Presentation is loading. Please wait.

Presentation is loading. Please wait.

Penetration Testing-Wk5 Last Week nmap – scan hosts – footprint find open ports running services determine OS.

Similar presentations


Presentation on theme: "Penetration Testing-Wk5 Last Week nmap – scan hosts – footprint find open ports running services determine OS."— Presentation transcript:

1 Penetration Testing-Wk5 Last Week nmap – scan hosts – footprint find open ports running services determine OS

2 Finding Vulnerabilities After footprinting a service Need to lookup CVE See if vulnerability is related to running software See if exploits are “in the wild” Tedious and error prone

3 Nessus – vulnerability scanner – CVE database – Highlights weaknesses Saves looking for CVE – Once service is footprinted Database needs constant updates – Commercial service – $1200/yr Was based on nmap

4 Nessus license Home use No really fancy features –Virtual appliance –Compliance checks –PCI, NIST, CIS, etc. –Scada plugins –Support Do get real time vulnerability updates

5 OpenVas Vulnerability Assessment Scanner Forked from formally open source Nessus software Open source –Free –Supported by German Federal Office for Information Security (BSI) –And others Daily updated feed of Network Vulnerability Tests

6 Saint Like nessus Also commercial Has free trial and academic license –Without vulnerability database

7 Retina Another commercial vulnerability scanner Works poorly without credentials More suitable for compliance audit than pentesting

8 Other CVE products Mostly commercial Due to cost of maintaining CVE database

9 Nitko Another type of vulnerability scanner Nikto Open Source (GPL) web server scanner perl Performs tests for –Over 3500 potentially dangerous files/CGIs, versions on over 900 servers, –Version specific problems on over 250 servers

10 w3af Web Application Attack and Audit Framework, Sponsored by Bonsai and Rapid7 Author Andrés Riancho, founder of Bonsai Rapid7 also sponsors Metasploit “find and exploit web application vulnerabilities” Works with plugins, like nessus Has gui interface

11 Tools for this week Going lower level rather than higher Hping2 (3) –Mentioned earlier –A packet crafting tool –Anything nmap can do this can do With more difficulty But more flexibility TCP, UDP or ICMP payloads

12 Hping, Hping2, Hping3 Hping –Command-line oriented TCP/IP packet assembler/analyzer –Ping like interface Hping2 –Interactive packet constructor and response analyzer –An upgrade of hping Hping3 –Scriptable with tcl –Some fixes Should use hping3 for latest fixes

13 Hping Header fields can be modified and controlled using the command line -F --fin set FIN flag -S --syn set SYN flag -R --rst set RST flag -P --push set PUSH flag -A --ack set ACK flag -U --urg set URG flag -X --xmas set X unused flag (0x40) -Y --ymas set Y unused flag (0x80)

14 SYN scan root]# hping -I eth0 -S p ++79 HPING (eth ): S set, 40 headers + 0 data bytes len=46 ip= sport=79 flags=RA seq=0 ttl=255 id=17491 win=0 rtt=2.4 ms len=46 ip= sport=80 flags=SA DF seq=1 ttl=64 id=17492 win=16080 rtt=3.1 ms len=46 ip= sport=81 flags=RA seq=2 ttl=255 id=17493 win=0 rtt=1.7 ms len=46 ip= sport=82 flags=RA seq=3 ttl=255 id=17494 win=0 rtt=1.8 ms len=46 ip= sport=83 flags=RA seq=4 ttl=255 id=17495 win=0 rtt=1.4 ms len=46 ip= sport=84 flags=RA seq=5 ttl=255 id=17496 win=0 rtt=3.6 ms

15 SYN scan Scans hosts for open ports Which were open? An open port is indicated by a SA return packet Closed ports by a RA packets. Remember the 3-way handshake! hping -I eth0 -S p ++79 | grep SA

16 hping Idle/Zombie Scan First find idle host If IP_ID increases by one after every transmission Host is idle

17 Idle Host root]# hping -I eth0 -SA HPING (eth ): SA set, 40 headers + 0 data bytes len=46 ip= flags=R seq=0 ttl=255 id=18106 win=0 rtt=0.4 ms len=46 ip= flags=R seq=1 ttl=255 id=18107 win=0 rtt=0.4 ms len=46 ip= flags=R seq=2 ttl=255 id=18108 win=0 rtt=0.4 ms Notice id increasing Idea is to send continuous scan While also probing host with spoofed ip Looking for jump in id

18 Zombie Scanning the Target Host Session 1, a spoofed scan of the server by the attacker: root]# hping -I eth0 -a S p ++20 HPING (eth ): S set, 40 headers + 0 data bytes

19 Results from Zombie docs]# hping -I eth0 -r -S p 2000 HPING (eth ): S set, 40 headers + 0 data bytes len=46 ip= flags=RA seq=86 ttl=255 id=+1 win=0 rtt=1.6 ms len=46 ip= flags=RA seq=87 ttl=255 id=+2 win=0 rtt=1.6 ms (port 21) len=46 ip= flags=RA seq=88 ttl=255 id=+1 win=0 rtt=1.8 ms len=46 ip= flags=RA seq=89 ttl=255 id=+1 win=0 rtt=1.7 ms len=46 ip= flags=RA seq=90 ttl=255 id=+1 win=0 rtt=1.8 ms len=46 ip= flags=RA seq=91 ttl=255 id=+2 win=0 rtt=1.4 ms (port 25)

20 another example /]# hping HPING (eth ): icmp mode set, 28 headers + 0 data bytes ip= ttl=255 id=6241 icmp_seq=0 rtt=0.5 ms len=28 ip= ttl=255 id=6242 icmp_seq=1 rtt=0.3 ms len=28 ip= ttl=255 id=6425 icmp_seq=2 rtt=0.4 ms len=28 ip= ttl=255 id=6427 icmp_seq=3 rtt=0.2 ms len=28 ip= ttl=255 id=6428 icmp_seq=4 rtt=0.3 ms len=28 ip= ttl=255 id=6429 icmp_seq=5 rtt=0.1 ms len=28 ip= ttl=255 id=6433 icmp_seq=6 rtt=0.2 ms

21 Sending a File hping can insert data into packets of any type hping is capable of listening for packets and then extracting the data To do this, a “signature” is inserted into the packet before the data --sign “string” uses “string” as the signature --listen “string” listens for packets and extracts data following”string” –Data are dumped to standard output

22 Sending a file using ping packets hping sender-ip –listen string –safe –icmp --safe re-sends missing packets (like tcp) --icmp sends icmp packets, type ping by default hping receiver-ip –sign string –icmp -d file filename -d 100 specifies data size --file filename indicates what file to send

23 Man page –http://linux.die.net/man/8/hping2http://linux.die.net/man/8/hping2 Tutorial –http://www.scribd.com/doc/607491/hping2-v1-5http://www.scribd.com/doc/607491/hping2-v1-5 Another –http://www.ethicalhacker.net/content/vi ew/72/24/http://www.ethicalhacker.net/content/vi ew/72/24/ Zombie scan –http://nmap.org/book/idlescan.htmlhttp://nmap.org/book/idlescan.html On kali of course.

24 Coming Soon nping From the nmap team Similar functionality to hping Not yet considered stable Worth wtching

25 This week's lab Duplicate one of the nmap scans using hping Try a zombie scan Send a file using ping packets


Download ppt "Penetration Testing-Wk5 Last Week nmap – scan hosts – footprint find open ports running services determine OS."

Similar presentations


Ads by Google