Dokumen - Tips - Scanning Columbia University Smbclassess09l21pdf Nmap Scanning The Basics

Scanning
Scanning
Goals
Useful Tools
The Basics
NMAP
Google Hacking
Scanning
1 / 39
Scanning
Scanning
Scanning ■ Suppose you’re an attacker
Goals
Useful Tools ■ You want to attack a site
The Basics ■ How do you proceed?
NMAP
Google Hacking
2 / 39
Goals
Scanning
Scanning ■ Find an interesting (or vulnerable) machine
Goals
Useful Tools ■ Find a vulnerable service
The Basics ■ Attack. . .
NMAP
Google Hacking
3 / 39
Useful Tools
Scanning
Scanning ■ Ping
Goals
Useful Tools ■ Arp
The Basics ■ Dig
NMAP
Google Hacking
■ Nmap
■ rpcinfo; showmount
■ Tcpdump
■ Others, for special purposes
4 / 39
Scanning
The Basics
Getting Started
What are the Hosts?
What Happened?
Enumerating Hosts
Other Information in
the DNS
What Hosts Really
Exist?
How About a
Broadcast ping? The Basics
Off-LAN Broadcasts
ARP
NMAP
Google Hacking
5 / 39
Getting Started
Scanning
The Basics
■ What’s the first thing we know about the
Getting Started
What are the Hosts?
target?
What Happened?
Enumerating Hosts
■ The domain name!
the DNS
■ Your probably know at least one host, too:
What Hosts Really
Exist? www.domainname
How About a
Broadcast ping?
Off-LAN Broadcasts
■ There’s more in the DNS
ARP
NMAP
Google Hacking
6 / 39
What are the Hosts?
Scanning
The Basics
■ Most hosts have DNS entries — can we list
Getting Started
What are the Hosts?
them?
What Happened?
Enumerating Hosts
■ First try — do “zone transfer”
the DNS
■ Use dig ns cs.columbia.edu to learn the
What Hosts Really
Exist? name servers
How About a
Broadcast ping? ■ Pick one, then
Off-LAN Broadcasts
ARP
NMAP
$ dig axfr cs.columbia.edu @dns2.itd.umich.edu
Google Hacking
; <<>> DiG 9.3.2 <<>> axfr cs.columbia.edu @dns2

; (1 server found)
;; global options: printcmd
; Transfer failed.
■ But a different name server worked. . .

7 / 39
What Happened?
Scanning
The Basics
■ It’s possible to configure a name server to
Getting Started
What are the Hosts?
reject unauthorized zone transfer requests
What Happened?
Enumerating Hosts
■ But most sites have multiple name servers;
the DNS
frequently, some are under different
What Hosts Really
Exist? management (including 3 of 5 cs.columbia.edu
How About a
Broadcast ping?
Off-LAN Broadcasts
name servers)
ARP ■ Not everyone has the same policy. . .
NMAP
Google Hacking
8 / 39
Enumerating Hosts
Scanning
The Basics
■ Learn the IP address of one host:
Getting Started
What are the Hosts?
www.cs.columbia.edu is 128.59.18.180
What Happened?
Enumerating Hosts
■ Use dig -x on other IP addresses in the range:
the DNS
What Hosts Really
Exist?
How About a
Broadcast ping?
for i in ‘seq 1 254‘
Off-LAN Broadcasts
ARP
do
NMAP dig -x 128.59.18.$i
Google Hacking
done
■ Some sites give useless answers; 135.207.23.32

is H-135-207-23-32.research.att.com
■ Another caveat: watch out for smaller or larger
nets
9 / 39
Other Information in the DNS
Scanning
The Basics
■ HINFO:
Getting Started
What are the Hosts?
What Happened?
Enumerating Hosts
$ dig hinfo play.cs.columbia.edu.
the DNS
m83.cs.columbia.edu. 3600 IN HINFO "AMD Athlon"
What Hosts Really
Exist?
"Ubuntu5.10"
How About a
Broadcast ping?
Off-LAN Broadcasts
■ More: see WKS records, TXT records,
ARP NAPTR records, etc.
NMAP
Google Hacking
$ dig wks cs.columbia.edu

cs.columbia.edu. 3600 IN WKS
128.59.16.20 6 13 17 21 23 25 37 42 53 79
111 119 67 69 161 162
■ Of course, those might be wrong. . .

