May 10, 2010 at 2:06 pm #5030
Hi again guys.
I’m doing a pentest (for edu purposes) on a single company server, and I’m stuck…
After doing my research using nmap, amap, nessus, nikto2 etc i’ve found this:
OS: Windows Server 2003
22: SSH(2) Not sure which sshd.
25: SMTP (xxxx.domain.local)
80: HTTP (IIS6-SP1, SSL2, Not hosting any websites that i know of)
389: LDAP (Nothing found mining…)
443: HTTPS (SSL from digicert.com)
444: SNPP (Found Fortinet/Fortigate firewall)
3389: MS-TERM (v4)
Internal IP found: 10.10.147.11
I found no exploits for the services (Im sure they exist…). The only thing i can think of atm is bruteforcing or fuzzing the SSH server.
Trojans, on-site (wlan), socialEng etc is out of the question. Just direct targeting remotely. Any thoughts on how to proceed, except bruteforcing which is kinda loud…
ps: All testing is done with “safe-checks” as they wouldnt be so happy if any services went down…
May 10, 2010 at 4:39 pm #31842
First of all, I’m going to assume you’re doing this with permission, otherwise you’re in the wrong place. Secondly, you said they “wouldnt be so happy if any services went down…”. Sounds like you shouldn’t be playing with this server even with permission. Setup a test server if you’re just trying to learn. You shouldn’t be learning on live in-production servers. Nothing good can come from it.
Maybe you can clone the system, or use some P2V tools to create a virtual copy of it?
Then you can be as aggressive as you want without worrying about shutting anything down, and you won’t crash anything unknowingly and thus bring down the wrath of your employer.
May 10, 2010 at 4:54 pm #31843
Yeah, i usually setup VMware environments, but then i know everything about it. The reason im doing this “live” is because i don’t have any knowledge about the system. And yes, im allowed to test on this server. They have multiple servers, but im restricted to this IP only. Which kinda sux a little bit because there is no proper FTP or WEB service running on this one. =)
If the services is down i can restart them (i have remote access, logmein), but its still a live server so im guessing its not that popular anyways…
I’d appreciate some concrete “actions” here instead of doubting my intensions =)
May 10, 2010 at 5:13 pm #31844
I mean no offense, I just don’t think practicing on a live server is a great idea.
At any rate, I think you still need to do some more recon. What SMTP server is running? Can you connect to it and enumerate any usernames? Some info on that process can be found at http://forums.remote-exploit.org/tutorials-guides/19158-smtp-enumeration.html.
I’d also spend some more time trying to figure out what SSH server is running. SSH is not a normal service for a Windows Server, so finding out which server could help…
Those are the things that come to mind. I’m sure others might have more suggestions.
May 10, 2010 at 5:18 pm #31845rattisParticipant
might try telneting to the ports and seeing if you get any banner information from them. Might help in finding out what programs are running the open services.
May 10, 2010 at 6:47 pm #31846ziggy_567Participant
I would also add that if they are serving DNS, SMTP, HTTP from the same host, they are not following best-practices of having a single purpose per server. It is likely that you will find misconfigurations in an environment like this.
May 10, 2010 at 7:08 pm #31847Dengar13Participant
This might be a dumb question, but are you testing this internally or externally? I am assuming externally since you said you found an internal IP address.
May 10, 2010 at 8:11 pm #31848snortymcsnortParticipant
If you use the -A option with nmap you may get a better idea of which specific applications/versions are running
May 10, 2010 at 8:12 pm #31849
Thx for the feedback everybody.. I’ll look at it ASAP. Dengar13, externally. If i wasnt at school (in another country) i would jump in the car cracking the wep encryption they are still using, and then its pretty straight forward =)
I found the internal IP due to a flaw in .asp. Make that misconf…
May 10, 2010 at 8:18 pm #31850
If you’re scanning externally, there’s a chance you aren’t directly scanning a Windows server. It looks like you’re actually scanning a firewall appliance, and certain ports are forwarded to internal servers. So SSH could be the appliance, or an internal server. IIS is on the Windows Server. etc.
May 10, 2010 at 8:46 pm #31851
Yeah. Just noticed. SSH port OS guess was 97% Fortigate100-A… (Which i know is true…) Seems like I’m hitting the firewall..
Edit: Bamed: That SMTP enumeration, will it fuck anything up? Looking at the python script it looks like regular string input, but now, im not an expert.
May 11, 2010 at 3:13 am #31852XenParticipant
You don’t have to use script. You can do this manually using VRFY and EXPN commands. It would be better if you firstly try the script in your test lab before actually using it on a company machine.
