
Thread: Learning about pentesting: Questions regarding the approach

  1. #1
    Junior Member
    Join Date
    Aug 2009
    Posts
    27

    Learning about pentesting: Questions regarding the approach

    I seem to be missing something, and need to be pointed in the right direction if you don't mind. In my lab I have a fully patched Vista and XP box and am attacking with a BT 4 box.

    As they are fully patched, Metasploit attacks are a no go. Now, I am assuming that some of the software on each box is exploitable, such as firefox, and various p2p programs I have running.

    Although I know what software I have installed, I don't know how an attacker would identify this. How could I find out for instance what software and version the box/user uses to surf the web or download the top 40 say?

    The Vista Box:

    135/tcp open msrpc
    139/tcp open netbios-ssn
    445/tcp open microsoft-ds
    5357/tcp open unknown
    MAC Address: XXXXXXXX
    Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
    Device type: general purpose
    Running: Microsoft Windows Vista
    OS details: Microsoft Windows Vista
    Network Distance: 1 hop


    The XP box:

    139/tcp open netbios-ssn
    445/tcp open microsoft-ds
    1026/tcp open LSA-or-nterm
    2869/tcp closed unknown
    5214/tcp open unknown
    45100/tcp open unknown
    MAC Address: XXXXXXXXX
    Device type: general purpose|authentication server
    Running (JUST GUESSING) : Microsoft Windows XP|2000|2003 (99%), Juniper Windows 2000 (90%)
    Aggressive OS guesses: Microsoft Windows XP SP2 (99%), Microsoft Windows XP SP2 or SP3 (97%), Microsoft Windows 2000 SP4 or Windows XP SP2 (96%), Microsoft Windows 2003 Small Business Server (96%), Microsoft Windows Small Business Server 2003 (95%), Microsoft Windows XP Professional SP2 (95%), Microsoft Windows Server 2003 SP1 or SP2 (94%), Microsoft Windows XP Professional SP2 (firewall enabled) (94%), Microsoft Windows Server 2003 SP2 (94%), Microsoft Windows XP SP2 (firewall disabled) (92%)
    No exact OS matches for host (test conditions non-ideal).
    Network Distance: 1 hop


    Googling the ports tells me that Limewire has 2 ports open on the XP box, which it does, but how would one know which version? Also, Winamp is running on this box (shoutcast radio) but this doesn't seem to be detectable, and neither does port 80 traffic. How can I gather further information?

    Thanks

  2. #2
    Moderator theprez98's Avatar
    Join Date
    Jan 2010
    Location
    Maryland
    Posts
    2,533
    "\x74\x68\x65\x70\x72\x65\x7a\x39\x38";

  3. #3
    Junior Member
    Join Date
    Jan 2010
    Location
    Canada
    Posts
    84


    @OP it's not showing because nmap scans for servers, not clients. Also, I'm pretty sure gnutella, torrents and edonkey are all UDP based.
    @Prez, lolwat? See my above comment.

    Also, generally attacking a client requires knowledge it exists; as such, almost all attacks are based against web browsers.

    Browserrecon is a tool for web browsers; for most other protocols, you'd need documentation for the protocol, and an intimate knowledge of it.

  4. #4
    Super Moderator lupin's Avatar
    Join Date
    Jan 2010
    Posts
    2,943


    Quote Originally Posted by SilvaRizla View Post
    How could I find out for instance what software and version the box/user uses to surf the web or download the top 40 say?
    Not with nmap, as mentioned above that just scans a system for listening ports and optionally then interrogates those ports to determine service version. One approach for clients is to try and identify it by the data it sends when it connects to a server. Web browsers for example have a user-agent string in the HTTP header, ssh clients sometimes mention their name and version before protocol negotiation and encryption (putty does this), etc, etc. Getting this information means controlling the server or sniffing the communication between client and server.

    Beware that the client can present misleading or incorrect information in its identifying string.

    Another approach is to scan the system with some sort of network/system management tool that can query APIs on the system that will return information about installed software. On Windows you could use WMI or MSRPC to do this, however this usually requires Windows authentication before it will work... and if you have that you may not need to find software to exploit.

    @HitThemLow - Your space key appears to be on the fritz...
    Capitalisation is important. It's the difference between "Helping your brother Jack off a horse" and "Helping your brother jack off a horse".

    The Forum Rules, Forum FAQ and the BackTrack Wiki... learn them, love them, live them.
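    Added example (not code from this thread or from any of the posters) illustrating lupin's point about identifying a client from the data it sends: a small Python parser that pulls the self-reported product and version out of an HTTP User-Agent header (with the Windows NT token mapped to XP/Vista), out of an SSH client identification string, and out of a Gnutella 0.6 handshake, which also carries a User-Agent header. The sample payloads, including the LimeWire, PuTTY and WinampMPEG version strings, are constructed stand-ins for what you would see from a sniffer or a server you control, and the function names are my own.

```python
import re

# Constructed sample payloads: the first bytes each kind of client sends when it
# connects out. They are illustrative stand-ins, not captures from the lab in
# the thread; real version strings will differ.
SAMPLES = {
    "browser": (
        b"GET /index.html HTTP/1.1\r\n"
        b"Host: www.example.invalid\r\n"
        b"User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.8) "
        b"Gecko/20100202 Firefox/3.5.8\r\n"
        b"Accept: */*\r\n\r\n"
    ),
    "ssh": b"SSH-2.0-PuTTY_Release_0.60\r\n",
    "gnutella": (
        b"GNUTELLA CONNECT/0.6\r\n"
        b"User-Agent: LimeWire/5.4.6\r\n"
        b"X-Ultrapeer: False\r\n\r\n"
    ),
    "shoutcast": (
        b"GET /stream HTTP/1.0\r\n"
        b"Host: radio.example.invalid\r\n"
        b"User-Agent: WinampMPEG/5.56\r\n"
        b"Icy-MetaData: 1\r\n\r\n"
    ),
}

# Windows NT version tokens that browsers put in their User-Agent string.
WINDOWS_NT_VERSIONS = {
    "Windows NT 5.0": "Windows 2000",
    "Windows NT 5.1": "Windows XP",
    "Windows NT 5.2": "Windows XP x64 / Server 2003",
    "Windows NT 6.0": "Windows Vista",
    "Windows NT 6.1": "Windows 7",
}


def parse_header_block(payload: bytes):
    """Split a CRLF-delimited request/handshake into its first line and a dict of headers.
    Both HTTP requests and Gnutella 0.6 handshakes use this 'Key: Value' layout."""
    lines = payload.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        if line == "":
            break  # blank line ends the header block
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return lines[0], headers


def product_from_user_agent(ua: str) -> str:
    """Pick the name/version token that most likely names the real client.
    Browser User-Agents carry several tokens; the leading 'Mozilla/5.0' is a
    compatibility token and the last one (e.g. 'Firefox/3.5.8') is the product.
    Single-token agents such as 'WinampMPEG/5.56' come back unchanged."""
    tokens = re.findall(r"([A-Za-z][\w.-]*)/([\w.]+)", ua)
    if not tokens:
        return ua
    name, version = tokens[-1]
    return f"{name}/{version}"


def os_from_user_agent(ua: str):
    for token, name in WINDOWS_NT_VERSIONS.items():
        if token in ua:
            return name
    return None


def identify_client(payload: bytes) -> dict:
    """Return what the client says about itself in its opening bytes.
    Every field is self-reported by the client (lupin's caveat above), so treat
    it as a claim to corroborate, not as fact."""
    first_line, headers = parse_header_block(payload)
    result = {"protocol": "unknown", "software": None, "os": None, "evidence": first_line}

    if first_line.startswith("SSH-"):
        # RFC 4253 identification string: SSH-protoversion-softwareversion [SP comments]
        match = re.match(r"SSH-\d\.\d+-(\S+)", first_line)
        result.update(protocol="ssh", software=match.group(1) if match else None)
    elif first_line.startswith("GNUTELLA CONNECT/"):
        result.update(protocol="gnutella", software=headers.get("user-agent"),
                      evidence="User-Agent header in the Gnutella handshake")
    elif re.match(r"^[A-Z]+ \S+ HTTP/\d\.\d$", first_line):
        ua = headers.get("user-agent", "")
        result.update(protocol="http",
                      software=product_from_user_agent(ua) if ua else None,
                      os=os_from_user_agent(ua),
                      evidence=f"User-Agent: {ua}" if ua else first_line)
    return result


def fingerprint_all(payloads) -> dict:
    """Run identify_client over (label, payload) pairs, e.g. TCP streams pulled from a sniffer."""
    return {label: identify_client(p) for label, p in payloads}


if __name__ == "__main__":
    for label, info in fingerprint_all(SAMPLES.items()).items():
        print(f"{label:10s} {info['protocol']:9s} {str(info['software']):28s} {info['os']}")
```

    In practice the payloads come from following the TCP streams of a capture taken between the client and its server, or from the request logs of a server you run and lure the client to. Nothing here touches the client itself, which is why it finds the Firefox, LimeWire and Winamp versions that an nmap port scan of the XP box never will; and because every string is chosen by the client, a hardened or spoofed client can lie in all of them.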

  5. #5
    Junior Member
    Join Date
    Aug 2009
    Posts
    27


    Thanks for the replies, I understand a lot more now. I'll do some further research
