# Service Enumeration & Exploitation

## 🎯 Overview

**Service enumeration and exploitation** systematically tests each discovered service for vulnerabilities, misconfigurations, and usable attack vectors. This phase moves from reconnaissance to active testing. The walkthrough below covers **FTP**, **SSH**, **SMTP**, **POP3/IMAP**, and **rpcbind**; the **HTTP** services on 80/8080 and **DNS** on 53 from the same inventory are left to their own web and DNS enumeration passes.

## 📊 Discovered Services Analysis

### 🔍 Service Inventory

```cmd
# Primary services identified:
Port 21:  FTP (vsftpd 3.0.3)
Port 22:  SSH (OpenSSH 8.2p1)
Port 25:  SMTP (Postfix smtpd)
Port 53:  DNS (custom banner)
Port 80:  HTTP (Apache 2.4.41)
Port 110/143/993/995: Email (Dovecot)
Port 111: rpcbind
Port 8080: HTTP (Apache 2.4.41)

# Attack priority:
1. Anonymous/weak authentication services
2. Web applications (multiple HTTP ports)
3. Email services for user enumeration
4. Misconfigured network services
```
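The inventory and priority list above can be produced straight from nmap's greppable output rather than retyped per host. The block below is an added example (not part of these notes or HTB Academy material): it parses a constructed `nmap -sV -oG -` host line that mirrors the inventory above and ranks the open ports by the four priority rules. The mapping from nmap service names (such as `ssl|imap` or `http-proxy`) to those rules is my assumption, not something nmap provides.

```python
"""Added example (not HTB Academy code): turn nmap greppable (-oG) output into the
service inventory above and order it by the page's attack-priority rules.
SAMPLE_GNMAP is a constructed `nmap -sV -oG -` host line matching that inventory."""
import re
from dataclasses import dataclass

SAMPLE_GNMAP = (
    "Host: 10.129.211.225 ()\tPorts: "
    "21/open/tcp//ftp//vsftpd 3.0.3/, "
    "22/open/tcp//ssh//OpenSSH 8.2p1 Ubuntu 4ubuntu0.5/, "
    "25/open/tcp//smtp//Postfix smtpd/, "
    "53/open/tcp//domain//custom banner/, "
    "80/open/tcp//http//Apache httpd 2.4.41/, "
    "110/open/tcp//pop3//Dovecot pop3d/, "
    "111/open/tcp//rpcbind//2-4 (RPC #100000)/, "
    "143/open/tcp//imap//Dovecot imapd/, "
    "993/open/tcp//ssl|imap//Dovecot imapd/, "
    "995/open/tcp//ssl|pop3//Dovecot pop3d/, "
    "8080/open/tcp//http//Apache httpd 2.4.41/\tIgnored State: closed (65524)"
)

# One entry per port in -oG output: port/state/protocol/owner/service/rpcinfo/version/
PORT_ENTRY = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")

@dataclass(frozen=True)
class Service:
    port: int
    proto: str
    name: str      # nmap service name, e.g. "ftp" or "ssl|imap"
    version: str   # -sV product/version string, empty when nmap could not tell

def parse_gnmap(text: str) -> list[Service]:
    """Return every open port from -oG output; lines without a Ports: field are skipped."""
    services = []
    for line in text.splitlines():
        if "Ports:" not in line:
            continue
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for m in PORT_ENTRY.finditer(ports_field):
            port, state, proto, _owner, name, _rpc, version = m.groups()
            if state == "open":
                services.append(Service(int(port), proto, name, version.strip()))
    return services

# Attack priority from the inventory above (1 = test first). The service-name sets are
# an assumption about which nmap names correspond to each category.
PRIORITY_RULES = (
    (1, "anonymous/weak authentication", {"ftp", "ssh"}),
    (2, "web application", {"http", "ssl|http", "http-proxy"}),
    (3, "mail service / user enumeration", {"smtp", "pop3", "imap", "ssl|pop3", "ssl|imap"}),
    (4, "misconfigured network service", {"rpcbind", "domain", "nfs"}),
)

def prioritize(services: list[Service]) -> list[tuple[int, str, Service]]:
    """Rank services by PRIORITY_RULES, then by port; anything unmatched goes last."""
    ranked = []
    for svc in services:
        for rank, reason, names in PRIORITY_RULES:
            if svc.name in names:
                ranked.append((rank, reason, svc))
                break
        else:
            ranked.append((5, "unclassified", svc))
    return sorted(ranked, key=lambda r: (r[0], r[2].port))

if __name__ == "__main__":
    for rank, reason, svc in prioritize(parse_gnmap(SAMPLE_GNMAP)):
        print(f"{rank}  {svc.port:>5}/{svc.proto}  {svc.name:<10} {svc.version:<32} {reason}")
```

Feed it the real file with `parse_gnmap(open("scan.gnmap").read())`; multi-host scans produce one `Host:` line each, so the same call covers a whole subnet.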

## 📁 FTP Service Testing

### 🔓 Anonymous Access Validation

```bash
# Manual FTP connection test
ftp TARGET_IP

# Login attempt:
Name: anonymous
Password: [blank or any string]
# Result: 230 Login successful

# Directory listing:
ftp> ls
-rw-r--r--    1 0        0              38 May 30 17:16 flag.txt

# File retrieval:
ftp> get flag.txt
ftp> !cat flag.txt
# Result: HTB{...} flag discovered
```

### 🔧 FTP Security Assessment

```bash
# Upload permission testing:
ftp> put test.txt
# Result: 550 Permission denied (anonymous access is read-only; vsftpd default anon_upload_enable=NO)

# Directory traversal testing:
ftp> cd ..
# Result: the command is accepted but pwd still shows / - anonymous sessions are
#         chrooted to the FTP root, so cd .. cannot escape it

# Additional enumeration:
ftp> pwd          # Current directory
ftp> passive      # Toggle passive mode if ls/get hang behind NAT or a firewall
ftp> binary       # Binary transfer mode - set before retrieving non-text files
```

### 📋 FTP Attack Vectors

```cmd
# Common FTP attacks tested:
- Anonymous access (SUCCESSFUL, read-only)
- File upload capabilities (DENIED - 550 Permission denied)
- Directory traversal (BLOCKED - anonymous chroot)
- FTP bounce attacks (NOT APPLICABLE - vsftpd rejects PORT commands for third-party addresses by default)
- Brute force attacks (NOT ATTEMPTED - no usernames known at this stage; revisit once SMTP VRFY yields accounts)

# Vulnerability research:
- vsFTPd 3.0.3: only denial-of-service issues published; the well-known backdoor is in 2.3.4 and does not apply
- No public RCE for this version
- Configuration appears secure apart from anonymous read access
```
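The FTP checks above (anonymous login, `put`, `cd ..`, `get`) are easy to script so they run identically against every host in scope. The block below is an added example, not code from these notes or HTB Academy. `assess_anonymous_ftp()` accepts any object exposing the `ftplib.FTP` methods it uses, so the constructed `FakeVsftpd` class replays the replies captured above for an offline run, while `connect_and_assess()` points the same logic at a live target. The marker filename `.pentest-write-check` and the 4 KiB fetch cap are assumptions.

```python
"""Added example, not HTB Academy code: automate the anonymous FTP checks from the
FTP sections above (login, listing, upload test, chroot escape test, read-only
retrieval of small files). FakeVsftpd is a constructed stand-in answering like the
read-only vsftpd seen above so the assessment runs offline."""
from __future__ import annotations
import ftplib
import io
from dataclasses import dataclass, field

MARKER = ".pentest-write-check"  # assumed harmless filename for the upload test

@dataclass
class FtpFindings:
    anonymous_login: bool = False
    root_listing: list[str] = field(default_factory=list)
    writable: bool = False
    escaped_root: bool = False
    retrieved: dict[str, bytes] = field(default_factory=dict)

def assess_anonymous_ftp(ftp, fetch_max_bytes: int = 4096) -> FtpFindings:
    f = FtpFindings()
    try:
        ftp.login("anonymous", "anonymous@example.com")  # anon FTP accepts any password
    except ftplib.error_perm:
        return f                                         # 530: no anonymous access
    f.anonymous_login = True
    ftp.voidcmd("TYPE I")          # binary mode; vsftpd refuses SIZE in ASCII mode
    root = ftp.pwd()
    f.root_listing = ftp.nlst()
    try:                           # upload test: 550 means read-only (vsftpd anon_upload_enable=NO)
        ftp.storbinary(f"STOR {MARKER}", io.BytesIO(b"write test\n"))
        f.writable = True
        ftp.delete(MARKER)         # clean up after ourselves
    except ftplib.error_perm:
        pass
    try:                           # chroot check: inside a jail, "cd .." leaves pwd unchanged
        ftp.cwd("..")
        f.escaped_root = ftp.pwd() != root
        ftp.cwd(root)
    except ftplib.error_perm:
        pass
    for name in f.root_listing:    # evidence: fetch small regular files only
        try:
            size = ftp.size(name)
        except ftplib.error_perm:
            continue               # directory, or SIZE unsupported
        if size is None or size > fetch_max_bytes:
            continue
        buf = io.BytesIO()
        ftp.retrbinary(f"RETR {name}", buf.write)
        f.retrieved[name] = buf.getvalue()
    return f

def connect_and_assess(host: str, port: int = 21, timeout: float = 10) -> FtpFindings:
    """Run the assessment against a live server (not exercised offline)."""
    with ftplib.FTP() as ftp:
        ftp.connect(host, port, timeout=timeout)
        return assess_anonymous_ftp(ftp)

class FakeVsftpd:
    """Constructed stand-in reproducing the replies captured on this page."""
    def __init__(self):
        self.files = {"flag.txt": b"(constructed flag.txt contents)\n"}
        self.binary = False
    def login(self, user, passwd):
        if user != "anonymous":
            raise ftplib.error_perm("530 Login incorrect.")
        return "230 Login successful."
    def voidcmd(self, cmd):
        self.binary = cmd == "TYPE I"
        return "200 Switching to Binary mode."
    def pwd(self):
        return "/"                 # anonymous chroot: never changes
    def nlst(self):
        return list(self.files)
    def cwd(self, path):
        return "250 Directory successfully changed."
    def storbinary(self, cmd, fp, *a, **k):
        raise ftplib.error_perm("550 Permission denied.")
    def delete(self, name):
        raise ftplib.error_perm("550 Permission denied.")
    def size(self, name):
        if not self.binary or name not in self.files:
            raise ftplib.error_perm("550 Could not get file size.")
        return len(self.files[name])
    def retrbinary(self, cmd, callback, *a, **k):
        callback(self.files[cmd.split(" ", 1)[1]])
        return "226 Transfer complete."
```

`connect_and_assess("TARGET_IP")` reproduces the manual session above in one call; the upload test writes and immediately deletes a single dotfile, which is the minimal interaction that still proves or disproves write access.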

## 🔑 SSH Service Assessment

### 📊 Version Analysis

```bash
# Banner grabbing:
nc -nv TARGET_IP 22
# Result: SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5
# The "Ubuntu-4ubuntu0.5" suffix is the distro package revision: check the Ubuntu changelog
# for that revision rather than upstream 8.2p1 alone, since distro backports fix CVEs
# without bumping the upstream version number

# Vulnerability research:
# OpenSSH 8.2p1: no public RCE at the time of testing; the pre-7.7 username-enumeration
# bug (CVE-2018-15473) does not apply either
# Modern, patched version
# Brute force impractical without usernames (but see the SMTP VRFY results below)
```

### 🔧 Authentication Testing

```bash
# Common credential testing (a handful of attempts only, to stay clear of lockouts and fail2ban):
ssh admin@TARGET_IP     # admin:admin
ssh root@TARGET_IP      # root:toor
ssh admin@TARGET_IP     # admin:Welcome
ssh admin@TARGET_IP     # admin:Pass123

# Results: All authentication attempts failed
# Note: the accounts confirmed by SMTP VRFY below (root, www-data) are the better targets for any
#       later, rate-limited guessing; `ssh -v` shows whether password auth is even offered
#       ("Authentications that can continue: publickey,password")
# Recommendation: SSH appears properly configured; no default credentials accepted
```

## 📧 Email Services Enumeration

### 📋 SMTP Configuration Analysis

```bash
# Detailed SMTP enumeration (-sC runs the smtp-commands script, which reports the EHLO response):
sudo nmap -sV -sC -p25 TARGET_IP

# SMTP extensions advertised:
# PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, 
# ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING

# Key finding: VRFY command enabled (user enumeration)
# Also: STARTTLS offered (check its certificate too); AUTH is not advertised, so there is no
#       SMTP password-guessing surface on the plaintext port (re-check after STARTTLS, since
#       Postfix can hide AUTH until TLS is up)
```

### 👤 User Enumeration via SMTP

```bash
# VRFY command testing:
telnet TARGET_IP 25

# Session (server replies shown after each command):
220 ubuntu ESMTP Postfix (Ubuntu)
VRFY root
252 2.0.0 root              # ← Valid user (Postfix answers 252, not 250: "cannot verify, but will accept mail")
VRFY www-data
252 2.0.0 www-data          # ← Valid user
VRFY randomuser
550 5.1.1 <randomuser>: Recipient address rejected: User unknown

# Finding: VRFY enables user enumeration because known and unknown local users get different replies
# Risk level: Low on its own (information disclosure), Medium once the confirmed accounts
#             feed password guessing against SSH/POP3/IMAP
# Remediation: disable_vrfy_command = yes in Postfix main.cf (VRFY then returns 502 5.5.1)
```

### 🔧 Advanced SMTP Testing

```bash
# Additional enumeration commands (typed in the telnet session):
EXPN root                     # Expand mailing lists - Postfix does not implement EXPN and replies 502 5.5.2
MAIL FROM:<test@example.com>  # Required before RCPT TO
RCPT TO:<user>                # Recipient verification: 250 for known users, 550 5.1.1 for unknown ones

# Automated user enumeration (one VRFY per name; keep the list short, every probe is logged):
smtp-user-enum -M VRFY -U /usr/share/wordlists/seclists/Usernames/Names/names.txt -t TARGET_IP

# Open relay testing:
nmap -p25 -Pn --script smtp-open-relay TARGET_IP
# Result: Server doesn't seem to be an open relay
```
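The manual VRFY session and the `smtp-user-enum` run above do the same thing: one VRFY per candidate name, classified by the reply code. The script below is an added example (not part of these notes, HTB Academy, or smtp-user-enum): it drives the session through a send/receive pair, stops as soon as the server reports VRFY disabled instead of burning the wordlist, and ships with a constructed `FakePostfix` responder that replays the replies recorded above so it runs offline; `vrfy_enumerate_over_tcp()` runs the same logic against a live host. The HELO name `pentest.local` is an assumption.

```python
"""Added example, not HTB Academy or smtp-user-enum code: the VRFY enumeration
walked through above as a script. enumerate_users() drives one SMTP session via a
send/recv pair; FakePostfix is a constructed responder replaying the replies captured
on this page."""
import socket

def classify_vrfy_reply(line: str) -> str:
    """Postfix answers 252 (not 250) for local users it will accept mail for,
    550 5.1.1 for unknown ones and 502 5.5.1 when disable_vrfy_command=yes."""
    code = line[:3]
    if code in ("250", "252"):
        return "valid"
    if code == "550":
        return "invalid"
    if code == "502":
        return "disabled"
    return "unknown"

def enumerate_users(send_line, read_line, candidates, helo_name="pentest.local"):
    """Banner, EHLO, then one VRFY per candidate. Returns (valid, invalid, status);
    status is "vrfy-disabled" if the server refuses VRFY, otherwise "ok"."""
    banner = read_line()
    if not banner.startswith("220"):
        raise RuntimeError(f"unexpected banner: {banner!r}")
    send_line(f"EHLO {helo_name}")
    while True:                      # multi-line reply: "250-..." lines until a "250 " line
        if read_line()[3:4] == " ":
            break
    valid, invalid = [], []
    for name in candidates:
        send_line(f"VRFY {name}")
        verdict = classify_vrfy_reply(read_line())
        if verdict == "disabled":
            send_line("QUIT")
            return valid, invalid, "vrfy-disabled"
        (valid if verdict == "valid" else invalid).append(name)
    send_line("QUIT")
    read_line()                      # 221 Bye
    return valid, invalid, "ok"

def vrfy_enumerate_over_tcp(host, candidates, port=25, timeout=10):
    """Same logic over a real TCP connection (not exercised offline)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rw", encoding="ascii", newline="")   # no newline translation
        def send_line(line):
            f.write(line + "\r\n")
            f.flush()
        def read_line():
            return f.readline().rstrip("\r\n")
        return enumerate_users(send_line, read_line, candidates)

class FakePostfix:
    """Constructed responder reproducing the Postfix replies captured above."""
    def __init__(self, local_users=("root", "www-data"), vrfy_enabled=True):
        self.users, self.vrfy_enabled = set(local_users), vrfy_enabled
        self.out = ["220 ubuntu ESMTP Postfix (Ubuntu)"]
    def send_line(self, line):
        verb, _, arg = line.partition(" ")
        if verb == "EHLO":
            self.out += ["250-ubuntu", "250-PIPELINING", "250-VRFY", "250 CHUNKING"]
        elif verb == "VRFY" and not self.vrfy_enabled:
            self.out.append("502 5.5.1 VRFY command is disabled")
        elif verb == "VRFY" and arg in self.users:
            self.out.append(f"252 2.0.0 {arg}")
        elif verb == "VRFY":
            self.out.append(f"550 5.1.1 <{arg}>: Recipient address rejected: User unknown")
        elif verb == "QUIT":
            self.out.append("221 2.0.0 Bye")
        else:
            self.out.append("502 5.5.2 Error: command not recognized")
    def read_line(self):
        return self.out.pop(0)
```

Against the lab, `vrfy_enumerate_over_tcp("TARGET_IP", ["root", "www-data", "randomuser"])` returns `(["root", "www-data"], ["randomuser"], "ok")`; keep the candidate list short, since Postfix logs every VRFY and a defender watching `mail.log` will see the sweep.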

## 📮 POP3/IMAP Testing

### 🔍 Authentication Analysis

```bash
# POP3 connection testing:
telnet TARGET_IP 110

# Session:
+OK Dovecot (Ubuntu) ready.
user www-data
-ERR [AUTH] Plaintext authentication disallowed on non-secure (SSL/TLS) connections.

# Finding: Dovecot keeps its default disable_plaintext_auth=yes, so credentials cannot be sent in
#          the clear on 110/143; authentication has to go over STLS/STARTTLS or the implicit-TLS
#          ports 995/993
# Result: No plaintext authentication allowed
```

### 🔒 Secure Email Port Testing

```bash
# SSL/TLS email ports:
Port 993: IMAP over implicit TLS (IMAPS)
Port 995: POP3 over implicit TLS (POP3S)

# Testing approach (interactive session; type the protocol commands after the handshake):
openssl s_client -connect TARGET_IP:993
openssl s_client -connect TARGET_IP:995
# The plaintext ports also accept a TLS upgrade: openssl s_client -starttls pop3 -connect TARGET_IP:110
#                                                openssl s_client -starttls imap -connect TARGET_IP:143

# Certificate analysis: the subject CN and subjectAltName entries often reveal internal hostnames
# worth adding to /etc/hosts (pipe the s_client output into openssl x509 -noout -subject -ext subjectAltName)
```

## 🌐 RPC Service Assessment

### 📊 rpcbind Enumeration

```bash
# RPC service information (rpcinfo -p TARGET_IP shows the same registrations with port numbers):
rpcinfo TARGET_IP

# Results:
program version netid     address                service    owner
100000    4    tcp       0.0.0.0.0.111          portmapper superuser
100000    3    tcp       0.0.0.0.0.111          portmapper superuser
100000    2    tcp       0.0.0.0.0.111          portmapper superuser

# Finding: rpcbind reachable externally, but only program 100000 (the portmapper itself) is
#          registered - no mountd/nfs (100005/100003) or other RPC programs to enumerate further
# Risk level: Low (unnecessary external exposure; rpcbind has also been abused as a UDP amplifier)
# Recommendation: Block external access to TCP/UDP 111, or stop rpcbind if nothing on the host needs it
```

## 🎯 HTB Academy Lab Solution

### Lab Environment

```bash
# Target: 10.129.211.225 (ACADEMY-AEN-DMZ01) at the time these notes were taken
# Replace TARGET_IP with the current lab IP and ensure the /etc/hosts entry exists:
sudo sh -c 'echo "TARGET_IP inlanefreight.local" >> /etc/hosts'
```

### 📁 Question: Enumerate Services and Find Flag

```bash
# Service enumeration reveals anonymous FTP access
# Connect to FTP service:
ftp TARGET_IP

# Login with anonymous credentials:
Name: anonymous
Password: [blank]
# Result: 230 Login successful

# List files:
ftp> ls
-rw-r--r--    1 0        0              38 May 30 17:16 flag.txt

# Download and read flag:
ftp> get flag.txt
ftp> !cat flag.txt

# Answer: HTB{...} (flag content discovered)
```

## 🔄 Service Testing Methodology

### 📋 Systematic Approach

```bash
# 1. Service identification (all TCP ports, versions and default scripts)
sudo nmap -sV -sC -p- TARGET_IP

# 2. Anonymous access testing
# anonymous FTP login, SMTP VRFY/EXPN without auth, rpcinfo, unauthenticated HTTP paths

# 3. Authentication testing
# default credentials and a short common-password list only (a handful of attempts per account)

# 4. Misconfiguration discovery
# user enumeration, open relays, plaintext authentication, unnecessary services exposed

# 5. Vulnerability research
# CVE lookup for exact service versions, including distro package revisions (e.g. 4ubuntu0.5)
# public exploit availability, and whether it applies to this build

# 6. Documentation
# finding severity assessment
# evidence collection (session transcripts, retrieved files)
# remediation recommendations
```

### 🎯 Finding Categories

```cmd
# High-risk findings:
- Remote code execution vulnerabilities
- Authentication bypass mechanisms
- Sensitive data exposure

# Medium-risk findings:
- User enumeration capabilities
- Weak authentication mechanisms
- Service misconfigurations

# Low-risk findings:
- Information disclosure
- Unnecessary service exposure
- Version disclosure
```

## ⚠️ Testing Limitations

### 🔒 Ethical Boundaries

```cmd
# Avoid during external testing:
- Aggressive brute force attacks
- Service disruption attempts
- Denial of service testing
- Unauthorized data access beyond validation

# Safe testing practices:
- Limited authentication attempts
- Non-disruptive enumeration
- Read-only access validation
- Minimal system interaction
```

### 📋 Documentation Requirements

```cmd
# Essential evidence:
- Service versions and configurations
- Anonymous access capabilities
- User enumeration results
- Failed exploitation attempts
- Security recommendations

# Risk assessment:
- Business impact evaluation
- Exploit complexity analysis
- Remediation effort estimates
- Compliance implications
```

## 💡 Key Takeaways

1. **Anonymous FTP access** exposes data immediately and, where uploads are allowed, a foothold; here it was read-only
2. **User enumeration** via SMTP VRFY turns blind brute force into targeted guessing; disable VRFY in Postfix
3. **Service versioning** (including distro package revisions) enables targeted vulnerability research
4. **Email services** should refuse plaintext authentication and require STARTTLS or the implicit-TLS ports, as Dovecot did here
5. **RPC services** such as rpcbind should not be externally exposed
6. **Systematic testing** ensures every discovered service gets the same coverage
7. **Professional documentation** supports finding validation and remediation

***

*Service enumeration and exploitation systematically tests each discovered service for security weaknesses while maintaining ethical boundaries and comprehensive documentation standards.*
