NTP, NFS and SMTP Enumeration


Administrators frequently overlook the Network Time Protocol (NTP) server when considering security. However, an attacker who queries it properly may be able to obtain useful network information from it. Remote file access is managed by the Network File System (NFS). Through NFS enumeration, attackers can obtain information including a list of clients connected to the NFS server, their IP addresses, and the exported folders. SMTP is frequently used with POP3 and IMAP in mail systems. Via the telnet prompt, attackers can communicate directly with SMTP and gather a list of authorised users.


NTP Enumeration

Network Time Protocol (NTP) is designed to synchronize the clocks of networked computers. It uses UDP port 123 as its primary means of communication. NTP can maintain time to within 10 milliseconds (1/100 second) over the public internet. It can achieve accuracies of 200 microseconds or better in local area networks under ideal conditions. Attackers query the NTP server to gather valuable information, such as:
  • List of hosts connected to the NTP server.
  • Client IP addresses in a network, their system names, and OSs.
  • Internal IPs, if the NTP server is in the demilitarized zone (DMZ).

TOOLS

NTP enumeration tools are used to monitor the operation of NTP and SNTP servers in the network and help in configuring and verifying connectivity from the time client to the NTP servers.
  • ntpdate collects a number of time samples from several time sources.
  • ntptrace traces a chain of NTP servers back to the primary source.
  • ntpdc monitors operations of the NTP daemon, ntpd.
  • ntpq monitors NTP daemon (ntpd) operations and determines performance.
  • PRTG Network Monitor (paessler.com) monitors all systems, devices, traffic, and applications of IT infrastructure by using various technologies such as SNMP, WMI, and SSH.
  • Nmap (nmap.org)
  • Wireshark (wireshark.org)
  • udp-proto-scanner (labs.portcullis.co.uk)
  • NTP Server Scanner (bytefusion.com)

NFS Enumeration

NFS is generally implemented on computer networks where critical resources require centralized data. By enumerating NFS servers, attackers can determine the exported directories, a list of clients connected to the NFS server along with their IP addresses, and the shared data linked to those IP addresses. Once they have this data, the attackers can spoof their IP address to pose as another client and access all of the shared files on the server.

TOOLS

NFS enumeration tools find the NFS services that are operating on a network by scanning them within a specified range of IP addresses or on a single IP address. These tools also help in getting a list of NFS shares, a list of directories accessible using NFS, and a list of RPC services using portmap.
  • rpcinfo -p <IP> command scans the target IP address for an NFS port (port 2049) and the NFS services running on it.
  • showmount -e <IP> command shows the list of shared files and directories. 
  • RPC Scan (https://github.com/hegusung/RPCScan)
  • SuperEnum (https://github.com/p4pentest/SuperEnum)

COUNTERMEASURES

  • Implement proper permissions (read/write must be restricted to specific users) in exported file systems.
  • Implement firewall rules to block NFS port 2049.
  • Ensure that files such as /etc/smb.conf, /etc/exports, and /etc/hosts.allow are properly configured to protect the data stored on the server.
  • Log the requests to access the system files on the NFS server.
  • Keep the root_squash option in /etc/exports file turned ON so that no requests made as root on the client are trusted.
  • Implement NFS tunnelling through SSH to encrypt the NFS traffic over the network.
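
The permission and root_squash items above can be checked mechanically. The following is an added example, not code from the original post: a small auditor for /etc/exports that flags entries where root squashing is disabled or where an export is not limited to specific clients. The sample file content and the issue labels are constructed for illustration.

```python
import re

# Constructed sample /etc/exports content (not taken from the page).
SAMPLE_EXPORTS = """\
# path          client(options)
/srv/projects   10.0.5.0/24(rw,sync,root_squash)
/srv/backup     *(rw,no_root_squash)
/home           trusted.example (rw)
/srv/public     *(ro)
"""

# One client token: an optional host followed by an optional "(opt,opt,...)".
CLIENT_RE = re.compile(r"(?P<host>[^\s()]*)(?:\((?P<opts>[^)]*)\))?")

def audit_exports(text):
    """Return (path, client, issue) tuples for risky entries in an exports file."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        path, *clients = line.split()
        for token in clients:
            m = CLIENT_RE.fullmatch(token)
            if m is None:                        # e.g. an unbalanced parenthesis
                findings.append((path, token, "unparsable"))
                continue
            # A bare "(opts)" token, as left by a stray space, applies to every host.
            host = m.group("host") or "*"
            opts = set(filter(None, (m.group("opts") or "").split(",")))
            if "no_root_squash" in opts:         # client root is trusted as root
                findings.append((path, host, "no_root_squash"))
            if host == "*":                      # not limited to specific clients
                issue = "world_rw" if "rw" in opts else "world_ro"
                findings.append((path, host, issue))
    return findings

if __name__ == "__main__":
    for path, client, issue in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:15} {client:5} {issue}")
```

The /home line shows the stray-space mistake: trusted.example receives only default options, while the detached (rw) grants read/write access to every host.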

SMTP Enumeration

POP3 and IMAP are frequently used with SMTP mail systems, allowing users to store messages in the server inbox and retrieve them from the server as needed. SMTP uses mail exchange (MX) servers to route mail via DNS. It operates on TCP port 25, 2525, or 587. SMTP provides 3 built-in commands.
  • VRFY - Validate users
  • EXPN - Shows the actual delivery addresses of aliases and mailing lists
  • RCPT TO - Defines the recipients of a message. 
Valid users on the SMTP server can be distinguished from invalid users based on how SMTP servers react to VRFY, EXPN, and RCPT TO commands. Via the telnet prompt, attackers can communicate with SMTP directly and gather a list of authorised users on the SMTP server.

TOOLS

Username enumeration is done using SMTP enumeration tools. Attackers can use the usernames retrieved from this enumeration to launch further attacks on other networked computers.
  • NetScanTools Pro
  • smtp-user-enum
  • Nmap
  • Metasploit

COUNTERMEASURES

SMTP servers should be configured in the following manner.
  • Ignore email messages to unknown recipients. 
  • Exclude sensitive information on mail servers and local hosts in mail responses. 
  • Disable the open relay feature. 
  • Limit the number of accepted connections from a source to prevent brute-force attacks.
  • Disable EXPN, VRFY, and RCPT TO commands or restrict them to authentic users. 
  • Ignore emails to unknown recipients by configuring SMTP servers.
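
Because valid and invalid users are told apart by the server's replies, the same replies make probing visible in the mail log. The following is an added example, not code from the original post: it flags clients whose VRFY, EXPN, and rejected RCPT TO commands add up to a probing pattern, and lists the addresses the server confirmed to them. The log format, the sample lines, and the threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed log lines in a hypothetical 'client=... cmd="..." reply=...' format.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z client=203.0.113.7 cmd="VRFY root" reply=250
2024-05-01T10:00:01Z client=203.0.113.7 cmd="VRFY oracle" reply=550
2024-05-01T10:00:02Z client=203.0.113.7 cmd="EXPN staff" reply=550
2024-05-01T10:00:02Z client=203.0.113.7 cmd="RCPT TO:<backup@example.test>" reply=550
2024-05-01T10:00:03Z client=203.0.113.7 cmd="RCPT TO:<alice@example.test>" reply=250
2024-05-01T10:05:00Z client=198.51.100.20 cmd="MAIL FROM:<bob@example.org>" reply=250
2024-05-01T10:05:01Z client=198.51.100.20 cmd="RCPT TO:<alice@example.test>" reply=250
2024-05-01T10:06:00Z client=198.51.100.20 cmd="RCPT TO:<alcie@example.test>" reply=550
"""

LINE_RE = re.compile(
    r'client=(?P<ip>\S+) cmd="(?P<verb>VRFY|EXPN|RCPT TO)[: ]\s*'
    r'<?(?P<arg>[^">]*)>?" reply=(?P<code>\d{3})', re.I)

def detect_enumeration(log, min_probes=3):
    """Return {client_ip: {"probes": n, "confirmed": [...]}} for likely probers."""
    stats = defaultdict(lambda: {"probes": 0, "confirmed": set()})
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m is None:                    # other commands (MAIL FROM, DATA, ...)
            continue
        entry, verb, code = stats[m["ip"]], m["verb"].upper(), m["code"]
        # VRFY/EXPN are rare in normal delivery; RCPT TO counts only when rejected.
        if verb in ("VRFY", "EXPN") or code == "550":
            entry["probes"] += 1
        if code == "250":                # the server confirmed this address exists
            entry["confirmed"].add(m["arg"])
    return {ip: {"probes": e["probes"], "confirmed": sorted(e["confirmed"])}
            for ip, e in stats.items() if e["probes"] >= min_probes}

if __name__ == "__main__":
    for ip, info in detect_enumeration(SAMPLE_LOG).items():
        print(ip, info["probes"], "probes; disclosed:", ", ".join(info["confirmed"]))
```

The second client, with a single mistyped recipient, stays below the threshold and is not reported.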
