please shed some light

<<

Triban

Hero Member

Posts: 620

Joined: Fri Feb 19, 2010 4:17 pm

Post Thu Jul 26, 2012 7:26 pm

Re: please shed some light

OK, sometimes an open port is just an open port to an open service. But you won't know unless you take a look. So port 80 is up; well, that's a website most likely. Check it out. Maybe throw the IP into a whois (not for a private range, but if you were scanning a public range). See if it goes back to a site, maybe see if any other records are registered to that same IP. Now, as for finding ports like 21 or 22 open... well, both of these are some form of remote access. They could be a direct way into the environment and may be pretty open.

Port 21, FTP. Hmmm, do they accept anonymous access? If so, what can I see as an anonymous user when I connect?

Port 22, SSH. Can it be brute-forced? Were there any possible hints to usernames on the website? Maybe some email addresses? Maybe those recipient names are the same as network user IDs? Hmmm, write those down for later. That is where hydra will come in. Once I get into SSH, do I have elevated privileges? Can I sudo up? Can I find some interesting files that may lead me to root?

Many people believe root is the key to the pen test, but actually root just helps you get further in.  Your ultimate goal is to show you were able to retrieve and exfiltrate critical data such as PHI, PII, PCI, IP or other types of juicy data.

Now back to the accessible websites: you can go further than just recon. You can spider the site (with a tool like Burp Suite, or manually) to look for possibly vulnerable sections. Is it vulnerable to cross-site scripting or SQLi? Is the site running on IIS or Apache? Any other types of plug-ins or third-party apps running on the site? Basically, can I use the site as a jump point or a way to get more user information?

OK, think I gave you a good amount to work with.  Good luck!!
Certs: GCWN
(@)Dewser
<<

LT72884

Jr. Member

Posts: 99

Joined: Thu Oct 15, 2009 3:11 pm

Location: Utah

Post Fri Jul 27, 2012 12:02 pm

Re: please shed some light

Thanks for that reply. It provides some awesome info, especially about the FTP. I forgot about the ability to log into that as an unclaimed user.

OK, so I tried to use the Hackerdemia live CD to learn hydra, but even the new live CD of Hackerdemia is still missing the hydra tutorial. Is there a fix for that coming soon?

Some of the other stuff you mentioned I am unfamiliar with, such as the SQL injection stuff. I have never used SQL. I think I need to finish the HPTF course (Thomas Wilhelm's course) first, haha, before moving into more complicated stuff.

FYI, in case you're not sure what I mean by the HPTF course: Thomas Wilhelm has made courses to teach this stuff using De-ICE. I started last night. I found my DVD from his book that has the ISSAF course.

Anyway, back to the topic. I was along the same line of thinking, that an open port is just an open port. But ones such as SSH or FTP mean that a user can log in. BUT I do not have the username or password. I assume my goal is to find a stupid mistake by someone (not stupid, but illogical) and that may give me a password.

I'm not sure how much can be done on the level 1 disk, but I hope I can find the company picnic pictures. I want to see them getting attacked. Haha. But the other interesting thing on the site:

"We hope that Marie M. has a speedy recovery - flowers and cards can be sent to the North Annex of "Our Lady of Unfortunate Demise, Hospital and Backhoe Rental". We will post pictures of the picnic soon, so check back later"

I see the backhoe rental hint and wonder if I can grab people's financial data from the rental records, IF the backhoe page does exist. Is there a way to see what other web pages they may have? I.e., a site map, so I can see what other pages they have.

I'll do some more digging, but I'm not sure what has been thought of in the level 1 disk, so I'm not too sure what can be done and what can't.

Thanks for the help. Time to make a list of names and find that dang Hackerdemia live CD tutorial.

EDIT: Well, I guess emailing the names from Gmail ain't a good idea. I was guessing that it would come back as a bad address, BUT I was hoping the email address adamsa@herot.net actually worked and that I might be able to get a reply from it. Nope. Oh well.
Last edited by LT72884 on Fri Jul 27, 2012 12:08 pm, edited 1 time in total.
<<

shadowzero

Full Member

Posts: 120

Joined: Sat Jun 02, 2012 10:03 pm

Post Fri Jul 27, 2012 2:41 pm

Re: please shed some light

If you need a tutorial for hydra, you don't have to depend on the course material to provide it, just look for it on Google. It's a well known program and there are plenty of tutorials out there. You can even test it on one of your own machines to get familiar with it.

Open ports like ftp don't necessarily mean that there are weak passwords. It could also be a service that's vulnerable to an exploit. If you're looking for usernames, you typically need a list of employee names and you can generate your list of usernames from there.

If you're interested in looking for hidden files or directories on the webserver, you can use dirb and DirBuster. You give them a wordlist and they'll start probing the server and let you know if they find anything. Nikto is another great tool for identifying vulnerabilities and interesting files on a webserver.
<<
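Putting together what Triban and shadowzero describe above (spider the site, note any e-mail addresses, then turn employee names into a username list for a brute-force tool such as hydra or ncrack), here is an added Python example written for this thread. It is not code from the De-ICE labs, the course DVD, or any of the posters. The site content is a constructed in-memory stand-in for real HTTP fetches so the script runs offline; the fetch function, the scheme labels and every name and address other than adamsa@herot.net are my own assumptions.

```python
"""Spider a site, harvest e-mail addresses, infer the username scheme
and emit candidates for a -L/-U wordlist. Added example for this thread;
network access is replaced by the constructed SITE dictionary."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample site (path -> HTML). Only adamsa@herot.net comes
# from the thread; the other people and pages are invented.
SITE = {
    "/": '<a href="/about.html">About</a> <a href="news.html">News</a> '
         '<a href="http://other.invalid/x">Partner</a>',
    "/about.html": '<p>Adam Adams, adamsa@herot.net</p><a href="/">Home</a>',
    "/news.html": '<p>Marie M. is out; picnic photos soon.</p>'
                  '<a href="/backhoe.html">Backhoe rental</a>',
    "/backhoe.html": '<p>Rentals desk: Bob Banter (banterb@herot.net)</p>',
}
BASE = "http://herot.net"


def fetch(url):
    """Stand-in for an HTTP GET: page body, or None for a 404."""
    return SITE.get(urlparse(url).path or "/")


class LinkParser(HTMLParser):
    """Collects every href from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def crawl(start, fetch=fetch, limit=200):
    """Breadth-first spider restricted to the start host.
    Returns (sorted list of paths seen, concatenated page text)."""
    host = urlparse(start).netloc
    queue, seen, text = [start], set(), []
    while queue and len(seen) < limit:
        url = queue.pop(0)
        path = urlparse(url).path or "/"
        if path in seen:
            continue
        seen.add(path)
        body = fetch(url)
        if body is None:
            continue
        text.append(body)
        parser = LinkParser()
        parser.feed(body)
        for href in parser.links:
            target = urljoin(url, href)
            if urlparse(target).netloc == host:   # stay in scope
                queue.append(target)
    return sorted(seen), "\n".join(text)


EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def harvest_emails(text):
    return sorted({m.lower() for m in EMAIL_RE.findall(text)})


# Common corporate username schemes (labels are my own).
SCHEMES = {
    "first.last": lambda f, l: f"{f}.{l}",
    "flast":      lambda f, l: f"{f[0]}{l}",
    "lastf":      lambda f, l: f"{l}{f[0]}",
    "first":      lambda f, l: f,
    "last":       lambda f, l: l,
}


def infer_scheme(emails, names):
    """Scheme whose output matches the most harvested local-parts,
    or None when nothing matches."""
    local_parts = {e.split("@")[0] for e in emails}
    best, best_hits = None, 0
    for label, fn in SCHEMES.items():
        hits = sum(fn(f.lower(), l.lower()) in local_parts for f, l in names)
        if hits > best_hits:
            best, best_hits = label, hits
    return best


def usernames(names, scheme=None):
    """Candidate usernames, one per list entry. With a known scheme only
    that form is produced; otherwise every scheme is tried."""
    labels = [scheme] if scheme else list(SCHEMES)
    out = []
    for f, l in names:
        for label in labels:
            u = SCHEMES[label](f.lower(), l.lower())
            if u not in out:
                out.append(u)
    return out


if __name__ == "__main__":
    paths, text = crawl(BASE + "/")
    emails = harvest_emails(text)
    names = [("Adam", "Adams"), ("Marie", "Mary"), ("Bob", "Banter")]
    scheme = infer_scheme(emails, names)
    print("site map:", paths)
    print("emails:", emails)
    print("scheme:", scheme, "->", usernames(names, scheme))
```

Write the resulting list to a file and hand it to hydra's -L or ncrack's -U option; the point of inferring the scheme first is that one confirmed address (adamsa) collapses five candidates per person down to one, which matters when every failed login shows up in the target's logs.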

Triban

Hero Member

Posts: 620

Joined: Fri Feb 19, 2010 4:17 pm

Post Sun Jul 29, 2012 6:47 am

Re: please shed some light

Any emails you find in those built in sites are probably not active but may be worth noting for another use.  Like... I dunno, creating a username list for a potential brute-force attack on some open service port that allows logons. ;) 

And Shadow makes a good point. You are not limited to using only the tools provided on the DVD; some of the material is old and has not been maintained. In fact, the author has moved most of the material to HackingDojo, I believe. So the further into the book you go, the more you may need to hunt down tools to assist you. One version of BT I had didn't have any of the wordlists for Hydra to use, so I had to hunt them down from the net. Found a number of even more useful lists as well.

Also, go Google SQLi and do a quick read on it to understand it. It is certainly worth knowing about, since it has been used in a number of high-profile breaches. LulzSec and Anonymous used it for many of their attacks.
Certs: GCWN
(@)Dewser
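For the SQLi question raised earlier in the thread and the reading Triban recommends here, this is an added Python example (written for this thread, not code from De-ICE, the course or any poster) showing the bug in its simplest form: a login check that pastes user input into the SQL string, beside the parameterised version, both run against an in-memory SQLite table. The table, user name and password are constructed for the demo.

```python
"""Vulnerable vs. parameterised login query, on an in-memory SQLite DB.
Added example for this thread; the users table is constructed."""
import sqlite3


def setup():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    con.execute("INSERT INTO users VALUES ('adamsa', 'S3cret!')")  # constructed
    return con


def login_vulnerable(con, user, pw):
    """Query built by string formatting: a quote in either field
    becomes part of the SQL, so the attacker rewrites the WHERE clause."""
    sql = f"SELECT name FROM users WHERE name = '{user}' AND pw = '{pw}'"
    return con.execute(sql).fetchone() is not None


def login_safe(con, user, pw):
    """Placeholders hand the values to the driver as data, never as SQL."""
    sql = "SELECT name FROM users WHERE name = ? AND pw = ?"
    return con.execute(sql, (user, pw)).fetchone() is not None


if __name__ == "__main__":
    con = setup()
    print(login_vulnerable(con, "adamsa", "S3cret!"))        # legitimate login
    print(login_vulnerable(con, "x", "' OR '1'='1"))         # tautology in pw
    print(login_vulnerable(con, "adamsa'--", "wrong"))       # comment out pw check
    print(login_safe(con, "x", "' OR '1'='1"))               # rejected
    print(login_safe(con, "adamsa'--", "wrong"))             # rejected
```

The two payloads are the ones to try first by hand in a login form: the tautology `' OR '1'='1` makes the WHERE clause always true, and `adamsa'--` closes the quote and comments out the password comparison entirely. In the safe version both strings are just an (unknown) user name, because the database never parses them as SQL.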
<<

cyber.spirit

Sr. Member

Posts: 356

Joined: Sun Feb 26, 2012 8:07 am

Location: in your heart!

Post Sun Jul 29, 2012 4:44 pm

Re: please shed some light

For the FTP service, try to crack the user and password with ncrack. In BackTrack, open the terminal and type:
ncrack -v --user (user) (target ip address):(port, which is 21 in this case)
ICS Academy Network Security Certified
<<

LT72884

Jr. Member

Posts: 99

Joined: Thu Oct 15, 2009 3:11 pm

Location: Utah

Post Mon Jul 30, 2012 12:36 pm

Re: please shed some light

cyber.spirit wrote: For the FTP service, try to crack the user and password with ncrack. In BackTrack, open the terminal and type:
ncrack -v --user (user) (target ip address):(port, which is 21 in this case)


Ah, thank you. I will read up on ncrack to see what the switches are doing. Does ncrack actually crack the password, sort of like hydra?

Thanks, guys. Here is how I am doing this project. I hope you don't mind me telling you, but I want to let you know my method of doing things just in case someone can benefit from it. Plus, you have answered my questions and I feel that I need to make sure your info is put to good use.

My plan of attack:
Watch the videos from the DVD course I purchased from Thomas and take notes.
Take notes on the slides from the movie.
Document my notes from the movie and slides in a Word file.
Read the required pages he has posted in the course, ISSAF 0.2.1.b (13-61, 87-169).
Highlight the ISSAF reading and document the highlighted sections.
Then, for any tools he/ethicalhacker.net discusses, write small one-paragraph summaries of what I find and what they do to each device, including timestamps.
Take screenshots (if I remember).
Follow the examples Thomas and you guys show me for De-ICE and document those examples in my Word file.
Take all the documentation, including summaries of the ISSAF reading notes, and create a technical report that I can give to someone for review.

That's my course plan. Haha.

thanks guys.
<<

cyber.spirit

Sr. Member

Posts: 356

Joined: Sun Feb 26, 2012 8:07 am

Location: in your heart!

Post Tue Jul 31, 2012 1:30 pm

Re: please shed some light

Hi, I'm really, really happy that my info was helpful for someone.

Ncrack is not a complete password cracker; actually, it's a credential finder. Hydra and Brutus are advanced password crackers; you can perform brute-force attacks and so on.

But ncrack is so fast. The first step is finding a valid username; you can't perform password cracking without it, no matter whether you use ncrack or hydra. And sometimes password cracking can't help you; in these cases you must exploit the machine.
Last edited by cyber.spirit on Tue Jul 31, 2012 1:32 pm, edited 1 time in total.
ICS Academy Network Security Certified
<<

cyber.spirit

Sr. Member

Posts: 356

Joined: Sun Feb 26, 2012 8:07 am

Location: in your heart!

Post Tue Jul 31, 2012 1:35 pm

Re: please shed some light

And the Pro Penetration Test: Creating and Operating a Formal Hacking Lab DVD is great. Go further and further, man, and don't skip practice. Take care.
ICS Academy Network Security Certified
<<

shadowzero

Full Member

Posts: 120

Joined: Sat Jun 02, 2012 10:03 pm

Post Tue Jul 31, 2012 3:14 pm

Re: please shed some light

Here's a good comparison of ncrack, medusa, and hydra: http://hackertarget.com/brute-forcing-p ... nd-medusa/

You'll find that hydra supports the largest number of protocols. I suggest playing with all three. There are many tools that can do the same thing, but sometimes, one just does it better.
<<

cyber.spirit

Sr. Member

Posts: 356

Joined: Sun Feb 26, 2012 8:07 am

Location: in your heart!

Post Tue Jul 31, 2012 3:28 pm

Re: please shed some light

Yeah, shadowzero, I agree that hydra is more advanced and better, and I said that before too, but ncrack is not bad; besides, it's very fast.
ICS Academy Network Security Certified
<<

LT72884

Jr. Member

Posts: 99

Joined: Thu Oct 15, 2009 3:11 pm

Location: Utah

Post Wed Aug 01, 2012 2:07 pm

Re: please shed some light

cyber.spirit wrote: And the Pro Penetration Test: Creating and Operating a Formal Hacking Lab DVD is great. Go further and further, man, and don't skip practice. Take care.


Awesome. I am hoping the courses on the DVD are going to help me complete at least level one. I tried reading the book first but got lost in some of the material for the actual pen test when he starts using other things. I then realized the book is not what walks you through the De-ICE scenes; it's the DVD. The book is just extra info that can be used to supplement the DVD course. So I am doing the DVD courses first and then reading the book to get the more in-depth info.

@shadowzero, thanks for the link to the comparison. I will read up on those, and once I'm in a state of understanding them, I will use them.

Last-minute question: I notice in the DVD lectures Thomas always says to practice against De-ICE 1.101. I do not and cannot find De-ICE 1.101. I can find 1.110 but not 1.101.

thanks
<<

shadowzero

Full Member

Posts: 120

Joined: Sat Jun 02, 2012 10:03 pm

Post Wed Aug 01, 2012 2:53 pm

Re: please shed some light

LT72884 wrote: Last-minute question: I notice in the DVD lectures Thomas always says to practice against De-ICE 1.101. I do not and cannot find De-ICE 1.101. I can find 1.110 but not 1.101.


Not sure about that... maybe he's referring to an older release of 1.110, or just recorded it wrong.
<<

LT72884

Jr. Member

Posts: 99

Joined: Thu Oct 15, 2009 3:11 pm

Location: Utah

Post Wed Aug 01, 2012 4:36 pm

Re: please shed some light

shadowzero wrote:
LT72884 wrote: Last-minute question: I notice in the DVD lectures Thomas always says to practice against De-ICE 1.101. I do not and cannot find De-ICE 1.101. I can find 1.110 but not 1.101.


Not sure about that... maybe he's referring to an older release of 1.110, or just recorded it wrong.


That's what I was thinking; I just wanted to make sure. He does say 1.101 multiple times, so it must be an older version then. Haha. Hopefully what I can do to 1.100, I can do to 1.110.

but i will find out.

thanks
<<

Triban

Hero Member

Posts: 620

Joined: Fri Feb 19, 2010 4:17 pm

Post Thu Aug 02, 2012 2:59 pm

Re: please shed some light

If memory serves, there was a 101.1. I have the labs at home and can take a peek later on. There are some things that may no longer be valid since he has moved some of his material to HackingDojo.
Certs: GCWN
(@)Dewser
<<

LT72884

Jr. Member

Posts: 99

Joined: Thu Oct 15, 2009 3:11 pm

Location: Utah

Post Thu Aug 02, 2012 3:25 pm

Re: please shed some light

3xban wrote: If memory serves, there was a 101.1. I have the labs at home and can take a peek later on. There are some things that may no longer be valid since he has moved some of his material to HackingDojo.


Awesome. Yeah, some things must have changed, because in the video his nmap scan of 1.100 shows port 25 open. Mine is closed. He creates a telnet session to port 25 to grab banners. Haha.

thanks
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software