Certified Ethical Hacker Cert Guide: Enumeration and System Hacking

Date: Dec 18, 2013


This chapter provides review basics and sample questions covering the topics of Enumeration (counting off or listing what services, applications, and protocols are present on each identified computer) and System Hacking (gaining access, escalating privileges, maintaining control, and covering tracks) to help you prepare for the Certified Ethical Hacker exam.

This chapter introduces Windows enumeration and system hacking. It gives you the knowledge you need to prepare for the Certified Ethical Hacker exam, and it broadens your knowledge of Windows security controls and weaknesses. However, this chapter addresses only the basic information, as it would require an entire book to cover all Windows hacking issues. If you are seriously considering a career as a penetration tester, this chapter should whet your appetite for greater knowledge.

The chapter begins by introducing enumeration and the kinds of information it can uncover. Enumeration is the final pre-attack phase, in which you probe for usernames, system roles, account details, open shares, and weak passwords. The chapter also reviews some basics of Windows architecture, including Windows users and groups. The last topic is system hacking: the tools and techniques used to gain access to computer systems. Although many of the tools introduced are specific to Windows, the steps are the same on any platform, as Chapter 5, “Linux and Automated Assessment Tools,” shows when Linux is discussed.

“Do I Know This Already?” Quiz

The “Do I Know This Already?” quiz enables you to assess whether you should read this entire chapter thoroughly or jump to the “Exam Preparation Tasks” section. If you are in doubt about your answers to these questions or your own assessment of your knowledge of the topics, read the entire chapter. Table 4-1 lists the major headings in this chapter and their corresponding “Do I Know This Already?” quiz questions. You can find the answers in Appendix A, “Answers to the ‘Do I Know This Already?’ Quizzes and Review Questions.”

Table 4-1 “Do I Know This Already?” Section-to-Question Mapping

| Foundation Topics Section | Questions |
|---|---|
| Enumeration | 2, 3, 4, 5, 10 |
| System Hacking | 1, 6, 7, 8, 9 |

  1. Which of the following is considered a nontechnical attack?

    1. Password sniffing
    2. Dumpster diving
    3. Password injection
    4. Software keylogger
  2. A RID of 500 is associated with what account?

    1. A user account
    2. The first user account
    3. The guest account
    4. The administrator account
  3. During enumeration, what port may specifically indicate SMB on a Windows computer?

    1. 110
    2. 111
    3. 389
    4. 445
  4. During enumeration, what port may specifically indicate portmapper on a Linux computer?

    1. 110
    2. 111
    3. 389
    4. 445
  5. Which of the following is a tool commonly used for enumeration?

    1. GetAcct
    2. John
    3. LCP
    4. IAM tool kit
  6. Which type of password cracking makes use of the space/time memory trade-off?

    1. Dictionary attack
    2. Rainbow table
    3. Rule
    4. Hybrid
  7. The second layer of security on the SAM file is known as what?

    1. Encoding
    2. Obscuring
    3. SYSKEY
    4. Salting
  8. Windows passwords that are stored in seven-character fields are known as what?

    1. NTLMv2
    2. Kerberos
    3. Salted
    4. LAN Manager
  9. Which of the following matches the common padding found on the end of short Windows passwords?

    1. 1404EE
    2. EE4403
    3. EEEEEE
    4. 1902DD
  10. If you were going to enumerate DNS, which of the following tools could be used?

    1. Route print
    2. ARP -A
    3. Nslookup
    4. IPconfig

Exam Preparation Tasks

As mentioned in the section “How to Use This Book” in the Introduction, you have a couple of choices for exam preparation: the exercises here; Chapter 14, “Final Preparation”; and the exam simulation questions on the CD-ROM.

Review All Key Topics

Review the most important topics in this chapter, noted with the Key Topic icon in the outer margin of the page. Table 4-6 lists a reference of these key topics and the page numbers on which each is found.

Table 4-6 Key Topics for Chapter 4

| Key Topic Element | Description | Page Number |
|---|---|---|
| Section | Explains how enumeration works | 140 |
| Table 4-2 | User ID and corresponding RID code | 142 |
| Table 4-3 | Microsoft key ports and protocols | 143 |
| Section | Explains how system hacking works | 151 |
| Section | Explains how ADS works | 163 |

Define Key Terms

Define the following key terms from this chapter and check your answers in the glossary:

Command Reference to Check Your Memory

The CEH exam focuses on practical, hands-on skills that are used by a security professional. Therefore, you should be able to identify common net use commands.

Table 4-7 net use Commands

| Task | Command Syntax |
|---|---|
| Null session | `net use \\ip_address\ipc$ "" /u:""` |
| Map a drive | `net use * \\ip_address\share * /u:username` |
| View open shares | `net view \\ip_address` |
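Whether the null session command in Table 4-7 is accepted depends on a handful of registry values on the target. The following script is an added example, not from the book, that reads those values and compares them with a hardened baseline; it also checks the NoLMHash setting that stops the LM hash from being stored beside the NT hash. It assumes a Windows PowerShell 5.1 session on the host being audited, and the baseline values follow Microsoft's usual hardening guidance for these settings rather than anything stated in the chapter.

```powershell
# Added example, not from the book: compare the registry values that govern
# anonymous (null session) access and LM hash storage against a hardened baseline.
# Assumptions: Windows PowerShell 5.1 on the host being audited; the "Hardened"
# values are the common Microsoft hardening guidance, not a setting the chapter states.

function Test-NullSessionHardening {
    $lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $server = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

    # Setting name, registry key, hardened value, and what the value controls.
    $checks = @(
        @{ Name = 'RestrictAnonymous';         Key = $lsa;    Want = 1; Governs = 'anonymous listing of shares and account names' }
        @{ Name = 'RestrictAnonymousSAM';      Key = $lsa;    Want = 1; Governs = 'anonymous enumeration of SAM accounts' }
        @{ Name = 'EveryoneIncludesAnonymous'; Key = $lsa;    Want = 0; Governs = 'Everyone-group permissions applied to anonymous users' }
        @{ Name = 'RestrictNullSessAccess';    Key = $server; Want = 1; Governs = 'null session access to the Server service' }
        @{ Name = 'NoLMHash';                  Key = $lsa;    Want = 1; Governs = 'storing the weak LM hash beside the NT hash' }
    )

    foreach ($c in $checks) {
        # Get-ItemProperty returns nothing when the value is absent; the operating-system
        # default then applies, which is flagged for review rather than assumed safe.
        $item = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
        $have = if ($null -ne $item) { $item.($c.Name) } else { $null }

        $current = if ($null -eq $have) { '(not set)' } else { $have }
        $status  = if ($null -ne $have -and $have -eq $c.Want) { 'OK' } else { 'REVIEW' }

        [pscustomobject]@{
            Setting  = $c.Name
            Current  = $current
            Hardened = $c.Want
            Status   = $status
            Governs  = $c.Governs
        }
    }
}

# Run the audit and print one row per setting.
Test-NullSessionHardening | Format-Table -AutoSize
```

Any row marked REVIEW is a setting where the host either still uses the operating-system default or has been explicitly relaxed; RestrictAnonymous and RestrictAnonymousSAM are the two that most directly decide whether an anonymous `net use` to IPC$ yields share and account information.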

Exercise

4.1 NTFS File Streaming

By using NTFS file streaming, you can effectively hide files in an NTFS environment.

Estimated Time: 15 minutes.

  1. Download Sfind and LNS—two good NTFS file streaming programs. Sfind is at www.antiserver.it/Win%20NT/Security/download/ForensicToolkit14.exe, and LNS is at www.ntsecurity.nu/toolbox/lns/.
  2. Create a temporary folder on the root of your NTFS drive. Name the folder test, or give it another suitable name.
  3. Copy notepad.exe into the test folder and rename it hack.exe. This file stands in for a hacking tool.
  4. Next, create a text file called readme.txt. Place some text inside the readme file; something like “hello world” will work.
  5. Open a command prompt and change directories to place yourself in the test folder. By performing a directory listing, you should see two files: hack.exe and readme.txt. Record the total free space shown after the directory listing: _______
  6. From the command line, issue the following command:

    type hack.exe > readme.txt:hack.exe
  7. Now run a directory listing again and record the free space results: __________________
  8. Has anything changed? You should have noticed that free space has been reduced. That is because you streamed hack.exe behind readme.txt.
  9. Execute the following from the command line:

    start c:\test\readme.txt:hack.exe
  10. Did you notice what happened? Your hacked file, notepad.exe, should have popped open on the screen. The file is completely hidden, as it is streamed behind readme.txt.
  11. Finally, run both Sfind and LNS from the command line. Both programs should detect the streamed file hack.exe. File streaming is a powerful way to hide information and make it hard to detect.
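Sfind and LNS are third-party tools; Windows PowerShell can do the same detection natively. The script below is an added example, not from the book or from either tool: it walks a folder, lists every alternate data stream other than the default `:$DATA` stream, and reads the first two bytes of each hidden stream to flag the ones that begin with the `MZ` signature of a Windows executable, as readme.txt:hack.exe does after step 6. It assumes Windows PowerShell 5.1 on an NTFS volume (PowerShell 7 replaces `-Encoding Byte` with `-AsByteStream`), and the `C:\test` path is the constructed folder from the exercise.

```powershell
# Added example, not from the book or from Sfind/LNS: enumerate alternate data
# streams (ADS) under a folder and flag streams that hold an executable.
# Assumptions: Windows PowerShell 5.1 on an NTFS volume (PowerShell 7 uses
# -AsByteStream instead of -Encoding Byte); C:\test is the exercise folder.

function Test-StreamIsExecutable {
    param([string]$File, [string]$Stream)
    try {
        # Read only the first two bytes of the named stream. Every Windows executable
        # starts with 'MZ' (0x4D 0x5A), so a text file carrying such a stream stands out.
        $bytes = Get-Content -LiteralPath $File -Stream $Stream -Encoding Byte -TotalCount 2 -ErrorAction Stop
        return ($bytes.Count -eq 2 -and $bytes[0] -eq 0x4D -and $bytes[1] -eq 0x5A)
    } catch {
        return $false
    }
}

function Find-AlternateDataStreams {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Zone.Identifier streams are written by browsers on downloaded files and are
        # normally benign, so they are skipped unless explicitly requested.
        [switch]$IncludeZoneIdentifier
    )

    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # -Stream * returns one record per stream, including the default ':$DATA' stream.
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
        } |
        Where-Object {
            $_.Stream -ne ':$DATA' -and
            ($IncludeZoneIdentifier -or $_.Stream -ne 'Zone.Identifier')
        } |
        ForEach-Object {
            [pscustomobject]@{
                File       = $_.FileName
                Stream     = $_.Stream
                Bytes      = $_.Length
                Executable = Test-StreamIsExecutable -File $_.FileName -Stream $_.Stream
            }
        }
}

# Audit the exercise folder (constructed path) and print one row per hidden stream.
Find-AlternateDataStreams -Path 'C:\test' | Format-Table -AutoSize
```

Run against the exercise folder, the output should show readme.txt with a stream named hack.exe whose size matches notepad.exe and whose Executable column is True, which is the same finding Sfind and LNS report in step 11. Pointing the function at a whole volume turns it into a periodic sweep for hidden executables.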

Review Questions

  1. How can you determine whether an LM hash you extracted contains a password that is fewer than eight characters long?

    1. There is no way to tell because a hash cannot be reversed.
    2. The rightmost portion of the hash is always the same.
    3. The hash always starts with AB923D.
    4. The leftmost portion of the hash is always the same.
  2. Which of the following is a well-known password-cracking program?

    1. L0phtcrack
    2. Netcat
    3. Jack the Ripper
    4. NetBus
  3. What did the following commands determine?

    C:\>user2sid \\truck guest
    S-1-5-21-343818398-789336058-1343024091-501
    C:\>sid2user 5 21 343818398 789336058 1343024091 500
    Name is Joe
    Domain is Truck
    1. These commands demonstrate that the Joe account has a SID of 500.
    2. These commands demonstrate that the guest account has not been disabled.
    3. These commands demonstrate that the guest account has been disabled.
    4. These commands demonstrate that the true administrator is Joe.
  4. What is the RID of the true administrator?

    1. 0
    2. 100
    3. 500
    4. 1000
  5. What is the best alternative if you discover that a rootkit has been installed on one of your computers?

    1. Copy the system files from a known good system.
    2. Perform a trap and trace.
    3. Delete the files and try to determine the source.
    4. Rebuild from known good media.
  6. To increase password security, Microsoft added a second layer of encryption. What is this second layer called?

    1. Salt
    2. SYSKEY
    3. SYS32
    4. SAM
  7. SNMP is a protocol used to query hosts and other network devices about their network status. One of its key features is its use of network agents to collect and store management information, such as the number of error packets received by a managed device. Which of the following makes it a great target for hackers?

    1. It’s enabled by all network devices by default.
    2. It’s based on TCP.
    3. It sends community strings in cleartext.
    4. It is susceptible to sniffing if the community string is known.
  8. Which of the following is the best way to prevent the use of LM authentication on your legacy Windows 2003 servers?

    1. Use the LMShut tool from Microsoft.
    2. Use the NoLMHash Policy by Using Group Policy.
    3. Disable Lsass in Windows 2003.
    4. Use a password that is at least 10 characters long.
  9. Which of the following tools can be used to clear the Windows logs?

    1. Auditpol
    2. ELSave
    3. PWdump
    4. Cain and Abel
  10. What is one of the disadvantages of using John the Ripper?

    1. It cannot crack NTLM passwords.
    2. It separates the passwords into two separate halves.
    3. It cannot differentiate between uppercase and lowercase passwords.
    4. It cannot perform brute-force cracks.
  11. You found the following command on a compromised system:

    type nc.exe > readme.txt:nc.exe

    What is its purpose?

    1. This command is used to start a Netcat listener on the victim’s system.
    2. This command is used to stream Netcat behind readme.txt.
    3. This command is used to open a command shell on the victim with Netcat.
    4. This command is used to unstream Netcat.exe.
  12. Which of the following uses the faster time-memory trade-off technique and works by precomputing all possible passwords in advance?

    1. Rainbow tables
    2. Dictionary cracks
    3. Hybrid cracks
    4. Brute-force crack
  13. Why would an attacker scan for port 445?

    1. To attempt to DoS the NetBIOS SMB service on the victim system
    2. To scan for file and print sharing on the victim system
    3. To scan for SMB services and verify that the system is Windows 2000 or greater
    4. To scan for NetBIOS services and verify that the system is truly a Windows NT server
  14. You have downloaded a tool called SYSCracker, and you plan to use it to break SYSKEY encryption. The first thing the tool prompts you for is to set the level of SYSKEY encryption. How many bits are used for SYSKEY encryption?

    1. 40 bits
    2. 64 bits
    3. 128 bits
    4. 256 bits
  15. You are trying to establish a null session to a target system. Which is the correct syntax?

    1. net use \\IP_address\IPC$ "" /u:""
    2. net use //IP_address/IPC$ "" \u:""
    3. net use \\IP_address\IPC$ * /u:""
    4. net use \\IP_address\IPC$ * \u:""

Suggested Reading and Resources