May 11, 2010 at 3:21 am #31853silParticipant
If i wasnt at school (in another country) i would jump in the car cracking the wep encryption they are still using, and then its pretty straight forward =)
For starters, you state go to school but your pentesting a server for a company in another country. So how would you even know what type of wireless encryption they’re using? Sounds pretty fishy if you ask me. Hey if you can get the work more power to you but I can’t think of a reputable company that would allow a student to fiddle with production servers.
Secondly, your writing leads me to believe you’re very inexperienced. A pentest – remotely – is usually an indication of a grey hat / black hat test most likely a blackhat since you have no idea what you’re targeting (is it Windows or is it Fortinet).
With that said, a blackhat is a blackhat is a blackhat. Brute forcing would be optimal way to go on THAT machine. There are alternative mechanisms to allow for non-noisy brute forcing with timing variables. Chances are (I would hope), whomever configured the Fortinet, configured it to solely allow trusted sites to SSH in so unless you can even ATTEMPT ONCE to log in, your SOL.
In that case I would… Not go further into telling you what I would do because as stated, some things in your initial post just don’t add up.
May 11, 2010 at 1:19 pm #31854
I don’t even know why i bother.. But for starters, Im from norway, but i moved abroad 1 year ago to study, hence the company is in another country -> norway. And you think i magically know what wireless encryption they are using? No, i’ve been there with the it-consultant in charge, which i did some work for setting up SMB networks. “Fiddling” with production servers is up until now just information gathering, so please get over it. Im asking on this forum to learn, not get criticized. If everybody were experts you wouldn’t need a forum. Im just looking for constructive criticism to learn, thats all. And yeah, I am allowed to establish a SSH connection and try to log in.
If i wanted to do some shit, i’d steal a car…
Edit: And yes, i was allowed just for education purposes as stated earlier. I remember to ask for a contract next time and send you with their signature.
May 11, 2010 at 1:54 pm #31855caissydParticipant
Me, I believe you jonas.
But if you start reading the other threads, you will see that many newcomers are trying to get help on how to do bad stuff and no one here wants to be part of that…
That being said, have fun and brute force these services! 😉
May 11, 2010 at 2:13 pm #31856
Actually, getting a contract is not a bad idea. I would be cautious of doing anything with verbal permission alone. If anything does go wrong, you want your own back covered.
With that being said… any more progress?
May 11, 2010 at 2:22 pm #31857silParticipant
No, i’ve been there with the it-consultant in charge, which i did some work for setting up SMB networks.
“Fiddling” with production servers is up until now just information gathering
Im asking on this forum to learn, not get criticized.
Im just looking for constructive criticism to learn, thats all.
So again, getting back to the previous comments made by others and myself:
If you’ve been there AND HAVE done work for them, then why would you ask what kind of server are you hitting (is it Windows or is it a firewall?)
“Fiddling” with production servers doesn’t seem like something a company would tolerate unless they don’t mind potentially losing business. So nothing you can add makes much sense. Most companies allowing security testing to be done almost ALWAYS 1) ask for business references 2) look for insurance policies, etc., so unless the principals of the company you’re testing are 1) insane 2) completely void of understanding risk 3) eye dee 10 tees it smells fishy as heck period.
If you’re looking to learn is one thing. Looking to learn on a production server is outright stupidity and anyone allowing it should not be working on that server either. My PROFESSIONAL two cents. (Not that anyone’s asked). Back to the learning curve. If you’re truly just curious, stay away from potentially taking out a server as it seems (and I mean this constructively) you don’t know enough to avoid causing potential harm to a production environment. I’ve performed quite a few pentests and have recurring companies on a quarterly basis. I can tell you firsthand the last thing you want to do is cause a potential outage.
For those stating: “mimic the network with VMWare” while it may be a theoretical approach, one can’t know about the patch levels on a machine in order to mimic it. The patch levels, the configurations, the user account/group configurations, etc to make it a feasbile test. You’d be pentesting nothing more than your own VMWare image, not a mirror of a target.
Jonas, I suggest you focus on learning OUTSIDE of production servers. Since you seem to still be learning, explain to this ‘company’ that ‘allowed’ you to tinker with their servers that you don’t want to potentially damage their business by possibly bringing down a production server. Be honest with them: “I’m learning and there is a risk by allowing me to tinker that I can bring down (DoS) your server inadvertently.” They’ll appreciate you more than finding out by you fiddling you cost them money.
May 11, 2010 at 2:31 pm #31858
sil does have a good point. You really don’t want to mess with production servers unless you really know what you’re doing. I’m assuming from the description so far that this is a small business, so they are probably more likely to let someone fiddle with things simply because they don’t know better. However, if something does go wrong, even if it wasn’t your fault, say someone else ( a real malicious user), gets into the system, steals some info, loads a virus, or whatever. I’d say there’s a pretty good chance you could take the blame whether it’s your fault or not.
