Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Sponsored by: █ Sparkhost - Hosting Without Compromises! █ Hybrid Performance Web Hosting █ Spark Host Stream Hosting █ Hybrid IRC & IRCd Server Shell Accounts

Where Do I Go From Here?

Started by Fmstrat , Oct 08 2011 06:45 AM

Please log in to reply

2 replies to this topic

#1 Fmstrat

Private

Members
4 posts

Posted 08 October 2011 - 06:45 AM

Hi all,

I'm in the learning stages of pentesting and am at a stage where I'm asking myself, "what now?" I'm learning with a friend of mine, and we're basically using his network of Windows 2003 machines behind a PFSense firewall as a lab. Below is all the information I've been able to aquire thus far (deidentified):

Pentesting with:

Backtrack 5 (updated) running in VMWare

Target systems:

PFSense firewall (so far, other than the fact that I just know this is part of the lab, I've been unable to identify that the firewall truely is PFSense via the internet)
Multiple Windows Server 2003 machines (frequently patched)

IPs on the target network:

XX.XXX.XXX.32
XX.XXX.XXX.33
XX.XXX.XXX.34
XX.XXX.XXX.35
XX.XXX.XXX.36
XX.XXX.XXX.37
XX.XXX.XXX.38

Usernames on the target network (pulled from email harvesting/defaults)

admin
administrator
flastname
first.lastname
.. (multiple variations, of course)

Nmap commands used to locate open ports (This may have been overkill in an over-the-internet test, so any suggestions here would be appreciated, too):

Syn scan: nmap --spoof-mac Apple --traceroute -v -n -O -sS -sV -Pn -oA /mnt/hgfs/pentest/DOMAIN.net/nmap.output/syn --log-errors --append-output -p- -iL /mnt/hgfs/pentest/DOMAIN.net/ipaddresses.txt
UDP scan: nmap --spoof-mac Apple --traceroute -v -n -sU -sV -oA /mnt/hgfs/pentest/DOMAIN.net/nmap.output/udp --log-errors --append-output -iL /mnt/hgfs/pentest/DOMAIN.net/ipaddresses.txt
Xmas scan: nmap --spoof-mac Apple --traceroute -v -n -sX -Pn -oA /mnt/hgfs/pentest/DOMAIN.net/nmap.output/xmas --log-errors --append-output -p- -iL /mnt/hgfs/pentest/DOMAIN.net/ipaddresses.txt
Null scan: nmap --spoof-mac Apple --traceroute -v -n -sN -Pn -oA /mnt/hgfs/pentest/DOMAIN.net/nmap.output/null --log-errors --append-output -p- -iL /mnt/hgfs/pentest/DOMAIN.net/ipaddresses.txt

Ports found/services:

host   		port   proto  name   		state   info
----   		----   -----  ----   		-----   ----
XX.XXX.XXX.34  25 	tcp    smtp   		open    Microsoft ESMTP 6.0.3790.3959
XX.XXX.XXX.34  53 	tcp    domain 		open
XX.XXX.XXX.34  80 	tcp    http   		open    Microsoft IIS httpd 6.0
XX.XXX.XXX.34  110    tcp    tcpwrapped 	open
XX.XXX.XXX.34  143    tcp    imap   		open    Microsoft Exchange imapd refused
XX.XXX.XXX.34  389    tcp    ldap   		open
XX.XXX.XXX.34  443    tcp    http   		open    Microsoft IIS httpd 6.0
XX.XXX.XXX.34  1723   tcp    pptp   		open    Microsoft (Firmware: 3790)
XX.XXX.XXX.34  3389   tcp    microsoft-rdp  open    Microsoft Terminal Service
XX.XXX.XXX.34  22020  tcp    unknown        open
XX.XXX.XXX.35  1723   tcp    pptp   		open    Microsoft (Firmware: 3790)
XX.XXX.XXX.35  3389   tcp    microsoft-rdp  open    Microsoft Terminal Service
XX.XXX.XXX.35  22020  tcp    unknown        open
XX.XXX.XXX.36  25 	tcp    smtp   		open    Microsoft ESMTP 6.0.3790.3959
XX.XXX.XXX.36  53 	tcp    domain 		open    Microsoft DNS
XX.XXX.XXX.36  80 	tcp    http   		open    Microsoft IIS httpd 7.0
XX.XXX.XXX.36  110    tcp    tcpwrapped 	open
XX.XXX.XXX.36  143    tcp    imap   		open    Microsoft Exchange imapd refused
XX.XXX.XXX.36  389    tcp    ldap   		open
XX.XXX.XXX.36  500    udp    isakmp 		open
XX.XXX.XXX.36  1723   tcp    pptp   		open    Microsoft (Firmware: 3790)
XX.XXX.XXX.36  3389   tcp    microsoft-rdp  open    Microsoft Terminal Service
XX.XXX.XXX.36  5001   udp    commplex-link  closed
XX.XXX.XXX.36  22020  tcp    unknown        open
XX.XXX.XXX.37  1723   tcp    pptp   		open    Microsoft (Firmware: 3790)
XX.XXX.XXX.37  22020  tcp    unknown        open
XX.XXX.XXX.38  113    tcp    auth   		closed

