Chapter 5: Unix Enumeration Tools

Many of the most useful tools you'll ever encounter are included by default on Unix-based operating systems. Others are open source, readily downloadable, and easy to install. We'll cover some common tools that aid in enumerating different aspects of Unix systems. While this chapter won't turn you into a command-line guru overnight, it will help you become more familiar with Unix systems.

SAMBA

Such a clunky description as Server Message Block (SMB) obscures what is really a ubiquitous part of Windows networks. When Windows users browse through the servers, printers, and file shares listed under "My Network Places," they are using the SMB protocol. Most users who share public folders on their computers mistakenly believe that only their peers on the local area network have access to the shares. In reality, however, unless your computer is protected by network address translation or a firewall (or Service Pack 2 for Windows XP), anyone in the world might find those public shares and connect to them. Although SMB is a distinctly Windows-centric protocol, Unix-based systems can masquerade as Windows domain controllers, print servers, or file servers. The Samba suite of utilities enables this compatibility.

Samba contains both client and server abilities that enable you to set up file sharing on a Unix box so that a Windows system can access the Unix share as if it were a Windows peer on the network. In this section, we'll focus only on the Samba client tools that enable Unix hosts to access Windows SMB shares.

Smbclient

Think of smbclient as command-line access to an SMB file share. It functions much like an FTP client but provides some more robust capabilities. For users who are more familiar with Windows command-line tools, think of smbclient as analogous to the net use command. Most distributions contain Samba version 3 by default or as an install option. If not, you can download the source from http://www.samba.org/.

Tip 

Advice for users who wish to compile Samba: There are several options and dependencies, such as Kerberos, that may require additional system libraries. The configure script will detect the presence or absence of prerequisite libraries. Be sure to pay attention to what you configure and how it compiles; you don't want to accidentally omit some useful functionality.

Implementation

First we need to see what shares are available. We can use the -L hostname option to view the shares on a host. Typically, smbclient won't be able to resolve the hostname via NetBIOS unless the two systems are on the same local segment of the network. In that case, use the -I option to supply the IP address associated with the target's hostname. For this first example, we'll try the -N option to instruct smbclient to forgo prompting us for a connection password (the host provides more information to authenticated users than to anonymous ones):

    [Paris:~] mike% smbclient -L 10.0.1.2 -N
    Anonymous login successful
    Domain=[IMPERIAL HOUSESI] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]

            Sharename       Type      Comment
            ---------       ----      -------
    Error returning browse list: NT_STATUS_ACCESS_DENIED
    NetBIOS over TCP disabled -- no workgroup available

With the advent of Service Pack 2 for Windows XP and Windows 2003 deployments, the amount of information available to anonymous SMB connections has diminished somewhat from Windows 2000. On less secure systems, you may see the default shares:

    [Paris:~] mike% smbclient -L twilight -N
    Anonymous login successful
    Domain=[WORKGROUP] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]

            Sharename       Type      Comment
            ---------       ----      -------
            IPC$            IPC       Remote IPC
            ADMIN$          Disk      Remote Admin
            C$              Disk      Default share
    Anonymous login successful
    Domain=[WORKGROUP] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]

            Server               Comment
            ---------            -------
            NTO-3JOKPSBH7KT
            TWILIGHT

            Workgroup            Master
            ---------            -------
            WORKGROUP            TWILIGHT

You may have also noticed that the OS reported for Windows XP is Windows 5.1. Windows 2000 is reported as version 5.0. Here's another request made with valid credentials:

    [Paris:~] mike% smbclient -L 10.0.1.2 -U administrator
    Password:
    Domain=[ATREIDES] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]

            Sharename       Type      Comment
            ---------       ----      -------
            E$              Disk      Default share
            IPC$            IPC       Remote IPC
            print$          Disk      Printer Drivers
            SharedDocs      Disk
            vm              Disk
            D               Disk
            downloads       Disk
            ADMIN$          Disk      Remote Admin
            C$              Disk      Default share

The output of this command mirrors that of the Windows command-line utility net view. There is one subtle difference: smbclient always lists the so-called "hidden" shares (shares whose names end with a dollar sign).
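A share listing like the one above is usually worth post-processing, for instance to audit which hidden administrative shares a host exposes to a given level of access. The following Python script is an added example, not code from the book or from the Samba project: it parses the share table that smbclient -L prints (a sample constructed from the authenticated session above is embedded so the script runs offline), separates visible from hidden shares, and flags the drive-root shares (C$, E$) and the shares Windows creates on its own.

```python
# Parse the share table printed by `smbclient -L <host>` and pull out the
# hidden (dollar-suffixed) shares that Windows' own `net view` omits.
# Added example, not code from the book or from Samba; the sample listing
# below is constructed to match the authenticated session in the text.
import re
from typing import Dict, List

SAMPLE_LISTING = """\
Domain=[ATREIDES] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]

        Sharename       Type      Comment
        ---------       ----      -------
        E$              Disk      Default share
        IPC$            IPC       Remote IPC
        print$          Disk      Printer Drivers
        SharedDocs      Disk
        vm              Disk
        D               Disk
        downloads       Disk
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
"""

# The Type column is one of the four values smbclient prints; anchoring the
# split on it separates the share name from the optional comment.
SHARE_RE = re.compile(
    r"^\s+(?P<name>.+?)\s+(?P<type>Disk|Printer|Device|IPC)(?:\s+(?P<comment>.*))?$")

# Shares Windows creates by itself; seeing them in a listing means the host
# is still exposing its administrative entry points at that access level.
AUTO_CREATED = {"ADMIN$", "IPC$", "print$"}
DRIVE_ROOT_RE = re.compile(r"^[A-Za-z]\$$")


def parse_share_list(text: str) -> List[Dict[str, str]]:
    shares = []
    for line in text.splitlines():
        m = SHARE_RE.match(line)
        if not m:  # banner, column header, separator, server/workgroup rows
            continue
        shares.append({"name": m.group("name"), "type": m.group("type"),
                       "comment": (m.group("comment") or "").strip()})
    return shares


def is_hidden(name: str) -> bool:
    # Windows hides any share whose name ends in '$'; smbclient still lists it.
    return name.endswith("$")


def summarise(text: str) -> Dict[str, List[str]]:
    names = [s["name"] for s in parse_share_list(text)]
    return {
        "visible": [n for n in names if not is_hidden(n)],
        "hidden": [n for n in names if is_hidden(n)],
        "drive_roots": [n for n in names if DRIVE_ROOT_RE.match(n)],
        "auto_created": [n for n in names if n in AUTO_CREATED],
    }


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_LISTING).items():
        print(f"{key:>12}: {', '.join(value) or '(none)'}")
```

To run it against a live listing, pipe the output of smbclient -L into the script instead of the embedded sample; the parser ignores the banner and the server/workgroup sections, so the anonymous listings shown earlier parse just as well.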

Now let's see what happens when we try to connect to a share:

    [Paris:~] mike% smbclient //10.0.1.6/c$ -U administrator
    Password:
    Domain=[TWILIGHT] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]
    smb: \> ls
      arcldr.exe                  AHSR    150528  Thu Jun 19 12:05:04 2003
      arcsetup.exe                AHSR    163840  Thu Jun 19 12:05:04 2003
      AUTOEXEC.BAT                   H         0  Wed Jan 15 23:45:48 2003
      bin                            D         0  Thu Nov 13 00:36:30 2003
      boot.ini                      HS       192  Wed Jan 15 15:36:59 2003
      CONFIG.SYS                     H         0  Wed Jan 15 23:45:48 2003
      cygwin                         D         0  Fri Nov 14 15:47:32 2003
      Documents and Settings        DA         0  Tue Sep 30 18:07:24 2003
      Inetpub                       DA         0  Mon Oct 13 18:29:16 2003
      IO.SYS                      AHSR         0  Wed Jan 15 23:45:48 2003
    smb: \>

Now we can use standard FTP commands (get, put, ls) to determine whether we can read and write files on this share.

Note 

We've casually glossed over the fact the password was known before we connected to the share. Check out Chapter 14 for password cracking and brute-force tools.

So can we use smbclient to establish a null session with the IPC$ share? We can, but it doesn't accomplish much, because the IPC$ share is a pipe over which commands are executed and not a true file share; smbclient can't do much with it once we're connected. You'll want to use rpcclient, included with the Samba distribution, to explore the IPC$ share and execute certain commands over this type of connection.

Nmblookup

We talked about the problem of needing to know NetBIOS names when connecting to hosts, especially those that belong to a Windows domain. This tool helps us find out that information by mapping IP addresses to NetBIOS data.

Implementation

Let's see what happens when we run nmblookup against 10.0.1.6:

    [Paris:~] mike% nmblookup -A 10.0.1.6
    Looking up status of 10.0.1.6
            TWILIGHT        <00> -         M <ACTIVE>
            TWILIGHT        <20> -         M <ACTIVE>
            WORKGROUP       <00> - <GROUP> M <ACTIVE>
            WORKGROUP       <1e> - <GROUP> M <ACTIVE>
            INet~Services   <1c> - <GROUP> M <ACTIVE>
            IS~TWILIGHT     <00> -         M <ACTIVE>
            WORKGROUP       <1d> -         M <ACTIVE>
            ..__MSBROWSE__. <01> - <GROUP> M <ACTIVE>

            MAC Address = 00-03-FF-AF-A4-F6

Not exactly what we were hoping for. We got some names, but how do we know what's what? In this particular example, it's pretty easy to guess that the hostname we're looking for is TWILIGHT. The output of this command is nearly identical to the output of the nbtstat -A command. We'll break down the <xx> codes in Chapter 6. For now, we can surmise that the hostname is TWILIGHT and that it has IIS installed; check out the INet~Services entry.

If we need to go the other way and find the IP of a NetBIOS name, we can do that too:

    [Paris:~] mike% nmblookup twilight
    querying twilight on 10.0.1.255
    10.0.1.6 twilight<00>

If we add the -S flag, nmblookup also includes the same node-status information that the -A option returned earlier.

Nmblookup goes through several different methods to attempt to resolve the name (configurable in the smb.conf file). Available methods are WINS or lmhosts, DNS or hosts, or broadcast (which requires that the target be on the same subnet).
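The node-status table is easier to read once the <xx> suffixes are decoded. The following Python script is an added example, not code from the book or from Samba: it parses the output of nmblookup -A (a sample constructed from the TWILIGHT session above is embedded so it runs offline), labels each entry with the standard NetBIOS name-type meaning of its suffix, and derives the host name, workgroup, file-server and browser roles and the IIS indicator that the text inferred by eye. The suffix table is the standard one; the book goes through the codes in Chapter 6.

```python
# Decode the node-status table printed by `nmblookup -A <ip>` (the Unix
# counterpart of `nbtstat -A`).  Added example, not code from the book or
# from Samba; the sample output is constructed to match the TWILIGHT session.
import re
from typing import Dict, List

SAMPLE_STATUS = """\
Looking up status of 10.0.1.6
        TWILIGHT        <00> -         M <ACTIVE>
        TWILIGHT        <20> -         M <ACTIVE>
        WORKGROUP       <00> - <GROUP> M <ACTIVE>
        WORKGROUP       <1e> - <GROUP> M <ACTIVE>
        INet~Services   <1c> - <GROUP> M <ACTIVE>
        IS~TWILIGHT     <00> -         M <ACTIVE>
        WORKGROUP       <1d> -         M <ACTIVE>
        ..__MSBROWSE__. <01> - <GROUP> M <ACTIVE>

        MAC Address = 00-03-FF-AF-A4-F6
"""

# Row layout: name, <suffix>, "-", optional <GROUP>, node type (B/P/M/H), flags.
ENTRY_RE = re.compile(
    r"^\s+(?P<name>.+?)\s+<(?P<suffix>[0-9a-fA-F]{2})>\s+-\s+"
    r"(?P<group><GROUP>)?\s*(?P<node>[BPMH])\s+(?P<flags>.*)$")
MAC_RE = re.compile(r"MAC Address = ([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})")

# Standard NetBIOS name-type suffixes, keyed by (suffix, is_group).
SUFFIX_MEANINGS = {
    ("00", False): "Workstation Service (computer name)",
    ("00", True): "domain or workgroup name",
    ("03", False): "Messenger Service",
    ("20", False): "File Server Service",
    ("1b", False): "Domain Master Browser",
    ("1c", True): "Domain Controllers group (INet~Services<1c> means IIS)",
    ("1d", False): "Master Browser",
    ("1e", True): "Browser Service Elections",
    ("01", True): "Master Browser announcement (__MSBROWSE__)",
}


def parse_status(text: str) -> List[Dict[str, object]]:
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:  # skips the "Looking up status" banner and the MAC line
            entries.append({"name": m.group("name"), "suffix": m.group("suffix").lower(),
                            "group": m.group("group") is not None,
                            "node": m.group("node"), "flags": m.group("flags").strip()})
    return entries


def describe(entry: Dict[str, object]) -> str:
    return SUFFIX_MEANINGS.get((entry["suffix"], entry["group"]), "unknown suffix")


def profile_host(text: str) -> Dict[str, object]:
    # Reach the same conclusions the text drew by hand: host name, workgroup, roles.
    entries = parse_status(text)
    unique = [e for e in entries if not e["group"]]
    groups = [e for e in entries if e["group"]]
    # IS~<host><00> is IIS's own registration, so skip it when picking the host name.
    hosts = [e["name"] for e in unique if e["suffix"] == "00" and not e["name"].startswith("IS~")]
    workgroups = [e["name"] for e in groups if e["suffix"] == "00"]
    mac = MAC_RE.search(text)
    return {
        "hostname": hosts[0] if hosts else None,
        "workgroup": workgroups[0] if workgroups else None,
        "file_server": any(e["suffix"] == "20" for e in unique),
        "iis": any(e["name"] == "INet~Services" and e["suffix"] == "1c" for e in groups),
        "master_browser": any(e["suffix"] == "1d" for e in unique),
        "mac": mac.group(1) if mac else None,
    }


if __name__ == "__main__":
    for e in parse_status(SAMPLE_STATUS):
        print(f"{e['name']:<16}<{e['suffix']}> {'group ' if e['group'] else 'unique'}  {describe(e)}")
    print(profile_host(SAMPLE_STATUS))
```

Because the parser keys on the (suffix, group) pair, the same code works for hosts that register additional names; unknown suffixes are reported as such rather than guessed.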

Tip 

The Samba suite includes a utility called findsmb that performs a similar function. Run the command to list the IP address, NetBIOS name, and domain or workgroup association of hosts on the network.

Rpcclient

Whereas smbclient and nmblookup provide interfaces to the file shares and NetBIOS information of the target, rpcclient provides a method for enumerating system and domain information. It has no Windows command-line parallel, although some Windows-based tools extract the same information.

As with smbclient, this tool provides more useful information over an authenticated connection than over an anonymous one. The most common connection string will probably be similar to the following example. Use -I to specify the target's IP address (necessary when NetBIOS over TCP/IP is disabled), -U to specify the account name under which you wish to connect, and finish with the target host's IP address or network name.

    [Paris:~] mike% rpcclient -I 10.0.1.6 -U administrator 10.0.1.6
    Password:
    rpcclient $> lsaenumsid
    found 10 SIDs
    S-1-5-6
    S-1-5-32-551
    S-1-5-32-547
    S-1-5-32-545
    S-1-5-32-544
    S-1-5-21-602162358-706699826-854245398-501
    S-1-5-21-602162358-706699826-854245398-1004
    S-1-5-21-602162358-706699826-854245398-1001
    S-1-5-21-602162358-706699826-854245398-1000
    S-1-1-0
    rpcclient $> lookupdomain twilight
    SAMR_LOOKUP_DOMAIN: Domain Name: twilight Domain SID: S-1-5-21-602162358-706699826-854245398
    rpcclient $> lookupsids S-1-5-21-602162358-706699826-854245398-500
    S-1-5-21-602162358-706699826-854245398-500 TWILIGHT\Administrator (1)
    rpcclient $> samlookuprids 500
    rid 0x1f4: Administrator (1)

The lsaenumsid command is one of many RPC-based enumeration functions. Table 5-1 describes some of the other commands that can help you profile a server and retrieve useful account information.

Table 5-1: Rpcclient Commands

lsaenumsid
    Lists the security identifiers (SIDs) within the Local Security Authority (LSA).

lookupsids
    Resolves one or more SIDs to their usernames. This works against local and domain accounts. It is also an easy way to identify the true administrator account if it has been renamed, because that account always maps to RID 500.

lookupnames
    Resolves one or more usernames to their associated SIDs.

shutdowninit
    Remote shutdown (over the shutdown pipe). You can also specify a message, the delay before shutdown, and whether to reboot or halt the system.

shutdownabort
    Aborts a shutdown (over the shutdown pipe).

shutdown
    Remote shutdown (via the registry pipe).

abortshutdown
    Aborts a shutdown (via the registry pipe).

dfsenum
    Enumerates distributed file system (DFS) shares.

srvinfo
    Server information, including platform ID, operating system version, and server type. The server type is a three-letter abbreviation that can indicate whether the host is a domain controller, a Unix (Samba) server, a SQL server, a dial-in server, and so on.

netshareenum
    Enumerates shares.

netfileenum
    Enumerates open files.

netremotetod
    Displays the server's local time.

getdcname
    Gets the trusted DC name.

enumdomusers
    Enumerates domain users.

enumdomgroups
    Enumerates domain groups.

enumalsgroups
    Enumerates alias groups.

samlookuprids
    Looks up names based on the relative identifier (RID) of the user; for example, the local administrator account always has RID 500.

lookupdomain
    Looks up a domain name.

dsenumdomtrusts
    Enumerates all trusted domains in an Active Directory (AD) forest.

enumtrust
    Enumerates trusted domains.

lsaenumacctrights
    Enumerates the rights of a SID.

lsaaddacctrights
    Adds rights to an account.

The lsaenumacctrights command can be useful for identifying particular kinds of accounts, and with the lsaaddacctrights command you can even modify them. Accounts that are usually considered users (the account represents a person with access to the system) have the SeInteractiveLogonRight and SeNetworkLogonRight privileges. These indicate that the account can log on via a shell or GUI (interactively) and that it can be accessed across the network rather than only from the local host.

    rpcclient $> lsaenumacctrights S-1-5-21-602162358-706699826-854245398-1000
    found 3 privileges for SID S-1-5-21-602162358-706699826-854245398-1000
            SeInteractiveLogonRight
            SeNetworkLogonRight
            SeBatchLogonRight
    rpcclient $> lsaenumacctrights S-1-5-21-602162358-706699826-854245398-1001
    found 2 privileges for SID S-1-5-21-602162358-706699826-854245398-1001
            SeNetworkLogonRight
            SeBatchLogonRight
    rpcclient $> lsaenumacctrights S-1-5-21-602162358-706699826-854245398-1004
    found 5 privileges for SID S-1-5-21-602162358-706699826-854245398-1004
            SeImpersonatePrivilege
            SeNetworkLogonRight
            SeServiceLogonRight
            SeBatchLogonRight
            SeDenyInteractiveLogonRight
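The SID list from lsaenumsid and the rights from lsaenumacctrights become much more useful once they are classified: well-known SIDs separated from the host's own domain SID, fixed RIDs such as 500 labelled regardless of what the account is currently called, and each enumerated account sorted into an interactive, network-only or service logon profile. The following Python script is an added example, not code from the book or from Samba; the two sample outputs it parses are constructed from the rpcclient sessions shown above so that it runs offline. It also treats SeDenyInteractiveLogonRight as overriding SeInteractiveLogonRight, which is how Windows evaluates an explicit deny, so an account like the -1004 one above is not mistaken for an interactive user.

```python
# Classify the SIDs from rpcclient's lsaenumsid and the logon rights from
# lsaenumacctrights.  Added example, not code from the book or from Samba;
# both sample outputs are constructed to match the sessions in the text.
import re
from collections import Counter
from typing import Dict, List, Optional, Set

SAMPLE_SIDS = """\
found 10 SIDs
S-1-5-6
S-1-5-32-551
S-1-5-32-547
S-1-5-32-545
S-1-5-32-544
S-1-5-21-602162358-706699826-854245398-501
S-1-5-21-602162358-706699826-854245398-1004
S-1-5-21-602162358-706699826-854245398-1001
S-1-5-21-602162358-706699826-854245398-1000
S-1-1-0
"""
SAMPLE_RIGHTS = """\
found 3 privileges for SID S-1-5-21-602162358-706699826-854245398-1000
        SeInteractiveLogonRight
        SeNetworkLogonRight
        SeBatchLogonRight
found 2 privileges for SID S-1-5-21-602162358-706699826-854245398-1001
        SeNetworkLogonRight
        SeBatchLogonRight
found 5 privileges for SID S-1-5-21-602162358-706699826-854245398-1004
        SeImpersonatePrivilege
        SeNetworkLogonRight
        SeServiceLogonRight
        SeBatchLogonRight
        SeDenyInteractiveLogonRight
"""

# Well-known SIDs present on every Windows host, and the fixed RIDs that keep
# their meaning even when the account behind them has been renamed.
WELL_KNOWN = {"S-1-1-0": "Everyone", "S-1-5-6": "Service",
              "S-1-5-32-544": "BUILTIN\\Administrators", "S-1-5-32-545": "BUILTIN\\Users",
              "S-1-5-32-547": "BUILTIN\\Power Users", "S-1-5-32-551": "BUILTIN\\Backup Operators"}
FIXED_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt",
              512: "Domain Admins", 513: "Domain Users"}
DOMAIN_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")
FOUND_RE = re.compile(r"^found (\d+) privileges for SID (S-[\d-]+)$")


def parse_sids(text: str) -> List[str]:
    # Keep only the SID lines, dropping the "found N SIDs" banner.
    return [ln.strip() for ln in text.splitlines() if ln.strip().startswith("S-1-")]


def domain_sid(sids: List[str]) -> Optional[str]:
    # The machine or domain SID is the prefix shared by the S-1-5-21-... entries.
    prefixes = [m.group(1) for m in map(DOMAIN_SID_RE.match, sids) if m]
    return Counter(prefixes).most_common(1)[0][0] if prefixes else None


def classify_sid(sid: str) -> Dict[str, object]:
    if sid in WELL_KNOWN:
        return {"sid": sid, "kind": "well-known", "label": WELL_KNOWN[sid]}
    m = DOMAIN_SID_RE.match(sid)
    if not m:
        return {"sid": sid, "kind": "other", "label": "unrecognised SID"}
    rid = int(m.group(2))
    label = FIXED_RIDS.get(rid, "user-created account or group" if rid >= 1000 else "reserved RID")
    return {"sid": sid, "kind": "domain", "domain": m.group(1), "rid": rid, "label": label}


def parse_acct_rights(text: str) -> Dict[str, Set[str]]:
    # Each "found N privileges for SID ..." header starts a new block of rights.
    rights: Dict[str, Set[str]] = {}
    current = None
    for ln in text.splitlines():
        m = FOUND_RE.match(ln.strip())
        if m:
            current = m.group(2)
            rights[current] = set()
        elif current is not None and ln.strip().startswith("Se"):
            rights[current].add(ln.strip())
    return rights


def classify_rights(rights: Set[str]) -> str:
    # An explicit deny right wins over the matching grant.
    if "SeServiceLogonRight" in rights:
        return "service account"
    interactive = ("SeInteractiveLogonRight" in rights
                   and "SeDenyInteractiveLogonRight" not in rights)
    if interactive and "SeNetworkLogonRight" in rights:
        return "interactive user"
    if "SeNetworkLogonRight" in rights:
        return "network-only account"
    return "no logon rights listed"


def report(sid_text: str, rights_text: str) -> List[str]:
    # One line per SID: its label plus the logon profile where rights were enumerated.
    rights = parse_acct_rights(rights_text)
    return [f"{sid}  {classify_sid(sid)['label']}  "
            f"[{classify_rights(rights[sid]) if sid in rights else 'rights not enumerated'}]"
            for sid in parse_sids(sid_text)]


if __name__ == "__main__":
    print("Domain SID:", domain_sid(parse_sids(SAMPLE_SIDS)))
    print("\n".join(report(SAMPLE_SIDS, SAMPLE_RIGHTS)))
```

The domain SID the script derives matches what lookupdomain returned in the session above, and the RID-based labels are what make a renamed Administrator account stand out in the report even when lookupsids is not available.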


Anti-Hacker Tool Kit
Anti-Hacker Tool Kit, Third Edition
ISBN: 0072262877
Year: 2006
Pages: 175
