Windows Security – SMB – Server Message Blocks – Ports and Enumeration of Domain users and Trust relationships within the Domain
Why are these such deadly attack vectors?
– Set up by DEFAULT on all Windows machines.
– Provides a powerful way to enumerate Domain Controllers, Hosts, Users, Groups.
TCP Port 139 = SESSION service
UDP Port 137 = NAME service
UDP Port 138 = DATAGRAM service
Windows 2003/XP also listen on
TCP & UDP Port 445 – SMB DIRECT HOST LISTENER (SMB over TCP without the NetBIOS session layer)
Try it on your own computer
1. Open a cmd prompt (right-click, Run as administrator) and run:
net view /domain
Now imagine how dangerous that is against a domain controller, where it would reveal all user accounts and the trust relationships between domains.
If you are working within a domain, then you can find all the Domain Controllers in the domain:
nltest /whowill:<Domain> <UserName>
This tells us where a UserName will be authenticated – I have no domain, but the syntax here is looking for the DC for both the Administrator and Guest accounts.
It also maps out the trusted domains for you. The tool was designed to verify that trusts are working, but here it is being misused for attack reconnaissance.
How to dump all the User Names known to a system (Domain controller, Computer or even your Router)
nbtstat -A <ip address> (capital A = query by IP address)
nbtstat -a <computer name> (lowercase a = query by NetBIOS name)
nbtstat -A 192.168.1.65
What do the codes mean?
<00> = Workstation Name
<20> Unique = Sharing is enabled.
<1B> = Domain master browser
<1C> = IIS is running
<03> Unique = this is a user logged onto the machine
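To make the name table usable for defenders rather than reading it by eye, here is an added PowerShell example (not code from the original post) that parses the table printed by nbtstat -A and says what each registered name implies about the host. The nbtstat output embedded in the script is constructed sample text; the suffix meanings in the lookup table follow Microsoft's published NetBIOS suffix list, and the function names are the example's own.

```powershell
# Added example: classify the NetBIOS name table that "nbtstat -A <ip>" prints.
# $SampleNbtstat is constructed sample output, not a capture from a real host.
$SampleNbtstat = @'
Ethernet:
Node IpAddress: [192.168.1.65] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    FILESRV01      <00>  UNIQUE      Registered
    CONTOSO        <00>  GROUP       Registered
    FILESRV01      <20>  UNIQUE      Registered
    CONTOSO        <1C>  GROUP       Registered
    CONTOSO        <1B>  UNIQUE      Registered
    JSMITH         <03>  UNIQUE      Registered

    MAC Address = 00-11-22-33-44-55
'@

# Suffix meanings keyed on "<suffix>:<type>", because the same suffix means
# different things for UNIQUE and GROUP names (Microsoft's NetBIOS suffix list).
$SuffixMeaning = @{
    '00:UNIQUE' = 'Workstation / computer name'
    '00:GROUP'  = 'Domain or workgroup name'
    '03:UNIQUE' = 'Messenger service: computer name or a logged-on user name'
    '20:UNIQUE' = 'File Server service (sharing enabled)'
    '1B:UNIQUE' = 'Domain Master Browser'
    '1C:GROUP'  = 'Domain Controllers group'
    '1D:UNIQUE' = 'Master Browser for this subnet'
    '1E:GROUP'  = 'Browser service elections'
}

function ConvertFrom-NbtstatTable {
    param([Parameter(Mandatory)][string]$Text)
    foreach ($line in ($Text -split "`r?`n")) {
        # One table row looks like:  NAME  <XX>  UNIQUE|GROUP  Registered
        if ($line -match '^\s*(\S+)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\S+)') {
            $suffix  = $Matches[2].ToUpper()
            $type    = $Matches[3]
            $key     = "${suffix}:${type}"
            $meaning = 'Unknown suffix'
            if ($SuffixMeaning.ContainsKey($key)) { $meaning = $SuffixMeaning[$key] }
            [pscustomobject]@{
                Name    = $Matches[1]
                Suffix  = $suffix
                Type    = $type
                Status  = $Matches[4]
                Meaning = $meaning
            }
        }
    }
}

function Get-NbtstatExposure {
    param([Parameter(Mandatory)][object[]]$Entries)
    # Summarise what an unauthenticated query learns from the name table alone.
    $findings = @()
    if ($Entries | Where-Object { $_.Suffix -eq '20' }) {
        $findings += 'Advertises the File Server service: share enumeration on 139/445 is the next thing to expect.'
    }
    if ($Entries | Where-Object { $_.Suffix -eq '1C' }) {
        $findings += 'Registers the Domain Controllers group name: this host is a DC.'
    }
    if ($Entries | Where-Object { $_.Suffix -eq '1B' }) {
        $findings += 'Registers the Domain Master Browser name for its domain.'
    }
    # Both the computer name and the logged-on user register <03>; the last one
    # is usually the user, which is the information leak defenders care about.
    $last03 = $Entries | Where-Object { $_.Suffix -eq '03' } | Select-Object -Last 1
    if ($last03) {
        $findings += "A <03> name '$($last03.Name)' is registered; this can reveal a logged-on user."
    }
    if (-not $findings) { $findings = @('No notable exposure in the name table.') }
    $findings
}

$entries = ConvertFrom-NbtstatTable -Text $SampleNbtstat
$entries | Format-Table Name, Suffix, Type, Meaning -AutoSize
Get-NbtstatExposure -Entries $entries
```

To run it against your own host, replace the sample with `(nbtstat -A <ip>) -join "`n"`; the parser only looks at table rows, so the header and MAC address lines are ignored. Disabling NetBIOS over TCP/IP on the adapter (or blocking UDP 137 at the host firewall) makes the table unavailable to the query in the first place.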
Port 445 or Port 139 (SMB – the most dangerous ports on the internet)
– Gain a NULL Session
– Enumerate Local Admin
– Enumerate Domain Admin
– Enumerate Shares
– Enumerate Hidden Shares & password Dump
– Enumerate Account and Password policies (how many attempts until user name is locked out)
Port 137 – Attack vector to provide…
– Enumerate Domains
– Enumerate the hosts on the Domain
– Enumerate Domain Controllers (nltest.exe)
– Enumerate Trust relationships within the Domain (netdom.exe)
– Enumerate NETBIOS name tables (nbtstat.exe)
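Whether the items in the two lists above actually work against a given host depends on a handful of local settings: the null-session restrictions, whether SMBv1 is still on, whether NetBIOS over TCP/IP is enabled per adapter, and which of these ports are listening. The following PowerShell is an added example (not code from the original post) that reports those settings on the local machine; it uses Microsoft's documented registry value names and cmdlets, and the "Recommended" column reflects common hardening guidance rather than anything the post specifies. Run it from an elevated prompt on Windows 8 / Server 2012 or later.

```powershell
# Added example: audit the local host's SMB / NetBIOS exposure.
# Assumes Windows 8 / Server 2012 or later for Get-SmbServerConfiguration,
# Get-NetTCPConnection and Get-NetUDPEndpoint; run elevated.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the value is absent so the report can show "(not set)".
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function New-Finding {
    param([string]$Setting, $Value, [string]$Recommended, [bool]$Ok)
    $shown = "$Value"
    if ($null -eq $Value -or $shown -eq '') { $shown = '(not set / empty)' }
    [pscustomobject]@{ Setting = $Setting; Value = $shown; Recommended = $Recommended; Ok = $Ok }
}

function Get-SmbExposureReport {
    $lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $report = New-Object System.Collections.Generic.List[object]

    # Null-session controls: these decide whether "Gain a NULL session" pays off.
    $v = Get-RegValue $lsa 'RestrictAnonymous'
    $report.Add((New-Finding 'Lsa\RestrictAnonymous' $v '1 = no anonymous enumeration of SAM accounts and shares' ($v -ge 1)))
    $v = Get-RegValue $lsa 'RestrictAnonymousSAM'
    $report.Add((New-Finding 'Lsa\RestrictAnonymousSAM' $v '1 = no anonymous enumeration of SAM accounts' ($v -eq 1)))
    $v = Get-RegValue $lsa 'EveryoneIncludesAnonymous'
    $report.Add((New-Finding 'Lsa\EveryoneIncludesAnonymous' $v '0 = anonymous is not a member of Everyone (default when absent)' ($null -eq $v -or $v -eq 0)))
    $v = Get-RegValue $lanman 'RestrictNullSessAccess'
    $report.Add((New-Finding 'LanmanServer\RestrictNullSessAccess' $v '1 = null sessions limited to listed pipes/shares (default when absent)' ($null -eq $v -or $v -eq 1)))
    $v = Get-RegValue $lanman 'NullSessionPipes'
    $report.Add((New-Finding 'LanmanServer\NullSessionPipes' ($v -join ',') 'empty' (-not $v)))
    $v = Get-RegValue $lanman 'NullSessionShares'
    $report.Add((New-Finding 'LanmanServer\NullSessionShares' ($v -join ',') 'empty' (-not $v)))

    # SMBv1 still enabled on the server side?
    $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    $report.Add((New-Finding 'SMB server: EnableSMB1Protocol' $smb1 'False' (-not $smb1)))

    # NetBIOS over TCP/IP per adapter: 0 = per DHCP, 1 = enabled, 2 = disabled.
    Get-CimInstance Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled } | ForEach-Object {
        $report.Add((New-Finding "NetBIOS over TCP/IP ($($_.Description))" $_.TcpipNetbiosOptions '2 = disabled on untrusted networks' ($_.TcpipNetbiosOptions -eq 2)))
    }

    # Which of the ports named in the post are actually listening right now.
    $tcp = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -in 139, 445 } | Select-Object -ExpandProperty LocalPort -Unique
    $udp = Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -in 137, 138 } | Select-Object -ExpandProperty LocalPort -Unique
    $ports = @($tcp | ForEach-Object { "tcp/$_" }) + @($udp | ForEach-Object { "udp/$_" })
    $report.Add((New-Finding 'SMB/NetBIOS listeners' ($ports -join ', ') 'none reachable from untrusted networks (host firewall)' ($ports.Count -eq 0)))

    $report
}

Get-SmbExposureReport | Format-Table Setting, Value, Recommended, Ok -AutoSize
```

A listener on 445 is normal on a file server or domain controller, so the last row is a prompt to check the firewall scope rather than a defect by itself; the rows that matter most for the enumeration list above are the RestrictAnonymous family and the NullSession* values, which are what a null session is allowed to read.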
Hopefully this demonstrates the security issues with Windows products. The default ports used by Windows allow some of the most devastating attacks – and most are related to SMB and ports 139 and 445.