We’re just trying to watch your back here. It’s real easy for people starting out to start fiddling with things and find themselves up a creek full of fecal matter without an adequate means of propulsion.
So, at the very least, get written permission and some kind of liability release so they can’t come after you if something goes wrong.
May 11, 2010 at 3:41 pm #31859rattisParticipant
so unless the principals of the company you’re testing are 1) insane 2) completely void of understanding risk 3) eye dee 10 tees
There are more of those companies out there than you’d believe Sil. You can usually spot them by the fact that they don’t have a legal department / 1 lawyer on staff.
I’m all for lab building and testing. But there is only so much a lab can teach you, unless you’re lab is really really high end (including firewalls). Even then there are things you’ll not understand like the current situation Jonas is in.
I agree, there are some things that are off. I applaud jonas’ desire to learn, and his willing to try. AND THE FACT HE IS WILLING TO ASK QUESTIONS.
since you’ve mentioned you’ve got contacts there. I think it wouldn’t hurt to ask them about some of the things you’re seeing. They know the network better and might be able to give you some information you’ll need. You can also let them know that something is misconfiguration and leaking internal ip address.
May 11, 2010 at 6:00 pm #31860
I appreciate the input, and understand the risk. It’s just that when I’m asking a technical question I would like a straight answer, not an essay on wether or not i should do it, or if im doing it with “malicious” intent. However, i do understand you guys asking. That being said, this is a small company. Sil, can we just drop this “fishy” talk”? I said i did some work for him, he has over 50 customers, i never said I did work at that business. So please just leave it and try discussing IT, which is more worth everyone’s while =)
Edit: thx for the wordlist bamed.
May 11, 2010 at 6:08 pm #31861
May 11, 2010 at 7:07 pm #31862
Ok, so to save time and be a little nice to the service, i asked for the password for the SSH server, and put it in my wordlist. Using auxiliary/scanner/ssh/ssh_login in msf, in verbose mode, i can see that its trying all passwords, and when it hits the correct password i get an error msg:
[-] Auxiliary failed: NoMethodError undefined method `rindex’ for nil:NilClass
[-] Call stack:
[-] /opt/metasploit3/msf3/lib/msf/core/framework.rb:242:in `session_event’
[-] /opt/metasploit3/msf3/lib/msf/core/framework.rb:262:in `on_session_open’
[-] /opt/metasploit3/msf3/lib/msf/core/event_dispatcher.rb:169:in `block in method_missing’
[-] /opt/metasploit3/msf3/lib/msf/core/event_dispatcher.rb:167:in `each’
[-] /opt/metasploit3/msf3/lib/msf/core/event_dispatcher.rb:167:in `method_missing’
[-] /opt/metasploit3/msf3/lib/msf/core/session_manager.rb:70:in `register’
[-] (eval):107:in `do_login’
[-] (eval):140:in `block in run_host’
[-] /opt/metasploit3/msf3/lib/msf/core/auxiliary/auth_brute.rb:65:in `call’
[-] /opt/metasploit3/msf3/lib/msf/core/auxiliary/auth_brute.rb:65:in `block (2 levels) in each_user_pass’
[-] /opt/metasploit3/msf3/lib/msf/core/auxiliary/auth_brute.rb:95:in `each_pass’
[-] /opt/metasploit3/msf3/lib/msf/core/auxiliary/auth_brute.rb:64:in `block in each_user_pass’
[-] /opt/metasploit3/msf3/lib/msf/core/auxiliary/auth_brute.rb:83:in `each_user’
[-] /opt/metasploit3/msf3/lib/msf/core/auxiliary/auth_brute.rb:63:in `each_user_pass’
[-] (eval):135:in `run_host’
[-] /opt/metasploit3/msf3/lib/msf/core/auxiliary/scanner.rb:92:in `block in run’
Which is really not a problem, as it only happens when it gets the correct password. But could anyone explain why i get this error?
May 11, 2010 at 8:25 pm #31863dynamikParticipant
You need to understand people are trying to protect you as well. You really should have a signed, written contract. You may find that the person who gave you permission to do this doesn’t actually have the authority to do so. Or he passes the blame on to you if something goes wrong. You’re also subject to the laws of countries you’re in, the target’s in, and any country the packets pass through (they may not go in a straight line). You could quickly find yourself in serious trouble and ruin your career. It’s a point that’s worth bringing up, even if you only want technical information.
P.S. Run Dir Buster against the web server. Maybe you’ll find some interesting web apps.
May 11, 2010 at 9:41 pm #31864
I appreciate that you all think so well of me and want me all the best 😉 hehe.
Thx for all the feedback, and it seems im done now anyways, even though i still dont get that error. But its a good error so no worries 😉
- You must be logged in to reply to this topic.