13

Hackers usually attack open ports and services, but I want to know how they find security holes in specific ports or services.

schroeder
ghost ghoster
    I re-tagged your question with some answers to your question. – schroeder Jul 21 '20 at 07:18
  • Thanks, but how do you vulnerability scan a port? Also, what are you supposed to look for when you are information gathering? – ghost ghoster Jul 21 '20 at 08:08
  • Please google "vulnerability scanners" – schroeder Jul 21 '20 at 08:09
  • Ok thanks, but what more is there to figure out about a port other than the service that runs on it? – ghost ghoster Jul 21 '20 at 08:14
  • This is all very easy to look up. Look up port scanning, vulnerability scanning, and look at nmap's scripts. If you are asking how to find a new vulnerability that no one else has found before, that's a much bigger question that we can't tackle here. – schroeder Jul 21 '20 at 08:40
  • 1
    @ghostghoster Re. "_what more is there to figure out about a port other than the service that runs on it_"... essentially, nothing. The port is _just_ a "connector" between the outside world and a process/service that might be running behind it. The tools described in the other answers are not about finding vulnerabilities in _ports_, but in the processes _connected to_ those ports. – TripeHound Jul 21 '20 at 10:51
  • 8
    Ports don't have vulnerabilities, services do. – user253751 Jul 21 '20 at 16:29

2 Answers

24

Basically, some tools (like nmap) try to open a session on each port of a target. If the session is opened, the tool will try to talk to the port in every way it knows (http, ftp, smtp, mysql, ...) until it finds the right protocol.

For UDP, the first step is omitted as this is a sessionless protocol.

Before trying every protocol, the scanner can often rely on the banner sent by the server after the session is opened (for example something like "welcome to OpenSSH server v2.2, only the corporate users are allowed to login").

Knowing an open port and the associated protocol, the hacker can start to look for vulnerabilities.
There are 3 main ways to do that:

  • recognize a specific version displayed in the banner and look for publicly known vulnerabilities associated with this version (based on the CVE database for example)
  • active exploitation: try to run exploits (a program written to exploit a vulnerability) against the target and see which ones succeed
  • read or deduce how the service is configured to discover vulnerabilities due to misconfiguration (most of the time, a service displays its configuration, if not, it is possible to deduce if a specific setting is present or not by trying to call the associated function)

If your question was more about how vulnerabilities are discovered in the first place, that is done more by code audits, bug bounties, whitebox testing, reverse engineering, ... in a controlled environment.
The discovered vulnerabilities are then registered in the CVE database (maintained by MITRE) and become public vulnerabilities, so that everyone can know whether a host is affected by knowing the version it uses.

Glorfindel
Sibwara
    Should mention that they don't always get registered in a public database. Some vulnerabilities are kept and hoarded as zero-days so that they can be used later or sold. Sometimes this is done by government agencies and used as weapons – slebetman Jul 22 '20 at 01:55
  • 1
    I wrote the dedicated article on the French Wikipedia https://fr.wikipedia.org/wiki/Scanner_de_vuln%C3%A9rabilit%C3%A9 but the English version is not well documented – Sibwara Jul 22 '20 at 10:45
  • @Sibwara Thanks for sharing. It's rather rare to come across Wikipedia articles with more content in French than in English. – Gainz Jul 22 '20 at 13:17
  • 1
    @Gainz. You're welcome. But since my complete rebuild of the initial article, many "commercial oriented paragraphs" have been added. It's a bit annoying – Sibwara Jul 22 '20 at 15:34
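As an added example that is not part of the original answer, here is the first of the three approaches above (banner version recognised, then looked up against a vulnerability list) written out as a small Python inventory check of the kind a defender runs over their own hosts. The banners, the `ADVISORIES` table and its `ADV-EXAMPLE-*` ids are all constructed placeholders, not real CVE entries; a real check would consult the CVE database for the same product/version pair.

```python
import re

# Constructed sample banners, keyed by port, as a scanner would record them.
SAMPLE_BANNERS = {
    22: "SSH-2.0-OpenSSH_7.4",
    21: "220 (vsFTPd 3.0.3)",
    80: "Server: Apache/2.4.29 (Ubuntu)",
    25: "220 mail.example.test ESMTP ready",  # discloses no product/version
}

# Constructed advisory table with placeholder ids (not real CVE numbers):
# product -> list of (first affected version, first fixed version, advisory id).
ADVISORIES = {
    "openssh": [((7, 0), (7, 5), "ADV-EXAMPLE-1")],
    "vsftpd": [((2, 0), (3, 0, 3), "ADV-EXAMPLE-2")],
    "apache": [((2, 4, 0), (2, 4, 30), "ADV-EXAMPLE-3")],
}

# One pattern per banner style; each captures a product name and a dotted version.
VERSION = r"(?P<version>\d+(?:\.\d+)*)"
BANNER_PATTERNS = [
    re.compile(r"SSH-\d\.\d-(?P<product>OpenSSH)[_ ]" + VERSION),  # SSH identification string
    re.compile(r"\((?P<product>vsFTPd) " + VERSION + r"\)"),      # FTP greeting
    re.compile(r"Server: (?P<product>[A-Za-z-]+)/" + VERSION),     # HTTP Server header
]

def parse_banner(banner):
    """Return (product, version_tuple) or None when the banner reveals nothing usable."""
    for pattern in BANNER_PATTERNS:
        match = pattern.search(banner)
        if match:
            version = tuple(int(part) for part in match.group("version").split("."))
            return match.group("product").lower(), version
    return None

def matching_advisories(product, version):
    """Advisory ids whose affected range [first_affected, first_fixed) contains the version."""
    return [adv for low, fixed, adv in ADVISORIES.get(product, []) if low <= version < fixed]

def assess(banners):
    """Map each port to (product, version, advisories); unparsed banners are flagged for manual review."""
    report = {}
    for port, banner in banners.items():
        parsed = parse_banner(banner)
        if parsed is None:
            report[port] = ("unknown", None, [])
        else:
            product, version = parsed
            report[port] = (product, version, matching_advisories(product, version))
    return report
```

Because the lookup keys entirely off the banner, a service that hides or alters its banner (a common hardening step) shows up as `unknown` and must be identified another way, which is exactly why the answer lists the other two approaches.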
11

Tools like Metasploit can be used to automate this process. The tool scans the target host for open ports, then attempts to identify the services running on these ports, then attempts to exploit known vulnerabilities in these services.

These tools can also be used to find and exploit vulnerabilities resulting from common mistakes made by developers, such as SQL injection vulnerabilities, XSS vulnerabilities, etc.

mti2935