Professional Documents
Culture Documents
Dokumen - Tips - Scanning Columbia University Smbclassess09l21pdf Nmap Scanning The Basics
Dokumen - Tips - Scanning Columbia University Smbclassess09l21pdf Nmap Scanning The Basics
Scanning
Goals
Useful Tools
The Basics
NMAP
Google Hacking
Scanning
1 / 39
Scanning
Scanning
Scanning ■ Suppose you’re an attacker
Goals
Useful Tools ■ You want to attack a site
The Basics ■ How do you proceed?
NMAP
Google Hacking
2 / 39
Goals
Scanning
Scanning ■ Find an interesting (or vulnerable) machine
Goals
Useful Tools ■ Find a vulnerable service
The Basics ■ Attack. . .
NMAP
Google Hacking
3 / 39
Useful Tools
Scanning
Scanning ■ Ping
Goals
Useful Tools ■ Arp
The Basics ■ Dig
NMAP
Google Hacking
■ Nmap
■ rpcinfo; showmount
■ Tcpdump
■ Others, for special purposes
4 / 39
Scanning
The Basics
Getting Started
What are the Hosts?
What Happened?
Enumerating Hosts
Other Information in
the DNS
What Hosts Really
Exist?
How About a
Broadcast ping? The Basics
Off-LAN Broadcasts
ARP
NMAP
Google Hacking
5 / 39
Getting Started
Scanning
The Basics
■ What’s the first thing we know about the
Getting Started
What are the Hosts?
target?
What Happened?
Enumerating Hosts
■ The domain name!
Other Information in
the DNS
■ Your probably know at least one host, too:
What Hosts Really
Exist? www.domainname
How About a
Broadcast ping?
Off-LAN Broadcasts
■ There’s more in the DNS
ARP
NMAP
Google Hacking
6 / 39
What are the Hosts?
Scanning
The Basics
■ Most hosts have DNS entries — can we list
Getting Started
What are the Hosts?
them?
What Happened?
Enumerating Hosts
■ First try — do “zone transfer”
Other Information in
the DNS
■ Use dig ns cs.columbia.edu to learn the
What Hosts Really
Exist? name servers
How About a
Broadcast ping? ■ Pick one, then
Off-LAN Broadcasts
ARP
NMAP
$ dig axfr cs.columbia.edu @dns2.itd.umich.edu
Google Hacking
The Basics
■ It’s possible to configure a name server to
Getting Started
What are the Hosts?
reject unauthorized zone transfer requests
What Happened?
Enumerating Hosts
■ But most sites have multiple name servers;
Other Information in
the DNS
frequently, some are under different
What Hosts Really
Exist? management (including 3 of 5 cs.columbia.edu
How About a
Broadcast ping?
Off-LAN Broadcasts
name servers)
ARP ■ Not everyone has the same policy. . .
NMAP
Google Hacking
8 / 39
Enumerating Hosts
Scanning
The Basics
■ Learn the IP address of one host:
Getting Started
What are the Hosts?
www.cs.columbia.edu is 128.59.18.180
What Happened?
Enumerating Hosts
■ Use dig -x on other IP addresses in the range:
Other Information in
the DNS
What Hosts Really
Exist?
How About a
Broadcast ping?
for i in ‘seq 1 254‘
Off-LAN Broadcasts
ARP
do
NMAP dig -x 128.59.18.$i
Google Hacking
done
The Basics
■ HINFO:
Getting Started
What are the Hosts?
What Happened?
Enumerating Hosts
$ dig hinfo play.cs.columbia.edu.
Other Information in
the DNS
m83.cs.columbia.edu. 3600 IN HINFO "AMD Athlon"
What Hosts Really
Exist?
"Ubuntu5.10"
How About a
Broadcast ping?
Off-LAN Broadcasts
■ More: see WKS records, TXT records,
ARP NAPTR records, etc.
NMAP
Google Hacking
The Basics
■ The DNS lists what you think you have
Getting Started
What are the Hosts?
