.

Pentesting. What to do after port scan?

<<

Loic

User avatar

Newbie
Newbie

Posts: 16

Joined: Mon Mar 24, 2008 6:04 pm

Location: Sydney

Post Mon May 05, 2008 6:37 pm

Pentesting. What to do after port scan?

Hi all, I am attempting to do some pen testing for the first time. Ok so I have scaned the servers I want to test using nmap, and I now have a list of open ports and the service and version for each port. I know that I need to find an appropriate exploit. But that is where I am stuck. How do I know what one to use? I have been looking through metasploit but there are just so many.

Below are the resaults of my port scan I performed. Any advice???

windows server 2k
PORT      STATE SERVICE            VERSION
7/tcp    open  echo
9/tcp    open  discard?
13/tcp    open  daytime            Microsoft Windows USA daytime
17/tcp    open  qotd              Windows qotd
19/tcp    open  chargen
21/tcp    open  tcpwrapped
25/tcp    open  smtp              Microsoft ESMTP 5.0.2195.6713
|  SMTP: Responded to EHLO command
|  ****** Hello [10.0.0.6]
|  AUTH GSSAPI NTLM LOGIN
|  AUTH=LOGIN
|  TURN
|  ATRN
|  SIZE 2097152
|  ETRN
|  PIPELINING
|  DSN
|  ENHANCEDSTATUSCODES
|  8bitmime
|  BINARYMIME
|  CHUNKING
|  VRFY
|  Responded to HELP command
|  This server supports the following commands:
|_ HELO EHLO STARTTLS RCPT DATA RSET MAIL QUIT HELP AUTH TURN ATRN ETRN BDAT VRFY
53/tcp    open  domain            Microsoft DNS
80/tcp    open  http              Microsoft IIS webserver 5.0
|_ HTML title:
135/tcp  open  msrpc              Microsoft Windows RPC
139/tcp  open  netbios-ssn
443/tcp  open  ssl                Microsoft IIS SSL
|  SSLv2: server still supports SSLv2
|  SSL2_RC4_128_WITH_MD5
|  SSL2_DES_192_EDE3_CBC_WITH_MD5
|  SSL2_RC2_CBC_128_CBC_WITH_MD5
|  SSL2_DES_64_CBC_WITH_MD5
|  SSL2_RC4_128_EXPORT40_WITH_MD5
|_ SSL2_RC2_CBC_128_CBC_WITH_MD5
445/tcp  open  microsoft-ds      Microsoft Windows 2000 microsoft-ds
1025/tcp  open  msrpc              Microsoft Windows RPC
1026/tcp  open  msrpc              Microsoft Windows RPC
1029/tcp  open  msrpc              Microsoft Windows RPC
3389/tcp  open  microsoft-rdp      Microsoft Terminal Service
6101/tcp  open  VeritasBackupExec?
6106/tcp  open  msrpc              Microsoft Windows RPC
10000/tcp open  backupexec        Veritas Backup Exec 9.0


Windows server 2003

PORT    STATE  SERVICE      VERSION
21/tcp  open  ftp?
25/tcp  open  smtp          Microsoft ESMTP 6.0.3790.3959
|  SMTP: Responded to EHLO command
|  **.*********.local Hello [10.0.0.15]
|  TURN
|  SIZE
|  ETRN
|  PIPELINING
|  DSN
|  ENHANCEDSTATUSCODES
|  8bitmime
|  BINARYMIME
|  CHUNKING
|  VRFY
|  X-EXPS GSSAPI NTLM LOGIN
|  X-EXPS=LOGIN
|  AUTH GSSAPI NTLM LOGIN
|  AUTH=LOGIN
|  X-LINK2STATE
|  XEXCH50
|  Responded to HELP command
|  This server supports the following commands:
|_ HELO EHLO STARTTLS RCPT DATA RSET MAIL QUIT HELP AUTH TURN ETRN BDAT VRFY
80/tcp  open  http          Microsoft IIS webserver 6.0
|_ HTML title: Site doesn't have a title.
443/tcp  closed https
1723/tcp open  pptp          Microsoft (Firmware: 3790)
3389/tcp open  microsoft-rdp Microsoft Terminal Service
<<

venom77

User avatar

Hero Member
Hero Member

Posts: 1905

Joined: Mon Dec 11, 2006 3:23 pm

Post Tue May 06, 2008 7:36 am

Re: Pentesting. What to do after port scan?

Loic wrote:Hi all, I am attempting to do some pen testing for the first time.


Care to elaborate? What are you testing? Your own system(s)?
<<

don

User avatar

Administrator
Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Tue May 06, 2008 10:32 am

Re: Pentesting. What to do after port scan?

A pretty standard thing to do after a port scan is a vulnerability scan. Try Nessus. You may want to look up some pen testing or ethical hacking methodologies before continuing. Search this forum for "methodology" to get a good start.

I would second BillV's questions and add another. Are these production servers? Even if you have full permission to test production servers, I would never touch them on my first ever attempt at a pen test. Try this out in a lab first. Try to mimic the OS, patch level and running services, etc. Then go through the methodology in your lab.

Hope this helps,
Don
CISSP, MCSE, CSTA, Security+ SME
<<

Kev

Sr. Member
Sr. Member

Posts: 428

Joined: Sat Sep 29, 2007 12:26 pm

Post Tue May 06, 2008 12:51 pm

Re: Pentesting. What to do after port scan?

