Wednesday, February 26, 2020

NET185 - Enumeration

This section covered the next phase: enumeration. Enumeration is the phase of gathering information from a system to learn its configuration, services, software, users, etc. This information is valuable because it helps the hacker prepare for exploitation; with it they can research the specific vulnerabilities of that system. Enumeration looks different on each operating system; Windows and Linux will produce very different results.

Emails are a great place to start when looking for IDs. Usually an email address is composed as username@domain. Another useful starting point is default passwords. There are websites that list the default passwords for many devices. Not everyone knows or thinks of changing the defaults on a newly set up device, so it is worth considering and possibly attempting as a way to gain access to the device. The username 'admin' is a common one.

Knowing the configuration of a system is useful. For instance, on Windows the SID is the identifier that is created with an account and left unaltered even as the username changes. The SID of 500 belongs to the administrator account and 501 to the built-in local guest account.
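To show why the SID matters more than the account name, here is a short Python script, added as an example and not part of the class material or the original post, that parses SID strings and flags accounts whose relative identifier (the RID, which is the last component of the SID) is the well-known 500 or 501 even after the account has been renamed. The account names and the S-1-5-21-... machine prefix are constructed sample values.

```python
import re

# Well-known relative identifiers (RIDs) for built-in local accounts.
# The RID is the last component of the SID and does not change when the
# account is renamed, which is why enumeration keys on it, not on the name.
WELL_KNOWN_RIDS = {500: "built-in Administrator", 501: "built-in Guest"}

# Textual SID layout: S-<revision>-<identifier authority>-<subauthority>...
SID_PATTERN = re.compile(r"^S-1-\d+(?:-\d+)+$")


def parse_sid(sid):
    """Return (identifier_authority, subauthorities, rid) for a textual SID.

    Raises ValueError when the string is not shaped like a SID.
    """
    if not SID_PATTERN.match(sid):
        raise ValueError(f"not a valid SID string: {sid!r}")
    parts = sid.split("-")
    # parts[0] == "S", parts[1] == revision, parts[2] == identifier authority
    authority = int(parts[2])
    subauthorities = [int(p) for p in parts[3:]]
    return authority, subauthorities, subauthorities[-1]


def classify_accounts(accounts):
    """Given (name, sid) pairs, return (name, rid, description) for every
    account whose RID is a well-known built-in, whatever its display name."""
    found = []
    for name, sid in accounts:
        _, _, rid = parse_sid(sid)
        if rid in WELL_KNOWN_RIDS:
            found.append((name, rid, WELL_KNOWN_RIDS[rid]))
    return found


# Constructed sample: the administrator has been renamed to "svc_backup" and
# the guest account to "visitor"; the machine-specific prefix is made up.
SAMPLE_ACCOUNTS = [
    ("svc_backup", "S-1-5-21-1111111111-2222222222-3333333333-500"),
    ("visitor",    "S-1-5-21-1111111111-2222222222-3333333333-501"),
    ("alice",      "S-1-5-21-1111111111-2222222222-3333333333-1001"),
]

if __name__ == "__main__":
    for name, rid, desc in classify_accounts(SAMPLE_ACCOUNTS):
        print(f"{name}: RID {rid} -> {desc}")
```

Renaming the administrator account is a common hardening step, but as the script shows the RID still gives it away, so the rename should be treated as a speed bump rather than a hiding place.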

There are a few tools an ethical hacker can use to enumerate a system. Some of the tools are: nmap, Metasploit, SoftPerfect, netcat, SuperScan, PsTools.

SuperScan is an older application, but it is useful for obtaining many of the basics.

Netcat was demonstrated listening on a Windows system. The application is downloaded onto the device that is intended to be accessed. The files are hidden in a location where the user will not notice them, and netcat is configured to listen on port 2222 for connections from the device you monitor the system with. In the demo, on Kali Linux they entered 'nc -nv 192.168.86.29 2222' in the terminal and were then able to gather information about the Windows OS, such as pulling the system information by entering the command systeminfo.
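From the defender's side, the listener in that demo is exactly what a port baseline check should catch. The following Python script is an added example, not from the class or the original post: it parses the output of the Windows 'netstat -ano' command and reports any TCP listener whose port is not in an expected baseline. The netstat text, the baseline set and the PIDs are constructed; the 192.168.86.29 address is the one from the demo and the peer address is made up.

```python
import re

# Constructed baseline: ports a workstation in this lab is expected to listen on.
BASELINE_LISTENERS = {135, 445, 3389}

# One 'netstat -ano' line in LISTENING state, e.g.
#   TCP    0.0.0.0:2222           0.0.0.0:0              LISTENING       4120
LISTEN_RE = re.compile(
    r"^\s*TCP\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+LISTENING\s+(?P<pid>\d+)\s*$"
)


def parse_listeners(netstat_text):
    """Return a list of {'addr', 'port', 'pid'} dicts for every TCP LISTENING line."""
    listeners = []
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            listeners.append({
                "addr": m.group("addr"),
                "port": int(m.group("port")),
                "pid": int(m.group("pid")),
            })
    return listeners


def find_unexpected(listeners, baseline):
    """Return the listeners whose port is not in the approved baseline."""
    return [l for l in listeners if l["port"] not in baseline]


# Constructed sample output of 'netstat -ano' on the Windows host from the demo.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       908
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:2222           0.0.0.0:0              LISTENING       4120
  TCP    192.168.86.29:2222     192.168.86.30:51234    ESTABLISHED     4120
  TCP    [::]:3389              [::]:0                 LISTENING       1204
  UDP    0.0.0.0:5353           *:*                                    1560
"""

if __name__ == "__main__":
    for hit in find_unexpected(parse_listeners(SAMPLE_NETSTAT), BASELINE_LISTENERS):
        print(f"unexpected listener {hit['addr']}:{hit['port']} (PID {hit['pid']})")
```

The PID in the report is the pivot for the next step of an investigation: look up which image owns it and where that file lives, which is how a hidden netcat binary gets found.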

It was noted in the enumeration of the Linux OS that the password files are the most commonly asked exam question. The passwords for the users on the system are stored in the /etc/shadow file, and entering the command 'cat /etc/shadow' outputs its contents in the terminal session. The finger command can reveal a lot about a user on a Linux system, such as the user's login name, real name, terminal name, write status, idle time, login time, etc.
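Since /etc/shadow comes up so often, it helps to know its layout well enough to audit it. The Python script below is an added example, not from the class or the original post: it parses shadow-format lines (name:password:lastchange:min:max:warn:inactive:expire:reserved), works out what the password field means (empty, locked, or which hash scheme), and reports accounts that can log in with no password or that still use a weak hash. The sample lines, user names and hash values are constructed.

```python
import re

# /etc/shadow fields, colon separated, nine per line.
FIELDS = ["name", "password", "lastchange", "min", "max",
          "warn", "inactive", "expire", "reserved"]

# Hash scheme identifiers found between the first two '$' of a crypt string.
HASH_IDS = {
    "1": "md5crypt",
    "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "5": "sha256crypt",
    "6": "sha512crypt",
    "y": "yescrypt",
}

# Schemes an audit should flag for rehashing.
WEAK_SCHEMES = {"md5crypt", "DES crypt"}


def parse_shadow_line(line):
    """Split one shadow line into a dict keyed by FIELDS."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    return dict(zip(FIELDS, parts))


def classify_password_field(pw):
    """Describe a password field: 'empty', 'locked', a hash scheme name, or 'DES crypt'."""
    if pw == "":
        return "empty"                      # no password needed to log in
    if pw[0] in "!*":
        return "locked"                     # '!' or '*' prefix disables password login
    m = re.match(r"^\$([^$]+)\$", pw)
    if m:
        return HASH_IDS.get(m.group(1), f"unknown ${m.group(1)}$")
    return "DES crypt"                      # traditional 13-character crypt(3)


def audit_shadow(text):
    """Return (name, finding) pairs for accounts with an empty or weakly hashed password."""
    findings = []
    for line in text.strip().splitlines():
        if not line or line.startswith("#"):
            continue
        row = parse_shadow_line(line)
        scheme = classify_password_field(row["password"])
        if scheme == "empty":
            findings.append((row["name"], "empty password field: login without a password"))
        elif scheme in WEAK_SCHEMES:
            findings.append((row["name"], f"weak hash scheme: {scheme}"))
    return findings


# Constructed sample shadow file; the hashes are placeholders, not real digests.
SAMPLE_SHADOW = """
root:$6$Qx7yJ1Lp$Zk3sVb9nT2wE5rY8uI1oP4aS7dF0gH2jK5lM8nB1vC3xZ6aQ9wE2rT4yU7iO0pL3kJ:18300:0:99999:7:::
daemon:*:18300:0:99999:7:::
alice:$1$Ab3dE7f$hJk9LmN2oPq4RsT6uVw8x1:18300:0:99999:7:::
bob::18300:0:99999:7:::
carol:!$6$Ws4eD5r$fG6hJ7kL8mN9oP0qR1sT2uV3wX4yZ5aB6cD7eF8gH9iJ0kL1mN2oP3qR4sT5uV6wX7:18300:0:99999:7:::
"""

if __name__ == "__main__":
    for name, finding in audit_shadow(SAMPLE_SHADOW):
        print(f"{name}: {finding}")
```

Run against the real file the script needs root, which is the point of the countermeasure: /etc/shadow must stay mode 0640 (or tighter) and root-owned, so that 'cat /etc/shadow' only works for a user who already has everything.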

Some of the countermeasures against enumeration:

  • For SNMP -
    • Countermeasure 1: Monitoring activity on ports 161 and 162 (or any other ports configured for this traffic).
    • Countermeasure 2: Removing SNMP or turning the SNMP service off completely
    • Countermeasure 3: Updating SNMP and keeping it at the most current version
    • Countermeasure 4: Like with everything, change the default passwords
  • DNS - DNS zone restriction (only provide copies of zone files to certain servers), digital signatures, split DNS (internal and external groups; this adds a defensive layer)
  • SMTP - simply ignore messages from unknown recipients, block open SMTP relaying
  • LDAP - a little more difficult to set a countermeasure for; the best option suggested was to review and implement the security settings and services available through the server software.
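The first SNMP countermeasure and the DNS zone restriction both come down to the same check: traffic on a sensitive port is only acceptable between approved hosts. The Python script below is an added example, not from the class or the original post, and it generalizes that check across the list above: it parses iptables-style firewall log lines and raises an alert for SNMP queries (UDP 161) from a host outside the management set, SNMP traps (UDP 162) sent anywhere but the manager, and DNS over TCP (the transport zone transfers use, port 53) from a host that is not an approved secondary. The log lines, host addresses and allowlists are all constructed.

```python
import re
from collections import namedtuple

Event = namedtuple("Event", "ts src dst proto dport")

# Syslog timestamp at the start of the line, e.g. "Feb 26 10:00:02".
TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) ")
# The iptables LOG fields we need: SRC=, DST=, PROTO= and DPT= (destination port).
FIELDS_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+).*? PROTO=(?P<proto>\w+) .*?DPT=(?P<dport>\d+)"
)

# Constructed policy. allowed_src / allowed_dst of None means "not restricted".
RULES = {
    ("UDP", 161): {"name": "SNMP query", "allowed_src": {"10.0.0.10"}, "allowed_dst": None},
    ("UDP", 162): {"name": "SNMP trap", "allowed_src": None, "allowed_dst": {"10.0.0.10"}},
    ("TCP", 53):  {"name": "DNS over TCP (zone transfer path)",
                   "allowed_src": {"10.0.0.31"}, "allowed_dst": None},
}


def parse_line(line):
    """Turn one firewall log line into an Event, or None if it is not a packet log."""
    ts = TS_RE.match(line)
    fields = FIELDS_RE.search(line)
    if not ts or not fields:
        return None
    return Event(ts.group("ts"), fields.group("src"), fields.group("dst"),
                 fields.group("proto").upper(), int(fields.group("dport")))


def evaluate(event, rules):
    """Return an alert reason for the event, or None if it is allowed or unwatched."""
    rule = rules.get((event.proto, event.dport))
    if rule is None:
        return None
    if rule["allowed_src"] is not None and event.src not in rule["allowed_src"]:
        return f"{rule['name']} from unapproved source"
    if rule["allowed_dst"] is not None and event.dst not in rule["allowed_dst"]:
        return f"{rule['name']} to unapproved destination"
    return None


def scan(log_text, rules):
    """Return (timestamp, src, dst, reason) for every line that violates a rule."""
    alerts = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        reason = evaluate(event, rules)
        if reason:
            alerts.append((event.ts, event.src, event.dst, reason))
    return alerts


# Constructed log: 10.0.0.10 is the SNMP manager, 10.0.0.31 the approved DNS
# secondary, 10.0.0.20 a monitored switch, 10.0.0.53 the primary DNS server.
SAMPLE_LOG = """\
Feb 26 10:00:01 fw kernel: IN=eth0 OUT= SRC=10.0.0.10 DST=10.0.0.20 LEN=78 TTL=64 PROTO=UDP SPT=51000 DPT=161 LEN=58
Feb 26 10:00:02 fw kernel: IN=eth0 OUT= SRC=10.0.0.77 DST=10.0.0.20 LEN=78 TTL=64 PROTO=UDP SPT=51001 DPT=161 LEN=58
Feb 26 10:00:03 fw kernel: IN=eth0 OUT= SRC=10.0.0.20 DST=10.0.0.10 LEN=90 TTL=64 PROTO=UDP SPT=162 DPT=162 LEN=70
Feb 26 10:00:04 fw kernel: IN=eth0 OUT= SRC=10.0.0.20 DST=203.0.113.5 LEN=90 TTL=64 PROTO=UDP SPT=162 DPT=162 LEN=70
Feb 26 10:00:05 fw kernel: IN=eth0 OUT= SRC=10.0.0.31 DST=10.0.0.53 LEN=60 TTL=64 PROTO=TCP SPT=40000 DPT=53 WINDOW=64240
Feb 26 10:00:06 fw kernel: IN=eth0 OUT= SRC=10.0.0.77 DST=10.0.0.53 LEN=60 TTL=64 PROTO=TCP SPT=40001 DPT=53 WINDOW=64240
Feb 26 10:00:07 fw kernel: IN=eth0 OUT= SRC=10.0.0.77 DST=10.0.0.20 LEN=60 TTL=64 PROTO=TCP SPT=40002 DPT=80 WINDOW=64240
"""

if __name__ == "__main__":
    for ts, src, dst, reason in scan(SAMPLE_LOG, RULES):
        print(f"{ts}  {src} -> {dst}: {reason}")
```

The same rule table is where Countermeasure 2 shows up: a host that has had SNMP removed should never appear as a destination on 161 at all, so any hit there is worth a look even from a management address.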

This week's article, found on cybersecuritynews.com, was about the ACSC (Australian Cyber Security Centre) suspecting that a ransom-backed denial of service threat against Australian businesses, mostly financial and banking companies, came from the Silence Hacking Group. So far that is only speculation, but the ACSC recommends that businesses prepare for any ransomware attacks. For further reading, refer to this article: Silence Hacking Group Threatens Australian Banks of DoS Attacks if Ransom Not Paid
