Gain Information for an Ethical Hack from Open Ports
As an ethical hacker, you should glean as much information as possible after scanning your systems. Determine what’s running on your open ports. You can often identify the following information:
Protocols in use, such as IP, IPX, and NetBIOS
Services running on the hosts, such as e-mail, web servers, and database applications
Available remote access services, such as Remote Desktop Protocol (RDP), Virtual Network Computing (VNC), and Secure Shell (SSH)
Virtual Private Network (VPN) services, such as PPTP, SSL, and IPsec
Required authentication for network shares
You can look for the following sampling of open ports (your network-scanning program reports these as accessible or open):
Ping (ICMP echo) replies, showing that ICMP traffic is allowed to and from the host
TCP port 21, showing that FTP is running
TCP port 23, showing that telnet is running
TCP ports 25 or 465 (SMTP and SMPTS), 110 or 995 (POP3 and POP3S), or 143 or 993 (IMAP and IMAPS), showing that an e-mail server is running
TCP/UDP port 53, showing that a DNS server is running
TCP ports 80, 443, and 8080, showing that a web server or web proxy server is running
TCP/UDP ports 135, 137, 138, 139 and, especially, 445, showing that an unprotected Windows host is running
Thousands of ports can be open — 65,534 each for both TCP and UDP, to be exact. A continually updated listing of all well-known port numbers (ports 0–1023) and registered port numbers (ports 1024–49151), with their associated protocols and services, is located at www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.txt. You can also perform a port-number lookup at www.cotse.com/cgi-bin/port.cgi.
If a service doesn’t respond on a TCP or UDP port, that doesn’t mean it’s not running. You may have to dig further to find out.
If you detect a web server running on the system that you test, you can check the software version by using one of the following methods:
Type the site’s name followed by a page that you know doesn’t exist, such as www.your_domain.com/1234.html. Many web servers return an error page showing detailed version information.
Use Netcraft’s What’s that site running? search utility, which connects to your server from the Internet and displays the web server version and operating system.
You can dig deeper for more specific information on your hosts:
NMapWin can determine the system OS version.
An enumeration utility (such as DumpSec) can extract users, groups, and file and share permissions directly from Windows.
Many systems return useful banner information when you connect to a service or application running on a port. For example, if you telnet to an e-mail server on port 25 by entering telnet mail.your_domain.com 25 at a command prompt, you may see something like this:
220 mail.your_domain.com ESMTP all_the_version_info_ you_need_to_hack Ready
Most e-mail servers return detailed information, such as the version and the current service pack installed. After you have this information, you (and the bad guys) can determine the vulnerabilities of the system.
A share-finder tool, such as the one built in to GFI LanGuard, can find open Windows shares.
An e-mail to an invalid address might return with detailed e-mail header information. A bounced message often discloses information that can be used against you, including internal IP addresses and software versions. On certain Windows systems, you can use this information to establish unauthenticated connections and sometimes even map drives.