COMP265 -- Pentesting Tools: nmap

Tons of Tools
Top 125 Network Security Tools – http://sectools.org/
– “I also point newbies to this site whenever they write me saying ‘I don't know where to start’.”
– “Anyone in the security field would be well advised to go over the list and investigate tools they are unfamiliar with.”

Types of Tools
Function
– Scanners
– Sniffers
– Monitors
– Viewers
– Crackers
– Root kits
– Access servers
– Packet insertion
– ...

Types of Tools (cont.)
Roles: tools for each phase of a Pentest/Cracking
– Foot Printing/Reconnaissance
– Scanning
– Enumeration
– Gaining Access
– Escalating Privilege
– Creating Backdoors/Maintaining Access
– Covering Your Tracks

Types of Tools (cont.)
Standalone tools
– Nmap, wireshark, netcat, ...
Frameworks
– Metasploit
Live CD's (cd-distros-pen-test-forensics-recovery/)
– Backtrack (now Kali)
– Operator
– Knoppix STD
– Helix
– ...
– We use Kali

Kali
– Based on Debian
– Over 300 tools
– FHS compliant
– GPG signed packages and repositories
– Gnome based GUI

Vulnerability Assessment Outline
– Pre-Inspection Visit
– Network Footprinting (Reconnaissance)
– Discovery & Probing - Scanning
– Enumeration
– Vulnerability Assessment (Penetration – Gaining access)
– Reporting

Scanning
– This is where we want to assess our opponent's systems.
– What operating system do they use?
– What ports are they listening on?
– We are looking for vulnerable places to enter into their systems.

Step 1: What systems are there that are alive?
Use ping-like tools
– Fping
– nping
– Hping (2, 3)
– Nmap
– Netcat
– TCPtraceroute
– 0trace
– Lots of others

Ping-like tools
TCPtraceroute, 0trace
– We might look at these later
Netcat
– Very general purpose and familiar
Nping
– Packet assembler from the nmap team

Fping, Hping, Hping2, Hping3
Hping
– Command-line oriented TCP/IP packet assembler/analyzer
– Ping-like interface
Hping2, 3
– Interactive upgrade
– Hping3 is scriptable
Fping
– fping is different from ping in that you can specify any number of hosts on the command line, or specify a file containing the list of hosts to ping

Step 2: What services are running?
Port scanners
– Netcat
– Nmap
– Masscan
  Very fast port scanner
– Firewalk
  Tries to traceroute through the firewall
  Finds out what ports are open in the firewall
– Others
  IP protocol scanner – Protos

Step 3: What software is running?
OS/Service Fingerprinting
ASS – Autonomous System Scanner
– Finds routers
P0f – Passive OS fingerprinting tool
– Works by observing traffic
– Useful to inventory systems for defensive purposes also

Step 3: What software is running? (cont.)
OS/Service Fingerprinting
SinFP
– OS fingerprinting on a per-TCP-port basis
xprobe2
– Relies on fuzzy signature matching, probabilistic guesses, multiple matches simultaneously, and a signature database
NMAP
SNMP
Others

NMAP
– Tool for network exploration and security auditing
– Rapidly scans large networks
– Determines:
  – hosts available
  – services hosts are offering
  – operating systems and OS versions
  – packet filters/firewalls in use
  – other characteristics

NMAP
– Almost the only tool you need for the scanning phase
– Open source, yet well documented
– Complicated: the command line has many, many options
  – The tool is versatile after all
– Nice output
  – Targets
  – Ports
  – OS info

Options Summary
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
  Can pass hostnames, IP addresses, networks, etc.
  Ex: scanme.nmap.org, microsoft.com/24
  -iL <inputfilename>: Input from list of hosts/networks
  -iR <num hosts>: Choose random targets
  --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
  --excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
  -sL: List Scan - simply list targets to scan
  -sP: Ping Scan - go no further than determining if host is online
  -PN: Treat all hosts as online -- skip host discovery
  -PS/PA/PU[portlist]: TCP SYN/ACK or UDP discovery to given ports
  -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
  -PO[protocol list]: IP Protocol Ping
  ... goes on for 100 lines total!

Port States
Open
– Actively accepting TCP connections or UDP packets
Closed
– Receives and responds to Nmap probe packets
– No application listening
Filtered
– Packet filtering prevents probes from reaching the port
Unfiltered
– Accessible, but unable to determine whether open or closed (ACK scan)
Open|filtered
– Unable to determine whether open or filtered
Closed|filtered
– Unable to determine whether closed or filtered (idle scan)

NMAP scans
Lots of different types
nmap -sS
– TCP SYN scan
– Fast
– Relatively unobtrusive and stealthy
– Clear, reliable differentiation between the open, closed, and filtered states
– Sends a SYN, then waits for a response

NMAP scans
nmap -sT
– TCP connect scan
– Default TCP type when SYN scan is not an option
– Asks the O/S to establish the connection
– Slower, more noticeable
– Doesn't use raw packets

NMAP scans
nmap -sU
– UDP scan
– Sends an empty (no data) UDP header
– Response is an ICMP port unreachable or another ICMP error
– Or maybe a UDP response from the service

NMAP scans
nmap -sN / -sF / -sX
– TCP NULL, FIN, and Xmas scans
– Exploit a subtle loophole in the TCP RFC
– Differentiate between open and closed ports
– Any packet not containing SYN, RST, or ACK:
  Returns RST if the port is closed
  No response if the port is open

NMAP scans
nmap -sN; -sF; -sX
– Null scan (-sN): does not set any bits (TCP flag header is 0)
– FIN scan (-sF): sets just the TCP FIN bit
– Xmas scan (-sX): sets the FIN, PSH, and URG flags, lighting the packet up like a Christmas tree

NMAP scans
nmap -sA
– TCP ACK scan
– Used to map out firewall rulesets
  – Whether stateful or not
  – Which ports are filtered
– Only the ACK flag set
  Unfiltered systems (open and closed ports alike) return a RST
  Filtered systems don't respond, or return certain ICMP error messages

NMAP scans
nmap -sW
– TCP Window scan
– Same as ACK scan except...
– Differentiates open ports from closed ones by examining the TCP Window field of the RST packets
– On some systems:
  Open ports use a positive window size
  Closed ones have a zero window

NMAP scans
nmap -sO
– IP protocol scan
– Determines supported IP protocols (TCP, ICMP, IGMP, etc.)
– Isn't technically a port scan
– Cycles through IP protocol numbers
– Similar to a UDP scan
– Sends IP packet headers and iterates through the eight-bit IP protocol field
– Looking for ICMP protocol unreachable messages
  – Any response marks that protocol open
  – Protocol unreachable marks it closed
  – Other unreachable errors mark it filtered (though they prove that ICMP is open too)
  – No response marks it open|filtered
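The port-state rules spread over the slides from "Port States" to the protocol scan can be collected into one decision function. The block below is an added example written for this page, not Nmap's own code: it maps, per scan type, the reply seen to the state Nmap reports, and shows the TCP flags byte each raw TCP probe carries (which is what a NULL/FIN/Xmas signature in an IDS is keyed on). The reply names ("synack", "rst", "icmp_unreach_port", ...) and the function names are this example's own.

```python
# Added example (not Nmap's source): reply -> port state per scan type,
# following the rules on the slides. Reply names are this example's own.

# TCP header flag bits (RFC 793 flags byte); used by the raw TCP scans.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flags set on the probe each raw TCP scan type sends.
PROBE_FLAGS = {
    "-sS": SYN,                # SYN scan
    "-sA": ACK,                # ACK scan
    "-sW": ACK,                # Window scan sends the same probe as -sA
    "-sN": 0,                  # NULL scan: flags byte is 0
    "-sF": FIN,                # FIN scan
    "-sX": FIN | PSH | URG,    # Xmas scan
}

# ICMP unreachable replies that mean "something filtered the probe".
FILTERING_ICMP = {"icmp_unreach_net", "icmp_unreach_host",
                  "icmp_unreach_proto", "icmp_unreach_admin"}


def probe_flags(scan):
    """TCP flags byte of the probe for a raw TCP scan type."""
    return PROBE_FLAGS[scan]


def classify(scan, reply, window=None):
    """Map one probe outcome to an Nmap port state.

    reply: "synack", "rst", "udp_data", "icmp_unreach_port",
           one of FILTERING_ICMP, or "none" (no answer after retries).
    window: TCP window field of a RST reply (only -sW looks at it).
    """
    if scan in ("-sS", "-sT"):
        # SYN/ACK = listener; RST = closed; silence or ICMP error = filtered.
        if reply == "synack":
            return "open"
        if reply == "rst":
            return "closed"
        return "filtered"

    if scan == "-sU":
        if reply == "udp_data":
            return "open"
        if reply == "icmp_unreach_port":
            return "closed"
        if reply in FILTERING_ICMP:
            return "filtered"
        return "open|filtered"          # silence: open or dropped, can't tell

    if scan in ("-sN", "-sF", "-sX"):
        # RFC 793 loophole: a closed port must answer RST, an open one stays silent.
        if reply == "rst":
            return "closed"
        if reply in FILTERING_ICMP:
            return "filtered"
        return "open|filtered"

    if scan == "-sA":
        # ACK scan cannot see open vs closed, only whether a RST comes back.
        return "unfiltered" if reply == "rst" else "filtered"

    if scan == "-sW":
        if reply != "rst":
            return "filtered"
        # Window scan: positive window in the RST -> open, zero -> closed.
        return "open" if (window or 0) > 0 else "closed"

    raise ValueError(f"unknown scan type {scan}")


def classify_protocol(reply):
    """IP protocol scan (-sO): state of one IP protocol number."""
    if reply == "icmp_unreach_proto":
        return "closed"
    if reply in FILTERING_ICMP:
        return "filtered"               # though this proves ICMP itself is open
    if reply == "none":
        return "open|filtered"
    return "open"                       # any other response at all


if __name__ == "__main__":
    for scan, reply in [("-sS", "synack"), ("-sX", "none"), ("-sA", "rst")]:
        print(scan, reply, "->", classify(scan, reply))
```

Two things the table makes visible: the NULL, FIN and Xmas scans can never say "open" outright (silence is ambiguous, hence open|filtered), and a host whose stack answers every port with RST regardless of flags (Windows does this) reports everything as closed under those scans. Real Nmap retransmits before it settles on "none", so the classification above is per final outcome, not per packet.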

NMAP scans
nmap -sI <zombie host>[:<probeport>]
– Idle scan
– Allows for a truly blind TCP port scan
– No packets are sent to the target from your IP address
– Scan is bounced off a dumb "zombie host"
– Exploits predictable IP fragmentation ID sequence generation on the zombie host
– Permits mapping out IP-based trust relationships between machines
– Shows open ports from the perspective of the zombie host

Idle scan
IP packets have a fragment identification number (IP ID)
– Probing the IP ID tells how many packets have been sent since the last probe
Send a SYN to the target, spoofing the zombie's address as source
– SYN/ACK if the port is open
  Zombie responds to the unsolicited SYN/ACK packet with a RST
– RST if the port is closed
  Unsolicited RST is ignored

Idle scan
– Probe the zombie's IP ID
– Forge a SYN packet from the zombie and send it to the desired port on the target
  The reaction may or may not cause the zombie's IP ID to be incremented
– Probe the zombie's IP ID again
  The IP ID should have increased by either one or two
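The three-step procedure on the two idle-scan slides reduces to arithmetic on the zombie's IP ID, and a small model makes the "one or two" bookkeeping concrete. The block below is an added example, not Nmap code: Zombie, Target, the reply names and the stride values of the randomising zombie are all constructions of this example. It also includes the up-front check that the zombie's IP ID really is incremental, which is why a host with randomised or zeroed IP IDs (the default on current operating systems) cannot be used as a zombie, and why finding an incremental-IP-ID host on your own network is worth noting.

```python
# Added example (not Nmap's code): a toy model of the idle scan arithmetic.
# Zombie, Target and the reply names are this example's own constructions.


class Zombie:
    """Idle host whose IP ID goes up by one for every packet it sends."""

    def __init__(self, start=1000):
        self._ipid = start

    def _send(self):
        # Every packet the zombie emits consumes one IP ID value.
        self._ipid = (self._ipid + 1) & 0xFFFF
        return self._ipid

    def probe_ipid(self):
        # The prober sends the zombie a SYN/ACK; the RST the zombie answers
        # with carries its current IP ID, which is the value read here.
        return self._send()

    def receive(self, segment):
        if segment == "synack":
            self._send()          # unsolicited SYN/ACK -> zombie sends a RST
        # an unsolicited RST is silently dropped: no packet, no increment


class RandomizingZombie(Zombie):
    """Host that randomises its IP ID; the strides are a constructed stand-in."""
    STRIDES = (5137, 22891, 913, 40022, 17, 60001)

    def __init__(self):
        super().__init__()
        self._n = 0

    def _send(self):
        stride = self.STRIDES[self._n % len(self.STRIDES)]
        self._ipid = (self._ipid + stride) & 0xFFFF
        self._n += 1
        return self._ipid


class Target:
    """Target with some open ports and some ports a firewall silently drops."""

    def __init__(self, open_ports, filtered_ports=()):
        self.open_ports = set(open_ports)
        self.filtered_ports = set(filtered_ports)

    def receive_syn(self, port, spoofed_src):
        if port in self.filtered_ports:
            return                             # dropped: nobody answers
        # The reply goes to the spoofed source address, i.e. the zombie.
        spoofed_src.receive("synack" if port in self.open_ports else "rst")


def zombie_usable(zombie, probes=4):
    """Check the zombie's IP ID really is incremental before relying on it."""
    ids = [zombie.probe_ipid() for _ in range(probes)]
    return all(((b - a) & 0xFFFF) == 1 for a, b in zip(ids, ids[1:]))


def idle_scan(zombie, target, port):
    """Infer the target's port state from two readings of the zombie's IP ID."""
    before = zombie.probe_ipid()
    target.receive_syn(port, spoofed_src=zombie)   # forged SYN "from" the zombie
    after = zombie.probe_ipid()
    delta = (after - before) & 0xFFFF
    if delta == 2:
        return "open"             # zombie sent a RST in between: target said SYN/ACK
    if delta == 1:
        return "closed|filtered"  # nothing in between: RST ignored or SYN dropped
    return "unknown"              # zombie was not idle, or IP ID not predictable


if __name__ == "__main__":
    z, t = Zombie(), Target(open_ports={22, 80}, filtered_ports={3389})
    print("usable zombie:", zombie_usable(z))
    for p in (22, 23, 3389):
        print(p, idle_scan(z, t, p))
    print("usable randomising zombie:", zombie_usable(RandomizingZombie()))
```

Note that a filtered port and a closed port both leave the delta at one, which is exactly why Nmap reports closed|filtered for this scan and nothing finer. From the defender's side, the target only ever sees traffic from the zombie's address, so the log entry to look for is a burst of SYNs from an internal host that never completes a handshake.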

Idle Scan

Fingerprinting
Version detection: nmap -sV; --allports
– Database contains probes for querying various services and match expressions to recognize and parse responses
– Tries to determine:
  – the service protocol (e.g. FTP, SSH, Telnet, HTTP)
  – the application name (e.g. ISC BIND, Apache httpd, Solaris telnetd)
  – the version number, hostname, device type (e.g. printer, router)
  – the OS family (e.g. Windows, Linux)
  – sometimes miscellaneous details, like whether an X server is open to connections
– Most services don't provide all of this information

OS Detection
TCP/IP stack fingerprinting
– Sends a series of TCP and UDP packets
– Examines practically every bit in the responses
  – Such as TCP ISN (initial sequence number) sampling, TCP options support and ordering, IP ID sampling, initial window size
– Compares the results to a database of more than a thousand known OS fingerprints
– Prints out the OS details if there is a match

Some Options
-F
– Fast scan: the 100 likeliest ports rather than the default 1000
--version-light
– Faster but less accurate version detection
-O
– OS fingerprint option
--host-timeout time
– Give up on slow target hosts
--min-parallelism numprobes; --max-parallelism numprobes
-n
– No DNS resolution

NMAP – Good News
There is a GUI: ZENMAP
– Shows you the command line as you choose options
– Then runs the command
– Shows you the output

NMAP – Some links

Today's Lab
– Scan the internal network
– Detect and categorize the machines
– Fingerprint the OS and other software
– Explain the command line options
  – You may use Zenmap to generate the commands
  – But run them from the command line
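The lab's "detect and categorize" step is easier against Nmap's grepable output (-oG) than against the human-readable listing, because every host is one tab-separated line. The block below is an added example for the lab, not part of the slides or of Nmap: it parses a constructed -oG file (the hosts, ports, banners, OS strings and IP ID sequence classes are invented, laid out the way -oG writes them when run with -sV and -O), categorises each host from its OS guess and open services using this example's own rules, and flags hosts whose IP ID sequence is incremental, i.e. usable as idle-scan zombies.

```python
# Added example for the lab (not from the slides or Nmap): parse Nmap's
# grepable output (-oG) and categorise hosts. The sample file, hosts, ports,
# banners and OS strings below are constructed; the category rules are ours.
import re

SAMPLE_GNMAP = """\
# Nmap scan initiated as: nmap -sV -O -oG lab.gnmap 192.168.56.0/24 (constructed sample)
Host: 192.168.56.10 ()\tStatus: Up
Host: 192.168.56.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1 Ubuntu/, 80/open/tcp//http//Apache httpd 2.4.52/\tIgnored State: closed (998)\tOS: Linux 5.X\tSeq Index: 260\tIP ID Seq: All zeros
Host: 192.168.56.20 ()\tStatus: Up
Host: 192.168.56.20 ()\tPorts: 135/open/tcp//msrpc//Microsoft Windows RPC/, 445/open/tcp//microsoft-ds///\tIgnored State: filtered (998)\tOS: Microsoft Windows 10\tSeq Index: 258\tIP ID Seq: Incremental
Host: 192.168.56.30 (printer.lab)\tStatus: Up
Host: 192.168.56.30 (printer.lab)\tPorts: 9100/open/tcp//jetdirect///, 161/open|filtered/udp//snmp///\tIgnored State: closed (998)
# Nmap done -- 256 IP addresses (3 hosts up) scanned
"""

# One -oG port entry: port/state/proto/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/([^/]*)/([^/]*)/[^/]*/([^/]*)/[^/]*/([^/]*)/")
HOST_RE = re.compile(r"Host: (\S+) \((.*?)\)")


def parse_gnmap(text):
    """Return {ip: {"name", "ports", "os", "ipid"}} from -oG text."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                      # comment lines and blanks
        fields = line.split("\t")
        ip, name = HOST_RE.match(fields[0]).groups()
        host = hosts.setdefault(ip, {"name": name, "ports": [],
                                     "os": None, "ipid": None})
        for field in fields[1:]:
            key, _, value = field.partition(": ")
            if key == "Ports":
                for port, state, proto, service, version in PORT_RE.findall(value):
                    host["ports"].append({"port": int(port), "state": state,
                                          "proto": proto, "service": service,
                                          "version": version})
            elif key == "OS":
                host["os"] = value
            elif key == "IP ID Seq":
                host["ipid"] = value
    return hosts


def categorise(host):
    """Rough device class from the OS guess and the open services (our rules)."""
    os_name = (host["os"] or "").lower()
    services = {p["service"] for p in host["ports"] if p["state"] == "open"}
    if "windows" in os_name or services & {"microsoft-ds", "msrpc"}:
        return "windows"
    if "linux" in os_name or "ssh" in services:
        return "unix-like"
    if services & {"jetdirect", "ipp"}:
        return "printer"
    return "unknown"


def idle_scan_candidates(hosts):
    """Hosts with an incremental IP ID sequence: usable as idle-scan zombies,
    which is worth knowing about when they sit on your own network."""
    return sorted(ip for ip, h in hosts.items() if h["ipid"] == "Incremental")


if __name__ == "__main__":
    found = parse_gnmap(SAMPLE_GNMAP)
    for ip, h in found.items():
        open_ports = [f'{p["port"]}/{p["proto"]}' for p in h["ports"]
                      if p["state"] == "open"]
        print(ip, h["name"] or "-", categorise(h), h["os"], open_ports)
    print("idle-scan zombie candidates:", idle_scan_candidates(found))
```

To use it on real lab output, run the scan with `-oG <file>` and pass the file's contents to parse_gnmap; the category rules are deliberately crude and are the part you would refine once you have seen what is actually on the network.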