[Day 4] Scanning Scanning through the snow¶
The course¶
Scanning Types¶
Scanning is classified as either active or passive based on the degree of intrusiveness to gathering information about a target system or network, as explained below:
Passive Scanning: This method involves scanning a network without directly interacting with the target device (server, computer etc.). Passive scanning is usually carried out through packet capture and analysis tools like Wireshark; however, this technique only provides basic asset information like OS version, network protocol etc., against the target.
Active Scanning: Active scanning is a scanning method whereby you scan individual endpoints in an IT network to retrieve more detailed information. The active scan involves sending packets or queries directly to specific assets rather than passively collecting that data by « catching » it in transit on the network’s traffic. Active scanning is an immediate deep scan performed on targets to get detailed information. These targets can be a single endpoint or a network of endpoints.
Scanning Techniques¶
The following standard techniques are employed to scan a target system or network effectively.
Network Scanning¶
A network is usually a collection of interconnected hosts or computers that share information and resources. Network scanning helps to discover and map a complete network, including any live computers or hosts, open ports, IP addresses, services running on any live host, and operating systems. Once the network is mapped, an attacker executes exploits as per the target system and services discovered. For example, a computer in a network with an outdated Apache version enables an attacker to launch an exploit against the vulnerable Apache server.
Port Scanning¶
Per Wikipedia, "In computer networking, a port is a number assigned to uniquely identify a connection endpoint and to direct data to a specific service. At the software level, within an operating system, a port is a logical construct that identifies a specific process or a type of network service."
Port scanning is a conventional method to examine open ports in a network capable of receiving and sending data. First, an attacker maps a complete network with its installed devices/hosts like firewalls, routers, servers etc., then scans the open ports on each live host. Port numbers vary between 0 to 65,536 based on the type of service running on the host. Port scanning results fall into the following three categories:
Closed Ports: The host is not listening to the specific port.
Open Ports: The host actively accepts a connection on the specific port.
Filtered Ports: This indicates that the port is open; however, the host is not accepting connections or accepting connections as per certain criteria like specific source IP address.
Vulnerability Scanning¶
Vulnerability scanning proactively identifies the network's vulnerabilities in an automated way that helps determine whether the system may be threatened or exploited. Free and paid tools are available that help to identify loopholes in a target system through a pre-built database of vulnerabilities. Pentesters widely use tools such as Nessus and Acunetix to identify loopholes in a system.
Scanning Tools¶
Network Mapper (Nmap)¶
Nmap is a popular tool used to carry out port scanning, discover network protocols, identify running services, and detect operating systems on live hosts. You can learn more about the tool by visiting the Nmap, Nmap live host discovery, Nmap basic port scan and Nmap advanced port scan rooms on TryHackMe.
Nikto¶
Nikto is open-source software that scans websites for vulnerabilities. It can look for subdomains, outdated servers, debug messages etc. on a website. You can run it on the AttackBox by typing nikto -host MACHINE_IP.
The questions:¶
For this challenge, we need to start the machine and connect to SMB using the credentials we obtained in step 3.
Question 1 : What is the name of the HTTP server running on the remote host?¶
Ok, even though we could answer this question just from the stars, we will still make the effort to run a port scan:
Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-06 19:27 CET
Nmap scan report for 10.10.95.104
Host is up (0.035s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 d2ddbdbb9c822e60bd8d1e38acc3c99d (RSA)
| 256 dc5813dda2753008adb229df04b25380 (ECDSA)
|_ 256 0b180a66c7a1c58d1139f70159fd4beb (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.29 (Ubuntu)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: IP-10-10-95-104; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 1s, deviation: 0s, median: 0s
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-time:
| date: 2022-12-06T18:27:43
|_ start_date: N/A
|_nbstat: NetBIOS name: IP-10-10-95-104, NetBIOS user: <unknown>, NetBIOS MAC: 000000000000 (Xerox)
| smb2-security-mode:
| 311:
|_ Message signing enabled but not required
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
| Computer name: ip-10-10-95-104
| NetBIOS computer name: IP-10-10-95-104\x00
| Domain name: eu-west-1.compute.internal
| FQDN: ip-10-10-95-104.eu-west-1.compute.internal
|_ System time: 2022-12-06T18:27:43+00:00
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.54 seconds
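As an added example (not part of the original write-up), the parser below turns the Nmap normal-output report above into structured port records, applying the open/closed/filtered categories from the Port Scanning section, and surfaces the `smb-security-mode` host-script finding that Nmap itself labels dangerous. The sample report is an excerpt copied from the scan above; the function names are my own.

```python
import re
from typing import NamedTuple

# Excerpt of the Nmap report printed above (copied from the page, abridged).
NMAP_REPORT = """\
Nmap scan report for 10.10.95.104
Host is up (0.035s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
Host script results:
| smb-security-mode:
|_ message_signing: disabled (dangerous, but default)
"""

# One port line: "<port>/<proto> <state> <service> [<version>]".
# "filtered" is Nmap's state for probes swallowed by a firewall or filter.
PORT_RE = re.compile(
    r"^(\d+)/(tcp|udp)\s+(open\|filtered|open|closed|filtered)\s+(\S+)\s*(.*)$"
)


class PortRecord(NamedTuple):
    port: int
    proto: str
    state: str
    service: str
    version: str


def parse_ports(report: str) -> list[PortRecord]:
    """Extract every per-port line of an Nmap normal-output report."""
    records = []
    for line in report.splitlines():
        m = PORT_RE.match(line.strip())
        if m:
            records.append(PortRecord(int(m.group(1)), m.group(2), m.group(3),
                                      m.group(4), m.group(5).strip()))
    return records


def smb_signing_required(report: str) -> bool:
    """True only if the smb-security-mode script reports signing as required."""
    for line in report.splitlines():
        if "message_signing:" in line:
            return line.split("message_signing:", 1)[1].strip().startswith("required")
    return False  # script absent or silent: do not assume it is enforced


def findings(report: str) -> list[str]:
    """Open services plus the SMB signing weakness, as a review checklist."""
    out = [f"{r.port}/{r.proto} {r.service} {r.version}".rstrip()
           for r in parse_ports(report) if r.state == "open"]
    if not smb_signing_required(report):
        out.append("SMB message signing not required (flagged by Nmap as dangerous)")
    return out
```

Running `findings(NMAP_REPORT)` lists the four open services from the report plus the SMB signing item, which is the entry a defender would want fixed on the Samba host.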
Question 2 : What is the name of the service running on port 22 on the QA server?¶
For this question, it is enough to read the previous scan: we can clearly see that port 22 is used by the SSH service.
Question 3 : What flag can you find after successfully accessing the Samba service?¶
┌──(kali㉿kali)-[~/Christmas]
└─$ smbmap -u ubuntu -p 'S@nta2022' -H $ip
[+] IP: 10.10.95.104:445t... Name: 10.10.95.104
Disk Permissions Comment
---- ----------- -------
print$ READ ONLY Printer Drivers
sambashare READ, WRITE Samba on Ubuntu
admins READ, WRITE Samba on Ubuntu
IPC$ NO ACCESS IPC Service (ip-10-10-95-104 server (Samba, Ubuntu))
┌──(kali㉿kali)-[~/Christmas]
└─$ smbmap -u ubuntu -p 'S@nta2022' -H $ip -R admins
[+] IP: 10.10.95.104:445 Name: 10.10.95.104
Disk Permissions Comment
---- ----------- -------
admins READ, WRITE
.\admins\*
fr--r--r-- 23 Wed Nov 9 18:55:58 2022 flag.txt
fr--r--r-- 111 Thu Nov 10 06:44:29 2022 userlist.txt
┌──(kali㉿kali)-[~/Christmas]
└─$ smbmap -u ubuntu -p 'S@nta2022' -H $ip --download admins/flag.txt
[+] Starting download: admins\flag.txt (23 bytes)
[+] File output to: /home/kali/Christmas/10.10.95.104-admins_flag.txt
┌──(kali㉿kali)-[~/Christmas]
└─$ smbmap -u ubuntu -p 'S@nta2022' -H $ip --download admins/userlist.txt
[+] Starting download: admins\userlist.txt (111 bytes)
[+] File output to: /home/kali/Christmas/10.10.95.104-admins_userlist.txt
┌──(kali㉿kali)-[~/Christmas]
└─$ cat 10.10.95.104-admins_*
{THM_SANTA_SMB_SERVER}
USERNAME PASSWORD
santa santa101
santahr santa25
santaciso santa30
santatech santa200
santaaccounts santa400
Question 4 : What is the password for the username santahr?¶
The password is in the userlist file we downloaded earlier. That's all for today!