- Anyone with a NetBIOS connection to your computer can easily get a full dump of all your usernames, groups, shares, permissions, policies, services and more using the Null user.
The above syntax connects to the hidden Inter Process Communication 'share' (IPC$) at IP address 192.34.34.2 with the built-in anonymous user (/u:"") and a null ("") password.
The attacker now has a channel over which to attempt various techniques.
The CIFS/SMB and NetBIOS standards in Windows 2000 include APIs that return rich information about a machine via TCP port 139 - even to unauthenticated users.
C:\>net use \\192.168.104.81\IPC$ "" /u:""
The enumeration of machines and resources in a domain also makes it easier for an attacker to break in. If he is able to anonymously obtain the names of all of the machines in a domain, and then list the resource shares on those machines, it is only a matter of time before he finds a share which is open to "Everyone". Other possibilities include password cracking for a username that was enumerated, planting a backdoor for later access, dumping sensitive information, etc. Let us see how a null session is established and how a remote computer can be enumerated from the command prompt of a Windows machine. In the example shown below, we can see that establishing a null session on the target host reveals that the system root can be easily compromised, as the default setting of 'Everyone' may not have been changed and the shares are visible to all.
Net Bios Null Sessions
The null session is often referred to as the Holy Grail of Windows hacking. Null sessions take advantage of flaws in CIFS/SMB (Common Internet File System / Server Message Block).
You can establish a Null Session with a Windows (NT/2000/XP) host by logging on with a null user name and password.
Using these null connections allows you to gather the following information from the host:
List of users and groups
List of machines
List of shares
Users and host SIDs (Security Identifiers)
In the enumeration phase, the attacker gathers information such as network user and group names, routing tables, and Simple Network Management Protocol (SNMP) data.
However, in addition to the standard user, the OS also supports a unique type of user called the 'null' user, which is basically a pseudo-account that has no username or password but is allowed to access certain information on the network.
The Null user is capable of enumerating account names and shares on domain controllers, member servers, and workstations. This makes the Null user, a user with no credentials, a potential means for crackers to elicit information and compromise the system. Let us take a look at a typical LANMAN session on Windows NT 4.0.
1. The remote machine (or session requestor / client) sends a request to the session server (or session acceptor). This may be within the same domain or across domains.
2. The session server responds by sending a random 64-bit challenge to the client. The client responds with a 24-bit answer, which is hashed with the password of the user account that is requesting the session.
3. The session server accepts the response and checks with the local security authority (LSA) regarding the authentication of the user account and password.
4. The LSA confirms the identity of the requestor by verifying that the response was hashed with the correct password for the user that the requestor purports to be. This confirmation occurs locally if the requestor's account is a local account on the server. However, if the requestor's account is a domain account, the response is forwarded to the relevant domain controller for authentication.
5. On authenticating the response, an access token is generated by the session server and sent to the client.
6. The client then uses this access token to connect to resources on the server until the newly established session is terminated.
Windows 2000 provides three groups whose membership is controlled by the administrator: Users, Power Users, and Administrators. The group whose membership is controlled by the operating system or domain is Authenticated Users. It is the same as the Everyone group, except that it does not contain anonymous users or guests. Unlike the Everyone group in Windows NT 4.0, the Authenticated Users group is not used to assign permissions. Only groups controlled by the administrator, primarily Users, Power Users, and members of the Administrators group, are used to assign permissions.
1. Here, the client sends a pre-authenticated request (using a hash of the user's password) along with a time stamp to the key distribution center (KDC) that resides on the domain controller (DC) of the relevant domain, requesting a ticket granting ticket (TGT).
2. The KDC extracts the hash for the user identity from its database and decrypts the request with it, also noting the time stamp to check the freshness of the request. A valid user account results in successful decryption.
3. The KDC sends back a TGT that contains, among other information, the session key (encrypted with the user's password) and the security identifiers (SIDs) identifying the user and the group.
4. The client uses the ticket to access the required resources.
A null session is an insecure (unauthenticated) connection with no proof of identity. No user and password credentials are supplied when the session is established. No session key is exchanged when establishing a null session, and hence it is impossible for the system to send encrypted or even signed messages on behalf of the user under a null session. When the LSA is asked to create a token for a remote client communicating via a null session, it produces a token with a user SID of S-1-5-7 (the null logon session) and a user name of ANONYMOUS LOGON. We have seen earlier that Everyone is included in all tokens, and the null session is classified as a network logon. This gives the null user access to file system shares and named pipes.
Other areas where null sessions are considered useful are when the LMHOSTS.SAM file uses the "#INCLUDE" tag: the share point that contains the included file must be set up as a null session share. Additionally, where a service running under the local "SYSTEM" account needs access to some network resource, a null session may be established to access it.
An interesting point is that null sessions can also be established at the API level from languages such as C++. Null sessions can be used to connect to 'null session pipes', if the server allows it. A 'pipe' is a facility that allows a process on one system to communicate with a process on another system, while an inter-process communication share allows communication between two processes on the same system.
Null sessions can also be used to establish connections to shares, including such system shares as \\servername\IPC$. The IPC$ is a special hidden share. It may be noted that the IPC$ share is an interface to the 'server' process on the machine, also associated with a pipe so it can be accessed remotely. Null sessions make the enumeration of users, machines, and resources easier for administrative purposes especially across domains. This is the lure for the attacker who intends to use a null session to connect to the machine.
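The token described above (user SID S-1-5-7, the ANONYMOUS LOGON name, and the network logon class) is also what a null session looks like from the defender's side. The following is an added example, not code from the original post: it scans a constructed, simplified JSON feed of security-log records for network logons by S-1-5-7 and for share accesses by the same identity, and summarises them per source address. The record format and field names are this example's own assumptions; the event ids 4624 (logon) and 5140 (share object accessed) are the ids current Windows releases use, while the NT/2000 systems discussed here numbered these events differently.

```python
import json
from collections import defaultdict

ANONYMOUS_SID = "S-1-5-7"   # SID of the null logon session, as described in the text
NETWORK_LOGON_TYPE = 3      # "network" logon class, which null sessions fall into
EVENT_LOGON = 4624          # Windows "an account was successfully logged on"
EVENT_SHARE_ACCESS = 5140   # Windows "a network share object was accessed"

# Constructed sample feed (not real log data): one simplified JSON record per
# line. The field names are this example's own, chosen to mirror the data
# fields the Security log carries for these events.
SAMPLE_LOG = r"""
{"event_id": 4624, "logon_type": 3, "sid": "S-1-5-21-1000", "account": "alice", "src_ip": "10.0.0.5"}
{"event_id": 4624, "logon_type": 3, "sid": "S-1-5-7", "account": "ANONYMOUS LOGON", "src_ip": "10.0.0.9"}
{"event_id": 5140, "sid": "S-1-5-7", "account": "ANONYMOUS LOGON", "src_ip": "10.0.0.9", "share": "\\\\*\\IPC$"}
{"event_id": 5140, "sid": "S-1-5-7", "account": "ANONYMOUS LOGON", "src_ip": "10.0.0.9", "share": "\\\\*\\C$"}
{"event_id": 4624, "logon_type": 2, "sid": "S-1-5-21-1001", "account": "bob", "src_ip": "127.0.0.1"}
{"event_id": 4624, "logon_type": 3, "sid": "S-1-5-7", "account": "ANONYMOUS LOGON", "src_ip": "10.0.0.9"}
"""


def parse_events(text):
    """Parse one JSON record per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_null_session_logon(ev):
    """A null session shows up as a *network* logon by the S-1-5-7 identity."""
    return (ev.get("event_id") == EVENT_LOGON
            and ev.get("logon_type") == NETWORK_LOGON_TYPE
            and ev.get("sid") == ANONYMOUS_SID)


def is_anonymous_share_access(ev):
    """Share access (IPC$ included) performed under the null logon token."""
    return ev.get("event_id") == EVENT_SHARE_ACCESS and ev.get("sid") == ANONYMOUS_SID


def summarize_null_sessions(events):
    """Group anonymous activity by source address.

    Returns {src_ip: {"logons": count, "shares": sorted share names}}.
    Addresses with no anonymous activity do not appear in the result.
    """
    summary = defaultdict(lambda: {"logons": 0, "shares": set()})
    for ev in events:
        src = ev.get("src_ip", "?")
        if is_null_session_logon(ev):
            summary[src]["logons"] += 1
        elif is_anonymous_share_access(ev):
            summary[src]["shares"].add(ev.get("share", ""))
    return {src: {"logons": d["logons"], "shares": sorted(d["shares"])}
            for src, d in summary.items()}


def report(summary):
    """One human-readable line per source address."""
    lines = []
    for src, d in sorted(summary.items()):
        touched = ", ".join(d["shares"]) or "none"
        lines.append(f"{src}: {d['logons']} anonymous network logon(s); "
                     f"shares touched: {touched}")
    return lines


if __name__ == "__main__":
    for line in report(summarize_null_sessions(parse_events(SAMPLE_LOG))):
        print(line)
```

Run it directly to print the per-address summary; a single anonymous IPC$ touch is normal background noise on an old domain, so the value is in the count and in any share other than IPC$ showing up. On the NT/2000 systems this page discusses, the standard mitigation is the RestrictAnonymous value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa; current releases expose the same control as the "Network access: Do not allow anonymous enumeration of SAM accounts and shares" policy.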
During port scanning, the attacker takes note of any response from TCP ports 139 and 445. Why would these ports interest an attacker? The answer lies in the SMB protocol. The SMB (Server Message Block) protocol is known for its use in file sharing on the Windows NT / 2000 series, among other things. Attackers can potentially intercept unsigned SMB packets, modify the traffic and forward it so that the server performs undesirable actions. Alternatively, the attacker could pose as the server or client after a legitimate authentication and gain unauthorized access to data.
SMB is the resource sharing protocol supported by many Microsoft operating systems; it is the basis of network basic input/output system (NetBIOS) and many other protocols. SMB signing authenticates both the user and the server hosting the data. In Windows NT it ran on top of NBT (NetBIOS over TCP/IP), which made it a bulky protocol with a large header and added latency. In Windows NT it used ports 137 and 138 (UDP) and 139 (TCP). In Windows 2000, SMB was allowed to run directly over TCP/IP without the extra NBT layer, and port 445 came into use for this purpose.
Each SMB session consumes server resources. Establishing numerous null sessions will slow or possibly crash the server, even on Windows 2003. An attacker could repeatedly establish SMB sessions until the server stops responding, leaving SMB services slow or unresponsive.

What is Enumeration (PART 2)???
* If acquisition and non-intrusive probing have not turned up any results, an attacker will next turn to identifying valid user accounts or poorly protected resource shares.
* Enumeration involves active connections to systems and directed queries.
* The type of information enumerated by intruders:
  * Network resources and shares
  * Users and groups
  * Applications and banners
The objective of the attacker will be to identify valid user accounts or groups where he can remain inconspicuous once he has compromised the system. Enumeration involves active connections being made to the target system, or subjecting it to directed queries. Normally, an alert and secure system will log such attempts. Often the information gathered is what the target might have made public - such as a DNS address. However, it is possible that the attacker stumbles upon a remote IPC share such as IPC$ in Windows, which can be probed with a null session so that shares and accounts are enumerated.
Concept
On ascertaining the security posture of the target, the attacker can turn this information to his advantage by exploiting some resource sharing protocol or compromising an account. The type of information enumerated by hackers can be loosely grouped into the following categories:
1. Network resources and shares
2. Users and Groups
3. Applications and Banners
---

What is Enumeration ??
Friends, for the next few days I will introduce the enumeration phase of hacking to you. I will try to explain different aspects of enumeration. After this you will be familiar with the following topics:
* Understanding Windows 2000 enumeration
* How to Connect via Null Session
* How to disguise NetBIOS Enumeration
* Disguise using SNMP enumeration
* How to steal Windows 2000 DNS information using zone transfers
* Learn to enumerate users via CIFS/SMB
* Active Directory enumerations
This is the basis behind stating that while countermeasures the generic approach of hackers towards a system.
---

fbview - View pictures on a Linux console
http://www.nocrew.org/software/fbview/
fbview is an image viewer for Linux consoles, using the oFBis library. It uses libjpeg and libmagick to read images, and can handle a lot of different formats. The reason for using libjpeg separately is because it is much faster on decoding jpegs than libmagick is. Note, fbview only works on 8-bit displays.
fbview is released under the terms of GNU General Public License (GPL).

HTTPort - Bypass an HTTP proxy
http://www.htthost.com/
HTTPort allows you to bypass an HTTP proxy, which is blocking you from the Internet. With HTTPort you may use the following software (just a sample list, not limited to !) from behind an HTTP proxy: e-mail, IRC, ICQ, news, FTP, AIM, any SOCKS capable software, etc. etc.
The basic idea is that you set up your Internet software so that it treats your local PC as the remote server it needs. This is where HTTPort enters: it intercepts the connection from this software and runs it through the proxy - this is called tunneling. Your software should use TCP/IP; HTTPort does not work with UDP/IP. There are two ways you can set up your software for use with HTTPort:
1. If your software uses a single (or small range of) fixed server with a single (or small range of) fixed port: for instance, your software would like to connect to some.server.com:some_port. Create a new HTTPort mapping with any local port, preferably above 1024, a remote server of "some.server.com" and a remote port of "some_port". Point your software to 127.0.0.1:mapped_local_port as if it were the original server it needs.
2. If your software can connect through a SOCKS4 proxy: point your software to 127.0.0.1:1080, which is a built-in HTTPort SOCKS4 server.
---

Bypassing Firewall using Httptunnel
http://www.nocrew.org/software/httptunnel.html
Httptunnel creates a bidirectional virtual data path tunneled in HTTP requests. The requests can be sent via an HTTP proxy if so desired. This can be useful for users behind restrictive firewalls. If WWW access is allowed through an HTTP proxy, it's possible to use httptunnel and telnet or PPP to connect to a computer outside the firewall.
Here is how htc sends data to the destination:
1. Open TCP connection to hts
2. Send HTTP POST with a large Content-Length
3. Send TUNNEL_DATA packets until POST Content-Length would be exceeded.
4. Send TUNNEL_PADDING packets to exactly satisfy Content-Length - 1
5. Send TUNNEL_DISCONNECT (1 byte)
6. Close TCP connection
7. Go to step 1
Here is how htc gets data from the destination:
1. Open TCP connection to hts
2. Send HTTP GET
3. Wait for response from hts
4. Read TUNNEL_DATA, then TUNNEL_PADDING, TUNNEL_DISCONNECT packets
5. Close TCP connection
6. Go to step 1
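The two procedures above give httptunnel a recognisable shape on the proxy it passes through: repeated POSTs that announce a very large Content-Length and are then fed slowly, alternating with GETs that stay open while the client waits for data. The following added example (not part of the original post, and not code from the httptunnel project) runs those heuristics over a constructed proxy log in a simplified format of its own; the thresholds, the log format and the addresses are all assumptions and would need tuning against a real proxy's access log. The same approach, with the signature adjusted, applies to any HTTP-tunnelling client such as the HTTPort tool described earlier.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample proxy log (not real data). The format is this example's
# own, one request per line:
#   <unix_time> <client_ip> <method> <url> <status> <request_content_length> <duration_ms>
SAMPLE_PROXY_LOG = """\
1263000000 10.1.1.20 GET http://intranet.example/index.html 200 0 35
1263000001 10.1.1.20 POST http://intranet.example/form 200 512 80
1263000002 10.1.1.44 POST http://203.0.113.7:8888/ 200 104857600 61000
1263000003 10.1.1.44 GET http://203.0.113.7:8888/ 200 0 59000
1263000064 10.1.1.44 POST http://203.0.113.7:8888/ 200 104857600 60500
1263000065 10.1.1.44 GET http://203.0.113.7:8888/ 200 0 60000
1263000070 10.1.1.20 POST http://files.example/upload 200 20971520 4000
"""

# Thresholds are assumptions for this example; tune them against a real proxy.
LARGE_BODY_BYTES = 50 * 1024 * 1024  # a POST announcing at least this much is "large"
LONG_LIVED_MS = 30_000               # a GET held open this long looks like polling for data
MIN_CYCLES = 2                       # POST/GET pairs needed before a pair is reported

LINE_RE = re.compile(r"^(\d+) (\S+) ([A-Z]+) (\S+) (\d{3}) (\d+) (\d+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status, clen, dur = m.groups()
    return {"ts": int(ts), "client": client, "method": method,
            "host": urlsplit(url).netloc, "status": int(status),
            "content_length": int(clen), "duration_ms": int(dur)}


def find_tunnel_candidates(log_text):
    """Return (client, host) pairs whose traffic matches the httptunnel pattern.

    Pattern (from the procedures in the text): large-Content-Length POSTs used
    as the upstream channel, alternating with long-lived GETs used as the
    downstream channel, repeated cycle after cycle.
    """
    stats = defaultdict(lambda: {"large_posts": 0, "long_gets": 0,
                                 "first": None, "last": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["content_length"] >= LARGE_BODY_BYTES:
            kind = "large_posts"
        elif rec["method"] == "GET" and rec["duration_ms"] >= LONG_LIVED_MS:
            kind = "long_gets"
        else:
            continue
        s = stats[(rec["client"], rec["host"])]
        s[kind] += 1
        s["first"] = rec["ts"] if s["first"] is None else s["first"]
        s["last"] = rec["ts"]
    findings = []
    for (client, host), s in stats.items():
        if s["large_posts"] >= MIN_CYCLES and s["long_gets"] >= MIN_CYCLES:
            findings.append({"client": client, "host": host,
                             "large_posts": s["large_posts"],
                             "long_gets": s["long_gets"],
                             "span_s": s["last"] - s["first"]})
    return sorted(findings, key=lambda f: (f["client"], f["host"]))


if __name__ == "__main__":
    for f in find_tunnel_candidates(SAMPLE_PROXY_LOG):
        print(f"{f['client']} -> {f['host']}: {f['large_posts']} large POSTs, "
              f"{f['long_gets']} long-lived GETs over {f['span_s']} s")
```

In the constructed log only 10.1.1.44 talking to 203.0.113.7:8888 is reported: the 20 MB upload from 10.1.1.20 is a single large POST with no matching long-lived GET, which is why the check requires both halves of the cycle rather than either alone.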
Tunnel creation and destruction
This can be useful for users behind restrictive firewalls. If WWW access is allowed through an HTTP proxy, it's possible to use httptunnel and, say, telnet or PPP to connect to a computer outside the firewall.

Tool: eMailTrackerPro
eMailTrackerPro analyzes the e-mail header and provides the IP address of the machine that sent the e-mail. This can then be used to track down the sender, which is especially helpful in preventing spamming and spoofing.
An email spoofer may just be trying to cause trouble, or to discredit the person being spoofed by sending some truly vile message to the recipient. The built-in location database tracks e-mails to a country or region of the world. eMailTrackerPro also provides hyperlink integration with VisualRoute.
Example: Received: from BBB (dns-name [ip-address]) by AAA ...
For tracking purposes, we are most interested in the from and by tokens in the Received header field. Here BBB is the name the sending computer gave for itself, dns-name is the reverse DNS lookup of ip-address, and ip-address is the address of the computer that connected to the mail server that generated this Received header line. The ip-address is what matters for tracking.
Always base tracking decisions on the IP addresses in the header information and not on host names (which are a lookup from the IP address anyway), because mapping an IP address to a host name and back again may yield a different IP address. However, attackers can defeat this by using an 'anonymizer' service for web-based email, where the IP address seen is the anonymizer company's, or open mail relay servers for normal email.
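An added example, not code from the original post or from eMailTrackerPro: it parses the Received chain of a constructed message with Python's standard email module, extracts the from/by tokens and the bracketed IP address from each hop, walks the hops in delivery order (bottom header first) to find the originating address, and flags hops where the name a host gave for itself differs from the receiving server's reverse lookup, which is the rule above to trust the IP address rather than the host name. The message, host names and addresses are constructed sample data; the mail claims to come from the recipient's own domain and asks for a password reset, the spoofing scenario the next section describes.

```python
import email
import re

# Constructed sample message (not a real one). Each relay prepends its own
# Received header, so the top header is the last hop and the bottom one the first.
SAMPLE_MESSAGE = """\
Received: from mx1.example.org (mx1.example.org [192.0.2.10])
    by mail.example.com with ESMTP id 123; Mon, 4 Jan 2010 10:00:05 +0000
Received: from relay.example.net (relay.example.net [198.51.100.5])
    by mx1.example.org with ESMTP id 456; Mon, 4 Jan 2010 10:00:03 +0000
Received: from mail.example.com (unknown [203.0.113.77])
    by relay.example.net with SMTP id 789; Mon, 4 Jan 2010 10:00:01 +0000
From: admin@example.com
To: user@example.com
Subject: please reset your password

(constructed body)
"""

# "from NAME (DNS-NAME [IP]) by HOST": the shape described in the text above.
RECEIVED_RE = re.compile(
    r"from\s+(?P<name>\S+)\s+\((?P<dns>[^\s\[\]]+)\s+\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\)"
    r"\s+by\s+(?P<by>[^\s;]+)",
    re.IGNORECASE,
)


def parse_received(value):
    """Extract name, dns-name, ip and by-host from one Received header value."""
    m = RECEIVED_RE.search(re.sub(r"\s+", " ", value))
    return m.groupdict() if m else None


def trace_hops(raw_message):
    """Return the parsed hops in delivery order (first hop first)."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        parsed = parse_received(value)
        if parsed:
            hops.append(parsed)
    return hops


def origin_ip(hops):
    """The address that connected to the first relay: the one to base tracking on."""
    return hops[0]["ip"] if hops else None


def name_mismatches(hops):
    """Hops where the self-asserted name differs from the receiving server's
    reverse lookup of the connecting address. Host names are whatever the
    sender chose to say; the IP address is what the relay actually saw."""
    return [h for h in hops if h["name"].lower() != h["dns"].lower()]


def chain_consistent(hops):
    """Rough sanity check: each hop's 'by' host should reappear as the next
    hop's 'from' name. A Received line forged by the sender often breaks this;
    legitimate relays can too, so treat a failure as a lead, not proof."""
    return all(hops[i]["by"].lower() == hops[i + 1]["name"].lower()
               for i in range(len(hops) - 1))


if __name__ == "__main__":
    hops = trace_hops(SAMPLE_MESSAGE)
    for h in hops:
        print(f"from {h['name']} ({h['dns']} [{h['ip']}]) by {h['by']}")
    print("origin IP:", origin_ip(hops))
    print("name mismatches:", [h["ip"] for h in name_mismatches(hops)])
    print("chain consistent:", chain_consistent(hops))
```

In the sample the first hop announced itself as mail.example.com, the recipient's own mail server, but the relay's reverse lookup of 203.0.113.77 returned "unknown"; that address, not the announced name, is the starting point for any follow-up.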
---

Tool: VisualRoute Mail Tracker
E-mail spoofing is a security concern that most organizations face. It is often part of a social engineering tactic employed by attackers. Sometimes even passwords are easily obtained, if users are not aware of the consequences. The reason this information is sought after is that SMTP (Simple Mail Transfer Protocol) lacks authentication, and hence spoofing is easy.
An nslookup can reveal an MX server. The attacker can connect to the SMTP port and issue commands (in accordance with that protocol), and can breach the security of the firm / user if a vulnerability can be exploited. The attacker can use this to send email that will appear to be from the address of the target user, and can even send mail asking users to change passwords on behalf of the system administrator.
This is useful when the email address is the only information available at hand.
An attacker might use this to trace the user to their e-mail server. An added benefit is that he will be able to see what SMTP software the mail server is running (often with version information as well). Information about the mail server can help if the attacker knows a vulnerability that can be exploited to gain access to other resources or to damage the system.
Readers who are interested in a real scenario may refer to the 'Bunratty Attack' by Vince Gallo. It shows how he created covert channels using valid MAPI email. A copy of the presentation is available at http://chi-publishing.com/isb/backissues/ISB 2001/ISB0605/ISB0605VG.pdf
It demonstrates how one can use a valid application (in this case MAPI email) to covertly communicate with and even remotely control a system on an otherwise protected network. All traffic appears to be valid email.
The other tool that can analyze email headers is eMailTrackerPro.
