Most of the time an attackers, wants to find out a remote service's
version, so that he can exploit it with an exploit/vulnerability, duh.
As a general rule method, a nice tool such as amap can be used to
determine the running services, their versions, and also the port(s)
they're running on. For all lazy bum, use it in this format:
But, that's too lazy, and it's not 1337 at all!
Why use tools, when you can learn a lot more by doing it manually. So,
let me take the people who do NOT know how to enumerate or exploit,
through the rabbit hole. Let's go by example.. and do the easiest one
first,
1. FTP Enumeration & Exploitation, for beginners:
a) For a server running an FTP server. To find it's version, all we do
is connect to the server, and wait like good boys and girls. Hopefully,
the admin is a dummy, and he didn't fake the banner info. So, go ahead
and ftp to the server:
We, could have done the same thing with Telnet... remember?
You've just grabbed their banner (how Schwetty!)
Now, we know the version from the result of the established connection.
Logically, Since you're a bad boy/girl you think first and foremost about getting into the server.
In order to get in, you go to google and type in "wu-2.6.2 exploit".
Hopefully, you get a code in c (.c) or perl (.pl) already coded for
you.. Or go to securityfocus, or milw0rm and find the exploit.
b) Go ahead, download the C or Perl exploit. For this example, the I found the exploit in C by using google:
c) Compile it, with GCC:
d) Point it to your victim (lol):
[If you don't know how to make exploits right now, learn how to make
your own! It won't always be this EASY, and most of the time it's not!
Learn C, Perl, Ruby, or C++. I'm only using this as an example, since I
can't cover how to to make exploits in the same tutorial. Time willing, I
will make something on that topic later.]
2. SSH Enumeration & Exploitation, for beginners:
The same concepts and techniques apply also for the SSH deamon or
service. So go ahead and telnet to it, but this time to port 22, instead
of port 21.
You've just grabbed their banner (how Schwetty!)
So, use google ('Tis really an amazing Engine!").
Download, Compile, and "point" your exploit to the target. If all went
well, then your payload should be whatever the shellcode is set to do.
[Shellcoding is also something I recommend getting into. Microprocessor
Architecture, Assembly Programming, and Hex knowledge helps a LOT in
coding your exploits.]
HOPEFULLY, since you understood the above examples work, you can apply it to other services, like:
3. SNMP (Simple Mail Transfer Protocol) on Port 25 4. POP3 (Post Office Protocol 3) on Port 110
5. DNS (Domain Name System) on Port 53
The most widely used DNS server software on Linux is Bind, so to find it's version, we use a different method:
We can see the version is: Bind 8.3.3 (so, you know what to do from here).
6. HTTP (HyperText Transfer Protocol) on Port 80
and query the server for the following info:
you should get a response resembling the following:
WOW, what a bunch of information.. There's so much we can do with this.
But it's up to you to decided what you want to attack, because we have
such a plethora of choices.
7. MySQL on Port 3306 (TCP)
Hmmm... Beautiful! We see the version, here, is 3.23.49
8. Obtaining the Victim's Telnet Server Banner (which, hopefully, reveals the OS Version...)
Now, we know their OS, and also it's version (Sun 5.8).
Thus, we go on search looking for that particular OS's vulnerabilities.
For example, I've found Several Vulnerabilities of that particular OS
Version, that are hopefully still unpatched by Administrator.
------------------------------- Solaris Whodo Buffer Overflow Vulnerability (Exploit, SOR, CFTIME)
