N I L A D I C  Saturday 21 Mordad 1396, 05:10 PM
Hi folks
Let's get back to our business and continue the CEH lessons.

- Enumeration is the process of extracting information from the target system:
information such as usernames, machine names, shares and services.
Unlike the earlier phases, it initiates active connections to the target to obtain this information.

- Some of the information types obtained in this phase:
¦ Network resources and shares
¦ Users and groups
¦ Routing tables
¦ Auditing and service settings
¦ Machine names
¦ Applications and banners
¦ SNMP and DNS details

- Some techniques and methods:
* Extracting information from e-mail IDs:
obtain username and domain name information from an e-mail address or ID.
An e-mail address contains two parts:
the part before the @ is the username and the part after the @ is the domain name.
* Obtaining information through default passwords:
Every device has default settings in place, and default passwords are part of this group.
* Using brute-force attacks on directory services:
A directory service is a database that contains information used to administer the network.
One class of attack that can be used against it is "input verification" attacks.
* Exploiting SNMP (Simple Network Management Protocol, a client/server protocol):
it can be exploited by anyone who can guess the community strings and use them to extract usernames.
* Working with DNS Zone Transfers:
A zone transfer is designed to update DNS servers with the correct information; however, the zone
contains information that could map out the network, providing valuable data about the structure of the environment
* Capturing User Groups:
This technique involves extracting user accounts from specified groups,
storing the results, and determining what the session accounts are in the group

* There are several types of OS (Windows and Unix are the most important),
so we should know what we have in each of them:
- Windows users:
1) Local Service: higher than normal access to the local system, but limited access to the network
2) Network Service: normal access to the network, but limited access to the local system
3) System: super-user style, unlimited access to the local system
4) Current user: the currently logged-in user

- Windows groups:
1) Anonymous Logon: allows anonymous access to resources, typically when logged in to a web application or web server
2) Batch: allows batch jobs to run scheduled tasks such as cleaning up and deleting temp files
3) creator group
4) creator owner
5) everyone
6) interactive
7) Network: any user accessing the system through the network
8) restricted
9) self
10) Service: any service accessing the system
11) System: system-level functions
12) Terminal Server User: access to Terminal Server applications

* Each user account in Windows has a SID (security identifier), and the SID is very important:
Windows uses the SID to look up a user account and check whether the password matches,
and it is used whenever a permission check is needed.

* Important ports and services:
TCP 53 = DNS
TCP 135 = used for client/server communication by applications such as Outlook
TCP 137 = NetBIOS Name Service (NBNS) ... provides name resolution services for the NetBIOS protocol
TCP 139 = NetBIOS Session Service ... SMB over NetBIOS (SMB = Server Message Block, used by the redirector and for shares such as printer sharing)
TCP 445 = SMB over TCP
UDP 161/162 = SNMP
TCP/UDP 389 = LDAP (Lightweight Directory Access Protocol) ... used to exchange directory information between two parties
TCP 25 = SMTP (Simple Mail Transfer Protocol)

*#*#*#*#*#* ATTACKING *#*#*#*#*#*

#### WAY$:

*** WINDOWS - NetBIOS attack:
- How to enable NetBIOS in Windows?
Control Panel -> Network and Sharing Center -> Change adapter settings -> right-click the adapter you want -> Properties -> Internet Protocol Version 4
-> Properties -> Advanced (General tab) -> WINS tab -> Enable NetBIOS

- How is NetBIOS used in an attack?
It is used for remote connections between two PCs.
nbtstat -a -> name table of the remote system
"nbtstat -A ip"            the NetBIOS Auditing Tool (nat) has to be downloaded separately

- Using NetBIOS as a NULL session:
nbtstat -a
nbtstat -A ip
net use \\ip\IPC$ "" /user:""
net view \\ip
nat ip >esm.txt   ..............   this writes the users into that txt file; then
nbtscan -v ip
enum -u -m -n -s -p -g ip >file.txt
user2sid \\ip name
sid2user \\ip <SID>   ............   the number user2sid returned, written without the "-" and with its last part replaced by 500; this gives us the admin user
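The SID paragraph above and the sid2user step both come down to reading the last component of a SID (the RID). As an added example, not code from the original post, here is a small Python parser that does this and labels the well-known SIDs and RIDs (Local Service, Network Service, System, RID 500); the sample SIDs are constructed.

```python
"""Added example, not part of the original post: parse Windows SIDs and name the
well-known ones the post mentions (Local Service, Network Service, System, and the
RID-500 built-in Administrator that the sid2user trick looks up). Sample SIDs are
constructed."""
import re
from typing import Dict, List, Optional

# S-<revision>-<authority>-<sub-authority>...-<RID>; at least one trailing component.
SID_RE = re.compile(r"^S-(?P<rev>\d+)-(?P<auth>\d+)(?P<subs>(?:-\d+)+)$")

# Well-known SIDs matching the Windows account types listed earlier in the post.
WELL_KNOWN_SIDS: Dict[str, str] = {
    "S-1-5-7": "Anonymous Logon",
    "S-1-5-18": "Local System",
    "S-1-5-19": "Local Service",
    "S-1-5-20": "Network Service",
}
# Well-known RIDs (last component) under a machine/domain SID S-1-5-21-x-y-z-<RID>.
# RID 500 is the built-in Administrator even if the account has been renamed.
WELL_KNOWN_RIDS: Dict[int, str] = {500: "Administrator (built-in)",
                                   501: "Guest (built-in)", 512: "Domain Admins"}

def parse_sid(sid: str) -> Optional[dict]:
    """Split 'S-1-5-21-a-b-c-1003' into revision, authority, sub-authorities and RID."""
    m = SID_RE.match(sid)
    if not m:
        return None
    parts: List[int] = [int(p) for p in m.group("subs").strip("-").split("-")]
    return {"revision": int(m.group("rev")), "authority": int(m.group("auth")),
            "subauthorities": parts[:-1], "rid": parts[-1]}

def with_rid(sid: str, rid: int) -> Optional[str]:
    """Same SID with the trailing RID swapped: the substitution the post performs by
    hand when it replaces the last number with 500."""
    if parse_sid(sid) is None:
        return None
    return sid.rsplit("-", 1)[0] + f"-{rid}"

def describe_sid(sid: str) -> str:
    """Label a SID: well-known SID, well-known RID in a machine/domain SID, or unknown."""
    parsed = parse_sid(sid)
    if parsed is None:
        return "invalid SID"
    if sid in WELL_KNOWN_SIDS:
        return WELL_KNOWN_SIDS[sid]
    if parsed["authority"] == 5 and parsed["subauthorities"][:1] == [21]:
        return WELL_KNOWN_RIDS.get(parsed["rid"], f"machine/domain account, RID {parsed['rid']}")
    return "unknown"
```

The defender's takeaway is the RID: renaming the Administrator account does not change its RID of 500, so account monitoring should key on the SID rather than the display name.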

To list the shared folders:
net view \\<computer name obtained from nbtstat -a>
To mount a shared folder:
net use s: \\<computer name obtained from nbtstat -a>\<shared folder name>

We can use "SuperScan" to do these, or the "PsTools Suite".

- SNMP and MIB(Management Information Base)
... MIB is a database that contains descriptions of the network objects that can be managed through SNMP
... MIB elements are recognized using object identifiers. The object identifier (OID) is the numeric name given to the object and begins with the root of the MIB tree.

* Using MIB and SNMP to get information:
- On Linux: snmpget ip -c string(public/private) object-ID (for example .
If it returns a result, the host has SNMP. For the following objects use snmpgetnext ip -c string(public/private) previous-object-ID, which returns the next object ID by itself.
- To find out what an object ID means, run snmptranslate object-ID
- Then snmpwalk ip -c string(public/private) object-ID
- MIB object ID: .
- To extract the information, run snmpwalk with the MIB object ID and save the output to a txt file, or to an snmp file by writing snmp at the end without an extension:
snmpwalk ip -c string(public/private) . >f.txt
snmpwalk ip -c string(public/private) . >snmp      for the snmp file; then view it with "more snmp"
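The snmpgetnext/snmpwalk relationship described above is easier to see in code. As an added example, not from the original post, this Python model walks a constructed in-memory agent the way snmpwalk walks a real one: repeated get-next requests until the reply leaves the requested subtree. It also shows why OIDs must be compared component-wise as integers (ifDescr.10 follows ifDescr.9; a string comparison would put ".10" first).

```python
"""Added example, not from the original post: a small model of how snmpwalk is built
from repeated get-next requests (the post's snmpgetnext step), run against a
constructed in-memory agent. OIDs compare component-wise as integers, so ifDescr.10
follows ifDescr.9; a string comparison would put ".10" before ".9"."""
from typing import Dict, List, Optional, Tuple

OID = Tuple[int, ...]

def parse_oid(text: str) -> OID:
    """'.1.3.6.1.2.1.1.5.0' -> (1, 3, 6, 1, 2, 1, 1, 5, 0)."""
    return tuple(int(p) for p in text.strip(".").split("."))

def format_oid(oid: OID) -> str:
    return "." + ".".join(str(p) for p in oid)

# Constructed agent: three objects from the MIB-2 "system" group (.1.3.6.1.2.1.1)
# and three from "interfaces" (.1.3.6.1.2.1.2), so a walk of "system" has to stop.
SAMPLE_AGENT: Dict[OID, str] = {
    parse_oid(".1.3.6.1.2.1.1.1.0"): "Linux demo-host 4.9.0",   # sysDescr.0
    parse_oid(".1.3.6.1.2.1.1.5.0"): "demo-host",              # sysName.0
    parse_oid(".1.3.6.1.2.1.1.6.0"): "server room, rack 3",    # sysLocation.0
    parse_oid(".1.3.6.1.2.1.2.1.0"): "2",                      # ifNumber.0
    parse_oid(".1.3.6.1.2.1.2.2.1.2.9"): "eth0",               # ifDescr.9
    parse_oid(".1.3.6.1.2.1.2.2.1.2.10"): "eth1",              # ifDescr.10
}

def snmp_getnext(agent: Dict[OID, str], oid: OID) -> Optional[Tuple[OID, str]]:
    """GETNEXT semantics: the first object whose OID is strictly greater than `oid`.
    Tuples of ints sort component-wise, which is exactly lexicographic OID order."""
    for candidate in sorted(agent):
        if candidate > oid:
            return candidate, agent[candidate]
    return None  # no object after `oid`: end of the agent's MIB view

def snmp_walk(agent: Dict[OID, str], root: str) -> List[Tuple[str, str]]:
    """snmpwalk semantics: start at the subtree root and keep issuing GETNEXT on the
    OID just returned until the reply falls outside the root prefix."""
    prefix = parse_oid(root)
    results: List[Tuple[str, str]] = []
    current = prefix
    while True:
        nxt = snmp_getnext(agent, current)
        if nxt is None or nxt[0][:len(prefix)] != prefix:
            return results
        results.append((format_oid(nxt[0]), nxt[1]))
        current = nxt[0]
```

Everything in SAMPLE_AGENT is readable with nothing more than the community string, which is why the defensive fix is to change the default strings and restrict which sources may query the agent, not to rely on the OID tree being hard to guess.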

* What can be accessed by attacking SNMP:
¦ Network resources such as hosts, routers, and devices
¦ File shares
¦ ARP tables
¦ Routing tables
¦ Device-specific information
¦ Traffic statistics

We can use "SNScan" or "SolarWinds" for MIB and SNMP.

----- LINUX:
* finger: designed to return information about a user on a given system
finger <switches> username
Switches that can be used with the finger command include the following:
¦ -b removes the home directory and shell from the user display.
¦ -f removes header information from the display.
¦ -w removes the full name from the display.
¦ -l returns the list of users.

* rpcinfo: enumerates information exposed over the Remote Procedure Call (RPC) protocol
rpcinfo <switches> hostname
Switches that can be used with rpcinfo include the following:
¦ -m displays a list of statistics for RPC on a given host.
¦ -s displays a list of registered RPC applications on a given host.

* showmount: displays a list of all clients that have remotely mounted a file system
/usr/sbin/showmount [-ade] [hostname]
Switches that can be used with showmount include the following:
¦ -a prints all remote mounts.
¦ -d lists directories that have been remotely mounted by clients.
¦ -e prints the list of shared file systems.

* Enum4linux: allows the extraction of information through Samba
-> Samba: the Linux implementation of SMB, used for
->Sharing the file system of the UNIX server to Microsoft clients
->Sharing printer resources from the UNIX environment to Microsoft clients
->Performing authentication and authorization services to Microsoft clients

(With nslookup)
telnet ip 25
helo host-name ..... this tells us that some kind of connection exists between us and the target
vrfy someusername (on Linux "vrfy root", on Windows "vrfy administrator")
Instead of helo we can send ehlo host-name
Instead of "vrfy" we can also send "EXPN"

Then, if it returns information, we know the server is cooperating with us, and we send
"mail from: an address, e.g. james@whereever.com"
"rcpt to: james@nowhere.com"
then in data
we enter a message, which means we have sent mail as someone else without their consent.
* Tools that can be used for SMTP attacks:
"TamoSoft's Essential NetTools" or "NetScanTools Pro"
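Seen from the mail server, the VRFY/EXPN exchange above is a short burst of address probes from one client. As an added example, not code from the original post, this Python detection pass flags clients that probe several distinct names; the log format and addresses are constructed for the demo and do not match any particular MTA.

```python
"""Added example, not from the original post: a detection pass over mail-server log
lines that flags clients probing many distinct names with VRFY/EXPN, which is what
the enumeration exchange above looks like from the server side. The log format
and the addresses are constructed for this demo, not a real MTA's log format."""
import re
from collections import defaultdict
from typing import Dict, List, Set

SAMPLE_LOG = """\
2017-08-12T17:10:01 client=203.0.113.7 cmd=HELO arg=scanner
2017-08-12T17:10:02 client=203.0.113.7 cmd=VRFY arg=root
2017-08-12T17:10:02 client=203.0.113.7 cmd=VRFY arg=administrator
2017-08-12T17:10:03 client=203.0.113.7 cmd=EXPN arg=postmaster
2017-08-12T17:10:03 client=203.0.113.7 cmd=VRFY arg=james
2017-08-12T17:10:04 client=203.0.113.7 cmd=VRFY arg=Backup
2017-08-12T17:10:09 client=198.51.100.22 cmd=EHLO arg=mail.example.net
2017-08-12T17:10:09 client=198.51.100.22 cmd=VRFY arg=james
2017-08-12T17:10:10 client=198.51.100.22 cmd=MAIL arg=from:<a@example.net>
"""

LINE_RE = re.compile(r"client=(?P<client>\S+) cmd=(?P<cmd>[A-Z]+) arg=(?P<arg>\S*)")
PROBE_COMMANDS = {"VRFY", "EXPN"}  # the two address-probing verbs from the post

def count_probes(log_text: str) -> Dict[str, Set[str]]:
    """Map each client to the set of distinct names it probed with VRFY or EXPN.
    Names are lower-cased so 'Backup' and 'backup' count once."""
    probes: Dict[str, Set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("cmd") in PROBE_COMMANDS:
            probes[m.group("client")].add(m.group("arg").lower())
    return probes

def flag_enumerators(log_text: str, threshold: int = 3) -> List[str]:
    """Clients that probed at least `threshold` distinct names. Normal mail delivery
    almost never sends VRFY, so even a low threshold is a useful signal."""
    return sorted(client for client, names in count_probes(log_text).items()
                  if len(names) >= threshold)
```

On the mitigation side, most MTAs can refuse these verbs outright (Postfix: `disable_vrfy_command = yes`), after which any VRFY in the log is itself worth a look.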

****** [nslookup (Windows; on Linux use dig) - snmpwalk - netbios]