CEH_ Official Certified Ethical Hacker Review Guide_ Exam 312-50 - Kimberly Graves [32]
SNMP has two passwords you can use to access and configure the SNMP agent from the management station. The first is called a read community string. This password lets you view the configuration of the device or system. The second is called the read/write community string; it's for changing or editing the configuration on the device. Generally, the default read community string is public and the default read/write community string is private. A common security loophole occurs when the community strings are left at the default settings: A hacker can use these default passwords to view or change the device configuration.
Hacking Tools
SNMPUtil and IP Network Browser are SNMP enumeration tools.
SNMPUtil gathers Windows user account information via SNMP on Windows systems. Information such as routing tables, ARP tables, IP addresses, MAC addresses, TCP and UDP open ports, user accounts, and shares can be read from a Windows system that has SNMP enabled using the SNMPUtil tool.
IP Network Browser from the SolarWinds toolset also uses SNMP to gather more information about a device that has an SNMP agent.
If you have any questions about how easy it is to locate the default passwords of devices, look at the website www.defaultpassword.com.
SNMP Enumeration Countermeasures
The simplest way to prevent SNMP enumeration is to remove the SNMP agent on the potential target systems or turn off the SNMP service. If shutting off SNMP isn't an option, then change the default read and read/write community names.
In addition, an administrator can implement the Group Policy security option Additional Restrictions For Anonymous Connections, which restricts SNMP connections.
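The countermeasure above comes down to two checks an administrator can automate: no community string is still at its default, and no read or read/write string is reachable from any source. The following is an added example, not from the book or any vendor tool; it assumes the net-snmp snmpd.conf directive syntax (rocommunity/rwcommunity, community string, optional source) and audits a constructed sample configuration.

```python
"""Audit SNMP agent configuration for default or unrestricted community strings."""
import re

# The defaults the text names: "public" (read) and "private" (read/write).
DEFAULT_COMMUNITIES = {"public", "private"}

# Assumed net-snmp syntax: rocommunity/rwcommunity (and IPv6 variants), the
# community string, then an optional source restriction (host or CIDR range).
_DIRECTIVE = re.compile(
    r"^\s*(?P<directive>r[ow]community6?)\s+(?P<community>\S+)(?:\s+(?P<source>\S+))?",
    re.IGNORECASE,
)

# Constructed sample configuration (not from any real device).
SAMPLE_CONFIG = """\
# constructed snmpd.conf sample
rocommunity public
rwcommunity private
rocommunity Ab3-monitor-2024 10.10.5.0/24
rwcommunity Kq9-netmgmt-rw 10.10.5.7
"""


def audit_snmp_config(config_text):
    """Return one finding per community directive that is default or unrestricted."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        match = _DIRECTIVE.match(line)
        if not match:
            continue  # comments and unrelated directives do not match
        directive = match.group("directive").lower()
        community = match.group("community")
        source = match.group("source")
        if source is not None and source.startswith("-"):
            source = None  # "-V view" is a view option, not a source restriction
        access = "read/write" if directive.startswith("rw") else "read-only"
        issues = []
        if community.lower() in DEFAULT_COMMUNITIES:
            issues.append("default community string")
        if source is None or source.lower() == "default":
            issues.append("no source restriction")  # "default" in net-snmp means any source
        if issues:
            # A weak read/write string lets an attacker change the configuration,
            # so it is rated higher than a weak read-only string.
            severity = "high" if access == "read/write" else "medium"
            findings.append({"line": lineno, "directive": directive, "community": community,
                             "access": access, "issues": issues, "severity": severity})
    return findings


if __name__ == "__main__":
    for finding in audit_snmp_config(SAMPLE_CONFIG):
        print(finding)
```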
Windows 2000 DNS Zone Transfer
In a Windows 2000 domain, clients use service (SRV) records to locate Windows 2000 domain services, such as Active Directory and Kerberos. This means every Windows 2000 Active Directory domain must have a DNS server for the network to operate properly.
A simple zone transfer performed with the nslookup command can enumerate lots of interesting network information. The command to enumerate using the nslookup command is as follows:
nslookup ls -d domainname
Within the nslookup results, a hacker looks closely at the following records, because they provide additional information about the network services:
■ Global Catalog service (_gc._tcp)
■ Domain controllers (_ldap._tcp)
■ Kerberos authentication (_kerberos._tcp)
As a countermeasure, zone transfers can be blocked in the properties of the Windows DNS server.
An Active Directory database is a Lightweight Directory Access Protocol (LDAP) based database. This allows the existing users and groups in the database to be enumerated with a simple LDAP query. The only thing required to perform this enumeration is to create an authenticated session via LDAP. A Windows 2000 LDAP client called the Active Directory Administration Tool (ldp.exe) connects to an Active Directory server and identifies the contents of the database. You can find ldp.exe on the Windows 2000 CD-ROM in the Support\Reskit\Netmgmt\Dstool folder.
To perform an Active Directory enumeration attack, a hacker performs the following steps:
1. Connect to any Active Directory server using ldp.exe on port 389. When the connection is complete, server information is displayed in the right pane.
2. On the Connection Menu, choose to authenticate. Type the username, password, and domain name in the appropriate boxes. You can use the Guest account or any other domain account.
3. Once the authentication is successful,