Menu > Articles de la revue de presse : - l'ensemble [tous | francophone] - par mots clé [tous] - par site [tous] - le tagwall [voir] - Top bi-hebdo de la revue de presse [Voir]

---

S'abonner au fil RSS global de la revue de presse

---

Présentation : Looking at the basics of network testing, user enumeration is critical. If we can get usernames, access is only a hop skip and a jump away. Well, perhaps only a decent dictionary brute-force away. The thing is how do we get these usernames A few basic network pentesting tricks are listed here. Also, as a lot of user names are predictable combinations such as a combination of first and last names, and initials it can be fun to find amusing user names on a network. Simple User Name Enumeration Time to start with some of the simple stuff, SNMP Simple Network Management Protocol . Some interesting MIBs Management Information Base that result in user enumeration are Solaris PROCESS USERNAMES 1.3.6.1.4.1.42.3.12.1.1.8 nix in general MOUNTPOINTS 1.3.6.1.2.1.25.2.3.1.3 RUNNING SOFTWARE PATHS 1.3.6.1.2.1.25.4.2.1.4 Windows Windows INSTALLED SOFTWARE 1.3.6.1.2.1.25.6.3.1.2 Windows USERS 1.3.6.1.4.1.77.1.2.25 Windows SHARES 1.3.6.1.4.1.77.1.2.27 The MIBs listed above give away usernames. Some are obvious. The ones that are less obvious are RUNNING SOFTWARE PATHS and in Windows INSTALLED SOFTWARE these may disclose information in the path names as shown below .1.3.6.1.2.1.25.4.2.1.4.739 STRING usr bin login .1.3.6.1.2.1.25.4.2.1.4.740 STRING bin bash .1.3.6.1.2.1.25.4.2.1.4.749 STRING home auser tail As we can see, the user name auser is disclosed if the full path of the running binary is used. Remember this works only if the user has used the full path to run the process. The snmpwalk tool is a good place to start for enumerating SNMP data out of a host. There is also the small matter of the community string you ll also need, however in many cases you can go with the defaults and get information back. Changing these from the default is often overlooked when SNMP is enabled on servers. Print My User Name Web and telnet interfaces on printers are often unauthenticated, unencrypted or use default or weak passwords. It is often possible to connect to these repositories of information leakage and grab document names, share locations, and most importantly user names. As a lot of printers have no lockout controls, even if admin account passwords have been changed you can often brute force passwords on these safely. If we can gain admin access to the printer, there may be other interesting options available as well. In one case, we came across an option to fax a copy of every document printed to a number of our choice. Old Problems Never Die Username enumeration on a Windows domain can be easy or a pain. On a box that accepts null connections we win. We can get the users and also the password policy, shares etc, and tools like enum and enum4linux still have a valuable place in the tool kit. But in a modern Windows AD domain don t forget the use of LDAP. If it is possible to use null binds via LDAP, tools like ldapenum.pl, ldp.exe and nmap script ldap-search are a good starting point to give you that user list. However, if you don t have null shares or anonymous bind then you may need to make authenticated connections to the domain to get the same data. This means that one bad password on the network is a foothold to accessing the rest of the domain. Research, Research, Research In a lot of Exchange environments the user s email address will contain their username. Robert Smith, for example, is rsmith pentestcompany.com - it s likely that rsmith is his login. But do remember that with common names this may not be the case. A lot of this kind of data can be gathered from company web pages or Intranet sites . or even bouncing a couple of emails into the organisation can work for this. If the company has an internal anonymously accessible wiki this can be a nice resource as well. Listen, Did You Smell That Sniffing network traffic can also help out with delivering those user names. You may even get those passwords you re looking for - never discount the amount of clear text protocols that are still in use. Also many companies will use TLS SSL on their public web sites, but not encrypt internally. I Never Metadata I Didn t Like In Office documents the metadata will contain, amongst other things, the name of the user who created that document. If we know the schema, this can give you the username. Also if the company writes Silverlight or .NET applications, then decompilation can give you pathnames, again with valid usernames. Now Pay Attention 007 There is a reason to wear headphones with no music playing. If you are sitting onsite amongst IT Staff or developers you may hear the phrase What user should I log on as around you. If you are lucky they may even shout out passwords. Also there is the old tried and true method of just asking. Some call it social engineering but that s a topic for another post. Sharing Your Toys So you find a file share. Now there are lots of awesome things you can do SMB relay attacks, trojan documents, DLL injection if some one is dumb enough to share the wrong thing . But one of the other things you can do when a domain user visits the share is have a file there that points back to us. This could be an image in the document, a second embedded document in our Excel sheet that we host , or a malicious shortcut file with an icon on our machine. When they access this, a bit of metasploit SMB sniffing and we can get the username as well as NTHASH and if they are using it the LMHASH. Guess Who - Are You bin On smtp, ftp, and ssh there have been ways to brute force out usernames. This is ok, but is really dependant on the list of usernames you start with. In the spirit of recycling, never throw anything away - every time you gather a name, put it in a file. Next time you have a chance to brute-force out names on an SMTP server via RCPT EXPN and VRFY you will have a good starting point. Go Wide So you ve got your big list of users Now we take a big dictionary and hit go - lock out the accounts and get asked to leave OR perhaps there is a better way Time to chose a common password and wide-band it across all the accounts. A usual rule is to assume they lock the accounts after 3 failed attempts. So we could choose 2 candidate passwords and try those. If you haven t found anything at all about the password policy before this stage, now would be a good time to do it. When we know what we can risk, we can make the call and do some brute forcing. For me, Medusa is my brute forcer of choice. A nice feature is that Medusa that will let you look for Joe Logins as well as blank passwords. The nice thing about this one is the tool is modular and supports a large list of protocols. So now from a big list of users we send out 2 passwords per user per hour day week. Eventually we get a hit. Next we can use this authenticated access to get more user names and start the brute force loop again. Voila

Les mots clés de la revue de presse pour cet article : network
Les videos sur SecuObs pour les mots clés : network
Les mots clés pour les articles publiés sur SecuObs : network
Les éléments de la revue Twitter pour les mots clé : network





Les derniers articles du site "GDS Blog" :

- When Domain Admin Is Not Enough
- AlienVault OSSIM 4.2 - Enabling Custom Install
- Porting Existing Security Tools to IronWASP Modules
- Avoiding Residual SSH Keys on Ubuntu AMIs
- Using Nessus to Audit VMware vSphere Configurations
- Retrofitting Code for Content Security Policy
- Writing an XSS Worm
- Network Testing 101 If Your Name's Not Down, You're Not Getting In
- Retrieving Crypto Keys via iOS Runtime Hooking
- Exploiting the Pizza Thief

---

S'abonner au fil RSS global de la revue de presse

---