10 / 39
What Hosts Really Exist?
Scanning
The Basics
■ The DNS lists what you think you have
Getting Started
What are the Hosts?
■ What do you really have?
What Happened?
Enumerating Hosts
■ You can ping IP addresses
the DNS
What Hosts Really
Exist?
How About a
Broadcast ping?
for i in ‘seq 1 254‘
Off-LAN Broadcasts
ARP
do
NMAP ping 128.59.23.$i
Google Hacking
done
11 / 39
How About a Broadcast ping?
Scanning
The Basics # ping -L -r -w 100 128.59.23.255

Getting Started
What are the Hosts?
PING 23-net.cs.columbia.edu (128.59.23.255): 56 data
What Happened? 64 bytes from 128.59.18.102: icmp_seq=0 ttl=255 time
Enumerating Hosts
Other Information in 64 bytes from 128.59.20.155: icmp_seq=0 DUP! ttl=64
the DNS
What Hosts Really 64 bytes from 128.59.22.252: icmp_seq=0 DUP! ttl=64
Exist?
How About a 64 bytes from 128.59.18.133: icmp_seq=0 DUP! ttl=64
Broadcast ping?
Off-LAN Broadcasts
64 bytes from 128.59.18.134: icmp_seq=0 DUP! ttl=64
ARP 64 bytes from 128.59.22.7: icmp_seq=0 DUP! ttl=64 ti
NMAP
Google Hacking
12 / 39
Off-LAN Broadcasts
Scanning
The Basics # ping -L -r -w 100 128.59.23.255

Getting Started
What are the Hosts?
PING 23-net.cs.columbia.edu (128.59.23.255): 56 data
What Happened? ping: sendto: Network is unreachable
Enumerating Hosts
the DNS
What Hosts Really
Exist?
■ “Directed broadcasts” are blocked to prevent
How About a
Broadcast ping? Smurf attacks
Off-LAN Broadcasts
ARP ■ Smurf attack: send a ping packet to a
NMAP
broadcast address, with the (forged) source
Google Hacking
address of your victim
■ Many hosts will send back to it, using up lots
of the victim’s bandwidth
13 / 39
ARP
Scanning
The Basics
■ If we’re on the same LAN, we can learn more
Getting Started via ARP:
What are the Hosts?
What Happened?
Enumerating Hosts
the DNS
# arp -a
What Hosts Really
Exist?
mudd-edge-1.net.columbia.edu (128.59.16.1) at 00
How About a
Broadcast ping?
dynasty.cs.columbia.edu (128.59.16.5) at 00:03:b
Off-LAN Broadcasts disco.cs.columbia.edu (128.59.16.7) at 08:00:20:
ARP
NMAP
razor.cs.columbia.edu (128.59.16.8) at 00:01:02:
Google Hacking
■ Note that the first three bytes of the MAC
address tell who manufactured the card:
00:d0:06 is Cisco, 00:03:ba and 08:00:20 are
Sun, etc.
14 / 39
Scanning
The Basics
NMAP
The Network Map
Tool
Finding Hosts
Finding Hosts on a
LAN
Port-Scanning
The Real Truth
About CS.. . .
Trying it From
NMAP
Home
From CU Wireless
Sometimes It’s Like
This
Detecting Filtered
Ports
ACK Scans
Avoiding Detection
UDP Ports
Mapping Versions
Local Software
Learning Versions
To Tell the Truth?
Fingerprinting
Evasive Action
Google Hacking
15 / 39
The Network Map Tool
Scanning
The Basics
■ General-purpose scanner
NMAP ■ Does everything I’ve described and more
The Network Map
Tool
Finding Hosts
■ Practically point-and-click scanning (but it’s
Finding Hosts on a
LAN
command-line)
Port-Scanning
The Real Truth
About CS.. . .
Trying it From
Home
From CU Wireless
This
Detecting Filtered
Ports
ACK Scans
Avoiding Detection
UDP Ports
Mapping Versions
Local Software
Learning Versions
To Tell the Truth?
Fingerprinting
Evasive Action
Google Hacking
16 / 39
Finding Hosts
Scanning
The Basics # nmap -sP 128.59.23.0/21

