Madirish Tutorial 08
C:\>ping whitepower.com Pinging whitepower.com [18.104.22.168] with 32 bytes of data: Reply from 22.214.171.124: bytes=32 time=71ms TTL=240 Reply from 126.96.36.199: bytes=32 time=70ms TTL=240 Reply from 188.8.131.52: bytes=32 time=70ms TTL=240 Reply from 184.108.40.206: bytes=32 time=70ms TTL=240 Ping statistics for 220.127.116.11: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 70ms, Maximum = 71ms, Average = 70ms C:\>
Next we need to figure out who owns or runs the box, and where it is physically located. This information may be useful for social engeneering, password guessing, or just to find out if the law will come looking for you when you knock on this box's door. I used ARIN's whois lookup first, to find out who hosts the service, here are the results:
Arin Search Results: World Internet Services (NET-HISPEED-2) 330 Rancheros Drive Suite #108 San Marcos, CA 92069 US Netname: HISPEED-2 Netblock: 18.104.22.168 - 22.214.171.124 Coordinator: Baker, Jasen (JB770-ARIN) firstname.lastname@example.org 760-761-0495 (FAX) 760-744-3778 Domain System inverse mapping provided by: NS1.HISPEED.NET 126.96.36.199 NS2.HISPEED.NET 188.8.131.52 Record last updated on 21-Jul-2000. Database last updated on 27-Mar-2001 22:52:10 EDT.
Next I used a Network Solutions whois lookup to find out exactly who registered the domain, mostly for reasons mentioned above, here's what we find:
Network Solutions Search Results: Registrant: whitepower.com (WHITEPOWER6-DOM) Micetrap Distribution Post Office Box 8813 Turnersville, NJ 08012 US Domain Name: WHITEPOWER.COM Administrative Contact, Technical Contact, Billing Contact: Micetrap, James (ISD16) micetrap14@AOL.COM Micetrap Distribution Post Office Box 55 Maple Shade, NJ 08052 US 609-451-9314 609-451-9314 Record last updated on 25-Jan-2001. Record expires on 03-Apr-2004. Record created on 03-Apr-1999. Database last updated on 27-Mar-2001 23:15:00 EST. Domain servers in listed order: NS1.AFFORDABLE-SPACE.COM 184.108.40.206 NS2.AFFORDABLE-SPACE.COM 220.127.116.11
Now comes the interesting part. I switched over to my linux box and ran a quick NMAP scan of the box, tons of juicy info in here:
Starting nmap V. 2.30BETA17 by email@example.com ( www.insecure.org/nmap/ ) Interesting ports on (18.104.22.168): Port State Service 21/tcp open ftp 23/tcp open telnet 25/tcp open smtp 53/tcp open domain 80/tcp open http 81/tcp open hosts2-ns 110/tcp open pop-3 143/tcp open imap2 444/tcp open snpp 617/tcp open unknown 1414/tcp open ibm-mqseries 1488/tcp open docstor 3306/tcp open mysql TCP Sequence Prediction: Class=random positive increments Difficulty=5661830 (Good luck!) Remote operating system guess: Linux 2.1.122 - 2.2.14 Nmap run completed -- 1 IP address (1 host up) scanned in 13 seconds
So there are a whole lot of entry points to this domain. We could potentially exploit any of the services we see running. Of course it would be easier to do this if we knew which version and program was offering the services. You can find this out simply by telnetting to the well known ports and seeing what you find. I like to try out some basic accounts and 'expn' the root account on an SMTP server to see if it will give up any goods. Unfortunately this server doesn't allow expn (which shows the members of groups that recieve mail. 'expn users' would show recipients of mail to 'firstname.lastname@example.org'. root, postmaster, mail, and users are all good groups to check out if you can.). Unfortunately the finger daemon isn't running or we'd 'finger email@example.com' to get a list of all user accounts if that function hadn't been disabled. Here's my results:
C:\>telnet 22.214.171.124 Cobalt Linux release 5.0 (Pacifica) Kernel 2.2.14C10 on an i586 C:\>telnet 126.96.36.199 25 220 www.affordable-space.com ESMTP Sendmail 8.9.3/8.9.3; Wed, 28 Mar 2001 11:28: 28 -0500 helo affordable 250 www.affordable-space.com Hello [188.8.131.52], pleased to meet you expn root 502 Sorry, we do not allow this operation quit 221 www.affordable-space.com closing connection FTP: C:\>ftp 184.108.40.206 Connected to 220.127.116.11. 220 ProFTPD 1.2.0rc3 Server (ProFTPD) [18.104.22.168] User (22.214.171.124:(none)):
Its also a good idea to check and see if annonymous FTP is enabled. If it is you can list 'annonymous' as your username and an e-mail address (such as 'firstname.lastname@example.org') as your password.
Lastly I want to check to find out what the gateway computer to this target is. To do this all we have to do is run a traceroute:
C:\>tracert 126.96.36.199 Tracing route to 188.8.131.52 over a maximum of 30 hops 2 10 ms 20 ms 10 ms atm4-0-0.red-devil.dca.fcc.net [184.108.40.206] 3 >10 ms 10 ms 10 ms 220.127.116.11.fcc.net [18.104.22.168] 4 >10 ms 10 ms 10 ms main1-main2-ge.iad1.above.net [22.214.171.124] 5 >10 ms 10 ms 10 ms core4-main1-oc48.iad1.above.net [126.96.36.199] 6 >10 ms 10 ms 10 ms core1-iad1-oc48.iad2.above.net [188.8.131.52] 7 >10 ms 10 ms 10 ms level3-above-oc12.iad2.above.net [184.108.40.206] 8 >10 ms 10 ms 10 ms so-4-1-0.mp2.Washington1.level3.net [209.247.10. 77] 9 70 ms 70 ms 70 ms loopback0.hsipaccess2.SanDiego1.Level3.net [209. 244.2.81] 10 70 ms 70 ms 70 ms 220.127.116.11 11 70 ms 70 ms 80 ms 18.104.22.168 Trace complete. C:\>
Using the traceroute we see that the gateway is 22.214.171.124. This is the computer that filters all information sent to and from the target web host. This could be a simple router, or it could be a firewall (doubtful in this case since the target gave up the goods really easily). In order to make a full scan, we should repeat the above steps on the gateway and see if we can find any other useful information about the target, gateway, or network.
So, as you can see we can find out a lot of useful information about a target remotely. From here we can investigate exploits for services running or simply try to brute force password guess the services.