Open source software security

Madirish Tutorial 08

Let's say we've decided we want to hack Whitepower.com (a site I chose randomly through an Alta Vista search, mostly because given the nature of their operations they aren't likely to complain to anyone if I f*ck with them). What steps do we need to take to figure out how to get in? The simplest first step is to find out the IP address of the web host. Ping does this for us as a side effect, since it has to resolve the name before it can send anything (nslookup or host would give the same answer without sending a single packet to the target):

C:\>ping whitepower.com

Pinging whitepower.com [64.39.238.134] with 32 bytes of data:

Reply from 64.39.238.134: bytes=32 time=71ms TTL=240
Reply from 64.39.238.134: bytes=32 time=70ms TTL=240
Reply from 64.39.238.134: bytes=32 time=70ms TTL=240
Reply from 64.39.238.134: bytes=32 time=70ms TTL=240

Ping statistics for 64.39.238.134:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 70ms, Maximum =  71ms, Average =  70ms

C:\>

Next we need to figure out who owns or runs the box, and where it is physically located. This information may be useful for social engineering, password guessing, or just to find out if the law will come looking for you when you knock on this box's door. I used ARIN's whois lookup first. ARIN records who was allocated the netblock the address sits in, which is normally the hosting provider rather than whoever runs the site, so this tells us who hosts the service; here are the results:

Arin Search Results:

World Internet Services (NET-HISPEED-2)
   330 Rancheros Drive Suite #108
   San Marcos, CA 92069
   US

   Netname: HISPEED-2
   Netblock: 64.39.224.0 - 64.39.239.255

   Coordinator:
      Baker, Jasen  (JB770-ARIN)  jasenb@hispeed.com
      760-761-0495 (FAX) 760-744-3778

   Domain System inverse mapping provided by:

   NS1.HISPEED.NET		209.145.61.253
   NS2.HISPEED.NET		209.145.61.254

   Record last updated on 21-Jul-2000.
   Database last updated on 27-Mar-2001 22:52:10 EDT.


Next I used a Network Solutions whois lookup to find out exactly who registered the domain itself, mostly for the reasons mentioned above. Notice that the registrant is a different organisation from the netblock owner, and that the domain's name servers (NS1 and NS2.AFFORDABLE-SPACE.COM, the second of them sitting inside World Internet Services' netblock) are different again from the ones ARIN listed; that is the usual fingerprint of a site living on a shared hosting box. Here's what we find:

Network Solutions Search Results:

Registrant:
whitepower.com (WHITEPOWER6-DOM)
   Micetrap Distribution Post Office
   Box 8813
   Turnersville, NJ 08012
   US

   Domain Name: WHITEPOWER.COM

   Administrative Contact, Technical Contact, Billing Contact:
      Micetrap, James  (ISD16)  micetrap14@AOL.COM
      Micetrap Distribution
      Post Office Box 55
      Maple Shade, NJ  08052
      US
      609-451-9314 609-451-9314

   Record last updated on 25-Jan-2001.
   Record expires on 03-Apr-2004.
   Record created on 03-Apr-1999.
   Database last updated on 27-Mar-2001 23:15:00 EST.

   Domain servers in listed order:

   NS1.AFFORDABLE-SPACE.COM	209.145.62.111
   NS2.AFFORDABLE-SPACE.COM	64.39.238.137

Now comes the interesting part. I switched over to my Linux box and ran a quick nmap scan of the host; there is a ton of useful information in here:

Starting nmap V. 2.30BETA17 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Interesting ports on  (64.39.238.134):
Port       State       Service
21/tcp     open        ftp                     
23/tcp     open        telnet            
25/tcp     open        smtp                    
53/tcp     open        domain                  
80/tcp     open        http                    
81/tcp     open        hosts2-ns               
110/tcp    open        pop-3                   
143/tcp    open        imap2                   
444/tcp    open        snpp                    
617/tcp    open        unknown                 
1414/tcp   open        ibm-mqseries            
1488/tcp   open        docstor                 
3306/tcp   open        mysql                   

TCP Sequence Prediction: Class=random positive increments
                         Difficulty=5661830 (Good luck!)
Remote operating system guess: Linux 2.1.122 - 2.2.14

Nmap run completed -- 1 IP address (1 host up) scanned in 13 seconds

So there are a whole lot of entry points to this host. We could potentially exploit any of the services we see running, but it would be a lot easier if we knew which program, and which version of it, is behind each port. You can find this out simply by telnetting to the well-known ports and reading the banner each service sends when you connect. (The 'Service' column in the nmap output is just the name registered for that port number, not what is actually listening there; 444 shows up as snpp because that is the port's assigned name, not because this box runs a paging gateway.)

On an SMTP server I like to try a few likely accounts with 'expn'. EXPN expands a mail alias and shows who receives mail sent to it, so 'expn users' would show the recipients of mail to 'users@whitepower.com'; root, postmaster, mail and users are all good aliases to check if you can. VRFY is the related command that confirms whether a single mailbox exists, and is worth trying when EXPN is refused, since the two are often restricted separately. Unfortunately this server doesn't allow expn. Finger isn't running either (port 79 is not in the scan), or we'd 'finger 0@whitepower.com' to get a list of all user accounts on hosts where that hasn't been disabled.

Two things stand out in the results below. The telnet login banner identifies the box as Cobalt Linux 5.0 on kernel 2.2.14C10, which agrees with nmap's OS guess and tells us this is a Cobalt appliance. And the SMTP greeting calls the machine www.affordable-space.com, the same outfit whose name servers are listed for the domain, so whitepower.com is one site on a shared hosting box. Here are my results:

C:\>telnet 64.39.238.134
	Cobalt Linux release 5.0 (Pacifica) Kernel 2.2.14C10 on an i586
C:\>telnet 64.39.238.134 25
	220 www.affordable-space.com ESMTP Sendmail 8.9.3/8.9.3; Wed, 28 Mar 2001 11:28:28 -0500
	helo affordable
	250 www.affordable-space.com Hello [216.25.200.135], pleased to meet you
	expn root
	502 Sorry, we do not allow this operation
	quit
	221 www.affordable-space.com closing connection

FTP:
	C:\>ftp 64.39.238.134
	Connected to 64.39.238.134.
	220 ProFTPD 1.2.0rc3 Server (ProFTPD) [64.39.238.134]
	User (64.39.238.134:(none)):

It's also a good idea to check whether anonymous FTP is enabled. If it is, you can log in with 'anonymous' as the username and an e-mail address (such as 'foo@hotmail.com') as the password, then browse whatever the server exposes to anonymous users.
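Here is the banner-grabbing and EXPN/VRFY routine from the last two sections as a script. This is an added example, not code from the original tutorial: parse_banner() pulls product and version out of the three banners quoted above (and out of the generic 'Product 1.2.3' shape), grab_banner() reads whatever a port volunteers on connect, and smtp_probe() does the HELO / EXPN / VRFY conversation, keeping the raw reply codes so you can tell a refusal (502) from a confirmed account (250) or an unknown one (550). The .example.test host names and the _FakeSendmail class are constructed stand-ins so the script runs offline; for real use, point grab_banner() and smtp_probe() at a host and port you are authorised to test.

```python
"""Banner grabbing and SMTP EXPN/VRFY probing.

Added example, not code from the tutorial.  _FakeSendmail is a constructed
stand-in modelled on the Sendmail replies quoted in the tutorial, so the
script can be run offline; the caller supplies the real host and port.
"""
import re
import socket
import socketserver
import threading

# Banner shapes, most specific first.  The first three come from the three
# banners quoted in the tutorial (Sendmail, ProFTPD, Cobalt Linux); the last
# catches the generic "Product 1.2.3" / "Product_1.2.3" form.
BANNER_PATTERNS = [
    re.compile(r"ESMTP (?P<product>Sendmail) (?P<version>[\d.]+)"),
    re.compile(r"(?P<product>ProFTPD) (?P<version>[\w.]+) Server"),
    re.compile(r"(?P<product>[A-Z]\w*(?: [A-Z]\w*)*) release (?P<version>[\d.]+)"),
    re.compile(r"(?P<product>[A-Za-z][\w-]+)[ /_](?P<version>\d+(?:\.\d+)+\w*)"),
]


def parse_banner(banner):
    """Return (product, version) found in a service banner, or (None, None)."""
    for pattern in BANNER_PATTERNS:
        match = pattern.search(banner)
        if match:
            return match.group("product"), match.group("version")
    return None, None


def grab_banner(host, port, timeout=5.0):
    """Connect and return whatever the service says first ("" if it stays quiet)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            data = sock.recv(1024)
        except socket.timeout:
            return ""
    return data.decode("latin-1", "replace").strip()


def _exchange(sock, reader, line=None):
    """Send one command (nothing, for the greeting) and read the whole reply."""
    if line is not None:
        sock.sendall((line + "\r\n").encode("ascii"))
    lines = []
    while True:
        reply = reader.readline().decode("latin-1", "replace").rstrip("\r\n")
        lines.append(reply)
        if len(reply) < 4 or reply[3] != "-":  # '250-' continues, '250 ' ends
            return lines


def smtp_probe(host, port, names, helo="probe.example.test"):
    """HELO, then EXPN and VRFY each name; returns the raw reply lines.

    250 to EXPN lists alias members, 250 to VRFY confirms a mailbox, 502 (what
    the tutorial's target sent) is a refusal, 550 means no such user.
    """
    report = {"replies": {}}
    with socket.create_connection((host, port), timeout=5.0) as sock:
        reader = sock.makefile("rb")
        report["greeting"] = _exchange(sock, reader)[0]
        _exchange(sock, reader, "HELO " + helo)
        for name in names:
            report["replies"][name] = {
                "expn": _exchange(sock, reader, "EXPN " + name),
                "vrfy": _exchange(sock, reader, "VRFY " + name),
            }
        _exchange(sock, reader, "QUIT")
    return report


class _FakeSendmail(socketserver.StreamRequestHandler):
    """Constructed stand-in: refuses EXPN like the tutorial's host, answers VRFY."""

    def handle(self):
        self.wfile.write(b"220 www.example.test ESMTP Sendmail 8.9.3/8.9.3; ready\r\n")
        for raw in self.rfile:
            verb, _, arg = raw.decode("latin-1", "replace").strip().partition(" ")
            verb = verb.upper()
            if verb == "HELO":
                reply = b"250 www.example.test Hello, pleased to meet you"
            elif verb == "EXPN":
                reply = b"502 Sorry, we do not allow this operation"
            elif verb == "VRFY":
                reply = b"250 root <root@www.example.test>" if arg == "root" else b"550 User unknown"
            elif verb == "QUIT":
                reply = b"221 www.example.test closing connection"
            else:
                reply = b"500 Command unrecognized"
            self.wfile.write(reply + b"\r\n")
            if verb == "QUIT":
                return


def start_fake_sendmail():
    """Serve the stand-in on an ephemeral loopback port; returns (server, port)."""
    server = socketserver.TCPServer(("127.0.0.1", 0), _FakeSendmail)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    server, port = start_fake_sendmail()
    print(parse_banner(grab_banner("127.0.0.1", port)))
    for name, replies in smtp_probe("127.0.0.1", port, ["root", "users"])["replies"].items():
        print(name, replies)
    server.shutdown()
    server.server_close()
```

Keeping the raw reply lines rather than a yes/no is deliberate: a 550 "User unknown" against one name and a 250 against another is exactly the account enumeration the author is after, and a 252 or 502 tells you the server has been configured to refuse, so you stop wasting time on it and move to the next service.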

Lastly I want to find out what the gateway to this target is, meaning the last router in front of the host. To do this all we have to do is run a traceroute:

C:\>tracert 64.39.238.134

Tracing route to 64.39.238.134 over a maximum of 30 hops

  2    10 ms    20 ms    10 ms  atm4-0-0.red-devil.dca.fcc.net [216.25.192.1]
  3   <10 ms    10 ms    10 ms  209.249.187.229.fcc.net [209.249.187.229]
  4   <10 ms    10 ms    10 ms  main1-main2-ge.iad1.above.net [209.249.187.226]
  5   <10 ms    10 ms    10 ms  core4-main1-oc48.iad1.above.net [208.185.0.153]
  6   <10 ms    10 ms    10 ms  core1-iad1-oc48.iad2.above.net [209.249.0.214]
  7   <10 ms    10 ms    10 ms  level3-above-oc12.iad2.above.net [209.249.0.174]
  8   <10 ms    10 ms    10 ms  so-4-1-0.mp2.Washington1.level3.net [209.247.10.77]
  9    70 ms    70 ms    70 ms  loopback0.hsipaccess2.SanDiego1.Level3.net [209.244.2.81]
 10    70 ms    70 ms    70 ms  63.210.174.38
 11    70 ms    70 ms    80 ms  64.39.238.134

Trace complete.

C:\>

Using the traceroute we see that the last hop before the target is 63.210.174.38. Everything sent to and from the target web host passes through this device. It could be a plain router, or it could be a firewall, though that's doubtful here since the target answered on thirteen ports with no sign of filtering (a firewall in front of a web host would normally leave only the ports it is meant to offer visible). Bear in mind that traceroute only shows the forward path from our vantage point; the return path, and anything filtering inline without decrementing the TTL, won't appear in it. To make a full survey, we should repeat the above steps on the gateway and see if we can find any other useful information about the target, gateway, or network.
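The nmap and tracert output above is just text; the following added example (mine, not the tutorial's) turns both into data: parse_nmap_ports() gives the open ports to feed into a banner grabber, parse_tracert() gives the hop list and last_hop_before() picks out the device in front of the target, and hops_from_reply_ttl() applies the usual initial-TTL rule of thumb (64 for Linux/BSD, 128 for Windows, 255 for Cisco and Solaris; an assumption of mine, not something the page states) to a ping reply TTL. The two sample strings are constructed copies of the output quoted on this page, with the wrapped tracert lines re-joined. Running it against the page's own numbers gives a check worth knowing about: the ping reply came back with TTL 240, which on a 255 start means 15 hops on the return path, while the trace reaches the target at hop 11, so either the return route differs from the forward one or the TTL guess is wrong for this host.

```python
"""Turning the nmap and tracert output shown in the tutorial into data.

Added example, not code from the tutorial.  NMAP_SAMPLE and TRACERT_SAMPLE are
constructed copies of the output quoted on the page (wrapped tracert lines
re-joined); INITIAL_TTLS is a common rule of thumb, not something the page states.
"""
import re

NMAP_SAMPLE = """\
Interesting ports on  (64.39.238.134):
Port       State       Service
21/tcp     open        ftp
23/tcp     open        telnet
25/tcp     open        smtp
53/tcp     open        domain
80/tcp     open        http
81/tcp     open        hosts2-ns
110/tcp    open        pop-3
143/tcp    open        imap2
444/tcp    open        snpp
617/tcp    open        unknown
1414/tcp   open        ibm-mqseries
1488/tcp   open        docstor
3306/tcp   open        mysql
"""

TRACERT_SAMPLE = """\
Tracing route to 64.39.238.134 over a maximum of 30 hops

  2    10 ms    20 ms    10 ms  atm4-0-0.red-devil.dca.fcc.net [216.25.192.1]
  3   <10 ms    10 ms    10 ms  209.249.187.229.fcc.net [209.249.187.229]
  4   <10 ms    10 ms    10 ms  main1-main2-ge.iad1.above.net [209.249.187.226]
  5   <10 ms    10 ms    10 ms  core4-main1-oc48.iad1.above.net [208.185.0.153]
  6   <10 ms    10 ms    10 ms  core1-iad1-oc48.iad2.above.net [209.249.0.214]
  7   <10 ms    10 ms    10 ms  level3-above-oc12.iad2.above.net [209.249.0.174]
  8   <10 ms    10 ms    10 ms  so-4-1-0.mp2.Washington1.level3.net [209.247.10.77]
  9    70 ms    70 ms    70 ms  loopback0.hsipaccess2.SanDiego1.Level3.net [209.244.2.81]
 10    70 ms    70 ms    70 ms  63.210.174.38
 11    70 ms    70 ms    80 ms  64.39.238.134

Trace complete.
"""

# nmap 2.x port table row: "21/tcp     open        ftp"
PORT_LINE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)")
# Windows tracert hop: number, three RTT columns ("10 ms", "<10 ms" or "*"),
# then an optional reverse-DNS name and the address (bracketed when named).
HOP_LINE = re.compile(
    r"^\s*(?P<hop>\d+)\s+(?:(?:<?\d+ ms|\*)\s+){3}"
    r"(?:(?P<name>\S+)\s+)?\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\s*$"
)
# Usual default initial TTLs: 64 Linux/BSD, 128 Windows, 255 Cisco/Solaris (rule of thumb).
INITIAL_TTLS = (64, 128, 255)


def parse_nmap_ports(text):
    """Return [(port, proto, service)] for every row nmap reports as open."""
    ports = []
    for line in text.splitlines():
        match = PORT_LINE.match(line)
        if match and match.group("state") == "open":
            ports.append((int(match.group("port")), match.group("proto"), match.group("service")))
    return ports


def parse_tracert(text):
    """Return [(hop, name_or_None, ip)] for every hop that answered."""
    hops = []
    for line in text.splitlines():
        match = HOP_LINE.match(line)
        if match:
            hops.append((int(match.group("hop")), match.group("name"), match.group("ip")))
    return hops


def last_hop_before(target_ip, hops):
    """The device immediately in front of the target: the tutorial's 'gateway'."""
    for previous, current in zip(hops, hops[1:]):
        if current[2] == target_ip:
            return previous[2]
    return None


def hops_from_reply_ttl(reply_ttl):
    """Candidate (initial_ttl, hops_on_return_path) pairs for a ping reply TTL."""
    return [(ttl, ttl - reply_ttl) for ttl in INITIAL_TTLS if ttl >= reply_ttl]


if __name__ == "__main__":
    for port, proto, service in parse_nmap_ports(NMAP_SAMPLE):
        print(f"{port}/{proto}\t{service}")
    hops = parse_tracert(TRACERT_SAMPLE)
    print("gateway candidate:", last_hop_before("64.39.238.134", hops))
    print("return-path hops if the ping reply TTL was 240:", hops_from_reply_ttl(240))
```

parse_tracert() only understands the Windows tracert layout used on this page; Unix traceroute prints the name and address the other way round and would need a second pattern.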

So, as you can see, we can find out a lot about a target remotely without ever logging in to it. From here we can look up exploits for the specific versions we've identified (Sendmail 8.9.3, ProFTPD 1.2.0rc3, Cobalt Linux 5.0 on kernel 2.2.14) or simply try to guess passwords against the login services the scan turned up (telnet, FTP, POP3, IMAP and MySQL).