Pentesting Tutorial 2 - Information Gathering part 2 - Service Enumeration
Prerequisites: Netcat, Bash scripting, Backtrack
In this tutorial we will continue on from last time. We have two target machines, 192.168.1.2 and 192.168.1.14; next we will enumerate the different services and accounts running on each of them. Let's start with FTP enumeration, since we know that .12 is running FTP and a web server. The first thing we are going to do is try connecting to the FTP server to see if we can grab the actual version and software information. To do this, we will use netcat. For those of you who do not know what netcat is, it is a tool that can open TCP or UDP connections to or from a system, transfer data over them, and do many other things related to networked systems.
nc -v 192.168.1.14 21
(UNKNOWN) [192.168.1.14] 21 (ftp) open
vsftpd version 2.0.7Welcome to my ftp server!
Next we will test for an anonymous FTP account.
ftp 192.168.1.14
Name (192.168.1.14:root): anonymous
331 Please specify the password.
Password:anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
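The two FTP checks above (grab the greeting, then try the anonymous account) can be scripted so they run the same way every time. The following is an added example, not code from the tutorial or from soldierx: it uses only the Python standard library, and because it has to run offline it starts a tiny hypothetical vsftpd stand-in on 127.0.0.1 whose greeting copies the banner the tutorial saw. Against a real host you would call check_ftp() with the target's address and port 21.

```python
import re
import socket
import threading
from ftplib import FTP, error_perm

# Constructed greeting modelled on the banner shown in the tutorial; not captured from a real host.
FAKE_BANNER = b"220 vsftpd version 2.0.7 Welcome to my ftp server!\r\n"
VSFTPD_RE = re.compile(r"vsftpd version (\d+(?:\.\d+)+)", re.IGNORECASE)


def start_fake_ftp(allow_anonymous):
    """One-shot FTP control-channel stub on 127.0.0.1 standing in for the target's vsftpd.
    Speaks just enough of RFC 959 (USER/PASS/QUIT) for the checks below; hypothetical code."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        srv.close()
        with conn, conn.makefile("rwb") as f:
            f.write(FAKE_BANNER)
            f.flush()
            user = None
            for line in f:
                verb, _, arg = line.decode(errors="replace").strip().partition(" ")
                verb = verb.upper()
                if verb == "USER":
                    user = arg.lower()
                    reply = b"331 Please specify the password.\r\n"
                elif verb == "PASS":
                    # Real vsftpd only grants anonymous access when anonymous_enable=YES.
                    ok = allow_anonymous and user in ("anonymous", "ftp")
                    reply = b"230 Login successful.\r\n" if ok else b"530 Login incorrect.\r\n"
                elif verb == "QUIT":
                    f.write(b"221 Goodbye.\r\n")
                    f.flush()
                    break
                else:
                    reply = b"500 Unknown command.\r\n"
                f.write(reply)
                f.flush()

    threading.Thread(target=run, daemon=True).start()
    return port


def check_ftp(host, port, timeout=5.0):
    """Grab the greeting (what 'nc -v host 21' shows), pull the vsftpd version out of it,
    then test whether the anonymous account is accepted. Returns a small report dict."""
    ftp = FTP(timeout=timeout)
    banner = ftp.connect(host, port)          # ftplib returns the 220 greeting line
    match = VSFTPD_RE.search(banner)
    anonymous = False
    try:
        ftp.login("anonymous", "anonymous")   # 530 raises error_perm, 230 returns normally
        anonymous = True
    except error_perm:
        pass
    finally:
        try:
            ftp.quit()
        except Exception:
            ftp.close()
    return {"banner": banner.strip(),
            "version": match.group(1) if match else None,
            "anonymous_login": anonymous}


def demo():
    """Run the check against two stubs: one with anonymous enabled, one without."""
    open_port = start_fake_ftp(allow_anonymous=True)
    locked_port = start_fake_ftp(allow_anonymous=False)
    return check_ftp("127.0.0.1", open_port), check_ftp("127.0.0.1", locked_port)


if __name__ == "__main__":
    for report in demo():
        print(report)
```

The version string comes from the greeting alone, which is also what a defender controls: vsftpd's ftpd_banner setting decides whether the version is advertised at all, and anonymous_enable decides whether the second check ever succeeds.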
Ok, so we have verified that the service is running, its version, and that anonymous FTP is enabled. I could tear this system a new one, but I will save that for an upcoming tutorial. Next we will make sure the previous results for the version of the HTTP server are correct. This is done by issuing the HEAD /HTTP/1.0 command once the connection is established, like so.
nc -v 192.168.1.14 80
(UNKNOWN) [192.168.1.14] 80 (www) open
HEAD /HTTP/1.0
400 Bad Request
Bad Request
Your browser sent a request that this server could not understand.
Apache/2.2.4 (Fedora) Server at localhost6.localdomain6 Port 80
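The same check done with a well-formed request, as an added example that is not code from the tutorial or from soldierx. A local stand-in for the web server is started on 127.0.0.1 so the example runs offline; its Server header value is constructed to match the one the tutorial saw. Note the request line: http.client sends "HEAD / HTTP/1.1" with the space, whereas the "HEAD /HTTP/1.0" typed above is malformed and is why Apache answered 400 and the version only showed up in the error page footer.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


class FakeApache(BaseHTTPRequestHandler):
    """Local stand-in for the target's web server (hypothetical). The Server header value
    copies the one the tutorial saw, so the parsing below has something realistic to read."""

    def version_string(self):
        return "Apache/2.2.4 (Fedora)"

    def do_HEAD(self):
        self.send_response(200)                # BaseHTTPRequestHandler adds Server: and Date:
        self.send_header("Content-Type", "text/html")
        self.end_headers()

    def log_message(self, fmt, *args):        # keep the demo quiet
        pass


def start_fake_http():
    httpd = ThreadingHTTPServer(("127.0.0.1", 0), FakeApache)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    return httpd


def head_server_header(host, port, timeout=5.0):
    """Issue a well-formed HEAD request and return (status, Server header).
    Only the response headers are read; HEAD never carries a body."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("HEAD", "/")
        resp = conn.getresponse()
        return resp.status, resp.getheader("Server")
    finally:
        conn.close()


def demo():
    """Start the stub, query it once, shut it down; returns (status, server_header)."""
    httpd = start_fake_http()
    try:
        return head_server_header("127.0.0.1", httpd.server_address[1])
    finally:
        httpd.shutdown()
        httpd.server_close()


if __name__ == "__main__":
    print(demo())
```

On the defending side, how much of this a real Apache reveals is governed by its ServerTokens directive (the header) and ServerSignature directive (the footer on error pages such as the 400 above); a header that reads only "Apache" gives an enumerator far less to work with.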
As you can see, the server version is Apache 2.2.4 and it is running on a Fedora server. This has just verified the operating system and the actual version of the Apache software. It is good to know this information because it tells us the directory structure of the web server, which will come in handy later. Since I already know that the VNC service is not vulnerable, I will not waste time going into it. Next we will move on to SNMP enumeration to gather some more information about possible attack vectors. Even though we most likely already have a way in, it is good to be as thorough as possible. We will use snmpcheck and snmpenum to gather information about our server.
perl snmpenum.pl 192.168.1.14 public linux.txt
----------------------------------------
UPTIME
----------------------------------------
30 Days 21 Hours
----------------------------------------
HOSTNAME
----------------------------------------
GHOST.LOCAL
----------------------------------------
RUNNING SOFTWARE PATHS
----------------------------------------
ERROR: No response from remote host '192.168.1.14'
----------------------------------------
RUNNING PROCESSES
----------------------------------------
ERROR: No response from remote host '192.168.1.14'
----------------------------------------
MOUNTPOINTS
----------------------------------------
ERROR: No response from remote host '192.168.1.14'
----------------------------------------
SYSTEM INFO
----------------------------------------
ERROR: No response from remote host '192.168.1.14'
----------------------------------------
LISTENING UDP PORTS
----------------------------------------
21
22
80
----------------------------------------
LISTENING TCP PORTS
----------------------------------------
161
I cut the amount of info from this scan down; there was a bunch of unneeded garbage.
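To show what snmpenum actually puts on the wire when it is run with the community string "public", here is an added example that is not code from the tutorial or from either tool: a hand-rolled SNMPv1 GetRequest for sysName.0 (the value snmpenum prints under HOSTNAME) encoded in BER with no SNMP library, plus a hypothetical stub agent that answers it. The community string and the hostname GHOST.LOCAL are the values from the tutorial's output; the stub agent is a stand-in for the target's snmpd.

```python
SYSNAME_OID = "1.3.6.1.2.1.1.5.0"   # sysName.0 from MIB-II, what snmpenum shows as HOSTNAME


def _ber_len(n):
    """BER length: short form below 128, otherwise 0x80|count followed by big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload


def enc_int(v):
    size = (v.bit_length() + 8) // 8          # one extra bit keeps the sign bit clear
    return tlv(0x02, v.to_bytes(size, "big", signed=True))


def enc_oid(oid):
    """OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128."""
    parts = [int(p) for p in oid.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        chunk = bytearray([p & 0x7F])
        p >>= 7
        while p:
            chunk.insert(0, 0x80 | (p & 0x7F))
            p >>= 7
        out += chunk
    return tlv(0x06, bytes(out))


def snmp_get_request(community, oid, request_id=1):
    """SNMPv1 Message ::= SEQUENCE { version(0), community, GetRequest-PDU [0xA0] }."""
    varbinds = tlv(0x30, tlv(0x30, enc_oid(oid) + tlv(0x05, b"")))   # value is NULL in a request
    pdu = tlv(0xA0, enc_int(request_id) + enc_int(0) + enc_int(0) + varbinds)
    return tlv(0x30, enc_int(0) + tlv(0x04, community.encode()) + pdu)


def _read_tlv(buf, pos=0):
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:
        count = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + ln], pos + ln


def _children(payload):
    items, pos = [], 0
    while pos < len(payload):
        tag, val, pos = _read_tlv(payload, pos)
        items.append((tag, val))
    return items


def dec_oid(raw):
    parts, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(acc)
            acc = 0
    return ".".join(map(str, parts))


def parse_snmp_message(pkt):
    """Decode a v1 GetRequest or GetResponse into a dict; OCTET STRING values are decoded."""
    tag, body, _ = _read_tlv(pkt)
    if tag != 0x30:
        raise ValueError("SNMP message must start with a SEQUENCE")
    (_, ver), (_, comm), (pdu_tag, pdu) = _children(body)
    (_, req_id), (_, err_status), _, (_, vbl) = _children(pdu)
    varbinds = {}
    for _, vb in _children(vbl):
        (_, oid_raw), (vtag, val) = _children(vb)
        varbinds[dec_oid(oid_raw)] = val.decode() if vtag == 0x04 else val
    return {"version": int.from_bytes(ver, "big", signed=True),
            "community": comm.decode(),
            "pdu": {0xA0: "GetRequest", 0xA2: "GetResponse"}.get(pdu_tag, hex(pdu_tag)),
            "request_id": int.from_bytes(req_id, "big", signed=True),
            "error_status": int.from_bytes(err_status, "big", signed=True),
            "varbinds": varbinds}


def fake_agent(request, expected_community, sysname="GHOST.LOCAL"):
    """Hypothetical stand-in for the target's snmpd: answers sysName.0 only when the community
    matches. Like a real agent it simply drops requests carrying the wrong community."""
    msg = parse_snmp_message(request)
    if msg["community"] != expected_community:
        return None
    vb = tlv(0x30, enc_oid(SYSNAME_OID) + tlv(0x04, sysname.encode()))
    pdu = tlv(0xA2, enc_int(msg["request_id"]) + enc_int(0) + enc_int(0) + tlv(0x30, vb))
    return tlv(0x30, enc_int(0) + tlv(0x04, expected_community.encode()) + pdu)


def demo():
    req = snmp_get_request("public", SYSNAME_OID, request_id=42)
    parsed = parse_snmp_message(fake_agent(req, "public"))
    dropped = fake_agent(snmp_get_request("private", SYSNAME_OID), "public") is None
    return {"community_in_cleartext": b"public" in req,   # visible to anyone sniffing the segment
            "hostname": parsed["varbinds"][SYSNAME_OID],
            "request_id_echoed": parsed["request_id"] == 42,
            "wrong_community_dropped": dropped}


if __name__ == "__main__":
    print(snmp_get_request("public", SYSNAME_OID, request_id=42).hex())
    print(demo())
```

The request bytes carry the community string in cleartext, which is why a default community such as "public" on an internal segment is a finding on its own: anyone who can sniff the LAN gets the same read access that produced the snmpenum output above. The fixes on the defending side are to disable SNMP where it is not needed, move to SNMPv3 with authentication and privacy, and restrict which source hosts the agent answers.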
Next we will run the snmpcheck.pl script to see what we can come up with.
snmpcheck.pl -t 192.168.1.14 -d
----------------------------------------
User Accounts
----------------------------------------
ghost
anonymous
root
games
nobody
proxy
syslog
www-data
root
news
bin
mail
dhcp
daemon
sshd
man
lp
mysql
dovecot
gnats
backup
sys
klog
postfix
list
irc
sync
uucp
The output from this script is much the same, and it actually has a bunch of extra material that we will not need. So, for the sake of keeping this tutorial short, I will leave it out. One thing I will include is the user accounts section. As you can see, we grabbed some user accounts. This information is very useful and can be used later as a dictionary file for a brute-force attack.
Being as I set up this network, I know that SNMP is not running on the Windows machine, so I will not waste my time there. In fact, the Windows machine is secured, so I will target only the Linux server for now. Later we will use the information that we have gathered to run brute-force attacks, and use pass-the-hash with Metasploit to exploit the Windows box. The next tutorial will cover the use of a vulnerability scanner on the server.
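Both snmpenum and snmpcheck print the same dashed-header layout, so one small parser covers both. The following is an added example, not code from the tutorial or from either tool: it reads that layout into sections, deduplicates the account list (root appears twice in the output above) and separates well-known service accounts from the names that look like real logins, which is the list a defender should be worried about seeing exposed over SNMP. The sample text is a constructed excerpt of the tutorial's output, and the list of service-account names is an assumption based on common Linux distributions.

```python
import re

# Constructed excerpt of the tutorial's snmpenum/snmpcheck output (same dashed section layout).
SAMPLE_OUTPUT = """\
----------------------------------------
HOSTNAME
----------------------------------------
GHOST.LOCAL
----------------------------------------
RUNNING PROCESSES
----------------------------------------
ERROR: No response from remote host '192.168.1.14'
----------------------------------------
User Accounts
----------------------------------------
ghost
anonymous
root
games
nobody
www-data
root
sshd
mysql
backup
"""

RULE = re.compile(r"^-{10,}$")

# Typical distribution service accounts (assumed list; tune it to the target's distro).
SYSTEM_ACCOUNTS = {"root", "daemon", "bin", "sys", "sync", "games", "man", "lp", "mail",
                   "news", "uucp", "proxy", "www-data", "backup", "list", "irc", "gnats",
                   "nobody", "syslog", "klog", "sshd", "dhcp", "mysql", "dovecot", "postfix"}


def parse_sections(text):
    """Turn the dashed layout into {section_name: [non-empty lines]}. A header is the line
    sitting between two rules; everything up to the next rule belongs to that header."""
    sections, current = {}, None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        if RULE.match(line):
            if i + 2 < len(lines) and RULE.match(lines[i + 2]):
                current = lines[i + 1].strip()
                sections[current] = []
                i += 3
            else:
                i += 1                       # stray or trailing rule, nothing to name
            continue
        if current is not None and line.strip():
            sections[current].append(line.strip())
        i += 1
    return sections


def triage_accounts(sections):
    """Deduplicate the account list and split it into service accounts versus likely user
    logins; also report which sections the tool could not read from the agent."""
    seen, unique = set(), []
    for name in sections.get("User Accounts", []):
        if name not in seen:
            seen.add(name)
            unique.append(name)
    errors = [s for s, v in sections.items() if any(x.startswith("ERROR:") for x in v)]
    return {"unique": unique,
            "user_logins": [n for n in unique if n not in SYSTEM_ACCOUNTS],
            "service_accounts": [n for n in unique if n in SYSTEM_ACCOUNTS],
            "sections_with_errors": sorted(errors)}


def demo():
    return triage_accounts(parse_sections(SAMPLE_OUTPUT))


if __name__ == "__main__":
    print(demo())
```

The "user_logins" list is the part worth acting on from the defending side: those names left the box over SNMP with a default community string, and the account table is only one of several that the same read access exposes.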
Source: soldierx