User:Tomchiukc/ComputerSecurity/Enumeration
System Information
- OIDTree: Textbook p.625
- Management Information Base Tools (MIBTools)
snmputil queries against the lab host, all using the default read community string 'public':

C:\Documents and Settings\Student>"\\192.168.184.129\c$\Tools\Module 4 - Enumeration\snmputil.exe" get 192.168.184.129 public .1.3.6.1.2.1.1.2.0
Variable = system.sysObjectID.0
Value    = ObjectID 1.3.6.1.4.1.311.1.1.3.1.1

C:\Documents and Settings\Student>"\\192.168.184.129\c$\Tools\Module 4 - Enumeration\snmputil.exe" getnext 192.168.184.129 public interfaces.ifNumber.0
Variable = interfaces.ifTable.ifEntry.ifIndex.1
Value    = Integer32 1

C:\Documents and Settings\Student>"\\192.168.184.129\c$\Tools\Module 4 - Enumeration\snmputil.exe" getnext 192.168.184.129 public 0.0
Variable = system.sysDescr.0
Value    = String Hardware: x86 Family 15 Model 2 Stepping 8 AT/AT COMPATIBLE - Software: Windows 2000 Version 5.0 (Build 2195 Uniprocessor Free)

- get returns exactly the OID asked for; getnext returns the lexicographically next OID, which is why getnext 0.0 yields the first object in the tree (sysDescr.0). Repeating getnext walks the entire MIB.
- The enterprise arc 1.3.6.1.4.1.<n> is assigned by IANA (Private Enterprise Numbers); 311 is Microsoft, so sysObjectID alone identifies the vendor, and sysDescr hands over the exact OS build.
- IP Network Browser (SolarWinds, http://www.solarwinds.net): GUI SNMP scanner that sweeps a range and dumps the MIB of every agent answering to a given community string.
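What snmputil does on the wire, as an added example written for this page (not snmputil's code and not from the course): it builds an SNMPv1 GetRequest/GetNext by hand, parses the GetResponse, and shows that the community string is the only credential and is sent in clear text. The GetResponse it parses is constructed locally with the same encoder (mirroring the page's sysObjectID query) so the script runs offline; the target address is only a default for the optional live query.

```python
"""SNMPv1 GET over UDP/161, built by hand (added example; not snmputil).

Constructed for illustration: SAMPLE_RESPONSE is generated locally so the
script runs offline; host/community are only defaults for snmp_get().
"""
import socket

GET, GETNEXT, RESPONSE = 0xA0, 0xA1, 0xA2


def ber_len(n):
    """BER definite-form length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload


def encode_int(v):
    # non-negative INTEGER, minimal length with the sign bit clear
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))


def encode_oid(oid):
    arcs = [int(a) for a in oid.strip(".").split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])     # first two arcs share one byte
    for a in arcs[2:]:
        chunk = [a & 0x7F]                         # base-128, high bit = "more follows"
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        body.extend(chunk)
    return tlv(0x06, bytes(body))


def build_pdu(community, oid, request_id=1, pdu_type=GET, value=tlv(0x05, b"")):
    """SNMPv1 message: version INTEGER 0, community OCTET STRING, then the PDU."""
    varbinds = tlv(0x30, tlv(0x30, encode_oid(oid) + value))
    pdu = tlv(pdu_type, encode_int(request_id) + encode_int(0) + encode_int(0) + varbinds)
    return tlv(0x30, encode_int(0) + tlv(0x04, community.encode()) + pdu)


def read_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_message(data):
    """Return (community, pdu_type, [(oid, value), ...]); raises on error-status != 0."""
    _, msg, _ = read_tlv(data)
    _, _, p = read_tlv(msg)                       # version
    _, community, p = read_tlv(msg, p)            # the "password", in the clear
    pdu_type, pdu, _ = read_tlv(msg, p)
    _, _, p = read_tlv(pdu)                       # request-id
    _, err, p = read_tlv(pdu, p)                  # error-status
    if int.from_bytes(err, "big"):
        raise ValueError("SNMP error-status %d" % int.from_bytes(err, "big"))
    _, _, p = read_tlv(pdu, p)                    # error-index
    _, vbl, _ = read_tlv(pdu, p)
    out, q = [], 0
    while q < len(vbl):
        _, vb, q = read_tlv(vbl, q)
        _, oid, r = read_tlv(vb)
        vtag, val, _ = read_tlv(vb, r)
        if vtag == 0x06:
            value = decode_oid(val)
        elif vtag in (0x02, 0x41, 0x42, 0x43):    # INTEGER, Counter32, Gauge32, TimeTicks
            value = int.from_bytes(val, "big", signed=(vtag == 0x02))
        else:
            value = val.decode("latin-1")         # OCTET STRING, e.g. sysDescr
        out.append((decode_oid(oid), value))
    return community.decode(), pdu_type, out


def snmp_get(host, oid, community="public", pdu_type=GET, timeout=2.0):
    """Send one GET/GETNEXT to UDP/161 and parse the reply (needs a live agent)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_pdu(community, oid, pdu_type=pdu_type), (host, 161))
        data, _ = s.recvfrom(65535)
    return parse_message(data)


# Constructed GetResponse mirroring the page's first snmputil query:
# sysObjectID.0 = 1.3.6.1.4.1.311.1.1.3.1.1 (311 = Microsoft's IANA enterprise number).
SAMPLE_RESPONSE = build_pdu("public", "1.3.6.1.2.1.1.2.0", pdu_type=RESPONSE,
                            value=encode_oid("1.3.6.1.4.1.311.1.1.3.1.1"))

if __name__ == "__main__":
    print(parse_message(SAMPLE_RESPONSE))
    # print(snmp_get("192.168.184.129", "1.3.6.1.2.1.1.1.0"))  # sysDescr.0 from a real agent
```

Because the community string sits in a plain OCTET STRING, anyone who can sniff a management station's traffic recovers it; changing 'public' to something else raises the bar for guessing but not for capture, which is why restricting the accepting hosts (and, later, SNMPv3) matters more than the string itself.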
Countermeasures
- Disable the SNMP service altogether (most effective, but not practical where SNMP monitoring is needed).
- Change the default 'public' community string and remove 'public' from the accepted list. The string still crosses the network in clear text in SNMPv1/v2c, so this stops guessing, not sniffing.
- Control Panel -> Administrative Tools -> Services -> SNMP Service (the agent that answers get/getnext; the SNMP Trap Service only receives traps) -> Properties -> Security tab -> Accepted community names. On the same tab, select "Accept SNMP packets from these hosts" and list only the management stations.
- DNS zone transfer: in nslookup, point at the target's DNS server and run ls -d <domainname>; if the server allows transfers to anyone, it returns the whole zone.
- An Active Directory-integrated zone on Win2K stores SRV records (in addition to MX, CNAME, etc.) that point straight at the IP addresses of the special roles:
  - Global Catalog service (_gc._tcp.<domain>, port 3268)
  - Domain Controllers (_ldap._tcp.dc._msdcs.<domain>, port 389)
  - Kerberos authentication (_kerberos._tcp.<domain>, port 88)
- Countermeasure: explicitly specify the IP addresses (the secondary servers) that may perform zone transfers (DNS console -> zone Properties -> Zone Transfers); requests from any other host are refused.
UID/SID
user2sid resolves an account name to its SID; sid2user does the reverse from the SID's numeric parts. Both work over a null session.

I:\Tools>"I:\Tools\Module 4 - Enumeration\sid\user2sid.exe" \\192.168.184.129 administrator
S-1-5-21-1214440339-73586283-725345543-500
Number of subauthorities is 5
Domain is VICTIM
Length of SID in memory is 28 bytes
Type of SID is SidTypeUser

I:\Tools>"I:\Tools\Module 4 - Enumeration\sid\sid2user.exe" \\192.168.0.50 5 21 1214440339 73586283 725345543 500
Name is Administrator
Domain is VICTIM
Type of SID is SidTypeUser

- Everything before the last subauthority (S-1-5-21-1214440339-73586283-725345543) is the domain SID, shared by every account in VICTIM; the last number is the RID.
- RID 500 is always the built-in Administrator, so once the domain SID is known, sid2user with RID 500 reveals the account even if it has been renamed. Ordinary users are found by walking RIDs from 1000 upward.
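The structure those two tools walk, as an added example in Python written for this page (not user2sid/sid2user's code): it converts between the string and the 28-byte binary SID form, splits off the domain SID and RID, produces the argument list sid2user expects, and generates the RID-walk candidates. The SID is the one the page's user2sid run printed; the RID range is an assumption.

```python
"""SID string <-> binary, RID split, and RID walk (added example; not the tools' code)."""
import struct

# Well-known RIDs; the rest of the SID is the domain SID (assumption: table trimmed to the common ones)
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt",
                   512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests"}


def sid_to_bytes(sid):
    """S-R-A-S1-...-Sn -> revision(1) count(1) authority(6, big-endian) subauthorities(4 each, little-endian)."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("not a SID: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(x) for x in parts[3:]]
    if len(subs) > 15:
        raise ValueError("a SID holds at most 15 subauthorities")
    return (struct.pack("<BB", revision, len(subs)) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(blob):
    """Inverse of sid_to_bytes; the count byte says how many 4-byte subauthorities follow."""
    revision, count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, blob, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def split_sid(sid):
    """(domain SID, RID): the last subauthority is the relative identifier."""
    domain, rid = sid.rsplit("-", 1)
    return domain, int(rid)


def sid2user_args(sid):
    """The space-separated numbers sid2user wants: authority, then each subauthority."""
    return sid.split("-")[2:]


def rid_walk(domain_sid, start=500, stop=1010):
    """Candidate SIDs to resolve with sid2user: built-ins (<1000) then the first created users (>=1000)."""
    return ["%s-%d" % (domain_sid, rid) for rid in range(start, stop)]


if __name__ == "__main__":
    sid = "S-1-5-21-1214440339-73586283-725345543-500"        # from the page's user2sid output
    blob = sid_to_bytes(sid)
    domain, rid = split_sid(sid)
    print(len(blob), "bytes")                                 # 28, as user2sid reported
    print(domain, rid, WELL_KNOWN_RIDS.get(rid))
    print(" ".join(sid2user_args(sid)))                       # paste after sid2user \\host
    print(rid_walk(domain)[-1])
```

Length 28 = 8 header bytes + 5 subauthorities x 4 bytes, matching "Number of subauthorities is 5" in the output above. user2sid on any known name (Guest works when Administrator has been renamed) gives the domain SID; from there the walk needs no names at all.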
Enum
- requires a null session (an anonymous connection to the target's IPC$ share)
- useful switches: -U (user list), -G (groups and their members), -d (detailed output), -L (LSA policy information), -P (password policy); combine as -UGd to dump users and groups in detail.
Userinfo
- requires a null session connection to the target
UserInfo v1.5 - thor@hammerofgod.com
Querying Controller \\192.168.184.129

USER INFO
Username:       Administrator
Full Name:
Comment:        Built-in account for administering the computer/domain
User Comment:
User ID:        500
Primary Grp:    513
Privs:          Admin Privs
OperatorPrivs:  No explicit OP Privs

SYSTEM FLAGS (Flag dword is 66049)
User's pwd never expires.

MISC INFO
Password age:   Sat Jan 10 02:03:25 2004
LastLogon:      Mon Aug 09 11:17:17 2004
LastLogoff:     Thu Jan 01 00:00:00 1970
Acct Expires:   Never
Max Storage:    Unlimited
Workstations:
UnitsperWeek:   168
Bad pw Count:   0
Num logons:     19
Country code:   0
Code page:      0
Profile:
ScriptPath:
Homedir drive:
Home Dir:
PasswordExp:    0

Logon hours at controller, GMT:
Hours-    12345678901N12345678901M
Sunday    111111111111111111111111
Monday    111111111111111111111111
Tuesday   111111111111111111111111
Wednesday 111111111111111111111111
Thursday  111111111111111111111111
Friday    111111111111111111111111
Saturday  111111111111111111111111

Get hammered at HammerofGod.com!
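Reading that dump programmatically, as an added example written for this page (not part of UserInfo): it parses the key/value lines, decodes the flag dword 66049 into the UF_* account-control bits (lmaccess.h names; the same bits AD exposes as userAccountControl), and flags what an enumerator or a defender would act on. The sample input is the page's own output trimmed to the parsed fields; the observations list is this example's choice.

```python
"""Decode a UserInfo dump (added example; not part of the UserInfo tool).

SAMPLE is the page's UserInfo output, trimmed to the fields parsed here.
"""
import re

# USER_INFO usri*_flags / userAccountControl bits (UF_* constants from lmaccess.h)
UF_FLAGS = {
    0x0001: "UF_SCRIPT", 0x0002: "UF_ACCOUNTDISABLE",
    0x0008: "UF_HOMEDIR_REQUIRED", 0x0010: "UF_LOCKOUT",
    0x0020: "UF_PASSWD_NOTREQD", 0x0040: "UF_PASSWD_CANT_CHANGE",
    0x0080: "UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED", 0x0100: "UF_TEMP_DUPLICATE_ACCOUNT",
    0x0200: "UF_NORMAL_ACCOUNT", 0x0800: "UF_INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "UF_WORKSTATION_TRUST_ACCOUNT", 0x2000: "UF_SERVER_TRUST_ACCOUNT",
    0x10000: "UF_DONT_EXPIRE_PASSWD", 0x20000: "UF_MNS_LOGON_ACCOUNT",
    0x40000: "UF_SMARTCARD_REQUIRED", 0x80000: "UF_TRUSTED_FOR_DELEGATION",
    0x100000: "UF_NOT_DELEGATED", 0x200000: "UF_USE_DES_KEY_ONLY",
    0x400000: "UF_DONT_REQUIRE_PREAUTH", 0x800000: "UF_PASSWORD_EXPIRED",
}
DAYS = ("Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday")
FLAGS_RE = re.compile(r"SYSTEM FLAGS \(Flag dword is (\d+)\)")

SAMPLE = """\
USER INFO
Username: Administrator
Full Name:
Comment: Built-in account for administering the computer/domain
User ID: 500
Primary Grp: 513
Privs: Admin Privs
SYSTEM FLAGS (Flag dword is 66049)
User's pwd never expires.
MISC INFO
Password age: Sat Jan 10 02:03:25 2004
LastLogon: Mon Aug 09 11:17:17 2004
Bad pw Count: 0
Num logons: 19
UnitsperWeek: 168
Logon hours at controller, GMT:
Hours- 12345678901N12345678901M
Sunday 111111111111111111111111
Monday 111111111111111111111111
Tuesday 111111111111111111111111
Wednesday 111111111111111111111111
Thursday 111111111111111111111111
Friday 111111111111111111111111
Saturday 111111111111111111111111
"""


def decode_flags(dword):
    """Names of the UF_* bits set in the flag dword, lowest bit first."""
    return [name for bit, name in sorted(UF_FLAGS.items()) if dword & bit]


def parse_userinfo(text):
    """Key/value fields, the flag dword and the per-day logon-hour bitmaps."""
    info, hours = {}, {}
    for line in text.splitlines():
        m = FLAGS_RE.search(line)
        if m:
            info["flags"] = int(m.group(1))
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] in DAYS:
            hours[parts[0]] = parts[1]            # one char per hour, '1' = logon allowed
            continue
        if ":" in line:
            key, value = line.split(":", 1)
            info[key.strip()] = value.strip()
    info["logon_hours"] = hours
    return info


def assess(info):
    """Return (decoded flag names, observations worth acting on)."""
    flags = decode_flags(info["flags"])
    rid = int(info["User ID"])
    notes = []
    if rid == 500:
        notes.append("RID 500 is the built-in Administrator whatever it is named")
    elif rid < 1000:
        notes.append("RID below 1000: built-in/special account")
    if "UF_DONT_EXPIRE_PASSWD" in flags:
        notes.append("password never expires")
    if "UF_PASSWD_NOTREQD" in flags:
        notes.append("password not required")
    if "UF_ACCOUNTDISABLE" in flags:
        notes.append("account disabled")
    if sum(h.count("1") for h in info["logon_hours"].values()) == 7 * 24:
        notes.append("logon permitted 24x7")
    return flags, notes


if __name__ == "__main__":
    flags, notes = assess(parse_userinfo(SAMPLE))
    print(flags)            # ['UF_SCRIPT', 'UF_NORMAL_ACCOUNT', 'UF_DONT_EXPIRE_PASSWD']
    for n in notes:
        print("-", n)
```

66049 = 0x10201 = UF_SCRIPT | UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD, which is exactly the "User's pwd never expires." line UserInfo prints; the 168 ones in the logon-hours table are the UnitsperWeek value.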
Null session restriction
- GetAcct sidesteps "RestrictAnonymous=1" (HKLM\SYSTEM\CurrentControlSet\Control\Lsa) and acquires account information on Windows NT/2000 machines. On Windows 2000, RestrictAnonymous=2 removes Everyone from the anonymous token and blocks this, at the cost of breaking down-level trusts and some services.
- Special tools from http://www.securityfriday.com
- RIDs for ordinary user accounts start at 1000 and count upward, so walking RIDs from 1000 enumerates every account created by the administrator.
- RIDs below 1000 are reserved for built-in accounts and groups (500 Administrator, 501 Guest, 513 Domain Users, etc.).
Active Directory Enumeration
- Active Directory can be enumerated with a simple LDAP query.
- requires an authenticated LDAP session, but any domain account will do
- connect to any domain controller with ldp.exe on TCP port 389 (3268 for the Global Catalog)
- even the Guest account can authenticate
- can enumerate all users (plus groups, computers and OUs)
- dcpromo promotes a Windows 2000 server to a domain controller (Active Directory server).
- To limit AD enumeration, run dcpromo with "Permissions compatible only with Windows 2000 servers". The pre-Windows 2000 compatible option adds Everyone to the Pre-Windows 2000 Compatible Access group, which is what lets anonymous and Guest sessions read user and group attributes. This requires that only Win2K machines participate in the domain.
- Block TCP ports 389 and 3268 (and 636/3269 for LDAP over SSL) from untrusted networks; they must remain reachable from domain members.