
Topic: Beginner to hacking; help with open ports needed.


Cyb3rTr1x
« on: January 03, 2012, 04:24:31 PM »
Hello everyone,
I'm currently attempting my first penetration of a website. I have been using tools such as nmap and Metasploit to no real avail. I have scanned the IP of the site and have found the following ports open:
25 -  tcp - smtp
80 -  tcp - http
443 - tcp - https
The OS is Windows.
Now this is where I get stuck. I've looked all over (brute-force, buffer overflows etc.) but I don't know where to start to gain access through these ports or what tools.
Regards,
Cyb3rtr1x

Stackprotector
« Reply #1 on: January 03, 2012, 04:45:58 PM »
Did you do a fingerprint scan on those ports, to see what is actually listening on the port? Use: nmap -sV
~Factionwars

Cyb3rTr1x
« Reply #2 on: January 03, 2012, 05:06:38 PM »
No I don't believe so.
When I run the argument: nmap -sV -T4 -A -v -Pn
I get this for the ports:

Quote
Not shown: 996 filtered ports
PORT     STATE  SERVICE    VERSION
25/tcp   open   smtp       Microsoft ESMTP 6.0.3790.4675
| smtp-commands: cranbrook-10.cranbrook.kent.sch.uk Hello [88.xxx.xxx.13], TURN, SIZE, ETRN, PIPELINING, DSN, ENHANCEDSTATUSCODES, 8bitmime, BINARYMIME, CHUNKING, VRFY, OK
|_ This server supports the following commands: HELO EHLO STARTTLS RCPT DATA RSET MAIL QUIT HELP AUTH TURN ETRN BDAT VRFY
80/tcp   open   http       Microsoft IIS
|_http-methods: No Allow or Public header in OPTIONS response (status code 302)
|_http-title: Did not follow redirect to https://www.xxxxx.co.uk and no page was returned.
443/tcp  open   ssl/http   Microsoft IIS
|_sslv2: server still supports SSLv2
|_http-methods: No Allow or Public header in OPTIONS response (status code 440)
|_http-title: Did not follow redirect to https://www.xxxxxx.xx.xx/CookieAuth.dll?GetLogon?curl=Z2F&reason=0&formdir=3 and no page was returned.
9090/tcp closed zeus-admin

Stackprotector
« Reply #3 on: January 03, 2012, 05:11:12 PM »
L0L, there seems to be a Zeus bot listening on 9090, try http://ip:9090/, it may be fully closed
~Factionwars

Cyb3rTr1x
« Reply #4 on: January 03, 2012, 05:18:44 PM »
Sorry for my lack of knowledge, but what exactly does this Zeus bot do? Is it good or bad?

Stackprotector
« Reply #5 on: January 03, 2012, 05:24:50 PM »
~Factionwars

Cyb3rTr1x
« Reply #6 on: January 03, 2012, 06:17:59 PM »
Okay so what should my next step be?

ande
« Reply #7 on: January 03, 2012, 08:11:09 PM »
Almost deleted this topic, but I guess we don't have much info on this. Perhaps a tutorial is needed.

Nonetheless. Don't think about it as ports, the ports and port numbers are insignificant. What you want to know and do has to do with the software using the ports.

This is a universal task. Once you know what ports are open, you try to figure out what software is using the ports and then you target the software. Ports in themselves are not vulnerable to anything.

Once you know or think you know what software is running, try looking for existing exploits for the software running. If there are none or they are up to date you would want to move on to find exploits/vulnerabilities. However, always go the easiest path. There is no need to sit hours on hours on hours fuzzing or looking at code to find vulnerabilities when there might be a web-application flaw (which is much easier to exploit). That is, unless you are looking for a challenge :P
« Last Edit: January 06, 2012, 07:39:48 PM by ande »
if($statement) { unless(!$statement) { // Very sure } }
https://evilzone.org/?hack=true
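
The point of the reply above (look at the software behind a port, not the port number) applied to `nmap -sV` output, as an added example that is not part of the original thread. The sample scan is constructed from the rows quoted earlier with the host left out, and the function names are this example's own. It separates rows where nmap fingerprinted a listening service from rows where the port is closed and the SERVICE column is only nmap's port-number lookup.

```python
import re

# Constructed sample, modelled on the scan rows quoted in this thread.
SAMPLE_SCAN = """\
Not shown: 996 filtered ports
PORT     STATE  SERVICE    VERSION
25/tcp   open   smtp       Microsoft ESMTP 6.0.3790.4675
80/tcp   open   http       Microsoft IIS
443/tcp  open   ssl/http   Microsoft IIS
|_sslv2: server still supports SSLv2
9090/tcp closed zeus-admin
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
SCRIPT_LINE = re.compile(r"^\|[_ ]?\s*([\w-]+):\s*(.*)$")

def parse_scan(text):
    """Return one dict per port row, with script result lines attached to it."""
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            ports.append({"port": int(port), "proto": proto, "state": state,
                          "service": service, "version": version.strip(), "scripts": {}})
        elif ports and (s := SCRIPT_LINE.match(line)):
            ports[-1]["scripts"][s.group(1)] = s.group(2)
    return ports

def classify(entry):
    """Say how much evidence a row carries about the software on that port."""
    if entry["state"] != "open":
        # Nothing accepted the connection, so -sV had nothing to probe; the
        # SERVICE column is only nmap's port-number-to-name table lookup.
        return "nothing listening (name is a table lookup)"
    if entry["version"]:
        return "fingerprinted: " + entry["version"]
    return "open, software not identified"

def inventory(text):
    return {e["port"]: classify(e) for e in parse_scan(text)}

def config_findings(text):
    """Ports whose script output reports SSLv2, for the owner's fix list."""
    return [e["port"] for e in parse_scan(text) if "sslv2" in e["scripts"]]

if __name__ == "__main__":
    print(inventory(SAMPLE_SCAN))
    print("SSLv2 still enabled on:", config_findings(SAMPLE_SCAN))
```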

Cyb3rTr1x
« Reply #8 on: January 06, 2012, 06:05:54 PM »
Okay, I've done my research and I have the following info on the network of the site:
  • IP
  • Open ports
  • OS
  • MAC Address
  • DNS Server
Now, what can I do with this?
Regards,
Cyb3rtr1x

ande
« Reply #9 on: January 06, 2012, 07:43:57 PM »
I'm sorry mate, but I am not going to answer that. The question, with the information you provided, is going to be so generalized that there's no point. Besides, I already told you in my previous reply.

IP is not important
Open ports are important
OS is not that important (at this point)
MAC is not important
DNS server is not important

neusbeer
« Reply #10 on: January 06, 2012, 08:20:18 PM »
When I've no idea what to do after a good Nmap scan, and am still going blank on the possibilities, I use Retina for Windows.
It holds a large database with known vulnerabilities and links to Metasploit's exploits and/or exploit-db.com links. Very handy (and free of charge!).
This will give a lot of info about the running server. http://www.eeye.com/downloads
(Acunetix is handy for enumerating/listing files.)
It will give you pointers.
Also there's a good Nmap GUI which implements vuln listing (NmapSI4).

--Neusbeer

Cyb3rTr1x
« Reply #11 on: January 06, 2012, 08:45:28 PM »
Thank you for the help, I will get on it straight away!

imation
« Reply #12 on: January 12, 2012, 09:32:32 AM »
I agree with Ande on this one,
 
OP = Read a lot more, get some books, watch YouTube vids etc..... Look at "IIS"
 
LOL at the Zeus port...
 
cranbrook-10.cranbrook.kent.sch.uk
 
https://portal.cranbrook.kent.sch.uk/INSIGHT/secure.aspx?ReturnUrl=%2fInsight%2f

neusbeer
« Reply #13 on: January 12, 2012, 04:16:05 PM »
Which version of IIS is running?


You can try:
http://www.goitworld.com/microsoft-iis-60-webdav-remote-authentication-bypass-exploit-php/

Microsoft IIS <= 5.1 Hit Highlighting Authentication Bypass Exploit
http://www.exploit-db.com/exploits/4016/
(This one works. Tried it this week actually on an old webserver.)
--Neusbeer

 


