LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 03-02-2011, 03:07 PM   #1
GeorgesXS
LQ Newbie
 
Registered: Mar 2011
Posts: 7

Rep: Reputation: 0
bt4


hi there,

I'm a newbie interested in linux security and IT security in general. I'm trying to use metasploit with bt4 for educational purposes, and I have two questions:
- I have some very basic knowledge about the ip protocol and ip addresses, but there's something I don't really understand. In case I want to access a computer over the internet rather than the local network, which ip address should be set (with set RHOST, if I understood correctly): the ip of the victim (his network card's ip address), or the ip that appears when he goes to a website (which I guess is his isp's ip address)? The thing that confuses me is that I think I should use the latter, but then wouldn't I be accessing the isp router rather than the victim's computer?
- The other thing I didn't figure out is whether it is possible to automate a search on the victim to know what his vulnerabilities are, rather than having to try all exploits one by one by hand?


thx.
 
Old 03-02-2011, 03:11 PM   #2
szboardstretcher
Senior Member
 
Registered: Aug 2006
Location: Detroit, MI
Distribution: GNU/Linux systemd
Posts: 4,278

Rep: Reputation: 1694
Removing my reply -- unsure if OP was breaking rules

Last edited by szboardstretcher; 03-02-2011 at 03:15 PM.
 
Old 03-02-2011, 03:12 PM   #3
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422
Seriously, you might try reading the LQ rules you agreed to when you signed up. Particularly:

Quote:
Posts containing information about cracking, piracy, warez, fraud or any topic that could be damaging to either LinuxQuestions.org or any third party will be immediately removed.
While you read that a few times, you might also consider the novel idea that security and cracking are two rather different things.
 
Old 03-02-2011, 03:25 PM   #4
GeorgesXS
LQ Newbie
 
Registered: Mar 2011
Posts: 7

Original Poster
Rep: Reputation: 0
Oh I'm really sorry, I didn't know I couldn't ask a question about this here.
It's just that I didn't find an official forum about bt4 and metasploit, so it seemed to me quite natural to come here, a linux forum. bt4 is just a linux distribution, it's not illegal, nor is the software that is on it as far as I know. I was just asking for further information about that.
My post isn't about cracking, piracy, warez, fraud or anything like that, I'm just a newbie and I hardly think that professional hackers would come here to find information about that. I was merely curious.
Actually my first question isn't even about bt4 at all when you read it carefully, it's just about the three-way handshake of the ip protocol, which I am beginning to understand in the local area network but I still don't understand how it works in the internet world.

Last edited by GeorgesXS; 03-02-2011 at 03:27 PM.
 
Old 03-02-2011, 03:39 PM   #5
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422
If you really want to start learning about security, start looking at some of the references that are collected in the sticky at the top of this forum. And you're right, BT isn't illegal, but if you do start looking at those references, you'll see that penetration testing actually makes up a pretty small part of the security world. In my opinion, penetration testing is absolutely useless unless it is done in the context of an overall security plan.


As for your network question, the answer is it kind of depends. If the IP address of the remote site is routable, then you can access it directly. However, if the address is non-routable, like you find on most home LANs, then no, you can't access it using the IP address. For example, the server my site is on has an IP address in the 192.168 range which you couldn't use to see the site because that range is non-routable. The only reason you can see it is because there is a router that knows what to do with HTTP traffic that does understand that IP address.
 
Old 03-02-2011, 03:58 PM   #6
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781
As part of an overall security assessment of your own system, you can use some standard tools, such as nmap and openvas. This will tell you what ports, IP addresses, services, and identification strings you are exposing to the world.

Hangdog42 is correct. Pen testing is a small part of a comprehensive security and hardening system. It is a step that should be performed after you have applied a number of other intrusion prevention and detection methods. What pen testing will tell you is, if someone were to get past your initial defenses, how far into your system they will be able to get. Unfortunately, this is a question that most people and companies cannot answer, and knowing the answer to this could be crucial.

From a defensive standpoint, your best defense is to secure your exposed systems as much as you can. Do not open ports and services you don't need. Do not have advertising banners that display what software you are running and version levels unless you need to. Keep your programs patched and up to date. >> 90% of what these pen testing tools will make use of is out of date software, so avoid that condition to the extent possible.

Unfortunately, from time to time zero-day exploits do crop up. For example, there was one recently discussed regarding exim. Pen testing won't tell you much, if anything, about those.
 
Old 03-02-2011, 04:05 PM   #7
GeorgesXS
LQ Newbie
 
Registered: Mar 2011
Posts: 7

Original Poster
Rep: Reputation: 0
Thanks for your answer, I will definitely look into the references you mentioned.

From a quick googling, I can see that routable ip addresses are class A reserved space 10.0.0.0/8, class B reserved space 172.16.0.0/12, class C reserved space 192.168.0.0/16, class E reserved for research 240.0.0.0. Is that what you were talking about? I thought ip classes were not used anymore?

So if I understand your answer correctly, if I want to access a computer over the net, I should use the ip of its isp network card, rather than the one found in ifconfig, which usually starts in 192.168 and is therefore non-routable. But then, as far as metasploit is concerned, wouldn't I be trying to access the router of the isp rather than the victim's machine?
This really confuses me, I'm new at network computing and I don't really understand much. Now that I come to think of it, what would happen if several computers are using the same isp subscription? When the isp router receives an answer from a website, how does it know which computer it is intended for if all that's mentioned is the ip of the isp, which is the same for all the computers in the same subscription? This is really newbie stuff, I'm sorry to ask such stupid questions, but I'd really like to understand a bit how this internet works.

Could you please also try to answer the second question? I know one answer would be to make a script, but that's not what I'm talking about, I don't want to use it, it's just for educational purposes. I would just like to know if it is a native option that is given with the package. I do understand, as it is said in the tutorials I'm reading, that the only way to be sure whether a vulnerability is there is to try it, but I was wondering if it is possible to have a list of 'possible' vulnerabilities, rather than just the OS that is given by nmap.

Thank you very much.
 
Old 03-02-2011, 04:25 PM   #8
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781
You are correct, that internet classes are not used anymore. Instead, it uses a modified version called CIDR - classless inter-domain routing. It is essentially IP address and mask. In those terms, the address ranges you mention are RFC-1918 addresses, which means that they are private and not route-capable on public networks. A router performs NAT, network address translation, which allows multiple machines with unique private (LAN) addresses to share a common public IP address. It does this by proxying outbound connections on a port to a desired host and keeps track of the connections. For example, let's say you have two PCs 192.168.0.2 and 0.3. 0.2 connects to google and your router, which has public IP a.b.c.d, will proxy your 192.168.0.2 to your public IP address a.b.c.d on a port, say port 5000. So google gets a connection from a.b.c.d:5000 to its port 80. Then at the same time .3 wants to connect to google, so your router establishes a connection from a.b.c.d:5001 to google port 80. When the response comes back, your router knows where to send the data based on the response port 5000 or 5001.

The cousin of this is called port forwarding and is a technique that is used to allow you to run server features, such as a web server, on your private network. You can say I want all traffic inbound to port 80 to go to this LAN IP. So, the public connects to you at your a.b.c.d address and this in turn gets proxied to your 192.168.0.2 machine on port 80. All behind the scenes.

When penetration testing comes into play is if someone were able to take control of your router, they would then be able to see and potentially access all of the machines that are behind it. Unfortunately, this sort of thing does happen. People mistakenly leave the command ports on their routers open, there are known exploits for some routers, etc., and a protocol called UPnP has been known to expose quite a few people. When this happens, they would have access to the internal LAN systems that they otherwise would not be able to directly access.

This is why it is important to take a holistic approach to securing your entire network and all the machines on it. You can't put a router out there and say, "I'm protected."
 
1 members found this post helpful.
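To make the routable/non-routable distinction from Hangdog42's reply and the NAT and port-forwarding walkthrough in Noway2's reply concrete, here is an added example (not code from any poster) that classifies RFC 1918 addresses and models the router's translation table; the public address 203.0.113.7 and the ports are constructed sample values.

```python
import ipaddress
from itertools import count

# The three RFC 1918 private ranges: usable on a LAN, never routed on the public internet.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr):
    """True if addr falls inside an RFC 1918 private range (a non-routable LAN address)."""
    a = ipaddress.ip_address(addr)
    return any(a in net for net in RFC1918)

class Nat:
    """Toy source-NAT table, as described in the thread: each outbound LAN flow is given
    its own public port, and the reply port tells the router which LAN host gets the answer.
    Constructed for illustration; real routers also key on protocol and destination."""
    def __init__(self, public_ip, first_port=5000):
        self.public_ip = public_ip
        self.ports = count(first_port)   # next free public port to hand out
        self.outbound = {}               # (lan_ip, lan_port) -> public_port
        self.inbound = {}                # public_port -> (lan_ip, lan_port)
        self.forwards = {}               # static port-forward rules: public_port -> (lan_ip, lan_port)

    def forward(self, public_port, lan_ip, lan_port):
        """Port forwarding: expose one LAN service on a public port (e.g. a web server on 80)."""
        self.forwards[public_port] = (lan_ip, lan_port)

    def translate_out(self, lan_ip, lan_port):
        """Rewrite the source of an outbound packet; an existing flow keeps its mapping."""
        if not is_rfc1918(lan_ip):
            return (lan_ip, lan_port)    # already a public address, nothing to translate
        key = (lan_ip, lan_port)
        if key not in self.outbound:
            p = next(self.ports)
            self.outbound[key] = p
            self.inbound[p] = key
        return (self.public_ip, self.outbound[key])

    def translate_in(self, public_port):
        """Deliver a packet arriving at public_ip:public_port. None means the router drops it:
        unsolicited inbound traffic only gets through a static port-forward rule."""
        if public_port in self.inbound:
            return self.inbound[public_port]
        return self.forwards.get(public_port)

if __name__ == "__main__":
    nat = Nat("203.0.113.7")
    print(nat.translate_out("192.168.0.2", 40000))   # first PC -> public port 5000
    print(nat.translate_out("192.168.0.3", 40000))   # second PC -> public port 5001
    print(nat.translate_in(5001))                     # reply on 5001 goes back to .3
    print(nat.translate_in(80))                       # no forward rule: dropped
```

The last lookup is the defensive point of the thread: a host behind NAT is reachable from outside only for flows it opened itself or for ports the router owner deliberately forwarded, which is why the router's own configuration (open admin ports, UPnP) matters so much.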
Old 03-02-2011, 04:41 PM   #9
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422
Quote:
Originally Posted by GeorgesXS
Could you please also try to answer the second question? I know one answer would be to make a script, but that's not what I'm talking about, I don't want to use it, it's just for educational purposes.
The problem is that of your two original questions, the second one is probably the one that most clearly bends/breaks the rules. You've got to understand that we have absolutely no way of verifying your intentions to practice only on machines you own. And even if we could, this is a public forum, and giving you help in doing this will also be aiding people with much more unsavory intentions. There are forums out there that do discuss these things in great detail, just not this one.
 
Old 03-02-2011, 04:42 PM   #10
GeorgesXS
LQ Newbie
 
Registered: Mar 2011
Posts: 7

Original Poster
Rep: Reputation: 0
Thanks a lot for this very instructive answer. I thought that when I used the web, I was using my port 80, but if I understood you correctly, I am using a random port, and it's the server whose port is 80 ?

From what I saw in some youtube videos, some people seemed to manage to access someone else's computer, let's say a windows machine. But how can that be if the isp router is in the way? Is it possible to get a connection to someone on the internet directly, without passing by the isp router? I mean, is there another internet connection scheme that does not have an isp router, or does a basic adsl connection always go through a router?
 
Old 03-02-2011, 04:45 PM   #11
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by GeorgesXS View Post
is possible to automate a search on the victim to know what his vulnerabilities are, rather than having to try all exploits one by one by hand ?
As stated before, "educational", "I'm not using it" or not, this violates the LQ Rules: thread closed. Thanks for understanding & not pushing the issue.
 
All times are GMT -5.