advanced network reconnaissance with nmap · advanced network reconnaissance with nmap by fyodor...

Insecure.OrgInsecure.Org

AdvancedNetworkReconnaissancewithNmap

[email protected]

http://www.insecure.org/presentations/Shmoo06/ShmooCon;Jan14,2006


Mission#1

PenetrateSCO'sFirewalltodiscernalltheopenTCPportson

Docsrv.Caldera.Com


SYNScanagainstDocSRV#nmapsST4docsrv.caldera.comStartingNmap3.97Shmoo(http://www.insecure.org/nmap/)Interestingportsondocsrv.caldera.com(216.250.128.247):(The1669portsscannedbutnotshownbelowareinstate:filtered)PORTSTATESERVICE80/tcpopenhttp113/tcpclosedauth507/tcpopencrs

Nmapfinished:1IPaddress(1hostup)scannedin24.490seconds


ACKScanagainstDocSRV#nmapsAT4docsrv.caldera.comStartingNmap3.97ShmooInterestingportsondocsrv.caldera.com(216.250.128.247):(The1669portsscannedbutnotshownbelowareinstate:UNfiltered)PORTSTATESERVICE135/tcpfilteredmsrpc1434/tcpfilteredmssqlm32777/tcpfilteredsometimesrpc17

Nmapfinished:1IPaddress(1hostup)scannedin3.134seconds


WindowScanagainstDocSRV#nmapsWpT4docsrv.caldera.comStartingNmap3.97Shmoo(http://www.insecure.org/nmap/)Interestingportsondocsrv.caldera.com(216.250.128.247):(The65479portsscannedbutnotshownbelowareinstate:closed)PORTSTATESERVICE7/tcpopenecho9/tcpopendiscard11/tcpopensystat13/tcpopendaytime15/tcpopennetstat19/tcpopenchargen21/tcpopenftp22/tcpopenssh23/tcpopentelnet25/tcpopensmtp37/tcpopentime79/tcpopenfinger80/tcpopenhttp110/tcpopenpop3111/tcpopenrpcbind135/tcpfilteredmsrpc143/tcpopenimap


Mission#2

SneakpastalloftheNmaprelatedSnortIDSRules


NmapSpecificSnortRules~/snortrulespr2.4/rules>egrepi'alert.*nmap'*.rulesicmp.rules:alerticmp$EXTERNAL_NETany>$HOME_NETany(msg:"ICMPPINGNMAP";dsize:0;itype:8;reference:arachnids,162;classtype:attemptedrecon;sid:469;rev:3;)scan.rules:alerttcp$EXTERNAL_NETany>$HOME_NETany(msg:"SCANnmapXMAS";flow:stateless;flags:FPU,12;reference:arachnids,30;classtype:attemptedrecon;sid:1228;rev:7;)webattacks.rules:alerttcp$EXTERNAL_NETany>$HTTP_SERVERS$HTTP_PORTS(msg:"WEBATTACKSnmapcommandattempt";flow:to_server,established;content:"nmap%20";nocase;classtype:webapplicationattack;sid:1361;rev:5;)deleted.rules:alerttcp$EXTERNAL_NETany>$HOME_NETany(msg:"SCANnmapTCP";ack:0;flags:A,12;flow:stateless;reference:arachnids,28;classtype:attemptedrecon;sid:628;rev:7;)deleted.rules:alerttcp$EXTERNAL_NETany>$HOME_NETany(msg:"SCANnmapfingerprintattempt";flags:SFPU;flow:stateless;reference:arachnids,05;classtype:attemptedrecon;sid:629;rev:6;)


FlowportscanFixedWindow~/snort2.2.0/etc>grep'scannerfixed'snort.conf#scannerfixedthreshold15\#scannerfixedwindow15\


DefeatingFixedWindowScanDetection#foreachtarget(205.217.153.53205.217.153.54205.217.153.55)foreach?nmapscan_delay1075max_retries0max_hostrgoup1P0p21,22,23,25,53$targetforeach?usleep1075000foreach?end


