14.2 Accessible Network Service Identification

After identifying accessible TCP and UDP network services with nmap (which also performs IP and service fingerprinting), you must perform analysis and further identification of complex network services. The five services I want to examine at this point in the example are:

  • The Telnet service running on the Cisco router (192.168.10.1)

  • The SSH and SMTP services running on the Sun mail server (192.168.10.10)

  • The HTTP and HTTPS services running on the Windows 2000 web server (192.168.10.25)

The SNMP and NTP services that are accessible via UDP on the Cisco router don't require further investigation, as they use a connectionless protocol.

14.2.1 Initial Telnet Service Assessment

nmap has already identified the router at 192.168.10.1 as running Cisco IOS 12.2.8. Example 14-9 shows how to obtain insight into the authentication mechanism in use and brute-force options by connecting to the accessible Telnet service.

Example 14-9. Connecting to the Cisco IOS Telnet service
# telnet 192.168.10.1
Trying 192.168.10.1...
Connected to 192.168.10.1.
Escape character is '^]'.

User Access Verification

Password:

The Telnet service requires a password only for authentication purposes. Many enterprise Cisco IOS routers also require a valid username, which increases authentication security and resilience from remote attack.

14.2.2 Initial SSH Service Assessment

In the same way I connected to the Cisco router Telnet service in Example 14-9, I use telnet to connect to the SSH service at 192.168.10.10 and obtain the banner. I then use an SSH client to ensure that I can connect to the service correctly, as shown in Example 14-10.

Example 14-10. Using telnet and ssh clients to interact with the SSH service
# telnet 192.168.10.10 22
Trying 192.168.10.10...
Connected to 192.168.10.10.
Escape character is '^]'.
SSH-2.0-OpenSSH_3.1p1
Protocol mismatch.
Connection closed by foreign host.
# ssh root@192.168.10.10
The authenticity of host '192.168.10.10' can't be established.
RSA key fingerprint is 77:e1:ba:42:8e:5a:10:86:41:4a:ad:4c:16:47.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.10.10' (RSA) to the list of known hosts.
root@192.168.10.10's password:

As reported previously by nmap, OpenSSH 3.1p1 is running, using the SSH 2.0 protocol. I can connect to the service and log in if I know a valid username and password combination.

14.2.3 Initial SMTP Service Assessment

nmap identified the SMTP mail service at 192.168.10.10 as Sendmail 8.11.6. I use telnet to connect to the service, and issue a HELP command to validate the nmap result, as shown in Example 14-11.

Example 14-11. Positively identifying the Sendmail service
# telnet 192.168.10.10 25
Trying 192.168.10.10...
Connected to 192.168.10.10.
Escape character is '^]'.
220 mail ESMTP Sendmail 8.11.6+Sun/8.11.6; Thu, 20 Nov 2003 17:11:14 -0500 (EST)
HELO world
250 mail Hello hacker [10.0.0.10], pleased to meet you
HELP
214-2.0.0 This is sendmail version 8.11.6+Sun
214-2.0.0 Topics:
214-2.0.0       HELO    EHLO    MAIL    RCPT    DATA
214-2.0.0       RSET    NOOP    QUIT    HELP    VRFY
214-2.0.0       EXPN    VERB    ETRN    DSN
214-2.0.0 For more info use "HELP <topic>".
214-2.0.0 To report bugs in the implementation contact Sun Microsystems
214-2.0.0 Technical Support.
214-2.0.0 For local information send email to Postmaster at your site.
214 2.0.0 End of HELP info

Sendmail 8.11.6 is bundled out of the box with Solaris 8, confirming the IP fingerprint result from nmap previously. A useful piece of information obtained in Example 14-11 is the hostname of the server; with it, RPC overflow attacks that require the cache name of the remote host can be performed (see Chapter 12).

After positively identifying the service as Sendmail, I can test resilience from VRFY, EXPN, and RCPT TO: user enumeration attacks, as shown in Example 14-12.

Example 14-12. Sendmail user enumeration
# telnet 192.168.10.10 25
Trying 192.168.10.10...
Connected to 192.168.10.10.
Escape character is '^]'.
220 mail ESMTP Sendmail 8.11.6+Sun/8.11.6; Thu, 20 Nov 2003 17:13:26 -0500 (EST)
HELO world
250 mail Hello hacker [10.0.0.10], pleased to meet you
EXPN test
502 Sorry, we do not allow this operation
VRFY test
502 Sorry, we do not allow this operation
MAIL FROM:<test@test.org>
250 2.1.0 <test@test.org>... Sender ok
RCPT TO: root
250 2.1.5 root... Recipient ok
RCPT TO: blahblah
550 5.1.1 blahblah... User unknown

The EXPN and VRFY features are disabled, but RCPT TO: allows local users to be easily enumerated. Later in the test, we will launch brute-force username grinding against this component.
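The same three checks can be run as a repeatable audit, which is handy for verifying that a mail relay you operate does not act as a user-enumeration oracle. The script below is an added example and is not code from the book: reply codes are compared between a local user that should exist and one that should not, the FakeSendmail class is a constructed stand-in that replies as 192.168.10.10 did in Example 14-12, and socket_callables is an assumed helper for running the identical dialogue against a live host.

```python
import socket

def reply_code(reply):
    """Return the three-digit SMTP reply code at the start of a response line."""
    return int(reply[:3])

def audit_smtp_enumeration(send, recv, known="root", bogus="blahblah"):
    """Drive one SMTP dialogue through send(str)/recv()->str callables and report
    which user-enumeration vectors are open. A vector is open when the reply code
    differs between an existing and a non-existent local user (250 vs 550 for
    RCPT TO in Example 14-12); a blanket 502 for both, as with EXPN/VRFY, is closed."""
    recv()                                  # 220 greeting banner
    send("HELO world\r\n"); recv()
    result = {}
    for verb in ("EXPN", "VRFY"):
        send(f"{verb} {known}\r\n"); a = reply_code(recv())
        send(f"{verb} {bogus}\r\n"); b = reply_code(recv())
        result[verb] = a != b
    send("MAIL FROM:<test@test.org>\r\n"); recv()
    send(f"RCPT TO: {known}\r\n"); a = reply_code(recv())
    send(f"RCPT TO: {bogus}\r\n"); b = reply_code(recv())
    result["RCPT TO"] = a != b
    send("QUIT\r\n")
    return result

def socket_callables(host, port=25, timeout=10):
    """Assumed helper: wrap a live TCP connection as the send/recv pair above."""
    s = socket.create_connection((host, port), timeout=timeout)
    f = s.makefile("rw", encoding="ascii", newline="")   # no newline translation
    def send(line):
        f.write(line); f.flush()
    return send, f.readline

class FakeSendmail:
    """Constructed stand-in that replies exactly as 192.168.10.10 did in
    Example 14-12, so the audit can be exercised offline."""
    def __init__(self):
        self.replies = ["220 mail ESMTP Sendmail 8.11.6+Sun/8.11.6\r\n"]
    def send(self, line):
        verb, _, arg = line.strip().partition(" ")
        if verb in ("EXPN", "VRFY"):
            self.replies.append("502 Sorry, we do not allow this operation\r\n")
        elif verb == "RCPT":
            user = arg.partition(":")[2].strip()
            self.replies.append(f"250 2.1.5 {user}... Recipient ok\r\n" if user == "root"
                                else f"550 5.1.1 {user}... User unknown\r\n")
        elif verb != "QUIT":
            self.replies.append("250 mail Hello hacker [10.0.0.10], pleased to meet you\r\n")
    def recv(self):
        return self.replies.pop(0)
```

Against the constructed server, `audit_smtp_enumeration(fake.send, fake.recv)` reports EXPN and VRFY closed and RCPT TO open, matching the conclusion drawn from Example 14-12.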

14.2.4 Initial Web Service Assessment

The full nmap TCP port scan identified the web service running on port 80 of 192.168.10.25 as Microsoft IIS 5.0. Initial assessment of Microsoft IIS web services is required to identify enabled components (see Chapter 6).

In particular, IIS 5.0 can be commonly found running the following subsystems:

  • Default ISAPI extensions (.printer, .ida, .idq, .shtml, .htr, .htw, etc.)

  • FrontPage Server Extensions

  • Outlook Web Access (OWA)

  • WebDAV

  • ASP.NET

Details of remote server support for these subsystems are obtained by testing for ISAPI extensions (requesting /test.printer, /test.ida, /test.idq, etc.), identifying FrontPage components (using an automated scanner such as nikto or N-Stealth), checking for OWA instances (usually accessible through /exchange, /owa, /webmail, or /mail), and analyzing HTTP OPTIONS responses for WebDAV methods (such as SEARCH and PROPFIND) and ASP.NET support details.

Example 14-13 shows HTTP HEAD and OPTIONS methods being used to obtain details from the web server. In particular, I gain insight into the complexity and customization of the service, and details of supported HTTP methods.

Example 14-13. Issuing HTTP HEAD and OPTIONS requests
# telnet 192.168.10.25 80
Trying 192.168.10.25...
Connected to 192.168.10.25.
Escape character is '^]'.
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Mon, 24 Nov 2003 22:33:19 GMT
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Content-Type: text/html
Accept-Ranges: bytes
Last-Modified: Tue, 23 Sep 2003 17:32:24 GMT
ETag: "bc3799a6f881c31:ac4"
Content-Length: 627

Connection closed by foreign host.
# telnet 192.168.10.25 80
Trying 192.168.10.25...
Connected to 192.168.10.25.
Escape character is '^]'.
OPTIONS / HTTP/1.0

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Mon, 24 Nov 2003 22:33:43 GMT
MS-Author-Via: MS-FP/4.0,DAV
Content-Length: 0
Accept-Ranges: none
DASL: <DAV:sql>
DAV: 1, 2
Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
Allow: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
Cache-Control: private

Connection closed by foreign host.

I find that the server is indeed running IIS 5.0, and has ASP.NET support (from the X-Powered-By: field), along with WebDAV (due to SEARCH and PROPFIND method support), and probably FrontPage Server Extensions (from the MS-Author-Via: field).
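The inference just described can be made mechanically, which is also a quick way for an administrator to confirm what a server advertises after hardening. The following is an added example, not code from the book: it parses raw HEAD and OPTIONS responses of the kind captured in Example 14-13, derives the subsystem picture from the same header clues, and lists the methods allowed on the resource that a public site would not normally be expected to expose. The two sample responses are constructed from the headers shown above.

```python
def parse_response(raw):
    """Split a raw HTTP response into (status_code, headers). Header names
    are lower-cased and repeated headers are joined with commas."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name = name.strip().lower()
        headers[name] = (headers[name] + ", " if name in headers else "") + value.strip()
    return status, headers

def method_set(headers, name):
    """Turn a comma-separated method header (Public, Allow) into an upper-case set."""
    return {m.strip().upper() for m in headers.get(name, "").split(",") if m.strip()}

def profile_iis(head_raw, options_raw):
    """Infer enabled subsystems from a HEAD and an OPTIONS response, using the
    header clues of Example 14-13, and flag write-capable methods (plus TRACE,
    which echoes the request back) that the Allow header permits on the resource."""
    _, h = parse_response(head_raw)
    _, o = parse_response(options_raw)
    supported = method_set(o, "public") | method_set(o, "allow")
    allowed = method_set(o, "allow")
    return {
        "server": h.get("server") or o.get("server"),
        "aspnet": "asp.net" in h.get("x-powered-by", "").lower(),
        "aspnet_version": h.get("x-aspnet-version"),
        "webdav": "dav" in o or bool({"PROPFIND", "SEARCH"} & supported),
        "frontpage": "ms-fp" in o.get("ms-author-via", "").lower(),
        "risky_methods": sorted(
            {"PUT", "DELETE", "TRACE", "COPY", "MOVE", "MKCOL", "PROPPATCH"} & allowed),
    }

# Constructed samples reproducing the headers returned by 192.168.10.25
# in Example 14-13 (Date and caching headers omitted for brevity).
HEAD_SAMPLE = ("HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\n"
               "X-Powered-By: ASP.NET\r\nX-AspNet-Version: 1.1.4322\r\n"
               "Content-Type: text/html\r\nContent-Length: 627\r\n\r\n")
OPTIONS_SAMPLE = ("HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\n"
                  "MS-Author-Via: MS-FP/4.0,DAV\r\nDASL: <DAV:sql>\r\nDAV: 1, 2\r\n"
                  "Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, "
                  "MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH\r\n"
                  "Allow: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, "
                  "UNLOCK\r\n\r\n")

if __name__ == "__main__":
    print(profile_iis(HEAD_SAMPLE, OPTIONS_SAMPLE))
```

Raw responses for a live host can be captured exactly as in Example 14-13 and passed in as strings; the Public header describes what the server implements, while Allow is what the requested resource actually accepts, which is why the risky-method list is taken from Allow.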

14.2.4.1 ASP.NET investigation

ASP.NET support can be further investigated with H D Moore's dnascan.pl utility. Example 14-14 shows ASP.NET details being obtained from the web server.

Example 14-14. Using dnascan.pl to query the ASP.NET subsystem
# ./dnascan.pl http://192.168.10.25
[*] Sending initial probe request...
[*] Sending path discovery request...
[*] Sending application trace request...
[*] Sending null remoter service request...

[ .NET Configuration Analysis ]

       Server   -> Microsoft-IIS/5.0
   ADNVersion   -> 1.1.4322.573
     AppTrace   -> LocalOnly
 CustomErrors   -> On
  Application   -> /

The ASP.NET version information has been expanded from 1.1.4322 (obtained through a previous HEAD request), to 1.1.4322.573. By enumerating valid ISAPI extensions and running an automated test (such as nikto or N-Stealth) to test for the presence of FrontPage Server Extensions or OWA components, you can get a clear idea of the web server and its enabled subsystems.

14.2.4.2 ISAPI extension enumeration

Example 14-15 shows how to use telnet to test for valid ISAPI extensions on the target IIS web server. In this case, I find that .printer and .ida extensions are mapped (returning 200 and 500 code responses), but .idc isn't (returning a 404 Page Not Found).

Example 14-15. Enumerating valid ISAPI extensions
# telnet 192.168.10.25 80
Trying 192.168.10.25...
Connected to 192.168.10.25.
Escape character is '^]'.
GET /test.printer HTTP/1.0

HTTP/1.1 500 13
Server: Microsoft-IIS/5.0
Date: Mon, 24 Nov 2003 22:53:20 GMT
Content-Type: text/html

<b>Error in web printer install.</b>
Connection closed by foreign host.
# telnet 192.168.10.25 80
Trying 192.168.10.25...
Connected to 192.168.10.25.
Escape character is '^]'.
GET /test.ida HTTP/1.0

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Mon, 24 Nov 2003 22:56:18 GMT
Content-Type: text/html

<HTML>The IDQ file test.ida could not be found.
Connection closed by foreign host.
# telnet 192.168.10.25 80
Trying 192.168.10.25...
Connected to 192.168.10.25.
Escape character is '^]'.
GET /test.idc HTTP/1.0

HTTP/1.1 404 File Not Found
Server: Microsoft-IIS/5.0
Date: Mon, 24 Nov 2003 22:59:19 GMT

Connection closed by foreign host.

I use this technique to test for each ISAPI extension (see Section 6.3.5 in Chapter 6). Table 14-2 provides a breakdown of the interesting extensions and their respective server HTTP response code (200, 500, 404, etc.).

Table 14-2. Enabled ISAPI extensions on 192.168.10.25

File extension   Server-side DLL   Server HTTP response
HTR              ISM.DLL           404 File Not Found
IDA              IDQ.DLL           200 OK
IDQ              IDQ.DLL           200 OK
HTW              WEBHITS.DLL       200 OK
IDC              HTTPODBC.DLL      404 File Not Found
PRINTER          MSW3PRT.DLL       500 13

I can later investigate vulnerabilities in the DLL files associated with these mapped ISAPI extensions, particularly idq.dll, webhits.dll, and msw3prt.dll.

14.2.4.3 Automated scanning for FrontPage and OWA components

Microsoft FrontPage Server Extensions and OWA subsystems are made up of a number of active components, some of which can be abused if accessible. When I say active, I mean components such as server-side DLLs (including /_vti_bin/_vti_aut/fp30reg.dll and author.dll) to which traffic can be sent, potentially allowing overflow attacks to be launched. I use automated scanning tools, such as nikto or N-Stealth, to identify these components efficiently. In the case of the IIS 5.0 web server at 192.168.10.25, no active FrontPage or OWA components are found.

14.2.4.4 SSL web service investigation

The second accessible service (running on TCP port 443) is an SSL-enhanced IIS 5.0 web service instance. Using stunnel to establish an SSL connection to the service, the same enabled subsystems and components are identified. I can use this encrypted SSL access to attack the server and potentially bypass IDS or other security mechanisms.