- 560.2
- Day2: Scanning
- announcements
- hack lab thursday night
- paul dot com webcast
- core security tools to try
- coming today
- NMAP
- enum users
- netcat
- 7 exercises
- goal of scanning
- are target hosts alive?
- network topology
- identify OS
- open ports and services
- potential vulns
- minimize risk of impairing host or service
- scan types
- ICMP scan
- if system does not respond to ICMP, tools may miss
- network sweep: what IPs are alive
- network tracing
- port scans
- IPS may shun you
- os fingerprint
- possible proxy device
- tcp/ip obfuscation
- version scan
- banners may lie
- vuln scan
- scan by IP not name
- round robin DNS
- load sharing
- content services switch
- but, webserver may refuse to talk
- GET request does not contain name
- very large scans
- 65536 ports * number of hosts
nc -l -p 70000
- impossible, need workaround
- limit scope
- select a subset of targets
- look for most interesting ports only, some subset
- review firewall ruleset
- implied rules
- Checkpoint top 10 helpdesk requests
- Why doesn't DNS work from DMZ?
- So GUI automatically opens ports from DMZ
- ruleset customer gives you may be out of date
- speed up
- NMAP retries if it does not get any response to a SYN
- separate sender and listener
- sender sends many SYNs
- listener listens for responses
- can overwhelm pipes
- increase number of scanning machines
- lower timeouts
- sniff while scanning
- just to display activity
- not to capture full packets
- use tcpdump
- filter by host or net you are scanning
- network sweeping
- people filter PINGs and PONGs
- "steelpost security"
- Ranum and Schneier
- other ICMP requests might still work
- angryip
-
- tcp portscan
- MAC addresses if same subnet
- NETBIOS info
- icmpquery
- linux c code
- ubuntu package available now?
-
- sends ICMP type 13 and type 17 messages
- see slide 21
- hping
- about
- hping3 supports TCL
- read the manpages
- can be used to alarm on services that die
- send icmp, udp, rawip, tcp
- simple syntax to set control bits (syn, ack, rst, urg, psh, ack)
- target selection
- not as granular as NMAP allows
- --rand-dest 10.10.10.x
- makes a lot of noise: does incident reponse occur?
- --spoof [ip] [ip]
- port selection
- --destport 6666
- --destport +6666
- --destport ++6666
- --scan [portrange | list]
scan a /24 for 21, 23, when a new system is being installed, compromise it immediately before patching
- --baseport 666
- src port to start with, then increment
- --keep
- can emulate known worm activity
- UDP to 1434
- --count
- --beep when packet is received
- good when checking when system goes down
- --data N
- length of payload
- payload is XXXXX if no file specified
- --file {name}
- send the file contents
- must also use --data
- speed
tcpdump and hping exercise- slides 32 - 40
- LAND attack
- hping3 -c 1 --syn -p 80 -s 80 -k --spoof 10.10.10.20 10.10.10.20
morning break
- network tracing
- map between you and them
- lawful intercept
- avoid traversing certain countries like Germany?
- determine topology
- multiple gateways?
- traceroute
- the TTL value
- originally an actual timer value
- decremented by each router
- if TTL reaches 0
- you get ICMP TTL exceeded
- rtr IP
- sometime rtr name too
- Linux/Unix
- use UDP
- port 33434++
- -I option to use ICMP
- -p 6666 to specify baseport
- Windows
- use ICMP echo request
- -w 4000 is default: 4 second timeout
- LFT Layer Four Traceroute
-
- *nix
- uses tcp, udp, ICMP echo request
- try tcp 80
- 3d traceroute
- Windows
-
- Graphical output, updated in real time
- web-based traceroute services
- see if you are being shunned
-
- www.kloth.net
- www.net.cmu.edu/etc...
