3 scanning-ger paoctes-pub

2,689 views

Published on

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
2,689
On SlideShare
0
From Embeds
0
Number of Embeds
1,812
Actions
Shares
0
Downloads
50
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

3 scanning-ger paoctes-pub

  1. 1. Laboratório do Curso de Segurança Ofensiva Scanning de Portas e Gerador de pacotes 1. NMAP Opções Básicas -sT = Scaneia portas apenas do protocolo TCP. -sU = Scaneia portas apenas do protocolo UDP. -sS = Scaneia usando pacotes tcp com o flag SYN ativado. -sA = Scaneia usando pacotes tcp com o flago ACK ativado. Ótimo para burlar a segurança de programas firewalls e descobrir suas regras de filtragem. -sP = Scan de ping. Varre uma grande faixa de ips usando mensagens icmp echo request para determinar os hosts ativos("alive") na(s) rede(s). -P0 = Não disparar o ping em scans. Serve para scannear máquinas que bloqueiam tráfego do protocolo icmp. -O = Finger printing. Usado para obter informações remotas sobre o sistema operacional da vitima. -sV = Obtém informações do tipo de serviço rodando em uma porta específica que esteja aceitando conexões. Essa opção é muito útil para saber se é uma versão antiga que possa ser remotamente explorada com o uso de exploits para invasão do sistema ou outros objetivos. -p = Especifica uma faixa de portas, ou uma única porta de serviço a ser scaneada. Ver: http://www.vivaolinux.com.br/artigos/impressora.php?codigo=13548 Solution Consultoria e Treinamento www.solution-rj.com.br Rua Monan Pequeno 38/38, Pendotiba, Niterói, RJ. Email: solution@solution-rj.com.br/Tel: 021 8732-9993 1
  2. 2. Sem parâmetros root@bt:~# nmap Nmap 5.61TEST4 ( http://nmap.org ) Usage: nmap [Scan Type(s)] [Options] {target specification} TARGET SPECIFICATION: Arquivos importantes em /usr/local/share/nmap Escanear 172.16.50.40 (Windows2003-XAMP-ENG) root@bt:~# nmap 172.16.50.40 Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-06-25 17:48 BRT Nmap scan report for 172.16.50.40 Host is up (1.0s latency). Not shown: 991 closed ports PORT STATE SERVICE 21/tcp open ftp 80/tcp open http 135/tcp open msrpc 139/tcp open netbios-ssn 443/tcp open https 445/tcp open microsoft-ds 514/tcp filtered shell 1025/tcp open NFS-or-IIS 3306/tcp open mysql Nmap done: 1 IP address (1 host up) scanned in 94.39 seconds root@bt:~# Solution Consultoria e Treinamento www.solution-rj.com.br Rua Monan Pequeno 38/38, Pendotiba, Niterói, RJ. Email: solution@solution-rj.com.br/Tel: 021 8732-9993 2
  3. 3. Banners root@bt:~# nmap -sV 172.16.50.40 Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-06-25 18:21 BRT Nmap scan report for 172.16.50.40 Host is up (0.00077s latency). Not shown: 992 closed ports PORT STATE SERVICE VERSION 21/tcp open ftp FileZilla ftpd 0.9.32 beta 80/tcp open http Apache httpd 2.2.12 ((Win32) DAV/2 mod_ssl/2.2.12 OpenSSL/0.9.8k mod_autoindex_color PHP/5.3.0 mod_perl/2.0.4 Perl/v5.10.0) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn 443/tcp open ssl/http Apache httpd 2.2.12 ((Win32) DAV/2 mod_ssl/2.2.12 OpenSSL/0.9.8k mod_autoindex_color PHP/5.3.0 mod_perl/2.0.4 Perl/v5.10.0) 445/tcp open microsoft-ds Microsoft Windows 2003 or 2008 microsoft-ds 1025/tcp open msrpc Microsoft Windows RPC 3306/tcp open mysql MySQL (unauthorized) Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows Service detection performed. Please report any incorrect results at http://nmap.org/submit/ Nmap done: 1 IP address (1 host up) scanned in 13.70 seconds detecção de S.O root@bt:~# nmap -O 172.16.50.40 Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-06-25 18:20 BRT