Sunday, February 7, 2010

Open Service Information Gathering

Notes on pulling information out of exposed network services: DNS, SNMP and SMTP, with the commands used for each.

Resolve a host name with an interactive nslookup session (the lines starting with > are typed at the nslookup prompt):

#nslookup
> www.checkpoint.com

Identify the mail servers (MX records) belonging to an organization:

> set type=mx
> checkpoint.com

Identify all DNS servers authoritative for a domain (NS records):

> set type=ns
> checkpoint.com

Using the dnsenum script shipped with BackTrack. It collects the host, NS and MX records for a domain, attempts a zone transfer against each name server and can brute-force subdomains from a wordlist; the domain is the last argument:

#cd /pentest/enumeration/dnsenum/
./dnsenum.pl checkpoint.com
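The same lookups as a script, added here as an example and not taken from the original post or from dnsenum: it uses dig from the BIND tools instead of the interactive nslookup session, and goes one step beyond the commands above by trying a zone transfer (AXFR) against every authoritative server, which is the check dnsenum automates. The domain comes from the command line; the record values mentioned in the comments are made up.

```shell
#!/bin/sh
# dns_recon.sh - added example. Needs dig (BIND dnsutils). The parsing functions read
# stdin, so they also work on saved dig output; the network functions wrap them.

# Authoritative name servers of the zone, trailing dots stripped.
name_servers() { dig +short NS "$1" | sed 's/\.$//'; }

# Turn "dig +short MX" output ("10 mail.example.test.") into host names ordered by preference.
mx_hosts() { sort -n | awk '{ sub(/\.$/, "", $2); print $2 }'; }

mail_servers() { dig +short MX "$1" | mx_hosts; }

# Count the resource records in a dig AXFR transcript. dig prefixes comments with ';'
# and reports a refused transfer as the comment "; Transfer failed.", so that counts as 0.
axfr_record_count() { grep -v '^;' | grep -c '[^[:space:]]' || true; }

# Try a zone transfer against each name server; a non-zero record count means the zone leaked.
try_axfr() {
  domain="$1"
  for ns in $(name_servers "$domain"); do
    count=$(dig +time=5 +tries=1 "@$ns" "$domain" AXFR | axfr_record_count)
    printf '%s: %s records\n' "$ns" "$count"
  done
}

if [ $# -ge 1 ]; then
  printf '== NS ==\n';   name_servers "$1"
  printf '== MX ==\n';   mail_servers "$1"
  printf '== AXFR ==\n'; try_axfr "$1"
else
  echo "usage: $0 domain" >&2
fi
```

Run it as `./dns_recon.sh checkpoint.com`. A server that answers the AXFR hands over every record in the zone, which is why the transfer attempt belongs in the first pass of DNS enumeration.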

SNMP reconnaissance
SNMP is a management protocol used to monitor, and often to remotely configure, servers and network devices.

SNMP runs over UDP, so requests carry no session state and are easy to send from a spoofed source address. Access control in SNMPv1 and SNMPv2c is weak as well: a read-only and a read-write community string, which travel in cleartext in every packet and are frequently left at their defaults, "public" (read) and "private" (read/write). Anyone who can sniff the traffic or guess the string gets the same access as the management station; only SNMPv3 adds per-user authentication and encryption.


Let's examine a Windows host running SNMP. The following command walks the whole MIB tree (OID 1) with the default read-only community; it needs the Net-SNMP command-line tools and produces a lot of output, which is why the queries below narrow it down:

snmpwalk -c public -v1 192.168.0.110 1

Let me demonstrate some interesting queries. The system description reveals the operating system and version:
snmpwalk -c public -v1 192.168.0.110 SNMPv2-MIB::sysDescr.0

Enumerating Windows users. The LanManager MIB user table lives under 1.3.6.1.4.1.77.1.2.25; the grep picks those entries out of the walk and the cut keeps only the user name:
snmpwalk -c public -v1 192.168.0.110 1.3 |grep 77.1.2.25 |cut -d" " -f4

Enumerating running processes (hrSWRunName). Note -f4- rather than -f4, so names containing spaces, such as "System Idle Process", are not truncated:
snmpwalk -c public -v1 192.168.0.110 1 |grep hrSWRunName|cut -d" " -f4-

Enumerating open TCP ports. The tcpConnState index is local address, local port, remote address, remote port, so the sixth dot-separated field is the local port. The table also holds established connections, so filter on listen(2) to keep only listening sockets:

snmpwalk -c public -v1 192.168.0.110 1 |grep tcpConnState |grep "listen(2)" |cut -d"." -f6 |sort -nu



Enumerating installed software (hrSWInstalledName):
snmpwalk -c public -v1 192.168.0.110 1 |grep hrSWInstalledName


There are lots of other interesting searches we can do. As usual, there are more
specialized tools for this task that walk the useful subtrees and format the results for you. I personally like snmpenum.pl and snmpcheck.pl; on BackTrack you can find them in /pentest/enumeration/snmpenum:

./snmpcheck-1.3.pl -t 192.168.0.110
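The queries above, wrapped in one script. This is an added example written for this post, not the code of snmpenum or snmpcheck: it walks each subtree by numeric OID so no MIB files are needed, strips the values out of snmpwalk's "OID = TYPE: value" lines without truncating names that contain spaces, and keeps only listening ports from the TCP connection table. Host and community default to the values used on this page; the sample lines quoted in the comments are constructed.

```shell
#!/bin/sh
# snmp_enum.sh - added example. Wraps Net-SNMP's snmpwalk for a v1/v2c target.
# Every parser reads stdin, so it can also be run over saved snmpwalk output.

HOST="${1:-192.168.0.110}"
COMMUNITY="${2:-public}"

# One snmpwalk per subtree, addressed by numeric OID so MIB files are not required.
walk() { snmpwalk -c "$COMMUNITY" -v1 "$HOST" "$1"; }

# Reduce "OID = TYPE: value" lines to the bare value, dropping the quotes around STRINGs.
# Unlike cut -d" " -f4 this keeps values with spaces ("System Idle Process").
snmp_values() { sed -e 's/^[^=]*= [A-Za-z0-9-]*: //' -e 's/^"//' -e 's/"$//'; }

# Local ports of TCP connections in the LISTEN state only. The tcpConnState index is
# localAddr(4).localPort.remAddr(4).remPort, so the local port is the 6th-from-last OID
# component, whether the OID is printed symbolically or numerically; the state shows
# as "listen(2)" with MIBs loaded and as plain "2" without them.
listening_ports() {
  awk '$3 == "INTEGER:" && ($4 == "listen(2)" || $4 == "2") {
         n = split($1, a, "."); print a[n-5] }' | sort -nu
}

windows_users()  { walk 1.3.6.1.4.1.77.1.2.25  | snmp_values; }      # LanManager MIB user table
processes()      { walk 1.3.6.1.2.1.25.4.2.1.2 | snmp_values; }      # HOST-RESOURCES-MIB hrSWRunName
installed()      { walk 1.3.6.1.2.1.25.6.3.1.2 | snmp_values; }      # hrSWInstalledName
open_tcp_ports() { walk 1.3.6.1.2.1.6.13.1.1   | listening_ports; }  # TCP-MIB tcpConnState

if [ $# -ge 1 ]; then
  printf '== system ==\n';    walk 1.3.6.1.2.1.1.1 | snmp_values     # sysDescr
  printf '== users ==\n';     windows_users
  printf '== processes ==\n'; processes
  printf '== installed ==\n'; installed
  printf '== tcp ports ==\n'; open_tcp_ports
else
  echo "usage: $0 host [community]" >&2
fi
```

Run it as `./snmp_enum.sh 192.168.0.110 public`. If the target only answers SNMPv2c, change -v1 to -v2c in walk(); the output format, and therefore the parsers, stay the same.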

SMTP reconnaissance

Under certain misconfigurations, mail servers can also be used to gather information about a host or network. SMTP supports several interesting commands such as VRFY and EXPN.
A VRFY request asks the server to confirm that an address or local user exists, while EXPN asks it to expand a mailing list into its members. Both can be abused to confirm which user names exist on the mail server, which helps the attacker later, for example when guessing passwords. Many MTAs therefore refuse the commands (Postfix with disable_vrfy_command = yes, for instance) or answer every VRFY with a non-committal 252, in which case nothing is learned.
Let's look at an example. Connect with netcat and type the commands by hand; a 250 reply confirms the user, a 550 says it does not exist:

nc -v 192.168.0.10 25
VRFY root
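The manual netcat session above, scripted for a list of user names. This is an added example written for this post, not the page's own code: it sends HELO, one VRFY (or EXPN) and QUIT in a single netcat run, picks the reply that belongs to the probe (a reply can span several "250-" lines, so the parser cannot simply count lines) and classifies it. The HELO host name, the default user list and the sample replies in the comments are made up; it assumes a netcat that keeps reading until the server closes the connection after QUIT.

```shell
#!/bin/sh
# smtp_vrfy.sh - added example. Probes user names over SMTP with VRFY/EXPN via nc.

cr=$(printf '\r')

# Print the final line of the N-th SMTP reply read from stdin (0 = banner, 1 = HELO reply, ...).
# Continuation lines of a multi-line reply look like "250-text"; the last line is "250 text".
smtp_nth_reply() {
  n="$1"; i=0
  while IFS= read -r line; do
    line=${line%"$cr"}
    case "$line" in
      [0-9][0-9][0-9]-*) continue ;;                 # continuation line, keep reading
      [0-9][0-9][0-9]*)
        if [ "$i" -eq "$n" ]; then printf '%s\n' "$line"; return 0; fi
        i=$((i + 1)) ;;
    esac
  done
  return 1
}

# Map the reply to a VRFY/EXPN probe onto what it tells the attacker.
classify_reply() {
  case "$1" in
    250*|251*)      echo valid ;;      # user or list exists, name usually echoed back
    252*)           echo ambiguous ;;  # server will not verify but accepts mail: no information
    550*|551*|553*) echo invalid ;;    # user unknown: the server leaks the difference
    500*|502*)      echo disabled ;;   # command not implemented or turned off
    *)              echo other ;;
  esac
}

# Probe one user. Replies: 0 banner, 1 HELO, 2 our VRFY/EXPN, so we want index 2.
probe() {
  p_host="$1"; p_cmd="$2"; p_user="$3"
  printf 'HELO recon.example.test\r\n%s %s\r\nQUIT\r\n' "$p_cmd" "$p_user" \
    | nc -w 5 "$p_host" 25 2>/dev/null | smtp_nth_reply 2
}

# Read user names from stdin and print a verdict per name.
enumerate() {
  e_host="$1"; e_cmd="${2:-VRFY}"
  while IFS= read -r user; do
    reply=$(probe "$e_host" "$e_cmd" "$user")
    printf '%-14s %-9s %s\n' "$user" "$(classify_reply "$reply")" "$reply"
  done
}

if [ $# -ge 1 ]; then
  # constructed default list; pipe your own wordlist into enumerate instead
  printf '%s\n' root postmaster administrator nosuchuser | enumerate "$1" "${2:-VRFY}"
else
  echo "usage: $0 host [VRFY|EXPN]" >&2
fi
```

Run it as `./smtp_vrfy.sh 192.168.0.10`. If every name comes back "ambiguous" or "disabled", the server is not leaking anything through these commands, and the next thing to try is the RCPT TO stage of a normal delivery, which some servers still answer differently for known and unknown users.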


