SAT Lab7

tags: fh SAT jolly cooperation

For the http (pretty) Version, visit: https://hackmd.io/@FH-SDJS/SAT_Lab7

Name: Sebastian Doiber, Johannes Schwinger

Note: We originally planned on submitting 2 seperate protocols but since especially at the last point our answers merged together we decided to submit the same protocol. Thats why the first few points have answers labeled "Sebastian" and "Johannes".

Angabe

NMAP

All the tasks have to be performed while being logged in to its.fh-campuswien.ac.at using your SSH credentials from the Scapy lab-exercise.

For all the assignments , give the necessary command-line, a short explanation of the command-line switches/parameters and the resulting output, as well as additional comments to this output, if applicable. Provide suitable screenshots.

  • Determine all hosts present in the 172.16.51.0/24 network.
  • Determine the operating systems of these hosts
  • Determine all open ports on these hosts
  • Determine all services running on the hosts

Select a suitable set of scripts from the /usr/share/nmap/scripts/ directory (the http* or smb* would be good possible candidates, but you are free to choose) and use them to try and find actual vulnerabilities on the hosts. Clearly document your findings.

Determine all hosts present in the 172.16.51.0/24 network

Using the option -ns as Option got me the following output:

Command:

$ nmap -sn 172.16.51.0/24

Screenshot

Sebastian

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →

Johannes

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →

Determine the operating systems of these hosts

According to the official website the option -O should have given informations about the running OS but since root priviliges are not granted to students on the its-server i used the option -A which also gave some interesting additional information.

Command:

$ nmap -O 172.16.51.0/24
$ nmap -A 172.16.51.0/24

you could also scann each host on its own as well:

$ nmap -A 172.16.51.1
$ nmap -A 172.16.51.102
$ nmap -A 172.16.51.103
$ nmap -A 172.16.51.124

Screenshot

Sebastian

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →

Johannes

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →

Determine all open ports on these hosts

Using the following command all open ports were revealed. I used the option -sT since i do not have root privileges. But it turns out that was unnecessary since nmaps default mode works as well. It chooses, as the creater words it: "sane" default parameters if the user doesnt specify anything else.
To read more about the Port Scanning Techniques we searched the nmap.org website.

Command

$ nmap -sT 172.16.51.0/24 

Screenshot

Sebastian

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →

Johannes

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →

Determine all services running on the hosts

Service and Version Detection is what we needed to complete this task.

Enables version detection, []. Alternatively, you can use -A, which enables version detection among other things.

Command

$ nmap -sV 172.16.51.0/24

Screenshot

Sebastian

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →

Johannes

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →

Select a suitable set of scripts from the /usr/share/nmap/scripts/ directory (the http* or smb* would be good possible candidates, but you are free to choose) and use them to try and find actual vulnerabilities on the hosts. Clearly document your findings.

About nmap scripts.

Available services:

http         Microsoft IIS httpd 6.0
msrpc        Microsoft Windows RPC
netbios-ssn  Microsoft Windows netbios-ssn
microsoft-ds Microsoft Windows 2003 or 2008 microsoft-ds
msrpc        Microsoft Windows RPC

ssh      OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
ssl/http Apache httpd 2.4.18 ((Ubuntu))
mysql    MySQL (blocked - too many connection errors)
time    (32 bits)
ftp     vsftpd 2.0.8 or later
chargen Linux chargen

Command for executing scripts

$ nmap --script <script_name> <target ip/ipRange>

Finding the correct script prooved to be a tedious work since every script had to be typed in manually. To not loose oversight of which script we ran (completely) where we used this table:

172.16.51.1 172.16.51.102 172.16.51.103 172.16.51.142
http-sql-injection.nse http-adobe-coldfusion-apsa1301.nse Text Text
Text http-wordpress-brute.nse Text Text
http-apache-negotiation.nse
Text http-affiliate-id.nse Text Text
http-apache-negotiation.nse
http-apache-server-status.nse
http-brute.nse
smb-brute.nse
rpcinfo.nse
rpc-grind.nse
smb2-capabilities.nse
smb2-security-mode.nse
smb2-time.nse
smb2-vuln-uptime.nse
smb-double-pulsar-backdoor.nse
smb-enum-domains.nse
smb-enum-groups.nse
smb-enum-processes.nse
smb-enum-services.nse
smb-enum-sessions.nse
smb-enum-shares.nse
smb-enum-users.nse
smb-flood.nse

Every script that ran unsucsessfully returned the standard NMAP output for the specified host.


At some point we started doing random scripts that we liked since going script by script alphabetically through the list seemed more time consuming than result-delivering.
After getting even more anoyed at the tedious work we wrote a script ourselfes that would cycle through all scripts except the brute-force ones (since they take quite a while usually). BUT since we dont have explicit permissions to execute them we pasted the code into the python3 command line and exectued it from there.
Here is the code of the script:

Host 172.16.51.1

SQL Injection

http-auth-finder.nse

http-enum.nse

http-comments-displayer.nse

http-csrf.nse

Host 172.16.51.102

http-brute

Since no authentication is required we figured that would be quite the vulnerability.

http-site-generator.nse

Running Script 'http-sitemap-generator.nse'
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-23 10:09 UTC
Nmap scan report for 172.16.51.102
Host is up (0.59s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE
80/tcp   open  http
| http-sitemap-generator:
|   Directory structure:
|     /
|       Other: 1; gif: 1
|   Longest directory structure:
|     Depth: 0
|     Dir: /
|   Total files found (by extension):
|_    Other: 1; gif: 1
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1053/tcp open  remote-as

Nmap done: 1 IP address (1 host up) scanned in 14.50 seconds

smb-mbenum.nse

Explanation seems inconclusive at first glance but we think the purpouse of this scipt is data collection for future attacks.
https://nmap.org/nsedoc/scripts/smb-mbenum.html

smb-protocols.nse

Again data collection for future attacks.

smb-vuln-ms08-067.nse

http-useragent-tester.nse

Host 172.16.51.103

reverse-index.nse

https://nmap.org/nsedoc/scripts/reverse-index.html

ssh-hostkey.nse

As far as we understood this vulnerabilty shows the private key part of SSH keys:

banner.nse

ssh-auth-method.nse

https://nmap.org/nsedoc/scripts/ssh-auth-methods.html

ssh2-enum-algos-nse

https://nmap.org/nsedoc/scripts/ssh2-enum-algos.html

Host 172.16.51.142

http-useragent-tester.nse

https://nmap.org/nsedoc/scripts/http-useragent-tester.html

http-slowloris-check.nse

Created Python script:

import os from pathlib import Path def run_command(file_name: str, host: str): command = "nmap --script {} {}".format(file_name, host) os.system(command) def get_all_filenames(keywords: list): filenames = list() files = Path("/usr/share/nmap/scripts") iterdir = list(files.iterdir()) kwds = keywords for i in iterdir: filename = i.name if "brute" in filename: continue else: for kw in kwds: if kw in filename: filenames.append(filename) filenames = sorted(filenames) return filenames def run(): host = "172.16.51.1" filenames = get_all_filenames([ "http", "smb" ]) scripts_to_run = len(filenames) current_script_no = 0 for i in filenames: print("Running Script '{}'".format(i)) current_script_no += 1 run_command(i, host) print("Running Script {} of {}\n".format(current_script_no, scripts_to_run)) def run_numbers(): filenames = get_all_filenames([ "http", "ssh", "https", "mysql" ]) scripts_to_run = len(filenames) print(scripts_to_run)