Nmap scan report for 172.16.50.40 Host is up (0.0011s latency). Not shown: 992 closed ports PORT STATE SERVICE 21/tcp open ftp 80/tcp open http 135/tcp open msrpc 139/tcp open netbios-ssn 443/tcp open https 445/tcp open microsoft-ds 1025/tcp open NFS-or-IIS 3306/tcp open mysql Device type: general purpose Running: Microsoft Windows 2003 OS CPE: cpe:/o:microsoft:windows_server_2003 OS details: Microsoft Windows Server 2003 SP1 or SP2 Network Distance: 2 hops OS detection performed. Please report any incorrect results at http://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 3.07 seconds root@bt:~# Solution Consultoria e Treinamento www.solution-rj.com.br Rua Monan Pequeno 38/38, Pendotiba, Niterói, RJ. Email: solution@solution-rj.com.br/Tel: 021 8732-9993 3
  4. 4. Ping em rede root@bt:~# nmap -sP 172.16.49.0/24 Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-06-25 18:13 BRT Nmap scan report for 172.16.49.1 Host is up (0.00025s latency). MAC Address: 00:50:56:C0:00:08 (VMware) Nmap scan report for 172.16.49.2 Host is up (0.00027s latency). MAC Address: 00:50:56:F3:86:20 (VMware) Nmap scan report for 172.16.49.130 Host is up. Nmap scan report for 172.16.49.254 Host is up (0.00025s latency). MAC Address: 00:50:56:E2:64:64 (VMware) Nmap done: 256 IP addresses (4 hosts up) scanned in 4.19 seconds root@bt:~# Subir o serviço SSH no firewall na porta 60000 - editar arq /etc/ssh/sshd.conf e rebootar serviço root@ubuntu:~# more /etc/ssh/sshd_config # Package generated configuration file # See the sshd_config(5) manpage for details # What ports, IPs and protocols we listen for Port 60000 # Use these options to restrict which interfaces/protocols sshd will bind to #ListenAddress :: #ListenAddress 0.0.0.0 Protocol 2 root@ubuntu:~# /etc/init.d/ssh restart Rather than invoking init scripts through /etc/init.d, use the service(8) utility, e.g. service ssh restart Since the script you are attempting to invoke has been converted to an Upstart job, you may also use the restart(8) utility, e.g. restart ssh ssh start/running, process 10398 root@ubuntu:~# netstat -natp | grep ssh tcp 0 0 0.0.0.0:60000 0.0.0.0:* LISTEN 10398/sshd tcp6 0 0 :::60000 :::* LISTEN 10398/sshd root@ubuntu:~# Solution Consultoria e Treinamento www.solution-rj.com.br Rua Monan Pequeno 38/38, Pendotiba, Niterói, RJ. Email: solution@solution-rj.com.br/Tel: 021 8732-9993 4
  5. 5. Realizar scaneamento normalmente root@bt:~# nmap 172.16.49.100 Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-06-25 18:32 BRT Nmap scan report for 172.16.49.100 Host is up (0.00040s latency). Not shown: 996 closed ports PORT STATE SERVICE 21/tcp open ftp 80/tcp open http 3128/tcp open squid-http 8888/tcp open sun-answerbook MAC Address: 00:0C:29:FB:E5:B6 (VMware) Nmap done: 1 IP address (1 host up) scanned in 0.31 seconds root@bt:~# Realizar scaneamento em todas as portas root@bt:~# nmap -p 1-65535 -sV 172.16.49.100 Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-06-25 18:34 BRT Nmap scan report for 172.16.49.100 Host is up (0.00075s latency). Not shown: 65530 closed ports PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 2.3.0 80/tcp open http Apache httpd 2.2.16 ((Ubuntu)) 3128/tcp open http-proxy Squid webproxy 3.1.6 8888/tcp open http-proxy Tinyproxy 1.8.2 60000/tcp open ssh OpenSSH 5.5p1 Debian 4ubuntu6 (protocol 2.0) MAC Address: 00:0C:29:FB:E5:B6 (VMware) Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:kernel Service detection performed. Please report any incorrect results at http://nmap.org/submit/ Nmap done: 1 IP address (1 host up) scanned in 123.86 seconds root@bt:~# Solution Consultoria e Treinamento www.solution-rj.com.br Rua Monan Pequeno 38/38, Pendotiba, Niterói, RJ. Email: solution@solution-rj.com.br/Tel: 021 8732-9993 5
