Discovering Services without Portscanning

ryan.cartner

Newbie

Posts: 20

Joined: Tue Aug 15, 2006 12:26 pm

Post Tue Sep 19, 2006 2:13 pm

Discovering Services without Portscanning

Port scanning is obviously the most common approach for determining what service daemons exist on a host, but it isn't the only way. An IDS that detects portscans might be a helpful tool to give an admin a heads-up in SOME scenarios, but depending on a hacker to portscan is like picking low-hanging fruit.

As researchers, we should be aware of all possible avenues for an attacker to accomplish a goal.

So how else might an attacker enumerate which service ports are available on a remote server?

If SNMP is available and the community strings are default/guessable, often this can provide an interface for listing listening ports. This is interesting because we can often retrieve the entire TCP connection table (including all established connections/listening ports) using only SNMP. This could allow an attacker to glean even MORE information than a portscan would if there was a firewall in place.

Another way would be through a zone transfer. Often times DNS names clearly indicate a service. If zone transfers aren't disallowed to the attacker, this could be a useful feature:

  Code:
S:\>nslookup
Default Server: ns
Address:  10.81.1.12

> set type=ns
> learnsecurityonline.com
Server:  ns
Address:  10.81.1.12

Non-authoritative answer:
learnsecurityonline.com nameserver = ns10.dynamichosting.biz
learnsecurityonline.com nameserver = ns11.dynamichosting.biz

ns10.dynamichosting.biz internet address = 216.83.6.33
ns11.dynamichosting.biz internet address = 216.83.31.25
> server ns10.dynamichosting.biz
Default Server:  ns10.dynamichosting.biz
Address:  216.83.6.33

> set type=any
> ls -d learnsecurityonline.com
[ns10.dynamichosting.biz]
...
 learnsecurityonline.com.       A      216.83.24.173
 ftp                            A      216.83.24.173
 mail                           A      216.83.24.173
 webmail                        A      216.83.24.173
 www                            A      216.83.24.173
...
>


These are only a few. Can anyone else think of uncommon methods for accomplishing common hacker tasks? portscanning or otherwise?
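To make the SNMP point concrete, here is an added example (not part of the original post) that parses the output of a `snmpwalk` over TCP-MIB's tcpConnState column (tcpConnTable, OID 1.3.6.1.2.1.6.13) and lists what a readable community string exposes: listening sockets, including loopback-only ones no remote portscan would see, and the established peers per port. The sample walk output is constructed; run it against a walk of your own hosts to audit what a default community leaks.

```python
import re
from collections import namedtuple

# Constructed sample of `snmpwalk -v2c -c public <host> tcpConnState` output.
# The tcpConnTable index is localAddr(4 octets).localPort.remoteAddr(4 octets).remotePort;
# rows in listen state have a zero remote address/port.
SAMPLE_WALK = """\
TCP-MIB::tcpConnState.0.0.0.0.22.0.0.0.0.0 = INTEGER: listen(2)
TCP-MIB::tcpConnState.0.0.0.0.80.0.0.0.0.0 = INTEGER: listen(2)
TCP-MIB::tcpConnState.10.81.1.50.22.10.81.1.12.51234 = INTEGER: established(5)
TCP-MIB::tcpConnState.10.81.1.50.3306.10.81.1.77.40210 = INTEGER: established(5)
TCP-MIB::tcpConnState.127.0.0.1.3306.0.0.0.0.0 = INTEGER: listen(2)
TCP-MIB::tcpConnState.10.81.1.50.80.10.81.1.90.33001 = INTEGER: timeWait(11)
"""

LINE_RE = re.compile(
    r"tcpConnState\."
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+)\."   # local address, local port
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+)"     # remote address, remote port
    r"\s*=\s*INTEGER:\s*(\w+)\((\d+)\)"  # state name and numeric value
)

Conn = namedtuple("Conn", "local_addr local_port remote_addr remote_port state")

def parse_tcp_conn_table(text):
    """Turn snmpwalk text into Conn records; non-matching lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        la, lp, ra, rp, state, _ = m.groups()
        conns.append(Conn(la, int(lp), ra, int(rp), state))
    return conns

def listening_ports(conns):
    """(port, bound address) pairs in LISTEN state. 0.0.0.0 means every
    interface; 127.0.0.1 is loopback-only, invisible to a remote scan
    but still reported by the agent."""
    return sorted({(c.local_port, c.local_addr) for c in conns if c.state == "listen"})

def established_peers(conns):
    """Remote hosts currently connected, grouped by local port."""
    peers = {}
    for c in conns:
        if c.state == "established":
            peers.setdefault(c.local_port, set()).add(c.remote_addr)
    return peers

if __name__ == "__main__":
    table = parse_tcp_conn_table(SAMPLE_WALK)
    print("listening:", listening_ports(table))
    print("established:", established_peers(table))
```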
Negrita

Sr. Member

Posts: 299

Joined: Sat Sep 10, 2005 5:45 pm

Location: /dev/null

Post Tue Sep 19, 2006 2:45 pm

Re: Discovering Services without Portscanning

I don't think that DNS records could be used in this situation. Just because there is a DNS record and also because the appropriate port is open, doesn't mean that the server is up and running. I know this for a fact from my work experience.

The best way to determine the service is to telnet to it. This will usually also give you a banner with the type of service running, i.e. Apache webserver or Microsoft Exchange etc.

Another way would be to use vulnerability scanners like Nessus.
CEH, CCSA NG/AI, NNCSS, MCP, MCSA 2003

There are 10 kinds of people, those that understand binary, and those that don't.
LSOChris

Post Tue Sep 19, 2006 3:12 pm

Re: Discovering Services without Portscanning

I guess I appreciate you using LSO as an example :- ???

A real "old school zone transfer" would have shown the mappings to our internal and external facing boxes. What you put would be necessary for normal functioning of those services...
skel

Jr. Member

Posts: 60

Joined: Wed Aug 30, 2006 11:31 am

Post Wed Sep 20, 2006 4:16 am

Re: Discovering Services without Portscanning

Well, if you are on a LAN, a sniffer will tell you which servers are running which applications, as long as somebody in that VLAN/switch communicates.
Skel
ryan.cartner

Newbie

Posts: 20

Joined: Tue Aug 15, 2006 12:26 pm

Post Wed Sep 20, 2006 10:39 am

Re: Discovering Services without Portscanning

I should have indicated 2 things: first, that allowing zone transfers doesn't necessarily indicate bad security (for instance, in the LSO example nothing is being displayed that wouldn't be available normally), and second, that these alternative methods sometimes produce false positives, as Negrita indicated; however, they do still give an indication of certain probabilities.