NMAP Host mudd-edge-1.net.columbia.edu (128.59.16.1) appe
The Network Map
Tool Host dynasty.cs.columbia.edu (128.59.16.5) appears t
Finding Hosts
Finding Hosts on a
Host mailswitch.cs.columbia.edu (128.59.16.6) appear
LAN
Port-Scanning
Host disco.cs.columbia.edu (128.59.16.7) appears to
The Real Truth
About CS.. . .
Host razor.cs.columbia.edu (128.59.16.8) appears to
Trying it From
Home
...
From CU Wireless
This
Detecting Filtered
Ports
ACK Scans
Avoiding Detection
UDP Ports
Mapping Versions
Local Software
Learning Versions
To Tell the Truth?
Fingerprinting
Evasive Action
Google Hacking
17 / 39
Finding Hosts on a LAN
Scanning
The Basics # nmap -sP 128.59.23.0/21

NMAP Host mudd-edge-1.net.columbia.edu (128.59.16.1) appe
The Network Map
Tool MAC Address: 00:D0:06:26:9C:00 (Cisco Systems)
Finding Hosts
Finding Hosts on a
Host dynasty.cs.columbia.edu (128.59.16.5) appears t
LAN
Port-Scanning
MAC Address: 00:03:BA:14:A3:68 (Sun Microsystems)
The Real Truth
About CS.. . .
Host mailswitch.cs.columbia.edu (128.59.16.6) appear
Trying it From
Home
MAC Address: 00:17:08:B5:41:00 (Hewlett Packard)
From CU Wireless ...
This
Detecting Filtered
Ports
ACK Scans
Avoiding Detection
UDP Ports
Mapping Versions
Local Software
Learning Versions
To Tell the Truth?
Fingerprinting
Evasive Action
Google Hacking
18 / 39
Port-Scanning
Scanning
The Basics
■ Find out what ports are open on a machine
NMAP ■ Better yet, find out what applications are
The Network Map
Tool
Finding Hosts
behind those ports
Finding Hosts on a
LAN
■ Extras: avoid detection, detect firewalls,
Port-Scanning
The Real Truth
bypass some firewalls, etc.
About CS.. . .
Trying it From
Home
From CU Wireless
This
Detecting Filtered
Ports
ACK Scans
Avoiding Detection
UDP Ports
Mapping Versions
Local Software
Learning Versions
To Tell the Truth?
Fingerprinting
Evasive Action
Google Hacking
19 / 39
The Real Truth About CS.. . .
Scanning
The Basics # nmap -p 1-200 cs.columbia.edu

NMAP Not shown: 195 closed ports
The Network Map
Tool PORT STATE SERVICE
Finding Hosts
Finding Hosts on a
22/tcp open ssh
LAN
Port-Scanning
25/tcp open smtp
The Real Truth
About CS.. . .
53/tcp open domain
Trying it From
Home
111/tcp open rpcbind
From CU Wireless 139/tcp open netbios-ssn
This MAC Address: 00:03:BA:62:6A:39 (Sun Microsystems)
Detecting Filtered
Ports
ACK Scans
Avoiding Detection Nmap finished: 1 IP address (1 host up) scanned in 6
UDP Ports
Mapping Versions
Local Software
Learning Versions
Many fewer ports than in the WKS record. . .
To Tell the Truth?
Fingerprinting
Evasive Action
Google Hacking
20 / 39
Trying it From Home
Scanning
The Basics 7/tcp filtered echo

NMAP 9/tcp filtered discard
The Network Map
Tool 19/tcp filtered chargen
Finding Hosts
Finding Hosts on a
22/tcp open ssh
LAN
Port-Scanning
25/tcp open smtp
The Real Truth
About CS.. . .
53/tcp open domain
Trying it From
Home
111/tcp open rpcbind
From CU Wireless 135/tcp filtered msrpc
This 136/tcp filtered profile
Detecting Filtered
Ports 137/tcp filtered netbios-ns
ACK Scans
Avoiding Detection 138/tcp filtered netbios-dgm
UDP Ports
Mapping Versions
139/tcp filtered netbios-ssn
Local Software
Learning Versions
To Tell the Truth?
Fingerprinting
Evasive Action
Google Hacking
21 / 39
From CU Wireless
Scanning
The Basics # nmap -sA -p 1-200 www.cs.columbia.edu

