SAT Lab7 - HackMD

# SAT Lab7 ###### tags: `fh` `SAT` `jolly cooperation` For the http (pretty) Version, visit: https://hackmd.io/@FH-SDJS/SAT_Lab7 Name: Sebastian Doiber, Johannes Schwinger :::warning Note: We originally planned on submitting 2 seperate protocols but since especially at the last point our answers merged together we decided to submit the same protocol. Thats why the first few points have answers labeled "Sebastian" and "Johannes". ::: # Angabe ## NMAP All the tasks have to be performed while being logged in to its.fh-campuswien.ac.at using your SSH credentials from the Scapy lab-exercise. For all the assignments , give the necessary command-line, a short explanation of the command-line switches/parameters and the resulting output, as well as additional comments to this output, if applicable. Provide suitable screenshots. * Determine all hosts present in the 172.16.51.0/24 network. * Determine the operating systems of these hosts * Determine all open ports on these hosts * Determine all services running on the hosts Select a suitable set of scripts from the /usr/share/nmap/scripts/ directory (the http* or smb* would be good possible candidates, but you are free to choose) and use them to try and find actual vulnerabilities on the hosts. Clearly document your findings. # Determine all hosts present in the 172.16.51.0/24 network Using the option -ns as Option got me the following output: ## Command: ``` $ nmap -sn 172.16.51.0/24 ``` ## Screenshot ### Sebastian ![](https://i.imgur.com/oCmMziS.png) ### Johannes ![](https://i.imgur.com/6wXXSdy.png) # Determine the operating systems of these hosts According to the [official website](https://nmap.org/book/man-os-detection.html) the option `-O` should have given informations about the running OS but since root priviliges are not granted to students on the its-server i used the option `-A` which also gave some interesting additional information. ## Command: ``` $ nmap -O 172.16.51.0/24 $ nmap -A 172.16.51.0/24 ``` you could also scann each host on its own as well: ``` $ nmap -A 172.16.51.1 $ nmap -A 172.16.51.102 $ nmap -A 172.16.51.103 $ nmap -A 172.16.51.124 ``` ## Screenshot ### Sebastian ![](https://i.imgur.com/tH8Nr7V.png) ![](https://i.imgur.com/yUvCCj4.png) ![](https://i.imgur.com/4LADi4i.png) ![](https://i.imgur.com/MdDvhwW.png) ### Johannes ![](https://i.imgur.com/Q58DUx7.png) # Determine all open ports on these hosts Using the following command all open ports were revealed. I used the option `-sT` since i do not have root privileges. But it turns out that was unnecessary since nmaps default mode works as well. It chooses, as the creater words it: "sane" default parameters if the user doesnt specify anything else. To read more about the Port Scanning Techniques we searched the [nmap.org](https://nmap.org/book/man-port-scanning-techniques.html) website. ## Command ``` $ nmap -sT 172.16.51.0/24 ``` ## Screenshot ### Sebastian ![](https://i.imgur.com/RQR1DvX.png) ### Johannes ![](https://i.imgur.com/A8lQ1CM.png) # Determine all services running on the hosts [Service and Version Detection](https://nmap.org/book/man-version-detection.html) is what we needed to complete this task. > Enables version detection, [...]. Alternatively, you can use -A, which enables version detection among other things. ## Command ``` $ nmap -sV 172.16.51.0/24 ``` ## Screenshot ### Sebastian ![](https://i.imgur.com/aIKH5lP.png) ### Johannes ![](https://i.imgur.com/QMJPTwo.png) # Select a suitable set of scripts from the /usr/share/nmap/scripts/ directory (the http* or smb* would be good possible candidates, but you are free to choose) and use them to try and find actual vulnerabilities on the hosts. Clearly document your findings. About [nmap scripts](https://nmap.org/book/man-nse.html). Available services: ``` http Microsoft IIS httpd 6.0 msrpc Microsoft Windows RPC netbios-ssn Microsoft Windows netbios-ssn microsoft-ds Microsoft Windows 2003 or 2008 microsoft-ds msrpc Microsoft Windows RPC ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0) ssl/http Apache httpd 2.4.18 ((Ubuntu)) mysql MySQL (blocked - too many connection errors) time (32 bits) ftp vsftpd 2.0.8 or later chargen Linux chargen ``` Command for executing scripts ``` $ nmap --script <script_name> <target ip/ipRange> ``` Finding the correct script prooved to be a tedious work since every script had to be typed in manually. To not loose oversight of which script we ran (completely) where we used this table: | 172.16.51.1 | 172.16.51.102 | 172.16.51.103 | 172.16.51.142 | |:----------------------:|:----------------------------------:|:-------------:|:-------------:| | http-sql-injection.nse | http-adobe-coldfusion-apsa1301.nse | Text | Text | | Text | http-wordpress-brute.nse | Text | Text | | | http-apache-negotiation.nse | | | | Text | http-affiliate-id.nse | Text | Text | | | http-apache-negotiation.nse | | | | | http-apache-server-status.nse | | | | | http-brute.nse | | | | | smb-brute.nse | | | | | rpcinfo.nse | | | | | rpc-grind.nse | | | | | smb2-capabilities.nse | | | | | smb2-security-mode.nse | | | | | smb2-time.nse | | | | | smb2-vuln-uptime.nse | | | | | smb-double-pulsar-backdoor.nse | | | | | smb-enum-domains.nse | | | | | smb-enum-groups.nse | | | | | smb-enum-processes.nse | | | | | smb-enum-services.nse | | | | | smb-enum-sessions.nse | | | | | smb-enum-shares.nse | | | | | smb-enum-users.nse | | | | | smb-flood.nse | | | | | | | | | | | | | Every script that ran unsucsessfully returned the standard NMAP output for the specified host. ![](https://i.imgur.com/h5JcVs8.png) At some point we started doing random scripts that we liked since going script by script alphabetically through the list seemed more time consuming than result-delivering. After getting even more anoyed at the tedious work we wrote a script ourselfes that would cycle through all scripts except the brute-force ones (since they take quite a while usually). BUT since we dont have explicit permissions to execute them we pasted the code into the python3 command line and exectued it from there. Here is the code of the script: ## Host 172.16.51.1 ### SQL Injection ![](https://i.imgur.com/7obk7wE.png) ### http-auth-finder.nse ![](https://i.imgur.com/UpOIXJ6.png) ### http-enum.nse ![](https://i.imgur.com/g50LBMg.png) ### http-comments-displayer.nse ![](https://i.imgur.com/BCw3Zum.png) ### http-csrf.nse ![](https://i.imgur.com/UV6fv2a.png) ## Host 172.16.51.102 ### http-brute Since no authentication is required we figured that would be quite the vulnerability. ![](https://i.imgur.com/b8YGEpB.png) ### http-site-generator.nse ``` Running Script 'http-sitemap-generator.nse' Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-23 10:09 UTC Nmap scan report for 172.16.51.102 Host is up (0.59s latency). Not shown: 994 closed ports PORT STATE SERVICE 80/tcp open http | http-sitemap-generator: | Directory structure: | / | Other: 1; gif: 1 | Longest directory structure: | Depth: 0 | Dir: / | Total files found (by extension): |_ Other: 1; gif: 1 135/tcp open msrpc 139/tcp open netbios-ssn 445/tcp open microsoft-ds 1025/tcp open NFS-or-IIS 1053/tcp open remote-as Nmap done: 1 IP address (1 host up) scanned in 14.50 seconds ``` ### smb-mbenum.nse Explanation seems inconclusive at first glance but we think the purpouse of this scipt is data collection for future attacks. https://nmap.org/nsedoc/scripts/smb-mbenum.html ![](https://i.imgur.com/jIBIua5.png) ### smb-protocols.nse Again data collection for future attacks. ![](https://i.imgur.com/JRAZIDG.png) ### smb-vuln-ms08-067.nse ![](https://i.imgur.com/8a4msBg.png) ### http-useragent-tester.nse ![](https://i.imgur.com/Rrj3jUo.png) ## Host 172.16.51.103 ### reverse-index.nse https://nmap.org/nsedoc/scripts/reverse-index.html ![](https://i.imgur.com/fcH70Me.png) ### ssh-hostkey.nse As far as we understood this vulnerabilty shows the private key part of SSH keys: ![](https://i.imgur.com/vR9D1U8.png) ### banner.nse ![](https://i.imgur.com/bfRTRlN.png) ### ssh-auth-method.nse https://nmap.org/nsedoc/scripts/ssh-auth-methods.html ![](https://i.imgur.com/cHv1qJ2.png) ### ssh2-enum-algos-nse https://nmap.org/nsedoc/scripts/ssh2-enum-algos.html ![](https://i.imgur.com/uJ4lTdB.png) ## Host 172.16.51.142 ### http-useragent-tester.nse https://nmap.org/nsedoc/scripts/http-useragent-tester.html ![](https://i.imgur.com/hQ3jvXf.png) ### http-slowloris-check.nse ![](https://i.imgur.com/aI5FgTz.png) ## Created Python script: ```python= import os from pathlib import Path def run_command(file_name: str, host: str): command = "nmap --script {} {}".format(file_name, host) os.system(command) def get_all_filenames(keywords: list): filenames = list() files = Path("/usr/share/nmap/scripts") iterdir = list(files.iterdir()) kwds = keywords for i in iterdir: filename = i.name if "brute" in filename: continue else: for kw in kwds: if kw in filename: filenames.append(filename) filenames = sorted(filenames) return filenames def run(): host = "172.16.51.1" filenames = get_all_filenames([ "http", "smb" ]) scripts_to_run = len(filenames) current_script_no = 0 for i in filenames: print("Running Script '{}'".format(i)) current_script_no += 1 run_command(i, host) print("Running Script {} of {}\n".format(current_script_no, scripts_to_run)) def run_numbers(): filenames = get_all_filenames([ "http", "ssh", "https", "mysql" ]) scripts_to_run = len(filenames) print(scripts_to_run) ```