=============================
Banner Grabbing: Enumeration & Exploitation
=============================

Most of the time an attacker wants to find out a remote service's version, so that he can exploit it with a known exploit/vulnerability, duh.

As a general method, a nice tool such as amap can be used to determine the running services, their versions, and also the port(s) they're running on. For all you lazy bums, use it in this format:

[$bash]$ amap -sT intranet.example.com 1234

But that's too lazy, and it's not 1337 at all!
Why use tools, when you can learn a lot more by doing it manually? So, let me take the people who do NOT know how to enumerate or exploit through the rabbit hole. Let's go by example, and do the easiest one first.


1. FTP Enumeration & Exploitation, for beginners:

a) For a host running an FTP server: to find its version, all we do is connect to the server and wait like good boys and girls. Hopefully the admin is a dummy and didn't fake the banner info. So, go ahead and ftp to the server:

[$bash]$ ftp 192.168.1.1
connected to 192.168.1.1 (192.168.1.1)
220 192.168.1.1 FTP Server (version wu-2.6.2+Sun) ready.

We could have done the same thing with telnet... remember?
[$bash]$ telnet 192.168.1.1 21
connected to 192.168.1.1 (192.168.1.1)
220 192.168.1.1 FTP Server (version wu-2.6.2+Sun) ready.

You've just grabbed their banner (how Schwetty!)

Now we know the version from the result of the established connection.
Logically, since you're a bad boy/girl, you think first and foremost about getting into the server.
In order to get in, you go to Google and type in "wu-2.6.2 exploit". Hopefully, you get code in C (.c) or Perl (.pl) already written for you. Or go to SecurityFocus or milw0rm and find the exploit.

b) Go ahead, download the C or Perl exploit. For this example, I found the exploit in C by using Google: http://marc.theaimsgroup.com/?l=bugtraq&m=106001702232325&w=2

c) Compile it, with GCC:
[$bash]$ gcc wu262.c -o wu262

d) Point it at your victim (lol). Note that you run the compiled binary, not the .c source:
[$bash]$ ./wu262 192.168.1.100

[If you don't know how to make exploits right now, learn how to make your own! It won't always be this EASY, and most of the time it's not! Learn C, Perl, Ruby, or C++. I'm only using this as an example, since I can't cover how to make exploits in the same tutorial. Time willing, I will make something on that topic later.]


2. SSH Enumeration & Exploitation, for beginners:

The same concepts and techniques also apply to the SSH daemon or service. So go ahead and telnet to it, but this time to port 22 instead of port 21.

[$bash]$ telnet 192.168.1.1 22
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape Character is '^]'.
SSH-1.99-OpenSSH_3.4pl

You've just grabbed their banner (how Schwetty!)

So, use Google ('tis really an amazing engine!).
Download, compile, and "point" your exploit at the target. If all went well, then your payload should do whatever the shellcode is set to do.

[Shellcoding is also something I recommend getting into. Microprocessor Architecture, Assembly Programming, and Hex knowledge helps a LOT in coding your exploits.]

HOPEFULLY, now that you understand how the above examples work, you can apply the same idea to other services, like:

3. SMTP (Simple Mail Transfer Protocol) on Port 25
4. POP3 (Post Office Protocol 3) on Port 110


5. DNS (Domain Name System) on Port 53
The most widely used DNS server software on Linux is BIND, so to find its version we use a different method: a TXT query in the CHAOS class for the name VERSION.BIND.

[$bash]$ dig -t txt -c chaos VERSION.BIND @192.168.1.1
... (look for something like this, but there's a lot of output)
;; ANSWER SECTION:
;VERSION.BIND 0 CH TXT "8.3.3-REL"
;; Query Time: 30 msec
;; SERVER: 192.168.1.1#53 (192.168.1.1)
;; WHEN: SAT Jan 18 03:30:30 2007
;; MSG SIZE rcvd: 64

We can see the version is BIND 8.3.3 (so, you know what to do from here).


6. HTTP (HyperText Transfer Protocol) on Port 80

[$bash]$ telnet 192.168.1.1 80
trying 192.168.1.1...
connected to www.example.com.
Escape Character is '^]'.

and query the server for the following info:

HEAD / HTTP/1.0
[ENTER][ENTER]

you should get a response resembling the following:

HTTP/1.1 200 OK
Date: SAT Jan 18 03:30:30 2007
Server: Apache/1.3.27 (Unix) PHP/4.2.1 mod_jk/1.2.0 mod_ssl/2.8.12 OpenSSL/0.9.6h
...

WOW, what a bunch of information. There's so much we can do with this. But it's up to you to decide what you want to attack, because we have such a plethora of choices.
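The manual sessions in sections 1, 2 and 6 above are all the same three steps: connect, send a probe only if the service is one that waits for the client to speak first (HTTP), then read the first thing the server says. Below is that loop as a small Python function. It is an added example, not part of netfish's article: the names grab_banner and start_demo_server are my own, and the demo server exists only so the snippet runs offline against a constructed wu-ftpd banner and a constructed Apache reply rather than somebody else's host. Run it against your own inventory to see what each listener volunteers.

```python
import socket
import threading

# Constructed sample banners for the local demo server, transcribed from the
# sessions in the article above (the Date header is made up).
DEMO_FTP_BANNER = b"220 192.168.1.1 FTP Server (version wu-2.6.2+Sun) ready.\r\n"
DEMO_HTTP_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Sat, 18 Jan 2007 03:30:30 GMT\r\n"
    b"Server: Apache/1.3.27 (Unix) PHP/4.2.1 mod_jk/1.2.0 mod_ssl/2.8.12 OpenSSL/0.9.6h\r\n"
    b"\r\n"
)


def grab_banner(host, port, probe=None, timeout=3.0, max_bytes=4096):
    """Connect, optionally send a probe, and return what the service says first.

    FTP, SSH, SMTP, POP3 and the telnet login prompt speak first, so no probe
    is needed and one line is enough.  HTTP stays silent until asked, so for it
    pass probe=b"HEAD / HTTP/1.0\\r\\n\\r\\n" and read up to the end of the headers.
    """
    end_marker = b"\r\n\r\n" if probe is not None else b"\n"
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if probe is not None:
            sock.sendall(probe)
        try:
            while len(b"".join(chunks)) < max_bytes:
                data = sock.recv(max_bytes)
                if not data:            # peer closed: nothing more to learn
                    break
                chunks.append(data)
                if end_marker in b"".join(chunks):
                    break               # got the banner; don't wait for the timeout
        except (socket.timeout, ConnectionResetError):
            pass                        # silent or rude service: return what we have
    return b"".join(chunks).decode("utf-8", errors="replace").strip()


def start_demo_server(banner=DEMO_FTP_BANNER, wait_for_request=False):
    """Stand-in for a real daemon: accepts one loopback connection, sends the
    banner (after reading a request first, if asked to mimic HTTP), then closes.
    Returns (host, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    srv.listen(1)
    host, port = srv.getsockname()

    def serve():
        conn, _ = srv.accept()
        with conn:
            if wait_for_request:
                conn.recv(1024)         # HTTP-style: say nothing until asked
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return host, port


if __name__ == "__main__":
    h, p = start_demo_server()
    print("ftp-style :", grab_banner(h, p))
    h, p = start_demo_server(DEMO_HTTP_RESPONSE, wait_for_request=True)
    print("http-style:", grab_banner(h, p, probe=b"HEAD / HTTP/1.0\r\n\r\n"))
```

The end-of-banner check is what keeps this usable in a loop over many hosts: a listener that accepts the connection but never speaks (a firewall tarpit, or a service that expects the client to go first) returns an empty string after the timeout instead of hanging the whole sweep.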

7. MySQL on Port 3306 (TCP)
[$bash]$ telnet 192.168.1.1 3306
trying 192.168.1.1...
connected to www.example.com.
Escape Character is '^]'.
(3.23.49&r/3Nod*Connection closed by foreign Host.

Hmmm... Beautiful! We see the version here is 3.23.49 (the junk around it is the rest of the binary MySQL handshake, which telnet prints as-is).

8. Obtaining the victim's telnet server banner (which, hopefully, reveals the OS version...)

[$bash]$ telnet 192.168.1.1
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape Character is '^]'.
SunOS 5.8

Now we know their OS, and also its version (SunOS 5.8).
Thus, we go on searching for that particular OS version's vulnerabilities.

For example, I've found several vulnerabilities for that particular OS version, which are hopefully still unpatched by the administrator.

Solaris Whodo Buffer Overflow Vulnerability (Exploit, SOR, CFTIME)
http://www.securiteam.com/exploits/5AP0E0U4UU.html

Multiple Vendor rpc.yppasswdd Buffer Overrun Vulnerability
http://www.securityfocus.com/bid/2763/discuss

Solaris uucp Buffer Overflow Vulnerability
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=92

The Sun Solstice Enterprise Manager (Solstice EM) daemon and the Sun SNMP agent components
http://www.symantec.com/security_response/vulnerability.jsp?bid=2005

These are old exploits, but once again, this is just an example to simulate the real world.
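Every session above ends the same way: a human eyeballs the banner for the version string. The script below does that step for each banner format shown in this article (wu-ftpd's 220 line, the SSH identification string, the Server header from a HEAD request, the MySQL handshake both as telnet mangles it and as the raw packet, dig's VERSION.BIND answer, and the SunOS login banner) and reports which listeners disclose a version. It is an added example, not part of the article: the sample banners are transcribed from the sessions above, the MySQL packet and the "Server: Apache" reply (what Apache sends with ServerTokens Prod) are constructed, and the function names are my own.

```python
import re

# Constructed samples: (label, service type, raw banner as the client saw it).
# Transcribed from the article's sessions, plus one hardened HTTP reply for contrast.
SAMPLES = [
    ("ftp",           "ftp",    "220 192.168.1.1 FTP Server (version wu-2.6.2+Sun) ready."),
    ("ssh",           "ssh",    "SSH-1.99-OpenSSH_3.4pl"),
    ("http",          "http",   "HTTP/1.1 200 OK\r\nDate: Sat, 18 Jan 2007 03:30:30 GMT\r\n"
                                "Server: Apache/1.3.27 (Unix) PHP/4.2.1 mod_jk/1.2.0 "
                                "mod_ssl/2.8.12 OpenSSL/0.9.6h\r\n\r\n"),
    ("http_hardened", "http",   "HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n"),
    ("mysql",         "mysql",  "(3.23.49&r/3Nod*"),
    ("bind",          "bind",   ';; ANSWER SECTION:\nVERSION.BIND.\t0\tCH\tTXT\t"8.3.3-REL"\n'),
    ("telnet",        "telnet", "SunOS 5.8"),
]

# Constructed MySQL handshake packet: 3-byte little-endian payload length, sequence
# byte, protocol version 10 (0x0a), then the NUL-terminated server version string.
_PAYLOAD = b"\x0a" + b"3.23.49" + b"\x00" + b"\x01\x00\x00\x00" + b"xxxxxxxx\x00"
SAMPLE_MYSQL_PACKET = len(_PAYLOAD).to_bytes(3, "little") + b"\x00" + _PAYLOAD


def _result(product=None, version=None, extra=None):
    return {"product": product, "version": version, "extra": extra or []}


def parse_banner(service, raw):
    """Pull product and version out of one banner; fields are None when absent."""
    if service == "ftp":
        # e.g. "... (version wu-2.6.2+Sun) ready."
        m = re.search(r"version\s+([A-Za-z]+)-([0-9][\w.+]*)", raw)
        return _result(m.group(1), m.group(2)) if m else _result()
    if service == "ssh":
        # RFC 4253 identification string: SSH-<protoversion>-<softwareversion>
        parts = raw.strip().split("-", 2)
        if len(parts) < 3 or parts[0] != "SSH":
            return _result()
        product, _, version = parts[2].partition("_")
        return _result(product, version or None)
    if service == "http":
        m = re.search(r"^Server:\s*(.+?)\r?$", raw, re.MULTILINE)
        if not m:
            return _result()
        tokens = m.group(1).split()
        product, _, version = tokens[0].partition("/")
        extra = [t for t in tokens[1:] if "/" in t]   # modules that also leak versions
        return _result(product, version or None, extra)
    if service == "mysql":
        if isinstance(raw, bytes):
            # Handshake v10: 4-byte header + protocol byte, then NUL-terminated version.
            end = raw.index(b"\x00", 5)
            return _result("MySQL", raw[5:end].decode("ascii"))
        # Telnet shows the handshake as mojibake; the version is the first dotted number.
        m = re.search(r"(\d+\.\d+\.\d+)", raw)
        return _result("MySQL", m.group(1)) if m else _result()
    if service == "bind":
        m = re.search(r'VERSION\.BIND\.?\s+\d+\s+CH\s+TXT\s+"([^"]*)"', raw)
        return _result("BIND", m.group(1)) if m else _result()
    if service == "telnet":
        # Login banners are free text; assume "<OS> <version>" as the first two words.
        tokens = raw.strip().split()
        if len(tokens) >= 2 and re.match(r"\d", tokens[1]):
            return _result(tokens[0], tokens[1])
        return _result(tokens[0] if tokens else None)
    raise ValueError("unknown service type: " + service)


def disclosure_report(samples):
    """One row per listener: what was learned, and whether a version leaked."""
    rows = []
    for label, service, raw in samples:
        info = parse_banner(service, raw)
        rows.append({"service": label, **info,
                     "discloses_version": info["version"] is not None})
    return rows


if __name__ == "__main__":
    for row in disclosure_report(SAMPLES + [("mysql_packet", "mysql", SAMPLE_MYSQL_PACKET)]):
        flag = "LEAKS" if row["discloses_version"] else "ok"
        print(f"{row['service']:14} {flag:5} {row['product']} {row['version']} {row['extra']}")
```

The report is the defender's view of the same data: a row flagged LEAKS is a banner worth trimming (Apache's ServerTokens Prod, BIND's version option in named.conf) and, more importantly, a version to check against the vendor's advisories, since hiding the string changes nothing about what amap or a probe-based scanner can still fingerprint.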

Hope you at least got something out of this tutorial.

- netfish

Always Remember!
1: Netfish is RIGHT.
2: If {you think Netfish is WRONG} then SLAP YOURSELF, and goto the FIRST POINT.

Comments

z3ro on February 06 2007 - 02:00:08
wow finally a decent article on hbh
smack300 on February 06 2007 - 04:04:36
Wow that's pretty intense, tons of knowledge in that article. A++ Gonna have to save that article and keep it handy
only_samurai on February 06 2007 - 04:22:06
I gotta give this article massive props.... it expresses one of my biggest problems with modern hacking: the use of apps.... JTR, nmap, and others... unless you write the tool, you can hack all you want with it and still not be elite. This article goes back to fundamentals and I love it. Nicely done netfish :ninja:
0X702CH on February 06 2007 - 16:21:42
Another method of getting info about the HTTP server is OPTIONS / HTTP/1.0
SwiftNomad on February 11 2007 - 06:56:36
not bad, not bad at all.
3l_f3n1x on September 18 2007 - 03:15:04
Awesome article, it is good to see this type of article here in HBH
Neoburner on December 31 2010 - 12:19:33
Great article to grasp the workings