FlowportscanSlidingWindow~/snort2.2.0/etc>grepscannerslidingsnort.conf#scannerslidingthreshold40\#scannerslidingwindow20\#scannerslidingscalefactor0.50\


DefeatingSnortSliding&FixedWindowDetectionfelix~#foreachtarget(205.217.153.53205.217.153.54205.217.153.55)foreach?nmapmin_parallelism15max_retries0P0p21,22,23,25,53$targetforeach?usleep23000000foreach?end


AnotherOption:JustExploittheThing

TrytheSnortBackOrificePreprocessorExploit:

http://www.frsirt.com/exploits/20051025.THCsnortbo.c.php


Don'tForgetDecoys(D)


AlsoDon'tForget

Exoticscanflags(scanflags) Sourceportmanipulation(g) Ipv6(6) IPIDIdleScanning(sI) Fragmentation(f,mtu) Proxies SourceRouting Etc.


Finally,HaveSomeFunWithIt


SingleServiceDiscovery


Mission#3

Locatewebserver(s)onthePlayboy.Comnetworkofferingfreeimages


Step1:FindNetworktoScanStep1:Findthenetworktoscan

core~>whoishwhois.arin.netnplayboy[...]OrgName:PlayboyOrgID:PLAYBOAddress:680N.LakeShoreDriveCity:ChicagoStateProv:ILPostalCode:60611Country:US

NetRange:216.163.128.0216.163.143.255CIDR:216.163.128.0/20[...]


InitialTrynmapP0p80oGpb.gnmap216.163.128.0/20Startingnmap3.81[...]Nmapruncompleted4096IPaddresses(4096hostsup)scannedin1236.309seconds


HelpNmapOutwithTimingInformation>hostwww.playboy.comwww.playboy.comhasaddress209.247.228.201

Mailservers(hosttmxplayboy.com):mx.la.playboy.com.10216.163.128.15mx.chi.playboy.com.5216.163.143.4


PingKnownHostsforRTTEstimates>pingc5mx.chi.playboy.comPINGmx.chi.playboy.com(216.163.143.4)56(84)bytesofdata.mx.chi.playboy.compingstatistics5packetstransmitted,0received,100%packetloss,time4000ms

>pingc5mx.la.playboy.comPINGmx.la.playboy.com(216.163.128.15)56(84)bytesofdata.mx.la.playboy.compingstatistics5packetstransmitted,0received,100%packetloss,time4011ms


PerhapsTCPPingWillWorkBetter#hping2synp25c5mx.chi.playboy.comHPINGmx.chi.playboy.com(eth0216.163.143.4)46bytesfrom216.163.143.4:flags=SA46bytesfrom216.163.143.4:flags=SA[cut]mx.chi.playboy.comhpingstatistic5packetstransmitted,5packetsreceivedroundtripmin/avg/max=56.8/58.0/61.8ms

#hping2synp25c5mx.la.playboy.comHPINGmx.la.playboy.com(eth0216.163.128.15)46bytesfrom216.163.128.15:flags=SA46bytesfrom216.163.128.15:flags=SA[cut]mx.la.playboy.comhpingstatistic5packetstransmitted,5packetsreceivedroundtripmin/avg/max=15.4/15.8/16.4ms


DesigningaFasterScannmapT4max_rtt_timeout200initial_rtt_timeout150min_hostgroup512P0p80oGpb2.gnmap216.163.128.0/20


ReLaunchtheScan#nmapT4max_rtt_timeout200initial_rtt_timeout150min_hostgroup512P0p80oGpb2.gnmap216.163.128.0/20Startingnmap3.81[...]Nmapruncompleted4096IPaddresses(4096hostsup)scannedin868.714seconds

Muchbetterthan1236s,butleavesroomforimprovement


Upgradeto3.97Shmoo+max_retries#nmapT4max_rtt_timeout200initial_rtt_timeout150min_hostgroup512max_retries0P0p80oGpb3.gnmap216.163.128.0/20Startingnmap3.97Shmoo[...]Nmapruncompleted4096IPaddresses(4096hostsup)scannedin289.579seconds

Under5Minutes!


