El pasado martes 22 de septiembre, comenzó la primera edición del curso
Hacking Ético de MONDRAGON UNIBERTSITATEA.
En la primera tarea de la unidad 1, se trata de obtener información de servidores externos.
Los comandos básicos que se utilizarán son:
Mediante el comando
ping, comprobaremos la comunicación entre el host local y un equipo remoto.
Se puede realizar un ping directamente a la dirección IP o bien al dominio. Con la opción -c y un número se define la cantidad de ping a realizar.
sergio@tux:~$ ping 192.168.1.1 -c 4
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=1.95 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=0.887 ms
64 bytes from 192.168.1.1: icmp_seq=3 ttl=64 time=0.865 ms
64 bytes from 192.168.1.1: icmp_seq=4 ttl=64 time=0.883 ms
--- 192.168.1.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3000ms
rtt min/avg/max/mdev = 0.865/1.146/1.950/0.464 ms
sergio@tux:~$
sergio@tux:~$ ping www.lemaker.org -c 4
PING www.lemaker.org (120.25.215.191) 56(84) bytes of data.
64 bytes from www.lemaker.org (120.25.215.191): icmp_seq=1 ttl=44 time=331 ms
64 bytes from www.lemaker.org (120.25.215.191): icmp_seq=2 ttl=44 time=332 ms
64 bytes from www.lemaker.org (120.25.215.191): icmp_seq=3 ttl=44 time=373 ms
64 bytes from www.lemaker.org (120.25.215.191): icmp_seq=4 ttl=44 time=368 ms
--- www.lemaker.org ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3000ms
rtt min/avg/max/mdev = 331.379/351.571/373.880/19.756 ms
sergio@tux:~$
En algunos casos, los servidores se configuran para que no contesten a la peticiones de ping.
sergio@tux:~$ ping www.guadalinex.org -c 4
PING inv2.juntadeandalucia.es (217.12.28.33) 56(84) bytes of data.
--- inv2.juntadeandalucia.es ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3007ms
sergio@tux:~$
WHOIS, es un protocolo con el que podemos obtener información del propietario de un dominio, email, dirección, etc.
Mediante el comando
whois dominio obtendremos dicha información, también podemos guardarla directamente en un fichero añadiendo >>.
sergio@tux:~$ whois lemaker.org >> whois_lemaker.log
sergio@tux:~$
Contenido whois lemaker.org
Domain Name:LEMAKER.ORG
Domain ID: D170120242-LROR
Creation Date: 2013-11-07T08:22:43Z
Updated Date: 2015-08-19T09:49:10Z
Registry Expiry Date: 2017-11-07T08:22:43Z
Sponsoring Registrar:Chengdu West Dimension Digital Technology Co., Ltd. (R1898-LROR)
Sponsoring Registrar IANA ID: 1556
WHOIS Server:
Referral URL:
Domain Status: ok -- http://www.icann.org/epp#ok
Registrant ID:1556-75475-d-001
Registrant Name:Fu Lanhui
Registrant Organization:Shenzhen Lemaker Science Technology Co Ltd.
Registrant Street: HIT Campus of ShenZhen University Town, XiLi
Registrant City:Shenzhen
Registrant State/Province:GD
Registrant Postal Code:518055
Registrant Country:CN
Registrant Phone:+86.00100000001
Registrant Phone Ext:
Registrant Fax: +86.075526033009
Registrant Fax Ext:
Registrant Email:709983059@qq.com
Admin ID:1556-75475-a-001
Admin Name:Joe Zheng
Admin Organization:Joe Zheng
Admin Street: HIT Campus of ShenZhen University Town, XiLi
Admin City:Shenzhen
Admin State/Province:GD
Admin Postal Code:518055
Admin Country:CN
Admin Phone:+86.075536330749
Admin Phone Ext:
Admin Fax: +86.075536330749
Admin Fax Ext:
Admin Email:joe.zheng@lemaker.org
Tech ID:1556-75475-t-001
Tech Name:Fu Lanhui
Tech Organization:Shenzhen Lemaker Science Technology Co Ltd.
