Information gathering is vital because it reveals the target's operating system, the programs and services running on the server, and the ports they listen on; it is the first step of any server-side attack. Once the services are known, one way in is simply to log in to them, for example with default, weak, or missing credentials.
Exploiting Misconfigured Services
Another thing we can do is exploit misconfigured services. These are very common: people install a service on a machine and never configure it properly. Such services are set up to make the machine accessible, but a baseline of security still has to be maintained, and configuration mistakes frequently leave openings that an attacker can use as an entry point. Some systems even ship with outright backdoors; we will look at an example of that as well.
Using Zenmap for Information Gathering
Zenmap makes this easy: take the target's IP address and run Zenmap against it, then search each discovered service on Google to see whether it has known weaknesses. We have used Zenmap before; the point here is that anything with an IP address is a computer. Earlier we saw that the Metasploitable machine, which we had treated as just a website, is really a server with a web server among its services. That is all a website is; there is nothing new here. To get a website's IP address you can simply ping it: if the target were Facebook, pinging facebook.com would return an IP. (For large sites that address is usually a CDN or load-balancer front end rather than the origin server, so treat it as one of many.)
Running Zenmap against Facebook's IP would list its running services. Since I have no authorization to scan Facebook, and unauthorized scanning is illegal in most places, I will run it against Metasploitable instead, a deliberately vulnerable virtual machine built for exactly this kind of practice.
Running nmap
There is no reason not to treat everything as a computer: a website, a server, an online service, or a phone is a computer, and penetration testing approaches them all the same way. I will open nmap from Activities and give it the IP address of my target, the Metasploitable machine at 192.168.213.133. I found that address by running ifconfig on the Metasploitable VM.
Running nmap against 192.168.213.133 lists the open ports and the services behind them. The nmap command:
nmap -T4 -sC -sV 192.168.213.133
What each part of this command does:
- nmap: This is a command-line utility for network discovery and security audit.
- -T4: sets the "aggressive" timing template. Nmap has six timing templates (-T0 through -T5); -T4 speeds the scan up considerably, which is fine on a lab network but is more likely to be noticed by a network intrusion detection system and can miss ports on slow or lossy links.
- -sC: runs Nmap's default set of NSE scripts (the same as --script=default) against the open ports, which adds details such as banners and, for some services, whether anonymous login is permitted.
- -sV: enables service version detection, which identifies the software and version listening on each open port. Those version strings are what we search for afterwards.
When run as root, nmap performs a TCP SYN (half-open) scan by default; without root it falls back to a full TCP connect scan, which is slower and leaves complete connections in the target's logs.
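The breakdown above is really the whole method: scan, then research every service string the scan reports. The Python script below, an added example rather than code from the course, automates the second step by parsing nmap's grepable output (the file written by -oG) into per-port records, a deduplicated list of search terms, and a flag for the Berkeley r-service ports that come up later in this discussion. The scan text it parses is constructed to resemble a Metasploitable 2 scan; it is not output captured from the page.

```python
"""Parse nmap grepable (-oG) output into per-port records and Google search terms.

Grepable format: one line per host; the "Ports:" field is a comma-separated list of
entries shaped  port/state/proto/owner/service/rpcinfo/version/
"""
from __future__ import annotations

# Constructed sample modelled on a Metasploitable 2 scan (not real captured output).
# Produce the real file with:  nmap -T4 -sC -sV -oG scan.gnmap 192.168.213.133
SAMPLE_GNMAP = (
    "# Nmap 7.94 scan initiated as: nmap -T4 -sC -sV -oG scan.gnmap 192.168.213.133\n"
    "Host: 192.168.213.133 ()\tStatus: Up\n"
    "Host: 192.168.213.133 ()\tPorts: "
    "21/open/tcp//ftp//vsftpd 2.3.4/, "
    "22/open/tcp//ssh//OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)/, "
    "512/open/tcp//exec//netkit-rsh rexecd/, "
    "513/open/tcp//login///, "
    "514/open/tcp//shell///, "
    "8009/filtered/tcp//ajp13///"
    "\tIgnored State: closed (974)\n"
    "# Nmap done -- 1 IP address (1 host up) scanned\n"
)

# The r-service trio: all three trust callers by host/user name instead of cryptography.
R_SERVICE_PORTS = {512: "exec (rexec)", 513: "login (rlogin)", 514: "shell (rsh)"}


def parse_gnmap(text: str) -> list[dict]:
    """Return one dict per port entry found on any 'Host: ... Ports: ...' line."""
    records = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        # Everything after "Ports:" up to the next tab-separated field.
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(","):
            entry = entry.strip()
            if not entry:
                continue
            fields = entry.split("/")
            if len(fields) < 7:
                continue  # malformed entry: skip rather than guess at its meaning
            port, state, proto, _owner, service, _rpc, version = fields[:7]
            records.append({
                "host": host,
                "port": int(port),
                "proto": proto,
                "state": state,
                "service": service,
                # nmap writes '/' inside version strings as '|' so the field separators stay unambiguous
                "version": version.replace("|", "/"),
            })
    return records


def open_ports(records: list[dict]) -> list[dict]:
    return [r for r in records if r["state"] == "open"]


def search_terms(records: list[dict]) -> list[str]:
    """One search string per open service, in port order: the version string if nmap
    identified one, otherwise the bare service name."""
    seen: set[str] = set()
    terms = []
    for r in open_ports(records):
        term = (r["version"] or r["service"]).strip()
        if term and term not in seen:
            seen.add(term)
            terms.append(term)
    return terms


def r_service_findings(records: list[dict]) -> list[str]:
    """Point out open rexec/rlogin/rsh ports, which deserve a .rhosts / hosts.equiv check."""
    return [
        f"{r['host']}:{r['port']} {R_SERVICE_PORTS[r['port']]} is open; check .rhosts and hosts.equiv trust"
        for r in open_ports(records)
        if r["proto"] == "tcp" and r["port"] in R_SERVICE_PORTS
    ]


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_GNMAP
    recs = parse_gnmap(text)
    for r in recs:
        print(f"{r['port']}/{r['proto']:<4} {r['state']:<9} {r['service']:<8} {r['version']}")
    for term in search_terms(recs):
        print("search:", term)
    for finding in r_service_findings(recs):
        print("finding:", finding)
```

Run it with the path to a real -oG file as the first argument; with no argument it prints the analysis of the constructed sample. Filtered ports are parsed but excluded from the search list, since a filtered port tells you about a firewall rather than a service.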
Analyzing Scan Results
The scan finished with a long list of open ports and running services. To investigate them, look up each port number together with the service name nmap reports for it on Google.
For instance, port 21 is the File Transfer Protocol (FTP), used to upload and download files from a machine acting as a file server. Normally FTP requires a username and password, but this server has been misconfigured to allow anonymous access, so no real identification is needed.
Like SSH, FTP has logins, but here anyone can log in without saying who they are: where SSH on this box accepted a default password, FTP accepts no password at all. Install an FTP client such as FileZilla and connect to the target's IP on port 21 with the username anonymous and an empty password. I will not dwell on this because it is that simple. Beyond the misconfiguration itself, take the exact server name and version string from the nmap output and Google it: that search is how you find known misconfigurations, vulnerabilities and public exploits that give code execution, and for some builds it is how you discover that the server software itself ships with a backdoor.
Example of Exploiting a Service
Now let us look at port 512. Suppose we went through the ports one by one and found nothing of interest until we reached TCP port 512.
I copy the service name nmap shows for this port, Google it, and read what comes back.
The first result explains that this port belongs to the Berkeley "r" services (rexec, rlogin, rsh), an old remote-execution family that ships with Linux systems. Like SSH, they let you log in and run commands on a machine remotely, but instead of cryptographic keys they trust the caller based on host and user names listed in files such as .rhosts, and where a password is required it is sent in clear text. On Metasploitable the neighbouring ports 513 (login) and 514 (shell) belong to the same family; rlogin itself talks to port 513.
Connecting to the Service
I will use rlogin to connect. Since I am not familiar with it, I first run it with --help: the syntax is rlogin followed by its options, with -l giving the username to log in as and the host (the target IP) at the end. On Kali, make sure the rsh-client package is installed first, because without it the rlogin command is an alias for ssh. Using root, the most powerful user, I run rlogin -l root 192.168.213.133 and am dropped straight into a shell on Metasploitable without a password prompt. Running id confirms I am root; pwd shows I am in root's home directory; uname -a prints the machine's hostname and kernel version; ls lists the files. The rlogin service was configured to trust logins from any host without a password, a misconfiguration that handed us root on Metasploitable.
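What actually travels over the wire when rlogin connects, and what the misconfiguration looks like on disk, is worth seeing once. The Python below is an added example, not code from the course: it builds the rlogin client's opening message as specified in RFC 1282, interprets the server's reply, audits a .rhosts or hosts.equiv file for the + wildcards that make rlogind trust anyone, and includes a try_rlogin helper that performs the real handshake against a host you choose (it must run as root, because rlogind only accepts connections from source ports 512 through 1023). The .rhosts content and the host name in it are constructed; the message layout follows the protocol.

```python
"""rlogin (TCP 513) handshake builder/parser and .rhosts trust audit."""
from __future__ import annotations

import socket

RLOGIN_PORT = 513  # the "login" service; 512 is exec (rexec) and 514 is shell (rsh)


def build_rlogin_request(client_user: str, server_user: str, term: str = "xterm/38400") -> bytes:
    """Client's first message (RFC 1282): NUL, client user, NUL, server user, NUL, term/speed, NUL.

    rlogind looks up server_user's ~/.rhosts (and /etc/hosts.equiv) for the caller's
    host and client_user; a match means no password prompt at all.
    """
    for field in (client_user, server_user, term):
        if "\x00" in field:
            raise ValueError("rlogin fields are NUL-terminated and may not contain NUL")
    return b"\x00" + b"\x00".join(f.encode() for f in (client_user, server_user, term)) + b"\x00"


def parse_rlogin_reply(data: bytes) -> tuple[bool, str]:
    """A leading NUL byte means the server accepted the connection; any other first byte
    is followed by an error message. Text after a NUL is already session data (a shell
    prompt if .rhosts trusted us, or login's 'Password:' prompt if it did not)."""
    if not data:
        return False, "no reply"
    text = data[1:].decode("ascii", errors="replace").strip()
    return (data[0] == 0), text


def rhosts_findings(text: str, path: str = "~/.rhosts") -> list[str]:
    """Flag lines that widen trust: '+' as host (any host) or '+' as user (any user).

    File format: one 'hostname [username]' pair per line, '#' starts a comment,
    '+' is the wildcard. '+ +' trusts every user on every host, which is exactly
    the configuration that lets rlogin -l root in without a password.
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None
        if host == "+":
            findings.append(f"{path}:{lineno}: trusts ANY host ({raw.strip()!r})")
        if user == "+":
            findings.append(f"{path}:{lineno}: trusts ANY user ({raw.strip()!r})")
    return findings


def _privileged_socket(timeout: float) -> socket.socket:
    """Bind the first free port in 1023..512; rlogind rejects unprivileged source ports."""
    for src_port in range(1023, 511, -1):
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            sock.bind(("", src_port))
            sock.settimeout(timeout)
            return sock
        except OSError:  # EACCES when not root, EADDRINUSE when the port is taken
            sock.close()
    raise PermissionError("no privileged source port available; run as root")


def try_rlogin(host: str, server_user: str = "root", client_user: str = "root",
               timeout: float = 5.0) -> tuple[bool, str]:
    """Perform the real handshake and return (accepted, first text from the server)."""
    sock = _privileged_socket(timeout)
    try:
        sock.connect((host, RLOGIN_PORT))
        sock.sendall(build_rlogin_request(client_user, server_user))
        return parse_rlogin_reply(sock.recv(512))
    finally:
        sock.close()


# Constructed .rhosts content (not taken from the page); the second line is the problem.
SAMPLE_RHOSTS = "# root's .rhosts\n+ +\nbuild.example.internal jenkins\n"

if __name__ == "__main__":
    print(build_rlogin_request("root", "root"))
    for finding in rhosts_findings(SAMPLE_RHOSTS, "/root/.rhosts"):
        print("finding:", finding)
    # Live check against the lab target (root required):
    # print(try_rlogin("192.168.213.133"))
```

If try_rlogin returns accepted with no "Password:" text following, the .rhosts lookup succeeded and you have exactly the passwordless root shell described above; if a password prompt appears, the service is running but not trusting you. The remediation is the mirror image of the audit: remove the wildcard lines and disable the exec, login and shell entries in inetd or xinetd altogether, since nothing about the r-services is fixable short of replacing them with SSH.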
Conclusion
The key point of this discussion is the method: run a Zenmap (or nmap) scan, then Google each open port and service version for misconfigurations, default passwords, backdoors, and code-execution vulnerabilities. More techniques of this kind will be demonstrated in the coming videos.