2.4 Protocol-Dependent Assessment Tools

When assessing the security of specific services, specialist tools can perform assessment in specific areas, such as enumeration and brute-force password grinding. What follows here is an introduction to a number of freely available tools you can use to assess Windows networking, DNS, and web services.

2.4.1 Microsoft NetBIOS, SMB, and CIFS

NetBIOS, Server Message Block (SMB), and Common Internet File System (CIFS) protocols are used primarily within Microsoft Windows networks for user authentication, file sharing, and access to services such as Microsoft Exchange over RPC. CIFS is a relatively new incarnation of SMB over NetBIOS; it's for vendors seeking to move away from NetBIOS and toward CIFS. Windows 2000, for example, runs SMB over NetBIOS on port 139 and CIFS on port 445. CIFS is the native protocol used in Windows 2000 networks, so SMB access through NetBIOS provides backward compatibility.

NetBIOS and CIFS assessment tools fall into two categories: enumeration and information gathering, and brute-force password guessing. Enumeration tools are used to gather system information using anonymous null sessions and other techniques. Brute-force tools are then used to compromise account passwords and gain access to shared files and resources.

2.4.1.1 Enumeration and information gathering tools

enum (http://razor.bindview.com/tools/files/enum.tar.gz)

Jordan Ritter's enum utility is a Windows command-line tool that extensively queries target hosts running NetBIOS through TCP port 139. The tool can list usernames, password policy, shares, and details of other hosts including domain controllers.

epdump (http://www.packetstormsecurity.org/NT/audit/epdump.zip)

The epdump Windows command-line utility queries the RPC end-point mapping service at TCP port 135 to enumerate network interfaces along with details of RPC services and named pipes that are accessible.

nbtstat

The nbtstat command is found within all recent Microsoft Windows systems. nbtstat queries the NetBIOS name service running on UDP port 137, resulting in the NetBIOS name table being returned (including the hostname, domain name, details of logged-in users, shared resources, and the MAC address of the network interface).

usrstat

The usrstat utility is part of the Windows NT 4.0 Resource Kit (http://www.microsoft.com/ntserver/nts/downloads/recommended/netkit/default.asp). It can run against a target NetBIOS session service to enumerate user details (using anonymous null sessions) against the IPC$ administrative share. Information that is returned includes the login name, full name, and last logon date for each user.

2.4.1.2 Brute-force password guessing tools

SMBCrack (http://www.netxeyes.org/smbcrack.exe)

Written by the Chinese group netXeyes, SMBCrack is an extremely fast Windows-based command-line utility that can brute-force a given account password through the NetBIOS session service on TCP port 139. In tests across a LAN segment, I have recorded around 600 attempts per second against a given user account.

WMICracker (http://www.netxeyes.org/WMICracker.exe)

WMICracker is another brute-force tool written by the netXeyes group. Windows Management Instrumentation (WMI) is a Windows NT family (NT, 2000, XP, and 2003) DCOM component accessible through the Windows RPC service running on TCP port 135. A limitation with the tool is that the user password you brute-force must be a member of the Administrators group on the target host.

The SMB Auditing Tool (http://www.cqure.net/tools01.html)

The SMB Auditing Tool (SMB-AT) contains a selection of Unix and Windows command-line utilities that brute-force user passwords through NetBIOS (using TCP port 139) or CIFS (using TCP port 445). CIFS is the native protocol used by Windows 2000, and user passwords can be brute-forced through CIFS at a speed of over 1000 attempts per second in local network environments. SMB-AT can also perform auditing functions much like those of NAT and ADMsmb across TCP ports 139 or 445.

2.4.2 DNS

DNS tools mine data from misconfigured name servers across both TCP and UDP port 53. DNS zone transfers can download entire DNS zone files (containing an abundance of network information relating to a given domain), and reverse sweeps map IP addresses back to hostnames. Here are four useful tools for assessing DNS servers:

nslookup

The nslookup command can be found under Windows NT, 2000 and XP, Unix-based (Linux, FreeBSD, etc.) and MacOS systems. The utility can perform all types of DNS queries manually, including DNS zone transfers and reverse lookups. The tool is useful for testing DNS servers by hand but isn't effective for bulk reverse lookup scanning.

host and dig

The host and dig commands can be found on all recent Unix-based platforms. Both tools can be efficiently used from the command line to perform DNS zone transfers and standard queries (such as MX queries to identify mail exchanger hosts for a given domain).

ghba (http://examples.oreilly.com/networksa/tools/ghba.c)

The ghba utility was written by the hacker group l0ck to perform reverse DNS sweeps of given class-c and class-b address spaces. ghba can be easily run from Unix-based platforms, calling gethostbyaddr( ) for each IP address in a given network and returning any DNS hostnames that are uncovered.

2.4.3 HTTP and HTTPS

As public web farms become more complex and incorporate access to backend SQL databases, HTTP and HTTPS are becoming increasingly popular channels for opportunistic and determined attackers to compromise public hosts. All major e-commerce and online banking sites have large amounts of custom-written ASP or CGI scripts that are heavily run to generate dynamic content and perform user searches or other functions.

At the time of writing, there are only a handful of good tools for testing custom-written web environments and scripts for SQL injection and other common web server vulnerabilities (such as cross-site scripting bugs). Chapter 6 contains good information relating to assessment of custom web applications for SQL and command injection issues, including details of free tools such as web proxies that allow for user-defined values (URL arguments, cookies, etc.) to be modified on the fly.

There are however, plenty of tools to test for standard vulnerabilities and common HTTP problems (including testing of permissions on administrative and test directories), including:

N-Stealth (http://www.nstalker.com/nstealth/)

N-Stealth is an excellent Windows-based tool that can perform initial analysis of all common web services (including Microsoft IIS, Apache, iPlanet, Zeus, along with comprehensive checking of ColdFusion and other subsystems). At the time of writing, the utility checks for over 12,000 web-based security issues.

nikto (http://www.cirt.net/code/nikto.shtml)

nikto is a web server scanner that performs comprehensive tests against web servers for multiple security issues, including over 2,000 potentially dangerous files and CGI scripts on over 130 servers. nikto uses libwhisker as a base for all network functionality and creates an easy to use scanner.

CGIchk (http://sourceforge.net/projects/cgichk/)

CGIchk is a utility that has much improved over the years. Originally starting out as a simple C source file, CGIchk is now a modular CGI scanner that can be run from both Unix and Windows platforms.