Tech Street: HIT Campus of ShenZhen University Town, XiLi
Tech City:Shenzhen
Tech State/Province:GD
Tech Postal Code:518055
Tech Country:CN
Tech Phone:+86.00100000001
Tech Phone Ext:
Tech Fax: +86.075526033009
Tech Fax Ext:
Tech Email:709983059@qq.com
Name Server:S1.DNSNS5.COM
Name Server:S2.DNSNS5.COM
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
DNSSEC:Unsigned
Access to Public Interest Registry WHOIS information is provided to assist persons in determining the contents of a domain name registration record in the Public Interest Registry registry database. The data in this record is provided by Public Interest Registry for informational purposes only, and Public Interest Registry does not guarantee its accuracy. This service is intended only for query-based access. You agree that you will use this data only for lawful purposes and that, under no circumstances will you use this data to(a) allow, enable, or otherwise support the transmission by e-mail, telephone, or facsimile of mass unsolicited, commercial advertising or solicitations to entities other than the data recipient's own existing customers; or (b) enable high volume, automated, electronic processes that send queries or data to the systems of Registry Operator, a Registrar, or Afilias except as reasonably necessary to register domain names or modify existing registrations. All rights reserved. Public Interest Registry reserves the right to modify these terms at any time. By submitting this query, you agree to abide by this policy. For more information on Whois status codes, please visit https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-en.
El tercer comando
Nmap, sirve para escanear puertos y servicios de un servidor.
Algunas de las opciones interesantes son:
-O detección sistema operativo
-v modo detallado
-sV versiones
-A sistema operativo y versiones
-T4 incrementar los tiempos
Detección sistema operativo lemaker.org
sergio@tux:~$ sudo nmap -O -v lemaker.org
[sudo] password for sergio:
Starting Nmap 6.40 ( http://nmap.org ) at 2015-09-26 12:46 CEST
Initiating Ping Scan at 12:46
Scanning lemaker.org (120.25.215.191) [4 ports]
Completed Ping Scan at 12:46, 1.41s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 12:46
Completed Parallel DNS resolution of 1 host. at 12:46, 0.01s elapsed
Initiating SYN Stealth Scan at 12:46
Scanning lemaker.org (120.25.215.191) [1000 ports]
SYN Stealth Scan Timing: About 8.50% done; ETC: 12:52 (0:05:34 remaining)
SYN Stealth Scan Timing: About 16.50% done; ETC: 12:52 (0:05:09 remaining)
SYN Stealth Scan Timing: About 24.10% done; ETC: 12:52 (0:04:47 remaining)
SYN Stealth Scan Timing: About 32.50% done; ETC: 12:52 (0:04:11 remaining)
SYN Stealth Scan Timing: About 43.10% done; ETC: 12:51 (0:03:19 remaining)
SYN Stealth Scan Timing: About 38.60% done; ETC: 12:53 (0:04:48 remaining)
Increasing send delay for 120.25.215.191 from 0 to 5 due to max_successful_tryno increase to 4
SYN Stealth Scan Timing: About 45.18% done; ETC: 12:53 (0:04:17 remaining)
SYN Stealth Scan Timing: About 53.20% done; ETC: 12:53 (0:03:33 remaining)
SYN Stealth Scan Timing: About 59.78% done; ETC: 12:53 (0:03:03 remaining)
Discovered open port 80/tcp on 120.25.215.191
SYN Stealth Scan Timing: About 65.93% done; ETC: 12:53 (0:02:36 remaining)
Discovered open port 22/tcp on 120.25.215.191
Increasing send delay for 120.25.215.191 from 5 to 10 due to 11 out of 23 dropped probes since last increase.
SYN Stealth Scan Timing: About 84.87% done; ETC: 12:52 (0:00:59 remaining)
Completed SYN Stealth Scan at 12:52, 365.51s elapsed (1000 total ports)
Initiating OS detection (try #1) against lemaker.org (120.25.215.191)
adjust_timeouts2: packet supposedly had rtt of -56517 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -56517 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -77059 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -77059 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -99119 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -99119 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -99662 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -99662 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -89396 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -89396 microseconds. Ignoring time.
Retrying OS detection (try #2) against lemaker.org (120.25.215.191)
Nmap scan report for lemaker.org (120.25.215.191)
Host is up (0.33s latency).
