Telnet, SMB, FTP and TFTP Enumeration


The process of obtaining usernames, machine names, shares, network resources, and services from a system or network is known as enumeration. During this phase, the attacker establishes active connections with the system to learn more about the target and sends targeted requests. The attacker uses the information gathered by enumeration to find security flaws, allowing them to exploit the target system. 


TELNET Enumeration

Telnet is a network terminal protocol that lets users access remote computers or servers over the Internet; it provides two-way, interactive communication between computers on LANs and the Internet. Attackers use port scanning to learn which ports and services are open on the target server. If they find the Telnet port open, they can obtain information about the target, such as its hardware and software.

Through Telnet enumeration, attackers can take advantage of known vulnerabilities and use brute-force attacks to gain unauthorised access to the target and conduct further attacks.

COMMAND:

nmap -p 23 <target domain>
  • Attackers can further use the following script to enumerate information from remote MS Telnet services with NTLM authentication enabled:
    nmap -p 23 --script telnet-ntlm-info <target IP>
  • Once the information is obtained, an attacker can perform a brute-force attack against the Telnet server (the script and script-args options take two dashes):
    nmap -p 23 --script telnet-brute.nse --script-args userdb=<location_for_username_wordlist>,passdb=<location_for_password_wordlist> <target IP>
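An added defender-side example, not part of the original post: the script below looks for the signature that the telnet-brute run above leaves in syslog-style failed-login records, namely many distinct usernames from one source within a few seconds. The log lines are constructed in the style of login(1) messages, and the year and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample lines in the style of login(1) syslog records written when a
# Telnet session fails authentication (not real captured logs). The year is assumed.
SAMPLE_AUTH_LOG = """\
Mar 10 14:02:11 host1 login[2201]: FAILED LOGIN (1) on '/dev/pts/3' from '10.0.0.9' FOR 'admin', Authentication failure
Mar 10 14:02:12 host1 login[2202]: FAILED LOGIN (1) on '/dev/pts/4' from '10.0.0.9' FOR 'root', Authentication failure
Mar 10 14:02:12 host1 login[2203]: FAILED LOGIN (1) on '/dev/pts/5' from '10.0.0.9' FOR 'guest', Authentication failure
Mar 10 14:02:13 host1 login[2204]: FAILED LOGIN (1) on '/dev/pts/6' from '10.0.0.9' FOR 'operator', Authentication failure
Mar 10 14:02:14 host1 login[2205]: FAILED LOGIN (1) on '/dev/pts/7' from '10.0.0.9' FOR 'test', Authentication failure
Mar 10 14:02:15 host1 login[2206]: FAILED LOGIN (1) on '/dev/pts/8' from '10.0.0.9' FOR 'admin', Authentication failure
Mar 10 14:30:01 host1 login[2310]: FAILED LOGIN (1) on '/dev/pts/2' from '192.168.1.20' FOR 'alice', Authentication failure
Mar 10 14:31:40 host1 login[2311]: FAILED LOGIN (2) on '/dev/pts/2' from '192.168.1.20' FOR 'alice', Authentication failure
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ login\[\d+\]: FAILED LOGIN "
    r"\(\d+\) on '[^']*' from '(?P<src>[^']+)' FOR '(?P<user>[^']*)'"
)

def parse_failures(text, year=2024):
    """Return (timestamp, source_ip, username) for every failed-login record."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a failed-login record
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["src"], m["user"]))
    return events

def detect_bruteforce(events, window_s=60, min_failures=5, min_users=3):
    """Flag a source with >= min_failures failures inside window_s seconds over >= min_users distinct usernames."""
    by_src = defaultdict(list)
    for ts, src, user in sorted(events):
        by_src[src].append((ts, user))
    flagged = {}
    for src, hits in by_src.items():
        start = 0
        for end in range(len(hits)):  # sliding window over this source's failures
            while (hits[end][0] - hits[start][0]).total_seconds() > window_s:
                start += 1
            window = hits[start:end + 1]
            users = {u for _, u in window}
            if len(window) >= min_failures and len(users) >= min_users \
                    and len(window) > flagged.get(src, {}).get("failures", 0):
                flagged[src] = {"failures": len(window), "users": sorted(users)}
    return flagged
```

The two failures from 192.168.1.20 for one account stay below both thresholds, so only the wordlist source is reported.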

SMB Enumeration

Windows systems typically employ the Server Message Block (SMB) protocol to enable remote access to Windows services and shared access to files, printers, and serial ports. SMB enumeration lets attackers perform OS banner grabbing, and they can use the information to carry out a variety of attacks, including brute-force and SMB relay attacks. Attackers run a targeted scan of the SMB service listening on port 445 using SMB enumeration tools such as Nmap, SMBMap, enum4linux, and nullinux. Command: nmap -p 445 -A <target_ip>.

COUNTERMEASURES

  • Disable SMB protocol on Web and DNS Servers. Disable Client for Microsoft Networks and File and Printer Sharing for Microsoft Networks in Network and Dial-up Connections.
  • Disable SMB protocol on Internet-facing servers. Disable the same two properties under TCP/IP properties.
  • Block ports TCP 139 and TCP 445 used by the SMB protocol.
  • Restrict anonymous access through the RestrictNullSessAccess parameter from the Windows Registry. Registry location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters. Value 1 denotes enabled and 0 denotes disabled.
  • Ensure the Windows Firewall or similar endpoint protection systems are enabled on the system. 
  • Install the latest security patches for Windows and third-party software. 
  • Implement strong permissions to keep the stored information safe. 
  • Perform a regular audit of system logs.
  • Perform active system monitoring to monitor the systems for any malicious incident. 

FTP Enumeration

FTP transfers data in clear text between the sender and the recipient, which increases the risk that sensitive data, such as usernames and passwords, is discovered by attackers. Attackers use Nmap to scan for and enumerate open port 21 and the FTP service behind it, then use that information to conduct a variety of attacks, including packet sniffing, FTP bounce, and FTP brute force. Command: nmap -p 21 <target_domain>. In Metasploit: use auxiliary/scanner/ftp/ftp_version, set RHOSTS to the target IP, and then type exploit.

COUNTERMEASURES:

  • Implement Secure FTP (SFTP, which uses SSH) or FTP Secure (FTPS, which uses SSL/TLS) to encrypt the FTP traffic over the network. 
  • Implement strong passwords or a certification-based authentication policy. 
  • Ensure that the unrestricted uploading of files on the FTP server is not allowed. 
  • Disable anonymous FTP accounts. If this is not possible, monitor anonymous FTP accounts regularly. 
  • Restrict access by IP or domain name to the FTP server.
  • Configure access controls on authenticated FTP accounts with the help of access control lists (ACLs).
  • Restrict login attempts and time. 
  • Configure filtering rules for the FTP services.
  • Use SSL/FTPS for authenticated FTP accounts. 

TFTP Enumeration

The Trivial File Transfer Protocol (TFTP) is a simplified version of FTP and is used for transferring files between network devices. By default, the TFTP service listens on UDP port 69. Using programs such as PortQry (a GUI and command-line utility available from Microsoft) and Nmap, attackers carry out TFTP enumeration to retrieve data from the remote server, including files and active TFTP services. With this data, attackers can enter the target system without authorisation, take critical files, and upload malicious scripts to initiate more attacks.
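An added defender-side example that is not part of the original post: the script below reads Nmap grepable (-oG) output from a scan of one's own hosts and flags any host exposing the Telnet, SMB, FTP or TFTP ports covered in the four sections above, paired with the countermeasure the post recommends. The sample scan output and the countermeasure table are constructed for this example.

```python
import re

# Ports the enumeration sections target, mapped to the countermeasure a defender
# should apply when a host exposes them. Table constructed for this example.
WATCHED = {
    ("tcp", 21):  ("FTP",    "prefer SFTP/FTPS, disable anonymous accounts, restrict by IP"),
    ("tcp", 23):  ("Telnet", "credentials travel in clear text; replace with SSH"),
    ("tcp", 139): ("SMB",    "block TCP 139/445 on Internet-facing hosts, restrict null sessions"),
    ("tcp", 445): ("SMB",    "block TCP 139/445 on Internet-facing hosts, restrict null sessions"),
    ("udp", 69):  ("TFTP",   "no authentication; disable the service or firewall UDP 69"),
}

# Constructed sample in Nmap's grepable (-oG) format, not a real scan.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated (constructed sample)
Host: 10.0.0.5 ()\tPorts: 21/open/tcp//ftp///, 23/open/tcp//telnet///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (997)
Host: 10.0.0.7 ()\tPorts: 22/open/tcp//ssh///, 69/open|filtered/udp//tftp///, 445/filtered/tcp//microsoft-ds///
Host: 10.0.0.9 ()\tStatus: Down
"""

# port/state/proto/ triples; only open and open|filtered (typical for UDP) count
PORT_RE = re.compile(r"(\d+)/(open|open\|filtered)/(tcp|udp)/")

def parse_gnmap(text):
    """Return {host: [(proto, port), ...]} for ports reported open or open|filtered."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue  # skip comment and summary lines
        host = line.split()[1]
        ports_field = next((f for f in line.split("\t") if f.startswith("Ports: ")), "")
        hosts[host] = [(proto, int(port)) for port, _, proto in PORT_RE.findall(ports_field)]
    return hosts

def exposure_report(hosts):
    """Map each host to (port, service, countermeasure) for every watched port it exposes."""
    report = {}
    for host, ports in hosts.items():
        findings = [(p, *WATCHED[(proto, p)]) for proto, p in ports if (proto, p) in WATCHED]
        if findings:
            report[host] = findings
    return report

if __name__ == "__main__":
    for host, findings in exposure_report(parse_gnmap(SAMPLE_GNMAP)).items():
        for port, service, fix in findings:
            print(f"{host}: {service} on port {port}: {fix}")
```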
