Service Enumeration & Exploitation
Overview
Service enumeration and exploitation focuses on systematically testing discovered services for vulnerabilities, misconfigurations, and attack vectors. This phase moves from reconnaissance to active testing of FTP, SSH, SMTP, DNS, HTTP, and email services.
Discovered Services Analysis
Service Inventory
# Primary services identified:
Port 21: FTP (vsftpd 3.0.3)
Port 22: SSH (OpenSSH 8.2p1)
Port 25: SMTP (Postfix smtpd)
Port 53: DNS (custom banner)
Port 80: HTTP (Apache 2.4.41)
Port 110/143/993/995: Email (Dovecot)
Port 111: rpcbind
Port 8080: HTTP (Apache 2.4.41)
# Attack priority:
1. Anonymous/weak authentication services
2. Web applications (multiple HTTP ports)
3. Email services for user enumeration
4. Misconfigured network services
FTP Service Testing
Anonymous Access Validation
# Manual FTP connection test
ftp TARGET_IP
# Login attempt:
Name: anonymous
Password: [blank or any string]
# Result: 230 Login successful
# Directory listing:
ftp> ls
-rw-r--r-- 1 0 0 38 May 30 17:16 flag.txt
# File retrieval:
ftp> get flag.txt
ftp> !cat flag.txt
# Result: HTB{...} flag discovered
FTP Security Assessment
# Upload permission testing:
ftp> put test.txt
# Result: 550 Permission denied (read-only access)
# Directory traversal testing:
ftp> cd ..
# Result: Limited directory access
# Additional enumeration:
ftp> pwd # Current directory
ftp> passive # Passive mode testing
ftp> binary # Binary transfer mode
FTP Attack Vectors
# Common FTP attacks tested:
- Anonymous access (SUCCESSFUL)
- File upload capabilities (DENIED)
- Directory traversal (LIMITED)
- FTP bounce attacks (NOT APPLICABLE)
- Brute force attacks (NO USERNAMES)
# Vulnerability research:
- vsFTPd 3.0.3: Only DoS exploits available
- No RCE vulnerabilities for this version
- Configuration appears secure except anonymous read
SSH Service Assessment
Version Analysis
# Banner grabbing:
nc -nv TARGET_IP 22
# Result: SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5
# Vulnerability research:
# OpenSSH 8.2p1: No known RCE vulnerabilities
# Modern, patched version
# Brute force unlikely without usernames
Authentication Testing
# Common credential testing:
ssh admin@TARGET_IP # admin:admin
ssh root@TARGET_IP # root:toor
ssh admin@TARGET_IP # admin:Welcome
ssh admin@TARGET_IP # admin:Pass123
# Results: All authentication attempts failed
# Recommendation: SSH appears properly configured
Email Services Enumeration
SMTP Configuration Analysis
# Detailed SMTP enumeration:
sudo nmap -sV -sC -p25 TARGET_IP
# SMTP commands supported:
# PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS,
# ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING
# Key finding: VRFY command enabled (user enumeration)
User Enumeration via SMTP
# VRFY command testing:
telnet TARGET_IP 25
# Commands:
220 ubuntu ESMTP Postfix (Ubuntu)
VRFY root
252 2.0.0 root # Valid user
VRFY www-data
252 2.0.0 www-data # Valid user
VRFY randomuser
550 5.1.1 <randomuser>: Recipient address rejected: User unknown
# Finding: VRFY command enables user enumeration
# Risk level: Low (information disclosure)
Advanced SMTP Testing
# Additional enumeration commands:
EXPN root # Expand mailing lists
RCPT TO: <user> # Recipient verification
# Automated user enumeration:
smtp-user-enum -M VRFY -U /usr/share/wordlists/seclists/Usernames/Names/names.txt -t TARGET_IP
# Open relay testing:
nmap -p25 -Pn --script smtp-open-relay TARGET_IP
# Result: Server doesn't seem to be an open relay
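As an added example (not from the original notes), a small Python checker that replays a constructed SMTP transcript modelled on the VRFY, EXPN and RCPT TO replies above and reports, per verb, which confirmed accounts and whether the verb leaks account existence; the same function is then run over replies captured after the Postfix fix (disable_vrfy_command = yes, which makes VRFY answer with a 502) to confirm the leak is closed. The command names and reply strings are constructed samples, and a live RCPT TO probe would additionally need a preceding MAIL FROM.

```python
import re
from collections import defaultdict

# Constructed transcript modelled on the Postfix replies shown above.
SESSION = [
    ("VRFY root", "252 2.0.0 root"),
    ("VRFY www-data", "252 2.0.0 www-data"),
    ("VRFY randomuser", "550 5.1.1 <randomuser>: Recipient address rejected: User unknown"),
    ("EXPN root", "502 5.5.2 Error: command not recognized"),
    ("RCPT TO:<root>", "250 2.1.5 Ok"),
    ("RCPT TO:<nobody>", "550 5.1.1 <nobody>: Recipient address rejected: User unknown"),
]
# Same VRFY probes after disable_vrfy_command = yes (constructed; Postfix answers 502).
AFTER_FIX = [
    ("VRFY root", "502 5.5.1 VRFY command is disabled"),
    ("VRFY randomuser", "502 5.5.1 VRFY command is disabled"),
]

REPLY_CODE = re.compile(r"^(\d{3})[ -]")

def classify(reply):
    """Map one server reply to an outcome: exists, unknown, disabled or other."""
    m = REPLY_CODE.match(reply)
    code = m.group(1) if m else ""
    if code in ("250", "252"):       # 252: Postfix "cannot VRFY, will accept" for local users
        return "exists"
    if code == "550" and "User unknown" in reply:
        return "unknown"
    if code in ("500", "502"):       # command disabled or not recognised: nothing learned
        return "disabled"
    return "other"

def assess(session):
    """Per SMTP verb: outcomes seen, accounts confirmed, and whether the verb leaks."""
    report = defaultdict(lambda: {"outcomes": set(), "accounts": [], "leaks": False})
    for command, reply in session:
        verb, _, target = command.partition(" ")
        outcome = classify(reply)
        entry = report[verb.upper()]
        entry["outcomes"].add(outcome)
        if outcome == "exists":
            entry["accounts"].append(target.split(":")[-1].strip("<> "))
    for entry in report.values():
        # A verb leaks when it answers differently for known and unknown users.
        entry["leaks"] = {"exists", "unknown"} <= entry["outcomes"]
    return dict(report)

if __name__ == "__main__":
    for label, session in (("before", SESSION), ("after fix", AFTER_FIX)):
        for verb, entry in assess(session).items():
            print(f"{label:9} {verb:4} leaks={entry['leaks']} accounts={entry['accounts']}")
```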
POP3/IMAP Testing
Authentication Analysis
# POP3 connection testing:
telnet TARGET_IP 110
# Commands:
+OK Dovecot (Ubuntu) ready.
user www-data
-ERR [AUTH] Plaintext authentication disallowed on non-secure (SSL/TLS) connections
# Finding: Secure configuration requiring SSL/TLS
# Result: No plaintext authentication allowed
Secure Email Port Testing
# SSL/TLS email ports:
Port 993: SSL/TLS IMAP
Port 995: SSL/TLS POP3
# Testing approach:
openssl s_client -connect TARGET_IP:993
openssl s_client -connect TARGET_IP:995
# Certificate analysis for additional information
RPC Service Assessment
rpcbind Enumeration
# RPC service information:
rpcinfo TARGET_IP
# Results:
program version netid address service owner
100000 4 tcp 0.0.0.0.0.111 portmapper superuser
100000 3 tcp 0.0.0.0.0.111 portmapper superuser
100000 2 tcp 0.0.0.0.0.111 portmapper superuser
# Finding: RPC service exposed externally
# Risk level: Low (unnecessary external exposure)
# Recommendation: Block external access to RPC services
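Added example (not part of these notes): a Python parser for rpcinfo listings like the one above that decodes the universal address column (the last two dotted octets are the port, high byte first, so 0.0.0.0.0.111 is 0.0.0.0 port 111) and flags registrations bound to a non-loopback address, which is the check behind the "exposed externally" finding. The listing embedded below is a constructed sample that adds a loopback-only entry and a local-socket entry to show the non-exposed cases.

```python
import ipaddress

# Constructed rpcinfo listing modelled on the output above, with a loopback-only
# and a local-socket registration added to show the non-exposed cases.
RPCINFO_OUTPUT = """\
   program version netid     address                service    owner
    100000    4    tcp       0.0.0.0.0.111          portmapper superuser
    100000    3    tcp       0.0.0.0.0.111          portmapper superuser
    100000    2    tcp       0.0.0.0.0.111          portmapper superuser
    100000    4    tcp       127.0.0.1.0.111        portmapper superuser
    100000    3    local     /run/rpcbind.sock      portmapper superuser
"""

def parse_uaddr(netid, uaddr):
    """Decode an ONC RPC universal address 'a.b.c.d.hi.lo' into (ip, hi*256 + lo)."""
    if netid not in ("tcp", "udp", "tcp6", "udp6"):
        return None, None              # e.g. netid 'local' carries a socket path instead
    host, hi, lo = uaddr.rsplit(".", 2)
    return host, int(hi) * 256 + int(lo)

def parse_rpcinfo(text):
    """Turn the rpcinfo table into dicts; the header and malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].isdigit():
            continue
        program, version, netid, uaddr, service, owner = fields[:6]
        host, port = parse_uaddr(netid, uaddr)
        rows.append({"program": int(program), "version": int(version), "netid": netid,
                     "host": host, "port": port, "service": service, "owner": owner})
    return rows

def externally_exposed(rows):
    """Registrations bound to a wildcard (0.0.0.0, ::) or other non-loopback address."""
    exposed = []
    for r in rows:
        if r["host"] is None:          # unix-socket registrations are not network reachable
            continue
        if not ipaddress.ip_address(r["host"]).is_loopback:
            exposed.append((r["service"], r["version"], r["netid"], r["host"], r["port"]))
    return exposed

if __name__ == "__main__":
    for item in externally_exposed(parse_rpcinfo(RPCINFO_OUTPUT)):
        print("exposed:", item)
```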
HTB Academy Lab Solution
Lab Environment
# Target: 10.129.211.225 (ACADEMY-AEN-DMZ01)
# Ensure /etc/hosts entry exists:
sudo sh -c 'echo "TARGET_IP inlanefreight.local" >> /etc/hosts'
Question: Enumerate Services and Find Flag
# Service enumeration reveals anonymous FTP access
# Connect to FTP service:
ftp TARGET_IP
# Login with anonymous credentials:
Name: anonymous
Password: [blank]
# Result: 230 Login successful
# List files:
ftp> ls
-rw-r--r-- 1 0 0 38 May 30 17:16 flag.txt
# Download and read flag:
ftp> get flag.txt
ftp> !cat flag.txt
# Answer: HTB{...} (flag content discovered)
Service Testing Methodology
Systematic Approach
# 1. Service identification
sudo nmap -sV -sC -p- TARGET_IP
# 2. Anonymous access testing
# FTP, SMTP, RPC, HTTP directories
# 3. Authentication bypass attempts
# Default credentials, common passwords
# 4. Misconfiguration discovery
# User enumeration, open relays, unnecessary services
# 5. Vulnerability research
# CVE lookup for service versions
# Public exploit availability
# 6. Documentation
# Finding severity assessment
# Evidence collection
# Remediation recommendations
Finding Categories
# High-risk findings:
- Remote code execution vulnerabilities
- Authentication bypass mechanisms
- Sensitive data exposure
# Medium-risk findings:
- User enumeration capabilities
- Weak authentication mechanisms
- Service misconfigurations
# Low-risk findings:
- Information disclosure
- Unnecessary service exposure
- Version disclosure
Testing Limitations
Ethical Boundaries
# Avoid during external testing:
- Aggressive brute force attacks
- Service disruption attempts
- Denial of service testing
- Unauthorized data access beyond validation
# Safe testing practices:
- Limited authentication attempts
- Non-disruptive enumeration
- Read-only access validation
- Minimal system interaction
Documentation Requirements
# Essential evidence:
- Service versions and configurations
- Anonymous access capabilities
- User enumeration results
- Failed exploitation attempts
- Security recommendations
# Risk assessment:
- Business impact evaluation
- Exploit complexity analysis
- Remediation effort estimates
- Compliance implications
Key Takeaways
Anonymous FTP access often provides immediate foothold opportunities
User enumeration via SMTP VRFY creates attack vectors
Service versioning enables targeted vulnerability research
Email services require SSL/TLS for secure authentication
RPC services should not be externally exposed
Systematic testing ensures comprehensive service coverage
Professional documentation supports finding validation and remediation
Service enumeration and exploitation systematically tests each discovered service for security weaknesses while maintaining ethical boundaries and comprehensive documentation standards.