
Network Security Testing


Demons Halo (Member):

Hi guys, this is my first post here so please be nice :P

I just wrote a long forum post but it just disappeared :(

Anyway, I'm pretty new to the hacking stuff, so I need some help to test the security of a public network provided by a friend of mine. This project is about providing a guest account through wireless internet to whoever is near the public library. Since I have a lot of free time and I'm a fast learner, he decided to challenge me to hack into his system in order to try the security out before he goes 100% public.

PS. This is NOT any illegal activity; I even have written permission signed by him to do this, so there is no risk whatsoever…

I've tried to gather info/scans from the outside but I keep hitting the firewall every time. So I asked him to provide me with a guest account, which will be available for free (soon enough) to anyone who wants to connect to the network.

So getting the account and starting to search for info gave me the following results:

Port scanning @ DHCP/Gateway IP:
Address: 192.168.200.11   Name: NETLOAN
Ping ... OK, Time: 7
Port 53 ... OK!
Port 80 ... OK!
Port 88 ... OK!
Port 135 ... OK!
Port 139 ... OK!
Port 389 ... OK!
Port 445 ... OK!
Port 464 ... OK!
Port 593 ... OK!
Port 636 ... OK!
Port 1067 ... OK!
Port 3000 ... OK!
Port 3001 ... OK!
Port 3268 ... OK!
14 (of 1491) open port(s) detected

UDP scan @ DHCP/Gateway IP:
IP: 192.168.200.11   Name: NETLOAN   Reply time: 8 ms
Ports detected: 2 (*)
Port #53 (DNS) .. Reply: DF 11 80 01 00 00 00 00 00 00 00 00
Port #123 (NTP) .. Reply: 1C 01 00 FA 00 00 00 00 00 0A 90 74 4C 4F 43 4C CD 76 B2 8C

NB scanning @ IP range 192.168.200.1-254: xxx.xxx.xxx.xxx (many computers that are connected to the network), and I found this as well:

192.168.200.207 (HP13306227391) OK (OS: NT WORKSTATION v5.1)
    \\192.168.200.207\Delade dokum   Disk      Microsoft Windows Network   1
    \\192.168.200.207\Skrivare 3     Printer   Microsoft Windows Network   HP LaserJet 1018   1
    \\192.168.200.207\Skrivare       Printer   Microsoft Windows Network   PDF Document Creator   1
192.168.200.208 (salvation) OK (OS: NT WORKSTATION v6.0)
    \\192.168.200.208\Public         Disk      Microsoft Windows Network   1
    \\192.168.200.208\Users          Disk      Microsoft Windows Network   1

Now, all I know so far is:

  • The system runs Windows
  • There are a lot of open ports but none that I can telnet to and get a login screen
  • I've successfully been able to ping my friend's iPhone, which is connected to the network as well.

Now the question is: where do I go from here? :P I can't telnet to any of the ports; even assuming that I had the password, what can I do with it? Where can I enter the system from?

Your opinions are highly appreciated guys, and remember I'm still a newbie that wants to learn, so go easy on me :D

Thanks in advance

//D.H.


spyware (Banned):

Check what services are running. Check what versions the services are (you can use banner grabbing).

Now, you could search for exploits using milw0rm or other security websites, you could also use frameworks like metasploit.

If you want to write your own exploit, go read source.


ghost:

Yeah, I would do the same. Check all the services and search for exploits. So for example, on 139 NetBIOS is running. This service could be used, for example, to access the files. Search Google for some string like "NetBIOS hack".

It will give you thousands of tutorials. If it doesn't work, try the other services.

Greetz NoPax
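The NetBIOS scan in the first post and NoPax's reply both treat port 139 as the starting point, but the usual first step is the NetBIOS Name Service on UDP/137: a "node status" (NBSTAT) query, which is what `nbtstat -A <ip>` and nbtscan send, returns the names a host has registered (computer name, workgroup or domain, service suffixes) and its MAC address without any credentials. The example below is added here and is not code from the thread; it builds that query byte by byte, parses a reply, and includes a live `nbstat()` sender for real use. The reply bytes it parses are constructed for the example (the names are made up; the MAC value is the one nmap printed later in the thread), so it runs offline.

```python
# Added example (not from the thread): a NetBIOS Name Service "node status"
# (NBSTAT) query, the UDP/137 request behind `nbtstat -A <ip>` and nbtscan.
# Sent to a host like 192.168.200.207 it returns the NetBIOS names the host
# has registered (computer name, workgroup/domain, service suffixes) and its
# MAC address. The reply bytes parsed below are constructed for this example.
import socket
import struct

NBSTAT = 0x0021      # RR type: node status request/response (RFC 1002)
NB_CLASS_IN = 0x0001


def encode_nb_name(name16: bytes) -> bytes:
    """First-level encode a 16-byte NetBIOS name (15 chars + suffix byte):
    each nibble becomes a letter 'A'..'P', giving one 32-byte label."""
    if len(name16) != 16:
        raise ValueError("NetBIOS names are exactly 16 bytes")
    label = bytearray()
    for b in name16:
        label.append(ord("A") + (b >> 4))
        label.append(ord("A") + (b & 0x0F))
    return bytes([0x20]) + bytes(label) + b"\x00"   # length, label, root


def build_nbstat_query(txid: int = 0x1234) -> bytes:
    """Header (id, flags=0, 1 question) + wildcard name '*' + NBSTAT/IN."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    wildcard = b"*" + b"\x00" * 15          # '*' is NUL-padded, not space-padded
    return header + encode_nb_name(wildcard) + struct.pack(">HH", NBSTAT, NB_CLASS_IN)


def _skip_name(data: bytes, off: int) -> int:
    """Advance past a label-encoded name (handles a compression pointer)."""
    while True:
        ln = data[off]
        off += 1
        if ln == 0:
            return off
        if ln & 0xC0 == 0xC0:
            return off + 1
        off += ln


def parse_nbstat_response(data: bytes) -> dict:
    """Parse a NODE STATUS RESPONSE into the registered names and the MAC."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack_from(">HHHHHH", data, 0)
    if not flags & 0x8000 or an < 1:
        raise ValueError("not a NBNS response with an answer")
    off = _skip_name(data, 12)
    rtype, _rclass, _ttl, _rdlen = struct.unpack_from(">HHIH", data, off)
    off += 10
    if rtype != NBSTAT:
        raise ValueError("answer is not a node status record")
    num_names = data[off]
    off += 1
    names = []
    for _ in range(num_names):
        raw, suffix = data[off:off + 15], data[off + 15]
        nflags = struct.unpack_from(">H", data, off + 16)[0]
        off += 18
        names.append({
            "name": raw.decode("ascii", "replace").rstrip(" \x00"),
            "suffix": suffix,                 # 0x00 workstation, 0x20 file server, ...
            "group": bool(nflags & 0x8000),   # G bit: group name vs unique name
        })
    mac = data[off:off + 6]                   # first field of the statistics block
    return {"txid": txid, "names": names, "mac": ":".join(f"{b:02x}" for b in mac)}


def nbstat(ip: str, timeout: float = 2.0) -> dict:
    """Live query against a host (not exercised offline)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_nbstat_query(), (ip, 137))
        data, _ = s.recvfrom(2048)
    return parse_nbstat_response(data)


def build_sample_response(txid: int = 0x1234) -> bytes:
    """Constructed reply for offline use; names are made up, the MAC is the
    value nmap reported in the thread."""
    entries = [(b"NETLOAN", 0x00, 0x0400),     # unique, active: workstation service
               (b"NETLOAN", 0x20, 0x0400),     # unique, active: file server service
               (b"WORKGROUP", 0x00, 0x8400)]   # group, active: workgroup/domain name
    rdata = bytes([len(entries)])
    for name, suffix, nflags in entries:
        rdata += name.ljust(15) + bytes([suffix]) + struct.pack(">H", nflags)
    rdata += bytes.fromhex("001320413474") + b"\x00" * 40   # MAC + zeroed statistics
    header = struct.pack(">HHHHHH", txid, 0x8400, 0, 1, 0, 0)
    rr = encode_nb_name(b"*" + b"\x00" * 15) + struct.pack(">HHIH", NBSTAT, NB_CLASS_IN, 0, len(rdata))
    return header + rr + rdata


if __name__ == "__main__":
    print(parse_nbstat_response(build_sample_response()))
```

The suffix byte is what tells a workstation name (0x00) from a file server (0x20) or a domain controller registration (0x1C), and the group bit distinguishes the workgroup or domain name from the machine's own name; that is the information worth having before touching 139/445 at all. Hosts with NetBIOS over TCP/IP disabled simply do not answer, so treat a timeout as "no NBNS", not as "host down".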


Demons Halo (Member):

Thanks a lot for the answer, and great stuff btw :D

I'll have access to the server tomorrow once again, so I'll try milw0rm and banner grabbing ASAP. I'm almost sure that the server is running Apache but I don't know the version of it, so banner grabbing will help me a lot.

Although you're talking about writing my own exploits by reading source. What source do you mean? The Apache source or… ? :P

cheers

//D.H.


spyware (Banned):

Demons Halo wrote: Although you're talking about writing my own exploits by reading source. What source do you mean? The Apache source or… ? :P

Generally, people read the source of what they want to hack. If you think you have what it takes to spot flaws in a particular version of Apache, go right ahead.

NoPax, the NetBIOS example is a bit.. awkward.


ghost:

Telnet to port 80, use an HTTP GET command.

If you don't get a response, your scan is not right… false positive.

If you get a response, your friend's an idiot.


ghost:

@spy

Yeah, I know, but it should only be an example of what to do if you know the service. It is better to write that he has to use Google before asking here. Moreover, I only knew that NetBIOS is running on port 139, so I took it as an example.


fuser (Member):

define wrote: Telnet to port 80, use an HTTP GET command.

If you don't get a response, your scan is not right… false positive.

If you get a response, your friend's an idiot.

Care to explain further why you said that? I don't even understand the part about why his friend's an idiot.

And Demon, if you're using Nmap for scanning, try using the packet fragmentation option from the console to get more results. To see how you can do that, just type nmap --help. Just a tip, since there's a possibility that the results shown might be faked by the firewall.


ghost:

If you want to scan through a firewall there is a scanning program called Firewalk. You can download it from packetfactory.net. It is for Linux.

For all who want to know how it works: Firewalk sends packets with special TTL values. The TTL values are calculated so that an ICMP TTL message comes back after the packet has been sent through the firewall. So it scans every port and normally the result isn't faked. Meanwhile there are a few firewalls which can block this kind of scanning.

But you can try your luck xD


Demons Halo (Member):

fuser wrote: Care to explain further why you said that? I don't even understand the part about why his friend's an idiot.

And Demon, if you're using Nmap for scanning, try using the packet fragmentation option from the console to get more results. To see how you can do that, just type nmap --help. Just a tip, since there's a possibility that the results shown might be faked by the firewall.

Thanks for all the answers so far guys. I've been reading a lot for the last 24 hours and it seems like there are many more ways to exploit the system than I thought (which is both good and bad :P).

I'll for sure try the Nmap scanner, since I suspect that the results are fake.

//D.H.


Demons Halo (Member):

NoPax wrote: If you want to scan through a firewall there is a scanning program called Firewalk. You can download it from packetfactory.net. It is for Linux.

For all who want to know how it works: Firewalk sends packets with special TTL values. The TTL values are calculated so that an ICMP TTL message comes back after the packet has been sent through the firewall. So it scans every port and normally the result isn't faked. Meanwhile there are a few firewalls which can block this kind of scanning.

But you can try your luck xD

Wow xD I MUST get Linux :P

Thanks for the tip dude, I really appreciate it!

//D.H.

Edit: Btw, do you have any idea where I can get such a program for Windows? Since it will be a while until I get my hands on a new laptop with a Linux OS (and get used to it).


spyware (Banned):

Demons Halo wrote: Wow xD I MUST get Linux :P

Thanks for the tip dude, I really appreciate it! //D.H.

You're on a hacking website, you shouldn't be so excited about Linux. Be casual about it, be cool about it.

Go, fucking, learn it.

Also; stop signing your posts with //D.H. manually, just edit your profile and put it in your signature if it means that much to you.


Demons Halo (Member):

spyware wrote:
    Demons Halo wrote: Wow xD I MUST get Linux :P

    Thanks for the tip dude, I really appreciate it! //D.H.

    You're on a hacking website, you shouldn't be so excited about Linux. Be casual about it, be cool about it.

    Go, fucking, learn it.

    Also; stop signing your posts with //D.H. manually, just edit your profile and put it in your signature if it means that much to you.

I am fucking learning it xD… I must have Windows atm because my school runs Windows and I need to keep studying??!?

Also, I like writing //D.H. Signatures mess up the layout!

Edit: //D.H. (L)


korg (Admin from hell):

Hate to break the news to you there Demons Halo, but installing and learning Linux doesn't make you any better of a hacker than someone using Windows or Mac. It's always the person behind the OS. I have Firewalk and I'm really not too impressed with it; I prefer to use Nmap.


spyware (Banned):

korg wrote: Hate to break the news to you there Demons Halo, but installing and learning Linux doesn't make you any better of a hacker than someone using Windows or Mac.

I disagree with this. Just installing Linux doesn't make you a better hacker, no, but if you actually learn to use it (the right way), it will "open" your mind.

korg wrote: It's always the person behind the OS.

Agreed, but if that person takes the time to install and learn Linux, he/she is a better hacker than the person that won't do this and sticks with OSx/Windows. Always.

korg wrote: I have Firewalk and I'm really not too impressed with it; I prefer to use Nmap.

You have to use the right tool for the right job. Nmap is a very general, broad scan. Firewalking can be used to, for example, check what device is returning what message (ie. "port 80 is closed").


Uber0n (Member):

korg wrote: installing and learning Linux doesn't make you any better of a hacker than someone using Windows or Mac.

Installing Linux makes your penis 15 cm longer and also turns all your water into Coca-Cola. Instantly.


korg (Admin from hell):

Spy, you know exactly what I'm saying about Linux; kids think that they just install and hack. You can open your mind by thinking. There are plug-ins for the Nmap command line that can do a lot more than the GUI version.


korg (Admin from hell):

Uber0n wrote:
Installing linux makes your penis 15 cm longer

WHAT? Mine never did???


ghost:

korg wrote:
    Uber0n wrote: Installing Linux makes your penis 15 cm longer

    WHAT? Mine never did???

HAHAHA! You guys are great.

@op, korg is right that a GUI is almost always lacking when compared to the command-line options. If you're going to choose the GUI anyway, you might look into Nessus… but both Nmap and Nessus are better from a command line.


ghost:

MoshBat wrote:
    Uber0n wrote:
        korg wrote: installing and learning Linux doesn't make you any better of a hacker than someone using Windows or Mac.

        Installing Linux makes your penis 15 cm longer

    Only because my background is Avril Lavigne.

Michelle Branch, ftw.


Demons Halo (Member):

Penis size does not have a thing to do with the topic guys :P

But anyway, I've installed Linux a couple of times and I know how to use it, but I like Windows because it's easier to navigate!

Although I'm sure that if you learn Linux the right way, you'll be able to understand how systems work a lot better, since all the creative people that are designing programs often use Linux.

I'm not saying installing Linux will make me a better hacker, but it will certainly grant me a larger number of tools I can play with when I'm practicing hacking, compared to Windows that is…

//D.H.


Demons Halo (Member):

I've been off for a couple of days, but now I'm back :D

Nmap gave me some interesting results that you guys might help me out with!

Not shown: 64979 closed ports

PORT     STATE SERVICE        VERSION
53/tcp   open  domain         Microsoft DNS
80/tcp   open  http           Microsoft IIS webserver 6.0
88/tcp   open  kerberos-sec   Microsoft Windows kerberos-sec
135/tcp  open  msrpc          Microsoft Windows RPC
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds   Microsoft Windows 2003 microsoft-ds
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http     Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
791/tcp  open  unknown?
1025/tcp open  msrpc          Microsoft Windows RPC
1027/tcp open  ncacn_http     Microsoft Windows RPC over HTTP 1.0
1041/tcp open  msrpc          Microsoft Windows RPC
1067/tcp open  msrpc          Microsoft Windows RPC
1073/tcp open  msrpc          Microsoft Windows RPC
3000/tcp open  kerberos-sec   Microsoft Windows kerberos-sec
3001/tcp open  nessus?
3268/tcp open  ldap
3269/tcp open  tcpwrapped
3389/tcp open  microsoft-rdp  Microsoft Terminal Service

Device type: general purpose|media device

Running (JUST GUESSING) : Microsoft Windows 2003|XP|2000|PocketPC/CE (98%), Microsoft embedded (90%)

Aggressive OS guesses: Microsoft Windows Server 2003 SP1 or SP2 (98%), Microsoft Windows Server 2003 SP1 (94%), Microsoft Windows Server 2003 R2 SP1 (94%), Microsoft Windows XP Professional SP2 (93%), Microsoft Windows Server 2003 (93%), Microsoft Windows Server 2003 SP2 (91%), Microsoft Windows XP Professional SP2 (German) (91%), Microsoft Windows XP Professional SP2 or Windows Server 2003 (91%), Microsoft Windows XP SP2 (91%), Microsoft Windows 2000 or Server 2003 SP1 (91%)

No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop

This looks a lot better than the previous one indeed :D Nmap (L)

Alright, I've tried banner grabbing over TCP port 80 by telnetting but it seems like I get a BAD REQUEST no matter what command I use :P which makes port 80 pretty useless…

Now I'm searching through the net for information about the ports and some known exploits, but it seems like all the ports are pretty covered :/ I'm able to connect to all the ports through telnet, but I don't get any answer back no matter what command I enter :/

I'm searching atm through milw0rm for something that might be helpful.

any other ideas that might be helpful ?? :P

Remember that I'm running Windows, so the programs mentioned earlier are not going to help me unless there is a Windows version :P

Thanks for all the answers so far!!

//D.H.

Edit: Scanning the machines connected to the network (the owner's machines) gave me the following result:

PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
4000/tcp open  remoteanything

Edit 2: Port 4000 is used by a program called Remote-Anything. I downloaded the program and tried to connect to the remote PC. The thing is that with a trial version the only password you can use is "trial", and the default admin pass is a blank password field. So I tried to connect to the PC but I think it was my fucking crap shit Vista firewall that blocked the connection, or it was refused by the PC. I could not figure out the reason for this :/

If I'm going to install Linux, what version would you guys recommend for a Windows user? The most important thing is that it must have a graphical interface!


ghost:

It is running IIS 6 so that's not really secure.

Here you have an exploit: http://seclists.org/fulldisclosure/2005/Apr/0412.html

And one at milw0rm: http://www.milw0rm.com/exploits/3965

Then you should check all the other services if that one doesn't work.

But I think Remote-Anything will be a possibility to hack. You can try to download a cracked version of it at torrentz.com or some other sites.

Then write a program which will brute-force it. But that could take a while to brute-force =)

edit/ I would try to search for exploits for all the Microsoft services. They are normally always vulnerable.


clone4 (Perl-6 Wisdom Seeker):

NoPax wrote: It is running IIS 6 so that's not really secure.

Really?

NoPax wrote: Here you have an exploit: http://seclists.org/fulldisclosure/2005/Apr/0412.html

This is a prank; I think the shellcode was rm -fr /

NoPax wrote: And one at milw0rm: http://www.milw0rm.com/exploits/3965

And DoS sucks

NoPax wrote: Then you should check all the other services if that one doesn't work.

But I think Remote-Anything will be a possibility to hack. You can try to download a cracked version of it at torrentz.com or some other sites.

Then write a program which will brute-force it. But that could take a while to brute-force =)

edit/ I would try to search for exploits for all the Microsoft services. They are normally always vulnerable.

Have a look into RPC port 135; if it's running SP2 it should be vulnerable. Also, yeah, you can brute-force RDP; there are some decent brute-forcers out there, but it's rather time-consuming and resource-wasteful.

You may want to try the Dan Kaminsky DNS exploit, since it's now even included in msf3.

There are a few ports I haven't seen; have a look around, there might be some exploit for them, and don't forget milw0rm isn't the only security website.

So investigate the unknown port(s), and verify the port banners manually against the nmap result to ensure they aren't false positives.


ghost:

DoS might suck but it works so why not =)

Yeah, in my opinion IIS is not very secure. Up to now there have been major security holes in all versions of it.

I didn't say that Remote-Anything is the only solution. But it would be my last solution if nothing else worked. Because with brute-forcing there would be a chance to get into the system. So why not try it.

Greetz


spyware (Banned):

Bumping this thread so more people will read clone4's response.

DREAMS. CRUSHED.

Good job.


clone4 (Perl-6 Wisdom Seeker):

spyware wrote: Bumping this thread so more people will read clone4's response.

DREAMS. CRUSHED.

Good job.

Now I'm confused:) :whoa:


Demons Halo (Member):

NoPax wrote: And one at milw0rm: http://www.milw0rm.com/exploits/3965

Then you should check all the other services if that one doesn't work.

But I think Remote-Anything will be a possibility to hack. You can try to download a cracked version of it at torrentz.com or some other sites.

Then write a program which will brute-force it. But that could take a while to brute-force =)

edit/ I would try to search for exploits for all the Microsoft services. They are normally always vulnerable.

clone4 wrote: Have a look into RPC port 135; if it's running SP2 it should be vulnerable. Also, yeah, you can brute-force RDP. You may want to try the Dan Kaminsky DNS exploit, since it's now even included in msf3.

There are a few ports I haven't seen; have a look around, there might be some exploit for them, and don't forget milw0rm isn't the only security website.

Thanks for the posts guys. This thing is a lot harder than it seems :P I've been googling for some time now, trying to find exploits/vulnerabilities for IIS 6 and the open ports, but it seems like I don't have that much luck :/

nmap -sO -v 192.168.200.11
Not shown: 250 closed protocols
PROTOCOL STATE         SERVICE
1        open          icmp
2        open|filtered igmp
6        open          tcp
17       open          udp
47       open|filtered gre
255      open|filtered unknown
MAC Address: 00:13:20:41:34:74 (Intel Corporate)

Here is some additional info. Since I'm pretty new at this kind of stuff I wanted to ask what all those services are. You don't need to explain what TCP and UDP are :P but what about the rest? ICMP is the one blocking my commands, right? I have ICMP activated at home, which is (if I remember correctly) the service that blocks commands like ping etc. coming through the internet to my PC… am I right or…? :P

What about GRE, IGMP and the unknown one??!? I can google the services and check them out, but I'd like to know if there is something that I could use against the server using those services ;D

//D.H.

Edit: IGMP seems like a vulnerable service. There are some listed attack types against it like DoS etc. Does any of you guys have any experience dealing with this service maybe?

Edit2: What irritates me the most is that I can telnet to any port I want and get an established connection, but whatever command I use does not give any response (except for port 80, listed below). I keep typing help, head, etc. and pressing enter, and well… nothing happens :S This means that the server does not understand the commands I'm giving, right? Or am I missing something here?

Edit3: Banner grabbing @ port 80 gives me the same msg whatever command I try to use; maybe I'm doing something wrong here:

telnet 192.168.200.11 80
Connecting to 192.168.200.11 ... Connection established
> HEAD
HTTP/1.1 400 Bad Request
Content-Type: text/html
Date: Thu, 02 Apr 2009 12:23:19 GMT
Connection: close
Content-Length: 35

<h1>Bad Request (Invalid Verb)</h1>
Session closed

The same msg keeps showing using all the commands I know… :/