Chapter 5. Assessing Remote Information Services
Remote information services are probed to gather useful information that can be used later, such as usernames and IP addresses. Some remote information services are also susceptible to direct exploitation, resulting in arbitrary command execution or compromise of sensitive data. This chapter focuses on the assessment of these services and lists relevant tools and techniques used to test them.
Remote Information Services
Most platforms run remote information services that provide system, user, and network details over IP. A list of remote information services taken from the /etc/services file is as follows:
wins        42/tcp
domain      53/tcp
domain      53/udp
finger      79/tcp
auth        113/tcp
ntp         123/udp
snmp        161/udp
ldap        389/tcp
rwho        513/udp
globalcat   3268/tcp
SSL-wrapped versions of LDAP and Global Catalog (GC) services are accessible on the following ports:
ldaps       636/tcp
globalcats  3269/tcp
An SSL tunnel must first be established (using a tool such as stunnel) to assess these services. Standard LDAP assessment tools can then be used through the SSL tunnel to test the services.
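As an added example (not from the book), the following Python picks the services listed above out of /etc/services-style text and writes the stunnel client configuration that lets a plain-text LDAP tool reach ldaps and globalcats through a local tunnel. The target hostname, the CA bundle path and the local listening ports (plain port + 10000) are assumptions chosen for illustration.

```python
"""Parse /etc/services-style lines and emit an stunnel client config."""
import re

# Services named in the chapter's /etc/services excerpt.
REMOTE_INFO_SERVICES = {
    "wins", "domain", "finger", "auth", "ntp", "snmp", "ldap", "rwho",
    "globalcat", "ldaps", "globalcats",
}
# SSL-wrapped service -> (plain-text equivalent, its standard port).
SSL_WRAPPED = {"ldaps": ("ldap", 389), "globalcats": ("globalcat", 3268)}

SERVICE_LINE = re.compile(r"^(\S+)\s+(\d+)/(tcp|udp)")

# Constructed sample in /etc/services format (includes noise to be skipped).
SAMPLE_SERVICES = """\
# service-name  port/protocol
wins        42/tcp
domain      53/tcp
domain      53/udp
finger      79/tcp
auth        113/tcp      # ident
ntp         123/udp
snmp        161/udp
ldap        389/tcp
rwho        513/udp
globalcat   3268/tcp
ldaps       636/tcp
globalcats  3269/tcp
http        80/tcp       # not a remote information service
"""


def parse_services(text):
    """Return [(name, port, proto)] for the remote information services only."""
    found = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        m = SERVICE_LINE.match(line)
        if m and m.group(1) in REMOTE_INFO_SERVICES:
            found.append((m.group(1), int(m.group(2)), m.group(3)))
    return found


def stunnel_client_config(target, services, cafile="/etc/ssl/certs/ca-certificates.crt"):
    """Map each SSL-wrapped TCP service to a local plain port (assumed: +10000),
    verifying the server certificate chain against the given CA bundle."""
    lines = ["client = yes", "foreground = yes", "verifyChain = yes", f"CAfile = {cafile}", ""]
    for name, port, proto in services:
        if name in SSL_WRAPPED and proto == "tcp":
            local_port = SSL_WRAPPED[name][1] + 10000
            lines += [f"[{name}]", f"accept = 127.0.0.1:{local_port}", f"connect = {target}:{port}", ""]
    return "\n".join(lines)
```

Point ldapsearch or similar at 127.0.0.1:10389 (or :13268 for the Global Catalog) once stunnel is running with this configuration.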
RPC services can also be queried to enumerate useful information. These run on dynamic high ports, and the following relevant remote information service is taken from the /etc/rpc file:
Chapter 3 covered the use of DNS querying to enumerate and map IP networks, using forward and reverse DNS queries, along with DNS zone transfers. Name servers use two ports to fulfill ...