Dropbox 17 – Dropbox Server (Hardening)

We’ve been hardening as we go, so there really wasn’t much to do here in the first iteration, when I was using Kali 2016.1. By default rpcbind was listening on all interfaces on port 111, so I ran the following commands to stop it and keep it from starting at boot.

systemctl stop rpcbind.service
systemctl disable rpcbind.service

Now there’s even less to do, as rpcbind appears to be disabled by default in the 2016.2 release. A review of listening TCP sockets shows only the services we’ve deliberately enabled, all bound to localhost, even without running the commands above.

netstat -plnt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:22 0.0.0.0:* LISTEN 670/sshd
tcp 0 0 127.0.0.1:3128 0.0.0.0:* LISTEN 794/(squid-1)
tcp 0 0 127.0.0.1:5901 0.0.0.0:* LISTEN 762/Xtightvnc

We can verify this from the outside by scanning from the Raspberry Pi I’ve been using as a test outbound proxy server.

pi@raspberrypi:~ $ nmap -p- 192.168.1.253
Starting Nmap 6.47 ( http://nmap.org ) at 2016-09-14 18:19 UTC
Nmap scan report for 192.168.1.253
Host is up (0.00087s latency).
All 65535 scanned ports on 192.168.1.253 are closed

Squid does open a high-numbered UDP port, bound to all interfaces, for its internal DNS resolver. The nmap scan above is TCP-only, so it doesn’t show this; a UDP scan (nmap -sU) from the Pi would flag it, typically as open|filtered since Squid won’t answer a junk probe.

netstat -plnu
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
udp 0 0 0.0.0.0:36778 0.0.0.0:* 794/(squid-1)
udp 0 0 0.0.0.0:68 0.0.0.0:* 1212/dhclient
udp6 0 0 :::51863 :::* 794/(squid-1)

According to the following article it should be possible to change the address binding (http://linuxplayer.org/2012/02/why-squid-listen-on-high-udp-port-number). One caveat before trying it: a UDP socket bound to 127.0.0.1 can only talk to resolvers on the box itself, so binding it to loopback only works if a local resolver is in front of the upstream DNS. I may test the effect of this modification on proxied web application tests sometime in the future, but for now I have left the default configuration intact.
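The two listings above are the kind of thing worth re-checking every time a service is added to the box, so here is a small audit script. It is an added example, not from the original post: a POSIX shell function set that reads netstat -plnt / -plnu style output from stdin, prints every socket whose local address is not loopback, and drops anything on an allowlist of expected exposures. The sample listing embedded in it is the netstat output from this post, pasted in so the script runs offline; the ALLOWED list (dhclient, which has to bind 0.0.0.0:68 to receive DHCP offers) is an assumption made for the example, not a recommendation from the post.

```shell
#!/bin/sh
# Constructed sample: the netstat -plnt and -plnu listings from this post, merged.
# On a live box pipe real output instead:  netstat -plntu | unexpected_listeners
SAMPLE_LISTENERS='tcp 0 0 127.0.0.1:22 0.0.0.0:* LISTEN 670/sshd
tcp 0 0 127.0.0.1:3128 0.0.0.0:* LISTEN 794/(squid-1)
tcp 0 0 127.0.0.1:5901 0.0.0.0:* LISTEN 762/Xtightvnc
udp 0 0 0.0.0.0:36778 0.0.0.0:* 794/(squid-1)
udp 0 0 0.0.0.0:68 0.0.0.0:* 1212/dhclient
udp6 0 0 :::51863 :::* 794/(squid-1)'

# Program names whose non-loopback sockets are expected on this box.
# Assumption for this example: only the DHCP client is allowed to listen on 0.0.0.0.
ALLOWED='dhclient'

# exposed_listeners: read netstat-style lines on stdin and print
# "proto local_address pid/program" for every socket not bound to loopback.
# Header lines are skipped because their first field is not tcp/udp.
exposed_listeners() {
    awk '
        $1 ~ /^(tcp|udp)6?$/ {
            addr = $4
            host = addr
            sub(/:[^:]*$/, "", host)          # drop the port after the last ":"
            if (host ~ /^127\./ || host == "::1") next
            print $1, addr, $NF               # PID/Program name is always the last field
        }'
}

# unexpected_listeners: exposed_listeners minus anything in $ALLOWED.
unexpected_listeners() {
    exposed_listeners | awk -v allowed="$ALLOWED" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        {
            prog = $3
            sub(/^[0-9]+\//, "", prog)        # "794/(squid-1)" -> "(squid-1)"
            if (!(prog in ok)) print
        }'
}

# listeners_ok: succeed only when nothing unexpected is exposed (useful from cron).
listeners_ok() {
    [ "$(unexpected_listeners | wc -l | tr -d ' ')" -eq 0 ]
}

# Demo on the constructed sample: reports the two Squid DNS sockets, not dhclient.
printf '%s\n' "$SAMPLE_LISTENERS" | unexpected_listeners
```

Run against real output with `netstat -plntu | unexpected_listeners`; the script only parses the netstat column layout, so `ss` output would need its local-address column index adjusted.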

We could go a step further and block ICMP or filter inbound traffic to the Dropbox Server, but we don’t want to make things overly difficult for ourselves either. This is a penetration testing device, after all, and at some point we’ll want it to perform ARP spoofing, accept reverse shells, and so on, each of which would need its own exception in a restrictive inbound filter.

OK, now to set up our Dropbox Client and start controlling the Dropbox Server remotely, or as I like to call it, “How to perform an internal penetration test from <INSERT FAVORITE COFFEE SHOP/PUB HERE>”.