  6. 6. Scanning UDP root@bt:~# nmap -sU -vv -p1-200 172.16.50.20 Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-06-25 23:57 BRT Initiating Ping Scan at 23:57 Scanning 172.16.50.20 [4 ports] Completed Ping Scan at 23:57, 0.01s elapsed (1 total hosts) Initiating Parallel DNS resolution of 1 host. at 23:57 Completed Parallel DNS resolution of 1 host. at 23:57, 0.05s elapsed Initiating UDP Scan at 23:57 Scanning 172.16.50.20 [200 ports] Discovered open port 123/udp on 172.16.50.20 Discovered open port 137/udp on 172.16.50.20 Completed UDP Scan at 23:57, 1.25s elapsed (200 total ports) Nmap scan report for 172.16.50.20 Host is up (0.0041s latency). Scanned at 2012-06-25 23:57:10 BRT for 1s Not shown: 196 closed ports PORT STATE SERVICE 123/udp open ntp 137/udp open netbios-ns 138/udp open|filtered netbios-dgm 161/udp open|filtered snmp Read data files from: /usr/local/bin/../share/nmap Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds Raw packets sent: 206 (6.089KB) | Rcvd: 199 (11.364KB) Scanear uma porta root@bt:~# nmap -p T:139 172.16.50.20-40 Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-06-26 00:00 BRT Nmap scan report for 172.16.50.20 Host is up (0.0021s latency). PORT STATE SERVICE 139/tcp open netbios-ssn Nmap scan report for 172.16.50.40 Host is up (0.0032s latency). PORT STATE SERVICE 139/tcp open netbios-ssn Nmap done: 21 IP addresses (2 hosts up) scanned in 2.69 seconds root@bt:~# Solution Consultoria e Treinamento www.solution-rj.com.br Rua Monan Pequeno 38/38, Pendotiba, Niterói, RJ. Email: solution@solution-rj.com.br/Tel: 021 8732-9993 6
  7. 7. Grepable - facilita a manipulação root@bt:~# nmap -p T:139 172.16.50.20-40 -oG smb.txt Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-06-26 00:04 BRT Nmap scan report for 172.16.50.20 Host is up (0.0018s latency). PORT STATE SERVICE 139/tcp open netbios-ssn Nmap scan report for 172.16.50.40 Host is up (0.0012s latency). PORT STATE SERVICE 139/tcp open netbios-ssn Nmap done: 21 IP addresses (2 hosts up) scanned in 2.64 seconds root@bt:~# ls Desktop lab_bash-script lab_DNS output.txt rota.sh smb.txt teste.txt teste.txt~ root@bt:~# more smb.txt # Nmap 5.61TEST4 scan initiated Tue Jun 26 00:04:24 2012 as: nmap -p T:139 -oG smb.txt 172.16.50.20-40 Host: 172.16.50.20 () Status: Up Host: 172.16.50.20 () Ports: 139/open/tcp//netbios-ssn/// Host: 172.16.50.40 () Status: Up Host: 172.16.50.40 () Ports: 139/open/tcp//netbios-ssn/// # Nmap done at Tue Jun 26 00:04:27 2012 -- 21 IP addresses (2 hosts up) scanned in 2.64 seconds root@bt:~# grep open smb.txt Host: 172.16.50.20 () Ports: 139/open/tcp//netbios-ssn/// Host: 172.16.50.40 () Ports: 139/open/tcp//netbios-ssn/// root@bt:~# Solution Consultoria e Treinamento www.solution-rj.com.br Rua Monan Pequeno 38/38, Pendotiba, Niterói, RJ. Email: solution@solution-rj.com.br/Tel: 021 8732-9993 7
  8. 8. Scripting engine (4.2) - brute force - info gather - vulnerability scaning - etc Diretório de Configuração - /usr/local/share/nmap/scripts/ ver smb-enum-users.nse (procurar por usage) root@bt:/usr/local/share/nmap/scripts# more smb-enum-users.nse Credit goes out to the <code>enum.exe</code>, <code>sid2user.exe</code>, and <code>user2sid.exe</code> programs. The code I wrote for this is largely based on the techniques used by them. ]] ---- @usage -- nmap --script smb-enum-users.nse -p445 <host> -- sudo nmap -sU -sS --script smb-enum-users.nse -p U:137,T:139 <host> root@bt:/usr/local/share/nmap/scripts# Solution Consultoria e Treinamento www.solution-rj.com.br Rua Monan Pequeno 38/38, Pendotiba, Niterói, RJ. Email: solution@solution-rj.com.br/Tel: 021 8732-9993 8
