Yea, my advice.. Study harder.

Anyway, do you have a website for your course or are we just supposed to trust you?

Learning is good. Generally in most college classes, you are given tools to start solving a problem, then an assignment to demonstrate your knowledge of those tools.

google search, keywords "OS Fingerprinting"

You should be able to tell us at this point. What tools have you been given in this class? What are the topics that have been covered so far? If this is a lab, what was the lab lecture about?

I don't know many professors who say, "Welcome to class. Break into this server," unless there is a point to the process, such as to demonstrate the students should think about where to start, estimate the skillset of the students, demonstrate use of tools covered in class/lecture, etc.

If your professor has no reason to offer you this task, then you may want to consider another professor or school.

Here is the website for my course http://jacobsonk.pageout.net/page.dy...urse_id=101618

okay We are working out of windows and linux. We have been working with variouse tools, from this book "Guide to Network Degense and countermeasures". This wasn't the book that he wanted, but oh well. So asked us to form groups and chose what you want to do. So I joined the pen testing group, and we have been going at it. All i am looking for is some good suggestions.

I do not see a schedule, but I do find a lot of broken links.
Course Content shows a calendar, but clicking on days provide an error of "Bad Request."

The only "developed" links on that site appear to be the "Home" and Web links section, and even these leave something to be desired.

First, it looks like a lower divison, undergraduate course, so the professor is probably not expecting you to build your own exploits.
From the Web links section, you have a single link for Pen Testing with only 4 things listed on it:
Four stages of Pen Testing
1. planning
2. discovery
3. attack
4. reporting

So, again, what tools have you been provided for this task? What was the content of the lectures before this task was assigned to you? Is this a homework assignment? What is the stated purpose of this assignment/project?

We are assigned one computer for the use of breaking in on a controlled network. Then 3 computers with different levels of exploits one is getting harder and harder. I am working on the hardest one. For tools we are recommenced tools to use, but what ever works. The system has Linux and windows installed. Right now all i have done is use netcat to find the ports, and researching the one's that would help me the most to reach my goal.

As for th lecture we have been going over arp poisoning, buffer overflowing, netcat, nmap, and whatever else is in that book. This is kind of homework as in looking for exploits, but all of this is conducted in a controlled environment.
The peruse of this project is to show the processes of pen testing computers, for personal experience, and to give a presentation of your findings. This is to the other class mates and the teachers for our grade.

On the chance that you may be someone that people I know may encounter in the real world, I want to avoid giving away answers. I really dislike encountering people in the Real World who aren't able to find solutions on their own.
Many colleges have rules on how much assistance can be granted without it being considered cheating; so I'll try not to be too helpful.

OK. And how would you be able to use this with any of the services? Are pseudo-clients actually authenticating against services on this server during any of your attempts?

Are you expected to write your own, or will you be playing the role of a "script-kiddie"?

These are good tools. Some "scripts" are written with the assumption these are installed, but if you do not understand these scripts, you may end up screwing yourself as a result of them actually being trojans as many are.

It really sounds like you are expected to find pre-written exploits and use them. I do not see any tools listed for more advanced things like "writing your own exploits."

I don't know what is in that book. Without specifics, I can't do much; I am not going to just give you any answers. You are in this class to demonstrate your ability to find solutions. Research and collaboration are part of this, but collaboration is possible with your peers. Work in the real world is much like your project-- but all the time. New issues are created, and you will need to always be learning about what is new.
(And you can't always keep hiring consultants for each issue.)

So far, everything points to "act like a script kiddie." So? What would be your next step? Imagine yourself as a script kiddie. What would you do next?
(There are many directions you can take at this point.)

Thank you for the help and the not too helpful suggestions. Let me start at the top.

Arp poisoning of the network to intercept from another destination seems kind of pointless. This is a box has no one logging into it, and no type of pseudo-clients authenticating against any of its services. I monitored it traffic with Eatheral.

I am going to make my own buffer overflow, or die trying. I will have some assistance in making it.

The Book that we are using for the class is “Guide to network Defense and countermeasures”. This i find is a not bad book, but these project are something that the teacher thought would be more fun than what the book had. So they have been making there own assignment. Which i find is awesome.

