Administrators often overlook the Network Time Protocol (NTP) server when considering security. However, when queried properly, it can give an attacker useful network information. The Network File System (NFS) manages remote file access. Through NFS enumeration, attackers can obtain the list of clients connected to the NFS server, their IP addresses, and the exported directories. SMTP is frequently used with POP3 and IMAP in mail systems. Via the telnet prompt, attackers can communicate with SMTP directly and gather a list of authorised users.
NTP Enumeration
Network Time Protocol (NTP) is designed to
synchronize the clocks of networked computers. It uses
UDP port 123 as its primary means of communication. NTP can
maintain time to within 10 milliseconds (1/100 second) over the public
internet. It can achieve accuracies of 200 microseconds or better
in local area networks under ideal conditions. Attackers query the NTP
server to gather valuable information, such as:
- List of hosts connected to the NTP server.
- Clients' IP addresses in a network, their system names, and OSs.
- Internal IPs, if the NTP server is in the demilitarized zone (DMZ).
TOOLS
NTP enumeration tools are used to monitor the operation of NTP and SNTP
servers in the network and help in configuring and verifying
connectivity from the time client to the NTP servers.
- ntpdate collects a number of time samples from several time sources.
- ntptrace traces a chain of NTP servers back to the primary source.
- ntpdc monitors operations of the NTP daemon, ntpd.
- ntpq monitors NTP daemon (ntpd) operations and determines performance.
- PRTG Network Monitor (paessler.com) monitors all systems, devices, traffic, and applications of IT infrastructure by using various technologies such as SNMP, WMI, and SSH.
- Nmap (nmap.org)
- Wireshark (wireshark.org)
- udp-proto-scanner (labs.portcullis.co.uk)
- NTP Server Scanner (bytefusion.com)
NFS Enumeration
NFS is generally deployed on networks where data for critical resources
needs to be centralized.
By enumerating NFS services, attackers can determine the
exported directories, the list of clients connected to the NFS server
along with their IP addresses, and the shared data associated with
those IP addresses. Once they have this
data, the attackers can spoof their IP addresses to pose as a trusted client
and access all of the shared files on the server.
TOOLS
NFS enumeration tools find the NFS services that are operating on a network
by scanning them within a specified range of IP addresses or on a single IP
address. These tools also help in getting a list of NFS shares, a list of
directories accessible using NFS, and a list of RPC services using
portmap.
- rpcinfo -p <IP> command scans the target IP address for an NFS port (port 2049) and the NFS services running on it.
- showmount -e <IP> command shows the list of shared files and directories.
- RPC Scan (https://github.com/hegusung/RPCScan)
- SuperEnum (https://github.com/p4pentest/SuperEnum)
COUNTERMEASURES
- Implement proper permissions (read/write must be restricted to specific users) in exported file systems.
- Implement firewall rules to block NFS port 2049.
- Ensure the proper configuration of files such as /etc/smb.conf, /etc/exports, and /etc/hosts.allow to protect the data stored on the server.
- Log the requests to access the system files on the NFS server.
- Keep the root_squash option in /etc/exports file turned ON so that no requests made as root on the client are trusted.
- Implement NFS tunnelling through SSH to encrypt the NFS traffic over the network.
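An added example, not from the original post: a small Python audit of /etc/exports text that flags the settings the countermeasures above warn about (no_root_squash and exports open to any client). The sample file contents and the finding labels (world-rw, world-ro, unparsed) are constructed for illustration.

```python
import re

# Constructed sample of /etc/exports contents (not from a real server).
SAMPLE_EXPORTS = """\
# path         client(options)
/srv/projects  10.0.5.0/24(rw,sync,root_squash)
/srv/backups   *(rw,no_root_squash)
/srv/public    (ro)
/srv/home      build01.example.internal (rw,sync)
"""

# One client spec: optional host followed by optional "(opt,opt,...)".
CLIENT_RE = re.compile(r"([^\s()]*)(?:\(([^()]*)\))?")


def audit_exports(text):
    """Return sorted (path, client, finding) tuples for risky export entries."""
    findings = set()
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue  # blank, comment-only, or no client spec to inspect
        path = fields[0]
        for spec in fields[1:]:
            m = CLIENT_RE.fullmatch(spec)
            if m is None:
                findings.add((path, spec, "unparsed"))
                continue
            # An empty host, as in "(ro)" or "host (rw)" written with a stray
            # space, applies the options to every client.
            host = m.group(1) or "*"
            opts = set((m.group(2) or "").split(","))
            if host == "*":
                findings.add((path, host, "world-rw" if "rw" in opts else "world-ro"))
            if "no_root_squash" in opts:
                findings.add((path, host, "no_root_squash"))
    return sorted(findings)


if __name__ == "__main__":
    for path, client, finding in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:15} {client:5} {finding}")
```

The /srv/home line shows the stray-space case: the named host gets default options while the "(rw,sync)" spec applies to everyone.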
SMTP Enumeration
Mail systems frequently use SMTP together with POP3 and IMAP, which allow
users to store messages in the server inbox and retrieve them from the
server as needed. SMTP uses mail exchange (MX) servers to route mail via DNS.
It operates on TCP port 25, 2525, or 587. SMTP provides 3 built-in
commands:
- VRFY - Validate users
- EXPN - Shows the actual delivery addresses of aliases and mailing lists
- RCPT TO - Defines the recipients of a message.
Valid users on the SMTP server can be distinguished from invalid users
based on how SMTP servers react to VRFY, EXPN, and RCPT TO commands. Via
the telnet prompt, attackers can communicate with SMTP directly and gather
a list of authorised users on the SMTP server.
TOOLS
SMTP enumeration tools are used for username enumeration. Attackers can use the usernames obtained this way to launch further attacks on other systems in the network.
- NetScanTools Pro
- smtp-user-enum
- Nmap
- Metasploit
COUNTERMEASURES
SMTP servers should be configured in the following manner.
- Exclude sensitive information on mail servers and local hosts in mail responses.
- Disable the open relay feature.
- Limit the number of accepted connections from a source to prevent brute-force attacks.
- Disable EXPN, VRFY, and RCPT TO commands or restrict them to authentic users.
- Ignore emails to unknown recipients by configuring SMTP servers.
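An added example, not from the original post: detection logic for the enumeration behaviour described above, which counts distinct rejected recipients per client IP in mail-server logs. The log lines are constructed in a Postfix-like shape, and the function name and threshold of 5 are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed log lines in a Postfix-like shape (not from a real server).
_LINE = ("Mar 03 10:00:0{n} mx1 postfix/smtpd[811]: NOQUEUE: reject: RCPT from "
         "unknown[{ip}]: 550 5.1.1 <{rcpt}>: Recipient address rejected: "
         "User unknown in local recipient table")
_GUESSES = ["admin", "root", "test", "backup", "oracle"]
SAMPLE_LOG = (
    [_LINE.format(n=i, ip="203.0.113.9", rcpt=f"{u}@example.test")
     for i, u in enumerate(_GUESSES)]
    # One sender retrying a single mistyped address: noisy, not enumeration.
    + [_LINE.format(n=i, ip="198.51.100.4", rcpt="jon.smtih@example.test")
       for i in range(5, 8)]
)

# Client IP in brackets, then a 550 reply and the rejected recipient.
REJECT_RE = re.compile(
    r"reject: RCPT from \S*\[([0-9A-Fa-f.:]+)\]: 550 \S+ <([^>]+)>")


def find_enumerators(lines, threshold=5):
    """Return {client_ip: sorted rejected recipients} for suspected enumeration.

    A client is flagged when it was refused for at least `threshold` distinct
    unknown recipients; repeats of the same address count once.
    """
    rejected = defaultdict(set)
    for line in lines:
        m = REJECT_RE.search(line)
        if m:
            rejected[m.group(1)].add(m.group(2).lower())
    return {ip: sorted(rcpts) for ip, rcpts in rejected.items()
            if len(rcpts) >= threshold}


if __name__ == "__main__":
    for ip, rcpts in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: {len(rcpts)} distinct unknown recipients: {', '.join(rcpts)}")
```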