Enumeration and System hacking
Instructional Objectives
Objectives of this chapter are:
• Explain the concept of Enumeration and the techniques used for Windows enumeration
• List the tools used for Windows enumeration
• Explain the SNMP enumeration technique
• Describe System hacking, particularly by the password cracking method
• Explain what Trojans are and their goals
• Describe the Trojan infection mechanism and Trojan tools
Learning Outcomes
At the end of this chapter, you are expected to:
• List four methods that can be used for Windows enumeration
• Interpret the result of the Net View command from a computer in a domain
• Interpret the result of running NBTSTAT on a machine in a local network
• Research some more tools that are available on the internet for NetBIOS exploiting
• Describe the SNMP enumeration method, with the help of how it is done using enumeration tools
• Explain important countermeasure steps for each type of enumeration technique for Windows discussed in this book
Enumeration and its techniques
Introduction to Enumeration
Windows enumeration Techniques
[Figure: Windows architecture, showing user mode and kernel mode]
Techniques used by the hacker for Enumeration are:
1. Establishing null sessions and enumerating NetBIOS names
2. Enumerating SNMP
3. Querying DNS
4. Retrieving information from Active Directory
NetBIOS enumerating
1. Specific protocol and port
2. Name Resolution
3. Datagram Service
4. Session Service

NetBIOS service and ports
Application Protocol        Protocol   Port
NetBIOS Datagram Service    UDP        138
NetBIOS Name Resolution     UDP        137
NetBIOS Session Service     TCP        139
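The NetBIOS name table that `nbtstat -A <ip>` prints over the name service (UDP 137) is what the learning outcome above asks you to interpret. The following added example (not part of the original course material) parses a constructed sample of that output with Python, labels each name suffix with the service it represents, and summarises what the host advertises, which is the same view a defender uses to inventory which hosts expose the Server service (file and printer sharing) and which claim to be domain controllers. The host name FILESRV01, the domain CORP, the MAC address and the 192.0.2.10 address are constructed.

```python
"""
Added example (not from the original slides): parse the NetBIOS name table
that `nbtstat -A <ip>` prints and explain which services a host advertises.
The sample output below is constructed for this example.
"""
import re
from dataclasses import dataclass

# Meaning of the NetBIOS name suffix (16th byte of the name) for the pairs
# most often seen; the (suffix, type) pair determines the meaning.
SUFFIX_MEANING = {
    ("00", "UNIQUE"): "Workstation service (computer name)",
    ("00", "GROUP"): "Domain or workgroup name",
    ("03", "UNIQUE"): "Messenger service (computer or logged-on user name)",
    ("1B", "UNIQUE"): "Domain master browser (the PDC emulator)",
    ("1C", "GROUP"): "Domain controllers for the domain",
    ("1D", "UNIQUE"): "Master browser for the subnet",
    ("1E", "GROUP"): "Browser service elections",
    ("20", "UNIQUE"): "Server service (file and printer sharing over TCP 139/445)",
}

# Constructed sample of `nbtstat -A 192.0.2.10` output.
SAMPLE_NBTSTAT = """
Local Area Connection:
Node IpAddress: [192.0.2.10] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    FILESRV01      <00>  UNIQUE      Registered
    CORP           <00>  GROUP       Registered
    FILESRV01      <20>  UNIQUE      Registered
    CORP           <1C>  GROUP       Registered
    CORP           <1E>  GROUP       Registered
    FILESRV01      <03>  UNIQUE      Registered

    MAC Address = 00-00-5E-00-53-01
"""

# One name-table row: NAME <XX> UNIQUE|GROUP STATUS
ROW_RE = re.compile(r"^\s*(\S+)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\w+)\s*$")


@dataclass
class NbtEntry:
    name: str
    suffix: str
    kind: str
    status: str
    meaning: str


def parse_nbtstat(text: str) -> list[NbtEntry]:
    """Return one NbtEntry per name-table row; headers and the MAC line are skipped."""
    entries = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        name, suffix, kind, status = m.groups()
        suffix = suffix.upper()
        meaning = SUFFIX_MEANING.get((suffix, kind), "Unlisted suffix; check vendor documentation")
        entries.append(NbtEntry(name, suffix, kind, status, meaning))
    return entries


def summarise_exposure(entries: list[NbtEntry]) -> dict:
    """The defender's one-line view: host name, domain/workgroup, whether the
    Server service (file sharing) is advertised, whether the host is a DC."""
    unique = {e.suffix: e.name for e in entries if e.kind == "UNIQUE"}
    groups = {e.suffix: e.name for e in entries if e.kind == "GROUP"}
    return {
        "host": unique.get("00"),
        "domain_or_workgroup": groups.get("00"),
        "file_sharing_advertised": "20" in unique,
        "domain_controller": "1C" in groups,
    }


if __name__ == "__main__":
    rows = parse_nbtstat(SAMPLE_NBTSTAT)
    for r in rows:
        print(f"{r.name:<12} <{r.suffix}> {r.kind:<7} {r.meaning}")
    print(summarise_exposure(rows))
```

A host that advertises `<20>` is running the Server service, which is the service a null session talks to over TCP 139; the summary therefore tells you directly which machines the countermeasures in this chapter (disabling the ports, restricting anonymous access) have to be applied to.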
Net View
[Figure: Net View output listing shared resources such as hard disks and printers, with their information]
Quiz / Assessment
1) Among the following, which doesn’t belong to the set of information obtained by the hacker in the
Enumeration phase?
a) Users b) Service Settings c) Host names d) DNS Infrastructure
2) An example of a NetBIOS exploiting tool is
a) DumpSec b) SNMP Informant c) Userinfo d) IP Network Browser
SNMP Enumeration
Works on a management station and an agent
• Polling the network
• SMS alert in case of failures
• Repeated validation
• Vulnerabilities
  • Default community string 'public'
  • Missing SNMP community name
  • Unauthorized write access
  • Remote packet capturing
Tools in SNMP Enumeration
Tool                               Source
SNMPutil                           Command line utility
IP Network Browser                 [Link] ip-network-browser/
SNMP Informant                     [Link]
Getif                              [Link] [Link]
Trap Receiver and Trap Generator   [Link]
SNMPutil
Tools and their use:
• SNMPutil: command line utility
• IP Network Browser: to identify the SNMP enabled devices
• SNMP Informant [Link]: used to monitor servers
• Getif: GUI feature
• Trap Receiver and Trap Generator [Link]: either sending or receiving SNMP traps

Counter Measures
1. Turning OFF SNMP
2. Restrictions for anonymous connections and null sessions
3. Replacing with higher SNMP versions
4. ACL filtering
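The vulnerabilities and counter measures above map directly onto an agent's configuration. The following added example (not from the original slides) audits the text of a Net-SNMP `snmpd.conf` for them, namely a default 'public' or 'private' community, a missing community name, write access, communities with no source restriction, and the absence of any SNMPv3 user, and places a weak configuration beside a hardened SNMPv3-only one. Both configuration texts, the user name `monitor` and the 192.0.2.5 address are constructed.

```python
"""
Added example (not part of the original slides): audit a Net-SNMP snmpd.conf
for the SNMP weaknesses listed on the slides and compare a weak configuration
with a hardened one. Both configuration texts are constructed.
"""

# constructed: a typical out-of-the-box style configuration (SNMPv1/v2c only)
WEAK_CONF = """
rocommunity public
rwcommunity private
rocommunity monitoring 10.0.0.0/8
"""

# constructed: SNMPv3 only, authenticated and encrypted, read-only,
# agent bound to a single address (192.0.2.5 is a placeholder)
HARDENED_CONF = """
createUser monitor SHA "replace-with-a-long-passphrase" AES
rouser monitor priv
agentaddress udp:192.0.2.5:161
"""

DEFAULT_COMMUNITIES = {"public", "private"}
COMMUNITY_DIRECTIVES = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"}
V3_USER_DIRECTIVES = {"rouser", "rwuser", "createuser"}


def audit_snmpd_conf(text: str) -> list[str]:
    """Return one finding per weakness; an empty list means nothing was flagged."""
    findings = []
    saw_community = saw_v3 = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        directive, args = parts[0].lower(), parts[1:]
        if directive in V3_USER_DIRECTIVES:
            saw_v3 = True
            if directive == "rwuser":
                findings.append(f"rwuser {args[0] if args else ''}: SNMPv3 write access granted")
            continue
        if directive not in COMMUNITY_DIRECTIVES:
            continue
        saw_community = True
        community = args[0] if args else ""
        # Net-SNMP's optional SOURCE argument defaults to "default", i.e. any address
        source = args[1] if len(args) > 1 else "default"
        if not community:
            findings.append(f"{directive}: community name missing")
        elif community.lower() in DEFAULT_COMMUNITIES:
            findings.append(f"{directive}: default community '{community}' in use")
        if directive.startswith("rw"):
            findings.append(f"{directive}: write access granted with community '{community}'")
        if source == "default":
            findings.append(f"{directive} {community}: no source restriction, any address may query")
    if saw_community and not saw_v3:
        findings.append("only SNMPv1/v2c communities configured: names travel in clear text and no SNMPv3 user is defined")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {len(audit_snmpd_conf(conf))} finding(s)")
        for f in audit_snmpd_conf(conf):
            print("  -", f)
```

The "remote packet capturing" vulnerability is why the last finding matters: a v1/v2c community name is sent unencrypted in every request, so anyone who can capture the traffic learns it, whereas the hardened configuration's `rouser monitor priv` line requires SNMPv3 authentication and encryption.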
Quiz / Assessment
3) Pick the odd man out and state your reasons
a) Querying DNS b) Enumerating SNMP c) Executing Whois command d) Retrieving information from the active directory
4) Which of the below is not a tool used for SNMP Enumeration
a) IP Network Browser b) SNMP Informant c) Getif d) None of the above
System Hacking
• To acquire passwords for active user names, you need knowledge of password cracking techniques and tools
• To allow yourself the highest level of access possible by exploiting operating system vulnerabilities, you need to know how to escalate privilege
• To crack password hashes, you need to know how to crack passwords using keyloggers and rootkits
• To erase evidence of your presence after the whole process, you need to hide files, cover tracks, and have knowledge of steganography
Password Definition
• "a secret word or phrase that must be used to gain access to a computer, interface or system"
• "Sequence of alphabets, numbers and special characters which is used as a secret key for accessing a computer or a network"

Password Types
• Power-on password
• Hard drive password
• Supervisor (BIOS) password
• Operating System password

Password Guessing
net use * \\target_IP\share * /u:name
This will generate a password prompt as below:
C:\>net use * \\[Link]\c$ * /u:rusty
Type the password for \\[Link]\c$:
The command completed successfully.

Automated Password Guessing (Legion, NetBIOS Auditing Tool)
Password Sniffing
Technique used by the hacker to retrieve network passwords by monitoring traffic.
• L0phtCrack: widely used in cracking Windows and Linux passwords
• KerbCrack: works on the traffic clients send to authenticate themselves to the system
Password Cracking
• Two kinds of challenge/response authentication:
  • LanManager (LM) challenge/response
  • NTLM challenge/response

Techniques
Dictionary Attack: fastest of all; uses the words of the dictionary
Brute Force Attack: randomly generating the password, applying basic logic
Hybrid Attack: combination of dictionary and brute force attacks
Password Cracking Tools
Brutus
• Performs both dictionary and brute force attacks
• Applicable for multiple authentication types
WebCracker
• Implements authentication password guessing
• Can recover username and password
Crack 5
• Fastest way for UNIX passwords
• Scans the content of the password file
Countermeasures for Password Cracking
Password between 7 and 12 characters
• Includes lowercase, uppercase, numerical and special characters
Policy on passwords
• Change the password every 30 days
Physically safe location for servers
SYSKEY utility
• Stores passwords and hashes
Monitoring of event logs
• Log all the failed login attempts
Block access to TCP and UDP ports
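For the "monitoring of event logs" and "log all the failed login attempts" countermeasures, the following added example (not part of the original slides) shows the detection logic a defender runs over logon audit records to spot the automated password guessing described earlier. It uses constructed records in a simplified `timestamp,event_id,account,source_ip` shape with the Windows Security event IDs 4625 (an account failed to log on) and 4624 (an account was successfully logged on); the thresholds, account names and addresses are constructed.

```python
"""
Added example (not from the original slides): flag sources that produce a
burst of failed logons (event 4625) inside a short window, report which
accounts they tried, and note whether a success (4624) from the same source
followed. Records and thresholds are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# constructed: "timestamp,event_id,target_account,source_ip"
SAMPLE_EVENTS = """\
2024-05-01T09:00:01,4625,alice,203.0.113.7
2024-05-01T09:00:02,4625,alice,203.0.113.7
2024-05-01T09:00:02,4625,bob,203.0.113.7
2024-05-01T09:00:03,4625,carol,203.0.113.7
2024-05-01T09:00:04,4625,dave,203.0.113.7
2024-05-01T09:00:05,4625,erin,203.0.113.7
2024-05-01T09:00:06,4624,alice,203.0.113.7
2024-05-01T09:05:00,4625,alice,198.51.100.4
2024-05-01T09:20:00,4625,alice,198.51.100.4
2024-05-01T09:40:00,4624,alice,198.51.100.4
"""

FAILURE_THRESHOLD = 5          # this many failures from one source ...
WINDOW = timedelta(minutes=2)  # ... inside this sliding window raise an alert


def parse_events(text: str) -> list[tuple]:
    """Turn the CSV-style records into (timestamp, event_id, account, source) tuples."""
    events = []
    for line in text.splitlines():
        ts, event_id, account, src = line.split(",")
        events.append((datetime.fromisoformat(ts), int(event_id), account, src))
    return events


def detect_guessing(events, threshold=FAILURE_THRESHOLD, window=WINDOW) -> dict:
    """Return {source_ip: alert} for every source whose densest burst of 4625
    events within `window` reaches `threshold`."""
    failures = defaultdict(list)   # src -> [(ts, account), ...]
    successes = defaultdict(list)  # src -> [ts, ...]
    for ts, eid, account, src in sorted(events):
        if eid == 4625:
            failures[src].append((ts, account))
        elif eid == 4624:
            successes[src].append(ts)

    alerts = {}
    for src, fails in failures.items():
        times = [t for t, _ in fails]
        best = None      # (start index, end index, count) of the densest burst
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[2]):
                best = (start, end, count)
        if best is None:
            continue
        start, end, count = best
        last_fail = times[end]
        alerts[src] = {
            "failures_in_window": count,
            "accounts": sorted({a for _, a in fails[start:end + 1]}),
            # a success right after the burst is the case worth paging on
            "success_after_burst": any(t > last_fail for t in successes[src]),
        }
    return alerts


def analyse_sample() -> dict:
    return detect_guessing(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for src, alert in analyse_sample().items():
        print(src, alert)
```

The second source (198.51.100.4) fails twice, fifteen minutes apart, and then succeeds; that is what an ordinary user who mistypes a password looks like, and it is not flagged. The first source fails six times in four seconds across five different accounts and then logs in, which is the pattern of a guessing tool followed by a compromised account.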
Quiz / Assessment
5) Which among the options is not a password sniffing tool?
a) KerbCrack b) ScoopLM c) Ethereal d) ISpyNow
6) Which one of the below options is not a password cracking technique?
a) Brute force attack b) Dictionary attack c) Rootkits d) Hybrid attack
Keystroke loggers
Hardware key logger
• When connected to the system it records and stores the user identity
Software key logger
• It comprises a DLL and an EXE to generate Trojan files, and costs much less
Key logging tools
• Refog Keylogger
• PC Activity Monitor
• IKS Software Keylogger
• KeyCaptor
Quiz/Assessment
3) Normally, a software keylogger consists of two files
a) TXT and EXE b) TXT and DLL c) DLL and EXE d) DOC and EXE
4) Which of the below options is not a keylogger tool
a) Remote Spy b) PC Activity Monitor c) Snort d) ISpyNow
Rootkits
A collection of software tools used by the cracker to obtain as well as maintain administrative-level access to the computer or network.

Ntrootkit
Most commonly used rootkit functions are:
• monitors traffic and keystrokes
• creates a backdoor into the system
• modifies log files
• attacks other machines
• modifies system tools

Some other rootkits: Hack Defender, Machiavelli, Greek wiretapping, Zeus, Stuxnet, Flame

Countermeasures
1. Backup information
2. Genuine software
3. Monitoring Event Viewer logs
Trojans
A malicious piece of code used to install hacking software on the target system, thereby helping the hacker to gain as well as maintain access to that system.
Trojan may manifest itself on the target by
The most common way the Trojan horse enters is by e-mail attachments, and it works on the registry entries.

Trojan types
• Remote Access Trojans (RATs)
• Keystroke loggers or password-sending Trojans
• Software detection killers
• Purely destructive or service-denying Trojans
• FTP Trojans

Goals
Data modification such as deletion, modification, blocking and copying, leading to disruptions such as degraded computer performance and personal data collection.
Trojan Injection Mechanism
[Figure: Trojan injection mechanism, with three routes onto the target: an e-mail attachment, downloaded worms, and the hacker installing the Trojan directly on the target]

Attachment Vectors
• Email attachment
• Deception and social engineering
• Web bugs and drive-by downloads
• NetBIOS remote plants
• Physical access
• Attacks due to Windows and IE vulnerabilities
• Fake executables and freeware
• Web pages that urge the users to install spyware and adware
Trojans and their Countermeasures
Remote Access Trojans (RATs)
• Programs that secretly allow access to a computer
• Comprise both server and client components

Distributing Trojans
• Concealing the Trojan
• Wrappers

Countermeasures
• Use of software from unknown sources is to be stopped
• E-mails from unknown sources need to be blocked
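E-mail attachments are named above as the most common entry route and blocking mail from unknown sources as the countermeasure. The following added example (not from the original slides) shows an attachment triage step that implements that check: it builds a constructed MIME message with Python's standard `email` library and flags attachments by executable extension, by a double extension that hides the real type, and by the `MZ` header that every Windows executable starts with. The sender, recipient, file names, the header bytes and the trusted-domain list are all constructed.

```python
"""
Added example (not part of the original slides): triage the attachments of
an e-mail and decide whether mail from an unknown source should be blocked.
The message, addresses and trusted domains are constructed.
"""
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js", "jar", "msi", "hta"}
TRUSTED_DOMAINS = {"example.com"}   # constructed: senders the organisation treats as known


def build_sample_message() -> bytes:
    """Constructed: an 'invoice' from an unknown domain carrying a fake
    executable with a double extension, plus a harmless text file."""
    msg = EmailMessage()
    msg["From"] = "billing@unknown-sender.invalid"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    fake_pe = b"MZ" + b"\x90" * 62 + b"PE\x00\x00"   # constructed header bytes, not a program
    msg.add_attachment(fake_pe, maintype="application", subtype="pdf", filename="invoice.pdf.exe")
    msg.add_attachment(b"meeting notes\n", maintype="text", subtype="plain", filename="notes.txt")
    return msg.as_bytes()


def triage_attachments(raw: bytes) -> dict:
    """Report every attachment with the reasons it is suspicious, and a block
    decision: unknown sender AND at least one flagged attachment."""
    msg = message_from_bytes(raw, policy=default)
    sender_domain = str(msg.get("From", "")).rsplit("@", 1)[-1].strip("> ").lower()
    report = {"from_trusted_domain": sender_domain in TRUSTED_DOMAINS, "attachments": []}
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        pieces = filename.lower().split(".")
        ext = pieces[-1] if len(pieces) > 1 else ""
        flags = []
        if ext in EXECUTABLE_EXTENSIONS:
            flags.append("executable extension ." + ext)
        if len(pieces) > 2 and ext in EXECUTABLE_EXTENSIONS:
            flags.append("double extension hides the executable type")
        if payload.startswith(b"MZ"):   # DOS/PE signature regardless of what the header claims
            flags.append("MZ executable header but declared as " + part.get_content_type())
        report["attachments"].append(
            {"filename": filename, "content_type": part.get_content_type(), "flags": flags}
        )
    report["block"] = (not report["from_trusted_domain"]) and any(a["flags"] for a in report["attachments"])
    return report


if __name__ == "__main__":
    result = triage_attachments(build_sample_message())
    for a in result["attachments"]:
        print(a["filename"], a["content_type"], a["flags"])
    print("block:", result["block"])
```

The content check is the important one: a wrapper or a renamed file can change the name and the declared MIME type, but the bytes of a Windows executable still begin with `MZ`, so the third flag fires even when the first two are evaded.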
Quiz/Assessment
7) You may become the victim of a Trojan attack when you just visit a website, without even downloading
anything from it. This is referred to as
a) Freeware b) NetBIOS remote plants c) Drive-by downloads d) backdoor
8) What is the attack vector used by counterfeit websites?
a) Physical access b) Web bugs c) Deception d) Social Engineering
Summary
In Enumeration, the hacker attempts to retrieve user account information, system groups and roles, passwords and any unprotected shares.
Establishing null sessions and enumerating NetBIOS names, SNMP enumeration, DNS querying and gathering Active Directory information are the four techniques used for Windows enumeration.
DumpSec and the NetBIOS Auditing Tool are two enumerating tools.
The default SNMP community string value being PUBLIC, a missing SNMP community name and unauthorized write access are some of the SNMP vulnerabilities.
Disabling the TCP 139 or TCP 445 ports and SMB services, and restricting the anonymous user by modifying the registry entry, are some of the means by which NetBIOS null sessions can be avoided.
Removing the SNMP agent or turning off SNMP services, maintaining community string values that are not easy to guess, and restricting access to null session pipes and null session shares are recommended practices for preventing SNMP hacking.
Automated password guessing and password sniffing are the two methods used for guessing a password.
Hardware keyloggers and software keyloggers are the two types of keystroke loggers available.
Dictionary attack, brute force attack and hybrid attack are the three types of password cracking techniques.
e-References & External Resources
1. Read about 'vulnerabilities of SNMP' here: [Link] vulnerabilities-of-snmp/
2. A useful website to read all about rootkits is [Link] how-to-combat-them/
3. Different password types: [Link] the-various-types-of-computer-passwords/ta-p/1166371
4. Differences between a hardware keylogger and a software keylogger: [Link] [Link]

1. The CEH Prep Guide, the comprehensive guide to Certified Ethical Hacking by Ronald L. Krutz and Russell Dean Vines
2. Official Certified Ethical Hacker Review Guide by Kimberly Graves
3. Unofficial Guide to Ethical Hacking by Ankit Fadia
Activity
Brief description of activity
Online Activity (20 min)
Description: Explain the working of Net View, NBTSTAT and Nbtscan by practically running these utilities on your computer and taking screenshots of the output result to make a report of the same.