I seem to be missing something, and need to be pointed in the right direction if you don't mind. In my lab I have a fully patched Vista and XP box and am attacking with a BT 4 box.
As they are fully patched, Metasploit attacks are a no go. Now, I am assuming that some of the software on each box is exploitable, such as firefox, and various p2p programs I have running.
Although I know what software I have installed, I don't know how an attacker would identify this. How could I find out for instance what software and version the box/user uses to surf the web or download the top 40 say?
The Vista Box:
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
5357/tcp open unknown
MAC Address: XXXXXXXX
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Microsoft Windows Vista
OS details: Microsoft Windows Vista
Network Distance: 1 hop
The XP box:
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1026/tcp open LSA-or-nterm
2869/tcp closed unknown
5214/tcp open unknown
45100/tcp open unknown
MAC Address: XXXXXXXXX
Device type: general purpose|authentication server
Running (JUST GUESSING) : Microsoft Windows XP|2000|2003 (99%), Juniper Windows 2000 (90%)
Aggressive OS guesses: Microsoft Windows XP SP2 (99%), Microsoft Windows XP SP2 or SP3 (97%), Microsoft Windows 2000 SP4 or Windows XP SP2 (96%), Microsoft Windows 2003 Small Business Server (96%), Microsoft Windows Small Business Server 2003 (95%), Microsoft Windows XP Professional SP2 (95%), Microsoft Windows Server 2003 SP1 or SP2 (94%), Microsoft Windows XP Professional SP2 (firewall enabled) (94%), Microsoft Windows Server 2003 SP2 (94%), Microsoft Windows XP SP2 (firewall disabled) (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Googling the ports tells me that LimeWire has 2 ports open on the XP box, which it does, but how would one know which version? Also, Winamp is running on this box (SHOUTcast radio) but this doesn't seem to be detectable, nor is port 80 traffic. How can I gather further information?
Thanks
"\x74\x68\x65\x70\x72\x65\x7a\x39\x38";
@OP It's not showing because nmap scans for servers, not clients. Also, I'm pretty sure Gnutella, torrents and eDonkey are all UDP based.
@Prez, lolwat? See my above comment.
Also, generally attacking a client requires knowledge that it exists; as such, almost all attacks are based against web browsers.
Browserrecon is a tool for web browsers; for most other protocols, you'd need documentation for the protocol, and an intimate knowledge of it.
Not with nmap; as mentioned above, that just scans a system for listening ports and optionally then interrogates those ports to determine service version. One approach for clients is to try and identify them by the data they send when they connect to a server. Web browsers, for example, have a User-Agent string in the HTTP header; SSH clients sometimes mention their name and version before protocol negotiation and encryption (PuTTY does this), etc. Getting this information means controlling the server or sniffing the communication between client and server.
Beware that the client can present misleading or incorrect information in its identifying string.
Another approach is to scan the system with some sort of network/system management tool that can query APIs on the system that will return information about installed software. On Windows you could use WMI or MSRPC to do this; however, this usually requires Windows authentication before it will work... and if you have that you may not need to find software to exploit.
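An added example of the passive approach described in the reply above (this is not code posted by anyone in the thread). Given the first bytes each client sends when it connects, taken from a sniffer on the LAN or from a server you control, it pulls the self-identification out of three protocols: the HTTP User-Agent header, the SSH client identification string, and the User-Agent header in a Gnutella 0.6 handshake (the LimeWire case the OP asked about). The sample payloads, host addresses and version numbers are constructed for the example, and the exact User-Agent string LimeWire sends is an assumption; only the header format is taken from the protocols.

```python
"""Passive client fingerprinting from the first bytes a client sends.

Added example, not code from the original thread. A client usually
announces its software and version in clear text before anything else
happens: HTTP User-Agent, SSH identification string (RFC 4253 s4.2),
Gnutella 0.6 handshake headers. SAMPLE_FLOWS below is constructed data.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# RFC 4253 s4.2: "SSH-protoversion-softwareversion SP comments CR LF"
SSH_BANNER = re.compile(rb"^SSH-(?P<proto>[0-9.]+)-(?P<software>[^\s\r\n]+)")
# HTTP/1.x request line: METHOD SP request-target SP HTTP/1.x CRLF
HTTP_REQUEST = re.compile(rb"^[A-Z]+ \S+ HTTP/1\.[01]\r\n")
# Gnutella 0.6 handshake; it carries HTTP-style headers. That a LimeWire
# client names itself "LimeWire/<version>" in User-Agent is an assumption.
GNUTELLA_CONNECT = b"GNUTELLA CONNECT/0.6\r\n"
# "Name/1.2.3" (browsers, Gnutella) or "Name_1.2p3" (OpenSSH, PuTTY) tokens
PRODUCT_TOKEN = re.compile(r"(?P<name>[A-Za-z][\w.-]*?)[/_](?P<version>\d[\w.]*)")
# A browser UA lists several Name/version tokens; these name the real browser
BROWSER_PRIORITY = ("Firefox", "Chrome", "Safari", "Opera")


def _header(payload: bytes, name: bytes) -> Optional[str]:
    """Return the value of an HTTP-style header (case-insensitive) or None."""
    m = re.search(rb"(?im)^" + re.escape(name) + rb":[ \t]*(.+?)\r?$", payload)
    return m.group(1).decode("latin-1").strip() if m else None


def _product(token: str) -> Tuple[Optional[str], Optional[str]]:
    """Split 'LimeWire/4.18.8' or 'OpenSSH_5.3p1' into (name, version)."""
    m = PRODUCT_TOKEN.fullmatch(token)
    return (m.group("name"), m.group("version")) if m else (token, None)


def _browser_from_user_agent(ua: str) -> Tuple[Optional[str], Optional[str]]:
    """Pick the token naming the browser; prefer known names, else the last one."""
    products = [(m.group("name"), m.group("version")) for m in PRODUCT_TOKEN.finditer(ua)]
    if not products:
        return None, None
    for wanted in BROWSER_PRIORITY:
        for name, version in products:
            if name == wanted:
                return name, version
    return products[-1]


def fingerprint_client(payload: bytes) -> Dict[str, Optional[str]]:
    """Identify client software from the opening bytes of one TCP stream.

    A None value means 'not identified'; callers must not read it as a result.
    The strings are client-controlled and can be spoofed, as noted above.
    """
    result: Dict[str, Optional[str]] = {"protocol": None, "client": None, "version": None}
    m = SSH_BANNER.match(payload)
    if m:  # SSH clients identify themselves before key exchange and encryption
        result["protocol"] = "ssh"
        result["client"], result["version"] = _product(m.group("software").decode("latin-1"))
    elif payload.startswith(GNUTELLA_CONNECT):
        result["protocol"] = "gnutella"
        ua = _header(payload, b"User-Agent")
        if ua:
            result["client"], result["version"] = _product(ua)
    elif HTTP_REQUEST.match(payload):
        result["protocol"] = "http"
        ua = _header(payload, b"User-Agent")
        if ua:
            result["client"], result["version"] = _browser_from_user_agent(ua)
    return result  # anything else: unknown, or encrypted from the first byte


def inventory(flows: List[Tuple[str, bytes]]) -> Dict[str, List[str]]:
    """Summarise which client software each source host was seen using.

    `flows` holds (source_ip, first_client_payload) pairs, e.g. reassembled
    from a capture of the LAN segment or logged on a server you control.
    """
    seen: Dict[str, set] = defaultdict(set)
    for src, payload in flows:
        fp = fingerprint_client(payload)
        if fp["client"]:
            seen[src].add(f"{fp['protocol']}: {fp['client']} {fp['version'] or '?'}")
    return {src: sorted(items) for src, items in seen.items()}


# Constructed sample traffic (not a real capture): an XP box and a Vista box.
SAMPLE_FLOWS = [
    ("192.168.1.20", b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"
                     b"User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) "
                     b"Gecko/20100115 Firefox/3.6\r\n\r\n"),
    ("192.168.1.20", b"GNUTELLA CONNECT/0.6\r\nUser-Agent: LimeWire/4.18.8\r\n"
                     b"X-Ultrapeer: False\r\n\r\n"),
    ("192.168.1.21", b"SSH-2.0-PuTTY_Release_0.60\r\n"),
    ("192.168.1.21", b"\x16\x03\x01\x00\x5a\x01\x00\x00\x56\x03\x01"),  # TLS ClientHello: nothing readable
]

if __name__ == "__main__":
    for host, clients in inventory(SAMPLE_FLOWS).items():
        print(host, "->", "; ".join(clients))
```

Feeding it real traffic means reassembling the first client-to-server segment of each TCP stream from a capture and passing those bytes with the source address; the TLS entry in the sample shows the limit of the method, since a stream that is encrypted from its first byte gives nothing to read and you are back to controlling the server or looking for a plaintext side channel.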
@HitThemLow - Your space key appears to be on the fritz...
Capitalisation is important. It's the difference between "Helping your brother Jack off a horse" and "Helping your brother jack off a horse".
The Forum Rules, Forum FAQ and the BackTrack Wiki... learn them, love them, live them.
Thanks for the replies, I understand a lot more now. I'll do some further research