SkipDNS#nmapT4max_rtt_timeout200initial_rtt_timeout150min_hostgroup512max_retries0nP0p80oGpb3.gnmap216.163.128.0/20Startingnmap3.97Shmoo[...]Nmapruncompleted4096IPaddresses(4096hostsup)scannedin46.052seconds


TimefortheResults!>grep80/openpb3.gnmap|awk'{print$2}'216.163.129.20216.163.136.21216.163.136.22216.163.136.27216.163.136.29216.163.136.30216.163.136.31216.163.137.3216.163.137.4216.163.137.5216.163.137.6216.163.137.7216.163.137.8216.163.137.9216.163.137.10216.163.137.11216.163.137.12216.163.137.13216.163.137.14216.163.137.15216.163.137.16216.163.137.17216.163.137.18216.163.137.19216.163.137.20216.163.137.21216.163.137.22216.163.137.23216.163.137.25216.163.137.26216.163.137.27216.163.140.20216.163.143.11


AddVersionDetection(sV)########mydoombackdoorPROBE###########ProbeTCPmydoomq|\\x0d\\x0d|ports31273198matchmydoomm|\\x04\\x5b\\0\\0\\0\\0\\0\\0|p/mydoom/v/v012604/


Nmap3.97Shmoo Downloadthegoodsfrom

http://www.insecure.org/presentations/Shmoo06/ FeaturesSince3.95:

RuntimeInteraction ParallelreverseDNS CorruptTCP/UDPchecksumoption(badsum) max_retries


FeaturesSince3.50 ARPScanningandSpoofing Rewrotecoreportscanningengine DietNmap Brandnewmanpage/referenceguide,in7

languagessofar HugeversiondetectionDBupdate(from1,000to

3,000signatures) VersiondetectionnowgathersOS,devicetype,

andhostname


FeaturesSince3.50(Cont'd) Versiondetectionrarity(version_light,

version_all,version_intensity) MassiveOSdetectionupdate(grewmorethan

50%to1,684fingerprints) DramaticWindowsperformanceimprovements

nowsendsviaNDISdriver. MACAddressPrinting 'l33tASCIIartinconfigurator XSLstylesheetforHTMLoutput


FeaturesSince3.50(Cont'd) open|filteredandclosed|filteredstates Completiontimeestimates NmapFEportedtoGTK2


TopNmapContributorsSince3.50AdamKerrison,AdamMorgan,AdrianoMonteiroMarques,AlanBishoff,AlanWilliamSomers,AlbertChin,AlokTangoankar,AmyHennings,AndersThulin,AndreiaGaita,AndyLutomirski,AnnaleeNewitz,ArturoBuanzoBusleiman,BartDopheide,BeirneKonarski,BenHarris,BillDale,BillPetersen,BillPollock,BoJiang,BrianHatch,ChadLoder,ChrisGibson,Christophe,CraigHumphrey,CurtisDoty,DanaEpp,DirkMueller,DougHoyte,DragosRuiu,DugSong,DuilioJ.Protti,EricS.Raymond,FelixGrbert,FlorianEbner,FyodorYarochkin,GangaBhavani,GisleVanem,GlynGeoghegan,GregA.Woods,GregDarke,GregTaleck,GwenoleBeauchesne,HDMoore,Jedi/SectorOne,JeffNathan,JesseBurns,JimCarras,JimHarrison,JonathanDieter,JosDomingos,JustinCranford,JustinMCacak,Krok,KX,LamontJones,LanceSpitzner,LaurentEstieux,LionelCons,LucienRaven,MadHat,MariusStrobl,MarkDavidMcLaughlin,MarkRuef,MartinMacok,MatthieuVerbert,MattSelsky,MaxSchubert,MeethuneBhowmick,Mephisto,MikeBasinger,MikeHatz,Murphy,Netris,OkanDemirmen,OleMortenGrodaas,OliverEikemeier,PascalTrouvin,PaulTarjan,PetrSalinger,PetterReinholdtsen,pijntrein,PingHuang,PiotrSobolewski,PriitLaes,PrincessNadia,RavenAlder,RichardBirkett,RichardMoore,RobertE.Lee,RobFoehl,RonakSutaria,RoyceWilliams,RuedigerRissmann,SaintXavier,Saravanan,ScottMansfield,SebastianWolfgarten,SethMaster,ShahidKhan,SimonBurr,SimpleNomad,SinaBahram,SolarDesigner,Srivatsan,StephaneLoeuillet,StephenBishop,SteveChristensen,SteveMartin,ThorstenHolz,TomDuffy,TomRuneFlo,TomSellers,TonyGolding,vanHauser,vlad902,WilliamMcVey,ZhaoLei


