Good port/vulnerability sanner?

Tastyboy

Anyone know a good vulnerability scanner for a client? I need to find the vulnerable aspects of a client PC, then once known I have to actually hack/break the client PC in the area found...College work! If anyone knows anything leave us know, I'd appreciate it.

LoLth

nmap

seriously though, if you are asking about a security scanner and you dont already know of a few (and have experience of them) I think you're in a spot of bother.

Also, some more detials would be handy, what type of system is it you are being asked to scan/break into? OS for example?

Are you allowed to use trial versions of scanners? Does your college have a particular software that is teaches on the course you are doing?

Not being smart here but from your post it sound like you've been handed a toothpick and told to go fight whatever you find on the other side of the hill. Surely some scanners were mentioned on your course? Are you sure you are allowed use commercial / opensource pre-built scanners - I would think that would defeat a lot of the purpose of the exercise, dont you?

Tastyboy

I know of a few alright, nessus we were trying out. I meant what is the easiest to use.

We haven't learnt anything, it's research project with 5 guys who have to figure it out, said I'd bang something up here to see what the thoughts were.

Our exact project is windows 7, we've to install a few bits and pieces, get ssh running with putty which is grand, and then finally scan the entire system for vulnerabilities and then carry out 1 of the vulnerabilites.

We can use trial versions as it has to be complete in the next 2 weeks, so we can practically use what we want. We have never used any of the software, it's research for a module so we've to figure out ourselves.

As I said, there are 5 so are expected to figure it out between us. These posts are for advice really I suppose, but yeah, we've never done this. It's just a client machine to secure, not a network etc.

LoLth

hmmm, well there is a "no, we wont do your homework for you" general policy across boards.ie but...

If you want to post up your observations on a tool or if you want an opinion on somethign you are discussing in your project group, please feel free to post up a question (but try to be specific).

You wont learn anything if you get handed the answers!

dlofnep

Nmap is all you need to be honest. Just use the -sV switch to get the service version, and just check any of the vulnerability databases for exploits.

LoLth

pointy clicky interface available for windows and linux called Zenmap

nmap quick reference/cheatsheet:
http://nmapcookbook.blogspot.com/2010/02/nmap-cheat-sheet.html

nmap documentation:
http://nmap.org/docs.html

nmap download:
http://nmap.org/download.html

Tastyboy

Cheers all. I'm using Nmap with the gui, zenmap. Pretty easy to use, it scanned all my ports & showed which are open, ftp, http, and so on. I'm not sure what a lot of the ports do but I presume I should leave some of them open. Have a look:

