Thursday, April 24, 2014

Using nmap and netcat to fingerprint a machine

At times you will run into a machine that is vulnerable, but you have no access to it and are not sure what applications are running on it, who owns it, or which AWS account it belongs to. You can use "nmap" and "nc" to identify the open ports and possibly the applications running behind them. First, if you know the IP address, you can use the "dig" or "host" command to determine the hostname and SOA record:

$ dig -x 54.186.x.x

*****************
; <<>> DiG 9.7.1 <<>> -x 54.186.x.x
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58324
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;62.162.186.54.in-addr.arpa.    IN      PTR

;; ANSWER SECTION:
62.162.186.54.in-addr.arpa. 176 IN      PTR     ec2-54-186-x-x.us-west-2.compute.amazonaws.com.

;; Query time: 21 msec
;; SERVER: 10.106.x.x#53(10.106.x.x)
;; WHEN: Thu Apr 24 12:30:24 2014
;; MSG SIZE  rcvd: 107
*****************

$ host -v ec2-54-186-x-x.us-west-2.compute.amazonaws.com

*****************
Trying "ec2-54-186-x-x.us-west-2.compute.amazonaws.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14067
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ec2-54-186-x-x.us-west-2.compute.amazonaws.com. IN A

;; ANSWER SECTION:
ec2-54-186-x-x.us-west-2.compute.amazonaws.com. 6060 IN A 54.186.x.x

Received 83 bytes from 10.106.x.x#53 in 5 ms
Trying "ec2-54-186-x-x.us-west-2.compute.amazonaws.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12789
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;ec2-54-186-x-x.us-west-2.compute.amazonaws.com. IN AAAA

;; AUTHORITY SECTION:
us-west-2.compute.amazonaws.com. 899 IN SOA     dns-external-master.amazon.com.
root.amazon.com. 5267 600 120 604800 900

Received 135 bytes from 10.106.x.x#53 in 66 ms
Trying "ec2-54-186-x-x.us-west-2.compute.amazonaws.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8921
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;ec2-54-186-x-x.us-west-2.compute.amazonaws.com. IN MX

;; AUTHORITY SECTION:
us-west-2.compute.amazonaws.com. 899 IN SOA     dns-external-master.amazon.com.
root.amazon.com. 5267 600 120 604800 900

Received 135 bytes from 10.106.x.x#53 in 44 ms
*****************

$ dig SOA +multiline ec2-54-186-x-x.us-west-2.compute.amazonaws.com

*****************
; <<>> DiG 9.7.1 <<>> SOA +multiline ec2-54-186-x-x.us-west-2.compute.amazonaws.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26020
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;ec2-54-186-x-x.us-west-2.compute.amazonaws.com. IN SOA

;; AUTHORITY SECTION:
us-west-2.compute.amazonaws.com. 899 IN SOA dns-external-master.amazon.com. root.amazon.com. (
                                5267       ; serial
                                600        ; refresh (10 minutes)
                                120        ; retry (2 minutes)
                                604800     ; expire (1 week)
                                900        ; minimum (15 minutes)
                                )

;; Query time: 110 msec
;; SERVER: 10.106.x.x#53(10.106.x.x)
;; WHEN: Thu Apr 24 12:39:43 2014
;; MSG SIZE  rcvd: 135
*****************
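The lookups above do two things worth separating: the reverse (PTR) query tells you what name the owner of the in-addr.arpa zone chose to publish for the address, and the forward query on that name shows whether it actually resolves back to the same address. Only the second makes the name trustworthy, because a PTR record is controlled by whoever runs the reverse zone. The following Python is an added example, not code from the original post: it builds the in-addr.arpa name that `dig -x` queries, parses dig's ANSWER SECTION in the layout shown above, decodes the region and address embedded in an EC2 public hostname, and performs the forward-confirmed check. The address, hostname and dig transcripts are constructed samples using a TEST-NET-3 address, not the host from the post.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed sample values (not from the original post): a TEST-NET-3 address
# written in the EC2 public-hostname pattern that the post's dig/host output shows.
SAMPLE_IP = "203.0.113.7"
SAMPLE_PTR_HOST = "ec2-203-0-113-7.us-west-2.compute.amazonaws.com."

# Constructed dig output, same layout as the post's "dig -x" transcript.
SAMPLE_DIG_REVERSE = """\
;; QUESTION SECTION:
;7.113.0.203.in-addr.arpa.    IN      PTR

;; ANSWER SECTION:
7.113.0.203.in-addr.arpa. 176 IN      PTR     ec2-203-0-113-7.us-west-2.compute.amazonaws.com.

;; Query time: 21 msec
"""

# Constructed dig output for the forward (A) lookup of the PTR target.
SAMPLE_DIG_FORWARD = """\
;; ANSWER SECTION:
ec2-203-0-113-7.us-west-2.compute.amazonaws.com. 6060 IN A 203.0.113.7
"""

# EC2 public hostnames encode the public IPv4 address and the region.
EC2_HOST_RE = re.compile(
    r"^ec2-(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})\.([a-z0-9-]+)\.compute\.amazonaws\.com\.?$"
)


def reverse_name(ip: str) -> str:
    """The in-addr.arpa (or ip6.arpa) owner name that `dig -x IP` actually queries."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def parse_answer_section(dig_output: str) -> List[Tuple[str, int, str, str, str]]:
    """Extract (owner, ttl, class, type, rdata) records from dig's ANSWER SECTION.

    Lines beginning with ';' are dig's own comments and section headers, not records.
    """
    records = []
    in_answer = False
    for line in dig_output.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if line.startswith(";;"):  # any other ';;' line starts a different section
            in_answer = False
            continue
        if not in_answer or not line.strip() or line.startswith(";"):
            continue
        owner, ttl, rclass, rtype, rdata = line.split(None, 4)
        records.append((owner, int(ttl), rclass, rtype, rdata.strip()))
    return records


def parse_ec2_hostname(hostname: str) -> Optional[dict]:
    """Decode the address and region from an EC2 public hostname, or None if it
    does not follow that pattern."""
    m = EC2_HOST_RE.match(hostname)
    if not m:
        return None
    return {"ip": ".".join(m.group(i) for i in range(1, 5)), "region": m.group(5)}


def forward_confirmed(ip: str, reverse_output: str, forward_output: str) -> bool:
    """Forward-confirmed reverse DNS: some PTR target for `ip` must carry an A/AAAA
    record pointing back at `ip`. A PTR on its own proves nothing about ownership."""
    ptr_targets = [r[4] for r in parse_answer_section(reverse_output) if r[3] == "PTR"]
    if not ptr_targets:
        return False
    forward = {
        (r[0].lower(), r[4])
        for r in parse_answer_section(forward_output)
        if r[3] in ("A", "AAAA")
    }
    return any((target.lower(), ip) in forward for target in ptr_targets)


if __name__ == "__main__":
    print("reverse name:", reverse_name(SAMPLE_IP))
    print("PTR records:", parse_answer_section(SAMPLE_DIG_REVERSE))
    print("decoded hostname:", parse_ec2_hostname(SAMPLE_PTR_HOST))
    print("forward-confirmed:", forward_confirmed(SAMPLE_IP, SAMPLE_DIG_REVERSE, SAMPLE_DIG_FORWARD))
```

In practice you would feed the functions the real `dig -x` and `dig A` output for the address you are investigating; the decoded region is what tells you which AWS region to mention when you contact Amazon, and a failed forward confirmation means the PTR name should not be relied on.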

Next, you can run nmap on the machine to see the list of TCP ports open:

$ nmap -v -sT 54.186.x.x

*****************
Starting Nmap 6.45 ( http://nmap.org ) at 2014-04-24 12:51 PDT
Initiating Ping Scan at 12:51
Scanning 54.186.x.x [2 ports]
Completed Ping Scan at 12:51, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 12:51
Completed Parallel DNS resolution of 1 host. at 12:51, 0.05s elapsed
Initiating Connect Scan at 12:51
Scanning ec2-54-186-x-x.us-west-2.compute.amazonaws.com (54.186.x.x) [1000 ports]
Discovered open port 443/tcp on 54.186.x.x
Discovered open port 3389/tcp on 54.186.x.x
Discovered open port 21/tcp on 54.186.x.x
Discovered open port 80/tcp on 54.186.x.x
Discovered open port 9009/tcp on 54.186.x.x
Completed Connect Scan at 12:52, 59.26s elapsed (1000 total ports)
Nmap scan report for ec2-54-186-x-x.us-west-2.compute.amazonaws.com (54.186.x.x)
Host is up (0.030s latency).
Not shown: 805 filtered ports, 190 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
80/tcp   open  http
443/tcp  open  https
3389/tcp open  ms-wbt-server
9009/tcp open  pichat

Read data files from: /usr/bin/../share/nmap
*****************
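Nmap's SERVICE column is a name looked up from the port number in its services table, not a fingerprint of whatever actually answered, so the platform guess you make from a port list is only a hint. The following Python is an added example, not code from the original post or from the nmap project: it parses a scan report in nmap's normal-output layout into the open-port list, turns well-known ports into platform hints, and compares the observed ports against the exposure you intended for the host (for a web server, typically only 80 and 443). The scan report is a constructed sample modelled on the transcript above, with a TEST-NET-3 address in place of the real host.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed scan report in nmap's normal-output layout (modelled on the post's
# transcript; the address and hostname are TEST-NET-3 samples, not the real host).
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for ec2-203-0-113-7.us-west-2.compute.amazonaws.com (203.0.113.7)
Host is up (0.030s latency).
Not shown: 805 filtered ports, 190 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
80/tcp   open  http
443/tcp  open  https
3389/tcp open  ms-wbt-server
9009/tcp open  pichat

Read data files from: /usr/bin/../share/nmap
"""

# Matches the "PORT STATE SERVICE" table rows, e.g. "3389/tcp open  ms-wbt-server".
PORT_LINE_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

# Well-known ports and the platform they usually indicate. Hints only: the service
# name comes from nmap's port table, not from anything the host sent back.
PORT_HINTS: Dict[int, str] = {
    135: "Windows (MSRPC)",
    445: "Windows (SMB)",
    3389: "Windows (RDP / ms-wbt-server)",
    22: "Unix-like host or network device (SSH)",
}

OpenPort = Tuple[int, str, str]  # (port, protocol, nmap service name)


def parse_scan_report(text: str) -> Tuple[Optional[str], List[OpenPort]]:
    """Return (target, open_ports) from nmap normal output.

    Rows whose STATE is not 'open' (closed, filtered) are ignored, as are the
    table header and nmap's surrounding status lines.
    """
    target = None
    open_ports: List[OpenPort] = []
    for line in text.splitlines():
        if line.startswith("Nmap scan report for "):
            target = line[len("Nmap scan report for "):].strip()
            continue
        m = PORT_LINE_RE.match(line)
        if m and m.group(3) == "open":
            open_ports.append((int(m.group(1)), m.group(2), m.group(4)))
    return target, open_ports


def platform_hints(open_ports: List[OpenPort]) -> Dict[int, str]:
    """Map the open ports that appear in PORT_HINTS to their platform hint."""
    return {port: PORT_HINTS[port] for port, _, _ in open_ports if port in PORT_HINTS}


def unexpected_ports(open_ports: List[OpenPort], allowed: Set[int]) -> List[int]:
    """Open ports outside the exposure you intended for the host, sorted.

    For a machine that is meant to be only a web server, everything beyond
    80 and 443 (here FTP, RDP and an unrecognised 9009) is worth a review.
    """
    return sorted(port for port, _, _ in open_ports if port not in allowed)


if __name__ == "__main__":
    target, ports = parse_scan_report(SAMPLE_NMAP_OUTPUT)
    print("target:", target)
    for port, proto, service in ports:
        print(f"  {port}/{proto} {service}")
    print("platform hints:", platform_hints(ports))
    print("outside web-only allowlist {80, 443}:", unexpected_ports(ports, {80, 443}))
```

To use it on a real scan, save nmap's output with `-oN report.txt` and pass the file contents to `parse_scan_report`; the allowlist is the one place you encode what the host is supposed to expose, so the diff it produces is the actionable part.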

From the open ports it looks like a Windows machine running a web server on port 80 and RDP on port 3389. Next, we can hit port 80 on the machine, either through a browser or with other tools, to see what kind of web server is running. Typically, if a web server has been hardened correctly, it will not serve a default page, or it will deny the connection. Below is an example using "nc" (netcat) to send a malformed request (HTTP/3.0 instead of HTTP/1.0 or HTTP/1.1):

$ nc 54.186.x.x 80

*****************
HEAD / HTTP/3.0
Connection closed by foreign host.
*****************

Hopefully the above gives you some idea of the applications running on the machine; you can then get in touch with Amazon support, who can send an email to the owner of the AWS account where that machine resides.
