Wednesday, February 15, 2017

Service enumeration - How to...

To gain access to a server or a network, one first needs to collect the necessary information, and there are many tools to help with that. In this article we discuss some of them and see how they help us gather information. We will do it with three common services: DNS (Domain Name System), SNMP (Simple Network Management Protocol) and SMTP (Simple Mail Transfer Protocol).

This is always an important part of a penetration test. Knowing which services (and which versions) are running on a target tells you how to approach the test: which potential vulnerabilities they have and which exploits to try.

Please note that in the examples below we are using Kali Linux.

DNS Enumeration


The dnsenum tool ships with Kali Linux and is already on the PATH. Open a terminal and run:

dnsenum --enum example.com

(--enum is a shortcut for --threads 5 -s 15 -w: five parallel lookups, up to 15 subdomains scraped from Google, and WHOIS queries on the netranges found.)
                       
The results should include the host addresses, the name server(s) and mail server(s), and, where a name server allows it, a full zone transfer (AXFR). A zone transfer that succeeds against an Internet-facing name server is a finding in itself, since it hands you every record in the zone.

You can use switches to get finer-grained results. Some of the options:
--threads [number]  how many lookups to run simultaneously
-r                  enable recursive lookups on the subdomains found
-d [seconds]        maximum delay between WHOIS requests (a random wait up to this value)
-o [file]           write the output to a file (XML format)
-w                  enable WHOIS queries on the netranges found



It would also be nice to scan a domain and get IP addresses and hostnames, plus more information. There is another tool for that, fierce. Run it with:

fierce -dns example.com


To use fierce with a wordlist of candidate hostnames and write the results to a file:
fierce -dns example.com -wordlist targets.txt -file /temp/output.txt

SNMP Enumeration


For SNMP we use the snmpwalk tool. It sends SNMP GETNEXT requests to walk the target's MIB tree. In SNMP v1 and v2c the community string is the only "authentication", so try the defaults, public and private, first. In a terminal run:

snmpwalk -v 2c -c public 192.168.10.100

To enumerate installed software (the HOST-RESOURCES-MIB hrSWInstalled table), run:

snmpwalk -v 1 -c public 192.168.10.100 | grep hrSWInstalledName

This lists the software installed on the target machine. Note that the grep matches the symbolic MIB name, so the MIB files must be loaded; on Kali, install snmp-mibs-downloader and comment out the "mibs :" line in /etc/snmp/snmp.conf, otherwise snmpwalk prints numeric OIDs and grep finds nothing.
To enumerate the TCP ports the host is using (the TCP-MIB tcpConnState table), we use this command:

snmpwalk -v 2c -c public 192.168.10.100 | grep tcpConnState | cut -d"." -f6 | sort -nu

Each tcpConnState entry is indexed by local address, local port, remote address and remote port, so the sixth dot-separated field is the local port and the result is a sorted list of the target's TCP ports (listening sockets and established connections). This is important information from your enumeration: SNMP reports what the host itself sees, so it also reveals ports that a firewall hides from a port scanner.
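The cut -d"." -f6 pipeline above only works when the MIBs are loaded, because the numeric form of the same rows (iso.3.6.1.2.1.6.13.1.1.a.b.c.d.port...) has a different number of leading fields. The following is an added example, not part of the original article, that extracts the ports from either form and separates listening sockets from established connections. The snmpwalk output it parses is constructed for the example, not captured from a real host, and the target address and community string are the article's placeholders.

```shell
#!/bin/sh
# Added example: extract TCP ports from snmpwalk's tcpConnState rows whether or not
# the MIB files are loaded.  Not part of the original article.

# Read snmpwalk output on stdin; print listening local ports, one per line, sorted.
# tcpConnState rows are indexed localAddr(4 octets).localPort.remAddr(4).remPort, so
# once the object name is stripped the 5th dot-separated field is the local port.
# State 2 is listen(2); anything else (established(5), timeWait(11), ...) is skipped.
snmp_listening_ports() {
    sed -n -e 's/^.*tcpConnState\.//p' -e 's/^.*\.6\.13\.1\.1\.//p' \
    | awk -F'[. ]' '/listen\(2\)$|INTEGER: 2$/ { print $5 }' \
    | sort -nu
}

# Every TCP socket the host knows about (listening or established): the same result the
# article's cut -d"." -f6 pipeline gives, but independent of whether MIBs are loaded.
snmp_tcp_ports() {
    sed -n -e 's/^.*tcpConnState\.//p' -e 's/^.*\.6\.13\.1\.1\.//p' \
    | awk -F'[. ]' '{ print $5 }' | sort -nu
}

# Walk only the tcpConnState column (1.3.6.1.2.1.6.13.1.1) of a live target and
# reduce it to listening ports.  $1 is the target; community string as in the article.
snmp_walk_listening() {
    snmpwalk -v 2c -c public "$1" 1.3.6.1.2.1.6.13.1.1 | snmp_listening_ports
}

# Constructed sample output (not captured from a real host), mixing the symbolic form
# (MIBs loaded) with the numeric form (MIBs not loaded).
SAMPLE_WALK='TCP-MIB::tcpConnState.0.0.0.0.22.0.0.0.0.0 = INTEGER: listen(2)
TCP-MIB::tcpConnState.0.0.0.0.80.0.0.0.0.0 = INTEGER: listen(2)
TCP-MIB::tcpConnState.192.168.10.100.51234.93.184.216.34.443 = INTEGER: established(5)
iso.3.6.1.2.1.6.13.1.1.127.0.0.1.631.0.0.0.0.0 = INTEGER: 2
iso.3.6.1.2.1.6.13.1.1.192.168.10.100.80.192.168.10.7.40022 = INTEGER: 5'

sample_listening_ports() { printf '%s\n' "$SAMPLE_WALK" | snmp_listening_ports; }
sample_tcp_ports()       { printf '%s\n' "$SAMPLE_WALK" | snmp_tcp_ports; }
```

Run sample_listening_ports to see 22, 80 and 631 (the outbound connection from local port 51234 only shows up in sample_tcp_ports); against a real target use snmp_walk_listening 192.168.10.100. Walking just the tcpConnState subtree instead of the whole tree is also much quicker and quieter than a full snmpwalk.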

Another useful tool for SNMP enumeration is snmpcheck; here is the command to run it:

snmpcheck -t 192.168.10.100

On newer Kali releases the tool is installed as snmp-check, which takes the target as a positional argument and the community string with -c. The output summarises system, network, process, share and user information that you can use later when exploiting the target.



SMTP Enumeration


To enumerate the users on an SMTP (Simple Mail Transfer Protocol) server we use smtp-user-enum with the VRFY command and a wordlist of candidate usernames:

smtp-user-enum -M VRFY -U /temp/users.txt -t 192.168.10.100

Here /temp/users.txt is the input wordlist; the results are printed to the terminal and list which of those usernames the server confirmed as existing mailboxes on the target. If the server answers every VRFY with a 252 reply, or rejects the command outright, it does not disclose users this way; try -M EXPN or -M RCPT instead.
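To make the VRFY technique concrete, here is an added example (not part of the original article) of a minimal enumerator that speaks the protocol directly and classifies the server's reply codes, so that a server answering 252 "cannot VRFY" is recognised instead of being reported as confirming every name. The HELO name, the target host and the wordlist path are assumptions, and the replies used to exercise the classifier are constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example: VRFY-based SMTP user enumeration with explicit reply-code handling.
# Not part of the original article.  The live enumerator needs bash for /dev/tcp.

# Map the server's reply to "VRFY <user>" onto a verdict (RFC 5321 reply codes).
smtp_vrfy_verdict() {
    case "$1" in
        250*|251*)      echo exists ;;        # mailbox known (251: known, will be forwarded)
        252*)           echo unverifiable ;;  # server will not confirm users: VRFY is useless here
        550*|551*|553*) echo unknown ;;       # no such mailbox
        *)              echo error ;;         # 500/502 (VRFY disabled), 421, timeouts, ...
    esac
}

# Read one SMTP reply from fd 3, skipping continuation lines ("250-..."); print the final line.
smtp_read_reply() {
    while read -r line <&3; do
        case "$line" in
            ???-*) ;;                          # multi-line reply, keep reading
            *) printf '%s\n' "$line"; return 0 ;;
        esac
    done
    return 1
}

# Enumerate users: $1 target host, $2 wordlist with one candidate username per line.
smtp_vrfy_enum() {
    exec 3<>"/dev/tcp/$1/25" || return 1
    smtp_read_reply >/dev/null                           # 220 banner
    printf 'HELO enum.example.net\r\n' >&3               # assumed client name
    smtp_read_reply >/dev/null                           # 250 greeting
    while read -r user; do
        [ -n "$user" ] || continue
        printf 'VRFY %s\r\n' "$user" >&3
        reply=$(smtp_read_reply) || break
        verdict=$(smtp_vrfy_verdict "$reply")
        printf '%s\t%s\t%s\n' "$verdict" "$user" "$reply"
        # a server that refuses to confirm anyone answers every VRFY the same way: stop
        [ "$verdict" = unverifiable ] && break
    done < "$2"
    printf 'QUIT\r\n' >&3
    exec 3>&-
}

# Constructed replies (not captured from a real server) to exercise the classifier.
classify_sample_replies() {
    for r in '250 2.1.5 root <root@mail.example.com>' \
             '550 5.1.1 <nobody>: Recipient address rejected: User unknown' \
             '252 2.5.2 Cannot VRFY user, but will accept message and attempt delivery' \
             '502 5.5.1 VRFY command is disabled'; do
        smtp_vrfy_verdict "$r"
    done
}
```

Usage against a lab target: smtp_vrfy_enum 192.168.10.100 /temp/users.txt, which prints one tab-separated line per candidate with the verdict first so the "exists" rows can be pulled out with grep. The early exit on 252 matters in practice: a wordlist of thousands of names against a server that will not verify anyone is pure noise in the target's mail log.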


Enumeration is crucial to the success of a penetration test, and having this information on hand during the exploitation phase is a great help. With it you know which version of a service the target is running, whether it already has a known vulnerability, and how you might bypass the defenses in place. So it should never be taken for granted.



Friday, January 6, 2017

Stealth Scanning With hping3


In addition to the host discovery techniques it can perform, hping3 can also be used for port scans. This article demonstrates how to use hping3 to perform a TCP SYN ("stealth") scan.

To follow along you need a remote system that runs network services over TCP and that you are allowed to scan. In the examples an instance of Metasploitable2 is used; any other lab target works just as well.

To perform a port scan with hping3, use the --scan mode with the port number to scan, together with -S so that the probes carry the SYN flag (hping3 needs root for the raw sockets it uses).


In the example, a SYN scan was performed against TCP port 80 of the target IP address. The -S option sets the TCP flags activated in the packet sent to the remote system. The table in the output lists the attributes of the packet received in response (flags, TTL, IP id, window size and length). A SYN+ACK response was received, which means port 80 is open on the target host. Multiple ports can be scanned by passing a comma-delimited list of port numbers to --scan.

In the scan output, a row is displayed only for ports that answered with SYN+ACK. The reply to the SYN sent to port 443 is therefore not shown (a closed port answers with RST+ACK, which hping3 hides by default). To see every reply, increase the verbosity with -V (note that in hping3 lowercase -v prints the version banner). A sequential range of ports can be scanned by passing the first and last port numbers separated by a dash.

In the example, scanning ports 1 to 100 was enough to identify several services on the Metasploitable2 system. To scan all possible TCP ports, however, the whole port space must be covered. The source and destination port fields of the TCP header are each 16 bits long, and each bit can hold a 1 or a 0, so there are 2^16 = 65,536 possible TCP ports. To scan the entire space, supply a port range of 0 to 65535 to --scan.
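The commands described above, wrapped so that the result table is reduced to a list of open ports, as an added example that is not part of the original post. The scan function is written for the exact options the post uses (-S, --scan, -V); the sample table it is tested against is constructed to mirror the shape of hping3's scan output, not captured from Metasploitable2, and the target address is a placeholder. The parser decides on the flag letters in the flags column, not on their position, so it does not depend on the exact column layout.

```shell
#!/bin/sh
# Added example: run hping3's SYN scan over a port spec and parse its result table.
# Not part of the original post.  hping3 needs root; only scan hosts you are allowed to.

# Parse an hping3 --scan table read on stdin and print the ports whose reply carried
# SYN and ACK (open).  Data rows look like:
#    80 http       : .S..A... 64 0     5840   46
# Rows for closed ports (shown with -V) carry RST instead and are skipped.
hping_open_ports() {
    awk '
        # a data row: leading port number, optional service name, ":" and the flags column
        /^ *[0-9]+ .*: / {
            port  = $1
            flags = ""
            for (i = 2; i <= NF; i++) if ($i == ":") { flags = $(i + 1); break }
            if (flags ~ /S/ && flags ~ /A/ && flags !~ /R/) print port
        }
    ' | sort -nu
}

# The scan the post describes: SYN flag, verbose so every reply is shown, then reduced
# to open ports.  $1 target, $2 port spec as hping3 accepts it: 80, 80,443, 1-100, 0-65535
hping_syn_scan() {
    hping3 -S "$1" --scan "$2" -V 2>/dev/null | hping_open_ports
}

# Constructed sample of an hping3 scan table (not captured from a real host).
SAMPLE_TABLE='Scanning 192.168.10.100 (192.168.10.100), port 1-100
100 ports to scan, use -V to see all the replies
+----+-----------+---------+---+-----+-----+-----+
|port| serv name |  flags  |ttl| id  | win | len |
+----+-----------+---------+---+-----+-----+-----+
   21 ftp        : .S..A... 64 0     5840   46
   22 ssh        : .S..A... 64 0     5840   46
   23 telnet     : ..R.A... 64 0     0      46
   80 http       : .S..A... 64 0     5840   46
All replies received. Done.
Not responding ports: '

sample_open_ports() {
    printf '%s\n' "$SAMPLE_TABLE" | hping_open_ports
}
```

Against a live target: hping_syn_scan 192.168.10.100 0-65535 lists the open ports only. A port that never answers at all (filtered) appears in neither list; hping3 names those after "Not responding ports:", which the parser deliberately ignores.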



hping3 differs from some of the other tools mentioned in that it has no dedicated SYN-scan mode; instead you specify which TCP flag bits are set in the packets it sends. In this article the -S option told hping3 to set the SYN flag on the TCP packets it sent; -F, -A, -P and -U set FIN, ACK, PSH and URG in the same way, so FIN or ACK scans are built exactly like this one.

Friday, December 30, 2016




THE MILLION DOLLAR HACKING TOOL - YOUR    EYES!


 

Penetration testing is a bit more complex in this age, where everyone is trying to implement tough security on their systems and the time allowed for a test keeps shrinking. When you start a penetration test you want to be quick and effective and, most of all, go unnoticed. In this article we discuss how shoulder surfing can be used in hacking, why it is an effective method, and what the mitigations are.

 
What shoulder surfing is!

As the picture below shows, it is simply looking over the shoulder of a computer user, or of someone entering their credentials into an access control device.





Why is it effective?

With improvements in technology, systems are now protected with very strong encryption; for example, full-disk encryption with AES-256 is a standard feature on laptops today. Although most computer and mobile device users still do not turn it on, systems and devices are more secure than ever before.

Cracking those keys by brute force is not a practical option: it would take hundreds of years or more. You could walk up to the target and ask for the password, but they are not going to tell you, unless of course they are drugged or drunk. By looking over their shoulder, however, you can obtain the password and use it at a later time. What makes this so effective is that people still reuse the same password for many different accounts: get one password and you have access to many places. Unlike a password cracker or a brute-force attack, you get instant results. Once you have the password or PIN, you can use it. And it is the easiest hack there is; anyone can pull it off.

 

The challenge!

You need physical proximity. In many cases business executives use their laptops in public places like coffee shops, and sitting close to them gives you a chance to obtain a password by sight. If it is access control at a door, once you have the PIN you can use it on another occasion, for example when you want to plant an evil twin device in an office building. It is hard to watch someone type and catch the whole password, but with a body cam or a hidden camera you can still get it: with the video recording you can view it in slow motion and read off the keys to whatever you want.

 

On mobile devices.

Your eyes can help you hack a mobile device. More than once I have gained access to my friends' devices. How? Some mobile platforms offer a lock pattern as an option, and many people prefer it to a PIN or password. On touch-screen devices that works to the hacker's advantage: holding the device at an angle reveals the last drawn pattern in the smudges left by the user's finger. If the pattern is a Z, for example, it can only have been drawn in one of two directions, so at most two attempts and you are in. You will be amazed how much information you can get from a mobile device in a pentesting exercise. A caution though: some devices use the front-facing camera to capture the face of whoever attempts to unlock them; cover the camera and work at ease.

 

Mitigations

Say "excuse me" (ask the onlooker to step back) when typing your password or entering your PIN.

Use multi-factor authentication, so a password seen over your shoulder is not enough on its own.

Use biometrics for authentication; this is available even on mobile devices.

Type your password or enter your PIN quickly.

On touch-screen mobile devices, use a PIN or password instead of a lock pattern, and wipe the screen so the smudges do not give it away.

You could do this. LOL!