■ What do you really have?
What Happened?
Enumerating Hosts
■ You can ping IP addresses
Other Information in
the DNS
What Hosts Really
Exist?
How About a
Broadcast ping?
for i in ‘seq 1 254‘
Off-LAN Broadcasts
ARP
do
NMAP ping 128.59.23.$i
Google Hacking
done
11 / 39
How About a Broadcast ping?
Scanning
Google Hacking
12 / 39
Off-LAN Broadcasts
Scanning
13 / 39
ARP
Scanning
The Basics
■ If we’re on the same LAN, we can learn more
Getting Started via ARP:
What are the Hosts?
What Happened?
Enumerating Hosts
Other Information in
the DNS
# arp -a
What Hosts Really
Exist?
mudd-edge-1.net.columbia.edu (128.59.16.1) at 00
How About a
Broadcast ping?
dynasty.cs.columbia.edu (128.59.16.5) at 00:03:b
Off-LAN Broadcasts disco.cs.columbia.edu (128.59.16.7) at 08:00:20:
ARP
NMAP
razor.cs.columbia.edu (128.59.16.8) at 00:01:02:
Google Hacking
■ Note that the first three bytes of the MAC
address tell who manufactured the card:
00:d0:06 is Cisco, 00:03:ba and 08:00:20 are
Sun, etc.
14 / 39
Scanning
The Basics
NMAP
The Network Map
Tool
Finding Hosts
Finding Hosts on a
LAN
Port-Scanning
The Real Truth
About CS.. . .
Trying it From
NMAP
Home
From CU Wireless
Sometimes It’s Like
This
Detecting Filtered
Ports
ACK Scans
Avoiding Detection
UDP Ports
Mapping Versions
Local Software
Learning Versions
To Tell the Truth?
Fingerprinting
Evasive Action
Google Hacking
15 / 39
The Network Map Tool
Scanning
The Basics
■ General-purpose scanner
NMAP ■ Does everything I’ve described and more
The Network Map
Tool
Finding Hosts
■ Practically point-and-click scanning (but it’s
Finding Hosts on a
LAN
command-line)
Port-Scanning
The Real Truth
About CS.. . .
Trying it From
Home
From CU Wireless
Sometimes It’s Like
This
Detecting Filtered
Ports
ACK Scans
Avoiding Detection
UDP Ports
Mapping Versions
Local Software
Learning Versions
To Tell the Truth?
Fingerprinting
Evasive Action
Google Hacking
16 / 39
Finding Hosts
Scanning
Google Hacking
17 / 39
Finding Hosts on a LAN
Scanning
Google Hacking
18 / 39
Port-Scanning
Scanning
The Basics
■ Find out what ports are open on a machine
NMAP ■ Better yet, find out what applications are
The Network Map
Tool
Finding Hosts
behind those ports
Finding Hosts on a
LAN
■ Extras: avoid detection, detect firewalls,
Port-Scanning
The Real Truth
bypass some firewalls, etc.
About CS.. . .
Trying it From
Home
From CU Wireless
Sometimes It’s Like
This
Detecting Filtered
Ports
ACK Scans
Avoiding Detection
UDP Ports
Mapping Versions
Local Software
Learning Versions
To Tell the Truth?
Fingerprinting
Evasive Action
Google Hacking
19 / 39
The Real Truth About CS.. . .
Scanning
Google Hacking
20 / 39
Trying it From Home
Scanning
Google Hacking
21 / 39
From CU Wireless
Scanning
Google Hacking
22 / 39
Sometimes It’s Like This
Scanning
Google Hacking
23 / 39
Detecting Filtered Ports
Scanning
The Basics
■ How does nmap detect a filtered service?
NMAP ■ A TCP SYN is normally answered with a
The Network Map
Tool
Finding Hosts
SYN+ACK or a RST
Finding Hosts on a
LAN
■ A filtered port generally returns nothing
Port-Scanning
The Real Truth
About CS.. . .
