Let's start by taking a deeper look at nmap. Nmap has a lot of great features for this type of work, but before we start selecting options don't forget to keep the scope of the assessment in mind. If you are limited by time you may need to speed up your scans, which of course could impact accuracy. If accuracy can't be sacrificed then you may need to scale back what you scan for. It's an interesting balancing act when it comes down to it.
Our basic nmap scan was: nmap -n -sT 192.168.10.0/24. This is great for telling us what hosts and ports are listening, but what about what's behind those ports? To examine that we need to add the -sV option. The -sV option will gather the type and version of each service running on each port. Having the type and version of a given service is going to make our jobs much easier when it comes to exploiting it.
Exercise:
If you're playing along at home, here's a good chance to enumerate the Metasploitable VM. From BackTrack run the command: nmap -n -sT -sV 192.168.10.107 (where the IP address is the IP of the Metasploitable VM). Doing so you should get some output like this:
Nmap scan report for 192.168.10.107
Host is up (0.014s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp   open  telnet      Linux telnetd
25/tcp   open  smtp        Postfix smtpd
53/tcp   open  domain      ISC BIND 9.4.2
80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp  open  rpcbind     (rpcbind V2) 2 (rpc #100000)
139/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
512/tcp  open  exec        netkit-rsh rexecd
513/tcp  open  login
514/tcp  open  tcpwrapped
1099/tcp open  rmiregistry GNU Classpath grmiregistry
1524/tcp open  ingreslock?
2049/tcp open  nfs         (nfs V2-4) 2-4 (rpc #100003)
2121/tcp open  ftp         ProFTPD 1.3.1
3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
5432/tcp open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open  vnc         VNC (protocol 3.3)
6000/tcp open  X11         (access denied)
6667/tcp open  irc         Unreal ircd
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
8180/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
1 service unrecognized despite returning data.
If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
[SF service fingerprint for port 1524 omitted]
MAC Address: 08:00:27:FD:06:4F (Cadmus Computer Systems)
Service Info: Hosts: metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:kernel

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 128.00 seconds
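As an added example (not part of the original post), a small Python parser for the PORT/STATE/SERVICE/VERSION table that -sV prints. The sample rows are constructed from the report above; the helpers pick out the ports where nmap could not name a version (the ones worth a manual banner grab) and the ports it labelled http (the ones worth a web scan).

```python
import re

# Constructed sample: a few rows copied from the -sV report above.
SAMPLE_REPORT = """\
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
514/tcp  open  tcpwrapped
1524/tcp open  ingreslock?
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
8180/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
"""

# port/proto, state, service, and an optional free-text version column
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_sv_report(text: str) -> list:
    """Turn the PORT/STATE/SERVICE/VERSION table into a list of dicts.
    A trailing '?' on the service means nmap guessed it from the port number
    alone; a missing VERSION means none of nmap's service probes matched."""
    records = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue  # header line or anything that is not a port row
        port, proto, state, service, version = m.groups()
        records.append({
            "port": int(port), "proto": proto, "state": state,
            "service": service.rstrip("?"), "guessed": service.endswith("?"),
            "version": version,  # None when nmap printed nothing
        })
    return records


def needs_manual_check(records: list) -> list:
    """Ports with no version string: follow up with a manual banner grab."""
    return [r["port"] for r in records if r["version"] is None or r["guessed"]]


def web_ports(records: list) -> list:
    """Ports nmap labelled http: candidates for a nikto run."""
    return [r["port"] for r in records if r["service"] == "http"]


if __name__ == "__main__":
    recs = parse_sv_report(SAMPLE_REPORT)
    print("needs manual check:", needs_manual_check(recs))  # [514, 1524]
    print("web ports:", web_ports(recs))                      # [80, 8180]
```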
Among all the bad things running on this box, you'll find Apache httpd 2.2.8 on port 80, Apache Jserv on port 8009, and Apache Tomcat listening on 8180. To enumerate the banners (also known as banner grabbing) we will use Netcat. Run the following: nc -v 192.168.10.107 80 (where the IP address is the IP of the Metasploitable VM). After entering the command press Enter, then type GET / HTTP/1.1 and press Enter a few more times (2 or 3 should be good). Doing so you should get some output like this:
192.168.10.107: inverse host lookup failed: Unknown server error : Connection timed out
(UNKNOWN) [192.168.10.107] 80 (www) open
get / http/1.1
HTTP/1.1 400 Bad Request
Date: Mon, 05 Nov 2012 14:49:37 GMT
Server: Apache/2.2.8 (Ubuntu) DAV/2
Content-Length: 323
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
</p>
<hr>
<address>Apache/2.2.8 (Ubuntu) DAV/2 Server at metasploitable.localdomain Port 80</address>
</body></html>
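The same banner grab as an added Python example (not code from the original post). It sends a well-formed request: the method in upper case (methods are case-sensitive), a Host header when speaking HTTP/1.1 (RFC 2616 requires it, and a server answers 400 without it), and the blank line that ends the request; the reply bytes are a constructed copy of the 400 response above so the parser runs offline, and the IP is the lab VM's from the post.

```python
import socket


def build_request(host: str, path: str = "/", version: str = "1.1") -> bytes:
    """Minimal GET request. The method name is case-sensitive, HTTP/1.1
    requires a Host header, and the request ends with an empty line
    (CRLF CRLF), which is why two 'Enters' finish the manual netcat session."""
    lines = [f"GET {path} HTTP/{version}"]
    if version == "1.1":
        lines.append(f"Host: {host}")
    lines.append("Connection: close")  # ask the server to close when done
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_banner(raw: bytes) -> dict:
    """Return the status line and the Server header from a raw HTTP reply."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status, *headers = head.split("\r\n")
    server = next((h.split(":", 1)[1].strip() for h in headers
                   if h.lower().startswith("server:")), None)
    return {"status": status, "server": server}


def grab_banner(host: str, port: int = 80, timeout: float = 5.0) -> dict:
    """Connect, send the request and parse the reply (needs a reachable host)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_request(host))
        raw = b""
        while chunk := s.recv(4096):  # read until the server closes
            raw += chunk
    return parse_banner(raw)


# Constructed sample: the 400 reply shown above, as it arrives on the wire.
SAMPLE_400 = (b"HTTP/1.1 400 Bad Request\r\n"
              b"Date: Mon, 05 Nov 2012 14:49:37 GMT\r\n"
              b"Server: Apache/2.2.8 (Ubuntu) DAV/2\r\n"
              b"Content-Length: 323\r\n"
              b"Connection: close\r\n"
              b"Content-Type: text/html; charset=iso-8859-1\r\n"
              b"\r\n"
              b"<html><head><title>400 Bad Request</title></head></html>")

if __name__ == "__main__":
    print(parse_banner(SAMPLE_400))
    # print(grab_banner("192.168.10.107"))  # against your own Metasploitable VM
```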
Another good tool to use against web servers is nikto. Nikto will test the web server for dangerous files, directories and general misconfiguration. To run a basic scan with nikto execute the following command from BackTrack5R2: perl /pentest/web/nikto/nikto.pl -h 192.168.10.107 (where the IP address is the IP of the Metasploitable VM). Doing so you should get some output like this:
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP: 192.168.10.107
+ Target Hostname: 192.168.10.107
+ Target Port: 80
+ Start Time: 2012-11-05 06:24:17 (GMT-6)
---------------------------------------------------------------------------
+ Server: Apache/2.2.8 (Ubuntu) DAV/2
+ Retrieved x-powered-by header: PHP/5.2.4-2ubuntu5.10
+ Apache/2.2.8 appears to be outdated (current is at least Apache/2.2.19). Apache 1.3.42 (final release) and 2.0.64 are also current.
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3233: /phpinfo.php: Contains PHP configuration information
+ OSVDB-3268: /doc/: Directory indexing found.
+ OSVDB-48: /doc/: The /doc/ directory is browsable. This may be /usr/doc.
+ OSVDB-12184: /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3092: /phpMyAdmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3092: /phpMyAdmin/: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3268: /test/: Directory indexing found.
+ OSVDB-3092: /test/: This might be interesting...
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpMyAdmin/: phpMyAdmin directory found
+ 6474 items checked: 3 error(s) and 15 item(s) reported on remote host
+ End Time: 2012-11-05 06:30:07 (GMT-6) (350 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Next time we'll use this output to our advantage and see what we can do using Metasploit. Until next time, thanks for reading.
Michael
Nice work with the classic enumeration steps.
Check out your netcat GET request - looks like you generated an HTTP 400 error.
While you were able to get the information you were trying to find (the banner in this case), there's a reason that you received that 400 error.
As a hint, check out the syntax of your GET request.
* Does the "GET" casing matter?
* What about using HTTP/1.0 vs. HTTP/1.1? Have you learned the difference of what's required in the request for HTTP/1.1?
* You reference hitting "Enter" a few times, but there's a set number of line feeds it's expecting. Have you discovered what the actual line feed count is?
D.J., thanks for your comments and the ideas. I have done some research & testing and found that the case of the get statement does make a difference. In either case you receive the http header, however using the upper case 'GET / http/1.0' displays the full page. This is because http methods, in this case GET, are case sensitive.
When it comes to using 'http 1.1' vs. 'http 1.0' in the request, the difference depends on what version of the protocol you want to use. According to section 3.1 of RFC 2616, if a higher version number is received than can be handled, an error must be sent back to the requester. So in my example, I was requesting to communicate using HTTP 1.1, however it would appear version 1.1 could not be handled. When downgrading to 1.0, or even 0.9, the request worked and returned the web page.
Although HTTP version 1.1 is in common use today, I was receiving inconsistent results on different web servers. Going forward I will be trying both to elicit a proper response, until I learn more about this at least.
As for the number of 'enters' or line feeds it's looking for, that would be two. I was unable to find out why two is the magic number in this case, but I'll keep digging and post back if I discover why.
Please keep the comments coming.
Michael
Good research. Did you happen to catch what additional header HTTP/1.1 wants that's not required with HTTP/1.0?
Sorry for the delay in getting back to you regarding your question.
When I did my original research I did not take note of what changed between 1.0 and 1.1 so I went back to RFC2616 to find out. Section 16.6.1.1 states:
"The requirements that clients and servers support the Host request-header, report an error if the Host request-header (section 14.23) is missing from an HTTP/1.1 request, and accept absolute URIs (section 5.1.2) are among the most important changes defined by this specification."
So my understanding of this is if a client sends an HTTP/1.1 request and does not send the host header, the server MUST respond with a "400 (Bad Request)" error. I am 'assuming' this is the reason I received the 400 error.
To prove this, I'm planning to try a packet capture and see if I can determine if this is actually the case.
Michael