Network Fundamentals - Services
Today I’m gonna write about network services. This time I will not only give an introduction to what they are, but in some of them, I will give some tips on how to enumerate the services and even how to try and exploit them. In some cases, there is a need for external tools, and in those cases, I’ll try to explain how to use those tools on that service. I will not be going in-depth on how to use those tools, but maybe I’ll make a post someday explaining that.
With the intro out of the way, let’s begin…
The first service I want to talk about is SMB (Server Message Block). SMB is a client-server communication protocol used for sharing access to files, printers, serial ports, and other resources on a network. It provides client applications with a secure and controlled method for accessing files on a remote server.
Many of you should be familiar with the name Samba, but Samba is just a free software re-implementation of the SMB protocol.
The first thing you should always do when enumerating a target is a Nmap scan. I will only mention this step this time because you should do all targets. I will also mention other Nmap scans when they are involved in an exploit and not in the first scan of the machine.
When you scan a target you potentially have this output:
You should know that SMB runs on ports 139 and 445 TCP. So having found SMB in use, you now should start enumerating it using the tool, for example, Enum4Linux.
enum4linux -a <IP>The -a switch will perform a full basic enumeration.
The output is too large to put it here, but there is a lot of useful information such as the operating system version, name of the machine, and workgroup. You should search for things such as lists of shares or printers, information about domain and workgroup, and information about password policies.
To exploit SMB you can use, for example, the tool smbclient because it’s part of the default samba suite.
smbclient ////<ip>//<share> -U <user> -P <port>If you haven’t found any users yet, you can use the user ‘anonymous’ as an unauthenticated entry point to the machine. If it’s badly configured you might access some interesting documents. The -P flag is optional.
You can also try to enter the system with a user using smbclient, just remember you need to know its password.
smbclient -L <IP> -U <user>There are also other tools and techniques you can use to enumerate and exploit SMB, but here I will only talk about these because they are very simple and easy to use.
Next on my list, we have Telnet. Telnet is a protocol used to virtually access a remote computer that runs a Telnet server. It works as a client-server protocol that opens a command line on the remote server. Because Telnet is insecure, it sends messages in clear text, in most implementations it has been replaced by SSH.
It’s important to note that Telnet doesn’t have a specific port of communication. You should do a Nmap scan to all ports to increase your chances of finding it.
It’s very simple to use Telnet you just have to do the following command:
telnet <IP> <Port>If you can run commands in the system this way you can create a reverse shell and have access to the system. (a reverse shell is a shell created on the target machine that connects to your machine).
Continuing the services list we have FTP (File Transfer Protocol). As you can deduce by the name, FTP is a protocol used to allow remote transfer of files over a network. It uses a client-server model and relays commands and data e a very efficient way.
An FTP session operates using two channels:
- command channel — used to transmit commands.
- data channel — used to transmit data.
Apart from these two channels, it has two types of connections:
- active — the client opens a port and waits. The server has to actively connect to that port.
- passive — the server opens a port and waits for a client connection.
FTP runs by default on port 21 TCP. To connect to FTP you just have to run the following command:
ftp <IP>With just this connection you can’t do much because it will ask for credentials. However, if you have a username, you can use hydra to find its password. Hydra is a very fast online password cracking tool that performs attacks on protocols. In this case, you run:
hydra -t 4 -l <User> -P <Password_List> -vV <IP> <Protocol>- -t is the flag for the number of parallel connections to the target.
- -vV shows the login+password combination for each attempt.
We will now explore a service that is quite similar to FTP, and that NFS (Network File System). It’s a protocol that allows sharing of directories and files on a network. Users can use commands to create, remove, read, write and set file attributes for remote files and directories.
I will not go in-depth explaining how NFS works, I’m just gonna give a brief explanation so you can have an idea. First, the client mounts a directory from a remote host on a local directory, then the mount services will connect to the mount daemon using RPC (Remote Procedure Call).
The server then checks if the user has the right permissions to mount the requested directory. It will then return a file handle that uniquely identifies each file. It’s useful to know that an RPC call is placed to the NFSD (NFS Daemon) when someone wants to access the files. This call takes parameters such as:
- File handle
- Name of the file
- User ID
- User’s group ID
To perform a more complete enumeration on an NFS server, we need to have the tool nfs-common which is key to interacting with any NFS share from our local machine.
Having found a port running NFS during our Nmap scan, we then need to use the following command to list the NFS shares:
/usr/sbin/showmount -e <IP>Then we need to mount that share on our local machine to see what are its contents. But first, we need to create a temporary folder on our machine to mount the share to. To mount the share we need to use the following command:
sudo mount -t nfs <IP>:<share> /tmp/mount/ -nolock- -t — specifies the type of device to mount, in this case, nfs.
- /tmp/mount — is the folder we create to mount the share to.
- -nolock — specifies not to use NLM (Network Lock Manager) locking.
If we then go to /tmp/mount, we can see what files there are in that share, and hopefully, find some interesting information.
Next, I will show the steps to exploit it, and only then will I explain some of the steps.
- Have NFS access
- Gain Low Privilege Shell
- Upload Bash Executable to NFS share
- Set SUID Permissions due to Misconfigured Root Squash
- Login through SSH
- Execute SUID Bit Bash Executable
- Have Root Access
Let’s start with root squash. By default, it is enabled and prevents anyone from connecting to the share from having root access. If it’s misconfigured and disabled, it allows the creation of SUID bit files.
You can find a more in-depth explanation of SUID on my post about Privilege Escalation (Linux) — Part 1, but for this post, all you need to know is that a file with SUID bit set can be run with the permissions of the file owner/group, and in this case, as the super-user.
Well, this is all that's needed to exploit a misconfigured NFS share.
Finally, to end this post, let’s talk a bit about SMTP (Simple Mail Transfer Protocol). As the name says, it’s a protocol used to handle the sending of emails. To do this, it’s required a pair of protocols comprising of SMTP and POP/IMAP. Together these allow the user to send and receive email.
POP (Post Office Protocol) and IMAP (Internet Message Access Protocol) are both email protocols responsible for the transfer of mail between a client and a mail server.
It’s rather easy to explain how it works because it’s very similar to the physical mail system. The user supplies the email and a service, and through a series of steps, it will be delivered to the recipient's inbox. The role of the SMTP is to act as a sorting office, which means that the email is sent to the SMTP server that will direct it to its recipient.
There are 3 basic functions you should know about SMTP:
- It verifies who is sending the email.
- It sends emails (obviously).
- If the email can’t be sent, it warns who tried to send the email.
You can go more in-depth on how it works step-by-step, but I think this top-level explanation is enough to understand it.
SMTP runs on port 25 TCP.
To enumerate SMTP it’s easier to use Metasploit which has two modules that do the work for us. These modules are:
- smtp_version
- smtp_enum
After running this we should have useful info, and if you actually find a username, you can use hydra, just like in FTP, to try to brute-force the password on ssh.
hydra -t 16 -l <User> -P <Password_List> -vV <IP> <Protocol>You have a little breakdown of the command on the FTP section of this post.
This post was a lot of fun to write, it being the first post I make that explains some entry points to machines. I’m not saying that when you see these services you have an automatic entry point, just saying that now you have a simple guide of how you can try to exploit them. Remember that almost all exploits require some misconfiguration.
This was supposed to be in the “other” section with a “cybersecurity” tag but, as I finished writing this I thought that it was better fitted for the pentesting section because it actually has tips/guides to exploit these services.
Thank you for reading and see you next time.