PORT STATE SERVICE

7/tcp unknown echo

9/tcp unknown discard

13/tcp unknown daytime

21/tcp unknown ftp

22/tcp unknown ssh

23/tcp unknown telnet

25/tcp unknown smtp

26/tcp unknown rsftp

37/tcp unknown time

53/tcp unknown domain

79/tcp unknown finger

80/tcp unknown http

81/tcp unknown hosts2-ns

88/tcp unknown kerberos-sec

106/tcp unknown pop3pw

110/tcp unknown pop3

111/tcp unknown rpcbind

113/tcp unknown auth

119/tcp unknown nntp

135/tcp unknown msrpc

139/tcp unknown netbios-ssn

143/tcp unknown imap

144/tcp unknown news

179/tcp unknown bgp

199/tcp unknown smux

389/tcp unknown ldap

427/tcp unknown svrloc

443/tcp unknown https

444/tcp unknown snpp

445/tcp unknown microsoft-ds

465/tcp unknown smtps

513/tcp unknown login

514/tcp unknown shell

515/tcp unknown printer

543/tcp unknown klogin

544/tcp unknown kshell

548/tcp unknown afp

554/tcp unknown rtsp

587/tcp unknown submission

631/tcp unknown ipp

646/tcp unknown ldp

873/tcp unknown rsync

990/tcp unknown ftps

993/tcp unknown imaps

995/tcp unknown pop3s

1025/tcp unknown NFS-or-IIS

1026/tcp unknown LSA-or-nterm

1027/tcp unknown IIS

1028/tcp unknown unknown

1029/tcp unknown ms-lsa

1110/tcp unknown nfsd-status

1433/tcp unknown ms-sql-s

1720/tcp unknown H.323/Q.931

1723/tcp unknown pptp

1755/tcp unknown wms

1900/tcp unknown upnp

2000/tcp unknown cisco-sccp

2001/tcp unknown dc

2049/tcp unknown nfs

2121/tcp unknown ccproxy-ftp

2717/tcp unknown unknown

3000/tcp unknown ppp

3128/tcp unknown squid-http

3306/tcp unknown mysql

3389/tcp unknown ms-term-serv

3986/tcp unknown mapper-ws_ethd

4899/tcp unknown radmin

5000/tcp unknown upnp

5009/tcp unknown airport-admin

5051/tcp unknown ida-agent

5060/tcp unknown sip

5101/tcp unknown admdog

5190/tcp unknown aol

5357/tcp unknown unknown

5432/tcp unknown postgresql

5631/tcp unknown pcanywheredata

5666/tcp unknown nrpe

5800/tcp unknown vnc-http

5900/tcp unknown vnc

6000/tcp unknown X11

6001/tcp unknown X11:1

6646/tcp unknown unknown

7070/tcp unknown realserver

8000/tcp unknown http-alt

8008/tcp unknown http

8009/tcp unknown ajp13

8080/tcp unknown http-proxy

8081/tcp unknown blackice-icecap

8443/tcp unknown https-alt

8888/tcp unknown sun-answerbook

9100/tcp unknown jetdirect

9999/tcp unknown abyss

10000/tcp unknown snet-sensor-mgmt

32768/tcp unknown unknown

49152/tcp unknown unknown

49153/tcp unknown unknown

49154/tcp unknown unknown

49155/tcp unknown unknown

49156/tcp unknown unknown

49157/tcp unknown unknown



Nmap done: 1 IP address (1 host up) scanned in 0.53 seconds

Basically I've to use one to these to find a vulnerability now...any ideas what I should go for? What actions etc.

Thanks again.

syklops

As someone said, use the -sV option to get the versions of the services running. Then look for exploits for those versions.

Metasploit would be my tool of choice for the actual 'hacking' of the machine. It comes with a lot of exploits built in.

And its free. Go check out their howto's to learn how to work it, but no-one is going to spoon feed you.

900913

The quickest way to find the vulnerability would be to use the db_autopwn option of metasploit or fast-track.py .

Both are available on the back-track 4 distro .

You won't learn as much using automated tools but they get the job done.

LoLth

with db_autopwn you not only wont learn anything but you also dont get much back to write up and hand in. it just goes off and does its thing.

as already said: use the -sV option in nmap to identify the versions behind each port (does it automagically as it scans but the scan takes considerably longer). Once you have a list of the service running behind the port, use google or metasploit to find a useful vulnerability that works with your version of the service (mitre.org and other security disclosure sites are valuable resources for this and sometimes include some proof of concept code that you can tailor to your own ends, or they contian a link to a metasploit module that utilises the vulnerability).

I doubt the most important part of this assignment is exploiting the machine, I'd say most of the marks will be for how you go about it and what steps you take.

downloaded autopwn
ran autopwn
got admin access

really isnt much of a write up.

using nmap you can tak note of the services and attach links to vulnerabilities you find to your notes, then you can write a piece about why you chose the one you do choose and finish up with how the vulnerability was used and what the results were going into detail on how the vulnerability/exploit script achieved that goal.

900913

@LoLth

off Topic:

You made a typo in your last post and discovered a brilliant new word.

automagically

automagically:
The use of a script to exploit with minimal user input.


Example of AUTOMAGICALLY:
The sla.cker used script A to automagically gain access to the admin panel.

Metasploit with Armitage is worth a look.

http://www.fastandeasyhacking.com

900913

If i only had a choice of three ports/services to attack.

