Scanning & Enumeration – Practical Ethical Hacking by TCM

by Kal Bartal

Installing Kioptrix

https://www.vulnhub.com

Scanning with Nmap

Finding the vulnerable machine's IP address:

Use the ping command to find the IP address of an older machine.

Alternatively run an arp-scan from kali.

arp-scan -l

Alternatively run netdiscover from kali.

netdiscover -r 192.168.57.0/24

Nmap stands for network mapper; it scans for open ports and the services behind them.
Nmap's TCP scans are built on the three-way handshake.
(SYN SYNACK ACK)

Stealth scanning (-sS) used to be undetectable but is very detectable nowadays. Instead of completing the handshake, the scanner answers with a reset flag (RST), so the connection is never established.
(SYN SYNACK RST)

SYN + SYNACK reveals that the port or service is open for connection, while the RST abandons it. Because the connection was never established, the scan is technically stealthy.
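The SYN, SYNACK, RST pattern described above is exactly what a defender can look for in a capture. The following is an added example (not part of the course notes) that labels each TCP exchange from a constructed packet list as a full connect, a half-open probe or a closed port, and flags sources that leave many half-open exchanges behind:

```python
# Added example (not part of the course notes): classify TCP exchanges from a
# capture as full connects, half-open (SYN-scan style) probes or closed ports.
from collections import defaultdict

# Constructed sample capture: (sender, receiver, server_port, flags) in order.
SAMPLE_PACKETS = [
    ("10.0.0.5", "10.0.0.9", 80, "SYN"),
    ("10.0.0.9", "10.0.0.5", 80, "SYN-ACK"),
    ("10.0.0.5", "10.0.0.9", 80, "ACK"),        # normal handshake completes
    ("10.0.0.7", "10.0.0.9", 22, "SYN"),
    ("10.0.0.9", "10.0.0.7", 22, "SYN-ACK"),
    ("10.0.0.7", "10.0.0.9", 22, "RST"),        # half-open: client aborts
    ("10.0.0.7", "10.0.0.9", 139, "SYN"),
    ("10.0.0.9", "10.0.0.7", 139, "SYN-ACK"),
    ("10.0.0.7", "10.0.0.9", 139, "RST"),
    ("10.0.0.7", "10.0.0.9", 443, "SYN"),
    ("10.0.0.9", "10.0.0.7", 443, "RST"),       # closed port: server resets
]

def classify_flows(packets):
    """Group packets by (client, server, port) and label each flow by the
    flag sequence it shows; the client is whoever sent the first SYN."""
    flows = defaultdict(list)
    for sender, receiver, port, flags in packets:
        if (sender, receiver, port) in flows or flags == "SYN":
            key = (sender, receiver, port)
        else:                       # reply travelling server -> client
            key = (receiver, sender, port)
        flows[key].append((sender, flags))
    labels = {}
    for (client, server, port), seq in flows.items():
        flags = [f for _, f in seq]
        if flags == ["SYN", "SYN-ACK", "ACK"]:
            label = "full-connect"
        elif flags == ["SYN", "SYN-ACK", "RST"] and seq[2][0] == client:
            label = "half-open"
        elif flags == ["SYN", "RST"] and seq[1][0] == server:
            label = "closed-port"
        else:
            label = "other"
        labels[(client, server, port)] = label
    return labels

def half_open_sources(labels, threshold=2):
    """Sources with at least `threshold` half-open flows (no connection was
    ever established, yet the SYN/SYN-ACK/RST trace is still visible)."""
    counts = defaultdict(int)
    for (client, _, _), label in labels.items():
        if label == "half-open":
            counts[client] += 1
    return {src: n for src, n in counts.items() if n >= threshold}
```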

A typical nmap scan:

nmap -T4 -p- -A 192.168.57.134

Scanning UDP is slow, so use the command below, which only scans nmap's default top 1000 ports:

nmap -sU -T4 192.168.57.134

Ports commonly found with exploits:
80 http
443 https
139 (and 445) smb (Samba)

Typically there’s no remote code execution for SSH (port 22) so it’s not a common point of attack.

Enumerating HTTP and HTTPS

The plan:
  1. port 80 and 443
  2. port 139

Start by opening the website (the IP address) in a browser, over both http and https.

View the source code for hidden comments, passwords, etc.

Default webpages are automatic findings for the report. They potentially reveal architecture and hygiene.

Nikto

Nikto is a web vulnerability scanner. A well-defended website may automatically block Nikto scans.

nikto -h http://192.168.57.134
  • Apache/1.3.20 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
  • mod_ssl/2.8.4 appears to be outdated (current is at least 2.8.31) (may depend on server version)
  • OpenSSL/0.9.6b appears to be outdated (current is at least 1.1.1). OpenSSL 1.0.0o and 0.9.8zc are also current.
  • OSVDB-838: Apache/1.3.20 – Apache 1.x up 1.2.34 are vulnerable to a remote DoS and possible code execution.
  • OSVDB-2733: Apache/1.3.20 – Apache 1.3 below 1.3.29 are vulnerable to overflows in mod_rewrite and mod_cgi. CAN-2003-0542.
  • mod_ssl/2.8.4 – mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0082, OSVDB-756.
  • OSVDB-3092: /manual/: Web server manual found.
  • OSVDB-3268: /icons/: Directory indexing found.
  • OSVDB-3233: /icons/README: Apache default file found.
  • OSVDB-3092: /test.php: This might be interesting…

Directory busting

Dirbuster, dirb and gobuster are directory-busting tools that ship with Kali.

List of HTTP status codes:
https://en.wikipedia.org/wiki/List_of_HTTP_status_codes

  1. Informational responses (100–199)
  2. Successful responses (200–299)
  3. Redirection messages (300–399)
  4. Client error responses (400–499)
  5. Server error responses (500–599)

Enumerating SMB

SMB is a file-sharing protocol and it is commonly used in work and internal environments.

Host script results:
|_clock-skew: 5h00m35s
|_smb2-time: Protocol negotiation failed (SMB2)
|_nbstat: NetBIOS name: KIOPTRIX, NetBIOS user: , NetBIOS MAC: (unknown)

Metasploit

Metasploit is an exploitation framework.

msfconsole
search smb version

9 auxiliary/scanner/smb/smb_version

use 9
info
options
set RHOSTS 192.168.57.139
run

SMB – Unix (Samba 2.2.1a)

Smbclient

smbclient -L \\\\192.168.57.134\\

The -L option lists the shares; the commands below attempt to connect to an SMB file share:

smbclient \\\\192.168.57.134\\ADMIN$
smbclient \\\\192.168.57.134\\IPC$

help – to see the list of commands

Access denied.

exit

Enumerating SSH

22/tcp open ssh OpenSSH 2.9p2 (protocol 1.99)

ssh 192.168.57.134

Unable to negotiate with 192.168.80.129 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1

The connection fails, but attempting it is still worthwhile because the server sometimes exposes a banner with SSH version information.

Researching Potential Vulnerabilities

Potential order of attack:

  1. 80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
  2. mod_ssl/2.8.4 – mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0082, OSVDB-756.
  3. SMB – Unix (Samba 2.2.1a)
  4. Webalizer Version 2.01 – http://192.168.80.129/usage/usage_202206.html
  5. SSH – OpenSSH 2.9p2 (protocol 1.99)
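Much of the research step is matching banner versions against the "below X" thresholds Nikto reports. The following is an added example (not part of the course notes) that parses the Apache banner above, handles letter-suffixed versions such as OpenSSL's 0.9.6b, and flags the two components for which the Nikto output gives an explicit fixed-in version:

```python
# Added example (not part of the course notes): pull component versions out
# of an Nmap-style service banner and compare them against the version
# thresholds quoted in the Nikto findings, so outdated components are flagged
# mechanically rather than by eye.
import re

# Constructed banner matching the Apache line in the notes.
BANNER = "Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)"

# Fixed-in versions taken from the Nikto output: Apache 1.3 below 1.3.29 and
# mod_ssl 2.8.7 and lower (so 2.8.8 is the first version not affected).
THRESHOLDS = {
    "apache": ("1.3.29", "OSVDB-2733 / CAN-2003-0542"),
    "mod_ssl": ("2.8.8", "CVE-2002-0082 / OSVDB-756"),
}

def parse_version(text):
    """Split '0.9.6b' into ((0, 9, 6), 'b'): numeric parts compare as ints,
    and an empty suffix sorts before 'a', matching OpenSSL's lettering."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(n) for n in m.group(1).split(".")), m.group(2)

def extract_components(banner):
    """Return {component: version} for 'Apache httpd X' and 'name/X' tokens."""
    found = {}
    m = re.search(r"Apache httpd (\d[\w.]*)", banner)
    if m:
        found["apache"] = m.group(1)
    for name, ver in re.findall(r"(\w+)/(\d[\w.]*)", banner):
        found[name.lower()] = ver
    return found

def flag_outdated(banner, thresholds=THRESHOLDS):
    """Map each component that is below its fixed-in version to
    (found_version, fixed_in, reference)."""
    hits = {}
    for name, ver in extract_components(banner).items():
        if name in thresholds:
            fixed, ref = thresholds[name]
            if parse_version(ver) < parse_version(fixed):
                hits[name] = (ver, fixed, ref)
    return hits
```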

mod_ssl/2.8.4 exploit

80/443 – Potentially vulnerable to OpenLuck
https://www.exploit-db.com/exploits/764
https://github.com/heltonWernik/OpenLuck

Samba 2.2.1a exploit

139 Potentially vulnerable to trans2open
https://www.rapid7.com/db/modules/exploit/linux/samba/trans2open
https://www.exploit-db.com/exploits/7
https://www.exploit-db.com/exploits/10

Searchsploit

Searchsploit searches the exploit database built into Kali for potential exploits. Don't make the search term too specific, because searchsploit matches the exact term.

searchsploit Samba 2
