Netcat, Bash Scripting, Backtrack
In this tutorial we will continue on from last time. We have two target machines, 192.168.1.2 and 192.168.1.14, and next we will enumerate the different services and accounts running on each of them. Let's start with FTP enumeration, since we know that .12 is running FTP and a web server. The first thing we are going to do is connect to the FTP server to see if we can grab the actual version and software information. To do this, we will use netcat. For those of you that do not know what netcat is, it is a small tool that reads and writes raw data over TCP or UDP connections, so it can be used to connect to a port, listen on one, transfer files, and do many other things related to networked systems.
nc -v 192.168.1.14 21
(UNKNOWN) [192.168.1.14] 21 (ftp) open
vsftpd version 2.0.7
Welcome to my ftp server!
Next we will test for an anonymous ftp account.
ftp 192.168.1.14
Name (192.168.1.14:root): anonymous
331 Please specify the password.
Password:anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
Ok, so we have verified the service is running, the version, and we know that we have anonymous FTP enabled. I could tear this system a new one, but I will save that for an upcoming tutorial. Next we will verify that the earlier results for the version the HTTP server is running are correct. This is performed by issuing the HEAD /HTTP/1.0 command once the connection is established, like so.
nc -v 192.168.1.14 80
(UNKNOWN) [192.168.1.14] 80 (www) open
HEAD /HTTP/1.0
400 Bad Request
Bad Request
Your browser sent a request that this server could not understand.
Apache/2.2.4 (Fedora) Server at localhost6.localdomain6 Port 80
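The manual nc checks above, wrapped in a few bash functions as an added example (this is not code from the tutorial). It assumes a netcat whose -w flag also bounds idle reads; the sample replies at the bottom are constructed to match the shape of the output shown above.

```bash
#!/usr/bin/env bash
# Added example (not from the tutorial): bash wrappers around the manual nc
# checks shown above. Assumes a netcat whose -w flag also bounds idle reads.
set -u

# Send an optional payload to HOST:PORT and print what the service replies.
grab_banner() {            # usage: grab_banner HOST PORT [PAYLOAD]
    local host=$1 port=$2 payload=${3:-}
    printf '%b' "$payload" | nc -w 3 "$host" "$port" 2>/dev/null
}

# A well-formed HTTP/1.0 HEAD request. Note the space between "/" and
# "HTTP/1.0": the tutorial's "HEAD /HTTP/1.0" omits it, hence the 400 reply.
http_head_payload() { printf 'HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n' "$1"; }

# Print the server signature from either a Server: header or the
# "Apache/x.y.z (Distro) Server at ..." footer of an Apache error page.
parse_http_server() {
    tr -d '\r' | sed -n -e 's/^Server: *//p' \
        -e 's/.*\(Apache\/[^ ]* ([^)]*)\) Server at .*/\1/p' | head -n 1
}

# First line of the FTP greeting with the "220" reply code stripped.
parse_ftp_banner() {
    tr -d '\r' | sed -e 's/^220[ -]*//' -e '/^$/d' | head -n 1
}

# "yes" if an FTP transcript contains a 230 (login successful) reply.
ftp_allows_anonymous() {
    if tr -d '\r' | grep -q '^230 '; then echo yes; else echo no; fi
}

# Tie the pieces together for one host: the same three facts the tutorial
# gathered by hand (FTP version, anonymous login, web server version).
enumerate_host() {         # usage: enumerate_host HOST
    local host=$1 anon='USER anonymous\r\nPASS anonymous\r\n'
    echo "FTP banner : $(grab_banner "$host" 21 | parse_ftp_banner)"
    echo "Anon FTP   : $(grab_banner "$host" 21 "$anon" | ftp_allows_anonymous)"
    echo "HTTP server: $(grab_banner "$host" 80 "$(http_head_payload "$host")" |
                         parse_http_server)"
}

# Constructed sample replies (same shape as the tutorial's output) so the
# parsers can be exercised offline; pass a host as $1 to run it for real.
if [ -n "${1:-}" ]; then
    enumerate_host "$1"
else
    printf '220 (vsFTPd 2.0.7)\r\nWelcome!\r\n' | parse_ftp_banner
    printf 'Apache/2.2.4 (Fedora) Server at localhost6.localdomain6 Port 80\n' | parse_http_server
fi
```

Run with no arguments to see the parsers work on the built-in samples; the network functions are only exercised when a host is given.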
As you can see, the server version is Apache 2.2.4 and it is running on a Fedora server. Note that the server answered 400 Bad Request because the request line above is missing the space between / and HTTP/1.0, yet the footer of the error page still discloses the software version and distribution, which is exactly what we wanted. This has just verified the operating system and the actual version of the Apache software. It is good to know this information so that we know the default directory layout of the web server on that distribution; it will come in handy later. Since I already know that the VNC service is not vulnerable, I will not waste time going into this. Next we are going to see if we can grab any other information about our system by moving on to SNMP enumeration, which can reveal further possible attack vectors. Even though we most likely have a way to get in, it is good to be as thorough as possible. We will use snmpcheck and snmpenum to gather info about our server.
perl snmpenum.pl 192.168.1.14 public linux.txt
----------------------------------------
UPTIME
----------------------------------------
30 Days 21 Hours
----------------------------------------
HOSTNAME
----------------------------------------
GHOST.LOCAL
----------------------------------------
RUNNING SOFTWARE PATHS
----------------------------------------
ERROR: No response from remote host '192.168.1.14'
----------------------------------------
RUNNING PROCESSES
----------------------------------------
ERROR: No response from remote host '192.168.1.14'
----------------------------------------
MOUNTPOINTS
----------------------------------------
ERROR: No response from remote host '192.168.1.14'
----------------------------------------
SYSTEM INFO
----------------------------------------
ERROR: No response from remote host '192.168.1.14'
----------------------------------------
LISTENING UDP PORTS
----------------------------------------
21
22
80
----------------------------------------
LISTENING TCP PORTS
----------------------------------------
161
I cut the amount of info from this scan down. There was a bunch of unneeded garbage. Next we will run the snmpcheck.pl script to see what we can come up with.
snmpcheck.pl -t 192.168.1.14 -d
----------------------------------------
User Accounts
----------------------------------------
ghost
anonymous
root
games
nobody
proxy
syslog
www-data
root
news
bin
mail
dhcp
daemon
sshd
man
lp
mysql
dovecot
gnats
backup
sys
klog
postfix
list
irc
sync
uucp
The output from this file is pretty much the same and it actually has a bunch of extra stuff that we will not need. So for the sake of keeping this tutorial short, I will leave it out. One thing that I will include is the user accounts section. As you can see, we grabbed some user accounts. This info is very useful and can be used later as a dictionary file for a brute force attack.
Being as I set up this network, I know that snmp is not running on the windows machine, so I will not waste my time here. In fact, the windows machine is secured so I will target only the Linux server for now. Later we will use the information that we have gathered to run brute force attacks, and use pass the hash with Metasploit to exploit the windows box. Next tutorial will be the use of a vulnerability scanner on the server.