Reconnaissance & Scanning - start [APNIC TRAINING WIKI] · Reconnaissance & Scanning APNIC42...

Post on 12-May-2018



Reconnaissance & Scanning, APNIC42

Colombo, Sri Lanka, 28 September – 5 October 2016

Contributor: Shahadat Hossain (GrameenPhone)

Did you ever get hacked?

https://haveibeenpwned.com/

Session Flow

• Advanced Search Techniques
  • Google
  • Bing
  • Shodan Search

• Data Collection
  • Pastebin
  • Zone-H

• Advanced Techniques for Network Scanning
  • Nmap

• Challenges

Live IP Discovery Technique: Google Search

• What is Google
• Why Google
• Basic Features of Google
  • Automatic "AND" Queries
  • Automatic Exclusion of Common Words
  • Capitalization
  • Spell Checker

• Google Search Operators
  • Basic Operators
  • Advanced Operators

What is Google?

Why Google?

• Reasons why Google Search
  • Directory
  • Their Map Search
  • The Trust
  • Easy to Use

Basic Features of Google Search

• Automatic "AND" Queries
  • By default, Google only returns pages that include all of your search terms. There is no need to include "AND" between terms.

• Automatic Exclusion of Common Words
  • Google ignores common words and characters such as "and", "or", "in", "of", "be", etc., as well as certain single digits and single letters, because they tend to slow down your search without improving the results. Google will indicate if a common word has been excluded by displaying details on the results page below the search box.

Basic Features of Google Search (continued)

• Capitalization
  • Google searches are NOT case-sensitive. For example, searches for "APNIC", "Apnic" and "apnic" will all retrieve the same results.

• Spell Checker
  • Google's spell-checking software automatically looks at your query to see if you are using the most common version of a word's spelling. If it is likely that an alternative spelling would retrieve more relevant results, it will ask "Did you mean: (more common spelling)?"

Different Search Operators

• + Searches
• - Searches
• ~ Searches
• Phrase Searches
• Domain Restrict Searches
• Definition Searches
• File Type Searches
• OR Searches

• Fill in the Blank
• Currency Conversion
• Calculator Function
• Unit Conversion
• Time Check

Advanced Operators

• Google advanced operators help refine searches.
• They are included as part of a standard Google query.
• Advanced operators use a syntax such as the following:

operator:search_term

• There is no space between the operator, the colon, and the search term!

Advanced Operators at a Glance

Operator     Purpose
intitle      Search page title
allintitle   Search page title (all terms must appear in the title)
inurl        Search URL
allinurl     Search URL (all terms must appear in the URL)
filetype     Search specific file types
allintext    Search text of page only
site         Search a specific site
link         Search for links to pages
inanchor     Search link anchor text
numrange     Locate a number
daterange    Search in a date range
author       Group author search
group        Group name search
insubject    Group subject search
msgid        Group msgid search

Advanced Google Searching

SITE:

INURL:

FILETYPE:

Some operators search overlapping areas. Consider site, inurl and filetype:

• inurl can search the whole URL, including the port and the file type.
• filetype can only search the file extension, which may be hard to distinguish in long URLs.
• site cannot search the port.

Advanced Google Searching

Exercise: Advanced Google Searching

1. How many web servers of your organization are live on the internet?
2. Is any user login page available on the IPs found in exercise 1?
3. Is any admin login page available?
4. Is there any .doc file which contains the word "Confidential"?

Bing: What Extra?

• Virtual Hosting
  • Name Based
  • IP Based

• Bing can identify name-based virtual hosting: its ip: operator (ip:<address>) lists the sites Bing has indexed on that one IP address.
  • Operator: ip:

Exercise: Bing

• Does any virtual hosting exist on your organization's web server?
• Why is this information worth knowing to a pentester?

SHODAN Search Technique

• What is Shodan
  • Shodan is a search engine developed by John Matherly
  • Different from content search engines like Google and Bing
  • Can identify IP-based devices connected to the internet
  • It uses service banners
  • It can identify:
    • Operating System
    • Services
    • Open Ports
    • Version
  • It can filter searches by:
    • Country
    • City
• A Firefox add-on is available

https://www.shodan.io/

Shodan Basic Search Operators

Filter        Purpose
country       Filters results by two-letter country code
hostname      Filters results by specified text in the hostname or domain
net           Filters results by a specific IP range or subnet
os            Search for specific operating systems
port          Narrow the search to specific services (by port number)
ServiceName   Filter the results by service name
DeviceName    Filter the results based on the device name

Exercise: Shodan

1. Find out how many IPs are live in your country
2. Find out how many Apache servers are running in your country
3. Find out how many Apache servers running version 2.2.3 are in your city
4. Find out whether any Apache servers are running in the .nist.gov and microsoft.com domains
5. Find out how many IIS 5.0 servers are running in the USA & AU
6. Take the Google IP block and find out how many IPs are live in Google
7. How many Linux servers are running in Yahoo?
8. How many hosts are live on the internet which have telnet open?

Pastebin (http://pastebin.com/)

• A pastebin is a type of web application where users can store plain text.
• They are most commonly used to share short source code snippets for code review.
• But people also share confidential data.
• You can also add alerts for specific keywords.

Exercise: Pastebin

• Search for text/documents related to your organization/domain.
• Do a search on ".com.au password". What information are you getting?

Zone-H (http://zone-h.net/)

• Zone-H is an archive of defaced websites.
• It is the largest web intrusion archive.
• Once a defaced website is submitted to Zone-H, it is mirrored on the Zone-H servers; it is then moderated by the Zone-H staff to check whether the defacement was fake.

Exercise: Zone-H

• Go to http://www.zone-h.org/
• Check with your organization's domain name
• How about www.microsoft.com?
• http://www.zone-h.org/mirror/id/1246363

Nmap (https://nmap.org/)

• Nmap is a free and open source network exploration and security auditing tool.
• Nmap was created by Gordon Lyon, a.k.a. Fyodor Vaskovich, and first published in 1997.
• Works cross-platform, although it works best on Linux-type environments.
• It uses raw IP packets to determine:
  • What hosts are available on the network
  • What services (application name and version) those hosts offer
  • Guesses at the operating system, uptime and other characteristics

Nmap in the movies

https://nmap.org/movies/

Ethical Issue

• Can be used for hacking: to discover vulnerable ports.
• System admins use it to check that systems meet security standards.
• Unauthorized use of Nmap on a system could be illegal.
• Make sure you have permission before using this tool.

Remember: There is no right way to do the wrong things.

Nmap: How it works

• DNS lookup: matches the name with an IP.
• Host discovery: before scanning ports, Nmap probes each target to decide whether it is up (for a privileged user the defaults are an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request). A host that answers none of them is reported as down unless you skip discovery with -Pn.
• Port scan: Nmap then sends a probe to each port. In the default SYN scan a SYN/ACK reply means the port is open, a RST reply means it is closed, and no reply at all (or an ICMP unreachable error) means it is filtered.
• A firewall can interfere with this process: dropped probes make ports look filtered, and a device that answers on behalf of the host can make closed ports look open.

Nmap: Scanning Techniques

• Host Discovery and Target Specification
• Port Scanning Techniques, Specification and Order
• OS, Service and Version Detection
• Nmap Scripting Engine
• Timing and Performance
• Firewall/IDS Evasion and Spoofing Techniques
• Scan Report

Good presentation by Fyodor on "Nmap: Scanning the Internet": https://www.youtube.com/watch?v=Hk-21p2m8YY

Nmap: Scan

TARGET SPECIFICATION:
  Can pass hostnames, IP addresses, networks, etc.
  Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
  -iL <inputfilename>: Input from list of hosts/networks
  -iR <num hosts>: Choose random targets
  --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
  --excludefile <exclude_file>: Exclude list from file

OS DETECTION:
  -O: Enable OS detection
  --osscan-limit: Limit OS detection to promising targets
  --osscan-guess: Guess OS more aggressively

Nmap: Scan

HOST DISCOVERY:
  -sL: List Scan - simply list targets to scan
  -sn: Ping Scan - disable port scan
  -Pn: Treat all hosts as online -- skip host discovery
  -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
  -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
  -PO[protocol list]: IP Protocol Ping
  -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
  --dns-servers <serv1[,serv2],...>: Specify custom DNS servers
  --system-dns: Use OS's DNS resolver
  --traceroute: Trace hop path to each host

Nmap: Scan

SCAN TECHNIQUES:
  -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
  -sU: UDP Scan
  -sN/sF/sX: TCP Null, FIN, and Xmas scans
  --scanflags <flags>: Customize TCP scan flags
  -sI <zombie host[:probeport]>: Idle scan
  -sY/sZ: SCTP INIT/COOKIE-ECHO scans
  -sO: IP protocol scan
  -b <FTP relay host>: FTP bounce scan

Nmap: Timing and Performance

• --min-parallelism <numprobes>; --max-parallelism <numprobes>
  • Adjust probe parallelization
• --max-retries <numtries>
  • Specify the maximum number of port scan probe retransmissions
• --scan-delay <time>; --max-scan-delay <time>
  • Adjust the delay between probes
• -T paranoid|sneaky|polite|normal|aggressive|insane
  • Set a timing template (the same templates are selectable as -T0 through -T5)

Let's look at some examples

Install nmap and we can go along with the examples

Host Discovery

-sP is the older name for -sn: ping scan only, no port scan.

fakrul@console# nmap -sP 202.125.96.0/24

Starting Nmap 7.01 ( https://nmap.org ) at 2016-09-20 09:48 AEST
Nmap scan report for 202.125.96.1
Host is up (0.00071s latency).
Nmap scan report for 202.125.96.10
Host is up (0.00012s latency).
Nmap scan report for 202.125.96.15
Host is up (0.00048s latency).
Nmap scan report for 202.125.96.40
...............
Nmap scan report for 202.125.96.254
Host is up (0.00062s latency).

Nmap done: 256 IP addresses (15 hosts up) scanned in 8.61 seconds

Host Discovery with traceroute

root@console:/home/fakrul# nmap -sP www.apnic.net --traceroute

Starting Nmap 7.01 ( https://nmap.org ) at 2016-09-20 09:52 AEST
Nmap scan report for www.apnic.net (203.119.102.244)
Host is up (0.018s latency).

TRACEROUTE (using proto 1/icmp)
HOP RTT       ADDRESS
1   0.15 ms   202.125.96.1
2   0.21 ms   202.125.96.225
3   0.30 ms   ip-169.232.255.49.VOCUS.net.au (49.255.232.169)
4   14.48 ms  as4608.qld.ix.asn.au (218.100.76.36)
5   17.72 ms  squiz-proxy.apnic.net (203.119.102.244)
Nmap done: 1 IP address (1 host up) scanned in 13.90 seconds

Target Specification

root@console:/home/fakrul# nmap -T4 -p 1-1024 202.125.96.15

Starting Nmap 7.01 ( https://nmap.org ) at 2016-09-20 10:05 AEST
Nmap scan report for 202.125.96.15
Host is up (0.00014s latency).
Not shown: 1022 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 00:1D:09:66:1B:A8 (Dell)

Nmap done: 1 IP address (1 host up) scanned in 8.10 seconds

Target IPs can be listed in a text file (one per line, or separated by spaces or tabs) and specified using "-iL":

root@console:/home/fakrul# nmap -T4 -p 1-1024 -iL iplist.txt

Target Specification with OS Fingerprint

The same scan with -O added; OS detection is what produces the "Device type" to "Network Distance" lines below.

root@console:/home/fakrul# nmap -T4 -O -p 1-1024 202.125.96.15

Starting Nmap 7.01 ( https://nmap.org ) at 2016-09-20 10:05 AEST
Nmap scan report for 202.125.96.15
Host is up (0.00014s latency).
Not shown: 1022 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 00:1D:09:66:1B:A8 (Dell)

Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.0
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.84 seconds

TCP Three-Way Handshake

Client -> Server: SYN [seq=A]
Server -> Client: SYN-ACK [seq=B, ack=A+1]
Client -> Server: ACK [seq=A+1, ack=B+1]

• Ports are associated with OSI Layer 4
• 2 main protocols: TCP & UDP
  • TCP is connection-oriented, unlike UDP
  • To initiate a TCP connection it uses the TCP 3-way handshake (3WHS)
  • TCP has 6 flags (actually 8: URG, ACK, PSH, RST, SYN, FIN, plus ECE and CWR)

Port State & TCP Behavior

• If no connection exists between two hosts then SYN is the only valid and expected packet; all other packets will be considered invalid.

Scanner -> target: SYN;  target -> scanner: SYN/ACK;  scanner -> target: RST   (open; a SYN scan tears the half-open connection down instead of completing it)
Scanner -> target: SYN;  target -> scanner: RST                                 (closed)
Scanner -> target: SYN;  no reply, the probe is dropped                         (filtered)

• open
  • Will accept connections (a listener answered SYN/ACK)
• filtered
  • A firewall or other network obstacle is covering the port, so nothing comes back
• closed
  • Determined to be closed with no obstacles or interference: the host is reachable but nothing is listening, and it answers with RST
• unfiltered
  • Reachable, but Nmap cannot tell whether it is open or closed; only the ACK scan (-sA) reports this state
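The three exchanges above can be reproduced on your own machine without raw sockets by using the connect() call, which is exactly what Nmap's -sT scan does. The following is an added example, not code from the slides or from Nmap: it starts a throwaway listener on 127.0.0.1 (the constructed "open" target), releases a second ephemeral port (the constructed "closed" target), and classifies each port from the kernel's answer to the SYN. The names probe_port, connect_scan and demo are this example's own.

```python
"""TCP connect() scan of a throwaway local listener (added example, not from the slides).

Nmap's -sT scan relies on the OS connect() call, so every probe is a full
three-way handshake; the kernel's answer to our SYN decides the port state:
  SYN -> SYN/ACK -> ACK : connect() returns                 -> open
  SYN -> RST            : connect() raises ConnectionRefused -> closed
  SYN -> (dropped)      : connect() times out                -> filtered
Nmap's default -sS scan instead answers the SYN/ACK with RST and never finishes
the handshake, so the service behind an open port never sees a connection to log.
"""
import socket
from typing import Dict, Iterable


def probe_port(host: str, port: int, timeout: float = 0.5) -> str:
    """Classify one TCP port the way a connect() scan does."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))       # handshake completed: something is listening
        return "open"
    except ConnectionRefusedError:    # our SYN was answered with RST
        return "closed"
    except OSError:                   # timeout (probe dropped) or no route: nothing came back
        return "filtered"
    finally:
        s.close()


def connect_scan(host: str, ports: Iterable[int], timeout: float = 0.5) -> Dict[int, str]:
    """Probe each port in turn and return {port: state}."""
    return {port: probe_port(host, port, timeout) for port in ports}


def _free_port() -> int:
    """Ask the OS for an ephemeral port and release it again: nothing listens there afterwards."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo() -> Dict[str, str]:
    """Constructed target: one listener (open) and one released port (closed) on loopback."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)                # the kernel completes handshakes into the backlog; no accept() needed
    try:
        open_port = listener.getsockname()[1]
        closed_port = _free_port()    # cannot collide: open_port is still bound
        result = connect_scan("127.0.0.1", [open_port, closed_port])
        return {"listener": result[open_port], "released": result[closed_port]}
    finally:
        listener.close()


if __name__ == "__main__":
    print(demo())   # {'listener': 'open', 'released': 'closed'}
```

Pointing probe_port at a port behind a firewall DROP rule gives "filtered" through the timeout path, which is why Nmap has to retransmit and wait before it can say that a port is filtered rather than slow: the "filtered" verdict is the absence of an answer, not a message.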

Check whether the host is running a DNS server

root@console:/home/fakrul# nmap -sU -p 53 202.125.96.42

Starting Nmap 7.01 ( https://nmap.org ) at 2016-09-20 11:08 AEST
Nmap scan report for 202.125.96.42
Host is up (0.00017s latency).
PORT   STATE SERVICE
53/udp open  domain
MAC Address: 00:16:3E:25:39:FD (Xensource)

Nmap done: 1 IP address (1 host up) scanned in 7.23 seconds

UDP has no handshake, so a silent UDP port is reported as open|filtered; port 53 shows as plain "open" here because Nmap sends a DNS-shaped payload to that port and the server answered it.

Nmap: Exercise

Task (Answer)
1. How do you scan for known open ports in the network range 192.168.30.0/27?
2. Is there any web service running on IP 192.168.30.55? What is the application name?
3. What is the IP address of the Windows 2003 Server in the network 192.168.30.0/27?
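The three exercise questions can be answered from Nmap's machine-readable output instead of by reading the screen: run the scan once with -oX scan.xml and parse the XML. The following is an added example, not part of the slides or of Nmap itself. SAMPLE_XML is a constructed, trimmed -oX document for the exercise network 192.168.30.0/27 whose hosts, banners and OS matches are invented for the demo, and the helper names (parse_nmap_xml, live_hosts, web_servers, hosts_matching_os) are this example's own.

```python
"""Parse Nmap XML output (-oX) to answer the exercise questions offline.

Added example, not from the APNIC slides. SAMPLE_XML is a constructed,
trimmed -oX document; its hosts, banners and OS matches are made up.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -O -p 1-1024 -oX scan.xml 192.168.30.0/27" version="7.01">
 <host><status state="up" reason="arp-response"/><address addr="192.168.30.55" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="5.3"/></port>
   <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="Apache httpd" version="2.2.3"/></port>
   <port protocol="tcp" portid="443"><state state="closed" reason="reset"/></port>
  </ports>
  <os><osmatch name="Linux 3.2 - 4.0" accuracy="95"/></os>
 </host>
 <host><status state="up" reason="arp-response"/><address addr="192.168.30.60" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/><service name="microsoft-ds"/></port>
   <port protocol="tcp" portid="3389"><state state="open" reason="syn-ack"/><service name="ms-wbt-server" product="Microsoft Terminal Service"/></port>
  </ports>
  <os><osmatch name="Microsoft Windows Server 2003 SP1 or SP2" accuracy="100"/></os>
 </host>
 <host><status state="down" reason="no-response"/><address addr="192.168.30.61" addrtype="ipv4"/></host>
</nmaprun>
"""


@dataclass
class Service:
    name: str       # Nmap's service name, e.g. "http"
    product: str    # "Apache httpd 2.2.3" from -sV, or "" when no banner was identified


@dataclass
class Host:
    addr: str
    up: bool
    open_ports: Dict[int, Service] = field(default_factory=dict)
    os_match: Optional[str] = None   # best OS match from -O, if any


def parse_nmap_xml(xml_text: str) -> List[Host]:
    """Build one Host per <host> element, keeping only ports Nmap reported as open."""
    hosts: List[Host] = []
    for h in ET.fromstring(xml_text).findall("host"):
        status = h.find("status")
        addr_el = h.find("address[@addrtype='ipv4']")
        host = Host(addr=addr_el.get("addr") if addr_el is not None else "?",
                    up=status is not None and status.get("state") == "up")
        for p in h.findall("ports/port"):
            state = p.find("state")
            if state is None or state.get("state") != "open":
                continue                      # closed / filtered / open|filtered are not listeners
            svc = p.find("service")
            name = svc.get("name", "unknown") if svc is not None else "unknown"
            product = " ".join(x for x in (svc.get("product"), svc.get("version")) if x) if svc is not None else ""
            host.open_ports[int(p.get("portid"))] = Service(name, product)
        best = h.find("os/osmatch")           # Nmap lists OS matches best-first
        if best is not None:
            host.os_match = best.get("name")
        hosts.append(host)
    return hosts


def live_hosts(hosts: List[Host]) -> List[str]:
    """Question 1: which addresses in the range answered at all."""
    return [h.addr for h in hosts if h.up]


def web_servers(hosts: List[Host]) -> Dict[str, str]:
    """Question 2: addr -> application banner for every host with an open web service."""
    found = {}
    for h in hosts:
        for svc in h.open_ports.values():
            if svc.name in ("http", "https", "http-proxy"):
                found[h.addr] = svc.product or svc.name
    return found


def hosts_matching_os(hosts: List[Host], needle: str) -> List[str]:
    """Question 3: hosts whose best OS match mentions the given text (case-insensitive)."""
    return [h.addr for h in hosts if h.os_match and needle.lower() in h.os_match.lower()]


if __name__ == "__main__":
    scan = parse_nmap_xml(SAMPLE_XML)
    print("live:", live_hosts(scan))
    print("web:", web_servers(scan))
    print("win2003:", hosts_matching_os(scan, "Windows Server 2003"))
```

For a real run, replace SAMPLE_XML with the contents of the file written by nmap -sS -sV -O -p 1-1024 -oX scan.xml 192.168.30.0/27; -oX is the output format intended for tools, whereas the normal screen output is meant for people, so scripts should parse the XML rather than the text.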