An analysis was presented on how to conduct port scanning of an entire country to map out its attack surface and find vulnerable systems. The process involved obtaining the country's IP ranges, selecting important ports and services to scan, using tools like Nmap, Scapy and custom scripts to perform fast TCP and UDP scans, and developing a command center to analyze the results. Distributed scanning was demonstrated using a Raspberry Pi cluster. The presentation also covered using the Shodan search engine to find exposed devices and services online.
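The target-sharding step of such a scan, as an added example (not code from the talk): CIDR ranges are expanded into /24s with the standard library, shuffled deterministically so neighbouring networks are spread across workers and across time, dealt out round-robin to the cluster nodes, and the plan is checked for full, non-overlapping coverage before anything is scanned. The ranges are RFC 5737 documentation and RFC 2544 benchmark prefixes, used here as stand-ins for a real country allocation.

```python
"""Shard a country-sized address space across scanning workers (added example).

Not code from the talk. Expands CIDRs into /24s, shuffles them with a fixed seed,
deals them round-robin to workers and verifies the plan covers every address
exactly once: a missed or double-scanned /24 is the usual bug in home-grown
distributed scanners. SAMPLE_RANGES are documentation/benchmark prefixes.
"""
import ipaddress
import random

SAMPLE_RANGES = ["192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24", "198.18.0.0/15"]


def expand_to_subnets(cidrs, prefix: int = 24):
    """Yield /prefix blocks; ranges already smaller than that pass through unchanged."""
    for c in cidrs:
        net = ipaddress.ip_network(c, strict=False)
        if net.prefixlen >= prefix:
            yield net
        else:
            yield from net.subnets(new_prefix=prefix)


def shard_targets(cidrs, workers: int, seed: int = 0, prefix: int = 24) -> list:
    """Return one list of networks per worker; shard sizes differ by at most one."""
    subnets = list(expand_to_subnets(cidrs, prefix))
    random.Random(seed).shuffle(subnets)  # fixed seed: a rerun reproduces the same plan
    shards = [[] for _ in range(workers)]
    for i, net in enumerate(subnets):
        shards[i % workers].append(net)  # adjacent /24s land on different workers
    return shards


def plan_is_complete(shards, cidrs) -> bool:
    """True iff the shards cover exactly the requested space with no overlap."""
    assigned = [n for shard in shards for n in shard]
    wanted = list(ipaddress.collapse_addresses(
        [ipaddress.ip_network(c, strict=False) for c in cidrs]))
    covered = list(ipaddress.collapse_addresses(assigned))
    # collapse_addresses merges overlaps, so compare address counts to catch duplicates
    no_overlap = sum(n.num_addresses for n in assigned) == sum(n.num_addresses for n in covered)
    return covered == wanted and no_overlap


if __name__ == "__main__":
    plan = shard_targets(SAMPLE_RANGES, workers=4)
    for i, shard in enumerate(plan):
        print(f"worker {i}: {len(shard)} networks, first {shard[0]}")
    print("complete:", plan_is_complete(plan, SAMPLE_RANGES))
```

Each worker's shard can be written out one network per line and fed to a scanner with Nmap's -iL; the coverage check is the part to keep even if the rest is replaced, since it catches a dropped worker (gap) and a duplicated shard (overlap) before the scan starts.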
Here are a few things you can typically get from SNMP queries:
- System information - OS name, version, uptime, hardware details
- Network configuration - IP addresses, subnet masks, default gateways
- Interface statistics - traffic volumes, errors
- Storage information - disk space usage, volumes
- Processor load and usage
- Memory usage
- Running services and processes
- Temperature, fan speeds (for hardware devices)
SNMP exposes a wealth of monitoring data that shows what is running and how devices are configured. It is a bad idea, however, to leave SNMP reachable with only an SNMPv1/v2c community string as authentication: the string travels in cleartext, a default read-only string such as public hands all of the above to anyone who can reach UDP/161, and a default read-write string such as private lets them change the device's configuration as well.
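To make the community-string point concrete, here is an added example (not code from the original page) that BER-encodes the SNMPv2c GetRequest an snmpget for sysDescr.0 would send and parses the outer message back. The OID and the community strings are constructed sample values; the set of "default" communities is an assumption limited to the two well-known factory strings.

```python
"""Minimal SNMPv2c GetRequest encoder/decoder (BER), added as an example.

Not code from the original page. It builds the kind of packet snmpget/snmpwalk
send to UDP/161 and parses the header back, to show why a community string is
not real authentication: it is a plain OCTET STRING, readable by anyone on the
path. All sample values are constructed.
"""

# X.690 universal tags, plus SNMP's context-specific PDU tags
INTEGER, OCTET_STRING, NULL, OID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2
DEFAULT_COMMUNITIES = {"public", "private"}  # assumption: the two factory defaults worth alerting on


def _ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(value)) + value


def _int(v: int) -> bytes:
    """Minimal two's-complement INTEGER (version, request-id, error fields)."""
    return _tlv(INTEGER, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))


def _oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed into one byte, base-128 after that."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(OID, bytes(out))


def build_get_request(community: str, oid: str, request_id: int = 1) -> bytes:
    """SNMPv2c GetRequest for one OID. Version field: 0 = v1, 1 = v2c, 3 = v3."""
    varbind_list = _tlv(SEQUENCE, _tlv(SEQUENCE, _oid(oid) + _tlv(NULL, b"")))
    pdu = _tlv(GET_REQUEST, _int(request_id) + _int(0) + _int(0) + varbind_list)
    return _tlv(SEQUENCE, _int(1) + _tlv(OCTET_STRING, community.encode()) + pdu)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_snmp_header(pkt: bytes) -> dict:
    """Version, community and PDU type from the outer message; nothing is hashed or encrypted."""
    tag, body, _ = _read_tlv(pkt, 0)
    if tag != SEQUENCE:
        raise ValueError("not an SNMP message")
    t_ver, version, pos = _read_tlv(body, 0)
    t_com, community, pos = _read_tlv(body, pos)
    pdu_tag, _, _ = _read_tlv(body, pos)
    if t_ver != INTEGER or t_com != OCTET_STRING:
        raise ValueError("malformed SNMP header")
    return {
        "version": int.from_bytes(version, "big", signed=True),
        "community": community.decode("ascii", errors="replace"),
        "pdu_tag": pdu_tag,
    }


def uses_default_community(pkt: bytes) -> bool:
    """What a passive monitor on the wire would alert on: a request carrying a factory default."""
    return parse_snmp_header(pkt)["community"] in DEFAULT_COMMUNITIES


if __name__ == "__main__":
    pkt = build_get_request("public", "1.3.6.1.2.1.1.1.0", request_id=42)  # sysDescr.0
    print(pkt.hex(" "))
    print(parse_snmp_header(pkt), uses_default_community(pkt))
```

The hex dump shows the community string in the clear a few bytes into the datagram; the same parser, pointed at captured UDP/161 payloads, is enough to inventory which community strings are actually in use on a network.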
Nmap is a free and open-source tool for network discovery and security auditing. It can be used to discover hosts and services on a computer network by scanning target hosts and performing port scanning, version detection, and OS detection. System administrators, network engineers, and auditors use Nmap for security auditing, compliance testing, asset management, and network/system inventory. While Nmap provides useful information for hardening network security, it can also be used maliciously for reconnaissance, so permission should be obtained before using it on networks.
The document discusses various scan types available in the nmap port scanner program. It describes TCP connect scans which actively connect to ports, SYN stealth scans which send SYN packets to identify open and closed ports without fully establishing connections, and less common FIN, NULL and XMAS scans. It also covers ping scans to identify online systems, UDP scans, and options for customizing scans to avoid detection like altering timing and using decoys. The goal is to help users understand different scan techniques and how to choose scans suited to different target types or detection avoidance needs.
The document discusses different nmap scanning techniques including SYN scans, FIN scans, ACK scans, and window scans. It provides pros and cons of each technique. It then details a mission to penetrate SCO's firewall and discern open ports on a target system using different scan types. Another mission works to locate webservers on the Playboy network offering free images, optimizing the scan by getting timing information and scanning faster without DNS lookups. Several IP addresses with port 80 open are identified.
Developers and researchers are confronted with a huge number of tools and technologies in their daily work, each with its own pros and cons. This matters for network devices intended to stop attacks: they have to be "omnivores" with regard to network protocols. The speaker's passion is to study and recreate hacker attacks, exploits and tactics at the network level in order to develop reliable detection techniques for intrusion detection systems. While working on many attacks he noticed subtle network conditions under which a packet sequence slips past the IDS but still reaches the target. Will your IDS detect that a data connection was broken? Using nc and a Linux machine, the speaker demonstrates four CVEs he found for bypassing IDS systems, using the popular Suricata IDS as the example.
Nmap is a popular port scanning tool used to discover open ports and services on a target system. It works by sending packets with different TCP flags such as SYN, ACK and FIN and interpreting the response (SYN/ACK, RST or no answer at all) to decide whether a port is open, closed or filtered. Scanning techniques include SYN (stealth) scanning, Xmas scanning, FIN scanning and NULL scanning. What these techniques yield is a map of listening services; that map is the starting point for finding vulnerable services, not a compromise in itself.
Nmap is an open source tool that scans networks to identify devices, services, and operating systems. It works by crafting custom IP packets with different flags using raw sockets to elicit responses that provide information not otherwise available. Nmap can perform various types of scans, identify hosts and services, detect firewalls and IDS, and determine operating systems through detailed analysis of responses. It provides flexible output options and techniques for advanced scanning, packet alteration, and timing control.
NMAP is a network scanning tool that can perform various types of scans, including port scans, version detection scans, and OS detection scans. It has many options to control the type and timing of scans. The document provides details on NMAP scan types like TCP SYN scans, ping scans using different packet types, and port scanning techniques. It also covers topics like port states, common ports, scan timing and output options.
This document provides an overview and agenda for a training on the Nmap Scripting Engine (NSE). It begins with a 10 minute introduction to Nmap, covering what Nmap is used for and some basic scan options. Next, it spends 20 minutes reviewing the existing NSE script categories and how to use available scripts, demonstrating two sample scripts. Finally, it dedicates 20 minutes to explaining how to write your own NSE script, including the basic structure and providing an example of writing a script to find the website title.
Nmap is a network exploration tool that collects information about target hosts including open ports, services, OS detection, and running scripts. It offers various host discovery techniques like ICMP ping, TCP and UDP ping to find active systems on the network. Once hosts are identified, nmap performs port scanning using TCP SYN, ACK, and UDP scans to determine open and closed ports. It can also detect services, versions, and OS on each host. Nmap scripts provide additional information gathering capabilities for vulnerabilities and exploits.
This document discusses various port scanning techniques used by hackers to discover services, operating systems, and open ports on target hosts. It explains common TCP scans like SYN scans which identify open and closed ports, and UDP scans. Timing options and techniques for hiding scans are also covered. The document provides examples of using the Nmap tool to perform scans and identify operating systems.
Nmap (Network Mapper) is an Open Source utility which can quickly scan broad ranges of devices and provide valuable information about the devices on your network. It can be used for IT auditing and asset discovery as well as security profiling of the network.
Nmap is a security scanning tool used to discover hosts and services on a computer network. It sends specially crafted packets to target hosts and analyzes the responses to perform functions like host discovery, port scanning, version detection, and operating system detection. The document provides 20 examples of Nmap commands, such as commands to scan a single host or IP address, scan multiple addresses or ranges, perform specific scans like OS detection or version detection, and save scan output to files.
Network Penetration Testing Toolkit - Nmap, Netcat, and Metasploit Basics (Bishop Fox)
Learn the basics of network penetration testing success - an introduction to the top three tools that will help you on your security journey: Nmap, Netcat, and Metasploit. See how to use Nmap both for port scanning and vulnerability discovery. You'll also learn how to use Netcat to grab banners, make HTTP requests, and create both reverse and bind shells. Finally, we’ll learn the ins and outs of Metasploit, including how to integrate our Nmap scan results for even more ownage and using the built-in exploits to get shells.
At the end of this, you will be port scanning, creating payloads, and popping shells. This technical workshop is designed to familiarize you with the necessary tools to continue your ethical hacking journey. From here, take your l33t new skillz and apply them to Capture The Flag (CTF) competitions or scanning your home network for vulnerabilities.
(This was originally presented on February 22, 2010 at Day of Shecurity Boston 2019).
Nmap is a free and open source tool for network discovery and security auditing. It was written by Fyodor and allows users to identify hosts on a network, determine services and operating systems running on them, and discover vulnerabilities. The document outlines the basic anatomy of a scan, describing the DNS lookup, ping, reverse DNS lookup, and scan steps. It also covers different scan types like TCP SYN, connect, ping, and UDP scans as well as useful options for excluding or including targets, specifying port numbers, and adjusting ping behavior. Later modules discuss operating system and version detection, stealth scanning techniques, timing options, and randomizing scans.
www.lifein01.com - for more info
Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, which services (application name and version) those hosts are offering, which operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.
This document discusses packet sniffing and ways to detect and prevent it. Packet sniffing means capturing network traffic with a sniffer tool and analyzing it. Switches make sniffing harder than hubs because they forward frames only to the intended port, but attacks such as ARP spoofing can still redirect traffic to a sniffer. The document outlines techniques for detecting sniffers and ARP cache poisoning, including tools like Arpwatch, and recommends prevention measures: port security, authentication, encryption, and secure protocols.
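The Arpwatch-style detection described above, as an added example (not code from the page or from Arpwatch): raw Ethernet/ARP frames are parsed, the IP-to-MAC bindings a LAN monitor would learn are recorded, and an alert is raised when an already-bound IP suddenly answers from a different MAC, which is what ARP spoofing into a man-in-the-middle position looks like on the wire. The LAN, addresses and frames are constructed samples.

```python
"""Arpwatch-style detector for ARP cache poisoning (added example).

Not code from the page or from Arpwatch. Parses Ethernet II + ARP frames,
learns first-seen IP->MAC bindings and reports "changed ethernet address"
when an IP moves to another MAC. All frames are constructed samples.
"""

BROADCAST = "ff:ff:ff:ff:ff:ff"


def _mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def _ip(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def make_arp_frame(op: int, sender_mac: str, sender_ip: str,
                   target_mac: str, target_ip: str) -> bytes:
    """Ethernet II + ARP for IPv4 over Ethernet (op 1 = request, 2 = reply)."""
    dst = BROADCAST if op == 1 else target_mac
    ethernet = _mac(dst) + _mac(sender_mac) + b"\x08\x06"
    arp = (b"\x00\x01" + b"\x08\x00" + b"\x06\x04" + op.to_bytes(2, "big")
           + _mac(sender_mac) + _ip(sender_ip) + _mac(target_mac) + _ip(target_ip))
    return ethernet + arp


def parse_arp_frame(frame: bytes) -> dict:
    """Decode the fields a watcher needs; rejects anything that is not Ethernet/ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        raise ValueError("not an Ethernet/ARP frame")
    arp = frame[14:42]
    return {
        "op": int.from_bytes(arp[6:8], "big"),
        "sender_mac": arp[8:14].hex(":"),
        "sender_ip": ".".join(str(b) for b in arp[14:18]),
        "target_mac": arp[18:24].hex(":"),
        "target_ip": ".".join(str(b) for b in arp[24:28]),
    }


class ArpWatch:
    """Tracks first-seen bindings and reports changed MACs, as Arpwatch does."""

    def __init__(self):
        self.bindings = {}  # ip -> mac
        self.alerts = []

    def observe(self, frame: bytes) -> None:
        a = parse_arp_frame(frame)
        ip, mac = a["sender_ip"], a["sender_mac"]
        if ip == "0.0.0.0":
            return  # ARP probe during address acquisition carries no binding
        known = self.bindings.get(ip)
        if known is None:
            self.bindings[ip] = mac
        elif known != mac:
            kind = "reply" if a["op"] == 2 else "request"
            self.alerts.append(f"changed ethernet address: {ip} was {known}, now {mac} (via {kind})")
            self.bindings[ip] = mac  # keep following it so a flip back is reported too


def run_sample() -> list:
    """Constructed LAN: gateway .1, victim .20, then an attacker claiming to be .1."""
    gw, victim, attacker = "02:00:00:00:00:01", "02:00:00:00:00:20", "02:00:00:00:00:66"
    frames = [
        make_arp_frame(1, victim, "10.0.0.20", "00:00:00:00:00:00", "10.0.0.1"),  # who has .1?
        make_arp_frame(2, gw, "10.0.0.1", victim, "10.0.0.20"),                     # legitimate reply
        make_arp_frame(1, gw, "10.0.0.1", "00:00:00:00:00:00", "10.0.0.20"),        # normal traffic
        make_arp_frame(2, attacker, "10.0.0.1", victim, "10.0.0.20"),               # poisoning reply
    ]
    watch = ArpWatch()
    for f in frames:
        watch.observe(f)
    return watch.alerts


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The first binding wins only because it was seen first; on a real network the detector should be seeded from a known-good table (the gateway's MAC in particular) so that an attacker who poisons before the monitor starts does not become the baseline.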
Nmap is a security scanning tool that can discover open ports, scan for services, and determine operating systems on a network. It works by sending packets to IP addresses and analyzing the responses to infer information about the target system, such as which ports are open or closed and what services are running. Nmap displays this information to the user and can be run from both graphical and command line interfaces on many operating systems. While useful for security auditing, Nmap could also enable hacking if used without permission on a network.
Port scanning is the process of examining IP addresses to determine what services are running on a network. It can be used by administrators to verify security policies and by attackers to identify vulnerabilities. Nmap is one of the most popular port scanners and adds features like OS detection. Shadow Security Scanner is a port scanning tool that audits services like FTP, SSH and SMTP and supports expanding its capabilities through an open ActiveX architecture. To prevent attacks, network devices should filter spoofed IP packets (anti-spoofing ingress and egress filtering), and firewalls should allow only necessary traffic while detecting and blocking behaviour that looks malicious over time.
This utility calculates MOS scores for audio streams in .pcap files, optionally decoding the audio to .wav files. It runs on Linux, macOS, and OpenWRT, requires no database, and supports several common codecs. The user provides a .pcap file path and can choose json output or audio saving. The utility then extracts and analyzes RTP streams, calculating MOS scores and statistics and printing the results.
The document discusses Nmap, a free and open source tool for network discovery and security auditing. It describes Nmap's scanning techniques like SYN scans, ping scans, UDP scans, and version detection. It also covers options for detecting the operating system, specifying hosts and ports to include or exclude from scans, getting real-time information through verbose mode and packet tracing, and logging scan results in different formats.
Nmap is an open source tool that can scan networks to discover available hosts, services on hosts, operating systems and versions running on hosts, types of firewalls and filters in place, and other network details. It works across Linux, Windows, and other platforms. Nmap uses raw IP packets to gather this information, which can help identify security issues but also be used by attackers for reconnaissance. The tool supports various types of scans with different tradeoffs between stealthiness and information discovered. While Nmap has both command line and GUI interfaces, advanced usage requires command line expertise.
Port scanning involves sending packets to ports on a target system to discover which ports are open and may be exploited. There are several common port scanning techniques like TCP connect scanning, SYN scanning, FIN scanning, and UDP scanning. Port scanners try to avoid detection by scanning slowly, spoofing packets, or fragmenting packets. Systems can detect port scans through signatures like many connections to different ports from the same source in a short time.
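The detection signature named above (many distinct ports from one source in a short time), as an added example that is not code from the page: it parses connection-log lines, keeps a sliding window per source and alerts once a source has touched a threshold number of distinct destination ports inside that window. The log format is a constructed syslog-like layout rather than any product's, and the sample traffic also shows the evasion the text mentions, a slow scanner that stays under the threshold until the window is widened.

```python
"""Port-sweep detector over connection-log lines (added example, not from the page).

Log lines are a constructed syslog-like format: ISO timestamp, SRC, DST, PROTO, DPT.
build_sample_log() fabricates one fast sweep, one slow sweep and one busy but
ordinary client; detect_port_sweeps() flags sources by distinct ports per window.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) DPT=(?P<dpt>\d+)"
)


def build_sample_log() -> list:
    """Constructed traffic against 192.0.2.10 (all addresses are documentation ranges)."""
    t0 = datetime(2024, 3, 1, 12, 0, 0)
    lines = []
    for i in range(12):  # 203.0.113.7: 12 different ports in 2.2 s
        t = t0 + timedelta(milliseconds=200 * i)
        lines.append(f"{t.isoformat()} SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT={21 + i} FLAGS=SYN")
    for i in range(12):  # 203.0.113.9: one new port every 3 s (slow scan)
        t = t0 + timedelta(seconds=3 * i)
        lines.append(f"{t.isoformat()} SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT={8000 + i} FLAGS=SYN")
    for i in range(20):  # 198.51.100.5: many connections but only ports 80 and 443
        t = t0 + timedelta(milliseconds=100 * i)
        lines.append(f"{t.isoformat()} SRC=198.51.100.5 DST=192.0.2.10 PROTO=TCP DPT={443 if i % 2 else 80} FLAGS=SYN")
    return lines


def detect_port_sweeps(lines, threshold: int = 10, window_s: float = 5.0) -> list:
    """Alert once per source when >= threshold distinct ports fall inside window_s seconds."""
    records = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:  # unparseable lines are skipped rather than crashing the detector
            records.append((datetime.fromisoformat(m["ts"]), m["src"], int(m["dpt"])))
    records.sort()  # logs from several sensors arrive interleaved
    recent = defaultdict(deque)  # src -> (ts, port) events still inside the window
    flagged, alerts = set(), []
    for ts, src, port in records:
        q = recent[src]
        q.append((ts, port))
        while (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()  # expire events older than the window
        distinct = {p for _, p in q}
        if len(distinct) >= threshold and src not in flagged:
            flagged.add(src)
            alerts.append({"src": src, "distinct_ports": len(distinct),
                           "first": q[0][0].isoformat(), "last": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    log = build_sample_log()
    print("5 s window :", detect_port_sweeps(log))
    print("40 s window:", detect_port_sweeps(log, window_s=40))
```

With the default 5 s window only the fast scanner trips the rule; the slow scanner never has more than two ports in any window and the ordinary client never exceeds two distinct ports at all. Widening the window to 40 s catches the slow scanner too, at the cost of more state per source, which is the usual trade-off when tuning this signature.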
Nmap is a network scanning tool that can discover hosts and services on a network. It can scan TCP and UDP ports, perform OS and version detection, and has both command line and GUI interfaces. Nmap allows specification of target hosts by IP address, CIDR notation for subnets, or hostname. It provides information about open ports and common services, and can detect vulnerabilities.
The document discusses using Nmap to perform network scanning and reconnaissance. It provides an overview of Nmap, describing common scan types like TCP and UDP scans. It also covers useful Nmap options for tasks like service and operating system detection. The document demonstrates the Nmap Scripting Engine for tasks like vulnerability scanning and brute force attacks. It provides examples of commands for different scan types and scripts.
I FOR ONE WELCOME OUR NEW CYBER OVERLORDS! AN INTRODUCTION TO THE USE OF MACH... (Tiago Henriques)
This document provides an introduction to using data science in cybersecurity. It discusses BinaryEdge, an organization that uses data science and machine learning to analyze cybersecurity data and detect anomalies. The document outlines BinaryEdge's image analysis workflow and how they use tools like logo detection, face detection, and optical character recognition on images. It also discusses some challenges of applying machine learning in cybersecurity and good use cases. Examples of BinaryEdge's data visualization and microservices APIs are shown.
Presentation Brucon - Anubisnetworks and PTCoresec (Tiago Henriques)
The document discusses real-time analysis and visualization of streaming data using Anubis Networks' StreamForce platform. It describes how StreamForce collects security events from various feeds, processes them using Node.js applications to aggregate and store the information in MongoDB and Redis. The stored data can then be queried and used to generate reports on infected machines, botnets, countries and other metrics.
This document describes a workshop on the Metasploit framework. It presents what Metasploit is, its different modes of use such as MSFconsole and the Web GUI, and the module types: exploits, payloads, auxiliaries and scanners. It also covers hands-on use of Metasploit against the Metasploitable 2 virtual machine, which contains several intentional vulnerabilities.
Country domination - Causing chaos and wrecking havoc (Tiago Henriques)
This document discusses using the search engine Shodan to find exposed devices and systems online. It provides example search queries that can be used on Shodan to find devices by port, banner contents, or country. It also discusses how information can be gathered from devices using SNMP and how Nmap can be used with Shodan search results to take screenshots of websites with no authentication. The document suggests some potentially concerning searches related to SCADA systems and critical infrastructure.
This document summarizes the discussions of a round table on information security in 2013. Topics discussed include projects such as the BSides Lisboa 2013 conference, the Portugal Seguro project to improve the security of routers, and a national Capture the Flag championship to promote cyber-security skills. The document also discusses ideas for raising public awareness of information security and improving interaction with the media on these topics.
Codebits 2014 - Secure Coding - Gamification and automation for the win (Tiago Henriques)
This document outlines an approach to integrating security into the software development lifecycle (SDLC) using automation and gamification. It describes objectives to stimulate developers towards security and make it interesting and rewarding. It then details problems with a previous approach being too manual and outlines solutions focusing on automation. It proposes an SDLC model and describes security checks at each stage, including developer education, coding, testing, deployment, and post-production monitoring. Checklists are suggested for both developers and security teams to help integrate security comprehensively.
BSides Lisbon - Data science, machine learning and cybersecurity (Tiago Henriques)
In this talk we will present some techniques that we use on a day to day basis in our research, where we combine our internet-wide data scanning and acquisition platform with ML/Data science techniques which allows us to find things faster or extract results in a more automated way. We will focus on practical cases and examples that even our audience at home will be able to use if they want. A couple of examples we will look at is how to classify images such as VNC screenshots, we will look at network scans and using machine learning to classify them and also the use of natural language processing to analyze CVEs. We will also talk a bit about a data analysis and classification pipeline architecture, we will look at the different technologies and what they do and how they can be used.
We will start by giving a very brief entry to the data science world and talk about:
Technologies
Techniques
How these relate to infosec
Algorithms and how they can be used
How people can come into the world of data and machine learning
Data visualization techniques and what are the best choices for different types of data
A couple of examples we will look at is how to classify images such as VNC or x11 screenshots, OCR, we will look at network scans and using machine learning to classify them and also the use of natural language processing to analyze CVEs. We will look at scoring and classification algorithms and how they can be used on ip addresses and we will talk about the use of learning and how we are applying it in real life.
We will also talk a bit about a data analysis and classification pipeline architecture, we will look at the different technologies and what they do and how they can be used. Some specific examples of our research that should give you an idea of some things we will talk about can be seen here:
https://blog.binaryedge.io/2015/11/10/ssh/
https://blog.binaryedge.io/2015/09/30/vnc-image-analysis-and-data-science/
https://blog.binaryedge.io/2015/08/10/data-technologies-and-security-part-1/
Webzurich - The State of Web Security in Switzerland (Tiago Henriques)
The document summarizes the state of cybersecurity in Switzerland. It finds that most major Swiss banks, insurance companies, and pharmaceutical firms have implemented key security headers, though some banks' e-banking sites are still lacking protections. Data leaks have exposed millions of records from Swiss financial and insurance firms. Overall, Switzerland has strong cybersecurity practices but some sectors like cantonal banks could still strengthen their online defenses.
This document provides an overview of computer forensics, including what it involves, the tools and techniques used, and why someone may want to pursue a career in this field. It discusses how computer forensics investigations differ from their portrayal on television and focuses on accuracy over speed. Key aspects covered include the forensic process, types of evidence examined, hardware and software tools used, and challenges like hidden data and encryption.
Hardware hacking involves analyzing and modifying electronic devices at the hardware level. It is important because secure software relies on secure underlying hardware, but hardware is often overlooked from a security perspective. Hardware hacking requires some basic electronics knowledge as well as tools like a multimeter, logic analyzer, and oscilloscope. Common hardware hacking techniques involve identifying chip components, reading datasheets, probing pins to analyze protocols, and modifying hardware configurations. The document provides an overview of hardware hacking concepts and demonstrations of hardware attacks.
This document provides instructions on how to conduct a port scan of an entire country to map out its internet infrastructure and identify vulnerable systems. It describes obtaining a list of the country's IP address ranges, selecting important services to scan for, using nmap and custom Python and C scripts to perform a fast initial scan for open ports followed by a slower scan to identify service versions. The results are stored in a database and visualized in a custom web application for analysis. Distributed scanning is implemented using a Raspberry Pi cluster. The purpose is presented as security research, but instructions are also given on how an attacker could use the same techniques to cause damage or steal information.
This document discusses how to use tcpdump and Linux utilities like grep, awk and sed to analyze network traffic for incident response. It provides examples of basic tcpdump syntax and using BPF filters to profile traffic. Specific techniques covered include hunting for suspicious DNS queries, mapping related infrastructure, finding unusual outbound connections, and automating tasks with scripting. The overall message is that security analysts should go beyond automated tools and learn to manually analyze network data to identify compromised systems that tools may miss.
IPLOG is an open source intrusion detection system (IDS) that provides beginner system administrators with actionable network intelligence without the complexity of more advanced IDS solutions. It detects common attacks such as port scans, ping floods, and bogus TCP flags through simple connection logging and generates syslog or text files with timestamps and details of detected activity. While easier to use than SNORT, it still allows filtering out common network noise and includes experimental NMAP scan evasion detection.
This document introduces IPLOG, an open source intrusion detection system (IDS) for beginners. IPLOG provides actionable network intelligence without the complexity of more advanced IDS solutions. It detects common attacks like port scans, ping floods, and invalid TCP flags. Logs are sent to syslog or text files with details of detected activity. While easier to use than Suricata, Snort, or packet analysis tools, IPLOG still identifies security threats in a timely manner for beginners to gain IDS experience. The presenter provides contact information to learn more about IPLOG and its newer version.
Practical White Hat Hacker Training - Active Information Gathering (PRISMA CSI)
This presentation is part of Prisma CSI's Practical White Hat Hacker Training v1.
PRISMA CSI • Cyber Security and Intelligence www.prismacsi.com
This document can be shared or quoted, and used for commercial purposes, but cannot be changed. Detailed information is available at https://creativecommons.org/licenses/by-nc-nd/4.0/legalcode.
IPLOG is an open source intrusion detection system that provides beginner sysadmins with actionable network intelligence without the complexity of more advanced IDS solutions. It logs connection and scan data as well as attack detections in syslog or text files. While simpler than solutions like Suricata and SNORT, IPLOG detects common scans and attacks without the learning curve of configuring and maintaining a more robust IDS.
This document discusses how the nmap scanner performs host discovery by default and explores customizing its behavior. It examines nmap's default discovery method which sends ICMP echo requests and TCP packets to target hosts and looks for responses. The document uses a DMZ network with varying firewall rulesets to demonstrate how the default method works in different scenarios. It shows that while the default method is sufficient when rules are very open, more specific rules may require customizing nmap's options to more accurately discover live hosts on the network.
Layer 8 and Why People are the Most Important Security Tool (Damon Small)
People are the cause of many security problems, but people are also the most effective resource for combating them. Technology is critical, but without trained professionals it is ineffective. In the context of two case studies, the presenter will describe specific instances where human creativity and skill overcame technical deficiencies. The presenter believes this topic to be particularly relevant for the Packet Hacking Village, as many of the techniques used are the same ones that are pertinent for Capture the Packet and Packet Detective.
Technical details will include the specific tools used, screenshots of captured data, and analysis of the malware and the malicious user's activity. The goal of the presentation is to show the importance of technical ability and critical thinking, and to demonstrate that skilled people are the most important tool in an information security program.
The document discusses network protocol analysis, including defining a protocol as rules determining data format and transmission. It describes network protocol analysis as decoding protocol headers and trailers to analyze network problems, detect intrusions, monitor usage, and gather statistics. The document lists potential users as programmers, network administrators, company managers, parents, and website owners wanting to check employee internet usage. It provides an overview of IP and TCP packet structures.
What we can learn from CDNs about Web Development, Deployment, and Performance (Sergey Chernyshev)
CDNs have become a core part of internet infrastructure, and application owners are building them into development and product roadmaps for improved efficiency, transparency and performance.
In his talk, Hooman shares recent learnings about the world of CDNs, how they're changing, and how Devs, Ops, and DevOps can integrate with them for optimal deployment and performance.
Hooman Beheshti is VP of Technology at Fastly, where he develops web performance services for the world's smartest CDN platform. A pioneer in the application acceleration space, Hooman helped design one of the original load balancers while at Radware and has held senior technology positions with Strangeloop Networks and Crescendo Networks. He has worked on the core technologies that make the Internet work faster for nearly 20 years and is an expert and frequent speaker on the subjects of load balancing, application performance, and content delivery networks.
Honeypots - November 8th Misec presentation (Tazdrumm3r)
A low-interaction honeypot was deployed in multiple cloud environments. Various malware samples were captured, including Conficker and other viruses. Analysis of IP addresses and packet captures revealed attempts to exploit Microsoft SQL Server, Windows shares, and RDP ports. The diverse environments allowed collection of malware from around the world.
Nmap is an open source network scanning tool that can discover available hosts on a network, the services running on them, operating systems and firewalls in use. It uses raw IP packets to map out devices and collect valuable information for both network management and security profiling. Nmap runs on Linux, Windows and other platforms, and offers various scan types from stealthy to more aggressive depending on the information needed. Both command line and GUI interfaces allow users to quickly get started with basic scans, while advanced features require more technical expertise.
Mr. Donald Rumsfeld, former Defence Secretary of the USA, stated in his book "Known and Unknown: A Memoir" that "There are known knowns, things we know that we know; and there are known unknowns, things that we know we don't know. But there are also unknown unknowns, things we do not know we don't know." And to know the unknowns of the unknown, my journey with the APNIC honeynet project started, and I am going to share my experiences in this talk.
The document discusses cybersecurity issues related to IoT devices. It begins by describing the 2016 Mirai botnet attacks, which exploited vulnerabilities in IoT devices like IP cameras and DVRs to take down major websites. The document then analyzes the current security situations of IoT, finding that many devices have vulnerabilities due to a lack of focus on security by manufacturers. It also notes that IoT devices could potentially be used as "weapons of mass destruction" due to their ubiquity, connectivity and potential access to users' daily lives. The rest of the document examines common vulnerabilities and attack vectors in IoT devices.
The implementation of two telematic services: one is a web server and the other is a document manager server. It shows how to test and implement telematic services.
I took pictures from here and there by googling, not mentioning all the sources; please let me know if anyone has any objection. This presentation was presented at IUT CTF G3t R00t.
Slides from Bsides Lisbon 2023 about practical use cases for AI in cybersecurity - this presentation attempts to build the knowledge of cybersecurity professionals in the world of AI and present a set of tools and techniques they can use on their day to day.
Pixels Camp 2017 - Stories from the trenches of building a data architecture (Tiago Henriques)
We live in a data-centric era. Nowadays we have at our disposal an enormous variety of services using data. Behind those services there are architectures supporting the flow and processing of that data. BinaryEdge.io is no exception. Supporting our platform, we have a data architecture processing thousands of events per second, which was built and is currently maintained by us. In this talk we are going to review the parts that compose a data architecture, and discuss which tools can be used at each step to arrive at a functional architecture. Note that the insights given will not be based on theoretical documents or truckloads of years of experience, but on our own experience of building and maintaining a large-scale data infrastructure and architecture.
Pixels Camp 2017 - Stranger Things the internet version (Tiago Henriques)
Much like Eleven and the gang, we at BinaryEdge are sometimes confronted with real monsters. Unlike in the series "Stranger Things", however, the monsters we're faced with take different shapes. Our monsters are usually found in the shape of weird things people connect to the internet. Often we're asked "What is the craziest thing you guys have found connected to the internet?" In this talk we intend to answer and show exactly that. If you've seen our previous talks and/or read our "World Security Report" for 2016 (ise.binaryedge.io) you know that we have found some of the weirdest things online. From water dams, to electricity grids, and nuclear laboratory sensors, people simply love connecting things to the internet. In this talk, we are going to explore the top "things" we've found exposed, talk about the different protocols they use and also allow YOU, live during the talk, to search for your own things! In this talk we will also release our 2017 report, where we show how we detected some of the NSA tools such as DoublePulsar. We will also make an interesting reveal on this topic. :)
Bruno Morisson and Herman Duarte (http://pt.linkedin.com/in/morisson / http://pt.linkedin.com/in/hcoduarte)
Title: (ab)using SSH - Tips & Tricks for Pentesters and Sysadmins
The document provides an overview of secure coding principles for developers and code auditors. It discusses principles such as input/output validation, error handling, and authentication and authorization. Input/output validation is about validating data that enters and leaves the application. Error handling involves gracefully handling exceptions instead of revealing sensitive information. Authentication and authorization concerns implementing strong password policies, access control, and least privilege access. Following these secure coding principles can help protect against many common vulnerabilities.
The document discusses developing an exploit from a vulnerability and integrating it into the Metasploit framework. It covers finding a buffer overflow vulnerability in an application called "Free MP3 CD Ripper", using tools like ImmunityDebugger and Mona.py to crash the application and gain control of EIP. It then shows using Mona.py to generate an exploit, testing it works, and submitting it to the Metasploit framework. It also provides an overview of Meterpreter and its capabilities.
Practical exploitation and social engineering (Tiago Henriques)
This document provides an overview of a presentation on practical exploitation and cyberstalking. The presentation introduces tools like Metasploit and Social Engineering Toolkit (SET) and demonstrates how they can be used for both legal and illegal purposes, like cyberstalking. It discusses how easy it is to profile and target individuals online to steal identities or spread misinformation. The document emphasizes that while hacking can be fun, the implications of cyberstalking should be taken seriously due to its potential real-world consequences.
This document provides instructions for a computer forensics workshop. Participants will be given a virtual machine image containing forensic analysis tools and a disk image to examine. The exercises start basic and increase in complexity, with each exercise providing hints to solve the next. Skills like file carving, hex editing, and analyzing file metadata will be practiced. Magic numbers and file headers are provided to aid in file type identification. The goal is to work through the exercises to ultimately recover a file containing an address for the meeting.
1. How to dominate a country
An analysis of the Portuguese internet's exposure to cyber-attacks
2. WHAT are you?
We are:
• Security Researchers
• Security enthusiasts
• Students, corporate sheep (read: auditors), programmers, pentesters
We are not :
• Lulzsec
• Anonymous
• Hacking group
• And no, we won't help you hack your girlfriend's Facebook!
3. Who are you?
• Tiago Henriques
  • Team founder @ PTCoreSec
  • Pentester/Researcher @ 7Elements
  • @Balgan
• Tiago Martins
  • Team vice-founder @ PTCoreSec
  • Researcher
  • @Gank_101
• Filipe Reis
  • Programmer @ PTCoreSec
  • Intern @ Layer8
  • @fjdreis
• Jean Figueiredo
  • Network security researcher @ PTCoreSec
  • Netsec admin @ Tecnocom
  • @klinzter
4. Who are you? @balgan
• Tiago Henriques
• 24
• BSc Software Engineering – University of Brighton
• MSc by Research Computer Security and Forensics – University of Bedfordshire
• Started a PhD but decided to drop out and go work in the industry...
• CEH
• CHFI
• Team founder @ PTCoreSec
• Currently a Pentester/Researcher @ 7Elements
• @Balgan
7. We are NOT RESPONSIBLE FOR ANY ILLEGAL ACTS OR ACTIONS PRACTICED BY YOU OR ANYONE THAT LEARNS SOMETHING FROM TODAY'S PRESENTATION.
8. Causing Chaos.
Q: If you guys were an attacker out to cause real damage or make a profit, how would you go about it?
A: This is what we would do: control as many machines in that country as possible, penetrate critical systems and get as much intel/info as possible.
10. How it all got started
We're hackers! We love knowing how to break things and how others would go about breaking things!
The difference between us and others is simple:
• We want to break things legally and find a way to fix things.
• We want to learn about new things and help people.
12. How it all got started
We saw some talks that really inspired us, given by two great people: HD Moore and Fyodor.
13. However…
We also ran into a bit of a problem…
Port scanning might or might not be illegal in Portugal!
No one is actually sure, and we talked with multiple people:
• Police
• Sysadmins
• Researchers
• Security professionals
14. What to do?
• So, if you can't port scan, how do you find out what your enemies' attack surface is?
• How do you know if the entire infrastructure you rely on every day is vulnerable or safe?
• Security by obscurity? Right, that works well….
15. What to do?
• We went and did the port scans in passive mode; no system was penetrated in any way whatsoever.
• We did it slowly, and with plenty of time between scans so as not to cause any DoS issues.
16. Port scanning
• Tools of the trade:
• Nmap
• Wkhtmltoimage
• Python
• Scapy
• Linux
• NodeJS
• MongoDB
• C
• Redbull + lots of nights awake + frustration
17. Port scanning - Process
1. Get Portugal CIDRs
2. Decide on a set of services you consider important
3. Check which IPs have those ports open
4. Check the versions running of those services
(Steps 3 and 4 are the actual scanning.)
18. Port scanning - Process
1. Get Portugal's CIDRs
There are two places where you can get these:
• http://software77.net/geo-ip/
• ftp://ftp.ripe.net/pub/stats/ripencc/delegated-ripencc-latest
19. Port scanning - Process
2. Decide on a set of services you consider important
ID  Port   TCP/UDP  Service
1   80     TCP      http
2   443    TCP      https
3   8080   TCP      http alternative
4   21     TCP      FTP
5   22     TCP      SSH
6   23     TCP      Telnet
7   53     UDP      DNS
8   445    TCP      Samba
9   139    TCP      Samba
10  161    UDP      SNMP
11  1900   UDP      UPNP
12  2869   TCP      UPNP
13  5353   UDP      MDNS
14  137    TCP      Netbios
15  25     TCP      SMTP
16  110    TCP      POP3
17  143    TCP      IMAP
18  3306   TCP      Mysql
19  5900   TCP      VNC Server
20  17185  UDP      VoIP
21  3389   TCP      Rdesktop
22  8082   TCP      TR 069
20. Port scanning - Process
3. Check which IPs have those ports open
4. Check the versions running of those services
This is where it gets tricky!
21. Port scanning - Process
• Portugal on the internet….
• 5,822,240 allocated IPs
• Dynamic IPs
• GPRS
22. Port scanning - Process
• So as we mentioned, we divided the actual scanning into two parts! And you might be wondering why…
Common nmap scan for TCP:
nmap -iL ipswithftp -oA port21-FTP-with-Services -sS -sV -p21 -T5 -PN
The problem with this is that DNS resolution and -sV (service detection) are very slow.
So how do we solve this problem? We obviously want the domains the IPs are associated with, and the versions of the services running.
23. Port scanning - Process
• Do the fast things on the 6 million IPs and then do the slow stuff only on the IPs that are running the service we want to analyse.
• nmap -iL CIDRSPT.txt -oA port21-FTP -sS -p21 -T5 -PN --host-timeout 1501 --min-hostgroup 400 --min-parallelism 10 -n
• Then we will have the list of IPs that have FTP running on port 21 in 3 files:
• port21-FTP.xml
• port21-FTP.gnmap
• port21-FTP.nmap
• Extract the IPs from the gnmap file (the output file name must match the -iL input of the next step exactly; Linux file names are case-sensitive):
grep -w "21/open" port21-FTP.gnmap | awk '{print $2}' > IPSWITHFTP.txt
24. Port scanning - Process
• Do the slow things only on the IPs that have our service running.
• nmap -iL IPSWITHFTP.txt -oA port21-FTP-FINAL -sV -p21 -T5 -PN --host-timeout 1501 --min-hostgroup 400 --min-parallelism 10
• Then we will have the list of IPs that have FTP running on port 21 AND the version of those services in 3 files:
• port21-FTP-FINAL.xml
• port21-FTP-FINAL.gnmap
• port21-FTP-FINAL.nmap
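As an added example (not the slides' own code), here is a Python parser for Nmap's grepable (.gnmap) output that generalises the grep/awk step above: it selects the hosts with a given port in a given state and protocol as the input list for the second-phase -sV run, and reads the version strings back out of that final run. The sample lines are constructed; the line layout (tab-separated fields, port entries written as port/state/proto/owner/service/rpc/version/) is Nmap's own grepable format.

```python
"""Select second-phase targets from Nmap grepable (.gnmap) output.

Generalises `grep -w "21/open" | awk '{print $2}'`: the port, state and
protocol are matched exactly, so a UDP "open|filtered" guess (a timeout)
is not mistaken for a confirmed open TCP port.  Added example; not the
slides' own code.
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample of the first (fast, -sS -p21 -n) run.  Real .gnmap
# fields are tab-separated; port entries are
# port/state/proto/owner/service/rpc/version/ separated by ", ".
SAMPLE_GNMAP_FAST = "\n".join([
    "# Nmap scan initiated as: nmap -iL CIDRSPT.txt -oA port21-FTP -sS -p21 -T5 -PN -n",
    "Host: 192.0.2.10 ()\tStatus: Up",
    "Host: 192.0.2.10 ()\tPorts: 21/open/tcp//ftp///",
    "Host: 192.0.2.11 ()\tPorts: 21/closed/tcp//ftp///",
    "Host: 192.0.2.12 ()\tPorts: 21/filtered/tcp//ftp///",
    "Host: 192.0.2.13 ()\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh///",
    "Host: 198.51.100.7 ()\tPorts: 161/open|filtered/udp//snmp///",
    "Host: 198.51.100.8 ()\tPorts: 161/open/udp//snmp///",
    "# Nmap done -- 7 IP addresses (7 hosts up) scanned",
])

# Constructed sample of the second (slow, -sV) run on the hits only.
SAMPLE_GNMAP_FINAL = "\n".join([
    "Host: 192.0.2.10 ()\tPorts: 21/open/tcp//ftp//vsftpd 3.0.2/",
    "Host: 192.0.2.13 ()\tPorts: 21/open/tcp//ftp//ProFTPD 1.3.5/",
])


@dataclass(frozen=True)
class PortRecord:
    host: str
    port: int
    state: str      # open, closed, filtered, open|filtered, ...
    proto: str      # tcp or udp
    service: str    # name from the port table, or from -sV
    version: str    # non-empty only after a -sV run


def parse_gnmap(text):
    """Return one PortRecord per (host, port) entry in .gnmap text."""
    records = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                      # comment or blank line
        fields = line.split("\t")
        host = fields[0].split()[1]       # "Host: 192.0.2.10 (name)" -> address
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue                  # e.g. "Status: Up", "Ignored State: ..."
            for entry in field[len("Ports:"):].split(","):
                parts = entry.strip().split("/")
                if len(parts) < 7 or not parts[0].isdigit():
                    continue              # malformed entry: skip, don't crash
                records.append(PortRecord(host, int(parts[0]), parts[1],
                                          parts[2], parts[4], parts[6]))
    return records


def hosts_with_port(records, port, proto="tcp", states=("open",)):
    """Addresses with port/proto in one of `states`, sorted numerically:
    the input list (IPSWITHFTP.txt) for the second-phase -sV scan."""
    hits = {r.host for r in records
            if r.port == port and r.proto == proto and r.state in states}
    return sorted(hits, key=ipaddress.ip_address)


def service_versions(records, port, proto="tcp"):
    """host -> version string for hosts where -sV identified the service."""
    return {r.host: r.version for r in records
            if r.port == port and r.proto == proto
            and r.state == "open" and r.version}


if __name__ == "__main__":
    fast = parse_gnmap(SAMPLE_GNMAP_FAST)
    print("phase-2 targets:", hosts_with_port(fast, 21))
    # UDP: an "open|filtered" result is a timeout, not a confirmed listener
    print("confirmed SNMP:", hosts_with_port(fast, 161, "udp"))
    print("SNMP incl. guesses:",
          hosts_with_port(fast, 161, "udp", ("open", "open|filtered")))
    print("FTP versions:", service_versions(parse_gnmap(SAMPLE_GNMAP_FINAL), 21))
```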
25. Port scanning - Process
• However… we still have UDP… and let me tell you….
26. Port scanning - Process
Nmap also has a UDP mode, -sU, however it doesn't work very well without -sV (read: it's shit!); when testing it in our lab we noticed that most of the time nmap wasn't able to detect whether there was a service running or not.
The reason for this is: "UDP scanning is slow as open/filtered ports typically don't respond, so nmap has to time out and then retransmit, whilst closed ports will send an ICMP port unreachable error, which systems typically rate limit."
When we started, it took us around 4 weeks to scan UDP on the entire country on 1 port….
27. Port scanning - Process
Solution? SCAPY!
[Diagram: a client probing a server with a service running on port 11111]
28. Port scanning - Process
Result of that script?
On lab testing….
29. Port scanning - Process
Result of that script?
On internet testing….
30. Port scanning - Process
When we started, it took us around 4+ weeks to scan UDP on the entire country on 1 port using Nmap…. We took this as a baseline first run to improve on…
Our second run, we used python+scapy and it went down!!
1 week - well, not bad for a second run, but 1 week for a port?
Our third run, we used python + multithreading fu + scapy + blackmamba: 3 days, and this was the best we brought it down to without bringing in the big guns (read: "asking HD Moore for help").
Fourth run: C.
Yup, the entire .pt (1 port) scanned in 4 minutes and 45 seconds.
31. Port scanning - Process
So... At this point we can do UDP in 5 minutes. As you can guess... We now love UDP scanning again...
Our next objective became to speed up our TCP scanning. For you to understand what we did you need first to understand how nmap works:
[Chart: packets per second over time for Nmap; y-axis 0 to 25000 packets per second, x-axis time steps 1 to 21]
32. Port scanning - Process
What we did is write our own TCP scanner. And the result is the following:
[Chart: packets per second over time for PTCoreSecTCP; y-axis 0 to 25000 packets per second, x-axis time steps 1 to 21]
33. Port scanning - End
So we had our kick ass friends send us our kick ass raw results… now what do we do with them?
34. Port scanning - End
Terminals are fun, BUT we want an easier way to look at our data…
So…. We wrote a tool: PTCoreSec Command Center!
47. Port scanning – How does it work?
Step 1 – PTCoreSec admins request a job (scan) on the backend.
Step 2 – Server side checks the current number of live raspi minions.
Step 3 – Server divides the CIDRs among the different clients and sends them over.
Step 4 – Clients (minions) do the scans and send them back to the server over XMLRPC.
Step 5 – Server imports these scans into the MongoDB backend.
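The work-splitting in step 3, as an added example in Python (not the PTCoreSec code): the server cuts the job's CIDR list into /24-sized chunks and deals them out largest-first to the least-loaded live client, so each client ends up with roughly the same number of addresses even when the input blocks range from /14 to /21. The five blocks are taken from the CIDR slide above; the function names are mine.

```python
"""Divide a CIDR work list among the live scanning clients (step 3 of the
command-center flow).  Added example; not the PTCoreSec code.

Blocks larger than /24 are first cut into /24 chunks, then dealt out
largest-first to the least-loaded client, so every client ends up with
about the same number of addresses however uneven the input blocks are.
"""
import ipaddress

# Five of the Portuguese allocations listed on the CIDR slide.
SAMPLE_CIDRS = ["2.80.0.0/14", "5.43.0.0/18", "5.44.192.0/20",
                "5.158.0.0/18", "5.159.216.0/21"]


def chunk_cidrs(cidrs, max_prefix=24):
    """Return ip_network objects, splitting any block larger than
    /max_prefix into /max_prefix pieces.  max_prefix=None disables splitting."""
    chunks = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        if max_prefix is not None and net.prefixlen < max_prefix:
            chunks.extend(net.subnets(new_prefix=max_prefix))
        else:
            chunks.append(net)
    return chunks


def assign_to_clients(nets, n_clients):
    """Greedy balanced assignment: largest block to the least-loaded client.
    Returns (per-client lists of CIDR strings, per-client address counts)."""
    if n_clients < 1:
        raise ValueError("no live clients to assign work to")
    buckets = [[] for _ in range(n_clients)]
    loads = [0] * n_clients
    for net in sorted(nets, key=lambda n: n.num_addresses, reverse=True):
        i = loads.index(min(loads))        # first least-loaded client
        buckets[i].append(str(net))
        loads[i] += net.num_addresses
    return buckets, loads


def plan_job(cidrs, n_clients, max_prefix=24):
    """Full step 3: chunk the job's CIDRs and spread them over the clients."""
    return assign_to_clients(chunk_cidrs(cidrs, max_prefix), n_clients)


if __name__ == "__main__":
    buckets, loads = plan_job(SAMPLE_CIDRS, n_clients=4)
    for i, (share, load) in enumerate(zip(buckets, loads)):
        print(f"client {i}: {len(share)} chunks, {load} addresses")
    # Without chunking, the single /14 swamps one client while the others idle.
    print("unchunked loads:", plan_job(SAMPLE_CIDRS, 4, max_prefix=None)[1])
```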
53. Business
And that's all really neat and pretty, however there are 2 problems with that! These guys don't give a f***.
[Two pictures labelled: Management, Blackhats]
54. Management
Cares about:
• Money
• Money
• Money
Does:
• Will lie for PCI DSS/ISO27001/{Compliance}
• Approves every single thing even if it doesn't match security department goals but gets them moneys.
This gives us, security peeps, headaches!
55. I ask only ONE thing of you
Leave your whitehats at home, and
56. SHODAN
SHODAN is a search engine that lets you find specific computers (routers, servers, etc.) using a variety of filters. Some have also described it as a public port scan directory or a search engine of banners.
Another way of putting it would be:
63. SHODAN
Accessing that website will give you a search bar, where you can type queries and obtain results.
Your queries can ask for ports, countries, strings contained in the banners, and all sorts of other things.
Following is a sample set of queries that can lead to some interesting results:
78. SHODAN QUERIES OF AWESOMENESS
port:23 country:PT
Username:admin
Password:smcadmin
79. SHODAN QUERIES OF AWESOMENESS
port:23 list of built-in commands
Worldwide
Not a big number; however, just telnet in and you get a shell…
80. SHODAN QUERIES OF AWESOMENESS
port:161 country:PT
Worldwide
Portugal
81. SHODAN QUERIES OF AWESOMENESS
What sort of info do I get with SNMP?
• Windows RUNNING PROCESSES 1.3.6.1.2.1.25.4.2.1.2
• Windows INSTALLED SOFTWARE 1.3.6.1.2.1.25.6.3.1.2
• Windows SYSTEM INFO 1.3.6.1.2.1.1.1
• Windows HOSTNAME 1.3.6.1.2.1.1.5
• Windows DOMAIN 1.3.6.1.4.1.77.1.4.1
• Windows UPTIME 1.3.6.1.2.1.1.3
• Windows USERS 1.3.6.1.4.1.77.1.2.25
• Windows SHARES 1.3.6.1.4.1.77.1.2.27
• Windows DISKS 1.3.6.1.2.1.25.2.3.1.3
• Windows SERVICES 1.3.6.1.4.1.77.1.2.3.1.1
• Windows LISTENING TCP PORTS 1.3.6.1.2.1.6.13.1.3.0.0.0.0
• Windows LISTENING UDP PORTS 1.3.6.1.2.1.7.5.1.2.0.0.0.0
82. SHODAN QUERIES OF AWESOMENESS
What sort of info do I get with SNMP?
• Linux RUNNING PROCESSES 1.3.6.1.2.1.25.4.2.1.2
• Linux SYSTEM INFO 1.3.6.1.2.1.1.1
• Linux HOSTNAME 1.3.6.1.2.1.1.5
• Linux UPTIME 1.3.6.1.2.1.1.3
• Linux MOUNTPOINTS 1.3.6.1.2.1.25.2.3.1.3
• Linux RUNNING SOFTWARE PATHS 1.3.6.1.2.1.25.4.2.1.4
• Linux LISTENING UDP PORTS 1.3.6.1.2.1.7.5.1.2.0.0.0.0
• Linux LISTENING TCP PORTS 1.3.6.1.2.1.6.13.1.3.0.0.0.0
83. SHODAN QUERIES OF AWESOMENESS
What sort of info do I get with SNMP?
• Cisco LAST TERMINAL USERS 1.3.6.1.4.1.9.9.43.1.1.6.1.8
• Cisco INTERFACES 1.3.6.1.2.1.2.2.1.2
• Cisco SYSTEM INFO 1.3.6.1.2.1.1.1
• Cisco HOSTNAME 1.3.6.1.2.1.1.5
• Cisco SNMP COMMUNITIES 1.3.6.1.6.3.12.1.3.1.4
• Cisco UPTIME 1.3.6.1.2.1.1.3
• Cisco IP ADDRESSES 1.3.6.1.2.1.4.20.1.1
• Cisco INTERFACE DESCRIPTIONS 1.3.6.1.2.1.31.1.1.1.18
• Cisco HARDWARE 1.3.6.1.2.1.47.1.1.1.1.2
• Cisco TACACS SERVER 1.3.6.1.4.1.9.2.1.5
• Cisco LOG MESSAGES 1.3.6.1.4.1.9.9.41.1.2.3.1.5
• Cisco PROCESSES 1.3.6.1.4.1.9.9.109.1.2.1.1.2
• Cisco SNMP TRAP SERVER 1.3.6.1.6.3.12.1.2.1.7
95. Projecto Portugal Seguro - PTCoreSec
• 29 January 2013 – released a study which showed new flaws in UPNP and numbers on the devices replying to UPNP.
• PTCoreSec, under the scope of project Portugal Seguro, proceeded to help ISPs with this problem.
• We sent an email to all ISPs that resulted in the following:
97. Projecto Portugal Seguro
• Result
– For some ISPs we noticed changes in the order of 80% in the number of IPs that stopped responding to UPNP in less than 1 week.
– Quicker and faster response contacts so that we can improve even further on this in case of the next event.
110. A little tip…
If you want to quickly check for stuff (web related) that has no authentication, use NMAP!
111. A little tip…
First, let's get wkhtmltoimage:
wget http://wkhtmltopdf.googlecode.com/files/wkhtmltoimage-0.11.0_rc1-static-i386.tar.bz2
tar -jxvf wkhtmltoimage-0.11.0_rc1-static-i386.tar.bz2
cp wkhtmltoimage-i386 /usr/local/bin/
Next, let's get and install the Nmap module:
git clone git://github.com/SpiderLabs/Nmap-Tools.git
cd Nmap-Tools/NSE/
cp http-screenshot.nse /usr/local/share/nmap/scripts/
nmap --script-updatedb
112. A little tip…
Then, do your Shodan search and use:
This automatically exports a list of IPs you can import into nmap.
122. Shodan – the bad part
• Imports nmap scans from their servers on a rotational basis, so it's not always 100% updated! We confirmed this by correlating some of the Shodan results with our own results!
• For example, on MySQL servers Shodan would find 785, where our results showed 3000+.
123. Shodan – the good part
• Good querying system
• If port scanning is illegal in your country, you're out of trouble if you use Shodan, because you're just querying data acquired by them.
124. Resources
http://secanalysis.com/interesting-shodan-searches/
blog.spiderlabs.com/2012/06/using-nmap-to-screenshot-web-services.html
http://www.youtube.com/watch?v=LPgZU7ZNIjQ - Defcon 18 2010 - SHODAN for Penetration Testers - Michael Schearer
http://www.youtube.com/watch?v=Tg9ZAvynjdk - HD Moore - Empirical Exploitation
http://www.youtube.com/watch?v=b-uPh99whw4 - HD Moore - Wild West
Nmap options used in the scans above:
• --host-timeout 1501 - wait the minimum time on a host
• -n - don't do DNS resolution
• --min-parallelism 10 - probes (instances)
• --min-hostgroup 400 - each probe does 400 hosts at a time