This document discusses how the nmap scanner performs host discovery by default and how to customize that behavior. It examines nmap's default discovery method, which sends ICMP echo requests and TCP probes to each target and treats any reply as evidence that the host is up. The document uses a DMZ network with varying firewall rulesets to demonstrate how the default method behaves in different scenarios. It shows that while the default method is sufficient when the rules are very open, more restrictive rules may require customizing nmap's discovery options to more accurately find the live hosts on the network.
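The DMZ scenario above reduces to a question of which of nmap's discovery probes a given ruleset lets through. The following Python, added here as an example and not code from nmap or from the document summarized, models nmap's default probe set (for a privileged user scanning a non-local network: ICMP echo, TCP SYN to 443, TCP ACK to 80, ICMP timestamp) against a constructed allow-list firewall and derives the `-sn` options that would find the host. The rulesets and the firewall model are assumptions made for illustration.

```python
"""Why Nmap's default host discovery misses some firewalled DMZ hosts and
which -sn options recover them. Added example (not Nmap's code); the
firewall rulesets below are constructed for illustration."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Probe:
    proto: str      # "icmp" or "tcp"
    kind: str       # ICMP: "echo" / "timestamp"; TCP: flags "S" or "A"
    port: int = 0


# Nmap's default discovery probes for a privileged user scanning a
# non-local network (on a local Ethernet segment it uses ARP instead).
DEFAULT_PROBES: Tuple[Probe, ...] = (
    Probe("icmp", "echo"), Probe("tcp", "S", 443),
    Probe("tcp", "A", 80), Probe("icmp", "timestamp"))


@dataclass(frozen=True)
class Rule:
    proto: str              # "icmp", "tcp" or "any"
    port: int = 0           # TCP port; 0 = any port
    stateful: bool = True   # a stateful TCP rule drops an ACK with no session


def reaches_host(rules: List[Rule], probe: Probe) -> bool:
    """Allow-list firewall with a default-drop policy: the probe reaches the
    host (and a live host answers it) if any rule admits it."""
    for r in rules:
        if r.proto not in ("any", probe.proto):
            continue
        if probe.proto == "tcp":
            if r.port not in (0, probe.port):
                continue
            if r.stateful and probe.kind != "S":
                continue
        return True
    return False


def discovered(rules: List[Rule], probes=DEFAULT_PROBES) -> bool:
    """Nmap marks a host up as soon as any discovery probe is answered."""
    return any(reaches_host(rules, p) for p in probes)


def custom_probes(rules: List[Rule]) -> List[Probe]:
    """Derive probes from what the ruleset admits: a SYN to each allowed TCP
    port, an ACK too when the rule is stateless, and echo if ICMP passes."""
    probes: List[Probe] = []
    for r in rules:
        if r.proto in ("icmp", "any"):
            probes.append(Probe("icmp", "echo"))
        if r.proto in ("tcp", "any") and r.port:
            probes.append(Probe("tcp", "S", r.port))
            if not r.stateful:
                probes.append(Probe("tcp", "A", r.port))
    return probes


def nmap_options(probes: List[Probe]) -> str:
    """Render a probe list as nmap ping-scan options (-sn, -PE, -PS, -PA)."""
    opts = ["-sn"]
    syn = sorted({p.port for p in probes if p.proto == "tcp" and p.kind == "S"})
    ack = sorted({p.port for p in probes if p.proto == "tcp" and p.kind == "A"})
    if any(p.proto == "icmp" and p.kind == "echo" for p in probes):
        opts.append("-PE")
    if syn:
        opts.append("-PS" + ",".join(map(str, syn)))
    if ack:
        opts.append("-PA" + ",".join(map(str, ack)))
    return " ".join(opts)


# Constructed DMZ rulesets: an open one, and a mail relay that only
# accepts SMTP and submission through a stateful firewall.
OPEN_DMZ = [Rule("icmp"), Rule("tcp")]
MAIL_ONLY = [Rule("tcp", 25), Rule("tcp", 587)]

if __name__ == "__main__":
    for name, rules in (("open DMZ", OPEN_DMZ), ("mail only", MAIL_ONLY)):
        print(f"{name}: found by default probes = {discovered(rules)}; "
              f"suggested: nmap {nmap_options(custom_probes(rules))} <target>")
```

With the mail-only ruleset every default probe is dropped and nmap reports the host down, while `-sn -PS25,587` finds it; `-Pn` is the blunter alternative that skips discovery and port-scans every address regardless.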
This document provides an overview and agenda for a training on the Nmap Scripting Engine (NSE). It begins with a 10 minute introduction to Nmap, covering what Nmap is used for and some basic scan options. Next, it spends 20 minutes reviewing the existing NSE script categories and how to use available scripts, demonstrating two sample scripts. Finally, it dedicates 20 minutes to explaining how to write your own NSE script, including the basic structure and providing an example of writing a script to find the website title.
The document discusses various scan types available in the nmap port scanner program. It describes TCP connect scans which actively connect to ports, SYN stealth scans which send SYN packets to identify open and closed ports without fully establishing connections, and less common FIN, NULL and XMAS scans. It also covers ping scans to identify online systems, UDP scans, and options for customizing scans to avoid detection like altering timing and using decoys. The goal is to help users understand different scan techniques and how to choose scans suited to different target types or detection avoidance needs.
The document discusses different nmap scanning techniques including SYN scans, FIN scans, ACK scans, and window scans. It provides pros and cons of each technique. It then details a mission to penetrate SCO's firewall and discern open ports on a target system using different scan types. Another mission works to locate webservers on the Playboy network offering free images, optimizing the scan by getting timing information and scanning faster without DNS lookups. Several IP addresses with port 80 open are identified.
NMAP is a network scanning tool that can perform various types of scans, including port scans, version detection scans, and OS detection scans. It has many options to control the type and timing of scans. The document provides details on NMAP scan types like TCP SYN scans, ping scans using different packet types, and port scanning techniques. It also covers topics like port states, common ports, scan timing and output options.
Nmap is a free and open-source tool for network discovery and security auditing. It can be used to discover hosts and services on a computer network by scanning target hosts and performing port scanning, version detection, and OS detection. System administrators, network engineers, and auditors use Nmap for security auditing, compliance testing, asset management, and network/system inventory. While Nmap provides useful information for hardening network security, it can also be used maliciously for reconnaissance, so permission should be obtained before using it on networks.
Nmap is a popular port scanning tool used to discover open ports and services on a target system. It works by sending packets with different TCP flags like SYN, ACK and FIN and reading the replies to determine whether ports are open, closed or filtered. Some scanning techniques used by Nmap include SYN scanning, stealth scanning, Xmas scanning, FIN scanning, and NULL scanning. These techniques let the user enumerate the services a target exposes, which is the starting point for finding and exploiting vulnerabilities in those services.
Nmap is an open source tool that scans networks to identify devices, services, and operating systems. It works by crafting custom IP packets with different flags using raw sockets to elicit responses that provide information not otherwise available. Nmap can perform various types of scans, identify hosts and services, detect firewalls and IDS, and determine operating systems through detailed analysis of responses. It provides flexible output options and techniques for advanced scanning, packet alteration, and timing control.
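The scan types summarized above (SYN, FIN/NULL/Xmas, ACK, window, UDP) differ only in the probe sent and in how the reply, or the absence of one, is read. The following Python, added here as an example and not code from Nmap or from any of these documents, encodes Nmap's reply-to-state rules as given in its reference guide and runs them against a constructed target model (the target stack, its open ports and its firewall are assumptions), so you can see why a FIN scan yields open|filtered, why an ACK scan never says open, and why FIN/NULL/Xmas report every port closed against a Windows-style stack:

```python
"""How Nmap infers a port's state from the reply (or silence) each scan
type provokes, modelled on the rules in the Nmap reference guide.
Added example; this is not code from Nmap or from the documents listed
here, and the target model below is constructed."""
from dataclasses import dataclass
from typing import Dict, Iterable, Set

# ICMP type 3 codes that Nmap treats as "filtered" for TCP probes
# (net/host/protocol/port unreachable and administratively prohibited).
FILTERED_ICMP_CODES = {1, 2, 3, 9, 10, 13}


@dataclass(frozen=True)
class Response:
    kind: str          # "tcp", "udp", "icmp" or "none" (timed out)
    flags: str = ""    # TCP flags seen, e.g. "SA" or "R"
    window: int = 0    # TCP window of a RST, read by the window scan
    icmp_type: int = 0
    icmp_code: int = 0


NO_RESPONSE = Response("none")


def _icmp_unreachable(r: Response) -> bool:
    return r.kind == "icmp" and r.icmp_type == 3 and r.icmp_code in FILTERED_ICMP_CODES


def infer_state(scan: str, r: Response) -> str:
    """Nmap's port-state decision for one probe/response pair."""
    rst = r.kind == "tcp" and "R" in r.flags
    if scan in ("syn", "connect"):
        if r.kind == "tcp" and "S" in r.flags and "A" in r.flags:
            return "open"
        if rst:
            return "closed"
        if r.kind == "none" or _icmp_unreachable(r):
            return "filtered"
    elif scan in ("fin", "null", "xmas"):
        # RFC 793: an open port silently drops these, a closed one sends RST,
        # so silence cannot separate "open" from "dropped by a firewall".
        if r.kind == "none":
            return "open|filtered"
        if rst:
            return "closed"
        if _icmp_unreachable(r):
            return "filtered"
    elif scan in ("ack", "window"):
        # ACK probes never say open/closed; they only map firewall rules.
        if rst:
            if scan == "window":
                return "open" if r.window > 0 else "closed"
            return "unfiltered"
        if r.kind == "none" or _icmp_unreachable(r):
            return "filtered"
    elif scan == "udp":
        if r.kind == "udp":
            return "open"
        if r.kind == "icmp" and r.icmp_type == 3 and r.icmp_code == 3:
            return "closed"
        if _icmp_unreachable(r):
            return "filtered"
        if r.kind == "none":
            return "open|filtered"
    else:
        raise ValueError(f"unknown scan type {scan!r}")
    return "unknown"


def target_reply(scan: str, port: int, open_ports: Set[int],
                 stack: str = "rfc793", dropped: Iterable[int] = ()) -> Response:
    """Constructed target: `dropped` ports are silently discarded by a
    firewall; `stack` is "rfc793" or "windows" (Windows-style stacks answer
    FIN/NULL/Xmas probes with RST even on open ports)."""
    if port in dropped:
        return NO_RESPONSE
    is_open = port in open_ports
    if scan in ("syn", "connect"):
        return Response("tcp", "SA") if is_open else Response("tcp", "R")
    if scan in ("fin", "null", "xmas"):
        return NO_RESPONSE if is_open and stack == "rfc793" else Response("tcp", "R")
    if scan in ("ack", "window"):
        # Unfirewalled hosts RST any unsolicited ACK; a few stacks set a
        # positive window only for open ports, which the window scan exploits.
        return Response("tcp", "R", window=1024 if is_open else 0)
    if scan == "udp":
        # Assumes the open service answers the probe; a silent open service
        # would look like "open|filtered", exactly as a dropped probe does.
        return Response("udp") if is_open else Response("icmp", icmp_type=3, icmp_code=3)
    raise ValueError(f"unknown scan type {scan!r}")


def scan_host(scan: str, ports: Iterable[int], open_ports: Set[int],
              stack: str = "rfc793", dropped: Iterable[int] = ()) -> Dict[int, str]:
    """Port -> state, as Nmap would print it for this scan type."""
    return {p: infer_state(scan, target_reply(scan, p, open_ports, stack, dropped))
            for p in ports}


if __name__ == "__main__":
    for scan in ("syn", "fin", "ack", "window", "udp"):
        print(scan, scan_host(scan, [22, 25, 443], {22, 443}, dropped={25}))
    print("fin vs windows stack", scan_host("fin", [22, 443], {22}, stack="windows"))
```

The practical check this encodes: when a FIN/NULL/Xmas scan shows every port closed, suspect a non-RFC-compliant stack rather than an empty host, and confirm with a SYN scan; when a SYN scan shows filtered, an ACK scan against the same ports tells you whether a stateful firewall is in the path.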
This document provides an overview of Nmap Scripting Engine (NSE) for security researchers looking to build NSE scripts. It covers the anatomy of an NSE script including required components like metadata, categories, portrules and actions. It also provides tips for scriptors like specifying the script directory, using debugging mode, and updating the script database. The goal is to provide a kickstart for researchers to learn how to create NSE scripts and proofs-of-concept.
Nmap (Network Mapper) is an open source utility which can quickly scan broad ranges of devices and provide valuable information about the devices on your network. It can be used for IT auditing and asset discovery as well as security profiling of the network.
www.lifein01.com - for more info
Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.
The document discusses Nmap, a free and open source tool for network discovery and security auditing. It describes Nmap's scanning techniques like SYN scans, ping scans, UDP scans, and version detection. It also covers options for detecting the operating system, specifying hosts and ports to include or exclude from scans, getting real-time information through verbose mode and packet tracing, and logging scan results in different formats.
Network Penetration Testing Toolkit - Nmap, Netcat, and Metasploit Basics (Bishop Fox)
Learn the basics of network penetration testing success - an introduction to the top three tools that will help you on your security journey: Nmap, Netcat, and Metasploit. See how to use Nmap both for port scanning and vulnerability discovery. You'll also learn how to use Netcat to grab banners, make HTTP requests, and create both reverse and bind shells. Finally, we’ll learn the ins and outs of Metasploit, including how to integrate our Nmap scan results for even more ownage and using the built-in exploits to get shells.
At the end of this, you will be port scanning, creating payloads, and popping shells. This technical workshop is designed to familiarize you with the necessary tools to continue your ethical hacking journey. From here, take your l33t new skillz and apply them to Capture The Flag (CTF) competitions or scanning your home network for vulnerabilities.
(This was originally presented on February 22, 2019 at Day of Shecurity Boston 2019.)
Nmap is a network exploration tool that collects information about target hosts including open ports, services, OS detection, and running scripts. It offers various host discovery techniques like ICMP ping, TCP and UDP ping to find active systems on the network. Once hosts are identified, nmap performs port scanning using TCP SYN, ACK, and UDP scans to determine open and closed ports. It can also detect services, versions, and OS on each host. Nmap scripts provide additional information gathering capabilities for vulnerabilities and exploits.
Nmap is a free and open source tool for network discovery and security auditing. It was written by Fyodor and allows users to identify hosts on a network, determine services and operating systems running on them, and discover vulnerabilities. The document outlines the basic anatomy of a scan, describing the DNS lookup, ping, reverse DNS lookup, and scan steps. It also covers different scan types like TCP SYN, connect, ping, and UDP scans as well as useful options for excluding or including targets, specifying port numbers, and adjusting ping behavior. Later modules discuss operating system and version detection, stealth scanning techniques, timing options, and randomizing scans.
Zenmap is a graphical frontend for the Nmap security scanner that aims to make Nmap easier for beginners and experienced users to use. It provides features like saving frequently used scans as profiles, comparing scan results, and storing recent scans in a searchable database. The purpose of Zenmap is not to replace Nmap but to enhance its usability. It allows interactive viewing of scan results and topology mapping.
Nmap is a security scanning tool used to discover hosts and services on a computer network. It sends specially crafted packets to target hosts and analyzes the responses to perform functions like host discovery, port scanning, version detection, and operating system detection. The document provides 20 examples of Nmap commands, such as commands to scan a single host or IP address, scan multiple addresses or ranges, perform specific scans like OS detection or version detection, and save scan output to files.
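Saving scan output to files is only useful if something reads it back, and the XML format (`-oX`) is the one meant for tools. The following Python, added here as an example and not code from Nmap, Zenmap or ndiff, parses the XML layout nmap writes into plain records and diffs a baseline scan against a later one to surface newly exposed ports, which is the comparison Zenmap's scan-compare view and ndiff perform. The two XML documents are constructed samples in nmap's real `-oX` layout, and the addresses and services in them are assumptions.

```python
"""Parse Nmap XML output (-oX) into plain records and diff a baseline scan
against a newer one to find newly exposed ports. Added example, not code
from Nmap, Zenmap or ndiff; the two XML documents are constructed samples
laid out the way nmap -oX writes them."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

BASELINE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -oX base.xml 192.0.2.0/30" version="7.94">
<host><status state="up" reason="echo-reply"/>
<address addr="192.0.2.1" addrtype="ipv4"/>
<address addr="00:11:22:33:44:55" addrtype="mac"/>
<hostnames><hostname name="gw.example.test" type="PTR"/></hostnames>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
<service name="ssh" product="OpenSSH" version="8.9p1" method="probed" conf="10"/></port>
<port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/>
<service name="http" product="nginx" tunnel="ssl" method="probed" conf="10"/></port>
<port protocol="tcp" portid="8080"><state state="filtered" reason="no-response"/></port>
</ports></host>
<host><status state="down" reason="no-response"/>
<address addr="192.0.2.2" addrtype="ipv4"/></host>
<runstats><finished elapsed="12.3"/><hosts up="1" down="1" total="2"/></runstats>
</nmaprun>"""

# Constructed follow-up scan of the same network: 3389/tcp has appeared on the gateway.
CURRENT_XML = BASELINE_XML.replace(
    '<port protocol="tcp" portid="8080">',
    '<port protocol="tcp" portid="3389"><state state="open" reason="syn-ack"/>'
    '<service name="ms-wbt-server" method="table" conf="3"/></port>\n'
    '<port protocol="tcp" portid="8080">')


@dataclass
class Port:
    proto: str
    number: int
    state: str
    service: str = ""
    product: str = ""
    version: str = ""


@dataclass
class Host:
    addr: str
    up: bool
    hostname: str = ""
    ports: List[Port] = field(default_factory=list)


def parse_nmap_xml(text: str) -> List[Host]:
    # ElementTree is fine for XML you produced yourself; for scan files from
    # a source you do not control, parse with defusedxml instead so that
    # entity-expansion payloads cannot exhaust the parser.
    root = ET.fromstring(text)
    hosts: List[Host] = []
    for h in root.iter("host"):
        addr = next((a.get("addr", "") for a in h.findall("address")
                     if a.get("addrtype") in ("ipv4", "ipv6")), "")
        status = h.find("status")
        hn = h.find("hostnames/hostname")
        host = Host(addr, status is not None and status.get("state") == "up",
                    hn.get("name", "") if hn is not None else "")
        for p in h.findall("ports/port"):
            st, svc = p.find("state"), p.find("service")
            svc_attrs = dict(svc.attrib) if svc is not None else {}
            host.ports.append(Port(
                p.get("protocol", ""), int(p.get("portid", "0")),
                st.get("state", "unknown") if st is not None else "unknown",
                svc_attrs.get("name", ""), svc_attrs.get("product", ""),
                svc_attrs.get("version", "")))
        hosts.append(host)
    return hosts


def open_ports(hosts: List[Host]) -> Set[Tuple[str, str, int]]:
    """(address, protocol, port) for every port Nmap reported open."""
    return {(h.addr, p.proto, p.number) for h in hosts for p in h.ports if p.state == "open"}


def diff_scans(baseline_xml: str, current_xml: str) -> Dict[str, List[Tuple[str, str, int]]]:
    """Change in exposed surface between two scans of the same targets."""
    before = open_ports(parse_nmap_xml(baseline_xml))
    after = open_ports(parse_nmap_xml(current_xml))
    return {"newly_open": sorted(after - before), "no_longer_open": sorted(before - after)}


if __name__ == "__main__":
    for h in parse_nmap_xml(CURRENT_XML):
        print(h.addr, h.hostname or "-", "up" if h.up else "down",
              [(p.number, p.state, p.service, p.product) for p in h.ports])
    print(diff_scans(BASELINE_XML, CURRENT_XML))
```

Run this against a saved baseline on a schedule and the "newly_open" list is the change-detection alert a network inventory needs; `nmap -oA` writes the XML alongside the normal and greppable forms in one go.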
This document discusses various port scanning techniques used by hackers to discover services, operating systems, and open ports on target hosts. It explains common TCP scans like SYN scans which identify open and closed ports, and UDP scans. Timing options and techniques for hiding scans are also covered. The document provides examples of using the Nmap tool to perform scans and identify operating systems.
The document discusses using Nmap to perform network scanning and reconnaissance. It provides an overview of Nmap, describing common scan types like TCP and UDP scans. It also covers useful Nmap options for tasks like service and operating system detection. The document demonstrates the Nmap Scripting Engine for tasks like vulnerability scanning and brute force attacks. It provides examples of commands for different scan types and scripts.
Nmap has several hidden options that provide little value: eight of them are useless except for naughty users or elementary school children. Nmap can detect only one type of malware, the Mydoom worm, and only through service scanning at high version-intensity levels. In summary, most of the "hidden truths" about Nmap options provide little practical benefit to users.
Nmap is a free and open source security scanning tool used to discover hosts and services on a computer network. It was originally written by Gordon Lyon and first published in 1997. Nmap uses raw IP packets to determine what hosts are available on the network, what services they offer, and what operating systems they are running. It has features like host discovery, port scanning, version detection, OS detection, and scriptable interaction. Nmap is commonly used for network inventory, auditing security, and identifying vulnerabilities, though some uses may be considered illegal without authorization.
The document discusses dynamic port scanning (DPS), which integrates ARP poisoning into port scanning to dynamically spoof the source IP address of scan packets. DPS works by poisoning the ARP cache of the target host or gateway so that scan replies are delivered to the scanning machine regardless of the spoofed source IP. This allows the scan to appear as if it is coming from many machines, improving stealth, while still obtaining results unlike traditional IP spoofing techniques. The document outlines how DPS works, current spoofing methods, advantages over other techniques, and limitations.
Nmap is a security scanning tool that can discover open ports, scan for services, and determine operating systems on a network. It works by sending packets to IP addresses and analyzing the responses to infer information about the target system, such as which ports are open or closed and what services are running. Nmap displays this information to the user and can be run from both graphical and command line interfaces on many operating systems. While useful for security auditing, Nmap could also enable hacking if used without permission on a network.
Nmap is an open source tool that can scan networks to discover available hosts, services on hosts, operating systems and versions running on hosts, types of firewalls and filters in place, and other network details. It works across Linux, Windows, and other platforms. Nmap uses raw IP packets to gather this information, which can help identify security issues but also be used by attackers for reconnaissance. The tool supports various types of scans with different tradeoffs between stealthiness and information discovered. While Nmap has both command line and GUI interfaces, advanced usage requires command line expertise.
This document discusses client-side exploits and tools used for testing them in a controlled network environment. It covers using Metasploit on Kali Linux to generate and encode a Meterpreter reverse TCP payload, deploying it on a Windows client virtual machine, and using Meterpreter post-exploitation commands to maintain access including disabling antivirus and establishing persistence. The goal is to achieve a low detection payload and compromise the client while evading detection, though the document notes that no method is foolproof and antivirus vendors adapt.
Assessment Questions and Answers 1. What are the diff.docx (fredharris32)
Assessment Questions and Answers
1. What are the differences between ZeNmap GUI (Nmap) and Nessus?
Nessus is a vulnerability scanner, whereas Nmap is used for mapping a network's hosts and the hosts' open ports. Nmap discovers active IP hosts and gathers information about their open ports. Nessus scans ports just as Nmap does, but it also reports whether the services on those open ports have known security vulnerabilities.
2. Which scanning application is better for performing a network discovery reconnaissance probing of an IP network infrastructure?
Nmap is better for performing a network discovery reconnaissance probing of an IP network infrastructure.
3. Which scanning application is better for performing a software vulnerability assessment with suggested remediation steps?
Nessus is better for performing a software vulnerability assessment.
4. How many total scripts (i.e., test scans) does the Intense Scan using ZenMap GUI perform?
There are 36 scripts loaded for scanning.
5. From the ZenMap GUI pdf report page 6, what ports and services are enabled on the Cisco Security Appliance device?
Port 443/tcp with the ssl/http service is enabled on the Cisco Security Appliance device.
6. What is the source IP address of the Cisco Security Appliance device (refer to page 6 of the PDF report)?
The IP address is 172.30.0.1
7. How many IP hosts were identified in the Nessus® vulnerability scan? List them.
Seven IP hosts were identified:
172.16.20.1
172.17.20.1
172.18.20.1
172.19.20.1
172.20.20.1
172.30.0.10
172.30.0.66
8. While Nessus provides suggestions for remediation steps, what else does Nessus provide that can help you assess the risk impact of the identified software vulnerability?
Besides remediation steps, Nessus gives each finding a severity rating and CVSS score, cross-references it to the CVE identifier and vendor advisories, and indicates whether a public exploit is available, all of which feed a risk-impact assessment. It also flags devices and software on the network that are not authorized or that indicate a network compromise.
9. Are open ports necessarily a risk? Why or why not?
Open ports are a risk to the extent that the service listening behind them is exposed: an attacker can use a reachable service to exploit a vulnerability in it, or a Trojan listening on an open port can take a screenshot and send it back to the attacker. A port that is open only for a necessary, patched service reachable from trusted networks carries far less risk, so what matters is what is listening and who can reach it; ports that do not need to be reachable should be closed or firewalled.
10. When you identify a known software vulnerability, where can you go to assess the risk impact of the software vulnerability?
The Common Vulnerability Scoring System (CVSS) is the standard used to assess the risk impact of a software vulnerability: it scores exploitability and impact metrics to produce a base score and severity rating. The CVSS scores for known vulnerabilities are published in the National Vulnerability Database (NVD) alongside each CVE entry, so NVD is where you go to look one up.
11. If Nessus provides a pointer in the vulnerability assessment scan report to look up CVE-2009-3555 when using the CVE search listing, specify what this CVE is, what the potential exploits are, and assess the severity of the vulnerability.
CVE is a list of publicly known information security vulnerabilities and exposures that gives each one a common name, so that data can be shared easily across separate vulnerability databases and tools. CVE-2009-3555 is the TLS/SSLv3 renegotiation vulnerability: a protocol flaw that lets a man-in-the-middle splice chosen plaintext (for example, the start of an HTTP request) in front of a legitimate client's data by renegotiating the session, and it was addressed by the renegotiation indication extension defined in RFC 5746. NVD rates it Medium severity under CVSS v2; the practical exposure is highest for web servers that still permit client-initiated renegotiation without the extension.
12. Explain how the CVE search listing can be a tool for security practi ...
This document provides instructions on how to conduct a port scan of an entire country to map out its internet infrastructure and identify vulnerable systems. It describes obtaining a list of the country's IP address ranges, selecting important services to scan for, using nmap and custom Python and C scripts to perform a fast initial scan for open ports followed by a slower scan to identify service versions. The results are stored in a database and visualized in a custom web application for analysis. Distributed scanning is implemented using a Raspberry Pi cluster. The purpose is presented as security research, but instructions are also given on how an attacker could use the same techniques to cause damage or steal information.
Nmap (Network Mapper} is and an Open Source utility which can quickly scan broad ranges of devices and provide valuable information about the devices on your network.It can be used for IT auditing and asset discovery as well as security profiling of the network.
www.lifein01.com - for more info
Nmap uses raw IP packets in novel ways to determine what
hosts are available on the network,
services (application name and version) those hosts are offering,
operating systems (and OS versions) they are running,
type of packet filters/firewalls are in use, and dozens of other characteristics.
The document discusses Nmap, a free and open source tool for network discovery and security auditing. It describes Nmap's scanning techniques like SYN scans, ping scans, UDP scans, and version detection. It also covers options for detecting the operating system, specifying hosts and ports to include or exclude from scans, getting real-time information through verbose mode and packet tracing, and logging scan results in different formats.
Network Penetration Testing Toolkit - Nmap, Netcat, and Metasploit BasicsBishop Fox
Learn the basics of network penetration testing success - an introduction to the top three tools that will help you on your security journey: Nmap, Netcat, and Metasploit. See how to use Nmap both for port scanning and vulnerability discovery. You'll also learn how to use Netcat to grab banners, make HTTP requests, and create both reverse and bind shells. Finally, we’ll learn the ins and outs of Metasploit, including how to integrate our Nmap scan results for even more ownage and using the built-in exploits to get shells.
At the end of this, you will be port scanning, creating payloads, and popping shells. This technical workshop is designed to familiarize you with the necessary tools to continue your ethical hacking journey. From here, take your l33t new skillz and apply them to Capture The Flag (CTF) competitions or scanning your home network for vulnerabilities.
(This was originally presented on February 22, 2010 at Day of Shecurity Boston 2019).
Nmap is a network exploration tool that collects information about target hosts including open ports, services, OS detection, and running scripts. It offers various host discovery techniques like ICMP ping, TCP and UDP ping to find active systems on the network. Once hosts are identified, nmap performs port scanning using TCP SYN, ACK, and UDP scans to determine open and closed ports. It can also detect services, versions, and OS on each host. Nmap scripts provide additional information gathering capabilities for vulnerabilities and exploits.
Nmap is a free and open source tool for network discovery and security auditing. It was written by Fyodor and allows users to identify hosts on a network, determine services and operating systems running on them, and discover vulnerabilities. The document outlines the basic anatomy of a scan, describing the DNS lookup, ping, reverse DNS lookup, and scan steps. It also covers different scan types like TCP SYN, connect, ping, and UDP scans as well as useful options for excluding or including targets, specifying port numbers, and adjusting ping behavior. Later modules discuss operating system and version detection, stealth scanning techniques, timing options, and randomizing scans.
Zenmap is a graphical frontend for the Nmap security scanner that aims to make Nmap easier for beginners and experienced users to use. It provides features like saving frequently used scans as profiles, comparing scan results, and storing recent scans in a searchable database. The purpose of Zenmap is not to replace Nmap but to enhance its usability. It allows interactive viewing of scan results and topology mapping.
Nmap is a security scanning tool used to discover hosts and services on a computer network. It sends specially crafted packets to target hosts and analyzes the responses to perform functions like host discovery, port scanning, version detection, and operating system detection. The document provides 20 examples of Nmap commands, such as commands to scan a single host or IP address, scan multiple addresses or ranges, perform specific scans like OS detection or version detection, and save scan output to files.
This document discusses various port scanning techniques used by hackers to discover services, operating systems, and open ports on target hosts. It explains common TCP scans like SYN scans which identify open and closed ports, and UDP scans. Timing options and techniques for hiding scans are also covered. The document provides examples of using the Nmap tool to perform scans and identify operating systems.
The document discusses using Nmap to perform network scanning and reconnaissance. It provides an overview of Nmap, describing common scan types like TCP and UDP scans. It also covers useful Nmap options for tasks like service and operating system detection. The document demonstrates the Nmap Scripting Engine for tasks like vulnerability scanning and brute force attacks. It provides examples of commands for different scan types and scripts.
Nmap has several hidden options that provide little value. 8 options are useless except for naughty users or elementary school children. Nmap can only detect one type of malware, the Mydoom worm, through service scanning at high intensity levels. In summary, most of the "hidden truths" about Nmap options provide little practical benefit to users.
Nmap is a free and open source security scanning tool used to discover hosts and services on a computer network. It was originally written by Gordon Lyon and first published in 1997. Nmap uses raw IP packets to determine what hosts are available on the network, what services they offer, and what operating systems they are running. It has features like host discovery, port scanning, version detection, OS detection, and scriptable interaction. Nmap is commonly used for network inventory, auditing security, and identifying vulnerabilities, though some uses may be considered illegal without authorization.
The document discusses dynamic port scanning (DPS), which integrates ARP poisoning into port scanning to dynamically spoof the source IP address of scan packets. DPS works by poisoning the ARP cache of the target host or gateway so that scan replies are delivered to the scanning machine regardless of the spoofed source IP. This allows the scan to appear as if it is coming from many machines, improving stealth, while still obtaining results unlike traditional IP spoofing techniques. The document outlines how DPS works, current spoofing methods, advantages over other techniques, and limitations.
Nmap is a security scanning tool that can discover open ports, scan for services, and determine operating systems on a network. It works by sending packets to IP addresses and analyzing the responses to infer information about the target system, such as which ports are open or closed and what services are running. Nmap displays this information to the user and can be run from both graphical and command line interfaces on many operating systems. While useful for security auditing, Nmap could also enable hacking if used without permission on a network.
Nmap is an open source tool that can scan networks to discover available hosts, services on hosts, operating systems and versions running on hosts, types of firewalls and filters in place, and other network details. It works across Linux, Windows, and other platforms. Nmap uses raw IP packets to gather this information, which can help identify security issues but also be used by attackers for reconnaissance. The tool supports various types of scans with different tradeoffs between stealthiness and information discovered. While Nmap has both command line and GUI interfaces, advanced usage requires command line expertise.
This document discusses client-side exploits and tools used for testing them in a controlled network environment. It covers using Metasploit on Kali Linux to generate and encode a Meterpreter reverse TCP payload, deploying it on a Windows client virtual machine, and using Meterpreter post-exploitation commands to maintain access including disabling antivirus and establishing persistence. The goal is to achieve a low detection payload and compromise the client while evading detection, though the document notes that no method is foolproof and antivirus vendors adapt.
Assessment Questions and Answers1. What are the diff.docxfredharris32
Assessment Questions and Answers
1. What are the differences between ZeNmap GUI (Nmap) and Nessus?
Nessus is a vulnerability scanner whereas Nmap is used for mapping a network’s hosts and the hosts’ open ports. Nmap discovers active IP hosts and gathers information about the open ports. Nessus scans ports just like Nmap, however it will notify if the open ports have potential security vulnerabilities attached to them.
2. Which scanning application is better for performing a network discovery reconnaissance probing of an IP network infrastructure?
Nmap is better for performing a network discovery reconnaissance probing of an IP network infrastructure.
3. Which scanning application is better for performing a software vulnerability assessment with suggested remediation steps?
Nessus is better for performing a software vulnerability assessment.
4. How many total scripts (i.e., test scans) does the Intense Scan using ZenMap GUI perform?
There are 36 scripts loaded for scanning.
5. From the ZenMap GUI pdf report page 6, what ports and services are enabled on the Cisco Security Appliance device?
Port 443 and ssl/http service are enabled on the Cisco Security Appliance device.
6. What is the source IP address of the Cisco Security Appliance device (refer to page 6 of the PDF report)?
The IP address is 172.30.0.1
7. How many IP hosts were identified in the Nessus® vulnerability scan? List them.
There are 7 IP host. They are:
172.16.20.1
172.17.20.1
172.18.20.1
172.19.20.1
172.20.20.1
172.30.0.10
172.30.0.66
8. While Nessus provides suggestions for remediation steps, what else does Nessus provide that can help you assess the risk impact of the identified software vulnerability?
Beside remediation steps, Nessus also provides devices and software on the network that are not authorized or indicate a network compromise.
9. Are open ports necessarily a risk? Why or why not?
Of course open ports are a risk, because the attacker can use these ports to exploit the vulnerabilities such as use Trojan to make a screenshot and then send a screenshot back to the attacker.
10. When you identify a known software vulnerability, where can you go to assess the risk impact of the software vulnerability?
Common Vulnerability Scoring System (CVSS) is a place where we can go to assess the risk impact of the software vulnerability. This is a classification system for the exploitability of software vulnerabilities and exposures.
11. If Nessus provides a pointer in the vulnerability assessment scan report to look up CVE-2009-3555 when using the CVE search listing, specify what this CVE is, what the potential exploits are, and assess the severity of the vulnerability.
CVE is a list of information security vulnerabilities and exposures that provides common names for publicly known problems. CVE also helps to share data across separate vulnerability capabilities easily.
12. Explain how the CVE search listing can be a tool for security practi ...
nmap -sS -sU -T4 -A -v -PE -PS22,25,80 -PA21,23,80,3389 172.30.0.0/24
Starting Nmap 5.21 ( http://nmap.org ) at 2010-07-31 13:36 Eastern Daylight Time
NSE: Loaded 36 scripts for scanning.
Initiating ARP Ping Scan at 13:36
Scanning 67 hosts [1 port/host]
Completed ARP Ping Scan at 13:36, 1.22s elapsed (67 total hosts)
Initiating Parallel DNS resolution of 67 hosts. at 13:36
Completed Parallel DNS resolution of 67 hosts. at 13:36, 13.03s elapsed
Initiating Parallel DNS resolution of 1 host. at 13:36
Completed Parallel DNS resolution of 1 host. at 13:36, 13.00s elapsed
Initiating SYN Stealth Scan at 13:36
Scanning 4 hosts [1000 ports/host]
Discovered open port 1025/tcp on 172.30.0.10
Discovered open port 1025/tcp on 172.30.0.66
Discovered open port.
Table of Contents
Host Discovery with nmap .............................................................................. 1
1. Introduction......................................................................................... 3
1.1 What is Host Discovery?..................................................................... 4
2. Exploring nmap’s Default Behavior ........................................................ 6
2.1 Scenario 1 – Firewall With No Filtering............................................ 7
2.2 Scenario 2 – Firewall With a Generic Ruleset ................................... 8
2.3 Scenario 3 – Firewall With Specific Rules......................................... 9
2.4 Scenario 4 – Stateful Firewall with Specific Rules........................... 10
3. Understanding nmap’s Discovery Options ............................................ 11
3.1 Customizing TCP Pings................................................................. 11
3.2 Customizing ICMP Messages ........................................................ 13
3.3 Bringing It All Together................................................................ 14
4. Conclusion...................................................................................... 16
1. Introduction
As a Computer Security Engineer that regularly conducts external penetration
tests, a recurring challenge seems to arise when assessing organizations with a
large allocation of IP address space. What does one do when faced with multiple
class B’s, a few class C’s, and a limited amount of time? Do you stick all of the
address space in your favorite scanner and hit the Go button, wait till it’s done
and hope the results are accurate? How can you be sure that your scanner
found all the hosts that are accessible? Do you even know the method your
scanner uses to discover which hosts are alive?
This document attempts to answer the above questions, and will illustrate (at a
very technical level) the methodology that I use to accurately discover which
hosts are accessible prior to conducting port scanning or a vulnerability
assessment.
Note: Some may say that unless one performs a scan on all 65535 TCP and UDP
ports on every possible IP address in the range, the penetration tester isn’t
being thorough enough. While I do agree that in order to be completely
thorough one must perform such a scan, I have rarely, if ever, had the
luxury of performing it, as it usually takes a considerable amount of
time. An underlying theme of Information Security is striking a
balance and weighing the pros and cons. If absolute thoroughness is required and time
is of no consideration, you’ll more than likely want to run a full, blind scan on all
IP addresses. If, however, a balance can be struck between being thorough and
completing the project on time, read on – you may learn some techniques to
improve both the accuracy and efficiency of your scans.
1.1 What is Host Discovery?
Host discovery is a term I’ll use to describe a certain phase of a penetration test,
where one attempts to determine the accessible hosts on a network. Many times
if a firewall ruleset is written explicitly, it is difficult to accurately determine the
number of hosts that are behind a firewall. A colleague of mine recently ran a
high-priced commercial scanner against a class C and found only one host.
Using the techniques outlined in this paper, I was able to determine that there
was not just one, but seventeen hosts in this particular DMZ. This commercial
scanner has very few options for host discovery, and is not very configurable
when it comes to fine tuning the discovery method.
Since this paper is about nmap and host discovery, we’ll talk specifically about
how nmap does its discovery, and we’ll learn how to use nmap’s options to
improve the discovery phase of a penetration test or vulnerability assessment.
To start off, let’s dissect the following very basic nmap command:
nmap -sS -O 172.26.1.0/29
There are three distinct phases with the above nmap command. They are:
1) Host discovery
2) Port scanning
3) OS fingerprinting
Since this paper is focused on host discovery, we will take an in-depth look at
the first phase of the above nmap command, skipping the latter two.
Note: It is possible to disable the discovery phase of the scan (with the -P0
option), and tell nmap to move directly on to the port scan phase.
In this paper we will use a DMZ environment with a variety of different firewall
rulesets to illustrate the best methods for discovering hosts behind a firewall.
The DMZ architecture we will use throughout this paper is depicted in the
following image.
Here we have a typical DMZ with a firewall filtering inbound traffic. In our
scenarios we will use “pseudo-rulesets” to keep the rules readable. The actual
syntax of the rules is a mix between PF and engrish, so don’t get hung up on
the accuracy of them – they just need to be readable. Also, the version of nmap
I used for this testing was 3.00.
Our scanning host sits on the 192.168.5.0/24 network and has the IP address of
192.168.5.20.
Unless otherwise stated, we will use the following nmap command for all
discovery scans:
nmap -sP 172.26.1.0/29
The -sP option specifies that only a discovery will be performed, using the same
discovery method as a default nmap scan.
2. Exploring nmap’s Default Behavior
Before we learn how and why it may be necessary to modify nmap’s behavior,
we should have a solid understanding of the default behavior, and how it may be
insufficient in performing host discovery.
When a port scan (nmap –sS target) or a “ping sweep” (nmap –sP target) is run
against a target network or host, nmap simultaneously sends out ICMP echo
request packets and “TCP pings” to all targets within the scope of the scan. The
term “TCP ping” can be described as a TCP packet with the ACK flag set,
destined for port 80 of the target host(s). The desired response from an
accessible host is either a TCP packet with the RST flag set, or an ICMP echo
reply, indicating that the host is alive. No response would indicate that the host
is not alive, or is being protected by a firewall, and is therefore unreachable on
port 80.
Only when nmap has determined that the host is in fact reachable does it
attempt to portscan the target. The default nmap discovery method works well
in certain circumstances, but should not be completely relied upon to determine
the accessible hosts. Fortunately, nmap is very flexible and allows us to
customize just about every aspect of the discovery.
The following depicts a default nmap discovery of one host.
Our command:
nmap -sP 172.26.1.1
tcpdump Output:
09:26:49.324016 192.168.5.20 > 172.26.1.1: ICMP: echo request
09:26:49.324083 192.168.5.20.40435 > 172.26.1.1.http: . ack 1942297083 win 3072
Above we see the ICMP ping and the TCP ping being sent.
2.1 Scenario 1 – Firewall With No Filtering
Our first scenario will demonstrate how the discovery process works with no
filtering being performed by the firewall. (i.e. the firewall is simply acting as a
router).
Our Command:
nmap -sP 172.26.1.0/29
Firewall Ruleset:
pass from any to any
tcpdump Output:
08:59:58.840249 192.168.5.20 > 172.26.1.0: ICMP: echo request
08:59:58.840667 192.168.5.20.60923 > 172.26.1.0.http: . ack 2990889584 win 3072
08:59:58.840726 192.168.5.20 > 172.26.1.1: ICMP: echo request
08:59:58.840764 192.168.5.20.60923 > 172.26.1.1.http: . ack 1015938099 win 3072
08:59:58.840801 192.168.5.20 > 172.26.1.2: ICMP: echo request
08:59:58.840838 192.168.5.20.60923 > 172.26.1.2.http: . ack 1228729075 win 3072
08:59:58.840876 192.168.5.20 > 172.26.1.3: ICMP: echo request
08:59:58.840914 192.168.5.20.60923 > 172.26.1.3.http: . ack 1769982015 win 3072
08:59:58.840952 192.168.5.20 > 172.26.1.4: ICMP: echo request
08:59:58.840989 192.168.5.20.60923 > 172.26.1.4.http: . ack 1859940754 win 3072
08:59:58.841027 192.168.5.20 > 172.26.1.5: ICMP: echo request
08:59:58.841064 192.168.5.20.60923 > 172.26.1.5.http: . ack 1596045207 win 3072
08:59:58.841103 192.168.5.20 > 172.26.1.6: ICMP: echo request
08:59:58.841140 192.168.5.20.60923 > 172.26.1.6.http: . ack 550856434 win 3072
08:59:58.841178 192.168.5.20 > 172.26.1.7: ICMP: echo request
08:59:58.841215 192.168.5.20.60923 > 172.26.1.7.http: . ack 2476756145 win 3072
08:59:58.841886 172.26.1.2 > 192.168.5.20: ICMP: echo reply
08:59:58.842149 172.26.1.4 > 192.168.5.20: ICMP: echo reply
08:59:58.842377 172.26.1.2.http > 192.168.5.20.60923: R 1228729075:1228729075(0) win 0 (DF)
08:59:58.842699 192.168.5.5 > 192.168.5.20: ICMP: echo reply
08:59:58.842905 172.26.1.4.http > 192.168.5.20.60923: R 1859940754:1859940754(0) win 0 (DF)
08:59:58.843263 172.26.1.6 > 192.168.5.20: ICMP: echo reply
08:59:58.843487 172.26.1.6.http > 192.168.5.20.60923: R 550856434:550856434(0) win 0 (DF)
Results:
All hosts found.
In the above tcpdump output we can see exactly how nmap does its job. It
sends out the ICMP and TCP packets to all hosts within scope (172.26.1.0/29)
and waits for replies. The replies from the accessible hosts (the ICMP echo
replies and the TCP RSTs from 172.26.1.2, 172.26.1.4 and 172.26.1.6) appear at
the end of the capture.
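To make nmap's decision rule concrete, here is an added example (my own code, not part of the paper or of nmap) that parses tcpdump lines in the format shown above and reports which hosts answered the scanner and which were probed but stayed silent. The sample captures are a subset of the lines from Scenario 1 and from the -PS80 sweep in section 3.3; the scanner address 192.168.5.20 is the paper's. Nothing here sends packets; it only reads capture text, which is the same view a defender gets from a sniffer on the firewall.

```python
import ipaddress
import re
from collections import defaultdict

# Added example, not from the paper: parse tcpdump lines in the old output
# format shown in this paper and apply nmap's host-discovery rule, a host is
# "up" if any reply comes back (ICMP echo/timestamp/netmask reply, TCP RST to
# an ACK ping, or TCP SYN/ACK to a SYN ping). Silence is recorded separately,
# because a filtered host looks exactly like a dead one.
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+>\s+(\S+):\s+(.*)$")
ENDPOINT_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?:\.(\w+))?$")


def split_endpoint(text):
    """'172.26.1.2.http' -> ('172.26.1.2', 'http'); '172.26.1.2' -> ('172.26.1.2', None)."""
    m = ENDPOINT_RE.match(text)
    if not m:
        raise ValueError(f"unparsable endpoint: {text!r}")
    return m.group(1), m.group(2)


def classify(line):
    """Return (src_ip, dst_ip, kind, info); kind is 'probe' or 'reply'. None if unparsable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    _ts, src, dst, info = m.groups()
    src_ip, _ = split_endpoint(src)
    dst_ip, _ = split_endpoint(dst)
    if info.lower().startswith("icmp:"):
        # requests and queries are our probes; every kind of reply counts
        kind = "reply" if "reply" in info.lower() else "probe"
    else:
        flags, _, rest = info.partition(" ")   # TCP flag field: '.', 'S', 'R', ...
        if flags == "R":
            kind = "reply"                     # RST answers an ACK ping
        elif flags == "S" and " ack " in f" {rest} ":
            kind = "reply"                     # SYN/ACK answers a SYN ping
        else:
            kind = "probe"
    return src_ip, dst_ip, kind, info


def discovery_summary(capture, scanner):
    """Return (alive, silent): hosts that answered the scanner, with the replies
    seen, and hosts the scanner probed that never answered."""
    probed, answered = set(), defaultdict(list)
    for line in capture.splitlines():
        parsed = classify(line)
        if parsed is None:
            continue
        src, dst, kind, info = parsed
        if kind == "probe" and src == scanner:
            probed.add(dst)
        elif kind == "reply" and dst == scanner:
            answered[src].append(info)
    alive = {h: answered[h] for h in sorted(answered, key=ipaddress.ip_address)}
    silent = sorted(probed - set(answered), key=ipaddress.ip_address)
    return alive, silent


# Sample input: a subset of the lines from the paper's Scenario 1 capture
# (unfiltered firewall; the probes to .3 and .5 are kept to show hosts that stay silent).
CAPTURE_SCENARIO_1 = """\
08:59:58.840801 192.168.5.20 > 172.26.1.2: ICMP: echo request
08:59:58.840838 192.168.5.20.60923 > 172.26.1.2.http: . ack 1228729075 win 3072
08:59:58.840876 192.168.5.20 > 172.26.1.3: ICMP: echo request
08:59:58.840914 192.168.5.20.60923 > 172.26.1.3.http: . ack 1769982015 win 3072
08:59:58.840952 192.168.5.20 > 172.26.1.4: ICMP: echo request
08:59:58.840989 192.168.5.20.60923 > 172.26.1.4.http: . ack 1859940754 win 3072
08:59:58.841027 192.168.5.20 > 172.26.1.5: ICMP: echo request
08:59:58.841064 192.168.5.20.60923 > 172.26.1.5.http: . ack 1596045207 win 3072
08:59:58.841103 192.168.5.20 > 172.26.1.6: ICMP: echo request
08:59:58.841140 192.168.5.20.60923 > 172.26.1.6.http: . ack 550856434 win 3072
08:59:58.841886 172.26.1.2 > 192.168.5.20: ICMP: echo reply
08:59:58.842149 172.26.1.4 > 192.168.5.20: ICMP: echo reply
08:59:58.842377 172.26.1.2.http > 192.168.5.20.60923: R 1228729075:1228729075(0) win 0 (DF)
08:59:58.842905 172.26.1.4.http > 192.168.5.20.60923: R 1859940754:1859940754(0) win 0 (DF)
08:59:58.843263 172.26.1.6 > 192.168.5.20: ICMP: echo reply
08:59:58.843487 172.26.1.6.http > 192.168.5.20.60923: R 550856434:550856434(0) win 0 (DF)
"""

# Sample input: lines from the paper's section 3.3 SYN ping (-PS80) through the
# stateful firewall, where only the web server answers, with a SYN/ACK.
CAPTURE_SYN_PING = """\
11:03:11.198506 192.168.5.20.49989 > 172.26.1.2.http: S 1017118803:1017118803(0) win 1024
11:03:11.198582 192.168.5.20.49989 > 172.26.1.4.http: S 2873622691:2873622691(0) win 1024
11:03:11.198658 192.168.5.20.49989 > 172.26.1.6.http: S 99614963:99614963(0) win 1024
11:03:11.199453 172.26.1.2.http > 192.168.5.20.49989: S 92167158:92167158(0) ack 1017118804 win 5840 <mss 1460> (DF)
"""

if __name__ == "__main__":
    for name, cap in (("scenario 1", CAPTURE_SCENARIO_1), ("-PS80 sweep", CAPTURE_SYN_PING)):
        alive, silent = discovery_summary(cap, "192.168.5.20")
        print(f"{name}: up={list(alive)} silent={silent}")
```

The silent list is the part nmap's own summary hides: in Scenario 1 the silent hosts (.3 and .5) really are absent, while in the section 3.3 capture .4 and .6 are alive but filtered, and the capture alone cannot tell the two cases apart.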
2.2 Scenario 2 – Firewall With a Generic Ruleset
This scenario illustrates how the default discovery method works with a rather
generic ruleset.
Our Command:
nmap -sP 172.26.1.0/29
Firewall Ruleset:
pass from any to any proto tcp port 80
pass from any to any proto tcp port 53
pass from any to any proto tcp port 25
drop all
tcpdump Output:
09:12:21.505016 192.168.5.20 > 172.26.1.0: ICMP: echo request
09:12:21.505125 192.168.5.20.60212 > 172.26.1.0.http: . ack 3755150488 win 3072
09:12:21.505166 192.168.5.20 > 172.26.1.1: ICMP: echo request
09:12:21.505204 192.168.5.20.60212 > 172.26.1.1.http: . ack 4073218537 win 3072
09:12:21.505242 192.168.5.20 > 172.26.1.2: ICMP: echo request
09:12:21.505280 192.168.5.20.60212 > 172.26.1.2.http: . ack 3464075465 win 3072
09:12:21.505318 192.168.5.20 > 172.26.1.3: ICMP: echo request
09:12:21.505355 192.168.5.20.60212 > 172.26.1.3.http: . ack 962650084 win 3072
09:12:21.505393 192.168.5.20 > 172.26.1.4: ICMP: echo request
09:12:21.505430 192.168.5.20.60212 > 172.26.1.4.http: . ack 337683576 win 3072
09:12:21.505468 192.168.5.20 > 172.26.1.5: ICMP: echo request
09:12:21.505505 192.168.5.20.60212 > 172.26.1.5.http: . ack 1839298263 win 3072
09:12:21.505544 192.168.5.20 > 172.26.1.6: ICMP: echo request
09:12:21.505581 192.168.5.20.60212 > 172.26.1.6.http: . ack 1701634905 win 3072
09:12:21.505619 192.168.5.20 > 172.26.1.7: ICMP: echo request
09:12:21.505656 192.168.5.20.60212 > 172.26.1.7.http: . ack 4287112447 win 3072
09:12:21.506577 172.26.1.2.http > 192.168.5.20.60212: R 3464075465:3464075465(0) win 0 (DF)
09:12:21.506830 172.26.1.6.http > 192.168.5.20.60212: R 1701634905:1701634905(0) win 0 (DF)
09:12:21.507104 172.26.1.4.http > 192.168.5.20.60212: R 337683576:337683576(0) win 0 (DF)
Results:
All hosts found.
This firewall ruleset is pretty poor, but not that uncommon. It is not stateful, so
our TCP pings get through without a problem. Our ICMP packets, however, do
not get through due to the “cleanup” rule at the end.
2.3 Scenario 3 – Firewall With Specific Rules
This scenario illustrates how the default discovery method works with a more
specific ruleset.
Our Command:
nmap -sP 172.26.1.0/29
Firewall Ruleset:
pass from any to 172.26.1.2 proto tcp port 80
pass from any to 172.26.1.4 proto tcp port 53
pass from any to 172.26.1.6 proto tcp port 25
drop all
tcpdump Output:
08:05:07.733225 192.168.5.20 > 172.26.1.0: ICMP: echo request
08:05:07.733334 192.168.5.20.44273 > 172.26.1.0.http: . ack 1621467562 win 2048
08:05:07.733375 192.168.5.20 > 172.26.1.1: ICMP: echo request
08:05:07.733412 192.168.5.20.44273 > 172.26.1.1.http: . ack 1213996683 win 2048
08:05:07.733450 192.168.5.20 > 172.26.1.2: ICMP: echo request
08:05:07.733487 192.168.5.20.44273 > 172.26.1.2.http: . ack 3921129299 win 2048
08:05:07.733525 192.168.5.20 > 172.26.1.3: ICMP: echo request
08:05:07.733561 192.168.5.20.44273 > 172.26.1.3.http: . ack 193217699 win 2048
08:05:07.733598 192.168.5.20 > 172.26.1.4: ICMP: echo request
08:05:07.733635 192.168.5.20.44273 > 172.26.1.4.http: . ack 3130918107 win 2048
08:05:07.733672 192.168.5.20 > 172.26.1.5: ICMP: echo request
08:05:07.733709 192.168.5.20.44273 > 172.26.1.5.http: . ack 638273071 win 2048
08:05:07.733746 192.168.5.20 > 172.26.1.6: ICMP: echo request
08:05:07.733783 192.168.5.20.44273 > 172.26.1.6.http: . ack 4151673259 win 2048
08:05:07.733820 192.168.5.20 > 172.26.1.7: ICMP: echo request
08:05:07.733856 192.168.5.20.44273 > 172.26.1.7.http: . ack 228721671 win 2048
08:05:07.734611 172.26.1.2.http > 192.168.5.20.44273: R 3921129299:3921129299(0) win 0 (DF)
Results:
1 host found.
Since our filtering is now specific, the default nmap discovery method is not
sufficient. The only packet that gets through the firewall is the TCP ping
destined for the WWW server.
2.4 Scenario 4 – Stateful Firewall with Specific Rules
In this scenario our firewall performs stateful inspection, and our firewall ruleset
is very specific.
Our Command:
nmap -sP 172.26.1.0/29
Firewall Ruleset:
pass from any to 172.26.1.2 proto tcp port 80 keep state
pass from any to 172.26.1.4 proto tcp port 53 keep state
pass from any to 172.26.1.6 proto tcp port 25 keep state
drop all
tcpdump Output:
08:46:23.548456 192.168.5.20.44390 > 172.26.1.2.http: . ack 3476163011 win 2048
08:46:23.548468 192.168.5.20 > 172.26.1.3: ICMP: echo request
08:46:23.548501 192.168.5.20.44390 > 172.26.1.3.http: . ack 1149703540 win 2048
08:46:23.548559 192.168.5.20 > 172.26.1.4: ICMP: echo request
08:46:23.548596 192.168.5.20.44390 > 172.26.1.4.http: . ack 1314586500 win 2048
08:46:23.548635 192.168.5.20 > 172.26.1.5: ICMP: echo request
08:46:23.548673 192.168.5.20.44390 > 172.26.1.5.http: . ack 2068473993 win 2048
08:46:23.548712 192.168.5.20 > 172.26.1.6: ICMP: echo request
08:46:23.548749 192.168.5.20.44390 > 172.26.1.6.http: . ack 2732407633 win 2048
08:46:23.548789 192.168.5.20 > 172.26.1.7: ICMP: echo request
08:46:23.548825 192.168.5.20.44390 > 172.26.1.7.http: . ack 2518875875 win 2048
Results:
No hosts found.
Above we see that the standard TCP pings and ICMP packets are sent, but this
time we receive no reply from the hosts, as the “cleanup” rule drops the ICMP and
the firewall drops the TCP ACK packets (TCP pings) because they are not part of
a previously established connection.
It should now be clear why nmap’s default discovery method is insufficient with a
firewall such as this one.
3. Understanding nmap’s Discovery Options
In the preceding section we saw that nmap’s default discovery options are
not sufficient in two of the four scenarios. In order to become confident in using
nmap to discover hosts, we must learn to use some of its advanced options.
3.1 Customizing TCP Pings
The default TCP ping uses a TCP packet with the ACK flag set with a destination
port of 80 (WWW). Upon receiving this packet, a stateful firewall will look in its
state table to see if the packet is part of a previously established connection.
Once it finds that this is a rogue TCP packet, it will promptly discard the packet,
preventing us from discovering the host. Firewalls that do not perform stateful
inspection but have a specific ruleset will only pass the TCP ping through to
authorized hosts. It is therefore necessary to customize the TCP ping.
Nmap allows us to customize most options within the TCP ping. The first thing
one might want to do is set the SYN flag instead of the ACK flag. This is easily
achieved by using the -PS option. A complete command might look like:
nmap -sP -PS 172.26.1.2
tcpdump Output:
10:48:13.656653 192.168.5.20.50992 > 172.26.1.2.http: S 3312451587:3312451587(0) win 2048
The above command still uses the default port 80, but will be passed by the
stateful firewall (unless another rule prohibits it) due to the SYN flag being set.
By adding a destination port to the -PS option, nmap allows you to further
customize the discovery. A fully customized nmap discovery may look like:
nmap -sP -PS25 172.26.1.2
tcpdump Output:
10:49:50.436438 192.168.5.20.63376 > 172.26.1.2.smtp: S 948961283:948961283(0) win 4096
This command sends the TCP ping (with the SYN flag set) to port 25 instead of
the default of port 80.
Another option one may consider when customizing TCP pings is setting a
specific source port on your TCP packets. This will not always work, since it
relies on very poorly written firewall rules, but it is surely worth a try. Consider
the following pseudo ruleset:
pass from any to 172.26.1.2 proto tcp port 80 keep state
pass from any to 172.26.1.4 proto tcp port 53 keep state
pass from any to 172.26.1.6 proto tcp port 25 keep state
pass from any port 53 to any keep state
drop all
Our Command:
nmap -sP 172.26.1.0/29 -g 53
tcpdump Output:
10:52:02.083065 192.168.5.20 > 172.26.1.0: ICMP: echo request
10:52:02.083260 192.168.5.20.domain > 172.26.1.0.http: . ack 2177885259 win 3072
10:52:02.083301 192.168.5.20 > 172.26.1.1: ICMP: echo request
10:52:02.083346 192.168.5.20.domain > 172.26.1.1.http: . ack 2684323392 win 3072
10:52:02.083384 192.168.5.20 > 172.26.1.2: ICMP: echo request
10:52:02.083421 192.168.5.20.domain > 172.26.1.2.http: . ack 1438652920 win 3072
10:52:02.083459 192.168.5.20 > 172.26.1.3: ICMP: echo request
10:52:02.083496 192.168.5.20.domain > 172.26.1.3.http: . ack 771338950 win 3072
10:52:02.083534 192.168.5.20 > 172.26.1.4: ICMP: echo request
10:52:02.083570 192.168.5.20.domain > 172.26.1.4.http: . ack 3541039396 win 3072
10:52:02.083608 192.168.5.20 > 172.26.1.5: ICMP: echo request
10:52:02.083645 192.168.5.20.domain > 172.26.1.5.http: . ack 2586779353 win 3072
10:52:02.083683 192.168.5.20 > 172.26.1.6: ICMP: echo request
10:52:02.083719 192.168.5.20.domain > 172.26.1.6.http: . ack 45434507 win 3072
10:52:02.083757 192.168.5.20 > 172.26.1.7: ICMP: echo request
10:52:02.083794 192.168.5.20.domain > 172.26.1.7.http: . ack 1886752887 win 3072
10:52:02.084616 172.26.1.2.http > 192.168.5.20.domain: R 1438652920:1438652920(0) win 0 (DF)
10:52:02.084845 172.26.1.4.http > 192.168.5.20.domain: R 3541039396:3541039396(0) win 0 (DF)
10:52:02.085219 172.26.1.6.http > 192.168.5.20.domain: R 45434507:45434507(0) win 0 (DF)
Here we have a stateful firewall with specific rules, and also what appears to be
a very harmless rule that permits DNS traffic from anywhere to any host in the
DMZ. As indicated in the above tcpdump output, this rule does permit DNS
traffic but also permits TCP packets from other sources to probe and scan the
DMZ. Logic errors and vague rules in firewall rulesets are not uncommon, and
can prove to be very useful in host discovery.
3.2 Customizing ICMP Messages
Though many firewalls will discard ICMP echo request messages, they may
permit other types of ICMP traffic to pass unhindered. In addition to ICMP echo
request messages, recent versions of nmap allow two other types of ICMP
messages to be sent.
Using the -PP option, nmap will send ICMP timestamp requests (type 13) and
expects ICMP timestamp replies (type 14) in return. Of course if a type 14 ICMP
packet is received then nmap assumes the host is alive.
Our Command:
nmap -sP -PP 172.26.1.4
tcpdump Output:
13:32:05.780376 192.168.5.20 > 172.26.1.4: icmp: time stamp query id 47345 seq 0 (DF)
13:32:05.781066 172.26.1.4 > 192.168.5.20: icmp: time stamp reply id 47345 seq 0 : org 0x0 recv 0x3c339bd xmit 0x3c339bd
The -PM option sends ICMP address mask (netmask) requests (type 17) and
expects an ICMP address mask reply (type 18) in return. Once again, if a type
18 packet is received, the host is alive.
Our Command:
nmap -sP -PM 172.26.1.4
tcpdump Output:
13:37:11.452204 192.168.5.20 > 172.26.1.4: icmp: address mask request (DF)
Note: Even if the firewall does pass these custom ICMP packets, not every
operating system will comply with the request; some will silently discard the
packet. Typically only routers will comply with netmask requests.
3.3 Bringing It All Together
Now that we have an understanding of how a default nmap discovery works, and
how to further customize and use other features in nmap, we’ll wrap it up with a
final scenario. We’ll use scenario four from above as our “worst case” situation,
and will go through methods for determining all the hosts on the DMZ.
Firewall Ruleset:
pass from any to 172.26.1.2 proto tcp port 80 keep state
pass from any to 172.26.1.4 proto tcp port 53 keep state
pass from any to 172.26.1.6 proto tcp port 25 keep state
drop all
Our command:
nmap -sP -PS80 172.26.1.0/29
tcpdump Output:
11:03:11.198359 192.168.5.20.49989 > 172.26.1.0.http: S 3857711107:3857711107(0) win 1024
11:03:11.198465 192.168.5.20.49989 > 172.26.1.1.http: S 3508535339:3508535339(0) win 1024
11:03:11.198506 192.168.5.20.49989 > 172.26.1.2.http: S 1017118803:1017118803(0) win 1024
11:03:11.198544 192.168.5.20.49989 > 172.26.1.3.http: S 832045179:832045179(0) win 1024
11:03:11.198582 192.168.5.20.49989 > 172.26.1.4.http: S 2873622691:2873622691(0) win 1024
11:03:11.198620 192.168.5.20.49989 > 172.26.1.5.http: S 1101529291:1101529291(0) win 1024
11:03:11.198658 192.168.5.20.49989 > 172.26.1.6.http: S 99614963:99614963(0) win 1024
11:03:11.198696 192.168.5.20.49989 > 172.26.1.7.http: S 3741843739:3741843739(0) win 1024
11:03:11.199453 172.26.1.2.http > 192.168.5.20.49989: S 92167158:92167158(0) ack 1017118804 win 5840 <mss 1460> (DF)
As expected, only our web server (172.26.1.2) replies. Now we’ll change the
destination port on the TCP Ping to 25.
Our command:
nmap -sP -PS25 172.26.1.0/29
tcpdump Output:
11:05:06.000617 192.168.5.20.38849 > 172.26.1.0.smtp: S 3544186883:3544186883(0) win 2048
11:05:06.000720 192.168.5.20.38849 > 172.26.1.1.smtp: S 4056940587:4056940587(0) win 2048
11:05:06.000759 192.168.5.20.38849 > 172.26.1.2.smtp: S 3272605779:3272605779(0) win 2048
11:05:06.000797 192.168.5.20.38849 > 172.26.1.3.smtp: S 4168614011:4168614011(0) win 2048
11:05:06.000835 192.168.5.20.38849 > 172.26.1.4.smtp: S 586154147:586154147(0) win 2048
11:05:06.000872 192.168.5.20.38849 > 172.26.1.5.smtp: S 3571974347:3571974347(0) win 2048
11:05:06.000910 192.168.5.20.38849 > 172.26.1.6.smtp: S 667418867:667418867(0) win 2048
11:05:06.000948 192.168.5.20.38849 > 172.26.1.7.smtp: S 902824219:902824219(0) win 2048
11:05:06.001909 172.26.1.6.smtp > 192.168.5.20.38849: S 203047548:203047548(0) ack 667418868 win 5840 <mss 1460> (DF)
Now we see that the SMTP server (172.26.1.6) replies. Again, let’s change the
destination TCP port to 53 to probe for our DNS server.
Our command:
nmap -sP -PS53 172.26.1.0/29
tcpdump Output:
11:06:52.601522 192.168.5.20.51592 > 172.26.1.0.domain: S 2862088195:2862088195(0) win 4096
11:06:52.601623 192.168.5.20.51592 > 172.26.1.1.domain: S 3921149995:3921149995(0) win 4096
11:06:52.601662 192.168.5.20.51592 > 172.26.1.2.domain: S 3150970963:3150970963(0) win 4096
11:06:52.601699 192.168.5.20.51592 > 172.26.1.3.domain: S 4262985851:4262985851(0) win 4096
11:06:52.601736 192.168.5.20.51592 > 172.26.1.4.domain: S 3247440035:3247440035(0) win 4096
11:06:52.601773 192.168.5.20.51592 > 172.26.1.5.domain: S 1634730187:1634730187(0) win 4096
11:06:52.601811 192.168.5.20.51592 > 172.26.1.6.domain: S 947388659:947388659(0) win 4096
11:06:52.601848 192.168.5.20.51592 > 172.26.1.7.domain: S 2042102043:2042102043(0) win 4096
11:06:52.602957 172.26.1.4.domain > 192.168.5.20.51592: S 328239288:328239288(0) ack 3247440036 win 5840 <mss 1460> (DF)
Our DNS server (172.26.1.4) has replied, so now all of our hosts are accounted
for. But wait a minute. Since we know all of the hosts and their services on our
DMZ, we knew which ports to send our TCP pings to. When conducting an
external assessment, it is highly unlikely that the client will tell you which
systems and services are available, making it difficult, but not impossible, to
discover the hosts.
What one must do to perform a complete discovery against a firewall such as the
one above is to use TCP ping sweeps with a variety of different destination and
source ports. Destination ports of the most common Internet services would be
a good start. Some good source ports to use would be 20 and 53. A script can
be written to automate these tasks and parse the data. A proof of concept perl
script can be found at http://www.moonpie.org/tools/discover.tgz
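As an added example (my own code, not the paper's and not the proof of concept script it links to) covering the ruleset reasoning in section 3.1 and the port sweep in this section, the following model evaluates the paper's rulesets against the probes nmap sends, so the result of each scenario can be reproduced on paper and a proposed rule change checked before it is deployed. Addresses, ports and rules are taken from the paper; the evaluation model is an assumption: first match wins, no match drops, and a "keep state" rule has no state entry for a fresh probe, so it only passes a TCP SYN (this matches Scenario 4; the paper's source-port capture shows ACK pings passing the port 53 rule, which this model shows with SYN pings instead, the hole being the same). Port 40000 stands in for nmap's random source port.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional

# Added example, not from the paper: a small first-match model of the packet
# filter in the paper's scenarios. Addresses, ports and rulesets are the paper's;
# the evaluation model itself is an assumption: rules are tried in order, the
# first match decides, no match means drop, and a "keep state" rule has no state
# entry for a fresh probe, so it only passes a TCP SYN (as in Scenario 4).


@dataclass(frozen=True)
class Probe:
    proto: str                    # "icmp" or "tcp"
    dst: str
    dport: Optional[int] = None   # TCP destination port
    sport: Optional[int] = None   # TCP source port (what nmap -g sets)
    flags: str = ""               # "A" for the default ACK ping, "S" for -PS


@dataclass(frozen=True)
class Rule:
    action: str                   # "pass" or "drop"
    proto: Optional[str] = None   # None matches any protocol
    dst: Optional[str] = None     # None matches any destination host
    dport: Optional[int] = None
    sport: Optional[int] = None
    keep_state: bool = False

    def matches(self, p: Probe) -> bool:
        return (self.proto in (None, p.proto) and self.dst in (None, p.dst)
                and self.dport in (None, p.dport) and self.sport in (None, p.sport))


def passes(ruleset: List[Rule], probe: Probe) -> bool:
    """True if the probe reaches the host behind the firewall."""
    for rule in ruleset:
        if not rule.matches(probe):
            continue
        if rule.action == "drop":
            return False
        # stateful rule: a fresh TCP probe can only create state with a SYN
        if rule.keep_state and probe.proto == "tcp" and probe.flags != "S":
            return False
        return True
    return False


def default_ping(addr: str) -> List[Probe]:
    """What nmap -sP sends: an ICMP echo and a TCP ACK to port 80."""
    return [Probe("icmp", addr), Probe("tcp", addr, dport=80, sport=40000, flags="A")]


def syn_ping(dports: Iterable[int], sport: int = 40000) -> Callable[[str], List[Probe]]:
    """Probe builder for nmap -sP -PS<ports> [-g <sport>] (no ICMP, SYN only)."""
    ports = list(dports)

    def build(addr: str) -> List[Probe]:
        return [Probe("tcp", addr, dport=d, sport=sport, flags="S") for d in ports]
    return build


def discovered(ruleset, live_hosts, probes_for) -> List[str]:
    """Hosts nmap would report as up: a live host answers every packet that
    reaches it (echo reply, SYN/ACK for an open port, RST for a closed one)."""
    found = [h for h in live_hosts if any(passes(ruleset, p) for p in probes_for(h))]
    return sorted(found, key=ipaddress.ip_address)


# The paper's DMZ: web server .2, DNS server .4 and SMTP server .6 are the live hosts.
LIVE = ["172.26.1.2", "172.26.1.4", "172.26.1.6"]
DROP_ALL = Rule("drop")
GENERIC = [Rule("pass", "tcp", dport=80), Rule("pass", "tcp", dport=53),
           Rule("pass", "tcp", dport=25), DROP_ALL]                           # Scenario 2
SPECIFIC = [Rule("pass", "tcp", "172.26.1.2", 80), Rule("pass", "tcp", "172.26.1.4", 53),
            Rule("pass", "tcp", "172.26.1.6", 25), DROP_ALL]                  # Scenario 3
STATEFUL = [Rule("pass", "tcp", "172.26.1.2", 80, keep_state=True),
            Rule("pass", "tcp", "172.26.1.4", 53, keep_state=True),
            Rule("pass", "tcp", "172.26.1.6", 25, keep_state=True), DROP_ALL]  # Scenario 4
# Section 3.1's "harmless" rule: anything from source port 53 may reach the DMZ.
LEAKY = STATEFUL[:3] + [Rule("pass", sport=53, keep_state=True), DROP_ALL]

if __name__ == "__main__":
    cases = [("generic, stateless", GENERIC), ("specific, stateless", SPECIFIC),
             ("specific, stateful", STATEFUL), ("stateful + source-port rule", LEAKY)]
    for name, rules in cases:
        print(f"{name}:")
        print("  default ping      ->", discovered(rules, LIVE, default_ping))
        print("  -PS80,25,53 sweep ->", discovered(rules, LIVE, syn_ping([80, 25, 53])))
        print("  -PS80 -g 53       ->", discovered(rules, LIVE, syn_ping([80], sport=53)))
```

Running it prints, for each ruleset, what the default ping, a -PS80,25,53 sweep and a -PS80 -g 53 probe would find. The last comparison is the one a firewall administrator wants: with the source-port rule deleted (the STATEFUL list) the same -g 53 probe finds only the web server again, while the sweep over the three service ports still finds every host, which is exactly why explicit rules hide hosts only from probes that miss their published ports.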
4. Conclusion
Hopefully this paper has provided some useful information and has caused you
to question, or more closely examine, your methodology for discovering hosts.
It should also serve as an awareness guide for firewall administrators on how to
develop explicit rules to hide Internet accessible hosts as much as possible.
Many thanks go to Fyodor for his efforts in creating the most powerful open
source port scanner, nmap. More information on nmap can be found at
http://www.nmap.org and http://www.insecure.org.