  9. 9. Enumerar Usuários do Windows 2000 root@bt:# nmap --script smb-enum-users.nse -p139 172.16.50.50 Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-06-26 00:22 BRT Nmap scan report for 172.16.50.50 Host is up (0.011s latency). PORT STATE SERVICE 139/tcp open netbios-ssn Host script results: | smb-enum-users: | WIN2KSQL01Administrator (RID: 500) | Description: Built-in account for administering the computer/domain | Flags: Password does not expire, Normal user account | WIN2KSQL01backup (RID: 1006) | Full name: backup | Flags: Password does not expire, Normal user account | WIN2KSQL01Guest (RID: 501) | Description: Built-in account for guest access to the computer/domain | Flags: Password not required, Password does not expire, Account disabled, Normal user account | WIN2KSQL01IUSR_SRV2 (RID: 1002) | Full name: Internet Guest Account | Description: Built-in account for anonymous access to Internet Information Services | Flags: Password not required, Password does not expire, Normal user account | WIN2KSQL01IWAM_SRV2 (RID: 1003) | Full name: Launch IIS Process Account | Description: Built-in account for Internet Information Services to start out of process applications | Flags: Password not required, Password does not expire, Normal user account | WIN2KSQL01sqlusr (RID: 1005) | Full name: sqlusr | Flags: Normal user account | WIN2KSQL01TsInternetUser (RID: 1000) | Full name: TsInternetUser | Description: This user account is used by Terminal Services. |_ Flags: Password not required, Password does not expire, Normal user account Nmap done: 1 IP address (1 host up) scanned in 0.41 seconds root@bt:# Solution Consultoria e Treinamento www.solution-rj.com.br Rua Monan Pequeno 38/38, Pendotiba, Niterói, RJ. Email: solution@solution-rj.com.br/Tel: 021 8732-9993 9
  10. 10. Verificar Vulnerabilidades SMB root@bt:~# nmap -v --script=smb-check-vulns 172.16.50.40 Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-06-26 00:31 BRT NSE: Loaded 1 scripts for scanning. Initiating Ping Scan at 00:31 Scanning 172.16.50.40 [4 ports] Discovered open port 135/tcp on 172.16.50.40 Discovered open port 21/tcp on 172.16.50.40 Discovered open port 443/tcp on 172.16.50.40 Discovered open port 80/tcp on 172.16.50.40 Discovered open port 3306/tcp on 172.16.50.40 Discovered open port 1025/tcp on 172.16.50.40 Discovered open port 445/tcp on 172.16.50.40 Discovered open port 3389/tcp on 172.16.50.40 Discovered open port 139/tcp on 172.16.50.40 Completed SYN Stealth Scan at 00:31, 1.34s elapsed (1000 total ports) NSE: Script scanning 172.16.50.40. Initiating NSE at 00:31 Completed NSE at 00:31, 0.08s elapsed Nmap scan report for 172.16.50.40 Host is up (0.0014s latency). Not shown: 991 closed ports PORT STATE SERVICE 21/tcp open ftp 80/tcp open http 135/tcp open msrpc 139/tcp open netbios-ssn 443/tcp open https 445/tcp open microsoft-ds 1025/tcp open NFS-or-IIS 3306/tcp open mysql 3389/tcp open ms-term-serv Host script results: | smb-check-vulns: | MS08-067: VULNERABLE | Conficker: Likely CLEAN | regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run) | SMBv2 DoS (CVE-2009-3103): CHECK DISABLED (add '--script-args=unsafe=1' to run) | MS06-025: CHECK DISABLED (remove 'safe=1' argument to run) |_ MS07-029: CHECK DISABLED (remove 'safe=1' argument to run) Testar o uso de todos os scripts nmap --script=all 172.16.50.50 (anon ftp, smb users , password policy, netbios vulnerabilidade etc) Solution Consultoria e Treinamento www.solution-rj.com.br Rua Monan Pequeno 38/38, Pendotiba, Niterói, RJ. Email: solution@solution-rj.com.br/Tel: 021 8732-9993 10
