Interacting With Ports And Exploitation

Hey guys. Today we're gonna go more deep into ports. How it help in connecting client and server and how we can interact with them. We will be using Netcat for this purpose and make sure you have installed it you system. And I suggest you to read basic articles on networkingto build a good base. So what ports are basically? They act as a door behind which a specific service is listening for connections or you can say packets. Let’s get more deep. The internet works on client-server model. One provides services and one takes it. So you need to connect these to in order to exchange information. There connection can be called a socket connection. For proper connection you'll need destination IP, destination port, source IP, source port, and protocol. If you've read our previous articles you know what’s an ip and a port. Let’s revise. Ip acts like an address and port verifies that packet is reached to appropriate receiver. What’s protocol? Protocol is the set of rules over which the communication will take place. Eg. TCP, UDP, HTTP, SMTP etc. If all conditions meet then both client and server have setup a connection and they can exchange information. Let’s look at the sockets now. First a server socket. When a program wants to provide service. It'll bind its service to a port and the client can connect to it in form,

p:port serv_addr.sin_family = AF_INET; 
serv_addr.sin_addr.s_addr = htonl(INADDR_ANY); 
serv_addr.sin_port = htons(5000); 
bind(listenfd, (struct sockaddr*)&serv_addr, sizeof(serv_addr)); 
listen(listenfd, 10);

The code above makes a server socket and starts listening for connection on port 5000. We can code it to provide some service like a webpage, FTP, some program, etc. on a port. Let’s look at client side socket,

server.sin_addr.s_addr = inet_addr(" 1.2.3.4"); 
server.sin_family = AF_INET; 
server.sin_port = htons( 5000 ); 
connect(sock , (structsockaddr *)&server ,sizeof(server);

The above code makes a client side socket to connect to server on port 5000. We can now exchange services from the server. So when you open a website in your browser, it requests the server for the webpage on port 80 and hence it’s shown on our browser. So an open port doesn't mean that it's vulnerable. It means that it’s providing some service on that port. What hackers do is finding some vulnerability in that service so they can exploit that. We'll talk more about it later. Also some people have doubt that how a server can serve on same port to multiple users? Well port is just a number to communicate to particular service. Once connection is established with one client, the server can keep listening on port 80 from another user, or any other port. Connections are distinguished because each connection has different source IP and source port. Even if same ip(behind a NAT or router) then also ports are different. Yeah. Server can host 2 services on same port. They can be distinguished by the protocol used. Now. Let’s make a server socket to listen on for connections. I will use a simple tool called netcat. It’s written in C and preinstalled in most Linux distros and is also available for windows. It a very basic tool for interacting with TCP/UDP connections. It’s also called Swiss army knife for TCP/UDP. We will make a server socket and serve bash shell on a port so whoever connects to it will able to use the shell. Hence we're providing a service on that port. Enter command

nc -vv -l -p 5000 -e /bin/bash

Here, nc is for netcat, -vv is for more verbose output which means it'll display what’s happening in more detail. -l is for listening mode. -p is for port. I've entered 5000. You can use any of your choice but remember ports below 1024 need root permissions to be used. -e is for execute. I'm executing bash shell in it. For windows you can type ’’ -e cmd.exe’’ for windows shell.

As you can see in the picture it has started listening on that port. So it pipes the shell to that socket so that the client can use it. Now let’s connect the client to it. For connecting the client the command is nc here I’m connecting from another terminal on same machine so I’ll use ip as localhost i.e. 127.0.0.1. You can connect with any other device on same network by entering the LAN IP of server. For serving on WAN you'll need to forward your port to make it available outside your network. My command is

nc -vv 127.0.0.1 5000

As soon as you hit enter you'll see connection to localhost from the client which is also local host in our case.

You can also see that client has connected through some random port 53052 to the server. In client side window you can see there's connection established. Since we're providing bash service on our server let’s try executing 'stdin' some commands from client side. The server will execute it and pipe the 'stdout' result to client. I’ve entered "ls" and you can see the list of files and folders in that directory.

Now let’s again make a server and try to connect in from browser to see how your browser requests a webpage. Remember websites are served on port 80 of the server. I've used 5000 in our case. Again our server is listening for connections. Now let’s connect it from different machine on my lan. First find your server IP with ifconfig (in windows use ipconfig). Now open any browser in another device and go to "ip:port" like in my case my server IP is 192.168.1.101 and port is 5000 so I’ll go to 192.168.1.101:5000 in browser. Once I hit enter I can see connection on my terminal. Its connection from client IP and also a random port 55038. Now there's a GET HTTP request to pull the webpage.

There are other HTTP options too like post, put, trace, delete, etc. Yeah. Heard it right. Delete too. If a server a is vulnerable to it then you can craft a HTTP packet and delete contents of server. Scary huh ? Don't worry its old thing now though. Other parts include the host name and also the user agent. You can see the info of my browser and even the OS I’m running on client side in user agent. Think of how much info you send to server when you just request a web page. There are some more things like connection, language and encoding too. At bottom you can see a cookie. I hooked my browser with BeEF(Browser exploitation framework) so it even sends me the cookies from the browser with just a HTTP request. Ummmm Now let’s interact with some outside servers. I took a random IP and did a NMap port scan for it.So as you can see here,

We've a lot of ports open on our target. You would have understood till now that open port doesn't mean it’s vulnerable. It’s just providing some service on that port. The thing lies in finding the vulnerability and exploiting it to gain some kinda access to the system. Let’s first connect to port 80 and fetch some webpage. Command

nc -vv ip port

You'll see connected now let’s use GET request of HTTP protocol 1.1 Here we're crafting a packet as our browser does. Once connected type

GET /index.php / HTTP/1.1

and hit enter 2 times. (You can also add some more info as we can see in server side in previous example of connecting through a browser) Here it’s requesting for output HTML format for index.php script. It'll directly send if we request a HTML document. A script will be first executed on server and then output HTML will be sent since we're using HTTP. You can see the output,

It also contains info about server like in this case it’s running on "nginx". It'll be same as you'll visit that IP in browser. Let’s try connecting to some other services. There's FTP and SMTP too on port 21 and 25 respectively. Command is same NC You can type nc -h for help box.

As you can see we've connected to FTP and it has also sent some welcome information. Though we can't use it since we aren't logged in. In SMTP (simple mail transfer protocol) I've sent "HELLO" and it has also replied back greeting.

This protocol is used for mailing. You can also craft a mail request packet and send to it. Since we've covered how we interact with ports now let’s talk on how we can exploit some. As a beginner we'll imagine a simple vulnerable service running on remote server. So what it does is accepts some input from client, stores it in memory, process it and sends result to the client. So simple that we can code it too. Pretty cool huh?! Now a malicious client intends to use this service. I hope you would have read my article about Basic working of computers. Now so when a code is to be executed it’s provided a space in memory and a buffer memory for input. What if the malicious client sends an input so long that it fills and crosses the buffer even reaching to the return address of the code. If you're a programmer you know what I'm talking about. Yes a buffer overflow. For others, don't worry. We'll talk about it in detail in future. Now if attacker sends some malicious shellcode with it and overwrites the return address pointing towards shellcode or any malicious code. The malicious code will be executed and may provide shell access to the attacker. Oops. The server is pwned. Yeah. It was just a basic example of a simple vulnerable server. In future tutorials we'll talk more about how code is stored and executed from memory and some local buffer and stack buffer exploits and yeah remote exploits too. And a lot more things. So keep learning, keep researching, clear your basics, keep pwning LOL. Bye. See you next time soon.