Page 1 of 2 (results 1 to 10 of 15)

Thread: Need some help

#1, Member (joined May 2008, 190 posts)

Need some help

I'm trying to get some practice in at my apartment. I have 4 computers hooked up on my router. I'm trying to get into a Windows-based computer. Any advice on which exploit to look into?

    PORT STATE SERVICE
    135/tcp open msrpc
    139/tcp open netbios-ssn
    445/tcp open microsoft-ds
    1030/tcp open iad1
    1080/tcp open socks
    2105/tcp open eklogin
    3389/tcp open ms-term-serv
    7000/tcp open afs3-fileserver

  2. #2
    Super Moderator Archangel-Amael's Avatar
    Join Date
    Jan 2010
    Location
    Somewhere
    Posts
    8,012

    Default

Originally posted by drakoth777:
    I'm trying to get some practice in at my apartment. I have 4 computers hooked up on my router. I'm trying to get into a Windows-based computer. Any advice on which exploit to look into?

Just because you have shown us the ports from your scanning means nothing.
In order for you to attack a machine you are going to have to look at the OS: are there service packs installed? What is running on those ports, what are their versions, and are the apps that are running vulnerable? I would suggest further research on your part.
    To be successful here you should read all of the following.
    ForumRules
    ForumFAQ
    If you are new to Back|Track
    Back|Track Wiki
    Failure to do so will probably get your threads deleted or worse.

#3, Member (joined May 2008, 190 posts)

It's got WinXP with SP2. I ran an nmap -sV on those ports:

    135/tcp open msrpc Microsoft Windows RPC
    139/tcp open netbios-ssn
    445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
    1030/tcp open msrpc Microsoft Windows RPC
    1080/tcp open socks?
    2105/tcp open msrpc Microsoft Windows RPC
    3389/tcp open microsoft-rdp Microsoft Terminal Service
    7000/tcp open afs3-fileserver?

#4, Archangel-Amael, Super Moderator (joined Jan 2010, location: Somewhere, 8,012 posts)

Originally posted by drakoth777:
    It's got WinXP with SP2. I ran an nmap -sV on those ports.

That part was obvious. Re-read what I posted above in regards to services running on those ports and then find out what, if anything, is vulnerable.

Just because a certain port is open does not mean that a certain service is set to listen on that port. For example, someone may choose to use port 8080, 81, 82, 8090 etc. for their HTTP data instead of 80, or they may even use another port!

#5, hhmatt, Very good friend of the forum (joined Jan 2010, 660 posts)

Originally posted by drakoth777:
    It's got WinXP with SP2. I ran an nmap -sV on those ports:

    135/tcp open msrpc Microsoft Windows RPC
    139/tcp open netbios-ssn
    445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
    1030/tcp open msrpc Microsoft Windows RPC
    1080/tcp open socks?
    2105/tcp open msrpc Microsoft Windows RPC
    3389/tcp open microsoft-rdp Microsoft Terminal Service
    7000/tcp open afs3-fileserver?

I think what arch is trying to get at is that you need to look into and learn what is called banner grabbing. Once you know how to scan with nmap properly and get the versions and names of the services that those open ports belong to, then you can start thinking about what to exploit.

#6, Just burned his ISO (joined Mar 2006, 21 posts)

Hey, I'm fairly new to this myself, but I'm really good with Google. So I did a little searching, and I think you will like what I have found.

    hxxp://neoyudhax.blogspot.com/2005/02/nmap-tutorial-bab-ii.html

Question for the other guys. Does BT3 have amap, or is there an nmap command to do the same thing as amap? The command suggested in the tutorial is this:

    nmap -oG amap.nmap -sT 192.168.0.4; amap -B -i amap.nmap.gnmap

#7, Member (joined May 2008, 190 posts)

    PORT STATE SERVICE
    21/tcp closed ftp
    22/tcp closed ssh
    80/tcp closed http
    139/tcp open netbios-ssn
    445/tcp open microsoft-ds
    3389/tcp closed ms-term-serv
    MAC Address: 00:0E:A6:4E:87:32 (Asustek Computer)

How do I scan for the versions running on those open ports? I took the nmap tutorial, but it said nothing solid about finding versions. The only thing I could think of would be -sV. Could you guys give me some clues? I also tried using
amap -B -v 192.168.1.102 139
amap -B -v 192.168.1.102 445
but no banners were picked up.

amap -A -v 192.168.1.102 445 said this:
Protocol on 192.168.1.102:445/tcp (by trigger ms-ds) matches ms-ds
but there's no version on it. Could you guys point me in the right direction?

    I'm more than willing to learn. Do you guys have any other links that lead to some good reading so I could better understand how to do this?

#8, Member (joined May 2008, 190 posts)

Also, a few questions.

What does the nmap option -M 1000 do exactly?
I know the 1000 stands for the number of sockets. I've heard it's more effective, but in what way? If you use more sockets, does it provide more accuracy on whether the ports are open, closed or filtered, at the cost of the target being able to snort it out? Or does it create more noise on the target to create a denial of service?

Also, does the target system have to be running Snort to create logs to see if it's been scanned? I'm sure there are other programs. But I noticed while I was scanning the WinXP target computer, no alerts from the Windows firewall or anything came out on the WinXP computer. So, if the average computer-educated person is using WinXP, he more than likely won't know that I'm scanning him? Because I was using nmap -T 5 -M 1000 -sT 192.168.1.102 and still no alerts came out on the WinXP target computer.

Any good books or online resources to read that would help me understand all this better? Please send me the link or the title and author of the book.

Also, I know that when a port is filtered, it means it's "possibly" being firewalled, depending on how accurate the scan was. However, when is a port open and when is a port closed? Is a port open when it's in use? Because, on my Windows box, which is running WinXP with SP2, I go to the firewall exceptions and I put FTP and SSH, ports 21 and 22 respectively, on TCP. But when I run an nmap scan, they're closed. They're unfiltered, so I know the firewall isn't blocking them. But are they just closed because they aren't in use? For example, on that target system, if I use Wise FTP and download or upload a file, while that's occurring, will that port be open? Anyway, please let me know.
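Posts #5 and #8 above touch on two things the thread never shows concretely: what "banner grabbing" actually does on the wire, and when a connect scan calls a port open, closed or filtered. The block below is an added example, not code from the thread, from nmap or from amap. It is a minimal TCP connect probe in Python that classifies the handshake result (completed, refused, or timed out) and then reads whatever the service sends without being asked. To keep it runnable offline it starts two fake services on 127.0.0.1: one that greets the client like an FTP daemon, and one that stays silent until the client speaks first, which is how SMB on 445 behaves and is why a passive grab such as `amap -B` shows nothing there; nmap's -sV gets its Windows XP string by sending protocol-specific probes instead. The banner text, the helper names (probe, scan, start_listener, free_closed_port) and the port numbers are all constructed for this example. It also answers the closed-port question in passing: a port is closed when nothing is listening on it, and a firewall exception only permits traffic, it does not create a listener.

```python
"""Connect-scan a handful of TCP ports and grab whatever banner each service volunteers.

Added example, not code from the thread. Two throwaway listeners on 127.0.0.1
stand in for real services: one greets the client the way an FTP daemon does,
the other stays silent until the client speaks first, which is how SMB on 445
behaves and why a passive banner grab shows nothing there. The banner text,
ports and helper names are constructed for this example.
"""
import socket
import threading

TIMEOUT = 1.0  # seconds to wait for the handshake, and again for a banner


def probe(host, port, timeout=TIMEOUT):
    """Return (state, banner) for one TCP port.

    state follows the usual connect-scan reading of the handshake:
      handshake completes            -> 'open'     (something is listening)
      RST / connection refused       -> 'closed'   (reachable, nothing listening)
      no reply before the timeout    -> 'filtered' (dropped in transit, e.g. by a firewall)
      any other socket error         -> 'error'    (unreachable network, etc.)
    banner is the first line the service sends without being asked, or None.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        try:
            s.connect((host, port))
        except ConnectionRefusedError:
            return "closed", None
        except socket.timeout:
            return "filtered", None
        except OSError:
            return "error", None
        try:
            data = s.recv(1024)
        except (socket.timeout, ConnectionResetError):
            return "open", None  # open, but the service waits for us to talk first
        banner = data.decode("ascii", "replace").strip()
        return "open", banner or None
    finally:
        s.close()


def scan(host, ports):
    """Probe each port in turn; returns {port: (state, banner)}."""
    return {port: probe(host, port) for port in ports}


def start_listener(banner):
    """Start a daemon thread serving a fake service on a free loopback port.

    banner=None models a protocol where the server says nothing until the
    client sends its first message. Returns the port number.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                if banner is not None:
                    conn.sendall(banner)
                else:
                    conn.settimeout(TIMEOUT * 3)
                    try:
                        conn.recv(1024)  # wait for the client; never answer
                    except OSError:
                        pass

    threading.Thread(target=serve, daemon=True).start()
    return port


def free_closed_port():
    """Pick a loopback port with nothing listening on it, for the 'closed' case."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    ftp_like = start_listener(b"220 example FTP server ready\r\n")  # constructed banner
    smb_like = start_listener(None)
    nothing = free_closed_port()
    for port, (state, banner) in scan("127.0.0.1", [ftp_like, smb_like, nothing]).items():
        print(f"{port}/tcp {state:<8} {banner or '(no banner)'}")
```

Running it prints one line per port: the FTP-like port is open with its greeting, the SMB-like port is open with no banner, and the unused port is closed. The 'filtered' branch only fires against a host that silently drops the SYN, which a loopback demo cannot reproduce.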

#9, Archangel-Amael, Super Moderator (joined Jan 2010, location: Somewhere, 8,012 posts)

    The best things that you can do in order to learn would be to have a look at these resources:
    http://nmap.org/docs.html
    This is the home of nmap and of course the best documentation that you will find comes from there.
    As for amap it is old and I am pretty sure it is mostly outdated, however here is the readme:
    http://freeworld.thc.org/thc-amap/README
    You can also have a look here on the forums I have done several nmap tutorials. Just have a search for them.
    There is also
    Code:
    #nmap --help
    and
    Code:
    #man nmap

#10, Member (joined May 2008, 190 posts)

Alright Archangel, just read up on
$ man nmap
That clarified a lot. I never realized how well they explain a program in man <program>. Anyhow, I ended up running

nmap -sV --version-all 192.168.1.102 (which gives it a search intensity of 9)

    Starting Nmap 4.52 at 2008-05-17 00:10 CDT
    Interesting ports on 192.168.1.102:
    Not shown: 1708 filtered ports
    PORT STATE SERVICE VERSION
    21/tcp closed ftp
    22/tcp closed ssh
    80/tcp closed http
    139/tcp open netbios-ssn
    445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
    3389/tcp closed ms-term-serv
    MAC Address: 00:0E:A6:4E:87:32 (Asustek Computer)
    Service Info: OS: Windows

    Host script results:
    |_ Discover OS Version over NetBIOS and SMB: Windows XP

Still no versions. What else can I run? I'm pretty sure -sV with --version-all was my best hope. I mean, isn't -sV the only scan that gives versions? What am I missing here? Any other clues? Maybe there are no versions for ports 139 and 445 in the nmap version database.

    As for now, I'm reading up on nmap.org. Let me know what you think. Thanks.
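The command in post #6 writes nmap's greppable output (-oG) for amap to read, and post #10 ends with the question of which open ports still lack a version string. The block below is an added example, not code from the thread or from nmap: a small parser for the greppable format, which packs each scanned port into the tab-separated 'Ports:' field as port/state/protocol/owner/service/rpc-info/version/. It then lists the open ports and flags the ones -sV left unversioned, which are the ones still needing a manual look. SAMPLE_GNMAP is a constructed line built from the results pasted above (the timestamp and command line in it are made up), and the helper names parse_gnmap, open_ports and unversioned_open are chosen for this example.

```python
"""Parse nmap greppable (-oG) output into per-host port records.

Added example, not code from the thread. Greppable output packs each
scanned port into a 'Ports:' field as
    port/state/protocol/owner/service/rpc-info/version/
with entries separated by ', ' and the line's other fields separated by
tabs. SAMPLE_GNMAP below is a constructed line built from the results the
original poster pasted; open_ports() and unversioned_open() are helper names
chosen for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Port:
    number: int
    state: str
    proto: str
    service: str
    version: str  # empty string when -sV could not fingerprint the service


# Constructed sample: the -sV --version-all results from the thread, as nmap
# would write them with -oG (timestamp and command line are made up).
SAMPLE_GNMAP = (
    "# Nmap 4.52 scan initiated Sat May 17 00:10:00 2008 as: "
    "nmap -sV --version-all -oG - 192.168.1.102\n"
    "Host: 192.168.1.102 ()\tStatus: Up\n"
    "Host: 192.168.1.102 ()\tPorts: 21/closed/tcp//ftp///, 22/closed/tcp//ssh///, "
    "80/closed/tcp//http///, 139/open/tcp//netbios-ssn///, "
    "445/open/tcp//microsoft-ds//Microsoft Windows XP microsoft-ds/, "
    "3389/closed/tcp//ms-term-serv///\tIgnored State: filtered (1708)\n"
    "# Nmap done at Sat May 17 00:12:00 2008 -- 1 IP address (1 host up) scanned\n"
)


def parse_gnmap(text):
    """Return {host: [Port, ...]} from greppable output, skipping comment and Status lines."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        # Each tab-separated field is 'Name: value'.
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        host = fields["Host"].split()[0]  # drop the '(hostname)' suffix
        ports = []
        for entry in fields["Ports"].split(", "):
            parts = entry.strip().split("/")
            if len(parts) < 7:
                continue  # malformed entry: skip it rather than abort the whole file
            number, state, proto, _owner, service, _rpc, version = parts[:7]
            ports.append(Port(int(number), state, proto, service, version))
        hosts.setdefault(host, []).extend(ports)
    return hosts


def open_ports(ports):
    """Only the entries nmap reports as open; closed and filtered are noise here."""
    return [p for p in ports if p.state == "open"]


def unversioned_open(ports):
    """Port numbers that are open but carry no version string from -sV.

    These are the ones still needing a manual look: a protocol-aware client,
    a netcat session, or a better probe.
    """
    return [p.number for p in open_ports(ports) if not p.version]


if __name__ == "__main__":
    for host, ports in parse_gnmap(SAMPLE_GNMAP).items():
        print(host)
        for p in open_ports(ports):
            print(f"  {p.number}/{p.proto} {p.service:<14} {p.version or '(no version)'}")
        print("  still unversioned:", unversioned_open(ports))
```

On the sample this reports 139 and 445 as open and 139 as the one port -sV could not version, which matches the output posted above. Pointing parse_gnmap at a real file (`nmap -sV -oG scan.gnmap <target>`, then `open('scan.gnmap').read()`) gives the same per-host list for a whole subnet.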

