
Good port/vulnerability scanner?

  • 08-04-2011 3:07pm
    #1
    Registered Users, Registered Users 2 Posts: 74 ✭✭


    Anyone know a good vulnerability scanner for a client? I need to find the vulnerable aspects of a client PC, then once known I have to actually hack/break the client PC in the area found...College work! If anyone knows anything leave us know, I'd appreciate it.


Comments

  • Registered Users, Registered Users 2 Posts: 10,339 ✭✭✭✭LoLth


    nmap

    seriously though, if you are asking about a security scanner and you don't already know of a few (and have experience of them) I think you're in a spot of bother.

    Also, some more details would be handy, what type of system is it you are being asked to scan/break into? OS for example?

    Are you allowed to use trial versions of scanners? Does your college have a particular software that it teaches on the course you are doing?

    Not being smart here but from your post it sounds like you've been handed a toothpick and told to go fight whatever you find on the other side of the hill. Surely some scanners were mentioned on your course? Are you sure you are allowed to use commercial / opensource pre-built scanners - I would think that would defeat a lot of the purpose of the exercise, don't you?


  • Registered Users, Registered Users 2 Posts: 74 ✭✭Tastyboy


    I know of a few alright, Nessus we were trying out. I meant what is the easiest to use.

    We haven't learnt anything, it's a research project with 5 guys who have to figure it out, said I'd bang something up here to see what the thoughts were.

    Our exact project is Windows 7, we've to install a few bits and pieces, get ssh running with PuTTY which is grand, and then finally scan the entire system for vulnerabilities and then carry out 1 of the vulnerabilities.

    We can use trial versions as it has to be complete in the next 2 weeks, so we can practically use what we want. We have never used any of the software, it's research for a module so we've to figure it out ourselves.

    As I said, there are 5 so we are expected to figure it out between us. These posts are for advice really I suppose, but yeah, we've never done this. It's just a client machine to secure, not a network etc.


  • Registered Users, Registered Users 2 Posts: 10,339 ✭✭✭✭LoLth


    hmmm, well there is a "no, we won't do your homework for you" general policy across boards.ie but...

    If you want to post up your observations on a tool or if you want an opinion on something you are discussing in your project group, please feel free to post up a question (but try to be specific).

    You won't learn anything if you get handed the answers!


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Nmap is all you need to be honest. Just use the -sV switch to get the service version, and just check any of the vulnerability databases for exploits.


  • Registered Users, Registered Users 2 Posts: 10,339 ✭✭✭✭LoLth


    pointy clicky interface available for windows and linux called Zenmap

    nmap quick reference/cheatsheet:
    http://nmapcookbook.blogspot.com/2010/02/nmap-cheat-sheet.html

    nmap documentation:
    http://nmap.org/docs.html

    nmap download:
    http://nmap.org/download.html


  • Registered Users, Registered Users 2 Posts: 74 ✭✭Tastyboy


    Cheers all. I'm using Nmap with the gui, zenmap. Pretty easy to use, it scanned all my ports & showed which are open, ftp, http, and so on. I'm not sure what a lot of the ports do but I presume I should leave some of them open. Have a look:

    PORT STATE SERVICE
    7/tcp unknown echo
    9/tcp unknown discard
    13/tcp unknown daytime
    21/tcp unknown ftp
    22/tcp unknown ssh
    23/tcp unknown telnet
    25/tcp unknown smtp
    26/tcp unknown rsftp
    37/tcp unknown time
    53/tcp unknown domain
    79/tcp unknown finger
    80/tcp unknown http
    81/tcp unknown hosts2-ns
    88/tcp unknown kerberos-sec
    106/tcp unknown pop3pw
    110/tcp unknown pop3
    111/tcp unknown rpcbind
    113/tcp unknown auth
    119/tcp unknown nntp
    135/tcp unknown msrpc
    139/tcp unknown netbios-ssn
    143/tcp unknown imap
    144/tcp unknown news
    179/tcp unknown bgp
    199/tcp unknown smux
    389/tcp unknown ldap
    427/tcp unknown svrloc
    443/tcp unknown https
    444/tcp unknown snpp
    445/tcp unknown microsoft-ds
    465/tcp unknown smtps
    513/tcp unknown login
    514/tcp unknown shell
    515/tcp unknown printer
    543/tcp unknown klogin
    544/tcp unknown kshell
    548/tcp unknown afp
    554/tcp unknown rtsp
    587/tcp unknown submission
    631/tcp unknown ipp
    646/tcp unknown ldp
    873/tcp unknown rsync
    990/tcp unknown ftps
    993/tcp unknown imaps
    995/tcp unknown pop3s
    1025/tcp unknown NFS-or-IIS
    1026/tcp unknown LSA-or-nterm
    1027/tcp unknown IIS
    1028/tcp unknown unknown
    1029/tcp unknown ms-lsa
    1110/tcp unknown nfsd-status
    1433/tcp unknown ms-sql-s
    1720/tcp unknown H.323/Q.931
    1723/tcp unknown pptp
    1755/tcp unknown wms
    1900/tcp unknown upnp
    2000/tcp unknown cisco-sccp
    2001/tcp unknown dc
    2049/tcp unknown nfs
    2121/tcp unknown ccproxy-ftp
    2717/tcp unknown unknown
    3000/tcp unknown ppp
    3128/tcp unknown squid-http
    3306/tcp unknown mysql
    3389/tcp unknown ms-term-serv
    3986/tcp unknown mapper-ws_ethd
    4899/tcp unknown radmin
    5000/tcp unknown upnp
    5009/tcp unknown airport-admin
    5051/tcp unknown ida-agent
    5060/tcp unknown sip
    5101/tcp unknown admdog
    5190/tcp unknown aol
    5357/tcp unknown unknown
    5432/tcp unknown postgresql
    5631/tcp unknown pcanywheredata
    5666/tcp unknown nrpe
    5800/tcp unknown vnc-http
    5900/tcp unknown vnc
    6000/tcp unknown X11
    6001/tcp unknown X11:1
    6646/tcp unknown unknown
    7070/tcp unknown realserver
    8000/tcp unknown http-alt
    8008/tcp unknown http
    8009/tcp unknown ajp13
    8080/tcp unknown http-proxy
    8081/tcp unknown blackice-icecap
    8443/tcp unknown https-alt
    8888/tcp unknown sun-answerbook
    9100/tcp unknown jetdirect
    9999/tcp unknown abyss
    10000/tcp unknown snet-sensor-mgmt
    32768/tcp unknown unknown
    49152/tcp unknown unknown
    49153/tcp unknown unknown
    49154/tcp unknown unknown
    49155/tcp unknown unknown
    49156/tcp unknown unknown
    49157/tcp unknown unknown

    Nmap done: 1 IP address (1 host up) scanned in 0.53 seconds

    Basically I've to use one of these to find a vulnerability now...any ideas what I should go for? What actions etc.

    Thanks again.


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    As someone said, use the -sV option to get the versions of the services running. Then look for exploits for those versions.

    Metasploit would be my tool of choice for the actual 'hacking' of the machine. It comes with a lot of exploits built in.

    And it's free. Go check out their howtos to learn how to work it, but no-one is going to spoon feed you.


  • Registered Users, Registered Users 2 Posts: 367 ✭✭900913


    The quickest way to find the vulnerability would be to use the db_autopwn option of Metasploit or fast-track.py.

    Both are available on the BackTrack 4 distro.

    You won't learn as much using automated tools but they get the job done.


  • Registered Users, Registered Users 2 Posts: 10,339 ✭✭✭✭LoLth


    with db_autopwn you not only won't learn anything but you also don't get much back to write up and hand in. It just goes off and does its thing.

    as already said: use the -sV option in nmap to identify the versions behind each port (does it automagically as it scans but the scan takes considerably longer). Once you have a list of the services running behind the ports, use google or Metasploit to find a useful vulnerability that works with your version of the service (mitre.org and other security disclosure sites are valuable resources for this and sometimes include some proof of concept code that you can tailor to your own ends, or they contain a link to a Metasploit module that utilises the vulnerability).

    I doubt the most important part of this assignment is exploiting the machine, I'd say most of the marks will be for how you go about it and what steps you take.

    downloaded autopwn
    ran autopwn
    got admin access

    really isn't much of a write up.

    using nmap you can take note of the services and attach links to vulnerabilities you find to your notes, then you can write a piece about why you chose the one you do choose and finish up with how the vulnerability was used and what the results were, going into detail on how the vulnerability/exploit script achieved that goal.
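    As an added example (not from any poster in this thread), the script below turns the `nmap -sV -oX` XML output into the service inventory LoLth describes for the write-up, and tags the services that should not normally be reachable on a client workstation (cleartext logins, remote control, exposed file sharing). The XML is a constructed sample with placeholder product names and versions, not a real scan of any host.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout of `nmap -sV -oX` output (not a real scan);
# product names and versions are placeholders, not findings about any host.
SAMPLE_XML = """<nmaprun>
 <host><address addr="192.0.2.10" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="21"><state state="open"/><service name="ftp" product="ExampleFTPd" version="1.0"/></port>
   <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
   <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
   <port protocol="tcp" portid="3389"><state state="closed"/><service name="ms-wbt-server"/></port>
   <port protocol="tcp" portid="5900"><state state="open"/><service name="vnc" product="ExampleVNC" version="4.1"/></port>
  </ports>
 </host>
</nmaprun>"""

# Services that carry credentials in cleartext or expose remote control / file
# sharing; on a client workstation these should normally be off or firewalled.
RISKY = {
    "ftp": "cleartext logins, disable or replace with SFTP",
    "telnet": "cleartext shell, disable",
    "vnc": "remote control, restrict to trusted hosts and enforce strong auth",
    "microsoft-ds": "SMB file sharing reachable, firewall it off the client",
}

def parse_services(xml_text):
    """Return sorted [(port, proto, service, product, version)] for open ports."""
    root = ET.fromstring(xml_text)
    rows = []
    for p in root.iter("port"):
        if p.find("state").get("state") != "open":
            continue  # closed/filtered ports are not part of the inventory
        svc = p.find("service")
        rows.append((int(p.get("portid")), p.get("protocol"), svc.get("name", ""),
                     svc.get("product", ""), svc.get("version", "")))
    return sorted(rows)

def triage(rows):
    """Attach a hardening note to each open service, for the write-up table."""
    return [(port, svc, f"{prod} {ver}".strip(),
             RISKY.get(svc, "review: is this needed on a client?"))
            for port, _proto, svc, prod, ver in rows]

if __name__ == "__main__":
    for port, svc, banner, note in triage(parse_services(SAMPLE_XML)):
        print(f"{port:>5}/tcp {svc:<13} {banner:<18} {note}")
```

    The version column is what you cross-reference against the vulnerability databases mentioned above; a blank banner means -sV could not identify the software and the port needs a manual look.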


  • Registered Users, Registered Users 2 Posts: 367 ✭✭900913


    @LoLth

    off Topic:

    You made a typo in your last post and discovered a brilliant new word.
    automagically

    automagically:
    The use of a script to exploit with minimal user input.


    Example of AUTOMAGICALLY:
    The sla.cker used script A to automagically gain access to the admin panel.


  • Posts: 0 [Deleted User]


    Metasploit with Armitage is worth a look.

    http://www.fastandeasyhacking.com


  • Registered Users, Registered Users 2 Posts: 367 ✭✭900913


    If I only had a choice of three ports/services to attack.

    I would have to start at 23 telnet,

    then 139. And finally have a bash/brute at port 5900.

    But they're too obvious for a challenge.

    445....


  • Registered Users, Registered Users 2 Posts: 10,339 ✭✭✭✭LoLth


    900913 wrote: »
    @LoLth

    off Topic:

    You made a typo in your last post and discovered a brilliant new word.



    automagically:
    The use of a script to exploit with minimal user input.


    Example of AUTOMAGICALLY:
    The sla.cker used script A to automagically gain access to the admin panel.

    unfortunately I cannot claim credit for this word. heard it on TV years ago and have heard it used by IT peoples to describe various events "no idea, the server just automagically started working again" , "the new version of internet explorer automagically fills in forms for you" , "and with this utility you can automagically email everyone in your mailbox simultaneously as well as send them a fax, every day until they respond" etc etc


  • Closed Accounts Posts: 452 ✭✭Phractal


    DB_autopwn is not an option you EVER want to use except as a last resort, and nor is Armitage except for learning.

    Man the hell up, use the msfconsole and nmap.

    IF using Metasploit and autopwn, use the NeXpose plugin, Nessus plugin, write a script to do the nmap scans (about 30 different scans), OpenVAS plugin, and a bunch of the msf_scanners

    use the MySQL database to collate the results and then db_autopwn -p -t -e -s

    Basically you want a REALLY clear picture of your target BEFORE you hit the damn thing.

    Or, try some client side exploits. ARP poison the thing so it redirects to your evil_web_server and launch a slew of browser exploits to download+install something like Poison Ivy or DarkComet and then use that + the 'malformed keyboard layout' to gain SYSTEM with your trojan.

    Also try exploiting IPC$ shares and C$ shares... People ALWAYS leave them open.

    install Terminal Services and try TSgrinder.


  • Registered Users, Registered Users 2 Posts: 74 ✭✭Tastyboy


    I appreciate all the comments, we're nearly there. Nessus showed a clear vision of what's secure etc, thing is we need a point where it is highly vulnerable. Therefore we need to alter Windows 7 to allow intrusion, just one part. It declares which ports are open but they are all of low priority, we need something that suggests high priority. Any ideas?


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Is it Windows 7 without any patches?

    If you're desperate, install IIS 5, although in the real world, this wouldn't make any sense.


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Tastyboy wrote: »
    I appreciate all the comments, we're nearly there. Nessus showed a clear vision of what's secure etc, thing is we need a point where it is highly vulnerable. Therefore we need to alter Windows 7 to allow intrusion, just one part. It declares which ports are open but they are all of low priority, we need something that suggests high priority. Any ideas?

    Forget about Nessus.

    If you want to pen-test a machine, I'd recommend downloading PwnOS, and running it as a virtual machine. It's a custom-designed Linux distribution, designed to be inherently weak. It has a number of flawed services which you can attack.

    The problem with Nessus is that it's too automated. It's done in the abstract, and you don't really learn what's going on.

    Alternatively if you're not comfortable with Linux, you could just try to get a Windows XP CD, and install it without any service packs. Download Metasploit, and just run the ms08_067_netapi exploit. (It's pretty much the 'hello world' of Metasploit)


  • Registered Users, Registered Users 2 Posts: 1,691 ✭✭✭JimmyCrackCorn


    Tastyboy wrote: »
    I appreciate all the comments, we're nearly there. Nessus showed a clear vision of what's secure etc, thing is we need a point where it is highly vulnerable. Therefore we need to alter Windows 7 to allow intrusion, just one part. It declares which ports are open but they are all of low priority, we need something that suggests high priority. Any ideas?

    Why limit yourself to Windows 7? It has been hardened against exactly what you're doing. (suggest you find out how/why/when Windows got hardened against attacks on open services)

    There is a lot more to breaking in than just port scanning a box. Have a look at the vulnerability trends. How are most machines compromised?

    I can't tell you exactly what to do but I can point.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    There have still been some holes found in unpatched Windows 7. Are you limited to Windows 7 itself or other applications you can install?


  • Closed Accounts Posts: 452 ✭✭Phractal


    Hmmm. If desperate leave remote desktop open with a **** password.

    :P EASY way in


  • Registered Users, Registered Users 2 Posts: 367 ✭✭900913


    it's a research project with 5 guys who have to figure it out,

    If any of the 5 of you have access to the pc,

    Just use Kon-boot,


  • Closed Accounts Posts: 452 ✭✭Phractal


    Or, alternatively... try the SpoolSV exploit. MS-10-***

    It's ****ing awesome!

