Presentation is loading. Please wait.

Presentation is loading. Please wait.

COMP265 --Pentesting Tools nmap. Tons of Tools Top 125 Network Security Tools –http://sectools.org/http://sectools.org/ “I also point newbies to this.

Published byHolly Ryan Modified over 7 years ago

Similar presentations

Presentation on theme: "COMP265 --Pentesting Tools nmap. Tons of Tools Top 125 Network Security Tools –http://sectools.org/http://sectools.org/ “I also point newbies to this."— Presentation transcript:

1 COMP265 --Pentesting Tools nmap

2 Tons of Tools Top 125 Network Security Tools –http://sectools.org/http://sectools.org/ “I also point newbies to this site whenever they write me saying “I don't know where to start”. “Anyone in the security field would be well advised to go over the list and investigate tools they are unfamiliar with.”

3 Types of Tools Function –Scanners –Sniffers –Monitors –Viewers –Crackers –Root kits –Access servers –Packet insertion –...

4 Types of Tools (cont.) Roles Tools for each phase of a Pentest/Cracking –Foot Printing/Reconnaissance –Scanning –Enumeration –Gaining Access –Escalating Privilege –Creating Backdoors/Maintaining Access –Covering Your Tracks

5 Types of Tools (cont.) Standalone tools –Nmap, wireshark, netcat,... Frameworks –Metasploit Live CD's: http://www.darknet.org.uk/2006/03/10-best-security-live- cd-distros-pen-test-forensics-recovery/http://www.darknet.org.uk/2006/03/10-best-security-live- cd-distros-pen-test-forensics-recovery/ http://www.onemansanthology.com/blog/top-5-linux-security-distros/ –Backtrack (Now Kali) –Operator –Knoppix STD –Helix –... –We use Kali

6 Kali Based on Debian Over 300 tools FHS compliant –http://www.pathname.com/fhs/http://www.pathname.com/fhs/ GPG signed packages and repositories Gnome based GUI

7 Vulnerability Assessment Outline Pre-Inspection Visit Network Footprinting (Reconnaissance)‏ Discovery & Probing - Scanning Enumeration Vulnerability Assessment ( Penetration – Gaining access)‏ Reporting

8 Scanning –This is where we want to assess our opponent's systems. –What operating system do they use? –What ports are they listening on? –We are looking for vulnerable places to enter into their systems.

9 Step 1: What systems are there that are alive? Use ping-like tools –Fping –nping –Hping(2,3) –Nmap –Netcat –TCPtraceroute –0trace –Lots of others

10 Ping-like tools TCPtraceroute, 0trace –We might look at these later Netcat –Very general purpose and familiar Nping –Packet assembler form the nmap team

11 Fping, Hping, Hping2, Hping3 Hping Command-line oriented TCP/IP packet assembler/analyzer Ping like interface Hping2, 3 –Interactive upgrade –Hping3 is scriptable Fping fping is different from ping in that you can specify any number of hosts on the command line, or specify a file containing the lists of hosts to ping

12 Step2: What services are running Port scanners –Netcat –Nmap –Masscan Very fast port scanner –Firewalk Tries to traceroute through firewall Finds out what ports are open in the firewall –Others IP protocol scanner –Protos

13 Step3: What software is running? OS/Service Fingerprinting Ass –Autonomous System Scanner –Finds routers P0f –Passive OS fingerprinting tool –Works by observing traffic –Useful to inventory systems for defensive purposes also

14 Step3: What software is running? OS/Service Fingerprinting SinFP –OS fingerprinting on a per-TCP port basis xprobe2 –relies on fuzzy signature matching, probabilistic guesses, multiple matches simultaneously, and a signature database NMAP SNMP Others

15 NMAP Tool for network exploration and security auditing Rapidly scan large networks Determine: –hosts available –services hosts are offering –operating systems and OS versions –packet filters/firewalls in use –other characteristics

16 NMAP Almost the only tool you need for scanning phase Open source Yet well documented Complicated Command line has many many options –Tools is versatile after all Nice output –Targets –Ports –OS info

17 Options Summary http://nmap.org/book/man-briefoptions.html Usage: nmap [Scan Type(s)] [Options] {target specification} TARGET SPECIFICATION: Can pass hostnames, IP addresses, networks, etc. Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254 -iL : Input from list of hosts/networks -iR : Choose random targets --exclude : Exclude hosts/networks --excludefile : Exclude list from file HOST DISCOVERY: -sL: List Scan - simply list targets to scan -sP: Ping Scan - go no further than determining if host is online -PN: Treat all hosts as online -- skip host discovery -PS/PA/PU[portlist]: TCP SYN/ACK or UDP discovery to given ports -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes -PO[protocol list]: IP Protocol Ping... Goes on for 100 lines total !