In the mind set of a “script kiddie” i would want to find out what each port means:

dpsvr2003.mtolympus.local [134.39.10.240] 1088 (?) open
dpsvr2003.mtolympus.local [134.39.10.240] 1038 (?) open
dpsvr2003.mtolympus.local [134.39.10.240] 1028 (?) open
dpsvr2003.mtolympus.local [134.39.10.240] 1025 (?) open
dpsvr2003.mtolympus.local [ 134.39.10.240] 636 (ldaps) open
dpsvr2003.mtolympus.local [134.39.10.240] 593 (?) open
dpsvr2003.mtolympus.local [134.39.10.240] 464 (kpasswd) open
dpsvr2003.mtolympus.local [134.39.10.240] 445 (microsoft-ds) open
dpsvr2003.mtolympus.local [134.39.10.240] 389 (ldap) open
dpsvr2003.mtolympus.local [134.39.10.240] 135 (?) open
dpsvr2003.mtolympus.local [134.39.10.240] 88 (kerberos) open
dpsvr2003.mtolympus.local [134.39.10.240] 53 (domain) open

Looking at this list that i got from using “nc -v -w 5 -z 134.39.10.240 1-1204” i find that its apart of the windows server family. Then I want to Google ports from 646 down to find exploits. I can also us putty to see what they're running.

Run putty and telnet port 593 and I came up with “ncacn_http/1.0”. Then Google this and check it out.

The reason why i went for the 646 and down was because of the high ports will probably just be open, but i will check anyway. I also want to not make to much noise on this computer. Thinking that it might be keeping a log. So be discrete.

After doing the research on these ports, and the programs that run on them. I want to then find the programs that would best fit my intentions. To gain access to information that the server holds.

I'm going to try out nessus tomorrow on another machine to make sure i understand how it works. So that i don't screw my self over, and so that i don't make a lot of noise in the logs. Then if that doesn't work. Then I will just move on to another program that would fit this matter.

Are you sure you took the prerequisite? It seems like you don't know what your talking about or your all mixed up.


PS.. its Ethereal, not eatheral (ether like ethernet)

[/QUOTE]

What you write makes it appear as though you have not researched the problem or tools you can use very well.

You write about finding what service a port is using, but such estimates are actuallty provided to you with one of your tools and in your reply.

Another point:
Many first generation "script kiddies" actually only know how to use one exploit, and then they search for machine that are vulnerable-- their work is so simple, they can be replaced with worms that do the same thing. They don't actually target a specific machine, but instead look for door with cheap locks. What is even funnier, is many of the first generation "script kiddies" don't even know what to do with a box they "root" or "admin" except maybe install a pre-packaged rootkit/irc-relay/file-server-service(ftp, irc-dcc, etc.)

Second generation "script kiddies" may know several exploits, and a little about getting around a system, while 3rd generation and beyond may actually be able to understand some of the code involved, modify it in some way.

The only other new tool I see you have mentioned is google, but you do not appear to be using it very well; you have not found an exploit yet even after 15 hours between posts.

This does not make sense:
This is one example to point out where dyn4mic's statement appears to be true.
A port means nothing; it runs a service or it does not. If it is running a service, is is either the default service for that port or it is not. It probably also has a version, and an application name associated with it. This is what first generation script kiddies look for.

The terms you use, and how you use them does not suggest you really understand where you are going, or that you have a foundation necessary for this project. How much of your book have you actually read?

Your lack of preparation shows me that you don't really know where you are going. I suggest you speak with your professor during office hours and tell him/her what you have, and see if you are on the right track.

Something else that causes me to not want to help you, is that you showed no progress in working on this problem between your first post and this last one. That is 15 hours!

Since I'm afraid this comment might discourage the original poster, I'd like to say that I think Ozone is actually doing quite well for an individual just getting into computer security. TheCotMan took Ozone to task for his use phrasing concerning ports, but I think it is rather clear that Ozone understands that a service doesn't necessarily have to run a specific port and went so far as to identify one of the applications on an open port.

