- eMadman
I'm unsure whether the topic I'm covering here is against the AUP. If it is, please say so and either a moderator or I will remove the thread immediately.
One of my courses this semester is Network+... and the prof likes to dabble in network security on occasion. That sparked a bit of interest in me, so I decided to see what I could do to break into my desktop PC (which, btw, doesn't have a firewall). The reason I uninstalled the firewall on the computer is that it was giving me nothing but major buttaches - plus the ones I tried ended up blocking too much out and outright refused to allow me to run some things even after disabling the software.
Anyways, with that in mind, I decided to let my desktop run the apps I usually have going when it's sitting idle - so Azureus and eMule going side by side with a RemotelyAnywhere server and MySQL running as well (I'm too lazy to disable MySQL even though I rarely use it). In addition to this, Windows Update hasn't been run since I installed SP2.
With the system set up, I went onto my laptop and portscanned the sucker. It should be noted that the only way I have of accessing the desktop at this point is via remote control since my mom has already gone to bed.
This is what it found after 15 minutes of scanning (it would probably have found more, but I'm using an 11 Mbps wireless connection right now and the speed isn't ideal):
Ports 22, 25, 80, and 139 are the primary ones to worry about, since 25, 80 and 139 are the ones most commonly attacked. Port 22 is potentially worrisome because it's used by a remote system administration program called RemotelyAnywhere.
Attempting to access port 80 seems to be useless, as I can't gain access to it. The exploits for the IIS 5.1 framework that I found have a few errors in the code and won't compile properly. I'm too tired at the moment to see if I can teach myself C and fix the problems - maybe after my exams are over. If I get a chance, I'll try using the exploit libraries on my Linux disks.
The ones that caught my eye, however, are 1025 and 3306. A quick Google search showed that 1025 is related to the RPC exploit (I've already got that patched up, and a quick penetration test made certain of it). Another Google search for port 3306 revealed that this is potentially related to MySQL.
I attempted the standard tests to see if I could gain access to port 3306 and to see whether or not anything was running on it. I managed to gain telnet access, but it seems as though nothing was running on that port. In order to do a more thorough test, I'd need to reboot my laptop into Linux to get access to the entire pre-compiled SecurityFocus and PacketStorm exploit libraries and try them one by one. I'm not in the mood to do that at the moment.
Of these ports that are open, only 139 is completely open to access. I figured this out by entering the following into the command prompt:
Code:
C:\> net use J: \\192.168.2.26\SharedDocs
There was actually a lot more to this than just this one line, but for simplicity's sake I'll leave it at this.
That created a network drive under My Computer in which I had complete access to the SharedDocs folder. Keep in mind that my laptop is not on the workgroup at home. I *think* it gave me access because my username and password on both the laptop and desktop are the same... but I'm not certain about that.
Now... I got access to the folder... but then again, it *is* being shared... Anyways, just to further test this, I ran a utility called enum. The information it gave was scary.
The end conclusion: I've got one massive vulnerability caused by enabling Windows file sharing and thus NetBIOS. The others are less common and would be difficult for most script kiddies to break. It seems that as long as you keep the crap running in the background to a minimum, the only really major thing most people will have to worry about is being DoS'ed. To counter that, all you've got to do is configure your system not to respond to ping.
For protection from the outside world, I have only my router, which has most ports opened already (the NetBIOS ones excepted).
I had fun doing this for the past hour and a half, and I'll probably try this again but with more testing and a more thorough procedure to test my desktop. I'll also see if I can do anything to compromise ZoneAlarm on that computer.
PS. Sorry for the image sizes - I only have MS Paint on my laptop for image handling.