Service finding

[RedScare]

This is my first post to this forum, so hello.

I am currently "pentesting" my website, trying to hack into it. Social engineering myself is cheating, as is social engineering my boss, so social engineering is out (except for social engineering the web hosting company, but that is something that I would like to avoid (I could "cheat" and make it very easy due to my knowledge as a web admin for the site. I will do it as a last resort, but I would rather learn something new)). If grabbing a banner using ncat fails to reveal service types, versions, and anything else, and nmap only gives a 90% secure guess on operating system type without reliable version information, and nothing on the version of the ftp, http, smtp, etc. services running on various ports, but is still able to get the type of service running on a given open port, is there any other way for me to find out the versions my website/webhost is running?

Thanks to any responders in advance.

[Archangel-Amael]

, and nmap only gives a 90% secure guess on operating system type without reliable version information, and nothing on the version of the ftp, http, smtp, etc.

You really need to re-think re-read how nmap works and it's capabilities.
nmap will tell you better than 90% in most cases. It will tell you services given that a service is running and it responds to the probes sent out by nmap.
If the server responds to probes of any sort then one is going to be able to find out what is being offered on a given port.

[purehate]

What you are doing is a violation of your web hosting companies TOS most likely. Maybe I should report you.

[reeth]

Maybee post's like this are useless

The reasons are always the same.

" I just want to check the security o my ....network...wlan....homepage....

very sad...-.-

[lupin]

Sometimes version information is provided in error messages, such as error messages from the HTTP server (like 404 page missing errors), or error messages from server side scripts that fail.

You may also want to make sure that you are sending the right requests when you try banner grabbing. You wont get any "banner grabbable" response from a HTTP server with an ncat connection unless you send the server a valid HTTP request that it supports.

Edit: Oh yeah, and Pureh@te is right, you need permission from your hosting company to pen test a site hosted by them. Stop now if you dont have it!

[RedScare]

Alright then, in order:

@archangel.amael : I'm pretty sure I'm using nmap correctly. Isn't it possible to block or spoof fingerprints than nmap reads?

@pureh@te : Is it really worth it? Anyway, I'm only looking at service versions, that's still legal in my country (it's all I plan to do).

@Reeth : I could get the information I'm asking about by social engineering people relatively easily. Why would I bother?

@lupin : I'm assuming the same applies for ftp and other connections?

Thanks for the responses.

[lupin]

@lupin : I'm assuming the same applies for ftp and other connections?

Each service will respond differently to different probes. FTP for example will give up some information after just a carriage return before requiring you to logon. That information may sometimes contain version info.

Nmap and amap use a variety of different probes to elicit this version information from services. Have a look at the nmap-service-probes file for more information.

[KMDave]

Did you do any pentesting before or is that your first time?

Sounds like the later one to me.

[RedScare]

@KMDave : Yep, first time. I've looked into the theory before, and tried social engineering before, but this is the first "in the field" experience for me where I want to use only the computer. Why do you ask?

@lupin : Thanks, I'll look into that when I got some time.

[Gitsnik]

Why do you ask?

Probably because it was obvious.
Get yourself a virtual machine program and run up a lot of older OS's, create a lab and learn to crack systems in there - rather than (potentially) breaching all sorts of laws on public hosts, not to mention risking destruction of data or denial of service. Working within the lab environment is safest anyway and you can install sniffing software on every host so you can analyse how an attack works from the attackers point of view and the victims point of view. A greater understanding will improve your skills immensely.