Gain Information for an Ethical Hack from Open Ports

As an ethical hacker, you should glean as much information as possible after scanning your systems. Determine what’s running on your open ports. You can often identify the following information:

  • Protocols in use, such as IP, IPX, and NetBIOS

  • Services running on the hosts, such as e-mail, web servers, and database applications

  • Available remote access services, such as Remote Desktop Protocol (RDP), Virtual Network Computing (VNC), and Secure Shell (SSH)

  • Virtual Private Network (VPN) services, such as PPTP, SSL, and IPsec

  • Required authentication for network shares

You can look for the following sampling of open ports (your network-scanning program reports these as accessible or open):

  • Ping (ICMP echo) replies, showing that ICMP traffic is allowed to and from the host

  • TCP port 21, showing that FTP is running

  • TCP port 23, showing that telnet is running

  • TCP ports 25 or 465 (SMTP and SMPTS), 110 or 995 (POP3 and POP3S), or 143 or 993 (IMAP and IMAPS), showing that an e-mail server is running

  • TCP/UDP port 53, showing that a DNS server is running

  • TCP ports 80, 443, and 8080, showing that a web server or web proxy server is running

  • TCP/UDP ports 135, 137, 138, 139 and, especially, 445, showing that an unprotected Windows host is running

Thousands of ports can be open — 65,534 each for both TCP and UDP, to be exact. A continually updated listing of all well-known port numbers (ports 0–1023) and registered port numbers (ports 1024–49151), with their associated protocols and services, is located at www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.txt. You can also perform a port-number lookup at www.cotse.com/cgi-bin/port.cgi.

If a service doesn’t respond on a TCP or UDP port, that doesn’t mean it’s not running. You may have to dig further to find out.

If you detect a web server running on the system that you test, you can check the software version by using one of the following methods:

  • Type the site’s name followed by a page that you know doesn’t exist, such as www.your_domain.com/1234.html. Many web servers return an error page showing detailed version information.

  • Use Netcraft’s What’s that site running? search utility, which connects to your server from the Internet and displays the web server version and operating system.

    image0.jpg

You can dig deeper for more specific information on your hosts:

  • NMapWin can determine the system OS version.

  • An enumeration utility (such as DumpSec) can extract users, groups, and file and share permissions directly from Windows.

  • Many systems return useful banner information when you connect to a service or application running on a port. For example, if you telnet to an e-mail server on port 25 by entering telnet mail.your_domain.com 25 at a command prompt, you may see something like this:

    220 mail.your_domain.com ESMTP all_the_version_info_
    you_need_to_hack Ready

    Most e-mail servers return detailed information, such as the version and the current service pack installed. After you have this information, you (and the bad guys) can determine the vulnerabilities of the system.

  • A share-finder tool, such as the one built in to GFI LanGuard, can find open Windows shares.

  • An e-mail to an invalid address might return with detailed e-mail header information. A bounced message often discloses information that can be used against you, including internal IP addresses and software versions. On certain Windows systems, you can use this information to establish unauthenticated connections and sometimes even map drives.

blog comments powered by Disqus
Advertisement

Inside Dummies.com