Try   HackMD

SAT Lab7

tags: fh SAT jolly cooperation

For the http (pretty) Version, visit: https://hackmd.io/@FH-SDJS/SAT_Lab7

Name: Sebastian Doiber, Johannes Schwinger

Note: We originally planned on submitting 2 seperate protocols but since especially at the last point our answers merged together we decided to submit the same protocol. Thats why the first few points have answers labeled "Sebastian" and "Johannes".

Angabe

NMAP

All the tasks have to be performed while being logged in to its.fh-campuswien.ac.at using your SSH credentials from the Scapy lab-exercise.

For all the assignments , give the necessary command-line, a short explanation of the command-line switches/parameters and the resulting output, as well as additional comments to this output, if applicable. Provide suitable screenshots.

  • Determine all hosts present in the 172.16.51.0/24 network.
  • Determine the operating systems of these hosts
  • Determine all open ports on these hosts
  • Determine all services running on the hosts

Select a suitable set of scripts from the /usr/share/nmap/scripts/ directory (the http* or smb* would be good possible candidates, but you are free to choose) and use them to try and find actual vulnerabilities on the hosts. Clearly document your findings.

Determine all hosts present in the 172.16.51.0/24 network

Using the option -ns as Option got me the following output:

Command:

$ nmap -sn 172.16.51.0/24

Screenshot

Sebastian

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →

Johannes

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →

Determine the operating systems of these hosts

According to the official website the option -O should have given informations about the running OS but since root priviliges are not granted to students on the its-server i used the option -A which also gave some interesting additional information.

Command:

$ nmap -O 172.16.51.0/24
$ nmap -A 172.16.51.0/24

you could also scann each host on its own as well:

$ nmap -A 172.16.51.1
$ nmap -A 172.16.51.102
$ nmap -A 172.16.51.103
$ nmap -A 172.16.51.124

Screenshot

Sebastian

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →

Johannes

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →

Determine all open ports on these hosts

Using the following command all open ports were revealed. I used the option -sT since i do not have root privileges. But it turns out that was unnecessary since nmaps default mode works as well. It chooses, as the creater words it: "sane" default parameters if the user doesnt specify anything else.
To read more about the Port Scanning Techniques we searched the nmap.org website.

Command

$ nmap -sT 172.16.51.0/24

Screenshot

Sebastian

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →

Johannes

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →

Determine all services running on the hosts

Service and Version Detection is what we needed to complete this task.

Enables version detection, []. Alternatively, you can use -A, which enables version detection among other things.

Command

$ nmap -sV 172.16.51.0/24

Screenshot

Sebastian

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →

Johannes

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →

Select a suitable set of scripts from the /usr/share/nmap/scripts/ directory (the http* or smb* would be good possible candidates, but you are free to choose) and use them to try and find actual vulnerabilities on the hosts. Clearly document your findings.

About nmap scripts.

Available services:

http         Microsoft IIS httpd 6.0
msrpc        Microsoft Windows RPC
netbios-ssn  Microsoft Windows netbios-ssn
microsoft-ds Microsoft Windows 2003 or 2008 microsoft-ds
msrpc        Microsoft Windows RPC

ssh      OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
ssl/http Apache httpd 2.4.18 ((Ubuntu))
mysql    MySQL (blocked - too many connection errors)
time    (32 bits)
ftp     vsftpd 2.0.8 or later
chargen Linux chargen

Command for executing scripts

$ nmap --script <script_name> <target ip/ipRange>

Finding the correct script prooved to be a tedious work since every script had to be typed in manually. To not loose oversight of which script we ran (completely) where we used this table:

172.16.51.1 172.16.51.102 172.16.51.103 172.16.51.142
http-sql-injection.nse http-adobe-coldfusion-apsa1301.nse Text Text
Text http-wordpress-brute.nse Text Text
http-apache-negotiation.nse
Text http-affiliate-id.nse Text Text
http-apache-negotiation.nse
http-apache-server-status.nse
http-brute.nse
smb-brute.nse
rpcinfo.nse
rpc-grind.nse
smb2-capabilities.nse
smb2-security-mode.nse
smb2-time.nse
smb2-vuln-uptime.nse
smb-double-pulsar-backdoor.nse
smb-enum-domains.nse
smb-enum-groups.nse
smb-enum-processes.nse
smb-enum-services.nse
smb-enum-sessions.nse
smb-enum-shares.nse
smb-enum-users.nse
smb-flood.nse

Every script that ran unsucsessfully returned the standard NMAP output for the specified host.