Other Information I've located

.36 runs Gallery Server Pro on the webserver. All other web ports are default IIS pages.

What I've tried thus far:

I've run everything through Nessus, and no vulnerabilities were located.
I've tried enumeration on the SMTP service, but it didn't work, and quickly realized it was because Exchange 2003 has no VRFY vulnerability.
I've checked for vulnerabilities in Gallery Server Pro, and he's running an updated version.
I've tried brute forcing a coupld of services with a wordlist, but none of them seem to work (Hydra just exits)

So far, I think it's safe to say his network is pretty secure (at least from the outside), but what would everyone do next? Have we been thorough enough?

Thanks!

Back to top

#2 Glyph

General of the Army

GSO Management
1,597 posts

Posted 10 October 2011 - 12:49 PM

Hi all,

I'm in the learning stages of pentesting and am at a stage where I'm asking myself, "what now?" I'm learning with a friend of mine, and we're basically using his network of Windows 2003 machines behind a PFSense firewall as a lab. Below is all the information I've been able to aquire thus far (deidentified):

Pentesting with:
Backtrack 5 (updated) running in VMWare
Target systems:
PFSense firewall (so far, other than the fact that I just know this is part of the lab, I've been unable to identify that the firewall truely is PFSense via the internet)
Multiple Windows Server 2003 machines (frequently patched)
IPs on the target network:
XX.XXX.XXX.32
XX.XXX.XXX.33
XX.XXX.XXX.34
XX.XXX.XXX.35
XX.XXX.XXX.36
XX.XXX.XXX.37
XX.XXX.XXX.38
Usernames on the target network (pulled from email harvesting/defaults)
admin
administrator
flastname
first.lastname
.. (multiple variations, of course)
Nmap commands used to locate open ports (This may have been overkill in an over-the-internet test, so any suggestions here would be appreciated, too):
Syn scan: nmap --spoof-mac Apple --traceroute -v -n -O -sS -sV -Pn -oA /mnt/hgfs/pentest/DOMAIN.net/nmap.output/syn --log-errors --append-output -p- -iL /mnt/hgfs/pentest/DOMAIN.net/ipaddresses.txt
UDP scan: nmap --spoof-mac Apple --traceroute -v -n -sU -sV -oA /mnt/hgfs/pentest/DOMAIN.net/nmap.output/udp --log-errors --append-output -iL /mnt/hgfs/pentest/DOMAIN.net/ipaddresses.txt
Xmas scan: nmap --spoof-mac Apple --traceroute -v -n -sX -Pn -oA /mnt/hgfs/pentest/DOMAIN.net/nmap.output/xmas --log-errors --append-output -p- -iL /mnt/hgfs/pentest/DOMAIN.net/ipaddresses.txt
Null scan: nmap --spoof-mac Apple --traceroute -v -n -sN -Pn -oA /mnt/hgfs/pentest/DOMAIN.net/nmap.output/null --log-errors --append-output -p- -iL /mnt/hgfs/pentest/DOMAIN.net/ipaddresses.txt
Ports found/services:
host   		port   proto  name   		state   info
----   		----   -----  ----   		-----   ----
XX.XXX.XXX.34  25 	tcp    smtp   		open    Microsoft ESMTP 6.0.3790.3959
XX.XXX.XXX.34  53 	tcp    domain 		open
XX.XXX.XXX.34  80 	tcp    http   		open    Microsoft IIS httpd 6.0
XX.XXX.XXX.34  110    tcp    tcpwrapped 	open
