Security 105 - Common and Legacy Services

Author: Bill Ricardi
Reviewer: uTest

In order to understand what you're seeing when you perform a port scan or monitor a promiscuous network interface, you need to know what common services are present, and what each of them is supposed to be doing. Each service (assumed to be running over TCP/IP in this case) has a history and a set of common vulnerabilities if it isn't patched. Legacy services are either already outmoded, or have been superseded by a better option. So as part of your security studies, you should familiarize yourself with the following services:

FTP – Port 20 – Common/Legacy

File Transfer Protocol is the way that files have been uploaded and downloaded over the Internet for decades. It can be accessed via a web browser (using the ftp:// scheme, which most web browsers support), a dedicated client application, or a text based client within a Telnet session. FTP is still in common use, but there are safer and more secure options available. SFTP, for example, is FTP encrypted within an SSH wrapper. HTTP (in the clear) or HTTPS (encrypted) can also be used for file transfer these days.

The main weaknesses of FTP servers lie in the realm of authentication. Buffer overruns in the login handling (which can reach back end databases), default accounts and passwords, and weak user passwords are all targets.

SSH – Port 22 – Common

Secure Shell is a method of encrypting data streams, and encapsulating them in a standardized format. It can be accessed via a terminal session, or as part of other programs that have a secure option built in. It is the preferred solution to the insecurities of protocols such as Telnet and FTP.

The main weaknesses in SSH involve older versions and the use of weak ciphers. Attacks against these old revisions and cracked ciphers can be launched with the correct automated tools.
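As an added example (not code from the original article), here is a small Python check that a defender can run over an SSH server's identification banner and its sshd_config to spot the two problems named above: protocol 1 support in old versions, and weak cipher or key-exchange choices. The banner strings, the config fragments, the weak-algorithm lists and the 7.0 version threshold are all assumptions constructed for the example.

```python
import re

# Algorithm names treated as weak in this example (list assembled for the example,
# not taken from the article): RC4/3DES/Blowfish and CBC-mode ciphers, SHA-1 group kex.
WEAK_CIPHERS = {
    "3des-cbc", "arcfour", "arcfour128", "arcfour256", "blowfish-cbc",
    "cast128-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc",
}
WEAK_KEX = {
    "diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
    "diffie-hellman-group-exchange-sha1",
}
# OpenSSH release below which this example reports the server as outdated
# (7.0 dropped protocol 1 server support by default); threshold chosen for the example.
MIN_OPENSSH = (7, 0)

BANNER_RE = re.compile(r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?: (?P<comment>.*))?$")
OPENSSH_RE = re.compile(r"^OpenSSH_(\d+)\.(\d+)")


def parse_banner(banner):
    """Split an SSH identification string into protocol version, software and comment."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    return {"proto": m.group("proto"), "software": m.group("software"),
            "comment": m.group("comment")}


def banner_findings(banner):
    """Return a list of concerns derived from the server's identification string alone."""
    info = parse_banner(banner)
    if info is None:
        return ["unrecognised SSH banner"]
    findings = []
    # "1.99" means the server speaks both protocol 1 and 2; "1.5" is protocol 1 only.
    if info["proto"] in ("1.5", "1.99"):
        findings.append("protocol 1 offered")
    m = OPENSSH_RE.match(info["software"])
    if m and (int(m.group(1)), int(m.group(2))) < MIN_OPENSSH:
        findings.append("OpenSSH older than %d.%d" % MIN_OPENSSH)
    return findings


def config_findings(config_text):
    """Return weak settings found in sshd_config-style text (Protocol, Ciphers, KexAlgorithms)."""
    findings = []
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1]
        algs = [a.strip() for a in value.split(",")]
        if key == "protocol" and "1" in algs:
            findings.append("Protocol 1 enabled")
        elif key == "ciphers":
            findings.extend("weak cipher: " + a for a in algs if a in WEAK_CIPHERS)
        elif key == "kexalgorithms":
            findings.extend("weak kex: " + a for a in algs if a in WEAK_KEX)
    return findings


# Constructed sample data for the example (not real hosts or configs).
OLD_BANNER = "SSH-1.99-OpenSSH_4.3"
NEW_BANNER = "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13"
WEAK_CONFIG = """\
# constructed sshd_config fragment with legacy settings
Protocol 2,1
Ciphers aes256-gcm@openssh.com,3des-cbc
KexAlgorithms curve25519-sha256,diffie-hellman-group1-sha1
"""
HARDENED_CONFIG = """\
Protocol 2
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
KexAlgorithms curve25519-sha256,diffie-hellman-group16-sha512
"""

if __name__ == "__main__":
    for banner in (OLD_BANNER, NEW_BANNER):
        print(banner, "->", banner_findings(banner) or "no concerns")
    print("weak config:", config_findings(WEAK_CONFIG))
    print("hardened config:", config_findings(HARDENED_CONFIG))
```

The banner check works from the one line the server volunteers on connect, so it is something an automated version probe already collects; the config check is for the host's own administrator, who can see the real algorithm lists rather than guessing from the version.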

Telnet – Port 23 – Common/Legacy

Telnet is a protocol used for direct two-way communication between a client and a server. It has been around for over 40 years, and is still in common use today. It is typically accessed via a command line or text based terminal session. Because Telnet sends user names and passwords in the clear, SSH is the preferred method of making a text based client-server connection these days.

Telnet's security weaknesses are legion. Because it sends passwords unencrypted, anybody with access to a router, switch, or hub on the same network can intercept the authentication with a packet sniffer. Other vulnerabilities depend on the exact version of Telnet that the server is running, but many are buggy and should be replaced with SSH. Buffer overflows, default accounts, and hijacking of sessions in progress are all possible routes of attack.

SMTP – Port 25 – Common

Simple Mail Transfer Protocol is used to transfer E-mail from server to server. It has been in common use since the early 1980s. SMTP is a push-only protocol, meaning a server can't request a specific message, only receive what is pushed to it. When it reaches its final destination, the E-mail can then be picked up by a client using the IMAP or POP protocol. In addition to direct server to server communication, it can be accessed via Telnet for command injection and snooping around, since the protocol is text based.

Weaknesses depend on the version of SMTP server being used, but things to try include access via Telnet to attempt direct commands on the server, specially crafted header information intended to overrun buffers and execute commands, and the usual authentication vulnerabilities. There are additional weaknesses in POP3 (Port 110) and IMAP (Port 143), which are used by clients to 'pick up' the mail being held by the SMTP server. You should really approach these three protocols as one holistic suite that you can attack, rather than dealing with each individually. Their interaction (when custom headers are crafted, for example) can be just as insecure as the individual protocols themselves.
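Since SMTP is text based, the checks that matter are easiest to see by modelling the server's side of the dialogue. The Python handler below is an added example written for this article (it is not code from the original article or from any real mail server): it answers a constructed sequence of commands of the kind a person would type into a Telnet session, and shows the server enforcing a command-line length limit before parsing, the HELO/MAIL/RCPT ordering, a non-answer to VRFY/EXPN, and relay denial for non-local recipients. The domain names, hostname and reply texts are assumptions for the example.

```python
# Minimal server-side SMTP command handler (example code, not from the article or any MTA).

MAX_COMMAND_LINE = 512           # RFC 5321 command-line limit, CRLF included
LOCAL_DOMAINS = {"example.com"}  # constructed: domains this server accepts mail for
HOSTNAME = "mail.example.com"    # constructed


def parse_path(arg, keyword):
    """Parse 'FROM:<addr>' / 'TO:<addr>'; return the address, '' for <>, or None if malformed."""
    if not arg.upper().startswith(keyword):
        return None
    rest = arg[len(keyword):].strip()
    if not (rest.startswith("<") and rest.endswith(">")):
        return None
    addr = rest[1:-1]
    if addr and "@" not in addr:
        return None
    return addr


class SmtpSession:
    """Tracks one client connection's state and answers each command line."""

    def __init__(self):
        self.helo = None
        self.sender = None
        self.recipients = []

    def handle(self, line):
        # Length check happens on the raw bytes, before any parsing.
        if len(line) > MAX_COMMAND_LINE:
            return "500 5.5.2 Line too long"
        try:
            text = line.decode("ascii").rstrip("\r\n")
        except UnicodeDecodeError:
            return "500 5.5.2 Syntax error"
        verb, _, arg = text.partition(" ")
        verb, arg = verb.upper(), arg.strip()

        if verb in ("HELO", "EHLO"):
            if not arg:
                return "501 5.5.4 Syntax: %s hostname" % verb
            self.helo, self.sender, self.recipients = arg, None, []
            return "250 " + HOSTNAME
        if verb in ("VRFY", "EXPN"):
            # Refuse to confirm or list accounts; 252 is the RFC-sanctioned non-answer.
            return "252 2.5.2 Cannot verify user"
        if verb == "NOOP":
            return "250 2.0.0 OK"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        if self.helo is None:
            return "503 5.5.1 Send HELO/EHLO first"
        if verb == "MAIL":
            addr = parse_path(arg, "FROM:")
            if addr is None:
                return "501 5.1.7 Syntax: MAIL FROM:<address>"
            self.sender, self.recipients = addr, []
            return "250 2.1.0 OK"
        if verb == "RCPT":
            if self.sender is None:
                return "503 5.5.1 Need MAIL command"
            addr = parse_path(arg, "TO:")
            if not addr:
                return "501 5.1.3 Syntax: RCPT TO:<address>"
            domain = addr.rpartition("@")[2].lower()
            if domain not in LOCAL_DOMAINS:
                # Unauthenticated clients may only deliver to local domains.
                return "550 5.7.1 Relaying denied"
            self.recipients.append(addr)
            return "250 2.1.5 OK"
        if verb == "DATA":
            if not self.recipients:
                return "503 5.5.1 Need RCPT command"
            return "354 End data with <CR><LF>.<CR><LF>"
        return "502 5.5.2 Command not implemented"


def run_transcript(lines):
    """Feed client lines to a fresh session; return (command, reply) pairs."""
    session = SmtpSession()
    return [(line.decode("ascii", "replace").rstrip("\r\n")[:40], session.handle(line))
            for line in lines]


# Constructed client transcript of the kind one would type into a Telnet session.
PROBE = [
    b"MAIL FROM:<someone@outside.test>\r\n",  # before HELO: sequence error
    b"EHLO probe.test\r\n",
    b"VRFY root\r\n",                         # account enumeration attempt
    b"MAIL FROM:<someone@outside.test>\r\n",
    b"RCPT TO:<target@elsewhere.test>\r\n",   # relay attempt
    b"RCPT TO:<bob@example.com>\r\n",
    b"X" * 600 + b"\r\n",                     # oversized command line
    b"DATA\r\n",
]

if __name__ == "__main__":
    for cmd, reply in run_transcript(PROBE):
        print("C: %-40s S: %s" % (cmd, reply))
```

The DATA phase (and the separate line limit that applies to message headers and body) is not modelled; the point is that every command line is length-checked before any parsing, so an oversized crafted line never reaches the parser, and that the server gives the same 252 non-answer to VRFY whether or not the account exists.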

Gopher – Port 70 – Legacy

Gopher is an old text based information exchange method used in the 1990s, somewhere between an old bulletin board system and the modern World Wide Web. The Gopher protocol can still be accessed via UNIX or BSD shells, or in some web browser address fields via the gopher:// scheme. It is a completely legacy protocol, and should have been replaced with HTTP years ago, though some Gopher servers are still in use today.

Attacks against Gopher are many, but the most reliable ones are buffer overflow attacks. Simply put, there is no reason to be running Gopher if the client has access to IIS or Apache HTTPD based servers instead.

HTTP – Port 80 – Common

HyperText Transfer Protocol is a method of serving and sharing information over the World Wide Web. It is the successor to the Gopher protocol, and has much broader functionality. It also has a secure and encrypted version (HTTPS, which runs on port 443) for more sensitive transactions. It can be accessed via a web browser, but also with a Telnet session for direct command injection (methods like PUT, POST, and DELETE).

The number of vulnerabilities in HTTP and HTTPS depends entirely on the version of the HTTPD that you're using. IIS is the most common web server for the Windows OS, and Apache is the most common implementation of HTTPD for UNIX and BSD based systems. Simply put, learning these systems inside and out is the first step to determining their weaknesses, followed by specific research into the version and patch level of the server that you plan to attack.
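One defensive check that follows from the above: a web server's access log records the method of every request, so methods typed in over a raw Telnet connection show up there. The Python script below is an added example (not code from the original article or from any web server) that parses constructed combined-format log lines, flags PUT/DELETE and other methods outside an allowed set, empty User-Agent strings (typical of hand-typed requests), and malformed request lines, and ranks the source addresses. The allowed-method list, the log lines and the IP addresses are assumptions constructed for the example.

```python
import re
from collections import Counter

# Apache/nginx "combined" log format; regex written for this example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?$'
)
# Methods a content-only site is expected to answer; anything else deserves a look.
# Assumption for the example: adjust to what the application actually uses.
ALLOWED_METHODS = {"GET", "HEAD", "POST", "OPTIONS"}


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not in combined format."""
    m = LOG_RE.match(line.rstrip("\r\n"))
    return m.groupdict() if m else None


def review_request(entry):
    """Return the reasons this entry deserves attention (empty list if none)."""
    parts = entry["request"].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        # Hand-typed or garbage requests often fail to form "METHOD PATH HTTP/x.y".
        return ["malformed request line"]
    method = parts[0].upper()
    reasons = []
    if method not in ALLOWED_METHODS:
        reasons.append("method %s (status %s)" % (method, entry["status"]))
    if entry.get("agent") in (None, "", "-"):
        # Browsers and real clients send one; a raw Telnet session does not.
        reasons.append("no User-Agent")
    return reasons


def scan_log(lines):
    """Return (findings, skipped): findings are (ip, request, reasons) tuples."""
    findings, skipped = [], 0
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            skipped += 1
            continue
        reasons = review_request(entry)
        if reasons:
            findings.append((entry["ip"], entry["request"], reasons))
    return findings, skipped


def top_sources(findings, n=3):
    """Source addresses with the most flagged requests."""
    return Counter(ip for ip, _, _ in findings).most_common(n)


# Constructed sample log (documentation IP ranges; not from a real server).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "PUT /upload/notes.txt HTTP/1.0" 201 0 "-" "-"
203.0.113.9 - - [10/Oct/2023:13:56:20 +0000] "DELETE /index.html HTTP/1.0" 403 199 "-" "-"
203.0.113.9 - - [10/Oct/2023:13:57:02 +0000] "hello? HTTP/1.0" 400 226 "-" "-"
198.51.100.7 - - [10/Oct/2023:14:01:11 +0000] "POST /login HTTP/1.1" 302 0 "https://www.example.com/" "Mozilla/5.0"
not a log line at all
"""

if __name__ == "__main__":
    findings, skipped = scan_log(SAMPLE_LOG.splitlines())
    for ip, request, reasons in findings:
        print("%-14s %-35s %s" % (ip, request, "; ".join(reasons)))
    print("top sources:", top_sources(findings), "unparsed lines:", skipped)
```

A 2xx status on a flagged method (the PUT above) is the line to act on first: it means the server accepted the request rather than rejecting it, which is exactly the version-and-configuration question the paragraph above says to research.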

IRC – Port 194 – Common

Internet Relay Chat is a form of group communication, often used for discussion forums. Because IRC is a fully functional, bidirectional pipe, it can also be used as a conduit for file transfer protocols such as DCC. Though there are many other options for both point-to-point and group chat environments, IRC has thrived for over 20 years. It is usually accessed with an IRC client downloaded by the user.

Though some versions of IRC server software can support an SSL pipe, most pass user names and passwords in the clear, and are thus vulnerable to the same sort of sniffing as Telnet. Common attacks via IRC include denial of service to use up a server's processor or memory, and using the sniffed user names and passwords to attack more important services (on this server or others) that the users are known to frequent.

Now that you know the most common protocols and modes of attack, you can focus your research on attacks that will affect the specific versions of the software that you're dealing with. Start with a port scan, then an automated probe to try to get the version of the service that is running, then do your research to craft a specific exploit. Good luck!
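As an added example covering the port scan and version probe described here, and the cleartext-credential services of the FTP, Telnet, IRC, POP3/IMAP and Gopher sections above, this Python script parses the per-port lines of a version scan (a constructed sample in the format nmap -sV prints, not the output of a real scan) and produces an inventory of the open services, flagging the legacy and cleartext ones with the replacement the article recommends. It keys on the service name rather than the port number, which also sidesteps confusion over FTP's two ports (the control channel a scanner reports is 21; port 20 carries active-mode data). The sample lines, version strings and the POP3/IMAP advice are assumptions for the example; none of it is code from the original article.

```python
import re

# Matches the per-port lines of an nmap -sV style report, e.g.
#   "21/tcp   open   ftp      vsftpd 3.0.3"
PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>.*\S))?\s*$"
)

# Per-service assessment: (flags, recommendation), keyed on the service name the
# scanner reports rather than the port number, so a service moved to an odd port
# is still caught. The ftp/telnet/gopher/irc/http advice follows the article;
# the pop3/imap advice is this example's own assumption.
ASSESSMENT = {
    "ftp":    ({"cleartext-auth", "legacy"}, "replace with SFTP (FTP over SSH)"),
    "telnet": ({"cleartext-auth", "legacy"}, "replace with SSH"),
    "gopher": ({"legacy"},                   "retire; serve the content over HTTP/HTTPS"),
    "pop3":   ({"cleartext-auth"},           "require TLS (POP3S or STARTTLS)"),
    "imap":   ({"cleartext-auth"},           "require TLS (IMAPS or STARTTLS)"),
    "irc":    ({"cleartext-auth"},           "move clients to the server's SSL port"),
    "http":   ({"cleartext"},                "serve anything sensitive over HTTPS"),
}


def parse_scan(text):
    """Return one dict per open port line; header and non-port lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if not m or m.group("state") != "open":
            continue
        service = m.group("service")
        wrapped = service.startswith("ssl/")   # nmap's marker for a TLS-wrapped service
        base = service[4:] if wrapped else service
        flags, advice = ASSESSMENT.get(base, (set(), None))
        if wrapped:
            # TLS removes the cleartext concern but not the legacy one.
            flags = {f for f in flags if not f.startswith("cleartext")}
            if not flags:
                advice = None
        entries.append({
            "port": int(m.group("port")),
            "proto": m.group("proto"),
            "service": service,
            "version": m.group("version") or "",
            "flags": sorted(flags),
            "advice": advice,
        })
    return entries


def report(entries):
    """Printable lines for the entries that need attention."""
    return [
        "%5d/%s %-9s %-28s %-22s -> %s" % (
            e["port"], e["proto"], e["service"], e["version"] or "(version unknown)",
            ",".join(e["flags"]), e["advice"])
        for e in entries if e["flags"]
    ]


# Constructed sample in nmap -sV output format (not a real scan result).
SAMPLE_SCAN = """\
PORT     STATE  SERVICE  VERSION
20/tcp   closed ftp-data
21/tcp   open   ftp      vsftpd 3.0.3
22/tcp   open   ssh      OpenSSH 5.3 (protocol 2.0)
23/tcp   open   telnet   Linux telnetd
25/tcp   open   smtp     Postfix smtpd
70/tcp   open   gopher
80/tcp   open   http     Apache httpd 2.4.57
110/tcp  open   pop3     Dovecot pop3d
143/tcp  open   imap     Dovecot imapd
443/tcp  open   ssl/http Apache httpd 2.4.57
6667/tcp open   irc      UnrealIRCd
"""

if __name__ == "__main__":
    for line in report(parse_scan(SAMPLE_SCAN)):
        print(line)
```

The version column is kept verbatim for the entries that are not flagged (SSH and SMTP here), because for those the next step is exactly the version-specific research the closing paragraph describes, while the flagged entries have a fix that does not depend on the version at all.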