Thursday, January 12, 2012

Learn How to Enumerate Hosts and Domains of LAN using Net Commands

  1. The net commands are used to enumerate information from the Local Area Network (LAN).
  2. Once a NULL session has been established, any shares on these hosts will be displayed as well.
  3. Create a null session first, as mentioned in earlier posts.
  4. Run the syntax: net
  5. From a DOS prompt, type the syntax: net view
  6. This technique only works on the LAN and not on the Internet. Type command syntax: net view /domain


To identify the hosts within each domain, the syntax would be: net view /domain:<domain name>
To view the non-hidden shares available: net view \\<target IP address>
If you find you are not obtaining the results desired, try initiating a NULL session to the target.

Hacking Tool: DumpSec | How to Establish NULL session with target system


DumpSec, presently available as freeware from SomarSoft and downloadable at http://www.systemtools.com/somarsoft/, is a security auditing program for Windows systems. It dumps the permissions (DACLs) and audit settings (SACLs) for the file system, registry, printers and shares in a concise, readable listbox (text) format, so that holes in system security are readily apparent. DumpSec also dumps user, group and replication information.

DumpSec takes advantage of the NetBIOS API and works by establishing a NULL session to the target box as the null user via the [net use \\server "" /user:""] command. It then makes NET* enumeration application program interface (API) calls such as NetServerGetInfo (provided by the Netapi32 library).

It allows users to remotely connect to any computer and dump permissions, audit settings, and ownership for the Windows NT/2000 file system into a format that is easily converted to Microsoft Excel for editing. Hackers can choose to dump either NTFS or share permissions. It can also dump permissions for printers and the registry.

The highlight is DumpSec's ability to dump the users and groups in a Windows NT or Active Directory domain. There are several reporting options and the hacker can choose to dump the direct and nested group memberships for every user, as well as the logon scripts, account status such as disabled or locked out, and the 'true' last logon time across all domain controllers. The user can also get password information such as 'Password Last Set Time' and 'Password Expires Time'. To summarize, Dumpsec can pull a list of users, groups, and the NT system's policies and user rights.

---
Amarjit Singh

NetBIOS Enumeration: Attack on the remote computer having NetBIOS


---NBTscan is a program for scanning IP networks for NetBIOS name information.

---For each responding host it lists the IP address, NetBIOS computer name, logged-in user name and MAC address.

---The first thing a remote attacker will try on a Windows 2000 network is to get a list of hosts attached to the wire.

     net view /domain

     nbtstat -A <IP address>



If an attacker notes a Windows OS with port 139 open, he would be interested in checking what resources he can access or view on the remote system. This is shown in the screenshot above. However, to enumerate the NetBIOS names, the remote system must have File and Printer Sharing enabled.

Using these techniques the attacker can launch two types of attack on the remote computer having NetBIOS. He can choose to read/write to a remote computer system depending on the availability of shares. Alternatively he can launch a denial of service.

A recent instance was reported in August 2002 when Microsoft issued an advisory stating that an attacker could seek to exploit an unchecked buffer in network share provider on machines that have anonymous access enabled by sending a malformed SMB request to a target computer and crashing it.

 Attack Methods - Let us adopt an attacker's perspective on his port scan results.

On finding port 139 open, the attacker can first use the nbtstat command

Usage: nbtstat [-a RemoteName] [-A IP_address] [-c] [-n] [-R] [-r] [-S] [-s] [interval]


Note that an attacker will take particular interest in the id <03>. We try to connect to this remote machine using a null session. Usage: net use \\IP\IPC$ "" /user:"" This command connects to the machine using a null user and null password, as signified by the empty quotes. IPC$ is the hidden share on the particular IP that we try to access in order to list any shared resources. Two main drawbacks of nbtstat are that it is restricted to querying a single host at a time and its rather inscrutable output. The tool NBTScan addresses these issues.

 Tools - A tool that can be used for such enumeration is NBTScan, written by Alla Bezroutchko and available at http://www.inetcat.org/software/nbtscan.html. NBTscan is a program for scanning IP networks for NetBIOS name information. It sends a NetBIOS status query to each address in the supplied range and lists the received information in human-readable form. For each responding host it lists the IP address, NetBIOS computer name, logged-in user name and MAC address. NBTscan uses UDP port 137 for sending queries. If the port is closed on the destination host, the destination replies with an ICMP "Port unreachable" message. See screenshot below.
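As an added example (not from the original post and not the NBTScan project's code), the Python script below builds the NetBIOS node status query that nbtstat -A and NBTScan send to UDP port 137 and decodes the reply into the fields the post lists: computer name, workgroup or domain, logged-in user and MAC address. It also shows why the <03> entry mentioned above matters: a unique <03> name is the Messenger Service registration, and a second one that differs from the computer name is the logged-in user. The packet layout follows RFC 1002 sections 4.2.17 and 4.2.18; the sample reply, the host FILESRV, the workgroup WORKGROUP, the user ALICE and the MAC address are constructed for the example.

```python
import socket
import struct

# Well-known NetBIOS name suffixes: suffix byte -> (meaning when unique, meaning when group).
NBT_SUFFIXES = {
    0x00: ("Workstation Service", "Domain Name"),
    0x03: ("Messenger Service", None),        # a second unique <03> name is the logged-in user
    0x1B: ("Domain Master Browser", None),
    0x1C: (None, "Domain Controllers"),
    0x1D: ("Master Browser", None),
    0x1E: (None, "Browser Service Elections"),
    0x20: ("File Server Service", None),
}


def encode_nbt_name(name: str, suffix: int = 0x00) -> bytes:
    """First-level encoding (RFC 1001 14.1): each byte of the 16-byte name becomes two
    letters 'A'..'P', one per nibble. The wildcard '*' is padded with NULs, others with spaces."""
    if name == "*":
        raw = b"*" + bytes(15)
    else:
        raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    encoded = bytes(0x41 + nibble for b in raw for nibble in (b >> 4, b & 0x0F))
    return bytes([len(encoded)]) + encoded + b"\x00"  # one 32-byte label, zero terminated


def build_node_status_query(txid: int) -> bytes:
    """The 50-byte NBSTAT request (RFC 1002 4.2.17): header, wildcard name, type 0x21, class IN."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)  # flags 0 = query, QDCOUNT 1
    return header + encode_nbt_name("*") + struct.pack(">HH", 0x0021, 0x0001)


def parse_node_status_response(data: bytes) -> dict:
    """Decode an NBSTAT response (RFC 1002 4.2.18) into names, MAC and derived host facts."""
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    if not flags & 0x8000 or ancount < 1:
        raise ValueError("not a name service response carrying an answer")
    off = 12
    if data[off] & 0xC0 == 0xC0:          # compressed name: 2-byte pointer
        off += 2
    else:                                 # label sequence terminated by a zero length byte
        while data[off] != 0:
            off += 1 + data[off]
        off += 1
    rr_type, _rr_class, _ttl, _rdlength = struct.unpack(">HHIH", data[off:off + 10])
    off += 10
    if rr_type != 0x0021:
        raise ValueError("answer record is not NBSTAT")
    num_names, off = data[off], off + 1
    names = []
    for _ in range(num_names):            # 18-byte NODE_NAME entries: 15 name + suffix + 2 flags
        entry, off = data[off:off + 18], off + 18
        suffix = entry[15]
        name_flags = struct.unpack(">H", entry[16:18])[0]
        group = bool(name_flags & 0x8000)  # G bit
        names.append({
            "name": entry[:15].rstrip(b" \x00").decode("ascii", "replace"),
            "suffix": suffix,
            "group": group,
            "active": bool(name_flags & 0x0400),  # ACT bit
            "service": NBT_SUFFIXES.get(suffix, (None, None))[1 if group else 0] or "unknown",
        })
    mac = ":".join(f"{b:02x}" for b in data[off:off + 6])  # UNIT_ID opens the STATISTICS block
    computer = next((n["name"] for n in names if n["suffix"] == 0x00 and not n["group"]), None)
    domain = next((n["name"] for n in names if n["suffix"] == 0x00 and n["group"]), None)
    users = [n["name"] for n in names
             if n["suffix"] == 0x03 and not n["group"] and n["name"] != computer]
    return {"txid": txid, "computer": computer, "domain": domain,
            "logged_in_users": users, "mac": mac, "names": names}


def node_status(ip: str, timeout: float = 2.0) -> dict:
    """Query one host on UDP 137 and decode its reply. A closed port produces the ICMP
    'Port unreachable' the post mentions, which surfaces here as an OSError or a timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_node_status_query(0x1234), (ip, 137))
        data, _ = sock.recvfrom(1024)
    return parse_node_status_response(data)


def _name_entry(name: str, suffix: int, group: bool) -> bytes:
    """Helper for the constructed sample: one NODE_NAME entry with the ACT bit set."""
    name_flags = 0x0400 | (0x8000 if group else 0)
    return name.ljust(15).encode("ascii") + bytes([suffix]) + struct.pack(">H", name_flags)


# Constructed sample reply (not a real capture): host FILESRV in WORKGROUP, user ALICE logged in.
SAMPLE_RESPONSE = (
    struct.pack(">HHHHHH", 0x1234, 0x8400, 0, 1, 0, 0)           # response, authoritative, 1 answer
    + encode_nbt_name("*")
    + struct.pack(">HHIH", 0x0021, 0x0001, 0, 1 + 5 * 18 + 46)   # type NBSTAT, class IN, TTL, RDLENGTH
    + bytes([5])
    + _name_entry("FILESRV", 0x00, False) + _name_entry("WORKGROUP", 0x00, True)
    + _name_entry("FILESRV", 0x20, False) + _name_entry("FILESRV", 0x03, False)
    + _name_entry("ALICE", 0x03, False)
    + bytes.fromhex("001122334455") + bytes(40)                  # UNIT_ID (MAC) + zeroed statistics
)

if __name__ == "__main__":
    result = parse_node_status_response(SAMPLE_RESPONSE)
    print(f"{result['computer']} in {result['domain']}, MAC {result['mac']}, users {result['logged_in_users']}")
    for n in result["names"]:
        print(f"  {n['name']:<15} <{n['suffix']:02X}> {'GROUP ' if n['group'] else 'UNIQUE'} {n['service']}")
```

Run it as-is to decode the constructed reply, or call node_status("<host>") against a machine on your own LAN to see exactly what it discloses over UDP 137; everything the table shows is readable without any credentials, which is why the countermeasures in the next post matter.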
---
Amarjit Singh

Wednesday, January 11, 2012

Null Session Countermeasure


--Null sessions require access to TCP ports 139 and/or 445.

--You could also disable SMB services entirely on individual hosts by unbinding WINS Client TCP/IP from the interface.

--Edit the registry to restrict the anonymous user.

     -----Open regedt32 and navigate to HKLM\SYSTEM\CurrentControlSet\Control\Lsa

     -----Choose Edit | Add Value
          Value Name: RestrictAnonymous

          Data Type: REG_DWORD

          Value: 2

 "HKLM" refers to the hive "HKEY_LOCAL_MACHINE". If this is set to "1", anonymous connections are restricted. However, an anonymous user can still connect to the IPC$ share, though he is restricted as to which information is obtainable through that connection. A value of "1" restricts anonymous users from enumerating SAM accounts and shares. A value of "2", added in Windows 2000, restricts all anonymous access unless explicitly granted. Therefore, the first registry key to check would be:

HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymous

The other keys to inspect are:

HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\NullSessionShares
and HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\NullSessionPipes


These are MULTI_SZ (multi-line string) registry parameters that list the shares and pipes, respectively, that are open to null sessions. These keys should be verified so that no unwarranted shares or pipes are open. Moreover, those that are open should be secured such that only 'SYSTEM' or 'Administrators' have access to modify these keys.

In Windows 2000, the domain security policy lays down the protection measures for the domain controller. On systems that are not domain controllers, the 'Local Security Policy' must be configured to restrict anonymous connections. The value "No access without explicit anonymous permission" is the most secure and the equivalent of 2 in the registry value of the key HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymous discussed above.
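As an added example (not part of the original post), here is a small Python audit script for the three registry values described above. On Windows it reads the live values through the winreg module from the standard library; on any other platform it runs against a constructed set of settings, so you can also feed it values exported from a host. The severity labels, the sample settings and the approved pipe list are this example's own placeholders, standing in for whatever your baseline allows.

```python
import sys

LSA_KEY = r"SYSTEM\CurrentControlSet\Control\Lsa"
LANMAN_KEY = r"SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"


def read_null_session_settings() -> dict:
    """Read the live values under HKLM (Windows only; winreg is in the standard library)."""
    import winreg

    def query(path: str, name: str, default):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
                return winreg.QueryValueEx(key, name)[0]
        except FileNotFoundError:  # key or value not present: treat as the insecure default
            return default

    return {
        "RestrictAnonymous": query(LSA_KEY, "RestrictAnonymous", 0),        # REG_DWORD
        "NullSessionShares": query(LANMAN_KEY, "NullSessionShares", []),    # REG_MULTI_SZ
        "NullSessionPipes": query(LANMAN_KEY, "NullSessionPipes", []),      # REG_MULTI_SZ
    }


def audit_null_session_settings(settings: dict, approved_pipes=(), approved_shares=()) -> list:
    """Return (severity, message) findings; the severity scale is this example's own choice."""
    findings = []
    ra = settings.get("RestrictAnonymous", 0)
    if ra == 0:
        findings.append(("HIGH", "RestrictAnonymous=0: anonymous users may enumerate SAM accounts and shares"))
    elif ra == 1:
        findings.append(("MEDIUM", "RestrictAnonymous=1: SAM/share enumeration blocked, "
                                   "but null sessions to IPC$ are still accepted"))
    elif ra != 2:  # 2 = no access without explicit anonymous permission (Windows 2000)
        findings.append(("INFO", f"RestrictAnonymous has unexpected value {ra!r}"))
    # Anything listed in NullSessionPipes / NullSessionShares is reachable by a null session,
    # so every entry that is not on the approved baseline is reported.
    for value_name, approved in (("NullSessionPipes", approved_pipes),
                                 ("NullSessionShares", approved_shares)):
        allowed = {a.upper() for a in approved}
        for entry in settings.get(value_name, []):
            if entry.upper() not in allowed:
                findings.append(("MEDIUM", f"{value_name} opens {entry!r} to null sessions"))
    return findings


# Constructed sample: a host that has been hardened only half way.
SAMPLE_SETTINGS = {
    "RestrictAnonymous": 1,
    "NullSessionShares": ["PUBLIC"],
    "NullSessionPipes": ["EPMAPPER", "SPOOLSS", "BROWSER"],
}
# Placeholder baseline: the pipes the example's fictional server actually needs open.
APPROVED_PIPES = ("EPMAPPER", "SPOOLSS")

if __name__ == "__main__":
    settings = read_null_session_settings() if sys.platform == "win32" else SAMPLE_SETTINGS
    for severity, message in audit_null_session_settings(settings, APPROVED_PIPES):
        print(f"[{severity}] {message}")
```

A value of 2 is the Windows 2000 control the post describes; Windows XP and later split it into RestrictAnonymous, RestrictAnonymousSAM and EveryoneIncludesAnonymous under the same Lsa key, so on those systems extend read_null_session_settings to query those values as well.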

Another step that is advisable is to disallow remote access completely except for specific accounts and groups. It would be prudent to block the NetBIOS ports on the firewall or border router to increase network security. Blocking the following ports will protect against null sessions (as well as other attacks that use NetBIOS):

135 TCP DCE/RPC Portmapper

137 TCP/UDP NetBIOS Name Service

138 TCP/UDP NetBIOS Datagram Service

139 TCP NetBIOS Session Service

445 TCP Microsoft-DS (Windows 2000 CIFS/SMB)

A best practice that comes in handy is to stop all services that are not otherwise required for the functioning of the system.

---
Amarjit Singh

Two new tools exploit router security setup problem


IDG News Service - Researchers have released two tools that can take advantage of a weakness in a system designed to let people easily secure their wireless routers.
One of the tools comes from security researcher Stefan Viehbock, who publicly released information this week on the vulnerability in the Wi-Fi Protected Setup (WPS) wireless standard.
The standard is intended to make it easier for non-technical people to password protect their routers to prevent unauthorized use and encrypt wireless traffic.
Most major router manufacturers use WPS, including products from Belkin, D-Link Systems, Cisco's Linksys, Netgear and others. It allows a user to enter an eight-digit random number, often printed on the router by the device manufacturer, to enable security. Another method supported by WPS involves pushing a physical button on the router.
The vulnerability, which was also uncovered by Craig Heffner of Tactical Network Solutions, involves how the router responds to incorrect PINs. When a PIN is entered, a router using WPS will indicate whether the first or second half of the PIN is correct.
The problem means it is easier for attackers to try many combinations of PINs in order to find the right one, known as a brute-force attack. While determining an eight-digit PIN would normally take some 100 million tries, the vulnerability reduces the needed attempts to 11,000, according to Viehbock's research paper.
If an attacker has the PIN, it can then be used to figure out the router's password. Viehbock wrote on Thursday that his proof-of-concept tool is a bit faster than Reaver, a tool released by Heffner and Tactical Network Solutions. Both of the tools enable brute-force attacks.
Reaver is hosted on Google Code. Its authors say that it can recover a router's plain-text WPA or WPA2 password in four to 10 hours, depending on the access point. "In practice, it will generally take half this time to guess the correct WPS pin and recover the passphrase," according to a release note.
Many routers also do not limit the number of guesses for a PIN, which makes brute-force attack feasible, according to an advisory from the U.S. Computer Emergency Readiness Team (CERT). The organization wrote that it was unaware of a practical solution to the issue.
Heffner wrote that his company has been perfecting Reaver for nearly a year. Tactical Network Solutions decided to release the tool after the vulnerability was made public. It is also selling a commercial version with more features.
Users can disable WPS to prevent an attack, but Heffner wrote that most people do not turn it off.
"In our experience even security experts with otherwise secure configurations neglect to disable WPS," he wrote. "Further, some access points don't provide an option to disable WPS or don't actually disable WPS when the owner tells it to."

Thursday, January 5, 2012

Facebook Shower Curtain : Social Shower Curtain


Your favorite social network offers another type of privacy! This Facebook Shower Curtain has a transparent square in the screen that lets you create a profile image while you suds up. No drama, no “complicated status.” Just good ol’ bathtub jokes and tagged photos with the shower head.
We found this shower curtain on the website Spinning Hat, along with other playful bathroom items like red shower gel in a blood bag and toilet paper printed with comics.
Being inside a living Facebook profile reminds us of the Facebook costume that was popular a few years ago.
There are a bevy of oddball items available on the web for Facebook fans — earrings, bras with the “like” icon, T-shirts, baby onesies.
What’s the wackiest Facebook product you’ve seen? Post it in the comments.

Wednesday, January 4, 2012

How To Install Junos In GNS3 : Juniper Virtual Simulator


Click here to see the Qemu Installation

After spending 3 continuous late nights, I am finally able to install JUNOS on my PC. The procedure is a bit cumbersome but not impossible. I faced a lot of issues during installation, but where there is a will there is a way. Now the next step is to integrate it with GNS3. I am preparing a document on the installation process with all the snapshots and will upload it soon.