attacking ports!!! ( NO OFFENCE HERE)

Printable View

October 18th, 2001, 02:46 PM
scorpion

attacking ports!!! ( NO OFFENCE HERE)

i have setup a three computer network at home..all three machines run both windows98 and red hat linux7.1 ...just out of curiosity i downloaded a port scanner (nmap ) and ran a scan on one of the windows machine...and i did get a list of ports...
port 23
port 21 (i had installed a telnet and ftp server for windows)
port 139
and a few other port numbers
all these port have their repectives daemons listening for a connection i suppose...and all of them needs passwords....
i was wondering how a hacker who attacks a remote site with out any knowledge of the system users or passwords use a portscanner to get the port list and then gain access by attacking these ports??
on my windows machine i can never get the command prompt when i telnet from the linux machine using an invalid password..(well! that is obvious)...so how are these informations of listening ports useful to a hacker,if he has no pass or at the least a valid account in the machine....
October 18th, 2001, 03:28 PM
Simon Templer

Well.. Here is probably a brief overivew of what an attacker would do:

Once they have a list of ports that are open...they would then narrow their attacks to those ports. The attacker would probably identify which OS the computer is running and then search for a way to bypass the security measures either by exploit or password guessing. (with or without a Brute Force Tool)

For example: You have port 21 open, the attacker would identify what OS & version you run..and then search for FTP exploits for your OS. Or they could try Brute Force Attempts to try and get the password.

I don't break into computer systems...but I would imagine that, that would be the attackers next course of action.

Hope this has helped to answer your question! :)
October 19th, 2001, 10:59 AM
faust

nmap will generate an os "fingerprint" that is useful when doing recon scans on remote systems. Most of the top end port scanners will "guess" at the os.

Beware of honeypots, these will emulate an os. any os you want.
http://www.specter.com
October 19th, 2001, 11:40 AM
Gobinjf

Re: attacking ports!!! ( NO OFFENCE HERE)

Ok, here are a few things an intruder should or would probably attempt ...

Port 21 open ? What about "anonymous" login in ftp ? Has it been disable ? If no, can a remote user make a "quote site exec" ?

Port 23 : he can try a few "well known" user/password (root/root, root/admin, root/administrator, root/azerty, root/qwerty, root/<words from dictionnary> and so on) He can also try to exploit a known bug, the telnet variable overflow.

Port 139 ? Even tried to do an "nbtstat -A <your ip address>" under windows, or nmblookup -A <your ip address> under linux ? Try it, it's fun.

Here are a few things to try under windows

First, edit your c:\windows\lmhosts
and add
IP-address-of-computer a-name #PRE #DOM:whatever-domain-name-you-want

Reboot

Try ping a-name, if it answer "trying to ping <ip address>", just try a "net view \\a-name"

If it says error 5, try "net use \\a-name\ipc$"
and then the net view trick again ...

Do you see what an intruder should start with ? Gathering infos about your system!

Jean-Francois
October 20th, 2001, 08:49 PM
Sp1d3r-W0lf

Enum

Just thought I would drop a quick line on the subject. Very good information here though. Even has a quick tid bit on the netbios anonymous connection on the interprocess communication share (how is that for big words?). Anyways, without jumping to hard into legacy protocols or common mistakes made by people, I would like to point out that port scanning simply opens up a means for an intruder to learn what exactly is running on the system. As stated above, a lot of common ports do leave clues as to what might be a vulnerability. Things such as banner grabbing can leave clues to OS detection as well as nmap analysis of the TCP/IP stack. Example: If you see port 25 (smtp) open and you telnet into it. You can find out what smtp engine it is using. You can then use this information to determine what OS it is running on (not to mention lookup any exploit pertaining to that particular engine). This is all related to information gathering and is more of a red flag for IDS systems rather than an attempt to compromise the system. Don't be worried if you recieve a lot of ICMP hits on certain ports. A lot of the time it will be some kid running a script that searches a particular range of subnets looking for a common exploit. Thanks for the time.

