
CSCM28 – Security Vulnerabilities and Penetration Testing

Week 3 - Enumeration

Jens Blanck

Jens Blanck CSCM28 Pen Testing 1 / 19


Recap and Today

Recap
Last week we considered scanning:
  Network protocols: TCP/UDP/ICMP/IP
  nmap
  hping3
Result: Details of IPs/ports/services.

Today
Enumeration (still part of the scanning phase, in fact nmap did some of this!)


Enumeration

We have gained information on open ports (and likely services): ssh, http, smtp, ftp.

But now can we extract more information based on those services and how they work? For each one: Version? Make?


Common IP Port Numbers

Port            Service
20/21           File Transfer Protocol (FTP): 21 is the control channel, 20 the active-mode data channel
22              Secure Shell (SSH)
23              Telnet: remote login service, unencrypted text
25              Simple Mail Transfer Protocol (SMTP): e-mail routing
53              Domain Name System (DNS), UDP and TCP
80              Hypertext Transfer Protocol (HTTP)
110             Post Office Protocol (POP3), used by e-mail clients
119             Network News Transfer Protocol (NNTP)
123             Network Time Protocol (NTP), UDP
135–139         Microsoft networking: 135 RPC endpoint mapper; 137–139 NetBIOS name, datagram and session services (137/138 UDP, 139 TCP)
143             Internet Message Access Protocol (IMAP): mailbox access and management
161             Simple Network Management Protocol (SNMP), UDP
194             Internet Relay Chat (IRC), the IANA assignment (most servers actually listen on 6667)
443             HTTP Secure (HTTPS): HTTP over TLS/SSL
445             SMB directly over TCP (without the NetBIOS layer)
548             Apple Filing Protocol (AFP)
1433            Microsoft SQL Server
8000,8008,8080  Alternate HTTP ports: development servers, proxies, admin interfaces

Unless noted, the ports are TCP. Port numbers are conventions, not guarantees: a service can listen anywhere, which is why nmap -sV probes the service itself rather than trusting the port number.


Gaining Information: Banner Grabbing

Banner Grabbing

A banner is the text a service sends to a client on connection, or in reply to a first request.

Banners usually contain information about a service, such as its name and version number (OpenSSH 4.7p1, Apache 2.2.8, ...), which is exactly what is needed to look up known vulnerabilities. Treat a banner as a hint rather than proof: administrators can change or suppress it, so confirm with the service's behaviour where it matters.

So how can we gain such banners?

Interact with the services!


Telnet

Telnet is one of the oldest protocols for bidirectional text exchange on a network. The telnet client simply opens a TCP connection and relays what you type, byte for byte, which is why it works as a probe against any text-based service, not only telnet servers.

That's it! Simple but powerful.

Usage:

telnet <ipaddress> <port>

(Many modern systems no longer ship a telnet client; nc -v <ipaddress> <port> or ncat does the same job.)

Demo:

Let's try telnet to a web service on port 80…

Or perhaps an SSH service on port 22…


Telnet Demo Examples

Telnet to web server

$ telnet 10.230.42.9 80
Trying 10.230.42.9...
Connected to 10.230.42.9.
Escape character is '^]'.
get /help
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>501 Method Not Implemented</title>
</head><body>
<h1>Method Not Implemented</h1>
<p>get to /help not supported.<br />
</p>
<hr>
<address>Apache/2.2.8 (Ubuntu) DAV/2 Server at metasploitable.localdomain Port 80</address>
</body></html>

What happened: "get /help" is not a valid HTTP request (methods are case-sensitive and the request line carries no protocol version), so Apache answered 501 Method Not Implemented. The error page still carries the ServerSignature line, leaking product, version, distribution and a loaded module (DAV/2). A well-formed request such as HEAD / HTTP/1.0 followed by a blank line returns the same information in the Server: response header. On a hardened server, ServerTokens Prod and ServerSignature Off reduce all of this to "Apache".


Telnet to ssh server

$ telnet 10.230.42.9 22
Trying 10.230.42.9...
Connected to 10.230.42.9.
Escape character is '^]'.
SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1
hello
Protocol mismatch.
Connection closed by foreign host.

An SSH server sends its identification string as soon as the TCP connection is up (RFC 4253), so nothing had to be typed: the banner names the software and version (OpenSSH 4.7p1) and the distribution package (Debian-8ubuntu1). Typing "hello" instead of a valid client identification string makes the server drop the connection with "Protocol mismatch", which is harmless but does show up in its logs.
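The two telnet sessions above, done programmatically, as an added example that is not part of the lecture slides: grab_banner() opens a TCP connection, optionally sends a probe and returns what the service says, and parse_banner() pulls product and version out of SSH identification strings and HTTP Server: headers. The two "services" it talks to are constructed stand-ins started on loopback so the script runs offline; their banner text mirrors the Metasploitable output on the slides, and the HEAD probe is the well-formed request the demo's "get /help" was not.

```python
# Added example (not from the lecture slides): banner grabbing as code.
import re
import socket
import threading

# SSH-<protoversion>-<softwareversion> [comments]   (RFC 4253 section 4.2)
SSH_ID = re.compile(r"^SSH-(?P<proto>[\d.]+)-(?P<software>[^\s_]+)_?(?P<version>\S*)(?:\s+(?P<comment>.*))?")
# "Server: Apache/2.2.8 (Ubuntu) DAV/2" style header anywhere in the response
HTTP_SERVER = re.compile(r"^Server:\s*(?P<software>[^/\s]+)/?(?P<version>\S*)", re.M | re.I)


def grab_banner(host, port, probe=b"", timeout=3.0):
    """Connect, send the probe (empty for protocols where the server talks
    first: SSH, FTP, SMTP), and read until the peer closes or goes quiet."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        if probe:
            s.sendall(probe)
        try:
            while len(b"".join(chunks)) < 65536:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass  # the server is now waiting for us (SSH after its banner): keep what we have
    return b"".join(chunks).decode("utf-8", "replace")


def parse_banner(banner):
    """Return {'protocol', 'software', 'version'}; every field is None if unrecognised."""
    first = banner.lstrip().split("\n", 1)[0].rstrip("\r")
    m = SSH_ID.match(first)
    if m:
        return {"protocol": "ssh", "software": m["software"], "version": m["version"] or None}
    m = HTTP_SERVER.search(banner)
    if m:
        return {"protocol": "http", "software": m["software"], "version": m["version"] or None}
    return {"protocol": None, "software": None, "version": None}


def start_fake_service(reply, wait_for_request=False):
    """Constructed stand-in for a real daemon: listens on 127.0.0.1, serves one
    client, sends `reply` (after reading a request if wait_for_request) and
    closes. Returns the ephemeral port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            if wait_for_request:
                conn.recv(4096)
            conn.sendall(reply)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


# Constructed banners mirroring the demo output on the slides.
SSH_BANNER = b"SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1\r\n"
HTTP_REPLY = (b"HTTP/1.1 200 OK\r\n"
              b"Server: Apache/2.2.8 (Ubuntu) DAV/2\r\n"
              b"Content-Length: 0\r\nConnection: close\r\n\r\n")
HEAD_PROBE = b"HEAD / HTTP/1.0\r\nHost: target\r\n\r\n"  # well-formed, unlike "get /help"


def demo():
    """Grab and parse both constructed services; returns {'ssh': ..., 'http': ...}."""
    ssh_port = start_fake_service(SSH_BANNER)
    http_port = start_fake_service(HTTP_REPLY, wait_for_request=True)
    return {
        "ssh": parse_banner(grab_banner("127.0.0.1", ssh_port)),
        "http": parse_banner(grab_banner("127.0.0.1", http_port, probe=HEAD_PROBE)),
    }


if __name__ == "__main__":
    for service, info in demo().items():
        print(f"{service}: {info}")
```

Against a real target, call grab_banner(host, 22) with no probe and grab_banner(host, 80, probe=HEAD_PROBE); the socket timeout is what ends the SSH read, since the server stays connected waiting for the client's own identification string.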


Gaining Information: SMB

SMB

Server Message Block (SMB) is a protocol for sharing files, printers, and communication abstractions such as named pipes and mailslots between computers.

Two levels of security:

Share level: Each share can have a password, and a client only needs that password to access all files under that share. (Legacy: SMB2/3 servers, and Samba from version 4.0 on, support only user-level security.)

User level: Protection applied to individual files, based on user access rights. Each user (client) must be authenticated by the server, and access to each share and file is then decided by that user's rights.


SMB Tools

There are a number of useful tools for interacting with SMB:

nbtscan – scan for NetBIOS name information (node status queries to udp/137)
smbmap – enumerate shares, and the permissions the supplied (or null) credentials have on each
smbclient – interact with shares (an ftp-like client; smbclient -L lists them)
enum4linux – do all the above and more! (a wrapper around smbclient, rpcclient, net and nmblookup; enum4linux-ng is a Python rewrite)

Example: SMB shares


nbtscan and smbmap

nbtscan
$ nbtscan 10.230.42.9
Doing NBT name scan for addresses from 10.230.42.9

IP address       NetBIOS Name     Server    User             MAC address
------------------------------------------------------------------------------
10.230.42.9      METASPLOITABLE   <server>  METASPLOITABLE   00:00:00:00:00:00

The all-zero MAC address is typical of a Samba server, which does not fill in the hardware address field of its node status reply; a Windows host reports its real MAC here.

smbmap
$ smbmap -H 10.230.42.9

Disk      Permissions   Comment
----      -----------   -------
print$    NO ACCESS     Printer Drivers
tmp       READ, WRITE   oh noes!
opt       NO ACCESS
IPC$      NO ACCESS     IPC Service (metasploitable server (Samba 3.0.20-Debian))
ADMIN$    NO ACCESS     IPC Service (metasploitable server (Samba 3.0.20-Debian))

With no -u/-p given, smbmap connects as an anonymous (null) user, so this listing already shows what an unauthenticated client gets: a world-writable tmp share and, from the share comments, the exact Samba version (3.0.20).


Null Session

Null Session
A null session is a session opened with an empty username and password. It allows access to information without providing a username (or password).

This kind of attack is general (any service that answers unauthenticated clients can leak information), but SMB is the classic example that can be vulnerable.

Note: Old versions of SMB allow null sessions on IPC$, the inter-process communication share that exposes the RPC named pipes (SAMR, LSARPC, SRVSVC). Reaching those pipes without authentication is what lets a client enumerate users, groups, shares and password policy remotely. On Windows this is governed by the RestrictAnonymous / RestrictAnonymousSAM settings (restricted by default on modern versions); on Samba by restrict anonymous and map to guest in smb.conf.


smbclient Null Session

smbclient
SMB can be vulnerable to null session attacks. If vulnerable, we may list shares and users.
$ smbclient \\\\10.230.42.9\\tmp -N -U ""
Try "help" to get a list of possible commands.
smb: \> ls
  .                  D    0  Sun Jan 28 16:29:32 2024
  ..                 DR   0  Sun May 20 20:36:12 2012
  .ICE-unix          DH   0  Fri Jan 26 14:52:35 2024
  5113.jsvc_up       R    0  Fri Jan 26 14:56:04 2024
  orbit-msfadmin     DR   0  Sun Jan 28 11:25:31 2024
  .X11-unix          DH   0  Fri Jan 26 14:52:45 2024
  .X0-lock           HR  11  Fri Jan 26 14:52:45 2024
  gconfd-msfadmin    DR   0  Sun Jan 28 11:25:31 2024

                7282168 blocks of size 1024. 5431084 blocks available

-N means never prompt for a password and -U "" supplies an empty username; together they request a null session. smbclient -L //10.230.42.9 -N lists the shares the same way, and rpcclient -U "" -N 10.230.42.9 followed by enumdomusers lists users over the IPC$ pipes.

Even a directory listing leaks something: orbit-msfadmin and gconfd-msfadmin are per-user session directories, so msfadmin is a valid local username to try in the next phase.
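The Samba settings that decide whether the null session above succeeds, as an added example: this is not Metasploitable's actual smb.conf (which the slides do not show) but a constructed [global]/[tmp] fragment with the permissive settings a null session relies on, followed by the hardened equivalents. Parameter names and values are real Samba options; the share path and the users group are assumptions.

```ini
; Added example, not Metasploitable's real configuration.

; --- permissive: what the null session needs ---
[global]
   workgroup = WORKGROUP
   security = user
   map to guest = Bad User        ; unknown or empty usernames are mapped to the guest account
   restrict anonymous = 0         ; anonymous connections to IPC$ allowed (the default)
   null passwords = yes           ; accounts with an empty password may log in

[tmp]
   path = /tmp
   guest ok = yes                 ; no credentials needed for this share at all
   writable = yes

; --- hardened ---
[global]
   workgroup = WORKGROUP
   security = user
   map to guest = Never           ; a failed logon stays failed, no guest fallback
   restrict anonymous = 2         ; refuse anonymous IPC$ connections outright (may break very old clients)
   null passwords = no
   server min protocol = SMB2_02  ; no SMB1 at all

[tmp]
   path = /tmp
   guest ok = no
   valid users = @users           ; assumed group name
   writable = yes
```

After the change, smbclient -L //host -N and smbmap -H host should be refused, and enum4linux -a should come back empty for users, shares and policy; anything it still reports is being served to anonymous clients on purpose and should be justified.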


enum4linux

enum4linux -a runs all the simple checks (users, shares, groups, password policy, OS information, RID cycling) with an empty username and password, that is, over a null session. The Known Usernames below are looked up first to learn the domain SID, and the RID Range is then cycled against that SID to recover further accounts.
$ enum4linux -a 10.230.42.9
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sun Jan 28 16:39:06 2024

=========================================( Target Information )=========================================

Target ........... 10.230.42.9


RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

============================( Enumerating Workgroup/Domain on 10.230.42.9 )============================

[+] Got domain/workgroup name: WORKGROUP

================================( Nbtstat Information for 10.230.42.9 )================================

Looking up status of 10.230.42.9


METASPLOITABLE <00> - B <ACTIVE> Workstation Service
METASPLOITABLE <03> - B <ACTIVE> Messenger Service
METASPLOITABLE <20> - B <ACTIVE> File Server Service
..__MSBROWSE__. <01> - <GROUP> B <ACTIVE> Master Browser
WORKGROUP <00> - <GROUP> B <ACTIVE> Domain/Workgroup Name
WORKGROUP <1d> - B <ACTIVE> Master Browser
WORKGROUP <1e> - <GROUP> B <ACTIVE> Browser Service Elections

MAC Address = 00-00-00-00-00-00

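The NetBIOS node status query behind the nbtscan output and the Nbtstat section of enum4linux above, as an added example that is not part of the lecture slides: build_node_status_request() produces the datagram both tools send to udp/137, and parse_node_status_response() turns the reply into the name table (name, suffix, group/unique, node type, active, role, MAC). The reply parsed by demo() is constructed here to mirror the METASPLOITABLE output, so the script runs offline; query_node_status() is the live version and needs network access. Role names are the ones nmblookup and enum4linux print.

```python
# Added example (not from the lecture slides): the NetBIOS node-status query that
# nbtscan and enum4linux's nbtstat step send to udp/137, and a parser for the
# reply that yields the name table shown above.
import socket
import struct

NBSTAT, CLASS_IN = 0x0021, 0x0001
NAME_ROLES = {  # (suffix, is_group) -> role, as nmblookup/enum4linux print it
    (0x00, False): "Workstation Service", (0x00, True): "Domain/Workgroup Name",
    (0x01, True): "Master Browser", (0x03, False): "Messenger Service",
    (0x1B, False): "Domain Master Browser", (0x1C, True): "Domain Controllers",
    (0x1D, False): "Master Browser", (0x1E, True): "Browser Service Elections",
    (0x20, False): "File Server Service",
}


def encode_name(name, suffix=0x00):
    """First-level encoding (RFC 1001 section 14.1): 15-byte padded name + suffix
    byte, each byte split into two nibbles written 'A'..'P', as one 32-char label.
    The wildcard '*' is NUL-padded, giving the familiar CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA."""
    pad = b"\x00" if name == "*" else b" "
    raw = name.upper().encode("ascii")[:15].ljust(15, pad) + bytes([suffix])
    enc = bytes(c for b in raw for c in (0x41 + (b >> 4), 0x41 + (b & 0x0F)))
    return bytes([len(enc)]) + enc + b"\x00"


def build_node_status_request(trn_id=0x1337):
    """Header (id, flags 0 = plain query, QDCOUNT 1) + question '*' of type NBSTAT."""
    return struct.pack("!HHHHHH", trn_id, 0, 1, 0, 0, 0) + encode_name("*") + struct.pack("!HH", NBSTAT, CLASS_IN)


def _skip_name(data, off):
    """Advance past a label sequence or a 0xC0 compression pointer."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse_node_status_response(data, expect_trn_id=None):
    """Return {'names': [...], 'mac': ...} from a NODE STATUS RESPONSE (RFC 1002 section 4.2.18)."""
    trn_id, flags, _, ancount, _, _ = struct.unpack_from("!HHHHHH", data, 0)
    if expect_trn_id is not None and trn_id != expect_trn_id:
        raise ValueError("transaction id mismatch (stale or spoofed reply)")
    if not flags & 0x8000 or ancount < 1:
        raise ValueError("not a response")
    off = _skip_name(data, 12)
    rtype, _, _, _ = struct.unpack_from("!HHIH", data, off)  # type, class, TTL, RDLENGTH
    off += 10
    if rtype != NBSTAT:
        raise ValueError(f"unexpected RR type {rtype:#06x}")
    count, off = data[off], off + 1
    names = []
    for _ in range(count):
        raw, suffix, nflags = struct.unpack_from("!15sBH", data, off)
        off += 18
        text = raw.decode("latin-1").rstrip(" \x00")
        group = bool(nflags & 0x8000)  # G bit; ONT in bits 13-14; ACT in bit 10
        names.append({"name": "".join(c if 32 <= ord(c) < 127 else "." for c in text),
                      "suffix": suffix, "group": group, "node_type": "BPMH"[(nflags >> 13) & 3],
                      "active": bool(nflags & 0x0400), "role": NAME_ROLES.get((suffix, group), "unknown")})
    return {"names": names, "mac": ":".join(f"{b:02X}" for b in data[off:off + 6])}  # unit ID


def build_node_status_response(trn_id, entries, mac=b"\x00" * 6):
    """Constructed reply in the server's format, for the offline demo."""
    rdata = bytes([len(entries)])
    for name, suffix, nflags in entries:
        raw = name if isinstance(name, bytes) else name.encode("ascii")
        rdata += raw[:15].ljust(15, b" ") + bytes([suffix]) + struct.pack("!H", nflags)
    rdata += mac + b"\x00" * 40  # STATISTICS: unit ID (MAC), then counters (zeroed here)
    header = struct.pack("!HHHHHH", trn_id, 0x8400, 0, 1, 0, 0)  # response, authoritative
    return header + encode_name("*") + struct.pack("!HHIH", NBSTAT, CLASS_IN, 0, len(rdata)) + rdata


# Constructed name table mirroring the enum4linux output on the slide.
# NAME_FLAGS 0x0400 = unique, B-node, active; 0x8400 = the same for a group name.
SAMPLE_ENTRIES = [
    ("METASPLOITABLE", 0x00, 0x0400), ("METASPLOITABLE", 0x03, 0x0400),
    ("METASPLOITABLE", 0x20, 0x0400), (b"\x01\x02__MSBROWSE__\x02", 0x01, 0x8400),
    ("WORKGROUP", 0x00, 0x8400), ("WORKGROUP", 0x1D, 0x0400), ("WORKGROUP", 0x1E, 0x8400),
]


def query_node_status(host, timeout=2.0):
    """Live version: one UDP datagram to port 137 (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_node_status_request(0x1337), (host, 137))
        data, _ = s.recvfrom(4096)
    return parse_node_status_response(data, 0x1337)


def demo():
    """Parse the constructed METASPLOITABLE reply offline."""
    return parse_node_status_response(build_node_status_response(0x1337, SAMPLE_ENTRIES), 0x1337)


if __name__ == "__main__":
    result = demo()
    for n in result["names"]:
        print(f"{n['name']:<16}<{n['suffix']:02x}> {'<GROUP>' if n['group'] else '       '} "
              f"{n['node_type']} {'<ACTIVE>' if n['active'] else '<INACTIVE>'} {n['role']}")
    print("MAC Address =", result["mac"])
```

The transaction-id check matters on a real scan: NBNS is unauthenticated UDP, so a reply that does not match the id you sent is either stale or forged and should not be trusted.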


Gaining Information: Hardware Access

Gaining MAC Addresses

If we can connect to either a Wifi or Ethernet network, there is a lot to gain, because we now share a layer-2 segment with the other hosts.

In particular, a first step would be to gain information on any other connected machines.
Of course we can use an Nmap scan (on a local subnet nmap -sn already uses ARP and prints MAC and vendor), but if we can gain MAC addresses, they may be useful (man-in-the-middle, spoofing, …). ARP-based discovery also finds hosts whose firewalls drop ICMP and TCP probes: a host must answer ARP for its own address or it cannot communicate at all.


Address Resolution Protocol (ARP)

ARP is the protocol used for discovery of "link layer" addresses, i.e. MACs, on the local segment: a host that needs to deliver to an IP address broadcasts a request and caches the answer.

The exchange from the slides (192.168.1.68 wants to talk to 192.168.1.24, and vice versa):

  192.168.1.68 → ff:ff:ff:ff:ff:ff (broadcast):  Who is 192.168.1.24?
  192.168.1.24 → 192.168.1.68:                   I am! (192.168.1.24 is at AA:BB:CC:DD:EE:FF)
  192.168.1.24 → ff:ff:ff:ff:ff:ff (broadcast):  Who is 192.168.1.68?
  192.168.1.68 → 192.168.1.24:                   I am! (192.168.1.68 is at A1:B1:C1:D1:E1:F1)

Resulting ARP table:

  IP Address      MAC Address
  192.168.1.24    AA:BB:CC:DD:EE:FF
  192.168.1.68    A1:B1:C1:D1:E1:F1

ARP has no authentication: any host on the segment can answer a request, or send unsolicited replies, and most stacks update their cache accordingly. That is the basis of ARP spoofing and the man-in-the-middle attacks mentioned on the previous slide.


netdiscover

Sends ARP requests for every address in a range (just like any host or router does before delivering a packet locally) and listens for the replies; with -p it only listens passively, which is quieter. Typical usage: netdiscover -i eth0 -r 192.168.1.0/24

Notice, we gain vendor information too! netdiscover resolves the first three bytes of each MAC (the OUI) against the IEEE vendor registry, which often reveals the hardware (VMware, Raspberry Pi, Cisco, …) before any port scan.


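The ARP exchange from the diagram and the bookkeeping netdiscover does with the replies, as an added example that is not part of the lecture slides: build_arp() emits the request and reply frames, parse_arp() decodes them, and discover() keeps the IP → (MAC, vendor) table. It goes one step beyond the slides by flagging an IP that is claimed by two different MACs, which is how ARP spoofing looks on the wire. The frames and the OUI excerpt are constructed here; send_frame() is the only part that touches the network (Linux raw socket, root required) and the offline demo does not call it.

```python
# Added example (not from the lecture slides): ARP frames, a netdiscover-style
# table, OUI vendor lookup and a duplicate-claim check for spoofing.
import struct

ETH_P_ARP = 0x0806
BROADCAST = "FF:FF:FF:FF:FF:FF"
ZERO_MAC = "00:00:00:00:00:00"
ARP_REQUEST, ARP_REPLY = 1, 2

# Tiny constructed excerpt of the IEEE OUI registry (first three MAC bytes -> vendor).
OUI = {"00:0C:29": "VMware, Inc.", "08:00:27": "PCS Systemtechnik GmbH (VirtualBox)"}


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b):
    return ":".join(f"{x:02X}" for x in b)


def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def vendor(mac):
    return OUI.get(mac.upper()[:8], "unknown")


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II header + ARP body (RFC 826): htype 1 (Ethernet), ptype 0x0800 (IPv4).
    A request is broadcast with an all-zero target MAC; a reply is unicast to the asker."""
    dst = BROADCAST if op == ARP_REQUEST else target_mac
    eth = mac_bytes(dst) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
           + mac_bytes(sender_mac) + ip_bytes(sender_ip)
           + mac_bytes(target_mac) + ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame):
    """Decode an ARP frame; None for anything that is not Ethernet/IPv4 ARP."""
    if len(frame) < 42 or struct.unpack_from("!H", frame, 12)[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack_from("!HHBBH", frame, 14)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa = mac_str(frame[22:28]), ip_str(frame[28:32])
    tha, tpa = mac_str(frame[32:38]), ip_str(frame[38:42])
    return {"op": op, "sender_mac": sha, "sender_ip": spa, "target_mac": tha,
            "target_ip": tpa, "vendor": vendor(sha)}


def discover(frames):
    """netdiscover's bookkeeping over received frames: first-seen IP -> (MAC, vendor),
    plus (ip, first_mac, other_mac) for every later reply that claims an already-known
    IP with a different MAC, the on-the-wire signature of ARP spoofing."""
    table, conflicts = {}, []
    for frame in frames:
        p = parse_arp(frame)
        if p is None or p["op"] != ARP_REPLY:
            continue
        ip, mac = p["sender_ip"], p["sender_mac"]
        if ip in table and table[ip][0] != mac:
            conflicts.append((ip, table[ip][0], mac))
        table.setdefault(ip, (mac, p["vendor"]))
    return table, conflicts


def send_frame(iface, frame):
    """Put a frame on the wire (Linux only, root required). Not used by demo()."""
    import socket
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ARP)) as s:
        s.bind((iface, 0))
        return s.send(frame)


# Constructed traffic: the two request/reply pairs from the diagram, then an extra
# reply from a VMware MAC that also claims 192.168.1.24 (a spoofing attempt).
SAMPLE_FRAMES = [
    build_arp(ARP_REQUEST, "A1:B1:C1:D1:E1:F1", "192.168.1.68", ZERO_MAC, "192.168.1.24"),
    build_arp(ARP_REPLY, "AA:BB:CC:DD:EE:FF", "192.168.1.24", "A1:B1:C1:D1:E1:F1", "192.168.1.68"),
    build_arp(ARP_REQUEST, "AA:BB:CC:DD:EE:FF", "192.168.1.24", ZERO_MAC, "192.168.1.68"),
    build_arp(ARP_REPLY, "A1:B1:C1:D1:E1:F1", "192.168.1.68", "AA:BB:CC:DD:EE:FF", "192.168.1.24"),
    build_arp(ARP_REPLY, "00:0C:29:12:34:56", "192.168.1.24", "A1:B1:C1:D1:E1:F1", "192.168.1.68"),
]


def demo():
    return discover(SAMPLE_FRAMES)


if __name__ == "__main__":
    table, conflicts = demo()
    for ip, (mac, vend) in sorted(table.items()):
        print(f"{ip:<16}{mac}  {vend}")
    for ip, first, other in conflicts:
        print(f"! {ip} answered by both {first} and {other}")
```

To run it live, generate the requests for a range with build_arp(ARP_REQUEST, your_mac, your_ip, ZERO_MAC, target_ip), hand them to send_frame(), and feed the frames captured on the same raw socket to discover(); anything reported in conflicts deserves a look before trusting the table.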


Gaining Information: Default Passwords

Default Password Lists

Example: http://www.routerpasswords.com

Default passwords are an obvious security vulnerability, but many still exist; the banner and vendor information gathered above tells you which list to consult.
Similarly there are many tools for password guessing and cracking (hydra for online guessing against a service, john and hashcat for cracking captured hashes).
And from here we enter the next phase of pen testing.
Summary

Enumeration setup: targeted scanning
Example services:
  Banner grabbing.
  SMB (and null sessions)
  ARP MAC discovery
Tools to support.

Lab: Exploring the above tools.

Next week: Gaining access through vulnerabilities.