Not shown: 977 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp closed https
20000/tcp closed dnp
20005/tcp closed btx
20031/tcp closed unknown
20222/tcp closed ipulse-ics
20828/tcp closed unknown
21571/tcp closed unknown
22939/tcp closed unknown
23502/tcp closed unknown
24444/tcp closed unknown
24800/tcp closed unknown
25734/tcp closed unknown
25735/tcp closed unknown
26214/tcp closed unknown
27000/tcp closed flexlm0
27352/tcp closed unknown
27353/tcp closed unknown
27355/tcp closed unknown
27356/tcp closed unknown
27715/tcp closed unknown
30000/tcp closed unknown
Device type: general purpose|WAP|storage-misc|media device|broadband router
Running (JUST GUESSING): Linux 2.6.X|2.4.X|3.X (94%), Linksys Linux 2.4.X (91%), HP embedded (91%), Netgear embedded (89%), Western Digital embedded (89%)
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:2.6.22 cpe:/o:linksys:linux_kernel:2.4 cpe:/o:linux:linux_kernel:2.4 cpe:/h:hp:p2000_g3 cpe:/o:linux:linux_kernel:3 cpe:/h:netgear:dg834g cpe:/o:westerndigital:wd_tv
Aggressive OS guesses: Linux 2.6.32 (94%), OpenWrt Kamikaze 7.09 (Linux 2.6.22) (92%), OpenWrt White Russian 0.9 (Linux 2.4.30) (91%), OpenWrt 0.9 - 7.09 (Linux 2.4.30 - 2.4.34) (91%), HP P2000 G3 NAS device (91%), Linux 3.0 (89%), Netgear DG834G WAP or Western Digital WD TV media player (89%), Linux 3.2 (88%), Linux 2.4.18 (88%), Linux 2.6.38 (88%)
No exact OS matches for host (test conditions non-ideal).
TCP Sequence Prediction: Difficulty=259 (Good luck!)
IP ID Sequence Generation: All zeros
Read data files from: /usr/bin/../share/nmap
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 379.39 seconds
Raw packets sent: 5666 (253.036KB) | Rcvd: 315 (23.068KB)
sergio@tux:~$
No se puede determinar la versión del sistema operativo, pero nos indica en % los posibles.
Detección sistema operativo y versiones.
sergio@tux:~$ nmap -T4 -A -v lemaker.org >> nmap_lemaker.log
sergio@tux:~$
Contenido nmap -T4 -A -v lemaker.org
Starting Nmap 6.40 ( http://nmap.org ) at 2015-09-26 13:07 CEST
NSE: Loaded 110 scripts for scanning.
NSE: Script Pre-scanning.
Initiating Ping Scan at 13:07
Scanning lemaker.org (120.25.215.191) [2 ports]
Completed Ping Scan at 13:07, 3.50s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 13:07
Completed Parallel DNS resolution of 1 host. at 13:07, 0.00s elapsed
Initiating Connect Scan at 13:07
Scanning lemaker.org (120.25.215.191) [1000 ports]
Discovered open port 22/tcp on 120.25.215.191
Discovered open port 80/tcp on 120.25.215.191
Connect Scan Timing: About 21.40% done; ETC: 13:09 (0:01:54 remaining)
Increasing send delay for 120.25.215.191 from 0 to 5 due to 11 out of 22 dropped probes since last increase.
Connect Scan Timing: About 24.35% done; ETC: 13:11 (0:03:10 remaining)
Connect Scan Timing: About 27.30% done; ETC: 13:12 (0:04:02 remaining)
Increasing send delay for 120.25.215.191 from 5 to 10 due to 11 out of 11 dropped probes since last increase.
Connect Scan Timing: About 30.25% done; ETC: 13:13 (0:04:39 remaining)
Connect Scan Timing: About 33.20% done; ETC: 13:14 (0:05:04 remaining)
Connect Scan Timing: About 38.20% done; ETC: 13:16 (0:05:27 remaining)
Connect Scan Timing: About 53.80% done; ETC: 13:16 (0:04:26 remaining)
Connect Scan Timing: About 63.95% done; ETC: 13:16 (0:03:12 remaining)
Connect Scan Timing: About 70.85% done; ETC: 13:16 (0:02:45 remaining)
Connect Scan Timing: About 76.95% done; ETC: 13:17 (0:02:16 remaining)
Connect Scan Timing: About 82.80% done; ETC: 13:17 (0:01:45 remaining)
Connect Scan Timing: About 88.30% done; ETC: 13:17 (0:01:13 remaining)
Connect Scan Timing: About 93.70% done; ETC: 13:17 (0:00:40 remaining)
Completed Connect Scan at 13:17, 613.05s elapsed (1000 total ports)
Initiating Service scan at 13:17
Scanning 2 services on lemaker.org (120.25.215.191)
Completed Service scan at 13:17, 7.25s elapsed (2 services on 1 host)
NSE: Script scanning 120.25.215.191.
Initiating NSE at 13:17
Completed NSE at 13:18, 23.98s elapsed
Nmap scan report for lemaker.org (120.25.215.191)
Host is up (0.38s latency).