Method to my Madness,

Sp1d3r
October 21st, 2001, 12:59 AM
8trak

Yes... Portscanning is kinda gay,
It's almost like screaming "HEY EVERYBODY LOOK AT ME"

You see, if someone is making connections to all of your ports, (usually in numerical order) then its obvious that your being portscanned.

Then again, This doesnt matter if your talking about hacking into systems that dont have competent admins.

I often portscan systems that i just want to do small hacks on.
It just gives you somewhere to start.
What services to look for holes in.

As for the "Interprocess Communication Share"
there's no reason to make things sound more complicated then they are.

The IPC$ share is rather useless on its own.
The information gained through it is trivial.
Any other smb shares on the other hand...
I love them... People think that good passwords will protect them.

None of this business would be really helpful if you wanted to hack somthing big... Like a government computer of somthing...
You could always set it to check ports realllly slowly... like for a couple days so that it didnt seem strange.

-8trak
October 21st, 2001, 09:38 PM
Sp1d3r-W0lf

Hmmm...$IPC share worthless eh'? Well....it does pull it's weight as far as system functions but may seem useless to somebody eager to hack a netbios share. My opinion is any default setting on a box that allows you to pick information is generally a good thing. About the only thing you can do with it is restrict anonymous connections. I know you can get more complicated with things like mib walking (snmp), but the only real way you are going to exploit a system *without using some automated tool* is by gathering information on it. I mean, even if you are cranking up legion or some **** you are just letting the tool work for you. Even in troubleshooting you must be able to determine what you are dealing with before you can move on. Hell, how can you even hack a name share unless you first know that port 139 is listening? For me shotgunning **** is a waste of time. I would rather know what is available before I worry about risking my ass poking around. As far as port scanning goes....most IDS systems will look for patterns such as the same IP hitting the computer in sequential order. Either scan slow or wait for somebody to come out with distributed port scanning or whip out the drones. Sorry for the long lecture....just throwing around some ideas. Laterz

Sp1d3r
October 21st, 2001, 10:47 PM
8trak

Oh man, yeah, i forgot about snmp walking,
that's the friggin greatest...

The only way i could see the IPC$ share on its own to be useful is if you were looking for a username to find a password for...
or somthing like that.

I think Info is nothing more then a way to find holes.
Like the PRINTER$ share,
There's all the info you'll ever want...
drivers and everything...
But I've never used the info found that way to do anything.

-8trak
October 22nd, 2001, 01:14 AM
Terr

Quote:

Originally posted by Sp1d3r W0lf
most IDS systems will look for patterns such as the same IP hitting the computer in sequential order. Either scan slow or wait for somebody to come out with distributed port scanning or whip out the drones.

You could probably portscan in multiples of X, or randomly, keeping track of which ones were already attempted. Or just randomly within 500 port chunks... It will sure look weird if a real person takes a look, though.
October 22nd, 2001, 02:37 PM
Half^A^Biscuit

:)

Yes.. i agree with you all..

however, your overlooking the never ending problem that surrounds IT, if someone can do something, then another person can find a way around it..

i mean if u really wanted me to .. i would write u a port scanner with all those options u talked aboout... the scary thing is its not hard.. :)

but i mean as soon as i gave it to someone.. it would spread.. i mean especially if someone posted it on an underground site.. i mean then everyone would have it.. and then someone would make an IDS to look for the way that the program scans, then somoeone would alter mine, and the cycle continues..

either way... noone will ever be 100% safe... :( i know it sucks..
but we just have to track down and lock up those little lamers who try to breach our machines..

no offence to anyone :P
October 23rd, 2001, 11:22 AM
sparkant

hm

I've heard allready alot, but I was not aware of "snmp walking". How's such thing generally done and how could one protect against it?

Enlighten me!

Grtz,