#! /opt/cpg/bin/do-mgp %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %% %%deffont "standard" tfont "comic.ttf" %deffont "standard" tfont "times.ttf" %deffont "thick" tfont "arial.ttf" %deffont "typewriter" xfont "courier new-bold-r" %deffont "type2writer" xfont "arial narrow-bold-r" %% %% Default settings per each line numbers. %% %default 1 leftfill, size 2, fore "gold", back "black", font "thick" %default 1 bimage "bg-parallel.jpg" 1024x768 %default 2 size 7, vgap 10, prefix " " %default 3 size 2, bar "darkgreen", vgap 30 %default 4 size 5, fore "lemon chiffon", vgap 30, prefix " ", font "standard" %% %% Default settings that are applied to TAB-indented lines. %% %tab 1 size 4, vgap 40, prefix " ", icon arc "tomato" 40 %tab 2 size 4, vgap 20, prefix " ", icon box "spring green" 40 %tab 3 size 3, vgap 20, prefix " ", icon delta3 "white" 40 %% %% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page %nodefault %size 7, font "thick", fore "gold", bimage "bg-parallel.jpg" 1024x768 %%area 90 10 3 3 %center Advanced Network Reconnaissance %size 4 by Fyodor fyodor@insecure.org http://www.insecure.org/presentations/CanSecWest03 CanSecWest; April, 2003 %image "images/Insecurelogo-eye-blackbg-229x123.gif" %left %image "images/mx.chi.playboy.packettrace.gif" %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page Disclaimers: %%tab 1 size 6, vgap 40, prefix " ", icon arc "tomato" 40 Real hostnames and IP addresses are used %%tab 1 size 6, vgap 40, prefix " ", icon arc "tomato" 40 We start with the basics as a foundation for more advanced techniques %size 5 [No hosts were harmed or rooted in the making of this presentation ] %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page Step 1: Locating the Proper IP Networks %%tab 1 size 6, vgap 40, prefix " ", icon arc "tomato" 40 Ask the company? %cont, fore "red" Sure, but independently verify! 
%fore "lemon chiffon" %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page DNS -- A Scout's Best Friend! Grab the low-hanging fruit of MX, NS records: %size 4 dig @ns1.atstake.com atstake.com. any in [ ... ] ;; ANSWER SECTION: atstake.com. 1H IN SOA ns1.atstake.com. hostmaster.atstake.com. ( 2002092401 ; serial [ ... ] atstake.com. 1H IN NS ns1.atstake.com. atstake.com. 1H IN NS ns2.atstake.com. atstake.com. 1H IN TXT "Where security and business intersect" atstake.com. 1H IN MX 1 porfidio.atstake.com. atstake.com. 10S IN A 63.251.138.37 atstake.com. 10S IN A 63.251.138.36 ;; ADDITIONAL SECTION: ns1.atstake.com. 1H IN A 63.168.6.80 ns2.atstake.com. 1H IN A 63.251.138.33 porfidio.atstake.com. 1H IN A 63.168.6.70 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page Zone Transfers It is always worth requesting a zone transfer from each name server (see previous slide), as they can be very valuable: Provides many IPs for further investigation The names and CNAMEs give important clues as to the function of machines Sometimes contain personal machines (vanity names) and other far-flung normally hard-to-find boxes. Negligently administered nameservers often provide internal names, unreachable hosts behind the firewall, etc. %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page Zone File Availability But does anyone still allow zone transfers? I tried every authoritative nameserver for each of the following domains: %size 4 Evil Empire: Microsoft.com, Msft.net, Msn.net, Hotmail.com Tech Titans: Cisco.com, Sun.com Porn: Playboy.com, Sex.com Security: Cert.org, Sans.org, Giac.net, Defcon.org, Symantec.com, Securityfocus.com, Atstake.com %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page Only Securityfocus is Willing to Share > dig @ns1.securityfocus.com securityfocus.com. axfr in %size 3 [... ] securityfocus.com. 86400 IN A 205.206.231.13 gw.securityfocus.com. 
86400 IN A 205.206.231.1
mail.securityfocus.com. 86400 IN A 205.206.231.9
backup.securityfocus.com. 86400 IN A 205.206.231.21
db.securityfocus.com. 86400 IN A 205.206.231.72
wwwdev.securityfocus.com. 86400 IN A 205.206.231.16
sfcm.securityfocus.com. 86400 IN A 205.206.231.8
downloads.securityfocus.com. 86400 IN A 205.206.231.24
lists.securityfocus.com. 86400 IN A 205.206.231.19
lists.securityfocus.com. 86400 IN MX 0 lists.securityfocus.com.
www.securityfocus.com. 86400 IN A 205.206.231.10
www1.securityfocus.com. 86400 IN A 205.206.231.11
media.securityfocus.com. 86400 IN A 205.206.231.14
beta.securityfocus.com. 86400 IN A 205.206.231.73
bugzilla.securityfocus.com. 86400 IN A 205.206.231.82
outgoing.securityfocus.com. 2 IN A 205.206.231.26
custadmin.securityfocus.com. 86400 IN A 205.206.231.68
calgary.securityfocus.com. 86400 IN A 205.206.231.9
upload.securityfocus.com. 86400 IN A 205.206.231.74
alerts.securityfocus.com. 86400 IN A 205.206.231.22
predictor.securityfocus.com. 86400 IN A 205.206.231.25
tms.securityfocus.com. 86400 IN A 205.206.231.71
online.securityfocus.com. 86400 IN A 205.206.231.10
datafeeds.securityfocus.com. 86400 IN A 205.206.231.7
adserver.securityfocus.com. 3600 IN A 205.206.231.6
betatms.securityfocus.com. 3600 IN A 205.206.231.73
demo.securityfocus.com. 86400 IN A 205.206.231.70
analyzer.securityfocus.com. 86400 IN A 205.206.231.70
[ ... ]
Note the addresses that carry several names (205.206.231.9, .10, .70, .73): virtual hosts, aliases, or a balancer in front.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
DNS Version Request
dig @[NAME_SERVER] version.bind txt chaos
Correlate with: http://www.isc.org/products/BIND/bind-security.html
[ And also check the BIND CHANGELOG ]
The reply is whatever the administrator put in the version option of named.conf, so treat it as a hint rather than proof. Some companies run an interesting "version" of BIND:
Playboy.Com (209.247.228.135) "Move on, I'm already patched. kthxbye."
Altria.Com (216.255.129.249) "You are not cleared for that information"
Sans.Org/Giac.Net (66.129.1.102) "All accesses are logged"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Netcraft: Another Valuable Resource
Netcraft "Webserver Search" at http://news.netcraft.com
Allows searching for webservers in a given domain
Example searches:
".microsoft." 378 sites
".atstake" 5 sites, including UK and German sites
".playboy." 63 sites
Can find similarly named domains (e.g. playboystore.com, playboyenterprises.com)
Can drill down to see a rough OS guess, hosting history, uptime graph, etc.
All without setting off any alarms at the target company: Netcraft already did the probing, you are only querying its database.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Geographical IP Registries
Regional IP registries such as ARIN, RIPE, and APNIC are a gold mine for scouting:
Look up the owners of "seed" IPs discovered earlier to learn the netblock range, owners, administrators, routing AS numbers, etc.
Then look up all netblocks owned by the same company, administered by the same contacts, etc.
Repeat until you stop finding new IPs.
Collect phone numbers, office addresses, and emails while you're at it.
Decide whether to include corporate siblings, subsidiaries, partnerships, etc. For example, racingusa.playboy.com is operated by Penn National Gaming.
ARIN whois help screens:
whois -h whois.arin.net \?
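The DNS slides above and the registry lookups that follow are, in practice, a bookkeeping exercise: every A record is a seed address, every address that carries several names is a clue about the hosting setup, and the /24s around the seeds are what gets fed into whois next. The script below is an added example (not code from the talk) that does that bookkeeping over raw dig output. Its SAMPLE is a trimmed copy of the atstake.com ANY answer and the securityfocus.com zone transfer shown on the preceding slides, embedded so it runs offline; the ROLE_HINTS keyword list and the /24 seed size are assumptions, not anything the talk prescribes.

```python
"""From raw dig output to recon seeds. Added example, not code from the talk.

Parses the record lines dig prints (ANY answers, AXFR dumps) and derives what the
next steps need: the /24s around every A record (seeds for whois), addresses that
carry several names (vhosts, aliases, a balancer in front) and names whose labels
hint at a role. SAMPLE is a trimmed copy of the atstake.com and securityfocus.com
output on the preceding slides so the script runs offline; ROLE_HINTS is assumed.
"""
import ipaddress
import re
from collections import defaultdict

# dig prints:  owner  TTL  class  type  rdata   (TTL as 86400 or in 1H / 10S notation)
RR_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+[SMHDW]?)\s+IN\s+(?P<type>[A-Z]+)\s+(?P<rdata>.+)$")

# Assumed list of labels that usually describe a machine's function.
ROLE_HINTS = ("db", "dev", "backup", "staging", "beta", "bugzilla", "admin", "upload",
              "gw", "fw", "mail", "mx", "ns", "vpn", "test", "internal", "demo")

SAMPLE = """\
;; ANSWER SECTION:
atstake.com.                 1H IN NS  ns1.atstake.com.
atstake.com.                 1H IN NS  ns2.atstake.com.
atstake.com.                 1H IN MX  1 porfidio.atstake.com.
atstake.com.                 10S IN A  63.251.138.37
atstake.com.                 10S IN A  63.251.138.36
ns1.atstake.com.             1H IN A   63.168.6.80
ns2.atstake.com.             1H IN A   63.251.138.33
porfidio.atstake.com.        1H IN A   63.168.6.70
gw.securityfocus.com.        86400 IN A 205.206.231.1
mail.securityfocus.com.      86400 IN A 205.206.231.9
backup.securityfocus.com.    86400 IN A 205.206.231.21
db.securityfocus.com.        86400 IN A 205.206.231.72
wwwdev.securityfocus.com.    86400 IN A 205.206.231.16
lists.securityfocus.com.     86400 IN MX 0 lists.securityfocus.com.
www.securityfocus.com.       86400 IN A 205.206.231.10
online.securityfocus.com.    86400 IN A 205.206.231.10
calgary.securityfocus.com.   86400 IN A 205.206.231.9
custadmin.securityfocus.com. 86400 IN A 205.206.231.68
bugzilla.securityfocus.com.  86400 IN A 205.206.231.82
outgoing.securityfocus.com.  2 IN A 205.206.231.26
"""


def parse_dig(text):
    """Return (name, type, rdata) for every record line; dig's ';' comment lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_LINE.match(line)
        if m:
            records.append((m["name"].rstrip(".").lower(), m["type"], m["rdata"].strip()))
    return records


def a_records(records):
    """Map each hostname to the set of IPv4 addresses its A records give."""
    hosts = defaultdict(set)
    for name, rtype, rdata in records:
        if rtype == "A":
            hosts[name].add(rdata)
    return hosts


def seed_networks(hosts, prefixlen=24):
    """Collapse every address into its enclosing /prefixlen: the seeds for registry lookups."""
    nets = {str(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False))
            for addrs in hosts.values() for ip in addrs}
    return sorted(nets)


def shared_addresses(hosts):
    """Addresses carrying more than one name: vhosts, aliases or a load balancer."""
    by_ip = defaultdict(list)
    for name, addrs in hosts.items():
        for ip in addrs:
            by_ip[ip].append(name)
    return {ip: sorted(names) for ip, names in by_ip.items() if len(names) > 1}


def role_hints(hosts):
    """Hostnames whose leftmost label contains one of the ROLE_HINTS keywords."""
    hits = {}
    for name in hosts:
        label = name.split(".")[0]
        found = sorted(h for h in ROLE_HINTS if h in label)
        if found:
            hits[name] = found
    return hits


if __name__ == "__main__":
    hosts = a_records(parse_dig(SAMPLE))
    print("seed networks for whois:", ", ".join(seed_networks(hosts)))
    for ip, names in sorted(shared_addresses(hosts).items()):
        print(f"{ip} is shared by {', '.join(names)}")
    for name, hints in sorted(role_hints(hosts).items()):
        print(f"{name}: looks like {', '.join(hints)}")
```

Run it on a real `dig ... any` or `dig ... axfr` capture instead of SAMPLE and the seed list is what you hand to the registry step; the shared-address report is worth reading before port scanning, since one balancer address answering for ten names is exactly the kind of thing that later inflates a host count.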
whois -h rr.arin.net %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page Arin Example #1 whois -h whois.arin.net "@microsoft.com" %size 3 Abuse (ABUSE231-ARIN) abuse@microsoft.com +1-425-882-8080 Anderson, Doug (DA404-ARIN) douga@microsoft.com +1-425-706-4411 Beers, Andy (AB114-ARIN) abeers@microsoft.com +1-425-703-5595 Beers, Richard (RB827-ARIN) rbeers@microsoft.com +1-206-936-8080 Beher, Mukeshkumar (MB1154-ARIN) mukeshb@microsoft.com +1-425-869-1177 Bowman, Steve (SBO3-ARIN) stevebow@microsoft.com +1-425-703-5989 Bray, Brian (BB72-ARIN) brianbr@microsoft.com +1-604-688-4548 Brent, Drew (DB1593-ARIN) abrent@microsoft.com +1-781-684-5262 Bui, Quoc (QB4-ARIN) quoc@microsoft.com +1-972-473-8731 Butler, Lee (LB141-ARIN) leebu@microsoft.com +1-303-882-3769 Bye, Pamela (PB935-ARIN) timsmith@microsoft.com +1-949-955-4900 Carmichael, Hal (HC146-ARIN) halcar@microsoft.com +1-408-253-5647 Carter, Cale (CC618-ARIN) calec@microsoft.com +1-775-746-4086 Davidson, Bob (BD162-ARIN) bobd@microsoft.com +1-206-644-8062 de Leon, Arnold (AD147-ARIN) arnold@microsoft.com +1-650-693-0538 Dochstader, Kevin (KD369-ARIN) v-kevdoc@microsoft.com +1-905-568-0434 Dunn, Matthew (MD1192-ARIN) matthewd@microsoft.com +1-206-936-7190 Emery, Jason (JE208-ARIN) v-jemery@microsoft.com +1-303-967-6562 Feldstein, Adam (AF79-ARIN) adamf@microsoft.com +1-425-703-5647 Ferguson, Robert (RF47-ARIN) robertfe@microsoft.com +1-206-284-5407 Furman, Greg (GF564-ARIN) gregfu@microsoft.com +1-425-882-8080 Global NOC, Microsoft (MG96-ARIN) noc@microsoft.com +1-425-936-4200 Gortner, David (DG3629-ARIN) davidgor@microsoft.com +1-425-936-2808 Guggenheimer, Steve (SG603-ARIN) stevengu@microsoft.com +1-206-936-5990 Hagger, Paul (PH421-ARIN) paulhag@microsoft.com +1-425-885-3553 Hain, Anthony (AT80-ARIN) tonyhain@microsoft.com +1-206-703-6619 Hamlin, JC (JH1011-ARIN) jchamlin@microsoft.com +1-425-895-1628 Hanson, RJ (RH584-ARIN) a_rayf@microsoft.com +1-425-936-1060 [ ... 
] %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page Arin Example #2 %size 6 > whois -h whois.arin.net n playboy %size 4 Playboy EACT-CUST-CHUTLER (NET-216-80-23-104-1) 216.80.23.104 - 216.80.23.111 Playboy EACT-CUST-JEDB (NET-207-229-165-80-1) 207.229.165.80 - 207.229.165.87 Playboy Enterprises EACT-CUST-LIZWW (NET-216-80-21-72-1) 216.80.21.72 - 216.80.21.79 Playboy Enterprises EACT-C1-KAL (NET-216-80-43-240-1) 216.80.43.240 - 216.80.43.247 Playboy Enterprises PLAYBOY-BLK-1 (NET-216-163-128-0-1) 216.163.128.0 - 216.163.143.255 Playboy Enterprises, Inc. EACT-CUST-RLODGE (NET-216-80-23-160-1) 216.80.23.160 - 216.80.23.167 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page Interesting Playboy Netblocks Through the techniques discussed previously, this Playboy address space was discovered (certain blocks excluded): 216.163.128.0/20 209.247.228.0/24 216.80.23.104/29 207.229.165.80/29 216.80.21.72/29 216.80.43.240/29 216.80.23.160/29 195.244.204.101-105 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page The Cautious Approach: List Scan %size 4 nmap -sL -oN nmap/playboy-listscan-040303.nmap 216.163.128.0/20 209.247.228.0/24 216.80.23.104/29 207.229.165.80/29 216.80.21.72/29 216.80.43.240/29 216.80.23.160/29 195.244.204.101-105 [ ... 
] Host unknown.Level3.net (209.247.228.200) not scanned Host free-chi.playboy.com (209.247.228.201) not scanned Host cyber-chi.playboy.com (209.247.228.202) not scanned Host move-chi.playboy.com (209.247.228.203) not scanned Host network-chi.playboy.com (209.247.228.204) not scanned Host store.playboy.com (209.247.228.205) not scanned Host virt.playboy.com (209.247.228.206) not scanned Host secure.playboy.com (209.247.228.207) not scanned Host unknown.Level3.net (209.247.228.208) not scanned Host www.playboyenterprises.com (209.247.228.209) not scanned Host ads-chi.peiecommerce.com (209.247.228.210) not scanned Host store.spicetv.com (209.247.228.211) not scanned Host unknown.Level3.net (209.247.228.212) not scanned [ ... ] Nmap run completed -- 4397 IP addresses (0 hosts up) scanned in 314.046 seconds %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page Next Step: Ping scan %size 5 nmap -sP -PS22,25,53,80,113,31338 -PA80,113,21000 -PU53,19000 -PE -PM -g 53 -oA nmap/playboy-pingscan-040403 [playboynetblocks] %size 4 [ ... ] Host bigip-chi.playboy.com (209.247.228.130) appears to be up. Host bigip1-chi.playboy.com (209.247.228.131) appears to be up. Host bigip2-chi.playboy.com (209.247.228.132) appears to be up. Host threed-chi.peiecommerce.com (209.247.228.133) appears to be up. Host ns1-chi.playboy.com (209.247.228.135) appears to be up. Host dev-chi.peiecommerce.com (209.247.228.137) appears to be up. Host devdb-chi.peiecommerce.com (209.247.228.138) appears to be up. Host staging-chi.peiecommerce.com (209.247.228.140) appears to be up. Host STAGING2.PLAYBOY.COM (209.247.228.141) appears to be up. [ ... 
]
Nmap run completed -- 4397 IP addresses (950 hosts up) scanned in 752.776 seconds
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Always verify your results
The previous scan claimed 950 hosts up out of 4397, including runs of hundreds of consecutive IPs (no reverse DNS) whose grepable output looks like this:
Host: 216.163.140.210 () Status: Up
Host: 216.163.140.211 () Status: Up
Host: 216.163.140.212 () Status: Up
Host: 216.163.140.213 () Status: Up
Host: 216.163.140.214 () Status: Up
Host: 216.163.140.215 () Status: Up
Host: 216.163.140.216 () Status: Up
Host: 216.163.140.217 () Status: Up
Host: 216.163.140.218 () Status: Up
Real hosts, or an artifact of a load balancer or firewall answering for the whole range? Let's find out!
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
What are the Hosts Responding To?
nmap -sP -PS22,25,53,80,113,31338 -PA80,113,21000 -PU53,19000 -PE -PM -g 53 --packet_trace 216.163.140.226
(-g 53 sends every probe from source port 53, which careless filters pass as DNS traffic; --packet_trace shows each packet sent and received.)
%size 3
Starting nmap 3.21 ( www.insecure.org/nmap/ ) at 2003-04-04 13:14 PST
SENT (0.0130s) ICMP 0.0.0.0 > 216.163.140.226 Echo request (type=8/code=0) ttl=44 id=55447 iplen=28
SENT (0.0140s) ICMP 0.0.0.0 > 216.163.140.226 Address mask request (type=17/code=0) ttl=41 id=35344 iplen=32
SENT (0.0150s) UDP 64.71.184.55:53 > 216.163.140.226:53 ttl=38 id=0 iplen=28
SENT (0.0150s) UDP 64.71.184.55:53 > 216.163.140.226:19000 ttl=40 id=0 iplen=28
SENT (0.0150s) TCP 64.71.184.55:53 > 216.163.140.226:80 A ttl=51 id=51861 iplen=40 seq=2443182083 win=4096 ack=2443182083
SENT (0.0190s) TCP 64.71.184.55:53 > 216.163.140.226:113 A ttl=43 id=24275 iplen=40 seq=3476553731 win=4096 ack=3476553731
SENT (0.0190s) TCP 64.71.184.55:53 > 216.163.140.226:21000 A ttl=51 id=53772 iplen=40 seq=4066902019 win=4096 ack=4066902019
SENT (0.0240s) TCP 64.71.184.55:53 > 216.163.140.226:22 S ttl=47 id=14381 iplen=40 seq=2107113475 win=4096
SENT (0.0290s) TCP 64.71.184.55:53 > 216.163.140.226:25 S ttl=49 id=37975 iplen=40 seq=310378499 win=2048
SENT (0.0330s) TCP 64.71.184.55:53 > 216.163.140.226:53 S ttl=39
id=20252 iplen=40 seq=2434269187 win=4096 SENT (0.0330s) TCP 64.71.184.55:53 > 216.163.140.226:80 S ttl=59 id=7756 iplen=40 seq=1702363139 win=4096 SENT (0.0330s) TCP 64.71.184.55:53 > 216.163.140.226:113 S ttl=54 id=11084 iplen=40 seq=2351955971 win=3072 SENT (0.0380s) TCP 64.71.184.55:53 > 216.163.140.226:31338 S ttl=58 id=5166 iplen=40 seq=3077570563 win=3072 %size 4 RCVD (0.0940s) TCP 216.163.140.226:113 > 64.71.184.55:53 R ttl=48 id=24275 iplen=40 seq=2327314382 win=0 %size 3, fore "lemon chiffon" Host 216.163.140.226 appears to be up. Nmap run completed -- 1 IP address (1 host up) scanned in 0.437 seconds %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page Perhaps the IPID will solve this mystery: %size 4 # hping2 -i 1 -p 113 -S 216.163.140.226 HPING 216.163.140.226 (eth0 216.163.140.226): S set, 40 headers + 0 data bytes 46 bytes from 216.163.140.226: flags=RA seq=0 ttl=48 %cont, fore "red" id=4793 %cont, fore "lemon chiffon" rtt=74.6 ms 46 bytes from 216.163.140.226: flags=RA seq=1 ttl=48 %cont, fore "red" id=57960 %cont, fore "lemon chiffon" rtt=74.7 ms 46 bytes from 216.163.140.226: flags=RA seq=2 ttl=48 %cont, fore "red" id=9456 %cont, fore "lemon chiffon" rtt=74.7 ms 46 bytes from 216.163.140.226: flags=RA seq=3 ttl=48 %cont, fore "red" id=30735 %cont, fore "lemon chiffon" rtt=74.6 ms 46 bytes from 216.163.140.226: flags=RA seq=4 ttl=48 %cont, fore "red" id=29779 %cont, fore "lemon chiffon" rtt=74.8 ms 46 bytes from 216.163.140.226: flags=RA seq=5 ttl=48 %cont, fore "red" id=18545 %cont, fore "lemon chiffon" rtt=74.7 ms 46 bytes from 216.163.140.226: flags=RA seq=6 ttl=48 %cont, fore "red" id=57474 %cont, fore "lemon chiffon" rtt=74.7 ms # hping2 -i 1 -p 113 -S 216.163.140.227 HPING 216.163.140.227 (eth0 216.163.140.227): S set, 40 headers + 0 data bytes 46 bytes from 216.163.140.227: flags=RA seq=0 ttl=48 %cont, fore "red" id=53009 %cont, fore "lemon chiffon" rtt=75.0 ms 46 bytes from 216.163.140.227: flags=RA seq=1 ttl=48 
%cont, fore "red" id=30087 %cont, fore "lemon chiffon" rtt=74.7 ms 46 bytes from 216.163.140.227: flags=RA seq=2 ttl=48 %cont, fore "red" id=63243 %cont, fore "lemon chiffon" rtt=74.6 ms 46 bytes from 216.163.140.227: flags=RA seq=3 ttl=48 %cont, fore "red" id=36291 %cont, fore "lemon chiffon" rtt=74.6 ms %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page Perhaps Traceroute can help? %size 4 # traceroute mx.chi.playboy.com traceroute to 216.163.143.2 (216.163.143.2), 30 hops max, 38 byte packets [ Cut ] 5 ae0-56.mp2.SanJose1.Level3.net (64.159.2.161) 2.081ms 2.220ms 2.108ms 6 so-0-0-0.mp1.Chicago1.Level3.net (209.247.9.78) 73.392ms 73.460ms 73.549ms 7 pos8-0.core1.Chicago1.Level3.net (209.247.10.162) 73.621ms 73.545ms 73.418ms 8 gigabitethernet6-1.ipcolo1.Chicago1.Level3.net (209.244.8.18) 73.582ms 73.720ms 73.656ms 9 ge1-0.br1.ord.playboy.net (166.90.73.205) 73.582ms 73.621ms 74.083ms 10 f0-0.b1.chi.playboy.com (209.247.228.247) 74.433ms 74.213ms 77.137ms 11 * * * 12 * * * 13 * * * %size 5 Can we do better than 10 hops? %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page Custom Traceroute Against Open Port hping2 -t 5 --traceroute -p 25 -S mx.chi.playboy.com %size 4 [ combined with results from hping2 -i 1 --ttl * -p 25 -S 216.163.143.2 ] 5->TTL 0 during transit from 64.159.2.97 (ae0-54.mp2.SanJose1.Level3.net) 6->TTL 0 during transit from 64.159.1.34 (so-3-0-0.mp2.Chicago1.Level3.net) 7->TTL 0 during transit from 209.247.10.170 (pos9-0.core1.Chicago1.level3.net) 8->TTL 0 during transit from 209.244.8.42 (gige6-0.ipcolo1.Chicago1.Level3.net) 9->TTL 0 during transit from 166.90.73.205 (ge1-0.br1.ord.playboy.net) 10->TTL 0 during transit from 209.247.228.247 (f0-0.b1.chi.playboy.com) 11->No response 12->TTL 0 during transit from 216.163.143.130 (fw.chi.playboy.com) 13->46 bytes from 216.163.143.2: flags=SA seq=0 ttl=52 id=48957 rtt=75.8 ms %size 5 Much better! Reached target machine at hop 13. 
Helpful naming of mx.chi and fw.chi. %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page Side note on Hostnames Even though Playboy has kindly provided informative hostnames, you can't always count on that. For example: %size 5 > telnet bugzilla.securityfocus.com Trying 205.206.231.82... Connected to bugzilla.securityfocus.com. Escape character is '^]'. Raptor Firewall Secure Gateway. Hostname: [I typed] secrethost.internal.securityfocus.com Access denied. Connection closed by foreign host. %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page Another Custom Traceroute hping2 -t 5 --traceroute -p 113 -S mx.chi.playboy.com %size 4 [ results augmented again ] 5->TTL 0 during transit from 64.159.2.97 (ae0-54.mp2.SanJose1.Level3.net) 6->TTL 0 during transit from 64.159.1.34 (so-3-0-0.mp2.Chicago1.Level3.net) 7->TTL 0 during transit from 209.247.10.170 (pos9-0.core1.Chicago1.level3.net) 8->TTL 0 during transit from 209.244.8.42 (gige6-0.ipcolo1.Chicago1.Level3.net) 9->TTL 0 during transit from 166.90.73.205 (ge1-0.br1.ord.playboy.net) 10->TTL 0 during transit from 209.247.228.247 (f0-0.b1.chi.playboy.com) 11->Nothing 12->46 bytes from 216.163.143.2: flags=RA seq=0 ttl=48 id=53414 rtt=75.0 ms %size 5 Response from Hop 12? That is fw.chi! Other hosts on the subnet also answer 113 from hop 12. %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page Repeating the Ping Scan W/O 113: %size 4 nmap -sP -PS22,25,53,80,31338 -PA80,21000 -PU53,19000 -PE -PM -T4 -g 53 -oA nmap/playboy-pingscan-no113-04040 [netblocks] [...] [ Nmap run completed -- 4397 IP addresses (71 hosts up) scanned in 597.924 seconds ] 71 hosts is much easier to deal with than 950. 
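The 950-versus-71 puzzle on the preceding slides was settled by three checks done by hand: knowing how many addresses were actually scanned, noticing that replies from one address differ per port (a SYN/ACK from mx.chi's port 25 at ttl=52 and hop 13, but a RST for port 113 at ttl=48 from hop 12, where fw.chi sits), and looking at IP ID behaviour with hping2. The Python below is an added example (not the talk's code) that automates those checks. All of its data is copied from the slides: the netblock list, which must expand to the 4397 addresses every Nmap summary reports; the replies for mx.chi; the --packet_trace run against 216.163.140.226, where the ACK probe to port 113 carried id=24275 and the RST that came back carried the very same id; and the two hping2 IP ID sequences. The TTL and IP ID rules are heuristics with assumed thresholds, and asymmetric routing alone can shift a TTL, so read the findings as reasons to look closer rather than as verdicts.

```python
"""Checks behind "Always verify your results". Added example, not code from the talk.

  expand_targets        expand an nmap target list and count it (the summaries say 4397)
  inconsistent_replies  flag replies from one address that disagree with its SYN/ACK
                        baseline, or that merely echo the probe's IP ID: signs of a
                        firewall answering on the host's behalf, as fw.chi did for 113
  classify_ipid         label an IP ID sequence (hping2 -S output) incremental or random,
                        the property idle scanning depends on
Sample data is copied from the slides; the thresholds are assumptions.
"""
import ipaddress


def expand_targets(specs):
    """Expand nmap-style targets: CIDR, a plain address, or a last-octet range a-b."""
    addrs = []
    for spec in specs:
        if "/" in spec:
            # ip_network() yields network and broadcast addresses too, as nmap does
            addrs.extend(str(a) for a in ipaddress.ip_network(spec, strict=False))
        elif "-" in spec:  # only last-octet ranges are handled here
            prefix, last = spec.rsplit(".", 1)
            lo, hi = (int(x) for x in last.split("-"))
            addrs.extend(f"{prefix}.{o}" for o in range(lo, hi + 1))
        else:
            addrs.append(spec)
    return addrs


# The netblock list from the "Interesting Playboy Netblocks" slide.
NETBLOCKS = ["216.163.128.0/20", "209.247.228.0/24", "216.80.23.104/29",
             "207.229.165.80/29", "216.80.21.72/29", "216.80.43.240/29",
             "216.80.23.160/29", "195.244.204.101-105"]

# Replies per target: (dst_port, probe_ipid or None, reply_flags, reply_ttl, reply_ipid).
# mx.chi: SYN/ACK from port 25 at ttl=52 (hping2 traceroute, hop 13) but a RST for 113
# at ttl=48 (hop 12, fw.chi). 216.163.140.226: the nmap --packet_trace run, where the
# ACK probe to 113 (id=24275) drew a RST whose IP ID was also 24275.
REPLIES = {
    "216.163.143.2": [(25, None, "SA", 52, 48957), (113, None, "R", 48, 53414)],
    "216.163.140.226": [(113, 24275, "R", 48, 24275)],
}


def inconsistent_replies(replies):
    """Return (port, reason) findings for one target.

    A SYN/ACK needs a real listener, so its TTL is the trusted baseline; a RST is cheap
    for a middlebox to forge. No SYN/ACK at all means nothing has proven the host real.
    """
    baseline = {ttl for _, _, flags, ttl, _ in replies if flags == "SA"}
    findings = []
    if not baseline:
        findings.append((None, "no SYN/ACK from any port; RSTs alone do not prove a live host"))
    for port, probe_id, flags, ttl, reply_id in replies:
        if flags != "SA" and baseline and ttl not in baseline:
            findings.append((port, f"reply ttl {ttl} differs from SYN/ACK ttl {sorted(baseline)}"))
        if probe_id is not None and reply_id == probe_id:
            findings.append((port, "reply IP ID echoes the probe's IP ID"))
    return findings


def classify_ipid(ids, max_step=255):
    """Label an IP ID sequence: 'zero', 'incremental', 'broken-incremental' (increments
    only visible after byte-swapping, as some Windows stacks send them) or 'random'.
    max_step is an assumed bound on the increment between consecutive samples."""
    if len(ids) < 3:
        raise ValueError("need at least three samples")
    if all(i == 0 for i in ids):
        return "zero"

    def small_steps(seq):
        return all(0 < (b - a) % 65536 <= max_step for a, b in zip(seq, seq[1:]))

    if small_steps(ids):
        return "incremental"
    if small_steps([((i & 0xFF) << 8) | (i >> 8) for i in ids]):
        return "broken-incremental"
    return "random"


# IP IDs from the hping2 -i 1 -p 113 -S runs on the slides
IPIDS = {
    "216.163.140.226": [4793, 57960, 9456, 30735, 29779, 18545, 57474],
    "216.163.140.227": [53009, 30087, 63243, 36291],
}

if __name__ == "__main__":
    print(f"{len(expand_targets(NETBLOCKS))} addresses in the target list")
    for host, replies in REPLIES.items():
        for port, reason in inconsistent_replies(replies):
            print(f"{host} port {port}: {reason}")
    for host, ids in IPIDS.items():
        print(f"{host}: IP IDs look {classify_ipid(ids)}")
```

The SYN/ACK baseline is the important design choice: a RST can come from anything in the path, but a SYN/ACK means some stack is holding that port open, so its TTL is the one you trust. Random IP IDs, as both hping2 runs show, also rule these addresses out as idle-scan zombies, which matters for the last slides of the talk.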
Let's make a list of up hosts:
> grep 'Status: Up' nmap/playboy-pingscan-no113-040403.gnmap | cut "-d " -f2 > playboy.ips.up
[ Then I added the firewall we discovered -- fw.chi (216.163.143.130) ]
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Fast, Single-Service Sweep
Sometimes (e.g. when a new Sendmail hole is announced) it is useful to scan a large range of IPs quickly for a single service.
Nmap "turbo" mode: one probe type, a SYN to port 80, serves as both the host-discovery ping and the port probe, so the sweep costs roughly one packet per address:
nmap -PS80 -sS -p80 -oA [filename] [ Netblocks ]
%size 3
[...]
Interesting ports on STAGING2.PLAYBOY.COM (209.247.228.141):
Port State Service
80/tcp open http
The 1 scanned port on mailhost-chi.playboy.com (209.247.228.143) is: closed
Interesting ports on ads-chi.peiecommerce.com (209.247.228.145):
Port State Service
80/tcp open http
Interesting ports on ipartner.playboy.com (209.247.228.147):
Port State Service
80/tcp open http
[...]
Nmap run completed -- 4397 IP addresses (50 hosts up) scanned in 59.196 seconds
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Internet-wide Single-port Sweep
Nmap has a random-target flag (-iR) for those times you want to find hosts anywhere on the Internet running a certain service:
# nmap -iR 10000 -sS -PS80 -p 80 -oM- | grep Interesting
%size 3
Interesting ports on lucus.creativepresence.com (216.181.159.18):
Interesting ports on 64.96.235.88:
Interesting ports on pddafb6.ykhmac00.ap.so-net.ne.jp (218.221.175.182):
Interesting ports on marudmz2-broadcast.interq.or.jp (210.172.130.199):
Interesting ports on rn068058189.dcmdw.dcma.mil (131.68.58.189):
Interesting ports on 208.167.47.3:
Interesting ports on 66-224-4-78.atgi.net (66.224.4.78):
Interesting ports on 225.245.70.200.ppp.nuria.net.ar (200.70.245.225):
Interesting ports on www.fortcollins.caddbase.com (65.127.93.15):
Interesting ports on 207.106.191.83:
Interesting ports on dsl-64-34-112-223.telocity.com (64.34.112.223):
Interesting ports on 64.119.66.83:
Interesting ports on arizonashomesonline.com.criticalpath.net
(209.231.209.73):
Interesting ports on www.renavigator.net (217.170.39.157):
Interesting ports on 200.21.137.18:
Interesting ports on fornosenigaglia.it (209.227.205.157):
Interesting ports on BSN-250-18-26.dsl.siol.net (213.250.18.26):
[...]
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
More Intense Scanning
%size 4
# nmap -P0 -sS -O --osscan_guess -T4 -p0- -iL playboy.ips.up -oA [file]
(-P0 skips host discovery, since playboy.ips.up already holds the verified hosts; -p0- covers all 65536 ports; -O adds OS detection, with uptime read from the TCP timestamp option and therefore only shown for hosts that send timestamps.)
Interesting ports on f0-0.b1.chi.playboy.net (216.163.143.129):
(The 65534 ports scanned but not shown below are in state: closed)
Port State Service
23/tcp open telnet
79/tcp open finger
Remote operating system guess: Cisco IOS 11.3 - 12.0(11)
Interesting ports on fw.chi.playboy.com (216.163.143.130):
(The 65530 ports scanned but not shown below are in state: filtered)
Port State Service
264/tcp open bgmp
500/tcp open isakmp
18231/tcp open unknown
18232/tcp closed unknown
18262/tcp closed unknown
18264/tcp open unknown
Remote operating system guess: Solaris 8 early access beta through actual release
Uptime 183.426 days (since Thu Oct 3 19:22:34 2002)
(264, 18231 and 18264 are the ports Check Point FireWall-1 uses for topology download, Policy Server logon and its internal CA, so the "bgmp" label from the services table is misleading here; FireWall-1 on Solaris matches the OS guess.)
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Further Examples:
%size 4
Interesting ports on bigip2-chi.playboy.com (209.247.228.132):
(The 65527 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh
443/tcp open https
683/tcp open unknown
684/tcp open unknown
1313/tcp open unknown
1414/tcp open ibm-mqseries
1515/tcp open ifor-protocol
1616/tcp open unknown
4353/tcp open unknown
Remote operating system guess: F5 labs BigIp Load balancer Kernel 4.1.1PTF-03 (X86)
Uptime 533.526 days (since Thu Oct 18 18:14:58 2001)
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
A Couple of Last Examples
%size 4
Interesting ports on ads-chi.peiecommerce.com (209.247.228.145):
(The 65534 ports scanned but not shown below are in state: filtered)
Port State Service
80/tcp open http
1521/tcp open oracle
Remote operating system
guess: Solaris 2.6 - 2.7 with tcp_strong_iss=2
Uptime 324.006 days (since Thu May 16 10:51:37 2002)
Interesting ports on ipmon1.playboy.ip-soft.net (209.247.228.246):
(The 65531 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh
80/tcp open http
81/tcp open hosts2-ns
1023/tcp open unknown
3306/tcp open mysql
Remote operating system guess: Linux Kernel 2.4.0 - 2.5.20
Uptime 79.066 days (since Thu Jan 16 12:32:17 2003)
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
IPv6 Scanning
First let's see an IPv4 example:
%size 3
> nmap www.kame.net
Starting nmap V. 3.10ALPHA1 ( www.insecure.org/nmap/ )
Interesting ports on kame220.kame.net (203.178.141.220):
(The 1585 ports scanned but not shown below are in state: closed)
Port State Service
19/tcp filtered chargen
21/tcp open ftp
22/tcp open ssh
53/tcp open domain
80/tcp open http
111/tcp filtered sunrpc
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
513/tcp filtered login
514/tcp filtered shell
2049/tcp filtered nfs
2401/tcp open cvspserver
5999/tcp open ncd-conf
7597/tcp filtered qaz
31337/tcp filtered Elite
Nmap run completed -- 1 IP address (1 host up) scanned in 34 seconds
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
IPv6 Cont'd
Now an IPv6 Scan Against the Same Machine
> nmap -6 www.kame.net
Starting nmap V.
3.10ALPHA1 ( www.insecure.org/nmap/ )
Interesting ports on 3ffe:501:4819:2000:210:f3ff:fe03:4d0:
(The 1595 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
22/tcp open ssh
53/tcp open domain
80/tcp open http
111/tcp open sunrpc
2401/tcp open cvspserver
Nmap run completed -- 1 IP address (1 host up) scanned in 19 seconds
Compare 111/tcp: filtered over IPv4, open over IPv6. The packet filter evidently covers only IPv4, so the portmapper on the same machine is reachable through its v6 address.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Speeding Your Scans -- Timing Options
Nmap offers many command-line switches to affect timing:
--max_parallelism
--min_parallelism
--min_rtt_timeout
--max_rtt_timeout
--initial_rtt_timeout
--host_timeout
--scan_delay
Quite confusing! But there is an easier way.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Speeding Your Scans -- The -T Option
The -T (same as --timing) switch offers 6 "canned" timing levels, from -T0 to -T5. Or you can use the long names below:
-T Paranoid (-T0) -- 1 probe every 5 minutes
-T Sneaky (-T1) -- 1 probe every 15 seconds
-T Polite (-T2) -- 0.4 seconds between probes
-T Normal (-T3) -- the default
-T Aggressive (-T4) -- recommended when you're in a hurry
-T Insane (-T5) -- warp speed! Be careful: it trades accuracy for time on slow or lossy links.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Speeding Your Scans -- Firewalled Hosts
An example using a slightly older version of Nmap and no -T:
# /usr/bin/nmap -P0 www.insecure.org
Starting nmap V.
3.15BETA2 ( www.insecure.org/nmap/ ) Interesting ports on www.insecure.org (64.71.184.53): (The 1600 ports scanned but not shown below are in state: filtered) Port State Service 22/tcp open ssh 25/tcp open smtp 53/tcp open domain 80/tcp open http 113/tcp closed auth 8080/tcp closed http-proxy Nmap run completed -- 1 IP address (1 host up) scanned in 556.479 seconds %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page Speeding Your Scans -- Firewalled Hosts A newer version improves upon this: # ./nmap -P0 www.insecure.org %size 4 Starting nmap 3.15BETA3 ( www.insecure.org/nmap/ ) at 2003-03-16 13:05 PST Interesting ports on www.insecure.org (64.71.184.53): (The 1605 ports scanned but not shown below are in state: filtered) Port State Service 22/tcp open ssh 25/tcp open smtp 53/tcp open domain 80/tcp open http 113/tcp closed auth 8080/tcp closed http-proxy Nmap run completed -- 1 IP address (1 host up) scanned in 228.477 seconds %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page Speeding Your Scans -- Firewalled Hosts Now let's try with -T4 ("Aggressive"): # ./nmap -P0 -T4 www.insecure.org %size 4 Starting nmap 3.15BETA3 ( www.insecure.org/nmap/ ) at 2003-03-16 12:57 PST Interesting ports on www.insecure.org (64.71.184.53): (The 1605 ports scanned but not shown below are in state: filtered) Port State Service 22/tcp open ssh 25/tcp open smtp 53/tcp open domain 80/tcp open http 113/tcp closed auth 8080/tcp closed http-proxy Nmap run completed -- 1 IP address (1 host up) scanned in 40.865 second %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page Avoiding IDS: the new --scanflags option SYN Scan can often take extra flags -- even FIN: # nmap -sS --scanflags SYNFIN db.yuma.net Starting nmap V. 
3.10ALPHA7 ( www.insecure.org/nmap/ ) Interesting ports on db.yuma.net (192.168.0.4): (The 1602 ports scanned but not shown below are in state: closed) Port State Service 22/tcp open ssh 111/tcp open sunrpc 1024/tcp open kdm Nmap run completed -- 1 IP address (1 host up) scanned in 4.808 seconds %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page Avoiding IDS: the new --scanflags option FIN Scan can take any combination of FIN, URG, and PSH # nmap -sF --scanflags PSHURG db.yuma.net %size 4 Starting nmap 3.21CSW ( www.insecure.org/nmap/ ) at 2003-04-07 18:45 PDT Interesting ports on db.yuma.net (192.168.0.4): (The 1617 ports scanned but not shown below are in state: closed) Port State Service 22/tcp open ssh 111/tcp open sunrpc 1024/tcp open kdm Nmap run completed -- 1 IP address (1 host up) scanned in 6.253 seconds %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page Overloading the IDS: Decoy Scanning nmap -sS -D12.72.193.4,51.176.79.2,94.101.211.12,42.79.122.16,192.168.7.90,10.45.161.9,48.210.38.12,12.114.187.169,96.184.127.10,63.175.91.128,95.23.114.67,123.4.61.89,179.186.23.74,72.38.20.47,12.1.13.214,215.81.17.88,119.33.21.232,23.67.25.58,161.83.32.219,147.36.19.166.64 -n -p139,12345,1080,3128,6666 -O target.com %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page Typical IDS Response %image "images/BlackICE_Decoys.gif" %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page The Ultimate Stealth Scan: Idle Scanning %image "images/Idlescan_Technique.gif" See http://www.insecure.org/nmap/idlescan.html or CSW CD %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page Questions? Any questions about Network Reconnaissance, Nmap, or anything else?