CEH Studying disconnect

SephStormSephStorm Member Posts: 1,731 ■■■■■■■□□□
Hello, I would like to use this thread to ask questions I encounter during my CEH studies.

my current disconnect is in vulnerability discovery; after performing recon, finding online systems, port scanning, service and OS detection, now its time to identify vulnerable services and exploit them...

So my issue is this, I run a port scan against a 2k3 machine. I find that port 135 is open, running rpc.

Now I know that opening metasploit, I can use the msrpc exploit to exploit a vulnerability in this service... but I only know that because i've, well seen a video in this class telling me its vulnerable... I tried looking at an updated MSFC which luckily shows a few exploits and specifically states next to the name that a certain OS is not vulnerable, ect. But otherwise, how do I connect open port= vulnerability?

Comments

  • kriscamaro68kriscamaro68 Member Posts: 1,186 ■■■■■■■□□□
    SephStorm wrote: »
    Hello, I would like to use this thread to ask questions I encounter during my CEH studies.

    my current disconnect is in vulnerability discovery; after performing recon, finding online systems, port scanning, service and OS detection, now its time to identify vulnerable services and exploit them...

    So my issue is this, I run a port scan against a 2k3 machine. I find that port 135 is open, running rpc.

    Now I know that opening metasploit, I can use the msrpc exploit to exploit a vulnerability in this service... but I only know that because i've, well seen a video in this class telling me its vulnerable... I tried looking at an updated MSFC which luckily shows a few exploits and specifically states next to the name that a certain OS is not vulnerable, ect. But otherwise, how do I connect open port= vulnerability?

    I usually associate certain ports with certain services. I don't really do exploitation but knowing that dns is port 53 tells me, ok port 53 could be vulnerable. Same goes for port 23 is telnet, 123 is ntp, 3389 is rdp and so on. If you know that certain services are vulnerable which certain ones always seem to be, then that is usually how I look at it. I know its not all encompassing but its a start. By they way congrats on the sans course giveaway on EH.
  • powerfoolpowerfool Member Posts: 1,665 ■■■■■■■■□□
    There are vulnerability assessment tools that will scan a system and link to the specific CVE for a vulnerability, giving to exact exploits for it.
    2024 Renew: [ ] AZ-204 [ ] AZ-305 [ ] AZ-400 [ ] AZ-500 [ ] Vault Assoc.
    2024 New: [X] AWS SAP [ ] CKA [ ] Terraform Auth/Ops Pro
  • ChooseLifeChooseLife Member Posts: 941 ■■■■■■■□□□
    SephStorm wrote: »
    how do I connect open port= vulnerability?
    First off, open port != vulnerability. An open port indicates there is something listening on the port, something that may or may not be vulnerable. An attacker typically tries to do further recon by establishing what service is listening on the port, what version, and so on. Gathering this information allows the attacker to narrow down the list of vulnerabilities this service may have. Once that is done, the attacker goes on to attempting to exploit the vulnerability... Nota bene: until you verify (by successfully exploiting) the vulnerability, you can never be 100% sure that it is present...
    “You don’t become great by trying to be great. You become great by wanting to do something, and then doing it so hard that you become great in the process.” (c) xkcd #896

    GetCertified4Less
    - discounted vouchers for certs
  • JDMurrayJDMurray Admin Posts: 13,023 Admin
    open port == an opportunity to "game" the software listening on the other side of the port.

    The software (service, daemon, program, etc.) that's listening on a port doesn't need to have an actual vulnerability (i.e., software design or implementation flaw) to be misused. An exploit can act as a legitimate client connecting to the port. This is especially easy if there is no client authentication, or the authentication method is very weak (e.g., SNMPv1). Sometimes a service just doing it's job is enough for a hack.
Sign In or Register to comment.