We have covered the requisite tools and techniques to perform ping sweeps; TCP, UDP, and ICMP port scanning; and operating system detection. By using ping sweep tools, you can identify systems that are alive and pinpoint potential targets. By using a myriad of TCP and UDP scanning tools and techniques, you can identify potential services that are listening and make some assumptions about the level of exposure associated with each system. Finally, we demonstrated how attackers could use operating system detection software to determine with fine precision the specific operating system used by the target system. As we continue, you will see that the information collected thus far is critical to mounting a focused attack.
Chapter 3: Enumeration
Now that an attacker has successfully identified live hosts and running services using the techniques discussed in Chapter 2, they will typically turn next to probing the identified services more fully for known weaknesses, a process we call enumeration.
The key difference between previously discussed information-gathering techniques and enumeration is in the level of intrusiveness. Enumeration involves active connections to systems and directed queries. As such, they may (should!) be logged or otherwise noticed. We will show you what to look for and how to block it, if possible.
Much of the information garnered through enumeration may appear harmless at first glance. However, the information that leaks from the following holes can be your undoing, as we will try to illustrate throughout this chapter. In general, the information attackers will seek via enumeration includes user account names (to inform subsequent password-guessing attacks), oft-misconfigured shared resources (for example, unsecured file shares), and older software versions with known security vulnerabilities (such as web servers with remote buffer overflows). Once one of these openings is enumerated, it's usually only a matter of time before the intruder compromises the system in question to some degree, if not completely. By closing these easily fixed loopholes, you eliminate the first foothold of the hacker.
Enumeration techniques tend to be platform-specific and are therefore heavily dependent on information gathered in Chapter 2 (port scans and OS detection). In fact, port scanning and enumeration functionality are often bundled into the same tool, as you saw in Chapter 2 with programs such as SuperScan, which can scan a network for open ports and simultaneously grab banners from any it discovers listening. This chapter will begin with a brief discussion of banner grabbing, the most generic of enumeration techniques, and will then delve into more platform-specific mechanisms that may require more specialized tools.
We've also reorganized our platform-specific discussion according to service type rather than operating system, a new approach implemented in the fourth edition and continued with the fifth. This was done primarily due to reader feedback, in an effort to more clearly show the tight link between port scanning and enumeration. After all, at this point in the Hacking Exposed methodology, one might not yet know the operating system of the target machine.
Services will be discussed in numeric order according to the port on which they traditionally listen, whether TCP or UDP; for example, TCP 25 (SMTP) will be discussed first, UDP 69 (TFTP) will be discussed next, TCP 79 (finger) after that, and so on. This chapter will not exhaustively cover every conceivable enumeration technique against all 65,535 TCP and UDP ports; we will focus only on those services that have traditionally given up the lion's share of information about target systems, based on our experiences as professional security testers. We hope this more clearly illustrates how enumeration is designed to help provide a more concise understanding of the target, along the way to advancing the attacker's main agenda of unauthorized system access.
Throughout this chapter, we will use the phrase "NT Family" to refer to all systems based on Microsoft's "New Technology" (NT) platform, including Windows NT 3.x-4.x, Windows 2000, Windows XP, and Windows Server 2003. Where necessary, we will differentiate between desktop and server versions. In contrast, we will refer to the Microsoft DOS/Windows 1.x/3.x/9x/Me lineage as the "DOS Family."