UNIT 4 Simplified Notes
Enumeration
Enumeration is an important phase in the penetration testing process, focused on actively gathering
information about the target company's systems and networks. Here's a detailed explanation of
enumeration:
Definition: Enumeration involves aggressive collection tactics to interact with systems and
networking elements, extracting as much information as possible.
Purpose: The main objective of enumeration is to obtain detailed information about the target's
systems, services, and network infrastructure. This information is crucial for building an effective
attack plan and conducting a thorough vulnerability analysis.
ENUMERATION TECHNIQUES
Connection scanning is a technique used in penetration testing to determine the status and
availability of ports on a target system. Here is a detailed explanation of different connection
scanning methods:
1. TCP Connect Scanning: This method involves sending a TCP connect request to a specific port on a
target system. If the port is active and accepting connections, the system will respond, indicating
that the port is open. This technique is commonly used to check if a service is running on a particular
port.
2. SYN Scanning: In SYN scanning, the tester sends a SYN packet to the target port. If the port is open
and accepting connections, the target system responds with a SYN/ACK packet. The tester then
sends an RST packet to terminate the connection. SYN scanning can help identify open ports, but it
may be detected as a potential attack by security devices due to its association with SYN flood
attacks.
3. FIN Scanning: FIN scanning involves sending a FIN packet to a port. If the port is closed and does
not have a corresponding service, the target system will respond with an RST packet. However, if the
port is open or listening, it may not respond at all. This technique can sometimes bypass certain
security controls if not properly configured.
4. Fragment Scanning: Fragment scanning involves fragmenting a scanning packet into smaller
packets to confuse security systems. By sending fragmented packets, the tester attempts to evade
detection or bypass security devices. However, many security systems are configured to detect and
block fragmented packets, making this technique less effective.
5. TCP Reverse IDENT Scanning: The IDENT protocol is used to identify the owner of a connection.
By sending a port pair to the system's IDENT service, the tester can obtain information about the
connection owner. However, most systems do not run IDENT due to security concerns, so this
technique is typically more useful in internal network environments.
6. FTP Bounce Scanning: In FTP bounce scanning, the tester leverages the FTP protocol's separate control
and data connections to have an FTP server proxy scans on the tester's behalf. By manipulating the
control and data channels, the tester can scan remote systems through the FTP server. This technique
relies on specific configuration vulnerabilities and is not always successful.
7. UDP Scanning: UDP scanning involves sending UDP packets to specific ports to check for
responses. If a target port is open, some systems may respond with an ICMP message stating that
the port is unreachable. This technique can help identify open UDP ports associated with known
vulnerabilities or potential services.
8. ACK Scanning: ACK scanning is used to determine the type of filtering devices (such as firewalls or
routers) between the tester and the target system. By sending packets with the ACK bit set and
specifying the port, the tester can observe the responses. A router will typically forward the packet
and return an RST packet, while a firewall may not provide any response.
Each connection scanning method has its advantages and limitations, and their effectiveness can
vary depending on the target system's configuration and the security measures in place.
SOFT OBJECTIVE
Enumeration is a crucial phase in penetration testing that involves gathering information about the
target's technical elements. It includes interacting with various systems and components to obtain
data that provides insights into the target's security posture. The collected information, combined
with data from the reconnaissance phase, helps the tester develop a comprehensive understanding
of the target's environment. This analysis enables the identification of potential vulnerabilities and
guides subsequent vulnerability analysis. The process relies on the tester's intuition and expertise to
uncover hidden vulnerabilities and assess the overall security of the target.
Planning a penetration test requires understanding the tools and tactics used.
ELEMENTS OF ENUMERATION
Account Data:
- Applications and services may expose user and system account information.
- Knowing user account names and login status can be valuable for attackers.
Architecture:
- Tools and techniques used during enumeration can reveal the logical architecture of a network.
- Scanning multiple networks may reveal identical data, indicating a multi-homed server.
- By analyzing responses, it is possible to identify network elements and the type and configuration
of firewalls.
Operating Systems:
- Tools like NMap can identify the type and version of an operating system.
- Manual information collection from services running on a system can help determine the OS
version.
- Identifying the operating system is more challenging for UNIX systems compared to Microsoft
systems.
Wireless Networks:
- Accessing a wireless network can provide insights into the target's internal network.
- If wireless access falls within the engagement scope, it can be used to launch attacks or gather
information for internet-based attacks.
Applications:
- Applications can provide valuable information about the target company, preferred systems, and
critical data.
- Knowledge of specific applications can guide the search for vulnerabilities.
- Custom applications developed internally often lack proper security measures, making them
potential targets for exploitation.
Custom Applications:
- Internally developed applications are often insecure and lack proper documentation.
- Supporting and securing custom applications can be challenging, increasing the risk of
vulnerabilities.
- Custom applications offer opportunities for testing various attack vectors and techniques.
- Interacting with the application during enumeration helps collect data and identify potential
vulnerabilities.
- The severity and potential impact of vulnerabilities may vary depending on the specific
environment and architecture.
- Ethical hacking aims to test and validate theories through the exploration of different perspectives
on exploitation.
Intuitive testing in penetration testing raises the question of whether every vulnerability needs
to be exploited to demonstrate its value. While some vulnerabilities can be quickly identified as high-
risk without exploitation, the true impact and exposure can only be determined through
exploitation. By focusing on sampling specific systems that represent the majority, it becomes
possible to draw logical conclusions about the overall vulnerability of the network. Intuitive testing
aims to expose and rate as many vulnerabilities as possible, providing a comprehensive view of the
risk landscape. It avoids excessive exploitation of a single vulnerability and promotes the search for
other avenues of access. This approach acknowledges that not all hackers possess the same skills as
testers and that alternative vulnerabilities may be used by attackers. When critical information, such
as passwords, is obtained, leveraging it to access other systems may not provide additional value to
the client. Therefore, the tester may decide to conclude an attack thread and explore other potential
vulnerabilities. By taking a comprehensive approach and demonstrating value even without full
exploitation, intuitive testing adds value to the customer.
Evasion
In penetration testing, evasion techniques are employed to avoid detection and remain anonymous,
similar to the goals of real hackers. While evading detection is often a priority for testers, it is not
always mandatory. However, prioritizing stealth may limit the discovery of vulnerabilities and
decrease the overall success of the attack. The time-consuming nature of remaining undetected can
reduce the tester's effectiveness and result in fewer identified and exploited vulnerabilities
compared to a more open and aggressive approach.
Key points on intrusion detection systems (IDS) and the evasion techniques hackers use against them,
by subtopic:
- Intrusion Detection System (IDS): IDS can be a network device or a server-based system that
monitors network traffic or host activities to identify potential attacks. IDS can detect attacks
through signature analysis, protocol analysis, and anomaly detection.
- Signature Analysis: IDS uses predefined signatures to identify known attack patterns based on the
format, timing, and structure of communications. When a communication matches a signature, the
IDS can generate alerts or log the event.
- Protocol Analysis: IDS examines the behavior of network protocols to detect suspicious activities. It
can identify attacks that exploit vulnerabilities in protocols, such as malformed packets or
unauthorized behaviors.
- Anomaly Detection: IDS can employ anomaly detection techniques to identify deviations from
normal network behavior. This includes anomaly signatures, which define standard operating
procedures, and statistical modeling, which compares traffic patterns to detect abnormal
communication.
- Observation: Monitoring system activity, log files, and system status can help detect hackers based
on their impact on the environment and system reactions to typical interference.
- Evasion: Hackers often use evasion techniques to bypass detection systems. Examples include
sending packets with limited Time to Live (TTL), injecting malicious data through undetectable URLs,
or using invalid characters. While these tactics may raise suspicion, they can also expose the attacker
if the system is configured to identify such activities.
It is important for organizations to be aware of evasion techniques and configure their systems to
effectively detect and respond to suspicious activities, considering both the risk of false alarms and
the potential security threats.
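The "undetectable URL" and "invalid character" evasions above work against signature analysis that inspects raw bytes; the following added example (not from the original notes) shows a toy signature matcher missing disguised requests until the request-target is decoded and canonicalised first. The signature, request lines and normalisation rules are constructed for illustration.

```python
"""Signature matching with and without request normalisation.

Added example, not from the original notes: a toy signature check that
shows why an IDS comparing raw URLs against a pattern misses a request
disguised with percent-encoding or odd separators, and how decoding and
canonicalising the path first closes that gap. The request lines and the
signature are constructed for illustration.
"""
import re
from urllib.parse import unquote

# Constructed signature: a CGI request that climbs out of its directory.
SIGNATURES = {
    "cgi-traversal": re.compile(r"/cgi-bin/.*\.\./.*etc/passwd", re.IGNORECASE),
}

# Constructed request lines: one plain, two disguised, one benign.
REQUESTS = [
    "GET /cgi-bin/view.cgi?file=../../etc/passwd HTTP/1.0",
    "GET /cgi-bin/view.cgi?file=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.0",  # percent-encoded
    "GET /cgi-bin/./view.cgi?file=..%5c..%5cetc/passwd HTTP/1.0",         # mixed separators
    "GET /cgi-bin/view.cgi?file=readme.txt HTTP/1.0",
]

def request_path(line):
    """Return the request-target from a request line (method target version)."""
    parts = line.split()
    return parts[1] if len(parts) >= 2 else ""

def normalise(path):
    """Canonicalise a request-target the way a protocol-aware IDS would:
    decode percent-encoding (twice, to undo double encoding), fold
    backslashes to slashes, drop "/./" segments and collapse repeated
    slashes."""
    decoded = unquote(unquote(path))
    decoded = decoded.replace("\\", "/")
    decoded = re.sub(r"/\./", "/", decoded)
    decoded = re.sub(r"/{2,}", "/", decoded)
    return decoded

def match_raw(line):
    """Naive signature analysis: compare the raw request-target only."""
    target = request_path(line)
    return [name for name, rx in SIGNATURES.items() if rx.search(target)]

def match_normalised(line):
    """Protocol-aware signature analysis: normalise first, then match."""
    target = normalise(request_path(line))
    return [name for name, rx in SIGNATURES.items() if rx.search(target)]

def compare(lines):
    """Return (raw_hits, normalised_hits) counts so the gap is visible."""
    raw = sum(1 for l in lines if match_raw(l))
    norm = sum(1 for l in lines if match_normalised(l))
    return raw, norm

if __name__ == "__main__":
    for line in REQUESTS:
        raw = ",".join(match_raw(line)) or "-"
        norm = ",".join(match_normalised(line)) or "-"
        print(f"raw={raw:<14} normalised={norm:<14} {line}")
    print("raw hits, normalised hits:", compare(REQUESTS))
```

The normaliser must mirror what the protected server actually does with the same bytes; decoding more aggressively than the server creates false alarms, decoding less leaves the gap open.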
Thread
- Thread: A related set of actions in a penetration test leading to a conclusion, which can be either
an exploited vulnerability or a hard stop.
- Example threads: Threads 3, 4, and 5 focus on gaining information from systems in the DMZ, while
thread 2 targets the firewall and explores the Internet-facing infrastructure. Threads 1, 6, and 7 aim
to interact with servers behind the inner firewalls and penetrate the internal network.
- Tactics: Each thread may require different tactics to bypass security measures and progress further
into the network.
- Penetrating the internal network: Thread 7 represents a successful attack reaching the internal
network, utilizing various tactics such as false packets, exploiting vulnerabilities, or taking advantage
of weak security practices.
- Advantages of threads: Threads allow for focused and rapid attacks, enabling the tester to gather
information, identify vulnerabilities, and plan the next steps while remaining relatively unnoticed.
They can also involve different tools and spread the attack across multiple sources, enhancing
stealth and evasion.
GROUPS
When threads are combined, they form groups that represent a full-on assault on the target
network. These groups incorporate the knowledge and tools gained from multiple threads to
maximize the attack's effectiveness. Think of threads as a beachhead and groups as the final assault,
moving towards the ultimate goal of accessing sensitive data or compromising critical systems.
Hackers often use a similar approach, using multiple systems as launching pads to work their way
closer to the target. Each compromised system becomes a thread, with a specific attack goal, and
the combined use of all commandeered systems forms a group to launch the final wave of the
attack.
The advantage of utilizing threads and groups in a penetration test is that they provide valuable
insights into the success and impact of each attack. By analyzing the results of each thread and
group, organizations can assess the likelihood of such threats becoming a reality and prioritize the
mitigation of vulnerabilities accordingly. The evaluation of threads and groups helps determine the
order in which system repairs should be implemented to have the greatest impact on reducing
overall risk.
It is important for testers and organizations to consider the combination of threads and groups in
their analysis of threats and risk, as it provides a more comprehensive understanding of the
vulnerabilities and their potential impact.
Operating Systems:
Attempting to attack the operating system is a common tactic used by both penetration testers and
hackers. Despite hosting sensitive information, operating systems often remain vulnerable due to
the need to provide numerous options to users, services, and applications. Patching vulnerabilities in
all the different versions and types of operating systems is a challenging task, often leading to delays
in implementing necessary security measures.
Windows:
Microsoft's Windows operating system prioritizes user-friendliness, but this can compromise
security. While Windows XP can be secured to a higher level, its default settings lack necessary
controls, such as automatic participation in wireless networks without user confirmation. In
contrast, Windows 2003 takes a more secure approach by executing potentially exploitable services
under a nonprivileged account. Administrators must ensure Windows systems are properly secured
before deployment, but older versions may struggle to reach higher levels of security. Windows
systems are commonly identified as the most vulnerable during penetration tests, given their
prevalence and the frequent emergence of new vulnerabilities. Timely application of security
patches can help reduce risks, but compatibility issues with custom applications and limited
resources can hinder the patching process.
UNIX:
UNIX operating systems, including flavors like Solaris, HP-UX, and AIX, prioritize security over user-
friendliness. Understanding the inner workings of a UNIX system is crucial for effective
administration. While UNIX systems were historically less prone to vulnerabilities due to their focus
on security, recent years have seen an increase in identified vulnerabilities across different flavors.
Poor implementation practices and the failure to disable unnecessary services after installation often
leave Solaris systems vulnerable to exploitation. Common exploits on Solaris involve taking
advantage of enabled but unneeded services, making it relatively easy for testers to identify and
exploit them.
Password crackers are tools used in penetration testing to decrypt passwords or bypass
password protection. They operate by attempting various combinations, including words, phrases,
numbers, and symbols, until the correct password is identified. These tools are not limited to a
specific operating system and can be used on various platforms and applications.
While password crackers can be useful for administrators to recover lost passwords or assess the
effectiveness of password policies, they can also be misused for malicious purposes. Algorithmic-
based attacks have emerged, where the system's algorithm is reverse-engineered to quickly crack
passwords.
Although password cracking tools often focus on Microsoft Windows and its applications, any
system can be vulnerable. During penetration tests, password crackers are commonly used to assess
the strength of password security across an organization. If successful, a hacker could gain
unauthorized access to critical systems and potentially cause significant damage.
Rootkits are malicious tools or programs installed by hackers on a compromised system. They
pose a significant threat to system administrators due to their ability to remain undetected and
provide unauthorized access to the system.
A rootkit allows hackers to maintain remote access, run services covertly, and hide their activities. It
typically includes components like backdoor daemons, network sniffers, and log cleanup scripts. By
replacing system binaries, rootkits make it difficult for monitoring tools and administrators to detect
their presence.
During a penetration test, testers may install rootkits to assess their ability to infiltrate systems and
evade detection. They may also utilize password cracking tools to gain initial access before installing
the rootkit.
Linux rootkits, such as the T0rn rootkit and the lion worm, have been prevalent in the past. File
integrity checkers like Tripwire are commonly used to identify system changes caused by rootkits.
Detecting and removing rootkits is crucial to maintaining system security.
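Replaced system binaries are exactly what a file integrity checker such as Tripwire catches, so the following added example (not from the original notes, and not Tripwire's own code) takes a digest baseline of a constructed "bin" directory, simulates a rootkit swapping ls and ps and dropping a sniffer, and reports the differences.

```python
"""A minimal file-integrity check of the kind Tripwire performs.

Added example, not from the original notes or from Tripwire itself: it
records a baseline of SHA-256 digests for a set of "system binaries",
then reports files that were replaced, removed or added, which is how a
rootkit's swapped binaries show up. The files live in a temporary
directory constructed here, not in a real /bin.
"""
import hashlib
import os
import tempfile

def digest(path):
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def baseline(root):
    """Map each regular file under root (relative, '/'-separated) to its digest."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = digest(full)
    return snap

def compare(before, after):
    """Return sorted lists of modified, removed and added paths."""
    return {
        "modified": sorted(p for p in before if p in after and before[p] != after[p]),
        "removed": sorted(p for p in before if p not in after),
        "added": sorted(p for p in after if p not in before),
    }

def demo():
    """Build a fake bin directory, take a baseline, simulate a rootkit
    replacing ls and ps and dropping a sniffer, then diff the two."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "bin")
        os.makedirs(bindir)
        for name in ("ls", "ps", "netstat", "login"):
            with open(os.path.join(bindir, name), "wb") as f:
                f.write(b"original " + name.encode())
        before = baseline(root)
        # Constructed tampering: trojaned ls/ps that would hide the
        # intruder's files and processes, plus a new sniffer binary.
        for name in ("ls", "ps"):
            with open(os.path.join(bindir, name), "wb") as f:
                f.write(b"trojaned " + name.encode())
        with open(os.path.join(bindir, "sniffer"), "wb") as f:
            f.write(b"capture traffic")
        after = baseline(root)
        return compare(before, after)

if __name__ == "__main__":
    print(demo())
```

The baseline and the checker itself must be stored off the host (or on read-only media), since a rootkit that replaces the hashing tool or the kernel can feed the checker whatever it wants.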
APPLICATIONS
Applications play a crucial role in penetration testing as they can introduce vulnerabilities to a
system. There are three main types of applications assessed during penetration tests: web
applications, distributed applications, and customer applications.
Web Applications:
1. CGI Script Vulnerabilities: Exploiting vulnerabilities in CGI scripts to gain unauthorized access or
execute malicious commands.
2. ActiveX Concerns: Addressing security concerns related to ActiveX and ensuring secure browser
settings.
Distributed Applications:
1. Database Server Exploitation: Assessing vulnerabilities in database servers that store sensitive
data, such as HR or financial information.
2. Access Control Testing: Ensuring proper access controls between departments and preventing
unauthorized access to sensitive information.
Customer Applications:
1. Secure Web-Database Communication: Separating web servers and database servers, typically
using a firewall, and implementing secure communication protocols.
2. Database Server Exploitation: Targeting vulnerabilities in database servers that store customer
information to gain unauthorized access.
Wardialing is an attack method that involves dialing phone numbers to find systems that can be
exploited for unauthorized access. It was particularly effective before the widespread use of VPNs.
Modems used for remote access, including those owned by customers and provided by service
providers, can be vulnerable to attacks if not properly secured. For example, printers with modems
may have default usernames and passwords that remain unchanged, providing an entry point for
hackers. Employees who install modems for personal remote access can also create vulnerabilities if
not configured correctly. Conducting a wardialing test requires software, a modem, a phone line,
and a list of numbers to dial. However, precautions should be taken to avoid generating alarms or
causing disruptions. It is essential to recognize the ongoing risk posed by modems and ensure they
are properly managed and secured.
1. Randomize: Sequential dialing of numbers should be avoided to prevent detection. Phreakers and
phone companies are aware of this practice, so it's important to use software that can randomize
the numbers dialed.
2. After Hours: Wardialing should be conducted during off-peak hours or overnight to minimize
disruptions to people using the phone lines and to avoid causing any inconvenience.
3. Take Your Time: Even though wardialing software can dial multiple numbers quickly, it's advisable
to spread the test over several days to avoid raising suspicion from the target organization or the
phone company. Rapidly dialing a large number of numbers from a single line can trigger alarms.
By following these precautions, wardialing tests can be conducted more effectively and reduce the
chances of detection or causing unnecessary disruptions.
1. Number Scanning: The wardialing tool dials a range of phone numbers and logs those connected
to computers, fax machines, or modems. Busy signals are retried until a connection is established or
a predetermined number of attempts is reached.
2. System Type Scanning: Identified systems are categorized based on their type, such as fax
machines or fax modems that may provide terminal access. The investigative process focuses on
specific numbers based on their potential for exploitation.
3. Banner Collection: When a connection is established with a modem tone, the system may provide
a banner indicating its type and status. This information helps in further assessing the target system.
4. Default Access: In some cases, systems may be configured to allow access without requiring a
password, often for maintenance purposes or due to poor configurations. The wardialing tool checks
for such instances of default access.
5. Brute Force: If a username and password combination is required, the tool performs a brute force
attack by testing a collection of commonly used passwords sequentially until one works. It may also
iterate through character sets and password lengths to crack the password.
Wardialing tools can identify different tones received during a call, such as fax machines, modems,
or modems acting as fax machines. The tool may attempt to switch a fax modem to terminal mode
to facilitate access. Once a connection is established and a suitable protocol is determined (e.g.,
telnet, terminal emulators, remote desktop), the remote system is identified, and the attack process
begins.
These steps allow the tester to identify potential vulnerabilities and gain access to systems during a
wardialing session.
NETWORK
In a penetration test, it is crucial to assess and exploit network devices that play a critical role in the
organization's overall security. This includes routers and gateways that control communication
between different networks, such as the Internet, intranet, and extranet.
PERIMETER
The perimeter of a network, which protects it from external entities, is typically secured using
firewalls. During a penetration test, the configuration of firewalls is closely examined to ensure they
are properly configured. Compartmentalization of firewall interfaces is essential, with separate
segments for the DMZ (hosting Internet applications) and internal network. Prohibiting unnecessary
services through the firewall is another important aspect, as allowing vulnerable services can pose a
high-level threat to the organization.
NETWORK NODES
Routers are key network devices used for network access. During a penetration test, several
characteristics of routers need to be evaluated. These include inspecting traffic on the TCP/IP layer
with packet filters, dropping malformed or fragmented packets, implementing Network Address
Translation (NAT) to hide IP addresses, and disabling source routing of packets to prevent attacks
from the Internet. Access to routers should also be secured, preferably using username/password or
two-factor authentication methods.
Additionally, the presence of modems attached to routers should be identified and assessed during a
wardialing exercise, as they can potentially provide unauthorized access to the network.
By thoroughly evaluating and testing network devices, potential vulnerabilities and security
weaknesses can be identified, enabling organizations to enhance their network security and mitigate
risks.
Out of syllabus
SERVICES
Almost every service available to administrators has vulnerabilities associated with it. It is crucial to
identify and assess these services during a penetration test. Proper understanding of the system's
functionality helps avoid testing unnecessary services. Tools like NMAP, Nessus, and ISS scanner can
be used to identify the services running on systems.
Many operating systems install and start unnecessary services by default. These services may not be
required for the system to function properly. It is recommended to create a standard base build for
both UNIX and Windows systems, disabling unnecessary services. This helps simplify security tasks
and identify systems running vulnerable services.
WINDOWS PORTS
Windows network shares, facilitated by the Server Message Block (SMB) and Common Internet File
System (CIFS) protocols, allow file sharing across networks. It is important to assess whether file
sharing is necessary and configure it securely. Blocking ports used for Windows sharing (TCP/UDP
137-139 and TCP/UDP 445) at the network perimeter is recommended.
Null Connection
Windows products have a default "null" connection called IPC$, which allows any Microsoft
computer to access the "C:" drive. This poses a security risk as it can provide unauthorized access to
the system. Disabling this null connection is recommended.
Remote Procedure Call (RPC) is a service that allows programs on one system to execute
procedures on another system. Exploiting RPC services can provide a hacker with root access to the
system. Checking that RPC ports (TCP 111 and loopback TCP/UDP 32770-32789) are blocked at the
network perimeter helps prevent exploitation.
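The perimeter blocks recommended for Windows sharing and RPC above are easy to get almost right, so the following added example (not from the original notes) audits a constructed first-match ruleset against those exact port ranges and lists every port left open; the ruleset format is an assumption, not any real firewall's syntax.

```python
"""Audit a perimeter filter ruleset against the blocks these notes recommend.

Added example, not part of the original notes: the port ranges come from
the notes (Windows sharing on TCP/UDP 137-139 and 445, RPC on TCP 111 and
TCP/UDP 32770-32789); the ruleset format and the sample rules are
constructed for illustration, not any real firewall's syntax.
"""

# Blocks the notes recommend at the network perimeter: (protocol, low, high).
REQUIRED_BLOCKS = [
    ("tcp", 137, 139), ("udp", 137, 139),
    ("tcp", 445, 445), ("udp", 445, 445),
    ("tcp", 111, 111),
    ("tcp", 32770, 32789), ("udp", 32770, 32789),
]

# Constructed ruleset, evaluated first-match-wins, top to bottom.
# Each rule: (action, protocol, low_port, high_port). "any" matches both protocols.
SAMPLE_RULES = [
    ("deny", "tcp", 137, 139),
    ("deny", "udp", 137, 139),
    ("deny", "tcp", 445, 445),        # UDP 445 is never blocked below
    ("deny", "tcp", 111, 111),
    ("allow", "tcp", 32775, 32775),   # a hole punched in the RPC range
    ("deny", "any", 32770, 32789),
    ("allow", "any", 1, 65535),       # default allow
]

def decision(rules, proto, port):
    """Return the action of the first rule matching (proto, port)."""
    for action, rproto, low, high in rules:
        if rproto in (proto, "any") and low <= port <= high:
            return action
    return "allow"  # constructed default: no match falls through to allow

def find_gaps(rules, required=REQUIRED_BLOCKS):
    """Return every (proto, port) in the required ranges that the ruleset
    does not deny. An empty list means the perimeter matches the notes."""
    gaps = []
    for proto, low, high in required:
        for port in range(low, high + 1):
            if decision(rules, proto, port) != "deny":
                gaps.append((proto, port))
    return gaps

def report(rules):
    """Human-readable summary used when running the file directly."""
    gaps = find_gaps(rules)
    if not gaps:
        return "all recommended perimeter blocks are in place"
    return "not blocked: " + ", ".join(f"{p}/{n}" for p, n in gaps)

if __name__ == "__main__":
    print(report(SAMPLE_RULES))
```

Checking port by port rather than rule by rule is what catches the single-port allow sitting above a range deny, a pattern that reads as "blocked" on a quick visual review.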
SNMP is extensively used for remote monitoring and configuration of TCP/IP-enabled devices.
However, SNMP communication is often unencrypted, allowing hackers to gather valuable
information. It is crucial to configure SNMP properly, changing default community strings and
implementing secure access controls.
BIND is a commonly targeted application used for domain name service. Vulnerabilities in BIND can
lead to system compromise or information extraction. Keeping BIND up to date with the latest
versions and patches, running it as a nonprivileged account, and configuring it in a secure
environment are recommended.
COMMON GATEWAY INTERFACE (CGI)
CGI scripts used by web servers for various purposes can pose security risks if not configured
correctly. Improper permissions or execution of CGI programs can be exploited by hackers. Ensuring
proper configuration and security of CGI scripts is important to prevent unauthorized access and
execution.
By addressing vulnerabilities in these areas, organizations can enhance their network and system
security and protect against potential attacks.