Ozone has demonstrated a willingness to learn, wants to do things himself rather than use existing tools when he thinks it will aid his understanding, and is apparently setting up test systems outside of class so that he can examine an attacked computer in a controlled environment. He isn't asking for you to do his work for him, but he is looking for a nudge in the right direction at a point in his learning where he is still stumbling around.

Cut him some slack, TheCotMan. After all, you must remember what the level of teaching was like when you were in college.

PS: It sounds like Ozone is in an interesting class. I wish something like it were available when I was an high school/undergraduate student.

Being willing to learn is not enough; there must be ambition to try to work on things while waiting for help. Lack of progress is an indication to me that there is expectation to have others do the work.

Finding exploits for a specific service does not take much time with google. Finding an exploit for a specific version may take a little longer.

There has been mention of "nessus" but an implication that it has never been used. There are other tools out there that will "automagically" scan a host for service versions to look for services with known exploits in the application's DB. There are even tools that allow a user to choose to enable "dangerous tests" that could potentially DoS a box during the testing process where security holes to network services are sought out.

From my point of view, a class like this would have at least covered some of these by name if this was a task given to this user by the professor.

Stumbling to me is a sign that something is not quite right with this project.

:-P~~~~~ (heh)

What about "extracirricular activities"? ]:>

OK. Voltage Spike has granted you some pity, and that is worth something. Here is an obvious resource:

Check out MS KB articles for security updates and notices per service with each SP and hotfix. MS can be helpful when pointing out what security problems exist in unpatched services. Some can even tell you the CAN or Sec-ID or ... that is addressed with a particular hotfix/SP.

Determination of service version can help determineSP/Hotfix. Backtracking from an announcement to fixes gives you a huge collection of keywords to use in searching, and things to try. Some exploits will even include statements like, "This works on Win XP pre SP2," and may even list hotfixes names that defeat them as well.

If you build a library of exploits with source code, you can better understand what they share in design.

In your class, using the short list they have on penetration testing:
1. planning
2. discovery
3. attack
4. reporting

You will spend most of your time in state changes from 1 to 2 back to 1 back to 2. Planning leads to discovery which may improve your planning for another round, and then help you to discover more. This is your research. This is time consuming. 3 is very fast, and you go back to 2 to examine the result. From there, you may go back to 1, or you may move on to 4.

1 and 2 are the most sexy of the the items listed. 3 is the biggest rush, and 4 is boring. For me, the best 4 is, "Your system service XXX is vulnerable. Fix it." Writing up reports on the process is the worst part.

Here is your push:
Identify a chosen service. Find a way to determine the name of the application (like the .exe name for windows), the name of the application (like apache vs IIS) and version (if possible) and get hints to what SP/Hotfixes are included. Search for notices on new hotfixes/SP that have come out since then and backtrack to see what security holes have been fixed. This is your keyword list. Google is your friend.

And another script kiddie is born.

I think it has more to do with the teacher assuming self-motivated students. Most undergraduate classes tend to give the students 1 and 2 and ask for 3, but some of the better projects ask for 3 and let the students make their own discoveries.

This is an excellent suggestion. Unfortunately exploit code tends to be ... obtuse. Work through it and figure out how each exploit works you will be infinitely better. This does take time, but it will ultimately be the best education at conquering stage 3. You have already discovered a running service on the server with a known exploit, and I applaud you for not simply running a canned script (if an actual implementation exists). Now you get to the fun part.

I don't think so. Ozone seems genuine, and he already knows more about the available tools than most of his peers.

This is such a great comment. At first there is a counter to Ozone now being labeled a script kiddie, but then there is suggestion that counters the former when he is compared to his peers.

If it was intentional, that was nice. :-)

If we assume that Ozone eventually moves beyond script kiddie, but still plays this role now, he is still playing this role.

Beyond this, we cannot be certain that a lurker won't use the advice too. If this is the case, then the comment about a script kiddie being born can be true for for than just one person.

Let's see what kind of progress this user makes between now and their next post.

This whole discussion reminds me of Don Ameche and Ralph Bellamy arguing over Eddie Murphy in Trading Places.