  11. 11. 2. HPING3 (gerador de pacotes) root@bt:~# hping3 -c 1 -V -I eth0 -1 172.16.50.40 using eth0, addr: 172.16.49.130, MTU: 1500 HPING 172.16.50.40 (eth0 172.16.50.40): icmp mode set, 28 headers + 0 data bytes len=46 ip=172.16.50.40 ttl=127 id=44550 tos=0 iplen=28 icmp_seq=0 rtt=0.9 ms --- 172.16.50.40 hping statistic --1 packets tramitted, 1 packets received, 0% packet loss round-trip min/avg/max = 0.9/0.9/0.9 ms root@bt:~# -c = count -V = verbose -I = Network Interface to use -1 = ICMP packet root@bt:~# hping3 -c 1 -V -I eth0 -s 8765 -p 80 -S 172.16.50.40 using eth0, addr: 172.16.49.130, MTU: 1500 HPING 172.16.50.40 (eth0 172.16.50.40): S set, 40 headers + 0 data bytes len=46 ip=172.16.50.40 ttl=127 id=44554 tos=0 iplen=44 sport=80 flags=SA seq=0 win=64240 rtt=3.1 ms seq=3096103240 ack=1389621577 sum=dcf8 urp=0 --- 172.16.50.40 hping statistic --1 packets tramitted, 1 packets received, 0% packet loss round-trip min/avg/max = 3.1/3.1/3.1 ms root@bt:~# -s = source port -p = destination port -S = set the SYN flag in the packet Solution Consultoria e Treinamento www.solution-rj.com.br Rua Monan Pequeno 38/38, Pendotiba, Niterói, RJ. Email: solution@solution-rj.com.br/Tel: 021 8732-9993 11
  12. 12. No flags root@bt:~# hping3 -c 1 -V -I eth0 -s 8765 -p 80 172.16.50.40 using eth0, addr: 172.16.49.130, MTU: 1500 HPING 172.16.50.40 (eth0 172.16.50.40): NO FLAGS are set, 40 headers + 0 data bytes len=46 ip=172.16.50.40 ttl=127 id=44559 tos=0 iplen=40 sport=80 flags=RA seq=0 win=0 rtt=1.4 ms seq=0 ack=1775632469 sum=4d67 urp=0 --- 172.16.50.40 hping statistic --1 packets tramitted, 1 packets received, 0% packet loss round-trip min/avg/max = 1.4/1.4/1.4 ms root@bt:~# Flag FIN set root@bt:~# hping3 -c 1 -V -I eth0 -s 8765 -p 53 -F 172.16.50.40 using eth0, addr: 172.16.49.130, MTU: 1500 HPING 172.16.50.40 (eth0 172.16.50.40): F set, 40 headers + 0 data bytes len=46 ip=172.16.50.40 ttl=127 id=44566 tos=0 iplen=40 sport=53 flags=RA seq=0 win=0 rtt=1.5 ms seq=0 ack=2031154861 sum=d561 urp=0 --- 172.16.50.40 hping statistic --1 packets tramitted, 1 packets received, 0% packet loss round-trip min/avg/max = 1.5/1.5/1.5 ms root@bt:~# hping3 -c 1 -V -I eth0 -s 8765 -p 80 -F 172.16.50.40 using eth0, addr: 172.16.49.130, MTU: 1500 HPING 172.16.50.40 (eth0 172.16.50.40): F set, 40 headers + 0 data bytes len=46 ip=172.16.50.40 ttl=127 id=44567 tos=0 iplen=40 sport=80 flags=RA seq=0 win=0 rtt=1.4 ms seq=0 ack=2070067822 sum=a79b urp=0 --- 172.16.50.40 hping statistic --1 packets tramitted, 1 packets received, 0% packet loss round-trip min/avg/max = 1.4/1.4/1.4 ms root@bt:~# Solution Consultoria e Treinamento www.solution-rj.com.br Rua Monan Pequeno 38/38, Pendotiba, Niterói, RJ. Email: solution@solution-rj.com.br/Tel: 021 8732-9993 12
  13. 13. ACK set root@bt:~# hping3 -c 1 -V -I eth0 -s 8765 -p 80 -A 172.16.50.40 using eth0, addr: 172.16.49.130, MTU: 1500 HPING 172.16.50.40 (eth0 172.16.50.40): A set, 40 headers + 0 data bytes len=46 ip=172.16.50.40 ttl=127 id=44571 tos=0 iplen=40 sport=80 flags=R seq=0 win=0 rtt=6.7 ms seq=120690317 ack=120690317 sum=b96 urp=0 --- 172.16.50.40 hping statistic --1 packets tramitted, 1 packets received, 0% packet loss round-trip min/avg/max = 6.7/6.7/6.7 ms root@bt:~# Solution Consultoria e Treinamento www.solution-rj.com.br Rua Monan Pequeno 38/38, Pendotiba, Niterói, RJ. Email: solution@solution-rj.com.br/Tel: 021 8732-9993 13

×