Learning Kali Linux
110 | Chapter 3: Reconnaissance
Manual Interaction

Although the automated tools to gather information are great, sometimes you need to get down in the dirt and play with the protocol directly. This means opening up a connection to the service port and issuing protocol commands. One program you can use is the telnet client. This is different from either the Telnet protocol or Telnet server. Although the telnet client is used to interact with a Telnet server, it is really just a program that can open a TCP connection to a remote server. All you need to do is provide a port number to telnet. In Example 3-23, I've used telnet to open a connection to a Simple Mail Transfer Protocol (SMTP) server.

Example 3-23. Using telnet to interact with a mail server

    root@rosebud:~# telnet 192.168.86.35 25
    Trying 192.168.86.35...
    Connected to 192.168.86.35.
    Escape character is '^]'.
    220 rosebud.washere.com ESMTP Postfix (Debian/GNU)
    EHLO blah.com
    250-rosebud.washere.com
    250-PIPELINING
    250-SIZE 10240000
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250-DSN
    250 SMTPUTF8
    MAIL FROM: foo@foo.com
    250 2.1.0 Ok
    RCPT To: root@localhost
    250 2.1.5 Ok

If using the telnet client, it would default to port 23, which is the standard Telnet port. However, if we provide a port number, in this case 25, we can get telnet to open a TCP connection to that port. Once we have the connection open, which is clearly indicated, you can start typing protocol statements. Since it's an SMTP server, what you are seeing is a conversation in Extended SMTP (ESMTP). We can gather information using this approach, including the type of SMTP server (Postfix) as well as protocol commands that are available. While these are all SMTP commands, servers are not required to implement them. The VRFY command, for example, is used to verify addresses. This could be used to enumerate users on a mail server. That's not something organizations will want remote users to be able to do, because it can expose information that might be useful to an attacker. Instead, they may just disable that command.

The first message we get back from the server is the service banner. Some protocols use a service banner to announce details about the application. When a tool like nmap gathers version information, it is looking for these service banners. Not all protocols or servers will send out a service banner with protocol or server information.
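As an added illustration that is not from the book, the same exchange as Example 3-23 done in Python instead of by hand: connect, capture the service banner, send EHLO, parse the multi-line 250 reply into the list of advertised extensions, and report whether VRFY is among them, so an administrator can check their own server for the exposure described above. The server side is a constructed stand-in that replays the Postfix responses from Example 3-23 so the script runs offline; the helo_name value and the function names are assumptions, not anything from the page.

```python
import socket
import threading
# Constructed sample replies, taken from the Example 3-23 transcript above.
BANNER = b"220 rosebud.washere.com ESMTP Postfix (Debian/GNU)\r\n"
EHLO_REPLY = (b"250-rosebud.washere.com\r\n250-PIPELINING\r\n250-SIZE 10240000\r\n"
              b"250-VRFY\r\n250-ETRN\r\n250-STARTTLS\r\n250-ENHANCEDSTATUSCODES\r\n"
              b"250-8BITMIME\r\n250-DSN\r\n250 SMTPUTF8\r\n")

def read_reply(rd):
    """Read one SMTP reply: a '-' after the 3-digit code continues it, a space ends it."""
    lines = []
    while True:
        line = rd.readline()
        if not line:
            return lines
        lines.append(line.rstrip(b"\r\n").decode())
        if line[3:4] != b"-":
            return lines

def grab_smtp_banner(host, port, helo_name="audit.example"):
    """Connect, read the service banner, send EHLO, return (banner, advertised extensions)."""
    with socket.create_connection((host, port), timeout=5) as s, s.makefile("rb") as rd:
        banner = read_reply(rd)[0]
        s.sendall(f"EHLO {helo_name}\r\n".encode())
        ehlo = read_reply(rd)
        s.sendall(b"QUIT\r\n")
    # The first EHLO line is the server's own name; the rest are the extensions it offers.
    return banner, [ln[4:].split()[0] for ln in ehlo[1:]]

def _fake_smtp_server():
    """Constructed stand-in for the Postfix server so the example runs offline."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(BANNER)
            while data := conn.recv(1024):
                if data.upper().startswith(b"EHLO"):
                    conn.sendall(EHLO_REPLY)
                elif data.upper().startswith(b"QUIT"):
                    break
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def audit_vrfy(host="127.0.0.1", port=None):
    # Report the banner, the extensions, and whether VRFY (user enumeration) is advertised.
    port = port or _fake_smtp_server()
    banner, caps = grab_smtp_banner(host, port)
    return banner, caps, "VRFY" in caps
```

Against a real server, pass its host and port to audit_vrfy instead of letting it start the stand-in; a result of True means the VRFY command is advertised and worth disabling.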

telnet is not the only command that can be used to interact with servers. You can also use netcat, which is commonly done via the command nc. We can use nc in the same way that we use telnet. In Example 3-24, I've opened a connection to a web server at 192.168.86.1. Unlike telnet, nc doesn't indicate that the connection is open. If the port is closed, you will get a message saying, "Connection refused." If you don't get that message, you can assume the connection is open and you can start typing commands. You'll see an HTTP/1.1 request being sent to the remote server. Once the request has