Читать книгу Hacking For Dummies - Kevin Beaver - Страница 70
Determining What’s Running on Open Ports
ОглавлениеAs a security professional, you need to gather the things that count when scanning your systems. You can often identify the following information:
Protocols in use, such as Domain Name System and NetBIOS
Services running on the hosts, such as email, web, and database systems
Available remote access services, such as Remote Desktop Protocol, telnet, and Secure Shell (SSH)
Encrypted network services such as SSL/TLS and IPsec
Permissions and authentication requirements for network shares
You can look for the following sample open ports (which your network scanner reports as accessible or open):
Ping (ICMP echo) replies, showing that ICMP traffic is allowed to and from the host.
TCP port 21, showing that FTP could be running.
TCP port 23, showing that Telnet could be running.
TCP ports 25 or 465 (SMTP and SMPTS), 110 or 995 (POP3 and POP3S), or 143 or 993 (IMAP and IMAPS), showing that an email server could be running.
TCP/UDP port 53, showing that a DNS server could be running.
TCP ports 80, 443, and 8080, showing that a web server or web proxy could be running.
TCP/UDP ports 135, 137, 138, 139, and, especially, 445, showing that a Windows host could be running.
Thousands of ports can be open — 65,534 each for both TCP (Transmission Control Protocol) and UDP (User Datagram Protocol), to be exact. I cover many popular port numbers when describing security checks throughout this book. A continually updated listing of all well-known port numbers (ports 0–1023) and registered port numbers (ports 1024–49151), with their associated protocols and services, is located at www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.txt
.
If a service doesn’t respond on a TCP or UDP port, that result doesn’t mean that the service isn’t running. You may have to dig further to find out.
If you detect a web server running on the system that you test, you might be able to check the software version by using one of the following methods:
Type the site’s name followed by a page that you know doesn’t exist, such as www.your_domain.com/1234.html. Many web servers return an error page showing detailed version information.
Use Netcraft’s What’s That Site Running? search utility (
https://sitereport.netcraft.com/
), which connects to your server from the Internet and displays the web-server version and operating system, as shown in Figure 4-1.
FIGURE 4-1: Netcraft’s web server version utility.
You can dig deeper for more specific information on your hosts by using these tools:
NMapWin (
https://sourceforge.net/projects/nmapwin
) can determine the system OS version.A scanning and enumeration tool such as SoftPerfect Network Scanner (
www.softperfect.com/products/networkscanner
) can extract users, groups, and file and share permissions directly from Windows.Many systems return useful banner information when you connect to a service or application running on a port. If you Telnet to an email server on port 25 by entering telnet mail.your_domain.com 25 at a command prompt, you may see something like this: 220 mail.your_domain.com ESMTP all_the_version_info_you_need_to_hack ReadyMost email servers return detailed information, such as the version and the current service pack installed. After you have this information, you (and the bad guys) can determine the vulnerabilities of the system from some of the websites listed in the next section.
An email to an invalid address may return with detailed email header information. A bounced message often discloses information that can be used against you, including internal IP addresses and software versions. On certain Windows systems, you can use this information to establish unauthenticated connections and sometimes even map drives. I cover these issues in Chapter 12.