Recon: netcat, nmap, SSL, chmod
Welcome back to my 8th iteration of this blog series. In this series we’re growing our cybersecurity knowledge starting from the very basics using the overthewire.org challenges as a guide. First, I’d like to thank everyone for their feedback based on the last post! I’ll do my best to implement it and as always, more feedback is always welcome. Now let’s start!
Our previous challenges thus far have been focused on learning the basics and we’ll continue that today but we’ll be finally going to use some “hacking tools”. Our first challenge is quite different from what we’ve done so far and it sounds incredibly simple: send the password for our current level (which we’ve used to log in) and we’ll get the next password. The question is “how?”.
We’ve briefly discussed IP addresses and how they’re used on the internet. The challenge says to send our current password to “port 30000 on localhost”. We know that localhost is the “name” of the IP address of 127.0.0.1. What is a port? How many are there? Why specifically port 30000?
Think of ports as a way to track application communications. Ports are dynamically assigned(for the most part) to services on your machine that need to communicate outside of themselves. Since a machine can address itself with the loopback address, ports can be used for communication between multiple applications on the same machine.
There are two kinds of ports: UDP and TCP. They differ in the way they communicate, UDP is “best effort” while TCP makes sure every transmission sent is received. Each port type has 65,536 ports available to it. Ports are dynamically assigned by the machine at the request of services and applications but only one service or application can run on one port at a time. There is an exception to the dynamic assignment though and that’s ports 1 to 1000 which are known as the “registered” ports. Port registration is a way for commonly used services to be dedicated to specific ports as a way of standardizing the applications so as not to have overlaps. Port 80 for example is a registered port for HTTP web service and applications that request this should be hosting some kind of web server on that port.
In our case, the port 30000 has been designated for the service of sending back the password if we give it what it’s looking for. So how do we communicate over IPs and ports?
netcat or nc (depending on the operating system you’re using) is a very simple tool for anything TCP or UDP related. It can connect to or host servers over any port and IP combination you pass to it. It is a very manual way of communicating over a network and it allows you to manually set everything including source information. In our case, we’re simply trying to connect to port 30000 and send a simple line. In fact, we’ve been using port designation for a while now with ssh to connect to our bandit machines: 2220. This is an example of dynamic assignment as well since ssh typically runs on port 22 but has been manually reassigned to 2220 instead.
Let’s try connecting to port 30000 (this kind of connection is very simple and is just nc <target IP> <target port>; make sure you check if it’s nc or netcat for your system):
Nothing happened…That’s okay because the service is waiting for us to send soemthing:
Alright, so we know it works and that it’s really looking for the password so lets try that now:
That was a quick one. We’re going to save the password somewhere for now but I’m not going to log into the next bandit user. This will in itself be a demonstration for how services running on ports are exposed to any user or machine that has access to that IP address.
So this level isn’t much different but we’ve got to do it with SSL encryption. So what’s SSL? We’ve already discussed encryption and how it makes information between two points private. SSL is an encryption method or protocol for use over IP connections such as the ones we’re making (even if they’re to the loopback address). It’s important to note that even though the name SSL has persisted, SSL is itself deprecated due to many critical vulnerablities. The replacement of SSL is TLS but the names are used interchangeably.
openssl is the SSL version of netcat. Looking at the man page of openssl, we have to specify if we’re connecting as a client or server and the usual IP and port number:
This shows us the certificate and the encryption happening in real time. If we were connecting to a service using a normal app or browser, all this would be happening in the background. Let’s give it our password:
Awesome! We now know how to start both in-the-clear and encrypted connections.
Now comes the fun part: recon. Reconnaissance is the most important part of any cybersecurity operation. Whether you’re the penetration tester (red team) trying to break into the network or the security team (blue team) trying to find vulnerabilities and patch them up. For this challenge, we have to find the port between 31000 and 32000 running SSL and the service that will give us our password.
We can simply try to connect to every single port using netcat and openssl but that would take too long. We can write a script to do that for us as well. Luckily, a tool called nmap exists to do all of that for us. nmap is an incredibly powerful tool that will scan ports on a machine and has the capability of report if a port is open, what if a service is active on that port, and even the operating system of the machine.