NMAP PORT STATE SERVICE
The Network Map
Tool 135/tcp filtered msrpc
Finding Hosts
Finding Hosts on a
LAN
Port-Scanning
The Real Truth
About CS.. . .
Trying it From
Home
From CU Wireless
This
Detecting Filtered
Ports
ACK Scans
Avoiding Detection
UDP Ports
Mapping Versions
Local Software
Learning Versions
To Tell the Truth?
Fingerprinting
Evasive Action
Google Hacking
22 / 39
Sometimes It’s Like This
Scanning
The Basics 3/tcp filtered compressnet

NMAP 7/tcp filtered echo
The Network Map
Tool 36/tcp filtered unknown
Finding Hosts
Finding Hosts on a
116/tcp filtered ansanotify
LAN
Port-Scanning
132/tcp filtered cisco-sys
The Real Truth
About CS.. . .
135/tcp filtered msrpc
Trying it From
Home
147/tcp filtered iso-ip
From CU Wireless 157/tcp filtered knet-cmp
This 177/tcp filtered xdmcp
Detecting Filtered
Ports
ACK Scans
Avoiding Detection
UDP Ports
Different paths? Or a scan failure? Unclear.
Mapping Versions
Local Software
Learning Versions
To Tell the Truth?
Fingerprinting
Evasive Action
Google Hacking
23 / 39
Detecting Filtered Ports
Scanning
The Basics
■ How does nmap detect a filtered service?
NMAP ■ A TCP SYN is normally answered with a
The Network Map
Tool
Finding Hosts
SYN+ACK or a RST
Finding Hosts on a
LAN
■ A filtered port generally returns nothing
Port-Scanning
The Real Truth
About CS.. . .
Trying it From
Home
From CU Wireless
This
Detecting Filtered
Ports
ACK Scans
Avoiding Detection
UDP Ports
Mapping Versions
Local Software
Learning Versions
To Tell the Truth?
Fingerprinting
Evasive Action
Google Hacking
24 / 39
ACK Scans
Scanning
The Basics
■ Send a packet with the ACK bit set
NMAP ■ Gets through packet filters!
The Network Map
Tool
Finding Hosts
■ Can’t distinguish between open and closed
Finding Hosts on a
LAN
services; can be used to map firewall rules
Port-Scanning
The Real Truth
About CS.. . .
Trying it From
Home
From CU Wireless
This
Detecting Filtered
Ports
ACK Scans
Avoiding Detection
UDP Ports
Mapping Versions
Local Software
Learning Versions
To Tell the Truth?
Fingerprinting
Evasive Action
Google Hacking
25 / 39
Avoiding Detection
Scanning
The Basics
■ If a program does a connect() call, the usual
NMAP 3-way TCP handshake will occur
The Network Map
Tool
Finding Hosts
■ The application can log the fact and source of
Finding Hosts on a
LAN
the connection
Port-Scanning
The Real Truth
■ Nmap hand-crafts SYN packets, and responds to
About CS.. . .
Trying it From any SYN+ACK with RST
Home
From CU Wireless
■ The TCP open never completes, so the
This
Detecting Filtered
application never notices and can’t log
Ports
ACK Scans
Avoiding Detection
UDP Ports
Mapping Versions
Local Software
Learning Versions
To Tell the Truth?
Fingerprinting
Evasive Action
Google Hacking
26 / 39
UDP Ports
Scanning
The Basics
■ Send a UDP packet
NMAP ■ Watch for a response or an ICMP Port
The Network Map
Tool
Finding Hosts
Unreachable
Finding Hosts on a
LAN
■ No answer at all may indicate a filtered port
Port-Scanning
The Real Truth
About CS.. . .
Trying it From
Home
From CU Wireless
This
Detecting Filtered
Ports
ACK Scans
Avoiding Detection
UDP Ports
Mapping Versions
Local Software
Learning Versions
To Tell the Truth?
Fingerprinting
Evasive Action
Google Hacking
27 / 39
Mapping Versions
Scanning
The Basics
■ Why do we want to?
NMAP ■ Particular applications may have (security)
The Network Map
Tool
Finding Hosts
bugs
Finding Hosts on a
LAN
■ Particular versions of particular applications
Port-Scanning
The Real Truth
may have (security) bugs
About CS.. . .
Trying it From
Home
From CU Wireless
This
Detecting Filtered
Ports
ACK Scans
Avoiding Detection
UDP Ports
Mapping Versions
Local Software
Learning Versions
To Tell the Truth?
Fingerprinting
Evasive Action
Google Hacking
28 / 39
Local Software
Scanning
The Basics # nmap -A -p 1-200 www.cs.columbia.edu

