concept public exploit database in category security

appears as: public exploit databases, public exploit database
The Art of Network Penetration Testing MEAP V09

This is an excerpt from Manning's book The Art of Network Penetration Testing MEAP V09.

Depending on the particular service configuration, the banner may reveal loads of information, some of which could be useful to you as an attacker. At a minimum, you want to know what protocol the server is running, be it FTP, HTTP, RDP, or something else. You also want to know the name and, if visible, the exact version of the software listening on that port. This information is critical because it allows you to search public exploit databases such as https://www.exploit-db.com for known attack vectors and security weaknesses for that particular software version. Here is an example of a service banner contained within the headers of an HTTP request using the curl command. Run the following command, and be aware that raditz.capsulecorp.local could easily be replaced with an IP address:

Figure 4.2 Searching the public exploit database for “Apache Tomcat 7”

In the next chapter you’ll see just how useful these Windows account password hashes can be for gaining access to additional systems, systems that I like to refer to as level-two targets because they were not accessible before, as the vulnerability discovery phase didn’t yield any low-hanging fruit for that specific host. In my experience, once you get to level two on an INPT, it’s not long before you can take over the entire network. Before wrapping up this chapter, I want to briefly cover the public exploit database, which is another useful resource outside of the Metasploit framework where you can sometimes find working exploits to compromise targets in your engagement scope.
