets until POST Content-Length would be exceeded.

      Send TUNNEL_PADDING packets to exactly satisfy Content-Length - 1

      Send TUNNEL_DISCONNECT (1 byte)

      Close TCP connection

      Go to step 1

Here is how htc gets data from the destination.


      Open TCP connection to hts

      Send HTTP GET

      Wait for response from hts


      Close TCP connection

      Go to step 1
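To make the send loop concrete, here is an added Python example (my own code, not code from httptunnel) that frames a byte stream into POST bodies the way the steps above describe and decodes them on the receiving side. The record type values and the one-byte-type, two-byte-length layout are assumptions modelled on the scheme in httptunnel's tunnel.c and should be checked against the real source before interoperating; the host name in http_post is a placeholder.

```python
import struct

# Record types and layout are ASSUMED for this illustration (modelled on the
# scheme httptunnel uses); verify against tunnel.c before relying on them.
TUNNEL_SIMPLE = 0x40                       # flag: one-byte record, no length field
TUNNEL_DATA = 0x02                         # type, u16 length, payload
TUNNEL_PADDING = 0x03                      # type, u16 length, zero bytes
TUNNEL_PAD1 = 0x05 | TUNNEL_SIMPLE         # single padding byte
TUNNEL_DISCONNECT = 0x07 | TUNNEL_SIMPLE   # single byte that ends the POST body

HDR = 3               # type byte + 2-byte big-endian length
MAX_PAYLOAD = 0xFFFF  # largest length a u16 can express


def frame_posts(data: bytes, content_length: int) -> list:
    """Split data into POST bodies that are each exactly content_length bytes.

    Mirrors the htc send loop: DATA records until the next one would not fit,
    PADDING (or PAD1 bytes when fewer than HDR bytes remain) up to
    content_length - 1, then the 1-byte DISCONNECT.  Because the body length
    always equals the Content-Length announced in the header, a proxy that
    buffers whole requests sees nothing but well-formed POSTs.
    """
    if content_length < HDR + 2:
        raise ValueError("Content-Length too small for even one data byte")
    posts, pos = [], 0
    while pos < len(data):
        body = bytearray()
        budget = content_length - 1                      # reserve the DISCONNECT byte
        while pos < len(data) and budget - len(body) > HDR:
            n = min(MAX_PAYLOAD, len(data) - pos, budget - len(body) - HDR)
            body += struct.pack("!BH", TUNNEL_DATA, n) + data[pos:pos + n]
            pos += n
        room = budget - len(body)
        if room >= HDR:
            body += struct.pack("!BH", TUNNEL_PADDING, room - HDR) + b"\x00" * (room - HDR)
        else:
            body += bytes([TUNNEL_PAD1]) * room         # not enough room for a header
        body.append(TUNNEL_DISCONNECT)
        posts.append(bytes(body))
    return posts


def parse_posts(posts) -> bytes:
    """What hts does on the far side: walk the records and keep only DATA payloads."""
    out = bytearray()
    for body in posts:
        i = 0
        while i < len(body):
            rtype = body[i]
            if rtype & TUNNEL_SIMPLE:
                i += 1
                if rtype == TUNNEL_DISCONNECT:
                    break                                # end of this POST
                continue                                 # PAD1 and other one-byte records
            if i + HDR > len(body):
                raise ValueError("truncated record header")
            (length,) = struct.unpack("!H", body[i + 1:i + HDR])
            payload = body[i + HDR:i + HDR + length]
            if len(payload) != length:
                raise ValueError("truncated record payload")
            if rtype == TUNNEL_DATA:
                out += payload
            i += HDR + length
    return bytes(out)


def http_post(body: bytes, host: str = "hts.example.net", path: str = "/") -> bytes:
    """Wrap one framed body in the request htc would send, directly or via a proxy."""
    head = ("POST %s HTTP/1.1\r\nHost: %s\r\nContent-Length: %d\r\n\r\n"
            % (path, host, len(body))).encode()
    return head + body
```

The PAD1 branch is the edge case worth noticing: when only one or two bytes of budget remain there is no room for a three-byte padding header, so single-byte records are used to land exactly on Content-Length - 1 before the DISCONNECT byte.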

Tool: eMailTrackerPro

eMailTrackerPro analyzes the e-mail header and provides the IP address of the machine that sent the e-mail. This can then be used to track down the sender. This is especially helpful in preventing spamming and spoofing.

An email spoofer may just be trying to cause trouble or discredit the person being spoofed by sending some truly vile message to the recipient. The built-in location database tracks e-mails to a country or region of the world. eMailTrackerPro also provides hyperlink integration with VisualRoute.

Example: Received: from BBB (dns-name [ip-address]) by AAA ...

For tracking purposes, we are most interested in the from and by tokens in the Received header field, where BBB is the name the sending computer announced for itself (its HELO name), dns-name is the reverse DNS lookup on ip-address, ip-address is the address of the computer that connected to the mail server that generated this Received line, and AAA is that receiving server. The ip-address is the important item for tracking purposes.

Always base tracking decisions on the IP addresses in the header information and not on host names (which are a lookup from the IP address anyway), because mapping an IP address to a host name and back may yield a different IP address. Note also that only the Received lines added by servers you trust are reliable: the sender controls everything below them and can forge earlier lines. Attackers can further hide their origin by using an 'anonymizer' service for web-based email, so that the anonymizer's IP address appears in the header, or by relaying normal email through open mail relay servers.
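An added example (my own code, not part of eMailTrackerPro or of the original post) showing how to walk the Received lines in code. It goes a step beyond the text above: besides deciding on the IP rather than the name, it only trusts lines written by your own servers (identified by a host-name suffix and an address range you supply) and treats everything below them as sender-controlled. The headers are constructed for the example, using documentation address ranges and made-up host names.

```python
import re
import ipaddress

# "from <helo> (<dns-name> [<ip>]) ... by <host>", the shape most MTAs write.
# The parenthesised part is optional because some servers leave it out.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<dns>[^\s\[\]()]*)\s*\[(?:IPv6:)?(?P<ip>[0-9A-Fa-f.:]+)\]\))?"
    r".*?\bby\s+(?P<by>\S+)",
    re.IGNORECASE,
)

# CONSTRUCTED headers: the bottom Received line is one a spoofer added to
# make the message look as if it had originated at a bank's mail server.
SAMPLE_HEADERS = """\
Received: from mx1.example.com (mx1.example.com [192.0.2.10])
    by mail.example.com with ESMTP id 1NzAbC-0001xY-7q
    for <bob@example.com>; Tue, 26 Jan 2010 10:00:02 +0000
Received: from BBB (dsl-203-0-113-5.isp.example [203.0.113.5])
    by mx1.example.com with SMTP id 1NzAbB-0008Zz-Kk; Tue, 26 Jan 2010 10:00:00 +0000
Received: from mail.bank.example (mail.bank.example [10.1.1.1])
    by BBB with SMTP; Tue, 26 Jan 2010 09:00:00 +0000
From: "Bank Alerts" <alerts@bank.example>
To: bob@example.com
Subject: Action required
"""


def _is_private(ip):
    """True for RFC 1918, loopback and other non-routable space; None if unparsable."""
    try:
        return ipaddress.ip_address(ip).is_private
    except ValueError:
        return None


def received_hops(raw_headers):
    """Received hops in header order: index 0 was added by the LAST server
    (closest to the reader); each later entry is one hop further back."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw_headers)     # join folded header lines
    hops = []
    for line in unfolded.splitlines():
        if not line.lower().startswith("received:"):
            continue
        m = RECEIVED_RE.search(line)
        if not m:
            continue
        ip = m.group("ip")
        hops.append({
            "helo": m.group("helo"),
            "dns": m.group("dns") or None,
            "ip": ip,
            "by": m.group("by"),
            "private": _is_private(ip) if ip else None,
        })
    return hops


def origin_ip(raw_headers, trusted_suffix, internal_nets):
    """The IP the message really came from, judged only from Received lines
    that our own servers wrote.

    Walk from the newest hop downwards while the 'by' host is one of ours
    (trusted_suffix).  Hops whose 'from' IP lies inside internal_nets are our
    own relays, so keep going; the first outside IP is the machine that
    connected to us.  Everything below that hop was supplied by the sender and
    may be forged, so it is never consulted.
    """
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    suffix = trusted_suffix.lower()
    for hop in received_hops(raw_headers):
        if not hop["by"].lower().endswith(suffix):
            break                                   # left our infrastructure
        if hop["ip"] is None:
            continue                                # our server logged no address
        addr = ipaddress.ip_address(hop["ip"])
        if any(addr in net for net in nets):
            continue                                # relay-to-relay hop inside our network
        return hop["ip"]                            # decide on the IP, never the name
    return None
```

Run against SAMPLE_HEADERS with trusted_suffix ".example.com" and internal_nets ["192.0.2.0/24"], the answer is 203.0.113.5, the address that connected to mx1.example.com; the forged bottom line claiming mail.bank.example is never reached.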


Tool: VisualRoute Mail Tracker

E-mail spoofing is a security concern that most organizations face. It is often part of a social engineering tactic employed by attackers; sometimes even passwords are easily obtained if users are unaware of the consequences. The reason this information is sought after is that SMTP (Simple Mail Transfer Protocol) lacks authentication, and hence spoofing is easy.

An nslookup query for MX records (nslookup -type=MX domain) reveals the mail server. The attacker can connect to its SMTP port and issue commands in accordance with that protocol, and can breach the security of the firm or user if a vulnerability can be exploited. The attacker can use this to send email that appears to come from the address of the target user, even a mail asking users to change their passwords on behalf of the system administrator.
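As an added example (my own code, not from the original post or from any of the tools mentioned), the following Python models the SMTP dialogue the attacker drives: a minimal server state machine, a scripted client session, and the same server with the control that blocks the simplest form of this spoof, namely refusing MAIL FROM addresses in our own domain from clients that have not authenticated. The domain, addresses and message text are constructed for the example.

```python
import re

LOCAL_DOMAIN = "example.com"     # ASSUMED domain this server accepts mail for


class MiniSmtpServer:
    """Just enough of the SMTP dialogue (HELO, MAIL, RCPT, DATA, QUIT) to show
    why spoofing works: nothing in the protocol asks who is really sending.

    require_auth_for_local=True adds the usual fix: a MAIL FROM that claims one
    of our own addresses is refused unless the client has authenticated
    (SMTP AUTH, or a submission-only interface reachable from inside)."""

    def __init__(self, require_auth_for_local=False, client_authenticated=False):
        self.require_auth_for_local = require_auth_for_local
        self.client_authenticated = client_authenticated
        self.messages = []                      # (sender, recipients, body) accepted
        self._reset()

    def _reset(self):
        self.sender, self.rcpts, self.body, self.in_data = None, [], [], False

    def handle(self, line: str) -> str:
        """Feed one client line; return the server's reply ('' while inside DATA)."""
        if self.in_data:
            if line == ".":
                self.messages.append((self.sender, list(self.rcpts), "\r\n".join(self.body)))
                self._reset()
                return "250 OK: queued"
            self.body.append(line[1:] if line.startswith("..") else line)   # dot-stuffing
            return ""
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return "250 mail.%s Hello %s" % (LOCAL_DOMAIN, arg)
        if verb == "MAIL":
            m = re.match(r"FROM:\s*<([^>]*)>", arg, re.I)
            if not m:
                return "501 Syntax: MAIL FROM:<address>"
            addr = m.group(1)
            claims_local = addr.lower().endswith("@" + LOCAL_DOMAIN)
            if self.require_auth_for_local and claims_local and not self.client_authenticated:
                return "550 5.7.1 Authentication required to send as " + addr
            self.sender = addr
            return "250 OK"
        if verb == "RCPT":
            if self.sender is None:
                return "503 Need MAIL command first"
            m = re.match(r"TO:\s*<([^>]*)>", arg, re.I)
            if not m:
                return "501 Syntax: RCPT TO:<address>"
            self.rcpts.append(m.group(1))
            return "250 OK"
        if verb == "DATA":
            if not self.rcpts:
                return "503 Need RCPT command first"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 Bye"
        return "500 Command not recognized"


# CONSTRUCTED attacker session: an outside host claims to be the local admin.
SPOOF_SESSION = [
    "HELO attacker.invalid",
    "MAIL FROM:<administrator@example.com>",
    "RCPT TO:<bob@example.com>",
    "DATA",
    "From: administrator@example.com",
    "Subject: Password reset required",
    "",
    "Please reply with your current password so we can reset it.",
    ".",
    "QUIT",
]


def run_session(server: MiniSmtpServer, client_lines):
    """Drive the server with a scripted client; return only the replies it sent."""
    return [r for r in (server.handle(l) for l in client_lines) if r]
```

With the default server the forged message is queued for bob with administrator@example.com as its envelope sender; with require_auth_for_local the MAIL command is refused with a 550 and every later command fails with 503, so nothing is accepted. The same server accepts the message again once client_authenticated is True, which is the legitimate path for internal senders.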

This is useful when the email address is the only information available at hand.

An attacker might use this to track the user to their e-mail server. An added benefit is that he will be able to see what SMTP software the mail server is running (many times with version information as well). Information about the mail server can help if the attacker knows a vulnerability that can be exploited in order to gain more access to other resources or to cause damage to the system.

Readers who are interested in reading a real scenario may refer to the 'Bunratty Attack' by Vince Gallo. It shows how he created covert channels using valid mapi email. A copy of the presentation is available at http://chi-publishing.com/isb/backissues/ISB 2001/ISB0605/ISB0605VG.pdf

It demonstrates how one can use a valid application (in this case mapi email) to covertly communicate with and even remotely control a system on an otherwise protected network. All traffic appears to be valid email.

The other tool that can analyze email headers is eMailTrackerPro