Banner Grabbing: Enumeration & Exploitation
===========================================

By ghostghost

Most of the time an attacker wants to find out a remote service's version, so that he can match it against a known exploit or vulnerability, duh.

As a general method, a nice tool such as amap can be used to determine the running services, their versions, and the port(s) they're running on. For all the lazy bums, use it in this format:

[$bash]$ amap -A intranet.example.com 1234

But that's too lazy, and it's not 1337 at all! Why use tools, when you can learn a lot more by doing it manually? So let me take the people who do NOT know how to enumerate or exploit through the rabbit hole. Let's go by example, and do the easiest one first.

  1. FTP Enumeration & Exploitation, for beginners:

a) For a server running an FTP service: to find its version, all we do is connect to the server and wait like good boys and girls. Hopefully the admin is a dummy and didn't fake the banner info. So, go ahead and ftp to the server:

[$bash]$ ftp 192.168.1.1
Connected to 192.168.1.1 (192.168.1.1).
220 192.168.1.1 FTP Server (version wu-2.6.2+Sun) ready.

We could have done the same thing with telnet… remember?

[$bash]$ telnet 192.168.1.1 21
Connected to 192.168.1.1 (192.168.1.1).
220 192.168.1.1 FTP Server (version wu-2.6.2+Sun) ready.

You've just grabbed their banner (how Schwetty!)

Now we know the version from the banner returned on the established connection. Logically, since you're a bad boy/girl, you think first and foremost about getting into the server. In order to get in, you go to Google and type in "wu-2.6.2 exploit". Hopefully you get code in C (.c) or Perl (.pl) already written for you. Or go to SecurityFocus or milw0rm and find the exploit.

b) Go ahead and download the C or Perl exploit. For this example, I found the exploit in C by using Google: http://marc.theaimsgroup.com/?l=bugtraq&m=106001702232325&w=2

c) Compile it with GCC:

[$bash]$ gcc wu262.c -o wu262

d) Point the compiled binary at your victim (lol):

[$bash]$ ./wu262 192.168.1.100

[If you don't know how to write exploits right now, learn how to make your own! It won't always be this EASY; most of the time it's not. Learn C, Perl, Ruby, or C++. I'm only using this as an example, since I can't cover how to write exploits in the same tutorial. Time willing, I will write something on that topic later.]

  2. SSH Enumeration & Exploitation, for beginners:

The same concepts and techniques also apply to the SSH daemon or service. So go ahead and telnet to it, but this time to port 22 instead of port 21.

[$bash]$ telnet 192.168.1.1 22
Trying 192.168.1.1…
Connected to 192.168.1.1.
Escape character is '^]'.
SSH-1.99-OpenSSH_3.4p1

You've just grabbed their banner (how Schwetty!)

So, use Google ('Tis really an amazing engine!). Download, compile, and "point" your exploit at the target. If all went well, your payload should do whatever the shellcode is set to do.

[Shellcoding is also something I recommend getting into. Knowledge of microprocessor architecture, assembly programming, and hex helps a LOT in coding your exploits.]

HOPEFULLY, since you understood how the above examples work, you can apply the same idea to other services, like:

  1. SMTP (Simple Mail Transfer Protocol) on Port 25

  2. POP3 (Post Office Protocol 3) on Port 110

  3. DNS (Domain Name System) on Port 53

The most widely used DNS server software on Linux is BIND, so to find its version we use a different method:

[$bash]$ dig -t txt -c chaos VERSION.BIND @192.168.1.1
… (look for something like this; there's a lot of output)
;; ANSWER SECTION:
VERSION.BIND.    0    CH    TXT    "8.3.3-REL"

;; Query time: 30 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: SAT Jan 18 03:30:30 2007
;; MSG SIZE  rcvd: 64

We can see the version is BIND 8.3.3 (so you know what to do from here).
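dig does the work for us above, but the query it sends is small enough to build by hand, and seeing the wire format makes clear why the answer comes back in class CH. The following Python is an added example, not part of the original article: it assembles the same CH-class TXT question for VERSION.BIND, parses the TXT strings out of the answer section, and includes a constructed reply so it runs offline. The function names, the sample response builder and the 0x1234 transaction id are this example's own choices.

```python
import socket
import struct

QTYPE_TXT = 16
QCLASS_CH = 3   # CHAOS class, which is what dig -c chaos selects


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in name.strip(".").split(".")) + b"\x00"


def build_version_query(txid=0x1234, name="VERSION.BIND"):
    """Same question dig sends: one query, RD flag set, type TXT, class CHAOS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_TXT, QCLASS_CH)


def _skip_name(buf, off):
    """Advance past a name, whether it is spelled out or a 2-byte compression pointer."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse_version_response(resp, expected_txid):
    """Return the rcode and every CH TXT string in the answer section (empty if nothing was disclosed)."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    result = {"txid_ok": txid == expected_txid, "rcode": flags & 0xF, "versions": []}
    off = 12
    for _ in range(qd):
        off = _skip_name(resp, off) + 4          # skip qtype + qclass
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        rdata = resp[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_TXT and rclass == QCLASS_CH:
            p = 0
            while p < len(rdata):                # TXT rdata is a run of <len><chars> strings
                n = rdata[p]
                result["versions"].append(rdata[p + 1:p + 1 + n].decode("latin-1"))
                p += 1 + n
    return result


def build_sample_response(query, version_text):
    """Constructed reply so the example runs offline: echoes the question and adds one TXT
    answer whose owner name is a compression pointer (0xC00C) back to the question name."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA set; rcode 0
    rdata = bytes([len(version_text)]) + version_text.encode("ascii")
    answer = b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_CH, 0, len(rdata)) + rdata
    return header + query[12:] + answer


def query_bind_version(server, timeout=3.0):
    """Send the query over UDP to port 53 and parse whatever comes back (hypothetical helper)."""
    query = build_version_query()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        resp, _ = s.recvfrom(512)
    return parse_version_response(resp, struct.unpack("!H", query[:2])[0])


if __name__ == "__main__":
    q = build_version_query()
    print(parse_version_response(build_sample_response(q, "8.3.3-REL"), 0x1234))
```

The transaction-id check matters when you run this against a real server: a reply with a different id is not an answer to your question. On the server side, BIND administrators who do not want the real version handed out set version "none"; (or a fixed string) in the options block of named.conf, after which the versions list no longer carries the true release.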

  4. HTTP (HyperText Transfer Protocol) on Port 80

[$bash]$ telnet 192.168.1.1 80
Trying 192.168.1.1…
Connected to www.example.com.
Escape character is '^]'.

and query the server for the following info:

HEAD / HTTP/1.0 [ENTER][ENTER]

You should get a response resembling the following:

HTTP/1.1 200 OK
Date: SAT Jan 18 03:30:30 2007
Server: Apache/1.3.27 (Unix) PHP/4.2.1 mod_jk/1.2.0 mod_ssl/2.8.12 OpenSSL/0.9.6h
…

WOW, what a bunch of information. There's so much we can do with this, but it's up to you to decide what you want to attack, because we have such a plethora of choices.

  5. MySQL on Port 3306 (TCP)

[$bash]$ telnet 192.168.1.1 3306
Trying 192.168.1.1…
Connected to www.example.com.
Escape character is '^]'.
(3.23.49&r/3Nod*Connection closed by foreign host.

Hmmm… Beautiful! We see the version here is 3.23.49. (MySQL does not send a text greeting; what telnet printed is the binary handshake packet, and the version string is the only readable part of it.)
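The four banner formats seen so far (the FTP 220 greeting, the SSH identification string, the HTTP Server header, and the MySQL handshake) each put the version in a different place. The Python below is an added example, not code from the original article: it parses each format into product and version, with a small discloses_version check that a defender can run over an inventory of their own hosts to see which services still advertise exact releases. The sample banners are constructed to mirror the ones quoted above; grab_banner, the parse_* names, and the MySQL handshake layout used by the builder (3-byte length, 1-byte sequence, protocol-version byte, NUL-terminated server version, 4-byte thread id, scramble) are this example's own assumptions.

```python
import re
import socket
import struct

# Sample banners, constructed for this example to mirror the tutorial's; not captured from any real host.
SAMPLE_BANNERS = {
    "ftp": b"220 192.168.1.1 FTP Server (version wu-2.6.2+Sun) ready.\r\n",
    "ssh": b"SSH-1.99-OpenSSH_3.4p1\r\n",
    "http": (b"HTTP/1.1 200 OK\r\n"
             b"Date: Sat, 18 Jan 2007 03:30:30 GMT\r\n"
             b"Server: Apache/1.3.27 (Unix) PHP/4.2.1 mod_jk/1.2.0 "
             b"mod_ssl/2.8.12 OpenSSL/0.9.6h\r\n\r\n"),
}


def grab_banner(host, port, probe=b"", timeout=3.0, size=1024):
    """Open a TCP connection, send an optional probe (HEAD for HTTP), return what the server sends first."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if probe:
            s.sendall(probe)
        return s.recv(size)


def parse_ftp_banner(raw):
    """RFC 959 greeting: a 220 line; wu-ftpd style '(version X)' or a 'Name X.Y' token."""
    line = raw.decode("latin-1").splitlines()[0] if raw else ""
    result = {"service": "ftp", "product": None, "version": None, "line": line}
    m = re.search(r"\(version ([^)]+)\)", line, re.I)
    if m:
        pm = re.match(r"([A-Za-z]\w*)-(\d.*)", m.group(1))    # "wu-2.6.2+Sun" -> ("wu", "2.6.2+Sun")
        if pm:
            result["product"], result["version"] = pm.groups()
            return result
    m = re.search(r"([A-Za-z][\w-]*)[ /-](\d[\w.+-]*)", line)   # e.g. "ProFTPD 1.3.5"
    if m:
        result["product"], result["version"] = m.groups()
    return result


def parse_ssh_banner(raw):
    """RFC 4253 identification string: SSH-protoversion-softwareversion [SP comments]."""
    line = raw.decode("latin-1").splitlines()[0] if raw else ""
    result = {"service": "ssh", "product": None, "version": None, "protocol": None, "line": line}
    parts = line.split(" ", 1)[0].split("-", 2)
    if len(parts) == 3 and parts[0] == "SSH":
        result["protocol"] = parts[1]
        product, _, version = parts[2].partition("_")      # "OpenSSH_3.4p1" -> ("OpenSSH", "3.4p1")
        result["product"], result["version"] = product, version or None
    return result


def parse_http_head(raw):
    """Response to 'HEAD / HTTP/1.0': read the Server header and split it into product/version tokens."""
    head = raw.decode("latin-1").split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    result = {"service": "http", "product": None, "version": None,
              "status": lines[0] if lines else "", "components": []}
    for h in lines[1:]:
        name, _, value = h.partition(":")
        if name.strip().lower() == "server":
            for token in value.split():
                if "/" in token and not token.startswith("("):   # skip "(Unix)" style comments
                    product, _, version = token.partition("/")
                    result["components"].append((product, version))
    if result["components"]:
        result["product"], result["version"] = result["components"][0]
    return result


def build_sample_mysql_handshake(version=b"3.23.49", thread_id=42, scramble=b"Nod*abcd"):
    """Constructed initial handshake packet (assumed protocol-10 layout, see lead-in)."""
    body = (bytes([10]) + version + b"\x00" + struct.pack("<I", thread_id)
            + scramble + b"\x00" + struct.pack("<H", 0))
    return struct.pack("<I", len(body))[:3] + b"\x00" + body


def parse_mysql_handshake(raw):
    """The version is the NUL-terminated string after the protocol byte; the 'junk' telnet showed
    after it is the thread id and scramble bytes."""
    result = {"service": "mysql", "product": "MySQL", "version": None, "protocol": None, "thread_id": None}
    if len(raw) < 6:
        return result
    end = raw.find(b"\x00", 5)
    if end < 0:
        return result
    result["protocol"] = raw[4]
    result["version"] = raw[5:end].decode("latin-1")
    if len(raw) >= end + 5:
        result["thread_id"] = int.from_bytes(raw[end + 1:end + 5], "little")
    return result


PARSERS = {"ftp": parse_ftp_banner, "ssh": parse_ssh_banner,
           "http": parse_http_head, "mysql": parse_mysql_handshake}


def discloses_version(parsed):
    """Hygiene check for your own hosts: True when the banner hands out an exact product version."""
    return bool(parsed.get("version"))


if __name__ == "__main__":
    for svc, raw in SAMPLE_BANNERS.items():
        print(svc, PARSERS[svc](raw), discloses_version(PARSERS[svc](raw)))
    print("mysql", parse_mysql_handshake(build_sample_mysql_handshake()))
```

For a live check, pass the HTTP probe explicitly: grab_banner(host, 80, b"HEAD / HTTP/1.0\r\n\r\n"); the other three services talk first, so no probe is needed. On a hardened Apache (ServerTokens Prod) the Server header shrinks to just "Apache", and discloses_version then returns False for that host.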

  6. Obtaining the victim's telnet server banner (which, hopefully, reveals the OS version…)

[$bash]$ telnet 192.168.1.1
Trying 192.168.1.1…
Connected to 192.168.1.1.
Escape character is '^]'.
SunOS 5.8

Now we know their OS and its version (SunOS 5.8). Thus we go searching for that particular OS version's vulnerabilities.

For example, I found several vulnerabilities for that particular OS version, which are hopefully still unpatched by the administrator:

Solaris Whodo Buffer Overflow Vulnerability (Exploit, SOR, CFTIME) http://www.securiteam.com/exploits/5AP0E0U4UU.html

Multiple Vendor rpc.yppasswdd Buffer Overrun Vulnerability http://www.securityfocus.com/bid/2763/discuss

Solaris uucp Buffer Overflow Vulnerability http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=92

The Sun Solstice Enterprise Manager (Solstice EM) daemon and the Sun SNMP agent components http://www.symantec.com/security_response/vulnerability.jsp?bid=2005

These are old exploits, but once again, this is just an example to simulate the real world.

Hope you at least got something out of this tutorial.

  • netfish

Always Remember! 1: Netfish is RIGHT. 2: If {you think Netfish is WRONG} then SLAP YOURSELF, and goto the FIRST POINT.

Comments
ghost 17 years ago

wow finally a decent article on hbh :)

ghost 17 years ago

Wow, that's pretty intense, tons of knowledge in that article. A++ Gonna have to save that article and keep it handy :)

ghost 17 years ago

I gotta give this article massive props… it expresses one of my biggest problems with modern hacking: the use of apps… JTR, nmap, and others… unless you write the tool, you can hack all you want with it and still not be elite. This article goes back to fundamentals and I love it. Nicely done netfish :ninja:

ghost 17 years ago

Another method of getting info about the http server is OPTIONS / HTTP/1.0

ghost 17 years ago

not bad, not bad at all.

ghost 16 years ago

Awesome article :D it is good to see this type of article here on HBH

ghost 13 years ago

Great article to grasp the workings :)