Everything you need to know about remote exploitation
Everyone wants to turn their GOD mode on when looking for vulnerabilities. Indeed, we have reached that point — Remote Exploitation. This term means finding a way to access the content you don’t have access to. Once found, just wait for the AHHHH moment!
Step 3: Exploiting vulnerabilities
After acquiring information about your target, it’s time to use that knowledge to gain access to it. If you are following the roadmap, make sure you have completed everything up to this point. If not, go back and
Exploitation can be both server-side and client-side. At the server end, it’s about having direct access to the server. On the other hand, on the client-side, it is about engaging with targets to exploit them.
This will require knowing some fundamentals of network protocols. You can learn about them in detail here. Most of the time you’ll come across these protocols:
- TCP (Transmission Control Protocol): TCP is a protocol used to ensure reliable delivery of data (packets)
- UDP (User Datagram Protocol): UDP is a protocol used for faster, connectionless delivery of packets
- ICMP (Internet Control Message Protocol): ICMP is used to send control messages to network devices and hosts
When interacting with a server, we target some specific protocols. Let’s talk about these:
- Text-based protocols: This is where we spend most of our time. They are human-readable, for example HTTP, FTP, SMTP.
FTP — File Transfer Protocol is used for uploading and downloading files from a server. It is considered the weakest because it is unencrypted. It runs on port 21.
SMTP — Simple Mail Transfer Protocol is used by mail servers. It is usually exposed and contains sensitive information, as we saw in bypassing Cloudflare. It usually runs on port 25.
- Binary protocols: These use raw bytes and are intended for machines to read.
Attacking Network Remote services
A while back, we learned how to find open ports and the services running on them. We will now look into various ways to crack usernames and passwords for these network services, for example FTP and SSH. Which way you choose depends on how hard the service is to break. The most common way is brute force: it can easily crack passwords when the authentication is weak. As penetration testers, this is not the first way we go unless it is done intelligently, because brute force is easily detected and generates a lot of noise. The common target protocols and services are:
Tools
There are various tools that are used for cracking network services, let’s check out a few:
THC Hydra
The oldest of the lot, and hence the password-cracking tool with the widest service coverage. You’ll use this for most of your penetration testing. To use it you need a username list and a password list; download those from here. Let’s try to crack services with Hydra.
How to use it?
hydra -L users.txt -P password.txt <target-ip> <service>
L - file of usernames
P - file of passwords
Medusa
Medusa is an alternative to THC Hydra; it’s faster and more stable.
How to use it?
medusa -h <target-ip> -u admin -P password_list.txt -M <service> -n <port>
h - host IP
u - a single username (use U for a file of usernames)
P - file of passwords
M - module, i.e. the service to test
n - port number
These are the tools that help break weak authentication on our target services, be it FTP, SSH, etc. All of these services can be attacked the same way. But this is not all there is to remote exploitation; it’s just the start, and we’ll cover more of it in the coming articles. For now, this is what you have to practice.
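The flip side of the noise mentioned above: a wordlist run against SSH shows up in the server’s auth log as a burst of failed logins from one source. As an added example (not code from the original article), this Python script parses constructed OpenSSH-style log lines and flags any source IP that reaches a threshold of failures inside a sliding time window; the hostnames, IPs and timestamps are made up.

```python
# Added example (not from the original article): flag SSH brute-force attempts
# in auth-log lines by counting failed logins per source IP inside a sliding
# time window. A wordlist run from Hydra or Medusa produces exactly this pattern.
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in OpenSSH/syslog format (syslog omits the year).
SAMPLE_LOG = """\
Mar  4 10:00:01 web1 sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 40212 ssh2
Mar  4 10:00:02 web1 sshd[1203]: Failed password for invalid user test from 198.51.100.7 port 40214 ssh2
Mar  4 10:00:02 web1 sshd[1205]: Failed password for root from 198.51.100.7 port 40216 ssh2
Mar  4 10:00:03 web1 sshd[1207]: Failed password for root from 198.51.100.7 port 40218 ssh2
Mar  4 10:00:04 web1 sshd[1209]: Failed password for invalid user oracle from 198.51.100.7 port 40220 ssh2
Mar  4 10:05:30 web1 sshd[1300]: Failed password for alice from 203.0.113.9 port 51000 ssh2
Mar  4 10:05:41 web1 sshd[1302]: Accepted password for alice from 203.0.113.9 port 51002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_failures(log_text, year=2024):
    """Yield (timestamp, username, source_ip) for every failed-login line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            stamp = " ".join(m["ts"].split())  # collapse syslog's padded day field
            yield datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"), m["user"], m["ip"]

def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {ip: (failures_in_window, distinct_usernames)} for every source IP
    that reaches `threshold` failed logins inside a `window_seconds` window."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    users = defaultdict(set)     # ip -> usernames tried (spraying shows up here)
    flagged = {}
    for ts, user, ip in parse_failures(log_text):
        q = recent[ip]
        q.append(ts)
        users[ip].add(user)
        while (ts - q[0]).total_seconds() > window_seconds:  # expire old entries
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = (len(q), len(users[ip]))
    return flagged

if __name__ == "__main__":
    for ip, (n, u) in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {n} failures against {u} usernames in 60s -> likely brute force")
```

The legitimate user who mistypes once is not flagged; the source cycling through several usernames in a few seconds is, which is why tools such as fail2ban key on the same pattern.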
To-Do
- Read about these protocols and services
- Try out Hydra and Medusa
Don’t forget to do this with caution. CAUTION: This information is for educational purposes only. Do not use it for any illegal purposes. If you find something sensitive during the practice, report it to the concerned person immediately.
Keep practicing till the next one. There is more to come on this, stay tuned! If you have not yet subscribed, go ahead and subscribe to the newsletter.