Security Laboratory

Security Laboratory

Security Laboratory: Methods of Attack Series

These papers introduce you to the most common attack methods against computer systems and networks and the basic strategies used to mitigate those threats.

Other Related Articles in Security Laboratory: Methods of Attack Series

Browsing and Enumeration

By Stephen Northcutt

"A resource enumeration attack is a type of attack in which an attacker is able to make the target host enumerate, or list, the various resources available on said host or network. Examples of these resources include user names and privileges, services, shares, policies, etc."[1] These have been available throughout the history of networking and the problem will probably grow as systems and networks become more complex. As Google continues its quest to index the world's information,[2] "By searching for default server page titles, for example, an attacker can find easily exploitable servers. Applications left in default modes can also be found by searching for error pages generated by the software. And searching for specific file names can pinpoint vulnerable servers connected to the Internet."[3] One tool that does this for web applications is Nikto, as Dr Johannes Ullrich[4] points out in his popular, Web Application Auditing Over Lunch paper.[5]

Web directory enumeration
Pentestmonkey shows "the simplest form of the directory-enumeration attack is to make a request for each directory name in turn from dictionary file of popular directory names. For each request, note the HTTP response code, e.g.

http://host/admin (401)
http://host/cgi-bin (403)
http://host/test (404)
http://host/logs (200)
http://host/awstats (404)
http://host/scripts (404)

The attacker figures out which HTTP response code to ignore (404 in this example). All directories which don't return a 404 can be assumed to exist."[6] In particular, we might be interested in the host/admin and cgi-bin directories.

The rpcinfo -p command determine whether that particular Remote Procedure Call (RPC) program is registered with either a TCP and a UDP port. If "portmapper" is not listed as registered with TCP and UDP port 111, it is possible that a third-party port mapper is installed. To show all of the RPC services registered on the machine named klaxon use:[7]

example% rpcinfo -p klaxon

Sample output might look like:[8]

Program     Version  Protocol  Port
100000 2 udp 111 portmapper
100000 2 tcp 111 portmapper
150001 1 udp 1035 pcnfsd
150001 2 udp 1035 pcnfsd
351455 1 tcp 852 mapsvc
351455 1 udp 857 mapsvc
351455 2 tcp 862 mapsvc
351455 2 udp 867 mapsvc
100004 2 udp 924 ypserv
100009 1 udp 929 yppasswdd
100004 2 tcp 934 ypserv
1073741824 1 udp 939
100005 1 udp 1048 mountd
100005 2 udp 1048 mountd
100005 3 udp 1048 mountd
100005 1 tcp 1048 mountd
100005 2 tcp 1048 mountd
100005 3 tcp 1048 mountd
100021 1 udp 1047 nlockmgr
100021 2 udp 1047 nlockmgr
100021 3 udp 1047 nlockmgr
100021 4 udp 1047 nlockmgr
100021 1 tcp 1047 nlockmgr
100021 2 tcp 1047 nlockmgr
100021 3 tcp 1047 nlockmgr
100021 4 tcp 1047 nlockmgr
100024 1 udp 1039 status
100024 1 tcp 1039 status
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
100003 2 tcp 2049 nfs
100003 3 tcp 2049 nfs

This gives a lot of information about where these programs are registerd on the system. When we did a Google search for mountd vulnerability[9] we found 40,300 results. It just might not be a good idea to let someone execute an rpcinfo -p against your systems.

One of the better sites on the Internet for enumeration attacks is Vulnerability Assessment, here is their description of finger.[10] A bonus when enumerating is finding port 79 open, notably used by the finger service. It may be possible to enumerate a number of valid user accounts and also the OS type by passing the following command against the remote host: finger 'a b c d e f g h'@target

Sample output:
Login Name TTY Idle When Where
root Super-User console <Dec 30 08:47> :0
daemon ??? < . . . . >
bin ??? < . . . . >
sys ??? < . . . . >
adm Admin < . . . . >
lp Line Printer Admin < . . . . >
smtp Mail Daemon User console <Dec 30 08:47> :0
uucp uucp Admin < . . . . >
nobody Nobody < . . . . >
noaccess No Access User < . . . . >
smith.j Dr J Smith - Directorate 7764 <Aug 15, 2005>
andrews.f Mr F Andrews - Accounts - < . . . . >
james.t Mr T James Personnel - pts/1 <Oct 15, 2005>
apache Apache Web Server < . . . . >

The output above would tell you the remote host is Unix based, is probably running a web server, (apache) and there are 5 accounts you might want to try a dictionary or brute force attack against, (root, smith.j, andrews.f, james.t and apache)

Enumeration attacks generally require being able to stimulate a target machine across a network and receive a response. Protections against such include perimeter defense, unix system hardening or windows system hardening to either not accept the stimulus ( or allow it to reach the target machine) or to quench the response. There are a large number of these enumeration methods, they usually account for a good part of a hacker techniques training course.

According to Johnny Long, "Google's ability to record Internet sites' content can be used to pinpoint those with weak security."[15] An intruder perpetrating a browse attack simply uses the access she already has to look around and see what's out there. An attacker might not even need to be a local user, especially in the case where a machine offers information to the world through web, FTP, or other public Internet services. As people become more skilled using search engines, a lot more information is becoming available to browsing.

As an example, the search, "intitle:index.of.config" leads to 463 web servers, a goodly number of them partly vulnerable, and the number one hit is shown below:

Index of /config/files/
Parent Directory/, -, Directory. apache/, 2007-Mar-28 19:14:58, -, Directory. bash/, 2007-Mar-28 19:24:00, -, Directory ... - 10k - Cached - Similar pages

We chose one directory, the Apache directory:

Index of /config/files/apache/

Name Last Modified Size Type
Parent Directory/ - Directory
apachegallery/ 2007-Jan-20 20:58:49 - Directory
block/ 2007-Mar-28 19:20:43 - Directory
htaccess/ 2007-Jan-20 20:58:49 - Directory
logrotate/ 2007-Jan-20 20:58:49 - Directory
apache2-installation.txt 2007-Jan-20 21:41:34 2.7K application/octet-stream

We chose one directory, the htaccess directory:

Index of /config/files/apache/htaccess/

Name Last Modified Size Type
Parent Directory/ - Directory
htaccess 2007-Jan-20 21:41:34 0.1K application/octet-stream
htpasswd 2007-Jan-20 21:41:34 0.1K application/octet-stream

And we think we will stop right here! The best source of these techniques is Johnny Long's web site, "I hack stuff".[16]

You can also find people, the following search, "intitle:"curriculum vitae" filetype:doc kauai", mostly yielded scholarly people that are giving papers at conventions on the island of Kauai, but they all probably have disposable income and most of the files list their contact information.[17]

You may think that browsing doesn't really count as an attack because it doesn't involve much in the way of technical knowledge or skill. We hope to convince you otherwise. There's a lot for an intruder to see on a typical system. If they're really lucky, they might find your company's secret business plans or the name and phone number of the CEO's mistress, but even less obviously critical information can be useful.

Most Windows machines let you browse the network to discover file servers, domain controllers, and printers you might be able to access. Under Unix, normal user accounts usually can get a lot of information about printers, file servers, and NIS servers. An attacker might be able to use all this information to map out possible trust relationships. In fact, the first phase of Mitnick's attack began with some simple enumeration (finger and rpcinfo -p) to see what information Shimomura's systems were willing to give away for free.