Questions?AnyquestionsaboutNmap,NetworkReconnaissance,oranythingelse?

advanced network reconnaissance with nmap · advanced network reconnaissance with nmap by fyodor...

Documents

Understanding NMAP

COURSE OUTLINE · 2019-08-13 · 4.1.4 Google Hacking for Office Documents (4:19) 4.1.5 Perform Reconnaissance with theHarvester (4:51) 4.1.6 Perform Reconnaissance with Nmap (4:14)

Fyodor Dostoevsky’s - the-criterion.com

Nmap Scripting Engine - digitalwhisper.co.il · Nmap Scripting Engine bindh3x תאמ ¤ ® £ · ¤ םע טקיורפה לע זירכה fyodor ש זאמ ורבע הנש 20 טעמכ

Fyodor Dostoevsky - Poor Folk

Nmap Guide

nmap perintah

INF5290 Ethical Hacking Lecture 3: Network reconnaissance ... · Hping2, hping3 Besides nmap there are other port scanners like the hping family. • Firewall testing • Advanced

BlackHat-USA-2010-Fyodor-Fifield-NMAP-Scripting-Engine-wp (1).pdf

Fyodor Dostoyefski to Ypogeio

Network Reconnaissance using NMAP · • Simple network mapper used for port scanning, network discovery and vulnerability enumeration • Basic syntax (nmap -args)

Nmap Nessus

Fyodor Dostoevsky & Siberian Exile

Tutorial. Nmap IndiceEscanear nuestra Ip-----pag11 Programar nmap-----pag12. Introducción a Nmap Nmap (‘Network Mapper’), es una herramienta open source, diseñada para explorar

Fyodor Mikhailovich Dostoevsky 1

Varfolomeev fyodor rus

FYODOR MIKAHAILOVICH DOSTOEVSKY

Nmap basics

SOCIAL STRATIFICATION REFLECTED IN FYODOR fileperistiwa, dan diksi. Ketiga, alasan mengapa Fyodor Dostoyevsky mengangkat Ketiga, alasan mengapa Fyodor Dostoyevsky mengangkat stratifikasi

- Fyodor Dostoevsky

San Fyodor Fyodorovich Ushakov

Nmap basico

Fyodor Mikhaylovich Terentyev

Fyodor Dostoevsky (1)

The Idiot, Fyodor Dostoevsky

nmap Paper

syssec 06 network - EURECOMs3.eurecom.fr/~aurel/syssec/syssec_06_network.pdf · • nmap, hping2, netcat ... Reconnaissance • robtex.com → the Internet Swiss-army knife • GeoIP:

howto-linux-nmap - brazil.minnesota.edubrazil.minnesota.edu/examples/ex/howto-linux-nmap.pdf · This pdf shows the installation of nmap. basic nmap operation. and saving nmap output

Manual Nmap

Reconnaissance & Scanning - start [APNIC TRAINING WIKI] · Reconnaissance & Scanning APNIC42 Colombo ... --scanflags : Customize TCP scan flags ... Nmap done: 1 IP address

Fyodor A. Kondrashov

2011 hk fyodor-anthony_ppt

The New Nmap New Nmap Gordon “Fyodor ... 51 queries in 3.2 seconds from 51 ports with std dev 16099 ... 1 0.60 wap.nmap-int.org (192.168.0.6) [...] 6 9.74 151.164.251.42

Implementing network defence using deception in a wireless … · 2017-11-29 · Netstumbler (Milner, 2002), Network Mapper (NMAP) (Fyodor, 2003b) and Nessus (Deraison, 2003a). Kismet

Curso Nmap