Monday, January 16, 2012

Banner Grabbing: What's Running!

So, let me output the results of some ICMP, TCP, and UDP scans of my victim. I am using Nmap here, but you can use whichever scanning tool you are comfortable with.

If you just type nmap on the console you will get pretty detailed help listing all the switches nmap can run. Let's first start with an ICMP Echo scan (-PE); we are adding -sn, which disables port scanning for now.

ICMP Echo Scans

So we scan our network and discover ourselves (192.168.0.5) and another host, 192.168.0.10. We have to be wary of ICMP scans: ICMP is generally quite restricted on networks, especially when scanning from outside the network. Let's see if we can do a TCP port scan to find out what TCP ports are open on our potential victim. Let's go with the TCP SYN scan (-sS).

TCP SYN Scan

Oh wow, what a find! Nmap says we have FTP, SMTP (mail), web, SMB (port 445) AND an MSSQL server! Apparently this user never thought of breaking up server functions onto different machines... lucky for us :-)

So now we should figure out what versions those services are running, if we can. This way we can research and determine whether they are running exploitable versions. So before I show you a way with nmap, I am going to quickly go to an old friend of mine, netcat. Netcat is a great tool which I highly recommend having in your arsenal: it can be used to scan for hosts, set up connections (valid and not so valid) between two machines, allow a remote shell to be shoveled to you from your victim, and even grab banners for you :) If you want to do all this over an encrypted connection, well, there is cryptcat.

Ok, so let's do a banner grab for port 25, the SMTP mail service.

NetCat

So the command is quite easy here... the '-v' stands for verbose (I am being EXTRA verbose, using double v's). Then I enter the IP and the port I am querying. As you can see, we found a Microsoft ESMTP MAIL Service, Version 6.0.2600.5512, which according to Wikipedia is Exchange 2000. A quick Google search takes me to a Securiteam webpage showing the exploits in Version 6 of ESMTP.

Let's see what Wireshark says:

Wireshark Output of Netcat Banner Grab

So we see our three-way handshake being established and then our potential victim responding with an SMTP packet stating what version it is running. You can actually configure the service so the version is not displayed, giving you a little buffer of protection from script kiddies. I should also point out that not every port will respond like this when you establish a connection; only certain protocols and software announce themselves.

One more for fun, let's try port 80. For this one we need to interact with the prompt to get output, but it's quite easy. So first we connect:

NetCat - Port 80

As you can see, we have a prompt waiting for input, so we type in 'GET HTTP', which should get us the information we are looking for.

NetCat - Querying Port 80

So this gives us our web server, IIS 5.1. Again, a quick Google search reveals a few candidates we could try against this web server. This is looking promising!
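What netcat is doing in the two sessions above is simply opening a TCP connection and reading whatever the service says (SMTP speaks first; HTTP only answers once you send it a request). The script below is an added example, my own code rather than anything from the post, that does the same thing in Python and then pulls the product and version out of the reply so you can tell at a glance which of your own servers are still announcing their version. The `grab_banner`, `parse_smtp_banner` and `parse_http_server_header` names are mine, and the banners it is run over are constructed samples modelled on the ones read off netcat above, not captures from the post's lab; the "hardened" variants show what the same services look like once the version string has been suppressed, as the post suggests.

```python
import re
import socket

# Constructed sample replies (not captures from the post's lab). The verbose
# ones are modelled on what the netcat sessions above showed; the hardened
# ones are the same services with the version disclosure switched off.
SMTP_BANNER_VERBOSE = (
    "220 victim.lab Microsoft ESMTP MAIL Service, Version: 6.0.2600.5512 "
    "ready at  Mon, 16 Jan 2012 10:00:00 +0000 \r\n"
)
SMTP_BANNER_HARDENED = "220 victim.lab ESMTP ready\r\n"
HTTP_RESPONSE_VERBOSE = (
    "HTTP/1.1 400 Bad Request\r\n"
    "Server: Microsoft-IIS/5.1\r\n"
    "Content-Type: text/html\r\n\r\n"
)
HTTP_RESPONSE_HARDENED = (
    "HTTP/1.1 400 Bad Request\r\n"
    "Server: web\r\n"
    "Content-Type: text/html\r\n\r\n"
)

# Dotted version strings such as 5.1 or 6.0.2600.5512.
VERSION_RE = re.compile(r"\d+(?:\.\d+){1,3}")


def grab_banner(host, port, probe=None, timeout=5.0, max_bytes=4096):
    """Equivalent of 'nc -vv host port': connect, optionally send a probe
    (HTTP needs a request before it answers; SMTP speaks first), then read
    until the peer closes, the buffer fills, or the timeout hits."""
    chunks, total = [], 0
    with socket.create_connection((host, port), timeout=timeout) as s:
        if probe is not None:
            s.sendall(probe)
        try:
            while total < max_bytes:
                chunk = s.recv(max_bytes - total)
                if not chunk:
                    break
                chunks.append(chunk)
                total += len(chunk)
        except socket.timeout:
            pass  # the service went quiet; return what we have
    return b"".join(chunks).decode("latin-1")


def parse_smtp_banner(banner):
    """Split an SMTP greeting into reply code, host name, free text, and any
    version string the free text gives away. Returns None if it is not SMTP."""
    first_line = banner.strip().split("\r\n")[0]
    m = re.match(r"^(\d{3})[ -](\S+)\s*(.*)$", first_line)
    if not m:
        return None
    code, host, text = m.groups()
    version = VERSION_RE.search(text)
    return {"code": int(code), "host": host, "text": text,
            "version": version.group(0) if version else None}


def parse_http_server_header(response):
    """Find the Server: header in an HTTP response and split product/version.
    Returns None when there is no Server header at all."""
    head = response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            value = value.strip()
            product, _, version = value.partition("/")
            return {"server": value, "product": product,
                    "version": version or None}
    return None


def discloses_version(parsed):
    """True when a parsed banner/header carries a version string."""
    return bool(parsed and parsed.get("version"))


if __name__ == "__main__":
    # Offline run over the constructed samples; to try a live host of your
    # own, replace the samples with grab_banner(host, 25) and
    # grab_banner(host, 80, probe=b"GET / HTTP/1.0\r\n\r\n").
    for label, sample in (("smtp verbose", SMTP_BANNER_VERBOSE),
                          ("smtp hardened", SMTP_BANNER_HARDENED)):
        print(label, parse_smtp_banner(sample))
    for label, sample in (("http verbose", HTTP_RESPONSE_VERBOSE),
                          ("http hardened", HTTP_RESPONSE_HARDENED)):
        print(label, parse_http_server_header(sample))
```

Note the difference in probes: for SMTP the script sends nothing and the 220 greeting arrives on its own, which is exactly the packet the Wireshark capture above shows right after the handshake; for HTTP it has to send a request line first, which is why the netcat session needed you to type something before IIS said anything.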

Ok, now onto something a tad more automated: nmap again has a switch for service detection (-sV). Let's run that on our host and see what it returns:

Nmap -sV parameter

So, as you can see, life is just a tad easier with that little switch: here are our banner grabs, done automatically for us! Hooray! It even guessed, based on the responses, what OS we are running! If you want nmap to dig deeper in OS detection, try -O on your command line. Nmap uses a lot of the packet header fields to make a guess as to the OS; for more information, check out the nmap website.
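Once -sV is doing the banner grabbing for you, the useful next step is to turn its output into an inventory rather than reading screenshots, which also answers the "what if you have multiple hosts" question below for the simple case. The script here is an added example, my own code and not part of the post or of nmap, that parses nmap's XML output (the -oX option; the `nmaprun`/`host`/`ports`/`port`/`service` elements and their `portid`, `product`, `version` and `state` attributes are nmap's real format) and flags two things the post calls out: services that announce a version, and hosts that stack several server roles on one box. The XML it parses is a constructed sample that I wrote to look like a scan of the post's lab, not real scan output, and the function names are mine.

```python
import xml.etree.ElementTree as ET

# Constructed sample of nmap -sV -oX output (not a real scan of the post's
# lab); element and attribute names follow nmap's XML schema.
SAMPLE_NMAP_XML = """
<nmaprun scanner="nmap" args="nmap -sV -oX - 192.168.0.0/24">
  <host><status state="up"/><address addr="192.168.0.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/><service name="ftp" product="Microsoft ftpd" version="5.1"/></port>
      <port protocol="tcp" portid="25"><state state="open"/><service name="smtp" product="Microsoft ESMTP" version="6.0.2600.5512"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Microsoft IIS httpd" version="5.1"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="1433"><state state="open"/><service name="ms-sql-s" product="Microsoft SQL Server"/></port>
    </ports>
    <os><osmatch name="Windows sample host (constructed)" accuracy="90"/></os>
  </host>
  <host><status state="up"/><address addr="192.168.0.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="5.9p1"/></port>
      <port protocol="tcp" portid="80"><state state="closed"/><service name="http"/></port>
    </ports>
  </host>
</nmaprun>
"""


def parse_nmap_xml(text):
    """Return {address: {"os": guess-or-None, "services": [records]}} from
    nmap XML. Each record keeps port, protocol, state, and the service
    name/product/version that -sV filled in (None when nmap had nothing)."""
    root = ET.fromstring(text)
    inventory = {}
    for host in root.findall("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        os_el = host.find("os/osmatch")
        records = []
        for port in host.findall("ports/port"):
            svc = port.find("service")
            state = port.find("state")
            records.append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "state": state.get("state") if state is not None else None,
                "name": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
            })
        inventory[addr_el.get("addr")] = {
            "os": os_el.get("name") if os_el is not None else None,
            "services": records,
        }
    return inventory


def open_services(inventory, addr):
    """Only the ports nmap reported as open for one host."""
    return [r for r in inventory[addr]["services"] if r["state"] == "open"]


def find_version_disclosures(inventory):
    """(addr, port, product, version) for every open service that told nmap
    its version; these are the banners you would want to trim or patch."""
    found = []
    for addr in inventory:
        for r in open_services(inventory, addr):
            if r["version"]:
                found.append((addr, r["port"], r["product"], r["version"]))
    return found


def find_service_stacking(inventory, threshold=3):
    """Hosts running at least `threshold` distinct open services, i.e. the
    'never thought of breaking up server functions' case from the post."""
    stacked = []
    for addr in sorted(inventory):
        roles = {r["name"] for r in open_services(inventory, addr) if r["name"]}
        if len(roles) >= threshold:
            stacked.append(addr)
    return stacked


if __name__ == "__main__":
    inv = parse_nmap_xml(SAMPLE_NMAP_XML)
    for addr, host in inv.items():
        print(addr, "os guess:", host["os"])
        for r in open_services(inv, addr):
            print("  %5d/%s %-12s %s %s" % (r["port"], r["proto"], r["name"],
                                           r["product"] or "", r["version"] or ""))
    print("version disclosures:", find_version_disclosures(inv))
    print("stacked hosts:", find_service_stacking(inv))
```

Feed it a real file with `parse_nmap_xml(open("scan.xml").read())`; nmap writes that file with `-oX scan.xml`, and the same parser works for a whole subnet's worth of hosts because it simply loops over every `host` element.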

So, that's all well and good, but what if you have multiple hosts (read: more than 3 or 4)? Then what shall we do? Never fear, for Metasploit has thought of that too :) I will actually make this part a video. Sorry, I can't be bothered to type any more! I am currently trying to get Dradis to play nicely, so it will be posted later!

2 comments:

e said...

Thanks very much for this post! I am not a pentester, but working on an NFAT demo and this information was very useful :)