Trying it From
Home
From CU Wireless
Sometimes It’s Like
This
Detecting Filtered
Ports
ACK Scans
Avoiding Detection
UDP Ports
Mapping Versions
Local Software
Learning Versions
To Tell the Truth?
Fingerprinting
Evasive Action
Google Hacking
24 / 39
ACK Scans
Scanning
The Basics
■ Send a packet with the ACK bit set
NMAP ■ Gets through packet filters!
The Network Map
Tool
Finding Hosts
■ Can’t distinguish between open and closed
Finding Hosts on a
LAN
services; can be used to map firewall rules
Port-Scanning
The Real Truth
About CS.. . .
Trying it From
Home
From CU Wireless
Sometimes It’s Like
This
Detecting Filtered
Ports
ACK Scans
Avoiding Detection
UDP Ports
Mapping Versions
Local Software
Learning Versions
To Tell the Truth?
Fingerprinting
Evasive Action
Google Hacking
25 / 39
Avoiding Detection
Scanning
The Basics
■ If a program does a connect() call, the usual
NMAP 3-way TCP handshake will occur
The Network Map
Tool
Finding Hosts
■ The application can log the fact and source of
Finding Hosts on a
LAN
the connection
Port-Scanning
The Real Truth
■ Nmap hand-crafts SYN packets, and responds to
About CS.. . .
Trying it From any SYN+ACK with RST
Home
From CU Wireless
Sometimes It’s Like
■ The TCP open never completes, so the
This
Detecting Filtered
application never notices and can’t log
Ports
ACK Scans
Avoiding Detection
UDP Ports
Mapping Versions
Local Software
Learning Versions
To Tell the Truth?
Fingerprinting
Evasive Action
Google Hacking
26 / 39
UDP Ports
Scanning
The Basics
■ Send a UDP packet
NMAP ■ Watch for a response or an ICMP Port
The Network Map
Tool
Finding Hosts
Unreachable
Finding Hosts on a
LAN
■ No answer at all may indicate a filtered port
Port-Scanning
The Real Truth
About CS.. . .
Trying it From
Home
From CU Wireless
Sometimes It’s Like
This
Detecting Filtered
Ports
ACK Scans
Avoiding Detection
UDP Ports
Mapping Versions
Local Software
Learning Versions
To Tell the Truth?
Fingerprinting
Evasive Action
Google Hacking
27 / 39
Mapping Versions
Scanning
The Basics
■ Why do we want to?
NMAP ■ Particular applications may have (security)
The Network Map
Tool
Finding Hosts
bugs
Finding Hosts on a
LAN
■ Particular versions of particular applications
Port-Scanning
The Real Truth
may have (security) bugs
About CS.. . .
Trying it From
Home
From CU Wireless
Sometimes It’s Like
This
Detecting Filtered
Ports
ACK Scans
Avoiding Detection
UDP Ports
Mapping Versions
Local Software
Learning Versions
To Tell the Truth?
Fingerprinting
Evasive Action
Google Hacking
28 / 39
Local Software
Scanning
Google Hacking
Service Info: OS: Unix
29 / 39
Learning Versions
Scanning
The Basics
■ How does nmap get that data?
NMAP
■ Many services announce it right away:
The Network Map
Tool
Finding Hosts
Finding Hosts on a
LAN
# telnet www.cs.columbia.edu 80
Port-Scanning Trying 128.59.23.100...
The Real Truth
About CS.. . . Connected to shadow.cs.columbia.edu.
Trying it From
Home Escape character is ’^]’.
From CU Wireless
Sometimes It’s Like GET / HTTP/1.0
This
Detecting Filtered
Ports
ACK Scans
HTTP/1.1 200 OK
Avoiding Detection Date: Thu, 02 Nov 2006 05:49:38 GMT
UDP Ports
Mapping Versions Server: Apache/1.3.33 (Unix) mod_ssl/2.8.22 Open
Local Software
Learning Versions
X-Powered-By: PHP/4.3.11
To Tell the Truth?
