In this article we will focus on the various services that support the Anonymous Logins. We will be understanding the process to setup those service on your local target system and then using Kali Linux to access them or attack them.
Table of Content
·
Introduction
·
Setting up Anonymous FTP
·
Attacking Anonymous FTP
·
Setting up Anonymous SMB
·
Attacking Anonymous SMB
·
Conclusion
Introduction
Anonymous Logins are a feature that allows
the user to setup its service that is accessible by any user. It doesn’t need a
specific credentials for accessing that resource. Various servers that want to
host data which they want to be accessible to a wide range of users, they user
the anonymous logins. In real-life, while performing Network Penetration
Testing, a tester should be able to identify the Anonymous Service, and test
it. We will also be looking behind the scenes as to how these anonymous
services are setup on our local target machine running Ubuntu. We will be leaning
about the FTP service and the SMB service.
Setting up Anonymous FTP
We will begin by demonstrating the process
of setting up an Anonymous access on FTP service. We have an ubuntu machine
with root access. We install the vsftpd using apt command.
apt install vsftpd
Each service that is installed on a Linux
Machine has a configuration file that can be used to twerk options and setting
on that particular service. By default, the anonymous login is disabled on the
vsftpd. We will need to edit /etc/vsftpd.conf configuration file in order to
enable the Anonymous login functionality. We use the nano to edit the
configuration file but you can use any editor of your choice such as vi or
sublime. We scroll through all the other options and comments to reach the
“anonymous_enabled=NO” option as shown in the image below.
Change the “anonymous_enabled=NO” option to
“anonymous_enabled=YES” to enable the Anonymous Login on the machine. Refer to
the screenshot below.
Just enabling the Anonymous login or
installing a service is not enough to get it working. We want a fully
functional FTP service. To do this we need to be able to share files using the
FTP and since we have enabled the anonymous login, we should be able to
download the files from the ubuntu machine using the anonymous access. FTP
service requires a directory, whose contents can be shared over the network. We
create a directory in the /var directory. We named the directory to pub. We
also need to change the ownership of the directory in order to make is suitable
for sharing data. After creating and changing ownership, we move into the
directory and create a file with the message “Welcome to Hacking Articles” in
it. We named the text file note.txt.
mkdir -p /var/ftp/pub
sudo chown nobody:nogroup /var/ftp/pub
cd /var/ftp/pub
echo “Welcome to Hacking Articles” >
note.txt
Back to the vsftpd.conf file that we were
editing, we need to add a specific configuration to make the anonymous login
functional. We add the directory that we just created in the configurations,
then we add no_anon_password option that will stop prompting for a password.
Another option we add is hide_ids option. It will not show the username and
group of the user that is accessed, upon query it will revert the ftp:ftp
combination. At last, we need to add the range of ports that can be used for
passive FTP.
This completes all the configurations that
we require to setup an FTP service with anonymous login enabled on ubuntu
machine. All that is required is to restart the vsftpd service in order to make
the new configurations in effect. Now we will refer to our Kali Linux machine,
i.e., attacker machine.
nano /etc/vsftpd.conf
service vsftpd restart
Attacking Anonymous FTP
When attacking or targeting a system, one
of the initial steps that an attacker takes is to perform a scan of the target.
This scan gives attacker information such as open ports and running services.
We used Nmap to scan our ubuntu machine that we just configured. We can see
that the Nmap was able to identify that the FTP service was functional on the
target machine and it also takes another step into enumeration and informs the
attacker that the FTP service shas Anonymous Login Enabled.
nmap -A 192.168.1.46
Now that it is conformed that the FTP
service is running with Anonymous Login enabled, let’s try to access the
service. To do this we will connect with the FTP service by providing the IP
address of the machine. We don’t have any user credentials and anonymous login is
enabled; hence we will enter “Anonymous” in the Name option and we will be
logged in. We can run the directory listing command ls to find out the files
that are shared over FTP. We see that there is a text file by the name of
note.txt. We can transfer the text file using the get command as depicted
below. After the transfer we can read the text file to confirm that we have
successfully gained the data from the file that was created on ubuntu machine.
ftp 192.168.1.46
Anonymous
ls
cd pub
ls
get note.txt
bye
cat note.txt
Setting up Anonymous SMB
Next service that can setup Anonymous
access is the SMB service. As it was originally designed for Windows Systems,
we need to install the samba service on our Ubuntu machine. As we did with the vsftpd
we install the samba service using the apt as shown below.
apt install samba
As all services that are installed on any
Linux machine, samba also has the configuration file that is located inside the
/etc directory. Since we are trying to setup the service with the Anonymous Login,
we are going to add some additional configurations as compared to the basic
installation of the samba.
We are using the nano editor, but you can
basically use any editor of your choice. Moving down the to the file we add the
following configurations such as the directory that should be used for sharing
the files. We are making the /var/www directory for this purpose. We need to
give it proper permissions such as browsable and public so that it can be
accessed by anonymous login.
Next thing that we need to do is create a
file that can be used to test the ability of file transfer using the smb. We
created a text file named file.txt and entered the message “Welcome To Ignite
Technologies” in it. You will need to restart the service in order to make the
configurations active.
Attacking Anonymous SMB
As we did with the FTP service, it is also
possible to check if the service is running on the target machine using nmap
scan. Although we are not going to demonstrate it here. We are going to proceed
with the assumption that the service is up and running on the target machine. We
connect with the service using the smbclient. It is quite clear from the image
below that we didn’t provided an user or password combination to connect to the
service since the anonymous login is enabled. We then enumerated the share and
found the file.txt shared. We transferred the file to the local Kali Linux
machine and confirmed that the SMB Anonymous Login service is active and
working.
Conclusion
Anonymous logins are quite common in the
real-life environments and the Capture the Flags challenges as well. As an
attacker it is important to understand how it works and what kind of setup it
is required to enable the anonymous login. Most of all, it is important to know
how to interact with this kind of access.
0 comments:
Post a Comment