Not shown: 994 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.3 (protocol 2.0)
| ssh-hostkey: 1024 20:dd:d7:6f:30:57:34:c1:17:13:97:0f:c8:aa:06:a2 (DSA)
|_2048 b0:0f:aa:ce:c9:8a:95:c0:7c:1f:78:48:3d:8f:5a:e4 (RSA)
80/tcp open http nginx
|_http-favicon: Unknown favicon MD5: D7A9C4E1F7BD1804B152F93603FA0055
|_http-generator: Discuz! X3.2
|_http-methods: No Allow or Public header in OPTIONS response (status code 301)
| http-robots.txt: 22 disallowed entries (15 shown)
| /api/ /data/ /source/ /install/ /template/ /config/
| /uc_client/ /uc_server/ /static/ /admin.php /search.php
|_/member.php /api.php /misc.php /connect.php
| http-title: LeMaker|The Open Source SBCs Community
|_Requested resource was http://www.lemaker.org/
443/tcp closed https
21571/tcp closed unknown
22939/tcp closed unknown
27356/tcp closed unknown
NSE: Script Post-scanning.
Initiating NSE at 13:18
Completed NSE at 13:18, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 650.57 seconds
Detección servicios y versiones.
sergio@tux:~$ nmap -T4 -sV -v lemaker.org
Starting Nmap 6.40 ( http://nmap.org ) at 2015-09-26 13:48 CEST
NSE: Loaded 23 scripts for scanning.
Initiating Ping Scan at 13:48
Scanning lemaker.org (120.25.215.191) [2 ports]
Completed Ping Scan at 13:48, 0.38s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 13:48
Completed Parallel DNS resolution of 1 host. at 13:48, 0.00s elapsed
Initiating Connect Scan at 13:48
Scanning lemaker.org (120.25.215.191) [1000 ports]
Discovered open port 80/tcp on 120.25.215.191
Discovered open port 3306/tcp on 120.25.215.191
Discovered open port 22/tcp on 120.25.215.191
Connect Scan Timing: About 15.30% done; ETC: 13:51 (0:02:52 remaining)
Increasing send delay for 120.25.215.191 from 0 to 5 due to 11 out of 23 dropped probes since last increase.
Connect Scan Timing: About 18.45% done; ETC: 13:53 (0:04:30 remaining)
Connect Scan Timing: About 21.55% done; ETC: 13:55 (0:05:31 remaining)
Increasing send delay for 120.25.215.191 from 5 to 10 due to 11 out of 11 dropped probes since last increase.
Connect Scan Timing: About 24.75% done; ETC: 13:56 (0:06:08 remaining)
Connect Scan Timing: About 28.15% done; ETC: 13:57 (0:06:33 remaining)
Connect Scan Timing: About 54.90% done; ETC: 13:57 (0:04:12 remaining)
Connect Scan Timing: About 63.65% done; ETC: 13:58 (0:03:43 remaining)
Connect Scan Timing: About 70.45% done; ETC: 13:59 (0:03:12 remaining)
Connect Scan Timing: About 76.35% done; ETC: 13:59 (0:02:39 remaining)
Connect Scan Timing: About 81.95% done; ETC: 13:59 (0:02:05 remaining)
Connect Scan Timing: About 90.75% done; ETC: 13:59 (0:01:02 remaining)
Completed Connect Scan at 13:58, 609.29s elapsed (1000 total ports)
Initiating Service scan at 13:58
Scanning 3 services on lemaker.org (120.25.215.191)
Completed Service scan at 13:58, 7.31s elapsed (3 services on 1 host)
NSE: Script scanning 120.25.215.191.
Nmap scan report for lemaker.org (120.25.215.191)
Host is up (0.31s latency).
Not shown: 995 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.3 (protocol 2.0)
80/tcp open http nginx
443/tcp closed https
3306/tcp open mysql MySQL 5.6.25-log
23502/tcp closed unknown
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 617.84 seconds
sergio@tux:~$
Con los diferentes análisis que se han realizado, encontramos 3 puertos abiertos (22, 80, y 3306), servicios ssh, http y mysql con sus respectivas versiones.
Para determinar si existen vulnerabilidades en algunos de los servicios encontrados, se puede consultar la Base de Datos de Vulnerabilidades Nacional de Estados Unidos (
NVD)
En el servicio ssh versión 5.3, se han detectado 2 vulnerabilidades (
busqueda), nginx se han detectado 20 vulnerabilidades (
busqueda) y en el servicio mysql 0 vulnerabilidades (
busqueda)