XX.XXX.XXX.34  143    tcp    imap   		open    Microsoft Exchange imapd refused
XX.XXX.XXX.34  389    tcp    ldap   		open
XX.XXX.XXX.34  443    tcp    http   		open    Microsoft IIS httpd 6.0
XX.XXX.XXX.34  1723   tcp    pptp   		open    Microsoft (Firmware: 3790)
XX.XXX.XXX.34  3389   tcp    microsoft-rdp  open    Microsoft Terminal Service
XX.XXX.XXX.34  22020  tcp    unknown        open
XX.XXX.XXX.35  1723   tcp    pptp   		open    Microsoft (Firmware: 3790)
XX.XXX.XXX.35  3389   tcp    microsoft-rdp  open    Microsoft Terminal Service
XX.XXX.XXX.35  22020  tcp    unknown        open
XX.XXX.XXX.36  25 	tcp    smtp   		open    Microsoft ESMTP 6.0.3790.3959
XX.XXX.XXX.36  53 	tcp    domain 		open    Microsoft DNS
XX.XXX.XXX.36  80 	tcp    http   		open    Microsoft IIS httpd 7.0
XX.XXX.XXX.36  110    tcp    tcpwrapped 	open
XX.XXX.XXX.36  143    tcp    imap   		open    Microsoft Exchange imapd refused
XX.XXX.XXX.36  389    tcp    ldap   		open
XX.XXX.XXX.36  500    udp    isakmp 		open
XX.XXX.XXX.36  1723   tcp    pptp   		open    Microsoft (Firmware: 3790)
XX.XXX.XXX.36  3389   tcp    microsoft-rdp  open    Microsoft Terminal Service
XX.XXX.XXX.36  5001   udp    commplex-link  closed
XX.XXX.XXX.36  22020  tcp    unknown        open
XX.XXX.XXX.37  1723   tcp    pptp   		open    Microsoft (Firmware: 3790)
XX.XXX.XXX.37  22020  tcp    unknown        open
XX.XXX.XXX.38  113    tcp    auth   		closed
Other Information I've located
.36 runs Gallery Server Pro on the webserver. All other web ports are default IIS pages.
What I've tried thus far:
I've run everything through Nessus, and no vulnerabilities were located.
I've tried enumeration on the SMTP service, but it didn't work, and quickly realized it was because Exchange 2003 has no VRFY vulnerability.
I've checked for vulnerabilities in Gallery Server Pro, and he's running an updated version.
I've tried brute forcing a coupld of services with a wordlist, but none of them seem to work (Hydra just exits)

So far, I think it's safe to say his network is pretty secure (at least from the outside), but what would everyone do next? Have we been thorough enough?

Thanks!

I'd run an ldap browser against port 389, great for gathering internal structures/users/groups.
Use that info and a really good word list and just launch thc hydra.

http://www.governmen...showtopic=15611

Back to top

#3 Fmstrat

Private

Members
4 posts

Posted 12 October 2011 - 12:55 PM

I'd run an ldap browser against port 389, great for gathering internal structures/users/groups.
Use that info and a really good word list and just launch thc hydra.

I'm guessing I can't connect to the ldap services anonymously, as Luma throws the "Could not retrieve baseDN. Reason: {'desc': "Can't contact LDAP server"}" error. Having said that, I don't have much to go on from a brute force perspective. (I also happen to know the lab passwords are not susceptible to the word lists I have, but am continuing down every path an attacker would).

Any other ideas, or is this test finished?

Thanks!