Presentation transcript: Adrian Crenshaw, Irongeek.com

Slide 1: Adrian Crenshaw (http://Irongeek.com)

Slide 2:
- I run Irongeek.com
- I have an interest in InfoSec education
- I don't know everything - I'm just a geek with time on my hands
- Sr. Information Security Consultant at TrustedSec
- Co-Founder of Derbycon, http://www.derbycon.com
- Twitter: @Irongeek_ADC

Slide 3:
- Since ports are fairly standard, if port 80/tcp is listening on a host, more than likely it's running web services
- By sending packets to these port numbers, you can see what services are running on the host
- Knowing what services are running tells you something about the potential attack surface
- What about fingerprinting?

Slide 4:
- One of the most popular port scanners
- Started by Gordon Lyon (Fyodor) back in 1997, as an article for Phrack Magazine 51
- Started as a fairly simple port scanner, and has suffered some pretty serious feature creep since
- Multiplatform (Linux, Windows, BSD, OS X)
- Open Source and available from http://nmap.org

Slide 5:
- To use an analogy, if IPs are an apartment complex's address, ports are the apartment number
- Both UDP and TCP use incoming and outgoing ports
- Most IP-based services listen on standard ports (HTTP 80/TCP, SMTP 25/TCP, SMB 139/445/TCP, DNS port 53/TCP and UDP)

Slide 6: (image only)

Slide 7: (image only)

Slide 8:
- MAC (Media Access Control) is the address on the NIC (Network Interface Card)
- The term is used in Ethernet, but the same concept applies elsewhere
- The burned-in address should be unique, and if they ask on the exam it is, but reality is sometimes different

Slide 9:
- 48 bits (6 bytes) long, mostly represented in hex like this: DE:AD:BE:EF:CA:FE
- The OUI (Organizationally Unique Identifier) is the first three bytes (DE:AD:BE, shown in red on the slide); the extension identifier is the last three (EF:CA:FE, shown in blue)
- See who is assigned what OUI here: http://standards.ieee.org/develop/regauth/oui/oui.txt

Slide 10:
- 64-bit MAC addresses (EUI-64)
- OUI is still 24 bits
- Not sure what uses these

Slide 11:
- IPv4 uses 32-bit addresses
- Usually represented as 4 octets (separated into its 4 bytes and written in decimal): 192.168.1.1
- Dec: 3232235777, Hex: C0A80101, Binary: 11000000 10101000 00000001 00000001
- 2^32 addresses possible (more or less), so about 4.3 billion
- Began running out of these, which is one reason for IPv6 and NAT

Slide 12:
- Count from 0!

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |Version|  IHL  |Type of Service|          Total Length         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |         Identification        |Flags|      Fragment Offset    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Time to Live |    Protocol   |         Header Checksum       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                       Source Address                          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Destination Address                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Options                    |    Padding    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Slide 13: (IPv4 header diagram as on slide 12, Version field highlighted)
- Version of the IP protocol, 4 in this case, bits 0-3

Slide 14: (IHL field highlighted)
- Internet Header Length, bits 4-7

Slide 15: (Type of Service field highlighted)
- Sets the priority of the packet

Slide 16: (Total Length field highlighted)
- Total length of the packet, min 20, max 65,535

Slide 17: (Identification field highlighted)
- Identification, used for fragmentation

Slide 18: (Flags field highlighted)
- Flags, used for fragmentation

Slide 19: (Fragment Offset field highlighted)
- Fragment Offset, used for fragmentation

Slide 20: (Time to Live field highlighted)
- Should have been called "Hop Count" based on most implementations. Seconds since the packet was born, by spec.

Slide 21: (Protocol field highlighted)
- ICMP=1, TCP=6, UDP=17. Way more at: http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml

Slide 22: (Header Checksum field highlighted)
- To detect errors in transmission

Slide 23: (Source Address field highlighted)
- Where did I come from?

Slide 24: (Destination Address field highlighted)
- Where am I going?

Slide 25: (Options field highlighted)
- Extra options for the packet. Things like source routing would be here: http://www.networksorcery.com/enp/protocol/ip.htm#Options

Slide 26: (Padding field highlighted)
- To make sure data starts on a 32-bit boundary
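Added example, not from the slides: a parser for the 20-byte IPv4 header the field slides above walk through, with the header checksum verified the way slide 22 describes. The header bytes it decodes are constructed inside the block, and the function names (parse_ipv4, build_ipv4) are chosen here.

```python
import struct

PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}   # slide 21; IANA lists many more

def ipv4_to_int(addr: str) -> int:
    """'192.168.1.1' -> 3232235777 (the dotted form is just four bytes in decimal)."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {addr!r}")
    return int.from_bytes(bytes(octets), "big")

def int_to_ipv4(n: int) -> str:
    return ".".join(str(b) for b in n.to_bytes(4, "big"))

def header_checksum(data: bytes) -> int:
    """RFC 791: 16-bit one's complement of the one's complement sum of the header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                        # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_ipv4(packet: bytes) -> dict:
    """Decode the fixed header; raises on anything that is not a sane IPv4 header."""
    if len(packet) < 20:
        raise ValueError("too short: an IPv4 header is at least 20 bytes")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, csum, src, dst) = struct.unpack("!BBHHHBBHII", packet[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F    # bits 0-3 and bits 4-7
    if version != 4:
        raise ValueError(f"not IPv4: version={version}")
    header_len = ihl * 4                           # IHL counts 32-bit words
    if header_len < 20 or len(packet) < header_len:
        raise ValueError(f"bad IHL {ihl}")
    if total_len < header_len:
        raise ValueError(f"total length {total_len} smaller than the header")
    return {
        "version": version, "ihl": ihl, "tos": tos, "total_length": total_len,
        "identification": ident,
        "dont_fragment": bool(flags_frag & 0x4000),     # flag bit 1 = DF
        "more_fragments": bool(flags_frag & 0x2000),    # flag bit 2 = MF
        "fragment_offset": (flags_frag & 0x1FFF) * 8,   # stored in 8-byte units
        "ttl": ttl, "protocol": proto,
        "protocol_name": PROTOCOLS.get(proto, str(proto)),
        "checksum": csum,
        # A header that arrived intact sums (checksum field included) to 0.
        "checksum_ok": header_checksum(packet[:header_len]) == 0,
        "src": int_to_ipv4(src), "dst": int_to_ipv4(dst),
        "options": packet[20:header_len],
    }

def build_ipv4(src: str, dst: str, protocol: int, payload_len: int,
               ttl: int = 64, ident: int = 0, df: bool = True) -> bytes:
    """Construct a minimal (IHL=5) header with a correct checksum, for test input."""
    flags_frag = 0x4000 if df else 0
    hdr = struct.pack("!BBHHHBBHII", 0x45, 0, 20 + payload_len, ident, flags_frag,
                      ttl, protocol, 0, ipv4_to_int(src), ipv4_to_int(dst))
    return hdr[:10] + struct.pack("!H", header_checksum(hdr)) + hdr[12:]

if __name__ == "__main__":
    pkt = build_ipv4("192.168.1.1", "10.0.0.1", 6, payload_len=20, ident=0x1234)
    h = parse_ipv4(pkt)
    print(h["src"], "->", h["dst"], h["protocol_name"], "TTL", h["ttl"],
          "checksum ok:", h["checksum_ok"])
    damaged = bytearray(pkt)
    damaged[8] -= 1      # a hop decremented TTL but did not recompute the checksum
    print("after TTL change without recomputing:", parse_ipv4(bytes(damaged))["checksum_ok"])
```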

Slide 27:
- Networks have a Maximum Transmission Unit (MTU) size, often 1500 bytes
- Sometimes packets must be broken up to fit, which can be done by a router
- The IPID and Fragment Offset mentioned before are used to put packets back together
- The MTU of the path can be discovered by setting the Don't Fragment flag and trying smaller sizes until you no longer get an ICMP "Fragmentation needed and DF set" message back

Slide 28:
- 128-bit addresses, 2^128 possible addresses (in technical terms: a shit load)
- 340 undecillion to us Yanks, 340 sextillion to Brits (which sounds like a fancy orgy)
- In some ways, IPv6 has a simpler header

Slide 29:
- 40 bytes, 320 bits

    Bit   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      0  |Version| Traffic Class |           Flow Label                  |
     32  |         Payload Length        |  Next Header  |   Hop Limit   |
     64  |                                                               |
     96  |                  Source Address (128 bits)                    |
    128  |                                                               |
    160  |                                                               |
    192  |                                                               |
    224  |               Destination Address (128 bits)                  |
    256  |                                                               |
    288  |                                                               |

Slide 30:
- Version is set to 6
- Traffic Class and Flow Label are used for QoS
- Payload Length is the size of the payload, not including the IP header itself
- Next Header points to the header of the encapsulated protocol
- Hop Limit was TTL in old IPv4; this is a better name
- Source and Destination Addresses

Slide 31:
- Stateless Auto Configuration eliminates the need for DHCP (though it is still possible with DHCPv6, Stateful Auto Configuration)
- The IPv6 address is based on the MAC address and IPv6 router advertisements
- ff:fe is inserted into the MAC if it is 48 bits; an EUI-64 MAC address that is already 64 bits can be used as is
- Uses : for notation in hex; :: can substitute for a run of 0s (but only once): fe80::60c:ceff:fed7:ed7c
- The one above is a Link-Local address (notice the fe80) and can be used to talk to other IPv6 hosts on the network without a router
- Universal/Local (U/L) bit set to 1 if the burned-in MAC address is overridden
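Added example, not from the slides: how a 48-bit MAC becomes the interface identifier of a stateless-autoconfigured IPv6 link-local address, and how to reverse it. The MAC used in the block is the one the slide's fe80::60c:ceff:fed7:ed7c decodes to; the function names are chosen here.

```python
import ipaddress

def parse_mac(mac: str) -> bytes:
    """Accept 'DE:AD:BE:EF:CA:FE', 'de-ad-be-ef-ca-fe' or 'deadbeefcafe'."""
    hexdigits = mac.replace(":", "").replace("-", "").lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return bytes.fromhex(hexdigits)

def oui(mac: str) -> str:
    """First 24 bits are the OUI (vendor); the last 24 are the extension identifier."""
    return parse_mac(mac)[:3].hex(":").upper()

def is_locally_administered(mac: str) -> bool:
    """Bit 0x02 of the first byte is the U/L bit: 1 = locally administered
    (the burned-in address was overridden), 0 = universal (burned in)."""
    return bool(parse_mac(mac)[0] & 0x02)

def modified_eui64(mac: str) -> bytes:
    """Insert ff:fe in the middle of the 48-bit MAC and flip the U/L bit
    (modified EUI-64 inverts it, so 1 now means 'universal')."""
    b = bytearray(parse_mac(mac))
    b[0] ^= 0x02
    return bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:])

def link_local_from_mac(mac: str) -> str:
    """fe80::/64 prefix + modified EUI-64 interface id, in compressed notation."""
    prefix = bytes.fromhex("fe80000000000000")
    return str(ipaddress.IPv6Address(prefix + modified_eui64(mac)))

def mac_from_link_local(addr: str):
    """Reverse: recover the MAC an address was derived from, or None when the
    interface id does not carry ff:fe in the middle (privacy/random addresses)."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    b = bytearray(iid[:3] + iid[5:])
    b[0] ^= 0x02
    return bytes(b).hex(":")

if __name__ == "__main__":
    mac = "04:0c:ce:d7:ed:7c"          # the slide's example address decodes to this
    print("OUI:", oui(mac), "locally administered:", is_locally_administered(mac))
    print("link-local:", link_local_from_mac(mac))
    print("back to MAC:", mac_from_link_local("fe80::60c:ceff:fed7:ed7c"))
```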

Slide 32:
- Size matters

    Name     Number of hosts  Range                         Leading bits  Notes
    Class A  16,777,216       0.0.0.0 to 127.255.255.255    0
    Class B  65,536           128.0.0.0 to 191.255.255.255  10
    Class C  256              192.0.0.0 to 223.255.255.255  110
    Class D  Undefined?       224.0.0.0 to 239.255.255.255  1110          Multicast
    Class E  Undefined?       240.0.0.0 to 255.255.255.255  1111          Reserved

Slide 33:
- CIDR allows for less waste by splitting networks up
- CIDR notation: 255.255.255.0 = /24, 255.255.0.0 = /16, 255.0.0.0 = /8
- Could also be other values

Slide 34:
- Dickins Corp uses IP range 10.*.*.*
- Assume an example host is 10.69.69.69
- Let's say they use 255.255.240.0 (/20) for a subnet: 11111111.11111111.11110000.00000000
- Red is the network section, blue the host section (on the slide)
- AND with the host IP:
    00001010.01000101.01000101.01000101
    11111111.11111111.11110000.00000000
    = 00001010.01000101.01000000.00000000
- If two different IPs ANDed with the same subnet mask give the same result, they are on the same network
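Added example, not from the slides: the AND-with-mask arithmetic from the Dickins Corp example and the classful lookup from the table two slides back, written out as code. The function names are chosen here; the cross-check at the bottom uses Python's ipaddress module.

```python
import ipaddress

def ip_to_int(ip: str) -> int:
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {ip!r}")
    return int.from_bytes(bytes(octets), "big")

def int_to_ip(n: int) -> str:
    return ".".join(str(b) for b in n.to_bytes(4, "big"))

def to_binary(n: int) -> str:
    """Dotted binary like the slide: 00001010.01000101.01000101.01000101"""
    return ".".join(f"{b:08b}" for b in n.to_bytes(4, "big"))

def mask_from_prefix(prefix: int) -> int:
    """/20 -> 0xFFFFF000 (twenty 1 bits followed by twelve 0 bits)."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be 0..32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF

def prefix_from_mask(mask: str) -> int:
    """255.255.240.0 -> 20. Rejects non-contiguous masks such as 255.0.255.0."""
    m = ip_to_int(mask)
    prefix = bin(m).count("1")
    if mask_from_prefix(prefix) != m:
        raise ValueError(f"non-contiguous mask: {mask}")
    return prefix

def network_address(ip: str, prefix: int) -> str:
    """Host AND mask: the network section with the host bits zeroed."""
    return int_to_ip(ip_to_int(ip) & mask_from_prefix(prefix))

def same_network(ip_a: str, ip_b: str, prefix: int) -> bool:
    """Slide 34's rule: same result after ANDing means same network."""
    return network_address(ip_a, prefix) == network_address(ip_b, prefix)

def address_count(prefix: int) -> int:
    """Addresses in the block (the class table counts network and broadcast too)."""
    return 1 << (32 - prefix)

def address_class(ip: str) -> str:
    """Classful lookup by the leading bits of the first octet (slide 32)."""
    first = ip_to_int(ip) >> 24
    if first >> 7 == 0b0:
        return "A"
    if first >> 6 == 0b10:
        return "B"
    if first >> 5 == 0b110:
        return "C"
    if first >> 4 == 0b1110:
        return "D (multicast)"
    return "E (reserved)"

if __name__ == "__main__":
    host, prefix = "10.69.69.69", prefix_from_mask("255.255.240.0")
    net = network_address(host, prefix)
    print(to_binary(ip_to_int(host)))
    print(to_binary(mask_from_prefix(prefix)))
    print("=", to_binary(ip_to_int(net)), net, "class", address_class(host))
    # Cross-check the hand arithmetic against the standard library.
    stdlib = ipaddress.ip_network(f"{host}/{prefix}", strict=False).network_address
    print("stdlib agrees:", str(stdlib) == net)
```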

Slide 35:
- Address Resolution Protocol allows machines to find the Layer 2 MAC address for a Layer 3 IP
- If the computer has the IP, it can send a broadcast message asking "who has this IP?"
- Then communication can happen
- RARP (Reverse Address Resolution Protocol) is the opposite and is used by diskless workstations
- Think about static ARP entries
- (Diagram) "Hey, who has IP 192.168.1.2?" / "That's me! My MAC Address is DE:AD:BE:FE:CA:FE"

Slide 36:
- TCP = Transmission Control Protocol
- Considered a "reliable", session-based protocol (though it is said to be on the Transport layer of OSI, AKA Layer 4)
- Starts with the three-way handshake of:
    Host 1: SYN
    Host 2: SYN/ACK
    Host 1: ACK
- Has the concept of source and destination ports to specify what service to connect to

Slide 37:
- IP Header is above this

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |          Source Port          |       Destination Port        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                        Sequence Number                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Acknowledgment Number                      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Data |           |U|A|P|R|S|F|                               |
   | Offset| Reserved  |R|C|S|S|Y|I|            Window             |
   |       |           |G|K|H|T|N|N|                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |           Checksum            |         Urgent Pointer        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Options                    |    Padding    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Porn, uhhh I mean data                     |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Slide 38: (TCP header diagram as on slide 37, Source Port and Destination Port highlighted)
- Think apartment numbers in a complex

Slide 39: (Sequence Number and Acknowledgment Number highlighted)
- Keeps the connection in sync and allows knowing which packets got through

Slide 40: (Data Offset highlighted)
- Gives the size of the TCP header in 32-bit words, at least 5, at most 15

Slide 41: (Reserved field highlighted; on this version of the diagram it is shrunk to make room for NS, CWR and ECE next to the six original flags)
- Not all used currently, but maybe later?
- These were added in 2001 and 2003 for congestion control:
    CWR = Congestion Window Reduced
    ECE = Explicit Congestion Notification Echo
    NS = Nonce Sum

Slide 42: (flag bits highlighted)
- URG = This is important, go look at the urgent field
- ACK = Says the Acknowledgment field is important. Should be set on all packets after the initial SYN
- PSH = Asks to push the buffered data to the application
- RST = Reset the connection
- SYN = Hey! Synchronize Sequence Numbers!
- FIN = We done son, tear down the connection

Slide 43: (Window highlighted)
- Tells how much data you can send, for flow control

Slide 44: (Checksum highlighted)
- Used for error checking

Slide 45: (Urgent Pointer highlighted)
- Offset from the Sequence Number to the last urgent data byte

Slide 46: (Options highlighted)
- Size is determined by the Data Offset field; too many to list, so see https://www.iana.org/assignments/tcp-parameters/tcp-parameters.xhtml

Slide 47: (Padding highlighted)
- Makes sure the header stops at a 32-bit boundary

Slide 48: (data highlighted)
- Here is the data

Slide 49:
- During the SYN, SYN/ACK, ACK handshake, the two parties make up their own sequence numbers to exchange
- As data is passed, each increments the other's sequence number and passes it back to acknowledge that a packet was received
- ACKs are used throughout, and a FIN is used at the end to tear down the connection (sometimes a RST)
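Added example, not from the slides: a decoder for the TCP header fields of slides 37-48 (flags including NS/CWR/ECE, data offset, options) plus a check of the sequence and acknowledgment arithmetic slide 49 describes for the three-way handshake. The segments are constructed in the block; build_tcp, parse_tcp, classify and handshake_ok are names chosen here.

```python
import struct

# Control bits in the 16-bit "data offset / reserved / flags" word (slides 41-42).
FLAG_BITS = {"NS": 0x100, "CWR": 0x080, "ECE": 0x040, "URG": 0x020, "ACK": 0x010,
             "PSH": 0x008, "RST": 0x004, "SYN": 0x002, "FIN": 0x001}

def parse_tcp(segment: bytes) -> dict:
    """Decode the TCP header; data offset says where options end and data begins."""
    if len(segment) < 20:
        raise ValueError("a TCP header is at least 20 bytes")
    sport, dport, seq, ack, off_flags, window, csum, urg = \
        struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = off_flags >> 12               # header length in 32-bit words, 5..15
    if data_offset < 5:
        raise ValueError(f"bad data offset {data_offset}")
    header_len = data_offset * 4
    if len(segment) < header_len:
        raise ValueError("segment shorter than its data offset claims")
    return {
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
        "data_offset": data_offset,
        "flags": {name for name, bit in FLAG_BITS.items() if off_flags & bit},
        "window": window, "checksum": csum, "urgent_pointer": urg,
        "options": segment[20:header_len],      # options plus padding, if any
        "data": segment[header_len:],
    }

def build_tcp(sport: int, dport: int, seq: int, ack: int, flags: set,
              window: int = 65535, options: bytes = b"", data: bytes = b"") -> bytes:
    """Make a segment for the examples. The checksum is left at 0 because it is
    computed over an IP pseudo-header, which this block does not model."""
    if len(options) % 4:                        # pad options to a 32-bit boundary
        options += b"\x00" * (4 - len(options) % 4)
    data_offset = 5 + len(options) // 4
    off_flags = (data_offset << 12) | sum(FLAG_BITS[f] for f in flags)
    hdr = struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_flags, window, 0, 0)
    return hdr + options + data

def classify(flags: set) -> str:
    """Name the step of a session that a flag combination represents."""
    if flags == {"SYN"}:
        return "SYN (connection request)"
    if flags == {"SYN", "ACK"}:
        return "SYN/ACK (request accepted)"
    if "RST" in flags:
        return "RST (refused or aborted)"
    if flags == {"URG", "PSH", "FIN"}:
        return "Xmas (not a normal session step)"
    if "FIN" in flags:
        return "FIN (orderly teardown)"
    if "ACK" in flags:
        return "ACK (data or acknowledgment)"
    return "unusual: " + ",".join(sorted(flags))

def handshake_ok(syn: bytes, synack: bytes, ack: bytes) -> bool:
    """Slide 49's arithmetic: each side picks its own initial sequence number, the
    other side acknowledges it plus one (the SYN itself consumes one sequence
    number), and the numbers wrap at 2**32."""
    s, sa, a = parse_tcp(syn), parse_tcp(synack), parse_tcp(ack)
    return (s["flags"] == {"SYN"} and sa["flags"] == {"SYN", "ACK"}
            and a["flags"] == {"ACK"}
            and sa["ack"] == (s["seq"] + 1) & 0xFFFFFFFF
            and a["ack"] == (sa["seq"] + 1) & 0xFFFFFFFF
            and a["seq"] == sa["ack"])

if __name__ == "__main__":
    syn = build_tcp(40000, 80, 1000, 0, {"SYN"}, options=b"\x02\x04\x05\xb4")  # MSS 1460
    synack = build_tcp(80, 40000, 5000, 1001, {"SYN", "ACK"})
    ack = build_tcp(40000, 80, 1001, 5001, {"ACK"})
    for seg in (syn, synack, ack):
        p = parse_tcp(seg)
        print(p["src_port"], "->", p["dst_port"], classify(p["flags"]), p["seq"], p["ack"])
    print("handshake consistent:", handshake_ok(syn, synack, ack))
```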

Slide 50:
- UDP = User Datagram Protocol
- Considered connectionless, "unreliable", fire and forget
- Meant for when speed and low overhead are more important than reliability, and the data passed can be lossy:
    NTP
    VoIP
    DNS
    Streaming Video

Slide 51:
- Pretty simple
- Checksum is optional

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |          Source Port          |       Destination Port        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |            Length             |           Checksum            |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                     Data: VoIP phone sex                      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Slide 52:
- 16-bit port fields allow for 0 to 65535, or 65536 ports
- 1023 and lower are reserved ports (may need to be root to open)
- 1024 and up are ephemeral ports (most apps will source from these ports)
- Common ports: HTTP=80/tcp, HTTPS=443/tcp, SMTP=25/tcp, SSH=22/tcp, Telnet=23/tcp, DNS=53/udp & tcp

Slide 53:
- ICMP is Internet Control Message Protocol and helps out the other protocols
- Considered to be layer 3, despite IP being layer 3 and ICMP riding on it
- Used for troubleshooting (like ping) and reporting errors
- Uses types and codes instead of ports

Slide 54:
- Type 8 = Echo
- Type 0 = Echo Reply
- All of Type 3 is Destination Unreachable
    Type 3, Code 0 = Network Unreachable
    Type 3, Code 1 = Host Unreachable
    Type 3, Code 4 = Fragmentation Needed and Don't Fragment was Set
- Type 11, Code 0 = Time to Live exceeded in Transit
- Type 11, Code 1 = Fragment Reassembly Time Exceeded

Slide 55:
- PING is a tool using ICMP Echo Requests and Echo Replies
- Named for the sound of sonar, but the backronym is Packet Internet Groper
- Used to see if a host is up
- Not so reliable now, as so many organizations block various ICMP packets with firewalls

Slide 56:
- Traceroute sends packets with the TTL field incremented each time to determine the path of packets on the network
- Steps:
    1. Send a packet with a TTL of 1
    2. The first router decrements the TTL of the packet, sees that it is now 0 and drops it
    3. The router sends an ICMP Time Exceeded message back to the original host; since this message has the IP of the router, it can be used to identify it
    4. The original host takes note of the first hop, then sends another packet with the TTL set to 2
    5. Repeat until the destination is reached or whatever the default max is, incrementing the TTL each time
- Also not as reliable as it once was
- Windows uses ICMP packets, *nix uses UDP
- Both usually send three packets back to back for each hop

Slide 57: (diagram) packets with TTL 1, 2 and 3 each draw a "TTL Exceeded" reply from successive routers; the packet with TTL 4 reaches the destination ("It Got Here!")
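Added example, not from the slides: an in-memory model of the traceroute procedure on slide 56, including what happens when a hop silently drops the probe (the "not as reliable as it once was" case) and the difference between the Windows-style ICMP probe and the *nix-style UDP probe at the destination. The routers and addresses are constructed (documentation ranges); nothing is sent on the wire, and the function names are chosen here.

```python
ICMP_TIME_EXCEEDED = (11, 0)      # slide 54: TTL exceeded in transit
ICMP_ECHO_REPLY = (0, 0)          # what a Windows-style ICMP echo probe gets back
ICMP_PORT_UNREACHABLE = (3, 3)    # what a *nix-style UDP probe to an unused port gets

def forward(path, dst, ttl, probe="udp", silent=frozenset()):
    """Carry one probe hop by hop. Every router decrements TTL; the one that
    takes it to 0 drops the packet and answers with ICMP Time Exceeded from
    its own address (steps 2-3 on the slide). Addresses in `silent` drop the
    probe without answering, which is what a firewall blocking ICMP looks like.
    Returns (replying_address, (icmp_type, icmp_code)) or (None, None)."""
    for router in path:
        ttl -= 1
        if ttl == 0:
            return (None, None) if router in silent else (router, ICMP_TIME_EXCEEDED)
    if dst in silent:
        return None, None
    return dst, (ICMP_ECHO_REPLY if probe == "icmp" else ICMP_PORT_UNREACHABLE)

def traceroute(path, dst, probe="udp", silent=frozenset(), max_hops=30):
    """Steps 1, 4 and 5: start at TTL 1 and keep incrementing until the
    destination answers or max_hops is hit. Returns [(ttl, address_or_'*', icmp)]."""
    hops = []
    for ttl in range(1, max_hops + 1):
        who, kind = forward(path, dst, ttl, probe, silent)
        hops.append((ttl, who if who is not None else "*", kind))
        if who == dst:
            break
    return hops

if __name__ == "__main__":
    routers = ["10.0.0.1", "172.16.0.1", "203.0.113.1"]   # constructed path
    target = "198.51.100.9"
    for ttl, who, kind in traceroute(routers, target):
        print(f"{ttl:2d}  {who:15s}  ICMP type/code {kind}")
    print("with a router that never answers:")
    for ttl, who, kind in traceroute(routers, target, silent={"172.16.0.1"}):
        print(f"{ttl:2d}  {who:15s}  {kind}")
```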

Slide 58:
- BOOTP, Bootstrap Protocol, server port 67/udp, client port 68/udp, used by diskless workstations
- DHCP, Dynamic Host Configuration Protocol, server port 67/udp, client port 68/udp
- DNS, Domain Name System, 53/udp & 53/tcp; DNSSEC uses PKI to add integrity, but not confidentiality
- FTP, File Transfer Protocol, 21/tcp (control), 20/tcp (data in active FTP)
- HTTP/HTTPS, Hyper Text Transfer Protocol, 80/tcp, 443/tcp if using SSL/TLS
- IMAP, Internet Message Access Protocol, 143/tcp
- Telnet, 23/tcp, terminal emulation
- TFTP, Trivial File Transfer Protocol, 69/udp
- POP3, Post Office Protocol, 110/tcp
- SNMP, Simple Network Management Protocol, 161/udp
- SSH, 22/tcp, like telnet but encrypted; SFTP rides on top of it
- SMTP, Simple Mail Transfer Protocol, 25/tcp

Slide 59:
Connect Scan (-sT) against an open port:
    1. SYN
    2. SYN/ACK
    3. ACK
    4. RST/ACK
SYN Scan (-sS) against an open port:
    1. SYN
    2. SYN/ACK
    3. RST

Slide 60:
Connect Scan (-sT) against a closed port:
    1. SYN
    2. RST/ACK
SYN Scan (-sS) against a closed port:
    1. SYN
    2. RST/ACK

Slide 61: Ground work for OS detection
- ACK to a closed or open port, Linux or Windows = RST
- Xmas scan (URG, PSH, FIN) on an open or closed port: Linux = no response; Windows = RST, ACK
- Osfuscate: http://www.irongeek.com/i.php?page=security/osfuscate-change-your-windows-os-tcp-ip-fingerprint-to-confuse-p0f-networkminer-ettercap-nmap-and-other-os-detection-tools

Slide 62:
- Closed: ICMP port unreachable error (type 3, code 3)
- Filtered: ICMP unreachable errors (type 3, codes 1, 2, 9, 10, or 13)
- Open/Filtered: no response
- Open: any response
- Version detection may help

Slide 63:
- Examples:
    nmap 10.0.0.1
    nmap -sS 10.0.0.1

Slide 64:
- Wildcards: 192.168.*.*
- Range: 192.168.0-255.0-255
- Mask notation (CIDR, Classless Inter-Domain Routing): 192.168.0.0/16
- Not all of the above range would be valid

    Decimal          Binary
    192.168.1.1      11000000.10101000.00000001.00000001
    /16              11111111.11111111.00000000.00000000
    Binary AND the above together:
                     11000000.10101000.00000000.00000000
    192.168.0.0      11000000.10101000.00000000.00000000
    192.168.255.255  11000000.10101000.11111111.11111111

Slide 65:
- --exclude  Exclude some hosts
- -iL  Obtain targets from a file
- --excludefile
- All ports but 0:
    nmap -PN -p- egadz.metasploit.com
- Include 0:
    nmap -PN -p 0-65535 egadz.metasploit.com

Slide 66:
- For this class, "my" site: hackme.irongeek.com
- Every TCP port open: egadz.metasploit.com
- Provided by Nmap.org: scanme.nmap.org

Slide 67:
- Default "Ping"
- ARP if on the same subnet, and that's it; otherwise:
    ICMP Echo
    SYN to 443 (https)
    ACK to 80 (http)
    ICMP Timestamp Request
- And then in reverse

Slide 68:
- -sn  No port scan
- -PR  ARP Ping
- -Pn  No ping (can be slow; ARP always done)
- -PO  Protocol List Scan (default ICMP (1), IGMP (2), & IP-in-IP (4))
- -PS  SYN Ping, default 80, can set with something like -PS22-25
- -PI  ICMP Echo Ping
- -PB  -PT + -PI
- -PE  ICMP Echo Ping
- -PM  ICMP Address Mask Ping
- -PP  ICMP Timestamp Ping
- -PA  Much like SYN Ping, but with ACK
- -PU  UDP Ping
- -PT  TCP Ping
- -PY  SCTP Ping

Slide 69:
- Just discovery:
    nmap -sn 10.0.0.*
    nmap -Pn 10.0.0.*
- Ports:
    nmap 10.0.0.*
    nmap 10.0.0.3
    nmap 10.0.0.0/24 -p 80
    nmap -sS -sU 10.0.0.* -p T:80,U:80

Slide 70:
- -h  Nmap help
- -sS  TCP SYN scan
- -sT  TCP connect() scan
- -sU  UDP port scans
- -v  Verbose output
- -vv  Very verbose output
- -O  Detect Operating System (TCP/IP fingerprinting)
- -sV  Service version detection
- -PN  Don't ping, just scan
- -A  Aggressive options
- -T  Paranoid|Sneaky|Polite|Normal|Aggressive|Insane
- -p  Choose your ports (scan all ports with 0-65535)
- -F  Fast scan: scans only ports in the nmap-services file
- -n  Don't do reverse DNS lookup

Slide 71:
- Examples:
    nmap -O 10.0.0.*
    nmap -sV 10.0.0.*
    nmap -A 10.0.0.*

Slide 72: (image only)

Slide 73:
- -oN  Human readable, looks like normal Nmap output printed to the screen
- -oX  XML output (--webxml for online stylesheet)
- -oG  Grepable log
- -oS  S| (the "script kiddie" output format)

Slide 74:
- -sA  ACK Scan, useful on non-stateful firewalls for mapping out rule sets
- -sF  FIN Scan, just uses bare FIN packets
- -sX  XMAS (as in "all lit up like a Christmas tree") Scan, sends packets with the FIN, URG, and PSH flags turned on
- -sN  NULL Scan, sends packets with all flags turned off

Slide 75:
- Example:
    nmap 10.0.0.* -oA somenameforlog
    cat somenameforlog.gnmap
    grep 80/open/tcp somenameforlog.gnmap
    nmap 10.0.0.* --open
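Added example, not from the slides: parsing the grepable (.gnmap) output that -oA writes into a per-host inventory, generalising the `grep 80/open/tcp` idea, and diffing the inventory against an allow-list, which is what a defender does with the same log. The sample lines are constructed here in the shape of real .gnmap output, not a real scan; the function names are chosen here.

```python
import re

# Constructed sample in the shape of real .gnmap output (no real scan behind it).
SAMPLE_GNMAP = """\
# Nmap 7.80 scan initiated ... as: nmap 10.0.0.* -oA somenameforlog
Host: 10.0.0.1 ()\tStatus: Up
Host: 10.0.0.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/, 80/open/tcp//http//Apache httpd 2.4/, 443/closed/tcp//https///\tIgnored State: filtered (997)
Host: 10.0.0.3 (printer.example)\tStatus: Up
Host: 10.0.0.3 (printer.example)\tPorts: 9100/open/tcp//jetdirect///, 161/open|filtered/udp//snmp///\tIgnored State: closed (998)
# Nmap done at ... -- 256 IP addresses (2 hosts up) scanned in 12.34 seconds
"""

HOST_RE = re.compile(r"Host: (\S+) \(([^)]*)\)")
# Each port entry is port/state/protocol/owner/service/rpc-info/version/
PORT_RE = re.compile(r"(\d+)/([^/]+)/(tcp|udp|sctp)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")

def parse_gnmap(text: str) -> dict:
    """{ip: {"hostname": str, "ports": [{port, state, proto, service, version}]}}"""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):           # skip the '#' comment lines
            continue
        fields = line.split("\t")                  # sections are tab-separated
        m = HOST_RE.match(fields[0])
        if not m:
            continue
        entry = hosts.setdefault(m.group(1), {"hostname": m.group(2), "ports": []})
        for field in fields[1:]:
            if field.startswith("Ports:"):
                for pm in PORT_RE.finditer(field):
                    port, state, proto, _owner, service, _rpc, version = pm.groups()
                    entry["ports"].append({"port": int(port), "state": state,
                                           "proto": proto, "service": service,
                                           "version": version})
    return hosts

def open_ports(hosts: dict, proto: str = "tcp") -> dict:
    """Every port whose state is exactly 'open', per host. 'open|filtered' UDP
    guesses are deliberately not counted."""
    return {ip: sorted(p["port"] for p in h["ports"]
                       if p["proto"] == proto and p["state"] == "open")
            for ip, h in hosts.items()}

def hosts_with(hosts: dict, port: int, proto: str = "tcp") -> list:
    """The slide's `grep 80/open/tcp` as a function: which hosts have this port open."""
    return sorted(ip for ip, ports in open_ports(hosts, proto).items() if port in ports)

def unexpected(hosts: dict, allowed: dict) -> dict:
    """Open ports not in the allow-list {ip: {ports}}: the things to go look at."""
    out = {}
    for ip, ports in open_ports(hosts).items():
        extra = [p for p in ports if p not in allowed.get(ip, set())]
        if extra:
            out[ip] = extra
    return out

if __name__ == "__main__":
    inv = parse_gnmap(SAMPLE_GNMAP)
    print("open tcp:", open_ports(inv))
    print("hosts with 80/tcp open:", hosts_with(inv, 80))
    print("not on the allow-list:", unexpected(inv, {"10.0.0.1": {22, 80}}))
```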

Slide 76:
- -sI  Idlescan, an advanced scan that relies on sequential or predictable IPIDs; it "bounces" an attack off of another box, allowing for extra stealth and maybe the ability to get past firewalls (see idle-scan.swf)
- -b  FTP bounce attack, can be used with badly configured FTP servers to use the FTP daemon as a sort of proxy
- -D  Add decoy IPs to confuse the target's logs
- -f  Fragment packets

Slide 77:
- -sO  IP protocol scan, finds what IP protocols are supported (TCP, UDP, ICMP, etc.)
- --send_eth  Send packets using raw Ethernet instead of a raw socket
- --randomize_hosts  Randomizes the order in which hosts are scanned
- --spoof_mac  Allows you to choose a different MAC than your normal one; use 0 if you want Nmap to just choose a random MAC (DEADBEEFCAFE)
- -sL  Just do a DNS lookup but nothing else, great for footprinting
- -n  Never do a DNS lookup
- -PR  ARP ping, only works if you are on the same subnet
- -e  Specify network interface
- --source_port  Specify source port, may be useful for getting around non-stateful firewalls

Slide 78:
- List scan:
    nmap -sL 10.0.0.*

Slide 79:
- -sC  Performs a script scan using the default set of scripts
- --script <filename>|<category>|<directory>|all
- Categories: safe, intrusive, malware, version, discovery, vuln, auth, default
- C:\Program Files\Nmap\scripts

Slide 80: Nmap NSE/LUA Scripts
- -sC  Performs a script scan using the default set of scripts
- --script <filename>|<category>|<directory>|all
- Categories: safe, intrusive, malware, version, discovery, vuln, auth, default
- Fyodor did a talk at Defcon 18 on the subject
- Metasploit: if you can learn Ruby, write your own script and add it to auxiliary

Slide 81:

    description = [[
    Let's try to print something. Based this on the pptp script
    ]]
    -- rev 0.1 (08-23-2010)
    author = "Adrian Crenshaw"
    license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
    categories = {"safe"}

    require "comm"
    require "shortport"

    -- Run this script when the target port is 9100 (raw printing)
    portrule = shortport.version_port_or_service(9100)

    action = function(host, port)
      local payload = "Did I print?\n\n\027"  -- Just print this (\027 is ESC)
      comm.exchange(host, port, payload, {timeout=5000})
      return ("Hope for the best")
    end

Test with:
    nmap --script printsomething localhost
    ncat -l -p 9100
NSE docs: http://nmap.org/nsedoc/

Slide 82:
- Derbycon, Sept 24th-28th, 2014: http://www.derbycon.com
- Others:
    http://www.louisvilleinfosec.com
    http://skydogcon.com
    http://hack3rcon.org
    http://outerz0ne.org
    http://phreaknic.info
    http://notacon.org
- Photo credits to KC (devauto)
- Derbycon art credits to DigiP

Slide 83:
- 42
- Twitter: @Irongeek_ADC