18 Port States Open –Actively accepting TCP connections or UDP packets Closed –Receives and responds to Nmap probe packets –No application listening Filtered –Packet filtering prevents probes from reaching the port. Unfiltered –Accessible, but unable to determine whether open or closed (ack scan). Open|filtered –Unable to determine whether open or filtered. Closed|filtered –Unable to determine whether closed or filtered (Idle scan)

19 NMAP scans Lots of different types nmap -sS –TCP SYN scan –Fast –Relatively unobtrusive and stealthy, –Clear, reliable differentiation between the open, closed, and filtered states. –Send a SYN then wait for a response

20 NMAP scans nmap -sT –TCP connect scan –Default TCP type when SYN scan is not an option –Asks the O/S to establish connection –Slower, more noticeable –Doesn't use raw packets

21 NMAP scans nmap -sU –UDP scans –Sends an empty (no data) UDP header –ICMP port unreachable or other error –Maybe a response

22 NMAP scans nmap -sN(FS) –TCP NULL, FIN, and Xmas scans –Exploit a subtle loophole in the TCP RFC –Differentiate between open and closed ports –Any packet not containing SYN, RST, or ACK Return RST if the port is closed No response if the port is open

23 NMAP scans nmap -sN; -sF; -sX –Null scan (-sN) Does not set any bits (TCP flag header is 0) –FIN scan (-sF) Sets just the TCP FIN bit. –Xmas scan (-sX) Sets the FIN, PSH, and URG flags, lighting the packet up like a Christmas tree.

24 NMAP scans NMAP -sA –TCP ACK scan –Used to map out firewall rulesets –Whether stateful or not –Which ports are filtered –Only the ACK flag set Unfiltered systems, open and closed will return a RST Filtered systems don't respond or return certain ICMP error messages

25 NMAP scans NMAP -sW –TCP Window scan –Same as ACK scan except... –Differentiates open ports from closed ones by examining the TCP Window field of the RST packets –On some systems, Open ports use a positive window size Closed ones have a zero window.

26 NMAP scans NMAP-sO –IP protocol scan –Determine IP protocols (TCP, ICMP, IGMP, etc.) –Isn't technically a port scan –Cycles through IP protocol numbers –Similar to UDP scan –Sends IP packet headers and iterates through the eight-bit IP protocol field –Looking for ICMP protocol unreachable messages –Any response marks that protocol open –Protocol unreachable marked as closed –Other unreachable errors marked filtered Though they prove that ICMP is open too –No response marked open|filtered

27 NMAP scans NMAP -sI [: ] – Idle scan –Allows for a truly blind TCP port scan –No packets are sent to the target from your IP address –Scan is bounced off a dumb "zombie host" –Exploits predictable IP fragmentation ID sequence generation on the zombie host –Permits mapping out IP-based trust relationships between machines –Shows open ports from the perspective of the zombie host

28 Idle scan IP packets have a fragment identification number (IP ID) –Probing the IPID tells how many packets have been sent since the last probe Send a SYN to target, spoofing zombie's address as source –SYN/ACK if the port is open, Zombie responds to unsolicited SYN/ACK packet with RST. –RST if the port is closed Unsolicited RST ignored

29 Idle scan Probe the zombie's IP ID Forge a SYN packet from the zombie and send it to the desired port on the target Reaction may or may not cause the zombie's IP ID to be incremented. Probe the zombie's IP ID again IP ID should have increased by either one or two

30 Idle Scan

31 Fingerprinting Version detection NMAP -sV –--allports Database contains probes for querying various services and match expressions to recognize and parse responses Tries to determine the service protocol (e.g. FTP, SSH, Telnet, HTTP) The application name (e.g. ISC BIND, Apache httpd, Solaris telnetd), The version number, hostname, device type (e.g. printer, router) The OS family (e.g. Windows, Linux) Sometimes miscellaneous details like whether an X server is open to connections Most services don't provide all of this information