-
- portscanning
- TCP vs. UDP
- TCP
- UAPRSF
- rfc3148 congestion control bits
- TCP ports
- syn, syn-ack
- port is open
- syn, rst-ack
- port is closed
- syn, ICMP port unreachable
- probably blocked
- TCP would not respond this way
- nmap says "filtered"
- syn, {nothing}
- nmap says "filtered"
- many more closed than open ports
- if no response to SYN, scan takes a long time
- UDP
- very basic header structure
- scanning is slower, less reliable
- udp, udp
- open
- udp, ICMP port unreachable
- closed
- udp, {nothing}
- open|filtered
- blocked by firewall on way in our way out, or port closed, or port listening but not responding to YOU
- NMAP
fyodor- www.insecure.org
- options
- --packet-trace
- runtime interaction
- p = turn on tracing
- v = increase verbosity
- d = increase debug
- with shift = invert meaning of above commands
- timing options
- be tactical at beginning of pentest
- scan for basic ports only
- avoid IDS detection
- many IDS set threshold to nmap's "normal"
- -T sneaky, etc.
- --host-timeout
- --max-rtt-timeout
- - and _ are equivalent
- --initial-rtt-timeout
- --scan-delay
- detect honeypot
- often does not respond to first ARP request
- NMAP will not scan if ARP is slow
- --send-ip
- forces NMAP to scan even if ARP is slow
- ping sweep options
- -P0 or -PN
- -PS80
- send SYN to port 80
- others
- --traceroute
- does it backwards
- send one probe, estimate the delta from an expected TTL (255, 128, 64)
- make TTL count down from that estimate, not up from 0
- for subsequent targets, NMAP stops trace when hits a known closer router
- allows us to traceroute large subnets very quickly
- zenmap
- good for screencaptures for reports
- does not scan all ports by default
- low: 1-1024
- well known (about 1700 in nmap-services file)
- -F to only use nmap-services file
- types
- connect scan
- NMAP will do 3-way, then RST
- SYN scan
- will close half-open with RST
- ACK scan
- gets through stateless filtering
- worthless for portscanning since RST is always the response
- other
- fin
- null
- all flags 0
- xmas
- all flags 1
- maimon
- fin and ack
- for identifying BSD
- custom control bits
- --scanflags URG|ACK|etc.
- FTP bounce
- send data to FTP server
- FTP server forwards it to victims
- often printers will do this
- UDP scans
- a lot slower
- always use --reason flag
- --badsum
- for getting past firewalls or identifying what firewall is there
- end system will reject and silently drop
- some firewalls and IPS may send RST or ICMP port unreachable
- insertion attack: endsystem drops but IDS may not
- send a FIN with invalid checksum
- IDS obeys and drops connection since checksum ignored
- target sees invalid checksum, ignores packet
- next packet completes the attack
- on same connection
- gets to endsystem
- IDS starts new connection for it, misses attack
- NMAP exercise slide 89
- Lunch break
- NMAP OS fingerprinting
- first generation
- prior to 4.51
- been around a while, so lots of fingerprints
- -O1 will invoke
- second generation
- 30 methods
- a lot of math involved
- how were sequence numbers generated?
- etc.
- see slide 94
- fidelity improved over first generation
- OS
- even OS version sometimes
- needs fingerprints sent to fyodor still
- Version scanning
- identifying service versions
- checks the standard port as in nmap-services file
- -sV (or -A, which also includes -O and fires up all the scripts)
- basic stimulus and response, not interactive with the service
- NSE (scripting engine) extends the idea and interacts with service
- THC Amap
- http://freeworld.thc.org/thc-amap
- precursor to nmap
- run to get second opinion to NMAP
- can read NMAP output file
- p0f
- Bill Stearns (SANS)
- Exercise: NMAP scan with OS fingerprinting
- slides 101-112
- Vuln scanning
- manual method
- have NMAP check software versions
- then, for each open port, look for known vulns on Internet
- CERT, etc.
- remember: go to Sourceforge project page and look for bugs
- NMAP and AMAP are limited: only stimulus/response
- NMAP scripting engine (NSE)
- written in LUA
- designed for World of Warcraft
- easy to learn scripting language
- powerful
- www.lua.org
- interact
- many uses
- nmap -sC [target] -p [ports]
- runs all applicable scripts
- nmap --script{sfwrf} [target] -p [ports]
- runs one script
- does portscan first to see if target service is available
- script categories
- safe
- intrusive
- may leave logs
- may guess passwords
- may have other impact
- malware
- version
- discovery
- autograb robots.txt
- auto enum users
- vulnerability
- examples
- anon logins FTP?