Scanning a lot of ports takes some time and is also bandwidth intensive. It can take down networks and paralyze machines with the amount of requests and responses that are happening in a short period of time. This issue compounds the bigger a network is and the more machines that exist on a network. It’s very important that you only scan applications, machines, or networks that you’re given permission to and only during times that are allowed. In a production environment, this would typically be done in off-peak hours and localized to network segments so as not to interrupt operations.
The of the challenge is to scan this machine and as such is our permission from overthewire.org to do so. Take a look at the man page of nmap and see if you can figure out the options we need for this scan. We need to scan one machine (localhost), only the ports between 31000 and 32000, and figure out what services are running on those ports:
When you start the scan, it’ll look like the program freezes or hangs. If this lack of information is confusing to you, try adding the -v option (verbose). This way the program running with the verbose option will tell you everything that it is doing. In my case, I’m confidant that the program is running correctly and I don’t want to clutter my screen with unnecessary information about closed ports.
Sure enough, the scan is done and here are our results. We see that there’s a service called “echo” running on all the ports except one. “Echo” simply echoes back whatever you send to it. One of the ports is running both SSL and echo. The only option left is the service running on port 31790:
Great! We need to save this private key somewhere so let’s create a directory in /tmp and store it. In my case I’ll call it “bandit17_key” and store it in the directory “samel_bandit17”:
Let’s use that key to get into bandit17 so that we can get it’s password:
If you remember our discussion about private keys, they’re meant to be only accessible by the owners of the keys. Here, ssh reminds us of that and refuses the key because its permissions are not private enough for a private key. We need to fix this by making this key only accessible to our current user and protect it from changes.
The command for changing file permissions is chmod. It takes arguments for permissions in the “octal” and symbolic formats. The octal format is what is shown in the response above “Permissions 0644 for ‘bandit17_key are too open.” The octal format is really quick and simple to use but not as intuitive as the symbolic format. Let’s take a look at both.
Adding or taking away permissions is as easy as using the permissions letters: chmod +r <file> will add the “r” to the permissions of the file for all groups. Conversely, “-r” will remove read permissions from the file altogther. You can specify which of the user, group, other, or all can get the specified permissions. You can also set the permission to be “=” to the set you pass regardless of the original setting. As demonstrated early, not specifying “u”, “g”, or “o” will automatically default to “a”.
The octal format is great for setting permissions for multiple user groups at once. The octal format is the 3 permission bits being assigned a number each. Since we have 9 (really 10 but 9 for now) permission bits, the octal format for is divided into 3 (really 4) numbers. Each of the bits is assigned a number r is equal to 4, w is 2, and x is 1. So if you want only r permissions then you’d only do 4. If you want rw, you’d add the 4 and 2 and use 6. If you want rwx then 4 + 2 + 1 is 7. If you want no permissions for that group then it’s just a 0. The order is the same as the original “ugo” so the octal format is also ugo. Going back to the octal of 0644, we’re going to ignore the first number “0” for now, it tells us that the permissions are rw for user, r for group, and r for other:
Now let’s change the permissions into read only for user only:
Let’s try using the really private private key now again:
Voila! Now for the password:
Did you notice that we didn’t need to log into any other machine except bandit14 for all of the challenges? In fact, we only needed to log into bandit17 just to be able to read the password since it’s only accessible to bandit17.
These challenges introduced us to ports and how they are assigned to services. Ports are how machines multitask with the world. Machines can handle multiple tasks running on but without ports it would be difficult to figure out which response was for which request and for which application. By assigning a port to an application, machines can bundle that port number into the request that it sends out as part of the packet’s source address. The response addressing is a simple flip of the original source and destination addresses. When the response comes back, the machine knows to forward the contents to a specific port and the application therefore gets what it asked for. Combining ports and loopback addresses is also a way for applications running on the same machine to communicate with each other without losing transmissions.
Since ports are uniquely assigned, this can create conflicts for applications that request the same port. This can be an issue for certain applications that don’t have an option for changing port requests and is a part of application compatibilities on a machine. Reassigning ports, as we have seen with the ssh connections we’ve been making to the bandit server, can also be used a way to obscure commonly attacked ports.
This post is quite a bit longer than the previous ones but we covered some new and important concepts. I hope that you found this helpful and that you’ll join me for the next challenge next week.
