CEH Lesson 3 - Enumeration and System Hacking

This document provides an overview of enumeration and hacking techniques for both Windows and Linux systems. It discusses objectives like understanding enumeration tools, Windows/Linux file structures, and the steps to hack each system. For Windows, it covers user/group security, password guessing, privilege escalation and covering tracks. For Linux, it outlines the file structure and basic commands. The overall goal is to teach ethical hacking techniques like actively scanning systems to identify useful information.

Uploaded by

Louise Real

Certified Ethical Hacker

Lesson 3
Enumeration and System Hacking

Objectives
After reading this lesson you will be able to:
 Understand enumeration
 Become familiar with enumeration tools
 Explain the architecture of Windows systems
 Discuss Windows users and groups
 Understand the steps involved in Windows hacking
 Explain the Linux file structure and basic Linux commands
 Understand the steps involved in hacking Linux systems
Enumeration

 In-depth analysis of targeted computers
– Actively connecting to the target systems to identify user accounts, system accounts, services, and other useful information
Windows Enumeration

 The goal is to identify a user or system account to be exploited.
 Windows OS is available in client and server versions:
– Windows 7, 8 and 10 are examples of client systems.
– Windows Server 2008, 2012 and 2016 are examples of server systems.
 Windows architecture has two basic modes:
– User mode (ring 3):
• Has restrictions.
• Malicious programs can be detected by antivirus tools.
– Kernel mode (ring 0):
• Allows full access to all resources.
• Malicious code can hide and is harder to detect.
Windows Enumeration cont.

 All code runs in the context of an account.
 Security identifiers:
– Security identifier (SID):
• Identifies users, groups, and computer accounts
– Relative identifier (RID):
• The final portion of a SID; identifies a user or group relative to the authority (domain or local machine) that issued the SID
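As an added example (not from the lesson), the snippet below splits a SID into its parts, extracts the RID and shows why renaming a built-in account does not hide it from RID-based enumeration. The SIDs, account names and the `audit_accounts` helper are constructed for the example.

```python
# Added example (not part of the lesson): split a Windows SID into its parts,
# pull out the RID and flag built-in accounts that were renamed.
# All SIDs and account names below are constructed sample values.
import re

# Well-known RIDs (Microsoft-documented), relative to a domain or machine SID
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt",
                   512: "Domain Admins", 513: "Domain Users"}

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")

def parse_sid(sid):
    """Return revision, identifier authority, sub-authorities and the RID."""
    if not SID_RE.match(sid):
        raise ValueError("not a valid SID: %r" % sid)
    parts = sid.split("-")               # ["S", "1", authority, subauths..., rid]
    subauthorities = [int(p) for p in parts[3:]]
    return {"revision": int(parts[1]),
            "authority": int(parts[2]),
            "subauthorities": subauthorities,
            "domain": "-".join(parts[:-1]),   # the SID minus its last component
            "rid": subauthorities[-1]}

def describe_rid(sid):
    """Well-known name for the RID; RIDs of 1000 and above are created accounts."""
    rid = parse_sid(sid)["rid"]
    if rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[rid]
    return "user-created account" if rid >= 1000 else "other built-in"

def audit_accounts(accounts):
    """accounts: list of (name, sid). Renaming Administrator or Guest does not
    change the RID, so an enumerated SID still reveals which account it is."""
    findings = []
    for name, sid in accounts:
        label = describe_rid(sid)
        if label in ("Administrator", "Guest") and name != label:
            findings.append("%s is the built-in %s account (RID %d), renamed"
                            % (name, label, parse_sid(sid)["rid"]))
    return findings

# Constructed sample: renamed built-in Administrator, default Guest, one user
SAMPLE_ACCOUNTS = [
    ("svc_backup", "S-1-5-21-1004336348-1177238915-682003330-500"),
    ("Guest", "S-1-5-21-1004336348-1177238915-682003330-501"),
    ("jdoe", "S-1-5-21-1004336348-1177238915-682003330-1001"),
]
```

Renaming the built-in Administrator is a common hardening step; the output of `audit_accounts(SAMPLE_ACCOUNTS)` shows why it must be paired with restricting anonymous enumeration rather than relied on alone.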
Windows Security

 User accounts and passwords are stored in:
– The SAM database on the local machine
• Windows registry – HKLM\SAM
– Active Directory in a domain environment
 Local Security Authority Subsystem Service (LSASS):
– User-mode process responsible for enforcing the local security policy
 NetBIOS:
– A legacy Windows component that is a common source of vulnerabilities
– Used with Server Message Block (SMB) to remotely access shared files and directories
Windows Security cont.

 SMB:
– Enables remote access to shared directories and files
– Makes it possible for users to create shares
 Interprocess Communication (IPC):
– Offers a default share on Windows systems – IPC$
• A hidden share.
• Enables anonymous connections using the net view and net use commands in Windows XP/2003.
• IPC$ can be used to enumerate user details, account information, and weak passwords.
NetBIOS Enumeration Tools

 Set up a null session:
– Set up manually using the net use command:
• net use \\target\ipc$ "" /u:""
– The amount of information collected depends on the version of Windows running and its configuration.
• Older Windows systems reveal more information.
 DumpSec:
– Windows-based GUI tool
– Can connect to a Windows system remotely and obtain user account information and share permissions
 GetAcct:
– Connects to the target by IP address or NetBIOS name
– Extracts account information such as SID, RID, comments, and full names
Enumeration Tools
 SID2USER and USER2SID
– Obtain the account name from a SID and the SID from an account name
 SuperScan
– Retrieves information about any known user from a vulnerable system
 Userinfo
– Command-line tool
– Retrieves information about users on Windows XP
 GetAcct
– GUI tool used to enumerate Windows systems
 GetUserInfo
– Command-line tool that extracts user account information from a computer or domain
 Ldp
– Can be used to enumerate all users in built-in groups in AD if port 389 is open
 Nbtstat
– Built-in Windows command-line tool
– Used to troubleshoot NetBIOS name resolution problems
Simple Network Management Protocol (SNMP) Enumeration
 SNMP is a TCP/IP protocol used for remote management:
– Version 3 offers encryption and authentication.
– Versions 1 and 2 are vulnerable to attacks.
 Tools for SNMP enumeration:
– snmpwalk
– IP Network Browser
– SNScan
 Countermeasures:
– Turn off SNMP if not in use, or use version 3.
– Block port 161.
– Change community strings and use a different community string for each network zone.
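The countermeasures above can be checked mechanically. The following added example (not part of the lesson) audits an snmpd.conf written in net-snmp directive syntax for v1/v2c communities, the default names "public" and "private", write access, one community reused across zones, and the absence of any SNMPv3 user; the two configuration samples are constructed for the example.

```python
# Added example (not part of the lesson): check an snmpd.conf (net-snmp
# directive syntax) against the slide's countermeasures: v1/v2c community
# strings in use, default names, write access, one community shared across
# zones, and whether any SNMPv3 user exists. Sample configs are constructed.

DEFAULT_COMMUNITIES = {"public", "private"}
V1V2_DIRECTIVES = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"}

def audit_snmpd_conf(text):
    """Return a list of findings; an empty list means only SNMPv3 access is configured."""
    findings, zones, v3_users = [], {}, 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        directive = fields[0].lower()
        if directive == "createuser":
            v3_users += 1
        elif directive in V1V2_DIRECTIVES:
            community = fields[1] if len(fields) > 1 else ""
            source = fields[2] if len(fields) > 2 else "any source"
            findings.append("line %d: %s exposes SNMPv1/v2c with community '%s' from %s"
                            % (lineno, directive, community, source))
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append("line %d: default community string '%s'" % (lineno, community))
            if directive.startswith("rw"):
                findings.append("line %d: write access granted over v1/v2c" % lineno)
            zones.setdefault(community, []).append(source)
    for community, sources in zones.items():
        if len(sources) > 1:
            findings.append("community '%s' reused across %d zones (%s)"
                            % (community, len(sources), ", ".join(sources)))
    if v3_users == 0:
        findings.append("no SNMPv3 user (createUser) configured")
    return findings

# Constructed sample: two zones share 'public', 'private' is writable from anywhere
WEAK_CONF = """\
rocommunity public 10.0.1.0/24
rocommunity public 10.0.2.0/24
rwcommunity private
"""

# Constructed sample: SNMPv3 only, with authentication and privacy required
HARDENED_CONF = """\
createUser opsmon SHA "auth-passphrase-placeholder" AES "priv-passphrase-placeholder"
rouser opsmon priv
"""
```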
Linux and UNIX Enumeration

 Not as vulnerable to enumeration as Windows systems
 Tools
– Rpcclient
– Showmount
– Finger
– Rpcinfo
– Enum4linux
NTP Enumeration

 NTP – protocol used to synchronize clocks on networked computers
 Uses UDP port 123
 NTP commands:
– Ntpdate
– Ntptrace
– Ntpdc
– Ntpq
 Enumeration tools
– PresenTense Time Server
– NTP Server Scanner
– LAN Time Analyzer
SMTP Enumeration

 Simple Mail Transfer Protocol (SMTP)
– Used to transfer email messages
– Operates on port 25
 Enumeration tools
– NetScan Tools Pro
– Nmap
– Telnet
DNS Enumeration

 Locating information about DNS servers, DNS records, usernames, computer names, and IP addresses
 Tools
– Nslookup
– Digdug
– WhereIsIp
– NetInspector
– Men & Mice Management Console
Windows Hacking

 Methods:
– Nontechnical password attacks:
• Dumpster diving
• Social engineering
• Shoulder surfing
– Technical password attacks:
• Password guessing
• Automated password guessing
• Password sniffing
• Keyloggers
– Exploit a vulnerability.
Password Guessing

 You should have collected the user account names during the enumeration step.
 Use a password dictionary file with the net use command:
– Make sure there is no password lockout policy.
 Use automated tools:
– NetBIOS Auditing Tool (NAT)
• Command-line password guessing tool
– Brutus
– THC Hydra
Password Sniffing and Keystroke Loggers
 Sniffing tools:
– Require physical or logical access to the device
– Pass-The-Hash
– ScoopLM
– KerbCrack
• Used to attack the Kerberos protocol
• Two tools in one:
– Sniffer
– Password cracking program
 Keystroke loggers:
– Software or hardware device that records keystrokes
– Can be configured to email the results to the attacker
– ISpyNow
– PC Activity Monitor
– Spector
Privilege Escalation and Exploiting Vulnerabilities
 Once the attacker has access, the next goal is to escalate privileges to administrator or full control.
 Common techniques:
– Trick a user into executing the program.
– Copy the privilege escalation tool to the target system and schedule it to run with the AT command.
– Exploit an application.
– Gain interactive access using PC Anywhere or Terminal Server.
 Tools:
– Billybastard.c
– ANI Exploit
– Getad
– ERunAs2X
Owning the Box

 When attackers have access to the computer, they can compromise other user accounts:
– Obtaining the SAM:
• Stores user passwords in hashed form
• Encrypted
• Attackers could reset passwords if they have physical access to the machine.
Authentication Types

 LM authentication:
– Used by Windows 95/98/Me
– Based on DES
– Easy to crack
– Could still be enabled for backward compatibility
 NTLM authentication:
– Used by Windows NT before Service Pack 3
– Based on DES and MD4
 NTLM v2:
– Based on MD4 and HMAC-MD5
 Kerberos:
– Windows 2000 and later
Password Cracking

 L0phtcrack:
– Can extract hashes from local or remote machines
– Can sniff passwords from the local network if used with an admin account
 Pwdump:
– Command-line tool that can bypass SYSKEY encryption
– Needs admin rights
 Three basic types of password cracks:
– Dictionary attack
– Hybrid attack
– Brute force attack
Covering Tracks

 Disable logging:
– Auditpol command-line tool
 Clear the log files:
– Winzapper, Evidence Eliminator, and Elsave
 Use rootkits:
– FU and Vanquish
 File hiding:
– Set the hidden file attribute.
– Use Alternate Data Streams (ADS).
– Hide in slack space.
Linux File Structure

 All information is stored within the file system.
 Files are stored within a hierarchy of directories.
 Directory names are separated by / (forward slash).
 User accounts are used to identify users, and different permissions can be assigned to different users and groups.
 The ls -l command is used to display the current permissions.
 The chmod command is used to change permissions.
Linux File Structure

 Common Linux directories:
– /
– /bin
– /dev
– /etc
– /home
– /mnt
– /sbin
– /usr
Linux Basics

 Open a terminal window to execute Linux commands:
– Similar to the command prompt in Windows.
– The # prompt means you are logged in as root.
– The root account is similar to the Administrator account in a Windows environment.
Basic Linux Commands
 cat
 cd
 chmod
 cp
 history
 ifconfig
 kill
 ls
 man
 mv
 passwd
 ps
 pwd
 rm
 rm -r
Basic Linux Commands

 Users and groups are assigned a User ID (UID) and a Group ID (GID) respectively.
 Information about users and group IDs is stored in the /etc/passwd file.
 The root account always has UID 0 and GID 0.
 Use the useradd command to add users.
 Use su <username> to perform actions as a different user than the one you are logged in as.
Passwords and Shadow File
 Passwords are required for user accounts, but a blank password can be used by default.
 Password encryption can be selected during the installation.
 MD5 is the default encryption used by most versions, but DES can be used as well.
 DES limits passwords to eight characters.
 The /etc/shadow file is used for additional password security:
– Only the root user has access to the file.
– Use the more /etc/shadow command to see the file while logged in as root.
 Passwords in Linux use salts:
– One of 4096 values that further scramble the password when it is encrypted
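The two slides above (UID/GID in /etc/passwd, and hash formats and salts in /etc/shadow) can be turned into a small audit. This added example (not from the lesson) parses constructed copies of both files and reports extra UID 0 accounts, blank passwords and DES-style hashes with their salts; all sample lines and the `audit` helper are constructed for the example.

```python
# Added example (not part of the lesson): audit constructed /etc/passwd and
# /etc/shadow contents for the slides' points: extra UID 0 accounts, blank
# passwords, DES hashes (8-char limit, 2-char salt = 4096 values) versus
# MD5 ($1$) and newer schemes. Every line below is a constructed sample.

PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup2:x:0:0:second root:/root:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
"""

SHADOW_SAMPLE = """\
root:$6$Qz8mRt1V$constructedSha512HashValue0123456789:19000:0:99999:7:::
alice:$1$Zx9qLm3K$9Bf1cE7jRkl2Po4QsTuVw1:19000:0:99999:7:::
backup2::19000:0:99999:7:::
bob:ab8cw7QhBt9UQ:19000:0:99999:7:::
"""

HASH_PREFIXES = {"$1$": "MD5", "$5$": "SHA-256", "$6$": "SHA-512", "$y$": "yescrypt"}

def parse_passwd(text):
    """Yield (name, uid, gid) from passwd lines: name:x:UID:GID:gecos:home:shell."""
    for line in text.splitlines():
        f = line.split(":")
        yield f[0], int(f[2]), int(f[3])

def classify_hash(field):
    """Return (scheme, salt): DES output is 13 chars with a 2-char salt; others are $id$salt$hash."""
    if field == "":
        return "blank", None
    if field[0] in "*!":                 # locked or no-login account
        return "locked", None
    for prefix, scheme in HASH_PREFIXES.items():
        if field.startswith(prefix):
            return scheme, field.split("$")[2]
    if len(field) == 13:
        return "DES", field[:2]
    return "unknown", None

def audit(passwd_text, shadow_text):
    """Findings a reviewer of these two files would want, in file order."""
    findings = [name + " has UID 0 (root-equivalent account)"
                for name, uid, _ in parse_passwd(passwd_text) if uid == 0 and name != "root"]
    for line in shadow_text.splitlines():
        name, field = line.split(":")[:2]
        scheme, salt = classify_hash(field)
        if scheme == "blank":
            findings.append(name + ": blank password, login without a password")
        elif scheme == "DES":
            findings.append(name + ": DES hash (salt %s), password truncated to 8 chars" % salt)
    return findings
```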
Linux Passwords

 Passwords are one of the weakest forms of authentication.
 Additional authentication mechanisms should be added for stronger security:
– Biometrics – something you are
– Tokens – something you have
 Pluggable Authentication Modules (PAM):
– Controls interaction between user and application
 Password cracking tools:
– John the Ripper
Compressing, Installing, and Compiling Linux
 Tar is one of the most commonly used archive formats in Linux:
– Collects several files into one
– Does not do file compression
 Gzip is used for file compression.
 To compile a program in Linux, the following three commands are used:
– ./configure
– make
– make install
Hacking Linux

 Follow the basic ethical hacking methodology
 Divided into six steps:
– Reconnaissance
– Scanning and enumeration
– Gaining access
– Escalation of privilege
– Maintaining access
– Cover tracks and place backdoors
Hacking Linux cont.
 Reconnaissance
– Active and passive information gathering
 Scanning
– Find the open ports and applications.
– The ports commonly open on Linux differ from those on Windows.
• 21 (ftp), 37 (time), 79 (finger), 111 (sunrpc), and 6000 (X11)
– Nmap can be used for port scanning.
 Enumeration
– Banner grabbing
– Finger
• Recovers the name associated with an email address.
– SMTP vrfy and expn commands
• Used to guess users on the system
– Rwho and rusers
• Information about various users on the system
Hacking Linux cont.

 Gaining access
– Remote attacks
• Exploit a process or program.
• Exploit a TCP or UDP listening service.
• Exploit vulnerabilities in a system providing routing or security services.
• Exploit the user.
– Local attacks
 Privilege escalation
– Usually a local attack is used.
– The objective is to gain full control over the application or system.
Hacking Linux cont.

 Maintaining access and covering tracks:
– Rootkits:
• Hide the attacker's presence and provide a backdoor to the system.
• Require root access.
• Categories
– Hypervisor
– Hardware/Firmware
– Boot Loader
– Library Level
– Application Level
– Kernel Level
Hacking Linux cont.

 Traditional rootkits replaced binaries, such as ifconfig and netstat, with trojaned versions
– Easy to detect
– Detection tools – md5sum and Tripwire
 Rootkits targeting loadable kernel modules (LKM)
– The rootkit is loaded as a driver or kernel extension.
– Can corrupt the kernel and avoid detection.
– Example rootkits
• Flea
• t0rn
• Adore
• TDSS/Alureon
 Rootkit detection tools
– chkrootkit
– McAfee Rootkit Detective
– Trend Micro RootkitBuster
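The md5sum/Tripwire approach named above is easy to show in code. This added example (not from the lesson or any of the tools it names) baselines a directory tree by file hash and reports modified, added and missing files; `demo()` builds a constructed fake sbin/ in a temporary directory and simulates a replaced netstat, so nothing on the real system is touched.

```python
# Added example (not part of the lesson): a small file-integrity check in the
# spirit of md5sum/Tripwire, named on the slide as detection for rootkits
# that replace binaries such as ifconfig and netstat. It hashes a tree,
# keeps a baseline, and reports files that changed, appeared or vanished.
# demo() builds a constructed sample tree; nothing here touches real binaries.
import hashlib
import os
import tempfile

def file_digest(path, algo="sha256"):
    """Hash a file in chunks; SHA-256 rather than MD5, since MD5 collisions are practical."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Map each file path (relative to root) to (digest, size)."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = (file_digest(full), os.path.getsize(full))
    return baseline

def verify(root, baseline):
    """Compare the tree against a stored baseline (keep that baseline off-host or read-only)."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(set(current) - set(baseline)),
        "missing": sorted(set(baseline) - set(current)),
    }

def demo():
    """Constructed scenario: baseline a fake sbin/, then swap netstat for a
    stand-in 'trojaned' copy and drop an extra file, as a rootkit install would."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "sbin"))
        for name in ("ifconfig", "netstat", "ls"):
            with open(os.path.join(root, "sbin", name), "wb") as f:
                f.write(b"#!/bin/sh\necho genuine " + name.encode() + b"\n")
        baseline = build_baseline(root)
        with open(os.path.join(root, "sbin", "netstat"), "wb") as f:
            f.write(b"#!/bin/sh\necho replaced netstat\n")   # stand-in for a trojaned binary
        with open(os.path.join(root, "sbin", ".extra"), "wb") as f:
            f.write(b"stand-in for a dropped file")
        return verify(root, baseline)
```

Take the baseline on a freshly installed system and store it on read-only media, and run the check from a clean boot medium: a kernel-level rootkit on the running host can lie to any check performed on that host.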
Chapter 3
Summary
 Be familiar with basic Windows enumeration techniques.
 Know the architecture of Windows computers.
 Explain how IPC$ can be exploited.
 Describe system hacking.
 Describe keystroke loggers.
 Describe data hiding techniques.
 Understand basic Linux commands.
 Understand how Linux passwords are stored.
 Describe Linux hacking techniques.
