Chapter 5. Assessing Remote Information Services

Remote information services are probed to gather useful information that can be used later, such as usernames and IP addresses. Some remote information services are also susceptible to direct exploitation, resulting in arbitrary command execution or compromise of sensitive data. This chapter focuses on the assessment of these services and lists relevant tools and techniques used to test them.

Remote Information Services

Most platforms run remote information services that provide system, user, and network details over IP. A list of remote information services taken from the /etc/services file is as follows:

wins            42/tcp
domain          53/tcp
domain          53/udp
finger          79/tcp
auth            113/tcp
ntp             123/udp
snmp            161/udp
ldap            389/tcp
rwho            513/udp
globalcat       3268/tcp

SSL-wrapped versions of LDAP and Global Catalog (GC) services are accessible on the following ports:

ldaps           636/tcp
globalcats      3269/tcp

An SSL tunnel must first be established (using a tool such as stunnel) to assess these services. Standard LDAP assessment tools can then be used through the SSL tunnel to test the services.

RPC services can also be queried to enumerate useful information. These run on dynamic high ports, and the following relevant remote information service is taken from the /etc/rpc file:

rusers          100002

DNS

Chapter 3 covered the use of DNS querying to enumerate and map IP networks, using forward and reverse DNS queries, along with DNS zone transfers. Name servers use two ports to fulfill ...

Get Network Security Assessment, 2nd Edition now with the O’Reilly learning platform.

O’Reilly members experience live online training, plus books, videos, and digital content from nearly 200 publishers.