Wow what a nice scan. You cant get in with that?
<<

Loic

User avatar

Newbie
Newbie

Posts: 16

Joined: Mon Mar 24, 2008 6:04 pm

Location: Sydney

Post Tue May 06, 2008 8:50 pm

Re: Pentesting. What to do after port scan?

BillV wrote:
Loic wrote:Hi all, I am attempting to do some pen testing for the first time.


Care to elaborate? What are you testing? Your own system(s)?


I am testing 2 servers at my work. a mail server and a web server... they are the 2 servers that are exposed to the internet.
<<

Loic

User avatar

Newbie
Newbie

Posts: 16

Joined: Mon Mar 24, 2008 6:04 pm

Location: Sydney

Post Tue May 06, 2008 8:56 pm

Re: Pentesting. What to do after port scan?

don wrote:A pretty standard thing to do after a port scan is a vulnerability scan. Try Nessus. You may want to look up some pen testing or ethical hacking methodologies before continuing. Search this forum for "methodology" to get a good start.

I would second BillV's questions and add another. Are these production servers? Even if you have full permission to test production servers, I would never touch them on my first ever attempt at a pen test. Try this out in a lab first. Try to mimic the OS, patch level and running services, etc. Then go through the methodology in your lab.

Hope this helps,
Don

well i have full backups of the servers, perhaps i could take yesterdays backups and load them into vmware? then try to penetrate them?

as for a vonerability scan, i would use one of these tools http://backtrack.offensive-security.com ... tification right?

Yes i have permision to perform these test. We are a small company and from what started as a job as a web developer has turned into web developer / IT Admin.
<<

don

User avatar

Administrator
Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Tue May 06, 2008 8:57 pm

Re: Pentesting. What to do after port scan?

Well, even if their intended purpose is different, they both are web servers, and one is even on IIS 5 which is bad news. Upgrading that would be my first recommendation.

Don
CISSP, MCSE, CSTA, Security+ SME
<<

Loic

User avatar

Newbie
Newbie

Posts: 16

Joined: Mon Mar 24, 2008 6:04 pm

Location: Sydney

Post Tue May 06, 2008 8:59 pm

Re: Pentesting. What to do after port scan?

Kev wrote:Wow what a nice scan. You cant get in with that?


Yes i was also quite surprised with the results of that scan. nmap really is a wonderful tool.

well what i have been doing is trying to find exploits. on sites like milw0rm and using metasploit. but haven't had any luck.

i guess as don said i need to do a venerability scan... im thinking prob cause i missed that stop could be why i am having so much trouble getting in.
<<

LSOChris

Post Tue May 06, 2008 9:31 pm

Re: Pentesting. What to do after port scan?

i'd be taking a look at the veritas services, no one ever updates that stuff :-P
<<

venom77

User avatar

Hero Member
Hero Member

Posts: 1905

Joined: Mon Dec 11, 2006 3:23 pm

Post Tue May 06, 2008 9:48 pm

Re: Pentesting. What to do after port scan?

ChrisG wrote:i'd be taking a look at the veritas services, no one ever updates that stuff :-P


Yeah, v9 is a good 3 versions behind
<<

Loic

User avatar

Newbie
Newbie

Posts: 16

Joined: Mon Mar 24, 2008 6:04 pm

Location: Sydney

Post Tue May 06, 2008 10:12 pm

Re: Pentesting. What to do after port scan?

ChrisG wrote:i'd be taking a look at the veritas services, no one ever updates that stuff :-P


veritas services???

Edit: Sorry, just looked into it, i know what you are talking about...

By the way, dose anyone know how to convert a ".v2i" to a ".vmdk" ????
Last edited by Loic on Tue May 06, 2008 10:21 pm, edited 1 time in total.
<<

don

User avatar

Administrator
Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Tue May 06, 2008 10:19 pm

Re: Pentesting. What to do after port scan?

10000/tcp open  backupexec        Veritas Backup Exec 9.0
CISSP, MCSE, CSTA, Security+ SME
<<

Loic

User avatar

Newbie
Newbie

Posts: 16

Joined: Mon Mar 24, 2008 6:04 pm

Location: Sydney

Post Tue May 06, 2008 10:30 pm

Re: Pentesting. What to do after port scan?

ok, so i just did a search on securityfocus.com and miliw0rm.com and i couldn't any exploits for version, dose that mean that there are no public exploits for that version?
<<

don

User avatar

Administrator
Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Tue May 06, 2008 10:42 pm

Re: Pentesting. What to do after port scan?

You seem to be very stuck on getting an exploit. You're not even at that stage yet. Plus, there are plenty of other ways into a machine in addition to exploits.

Don
CISSP, MCSE, CSTA, Security+ SME
<<

Kev

Sr. Member
Sr. Member

Posts: 428

Joined: Sat Sep 29, 2007 12:26 pm

Post Wed May 07, 2008 2:07 am

Re: Pentesting. What to do after port scan?

Very true Don.  Why is it that some people think the only way to "get in" is to exploit? Its sweet when you get one but I always take issue with those that think if we could only code better there would be no more stealing of data. The majority of my "hacks" have been using techniques that don't involve a software exploit. Please don't think just because your system is patched that you are 100% safe.
Next

Return to Network Pen Testing

Who is online

Users browsing this forum: No registered users and 2 guests

.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software