Adrian Crenshaw.  I run Irongeek.com  I have an interest in InfoSec education  I don’t know everything - I’m.

Presentation transcript:

1 Adrian Crenshaw

2
- I run Irongeek.com
- I have an interest in InfoSec education
- I don’t know everything - I’m just a geek with time on my hands
- Sr. Information Security Consultant at TrustedSec
- Co-Founder of Derbycon

3
- Since ports are fairly standard, if port 80/tcp is listening on a host, more than likely it’s running web services
- By sending packets to these port numbers, you can see what services are running on the host
- Knowing what services are running tells you something about the potential attack surface
- What about fingerprinting?

4
- One of the most popular port scanners
- Started by Gordon Lyon (Fyodor) back in 1997, as an article for Phrack Magazine 51
- Started as a fairly simple port scanner, and has suffered some pretty serious feature creep since
- Multiplatform (Linux, Windows, BSD, OS X)
- Open Source and available from

5
- To use an analogy, if IPs are an apartment complex’s address, ports are the apartment number
- Both UDP and TCP use incoming and outgoing ports
- Most IP based services listen on standard ports (HTTP 80/TCP, SMTP 25/TCP, SMB 139/445/TCP, DNS port 53/TCP and UDP)

6

7

8
- MAC (Media Access Control) is the address on the NIC (Network Interface Card)
- The term is used in Ethernet, but the same concept applies elsewhere
- Burned in addresses should be unique, and if they ask on the exam they are, but reality is sometimes different

9
- 48 bits (6 bytes) long, mostly represented in HEX like this: DE:AD:BE:EF:CA:FE
- OUI (Organizationally Unique Identifier) is the first half (DE:AD:BE, shown in red on the slide); the extension identifier is the second half (EF:CA:FE, shown in blue)
- See who is assigned what OUI here:

10
- 64 bit MAC addresses (EUI-64)
- OUI is still 24 bits
- Not sure what uses these

11
- IPv4 uses 32 bit addresses
- Usually represented as 4 octets (separated into its 4 bytes and written in decimal)
- Dec: HEX: C0A80101 Binary:
- 2^32 addresses possible (more or less), so about 4.3 billion
- Began running out of these, which is one reason for IPv6 and NAT

12
Count from 0!

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
|Version|  IHL  |Type of Service|          Total Length         |
|         Identification        |Flags|      Fragment Offset    |
|  Time to Live |    Protocol   |         Header Checksum       |
|                       Source Address                          |
|                    Destination Address                        |
|                    Options                    |    Padding    |

Slides 13 to 26 each highlight one field of this header.

13
- Version: the version of the IP protocol, 4 in this case, bits

14
- IHL: Internet Header Length, bits

15
- Type of Service: sets the priority of the packet

16
- Total Length: total length of the packet, min 20 max 65,

17
- Identification: used for fragmentation

18
- Flags: used for fragmentation

19
- Fragment Offset: used for fragmentation

20
- Time to Live: should have been called “Hop Count” based on most implementations. Seconds since the packet was born by spec

21
- Protocol: ICMP=1, TCP=6, UDP=17. Way more at:

22
- Header Checksum: to detect errors in transmission

23
- Source Address: where did I come from?

24
- Destination Address: where am I going?

25
- Options: extra options for the packet. Things like source routing would be here:

26
- Padding: to make sure data starts on a 32 bit boundary

27
- Networks have a Maximum Transmission Unit (MTU) size, often 1500 bytes
- Sometimes packets must be broken up to fit, which can be done by a router
- The IPID and Fragment Offset mentioned before are used to put packets back together
- The MTU of the path can be discovered by setting the Do Not Fragment flag and trying smaller sizes until you no longer get an ICMP “Fragmentation needed and DF set” message back
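Worked example, added here and not part of the slides: a small Python parser for the IPv4 header laid out on slides 12 to 27, decoding the fragmentation fields and verifying the header checksum. The sample header is constructed inside the script (TCP from 192.168.1.1 to 10.0.0.5), not a captured packet.

```python
import struct


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of the header's 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                          # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(packet: bytes) -> dict:
    """Decode the IPv4 header on slides 12-26 into named fields and verify its checksum."""
    if len(packet) < 20:
        raise ValueError("IPv4 header needs at least 20 bytes")
    ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4   # IHL counts 32-bit words
    if version != 4 or ihl < 20 or ihl > len(packet):
        raise ValueError("not a well-formed IPv4 header")
    flags = flags_frag >> 13                            # reserved, DF, MF
    # The checksum covers only the header (IHL bytes), with its own field zeroed
    zeroed = packet[:10] + b"\x00\x00" + packet[12:ihl]
    return {
        "version": version,
        "ihl_bytes": ihl,
        "tos": tos,
        "total_length": total_len,
        "identification": ident,
        "dont_fragment": bool(flags & 0b010),
        "more_fragments": bool(flags & 0b001),
        "fragment_offset": (flags_frag & 0x1FFF) * 8,   # offset is in 8-byte units
        "ttl": ttl,
        "protocol": {1: "ICMP", 6: "TCP", 17: "UDP"}.get(proto, str(proto)),
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "checksum_ok": ipv4_checksum(zeroed) == csum,
        "options": packet[20:ihl],
    }


def build_sample_header() -> bytes:
    """Constructed sample (not a capture): TCP, 192.168.1.1 -> 10.0.0.5, DF set, TTL 64."""
    fields = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64, 6, 0,
                         bytes([192, 168, 1, 1]), bytes([10, 0, 0, 5]))
    csum = ipv4_checksum(fields)                        # checksum field is 0 here
    return fields[:10] + struct.pack("!H", csum) + fields[12:]


if __name__ == "__main__":
    for name, value in parse_ipv4(build_sample_header()).items():
        print(f"{name:16} {value}")
```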

28
- 128 bit addresses, possible addresses (In technical terms: a shit load)
- 340 undecillion to us Yanks, 340 sextillion to Brits (which sounds like a fancy orgy)
- In some ways, IPv6 has a simpler header

29
40 bytes, 320 bits

|Version| Traffic Class |           Flow Label                  |
|         Payload Length        |  Next Header  |   Hop Limit   |
|                   Source Address (128 bits)                   |
|                Destination Address (128 bits)                 |

30
- Version is set to 6
- Traffic Class and Flow Label are used for QoS
- Payload Length is the size of the payload, not including the IP header itself
- Next Header points to the header of the encapsulated protocol
- Hop Limit was TTL in old IPv4; this is a better name
- Source and Destination Addresses

31
- Stateless Auto Configuration eliminates the need for DHCP (though it is still possible with DHCPv6, Stateful Auto Configuration)
- The IPv6 address is based on the MAC address and IPv6 router advertisements
- ff:fe is inserted into the middle of the MAC if it is 48 bits; an EUI-64 MAC address that is already 64 bits can be used as is
- Uses : for notation in HEX; :: can substitute for a run of 0s (but only once): fe80::60c:ceff:fed7:ed7c
- The one above is a Link-Local address (notice the fe80), and can be used to talk to other IPv6 hosts on the network without the router
- Universal/Local (U/L) bit is set to 1 if the burned in MAC address is overridden
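Added example, not from the slides: deriving the fe80:: link-local address from a 48-bit MAC the way slide 31 describes, using the modified EUI-64 rule from RFC 4291 (insert ff:fe in the middle, invert the U/L bit) and the :: shorthand applied once to the longest run of zero groups. The MAC 04:0c:ce:d7:ed:7c is constructed so the result reproduces the slide’s fe80::60c:ceff:fed7:ed7c.

```python
def mac_to_link_local(mac: str) -> str:
    """Derive the fe80::/64 link-local address SLAAC forms from a 48-bit MAC.

    Steps (slide 31): split the MAC in half, insert ff:fe between the halves,
    invert the Universal/Local bit (0x02 of the first octet, per RFC 4291),
    then prefix fe80:: (the remaining prefix groups are all zero).
    """
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC")
    eui64 = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui64[0] ^= 0x02                         # invert the U/L bit
    groups = [(eui64[i] << 8) | eui64[i + 1] for i in range(0, 8, 2)]
    return compress_ipv6(["fe80", "0", "0", "0"] + [f"{g:x}" for g in groups])


def compress_ipv6(groups: list) -> str:
    """Apply :: once, to the longest run of zero groups (RFC 5952 rules).

    A run of a single zero group is written as 0, never as ::.
    Groups are expected without leading zeros, as f"{g:x}" produces them.
    """
    best_start, best_len, run_start = -1, 0, -1
    for i, g in enumerate(groups + ["x"]):   # sentinel closes a trailing run
        if g == "0":
            if run_start < 0:
                run_start = i
        elif run_start >= 0:
            if i - run_start > best_len:
                best_start, best_len = run_start, i - run_start
            run_start = -1
    if best_len < 2:
        return ":".join(groups)
    head = ":".join(groups[:best_start])
    tail = ":".join(groups[best_start + best_len:])
    return f"{head}::{tail}"


if __name__ == "__main__":
    # Constructed MACs: the first reproduces the slide's link-local example
    for mac in ("04:0c:ce:d7:ed:7c", "DE:AD:BE:EF:CA:FE"):
        print(mac, "->", mac_to_link_local(mac))
```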

32
Size matters

Name      Number of hosts   Range   Leading bits   Notes
Class A   16,777,            to
Class B   65,                to
Class C                      to
Class D   Undefined?         to                    Multicast
Class E   Undefined?         to                    Reserved

33
- CIDR allows for less waste by splitting networks up
- CIDR notation: = / = / = /8
- Could also be others

34
- Dickins Corp uses IP range 10.*.*.*
- Assume an example host is
- Let’s say they use (/20) for a subnet
- The network section comes first (red on the slide), the host section after it (blue)
- AND with host IP =
- If two different IPs ANDed with the same subnet mask give the same result, they are on the same network
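Added example, not from the slides: the AND on slide 34 carried out in Python for a Dickins Corp style /20 subnet inside 10.*.*.*, with the network/host split rendered in binary and a check for whether two hosts share a network. The hosts 10.1.23.45, 10.1.31.200 and 10.1.32.1 are constructed for the demo.

```python
def ip_to_int(ip: str) -> int:
    """'10.1.23.45' -> 0x0A01172D; rejects anything that is not four octets 0..255."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {ip}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix: int) -> int:
    """/20 -> 0xFFFFF000: the top `prefix` bits set, the host bits clear."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be 0..32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def mask_to_prefix(mask: str) -> int:
    """255.255.240.0 -> 20; rejects non-contiguous masks such as 255.0.255.0."""
    m = ip_to_int(mask)
    prefix = bin(m).count("1")
    if prefix_to_mask(prefix) != m:
        raise ValueError(f"non-contiguous mask: {mask}")
    return prefix


def network_of(ip: str, prefix: int) -> str:
    """The AND on slide 34: host IP & mask = network address."""
    return int_to_ip(ip_to_int(ip) & prefix_to_mask(prefix))


def same_network(ip_a: str, ip_b: str, prefix: int) -> bool:
    return network_of(ip_a, prefix) == network_of(ip_b, prefix)


def show_and(ip: str, prefix: int) -> str:
    """Render the slide's red/blue split as text: | separates network bits from host bits."""
    def bits(n: int) -> str:
        s = f"{n:032b}"
        return s[:prefix] + "|" + s[prefix:]
    a, m = ip_to_int(ip), prefix_to_mask(prefix)
    return "\n".join([f"host    {bits(a)}  {ip}",
                      f"mask    {bits(m)}  {int_to_ip(m)}",
                      f"network {bits(a & m)}  {int_to_ip(a & m)}"])


if __name__ == "__main__":
    # Constructed hosts inside the Dickins Corp 10.*.*.* range, /20 subnets
    print(show_and("10.1.23.45", 20))
    for other in ("10.1.31.200", "10.1.32.1"):
        print(other, "same /20 as 10.1.23.45:", same_network("10.1.23.45", other, 20))
```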

35
- Address Resolution Protocol allows machines to find the Layer 2 MAC address for a Layer 3 IP
- If the computer has the IP, it can send a broadcast message asking who has this IP?
- Then communication can happen
- RARP (Reverse Address Resolution Protocol) is the opposite and is used by diskless workstations
- Think about static ARP entries
(Diagram) “Hey, who has IP ?” “That’s me! My MAC Address is DE:AD:BE:FE:CA:FE”

36
- TCP = Transmission Control Protocol
- Considered a “reliable”, session based protocol (though it is said to be on the Transport layer of OSI, AKA Layer 4)
- Starts with the three way handshake of:
  - Host 1: SYN
  - Host 2: SYN/ACK
  - Host 1: ACK
- Has the concept of source and destination ports to specify what service to connect to

37
IP Header is above this

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
|          Source Port          |       Destination Port        |
|                        Sequence Number                        |
|                    Acknowledgment Number                      |
|  Data |           |U|A|P|R|S|F|                               |
| Offset| Reserved  |R|C|S|S|Y|I|            Window             |
|       |           |G|K|H|T|N|N|                               |
|           Checksum            |         Urgent Pointer        |
|                    Options                    |    Padding    |
|                    Porn, uhhh I mean data                     |

Slides 38 to 48 each highlight one field of this header.

38
- Source Port / Destination Port: think apartment numbers in a complex

39
- Sequence Number / Acknowledgment Number: keeps the connection in sync and allows knowing which packets got through

40
- Data Offset: gives the size of the TCP header in 32 bit words, at least 5, at max is

41
- Reserved: not all used currently, but maybe later? These were added in 2001 and 2003 for congestion control (the slide shows them as three extra flag bits taken from the reserved field, to the left of URG):
  - CWR = Congestion Window Reduced
  - ECE = Explicit Congestion Notification Echo
  - NS = Nonce Sum

42
- Flags:
  - URG = This is important, go look at the urgent field
  - ACK = Says the Acknowledgment field is important. Should be set on all packets after the initial SYN
  - PSH = Asks to push the buffered data to the application
  - RST = Reset the connection
  - SYN = Hey! Synchronize Sequence Numbers!
  - FIN = We done son, tear down the connection

43
- Window: tells how much data you can send, for flow control

44
- Checksum: used for error checking

45
- Urgent Pointer: offset from the Sequence Number to the last urgent data byte

46
- Options: size is determined by the Data Offset field; too many to list, so see https://www.iana.org/assignments/tcp-parameters/tcp-parameters.xhtml

47
- Padding: makes sure the header stops at a 32 bit boundary

48
- Data: here is the data

49
- During the SYN, SYN/ACK, ACK handshake, the two parties make up their own sequence numbers to exchange
- As data is passed, each increments the other’s sequence number and passes it back to acknowledge that a packet was received
- ACKs are used throughout, and a FIN is used at the end to tear down the connection (sometimes a RST)

50
- UDP = User Datagram Protocol
- Considered connectionless, “unreliable”, fire and forget
- Meant for when speed and low overhead are more important than reliability, and the data passed can be lossy:
  - NTP
  - VoIP
  - DNS
  - Streaming Video

51
- Pretty simple
- Checksum is optional

|          Source Port          |       Destination Port        |
|            Length             |           Checksum            |
|                     Data: VoIP phone sex                      |

52
- 16 bit port fields allow for 0 to 65535, or ports
- 1023 and lower are reserved ports (may need to be root to open)
- 1024 and up are ephemeral ports (most apps will source from these ports)
- Common ports: HTTP=80/tcp, HTTPS=443/tcp, SMTP=25/tcp, SSH=22/tcp, Telnet=23/tcp, DNS=53/udp & tcp

53
- ICMP is Internet Control Message Protocol and helps out the other protocols
- Considered to be layer 3, despite IP being layer 3 and ICMP riding on it
- Used for troubleshooting (like ping) and reporting errors
- Uses types and codes instead of ports

54
- Type 8 = Echo
- Type 0 = Echo Reply
- All of Type 3 is Destination Unreachable
  - Type 3, Code 0 = Network Unreachable
  - Type 3, Code 1 = Host Unreachable
  - Type 3, Code 4 = Fragmentation Needed and Don't Fragment was Set
- Type 11, Code 0 = Time to Live exceeded in Transit
- Type 11, Code 1 = Fragment Reassembly Time Exceeded

55
- PING is a tool using ICMP Echo Requests and Echo Replies
- Named for the sound of sonar, but the backronym is Packet Internet Groper
- Used to see if a host is up
- Not so reliable now, as so many organizations block various ICMP packets with firewalls

56
- Traceroute sends packets with the TTL field incremented each time to determine the path of packets on the network
- Steps:
  1. Send a packet with a TTL of 1
  2. The first router decrements the TTL of the packet, sees that it is now 0 and drops it
  3. The router sends an ICMP Time Exceeded message back to the original host; since this message has the IP of the router, it can be used to identify it
  4. The original host takes note of the first hop, then sends another packet with the TTL set to 2
  5. Repeat until the destination is reached or whatever the default max is, incrementing the TTL each time
- Also not as reliable as it once was
- Windows uses ICMP packets, *nix uses UDP
- Both usually send three packets back to back for each hop

57
(Diagram: packets sent with TTL 1, TTL 2, TTL 3 and TTL 4; each router along the way answers with TTL Exceeded until the last packet reaches the destination: “It Got Here!”)

58
- BOOTP, Bootstrap Protocol, server port 67/udp, client port 68/udp, used by diskless workstations
- DHCP, Dynamic Host Configuration Protocol, server port 67/udp, client port 68/udp
- DNS, Domain Name System, 53/udp & 53/tcp; DNSSEC uses PKI to add integrity, but not confidentiality
- FTP, File Transfer Protocol, 21/tcp (control), 20/tcp (data in active FTP)
- HTTP/HTTPS, Hyper Text Transfer Protocol, 80/tcp, 443/tcp if using SSL/TLS
- IMAP, Internet Message Access Protocol, 143/tcp
- Telnet, 23/tcp, terminal emulation
- TFTP, Trivial File Transfer Protocol, 69/udp
- POP3, Post Office Protocol, 110/tcp
- SNMP, Simple Network Management Protocol, 161/udp
- SSH, 22/tcp, like telnet but encrypted; SFTP rides on top of it
- SMTP, Simple Mail Transfer Protocol, 25/tcp

59
Connect Scan (-sT) against an open port:
  1. SYN
  2. SYN/ACK
  3. ACK
  4. RST/ACK
SYN Scan (-sS) against an open port:
  1. SYN
  2. SYN/ACK
  3. RST

60
Connect Scan (-sT) against a closed port:
  1. SYN
  2. RST/ACK
SYN Scan (-sS) against a closed port:
  1. SYN
  2. RST/ACK

61
Groundwork for OS detection
- ACK to a closed or open port, Linux or Windows = RST
- Xmas scan (URG, PSH, FIN) on an open or closed port:
  - Linux = no response
  - Windows = RST, ACK
- OSfuscate: uscate-change-your-windows-os-tcp-ip-fingerprint-to-confuse-p0f-networkminer-ettercap-nmap-and-other-os-detection-tools

62
- Closed: ICMP port unreachable error (type 3, code 3)
- Filtered: ICMP unreachable errors (type 3, codes 1, 2, 9, 10, or 13)
- Open/Filtered: no response
- Open: any response
- Version detection may help

63
Examples:
nmap
nmap -sS

64
- Wildcards: *.*
- Range:
- Mask Notation (CIDR): /16 (Classless Inter-Domain Routing). Not all of the above range would be valid
- Decimal / Binary: binary AND the above together

65
- --exclude: exclude some hosts
- -iL: obtain targets from a file
- --excludefile
- All ports but 0: nmap -PN -p- egadz.metasploit.com
- Include 0: nmap -PN -p egadz.metasploit.com

66
For this class:
- “My” site: hackme.irongeek.com
- Every TCP port open: egadz.metasploit.com
- Provided by Nmap.org: scanme.nmap.org

67
- Default “Ping”
- ARP if on the same subnet, and that’s it; otherwise:
  - ICMP Echo
  - SYN to 443 (https)
  - ACK to 80 (http)
  - ICMP Timestamp Request
- And then in reverse

68
- -sn: No port scan
- -PR: ARP Ping
- -Pn: No ping (can be slow; ARP always done)
- -PO: Protocol List Scan (default ICMP (1), IGMP (2), & IP-in-IP (4))
- -PS: SYN Ping, default 80, can set with something like -PS22-25
- -PI: ICMP Echo Ping
- -PB: -PT + -PI
- -PE: ICMP Echo Ping
- -PM: ICMP Address Mask Ping
- -PP: ICMP Timestamp Ping
- -PA: Much like SYN Ping, but with ACK
- -PU: UDP Ping
- -PT: TCP Ping
- -PY: SCTP Ping

69
Just discovery:
nmap -sn *
nmap -Pn *
Ports:
nmap *
nmap
nmap /24 -p 80
nmap -sS -sU * -p T:80,U:80

70
- -h: Nmap help
- -sS: TCP SYN scan
- -sT: TCP connect() scan
- -sU: UDP port scans
- -v: Verbose output
- -vv: Very verbose output
- -O: Detect Operating System (TCP/IP fingerprinting)
- -sV: Service version detection
- -PN: Don't ping, just scan
- -A: Aggressive Options
- -T: Paranoid|Sneaky|Polite|Normal|Aggressive|Insane
- -p: Choose your ports (scan all ports with )
- -F: Fast Scan, scans only ports in the nmap-services file
- -n: Don't do reverse DNS lookup

71
Examples:
nmap -O *
nmap -sV *
nmap -A *

72

73
- -oN: Human readable, looks like normal Nmap output printed to the screen
- -oX: XML output (--webxml for online stylesheet)
- -oG: Grepable log
- -oS: S|

74
- -sA: ACK Scan, useful on non-stateful firewalls for mapping out rule sets
- -sF: FIN Scan, just uses bare FIN packets
- -sX: XMAS (as in "all lit up like a Christmas tree") Scan, sends packets with the FIN, URG, and PSH flags turned on
- -sN: NULL Scan, sends packets with all flags turned off
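Added example, not from the slides: a Python decoder for the TCP header on slides 37 to 48 that pulls out all nine flag bits (including NS, CWR and ECE from slide 41), plus a classifier that labels the bare flag combinations the scan types on slides 59 to 61 and 74 send, the kind of tagging a defender does over unsolicited segments in a capture. Sample segments are built in the script, not captured, and the checksum is left at zero because it needs the IP pseudo-header.

```python
import struct

# Flag bit positions in the 16-bit "data offset / reserved / flags" word (slides 41-42)
FLAG_BITS = {"FIN": 0x001, "SYN": 0x002, "RST": 0x004, "PSH": 0x008, "ACK": 0x010,
             "URG": 0x020, "ECE": 0x040, "CWR": 0x080, "NS": 0x100}


def parse_tcp(segment: bytes) -> dict:
    """Decode the fixed 20-byte TCP header (slides 37-48) into named fields."""
    if len(segment) < 20:
        raise ValueError("TCP header needs at least 20 bytes")
    sport, dport, seq, ack, off_flags, window, csum, urg = struct.unpack(
        "!HHIIHHHH", segment[:20])
    header_len = (off_flags >> 12) * 4      # Data Offset is in 32-bit words, min 5
    if header_len < 20 or header_len > len(segment):
        raise ValueError("bad data offset")
    flags = off_flags & 0x1FF               # low 9 bits: NS CWR ECE URG ACK PSH RST SYN FIN
    return {
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
        "header_len": header_len, "window": window, "checksum": csum,
        "urgent_pointer": urg,
        "flags": [name for name, bit in FLAG_BITS.items() if flags & bit],
        "options": segment[20:header_len],
        "payload": segment[header_len:],
    }


def classify_probe(flag_names: list) -> str:
    """Label the bare flag combinations the scan types on slides 59-61 and 74 send."""
    f = set(flag_names) - {"NS", "CWR", "ECE"}   # congestion bits don't change the shape
    if not f:
        return "NULL scan probe (-sN)"
    if f == {"FIN"}:
        return "FIN scan probe (-sF)"
    if f == {"FIN", "PSH", "URG"}:
        return "Xmas scan probe (-sX)"
    if f == {"ACK"}:
        return "ACK probe (-sA / -PA)"
    if f == {"SYN"}:
        return "SYN (first packet of -sT/-sS, or -PS ping)"
    if f == {"SYN", "ACK"}:
        return "SYN/ACK (open port replying)"
    if "RST" in f:
        return "RST (closed port, or scanner tearing down)"
    return "ordinary segment"


def build_tcp(sport: int, dport: int, flags: list, seq=0, ack=0, window=1024) -> bytes:
    """Constructed header for the demo; checksum left 0 (needs the IP pseudo-header)."""
    bits = 0
    for name in flags:
        bits |= FLAG_BITS[name]
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | bits, window, 0, 0)


if __name__ == "__main__":
    for flags in ([], ["FIN"], ["FIN", "PSH", "URG"], ["SYN"], ["ACK"],
                  ["SYN", "ACK"], ["PSH", "ACK"]):
        decoded = parse_tcp(build_tcp(40000, 80, flags))
        label = "+".join(decoded["flags"]) or "(none)"
        print(f"{label:13} -> {classify_probe(decoded['flags'])}")
```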

75
Example:
nmap * -oA somenameforlog
cat somenameforlog.gnmap
grep 80/open/tcp some.gnmap
nmap * --open

76
- -sI: Idle scan, an advanced scan that relies on sequential or predictable IPIDs; it “bounces” an attack off of another box, allowing for extra stealth and maybe the ability to get past firewalls. Open: idle-scan.swf
- -b: FTP bounce attack, can be used with badly configured FTP servers to use the FTP daemon as a sort of proxy
- -D: Add decoy IPs to confuse the target's logs
- -f: Fragment Packets

77
- -sO: IP protocol scans, find what IP protocols are supported (TCP, UDP, ICMP, etc.)
- --send_eth: Send packets using raw Ethernet instead of a raw socket
- --randomize_hosts: Randomizes the order in which hosts are scanned
- --spoof_mac: Allows you to choose a different MAC than your normal one; use 0 if you want Nmap to just choose a random MAC (DEADBEEFCAFE)
- -sL: Just do a DNS lookup but nothing else, great for footprinting
- -n: Never do a DNS lookup
- -PR: ARP ping, only works if you are on the same subnet
- -e: Specify network interface
- --source_port: Specify source port, may be useful for getting around non-stateful firewalls

78
List scan:
nmap -sL *

79
- -sC: Performs a script scan using the default set of scripts
- --script | | |all
- Categories: safe, intrusive, malware, version, discovery, vuln, auth, default
- C:\Program Files\Nmap\scripts

80
Nmap NSE/LUA Scripts
- Fyodor did a talk at Defcon 18 on the subject
- Metasploit: if you can learn Ruby, write your own script and add it to auxiliary

81
```lua
description = [[
Let's try to print something. Based this on the pptp script
]]

-- rev 0.1 ( )

author = "Adrian Crenshaw"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"safe"}

local comm = require "comm"
local shortport = require "shortport"

-- Run against the raw printer port (9100/tcp) or anything detected as that service
portrule = shortport.version_port_or_service(9100)

action = function(host, port)
  local payload = "Did I print?\n\n\027"  -- just print this; \027 is ESC
  -- Send the text and wait up to 5 seconds for whatever the printer says back
  comm.exchange(host, port, payload, {timeout=5000})
  return "Hope for the best"
end
```

Test with:
nmap --script printsomething localhost
ncat -l -p 9100
NSE docs:

82
- Derbycon Sept 24th-28th,
- Others
- Photo credits to KC (devauto)
- Derbycon art credits to DigiP

83 42