At some point we started doing random scripts that we liked since going script by script alphabetically through the list seemed more time consuming than result-delivering.
After getting even more anoyed at the tedious work we wrote a script ourselfes that would cycle through all scripts except the brute-force ones (since they take quite a while usually). BUT since we dont have explicit permissions to execute them we pasted the code into the python3 command line and exectued it from there.
Here is the code of the script:

Host 172.16.51.1

SQL Injection

http-auth-finder.nse

http-enum.nse

http-comments-displayer.nse

http-csrf.nse

Host 172.16.51.102

http-brute

Since no authentication is required we figured that would be quite the vulnerability.

http-site-generator.nse

Running Script 'http-sitemap-generator.nse'
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-23 10:09 UTC
Nmap scan report for 172.16.51.102
Host is up (0.59s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE
80/tcp   open  http
| http-sitemap-generator:
|   Directory structure:
|     /
|       Other: 1; gif: 1
|   Longest directory structure:
|     Depth: 0
|     Dir: /
|   Total files found (by extension):
|_    Other: 1; gif: 1
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1053/tcp open  remote-as

Nmap done: 1 IP address (1 host up) scanned in 14.50 seconds

smb-mbenum.nse

Explanation seems inconclusive at first glance but we think the purpouse of this scipt is data collection for future attacks.
https://nmap.org/nsedoc/scripts/smb-mbenum.html

smb-protocols.nse

Again data collection for future attacks.

smb-vuln-ms08-067.nse

http-useragent-tester.nse

Host 172.16.51.103

reverse-index.nse

https://nmap.org/nsedoc/scripts/reverse-index.html

ssh-hostkey.nse

As far as we understood this vulnerabilty shows the private key part of SSH keys:

banner.nse

ssh-auth-method.nse

https://nmap.org/nsedoc/scripts/ssh-auth-methods.html

ssh2-enum-algos-nse

https://nmap.org/nsedoc/scripts/ssh2-enum-algos.html

Host 172.16.51.142

http-useragent-tester.nse

https://nmap.org/nsedoc/scripts/http-useragent-tester.html

http-slowloris-check.nse

Created Python script:



















































import os
from pathlib import Path


def run_command(file_name: str, host: str):
    command = "nmap --script {} {}".format(file_name, host)
    os.system(command)


def get_all_filenames(keywords: list):
    filenames = list()
    files = Path("/usr/share/nmap/scripts")
    iterdir = list(files.iterdir())
    kwds = keywords
    for i in iterdir:
        filename = i.name
        if "brute" in filename:
            continue
        else:
           for kw in kwds:
               if kw in filename:
                   filenames.append(filename)
    filenames = sorted(filenames)
    return filenames


def run():
    host = "172.16.51.1"
    filenames = get_all_filenames([
        "http",
        "smb"
    ])
    scripts_to_run = len(filenames)
    current_script_no = 0
    for i in filenames:
        print("Running Script '{}'".format(i))
        current_script_no += 1
        run_command(i, host)
        print("Running Script {} of {}\n".format(current_script_no, scripts_to_run))

def run_numbers():
    filenames = get_all_filenames([
        "http",
        "ssh",
        "https",
        "mysql"
    ])
    scripts_to_run = len(filenames)
    print(scripts_to_run)
Last changed by 
FH-Coop
0
503

Read more

Virtual Worlds Questions

[TOC] Link to HACKMD file https://hackmd.io/@FH-SDJS/VR-AR-ExamQuestions Which are three ways of modeling 3D objects in VR? By Hand i.e. CAD Drawings | hand modeled: via appropriate tools like CAD software. This process CAN be supported by motion capture technology. Procedural Modelling | proceduraly generated: requires some data to work off but is a very time saving technique for things that populate the background 3D Scans of Real Objects: using depth-cameras, and volumetric methods or computertomography. This requires some additional steps:

Nov 24, 2020
QoL-Learning Diary

Team: Sebastian Doiber, Johannes Schwiner Important links: Our trello-board 18.06. First Sprint Was war bisher Im ersten Sprint haben wir einen Nav-Graph entworfen um eine Grundstruktur festzulegen und einen &quot;Angangspunkt&quot; zu haben. Dazu haben wir uns eine basic design Idee &#xFC;berlegt und versuchen uns an die zu halten (material.io). Zus&#xE4;tzlich wurde eine Klasse f&#xFC;r die Zustandsprofile erstellt.

Sep 1, 2020
IoT Lab_4

Group members: Sebastian Doiber, Johannes Schwinger This lab exercise&#x2019;s topic is LoRaWAN. We will use the LoRa Boards provided by the IoT-LAB: ST B-L072Z-LRWAN1 boards with ST MEMS extension X-NUCLEO-IKS01A2. We will set up a LoRaWAN application which sends data o a network server; finally, we will connect our app to an application server (for a graphical presentation of our data. We will use the same setup as we did for lab exercises 1 &amp; 2: Ubuntu 18.04. (VM) with RIOT-OS and the IoT-Lab. Documents your work with screenshots and thorough expalanation where applicable. First steps with TTN :::info

Jul 7, 2020
Secure Admin Tools – Lab Exercise 8 + 9

(c) Aymeric Hollaus, Sebastian Doiber, Johannes Schwinger Table of Contents [TOC] Procedure To make any actions on the server we needed to connect to the fh-campus-server by using our ID. For this process we used an SSH clinet. The first thing we did to set us up for the lab, is unsing Nmap to make a port scan. This allowed us to see every open port and the associated servies. To find any exploits we reseached the services and the OS revealed by the nmap scan. If we did find a possible exploit we used metasploit to check if it works.

Jul 4, 2020
Read more from FH-Coop
Published on HackMD