NMAP
The Network Map
Tool Starting Nmap 4.11 ( http://www.insecure.org/nmap/ )
Finding Hosts
Finding Hosts on a
Interesting ports on shadow.cs.columbia.edu (128.59.
LAN
Port-Scanning
Not shown: 196 closed ports
The Real Truth
About CS.. . .
PORT STATE SERVICE VERSION
Trying it From
Home
22/tcp open ssh OpenSSH 3.9p1 (protocol 1.99)
From CU Wireless 25/tcp open smtp Sendmail 8.12.10/8.12.10
This 80/tcp open http Apache httpd 1.3.33 ((Unix) mo
Detecting Filtered
Ports 111/tcp open rpcbind 2-4 (rpc #100000)
ACK Scans
Avoiding Detection MAC Address: 00:03:BA:C5:A0:DD (Sun Microsystems)
UDP Ports
Mapping Versions
Device type: general purpose
Local Software Running: Sun Solaris 8
Learning Versions
To Tell the Truth?
OS details: Sun Solaris 8
Fingerprinting Uptime 13.412 days (since Thu Oct 19 15:52:13 2006)
Evasive Action
Google Hacking
Service Info: OS: Unix
29 / 39
Learning Versions
Scanning
The Basics
■ How does nmap get that data?
NMAP
■ Many services announce it right away:
The Network Map
Tool
Finding Hosts
Finding Hosts on a
LAN
# telnet www.cs.columbia.edu 80
Port-Scanning Trying 128.59.23.100...
The Real Truth
About CS.. . . Connected to shadow.cs.columbia.edu.
Trying it From
Home Escape character is ’^]’.
From CU Wireless
Sometimes It’s Like GET / HTTP/1.0
This
Detecting Filtered
Ports
ACK Scans
HTTP/1.1 200 OK
Avoiding Detection Date: Thu, 02 Nov 2006 05:49:38 GMT
UDP Ports
Mapping Versions Server: Apache/1.3.33 (Unix) mod_ssl/2.8.22 Open
Local Software
Learning Versions
X-Powered-By: PHP/4.3.11
To Tell the Truth?
Fingerprinting
Evasive Action
■ In other cases, it uses heuristics
Google Hacking
30 / 39
To Tell the Truth?
Scanning
The Basics $ dig version.bind txt chaos @kedu.cc.columbia.edu

