phukd - Irongeek.com

Adrian Crenshaw
http://Irongeek.com





I run Irongeek.com
I have an interest in InfoSec
education
I don’t know everything - I’m just a
geek with time on my hands
Sr. Information Security Consultant
at TrustedSec
Co-Founder of Derbycon
http://www.derbycon.com
http://Irongeek.com
Twitter: @Irongeek_ADC




Since ports are fairly standard, if port 80/tcp is
listening on a host, more than likely it’s running
web services
By sending packets to these port numbers, you can
see what services are running on the host
Knowing what services are running tells you
something about the potential attack surface
What about fingerprinting?





One of the most popular port scanners
Started by Gordon Lyon (Fyodor) back in 1997, as
an article for Phrack Magazine 51
Started as a fairly simple port scanner, and has
suffered some pretty serious feature creep since. 
Multiplatform (Linux, Windows, BSD, OS X)
Open Source and available from http://nmap.org



To use an analogy, if IPs are an apartment
complex’s address, ports are the apartment
number
Both UDP and TCP use incoming and outgoing ports
Most IP based services listen on standard ports
(HTTP 80/TCP, SMTP 25/TCP, SMB 139/445/TCP,
DNS port 53/TCP and UDP)



MAC (Media Access Control) is the address on the NIC
(Network Interface Card)
The term is used in Ethernet, but the same concept applies
elsewhere
Burned-in addresses should be unique, and if they ask on the
exam they are, but reality is sometimes different



48 bits (6 bytes) long, mostly represented in HEX
like this:
DE:AD:BE:EF:CA:FE
OUI (Organizationally Unique Identifier) is the first three bytes
(DE:AD:BE, shown in red on the slide), the extension identifier is the
last three (EF:CA:FE, shown in blue)
See who is assigned what OUI here:
http://standards.ieee.org/develop/regauth/oui/oui.txt



64 bit MAC addresses (EUI-64)
OUI is still 24 bits
Not sure what uses these


IPv4 uses 32 bit addresses
Usually represented as 4 octets
(separated into its 4 bytes and written in decimal):

192.168.1.1
Dec: 3232235777 HEX: C0A80101
Binary: 11000000 10101000 00000001 00000001
2^32 addresses possible (more or less), so about 4.3
billion
Began running out of these, which is one reason for
IPv6 and NAT
Count from 0!
[IPv4 header diagram: bits numbered 0-31 across, one row per 32 bits]
Version | IHL | Type of Service | Total Length
Identification | Flags | Fragment Offset
Time to Live | Protocol | Header Checksum
Source Address
Destination Address
Options | Padding

Field by field (one slide each in the original deck):
Version: version of the IP protocol, 4 in this case, bits 0-3.
IHL: Internet Header Length, bits 4-7
Type of Service: sets the priority of the packet
Total Length: total length of the packet, min 20 max 65,535.
Identification: used for fragmentation
Flags: used for fragmentation
Fragment Offset: used for fragmentation
Time to Live: should have been called “Hop Count” based on most
implementations. Seconds since the packet was born by spec.
Protocol: ICMP=1, TCP=6, UDP=17. Way more at:
http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml
Header Checksum: to detect errors in transmission
Source Address: where did I come from?
Destination Address: where am I going?
Options: extra options for the packet. Things like source routing would be here:
http://www.networksorcery.com/enp/protocol/ip.htm#Options
Padding: to make sure data starts on a 32 bit boundary




Networks have a Maximum Transmission Unit
(MTU) size, often 1500 bytes
Sometimes, packets must be broken up to fit, which
can be done by a router
The IPID and Offset mentioned before are used to put
packets back together
The MTU of the path can be discovered by setting the
Do Not Fragment flag and trying smaller sizes
until you no longer get an ICMP “Fragmentation needed
and DF set” message back
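The header fields walked through above and the fragmentation slide, as an added worked example in Python (this is not code from the slides): it builds the 20-byte RFC 791 header, verifies the header checksum, fragments a datagram to fit an MTU the way a router would, reports the ICMP "fragmentation needed and DF set" condition that path MTU discovery relies on, and reassembles fragments by source, destination, IPID and protocol. The addresses, IPID and payload are constructed for illustration.

```python
import socket
import struct
from typing import Dict, List, Tuple

# Added example: IPv4 header (RFC 791, no options), checksum, fragmentation and reassembly.
# Addresses, IPID and payload used with it are constructed for illustration.
IP_HEADER_FMT = "!BBHHHBBH4s4s"   # 20-byte fixed header, network byte order
FLAG_DF = 0b010                    # Don't Fragment
FLAG_MF = 0b001                    # More Fragments


def ones_complement_checksum(data: bytes) -> int:
    """Ones' complement of the 16-bit ones' complement sum of the data."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                                   # fold carries into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int, ident: int, proto: int = 17,
                      ttl: int = 64, flags: int = 0, frag_offset: int = 0) -> bytes:
    ver_ihl = (4 << 4) | 5                               # version 4, IHL 5 words = 20 bytes
    flags_frag = (flags << 13) | (frag_offset // 8)      # Fragment Offset is counted in 8-byte units
    hdr = struct.pack(IP_HEADER_FMT, ver_ihl, 0, 20 + payload_len, ident, flags_frag,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    csum = ones_complement_checksum(hdr)                 # computed with the checksum field zeroed
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]


def parse_ipv4_header(pkt: bytes) -> dict:
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto,
     _csum, src, dst) = struct.unpack(IP_HEADER_FMT, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "version": ver_ihl >> 4, "ihl": ihl, "tos": tos, "total_length": total_len,
        "id": ident, "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000),
        "frag_offset": (flags_frag & 0x1FFF) * 8, "ttl": ttl, "protocol": proto,
        # summing a valid header including its own checksum field yields 0
        "checksum_ok": ones_complement_checksum(pkt[:ihl]) == 0,
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
    }


def fragment(src: str, dst: str, payload: bytes, ident: int, mtu: int, proto: int = 17) -> List[bytes]:
    """Split a datagram so each fragment (20-byte header + data) fits the link MTU."""
    max_data = (mtu - 20) // 8 * 8                       # all but the last fragment carry a multiple of 8 bytes
    frags, offset = [], 0
    while offset < len(payload):
        chunk = payload[offset:offset + max_data]
        more = offset + len(chunk) < len(payload)
        hdr = build_ipv4_header(src, dst, len(chunk), ident, proto=proto,
                                flags=FLAG_MF if more else 0, frag_offset=offset)
        frags.append(hdr + chunk)
        offset += len(chunk)
    return frags


def router_forward(pkt: bytes, link_mtu: int) -> Tuple[str, List[bytes]]:
    """What a router does with a datagram that is too big for the next link."""
    h = parse_ipv4_header(pkt)
    if h["total_length"] <= link_mtu:
        return "forwarded", [pkt]
    if h["df"]:                                          # DF set: drop it and tell the sender (this is what PMTUD relies on)
        return "dropped: ICMP type 3 code 4 (fragmentation needed and DF set)", []
    data = pkt[h["ihl"]:h["total_length"]]
    return "fragmented", fragment(h["src"], h["dst"], data, h["id"], link_mtu, h["protocol"])


def reassemble(fragments: List[bytes]) -> Dict[tuple, bytes]:
    """Rebuild datagrams keyed by (src, dst, IPID, protocol); incomplete or gapped sets are left out."""
    groups: Dict[tuple, Dict[int, Tuple[bytes, bool]]] = {}
    for f in fragments:
        h = parse_ipv4_header(f)
        if not h["checksum_ok"]:
            continue                                     # corrupted header, discard
        key = (h["src"], h["dst"], h["id"], h["protocol"])
        groups.setdefault(key, {})[h["frag_offset"]] = (f[h["ihl"]:h["total_length"]], h["mf"])
    done = {}
    for key, parts in groups.items():
        expected, data, last_seen = 0, b"", False
        for off in sorted(parts):
            chunk, mf = parts[off]
            if off != expected:                          # gap: a fragment is missing
                break
            data += chunk
            expected += len(chunk)
            last_seen = not mf
        else:
            if last_seen:
                done[key] = data
    return done
```

Two details worth noticing: reassembly works in any arrival order because fragments are sorted by offset, and a set whose last fragment (MF clear) never arrives is simply never delivered, which is why the spec gives it a reassembly timer.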



128 bit addresses, 2^128 possible addresses (in
technical terms: a shit load)
340 undecillion to us Yanks, 340 sextillion to Brits
(which sounds like a fancy orgy)
In some ways, IPv6 has a simpler header

40 bytes, 320 bits
[IPv6 header diagram: bits numbered 0-31 across, one row per 32 bits]
Version | Traffic Class | Flow Label
Payload Length | Next Header | Hop Limit
Source Address (128 bits)
Destination Address (128 bits)






Version is set to 6
Traffic Class and Flow Label are used for QoS
Payload Length is the size of the payload, not
including the IP header itself
Next Header points to the header of the
encapsulated protocol
Hop Limit was TTL in old IPv4; this is a better name
Source and Destination Addresses






Stateless Auto Configuration eliminates the need for DHCP (though it is
still possible with DHCPv6, Stateful Auto Configuration)
IPv6 address is based on the MAC address & IPv6 router advertisements
fffe is inserted into the middle of the MAC if it is 48 bit; an EUI-64
MAC address that is already 64 bits can be used as is
Uses : for notation in HEX, :: can substitute for a bunch of 0s (but only
once)
fe80::60c:ceff:fed7:ed7c
The one above is a Link-Local address, notice the fe80, and can be used to
talk to other IPv6 hosts on the network without the router
Universal/Local (U/L) bit is set to 1 if the burned in MAC address is overridden
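The MAC-to-address derivation above, as an added Python example (not code from the slides): it builds the modified EUI-64 interface identifier from a 48- or 64-bit MAC, forms the fe80::/64 link-local address, and does the reverse, recovering the MAC from any address whose identifier has the ff:fe marker in the middle. The MAC 04:0c:ce:d7:ed:7c is an assumption chosen so that the result matches the slide's example address. Being able to read the hardware address back out of the IPv6 address is exactly the privacy concern that RFC 4941 temporary addresses were introduced to remove.

```python
import ipaddress
from typing import Optional

# Added example: modified EUI-64 (RFC 4291 Appendix A) in both directions.
# The MAC used in the tests is constructed to reproduce the slide's fe80::60c:ceff:fed7:ed7c.


def eui64_from_mac(mac: str) -> bytes:
    """Return the 8-byte modified EUI-64 interface identifier for a 48- or 64-bit MAC."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) == 6:
        raw = raw[:3] + b"\xff\xfe" + raw[3:]     # 48-bit MAC: insert ff:fe between OUI and extension
    elif len(raw) != 8:
        raise ValueError("MAC must be 48 or 64 bits")
    # Flip the Universal/Local bit (bit 1 of the first octet). A burned-in MAC has it 0,
    # and EUI-64 inverts its meaning, so a globally unique MAC ends up with it set.
    return bytes([raw[0] ^ 0x02]) + raw[1:]


def link_local_from_mac(mac: str) -> str:
    """fe80::/64 prefix plus the interface identifier, in compressed notation."""
    iid = eui64_from_mac(mac)
    return str(ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + iid))


def mac_from_eui64_address(addr: str) -> Optional[str]:
    """If the low 64 bits were built from a 48-bit MAC, return that MAC; otherwise None."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None                               # e.g. a privacy-extension or DHCPv6-assigned address
    first = iid[0] ^ 0x02                         # undo the U/L flip
    octets = bytes([first]) + iid[1:3] + iid[5:]
    return ":".join("%02x" % b for b in octets)


def is_link_local(addr: str) -> bool:
    return ipaddress.IPv6Address(addr).is_link_local
```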

Size matters

Name      Number of hosts   Range                          Leading bits   Notes
Class A   16,777,216        0.0.0.0 to 127.255.255.255     0
Class B   65,536            128.0.0.0 to 191.255.255.255   10
Class C   256               192.0.0.0 to 223.255.255.255   110
Class D   Undefined?        224.0.0.0 to 239.255.255.255   1110           Multicast
Class E   Undefined?        240.0.0.0 to 255.255.255.255   1111           Reserved



CIDR allows for less waste by splitting networks up
CIDR notation:
255.255.255.0 = /24
255.255.0.0 = /16
255.0.0.0 = /8
Could also be others (the mask doesn’t have to end on an octet boundary)






Dickins Corp uses IP range 10.*.*.*
Assume an example host is 10.69.69.69
Let’s say they use 255.255.240.0 (/20) for a subnet mask:
11111111.11111111.11110000.00000000
The 1 bits (red on the slide) are the network section, the 0 bits (blue) the host section
AND the mask with the host IP:
00001010.01000101.01000101.01000101
11111111.11111111.11110000.00000000 =
00001010.01000101.01000000.00000000 (10.69.64.0)
If two different IPs ANDed with the same subnet mask give
the same result, they are on the same network
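The AND shown above, done with plain bit operations so the three binary rows from the slide fall out of the code (an added Python example, not from the slides). It accepts a mask either as /n or dotted, rejects a non-contiguous mask, and cross-checks the result against the standard library's ipaddress module. The hosts and mask are the slide's own values.

```python
import ipaddress
from typing import Tuple

# Added example: subnet arithmetic by hand, matching the slide's 10.69.69.69 / 255.255.240.0 walk-through.


def ip_to_int(dotted: str) -> int:
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("bad IPv4 address: %s" % dotted)
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def dotted_binary(n: int) -> str:
    """The 32-bit value written the way the slide does: 8 bits per octet, dot separated."""
    return ".".join(format((n >> shift) & 0xFF, "08b") for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix: int) -> int:
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0-32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def mask_to_prefix(mask: str) -> int:
    m = ip_to_int(mask)
    prefix = bin(m).count("1")
    if prefix_to_mask(prefix) != m:               # the 1 bits must be contiguous from the left
        raise ValueError("non-contiguous mask: %s" % mask)
    return prefix


def parse_mask(mask: str) -> int:
    """Accept either "/20" or "255.255.240.0" and return the prefix length."""
    return int(mask[1:]) if mask.startswith("/") else mask_to_prefix(mask)


def network_of(ip: str, mask: str) -> str:
    """Host address ANDed with the mask: the network section with the host bits cleared."""
    return int_to_ip(ip_to_int(ip) & prefix_to_mask(parse_mask(mask)))


def same_network(ip_a: str, ip_b: str, mask: str) -> bool:
    return network_of(ip_a, mask) == network_of(ip_b, mask)


def usable_hosts(mask: str) -> int:
    """Addresses in the block minus network and broadcast (/31 and /32 are special cases, left at 0)."""
    return max(2 ** (32 - parse_mask(mask)) - 2, 0)


def worked_example(ip: str, mask: str) -> Tuple[str, str, str]:
    """The three binary rows from the slide: host, mask, AND result."""
    host, m = ip_to_int(ip), prefix_to_mask(parse_mask(mask))
    return dotted_binary(host), dotted_binary(m), dotted_binary(host & m)


def cross_check(ip: str, prefix: int) -> bool:
    """Same answer as the standard library's ipaddress module?"""
    expected = ipaddress.ip_network("%s/%d" % (ip, prefix), strict=False).network_address
    return network_of(ip, "/%d" % prefix) == str(expected)
```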


Address Resolution Protocol allows machines to find the
Layer 2 MAC address for a Layer 3 IP
If the computer has the IP, it can send a broadcast
message asking:
  “Hey, who has IP 192.168.1.2?”
and the owner answers:
  “That’s me! My MAC address is DE:AD:BE:FE:CA:FE”
Then communication can happen
RARP (Reverse Address Resolution Protocol) is the opposite and is
used by diskless workstations
Think about static ARP entries
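Because ARP replies are trusted without any check, "think about static ARP entries" is the slide's hint at the defence. As an added Python example (not from the slides), here is the monitoring side of that: a parser for a constructed log of ARP replies that flags an IP answered by more than one MAC, a MAC answering for several IPs, and any reply that contradicts a pinned static entry. The log format, timestamps and addresses are all constructed for the example.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Added example: spotting inconsistent ARP replies. Log lines are constructed, not captured.
SAMPLE_ARP_LOG = """\
2024-01-01T10:00:01 reply 192.168.1.1 is-at de:ad:be:ef:ca:fe
2024-01-01T10:00:05 reply 192.168.1.2 is-at 00:11:22:33:44:55
2024-01-01T10:00:09 reply 192.168.1.1 is-at de:ad:be:ef:ca:fe
2024-01-01T10:00:12 reply 192.168.1.1 is-at 66:77:88:99:aa:bb
2024-01-01T10:00:15 reply 192.168.1.3 is-at 66:77:88:99:aa:bb
"""
# The gateway pinned with a static ARP entry, as the slide suggests (constructed value)
STATIC_ARP = {"192.168.1.1": "de:ad:be:ef:ca:fe"}

LINE_RE = re.compile(r"^(\S+) reply (\d{1,3}(?:\.\d{1,3}){3}) is-at ([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})$")


def parse_arp_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, ip, mac) for every well-formed reply line; MACs are lower-cased."""
    replies = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, ip, mac = m.groups()
            replies.append((ts, ip, mac.lower()))
    return replies


def conflicting_ips(replies) -> Dict[str, List[str]]:
    """IPs for which more than one MAC has answered."""
    seen: Dict[str, set] = defaultdict(set)
    for _, ip, mac in replies:
        seen[ip].add(mac)
    return {ip: sorted(macs) for ip, macs in seen.items() if len(macs) > 1}


def macs_claiming_multiple(replies) -> Dict[str, List[str]]:
    """MACs that have answered for more than one IP (a gateway legitimately may; a workstation rarely does)."""
    seen: Dict[str, set] = defaultdict(set)
    for _, ip, mac in replies:
        seen[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in seen.items() if len(ips) > 1}


def static_violations(replies, static: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Replies that contradict a pinned static entry, with their timestamps."""
    return [(ts, ip, mac) for ts, ip, mac in replies
            if ip in static and mac != static[ip].lower()]
```

Each check on its own has benign explanations (a replaced NIC, a router with several addresses), so in practice the three are correlated in time and against an inventory rather than alerted on individually.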



TCP = Transmission Control Protocol
Considered a “reliable”, session based protocol
(though it is said to be on the Transport layer of
OSI, AKA Layer 4)
Starts with the three way handshake of:

Host 1: SYN
Host 2: SYN/ACK
Host 1: ACK
Has the concept of source and destination ports to
specify what service to connect to
IP Header is above this
[TCP header diagram: bits numbered 0-31 across, one row per 32 bits]
Source Port | Destination Port
Sequence Number
Acknowledgment Number
Data Offset | Reserved | URG ACK PSH RST SYN FIN | Window
Checksum | Urgent Pointer
Options | Padding
Data (labelled on the slides as “Porn, uhhh I mean data”)

Field by field (one slide each in the original deck):
Source/Destination Port: think apartment numbers in a complex
Sequence/Acknowledgment Number: keeps the connection in sync and allows for knowing what packets got
through
Data Offset: gives the size of the TCP header in 32 bit words, at least 5, at max 15
Reserved: not all used currently, but maybe later?
These were added in 2001 and 2003 for congestion control:
 CWR = Congestion Window Reduced
 ECE = Explicit Congestion Notification Echo
 NS = Nonce Sum
(with them the flag row reads NS CWR ECE URG ACK PSH RST SYN FIN)
Flags:
URG = This is important, go look at the urgent field
ACK = Says the Acknowledgment field is important. Should be set on all
packets after the initial SYN
PSH = Asks to push the buffered data to the application
RST = Reset the connection
SYN = Hey! Synchronize Sequence Numbers!
FIN = We done son, tear down the connection
Window: tells how much data you can send, for flow control
Checksum: used for error checking
Urgent Pointer: offset from the Sequence Number to the last urgent data byte
Options: size is determined by the Data Offset field, too many to list so see
https://www.iana.org/assignments/tcp-parameters/tcp-parameters.xhtml
Padding: makes sure the header stops at a 32 bit boundary
Data: here is the data



During the SYN, SYN/ACK, ACK handshake, the two
parties make up their own sequence numbers to
exchange
As data is passed, each increments the other’s
sequence number and passes it back to
acknowledge that a packet was received
ACKs are used throughout, and a FIN used at the
end to tear down the connections (sometimes a
RST)
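The header fields listed earlier and the sequence/acknowledgment exchange just described, as one added Python example (not code from the slides): it packs and parses the RFC 793 header, including Data Offset and the flag bits, and then walks segments through a small state machine that checks the handshake arithmetic (the SYN/ACK must acknowledge the client's ISN + 1, the final ACK must acknowledge the server's ISN + 1). Ports and initial sequence numbers are constructed; the checksum field is left at 0 because computing it needs the IP pseudo-header, which this example does not model.

```python
import struct
from typing import List

# Added example: RFC 793 TCP header and a handshake tracker. Ports and ISNs are constructed.
TCP_FMT = "!HHIIBBHHH"                       # 20-byte base header, network byte order
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}


def nxt(seq: int) -> int:
    """Next sequence number, wrapping at 32 bits."""
    return (seq + 1) & 0xFFFFFFFF


def build_tcp_header(sport: int, dport: int, seq: int, ack: int, flags: str,
                     window: int = 65535, options: bytes = b"") -> bytes:
    """flags is written the way the slides write it, e.g. "SYN/ACK"."""
    bits = 0
    for name in filter(None, flags.split("/")):
        bits |= FLAG_BITS[name]
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)   # Padding to a 32-bit boundary
    words = 5 + len(options) // 4                       # Data Offset, in 32-bit words
    if words > 15:
        raise ValueError("TCP header cannot exceed 15 words")
    # byte 12: Data Offset in the high nibble, reserved bits and NS left 0; byte 13: the flags
    return struct.pack(TCP_FMT, sport, dport, seq, ack, words << 4, bits, window, 0, 0) + options


def parse_tcp_header(segment: bytes) -> dict:
    (sport, dport, seq, ack, off_res, bits,
     window, csum, urg) = struct.unpack(TCP_FMT, segment[:20])
    data_offset = (off_res >> 4) * 4
    if data_offset < 20:
        raise ValueError("Data Offset below 5 words is invalid")
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "data_offset": data_offset,
        "flags": {name for name, bit in FLAG_BITS.items() if bits & bit},
        "window": window, "checksum": csum, "urgent_pointer": urg,
        "options": segment[20:data_offset],
        "payload": segment[data_offset:],
    }


def track_connection(segments: List[bytes]) -> dict:
    """Apply segments in order, the way a simplified stateful firewall tracks a flow."""
    state, client_isn, server_isn = "CLOSED", None, None
    for seg in segments:
        h = parse_tcp_header(seg)
        f = h["flags"]
        if "RST" in f:
            state = "RESET"                              # also what a half-open scan leaves behind
            break
        if state == "CLOSED" and f == {"SYN"}:
            client_isn, state = h["seq"], "SYN_SENT"
        elif state == "SYN_SENT" and f == {"SYN", "ACK"} and h["ack"] == nxt(client_isn):
            server_isn, state = h["seq"], "SYN_RECEIVED"   # server acknowledges client ISN + 1
        elif (state == "SYN_RECEIVED" and "ACK" in f
              and h["seq"] == nxt(client_isn) and h["ack"] == nxt(server_isn)):
            state = "ESTABLISHED"
        elif state in ("ESTABLISHED", "FIN_SEEN") and "ACK" in f:
            if "FIN" in f:
                state = "FIN_SEEN"
        else:
            state = "INVALID"                            # out of order or wrong numbers
            break
    return {"state": state, "client_isn": client_isn, "server_isn": server_isn}


def handshake(client_isn: int, server_isn: int, cport: int = 40000, sport: int = 80) -> List[bytes]:
    """The three segments the slides list: SYN, SYN/ACK, ACK (client SYN carries an MSS option)."""
    return [
        build_tcp_header(cport, sport, client_isn, 0, "SYN", options=b"\x02\x04\x05\xb4"),
        build_tcp_header(sport, cport, server_isn, nxt(client_isn), "SYN/ACK"),
        build_tcp_header(cport, sport, nxt(client_isn), nxt(server_isn), "ACK"),
    ]
```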



UDP = User Datagram Protocol
Considered connectionless, “unreliable”, fire and
forget
Meant for when speed and low overhead are more
important than reliability, and the data passed can be
lossy

NTP
VoIP
DNS
Streaming Video
Pretty simple
Checksum is optional
[UDP header diagram: bits numbered 0-31 across, one row per 32 bits]
Source Port | Destination Port
Length | Checksum
Data




16 bit port fields allow for 0 to 65535, or 65536
ports
1023 and lower are reserved ports
(May need to be root to open)
1024 and up are ephemeral ports
(Most apps will source from these ports)
Common ports:
HTTP=80/tcp, HTTPS=443/tcp, SMTP=25/tcp,
SSH=22/tcp, Telnet=23/tcp, DNS=53/udp & tcp




ICMP is Internet Control Message Protocol and
helps out the other protocols
Considered to be layer 3, despite IP being layer 3
and ICMP riding on it
Used for troubleshooting (like ping) and reporting
errors
Uses types and codes instead of ports








Type 8 = Echo
Type 0 = Echo Reply
All of Type 3 is Destination Unreachable
Type 3, Code 0 = Network Unreachable
Type 3, Code 1 = Host Unreachable
Type 3, Code 4 = Fragmentation Needed and Don't
Fragment was Set
Type 11, Code 0 = Time to Live exceeded in Transit
Type 11, Code 1 = Fragment Reassembly Time
Exceeded




PING is a tool using ICMP Echo Requests and Echo
Replies
Named for the sound of sonar, but the backronym
is Packet Internet Groper
Used to see if a host is up
Not so reliable now as so many organizations block
various ICMP packets with firewalls


Traceroute sends packets with the TTL field incremented each time to
determine the path of packets on the network
Steps:
1. Send a packet with a TTL of 1
2. The first router decrements the TTL of the packet, sees that it is now 0 and
drops it
3. The router sends an ICMP Time Exceeded message back to the original host;
since this message has the IP of the router it can be used to identify it
4. The original host takes note of the first hop, then sends another packet with
the TTL set to 2
5. Repeat until the destination is reached or whatever the default max is,
incrementing TTL each time
Also not as reliable as it once was
Windows uses ICMP packets, *nix uses UDP
Both usually send three packets back to back for each hop
[Traceroute diagram: three hops, each answering “TTL Exceeded”]
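The five steps above as an added Python simulation (not from the slides): a fixed path of router addresses, each of which decrements TTL and answers with ICMP Time Exceeded when it hits 0, plus a destination that answers differently depending on whether the probe was UDP (*nix style, ICMP port unreachable comes back) or ICMP Echo (Windows style, an Echo Reply comes back). Routers listed as silent drop expired probes without replying, which is how the "not as reliable as it once was" hops show up as `*`. The path and addresses are constructed.

```python
from typing import FrozenSet, List, Optional, Tuple

# Added simulation: routers along a constructed path, each decrementing TTL like RFC 791 says.
# Routers in `silent` drop expired probes without sending ICMP, like a filtering hop.


def send_probe(path: List[str], dest: str, ttl: int, probe: str,
               silent: FrozenSet[str]) -> Tuple[str, Optional[str]]:
    """Return (icmp_message, responder) for one probe sent with the given starting TTL."""
    if ttl < 1:
        raise ValueError("TTL must be at least 1")
    for router in path:
        ttl -= 1                                        # every router decrements the TTL
        if ttl == 0:                                    # expired here: dropped, ICMP type 11 code 0 sent back
            return "time_exceeded", (None if router in silent else router)
    # Reached the destination: a UDP probe to an unused port draws ICMP type 3 code 3,
    # an ICMP Echo draws an Echo Reply (type 0).
    return ("port_unreachable" if probe == "udp" else "echo_reply"), dest


def traceroute(path: List[str], dest: str, probe: str = "udp",
               silent: FrozenSet[str] = frozenset(), max_hops: int = 30) -> List[Tuple[int, str, str]]:
    """Steps 1-5 of the slide: TTL 1, 2, 3 ... until the destination answers or max_hops is hit."""
    hops = []
    for ttl in range(1, max_hops + 1):
        msg, who = send_probe(path, dest, ttl, probe, silent)
        hops.append((ttl, who or "*", msg))             # "*" is how traceroute shows a hop that never answered
        if who == dest:
            break
    return hops
```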












BOOTP, Bootstrap Protocol, server port 67/udp, client port 68/udp used by diskless
workstations
DHCP, Dynamic Host Configuration Protocol, server port 67/udp, client port 68/udp
DNS, Domain Name System, 53/udp & 53/tcp, DNSSEC uses PKI to add integrity, but
not confidentiality
FTP, File Transfer Protocol, 21/tcp (control) 20/tcp (data in active FTP)
HTTP/HTTPS, Hyper Text Transfer Protocol, 80/tcp, 443/tcp if using SSL/TLS
IMAP, Internet Message Access Protocol, 143/tcp
Telnet, 23/tcp, terminal emulation
TFTP, Trivial File Transfer Protocol, 69/udp
POP3, Post Office Protocol, 110/tcp
SNMP, Simple Network Management Protocol, 161/udp
SSH, 22/tcp, like telnet but encrypted, SFTP rides on top of it
SMTP, Simple Mail Transfer Protocol, 25/tcp
Connect Scan (-sT) Against Open Port
1. SYN
2. SYN/ACK
3. ACK
4. RST/ACK
SYN Scan (-sS) Against Open Port
1. SYN
2. SYN/ACK
3. RST
Connect Scan (-sT) Against Closed Port
1. SYN
2. RST/ACK
SYN Scan (-sS) Against Closed Port
1. SYN
2. RST/ACK
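The four exchanges above are what a network monitor sees from the other side, so as an added Python example (not from the slides) here is a classifier that groups flow records per client/server/port and labels each exchange as a half-open probe (SYN, SYN/ACK, RST), a connect() probe (full handshake then an immediate RST/ACK), a closed-port probe (SYN, RST/ACK) or a real session that carried data. The records, hosts and thresholds are constructed; a production detector would also key on source port and time, which is left out here for clarity.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Added example: telling the two scan shapes apart in flow records.
# Records are constructed (src, dst, server_port, flags) tuples in arrival order.
SAMPLE_FLOWS: List[Tuple[str, str, int, str]] = [
    # 10.0.0.5 SYN-scans four ports on 10.0.0.1: two open (RST after SYN/ACK), two closed
    ("10.0.0.5", "10.0.0.1", 22, "SYN"), ("10.0.0.1", "10.0.0.5", 22, "SYN/ACK"), ("10.0.0.5", "10.0.0.1", 22, "RST"),
    ("10.0.0.5", "10.0.0.1", 80, "SYN"), ("10.0.0.1", "10.0.0.5", 80, "SYN/ACK"), ("10.0.0.5", "10.0.0.1", 80, "RST"),
    ("10.0.0.5", "10.0.0.1", 443, "SYN"), ("10.0.0.1", "10.0.0.5", 443, "RST/ACK"),
    ("10.0.0.5", "10.0.0.1", 25, "SYN"), ("10.0.0.1", "10.0.0.5", 25, "RST/ACK"),
    # 10.0.0.7 connect()-scans two open ports: full handshake, then immediate RST/ACK
    ("10.0.0.7", "10.0.0.1", 22, "SYN"), ("10.0.0.1", "10.0.0.7", 22, "SYN/ACK"),
    ("10.0.0.7", "10.0.0.1", 22, "ACK"), ("10.0.0.7", "10.0.0.1", 22, "RST/ACK"),
    ("10.0.0.7", "10.0.0.1", 80, "SYN"), ("10.0.0.1", "10.0.0.7", 80, "SYN/ACK"),
    ("10.0.0.7", "10.0.0.1", 80, "ACK"), ("10.0.0.7", "10.0.0.1", 80, "RST/ACK"),
    # 10.0.0.9 is an ordinary client that sends data after the handshake
    ("10.0.0.9", "10.0.0.1", 80, "SYN"), ("10.0.0.1", "10.0.0.9", 80, "SYN/ACK"),
    ("10.0.0.9", "10.0.0.1", 80, "ACK"), ("10.0.0.9", "10.0.0.1", 80, "PSH/ACK"),
]
PROBE_KINDS = ("closed", "half_open", "connect_probe")


def group_probes(flows) -> Dict[tuple, List[Tuple[str, str]]]:
    """Group records per (client, server, port); whoever sent the first SYN is the client."""
    probes: Dict[tuple, List[Tuple[str, str]]] = {}
    for src, dst, port, flags in flows:
        if (src, dst, port) in probes:
            probes[(src, dst, port)].append(("c", flags))
        elif (dst, src, port) in probes:
            probes[(dst, src, port)].append(("s", flags))
        elif flags == "SYN":
            probes[(src, dst, port)] = [("c", flags)]
        # anything else is an unmatched mid-stream record and is ignored here
    return probes


def classify(events: List[Tuple[str, str]]) -> str:
    if any(side == "c" and "PSH" in flags for side, flags in events):
        return "data"                                   # the client actually used the service
    flags = [f for _, f in events]
    if flags[:2] == ["SYN", "RST/ACK"]:
        return "closed"                                 # closed port, same picture for both scan types
    if flags[:3] == ["SYN", "SYN/ACK", "RST"]:
        return "half_open"                              # SYN scan: handshake never completed
    if flags[:4] == ["SYN", "SYN/ACK", "ACK", "RST/ACK"]:
        return "connect_probe"                          # connect() scan: completed, then torn down at once
    return "other"


def scan_report(flows, min_ports: int = 3) -> Dict[str, dict]:
    """Per client: distinct (server, port) pairs touched, counts per kind, and a verdict."""
    per_client: Dict[str, dict] = defaultdict(lambda: {"ports": set(), "counts": defaultdict(int)})
    for (client, server, port), events in group_probes(flows).items():
        per_client[client]["ports"].add((server, port))
        per_client[client]["counts"][classify(events)] += 1
    report = {}
    for client, info in per_client.items():
        counts = info["counts"]
        probes = sum(counts[k] for k in PROBE_KINDS)
        report[client] = {
            "distinct_ports": len(info["ports"]),
            "closed": counts["closed"], "half_open": counts["half_open"],
            "connect_probe": counts["connect_probe"], "data": counts["data"],
            "suspicious": len(info["ports"]) >= min_ports and probes > counts["data"],
        }
    return report
```

Note what the closed-port case shows: against a closed port the two scan types are indistinguishable, so the verdict rests on breadth (how many ports) and on the ratio of probes to real sessions, not on any single exchange.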
Ground work for OS detection
 ACK to closed or open port, Linux or Windows = RST
 Xmas scan (URG,PSH,FIN) on open or closed port:
   Linux = No response
   Windows = RST, ACK
Osfuscate
http://www.irongeek.com/i.php?page=security/osfuscate-change-your-windows-os-tcp-ip-fingerprint-to-confuse-p0f-networkminer-ettercap-nmap-and-other-os-detection-tools

UDP scan port states:
Closed          ICMP port unreachable error (type 3, code 3)
Filtered        ICMP unreachable errors (type 3, codes 1, 2, 9, 10, or 13)
Open/Filtered   No response
Open            Any response (version detection may help)

Examples
nmap 10.0.0.1
nmap -sS 10.0.0.1
Wildcards
192.168.*.*
 Range
192.168.0-255.0-255
 Mask Notation (CIDR)
192.168.0.0/16
Classless Inter-Domain Routing

                                Decimal           Binary
                                192.168.1.1       11000000.10101000.00000001.00000001
                                /16               11111111.11111111.00000000.00000000
Binary AND the above together   192.168.0.0       11000000.10101000.00000000.00000000
Range start                     192.168.0.0       11000000.10101000.00000000.00000000
Range end                       192.168.255.255   11000000.10101000.11111111.11111111
Not all of the above range would be valid
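The three target notations above, expanded into host lists by an added Python example (not from the slides, and not Nmap's own parser): wildcards and per-octet ranges are expanded with itertools.product, CIDR with the standard library's ipaddress module, which also gives the range start and end from the slide's table and the "not all of the range would be valid" part, the network and broadcast addresses that are excluded from the usable hosts. Only the `*`, `a-b` and `/n` forms shown on the slide are handled.

```python
import ipaddress
import itertools
from typing import List, Tuple

# Added example: expand wildcard, range and CIDR target specs (only the forms on the slide).


def expand_octet(spec: str) -> List[int]:
    """'*' -> 0..255, 'a-b' -> a..b, 'n' -> [n]; values are checked to be 0..255."""
    if spec == "*":
        return list(range(256))
    if "-" in spec:
        lo, hi = (int(x) for x in spec.split("-", 1))
    else:
        lo = hi = int(spec)
    if not 0 <= lo <= hi <= 255:
        raise ValueError("octet out of range: %s" % spec)
    return list(range(lo, hi + 1))


def expand_targets(spec: str) -> List[str]:
    """Every address the spec covers, in ascending order (CIDR includes network and broadcast)."""
    if "/" in spec:
        net = ipaddress.ip_network(spec, strict=False)   # host bits masked off, like the slide's AND
        return [str(a) for a in net]
    parts = spec.split(".")
    if len(parts) != 4:
        raise ValueError("expected four octets: %s" % spec)
    return [".".join(map(str, combo))
            for combo in itertools.product(*(expand_octet(p) for p in parts))]


def count_targets(spec: str) -> int:
    return len(expand_targets(spec))


def network_bounds(cidr: str) -> Tuple[str, str]:
    """The range start and end from the slide's table: network and broadcast address."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.broadcast_address)


def usable_hosts(cidr: str) -> List[str]:
    """Everything the CIDR covers minus the network and broadcast addresses."""
    return [str(h) for h in ipaddress.ip_network(cidr, strict=False).hosts()]
```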




--exclude <host1>              Exclude some hosts
-iL <inputfilename>            Obtain targets from a file
--excludefile <exclude_file>   Exclude the hosts listed in a file

All ports but 0:
nmap -PN -p- egadz.metasploit.com
Include 0:
nmap -PN -p 0-65535 egadz.metasploit.com


Targets for this class:
hackme.irongeek.com (“My” site)
egadz.metasploit.com (every TCP port open)
scanme.nmap.org (provided by Nmap.org)

Default “Ping”

ARP if on same subnet, and that’s it, otherwise:
 ICMP Echo
 SYN to 443 (https)
 ACK to 80 (http)
 ICMP Timestamp Request
 And then in reverse














-sn   No port scan
-PR   ARP Ping
-Pn   No ping (can be slow, ARP always done)
-PO   Protocol List Scan (Default ICMP (1), IGMP (2), & IP-in-IP (4))
-PS   SYN Ping, default 80, can set with something like -PS22-25
-PI   ICMP Echo Ping
-PB   -PT+-PI
-PE   ICMP Echo Ping
-PM   ICMP Address Mask Ping
-PP   ICMP Timestamp Ping
-PA   Much like SYN Ping, but with ACK
-PU   UDP Ping
-PT   TCP Ping
-PY   SCTP Ping

Just discovery
nmap -sn 10.0.0.*
nmap -Pn 10.0.0.*

Ports:
nmap 10.0.0.*
nmap 10.0.0.3
nmap 10.0.0.0/24 -p 80
nmap -sS -sU 10.0.0.* -p T:80,U:80














-h    Nmap help
-sS   TCP SYN scan
-sT   TCP connect() scan
-sU   UDP port scans
-v    Verbose output
-vv   Very verbose output
-O    Detect Operating System (TCP/IP fingerprinting)
-sV   Service version detection
-PN   Don't ping, just scan
-A    Aggressive Options
-T    Paranoid|Sneaky|Polite|Normal|Aggressive|Insane
-p    Choose your ports (scan all ports with 0-65535)
-F    Fast Scan: Scans only ports in the nmap-services file
-n    Don't do reverse DNS lookup

Examples:
nmap -O 10.0.0.*
nmap -sV 10.0.0.*
nmap -A 10.0.0.*

-oN        Human readable, looks like normal Nmap output printed to the screen
-oX        XML output (--webxml for online stylesheet)
-oG        Grepable log
-oS        S|<ipT kiDd|3
-oA        All logs but s|<ipT kiDd|3
--resume   Resumes scan from a normal (-oN) or grepable (-oG) log file




-sA
ACK Scan, useful on non-stateful firewalls for
mapping out rule sets
-sF
FIN Scan, just uses bare FIN packets
-sX
XMAS (as in "all lit up like a Christmas tree") Scan,
sends packets with the FIN, URG, and PSH flags
turned on
-sN
NULL Scan, sends packets with all flags turned off

Example
nmap 10.0.0.* -oA somenameforlog
cat somenameforlog.gnmap
grep 80/open/tcp somenameforlog.gnmap
nmap 10.0.0.* --open
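The `grep 80/open/tcp` step above, done as a proper parser of the grepable (-oG) format so the result can be compared against an inventory: an added Python example (not from the slides, and not Nmap's own code). The sample output is constructed to follow the `Host: ... Ports: port/state/protocol/owner/service/rpc/version/` layout of .gnmap files; the hosts, services and allowlist are made up. The last function is the defender's use of such a scan of your own network: open ports that nobody expected.

```python
import re
from typing import Dict, List, Tuple

# Added example: parse grepable Nmap output and diff it against an allowlist.
# The sample below is constructed in the .gnmap layout; it is not a real scan.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated as: nmap 10.0.0.* -oA somenameforlog
Host: 10.0.0.1 ()\tStatus: Up
Host: 10.0.0.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx/, 443/closed/tcp//https///\tIgnored State: filtered (997)
Host: 10.0.0.3 (printer.example)\tStatus: Up
Host: 10.0.0.3 (printer.example)\tPorts: 80/open/tcp//http///, 9100/open/tcp//jetdirect///\tIgnored State: closed (998)
Host: 10.0.0.7 ()\tPorts: 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/\tIgnored State: closed (999)
# Nmap done at ...: 256 IP addresses (3 hosts up) scanned
"""
HOST_RE = re.compile(r"Host: (\S+) \(([^)]*)\)\t(.*)")
# port/state/protocol/owner/service/rpc info/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/[^/]*/([^/]*)/[^/]*/([^/]*)/")


def parse_gnmap(text: str) -> Dict[str, dict]:
    """Map each scanned IP to its hostname and a list of port records."""
    hosts: Dict[str, dict] = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue                                   # comment lines and anything unexpected
        ip, name, rest = m.groups()
        entry = hosts.setdefault(ip, {"hostname": name, "ports": []})
        if rest.startswith("Ports:"):
            for port, state, proto, service, version in PORT_RE.findall(rest):
                entry["ports"].append({"port": int(port), "state": state, "proto": proto,
                                       "service": service, "version": version})
    return hosts


def hosts_with_open(hosts: Dict[str, dict], port: int, proto: str = "tcp") -> List[str]:
    """The grep equivalent: which hosts have this port open?"""
    return sorted(ip for ip, h in hosts.items()
                  if any(p["port"] == port and p["proto"] == proto and p["state"] == "open"
                         for p in h["ports"]))


def unexpected_open(hosts: Dict[str, dict], allowlist: Dict[str, set]) -> List[Tuple[str, int, str]]:
    """Open ports not in the per-host allowlist; hosts absent from the allowlist may have nothing open."""
    findings = []
    for ip, h in hosts.items():
        for p in h["ports"]:
            if p["state"] == "open" and p["port"] not in allowlist.get(ip, set()):
                findings.append((ip, p["port"], p["service"]))
    return findings
```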




-sI
Idlescan, an advanced scan that relies on sequential or
predictable IPIDs; it “bounces” an attack off of another
box, allowing for extra stealth and maybe the ability to
get past firewalls
-b
FTP bounce attack, can be used with badly configured
FTP servers to use the FTP daemon as a sort of proxy
-D
Add decoy IPs to confuse the target's logs
-f
Fragment Packets
-sO
IP protocol scans, find what IP protocols are supported (TCP, UDP, ICMP, etc.)
--send_eth
Send packets using raw Ethernet instead of raw socket
--randomize_hosts
Randomizes the order in which hosts are scanned
--spoof_mac
Allows you to choose a different MAC than your normal one, use 0 if you want
Nmap to just choose a random MAC (DEADBEEFCAFE)
-sL
Just do a DNS lookup but nothing else, great for foot printing
-n
Never do a DNS lookup
-PR
ARP ping, only works if you are on the same subnet
-e
Specify network interface
--source_port
Specify source port, may be useful for getting around non-stateful firewalls

List scan
nmap -sL 10.0.0.*




Nmap NSE/LUA Scripts
 -sC
Performs a script scan using the default set of scripts.
 --script <script-categories>|<directory>|<filename>|all
 Categories: safe, intrusive, malware, version, discovery,
vuln, auth, default
 Scripts live in C:\Program Files\Nmap\scripts on Windows
 Fyodor did a talk at Defcon 18 on the subject
Metasploit
 If you can learn Ruby, write your own script and add it to
auxiliary
description = [[
Let's try to print something. Based this on the pptp script
]]
-- rev 0.1 (08-23-2010)
author = "Adrian Crenshaw"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"safe"}

-- NSE libraries are imported into locals (bare require "comm" only worked in older Nmap versions)
local comm = require "comm"
local shortport = require "shortport"

-- Run against port 9100 (raw/JetDirect printing) or a service detected on it
portrule = shortport.version_port_or_service(9100)

action = function(host, port)
  local payload = "Did I print?\n\n\027"  -- Just print this; \027 is ESC
  local status, err = comm.exchange(host, port, payload, {timeout=5000})
  if not status then
    return nil  -- could not talk to the port, report nothing
  end
  return "Hope for the best"
end
Test with:
nmap --script printsomething localhost
ncat -l -p 9100
NSE docs: http://nmap.org/nsedoc/
Derbycon
Sept 24th-28th, 2014
Derbycon Art Credits to DigiP
Photo Credits to KC (devauto)
http://www.derbycon.com
Others
http://www.louisvilleinfosec.com
http://skydogcon.com
http://hack3rcon.org
http://outerz0ne.org
http://phreaknic.info
http://notacon.org
Twitter: @Irongeek_ADC