I would have to start a 23 telnet,

then 139. And finnally have a bash/brute at port 5900.

But there too obvious for a challenge.

445....

LoLth

900913 wrote: »

@LoLth

off Topic:

You made a typo in your last post and discovered a brilliant new word.



automagically:
The use of a script to exploit with minimal user input.


Example of AUTOMAGICALLY:
The sla.cker used script A to automagically gain access to the admin panel.

unfortunately I cannot claim credit for this word. heard it on TV years ago and have heard it used by IT peoples to describe various events "no idea, the server just automagically started working again" , "the new version of internet explorer automagically fills in forms for you" , "and with this utility you can automagically email everyone in your mailbox simultaneously as well as send them a fax, every day until they respond" etc etc

Phractal

DB_autopwn is nto a option you EVER want to use except as a last resort, and nor is Armitage except for learning.

Man the hell up, use the msfconsole and nmap.

IF using Metasploit and autopwn, use the NeXpose plugin, Nessus plugin, write a script to do the nmap scans (about 30 different scans), OpenVAS plugin, and a bunch of the msf_scanners

use the MySQL database to collate the results and then db_autopwn -p -t -e -s

Basically you want a REALLY clear picture of your target BEFORE you hit the damn thing.

Or, try some client side exploits. ARP poison the thing so it redirects to youer evil_web_server and launch a slew of browser exploits to download+install something like Poison Ivy or DarkComet and then use that + the 'malformed keyboard layout' to gain SYSTEM with your trojan.

Also try exploiting IPC$ shares and C$ shares... People ALWAYS leave them open.

install Terminal Services and try TSgrinder.

Tastyboy

I appresicate all the comments, we're nearly there. Nessus showed a clear vision of what's secure etc, thing is we need a point where it is highly vulnerable. Therefore we need to alter Windows 7 to allow intrusion, just one part. It declares which ports are open but they are all of low priority, we need something that suggests high priority. Any ideas?

h57xiucj2z946q

Is it Windows 7 without any patches?

If your desperate, install IIS 5, although in the real world, this wouldn't make any sense.

dlofnep

Tastyboy wrote: »

I appresicate all the comments, we're nearly there. Nessus showed a clear vision of what's secure etc, thing is we need a point where it is highly vulnerable. Therefore we need to alter Windows 7 to allow intrusion, just one part. It declares which ports are open but they are all of low priority, we need something that suggests high priority. Any ideas?

Forget about Nessus.

If you want to pen-test a machine, I'd reccomend downloading PwnOS, and running it as a virtual machine. It's a custom-designed linux distribution, designed to be inherently weak. It has a number of flawed services which you can attack.

The problem with Nessus is that it's too automated. It's done in the abstract, and you don't really learn what's going on.

Alternatively if you're not comfortable with Linux, you could just try get a Windows XP CD, and install it without any service packs. Download metasploit, and just run the ms08_067_netapi exploit. (It's pretty much the 'hello world' of metasploit)

JimmyCrackCorn

Tastyboy wrote: »

I appresicate all the comments, we're nearly there. Nessus showed a clear vision of what's secure etc, thing is we need a point where it is highly vulnerable. Therefore we need to alter Windows 7 to allow intrusion, just one part. It declares which ports are open but they are all of low priority, we need something that suggests high priority. Any ideas?

Why limit yourself windows 7? It has been hardened against exactly what your doing. (suggest you find out how/why/when windows got hardened against attacks on open services)

There is allot more to breaking in than just port scanning a box. Have a look at the vunerabilty trends. How are most machines compramised?

I cant tell you exactly what to do but i can point.

h57xiucj2z946q

There has still been some holes found in unpatched Windows 7. Are you limited to windows 7 itself or other applications you can install?

Phractal

Hmmm. If desparate leave remote desktop open with a **** password.

:P EASY way in

900913

it's research project with 5 guys who have to figure it out,

If any of the 5 of you have access to the pc,

Just use Kon-boot,

Phractal

Or, alternatively... try the SpoolSV exploit. MS-10-***

Its ****ing awesome!