Fingerprinting
Evasive Action
■ In other cases, it uses heuristics
Google Hacking
30 / 39
To Tell the Truth?
Scanning
Google Hacking
31 / 39
Fingerprinting
Scanning
The Basics
■ Various heuristics can be used to identify OS
NMAP and version
The Network Map
Tool
Finding Hosts
■ Example: look at initial sequence number
Finding Hosts on a
LAN
patterns, support for TCP options, initial
Port-Scanning
The Real Truth
window size, etc.
About CS.. . .
Trying it From ■ Get uptime from TCP timestamp option
Home
From CU Wireless
Sometimes It’s Like
■ Evaluate sequence number and IPid field
This
Detecting Filtered
predictability
Ports
ACK Scans ■ But good guys need version numbers for site
Avoiding Detection
UDP Ports management
Mapping Versions
Local Software ■ Net result: hiding version numbers tends to
Learning Versions
To Tell the Truth? hurt the good guys more than the bad guys
Fingerprinting
Evasive Action
Google Hacking
32 / 39
Evasive Action
Scanning
The Basics
■ Nmap has many techniques to avoid detection
NMAP ■ Example: randomized scan orders, decoy hosts,
The Network Map
Tool
Finding Hosts
zombies, bounce attacks, etc.
Finding Hosts on a
LAN
■ Nasty example: --badsum
Port-Scanning
The Real Truth
■ Send packet with a bad TCP checksum
About CS.. . .
Trying it From ■ Hosts will drop such packets — but some IDS
Home
From CU Wireless
Sometimes It’s Like
won’t. . .
This
Detecting Filtered
Ports
ACK Scans
Avoiding Detection
UDP Ports
Mapping Versions
Local Software
Learning Versions
To Tell the Truth?
Fingerprinting
Evasive Action
Google Hacking
33 / 39
Scanning
The Basics
NMAP
Google Hacking
Google Hacking
The Santy Worm
Picking Out Versions
Interesting Files
Conclusions
Google Hacking
34 / 39
Google Hacking
Scanning
The Basics
■ Many web sites are insecure
NMAP ■ Probable insecurity is often detectable just by
Google Hacking
Google Hacking
seeing what files are on the site, i.e.,
The Santy Worm
Picking Out Versions
known-bad scripts
Interesting Files
Conclusions
■ Google knows all. . .
35 / 39
The Santy Worm
Scanning
The Basics
■ Use Google to find sites running the PHP
NMAP Bulletin Board (phpBB)
Google Hacking
Google Hacking
■ Take over the site via flaws in (some versions
The Santy Worm
Picking Out Versions
of) phpBB
Interesting Files
Conclusions
■ Repeat. . .
36 / 39
Picking Out Versions
Scanning
The Basics
■ Sometimes, only a particular version of code is
NMAP vulnerable
Google Hacking
Google Hacking
■ Include the version in the search string
The Santy Worm
Picking Out Versions
■ Example: "Powered by Gallery v1.4.4"
Interesting Files
Conclusions
37 / 39
Interesting Files
Scanning
The Basics
■ filetype:lit lit (books|ebooks) will
NMAP find Ebooks
Google Hacking
Google Hacking
■ Database passwords inside PHP scripts:
The Santy Worm
Picking Out Versions
filetype:inc intext:mysql connect
Interesting Files
Conclusions
■ Your favorite company’s name for closely-held
documents: filetype:doc "XXXX company
confidential"
■ Other queries will find password files, credit
card numbers, etc.
38 / 39
Conclusions
Scanning
The Basics
■ Scanning is a very powerful attack technique
NMAP ■ It’s very hard to hide from a clever scanning
Google Hacking
Google Hacking
program
The Santy Worm
Picking Out Versions
Interesting Files
Conclusions
39 / 39