3

I am trying to learn the basics about security so I started by scanning the IP of a friend using Nmap, I have some questions about this section:

PORT     STATE SERVICE    VERSION
3389/tcp open  tcpwrapped
| ssl-cert: Subject: commonName=Ventas-gp-1
| Issuer: commonName=Ventas-gp-1
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2016-09-25T12:11:37
| Not valid after:  2017-03-27T12:11:37
| MD5:   95cf e484 a18f 98d1 49f1 186b 45ad ee62
|_SHA-1: 53c8 b5f3 4424 0863 7d2e 42e3 f09c 3148 1c1d dafa
|_ssl-date: 2017-02-17T12:41:06+00:00; +2m26s from scanner

This is obviously about a Remote Desktop, but with all the information about encryption, could this be used to crack the windows password? passing this data to "John the ripper" for example

Also in this network there is a Voip phone, this phone is in the DMZ of the router and also in the router the TCP 5060 is open, but none of this are shown in my nmap output, I want to know why? I am using: -T4 -A -v

Gilles 'SO- stop being evil'
  • 50,912
  • 13
  • 120
  • 179

2 Answers2

4

What you have there is information about an SSL certificate. The certificate identifies a computer, or more precisely a service running on a computer. The numbers after “MD5” and “SHA-1” are “fingerprints” of the certificate: the computer says that it can prove that it knows some secret value which is associated with these fingerprints. (MD5 has known attacks and SHA-1 is deprecated though; today SHA-256 or SHA-512 should be used for this purpose.) There is no way to obtain the secret values from those fingerprints — they're hashes of a public key, and the computer knows the corresponding private key. If you want to understand more about how this works, see How does SSL/TLS work?

The information you have here identify a service running on a computer (e.g. the RDP service). They do not identify a particular user of that computer. They have nothing to do whatsoever with any user's password or with any way in which a remote party could gain access to that computer. The information here is how another computer trying to talk to this computer can know that it's talking to the right computer.

Despite the appearance of sha1WithRSAEncryption, the information here is related to signatures (roughly speaking, how this computer can sign “yes, I am me”), not to encryption. The word “encryption” here relates to what happens during the TLS protocol, but not to the part where the certificate is directly relevant.

Gilles 'SO- stop being evil'
  • 50,912
  • 13
  • 120
  • 179
1

Answer: No.

NMAP inspects a machines network services through scanning ports, not its hashed password database. At best (using banner grabbing techniques or using P0F or NMAPs native capability) you can make inferences about the strength of the transport/connection security of the service being queried.

Cracking Windows passwords is a separate issues and is an attack, NOT on a network service but the Operating Systems password hash database.

In your example, you've scanned Remote Desktop Protocol (RDP) TCP/UDP Port 3389 and determined from its certificate something about RDP's security (i.e. it's Common Name (CN) and that it use a pre-shared 2048 bit RSA key (PSK)).

This might help you attack an RDP session perhaps, but not the passwords contained in the password database. These attributes are relevant to the RDP service and describe how it protects data is transit (i.e. between client and server).

Windows passwords are stored in the the Security Accounts Manager database, or SAM database (details found HERE about where Windows passwords are stored, and HERE about attacking them).

Perhaps, if you successfully attacked an RDP session you might be able to grab a password in transit (unlikely given a 2048bit RSA key), but that is the only way the two attacks might work together.

To summarize: Passwords are hashed and stored using one mechanism. Your use of NMAP addresses questions about another mechanism. The attributes you're discovering using NMAP describe the RDP service's Transport Layer Security and not the OS password strength.

user34445
  • 503
  • 2
  • 12