- DNS AXFR?
- SMTP relay?
- /usr/share/nmap/scripts
- script.db contains inventory
- grep for categories to see what is there
- NSE engine exercise slide 122
- nmap -n -sC --script=robots.nse {ip range} -p 80
- nmap -n -sVC --script=SSHv1-support.nse {ip}
- version scan needed to spot off ports running SSH
- nmap -n -sC --script=nbtstat.nse {ip}
- Nessus
- now completely commercial, closed-source
- check the other commercial and free packages too
- qualys
- eeye retina
- updating plugins
- do it manually
- "evilgrade ISR"
- beware of auto-updating software
- DNS cache poisoning
- java, qt, mac osx goes to evilgrade server
- gets critical security patch
- installs it
- you are backdoored!
- notepad++
- nessus-update-plugins
- Problem: if you have changed public IP, it needs to be re-registered
- report plugin version to customer, in report
- all plugins enabled will crash most systems
- use credentialled scan if possible
- if cust's nessus automatically uses authentication over SMB
- use smbrelay on metaqsploit
- wait until nessus sends userid and passwordhash
- metasploit pivots and authenticates back
- this attack also works on regular users or admins
- use "SMB use host SID to enum local users"
- if null sessions are restricted
- enum won't work
- so use this
- tip: output reports in every possible format to share with customer as needed
- nessus exercise slide 140
- grep -r -m 1 ACT_DENIAL /usr/local/lib/nessus/plugins
- to find dangerous plugins
- afternoon break
- others
- saint
- saintcorporation.com
- eeye retina
- qualys
- core impact
- coresecurity.com
- lumension
- sensepost
- Sara
- see slide 152
- languard GFI
- on Backtrack
- free
BiDiBLAH- commercial tool
- sensepost.com
- steps through and ties together many open source tools
- uses Kaminsky scanrand technique (separate scanners and listeners)
- you supply Nessus and Metasploit for it to use
- Enumerating users
- corp phone directory
- unix
- $ cat /etc/passwd
- $ finger
- $ w
- or $ watch w
- windows
- went out of their way to make it easy
- null session
- works if file and print sharing is on
- net use \\1.2.3.4 "" /u:""
- on windows 2000, the default is to allow null sessions
- on windows 2003, XP, Vista, not the default
- MS did not turn off null sessions
- just restricted what they can access
- enum
- enum -U 1.2.3.4
- enum -G 1.2.3.4
- winfingerprint
- by Vacuum
- the SID
- S-x-y-domain/computer-RID
- admin's RID is always 500
- guest is 501
- users are 1000++
- lookupaccountSID API
- allows anon user via null session to convert SID to username, from across network
- different from lookupaccountname API, which converts username to SID
- not prevented by RestrictAnonymous and RestrictAnonmousSam keys
- prevented by:
- edit local security policy using secpol.msc
- Local Policies
- Security Options
- "Network Access: Allow anonymous SID/Name translation"
- allowed by default on most except on Windows 2003 DCs
- sid2user
- harvest names from target
- net use \\1.2.3.4 "" /u:""
- user2sid \\1.2.3.4 machinename
- for %L in (1000,1,1010) do @sid2user \\1.2.3.4 {SID without RID} %i
- see slide 165
- exercise slide 168-170
- Netcat
- -p = local port
- listening port, if server
- src port, if client
- -L = listen harder (Windows)
- -u = UDP mode
- -e = exec this program
- -wN = wait for connect for N seconds
- variants
- socat
- receive TCP, transmit UDP
- uses
- are services alive
- relays
- portscans
- connection string gathering
- file transfers
- talk to webserver
- nc to 80
- HEAD / HTTP/1.0
- enter enter for each EOL
- nudging: echo a space to service to get banner
- echo "" | nc -v -n -w1 {IP} 1-100
- returns banners on ports 1-100 on IP
- grab what browser people are using
- nc -v -l -p 80
- make browser surf there (see 560.3)
trivia: why does MS browser clam to be Mozilla?- watch for service crash
- see slide 178
- service is dead
- see slide 179
- to kill loop, ^Z to bg, then kill
- Netcat exercise, slide 183
