Finally, we’ve come to the exploitation part. We can now use the knowledge acquired so far to gain access to the target machine. Exploitation can be both server side and client side. Server side exploitation consists of direct contact with the server and does not involve any user interaction. Client side exploitation, on the other hand, is where you directly engage with the target user in order to exploit the target.
Server side exploitation will be the focus of this post. The main goal of this chapter is to familiarize the audience with the methodologies that can be used to hack into a target. The following topics will be covered:
1. Understanding the network protocols
2. Attacking network remote services
3. Introduction to Metasploit
4. Reconnaissance with Metasploit
5. Exploiting the local/remote target with Metasploit
6. Introduction to Armitage
7. Exploiting local/remote target with Metasploit
UNDERSTANDING NETWORK PROTOCOLS
Having a solid introduction to network protocols is fundamental in the server exploitation phase; you simply cannot attack a protocol without knowing how it works. I will not be explaining the ins and outs of every protocol because there are good resources available where you can learn about them, so I don’t need to reinvent the wheel. However, in this post, I will give a brief introduction to network protocols.
As a penetration tester, most of the time you would come across only three protocols:
1. TCP (Transmission Control Protocol)
2. UDP (User Datagram Protocol)
3. ICMP (Internet Control Message Protocol)
TRANSMISSION CONTROL PROTOCOL
Most of the Internet’s traffic is based upon TCP since, unlike UDP, it guarantees reliable communication. Most of the protocols that we encounter in our daily lives are based upon TCP. Common examples are FTP, SMTP, Telnet, and HTTP.
TCP is used whenever we need reliable communication between a client and a server. TCP establishes a reliable connection via the three-way handshake: the client sends a SYN, the server replies with a SYN/ACK, and the client completes the handshake with an ACK.
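The handshake above, followed step by step over a constructed packet list (this is an added example, not code from the original post); the tracker records each client/server pair's state and reports pairs whose handshake never completed, which is what a defender looks for when hunting half-open connections:

```python
# Added example (not from the original post): a minimal tracker that follows
# the TCP three-way handshake (SYN, SYN/ACK, ACK) over a constructed packet
# list and reports which client/server pairs completed it.
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    src: str      # "ip:port" of the sender
    dst: str      # "ip:port" of the receiver
    flags: str    # TCP flag letters, e.g. "S", "SA", "A"
    seq: int
    ack: int

def track_handshakes(packets):
    """Return {(client, server): state}; state is 'syn-sent',
    'syn-received' or 'established'."""
    state, isn = {}, {}          # isn: initial sequence numbers per side
    for p in packets:
        f = set(p.flags)
        if f == {"S"}:                              # step 1: client -> server SYN
            key = (p.src, p.dst)
            state[key] = "syn-sent"
            isn[key] = p.seq
        elif f == {"S", "A"}:                       # step 2: server -> client SYN/ACK
            key = (p.dst, p.src)
            if state.get(key) == "syn-sent" and p.ack == isn[key] + 1:
                state[key] = "syn-received"
                isn[(key, "srv")] = p.seq
        elif f == {"A"}:                            # step 3: client -> server ACK
            key = (p.src, p.dst)
            if state.get(key) == "syn-received" and p.ack == isn[(key, "srv")] + 1:
                state[key] = "established"
    return state

def incomplete(packets):
    """Client/server pairs whose handshake never reached 'established'."""
    return sorted(k for k, s in track_handshakes(packets).items() if s != "established")

# Constructed sample (not a real capture): one full handshake to port 21 and
# one SYN to port 25 whose SYN/ACK is never acknowledged.
SAMPLE = [
    Pkt("10.0.0.5:40001", "10.0.0.9:21", "S", 1000, 0),
    Pkt("10.0.0.9:21", "10.0.0.5:40001", "SA", 5000, 1001),
    Pkt("10.0.0.5:40001", "10.0.0.9:21", "A", 1001, 5001),
    Pkt("10.0.0.5:40002", "10.0.0.9:25", "S", 2000, 0),
    Pkt("10.0.0.9:25", "10.0.0.5:40002", "SA", 7000, 2001),
]

if __name__ == "__main__":
    for k, s in track_handshakes(SAMPLE).items():
        print(k, s)
```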
USER DATAGRAM PROTOCOL
UDP is the exact opposite of TCP. It is used for faster communication; an example would be video streaming or Skype (VoIP) calls. The advantage of this protocol over TCP is that it’s much faster and more efficient. The disadvantage of UDP is that it does not guarantee that a packet will reach its destination, since it does not perform the three-way handshake, which causes reliability issues. Some of the common UDP protocols that we will run into as penetration testers are DNS and SQL Server.
INTERNET CONTROL MESSAGE PROTOCOL
ICMP runs upon layer 3 (network layer) of the OSI model, unlike TCP and UDP, which run upon layer 4. The protocol was developed for troubleshooting error messages on a network. It is a connectionless protocol, which means that it gives us no guarantee that a packet will reach its destination. Common applications that use ICMP are “Ping” and “Traceroute.” I have discussed both of them in great detail in the “Information Gathering Techniques” post.
SERVER PROTOCOLS
In this module, we will be attacking server protocols, but as mentioned earlier, first we need to understand how they work. All server protocols are divided into two basic categories:
1. Text-based protocols
2. Binary protocols
TEXT-BASED PROTOCOLS (IMPORTANT)
Text-based protocols are human readable protocols, and this is where you, as a penetration tester, need to spend most of your time as they are very easy to understand. Common examples of text-based protocols are HTTP, FTP, and SMTP.
BINARY PROTOCOLS
Binary protocols are not human readable and are very difficult to understand; they are designed for efficiency across the wire. As a penetration tester, our primary focus would be on text/ASCII-based protocols, not binary protocols.
So let’s talk about some of the popular text-based protocols such as FTP, HTTP, and SMTP.
FTP
FTP stands for File Transfer Protocol; it runs on port 21. FTP is commonly used for uploading/downloading files from a server. FTP, in my opinion, is the weakest link in a network because it’s unencrypted, meaning that anybody on the local network can use a network sniffer to capture all the communication. The following image shows the Wireshark capture when I was trying to log in to an FTP server. The username was set to “username” and the password to “password”; as you can clearly see, the username and the password are unencrypted and sent in plain text.

Also, there are some FTP servers that allow anonymous log-ins and are often not updated/patched, making it easier for an attacker to compromise them.
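What the sniffer in the Wireshark capture above actually sees, and what a defender reviewing port 21 traffic should flag, worked over a constructed FTP control-channel transcript (an added example, not code from the original post; the `C>`/`S<` direction markers and the sample session are constructed, and the `230` login-success code is from RFC 959):

```python
# Added example (not from the original post): parse a constructed FTP
# control-channel transcript, the kind of traffic Wireshark shows on port 21,
# and report the cleartext credentials it exposes, whether the login was
# anonymous, and whether the server accepted it.
import re

# Constructed sample session; not a real capture. C> = client, S< = server.
SESSION = """\
S< 220 (vsFTPd 3.0.3)
C> USER username
S< 331 Please specify the password.
C> PASS password
S< 230 Login successful.
C> QUIT
S< 221 Goodbye.
"""

ANON_USERS = {"anonymous", "ftp"}   # conventional anonymous-login usernames

def parse_session(text):
    """Yield (direction, verb_or_code, argument) per transcript line."""
    for line in text.splitlines():
        m = re.match(r"^(C>|S<) (\S+)(?: (.*))?$", line)
        if m:
            yield m.group(1), m.group(2).upper(), m.group(3) or ""

def audit_ftp_login(text):
    """Return what an on-path sniffer learns from this login sequence."""
    user = pwd = None
    logged_in = False
    for direction, verb, arg in parse_session(text):
        if direction == "C>" and verb == "USER":
            user = arg
        elif direction == "C>" and verb == "PASS":
            pwd = arg
        elif direction == "S<" and verb == "230":   # RFC 959: user logged in
            logged_in = True
    return {
        "cleartext_user": user,
        "cleartext_password": pwd,
        "anonymous": (user or "").lower() in ANON_USERS,
        "login_succeeded": logged_in,
    }

if __name__ == "__main__":
    print(audit_ftp_login(SESSION))
```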
SMTP
SMTP stands for Simple Mail Transfer Protocol. It runs on port 25. It is used by most mail servers nowadays. As a penetration tester, we will encounter SMTP a lot, as it’s almost always exposed on the Internet and would mostly carry sensitive information.
HTTP
You open up your browser, type a URL into the address bar, and connect to the website. The protocol you are using to do this is HTTP. It runs upon port 80. It is fundamental to the web.
FURTHER READING
We will not go into specifics about protocols in this book as it does not deal with that subject. But as a penetration tester, sometimes you would run into a protocol that you haven’t seen before. The best way to learn is by reading the RFC (Request for Comments) of each protocol, which is the official documentation for that protocol. It contains the ins and outs of every protocol. I won’t ask you to memorize all the commands because it’s not necessary to do that; what is necessary is to know where to get information when needed. The RFCs are something you want to spend some time on every day. In the following, I would recommend some sources that you should spend some time on before proceeding with this discussion.