32 OS Detection TCP/IP stack fingerprinting Sends a series of TCP and UDP packets Examines practically every bit in the responses Such as TCP ISN (initial sequence number) sampling, TCP options support and ordering, IP ID sampling, initial window size Compares results to database of more than a thousand known OS fingerprints Prints out the OS details if there is a match

33 Some Options -F –Fast scan. 100 likeliest ports rather than 1000 --version-light –Faster but less accurate OS fingerprint option --host-timeout time –Give up on slow target hosts --min-parallelism numprobes; --max-parallelism numprobes -n (No DNS resolution)

34 NMAP – Good News There is a GUI –ZENMAP Shows you the command line as you choose options Then runs the command Shows you the output

35 NMAP Some links http://www.counterhack.net/base_clippy_image. htmlhttp://www.counterhack.net/base_clippy_image. html http://www.ethicalhacker.net/content/view/11/2/

36 Today's Lab Scan the internal network Detect and categorize the machines Fingerprint the OS and other software Explain the command line options –You may use Zenmap to generate the commands –But run them from the command line

Download ppt "COMP265 --Pentesting Tools nmap. Tons of Tools Top 125 Network Security Tools –http://sectools.org/http://sectools.org/ “I also point newbies to this."

Similar presentations

Overview The TCP/IP Stack. The Link Layer (L2). The Network Layer (L3). The Transport Layer (L4). Port scanning & OS/App detection techniques. Evasion.

Overview The TCP/IP Stack. The Link Layer (L2). The Network Layer (L3). The Transport Layer (L4). Port scanning & OS/App detection techniques. Evasion.
Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
 Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,

 Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,
TCP/IP Fundamentals A quick and easy way to understand TCP/IP v4.

TCP/IP Fundamentals A quick and easy way to understand TCP/IP v4.
Computer Security Fundamentals

Computer Security Fundamentals
Network Mapping  Identify Live Hosts  Determine running Services TCP Port Scanning UDP Port Scanning Banner Grabbing ARP Discovery  Identify Perimeter.

Network Mapping  Identify Live Hosts  Determine running Services TCP Port Scanning UDP Port Scanning Banner Grabbing ARP Discovery  Identify Perimeter.
NMAP Scanning Options. EC-Council NMAP  Nmap is the most popular scanning tool used on the Internet.  Cretead by Fyodar (http://www.insecure.org), it.

NMAP Scanning Options. EC-Council NMAP  Nmap is the most popular scanning tool used on the Internet.  Cretead by Fyodar ( it.
Hands-On Ethical Hacking and Network Defense Second Edition Chapter 5 Port Scanning.

Hands-On Ethical Hacking and Network Defense Second Edition Chapter 5 Port Scanning.
Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning.

Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning.
Xmas Tree Scan Detection with Snort Presented by: Aqila Dissanayake University of Windsor Olalekan Kadri University of Windsor

Xmas Tree Scan Detection with Snort Presented by: Aqila Dissanayake University of Windsor Olalekan Kadri University of Windsor
IP Network Scanning.

IP Network Scanning.
CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Scanning.

CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Scanning.
1 The Attack and Defense of Computers Dr. 許 富 皓. 2 Port Scanning.

1 The Attack and Defense of Computers Dr. 許 富 皓. 2 Port Scanning.
Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning Last updated 9-18-08.

Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning Last updated
Penetration Testing-Wk5 Last Week nmap – scan hosts – footprint find open ports running services determine OS.

Penetration Testing-Wk5 Last Week nmap – scan hosts – footprint find open ports running services determine OS.
Scanning Determining if the system is alive IP Scanning Port Scanning War Dialing.

Scanning Determining if the system is alive IP Scanning Port Scanning War Dialing.
Hacking Exposed 7 Network Security Secrets & Solutions Chapter 2 Scanning 1.

Hacking Exposed 7 Network Security Secrets & Solutions Chapter 2 Scanning 1.
Port Scanning CT1406 lab#5.

Port Scanning CT1406 lab#5.
System Security Scanning and Discovery Chapter 14.

System Security Scanning and Discovery Chapter 14.
Description “Nmap stands for Network Mapper. Nmap (“Network Mapper”) is an open source tool for network exploration and security auditing.

Description “Nmap stands for "Network Mapper". Nmap (“Network Mapper”) is an open source tool for network exploration and security auditing.

Similar presentations

Ads by Google