computer tutorial 


2007 A HACKING ODYSSEY PART 2:
NETWORK SCANNING & NMAP CONTINUED...




Go and Google "generic mail server exploit"... good luck with that. However, if you Google 'remote exploit Exchange 2003 SP1' you will get a lot of hits, and if you Google 'remote exploit Exchange 2003 SP2' you will get a different set of hits. Knowing the version and patch state is essential to exploiting any service.

Take a look at port 26... how are we going to exploit that? Well, we could nip over to the IANA web site and see what should be running on port 26:

http://www.iana.org/assignments/port-numbers

Quote:

# 26/tcp Unassigned
# 26/udp Unassigned


Hmmmm, that’s no help…..

So, let’s fire Nmap up and see if that can tell us more information about port 26 and the others, to enable us to narrow our search for an exploit:

Code:

C:\Documents and Settings\Nokia>nmap -sV wu-ftpd.org

Starting Nmap 4.03 ( http://www.insecure.org/nmap ) at 2007-02-24 18:03 GMT Standard Time
 
Interesting ports on 67.66.8.211:
(The 1669 ports scanned but not shown below are in state: closed)
PORT   STATE SERVICE VERSION
21/tcp open  ftp
22/tcp open  ssh     SSH 1.2.33 (protocol 1.5)
25/tcp open  smtp    Postfix smtpd
26/tcp open  ssh     OpenSSH 3.1p1 (protocol 1.99)
80/tcp open  http?


Good, so now we know it is an SSH service listening on port 26; OpenSSH 3.1p1 using protocol 1.99, to be exact. A Google search for 'remote exploit OpenSSH 3.1p1 protocol 1.99' will help tremendously if you want to try and exploit this service.

So now not only do we know what type of service is listening on the port, we also know the exact version number and patch state of it and can start researching the various vulnerabilities that this service suffers from.

We can also see which mail server is listening on port 25, and that a different SSH daemon is listening on port 22.

However, we didn't get lucky with the FTP and web servers this time, as the second part of Nmap's output shows:

Code:

2 services unrecognized despite returning data. If you know the service/version,
please submit the following fingerprints at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port21-TCP:V=4.03%I=7%D=2/24%Time=45E07F1C%P=i686-pc-windows-windows%r(
SF:GenericLines,27,"220\x20ftp\.wu-ftpd\.org\x20FTP\x20server\x20ready\.\r
SF:\n")%r(Help,4D,"220\x20ftp\.wu-ftpd\.org\x20FTP\x20server\x20ready\.\r\
SF:n530\x20Please\x20login\x20with\x20USER\x20and\x20PASS\.\r\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port80-TCP:V=4.03%I=7%D=2/24%Time=45E07F18%P=i686-pc-windows-windows%r(
SF:GetRequest,FB8,"HTTP/1\.1\x20200\x20OK\r\nDate:\x20Sat,\x2024\x20Feb\x2
SF:02007\x2017:20:17\x20GMT\r\nServer:\x20Froglegs/104\.75\x20\(Unix\)\r\n
SF:Last-Modified:\x20Thu,\x2022\x20Jan\x202004\x2012:51:39\x20GMT\r\nETag:
SF:\x20\"3b034b-ebd-400fc75b\"\r\nAccept-Ranges:\x20bytes\r\nContent-Lengt
SF:h:\x203773\r\nConnection:\x20close\r\nContent-Type:\x20text/html\r\n\r\
SF:n<!DOCTYPE\x20HTML\x20PUBLIC\x20\"-//W3C//DTD\x20HTML\x203\.2\x20Final/
SF:/EN\">\r\n<html>\r\n\x20<head>\r\n\x20\x20<title>WU-FTPD\x20Development
SF:\x20Group</title>\r\n\x20</head>\r\n<!--\x20Background\x20white,\x20lin
SF:ks\x20blue\x20\(unvisited\),\x20navy\x20\(visited\),\x20red\x20\(active
SF:\)\x20-->\r\n\x20<body\x20BGCOLOR=\"#FFFFFF\"\x20TEXT=\"#000000\"\x20LI
SF:NK=\"#0000FF\"\x20VLINK=\"#000080\"\x20ALINK=\"#FF0000\">\r\n\x20\x20<h
SF:1\x20ALIGN=\"CENTER\">\r\n\x20\x20\x20WU-FTPD\x20Development\x20Group\r
SF:\n\x20\x20</h1>\r\n\r\n<BLOCKQUOTE>\r\n<hr\x20NOSHADE>\r\n\x20\x20<p>\r
SF:\n<STRONG><EM>SECURITY\x20VULNERABILITY\x20DISCOVERED!</EM></STRONG>\r\
SF:n<P>\r\n<STRONG>A\x20vulnerability\x20has\x20been\x20found\x20in\x20the
SF:\x20current\x20versions\x20of\x20WU-FTPD\x20up\x20to\x202\.6\.2\.\x20\r
SF:\nInformation\x20describing\x20the\x20vulnerability\x20is\x20available\
SF:x20from</STRONG>\r\n<ul>\r\n<li><a\x20href=\"http://w")%r(HTTPOptions,A
SF:0,"HTTP/1\.1\x20200\x20OK\r\nDate:\x20Sat,\x2024\x20Feb\x202007\x2017:2
SF:0:17\x20GMT\r\nServer:\x20Froglegs/104\.75\x20\(Unix\)\r\nContent-Lengt
SF:h:\x200\r\nAllow:\x20GET,\x20HEAD,\x20OPTIONS,\x20TRACE\r\nConnection:\
SF:x20close\r\n\r\n")%r(RTSPRequest,1CC,"HTTP/1\.1\x20400\x20Bad\x20Reques
SF:t\r\nDate:\x20Sat,\x2024\x20Feb\x202007\x2017:20:18\x20GMT\r\nServer:\x
SF:20Froglegs/104\.75\x20\(Unix\)\r\nConnection:\x20close\r\nContent-Type:
SF:\x20text/html;\x20charset=iso-8859-1\r\n\r\n<!DOCTYPE\x20HTML\x20PUBLIC
SF:\x20\"-//IETF//DTD\x20HTML\x202\.0//EN\">\n<HTML><HEAD>\n<TITLE>400\x20
SF:Bad\x20Request</TITLE>\n</HEAD><BODY>\n<H1>Bad\x20Request</H1>\nYour\x2
SF:0browser\x20sent\x20a\x20request\x20that\x20this\x20server\x20could\x20
SF:not\x20understand\.<P>\nThe\x20request\x20line\x20contained\x20invalid\
SF:x20characters\x20following\x20the\x20protocol\x20string\.<P>\n<P>\n</BO
SF:DY></HTML>\n");


Here is your chance to help improve Nmap's version scanning: it very kindly asks us to go to a URL and submit the fingerprint we received.

The nmap-service-probes file, which can be found in your install directory, holds all the fingerprints that Nmap can currently compare banners and probe responses against. At the time of writing it was last updated on 10th Jan 07 (version 4.21ALPHA2), and it is only updated on a regular basis because its users submit fingerprints to be included in it.

The more fingerprints it has, the more reliable it will become. So if you know what the service is, pop along to http://www.insecure.org/cgi-bin/servicefp-submit.cgi and submit the fingerprints that Nmap does not recognise. Copy and paste every line that begins with SF (the SF-Port header line and all the SF: continuation lines).
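As an added example (not code from the tutorial or from the Nmap project), the following Python decodes a fingerprint in the SF format shown above and checks the hex length that each %r() response carries, which is the quickest way to confirm a fingerprint was copied intact before submitting it. It then runs the decoded responses against two constructed match lines written in the syntax of nmap-service-probes (match <service> m|regex| p/product/ v/version/ i/info/ h/hostname/); those lines are illustrative and are not copied from the real file. The port-21 fingerprint is the one Nmap printed above, and the SSH banner in the usage note is a constructed sample of what the port-26 daemon would send.

```python
"""Decode an Nmap service fingerprint (the SF: block) and match it the way
nmap-service-probes does.  Added example, not code from the tutorial or from
the Nmap project."""
import re

# The port-21 fingerprint exactly as Nmap printed it in the tutorial.  A raw
# string keeps Nmap's backslash escapes (\x20, \., \r) untouched.
SF_PORT21 = r"""
SF-Port21-TCP:V=4.03%I=7%D=2/24%Time=45E07F1C%P=i686-pc-windows-windows%r(
SF:GenericLines,27,"220\x20ftp\.wu-ftpd\.org\x20FTP\x20server\x20ready\.\r
SF:\n")%r(Help,4D,"220\x20ftp\.wu-ftpd\.org\x20FTP\x20server\x20ready\.\r\
SF:n530\x20Please\x20login\x20with\x20USER\x20and\x20PASS\.\r\n");
"""

# Constructed match lines in the syntax of nmap-service-probes
# (match <service> m<delim>regex<delim>[flags] p/product/ v/version/ i/info/
# h/hostname/, with $N filled from regex groups).  Illustrative only; they
# are not copied from the real file.
MATCH_LINES = [
    r"match ftp m|^220 ([-.\w]+) FTP server ready\.| p/WU-FTPD/ h/$1/",
    r"match ssh m|^SSH-([\d.]+)-OpenSSH_(\S+)| p/OpenSSH/ v/$2/ i/protocol $1/",
]

_HEADER = re.compile(r"^SF-Port(\d+)-(TCP|UDP):(.*)$", re.S)
_RESPONSE = re.compile(r'%r\((\w+),([0-9A-Fa-f]+),"((?:[^"\\]|\\.)*)"\)')
_ESCAPE = re.compile(r"\\(x[0-9A-Fa-f]{2}|.)", re.S)
_MATCH = re.compile(r"^match (\S+) m(.)(.*?)\2([is]*)\s*(.*)$")
_VINFO = re.compile(r"([pvih])/((?:[^/\\]|\\.)*)/")


def join_sf_lines(text):
    """Reassemble a wrapped fingerprint: the SF-Port header line is kept whole,
    continuation lines lose their 'SF:' prefix, and nothing else is added or
    removed (an escape split across lines, '\\r\\' + 'SF:n', must rejoin exactly)."""
    parts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("SF-Port"):
            parts.append(line)
        elif line.startswith("SF:"):
            parts.append(line[3:])
        else:
            raise ValueError("not a fingerprint line: %r" % line)
    return "".join(parts)


def unescape(text):
    """Turn Nmap's escaped response text back into the bytes the server sent."""
    simple = {"r": "\r", "n": "\n", "t": "\t", "0": "\0"}
    def one(m):
        esc = m.group(1)
        return chr(int(esc[1:], 16)) if esc.startswith("x") else simple.get(esc, esc)
    return _ESCAPE.sub(one, text).encode("latin-1")


def parse_fingerprint(text):
    """Return port, protocol, the V=/I=/D=/Time=/P= fields and a list of
    (probe name, declared length, decoded bytes) for each %r(...) response."""
    joined = join_sf_lines(text)
    m = _HEADER.match(joined)
    if not m:
        raise ValueError("missing SF-Port header")
    body = m.group(3)
    head = body.split("%r(", 1)[0]
    fields = dict(f.split("=", 1) for f in head.split("%") if "=" in f)
    responses = [(probe, int(hexlen, 16), unescape(raw))
                 for probe, hexlen, raw in _RESPONSE.findall(body)]
    return {"port": int(m.group(1)), "proto": m.group(2),
            "fields": fields, "responses": responses}


def lengths_consistent(fp):
    """Each %r() carries the response length in hex; a mismatch means a line
    was lost or altered while copying the fingerprint, so do not submit it."""
    return all(n == len(data) for _, n, data in fp["responses"])


def parse_match_line(line):
    """Split one match line into (service, compiled bytes regex, versioninfo)."""
    m = _MATCH.match(line)
    if not m:
        raise ValueError("bad match line: %r" % line)
    service, _delim, regex, flags, vinfo = m.groups()
    opts = (re.I if "i" in flags else 0) | (re.S if "s" in flags else 0)
    return service, re.compile(regex.encode("latin-1"), opts), dict(_VINFO.findall(vinfo))


def identify(fp, match_lines):
    """First (probe, service, versioninfo) whose regex matches a response."""
    rules = [parse_match_line(l) for l in match_lines]
    for probe, _, data in fp["responses"]:
        for service, rx, vinfo in rules:
            hit = rx.search(data)
            if hit:
                fill = lambda g: hit.group(int(g.group(1))).decode("latin-1")
                return probe, service, {k: re.sub(r"\$(\d+)", fill, v) for k, v in vinfo.items()}
    return None


if __name__ == "__main__":
    fp = parse_fingerprint(SF_PORT21)
    print("port", fp["port"], fp["proto"], "lengths ok:", lengths_consistent(fp))
    print(identify(fp, MATCH_LINES))
```

Running it prints the port, protocol and a length check of True, then ('GenericLines', 'ftp', {'p': 'WU-FTPD', 'h': 'ftp.wu-ftpd.org'}). Feeding identify() a response of b"SSH-1.99-OpenSSH_3.1p1\r\n" (a constructed banner) gives the product, version and protocol fields the same way Nmap reported them for port 26; the real file holds thousands of such lines, which is why its coverage depends on submissions.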

Likewise, if you think that something is being reported wrongly and want to tell the Nmap developers about it, a URL is provided for this as well:

Code:

Service detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 192.594 seconds


I included the FTP service in this paper to point you to the fingerprint submission page and encourage you to use it, and also to demonstrate that you should not rely on one tool to do everything for you. Nmap is good, but it is not perfect: if it returns a null value for something like a version scan, you can always telnet in to the port and take a look for yourself. Nmap just automates this procedure, though it may sometimes provide more information than we can get manually because of the large database it has.

Our main lesson here was port 26: Nmap was able to tell us the service and the version of that service, allowing us to progress further with our assessment/attack. It was SSH running on a non-default port.

This can also be used for the power of good: it enables sys admins to determine the versions of services, and their patch state, on an internal LAN in a relatively small amount of time.

The final thing to say is that it is always a good idea to combine this with a UDP scan (-sU) to improve the reliability of the UDP results.

The syntax for this scan is: nmap -sV <ip address>

nmap -sV 80.80.80.80
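As an added example from the sys admin side (not code from the tutorial), this Python parses the port table that nmap -sV printed above, flags the services that need the manual "telnet in and look" check because Nmap returned no version, and flags SSH daemons whose protocol field shows SSH-1 is still accepted (a server that advertises protocol 1.x speaks only SSH-1, 1.99 means it accepts both SSH-1 and SSH-2, and only 2.0 means SSH-2 alone). The grab_banner function is the manual check itself and only runs if you give it a host; the port table is copied from the scan output in this tutorial.

```python
"""Triage an 'nmap -sV' port table from the administrator's side.  Added
example, not code from the tutorial."""
import re
import socket

# Port table copied from the scan output in this tutorial.
NMAP_SV_OUTPUT = """\
PORT   STATE SERVICE VERSION
21/tcp open  ftp
22/tcp open  ssh     SSH 1.2.33 (protocol 1.5)
25/tcp open  smtp    Postfix smtpd
26/tcp open  ssh     OpenSSH 3.1p1 (protocol 1.99)
80/tcp open  http?
"""

_PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
_SSH_PROTO = re.compile(r"\(protocol ([\d.]+)\)")


def parse_port_table(text):
    """One dict per port line; a trailing '?' on the service name is Nmap's
    way of saying the service was guessed rather than matched."""
    rows = []
    for line in text.splitlines():
        m = _PORT_LINE.match(line)
        if not m:
            continue  # column header, blank lines, other chatter
        port, proto, state, service, version = m.groups()
        rows.append({"port": int(port), "proto": proto, "state": state,
                     "service": service.rstrip("?"),
                     "guessed": service.endswith("?"),
                     "version": version.strip()})
    return rows


def review(rows):
    """(port, reason) pairs worth following up: services with no version
    match (look at the banner yourself) and SSH daemons whose protocol field
    is 1.x or 1.99, meaning SSH-1 is still accepted."""
    findings = []
    for r in rows:
        if r["guessed"] or not r["version"]:
            findings.append((r["port"], "no version match: check the banner manually"))
        if r["service"] == "ssh":
            m = _SSH_PROTO.search(r["version"])
            if m and not m.group(1).startswith("2"):
                findings.append((r["port"], "protocol %s: SSH-1 accepted, disable it" % m.group(1)))
    return findings


def grab_banner(host, port, timeout=5.0):
    """The 'telnet in and look for yourself' step: connect, wait for the
    server to speak first and return what it sent.  Services that expect the
    client to talk first (HTTP, for one) return nothing, so an empty result
    means 'send a request', not 'dead port'."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        try:
            return s.recv(1024)
        except socket.timeout:
            return b""


if __name__ == "__main__":
    for port, reason in review(parse_port_table(NMAP_SV_OUTPUT)):
        print("%5d  %s" % (port, reason))
```

On the table above this reports ports 21 and 80 for a manual banner check and ports 22 and 26 for still accepting SSH-1; port 25 is left alone because Nmap matched it. The same parse-then-review split works on a saved scan of a whole LAN, which is the "power of good" use of -sV mentioned above.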

Original Tutorial by nokia for TheTAZZone-TAZForum

Originally posted on March 2nd, 2007 here

Do not use, republish, in whole or in part, without the consent of the Author. TheTAZZone policy is that Authors retain the rights to the work they submit and/or post...we do not sell, publish, transmit, or have the right to give permission for such...TheTAZZone merely retains the right to use, retain, and publish submitted work within it's Network.