Ethical Hacker Community Forums

Ethical Hacking Discussions and Related Certifications => Network Pen Testing => Topic started by: Dissident85 on May 05, 2008, 06:37:42 PM



Title: Pentesting. What to do after port scan?
Post by: Dissident85 on May 05, 2008, 06:37:42 PM
Hi all, I am attempting to do some pen testing for the first time. OK, so I have scanned the servers I want to test using nmap, and I now have a list of open ports and the service and version for each port. I know that I need to find an appropriate exploit, but that is where I am stuck. How do I know which one to use? I have been looking through Metasploit but there are just so many.

Below are the results of the port scan I performed. Any advice?

Quote
windows server 2k
PORT      STATE SERVICE            VERSION
7/tcp     open  echo
9/tcp     open  discard?
13/tcp    open  daytime            Microsoft Windows USA daytime
17/tcp    open  qotd               Windows qotd
19/tcp    open  chargen
21/tcp    open  tcpwrapped
25/tcp    open  smtp               Microsoft ESMTP 5.0.2195.6713
|  SMTP: Responded to EHLO command
|  ****** Hello [10.0.0.6]
|  AUTH GSSAPI NTLM LOGIN
|  AUTH=LOGIN
|  TURN
|  ATRN
|  SIZE 2097152
|  ETRN
|  PIPELINING
|  DSN
|  ENHANCEDSTATUSCODES
|  8bitmime
|  BINARYMIME
|  CHUNKING
|  VRFY
|  Responded to HELP command
|  This server supports the following commands:
|_ HELO EHLO STARTTLS RCPT DATA RSET MAIL QUIT HELP AUTH TURN ATRN ETRN BDAT VRFY
53/tcp    open  domain             Microsoft DNS
80/tcp    open  http               Microsoft IIS webserver 5.0
|_ HTML title:
135/tcp   open  msrpc              Microsoft Windows RPC
139/tcp   open  netbios-ssn
443/tcp   open  ssl                Microsoft IIS SSL
|  SSLv2: server still supports SSLv2
|     SSL2_RC4_128_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC2_CBC_128_CBC_WITH_MD5
|     SSL2_DES_64_CBC_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|_    SSL2_RC2_CBC_128_CBC_WITH_MD5
445/tcp   open  microsoft-ds       Microsoft Windows 2000 microsoft-ds
1025/tcp  open  msrpc              Microsoft Windows RPC
1026/tcp  open  msrpc              Microsoft Windows RPC
1029/tcp  open  msrpc              Microsoft Windows RPC
3389/tcp  open  microsoft-rdp      Microsoft Terminal Service
6101/tcp  open  VeritasBackupExec?
6106/tcp  open  msrpc              Microsoft Windows RPC
10000/tcp open  backupexec         Veritas Backup Exec 9.0


Windows server 2003

PORT     STATE  SERVICE       VERSION
21/tcp   open   ftp?
25/tcp   open   smtp          Microsoft ESMTP 6.0.3790.3959
|  SMTP: Responded to EHLO command
|  **.*********.local Hello [10.0.0.15]
|  TURN
|  SIZE
|  ETRN
|  PIPELINING
|  DSN
|  ENHANCEDSTATUSCODES
|  8bitmime
|  BINARYMIME
|  CHUNKING
|  VRFY
|  X-EXPS GSSAPI NTLM LOGIN
|  X-EXPS=LOGIN
|  AUTH GSSAPI NTLM LOGIN
|  AUTH=LOGIN
|  X-LINK2STATE
|  XEXCH50
|  Responded to HELP command
|  This server supports the following commands:
|_ HELO EHLO STARTTLS RCPT DATA RSET MAIL QUIT HELP AUTH TURN ETRN BDAT VRFY
80/tcp   open   http          Microsoft IIS webserver 6.0
|_ HTML title: Site doesn't have a title.
443/tcp  closed https
1723/tcp open   pptp          Microsoft (Firmware: 3790)
3389/tcp open   microsoft-rdp Microsoft Terminal Service

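As an added example (not code from this thread or from nmap), the following Python script parses the kind of `nmap -sV` output quoted above and runs a small defender-side triage over it: the port table and the `|` NSE lines are parsed into records, then a checklist of rules flags the items worth fixing first (legacy simple TCP/IP services, end-of-life IIS 5.0, SSLv2/export ciphers, internet-facing management ports). The scan excerpt is constructed from the first post, and the rule list is an assumed checklist, not anything the thread itself prescribes.

```python
import re

# Constructed excerpt modelled on the nmap output quoted in the first post.
SCAN = """\
PORT      STATE SERVICE            VERSION
19/tcp    open  chargen
21/tcp    open  tcpwrapped
80/tcp    open  http               Microsoft IIS webserver 5.0
443/tcp   open  ssl                Microsoft IIS SSL
|  SSLv2: server still supports SSLv2
|_    SSL2_RC4_128_EXPORT40_WITH_MD5
3389/tcp  open  microsoft-rdp      Microsoft Terminal Service
10000/tcp open  backupexec         Veritas Backup Exec 9.0
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_scan(text):
    """Parse nmap -sV style lines into dicts; '|' lines attach to the preceding port."""
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            ports.append({"port": int(port), "proto": proto, "state": state,
                          "service": service, "version": version, "script": []})
        elif line.startswith("|") and ports:
            ports[-1]["script"].append(line.lstrip("|_ ").strip())
    return ports

# Assumed defender checklist (predicate, finding); not a rule set from the thread.
RULES = [
    (lambda p: p["port"] in (7, 9, 13, 17, 19),
     "legacy simple TCP/IP service exposed; disable it (known amplification target)"),
    (lambda p: "IIS webserver 5.0" in p["version"],
     "IIS 5.0 (Windows 2000) is end-of-life; upgrade the host"),
    (lambda p: any("SSLv2" in s or "EXPORT" in s for s in p["script"]),
     "SSLv2 and/or export-grade cipher suites offered; disable them"),
    (lambda p: p["service"] in ("backupexec", "microsoft-rdp", "pptp", "microsoft-ds"),
     "management/remote-access port internet-facing; restrict to VPN or internal network"),
]

def triage(text):
    # One (port, finding) pair per open port per matching rule, in scan order.
    return [(p["port"], msg) for p in parse_scan(text) if p["state"] == "open"
            for pred, msg in RULES if pred(p)]

if __name__ == "__main__":
    for port, msg in triage(SCAN):
        print(f"{port:>5}/tcp  {msg}")
```

Feed it the full scan from the first post and the two rules on legacy services and management ports will also pick up echo/discard/daytime/qotd, 445 and PPTP.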

Title: Re: Pentesting. What to do after port scan?
Post by: BillV on May 06, 2008, 07:36:49 AM
Quote
Hi all, I am attempting to do some pen testing for the first time.

Care to elaborate? What are you testing? Your own system(s)?


Title: Re: Pentesting. What to do after port scan?
Post by: don on May 06, 2008, 10:32:46 AM
A pretty standard thing to do after a port scan is a vulnerability scan. Try Nessus. You may want to look up some pen testing or ethical hacking methodologies before continuing. Search this forum for "methodology" to get a good start.

I would second BillV's questions and add another. Are these production servers? Even if you have full permission to test production servers, I would never touch them on my first ever attempt at a pen test. Try this out in a lab first. Try to mimic the OS, patch level and running services, etc. Then go through the methodology in your lab.

Hope this helps,
Don


Title: Re: Pentesting. What to do after port scan?
Post by: Kev on May 06, 2008, 12:51:48 PM
Wow, what a nice scan. You can't get in with that?


Title: Re: Pentesting. What to do after port scan?
Post by: Dissident85 on May 06, 2008, 08:50:55 PM
Quote
Hi all, I am attempting to do some pen testing for the first time.

Care to elaborate? What are you testing? Your own system(s)?

I am testing 2 servers at my work: a mail server and a web server... they are the 2 servers that are exposed to the internet.


Title: Re: Pentesting. What to do after port scan?
Post by: Dissident85 on May 06, 2008, 08:56:11 PM
Quote
A pretty standard thing to do after a port scan is a vulnerability scan. Try Nessus. You may want to look up some pen testing or ethical hacking methodologies before continuing. Search this forum for "methodology" to get a good start.

I would second BillV's questions and add another. Are these production servers? Even if you have full permission to test production servers, I would never touch them on my first ever attempt at a pen test. Try this out in a lab first. Try to mimic the OS, patch level and running services, etc. Then go through the methodology in your lab.

Hope this helps,
Don

Well, I have full backups of the servers; perhaps I could take yesterday's backups and load them into VMware, then try to penetrate them?

As for a vulnerability scan, I would use one of these tools, http://backtrack.offensive-security.com/index.php/Tools#Vulnerability_Identification, right?

Yes, I have permission to perform these tests. We are a small company, and what started as a job as a web developer has turned into web developer / IT admin.


Title: Re: Pentesting. What to do after port scan?
Post by: don on May 06, 2008, 08:57:16 PM
Well, even if their intended purpose is different, they both are web servers, and one is even on IIS 5 which is bad news. Upgrading that would be my first recommendation.

Don


Title: Re: Pentesting. What to do after port scan?
Post by: Dissident85 on May 06, 2008, 08:59:42 PM
Quote
Wow what a nice scan. You cant get in with that?

Yes, I was also quite surprised with the results of that scan. nmap really is a wonderful tool.

Well, what I have been doing is trying to find exploits on sites like milw0rm and using Metasploit, but I haven't had any luck.

I guess, as Don said, I need to do a vulnerability scan... I'm thinking that skipping that step is probably why I am having so much trouble getting in.


Title: Re: Pentesting. What to do after port scan?
Post by: ChrisG on May 06, 2008, 09:31:11 PM
I'd be taking a look at the Veritas services, no one ever updates that stuff :-P


Title: Re: Pentesting. What to do after port scan?
Post by: BillV on May 06, 2008, 09:48:47 PM
Quote
i'd be taking a look at the veritas services, no one ever updates that stuff :-P

Yeah, v9 is a good 3 versions behind


Title: Re: Pentesting. What to do after port scan?
Post by: Dissident85 on May 06, 2008, 10:12:46 PM
Quote
i'd be taking a look at the veritas services, no one ever updates that stuff :-P

Veritas services???

Edit: Sorry, just looked into it, I know what you are talking about...

By the way, does anyone know how to convert a ".v2i" to a ".vmdk"?


Title: Re: Pentesting. What to do after port scan?
Post by: don on May 06, 2008, 10:19:02 PM
Quote
10000/tcp open  backupexec         Veritas Backup Exec 9.0


Title: Re: Pentesting. What to do after port scan?
Post by: Dissident85 on May 06, 2008, 10:30:41 PM
OK, so I just did a search on securityfocus.com and milw0rm.com and I couldn't find any exploits for that version. Does that mean that there are no public exploits for that version?


Title: Re: Pentesting. What to do after port scan?
Post by: don on May 06, 2008, 10:42:50 PM
You seem to be very stuck on getting an exploit. You're not even at that stage yet. Plus, there are plenty of other ways into a machine in addition to exploits.

Don


Title: Re: Pentesting. What to do after port scan?
Post by: Kev on May 07, 2008, 02:07:23 AM
Very true, Don. Why is it that some people think the only way to "get in" is to exploit? It's sweet when you get one, but I always take issue with those that think if we could only code better there would be no more stealing of data. The majority of my "hacks" have been using techniques that don't involve a software exploit. Please don't think just because your system is patched that you are 100% safe.


Title: Re: Pentesting. What to do after port scan?
Post by: Dissident85 on May 07, 2008, 04:55:04 AM
OK, I always thought that that was how people got into systems. Well, exploits and man in the middle, and cracking passwords...

How else could someone get into a system?


Title: Re: Pentesting. What to do after port scan?
Post by: BillV on May 07, 2008, 07:24:58 AM
Quote
ok, i always thought that that was how people got into systems. well exploits and man in the middle, and cracking passwords...

How else could someone get into a system?

There was a recent thread about client-side attacks that might be of interest to you. Just do a quick search or I think it's still in the side-bar on the right side of the page.


Title: Re: Pentesting. What to do after port scan?
Post by: Dissident85 on May 07, 2008, 06:31:36 PM
OK, so by client-side attacks you're talking about social engineering, Trojans, etc. The best way to protect against that is proper education of your staff? Oh, and firewalls.

I'm more interested in protecting against people getting in without tricking staff into opening pages/emails...


Title: Re: Pentesting. What to do after port scan?
Post by: BillV on May 07, 2008, 09:19:41 PM
Quote
Ok so by client-side attacks your talking about social engineering, Trojans etc etc… the best way to protect against that is proper education of your staff? Oh and firewalls.

Sort of... a trojan isn't really a client-side exploit. Think more along the lines of some malicious code, maybe a buffer overflow, that exploits the user's browser or maybe a program that they use. Yes, user awareness/security training is one of the ways to safeguard against such attacks. Core Security actually has a pretty good definition on their website here (http://www.coresecurity.com/?module=ContentMod&action=item&id=519).

Quote
I’m more interested in protecting against people getting in without tricking staff to opening pages/emails…

It's all dependent on what type of test you're doing. As mentioned in many other posts at this site, you'll notice that there is a lot of emphasis placed on other tactics rather than trying to get in through a firewall. If your goal is to do a full penetration test of your network/information system, then you're only doing your company a disservice by not exploring all possibilities.

On the other hand, if the objective is to get in through the Internet (minus using anything client-side for leverage), then you're certainly on the right track thus far. From your scan, it looks like you've got plenty of places to dig deeper... IIS 5, DNS, FTP, Mail. Are those web servers hosting websites? What about attacking the websites? You mentioned MITM attacks in an earlier post; does your FTP server support non-secure connections?

As previously recommended, you should probably run a scan with a vulnerability scanner (ex: Nessus (http://www.nessus.org)). And, also as Don mentioned earlier in the thread, you should probably consider looking into a testing methodology (ex: OSSTMM (http://www.isecom.org/osstmm)).

Hope that gives you a bit more insight. Best of luck.

BillV