The most fundamental of enumeration techniques is banner grabbing, which was mentioned briefly in Chapter 2. Banner grabbing can be simply defined as connecting to remote applications and observing the output, and it can be surprisingly informative to remote attackers. At the very least, they may have identified the make and model of the running service, which in many cases is enough to set the vulnerability research process in motion.
As also noted in Chapter 2, many port-scanning tools can perform banner grabbing in parallel with their main function of identifying open ports (the harbinger of an exploitable remote service). This section will briefly catalog the most common manual techniques for banner grabbing, of which no self-respecting hacker should be ignorant (no matter how automated port scanners become).
| Popularity:  | 5 |
| Simplicity:  | 9 |
| Impact:      | 1 |
| Risk Rating: | 5 |
The tried-and-true manual mechanism for enumerating banners and application info has traditionally been based on telnet (a remote communications tool built into most operating systems). Using telnet to grab banners is as easy as opening a telnet connection to a known port on the target server, pressing ENTER a few times, if necessary, and seeing what comes back:
    C:\> telnet www.corleone.com 80
    HTTP/1.0 400 Bad Request
    Server: Netscape-Commerce/1.12
    Your browser sent a non-HTTP compliant message.
This is a generic technique that works with many common applications that respond on a standard port, such as HTTP port 80, SMTP port 25, or FTP port 21.
For a slightly more surgical probing tool, rely on netcat, the "TCP/IP Swiss Army knife." netcat was written by Hobbit (hobbit@atstake.com) and ported to the Windows NT family (including Windows NT and Windows 2000, XP, and 2003 Server) by Weld Pond while he was with the L0pht security research group. netcat is available at http://www.atstake.com/research/tools/network_utilities. As you will see throughout this book, netcat belongs in the permanent System Administrators Hall of Fame for its elegant flexibility. When employed by the enemy, it is simply devastating. Here, we will examine one of its more simplistic uses, connecting to a remote TCP/IP port and enumerating the service banner:
    C:\> nc -v www.corleone.com 80
    www.corleone.com [192.168.45.7] 80 (?) open
A bit of input here usually generates some sort of a response. In this case, pressing ENTER causes the following:
    HTTP/1.1 400 Bad Request
    Server: Microsoft-IIS/4.0
    Date: Sat, 03 Apr 1999 08:42:40 GMT
    Content-Type: text/html
    Content-Length: 87

    <html><head><title>Error</title></head>
    <body>The parameter is incorrect.</body>
    </html>
One tip from the netcat readme file discusses how to redirect the contents of a file into netcat to nudge remote systems for even more information. For example, create a text file called nudge.txt containing the single line GET / HTTP/1.0, followed by two carriage returns, and then the following:
    [root$] nc -nvv -o banners.txt 192.168.202.34 80 < nudge.txt
    HTTP/1.0 200 OK
    Server: Sun_WebServer/2.0
    Date: Sat, 10 Apr 1999 07:42:59 GMT
    Content-Type: text/html
    Last-Modified: Wed, 07 Apr 1999 15:54:18 GMT
    ETag: "370a7fbb-2188-4"
    Content-Length: 8584

    <HTML>
    <HEAD>
    <META NAME="keywords" CONTENT="BigCorp, hacking, security">
    <META NAME="description" CONTENT="Welcome to BigCorp's Web site. BigCorp is a leading manufacturer of security holes.">
    <TITLE>BigCorp Corporate Home Page</TITLE>
    </HEAD>
    </HTML>
Tip: The netcat -n argument is recommended when specifying numeric IP addresses as a target.
Know any good exploits for Sun WebServer 2.0? You get the point. Other good nudge file possibilities include HEAD / HTTP/1.0 <cr><cr>, QUIT <cr>, HELP <cr>, ECHO <cr>, and even just a couple carriage returns ( <cr> ), depending on the service being probed.
This information can significantly focus an intruder's effort to compromise a system. Now that the vendor and version of the server software are known, attackers can concentrate on platform-specific techniques and known exploit routines until they get one right. Time is shifting in their favor and against the administrator of this machine. You'll hear more about netcat throughout this book.
As we've already noted, the best defense against banner grabbing is to shut down unnecessary services. Alternatively, restrict access to services using network access control. Perhaps the widest avenue of entry into any environment is running vulnerable software services, so this restriction should be done to combat more than just banner grabbing.
Next, for those services that are business critical and can't simply be turned off, you'll need to research the correct way to disable the presentation of the vendor and version in banners. Audit yourself regularly with port scans and raw netcat connects to active ports to make sure you aren't giving away inappropriate information to attackers.
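The nudge-file technique above (send a short probe, read whatever comes back, pull the vendor and version out of the Server: header) and the self-audit recommended here are the same operation viewed from two sides. The following script is an added example and is not from the book or from netcat; it reimplements `nc -nvv host port < nudge.txt` in plain Python sockets and then runs the audit loop over a list of ports. The probe table, the `leaks_version` heuristic, and the local stand-in server (which answers with a reply modelled on the IIS 4.0 banner shown above) are all constructed for illustration, so the whole thing runs offline.

```python
"""Banner grabbing and self-audit, in the spirit of nc -nvv host port < nudge.txt.

Added example, not the book's code.  NUDGES, leaks_version() and the fake
server are assumptions made for illustration; the reply text is constructed
to resemble the Microsoft-IIS/4.0 banner quoted in the text.
"""
import re
import socket
import threading

# Nudges the text suggests, keyed by the service expected on the port.
NUDGES = {
    80: b"GET / HTTP/1.0\r\n\r\n",   # HTTP: ask for the root document
    25: b"\r\n",                      # SMTP: just a couple of carriage returns
    21: b"\r\n",                      # FTP: same
}


def grab_banner(host, port, nudge=b"", timeout=5.0, max_bytes=4096):
    """Connect, send the nudge (if any), and return whatever the service sends back."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if nudge:
            s.sendall(nudge)
        chunks, total = [], 0
        while total < max_bytes:
            try:
                data = s.recv(1024)
            except socket.timeout:
                break           # service went quiet: what we have is the banner
            if not data:
                break           # service closed the connection
            chunks.append(data)
            total += len(data)
    return b"".join(chunks).decode("latin-1", errors="replace")


def server_header(banner):
    """Return the value of the Server: header from an HTTP-style banner, or None."""
    head = banner.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None


def leaks_version(server_value):
    """Assumed heuristic: a Server: value that carries a version number
    (e.g. 'Microsoft-IIS/4.0') is a leak; a bare product name or no header is not."""
    if not server_value:
        return False
    return re.search(r"\d+(\.\d+)*", server_value) is not None


def audit(host, ports, timeout=2.0):
    """The self-audit the text recommends: probe each port with the matching
    nudge and report (Server: value, leaks_version) for every port that answered."""
    findings = {}
    for port in ports:
        try:
            banner = grab_banner(host, port, NUDGES.get(port, b"\r\n"), timeout=timeout)
        except OSError:
            continue            # closed or filtered: nothing to report
        value = server_header(banner)
        findings[port] = (value, leaks_version(value))
    return findings


# Constructed stand-in for the IIS 4.0 host in the text.
FAKE_BODY = b"<html><head><title>Error</title></head>\r\n<body>The parameter is incorrect.</body>\r\n</html>"
FAKE_REPLY = (
    b"HTTP/1.1 400 Bad Request\r\n"
    b"Server: Microsoft-IIS/4.0\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: " + str(len(FAKE_BODY)).encode() + b"\r\n"
    b"\r\n" + FAKE_BODY
)


def start_fake_server(reply=FAKE_REPLY):
    """Listen on 127.0.0.1 on a free port and answer every connection with `reply`.
    Returns (listening socket, port); close the socket to stop the server."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return          # listening socket closed
            with conn:
                conn.settimeout(1.0)
                try:
                    conn.recv(1024)   # swallow the nudge, as a real server would
                except socket.timeout:
                    pass
                conn.sendall(reply)

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, port = start_fake_server()
    for p, (value, leak) in audit("127.0.0.1", [port]).items():
        print(f"port {p}: Server: {value!r} -> {'LEAKS version' if leak else 'ok'}")
    srv.close()
```

Run it as-is to see the audit against the local stand-in; point `audit()` at your own hosts and ports to check that a "fixed" banner really stopped naming the vendor and version. The `-n` tip above applies here too: pass numeric addresses to avoid reverse lookups that slow the sweep and announce it to the DNS operator.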