Thread: Service finding

  1. #1
    Just burned his ISO
    Join Date
    Jul 2009
    Posts
    3

    Service finding

    This is my first post to this forum, so hello.

    I am currently "pentesting" my website, trying to hack into it. Social engineering myself is cheating, as is social engineering my boss, so social engineering is out (except for social engineering the web hosting company, but that is something that I would like to avoid (I could "cheat" and make it very easy due to my knowledge as a web admin for the site. I will do it as a last resort, but I would rather learn something new)). If grabbing a banner using ncat fails to reveal service types, versions, and anything else, and nmap only gives a 90% secure guess on operating system type without reliable version information, and nothing on the version of the ftp, http, smtp, etc. services running on various ports, but is still able to get the type of service running on a given open port, is there any other way for me to find out the versions my website/webhost is running?

    Thanks to any responders in advance.

  2. #2
    Super Moderator Archangel-Amael's Avatar
    Join Date
    Jan 2010
    Location
    Somewhere
    Posts
    8,012

    Quote Originally Posted by RedScare:
    ", and nmap only gives a 90% secure guess on operating system type without reliable version information, and nothing on the version of the ftp, http, smtp, etc."
    You really need to re-think and re-read how nmap works and its capabilities.
    nmap will tell you better than 90% in most cases. It will tell you services, given that a service is running and it responds to the probes sent out by nmap.
    If the server responds to probes of any sort then one is going to be able to find out what is being offered on a given port.
    To be successful here you should read all of the following.
    ForumRules
    ForumFAQ
    If you are new to Back|Track
    Back|Track Wiki
    Failure to do so will probably get your threads deleted or worse.

  3. #3
    Developer
    Join Date
    Mar 2007
    Posts
    6,124

    What you are doing is most likely a violation of your web hosting company's TOS. Maybe I should report you.

  4. #4

    Maybe posts like this are useless.

    The reasons are always the same.

    "I just want to check the security of my ....network...wlan....homepage...."

    very sad...-.-
    www.myownremote.blogspot.com

  5. #5
    Super Moderator lupin's Avatar
    Join Date
    Jan 2010
    Posts
    2,943

    Sometimes version information is provided in error messages, such as error messages from the HTTP server (like 404 page missing errors), or error messages from server side scripts that fail.

    You may also want to make sure that you are sending the right requests when you try banner grabbing. You won't get any "banner grabbable" response from an HTTP server with an ncat connection unless you send the server a valid HTTP request that it supports.

    Edit: Oh yeah, and Pureh@te is right, you need permission from your hosting company to pen test a site hosted by them. Stop now if you don't have it!
    Capitalisation is important. It's the difference between "Helping your brother Jack off a horse" and "Helping your brother jack off a horse".

    The Forum Rules, Forum FAQ and the BackTrack Wiki... learn them, love them, live them.

  6. #6
    Just burned his ISO
    Join Date
    Jul 2009
    Posts
    3

    Alright then, in order:

    @archangel.amael : I'm pretty sure I'm using nmap correctly. Isn't it possible to block or spoof the fingerprints that nmap reads?

    @pureh@te : Is it really worth it? Anyway, I'm only looking at service versions; that's still legal in my country (it's all I plan to do).

    @Reeth : I could get the information I'm asking about by social engineering people relatively easily. Why would I bother?

    @lupin : I'm assuming the same applies for ftp and other connections?

    Thanks for the responses.

  7. #7
    Super Moderator lupin's Avatar
    Join Date
    Jan 2010
    Posts
    2,943

    Quote Originally Posted by RedScare:
    "@lupin : I'm assuming the same applies for ftp and other connections?"
    Each service will respond differently to different probes. FTP, for example, will give up some information after just a carriage return before requiring you to log on. That information may sometimes contain version info.

    Nmap and amap use a variety of different probes to elicit this version information from services. Have a look at the nmap-service-probes file for more information.
    Capitalisation is important. It's the difference between "Helping your brother Jack off a horse" and "Helping your brother jack off a horse".

    The Forum Rules, Forum FAQ and the BackTrack Wiki... learn them, love them, live them.
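    lupin's two posts above (#5 and #7) describe the mechanism that the nmap-service-probes file encodes: FTP and SMTP greet you as soon as you connect, while an HTTP server says nothing until it receives a valid request. The Python below is an added example, not code from this thread or from nmap; its probe table, regexes and sample responses are constructed, and grab() can be pointed at a host you administer to check what its banners disclose.

```python
import re
import socket

# Probe table in the spirit of nmap-service-probes (constructed here): a NULL
# probe that just listens after connecting, which is all FTP and SMTP need,
# and a GetRequest probe, since HTTP says nothing until it gets a request.
PROBES = [
    ("NULL", b"", [
        ("ftp", re.compile(rb"^220[ -].*?(vsFTPd [\d.]+|ProFTPD [\d.]+)")),
        ("smtp", re.compile(rb"^220 \S+ ESMTP (.+?)\r?\n")),
    ]),
    ("GetRequest", b"HEAD / HTTP/1.0\r\n\r\n", [
        ("http", re.compile(rb"^HTTP/1\.[01] \d{3}.*?\r\nServer: ([^\r\n]+)", re.S)),
    ]),
]

def identify(response: bytes, probe_name: str):
    """Match a response to the named probe; return (service, banner) or None."""
    for name, _probe, matches in PROBES:
        if name != probe_name:
            continue
        for service, pattern in matches:
            m = pattern.search(response)
            if m:
                return service, m.group(1).decode("ascii", errors="replace")
    return None

def discloses_version(banner: str) -> bool:
    """True if the banner carries a version number (e.g. 'Apache/2.2.3')."""
    return re.search(r"\d+\.\d+", banner) is not None

def grab(host: str, port: int, timeout: float = 3.0):
    """Try each probe in turn against host:port; return the first hit."""
    for name, probe, _matches in PROBES:
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                if probe:
                    s.sendall(probe)
                data = s.recv(1024)  # the NULL probe on an HTTP port times out here
        except OSError:
            continue
        hit = identify(data, name)
        if hit:
            return hit
    return None

# Constructed sample responses, not captured from any real host.
SAMPLE_FTP = b"220 (vsFTPd 2.0.8)\r\n"
SAMPLE_SMTP = b"220 mail.example.com ESMTP Postfix\r\n"
SAMPLE_HTTP = b"HTTP/1.1 200 OK\r\nServer: Apache/2.2.3 (CentOS)\r\n\r\n"
SAMPLE_HTTP_QUIET = b"HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n"  # ServerTokens Prod
```

    The two HTTP samples show the difference between a default Server header and one trimmed by the server's configuration; discloses_version() is the check to run against your own banners.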

  8. #8
    Moderator KMDave's Avatar
    Join Date
    Jan 2010
    Posts
    2,281

    Did you do any pentesting before or is that your first time?

    Sounds like the latter one to me.
    Tiocfaidh ár lá

  9. #9
    My life is this forum thorin's Avatar
    Join Date
    Jan 2010
    Posts
    2,629

    Quote Originally Posted by RedScare:
    "If grabbing a banner using ncat fails to reveal service types, versions, and anything else, and nmap only gives a 90% secure guess on operating system type without reliable version information, and nothing on the version of the ftp, http, smtp, etc. services running on various ports, but is still able to get the type of service running on a given open port, is there any other way for me to find out the versions my website/webhost is running?"
    Did you run nmap with either -A or -sV? Have you tried another tool like Nessus or httprint? Have you tried default accounts for ftp and smtp? etc.

    As someone else suggested, purposefully triggering server errors (particularly WRT http servers/services) can be very revealing. Try directory listings, 404s, requests for active page types (blef.aspx, blef.ashx, etc.), purposefully try to cause an HTTP 500 error by submitting a form with some invalid parameters or with the expected parameters simply removed (you might need a personal proxy for this), try requests via HTTP 0.9 and 1.0 instead of 1.1, try HEAD requests instead of full GETs or POSTs, etc.
    I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.

    I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.
