CODENAME: Samurai Skills Course
Module 3: Scanning and Assessment
Ninja-Sec.com

Network Enumeration and Mapping

Network Enumeration Goals
Identify live hosts on customer network ranges and the services, or applications, running on those hosts.
Steps for network enumeration are the same for both internal and external assessments.
Try to identify live hosts first.
Then use scanning techniques to gain additional information that can aid in uncovering sensitive hosts and further exploitation:
Port Scanning
Version Scanning
Service Enumeration
OS Fingerprinting

We will list several tools that can be used for network enumeration; however, Nmap will be the primary one we focus on.
Reasons:
Nmap is capable of every type of network enumeration we cover.
Runs on a command line or a GUI.
Runs on both Windows and *nix.
With Nmap we will only have to cover one interface.
Nmap is one of the only network enumeration tools that is consistently updated.

First type of scanning performed on customer network ranges.
Can be combined with port scanning; however, it can be performed by itself to speed up subsequent scanning.
Called ping sweeping, although good network mapping doesn't just use pings (ICMP echo reply messages).
Used to determine network issues as well as judging latency.
Can be important for planning scan timings and thoroughness.
Determine whether the assessment team will assess all the target hosts or a sample set.

Network Mapping
A host may not respond to a ping request due to multiple factors:
A network device, usually a firewall, may be preventing the responses.
The host may be configured to not respond to pings through local settings or software firewalls.
Can often be determined by a discussion with the client.

Network Mapping Using Nmap
When Nmap is used to ping sweep, it actually sends out 3 packets:
ICMP Ping
TCP port 80 SYN scan.
TCP port 443 SYN scan.
Used to attempt to get through firewalls.
On a local network, Nmap sends ARP requests to every IP for very fast scanning.

Network Mapping with Nmap
nmap -sn <IP range> - standard ICMP, TCP 80 and TCP 443 scan

Network Mapping
Types of Network Mapping Probes
Various ICMP messages
Echo Reply most common
Various TCP Ports and Flags
SYN scans to common ports probably best
A Few Network Mapping Tools
Nmap (most common)
Hping (allows a lot of customization)
Foundstone's SuperScan (older)
Fping
Angry IP Scanner (nice GUI)

Tracerouting is a technique to determine the network path from your host to the target host.
Designed as a troubleshooting tool, but useful for penetration testers for mapping.
Conducting traceroutes can tell you a few things:
Possible multiple paths to the customer network.
Subnets that are physically close together (probably).
Layer 3 network devices in the customer network.
Where boundary and filtering devices reside.

Operates by sending packets with low Time-To-Live (TTL) values, incrementing the value successively to reach each network device in the path.
Traceroutes can use any type of payload packet because the TTL is in the IP header.
ICMP, TCP or UDP (or anything really).

Example Traceroute Using VisualRoute

Network Scanning

Port Scanning
TCP / UDP ports are what applications use to listen on the network.
When an application is listening to serve client requests, it's called a service.
At the most basic level, port scanning is just identifying the services listening on live hosts on the network.
Some implementations and options provide greatly enhanced speed.
But can decrease accuracy.
There are many different ways to attempt to bypass filters.

Port Scanning
Types of Port Scanning
TCP Scanning
Connect Scanning
TCP SYN Scanning
Other TCP Flags
UDP Scanning
*Asynchronous Scanning
Very fast scan technique, but limited accuracy
A Few Network Mapping Tools
Nmap
SuperScan

TCP Connect Scanning
Full TCP Handshake
Because it is conducting a full handshake, very accurate.
Generally uses the OS call to open the port.
It can be run without administrative privileges.
Can be much slower than other TCP scans.

Types of Port Scans
TCP Half-Open (SYN) Scan
The most common type of port scanning.
Much faster than a Connect scan and can be parallelized.
Only sends the first part of the TCP handshake.
Also often called a stealth scan.
Full TCP connections often get logged on a host.
However, SYN scans are obvious to an IDS.

Types of Port Scans
TCP ACK Scan
Used to determine if a port is behind a stateless firewall.
Router ACLs, etc.
Works on the principle that the ACK bit set means a connection is already established.
A stateless firewall may let the packet through, thinking it is part of an already established connection.
An unexpected ACK packet will generate a RST response.
TCP FIN Scan
Another scan used for firewall/IDS evasion, to avoid SYN port scan detection.

nmap -sS <IP Range> - Standard SYN scan of top 1000 ports

Firewalking
A combination of port scanning and tracerouting techniques designed to discover firewall rulesets.
Detects ports that are forwarded by the firewall, but not responding hosts on the internal network.
Works by sending a probe with a Time to Live value one higher than the route to the gateway.
If forwarded by the gateway, the attacker will receive an ICMP Time Exceeded reply.

UDP Port Scanning
UDP is designed for speed, which means no connection setup process.
Relies on ICMP Destination Unreachable messages to indicate closed ports.
Usually filtered by firewall.
A port will only respond when sent a correctly formatted message for that specific protocol.
This means an Open|Filtered result is given unless the port scanner is able to speak the protocol in operation.
UDP usually takes much longer to scan due to increased timeout requirements.

Interpreting Nmap Output
Nmap Output Types
Normal: Human readable format.
Greppable: Results are presented at 1 host per line for analysis via grep.
XML: Results are in XML that can be universally used in other tools.
Dradis Framework
Armitage
Results include:
Command Run
IP Addresses

Interpreting Nmap Output: Greppable Format
Grep is a very powerful command for extracting the useful bits of information from an nmap scan:
Hosts Scanned
Applications Running
Statuses of Services
Can be output to text files or to other commands for further analysis via piping or the output redirection operator.
wc -l can be used in conjunction with grep to count how many
Example:
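
The following is an added example for this section, not code from the original slides or from the Nmap project: a small parser for the greppable (-oG) format that does programmatically what the grep / wc -l pipelines above do by hand. The sample scan output is constructed to match the -oG line layout.

```python
"""Parse Nmap greppable (-oG) output into per-host records.

Added example; not part of the original slides and not Nmap's own code.
The sample output below is constructed to match the -oG line layout
(Host: ... Ports: ... Ignored State: ...).
"""
import re
from collections import Counter

# Constructed sample of an "nmap -sV -oG -" run against three hosts.
SAMPLE_OG = """\
# Nmap 7.94 scan initiated as: nmap -sV -oG - 10.0.0.0/29
Host: 10.0.0.1 ()\tStatus: Up
Host: 10.0.0.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/\tIgnored State: closed (998)
Host: 10.0.0.2 (db.internal)\tStatus: Up
Host: 10.0.0.2 (db.internal)\tPorts: 3306/open/tcp//mysql//MySQL 5.7.42/, 22/filtered/tcp//ssh///\tIgnored State: closed (998)
Host: 10.0.0.3 ()\tStatus: Down
# Nmap done -- 3 IP addresses (2 hosts up) scanned
"""

# "Host: <ip> (<hostname>)<TAB><tab-separated fields>"
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\t(.*)$")


def parse_ports(field):
    """Split a 'Ports:' field into dicts.

    Each entry is port/state/proto/owner/service/rpcinfo/version/ and
    entries are separated by ', '.
    """
    ports = []
    for entry in field.split(", "):
        parts = entry.split("/")
        if len(parts) < 7:
            continue  # malformed entry: skip rather than crash
        ports.append({
            "port": int(parts[0]),
            "state": parts[1],
            "proto": parts[2],
            "service": parts[4],
            "version": parts[6],
        })
    return ports


def parse_greppable(text):
    """Return {ip: {"hostname": str, "status": str|None, "ports": [...]}}."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # '#' comment lines and anything unexpected
        ip, hostname, rest = m.groups()
        rec = hosts.setdefault(ip, {"hostname": hostname, "status": None, "ports": []})
        for field in rest.split("\t"):
            key, _, value = field.partition(": ")
            if key == "Status":
                rec["status"] = value
            elif key == "Ports":
                rec["ports"].extend(parse_ports(value))
    return hosts


def count_open(hosts, service):
    """Same count as: grep '/open/' scan.gnmap | grep <service> | wc -l"""
    return sum(1 for rec in hosts.values()
               for p in rec["ports"]
               if p["state"] == "open" and p["service"] == service)


def service_summary(hosts):
    """Counter of open services across all hosts (e.g. for a findings table)."""
    return Counter(p["service"] for rec in hosts.values()
                   for p in rec["ports"] if p["state"] == "open")
```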

Fingerprinting Host Operating Systems
Many methods exist to determine the operating system of a target host. Some methods can easily be accomplished by the tester:
Banner Grabbing: Service banners can reveal specific information about a target's operating system (although they can be faked).
HINFO Records: The DNS server may store HINFO records which detail a host and its corresponding operating system.
SNMP: An unprotected SNMP server can yield much information about a host.
A legacy version of SNMP with default credentials is sometimes

One of the most reliable methods to fingerprint an OS is by its TCP/IP stack.
This is because the TCP protocol does not specify every aspect of how the protocol will operate.
These areas are left to the interpretation of the operating system developers.
Field values and responses of the packets will help to determine the OS.
Some fields that will generally vary between operating systems:
Initial packet size (16 bits)
Initial TTL (8 bits)
Window size (16 bits)
Max segment size (16 bits)
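
As an added example (not from the slides, and not p0f's or Nmap's code), this shows the passive form of the stack analysis above, as a defender might run it on a network tap for asset inventory: round the observed TTL up to the nearest common initial TTL, then match TTL, window size and MSS against a signature table. The signature table and the captured SYN packets are constructed and illustrative; real tools use far richer signatures.

```python
"""Passive OS guess from TCP/IP header fields (TTL, window size, MSS).

Added example for this section, not from the slides or from p0f/Nmap.
The signature table is constructed and illustrative; real tools also
use option order, DF bit, timestamps and more.
"""

# Common initial TTL values set by different IP stacks.
INITIAL_TTLS = (64, 128, 255)

# Constructed, illustrative signatures: (initial_ttl, window, mss, label).
SIGNATURES = [
    (64, 29200, 1460, "Linux (3.x+ kernel, default sysctl)"),
    (64, 5840, 1460, "Linux (2.6 kernel)"),
    (64, 65535, 1460, "macOS / FreeBSD"),
    (128, 8192, 1460, "Windows (7/8/2008+)"),
    (128, 65535, 1460, "Windows XP / 2003"),
    (255, 4128, 536, "Cisco IOS"),
]

# Fallback when only the TTL family can be established (lower confidence).
TTL_FAMILY = {64: "Unix-like (TTL 64)", 128: "Windows (TTL 128)", 255: "Network device (TTL 255)"}


def initial_ttl(observed_ttl):
    """Round the observed TTL up to the nearest common initial value.

    Each router hop decrements TTL by one, so a packet seen with TTL 57
    most likely started at 64 and crossed 7 hops.
    """
    for start in INITIAL_TTLS:
        if observed_ttl <= start:
            return start
    return None  # a TTL above 255 is impossible in IPv4


def hop_count(observed_ttl):
    """Estimated number of routers between the sender and the capture point."""
    start = initial_ttl(observed_ttl)
    return None if start is None else start - observed_ttl


def guess_os(syn):
    """syn: dict with 'ttl', 'window' and 'mss' taken from a captured SYN."""
    start = initial_ttl(syn["ttl"])
    for sig_ttl, sig_win, sig_mss, label in SIGNATURES:
        if sig_ttl == start and sig_win == syn["window"] and sig_mss == syn["mss"]:
            return label
    return TTL_FAMILY.get(start, "unknown")


# Constructed SYN packets as they might appear in a capture.
CAPTURED_SYNS = [
    {"src": "10.0.0.10", "ttl": 57, "window": 29200, "mss": 1460},
    {"src": "10.0.0.11", "ttl": 121, "window": 8192, "mss": 1460},
    {"src": "10.0.0.12", "ttl": 250, "window": 4128, "mss": 536},
    {"src": "10.0.0.13", "ttl": 60, "window": 14600, "mss": 1460},
]


def fingerprint_all(packets):
    """Map each source address to (OS guess, estimated hop count)."""
    return {p["src"]: (guess_os(p), hop_count(p["ttl"])) for p in packets}
```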

nmap -O <IP range> - Fingerprint the OS along with port scanning

OS Fingerprinting Tools
OS Fingerprinting Techniques
Manual methods
Reading banners, records, SNMP
TCP/IP Fingerprinting
Active TCP/IP stack analysis
Passive TCP/IP stack analysis
Service enumeration
Nmap
P0f (passive fingerprinter)
Xprobe2 (not updated anymore)

Service Fingerprinting
Service fingerprinting is used to determine the actual application listening on a given port.
Hopefully the version of the application can be determined as well.
Some reasons to determine the service and version include:
Often the application only runs on a certain OS (or states the OS it is running on), aiding in OS detection.
Software vulnerabilities occur in specific versions of software.
Knowing the specific version allows the tester to research discovered vulnerabilities specifically associated with it.

Fingerprinting Methods
Many services are simply fingerprinted by the banner displayed.
This can be dangerous because banners can be easily spoofed.
Some tools (such as Nmap) can attempt to match a service against a fingerprint database.
Various algorithms can be used to identify specific services, but generally these tools have to be specific to that service.
Ike-scan, etc.
The most common and easiest method is to fingerprint with Nmap.

Service Fingerprinting with Nmap
nmap -sV <Host> - Aggressive scan, do OS fingerprinting, service fingerprinting and limited NSE scripts (covered later)

Network Enumeration Considerations
Network architecture issues:
High latency: Due to mis-configuration of devices and route management.
Firewalls: Firewalls may be configured so as not to allow traffic through the network, which may prevent discovery.
Timing
Depending on network latency and the amount of data collected, scanning will take different amounts of time.
Being cognizant of these limitations will factor into the engagement time management.
Problem Results:

Speed vs. thoroughness
Depending on network latency and architecture, adjustments to scanning may be required:
Timing: How fast scans will be delivered to the targets.
Parallelism: How many scans will be performed at once.
Retries: If a scan fails, the number of times the scan of the target will be attempted again.
Timeout: How long the port scanner will wait for a response from the target.

Vulnerability Identification and Assessment

Vulnerability Identification
Vulnerability identification is the last step necessary prior to exploiting customer hosts.
Technically, vulnerability identification isn't required.
Exploits could just be sent randomly or based on informed guesses.
However, this would have a pretty low chance of success.
The goal is to identify as specifically as possible the OS and application software, and the software versions, running on customer systems.

Vulnerability Identification Methods
Several methods can be used:
Identifying software and software versions in use by the customer during information gathering.
Reference the Information Gathering Section.
Identifying software versions based on host responses during network enumeration (OS and service fingerprinting).
Already covered in the Network Enumeration section.
Conducting network checks for certain vulnerabilities (limited vulnerability scanning).
Conducting full vulnerability scans against hosts on the network.

Network Checks for Vulnerabilities
Checking for vulnerabilities over the network provides a very limited capability for identification.
Most network vulnerabilities can't be identified without at least causing a DoS condition.
Vulnerabilities in software that doesn't listen on the network (client-side) will not be identified.
A vulnerability scanner used without credentials will only check for network vulnerabilities.
Although, Nmap with the Nmap Scripting Engine can provide the same capability.

Nmap Scripting Engine (NSE)
Powerful and flexible Lua scripting engine that greatly extends the functionality of Nmap.
Provides much more functionality than just network vulnerability identification.
NSE provides several features:
Increased Network Discovery Capabilities
Additional service enumeration
More Sophisticated Version Detection
Additional probes and service interactions
Vulnerability Detection
Checks for known vulnerabilities, generally non-intrusive
Backdoor Detection
Reliably detect more complex backdoors

NSE has a very large (and constantly growing) number of scripts.
Currently there are 221 scripts.
Some notable scripts include:
Citrix enumeration scripts
Database enumeration scripts
DNS enumeration scripts (zone transfers, etc)
Various HTTP enumeration scripts
Enumeration scripts for several database variants
Sniffer detection

nmap -A <host> | nmap -sC <host> - Execute all scripts listed as default against the services with open ports
nmap --script=<script name> - Execute a specific script

Vulnerability Scanners
Several vulnerability scanners are out there, but in essence they all do the same thing.
When given the right credentials and configuration, vulnerability scanners can comprehensively identify almost all known vulnerabilities.
For example, Nessus has over 30,000 checks.

Use of Vulnerability Scanners for Penetration Tests
Many penetration testers think of using vulnerability scanners as cheating.
Many customers think they are not getting a true penetration test if vulnerability scanners are used.
Some reasons include:
They are very loud.
To get meaningful results, they require administrative credentials, which a real attacker wouldn't have.

Use of Vulnerability Scanners for Penetration Tests
A penetration test should assess:
Actual risk presented by the vulnerabilities.
Impacts of successful compromises.
NOT how fast testers can get into the system.
If time is a factor, vulnerability scanning allows testers to focus on identifying real risks.
Instead of poking around for vulnerabilities.

Use of Vulnerability Scanners for Penetration Tests
Credentialed scans:
Use administrative credentials to log into a device.
Verify the device has the appropriate patch/configuration applied.
Un-credentialed scans only detect vulnerabilities in network-facing services.
No checks for user-installed and non-networked software (i.e. Internet Explorer).
Are a best guess for network services.
Version strings in banners can easily be faked.

Windows Server 2008 R2 Enterprise Example
CentOS 5.5 (Linux) Example

What is Needed for Credentialed Scans
Administrative Credentials
Recommend the customer create a separate user, ex. NinjaTest, and enable the account only during testing.
Linux \ UNIX
Secure Shell access (SSH) & root or sudo password.
Network Devices
SSH access and device admin credentials.

What is Needed for Credentialed Scans
Windows
Configure to authenticate remote access as a local user (typically only requires admin rights on the host).
Test account must have local admin rights.
The Windows Management Instrumentation (WMI) service should be enabled for thorough results.
Remote Registry service must be enabled.
File & Printer Sharing must be enabled.
Ports 139 and 445 must be accessible to the scanner.
User Account Control (UAC) should be disabled (Windows Vista,

For some systems, it is very difficult to identify vulnerabilities:
Systems that do not respond well to scanning (mainframes, etc)
Highly specialized systems
Various odd, or old, operating systems
The only way to identify vulnerabilities in these systems is through manual review.
Manual reviews can also check for configuration weaknesses sometimes missed by scanners.
This is very much not a penetration testing activity.
Although, penetration testers can very likely find themselves doing them.
The only way to thoroughly cover this type of activity is to follow a vendor guide (or sometimes industry best practice).

Analyzing Vulnerability Results for Exploitation
Goal: Identify risk associated with specific vulnerabilities.
Customer-specific concerns should be taken into account:
Are there specific protocols that the client is using that are insecure?
Do they want you to demonstrate the effect of vulnerabilities on specific hosts?
Vulnerabilities can be given statistics:
How many web servers/printers/Windows hosts/Unix hosts/network devices are available in the network?
How many systems do not seem to be patched regularly?
How many hosts are affected by X vulnerability?

Analyzing Vulnerability Results for Exploitation
Devise attack scenarios for approval by the customer.
Ensure that they are approved or signed prior to initiating.
Look for publicly available exploits for particular vulnerabilities.
Consider alerting the client to critical findings as soon as possible:
Presence of backdoor software.
Client-specific concerns.

Evasion and Avoidance Techniques

Determine Web Server Version with Third Party Tools

Limited Port Scanning with Third Party Tools

Netcraft Reporter

Many Intel Gathering Activities can be Conducted Online

Evading Detection During Network Enumeration
Any IDS or monitoring capability has a noise threshold for alerts, especially for network enumeration.
The trick is to conduct any scanning beneath the threshold, or raise the threshold above the level of your activities.
Some methods to evade detection:
Slow down scans
Scan with decoys
Fragmenting packets
Modifying standard scan packets

Nmap has probably the largest number of options for adjusting scan timing.
Using the default timing templates is the quickest way to adjust settings.
-T3 (Normal) is the default option.
Using option -T1 (Sneaky) or -T0 (Paranoid) will likely evade most IDS; however, scans will take a very long time.
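
The noise-threshold idea in the two slides above, seen from the monitoring side, as an added example (not from the slides or any IDS product): a detector that alerts when one source touches a minimum number of distinct destination ports inside a sliding time window. The firewall deny lines are constructed in a generic key=value style (the regex is an assumption to adapt to your own format); a -T0 style scan with long gaps stays under a 60-second window, while a longer window with the same port count catches it.

```python
"""Threshold-based port-scan detection over firewall deny logs.

Added example, not from the slides or any IDS product. Log lines are
constructed in a generic key=value style; adapt LINE_RE to your format.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log layout: "<iso-timestamp> DENY src=<ip> dst=<ip> dpt=<port> proto=<proto>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) DENY src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dpt=(?P<dpt>\d+) proto=(?P<proto>\w+)$")


def parse_line(line):
    """Return a dict for a DENY line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
    d["dpt"] = int(d["dpt"])
    return d


def detect_scans(lines, window_seconds=60, min_ports=10):
    """Return {src: first_alert_time} for sources that touch at least
    min_ports distinct destination ports within any window_seconds span."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # src -> deque of (ts, dpt) still inside the window
    alerts = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["dpt"]))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()           # expire events older than the window
        distinct = {p for _, p in q}
        if len(distinct) >= min_ports and ev["src"] not in alerts:
            alerts[ev["src"]] = ev["ts"]
    return alerts


def make_scan_log(src, start, ports, gap_seconds):
    """Build constructed DENY lines: one probe per port, gap_seconds apart."""
    lines = []
    for i, port in enumerate(ports):
        ts = start + timedelta(seconds=i * gap_seconds)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} DENY src={src} dst=10.0.0.5 dpt={port} proto=tcp")
    return lines


# Constructed sample: one fast scanner (1 probe/s) and one -T0 style scanner
# (one probe every 5 minutes), each probing the same 20 ports on 10.0.0.5.
PORTS = [21, 22, 23, 25, 53, 80, 110, 135, 139, 143,
         443, 445, 993, 995, 1433, 1723, 3306, 3389, 5900, 8080]
T0 = datetime(2024, 5, 1, 10, 0, 0)
FAST_LOG = make_scan_log("203.0.113.5", T0, PORTS, gap_seconds=1)
SLOW_LOG = make_scan_log("198.51.100.7", T0, PORTS, gap_seconds=300)
SAMPLE_LOG = sorted(FAST_LOG + SLOW_LOG)  # ISO timestamps sort lexicographically
```

With the defaults only the fast scanner alerts (at its tenth port, 10:00:09); widening the window to an hour also flags the slow scanner at 10:45:00, at the cost of more alerts on ordinary traffic.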

Fragmenting Packets
Fragmenting packets involves splitting normal IP packets into very small chunks (often payloads of no more than 8 bytes).
Can aid in evading some IDS.
Some IDS can't process the large volume of fragments because of the overhead caused and simply drop the packets.
Fragments will be reassembled at the distant endpoint.
Can be a very noisy attack. IP packets are not often fragmented.
Be careful, because it can cause a DoS condition.
Nmap's -f option will fragment scans into 8-byte chunks.
The tool Fragroute will fragment all outbound traffic.

Avoiding Filtering During Network Enumeration
Bypassing network filters allows you to map internal network resources, identify attack vectors and potentially launch additional attacks.
Some methods to bypass network filters:
Scan from a specific source port.
UDP scanning
Source Routing
Some methods to map network filters:
Firewalk
Bad checksums

Some (possibly mis-configured) filtering devices will let any source port through.
Firewalls that maintain a state table should not be vulnerable.
Specifying a source port for all outbound packets can bypass these filters.
Possible candidate ports include:
TCP and UDP port 53 (DNS)
TCP port 20 (FTP)
TCP port 80 (HTTP)

Fewer services listen on UDP ports than TCP ports.
These ports can be overlooked by firewall administrators.
Or allowed through because they are not seen as dangerous.
As discussed in the Network Protocols section, UDP scanning is much slower than TCP scanning.
Best bet is to scan for only a relatively few well known ports.
Some candidate ports could include:
Port 53 DNS
Port 88 Kerberos
Nmap's -sU will scan UDP ports.

Bad Checksums
TCP and UDP both have checksums on their packets to allow the end system to know the packet has not been corrupted.
All endpoint systems will drop packets with bad checksums, thinking the packet was corrupted.
However, some filtering devices will not calculate the checksums, to increase throughput, and instead respond to the packet.
Intentionally sending packets with bad checksums then can

Port Scanning Using Decoys
Scanning using decoys can confuse IDS monitors by generating a (potentially very) large number of alerts, concealing real scanning activity.
nmap -D RND:10 -p 21,23,25,80,110,53,3306,3389,135,139,445 192.168.23.131
Scanning using decoys has the potential to generate a very large number of packets.
10 decoys x 1 class C x 65,000 ports x 3 retries = 549,120,000 packets.
Network resources could get quickly overloaded, so be careful.

Evading firewall options:

Network Enumeration and Mapping - References
SuperScan: http://www.mcafee.com/us/downloads/free-tools/superscan3.aspx
Angry IP Scanner: http://www.angryip.org/w/Home
Scanrand: http://it.toolbox.com/wiki/index.php/Scanrand
Xprobe2: http://sourceforge.net/news/?group_id=30984

Network Scanning References
Online Port Scanners
http://www.t1shopper.com/tools/port-scan/
http://nmap-online.com/
http://www.hashemian.com/tools/port-scanner.php
Nmap: http://nmap.org/
From the Nmap Book:
Scanning Types: http://nmap.org/book/man-port-scanning-techniques.html
Scanning Performance: http://nmap.org/book/man-performance.html
Version Scanning: http://nmap.org/book/vscan-technique.html
OS Fingerprinting: http://nmap.org/book/osdetect.html#osdetect-intro

Vulnerability Assessment and Identification - References
NSE Script Repository: http://nmap.org/nsedoc/index.html
NSE Guide: http://nmap.org/book/nse.html
NSE Usage: http://nmap.org/book/nse-usage.html#nse-categories
Nexpose: http://www.rapid7.com/products/vulnerability-management.jsp
Nessus: http://www.tenable.com/products/nessus
Ncircle: http://www.ncircle.com/index.php?s=products_ip360

Evasion and Avoidance Techniques - References
Nmap Evasion Guide: http://nmap.org/book/man-bypass-firewalls-ids.html
Loose Source Routing Discussion: http://www.synacklabs.net/OOB/LSR.html
LSRTunnel: http://www.synacklabs.net/projects/lsrtunnel/
LSRScan: http://www.synacklabs.net/projects/lsrscan/