Pentesting Server

jonas

Newbie

Posts: 46

Joined: Mon Jun 08, 2009 9:04 pm

Post Mon May 10, 2010 9:06 am

Pentesting Server

Hi again guys.

I'm doing a pentest (for edu purposes) on a single company server, and I'm stuck...
After doing my research using nmap, amap, nessus, nikto2 etc., I've found this:

OS: Windows Server 2003

22: SSH(2) Not sure which sshd.
25: SMTP (xxxx.domain.local)
53: DNS
80: HTTP (IIS6-SP1, SSL2, not hosting any websites that I know of)
113(Closed): IDENT  
389: LDAP (Nothing found mining...)
443: HTTPS (SSL from digicert.com)
444: SNPP (Found Fortinet/Fortigate firewall)
3389: MS-TERM (v4)

Internal IP found: 10.10.147.11

I found no exploits for the services (I'm sure they exist...).  The only thing I can think of atm is bruteforcing or fuzzing the SSH server.

Trojans, on-site (wlan), social engineering etc. are out of the question.  Just direct targeting remotely.  Any thoughts on how to proceed, except bruteforcing, which is kinda loud...

PS: All testing is done with "safe-checks" as they wouldn't be so happy if any services went down...

Thx guys.
Last edited by jonas on Mon May 10, 2010 9:11 am, edited 1 time in total.
bamed

Newbie

Posts: 48

Joined: Thu Mar 19, 2009 7:05 pm

Location: Joplin, MO

Post Mon May 10, 2010 11:39 am

Re: Pentesting Server

First of all, I'm going to assume you're doing this with permission, otherwise you're in the wrong place.  Secondly, you said they "wouldn't be so happy if any services went down...".  Sounds like you shouldn't be playing with this server even with permission.  Set up a test server if you're just trying to learn.  You shouldn't be learning on live in-production servers.  Nothing good can come from it.
Maybe you can clone the system, or use some P2V tools to create a virtual copy of it?
Then you can be as aggressive as you want without worrying about shutting anything down, and you won't crash anything unknowingly and thus bring down the wrath of your employer.
chown -R bamed ./base
jonas

Newbie

Posts: 46

Joined: Mon Jun 08, 2009 9:04 pm

Post Mon May 10, 2010 11:54 am

Re: Pentesting Server

Yeah, I usually set up VMware environments, but then I know everything about it. The reason I'm doing this "live" is because I don't have any knowledge about the system.  And yes, I'm allowed to test on this server.  They have multiple servers, but I'm restricted to this IP only. Which kinda sux a little bit because there is no proper FTP or web service running on this one. =)

If the services are down I can restart them (I have remote access, LogMeIn), but it's still a live server so I'm guessing it's not that popular anyways... 

I'd appreciate some concrete "actions" here instead of doubting my intentions =)
bamed

Newbie

Posts: 48

Joined: Thu Mar 19, 2009 7:05 pm

Location: Joplin, MO

Post Mon May 10, 2010 12:13 pm

Re: Pentesting Server

jonas,
I mean no offense, I just don't think practicing on a live server is a great idea.
At any rate, I think you still need to do some more recon.  What SMTP server is running?  Can you connect to it and enumerate any usernames?  Some info on that process can be found at http://forums.remote-exploit.org/tutori ... ation.html.
I'd also spend some more time trying to figure out what SSH server is running.  SSH is not a normal service for a Windows Server, so finding out which server could help...

Those are the things that come to mind.  I'm sure others might have more suggestions.
chown -R bamed ./base
rattis

Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Mon May 10, 2010 12:18 pm

Re: Pentesting Server

Might try telnetting to the ports and seeing if you get any banner information from them. Might help in finding out what programs are running the open services.
OSWP, Sec+
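The banner check rattis describes, written out as an added example (not code from the thread or from any poster): connect, let the service speak first, keep the first line, and split an SSH identification string into its RFC 4253 fields so the sshd vendor string is visible. Real services are replaced by a throwaway loopback listener that sends constructed banners, so the script runs offline; the host names and banner strings below are made up, and the timeout handling is there because services such as HTTP and LDAP say nothing until the client speaks.

```python
import socket
import threading

# Constructed sample banners (not captured from any real host).
SAMPLE_BANNERS = {
    "ssh": b"SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7\r\n",
    "smtp": b"220 mail.example.test ESMTP Service ready\r\n",
}


def grab_banner(host, port, timeout=3.0):
    """Connect, wait for the service to speak first, return its first line.

    Returns an empty string for services that stay silent until the client
    sends something (HTTP, LDAP, ...), instead of hanging or raising.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        data = b""
        try:
            while b"\n" not in data and len(data) < 1024:
                chunk = sock.recv(256)
                if not chunk:  # peer closed the connection
                    break
                data += chunk
        except socket.timeout:
            pass
    return data.split(b"\n", 1)[0].rstrip(b"\r").decode("utf-8", "replace")


def parse_ssh_banner(banner):
    """Split an RFC 4253 identification string into protocol, software, comments.

    Format: "SSH-protoversion-softwareversion SP comments". The software
    field may itself contain '-', so only the first two dashes split.
    Returns None for anything that is not an SSH banner.
    """
    if not banner.startswith("SSH-"):
        return None
    ident, _, comments = banner.partition(" ")
    parts = ident.split("-", 2)
    if len(parts) != 3:
        return None
    return {"protocol": parts[1], "software": parts[2], "comments": comments}


def _serve_once(banner):
    """Local stand-in for a real service: send `banner`, hang up. Returns the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))  # ephemeral port
    srv.listen(1)

    def handler():
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()
        srv.close()

    threading.Thread(target=handler, daemon=True).start()
    return srv.getsockname()[1]


def demo():
    """Grab each constructed banner from a loopback listener; returns name -> first line."""
    results = {}
    for name, banner in SAMPLE_BANNERS.items():
        port = _serve_once(banner)
        results[name] = grab_banner("127.0.0.1", port)
    return results


if __name__ == "__main__":
    for name, line in demo().items():
        print(name, repr(line), parse_ssh_banner(line))
```

Against a real host you would call `grab_banner(host, 22)` directly; if the software field names an appliance rather than OpenSSH, that is a strong hint (as bamed notes later in the thread) that port 22 terminates on the firewall and not on the Windows box.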
ziggy_567

Sr. Member

Posts: 378

Joined: Tue Dec 30, 2008 1:53 pm

Post Mon May 10, 2010 1:47 pm

Re: Pentesting Server

I would also add that if they are serving DNS, SMTP and HTTP from the same host, they are not following the best practice of having a single purpose per server. It is likely that you will find misconfigurations in an environment like this.
--
Ziggy


eCPPT - GSEC - GCIH - GWAPT - GCUX - RHCE - SCSecA - Security+ - Network+
Dengar13

Sr. Member

Posts: 380

Joined: Tue Sep 20, 2005 8:43 am

Location: The Steel City

Post Mon May 10, 2010 2:08 pm

Re: Pentesting Server

This might be a dumb question, but are you testing this internally or externally?  I am assuming externally since you said you found an internal IP address.
A+, Net+, MCP, CEH
MCSE: Security/Messaging
MCSA: Security/Messaging
Former U.S. Marine and damn proud of it!
snortymcsnort

Newbie

Posts: 17

Joined: Fri May 30, 2008 12:00 pm

Post Mon May 10, 2010 3:11 pm

Re: Pentesting Server

If you use the -A option with nmap you may get a better idea of which specific applications/versions are running.
jonas

Newbie

Posts: 46

Joined: Mon Jun 08, 2009 9:04 pm

Post Mon May 10, 2010 3:12 pm

Re: Pentesting Server

Thx for the feedback everybody.. I'll look at it ASAP.   Dengar13, externally.  If I wasn't at school (in another country) I would jump in the car cracking the WEP encryption they are still using, and then it's pretty straightforward =)

I found the internal IP due to a flaw in .asp.  Make that a misconfig...
bamed

Newbie

Posts: 48

Joined: Thu Mar 19, 2009 7:05 pm

Location: Joplin, MO

Post Mon May 10, 2010 3:18 pm

Re: Pentesting Server

If you're scanning externally, there's a chance you aren't directly scanning a Windows server.  It looks like you're actually scanning a firewall appliance, and certain ports are forwarded to internal servers.  So SSH could be the appliance, or an internal server; IIS is on the Windows server, etc.
chown -R bamed ./base
jonas

Newbie

Posts: 46

Joined: Mon Jun 08, 2009 9:04 pm

Post Mon May 10, 2010 3:46 pm

Re: Pentesting Server

Yeah.  Just noticed. SSH port OS guess was 97% Fortigate100-A...  (Which I know is true...) Seems like I'm hitting the firewall..  

Edit: Bamed: That SMTP enumeration, will it fuck anything up?  Looking at the Python script it looks like regular string input, but then, I'm not an expert.
Last edited by jonas on Mon May 10, 2010 3:53 pm, edited 1 time in total.
Xen

Sr. Member

Posts: 386

Joined: Tue Feb 03, 2009 3:59 am

Post Mon May 10, 2010 10:13 pm

Re: Pentesting Server

You don't have to use a script. You can do this manually using the VRFY and EXPN commands. It would be better if you first try the script in your test lab before actually using it on a company machine.
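Xen's advice (try it against a lab box first) and jonas's question about whether the VRFY/EXPN check can break anything, worked through as an added example that is not from the thread or from any poster. The script holds a plain SMTP conversation (EHLO, VRFY for a known and a bogus mailbox, EXPN, QUIT) and reports whether the answers differ, which is what a user-enumeration script relies on; VRFY and EXPN are read-only queries, so the only thing that changes on the server is its log. The "server" here is a constructed loopback listener with two modes, one answering like a permissive MTA and one like a hardened MTA that returns 252 to VRFY and 502 to EXPN, so the whole thing runs offline. The host names, mailbox list and reply texts are made up.

```python
import socket
import threading

# Constructed mailbox list for the mock server (not from any real host).
KNOWN_USERS = {"postmaster", "admin"}


def _mock_smtp(disclose_users):
    """Throwaway loopback SMTP listener; returns its port.

    disclose_users=True answers VRFY/EXPN with 250 for known names and 550
    otherwise (the leaky configuration). False answers 252 to every VRFY and
    502 to EXPN, which is the usual hardened setting (RFC 5321 permits both).
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def session():
        conn, _ = srv.accept()
        f = conn.makefile("rwb", buffering=0)
        f.write(b"220 mail.example.test ESMTP ready\r\n")
        while True:
            line = f.readline()
            if not line:
                break
            verb, _, arg = line.strip().decode(errors="replace").partition(" ")
            verb = verb.upper()
            if verb == "EHLO":
                f.write(b"250 mail.example.test\r\n")
            elif verb in ("VRFY", "EXPN"):
                # A real MTA would log this line; that log is the detection signal.
                if not disclose_users:
                    f.write(b"252 Cannot VRFY user\r\n" if verb == "VRFY"
                            else b"502 Command not implemented\r\n")
                elif arg in KNOWN_USERS:
                    f.write(b"250 <" + arg.encode() + b"@example.test>\r\n")
                else:
                    f.write(b"550 No such user\r\n")
            elif verb == "QUIT":
                f.write(b"221 Bye\r\n")
                break
            else:
                f.write(b"500 Command unrecognised\r\n")
        conn.close()
        srv.close()

    threading.Thread(target=session, daemon=True).start()
    return srv.getsockname()[1]


def _smtp_cmd(f, cmd):
    """Send one command line, return (numeric code, full reply line)."""
    f.write(cmd.encode() + b"\r\n")
    reply = f.readline().decode(errors="replace").strip()
    return int(reply[:3]), reply


def audit_vrfy_expn(host, port, existing="postmaster", bogus="zzz-not-a-user", timeout=3.0):
    """Report whether one SMTP server's VRFY/EXPN replies reveal mailbox existence."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rwb", buffering=0)
        f.readline()  # 220 greeting
        _smtp_cmd(f, "EHLO audit.example.test")
        vrfy_known, _ = _smtp_cmd(f, "VRFY " + existing)
        vrfy_bogus, _ = _smtp_cmd(f, "VRFY " + bogus)
        expn_code, _ = _smtp_cmd(f, "EXPN " + existing)
        _smtp_cmd(f, "QUIT")
    # 252 ("cannot verify, will accept") is the same for every name, so nothing leaks;
    # a 250/251 for a real name next to a different code for a bogus one does.
    leaks = vrfy_known in (250, 251) and vrfy_known != vrfy_bogus
    return {"vrfy_known": vrfy_known, "vrfy_bogus": vrfy_bogus,
            "expn": expn_code, "leaks_users": leaks}


if __name__ == "__main__":
    for label, disclose in (("permissive", True), ("hardened", False)):
        print(label, audit_vrfy_expn("127.0.0.1", _mock_smtp(disclose)))
```

Run against the mock in both modes before pointing it anywhere real; the fix on the server side is the 252/502 behaviour the hardened mode imitates, and the VRFY/EXPN lines in the mail log are what an administrator should be alerting on.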
sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Mon May 10, 2010 10:21 pm

Re: Pentesting Server

jonas wrote: If I wasn't at school (in another country) I would jump in the car cracking the WEP encryption they are still using, and then it's pretty straightforward =)

For starters, you state you go to school but you're pentesting a server for a company in another country. So how would you even know what type of wireless encryption they're using? Sounds pretty fishy if you ask me. Hey, if you can get the work, more power to you, but I can't think of a reputable company that would allow a student to fiddle with production servers.

Secondly, your writing leads me to believe you're very inexperienced. A pentest - remotely - is usually an indication of a grey hat / black hat test, most likely a blackhat since you have no idea what you're targeting (is it Windows or is it Fortinet).

With that said, a blackhat is a blackhat is a blackhat. Brute forcing would be the optimal way to go on THAT machine. There are alternative mechanisms to allow for non-noisy brute forcing with timing variables. Chances are (I would hope), whoever configured the Fortinet configured it to solely allow trusted sites to SSH in, so unless you can even ATTEMPT ONCE to log in, you're SOL.

In that case I would... Not go further into telling you what I would do because as stated, some things in your initial post just don't add up.
jonas

Newbie

Posts: 46

Joined: Mon Jun 08, 2009 9:04 pm

Post Tue May 11, 2010 8:19 am

Re: Pentesting Server

I don't even know why I bother..  But for starters, I'm from Norway, but I moved abroad 1 year ago to study, hence the company is in another country -> Norway.  And you think I magically know what wireless encryption they are using? No, I've been there with the IT consultant in charge, whom I did some work for setting up SMB networks.  "Fiddling" with production servers is up until now just information gathering, so please get over it.  I'm asking on this forum to learn, not to get criticized.  If everybody were experts you wouldn't need a forum.  I'm just looking for constructive criticism to learn, that's all.  And yeah, I am allowed to establish an SSH connection and try to log in.

If I wanted to do some shit, I'd steal a car...

Edit: And yes, I was allowed just for education purposes as stated earlier. I'll remember to ask for a contract next time and send it to you with their signature.
Last edited by jonas on Tue May 11, 2010 8:53 am, edited 1 time in total.
caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Tue May 11, 2010 8:54 am

Re: Pentesting Server

Me, I believe you jonas.

But if you start reading the other threads, you will see that many newcomers are trying to get help on how to do bad stuff and no one here wants to be part of that...

That being said, have fun and brute force these services!  ;)
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)