fh
SAT
jolly cooperation
For the http (pretty) Version, visit: https://hackmd.io/@FH-SDJS/SAT_Lab7
Name: Sebastian Doiber, Johannes Schwinger
Note: We originally planned on submitting 2 separate protocols, but since especially at the last point our answers merged together, we decided to submit the same protocol. That's why the first few points have answers labeled "Sebastian" and "Johannes".
All the tasks have to be performed while being logged in to its.fh-campuswien.ac.at using your SSH credentials from the Scapy lab-exercise.
For all the assignments, give the necessary command line, a short explanation of the command-line switches/parameters and the resulting output, as well as additional comments on this output, if applicable. Provide suitable screenshots.
Select a suitable set of scripts from the /usr/share/nmap/scripts/ directory (the http* or smb* would be good possible candidates, but you are free to choose) and use them to try and find actual vulnerabilities on the hosts. Clearly document your findings.
Using the option -ns got me the following output:
According to the official website the option -O should have given information about the running OS, but since root privileges are not granted to students on the ITS server, I used the option -A, which also gave some interesting additional information.
You could also scan each host on its own:
Using the following command all open ports were revealed. I used the option -sT since I do not have root privileges. But it turns out that was unnecessary, since nmap's default mode works as well: it chooses, as the creator words it, "sane" default parameters if the user doesn't specify anything else.
To read more about the Port Scanning Techniques we searched the nmap.org website.
Service and Version Detection is what we needed to complete this task.
Enables version detection, […]. Alternatively, you can use -A, which enables version detection among other things.
About nmap scripts.
Available services:
Command for executing scripts
Finding the correct script proved to be tedious work, since every script had to be typed in manually. So as not to lose track of which script we ran (completely) and where, we used this table:
| 172.16.51.1 | 172.16.51.102 | 172.16.51.103 | 172.16.51.142 |
|---|---|---|---|
| http-sql-injection.nse | http-adobe-coldfusion-apsa1301.nse | | |
| | http-wordpress-brute.nse | | |
| http-apache-negotiation.nse | | | |
| | http-affiliate-id.nse | | |
| http-apache-server-status.nse | | | |
| http-brute.nse | | | |
| smb-brute.nse | | | |
| rpcinfo.nse | | | |
| rpc-grind.nse | | | |
| smb2-capabilities.nse | | | |
| smb2-security-mode.nse | | | |
| smb2-time.nse | | | |
| smb2-vuln-uptime.nse | | | |
| smb-double-pulsar-backdoor.nse | | | |
| smb-enum-domains.nse | | | |
| smb-enum-groups.nse | | | |
| smb-enum-processes.nse | | | |
| smb-enum-services.nse | | | |
| smb-enum-sessions.nse | | | |
| smb-enum-shares.nse | | | |
| smb-enum-users.nse | | | |
| smb-flood.nse | | | |
Every script that ran unsuccessfully returned the standard nmap output for the specified host.
At some point we started running random scripts that we liked, since going through the list script by script alphabetically seemed more time-consuming than result-delivering.
After getting even more annoyed at the tedious work, we wrote a script ourselves that would cycle through all scripts except the brute-force ones (since they usually take quite a while). BUT since we don't have explicit permissions to execute them, we pasted the code into the python3 command line and executed it from there.
Here is the code of the script:
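The following is an added example of such a loop, written for this edit; it is not the authors' script (their code is not reproduced on the page). It assumes the script directory /usr/share/nmap/scripts from the assignment, an unprivileged user (hence -sT, as above), the four hosts from the table, and a hypothetical exclusion list of substrings ("brute", "flood", "dos") for the slow or intrusive scripts. It also shows how to tell a script that produced nothing from one that produced a result: NSE prints its output as lines starting with "| " or "|_", so if none of those lines appear you only got the standard nmap output mentioned above.

```python
"""Run the nmap NSE scripts of a directory one at a time against a list of hosts.

Added example for this lab report; it is NOT the authors' script (that code is not
reproduced on the page). Assumptions: scripts live in /usr/share/nmap/scripts, the
user is unprivileged (hence -sT), and the hosts are the ones from the table above.
"""
import os
import re
import subprocess
from typing import Iterable, List, Sequence

SCRIPT_DIR = "/usr/share/nmap/scripts"
TARGETS = ["172.16.51.1", "172.16.51.102", "172.16.51.103", "172.16.51.142"]
# Substrings that mark slow or noisy scripts we do not want in the loop (assumption).
EXCLUDE = ("brute", "flood", "dos")
# NSE prints its results as lines starting with "| " or "|_"; nothing else in normal
# nmap output starts that way, so their absence means the script produced nothing.
NSE_LINE = re.compile(r"^\|[ _]")


def select_scripts(names: Iterable[str],
                   prefixes: Sequence[str] = ("http-", "smb-", "smb2-"),
                   exclude: Sequence[str] = EXCLUDE) -> List[str]:
    """Pick the *.nse files matching the wanted prefixes, minus the excluded ones.

    Returns script names without the .nse suffix, which is what --script expects.
    """
    chosen = []
    for name in sorted(names):
        if not name.endswith(".nse") or not name.startswith(tuple(prefixes)):
            continue
        if any(word in name for word in exclude):
            continue
        chosen.append(name[:-len(".nse")])
    return chosen


def build_command(script: str, host: str) -> List[str]:
    """nmap invocation for one script: -sT because we have no root for -sS."""
    return ["nmap", "-sT", "--script", script, host]


def script_results(nmap_output: str) -> List[str]:
    """Return the NSE result lines from nmap's normal output (empty = no result)."""
    return [line for line in nmap_output.splitlines() if NSE_LINE.match(line)]


def run_script(script: str, host: str, timeout: int = 600) -> List[str]:
    """Run one script against one host and return only its NSE result lines."""
    proc = subprocess.run(build_command(script, host), capture_output=True,
                          text=True, timeout=timeout)
    return script_results(proc.stdout)


# Constructed sample of nmap output (not a real scan), used to show what the parser keeps.
SAMPLE_WITH_RESULT = """\
Nmap scan report for 172.16.51.102
Host is up (0.0010s latency).

PORT    STATE SERVICE
80/tcp  open  http
| http-apache-server-status:
|   Server Version: Apache
|_  Server Uptime: 1 day

Nmap done: 1 IP address (1 host up) scanned in 0.50 seconds
"""
SAMPLE_NO_RESULT = """\
Nmap scan report for 172.16.51.102
Host is up (0.0010s latency).

PORT    STATE SERVICE
80/tcp  open  http

Nmap done: 1 IP address (1 host up) scanned in 0.50 seconds
"""


def main() -> None:
    names = os.listdir(SCRIPT_DIR)
    for host in TARGETS:
        for script in select_scripts(names):
            lines = run_script(script, host)
            print(f"{host:<15} {script:<40} {'RESULT' if lines else '-'}")
            for line in lines:
                print("    " + line)


if __name__ == "__main__":
    main()
```

Saved as a file, this runs with `python3 nse_cycle.py`: the interpreter only needs read permission on the file, so the missing execute bit that pushed the authors into the python3 REPL is not an obstacle. Note that nmap can also do the selection itself, since --script accepts wildcards and boolean expressions over script names and categories, e.g. `--script "(http-* or smb-*) and not (brute or dos)"`; running one script per invocation as above is slower but makes it unambiguous which script produced which lines.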
Since no authentication is required we figured that would be quite the vulnerability.
The explanation seems inconclusive at first glance, but we think the purpose of this script is data collection for future attacks.
https://nmap.org/nsedoc/scripts/smb-mbenum.html
Again data collection for future attacks.
https://nmap.org/nsedoc/scripts/reverse-index.html
As far as we understood, this vulnerability shows the private key part of SSH keys:
https://nmap.org/nsedoc/scripts/ssh-auth-methods.html
https://nmap.org/nsedoc/scripts/ssh2-enum-algos.html
https://nmap.org/nsedoc/scripts/http-useragent-tester.html