NMAP version.bind. 0 CH TXT "9.2.6-P1"
The Network Map
Tool $ dig version.bind txt chaos @cs.columbia.edu
Finding Hosts
Finding Hosts on a
VERSION.BIND. 0 CH TXT "surely you must be joking"
LAN
Port-Scanning
The Real Truth
About CS.. . . Hiding the version helps less than you might think
Trying it From
Home
From CU Wireless
This
Detecting Filtered
Ports
ACK Scans
Avoiding Detection
UDP Ports
Mapping Versions
Local Software
Learning Versions
To Tell the Truth?
Fingerprinting
Evasive Action
Google Hacking
31 / 39
Fingerprinting
Scanning
The Basics
■ Various heuristics can be used to identify OS
NMAP and version
The Network Map
Tool
Finding Hosts
■ Example: look at initial sequence number
Finding Hosts on a
LAN
patterns, support for TCP options, initial
Port-Scanning
The Real Truth
window size, etc.
About CS.. . .
Trying it From ■ Get uptime from TCP timestamp option
Home
From CU Wireless
■ Evaluate sequence number and IPid field
This
Detecting Filtered
predictability
Ports
ACK Scans ■ But good guys need version numbers for site
Avoiding Detection
UDP Ports management
Mapping Versions
Local Software ■ Net result: hiding version numbers tends to
Learning Versions
To Tell the Truth? hurt the good guys more than the bad guys
Fingerprinting
Evasive Action
Google Hacking
32 / 39
Evasive Action
Scanning
The Basics
■ Nmap has many techniques to avoid detection
NMAP ■ Example: randomized scan orders, decoy hosts,
The Network Map
Tool
Finding Hosts
zombies, bounce attacks, etc.
Finding Hosts on a
LAN
■ Nasty example: --badsum
Port-Scanning
The Real Truth
■ Send packet with a bad TCP checksum
About CS.. . .
Trying it From ■ Hosts will drop such packets — but some IDS
Home
From CU Wireless
won’t. . .
This
Detecting Filtered
Ports
ACK Scans
Avoiding Detection
UDP Ports
Mapping Versions
Local Software
Learning Versions
To Tell the Truth?
Fingerprinting
Evasive Action
Google Hacking
33 / 39
Scanning
The Basics
NMAP
Google Hacking
Google Hacking
The Santy Worm
Picking Out Versions
Interesting Files
Conclusions
Google Hacking
34 / 39
Google Hacking
Scanning
The Basics
■ Many web sites are insecure
NMAP ■ Probable insecurity is often detectable just by
Google Hacking
Google Hacking
seeing what files are on the site, i.e.,
The Santy Worm
known-bad scripts
Interesting Files
Conclusions
■ Google knows all. . .
35 / 39
The Santy Worm
Scanning
The Basics
■ Use Google to find sites running the PHP
NMAP Bulletin Board (phpBB)
Google Hacking
Google Hacking
■ Take over the site via flaws in (some versions
The Santy Worm
of) phpBB
Interesting Files
Conclusions
■ Repeat. . .
36 / 39
Scanning
The Basics
■ Sometimes, only a particular version of code is
NMAP vulnerable
Google Hacking
Google Hacking
■ Include the version in the search string
The Santy Worm
■ Example: "Powered by Gallery v1.4.4"
Interesting Files
Conclusions
37 / 39
Interesting Files
Scanning
The Basics
■ filetype:lit lit (books|ebooks) will
NMAP find Ebooks
Google Hacking
Google Hacking
■ Database passwords inside PHP scripts:
The Santy Worm
filetype:inc intext:mysql connect
Interesting Files
Conclusions
■ Your favorite company’s name for closely-held
documents: filetype:doc "XXXX company
confidential"
■ Other queries will find password files, credit
card numbers, etc.
38 / 39
Conclusions
Scanning
The Basics
■ Scanning is a very powerful attack technique
NMAP ■ It’s very hard to hide from a clever scanning
Google Hacking
Google Hacking
program
The Santy Worm
Interesting Files
Conclusions
39 / 39

Dokumen - Tips - Scanning Columbia University Smbclassess09l21pdf Nmap Scanning The Basics

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Dokumen - Tips - Scanning Columbia University Smbclassess09l21pdf Nmap Scanning The Basics

Uploaded by

Copyright:

Available Formats

Scanning

; <<>> DiG 9.3.2 <<>> axfr cs.columbia.edu @dns2

■ But a different name server worked. . .

■ Some sites give useless answers; 135.207.23.32

$ dig wks cs.columbia.edu

■ Of course, those might be wrong. . .

The Basics # ping -L -r -w 100 128.59.23.255

The Basics # ping -L -r -w 100 128.59.23.255

The Basics # nmap -sP 128.59.23.0/21

The Basics # nmap -sP 128.59.23.0/21

The Basics # nmap -p 1-200 cs.columbia.edu

The Basics 7/tcp filtered echo

The Basics # nmap -sA -p 1-200 www.cs.columbia.edu

The Basics 3/tcp filtered compressnet

The Basics # nmap -A -p 1-200 www.cs.columbia.edu

The Basics $ dig version.bind txt chaos @kedu.cc.columbia.edu

You might also like