Searching for vulnerabilities
David Núñez Álvarez
PSI 2011/2012
To avoid disclosing details of the server the study was carried out against, we will assume its domain is ftp.objetivo.com, and its IP address will not be shown in full.
At the outset, all we know is the hostname of the FTP server that is the subject of the study, ftp.objetivo.com.
Connecting to it from a browser shows that the FTP service is up and working correctly.
1. Getting started
The first step is to obtain the target's IP address:
$ nslookup ftp.objetivo.com
Name: ftp.objetivo.com
Address: 1...6
This IP address is the basis for all the tests that follow.
1.1) We start by trying to ping the target.
$ ping -c 3 1...6
PING 1...6 (1...6) 56(84) bytes of data.
--- 1...6 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2009ms
The target does not answer the ping. There are several possible reasons, but since we already know the machine is up (the FTP service answered from the browser), the most likely one is that ICMP echo requests are being dropped, either by the host itself or by a firewall in front of it. A failed ping therefore tells us nothing about whether the host is alive.
1.2) We try to reach it by other means, such as traceroute, to get an idea of which machines sit between us and the target and see whether anything turns up. It will most likely be filtered before reaching the target as well: traceroute relies on each hop sending back an ICMP Time Exceeded message (its default probes are UDP datagrams to high ports, or ICMP echo requests with tracert on Windows), so a firewall that drops the probes or the ICMP replies hides every hop behind it.
$ traceroute 1...6
In traceroute's output the hop addresses disappear (shown as *) from a certain point on, which tells us we are most likely crossing a firewall that is filtering the packets we send.
1.3) There is no need to worry: there are several ways to reach a machine behind a firewall.
One of them is the tool hping3.
We use the option -t 1 (start with a TTL of 1) combined with -z, which binds CTRL+Z to the TTL so that each press raises the TTL of the packets hping3 sends by 1; the hop that answers us thus moves one step at a time from our side towards the target, exactly as traceroute does, but with a probe of our choosing.
We also use -S, which sets the TCP SYN flag. Firewalls usually let this flag through, since it is the one that opens a TCP connection, and in our case a SYN to port 21 is precisely the traffic the firewall has to allow for the published FTP service to work. Each hop at which the TTL expires answers with an ICMP Time Exceeded, and once the TTL is large enough to reach the target, its SYN/ACK (flags=SA) comes back.
# hping3 -S -t 1 -p 21 -n -z 1...6
HPING 1...6 (wlan0 1...6): S set, 40 headers + 0 data bytes
TTL 0 during transit from ip=192.168.1.1
2: TTL 0 during transit from ip=..176.1
3: TTL 0 during transit from ip=...254
4: TTL 0 during transit from ip=...62
5: TTL 0 during transit from ip=...97
6: TTL 0 during transit from ip=...162
7: TTL 0 during transit from ip=...26
8: TTL 0 during transit from ip=...10
9: TTL 0 during transit from ip=...122
10: TTL 0 during transit from ip=...50
11: TTL 0 during transit from ip=...130
12: len=44 ip=1...6 ttl=116 DF id=14741 sport=21 flags=SA seq=27 win=8192 rtt=58.3 ms
len=44 ip=1...6 ttl=116 DF id=14742 sport=21 flags=SA seq=28 win=8192 rtt=59.4 ms
len=44 ip=1...6 ttl=116 DF id=14743 sport=21 flags=SA seq=29 win=8192 rtt=58.6 ms
We were lucky: we got through the firewall and reached our target. The first probe to be answered with flags=SA did so at hop 12; the eleven hops before it answered with ICMP Time Exceeded, including the ones traceroute could not see, so the hop at which traceroute went quiet (presumably the firewall) now shows its IP, as do the hops between it and the target machine. A useful cross-check: the SYN/ACKs return with ttl=116, and 128 - 116 = 12, which is consistent with a host whose initial TTL is 128 sitting 12 hops away over a symmetric path.
Initially the target of this report was the IP hosting the FTP server, but the output above has also revealed where the firewall sits: another machine on the path and a possible target in its own right.
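The TTL walk described in 1.3, together with the reply-TTL cross-check above, as an added Python example that is not part of the original report or of hping3: it parses hping3's output, records which hop answered at each TTL, and compares the forward hop count with the hop count implied by the TTL of the SYN/ACK that finally returns. The sample output is constructed to mirror hping3's format, with RFC 5737 documentation addresses (and a private first hop) standing in for the report's elided hops; the table of initial TTLs (64/128/255) is the usual set of OS defaults and is an assumption.

```python
"""Walk a path with TTL-incremented TCP SYN probes (hping3 -S -t 1 -z ...) and
cross-check the result against the TTL of the reply that finally comes back.

Added example, not part of the original report or of hping3. The sample below
is constructed to mirror hping3's output format, with RFC 5737 documentation
addresses (and a private first hop) in place of the report's elided hops.
"""
import re
from typing import Dict, List, Tuple

# "N: " is printed by hping3 -z when CTRL+Z raises the TTL to N; the first
# probe (TTL 1 from -t 1) carries no prefix.
HOP_RE = re.compile(r"^(?:(\d+): )?TTL 0 during transit from ip=(\S+)")
REPLY_RE = re.compile(r"^(?:(\d+): )?len=\d+ ip=(\S+) ttl=(\d+) .*?flags=(\S+) .*?win=(\d+)")

# Assumption: the usual OS default initial TTLs (Linux/BSD 64, Windows 128, network gear 255).
INITIAL_TTLS = (64, 128, 255)

# Constructed sample output (not from the report's target).
SAMPLE = """\
HPING 203.0.113.6 (wlan0 203.0.113.6): S set, 40 headers + 0 data bytes
TTL 0 during transit from ip=192.168.1.1
2: TTL 0 during transit from ip=198.51.100.1
3: TTL 0 during transit from ip=198.51.100.254
4: len=44 ip=203.0.113.6 ttl=124 DF id=14741 sport=21 flags=SA seq=3 win=8192 rtt=58.3 ms
len=44 ip=203.0.113.6 ttl=124 DF id=14742 sport=21 flags=SA seq=4 win=8192 rtt=59.4 ms
"""


def parse_trace(text: str) -> Dict:
    """Split hping3 output into ICMP Time Exceeded hops and TCP replies, tagging each with the probe TTL."""
    hops: List[Tuple[int, str]] = []
    replies: List[Dict] = []
    ttl = 1  # -t 1: the first probe leaves with TTL 1
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            ttl = int(m.group(1)) if m.group(1) else ttl
            hops.append((ttl, m.group(2)))
            continue
        m = REPLY_RE.match(line)
        if m:
            ttl = int(m.group(1)) if m.group(1) else ttl
            replies.append({"hop": ttl, "ip": m.group(2), "ttl": int(m.group(3)),
                            "flags": m.group(4), "win": int(m.group(5))})
    return {"hops": hops, "replies": replies}


def infer_initial_ttl(reply_ttl: int) -> int:
    """Smallest common default TTL that the observed value can have decayed from."""
    for candidate in INITIAL_TTLS:
        if reply_ttl <= candidate:
            return candidate
    return 255


def check_path(parsed: Dict) -> Dict:
    """Compare the forward hop count (probe TTL that got a TCP answer) with the hop count implied by the reply TTL."""
    if not parsed["replies"]:
        return {"reached": False}
    first = parsed["replies"][0]
    initial = infer_initial_ttl(first["ttl"])
    return {
        "reached": True,
        "target": first["ip"],
        "forward_hops": first["hop"],
        "return_hops": initial - first["ttl"],
        "symmetric": initial - first["ttl"] == first["hop"],
        "inferred_initial_ttl": initial,
        # SA = SYN/ACK: the SYN crossed the firewall and the port is open; RA would mean closed
        "port_open": first["flags"] == "SA",
        "path": [ip for _, ip in parsed["hops"]],
    }


if __name__ == "__main__":
    for key, value in check_path(parse_trace(SAMPLE)).items():
        print(f"{key}: {value}")
```

Applied to the report's own figures (first SYN/ACK at hop 12 with ttl=116), infer_initial_ttl gives 128 and 128 - 116 = 12, so the forward and return hop counts agree. A mismatch would point at an asymmetric route or at a middlebox answering on the target's behalf, both worth knowing before fingerprinting the host.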
2) Discovery
We continue the analysis by trying to discover which services the target machine runs (we already know it has an FTP server on port 21).
We use the tool nmap.
In a real engagement it is good practice to use nmap options that hide us behind a zombie host, such as the idle scan (-sI), or tools such as torsocks, which push the scan through the Tor network so that it exits from an IP address other than ours, hiding who is scanning the machine. Note that Tor only carries TCP streams, so through torsocks only a full-connect scan (-sT, as used below) works; SYN scans and other raw-packet techniques do not pass through the proxy.
We start with a scan of three well-known ports that might be open, using the option -PN (spelled -Pn in current versions of nmap), which disables nmap's host discovery (the ping step), since we already know the machine exists and is up and that it does not answer ICMP.
# nmap -sT -PN -p 21,22,80 -v
Starting Nmap 5.00 ( http://nmap.org ) at 2012-04-30 23:25 CEST
NSE: Loaded 0 scripts for scanning.
Initiating Connect Scan at 23:25
Scanning 1...6 [3 ports]
Completed Connect Scan at 23:25, 0.76s elapsed (3 total ports)
Host 1...6 is up (0.78s latency).
Interesting ports on 1...6:
PORT STATE SERVICE
21/tcp open ftp
22/tcp filtered ssh
80/tcp filtered http
Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 1.79 seconds
We confirm that port 21 does indeed have FTP behind it; the other two ports nmap reports as filtered. In nmap's vocabulary, filtered means that no answer came back at all (the probe or its reply was dropped, typically by a firewall), as opposed to closed, where the host answers with a RST. Note also that 80/tcp is reported filtered here but open in the fuller scan below, some forty minutes later; port states can differ between scans (stateful or rate-limiting firewalls, high latency, 0.78 s here), so a filtered verdict on an isolated port should be confirmed with a repeat scan before anything is built on it.
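Comparing the two scans of this host is easier when done mechanically. The following is an added Python example, not part of the original report or of nmap: it parses nmap's normal output into port states, expands the "Not shown: N filtered ports" line into the state of every port it covers, and reports the ports whose state changed between two scans. Both snapshots are taken from the report's own output (the second is the excerpt the report shows, with the elided host 1...6 kept as-is); the helper names are the example's own.

```python
"""Compare two nmap scans of the same host and flag port-state changes.

Added example, not part of the original report or of nmap. Both snapshots are
copied from the report's output; the second is an excerpt, and nmap's
"Not shown" line accounts for every port not listed.
"""
import re
from typing import Dict, Optional, Tuple

PORT_RE = re.compile(
    r"^(\d+)/(tcp|udp)\s+(open|closed|filtered|unfiltered|open\|filtered|closed\|filtered)\s+(\S+)"
)
NOT_SHOWN_RE = re.compile(r"^Not shown: (\d+) (\S+) ports")

# First scan from the report: three ports, host discovery disabled.
SCAN_3PORTS = """\
Interesting ports on 1...6:
PORT STATE SERVICE
21/tcp open ftp
22/tcp filtered ssh
80/tcp filtered http
"""

# Second scan from the report: top 1000 ports (excerpt of the listed ports).
SCAN_TOP1000 = """\
Interesting ports on 1...6:
Not shown: 913 filtered ports
PORT STATE SERVICE
21/tcp open ftp
24/tcp open priv-mail
80/tcp open http
212/tcp open anet
311/tcp open asip-webadmin
406/tcp open imsp
465/tcp open smtps
667/tcp open unknown
668/tcp open unknown
"""


def parse_nmap(text: str) -> Dict:
    """Return the listed ports plus the state nmap collapsed into 'Not shown', if any."""
    ports: Dict[str, Dict[str, str]] = {}
    not_shown: Optional[Tuple[int, str]] = None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports[f"{m.group(1)}/{m.group(2)}"] = {"state": m.group(3), "service": m.group(4)}
            continue
        m = NOT_SHOWN_RE.match(line)
        if m:
            not_shown = (int(m.group(1)), m.group(2))
    return {"ports": ports, "not_shown": not_shown}


def state_of(scan: Dict, port: str) -> Optional[str]:
    """State of a port: listed explicitly, implied by 'Not shown', or None if it was never probed."""
    if port in scan["ports"]:
        return scan["ports"][port]["state"]
    if scan["not_shown"]:
        return scan["not_shown"][1]
    return None


def diff_scans(old: Dict, new: Dict) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Ports whose state differs between the scans, keyed 'port/proto' (None = not probed)."""
    changes: Dict[str, Tuple[Optional[str], Optional[str]]] = {}
    for port in sorted(set(old["ports"]) | set(new["ports"]), key=lambda p: int(p.split("/")[0])):
        before, after = state_of(old, port), state_of(new, port)
        if before != after:
            changes[port] = (before, after)
    return changes


def summarize(scan: Dict) -> Dict[str, int]:
    """Count ports per state, including the ones folded into 'Not shown'."""
    counts: Dict[str, int] = {}
    for info in scan["ports"].values():
        counts[info["state"]] = counts.get(info["state"], 0) + 1
    if scan["not_shown"]:
        n, state = scan["not_shown"]
        counts[state] = counts.get(state, 0) + n
    return counts


if __name__ == "__main__":
    first, second = parse_nmap(SCAN_3PORTS), parse_nmap(SCAN_TOP1000)
    print("first scan:", summarize(first), "second scan:", summarize(second))
    for port, (before, after) in diff_scans(first, second).items():
        print(f"{port}: {before or 'not scanned'} -> {after}")
```

Run stand-alone, it prints 80/tcp going from filtered to open between the two scans, plus the ports the first scan never probed. For scans saved with -oX, nmap ships its own ndiff tool for the same job; this example works on the normal text output shown in the report.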
We now run a somewhat more complete scan, letting nmap choose the ports: with no -p option nmap scans the most commonly used TCP ports, 1000 of them in this version, as the output confirms.
# nmap -sT -PN -v 1...6
Starting Nmap 5.00 ( http://nmap.org ) at 2012-05-01 00:06 CEST
NSE: Loaded 0 scripts for scanning.
Initiating Parallel DNS resolution of 1 host. at 00:06
Completed Parallel DNS resolution of 1 host. at 00:06, 0.04s elapsed
Initiating Connect Scan at 00:06
Scanning 1...6 [1000 ports]
Host 1...6 is up (0.059s latency).
Interesting ports on 1...6:
Not shown: 913 filtered ports
PORT STATE SERVICE
21/tcp open ftp
24/tcp open priv-mail
80/tcp open http
212/tcp open anet
311/tcp open asip-webadmin
406/tcp open imsp
465/tcp open smtps
667/tcp open unknown
668/tcp open unknown