Before we can talk about Windows enumeration techniques and tools, we should spend a little time discussing how Windows stores user information and passwords. Windows stores this information in the Security Accounts Manager (SAM) database. If the system is part of a domain, the domain controller stores the critical information. On standalone systems not functioning as domain controllers, the SAM contains the defined local users and groups, along with their passwords and other attributes. The SAM database is stored in a protected area of the registry under HKLM\SAM.
The concept of the Active Directory (AD) domain first came to life with Windows 2000 and heralded a big change from the old NT trust model. AD is really a directory service that contains a database that stores information about objects in a domain. The AD keeps password information and privileges for domain users and groups that were once kept in the domain SAM.
Enumeration of Windows systems can potentially provide the attacker with usernames, account information, network shares, and services offered by specific systems. Much of this information is available because of the way in which parts of Microsoft Windows are designed. One vulnerable area exists because of the way Windows transmits information about its shares and how the Network Basic Input Output System (NetBIOS) protocol operates. Table 5-1 lists the ports associated with this technology.
NetBIOS was a creation of IBM. It allows applications on different systems to communicate through the LAN and has become a de facto industry standard.
On LANs using NetBIOS, systems identify themselves by a unique name of up to 15 characters (a 16th byte, the suffix, identifies the service). Because NetBIOS itself is nonroutable, it is carried over TCP/IP as NetBIOS over TCP/IP (NBT, defined in RFC 1001 and 1002), which Microsoft adopted for its networking. NetBIOS is used in conjunction with Server Message Block (SMB). SMB allows for the remote access of shared directories and files.
This key feature of Windows is what makes file and print sharing and the Network Neighborhood possible.
Table 5-1 Common NetBIOS Ports and Services

Port   Protocol   Service
135    TCP        MS-RPC endpoint mapper
137    UDP        NetBIOS name service
138    UDP        NetBIOS datagram service
139    TCP        NetBIOS session service
445    TCP        SMB over TCP (direct-hosted, no NetBIOS layer)
When attackers target a system, they want their code to run at the highest privilege level available, so part of the enumeration process is determining which accounts hold administrator rights. Two items that Windows uses to keep track of a user’s identity and security rights are as follows:
Security identifiers
Relative identifiers
Security identifiers (SIDs) are a data structure of variable length that identifies user, group, and computer accounts. For example, the SID S-1-1-0 is Everyone, a group that includes all users. Closely tied to SIDs are relative identifiers (RIDs). A RID is the final sub-authority of a SID; it identifies a particular user or group relative to the authority (the domain or the local machine) that issued the SID. Let’s look at an example:

S-1-5-21-1607980848-492894223-1202660629-500

S             Security identifier
1             Revision level
5             Identifier authority (48 bit); 5 = NT Authority
21            First sub-authority; 21 = NT non-unique (a domain or local machine)
1607980848    Sub-authority  \
492894223     Sub-authority   } together, the domain (or machine) identifier
1202660629    Sub-authority  /
500           Relative identifier (RID), the user ID
Notice the last value. It is the user ID and identifies one specific account within that domain or machine. This value is the RID. Table 5-2 lists some common RIDs.
As shown in Table 5-2, the administrator account has a RID of 500 by default, the guest account 501, and the first account created by the administrator a RID of 1000. Every new security principal, user or group, takes the next available RID, so user RIDs are not necessarily consecutive. What’s important about this is that renaming an account does not change its RID, so renaming will not prevent someone from discovering key accounts. This is somewhat similar to the way that Linux identifies users and system processes by an assigned user ID (UID) and group ID (GID), found in the /etc/passwd file.
Table 5-2 User IDs and RIDs

User ID               Code
Administrator         500
Guest                 501
Kerberos (krbtgt)     502
1st user              1000
2nd user              1002
Server Message Block and Interprocess Communication
Server Message Block (SMB) makes it possible for users to share files and folders; the interprocess communication share (IPC$) is a default share on Windows systems. It supports the named pipes that programs use for interprocess (process-to-process) communication. Because named pipes can be redirected over the network to connect local and remote systems, they also enable remote administration. I hope you can see where this might be a problem.
When SMB was originally designed, security was not at the forefront of everyone’s mind. Some of you might even remember Windows 3.0, an early GUI version of Windows. Early Microsoft networking was of a peer-to-peer design. Although Linux runs similar services through the Samba suite, Windows remains the primary focus of these vulnerabilities.
The most basic connection possible to IPC$ is the null, or anonymous, session, which is established with a net command. There is an entire host of net commands. We’ll look at a few here; for a complete list, just type net at the command line, and enter /? after any command you want more information about.
Suppose, for example, that you have identified open ports 135, 139, and 445 on some targeted systems. You may want to start with the net view /domain command:
Notice how handy the net commands are. They have identified the engineering, marketing, and web groups. To list the systems in any specific domain or workgroup, use the net command again in the form net view /domain:domain_name, as follows:
We can take a closer look at any one system by using the net view \\system_name command:
C:\>net view \\dwarf
Shared resources at \\DWARF

Share name   Type   Comment
-------------------------------------
CDRW         Disk
D            Disk
Payroll      Disk
Printer      Disk
Temp         Disk
The command completed successfully.
I hope you are starting to see the power of the net command. Next, we look at how it can really be exploited when used in combination with IPC$.
Enumeration and the IPC$ Share
Now that we have completed some basic groundwork, let’s move on to enumerating user details, account information, weak passwords, and so forth.
We’ll be exploiting IPC$ for these activities. Specifically, we need to set up a null session. It is set up manually with the net command:
C:\>net use \\192.168.123.100\ipc$ "" /u:""
I hope you remember some basic Microsoft information you learned in getting your first Microsoft certification (specifically, information about the $ syntax). In the world of Windows, the $ represents a hidden share. That’s right; although you might not see it, the IPC$ share exists so that commands can be sent back and forth between different computer systems. Accessing it may not give you full administrator rights, but it will enable you to run the tools we are about to discuss. There is a limit as to how far this command will take us, but Table 5-3 shows its capabilities.
Table 5-3 Enumeration and Default Permissions

Operating System   Enumerate Shares   Enumerate Usernames   Enumerate SIDs   Enumerate Running Services
Windows 2003       Yes                Yes                   Yes              No
Windows XP         Yes                Yes                   Yes              No
Windows 2000       Yes                Yes                   Yes              No
While this table may show what is possible, do not start thinking that all this information will always be available. Results of IPC$ enumeration depend on how the administrator has applied specific security controls. If the domain was configured with relaxed, pre–Windows 2000 compatible permissions, you will have few restrictions placed on your abilities. If it was configured with the tighter Windows 2000 native permissions, you will be much more restricted. Just remember: although a default Windows 2003 installation will not reveal the sensitive information that is normally gathered from the IPC$ share, a Windows 2003 domain controller may still divulge information such as usernames and domain details. Let’s look at the looser permissions first.
Windows Enumeration Tools
Most attackers are going to want to target the administrator account, but do you really know which one that is? That’s where a nice little pair of tools called USER2SID and SID2USER comes in handy. You can download these tools from http://evgenii.rudnyi.ru/soft/sid. The goal of these utilities is to obtain a SID from an account name, or an account name from a SID. The guest account is a good target for the USER2SID tool because its RID of 501 is fixed:

C:\>user2sid \\192.168.123.10 guest

S-1-5-21-1607980884-492894322-1202660629-501
Number of subauthorities is 5
Domain is Workgroup
Length of SID in memory is 28 bytes
Type of SID is SidTypeUser

Notice the second line of output. It is the machine’s SID with the account’s RID appended. The RID of 501 tells us we are looking at the guest account. The second tool in this set is SID2USER. The goal of SID2USER is to obtain the account name from a SID. Therefore, the SID from the previous command is pasted in with the RID changed from 501 to 500. Why 500? A RID of 500 is always the built-in administrator, whatever the account is currently called. Don’t forget to drop the S-1- prefix and separate the remaining fields with spaces:

C:\>sid2user \\192.168.123.10 5 21 1607980884 492894322 1202660629 500

Name is Mike
Domain is Workgroup
Type of SID is SidTypeUser
Look closely at the preceding output. Notice that the RID of 500 corresponds to the Mike account. The true administrator has renamed the administrator account to make it a little harder for the attacker to enumerate. That is where you need to have an understanding of RIDs. With this, you can easily pick up on the fact that this account has been renamed.
Not everyone is comfortable with command-line tools, so GUI tools are also available. Many prefer command-line tools because they are typically more versatile. For example, you can script SID2USER and work your way up the user accounts starting at a RID of 1000. Now let’s look at some GUI-based tools that offer the same type of functionality.
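The SID layout described earlier and the user2sid/sid2user trick above are easy to script. The following Python is an added example, not code from the page or from the user2sid/sid2user tools: it parses a string SID, packs it into the 28-byte in-memory form that user2sid reported, swaps in another RID, emits the argument string sid2user expects, and generates the candidate list for walking RIDs upward from 1000. The guest SID is the one from the user2sid output above; the function names, the "user" label and the target address are illustrative.

```python
import struct

# RIDs the chapter calls out (Table 5-2); renaming an account never changes these.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt (Kerberos)"}


def parse_sid(sid: str):
    """Split 'S-1-5-21-...' into (revision, identifier_authority, [sub_authorities])."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0].upper() != "S":
        raise ValueError(f"not a SID string: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or len(subs) > 15:
        raise ValueError(f"unsupported SID: {sid!r}")
    return revision, authority, subs


def sid_to_binary(sid: str) -> bytes:
    """Pack the SID as Windows keeps it in memory: 1-byte revision, 1-byte
    sub-authority count, 6-byte big-endian identifier authority, then one
    little-endian DWORD per sub-authority (8 + 4 * count bytes)."""
    revision, authority, subs = parse_sid(sid)
    blob = struct.pack("<BB", revision, len(subs)) + authority.to_bytes(6, "big")
    for sub in subs:
        blob += struct.pack("<I", sub)
    return blob


def binary_to_sid(blob: bytes) -> str:
    """Inverse of sid_to_binary."""
    revision, count = struct.unpack_from("<BB", blob, 0)
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from("<" + "I" * count, blob, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def split_sid(sid: str):
    """Return (issuing_authority_sid, rid): the RID is just the last sub-authority."""
    parse_sid(sid)  # validate the string before slicing it
    base, rid = sid.rsplit("-", 1)
    return base, int(rid)


def with_rid(sid: str, rid: int) -> str:
    """Keep the domain/machine part of a SID and substitute another RID."""
    return f"{split_sid(sid)[0]}-{rid}"


def sid2user_args(sid: str) -> str:
    """sid2user wants the fields after 'S-1-' separated by spaces."""
    _, authority, subs = parse_sid(sid)
    return " ".join(str(x) for x in [authority, *subs])


def rid_walk(known_sid: str, start: int = 1000, count: int = 10):
    """Candidate (rid, label, sid2user-argument) tuples: the well-known RIDs
    first, then `count` consecutive user RIDs from `start`."""
    rids = list(WELL_KNOWN_RIDS) + list(range(start, start + count))
    return [(rid, WELL_KNOWN_RIDS.get(rid, "user"), sid2user_args(with_rid(known_sid, rid)))
            for rid in rids]


if __name__ == "__main__":
    guest = "S-1-5-21-1607980884-492894322-1202660629-501"   # from the user2sid run above
    print(len(sid_to_binary(guest)), "bytes in memory")      # 28, as user2sid reported
    for rid, label, args in rid_walk(guest, count=3):
        print(f"RID {rid:<5} {label:<18} sid2user \\\\192.168.123.10 {args}")
```

The printed lines are exactly the sid2user invocations you would run against the target, so the output can be pasted into a batch file; the 28-byte length matches the "Length of SID in memory" figure because 8 header bytes plus five 4-byte sub-authorities is 28.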
DumpSec is a Windows-based GUI enumeration tool from SomarSoft and is available from www.somarsoft.com. It enables you to remotely connect to Windows machines and dump account details, share permissions, and user information. Figure 5-5 shows DumpSec.
DumpSec’s GUI-based format makes it easy to take the results and port them into a spreadsheet so that holes in system security are readily apparent and easily tracked. It can provide you with usernames, SIDs, RIDs, account comments, account policies, and dial-in information.
A host of tools can be used for enumeration. The ones listed here should give you an idea of what this type of tool is capable of. Also listed are some of the other tools that perform the same type of enumeration:
Userinfo— Released by HammerofGod, this command-line tool retrieves all available information about any known user from any NT/Win2k/XP system. The Userinfo command displays user information (for one or all users), adds or deletes users, and updates information associated with a user. Specifically, by calling the NetUserGetInfo API at Level 3, Userinfo returns standard information such as the following:
SID and primary group
Logon restrictions and smart card requirements
Special group information
Password expiration information
Figure 5-5 DumpSec.
This application works as a null user, even if the RestrictAnonymous value in the LSA key is set to 1 to specifically deny anonymous enumeration.
GetAcct— Developed by SecurityFriday, this GUI tool can also enumerate vulnerable Windows systems.
GetUserInfo— Created by JoeWare, this command-line tool extracts user info from a domain or computer.
Ldp— This executable is what you need if you’re working with AD systems. Once you find port 389 open and authenticate yourself using an account (even guest will work), you can enumerate all the users and built-in groups.
Some additional tools can be found at www.zoneedit.com/lookup.html?ad=goto and http://www.infobear.com/cgi-bin/nslookup.cgi.
If you are more comfortable with Linux than Windows, check out some of the Windows enumeration tools that are built in to Linux BackTrack OS. These tools include the following:
RPCDump
SMB ServerScan
Smb4K
Figure 5-6 shows the output of Smb4K.
Figure 5-6 Smb4K.
Some other tools that can be used to enumerate Windows computers are built in to the operating system. Consider nbtstat. Microsoft defines nbtstat as a tool designed to help troubleshoot NetBIOS name resolution problems. It has options such as local cache lookup, WINS server query, broadcast, LMHOSTS lookup, hosts lookup, and DNS server query. Entering nbtstat at a Windows command prompt will tell us all about its usage:

C:\>nbtstat

Displays protocol statistics and current TCP/IP connections using NBT (NetBIOS over TCP/IP).

NBTSTAT [ [-a RemoteName] [-A IP address] [-c] [-n]
        [-r] [-R] [-s] [-S] [interval] ]
One of the best ways to use nbtstat is with the -A option. Let’s look at what that returns:

C:\>nbtstat -A 192.168.123.10

       NetBIOS Remote Machine Name Table

   Name               Type         Status
What’s returned is a name table in which each NetBIOS name carries a hex suffix code and a type of UNIQUE or GROUP. These codes identify the services running on this specific system. For example, see the 1D UNIQUE entry? That signifies that this system, Donald, is the master browser for this particular workgroup. Other common codes include the following:

Name     Code   Type   Meaning
domain   1B     U      Domain Master Browser
domain   1C     G      Domain Controllers
domain   1D     U      Master Browser
domain   1E     G      Browser Service Elections
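The table that nbtstat -A prints is the answer to a NetBIOS node status query (record type NBSTAT) sent to UDP port 137. The following Python is an added example, not code from the page or from Microsoft’s nbtstat: it builds that query, parses the reply into the same name/type/status columns, and decodes the suffix codes listed above. Because the text shows no reply bytes, the sample response is constructed by the block itself (a host named Donald that holds the 1D name for a workgroup I have called WORKGROUP); the MAC address and transaction ID are likewise made up. query_host sends the real datagram and is only for use against a lab target you are permitted to probe.

```python
import socket
import struct

NBSTAT_TYPE = 0x0021       # node status record type (RFC 1002)
CLASS_IN = 0x0001
NAME_FLAG_GROUP = 0x8000   # G bit of NAME_FLAGS: group name (otherwise unique)
NAME_FLAG_ACTIVE = 0x0400  # ACT bit: the name is registered

# The 16th byte of a NetBIOS name (the suffix) plus the group flag select the role.
SUFFIX_ROLES = {
    (0x00, False): "Workstation Service",
    (0x00, True): "Domain/Workgroup Name",
    (0x03, False): "Messenger Service",
    (0x20, False): "File Server Service",
    (0x1B, False): "Domain Master Browser",
    (0x1C, True): "Domain Controllers",
    (0x1D, False): "Master Browser",
    (0x1E, True): "Browser Service Elections",
}


def netbios_name(name: str, suffix: int) -> bytes:
    """15 upper-case bytes padded with spaces, then the suffix byte."""
    return name.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([suffix])


def first_level_encode(raw16: bytes) -> bytes:
    """RFC 1001 first-level encoding: every nibble becomes 'A' + nibble,
    so the 16-byte name turns into 32 ASCII letters."""
    return bytes(c for b in raw16 for c in (0x41 + (b >> 4), 0x41 + (b & 0x0F)))


# Encoded wildcard name '*' (the well-known CKAAAAAA... label) with length byte and terminator.
WILDCARD = bytes([32]) + first_level_encode(b"*" + b"\x00" * 15) + b"\x00"


def build_node_status_query(txid: int = 0x1234) -> bytes:
    """What nbtstat -A sends: one NBSTAT question for the wildcard name."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + WILDCARD + struct.pack(">HH", NBSTAT_TYPE, CLASS_IN)


def build_node_status_response(txid: int, entries, mac: bytes) -> bytes:
    """Constructed reply (sample input only); entries are (name, suffix, is_group)."""
    rdata = bytes([len(entries)])
    for name, suffix, is_group in entries:
        flags = NAME_FLAG_ACTIVE | (NAME_FLAG_GROUP if is_group else 0)
        rdata += netbios_name(name, suffix) + struct.pack(">H", flags)
    rdata += mac + b"\x00" * 40                                  # unit ID (MAC), zeroed statistics
    header = struct.pack(">HHHHHH", txid, 0x8400, 0, 1, 0, 0)   # response bit + authoritative
    return header + WILDCARD + struct.pack(">HHIH", NBSTAT_TYPE, CLASS_IN, 0, len(rdata)) + rdata


def parse_node_status_response(data: bytes):
    """Decode the name table into rows like nbtstat prints, plus the MAC address."""
    _txid, flags, _qd, ancount, _ns, _ar = struct.unpack_from(">HHHHHH", data, 0)
    if not flags & 0x8000 or ancount == 0:
        raise ValueError("not a node status response")
    off = 12
    if data[off] & 0xC0 == 0xC0:      # compressed pointer back to the question name
        off += 2
    else:                             # length-prefixed labels, NUL terminated
        while data[off]:
            off += 1 + data[off]
        off += 1
    rtype, _rclass, _ttl, _rdlen = struct.unpack_from(">HHIH", data, off)
    off += 10
    if rtype != NBSTAT_TYPE:
        raise ValueError("unexpected record type 0x%04x" % rtype)
    num_names, off = data[off], off + 1
    table = []
    for _ in range(num_names):
        raw, nflags = data[off:off + 16], struct.unpack_from(">H", data, off + 16)[0]
        off += 18
        is_group = bool(nflags & NAME_FLAG_GROUP)
        table.append({
            "name": raw[:15].rstrip(b" ").decode("ascii", "replace"),
            "suffix": raw[15],
            "type": "GROUP" if is_group else "UNIQUE",
            "status": "Registered" if nflags & NAME_FLAG_ACTIVE else "Inactive",
            "role": SUFFIX_ROLES.get((raw[15], is_group), "Unknown"),
        })
    return table, data[off:off + 6]


def master_browser_for(table):
    """Workgroup name if this host holds the <1D> UNIQUE name, i.e. it is the master browser."""
    for row in table:
        if row["suffix"] == 0x1D and row["type"] == "UNIQUE":
            return row["name"]
    return None


def query_host(ip: str, timeout: float = 2.0):
    """Live equivalent of nbtstat -A ip (lab use only)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_node_status_query(), (ip, 137))
        data, _ = sock.recvfrom(4096)
    return parse_node_status_response(data)


# Constructed sample: host DONALD, master browser for the (assumed) workgroup WORKGROUP.
SAMPLE_ENTRIES = [("DONALD", 0x00, False), ("DONALD", 0x20, False),
                  ("WORKGROUP", 0x00, True), ("WORKGROUP", 0x1D, False),
                  ("WORKGROUP", 0x1E, True)]
SAMPLE_RESPONSE = build_node_status_response(0x1234, SAMPLE_ENTRIES, bytes.fromhex("001122334455"))

if __name__ == "__main__":
    rows, mac = parse_node_status_response(SAMPLE_RESPONSE)
    for r in rows:
        print(f"{r['name']:<16}<{r['suffix']:02X}>  {r['type']:<7} {r['status']:<11} {r['role']}")
    print("MAC", mac.hex(":"), "| master browser for:", master_browser_for(rows))
```

Because the reply is a plain UDP datagram with no authentication, anything that can reach port 137 gets this table, which is why the countermeasures section recommends disabling NetBIOS over TCP/IP on hosts that do not need it.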
You can find a complete list of NetBIOS name codes by searching Google for ‘‘NetBIOS name codes’’ or by looking at www.cotse.com/nbcodes.htm.
Windows Enumeration Countermeasures
Blocking or reducing the amount of information that can be gathered by enumeration should be a prime focus of security professionals. Basic controls that you can apply to reduce this type of information leakage include the following:
Block ports
Disable unnecessary services
Use the Restrict Anonymous setting
Blocking ports 135, 137, 138, 139, 389, and 445 at the perimeter is a good start. The null session itself rides on SMB, so it needs TCP port 139 (NetBIOS session service) or TCP port 445 (SMB over TCP) on the target; the other ports carry the RPC endpoint mapper (135) and the NetBIOS name and datagram services (UDP 137 and 138) that attackers use to find and fingerprint hosts. Disabling NetBIOS over TCP/IP on individual hosts closes 137, 138, and 139 and so reduces what an attacker can gather by means of enumeration; note that it does not close port 445, which still accepts SMB connections. Here are the steps to accomplish this task:
1. Open the properties of the network connection.
2. Click TCP/IP and then the Properties button.
3. Click the Advanced button.
4. On the WINS tab, select Disable NetBIOS over TCP/IP.
Another technique is to edit the registry directly to restrict what an anonymous (null session) user can see. Listed here are the steps to accomplish this task:
1. Open regedt32, and navigate to HKLM\SYSTEM\CurrentControlSet\Control\Lsa.
2. Choose Edit ➪ Add Value. Enter these values:
Value name: RestrictAnonymous
Data type: REG_DWORD
Value: 2
A value of 1 stops anonymous users from listing accounts and shares, but SID lookups such as those performed by user2sid and sid2user still succeed. A value of 2 (Windows NT 4.0 SP3 and Windows 2000) removes the Everyone group from the anonymous user’s token, so a null session gets no access unless it has been granted explicitly; test it first, because some down-level clients and domain trusts depend on anonymous access. On Windows XP and Windows Server 2003 the level-2 setting was replaced by two additional values in the same key, RestrictAnonymousSAM (blocks anonymous enumeration of SAM accounts, on by default) and EveryoneIncludesAnonymous (whether anonymous logons receive the Everyone group’s permissions, off by default).
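To check these settings without clicking through regedt32, the following Python is an added example (not from the page or from Microsoft): it reads the three anonymous-access values from the Lsa key on a Windows host and grades them using the Windows 2000 versus XP/2003 semantics of RestrictAnonymous. The evaluation is separated from the registry read so it also runs against values collected another way, for example from an exported .reg file; the finding strings, the os_family labels and the sample value sets are my own.

```python
import sys

LSA_KEY = r"SYSTEM\CurrentControlSet\Control\Lsa"
ANON_VALUES = ("RestrictAnonymous", "RestrictAnonymousSAM", "EveryoneIncludesAnonymous")


def read_lsa_settings() -> dict:
    """Read the three values from the live registry (Windows only). A value that
    is absent from the key is returned as None so the caller can apply the default."""
    if sys.platform != "win32":
        raise OSError("HKLM is only readable on Windows; pass a dict to assess_anonymous_access")
    import winreg  # standard library, Windows builds only
    settings = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, LSA_KEY) as key:
        for name in ANON_VALUES:
            try:
                settings[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                settings[name] = None
    return settings


def assess_anonymous_access(settings: dict, os_family: str) -> list:
    """Return a list of findings (empty means hardened) for a dict of registry values.
    os_family is "2000" for NT 4.0 / Windows 2000 or "xp2003" for XP / Server 2003,
    because RestrictAnonymous means different things on the two families."""
    ra = settings.get("RestrictAnonymous") or 0   # an absent value behaves as 0
    findings = []
    if os_family == "2000":
        if ra == 0:
            findings.append("RestrictAnonymous=0: null sessions can list shares and users and look up SIDs")
        elif ra == 1:
            findings.append("RestrictAnonymous=1: listing blocked, but user2sid/sid2user lookups still work")
        # ra == 2: Everyone is removed from the anonymous token; nothing to report
    elif os_family == "xp2003":
        if ra == 0:
            findings.append("RestrictAnonymous=0: anonymous share enumeration allowed")
        if (settings.get("RestrictAnonymousSAM") or 0) == 0:
            findings.append("RestrictAnonymousSAM=0: anonymous SAM account enumeration allowed")
        if (settings.get("EveryoneIncludesAnonymous") or 0) == 1:
            findings.append("EveryoneIncludesAnonymous=1: null sessions inherit Everyone's permissions")
    else:
        raise ValueError(f"unknown os_family {os_family!r}")
    return findings


if __name__ == "__main__":
    # Constructed samples: the weak Windows 2000 default beside the hardened value,
    # and the XP/2003 out-of-box values.
    samples = [
        ("Windows 2000 default", {"RestrictAnonymous": None}, "2000"),
        ("Windows 2000 hardened", {"RestrictAnonymous": 2}, "2000"),
        ("XP/2003 default", {"RestrictAnonymous": 0, "RestrictAnonymousSAM": 1,
                             "EveryoneIncludesAnonymous": 0}, "xp2003"),
    ]
    for label, values, family in samples:
        print(label, "->", assess_anonymous_access(values, family) or ["OK"])
    if sys.platform == "win32":
        print("this host ->", assess_anonymous_access(read_lsa_settings(), "xp2003") or ["OK"])
```

Run it on the target after applying the registry change and again after the next reboot, since some of these values are re-applied by domain Group Policy and a locally hardened setting can silently revert.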
Other security controls can reduce the potential damage from enumeration.
Typically, the oldest (or down-level) software is the most vulnerable. Newer versions of Windows are considered more secure from enumeration than older versions, such as Windows NT and Windows 2000. And although not every company has the money to buy the latest operating system, such as Windows 2003 or Vista, the latest Microsoft security patches will also reduce the threat of enumeration.
IN THE LAB
Windows enumeration can provide the attacker with enough information to launch an attack. To prevent this vulnerability, you need to consider tightening the Restrict Anonymous settings and blocking ports associated with the null session, such as 135, 139, and 445. In the lab you will want to explore this by targeting a default Windows 2000 server. From the command prompt of another system, enter the following:
C:\>net use \\192.168.123.100\ipc$ "" /u:""
Be sure to replace the IP address with the actual IP address of your targeted system. Next, you will want to download and install DumpSec, which is available at www.systemtools.com/cgi-bin/download.pl?DumpAcl. After installing DumpSec, start the program, go to Report, and then enter the IP address. Then choose Report ➪ Add Users to Table. This option will allow you to view all current users and associated information in a table format. Take some time to review the amount of information you have obtained without logging on to the system with a username and password.