#! /opt/cpg/bin/do-mgp
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%
%%deffont "standard" tfont "comic.ttf"
# %deffont "standard" tfont "times.ttf"
# %deffont "thick" tfont "arial.ttf"
%deffont "standard" xfont "courier new-bold-r"
%deffont "thick" xfont "arial narrow-bold-r"
%deffont "typewriter" xfont "courier new-bold-r"
%deffont "type2writer" xfont "arial narrow-bold-r"
%%
%% Default settings per each line numbers.
%%
%default 1 leftfill, size 2, fore "gold", back "black", font "thick"
%default 1 bimage "bg-parallel.jpg" 1024x768
%default 2 size 7, vgap 10, prefix " "
%default 3 size 2, bar "darkgreen", vgap 30
%default 4 size 5, fore "lemon chiffon", vgap 30, prefix " ", font "standard"
%%
%% Default settings that are applied to TAB-indented lines.
%%
%tab 1 size 4, vgap 40, prefix " ", icon arc "tomato" 40
%tab 2 size 4, vgap 20, prefix " ", icon box "spring green" 40
%tab 3 size 3, vgap 20, prefix " ", icon delta3 "white" 40
%%
%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%nodefault
%size 7, font "thick", fore "gold", bimage "bg-parallel.jpg" 1024x768
%%area 90 10 3 3
%center

Nmap Hacking
%size 4
by Fyodor
fyodor@insecure.org
http://www.insecure.org/presentations/CanSecWest05/
CanSecWest; May 2005
%image "images/Insecurelogo-eye-blackbg-229x123.gif"
%left
%image "images/mail.insecure.packettrace-noframe.gif"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Host Discovery

%size 6
	TCP SYN probe (-PS)
	TCP ACK probe (-PA)
	UDP probe (-PU)
	ICMP Echo Request/Ping (-PE)
	ICMP Timestamp Request (-PP)
	ICMP Netmask Request (-PM)
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Most Valuable TCP "Ping" Ports

	80 (http)
	25 (smtp)
	22 (ssh)
	443 (https)
	21 (ftp)
	113 (auth)
	23 (telnet)
	53 (domain)
	554 (rtsp)
	3389 (ms-term-server)
	1723 (pptp)
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

TCP SYN or ACK probes?

BOTH!
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Most Valuable UDP "Ping" Ports

Simply pick a high numbered one.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Most Valuable ICMP Ping types

Echo request (-PE) and either Timestamp (-PP) or Netmask (-PM)
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Intense Discovery Combo

-PE -PP -PS21,22,23,25,80,113,21339 -PA80,113,443,10042 --source_port 53

(13 probes rather than 2)
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Results Comparison -- Default Discovery

%size 4
\# nmap -sP -n -T4 -iL 50K_IPs
Starting nmap 3.82.2CSW ( http://www.insecure.org/nmap/ )
[...]
Host 167.154.239.120 appears to be up.
Host 67.8.112.96 appears to be up.
Host 143.169.56.108 appears to be up.
Nmap finished: 50000 IP addresses (
%cont, fore "red"
1770 hosts up
%cont, fore "lemon chiffon"
) scanned in 1867.977 seconds
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Results Comparison -- Intense Discovery

%size 4
\# nmap -sP -PE -PP -PS21,22,23,25,80,113,21339 -PA80,113,443,10042 --source_port 53 -n -T4 -iL 50K_IPs
[...]
Host 143.169.56.108 appears to be up.
Host 143.79.104.9 appears to be up.
Host 68.221.219.76 appears to be up.
Nmap finished: 50000 IP addresses (
%cont, fore "red"
2698 hosts up
%cont, fore "lemon chiffon"
) scanned in 7796.971 seconds
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

ARP Scanning!

	Faster and more reliable than any other scan type on a local LAN
	Implemented in 3.82CSW with -PR
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Single Service Discovery
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Mission Statement

Locate webserver(s) on the Playboy.Com network offering free images
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Step 1: Find the network to scan

core~> whois -h whois.arin.net n playboy
[...]
OrgName:    Playboy
OrgID:      PLAYBO
Address:    680 N. Lake Shore Drive
City:       Chicago
StateProv:  IL
PostalCode: 60611
Country:    US

NetRange:   216.163.128.0 - 216.163.143.255
CIDR:
%cont, fore "red"
216.163.128.0/20
%cont, fore "lemon chiffon"
[...]
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Initial Try

%size 4
nmap -P0 -p80 -oG pb.gnmap 216.163.128.0/20

Starting nmap 3.70 ( http://www.insecure.org/nmap/ )
[...]
Nmap run completed -- 4096 IP addresses (4096 hosts up) scanned in
%cont, fore "red"
1236.309 seconds
%cont, fore "lemon chiffon"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Help Nmap out with timing information.

> host www.playboy.com
www.playboy.com has address 209.247.228.201

Mail servers (host -t mx playboy.com):
mx.la.playboy.com.  10 216.163.128.15
mx.chi.playboy.com.  5 216.163.143.4
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Ping known servers for RTT estimates

%size 4
> ping -c5 mx.chi.playboy.com
PING mx.chi.playboy.com (216.163.143.4) 56(84) bytes of data.

--- mx.chi.playboy.com ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4000ms

> ping -c5 mx.la.playboy.com
PING mx.la.playboy.com (216.163.128.15) 56(84) bytes of data.

--- mx.la.playboy.com ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4011ms
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Perhaps TCP ping will work better

%size 3
\# hping2 --syn -p 25 -c 5 mx.chi.playboy.com
HPING mx.chi.playboy.com (eth0 216.163.143.4)
46 bytes from 216.163.143.4: flags=SA
46 bytes from 216.163.143.4: flags=SA
[cut]
--- mx.chi.playboy.com hping statistic ---
5 packets transmitted, 5 packets received
round-trip min/avg/max = 56.8/58.0/
%cont, fore "red"
61.8 ms
%cont, fore "lemon chiffon"

\# hping2 --syn -p 25 -c 5 mx.la.playboy.com
HPING mx.la.playboy.com (eth0 216.163.128.15)
46 bytes from 216.163.128.15: flags=SA
46 bytes from 216.163.128.15: flags=SA
[cut]
--- mx.la.playboy.com hping statistic ---
5 packets transmitted, 5 packets received
round-trip min/avg/max = 15.4/15.8/
%cont, fore "red"
16.4 ms
%cont, fore "lemon chiffon"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Designing a faster scan

nmap -T4 --max_rtt_timeout 200 --initial_rtt_timeout 150 --min_hostgroup 512 -P0 -p80 -oG pb2.gnmap 216.163.128.0/20
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Re-Launch the scan

%size 4
nmap -T4 --max_rtt_timeout 200 --initial_rtt_timeout 150 --min_hostgroup 512 -P0 -p80 -oG pb2.gnmap 216.163.128.0/20

Starting nmap 3.70 ( http://www.insecure.org/nmap/ )
[...]
Nmap run completed -- 4096 IP addresses (4096 hosts up) scanned in
%cont, fore "red"
868.714 seconds
%cont, fore "lemon chiffon"

Much better than 1236s, but leaves room for improvement.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Yet again, but without DNS

%size 4
nmap -n -T4 --max_rtt_timeout 200 --initial_rtt_timeout 150 --min_hostgroup 512 -P0 -p80 -oG pb2.gnmap 216.163.128.0/20

Starting nmap 3.70 ( http://www.insecure.org/nmap/ )
[...]
Nmap run completed -- 4096 IP addresses (4096 hosts up) scanned in
%cont, fore "red"
192.968 seconds
%cont, fore "lemon chiffon"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Results: Only 2 Webservers Found

%size 4
\# egrep '[^0-9]80/open' pb.gnmap
Host: 216.163.140.20 Ports: 80/open/tcp//http///
Host: 216.163.142.135 Ports: 80/open/tcp//http///
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Add Version Detection (-sV) to the Mix

%size 4
\######## mydoom backdoor PROBE ###########
Probe TCP mydoom q|\\x0d\\x0d|
ports 3127-3198
match mydoom m|\\x04\\x5b\\0\\0\\0\\0\\0\\0| v/mydoom/v012604//
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Defeating Firewalls
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Mission Statement

%size 4
Discern the open TCP ports on Docsrv.Caldera.Com.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

SYN Scan against Docsrv

%size 4
\# nmap -sS -T4 docsrv.caldera.com
Starting nmap 3.76 ( http://www.insecure.org/nmap/ )
Interesting ports on docsrv.caldera.com (216.250.128.247):
(The 1660 ports scanned but not shown below are in state: filtered)
PORT    STATE  SERVICE
80/tcp  open   http
113/tcp closed auth
507/tcp open   crs

Nmap run completed -- 1 IP address (1 host up) scanned in 28.624 seconds
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

FIN Scan of Docsrv

%size 2
\# nmap -sF -T4 docsrv.caldera.com
Starting nmap 3.76 ( http://www.insecure.org/nmap/ )
Interesting ports on docsrv.caldera.com (216.250.128.247):
(The 1624 ports scanned but not shown below are in state: closed)
PORT      STATE         SERVICE
7/tcp     open|filtered echo
9/tcp     open|filtered discard
11/tcp    open|filtered systat
13/tcp    open|filtered daytime
15/tcp    open|filtered netstat
19/tcp    open|filtered chargen
21/tcp    open|filtered ftp
22/tcp    open|filtered ssh
23/tcp    open|filtered telnet
25/tcp    open|filtered smtp
37/tcp    open|filtered time
79/tcp    open|filtered finger
80/tcp    open|filtered http
110/tcp   open|filtered pop3
111/tcp   open|filtered rpcbind
135/tcp   open|filtered msrpc
143/tcp   open|filtered imap
360/tcp   open|filtered scoi2odialog
389/tcp   open|filtered ldap
465/tcp   open|filtered smtps
507/tcp   open|filtered crs
512/tcp   open|filtered exec
513/tcp   open|filtered login
514/tcp   open|filtered shell
515/tcp   open|filtered printer
636/tcp   open|filtered ldapssl
712/tcp   open|filtered unknown
955/tcp   open|filtered unknown
993/tcp   open|filtered imaps
995/tcp   open|filtered pop3s
1434/tcp  open|filtered ms-sql-m
2000/tcp  open|filtered callbook
2766/tcp  open|filtered listen
3000/tcp  open|filtered ppp
3306/tcp  open|filtered mysql
6112/tcp  open|filtered dtspc
32770/tcp open|filtered sometimes-rpc3
32771/tcp open|filtered sometimes-rpc5
32772/tcp open|filtered sometimes-rpc7

Nmap run completed -- 1 IP address (1 host up) scanned in 7.635 seconds
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

ACK Scan against Docsrv

%size 4
\# nmap -sA -T4 docsrv.caldera.com
Starting nmap 3.77 ( http://www.insecure.org/nmap/ )
Interesting ports on docsrv.caldera.com (216.250.128.247):
(The 1661 ports scanned but not shown below are in state: UNfiltered)
PORT     STATE    SERVICE
135/tcp  filtered msrpc
1434/tcp filtered ms-sql-m

Nmap run completed -- 1 IP address (1 host up) scanned in 7.207 seconds
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Window Scan

%right, fore "red"
(Hi Window!)
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Window Scan Technique Explained

	RST with Zero Window -- Port Closed
	RST with Positive Window -- Port Open

%right, fore "red"
(How about returning raw sockets to XP?)
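%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Scan Reply Rules, Worked Through

Added here as a worked example; it is not from the slides or from Nmap's own source. It implements the reply-to-state rules behind the SYN, FIN, ACK and Window scans on the Docsrv slides and runs them over constructed TCP headers; build_tcp_header, parse_tcp_header, classify and scan_summary are names chosen for this example.

```python
import struct
# TCP flag bits in the low byte of the offset/flags field (RFC 793)
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
# The probe each scan type sends; the reply rules in classify() follow from it
PROBE_FLAGS = {"syn": SYN, "fin": FIN, "ack": ACK, "window": ACK}

def build_tcp_header(sport, dport, flags, window, seq=0, ack=0):
    """Constructed 20-byte TCP header (no options, checksum zeroed), used only
    to fabricate sample replies offline."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, window, 0, 0)

def parse_tcp_header(raw):
    """Return (flags, window) from the first 20 bytes of a TCP header."""
    if len(raw) < 20:
        raise ValueError("truncated TCP header")
    fields = struct.unpack("!HHIIHHHH", raw[:20])
    return fields[4] & 0x01FF, fields[5]

def classify(scan, reply):
    """State Nmap reports for one reply to a probe of the given scan type;
    reply is None when nothing came back before the RTT timeout."""
    if scan not in PROBE_FLAGS:
        raise ValueError("unknown scan type: %s" % scan)
    flags, window = parse_tcp_header(reply) if reply is not None else (0, 0)
    if scan == "syn" and flags & SYN and flags & ACK:
        return "open"              # SYN/ACK: something is listening
    if not flags & RST:
        # Nothing usable came back. Open ports ignore a lone FIN (RFC 793), so
        # -sF cannot tell open from filtered; SYN and ACK probes always draw a
        # reply from a reachable stack, so silence there points to a filter.
        return "open|filtered" if scan == "fin" else "filtered"
    if scan == "ack":
        return "unfiltered"        # a RST proves the probe reached the stack
    if scan in ("fin", "syn"):
        return "closed"            # closed ports RST any unexpected segment
    # Window scan: same ACK probe as -sA, but a minority of stacks put a
    # positive window in the RST for open ports and zero for closed ones.
    return "open" if window > 0 else "closed"

def scan_summary(scan, replies):
    """replies maps port -> reply (or None); returns port -> state."""
    return {port: classify(scan, r) for port, r in replies.items()}

if __name__ == "__main__":
    # Constructed replies to an ACK probe, resembling the Docsrv Window scan slide:
    # 80 answers with a positive window, 113 with a zero window, 135 stays silent.
    replies = {80: build_tcp_header(80, 40000, RST | ACK, 4096),
               113: build_tcp_header(113, 40000, RST | ACK, 0), 135: None}
    print(scan_summary("window", replies))  # {80: 'open', 113: 'closed', 135: 'filtered'}
```

The same silent port 135 comes out as "filtered" under -sA and -sW but "open|filtered" under -sF, which is exactly why the FIN slide lists 39 ambiguous ports and the Window slide resolves them.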
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Window Scan against Docsrv

%size 2
\# nmap -sW -T4 docsrv.caldera.com
Starting nmap 3.76 ( http://www.insecure.org/nmap/ )
Interesting ports on docsrv.caldera.com (216.250.128.247):
(The 1624 ports scanned but not shown below are in state: closed)
PORT      STATE    SERVICE
7/tcp     open     echo
9/tcp     open     discard
11/tcp    open     systat
13/tcp    open     daytime
15/tcp    open     netstat
19/tcp    open     chargen
21/tcp    open     ftp
22/tcp    open     ssh
23/tcp    open     telnet
25/tcp    open     smtp
37/tcp    open     time
79/tcp    open     finger
80/tcp    open     http
110/tcp   open     pop3
111/tcp   open     rpcbind
135/tcp   filtered msrpc
143/tcp   open     imap
360/tcp   open     scoi2odialog
389/tcp   open     ldap
465/tcp   open     smtps
507/tcp   open     crs
512/tcp   open     exec
513/tcp   open     login
514/tcp   open     shell
515/tcp   open     printer
636/tcp   open     ldapssl
712/tcp   open     unknown
955/tcp   open     unknown
993/tcp   open     imaps
995/tcp   open     pop3s
1434/tcp  filtered ms-sql-m
2000/tcp  open     callbook
2766/tcp  open     listen
3000/tcp  open     ppp
3306/tcp  open     mysql
6112/tcp  open     dtspc
32770/tcp open     sometimes-rpc3
32771/tcp open     sometimes-rpc5
32772/tcp open     sometimes-rpc7

Nmap run completed -- 1 IP address (1 host up) scanned in 7.304 seconds
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Recent Nmap features

%size 4
	ARP Scanning, ASCII art, etc. (3.82CSW)
	"open|filtered" and "closed|filtered" states (3.81)
	Huge OS fingerprint and version DB updates (3.75)
	New port scanning engine (3.70)
	Estimated Time of Completion in Verbose Mode (-v) (3.70)
		SYN Stealth Scan Timing: About 30.01% done; ETC: 16:04 (0:01:09 remaining)
	--exclude option
	MAC Address printing (3.55)
	Version detection [-sV] (3.45)
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Features for the next CanSecWest

%size 4
	ARP scan spoofing and other improvements
	More raw ethernet support
	New OS Detection Engine
	--reason
	Many version detection improvements and DB updates
	Proxy/Socks scanning
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

Questions?

Any questions about Nmap, Network Reconnaissance, or anything else?
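%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page

nmap-service-probes Entry, Parsed

Added here as a worked example; it is not from the slides or from Nmap's own source. It parses the Probe/ports/match lines shown on the "Add Version Detection (-sV) to the Mix" slide and matches a constructed response against them; parse_probes, parse_ports, unescape and identify are names chosen for this example, and the mydoom entry is assumed to be complete as shown.

```python
import codecs
import re
# Constructed copy of the slide's nmap-service-probes entry (assumed complete);
# the template is the older v/product/version/info/ form shown there.
PROBE_TEXT = r"""
######## mydoom backdoor PROBE ###########
Probe TCP mydoom q|\x0d\x0d|
ports 3127-3198
match mydoom m|\x04\x5b\0\0\0\0\0\0| v/mydoom/v012604//
"""

def unescape(s):  # C-style escapes such as \x0d or \0 -> raw bytes
    return codecs.decode(s.encode("latin-1"), "unicode_escape").encode("latin-1")

def parse_ports(spec):  # "3127-3198,80" -> {80, 3127, ..., 3198}
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def parse_probes(text):
    probes, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):   # blank lines and comments
            continue
        kw, _, rest = line.partition(" ")
        if kw == "Probe":                      # Probe <proto> <name> q|<bytes>|
            proto, name, q = rest.split(" ", 2)
            cur = {"proto": proto, "name": name, "ports": set(), "matches": [],
                   "probe": unescape(re.fullmatch(r"q(.)(.*)\1", q).group(2))}
            probes.append(cur)
        elif kw == "ports":                    # ports this probe is sent to
            cur["ports"] = parse_ports(rest)
        elif kw == "match":                    # match <svc> m|<regex>|[is] <template>
            service, _, rest = rest.partition(" ")
            m = re.match(r"m(.)(.*?)\1([is]*)\s*(.*)", rest)
            flags = (re.I if "i" in m.group(3) else 0) | (re.S if "s" in m.group(3) else 0)
            fields = (m.group(4)[2:].split("/") + [""] * 3)[:3] if m.group(4).startswith("v/") else [""] * 3
            cur["matches"].append({"service": service, "product": fields[0],
                                   "version": fields[1], "info": fields[2],
                                   "regex": re.compile(m.group(2).encode("latin-1"), flags)})
    return probes

def identify(probes, port, response):  # first match whose probe covers port and hits response
    for p in probes:
        if port in p["ports"]:
            for m in p["matches"]:
                if m["regex"].search(response):
                    return m
    return None
```

A banner that does not match the regex, or a port outside 3127-3198, yields None, which is the case a version-detection engine must handle before it ever prints a service name.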