Network Security Footprinting And Enumeration Computer Science Essay


LSASS stands for Local Security Authority Subsystem Service. In Microsoft Windows operating systems it is the process responsible for enforcing the security policy on the system. The process lsass.exe serves as Microsoft's Local Security Authentication Server. It checks whether a user's identification is valid whenever he or she attempts to access the computer system. Through the execution of lsass.exe, the system gains security by blocking unwanted users from accessing any private information that has been saved. lsass.exe is also responsible for password modifications made by the user. The process operates mainly through its ability to create access tokens. These tokens encapsulate the file's security descriptor, which contains the information needed to process user authentication, such as which users hold access to the system and whether that access is mandatory or discretionary. It also writes to the Windows Security Log. Note that forcible termination of lsass.exe results in the Welcome screen losing its accounts and prompts a restart of the machine.

Microsoft Windows LSASS is affected by a remotely exploitable buffer overrun vulnerability. The specific vulnerable system component is LSASRV.DLL. Successful exploitation of this issue may allow a remote attacker to execute malicious code on a vulnerable system, resulting in full system compromise: a remote user can execute arbitrary code with SYSTEM privileges on the target system. The issue can be exploited by a remote user on Microsoft Windows 2000 and XP. It can reportedly only be exploited by local, authenticated users on Microsoft Windows Server 2003 and Microsoft Windows XP 64-Bit Edition 2003. Microsoft has stated that a local administrator could exploit the issue on these platforms, though this does not appear to pose any additional security risk, as the administrator will likely already have complete control over the system. The buffer overflow vulnerability was reported in the LSASS implementation in Microsoft Windows.

The affected function is a logging function in LSASRV.DLL that calls vsprintf() without validating its input. As a result, a long string argument sent to the logging function can trigger the overflow. Microsoft reports that several RPC functions accept a long string as a parameter and attempt to write the value to the debug log file. The flaw may be reachable through the following ports: 135 (Microsoft End Point Mapper, also known as the DCE/RPC Locator service, used to remotely manage services including DHCP server, DNS server and WINS, and also used by DCOM), 137 (NetBIOS Name Service), 138 (NetBIOS Datagram Service), 139 (NetBIOS Session Service), 445 (Microsoft-DS: Active Directory, Windows shares), and 593 (HTTP RPC Ep Map: remote procedure call over Hypertext Transfer Protocol, often used by Distributed Component Object Model services and Microsoft Exchange Server). Microsoft has assigned a 'Critical' severity rating for Windows 2000 and XP and a 'Low' severity rating for Windows Server 2003.

Chapter 2 - Footprinting & Enumeration


Footprinting is one of a hacker's best friends. It is the first step in a hacker's information gathering. To perform or thwart a successful attack, one needs to gather information. The hacker's intention is to learn about all aspects of the prospective organization's security posture: the profile of its Intranet, its remote access capabilities, and its intranet/extranet presence.

The systematic and methodical footprinting of an organization enables attackers to create a complete profile of the organization's security posture. By using a combination of tools and techniques, coupled with a healthy dose of patience, attackers can take an unknown entity and reduce it to a specific range of domain names, network blocks, and individual IP addresses of systems directly connected to the Internet, as well as many other details pertaining to its security posture.

Enumeration is the process that hackers perform after the footprint analysis has produced a map approximating their knowledge of the target network. In this step, hackers gather as much data as possible from the targeted system.

If hackers are able to contact the host on certain ports, such as TCP 139 or 445, they will attempt to anonymously enumerate sensitive information from the system, such as user names, last logon dates, password change dates and so on.

What is Footprinting

In computers, footprinting is the process of accumulating data regarding a specific network environment, usually for the purpose of finding ways to intrude into the environment. Footprinting can reveal system vulnerabilities and improve the ease with which they can be exploited.

Footprinting is the means by which hackers target an organization and use a remote access process to garner proprietary information relevant to the organization's Internet and network processors. They also access the organizational profiles for the purpose of mapping out the target organization's security stance. Footprinting employs a whois query technique that produces employee names, phone numbers, and other information on request from the hacker.

Areas targeted by computer hackers are Domain Name System (DNS) and Internet Protocol (IP) records, from which addresses are extracted; firewalls designed to protect systems from external intrusion; and the quick steps normally associated with corporate acquisitions and dispositions, followed by the broadcasting of this acquisition information on the Internet, intranets, and mass media. When companies acquire other companies or dispose of subsidiaries, several documents are produced that become public information of interest to intruders. These documents are usually created through legal processes secondary to the acquisition process.

How Attackers Use Footprinting

Footprinting is the first step a hacker takes when attacking a network. The attacker first identifies the various domain names that he is interested in exploiting. He then performs a footprint analysis of the target to gather as much information as possible through publicly available sources. The footprint analysis gives the hacker an indication of how large the target might be, how many potential entry points exist, and what, if any, security mechanisms might exist to thwart the attack. During a footprint analysis, the hacker attempts to discover all potentially related information that may be useful during the attack. This information includes:

Company names

Domain names

Business subsidiaries

Internet Protocol (IP) networks

Administrative Contacts

Problems revealed by administrators

Hackers pay particular attention to potential entry points that might circumvent the "front door." For example, rather than attempting to break through a major corporation's firewall, the attacker identifies a startup company (just acquired by the major corporation) and then attempts to leverage weak security in the smaller company that might provide unrestricted virtual private network (VPN) access to the larger target.

Port scanners are used to determine which hosts are alive on the Internet, which Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) ports are listening on each system, and the operating system that is installed on each host. Traceroutes are performed to help identify the relationship of each host to every other and to identify potential security mechanisms between the attacker and the target. Unfortunately, humans are often the weakest security link in a corporation. A clever phone call to the technical support department can often compromise critical information:

"Hi-this is Bill and I forgot my password. Can you remind me what it is?"

Tools commonly used by attackers for footprinting:

Nslookup: Command-line tool in Windows NT 4.0, Windows 2000, and Windows XP that can be used to perform DNS queries and zone transfers.

Tracert: Command-line tool used by hackers to create network maps of the target's network presence.

SamSpade: Web interface that performs Whois lookups, forward and reverse DNS searches, and traceroutes.

What is Enumeration

Enumeration is the process of identifying domain names and associated networks. It is performed by the hacker after the footprinting process. The main objective of the attacker is to identify valid user accounts or groups under which he can remain inconspicuous once he has compromised the system. The end result of enumeration is that the hacker has the information needed to attack your system.

Enumeration involves active connections being made to the target system, or subjecting it to directed queries. Normally, an alert and secure system will log such attempts. Often the information gathered is what the target has already made public, such as a DNS address. However, it is possible that the attacker stumbles upon a remote IPC share, such as IPC$ in Windows, that can be probed with a null session so that shares and accounts can be enumerated.
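As an added example (not code from the essay), the following Python script shows the defender's side of the port scanning and null-session probing described above: it reads firewall-style log lines and flags sources that sweep many ports in a short window, and external sources that were allowed through to the RPC/NetBIOS/SMB ports listed in the LSASS discussion. The log line format, the INTERNAL_NETS ranges and the log lines themselves are assumptions constructed for illustration.

```python
"""Flag enumeration-style probing in firewall logs.

Added example, not code from the essay. The log line format
'timestamp src_ip dst_ip dst_port proto action' and the INTERNAL_NETS list
are assumptions; the log lines are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Ports the essay names for RPC, NetBIOS and SMB: the ones an attacker
# contacts to enumerate shares, users and banners anonymously.
ENUMERATION_PORTS = {135, 137, 138, 139, 445, 593}

# Assumed address space of the organisation's own network.
INTERNAL_NETS = [ip_network("192.168.0.0/16"), ip_network("10.0.0.0/8")]

# Constructed firewall log: one external host sweeping eight ports on a
# server within three seconds, one normal web client, one internal SMB client.
CONSTRUCTED_LOG = """\
2024-01-05T10:00:01 203.0.113.7 192.0.2.10 135 tcp DENY
2024-01-05T10:00:01 203.0.113.7 192.0.2.10 139 tcp DENY
2024-01-05T10:00:02 203.0.113.7 192.0.2.10 445 tcp ALLOW
2024-01-05T10:00:02 203.0.113.7 192.0.2.10 593 tcp DENY
2024-01-05T10:00:03 203.0.113.7 192.0.2.10 22 tcp DENY
2024-01-05T10:00:03 203.0.113.7 192.0.2.10 80 tcp ALLOW
2024-01-05T10:00:04 203.0.113.7 192.0.2.10 443 tcp ALLOW
2024-01-05T10:00:04 203.0.113.7 192.0.2.10 3389 tcp DENY
2024-01-05T10:05:00 198.51.100.4 192.0.2.10 443 tcp ALLOW
2024-01-05T10:06:00 198.51.100.4 192.0.2.10 443 tcp ALLOW
2024-01-05T11:00:00 192.168.1.20 192.0.2.10 445 tcp ALLOW
"""


def parse_line(line):
    """Split one log line into a dict; raises ValueError on malformed input."""
    ts, src, dst, port, proto, action = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "port": int(port), "proto": proto, "action": action}


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect_sweeps(text, window=timedelta(minutes=1), min_ports=5):
    """Return {src: sorted ports} for sources touching at least min_ports
    distinct ports on one destination within `window`. Denied connections
    count too: a refused probe is still evidence of scanning."""
    per_pair = defaultdict(list)
    for e in parse_log(text):
        per_pair[(e["src"], e["dst"])].append((e["ts"], e["port"]))
    findings = defaultdict(set)
    for (src, _dst), events in per_pair.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits in `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            ports = {p for _, p in events[start:end + 1]}
            if len(ports) >= min_ports:
                findings[src].update(ports)
    return {src: sorted(ports) for src, ports in findings.items()}


def external_enumeration_hits(text):
    """Return {src: sorted ports} for external sources the firewall ALLOWED
    through to an enumeration port. These are the connections that make
    null-session enumeration possible and should normally be blocked at the
    perimeter."""
    hits = defaultdict(set)
    for e in parse_log(text):
        if (e["action"] == "ALLOW" and e["port"] in ENUMERATION_PORTS
                and not is_internal(e["src"])):
            hits[e["src"]].add(e["port"])
    return {src: sorted(ports) for src, ports in hits.items()}


if __name__ == "__main__":
    print("port sweeps:", detect_sweeps(CONSTRUCTED_LOG))
    print("external hosts reaching enumeration ports:",
          external_enumeration_hits(CONSTRUCTED_LOG))
```

Run against the constructed log, the sweep detector reports the one host that touched eight ports in three seconds, and the second check shows that the same host was allowed through to TCP 445, which is exactly the exposure the essay's advice to block unneeded ports is meant to remove.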

Concept

On ascertaining the security posture of the target, the attacker can turn this information to their advantage by exploiting some resource-sharing protocol or compromising an account. The type of information enumerated by hackers can be loosely grouped into the following categories:

1. Network resources and shares

2. Users and Groups

3. Applications and Banners

How Attackers Use Enumeration

After attackers have learned enough basic information about their target, they will attempt to gain access to the target system by masquerading as authorized users. This means that they need a password for a user account that they have discovered during the earlier steps.

Two common ways to obtain that password are social engineering and brute-force attacks.

The attack process consists of performing various queries against the many whois databases on the Internet. The hacker simply queries the registrar to obtain the information they are looking for, which only requires knowing which registrar the company is listed with. There are five types of queries, as follows:

Registrar Query: This query gives information on potential domains matching the target.

Organizational Query: This searches a specific registrar to obtain all instances of the target's name. The results show the many different domains associated with the company.

Domain Query: A domain query is based on results found in an organizational query. It reveals the company's address, domain name, administrator and his/her phone number, and the system's domain servers.

Network Query: The fourth method, using the American Registry for Internet Numbers, discovers the network blocks owned by a company. It's good to use a broad search here, as well as in the registrar query.

POC Query: This query finds the many IP addresses a machine may have.
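The domain query above hands a footprinter the registrant's address, administrator name and phone number, and name servers. As an added example (not code from the essay), the following Python parser reads a whois record in the common "Key: Value" layout and reports which fields expose an individual rather than a role, which is the review a defender should do on their own organization's records. The sample record, the field names and the ROLE_ACCOUNTS list are assumptions constructed for illustration; real registrar output varies.

```python
"""Parse a whois record and report personal-contact exposure.

Added example, not code from the essay. The record, the field names and the
ROLE_ACCOUNTS heuristic are assumptions; real registrar output differs.
"""
import re

# Constructed sample record in "Key: Value" style.
CONSTRUCTED_WHOIS = """\
Domain Name: example-corp.test
Registrar: Example Registrar, Inc.
Registrant Organization: Example Corp
Registrant Street: 1 Example Way
Registrant City: Anytown
Admin Name: Jane Doe
Admin Phone: +1.5550100
Admin Email: jane.doe@example-corp.test
Tech Name: Bob Roe
Tech Email: bob.roe@example-corp.test
Name Server: ns1.example-corp.test
Name Server: ns2.example-corp.test
"""

# Key is letters and spaces up to the first colon; value is the rest of the line.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(.+?)\s*$")

# Fields that name a person rather than a role: the raw material for the
# "Hi, this is Bill and I forgot my password" call described earlier.
PERSONAL_FIELDS = ("Admin Name", "Admin Phone", "Admin Email",
                   "Tech Name", "Tech Email")

# Assumed list of mailbox names that denote a role account, not a person.
ROLE_ACCOUNTS = {"hostmaster", "postmaster", "dns", "admin", "abuse",
                 "noc", "domains"}


def parse_whois(text):
    """Return {field: [values]}; repeated keys (e.g. Name Server) accumulate."""
    record = {}
    for line in text.splitlines():
        match = FIELD_RE.match(line)
        if not match:
            continue  # blank lines, comments and free text are skipped
        key, value = match.group(1), match.group(2)
        record.setdefault(key, []).append(value)
    return record


def exposure_report(record, role_accounts=ROLE_ACCOUNTS):
    """Summarise what the record gives away about individuals.

    Returns a dict with the personal fields present and the e-mail addresses
    whose local part does not look like a role account."""
    exposed = {field: record[field] for field in PERSONAL_FIELDS if field in record}
    individual_emails = []
    for field in ("Admin Email", "Tech Email"):
        for addr in record.get(field, []):
            local_part = addr.split("@", 1)[0].lower()
            if local_part not in role_accounts:
                individual_emails.append(addr)
    return {"exposed_fields": exposed, "individual_emails": individual_emails}


if __name__ == "__main__":
    rec = parse_whois(CONSTRUCTED_WHOIS)
    print("name servers:", rec.get("Name Server"))
    report = exposure_report(rec)
    for field, values in report["exposed_fields"].items():
        print(f"exposed {field}: {', '.join(values)}")
    print("individual e-mail addresses:", report["individual_emails"])
```

For the constructed record the report lists all five personal fields and both e-mail addresses; replacing them with role contacts (for example hostmaster@) removes the individual names and numbers from what a footprinter can collect without ever touching the network.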

Tools commonly used for enumeration

Netcat (listed under Network Utility Tools): The hacker's Swiss army knife. Used for banner grabbing and port scanning, among other things.

Epdump/Rpcdump: Tools to gain information about remote procedure call (RPC) services on a server.

Getmac (Windows NT resource kit): Windows NT command for obtaining the media access control (MAC) Ethernet-layer address and binding order for a computer running Windows NT 4.0, Windows 2000, or Windows XP.

DumpSec: Security auditing program for Windows NT systems. It enumerates user and group details from a chosen system. This is the audit and enumeration tool of choice for Big Five auditors (PricewaterhouseCoopers, Ernst & Young, KPMG, Arthur Andersen, and Deloitte & Touche) and hackers alike.

SDKs: Many software development kits (SDKs) provide hackers with the basic tools they need to learn more about systems.

Chapter 3 - Solutions for Footprinting & Enumeration

Based on our research, the first solution we found is to keep patches up to date by installing them weekly, or daily if possible. Buffer overflow and privilege escalation attacks can usually be prevented by keeping patches up to date. Shut down unnecessary services and ports: review your installation requirements and eliminate unnecessary services and applications.

Next, change default passwords, choosing strong passwords that use uppercase letters, lowercase letters, numbers and special characters. Some database applications create a database administrator account with no password. Control physical access to systems: protecting physical access to computer systems is as important as protecting computer access, and be sure employees lock their consoles when not in use, since an unlocked desktop can instantly give a hacker access to the network as a privileged user.
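As an added example (not code from the essay), the following Python check enforces the password rules just listed at the point where a password is set, and also catches the empty or vendor-default password that the essay warns some database installations leave on the administrator account. The 12-character minimum and the DEFAULT_PASSWORDS list are assumptions chosen for illustration; the essay itself only names the four character classes.

```python
"""Check candidate passwords against the policy described above.

Added example, not code from the essay. MIN_LENGTH and DEFAULT_PASSWORDS are
assumptions; the essay only names the four character classes and warns about
accounts created with no password.
"""
import string

MIN_LENGTH = 12

# Constructed sample of vendor defaults plus the empty password; a real
# deployment would check against a much larger list.
DEFAULT_PASSWORDS = {"", "admin", "password", "sa", "changeme"}


def password_policy_failures(candidate):
    """Return the list of rules the candidate breaks; an empty list means it passes."""
    failures = []
    if candidate in DEFAULT_PASSWORDS:
        failures.append("default or empty password")
    if len(candidate) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    # The four character classes the essay requires.
    classes = {
        "uppercase": any(c.isupper() for c in candidate),
        "lowercase": any(c.islower() for c in candidate),
        "digit": any(c.isdigit() for c in candidate),
        "special": any(c in string.punctuation for c in candidate),
    }
    failures.extend(f"missing {name}" for name, present in classes.items()
                    if not present)
    return failures


def audit_accounts(accounts):
    """accounts: {username: candidate password}. Return only the failing
    accounts with their reasons. Meant for the moment an account is created
    or a password is changed, not for collecting existing plaintext passwords."""
    report = {}
    for user, password in accounts.items():
        failures = password_policy_failures(password)
        if failures:
            report[user] = failures
    return report


if __name__ == "__main__":
    # Constructed accounts mirroring the essay's "DBA account with no password".
    sample = {"dba": "", "svc_backup": "password", "alice": "Tr0ub4dor&3xample"}
    for user, reasons in audit_accounts(sample).items():
        print(f"{user}: {', '.join(reasons)}")
```

The function returns every rule that was broken rather than a single yes/no, so the user (or the installer script) is told exactly what to change, and a default credential is reported even when it happens to satisfy the character-class rules.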

In addition, curtail unexpected input. Some Web pages allow users to enter usernames and passwords; these pages can be abused if the user is allowed to enter more than just a username. Perform backups and test them on a regular basis, educate employees about the risks of social engineering, and develop strategies to validate identities over the phone, via e-mail, or in person.

Most importantly, encrypt and password-protect sensitive data. Data such as Web-accessible e-mail should be considered sensitive and should be encrypted. Implement security hardware and software: firewalls and intrusion detection systems should be installed at all perimeters of the network. Viruses, Java, and ActiveX can potentially harm a system; anti-virus software and content filtering should be used to minimize this threat.


In conclusion, all users should have proper antivirus software and a firewall installed on their system or server. A process registered as a trojan under the name lsass.exe can be removed to prevent it from exploiting your system or server; such a process is a security risk and should be removed from your system. All unwanted ports can also be blocked to make sure there is no way for this problem to occur. Moreover, Microsoft has already released working patches to avoid all these circumstances: just download them from a trusted source and apply them to your system.

As for footprinting, all companies must be aware of the attack. They need to think like a hacker to prevent their company information from being stolen or an attack from harming their systems. Defending the network against attack requires constant vigilance and education, although there is no recipe for guaranteeing the absolute security of your network.