Let's start simple with a listing of someone trying different keys to get into a server on port 23 (DPT is the destination port).

root@localhost:~# tail /var/log/ufw.log -f

May 11 15:38:25 localhost kernel: [UFW BLOCK] IN=eth0 OUT= MAC=f2:3c:91:70:48:cc:84:78:ac:0d:a6:41:08:00 SRC=1.182.64.189 DST=198.74.51.236 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=54573 DF PROTO=TCP SPT=32929 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0

May 11 15:38:28 localhost kernel: [UFW BLOCK] IN=eth0 OUT= MAC=f2:3c:91:70:48:cc:84:78:ac:0d:a6:41:08:00 SRC=1.182.64.189 DST=198.74.51.236 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=54574 DF PROTO=TCP SPT=32929 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0

May 11 15:38:34 localhost kernel: [UFW BLOCK] IN=eth0 OUT= MAC=f2:3c:91:70:48:cc:84:78:ac:0d:a6:41:08:00 SRC=1.182.64.189 DST=198.74.51.236 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=54575 DF PROTO=TCP SPT=32929 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0

In the three entries above, note that DPT is port 23, a non-standard port that is closed and correctly blocked by UFW (Uncomplicated Firewall). They all originate from the fake IP address 1.182.64.189, and they are all sent from source port (SPT) 32929. There are three and only three tries because fail2ban is installed and blocks over 5 tries.

This next example is a port scan. He is working his way through the server looking for open ports. Here is the log:

root@localhost:~# tail /var/log/ufw.log -f

May 11 15:41:44 localhost kernel: [UFW BLOCK] IN=eth0 OUT= MAC=f2:3c:91:70:48:cc:84:78:ac:0d:a6:41:08:00 SRC=222.186.21.202 DST=198.74.51.236 LEN=40 TOS=0x00 PREC=0x00 TTL=106 ID=256 PROTO=TCP SPT=6000 DPT=5901 WINDOW=16384 RES=0x00 SYN URGP=0

May 11 15:42:12 localhost kernel: [UFW BLOCK] IN=eth0 OUT= MAC=f2:3c:91:70:48:cc:84:78:ac:0d:a6:41:08:00 SRC=222.186.21.202 DST=198.74.51.236 LEN=40 TOS=0x00 PREC=0x00 TTL=105 ID=256 PROTO=TCP SPT=6000 DPT=5902 WINDOW=16384 RES=0x00 SYN URGP=0

May 11 15:42:24 localhost kernel: [UFW BLOCK] IN=eth0 OUT= MAC=f2:3c:91:70:48:cc:84:78:ac:0d:a6:41:08:00 SRC=222.186.21.202 DST=198.74.51.236 LEN=40 TOS=0x00 PREC=0x00 TTL=105 ID=256 PROTO=TCP SPT=6000 DPT=5903 WINDOW=16384 RES=0x00 SYN URGP=0

Note the climbing destination ports (DPT): 5901, 5902, 5903.

Then he stops, but he will return and keep mapping his way through the ports until he has a full picture of the server. Studying the server is the first step.
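As an added example (not part of the original page), here is a short Python script that parses lines in the UFW log format shown above and labels each source address by the pattern it shows: repeated hits on a single port, like the port 23 entries, or a climbing sequence of ports, like the 5901-5903 sweep. The sample input is the six entries quoted above, embedded so it runs offline; the thresholds are assumptions, not UFW or fail2ban settings.

```python
import re
from collections import defaultdict

# Sample input: the six [UFW BLOCK] entries quoted above, embedded so the script runs offline.
SAMPLE_LOG = """\
May 11 15:38:25 localhost kernel: [UFW BLOCK] IN=eth0 OUT= MAC=f2:3c:91:70:48:cc:84:78:ac:0d:a6:41:08:00 SRC=1.182.64.189 DST=198.74.51.236 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=54573 DF PROTO=TCP SPT=32929 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
May 11 15:38:28 localhost kernel: [UFW BLOCK] IN=eth0 OUT= MAC=f2:3c:91:70:48:cc:84:78:ac:0d:a6:41:08:00 SRC=1.182.64.189 DST=198.74.51.236 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=54574 DF PROTO=TCP SPT=32929 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
May 11 15:38:34 localhost kernel: [UFW BLOCK] IN=eth0 OUT= MAC=f2:3c:91:70:48:cc:84:78:ac:0d:a6:41:08:00 SRC=1.182.64.189 DST=198.74.51.236 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=54575 DF PROTO=TCP SPT=32929 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
May 11 15:41:44 localhost kernel: [UFW BLOCK] IN=eth0 OUT= MAC=f2:3c:91:70:48:cc:84:78:ac:0d:a6:41:08:00 SRC=222.186.21.202 DST=198.74.51.236 LEN=40 TOS=0x00 PREC=0x00 TTL=106 ID=256 PROTO=TCP SPT=6000 DPT=5901 WINDOW=16384 RES=0x00 SYN URGP=0
May 11 15:42:12 localhost kernel: [UFW BLOCK] IN=eth0 OUT= MAC=f2:3c:91:70:48:cc:84:78:ac:0d:a6:41:08:00 SRC=222.186.21.202 DST=198.74.51.236 LEN=40 TOS=0x00 PREC=0x00 TTL=105 ID=256 PROTO=TCP SPT=6000 DPT=5902 WINDOW=16384 RES=0x00 SYN URGP=0
May 11 15:42:24 localhost kernel: [UFW BLOCK] IN=eth0 OUT= MAC=f2:3c:91:70:48:cc:84:78:ac:0d:a6:41:08:00 SRC=222.186.21.202 DST=198.74.51.236 LEN=40 TOS=0x00 PREC=0x00 TTL=105 ID=256 PROTO=TCP SPT=6000 DPT=5903 WINDOW=16384 RES=0x00 SYN URGP=0
"""

# One kernel/UFW line: the action in brackets, then the key=value fields we care about.
# The MAC field contains ':' and the ID field may be followed by "DF", so match lazily between fields.
UFW_RE = re.compile(
    r"\[UFW (?P<action>[A-Z]+)\].*?\bSRC=(?P<src>\S+)\s+DST=(?P<dst>\S+)"
    r".*?\bPROTO=(?P<proto>\S+)\s+SPT=(?P<spt>\d+)\s+DPT=(?P<dpt>\d+)"
)

def parse_ufw_line(line):
    """Return a dict of the interesting fields for one UFW line, or None if it is not one."""
    m = UFW_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["spt"], rec["dpt"] = int(rec["spt"]), int(rec["dpt"])
    return rec

def classify_sources(log_text, repeat_threshold=3):
    """Group blocked packets by SRC and label the pattern each source shows (thresholds are assumed)."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_ufw_line(line)
        if rec and rec["action"] == "BLOCK":
            by_src[rec["src"]].append(rec["dpt"])
    findings = {}
    for src, dpts in by_src.items():
        distinct = sorted(set(dpts))
        if len(distinct) == 1 and len(dpts) >= repeat_threshold:
            # same source hitting the same closed port again and again: the port 23 case above
            findings[src] = f"repeated attempts on port {distinct[0]} ({len(dpts)} hits)"
        elif len(distinct) >= 3 and all(b - a == 1 for a, b in zip(distinct, distinct[1:])):
            # strictly climbing destination ports: the 5901, 5902, 5903 sweep above
            findings[src] = f"sequential port sweep {distinct[0]}-{distinct[-1]}"
        elif len(distinct) >= 3:
            findings[src] = f"probe of {len(distinct)} distinct ports"
    return findings

if __name__ == "__main__":
    for src, what in classify_sources(SAMPLE_LOG).items():
        print(f"{src}: {what}")
```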
