#! /opt/cpg/bin/do-mgp
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%
%%deffont "standard" tfont "comic.ttf"
%deffont "standard" tfont "times.ttf"
%deffont "thick" tfont "arial.ttf"
%deffont "typewriter" xfont "courier new-bold-r"
%deffont "type2writer" xfont "arial narrow-bold-r"
%%
%% Default settings per each line numbers.
%%
%default 1 leftfill, size 2, fore "gold", back "black", font "thick"
%default 1 bimage "bg-parallel.jpg" 1024x768
%default 2 size 7, vgap 10, prefix " "
%default 3 size 2, bar "darkgreen", vgap 30
%default 4 size 5, fore "lemon chiffon", vgap 30, prefix " ", font "standard"
%%
%% Default settings that are applied to TAB-indented lines.
%%
%tab 1 size 4, vgap 40, prefix " ", icon arc "tomato" 40
%tab 2 size 4, vgap 20, prefix " ", icon box "spring green" 40
%tab 3 size 3, vgap 20, prefix " ", icon delta3 "white" 40
%%
%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%nodefault
%size 7, font "thick", fore "gold", bimage "bg-parallel.jpg" 1024x768
%%area 90 10 3 3
%center
Network Reconnaissance with Nmap
%size 4
by Fyodor
fyodor@insecure.org
http://www.insecure.org/presentations/IT-Defense04/
IT-Defense Security Conference; January 2004
%image "images/Insecurelogo-eye-blackbg-229x123.gif"
%left
%image "images/mail.insecure.packettrace-noframe.gif"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Step 1: Locating the Proper IP Networks

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
DNS -- A Scout's Best Friend!

Grab the low-hanging fruit of MX, NS records:
%size 4
dig @ns1.atstake.com atstake.com. any in
[...]
;; ANSWER SECTION:
atstake.com.            1H IN SOA       ns1.atstake.com. hostmaster.atstake.com. (
                                        2003103000      ; serial
[...]
atstake.com.            1H IN NS        ns1.atstake.com.
atstake.com.            1H IN NS        ns2.atstake.com.
atstake.com.            1H IN TXT       "Where security and business intersect"
atstake.com.            1H IN MX        1 porfidio.atstake.com.
atstake.com.            10S IN A        63.251.138.37
atstake.com.            10S IN A        63.251.138.36

;; ADDITIONAL SECTION:
ns1.atstake.com.        1H IN A         63.168.6.80
ns2.atstake.com.        1H IN A         63.251.138.33
porfidio.atstake.com.   1H IN A         63.168.6.70
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Zone Transfers

It is always worth requesting a zone transfer from each name server (see previous slide), as they can be very valuable:
	Provides many IPs for further investigation
	The names and CNAMEs give important clues as to the function of machines
	Sometimes contain personal machines (vanity names) and other far-flung, normally hard-to-find boxes.
	Negligently administered nameservers often provide internal names, unreachable hosts behind the firewall, etc.
	Popular name servers (e.g. Bind) provide them by default
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Example usage

> dig @ns1.securityfocus.com securityfocus.com. axfr in
%size 3
[... ]
securityfocus.com.              86400 IN A      205.206.231.13
gw.securityfocus.com.           86400 IN A      205.206.231.1
mail.securityfocus.com.         86400 IN A      205.206.231.9
backup.securityfocus.com.       86400 IN A      205.206.231.21
db.securityfocus.com.           86400 IN A      205.206.231.72
wwwdev.securityfocus.com.       86400 IN A      205.206.231.16
sfcm.securityfocus.com.         86400 IN A      205.206.231.8
downloads.securityfocus.com.    86400 IN A      205.206.231.24
lists.securityfocus.com.        86400 IN A      205.206.231.19
lists.securityfocus.com.        86400 IN MX     0 lists.securityfocus.com.
www.securityfocus.com.          86400 IN A      205.206.231.10
www1.securityfocus.com.         86400 IN A      205.206.231.11
media.securityfocus.com.        86400 IN A      205.206.231.14
beta.securityfocus.com.         86400 IN A      205.206.231.73
bugzilla.securityfocus.com.     86400 IN A      205.206.231.82
outgoing.securityfocus.com.     2 IN A          205.206.231.26
custadmin.securityfocus.com.    86400 IN A      205.206.231.68
calgary.securityfocus.com.      86400 IN A      205.206.231.9
upload.securityfocus.com.       86400 IN A      205.206.231.74
alerts.securityfocus.com.       86400 IN A      205.206.231.22
predictor.securityfocus.com.    86400 IN A      205.206.231.25
tms.securityfocus.com.          86400 IN A      205.206.231.71
online.securityfocus.com.       86400 IN A      205.206.231.10
datafeeds.securityfocus.com.    86400 IN A      205.206.231.7
adserver.securityfocus.com.     3600 IN A       205.206.231.6
betatms.securityfocus.com.      3600 IN A       205.206.231.73
demo.securityfocus.com.         86400 IN A      205.206.231.70
analyzer.securityfocus.com.     86400 IN A      205.206.231.70
[ ... ]
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
DNS Version Request

dig @[NAME_SERVER] version.bind txt chaos
Or use new Nmap Version Scan (-sV)
Correlate with: http://www.isc.org/products/BIND/bind-security.html
[ And also check Bind CHANGELOG ]
Some companies run an interesting "version" of Bind:
	Playboy.Com "Move on, I'm already patched. kthxbye."
	Altria.Com "You are not cleared for that information"
	Sans.Org/Giac.Net "All accesses are logged"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Netcraft: Another Valuable Resource

Netcraft "Webserver Search" at http://news.netcraft.com
	Allows searching for webservers in a given domain
	Example Searches:
		".microsoft." 500+ sites
		".atstake" 5 sites, including UK and German sites
		".yahoo." 500+ sites
	Can find similarly named domains
	Can drill down to see rough OS guess, hosting history, uptime graph, etc.
	All without setting off any alarms at target company.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Geographical IP Registries

Geographical IP registries such as ARIN, RIPE, and APNIC are a gold mine for scouting:
	Look up owners of "seed" IPs discovered earlier to learn netblock range, owners, administrators, routing AS Numbers, etc.
	Then look up all netblocks owned by the same company, administered by the same contacts, etc.
	Repeat until you stop finding new IPs
	Collect phone numbers, office addresses, and emails while you're at it.
	Decide whether to include corporate siblings, subsidiaries, partnerships, etc. For example, racingusa.playboy.com is operated by Penn National Gaming.
ARIN whois help screens:
	whois -h whois.arin.net \?
	whois -h rr.arin.net help
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Arin Example #1

whois -h whois.arin.net "@microsoft.com"
%size 3
Abuse (ABUSE231-ARIN) abuse@microsoft.com +1-425-882-8080
Anderson, Doug (DA404-ARIN) douga@microsoft.com +1-425-706-4411
Beers, Andy (AB114-ARIN) abeers@microsoft.com +1-425-703-5595
Beers, Richard (RB827-ARIN) rbeers@microsoft.com +1-206-936-8080
Beher, Mukeshkumar (MB1154-ARIN) mukeshb@microsoft.com +1-425-869-1177
Bowman, Steve (SBO3-ARIN) stevebow@microsoft.com +1-425-703-5989
Bray, Brian (BB72-ARIN) brianbr@microsoft.com +1-604-688-4548
Brent, Drew (DB1593-ARIN) abrent@microsoft.com +1-781-684-5262
Bui, Quoc (QB4-ARIN) quoc@microsoft.com +1-972-473-8731
Butler, Lee (LB141-ARIN) leebu@microsoft.com +1-303-882-3769
Bye, Pamela (PB935-ARIN) timsmith@microsoft.com +1-949-955-4900
Carmichael, Hal (HC146-ARIN) halcar@microsoft.com +1-408-253-5647
Carter, Cale (CC618-ARIN) calec@microsoft.com +1-775-746-4086
Davidson, Bob (BD162-ARIN) bobd@microsoft.com +1-206-644-8062
de Leon, Arnold (AD147-ARIN) arnold@microsoft.com +1-650-693-0538
Dochstader, Kevin (KD369-ARIN) v-kevdoc@microsoft.com +1-905-568-0434
Dunn, Matthew (MD1192-ARIN) matthewd@microsoft.com +1-206-936-7190
Emery, Jason (JE208-ARIN) v-jemery@microsoft.com +1-303-967-6562
Feldstein, Adam (AF79-ARIN) adamf@microsoft.com +1-425-703-5647
Ferguson, Robert (RF47-ARIN) robertfe@microsoft.com +1-206-284-5407
Furman, Greg (GF564-ARIN) gregfu@microsoft.com +1-425-882-8080
Global NOC, Microsoft (MG96-ARIN) noc@microsoft.com +1-425-936-4200
Gortner, David (DG3629-ARIN) davidgor@microsoft.com +1-425-936-2808
Guggenheimer, Steve (SG603-ARIN) stevengu@microsoft.com +1-206-936-5990
Hagger, Paul (PH421-ARIN) paulhag@microsoft.com +1-425-885-3553
Hain, Anthony (AT80-ARIN) tonyhain@microsoft.com +1-206-703-6619
Hamlin, JC (JH1011-ARIN) jchamlin@microsoft.com +1-425-895-1628
Hanson, RJ (RH584-ARIN) a_rayf@microsoft.com +1-425-936-1060
[ ... ]
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Arin Example #2

%size 4
whois -h whois.arin.net n yahoo
%size 3
Yahoo UCOM-YAHOO (NET-209-166-63-16-1) 209.166.63.16 - 209.166.63.31
Yahoo EC20-2-YAHOO5 (NET-216-136-232-0-1) 216.136.232.0 - 216.136.235.255
Yahoo EC20-2-YAHOO2 (NET-216-136-224-0-1) 216.136.224.0 - 216.136.227.255
Yahoo EC20-2-YAHOO1 (NET-216-136-172-0-1) 216.136.172.0 - 216.136.175.255
Yahoo EC20-2-YAHOO3 (NET-216-136-128-0-2) 216.136.128.0 - 216.136.131.255
Yahoo EC29-1-YAHOO1 (NET-216-109-94-0-1) 216.109.94.0 - 216.109.95.255
Yahoo EC17-2-YAHOO1 (NET-209-225-40-0-1) 209.225.40.0 - 209.225.40.255
Yahoo EC17-1-YAHOO1 (NET-64-58-76-0-1) 64.58.76.0 - 64.58.79.255
Yahoo EC20-2-YAHOO4 (NET-216-136-203-0-1) 216.136.203.0 - 216.136.203.255
Yahoo ECI-7-YAHOO1 (NET-216-32-74-0-1) 216.32.74.0 - 216.32.74.255
Yahoo EC20-2-YAHOO6 (NET-216-136-204-0-1) 216.136.204.0 - 216.136.204.255
Yahoo EC15-1-YAHOO1 (NET-64-41-224-0-1) 64.41.224.0 - 64.41.225.255
Yahoo A-YAHOO-US2 (NET-66-163-160-0-1) 66.163.160.0 - 66.163.191.255
Yahoo CW-YAHOO (NET-204-71-200-0-1) 204.71.200.0 - 204.71.203.255
Yahoo LVLT-YAHOO-NET2 (NET-64-157-4-0-1) 64.157.4.0 - 64.157.4.255
Yahoo LVLT-YAHOO-NET1 (NET-64-156-215-0-1) 64.156.215.0 - 64.156.215.255
Yahoo LVLT-YAHOO-NET3 (NET-209-247-158-0-1) 209.247.158.0 - 209.247.158.255
Yahoo ACCENTRIC-NET-1 (NET-209-132-98-0-1) 209.132.98.0 - 209.132.98.7
Yahoo ACCENTRIC-NET-3 (NET-209-132-98-8-1) 209.132.98.8 - 209.132.98.15
Yahoo HSBC-NET-1 (NET-216-188-25-96-1) 216.188.25.96 - 216.188.25.111
Yahoo Broadcast SBC208189204008031003 (NET-208-189-204-8-1) 208.189.204.8 - 208.189.204.15
YAHOO INC SBCIS-101103-174124 (NET-66-127-32-192-1) 66.127.32.192 - 66.127.32.199
Yahoo Inc SBC-06612705118429 (NET-66-127-51-184-1) 66.127.51.184 - 66.127.51.191
Yahoo Inc SBC063206099064021125 (NET-63-206-99-64-1) 63.206.99.64 - 63.206.99.71
Yahoo Inc SBC067122217120021211 (NET-67-122-217-120-1) 67.122.217.120 - 67.122.217.127
Yahoo Inc SBC063194072072021224 (NET-63-194-72-72-1) 63.194.72.72 - 63.194.72.79
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Other techniques

	Public route servers - http://www.traceroute.org
	Search engines (web pages, usenet, mailing lists, etc)
	SEC filings
	Social Engineering
	Etc...
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
The Cautious Approach: List Scan

%size 4
(Some IPs and hostnames slightly obscured)
nmap -sL -oN nmap/foocorp-listscan-040303.nmap 216.163.128.0/20 200.247.228.0/24 216.80.23.104/29 207.229.165.80/29 216.80.21.72/29 216.80.43.240/29 216.80.23.160/29 195.244.204.101-105
[ ... ]
Host unknown.Level3.net (200.247.228.200) not scanned
Host free-chi.foocorp.com (200.247.228.201) not scanned
Host cyber-chi.foocorp.com (200.247.228.202) not scanned
Host move-chi.foocorp.com (200.247.228.203) not scanned
Host network-chi.foocorp.com (200.247.228.204) not scanned
Host store.foocorp.com (200.247.228.205) not scanned
Host virt.foocorp.com (200.247.228.206) not scanned
Host secure.foocorp.com (200.247.228.207) not scanned
Host unknown.Level3.net (200.247.228.208) not scanned
Host www.foocorpenterprises.com (200.247.228.209) not scanned
Host ads-chi.foocorpcommerce.com (200.247.228.210) not scanned
Host store.foocorptv.com (200.247.228.211) not scanned
Host unknown.Level3.net (200.247.228.212) not scanned
[ ... ]
Nmap run completed -- 4397 IP addresses (0 hosts up) scanned in 314.046 seconds
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Next Step: Ping scan

%size 5
nmap -sP -PS22,25,53,80,113,31338 -PA80,113,21000 -PU53,19000 -PE -PM -g 53 -oA nmap/foocorp-pingscan-040403 [foocorpnetblocks]
%size 4
[ ... ]
Host bigip-chi.foocorp.com (200.247.228.130) appears to be up.
Host bigip1-chi.foocorp.com (200.247.228.131) appears to be up.
Host bigip2-chi.foocorp.com (200.247.228.132) appears to be up.
Host threed-chi.foocorpcommerce.com (200.247.228.133) appears to be up.
Host ns1-chi.foocorp.com (200.247.228.135) appears to be up.
Host dev-chi.foocorpcommerce.com (200.247.228.137) appears to be up.
Host devdb-chi.foocorpcommerce.com (200.247.228.138) appears to be up.
Host staging-chi.foocorpcommerce.com (200.247.228.140) appears to be up.
Host STAGING2.FOOCORP.COM (200.247.228.141) appears to be up.
[ ... ]
Nmap run completed -- 4397 IP addresses (950 hosts up) scanned in 752.776 seconds
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Always verify your results

Previous scan claimed 950 hosts up out of 4397, including hundreds of consecutive IPs which look like:
Host: 216.163.140.210 () Status: Up
Host: 216.163.140.211 () Status: Up
Host: 216.163.140.212 () Status: Up
Host: 216.163.140.213 () Status: Up
Host: 216.163.140.214 () Status: Up
Host: 216.163.140.215 () Status: Up
Host: 216.163.140.216 () Status: Up
Host: 216.163.140.217 () Status: Up
Host: 216.163.140.218 () Status: Up
Real hosts or relic of load balancer/firewall? Let's find out!
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
What are the Hosts Responding To?

%size 4
nmap -sP -PS22,25,53,80,113,31338 -PA80,113,21000 -PU53,19000 -PE -PM -g 53 --packet_trace 216.163.140.226
%size 3
Starting nmap 3.21 ( www.insecure.org/nmap/ ) at 2003-04-04 13:14 PST
SENT (0.0130s) ICMP 0.0.0.0 > 216.163.140.226 Echo request (type=8/code=0) ttl=44 id=55447 iplen=28
SENT (0.0140s) ICMP 0.0.0.0 > 216.163.140.226 Address mask request (type=17/code=0) ttl=41 id=35344 iplen=32
SENT (0.0150s) UDP 64.71.184.55:53 > 216.163.140.226:53 ttl=38 id=0 iplen=28
SENT (0.0150s) UDP 64.71.184.55:53 > 216.163.140.226:19000 ttl=40 id=0 iplen=28
SENT (0.0150s) TCP 64.71.184.55:53 > 216.163.140.226:80 A ttl=51 id=51861 iplen=40 seq=2443182083 win=4096 ack=2443182083
SENT (0.0190s) TCP 64.71.184.55:53 > 216.163.140.226:113 A ttl=43 id=24275 iplen=40 seq=3476553731 win=4096 ack=3476553731
SENT (0.0190s) TCP 64.71.184.55:53 > 216.163.140.226:21000 A ttl=51 id=53772 iplen=40 seq=4066902019 win=4096 ack=4066902019
SENT (0.0240s) TCP 64.71.184.55:53 > 216.163.140.226:22 S ttl=47 id=14381 iplen=40 seq=2107113475 win=4096
SENT (0.0290s) TCP 64.71.184.55:53 > 216.163.140.226:25 S ttl=49 id=37975 iplen=40 seq=310378499 win=2048
SENT (0.0330s) TCP 64.71.184.55:53 > 216.163.140.226:53 S ttl=39 id=20252 iplen=40 seq=2434269187 win=4096
SENT (0.0330s) TCP 64.71.184.55:53 > 216.163.140.226:80 S ttl=59 id=7756 iplen=40 seq=1702363139 win=4096
SENT (0.0330s) TCP 64.71.184.55:53 > 216.163.140.226:113 S ttl=54 id=11084 iplen=40 seq=2351955971 win=3072
SENT (0.0380s) TCP 64.71.184.55:53 > 216.163.140.226:31338 S ttl=58 id=5166 iplen=40 seq=3077570563 win=3072
%fore "red"
RCVD (0.0940s) TCP 216.163.140.226:113 > 64.71.184.55:53 R ttl=48 id=24275 iplen=40 seq=2327314382 win=0
%size 3, fore "lemon chiffon"
Host 216.163.140.226 appears to be up.
Nmap run completed -- 1 IP address (1 host up) scanned in 0.437 seconds
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Perhaps the IPID will solve this mystery:

%size 4
# hping2 -i 1 -p 113 -S 216.163.140.226
HPING 216.163.140.226 (eth0 216.163.140.226): S set, 40 headers + 0 data bytes
46 bytes from 216.163.140.226: flags=RA seq=0 ttl=48
%cont, fore "red"
id=4793
%cont, fore "lemon chiffon"
rtt=74.6 ms
46 bytes from 216.163.140.226: flags=RA seq=1 ttl=48
%cont, fore "red"
id=57960
%cont, fore "lemon chiffon"
rtt=74.7 ms
46 bytes from 216.163.140.226: flags=RA seq=2 ttl=48
%cont, fore "red"
id=9456
%cont, fore "lemon chiffon"
rtt=74.7 ms
46 bytes from 216.163.140.226: flags=RA seq=3 ttl=48
%cont, fore "red"
id=30735
%cont, fore "lemon chiffon"
rtt=74.6 ms
46 bytes from 216.163.140.226: flags=RA seq=4 ttl=48
%cont, fore "red"
id=29779
%cont, fore "lemon chiffon"
rtt=74.8 ms
46 bytes from 216.163.140.226: flags=RA seq=5 ttl=48
%cont, fore "red"
id=18545
%cont, fore "lemon chiffon"
rtt=74.7 ms
46 bytes from 216.163.140.226: flags=RA seq=6 ttl=48
%cont, fore "red"
id=57474
%cont, fore "lemon chiffon"
rtt=74.7 ms

# hping2 -i 1 -p 113 -S 216.163.140.227
HPING 216.163.140.227 (eth0 216.163.140.227): S set, 40 headers + 0 data bytes
46 bytes from 216.163.140.227: flags=RA seq=0 ttl=48
%cont, fore "red"
id=53009
%cont, fore "lemon chiffon"
rtt=75.0 ms
46 bytes from 216.163.140.227: flags=RA seq=1 ttl=48
%cont, fore "red"
id=30087
%cont, fore "lemon chiffon"
rtt=74.7 ms
46 bytes from 216.163.140.227: flags=RA seq=2 ttl=48
%cont, fore "red"
id=63243
%cont, fore "lemon chiffon"
rtt=74.6 ms
46 bytes from 216.163.140.227: flags=RA seq=3 ttl=48
%cont, fore "red"
id=36291
%cont, fore "lemon chiffon"
rtt=74.6 ms
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Perhaps Traceroute can help?

%size 4
# traceroute mx.chi.foocorp.com
traceroute to 216.163.143.2 (216.163.143.2), 30 hops max, 38 byte packets
[ Cut ]
 5  ae0-56.mp2.SanJose1.Level3.net (64.159.2.161)  2.081 ms  2.220 ms  2.108 ms
 6  so-0-0-0.mp1.Chicago1.Level3.net (200.247.9.78)  73.392 ms  73.460 ms  73.549 ms
 7  pos8-0.core1.Chicago1.Level3.net (200.247.10.162)  73.621 ms  73.545 ms  73.418 ms
 8  gigabitethernet6-1.ipcolo1.Chicago1.Level3.net (200.244.8.18)  73.582 ms  73.720 ms  73.656 ms
 9  ge1-0.br1.ord.foocorp.net (166.90.73.205)  73.582 ms  73.621 ms  74.083 ms
10  f0-0.b1.chi.foocorp.com (200.247.228.247)  74.433 ms  74.213 ms  77.137 ms
11  * * *
12  * * *
13  * * *
%size 5
Can we do better than 10 hops?
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Custom Traceroute Against Open Port

hping2 -t 5 --traceroute -p 25 -S mx.chi.foocorp.com
%size 4
[ combined with results from hping2 -i 1 --ttl * -p 25 -S 216.163.143.2 ]
5->TTL 0 during transit from 64.159.2.97 (ae0-54.mp2.SanJose1.Level3.net)
6->TTL 0 during transit from 64.159.1.34 (so-3-0-0.mp2.Chicago1.Level3.net)
7->TTL 0 during transit from 200.247.10.170 (pos9-0.core1.Chicago1.level3.net)
8->TTL 0 during transit from 200.244.8.42 (gige6-0.ipcolo1.Chicago1.Level3.net)
9->TTL 0 during transit from 166.90.73.205 (ge1-0.br1.ord.foocorp.net)
10->TTL 0 during transit from 200.247.228.247 (f0-0.b1.chi.foocorp.com)
11->No response
12->TTL 0 during transit from 216.163.143.130 (fw.chi.foocorp.com)
13->46 bytes from 216.163.143.2: flags=SA seq=0 ttl=52 id=48957 rtt=75.8 ms
%size 5
Much better! Reached target machine at hop 13. Helpful naming of mx.chi and fw.chi.
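%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Sorting Real Hosts from Firewall Replies (added example)

Added example, not part of Fyodor's slides: a short Python script that reads nmap --packet_trace RCVD lines in the format shown on the "What are the Hosts Responding To?" slide, separates hosts with real proof of life (a SYN/ACK, an ICMP echo reply) from addresses whose only reply is a RST, and groups the RSTs by source port and TTL, since many addresses answering with the same port and the same TTL point at one in-path device answering for all of them. The trace lines are constructed; the addresses reuse the deck's obscured foocorp ranges and its scanner address 64.71.184.55. Run against a scan of your own perimeter, the same check shows when a firewall is volunteering resets for addresses that are not in use.

```python
"""Separate hosts with real proof of life from addresses that only drew a
RST, using nmap --packet_trace RCVD lines.

Added example; not part of Fyodor's slides.  The trace below is
constructed in the format nmap 3.x prints (addresses reuse the deck's
obscured foocorp ranges; the scanner is the deck's 64.71.184.55)."""
import re
from collections import defaultdict

# Constructed sample.  .226 and .227 only ever answer with a RST from port
# 113 (what the deck saw), 216.163.143.2 also completes a handshake on
# 25, and 200.247.228.130 answers the ICMP echo request.
TRACE = """\
RCVD (0.0940s) TCP 216.163.140.226:113 > 64.71.184.55:53 R ttl=48 id=24275 iplen=40 seq=2327314382 win=0
RCVD (0.0951s) TCP 216.163.140.227:113 > 64.71.184.55:53 R ttl=48 id=53009 iplen=40 seq=0 win=0
RCVD (0.0962s) TCP 216.163.143.2:113 > 64.71.184.55:53 R ttl=48 id=53414 iplen=40 seq=0 win=0
RCVD (0.0975s) TCP 216.163.143.2:25 > 64.71.184.55:53 SA ttl=52 id=48957 iplen=44 seq=1 win=5840
RCVD (0.0990s) ICMP 200.247.228.130 > 64.71.184.55 Echo reply (type=0/code=0) ttl=243 id=1 iplen=28
"""

TCP_RE = re.compile(r"RCVD \([\d.]+s\) TCP (\S+):(\d+) > \S+:\d+ ([A-Z]+) ttl=(\d+)")
ICMP_RE = re.compile(r"RCVD \([\d.]+s\) ICMP (\S+) > \S+ .+? \(type=(\d+)/code=\d+\) ttl=(\d+)")


def parse_rcvd(text):
    """Return (host, reply, ttl) tuples; reply is e.g. 'tcp:113/R',
    'tcp:25/SA' or 'icmp:0'.  SENT lines are ignored."""
    replies = []
    for line in text.splitlines():
        m = TCP_RE.match(line)
        if m:
            host, sport, flags, ttl = m.groups()
            replies.append((host, "tcp:%s/%s" % (sport, flags), int(ttl)))
            continue
        m = ICMP_RE.match(line)
        if m:
            host, itype, ttl = m.groups()
            replies.append((host, "icmp:%s" % itype, int(ttl)))
    return replies


def is_reset(reply):
    """True for a TCP reply carrying the RST flag (printed as R or RA)."""
    return reply.startswith("tcp:") and "R" in reply.split("/")[1]


def classify_hosts(replies):
    """host -> 'confirmed' if any reply proves a stack owns the address
    (SYN/ACK, ICMP echo reply, ...), else 'suspect' when every reply is a
    RST.  A RST is exactly what a firewall sends on a host's behalf, so it
    is not proof that the address is in use."""
    by_host = defaultdict(list)
    for host, reply, _ in replies:
        by_host[host].append(reply)
    return {h: ("suspect" if all(is_reset(r) for r in rs) else "confirmed")
            for h, rs in by_host.items()}


def rst_groups(replies):
    """Group RST replies by (reply, ttl).  Many addresses sharing one
    source port and one TTL is the fingerprint of a single in-path device
    answering for all of them; the deck's traceroute pinned it to hop 12."""
    groups = defaultdict(set)
    for host, reply, ttl in replies:
        if is_reset(reply):
            groups[(reply, ttl)].add(host)
    return {k: sorted(v) for k, v in groups.items()}


if __name__ == "__main__":
    parsed = parse_rcvd(TRACE)
    for host, verdict in sorted(classify_hosts(parsed).items()):
        print("%-18s %s" % (host, verdict))
    for (reply, ttl), hosts in rst_groups(parsed).items():
        print("%d addresses answer %s with ttl=%d: %s"
              % (len(hosts), reply, ttl, ", ".join(hosts)))
```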
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Another Custom Traceroute

hping2 -t 5 --traceroute -p 113 -S mx.chi.foocorp.com
%size 4
[ results augmented again ]
5->TTL 0 during transit from 64.159.2.97 (ae0-54.mp2.SanJose1.Level3.net)
6->TTL 0 during transit from 64.159.1.34 (so-3-0-0.mp2.Chicago1.Level3.net)
7->TTL 0 during transit from 200.247.10.170 (pos9-0.core1.Chicago1.level3.net)
8->TTL 0 during transit from 200.244.8.42 (gige6-0.ipcolo1.Chicago1.Level3.net)
9->TTL 0 during transit from 166.90.73.205 (ge1-0.br1.ord.foocorp.net)
10->TTL 0 during transit from 200.247.228.247 (f0-0.b1.chi.foocorp.com)
11->Nothing
12->46 bytes from 216.163.143.2: flags=RA seq=0 ttl=48 id=53414 rtt=75.0 ms
%size 5
Response from Hop 12? That is fw.chi! Other hosts on the subnet also answer 113 from hop 12.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Repeating the Ping Scan W/O 113:

%size 4
nmap -sP -PS22,25,53,80,31338 -PA80,21000 -PU53,19000 -PE -PM -T4 -g 53 -oA nmap/foocorp-pingscan-no113-04040 [netblocks]
[...]
[ Nmap run completed -- 4397 IP addresses (71 hosts up) scanned in 597.924 seconds ]
71 hosts is much easier to deal with than 950.
Let's make a list of up hosts:
> grep 'Status: Up' nmap/foocorp-pingscan-no113-040403.gnmap | cut "-d " -f2 > foocorp.ips.up
[ Then I added the firewall we discovered -- fw.chi (216.163.143.130) ]
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Version Detection

%size 4
# nmap -A -T4 -F www.insecure.org
Starting nmap 3.40PVT16 ( http://www.insecure.org/nmap/ ) at 2003-09-06 19:49 PDT
Interesting ports on www.insecure.org (205.217.153.53):
(The 1206 ports scanned but not shown below are in state: filtered)
PORT    STATE  SERVICE VERSION
22/tcp  open   ssh     OpenSSH 3.1p1 (protocol 1.99)
25/tcp  open   smtp    Qmail smtpd
53/tcp  open   domain  ISC Bind 9.2.1
80/tcp  open   http    Apache httpd 2.0.39 ((Unix) mod_perl/1.99_07-dev Perl/v5.6.1)
113/tcp closed auth
Device type: general purpose
Running: Linux 2.4.X|2.5.X
OS details: Linux Kernel 2.4.0 - 2.5.20
Uptime 108.307 days (since Wed May 21 12:27:44 2003)
Nmap run completed -- 1 IP address (1 host up) scanned in 34.962 seconds
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
How It Works

%size 3
# nmap -sV -p 25 --packet_trace mail.insecure.org
Starting nmap 3.48 ( http://www.insecure.org/nmap/ ) at 2003-12-02 12:37 PST
SENT (0.0260s) ICMP 63.202.174.201 > 205.217.153.50 Echo request (type=8/code=0) ttl=56 iplen=28
SENT (0.0280s) TCP 63.202.174.201:48502 > 205.217.153.50:80 A ttl=38
RCVD (0.0400s) ICMP 205.217.153.50 > 63.202.174.201 Echo reply (type=0/code=0) ttl=56 iplen=28
SENT (0.3320s) TCP 63.202.174.201:48481 > 205.217.153.50:25 S ttl=37
RCVD (0.3430s) TCP 205.217.153.50:25 > 63.202.174.201:48481 SA ttl=56 iplen=44
NSOCK (0.3520s) TCP connection requested to 205.217.153.50:25 (IOD #1) EID 8
NSOCK (0.3660s) Callback: CONNECT SUCCESS for EID 8 [205.217.153.50:25]
NSOCK (0.3660s) Read request from IOD #1 [205.217.153.50:25] (timeout: 5000ms) EID 18
NSOCK (0.3990s) Callback: READ SUCCESS for EID 18 [205.217.153.50:25] (27 bytes): 220 core.lnxnet.net ESMTP..
NSOCK (0.3990s) Read request from IOD #1 [205.217.153.50:25] (timeout: 4965ms) EID 26
NSOCK (5.3690s) Callback: READ TIMEOUT for EID 26 [205.217.153.50:25]
NSOCK (5.3690s) Write request for 6 bytes to IOD #1 EID 35 [205.217.153.50:25]: HELP..
NSOCK (5.3690s) Read request from IOD #1 [205.217.153.50:25] (timeout: 5000ms) EID 42
NSOCK (5.3750s) Callback: WRITE SUCCESS for EID 35 [205.217.153.50:25]
NSOCK (5.3890s) Callback: READ SUCCESS for EID 42 [205.217.153.50:25] (55 bytes): 214 qmail home page: http://pobox.com/~djb/qmail.html..
Interesting ports on core.lnxnet.net (205.217.153.50):
PORT   STATE SERVICE VERSION
25/tcp open  smtp    qmail smtpd
Nmap run completed -- 1 IP address (1 host up) scanned in 5.425 seconds
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Fast, Single-Service Sweep

%size 3
Sometimes it is useful to scan a large range of IPs quickly for a single service. Nmap "turbo mode":
# nmap -sSV -p22 -PS22 -iR 5000 |egrep -i -B2 "nmap| open ssh " |grep -v PORT
Starting nmap 3.48 ( http://www.insecure.org/nmap/ ) at 2003-12-01 19:29 PST
Interesting ports on ES216118069.user.veloxzone.com.br (200.216.118.69):
22/tcp open ssh OpenSSH 3.4p1 (protocol 2.0)
--
Interesting ports on custom2.custom.com.br (200.198.125.190):
22/tcp open ssh OpenSSH 2.2.0p1 (protocol 1.99)
--
Interesting ports on hansonandtilton.com (64.176.36.170):
22/tcp open ssh SSH 1.2.32 (protocol 1.5)
--
Interesting ports on broccoli.socialecology.com (4.42.179.151):
22/tcp open ssh OpenSSH 3.4p1 (protocol 1.99)
--
Interesting ports on 202.83.90.60:
22/tcp open ssh OpenSSH 3.0.2p1 (protocol 2.0)
--
Interesting ports on kothlis2.manquehue.net (200.74.172.211):
22/tcp open ssh OpenSSH 3.7.1p2 (protocol 1.99)
--
Interesting ports on 134.252.164.26:
22/tcp open ssh SSH 1.2.20 (protocol 1.5)
[...]
Nmap run completed -- 5000 IP addresses (141 hosts up) scanned in 573.545 seconds
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
More Intense Scanning

%size 4
# nmap -P0 -sS -O --osscan_guess -T4 -p0- -iL foocorp.ips.up -oA [file]
Interesting ports on f0-0.b1.chi.foocorp.net (216.163.143.129):
(The 65534 ports scanned but not shown below are in state: closed)
Port State Service
23/tcp open telnet
79/tcp open finger
Remote operating system guess: Cisco IOS 11.3 - 12.0(11)

Interesting ports on fw.chi.foocorp.com (216.163.143.130):
(The 65530 ports scanned but not shown below are in state: filtered)
Port State Service
264/tcp open bgmp
500/tcp open isakmp
18231/tcp open unknown
18232/tcp closed unknown
18262/tcp closed unknown
18264/tcp open unknown
Remote operating system guess: Solaris 8 early access beta through actual release
Uptime 183.426 days (since Thu Oct 3 19:22:34 2002)
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Further Examples:

%size 4
Interesting ports on bigip2-chi.foocorp.com (200.247.228.132):
(The 65527 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh
443/tcp open https
683/tcp open unknown
684/tcp open unknown
1313/tcp open unknown
1414/tcp open ibm-mqseries
1515/tcp open ifor-protocol
1616/tcp open unknown
4353/tcp open unknown
Remote operating system guess: F5 labs BigIp Load balancer Kernel 4.1.1PTF-03 (X86)
Uptime 533.526 days (since Thu Oct 18 18:14:58 2001)
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
A Couple further examples

%size 4
Interesting ports on ads-chi.foocorpcommerce.com (200.247.228.145):
(The 65534 ports scanned but not shown below are in state: filtered)
Port State Service
80/tcp open http
1521/tcp open oracle
Remote operating system guess: Solaris 2.6 - 2.7 with tcp_strong_iss=2
Uptime 324.006 days (since Thu May 16 10:51:37 2002)

Interesting ports on ipmon1.foocorp.ip-soft.net (200.247.228.246):
(The 65531 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh
80/tcp open http
81/tcp open hosts2-ns
1023/tcp open unknown
3306/tcp open mysql
Remote operating system guess: Linux Kernel 2.4.0 - 2.5.20
Uptime 79.066 days (since Thu Jan 16 12:32:17 2003)
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Another example (output modified)

%size 4
nmap -A -T4 www.example.com
%size 3
Starting nmap 3.40PVT16 ( http://www.insecure.org/nmap/ ) at 2003-09-07 02:56 PDT
Interesting ports on www.example.com (XX.X.XX.XXX):
(The 1640 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE    VERSION
21/tcp   open  ftp        WU-FTPD wu-2.6.1-20
22/tcp   open  ssh        OpenSSH 3.1p1 (protocol 1.99)
53/tcp   open  domain     ISC Bind 9.2.1
79/tcp   open  finger     Linux fingerd
111/tcp  open  rpcbind    2 (rpc #100000)
443/tcp  open  ssl/http   Apache httpd 2.0.39 ((Unix) mod_perl/1.99_04-dev [cut])
515/tcp  open  printer
631/tcp  open  ipp        CUPS 1.1
953/tcp  open  rndc?
6000/tcp open  X11        (access denied)
8000/tcp open  http-proxy Junkbuster webproxy
8080/tcp open  http       Apache httpd 2.0.39 ((Unix) mod_perl/1.99_04-dev [cut])
8081/tcp open  http       Apache httpd 2.0.39 ((Unix) mod_perl/1.99_04-dev [cut])
Device type: general purpose
Running: Linux 2.4.X|2.5.X
OS details: Linux Kernel 2.4.0 - 2.5.20
Uptime 8.653 days (since Fri Aug 29 11:16:40 2003)
Nmap run completed -- 1 IP address (1 host up) scanned in 42.494 seconds
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
IPv6 Scanning

First let's see an IPv4 example:
%size 3
> nmap www.kame.net
Starting nmap V. 3.10ALPHA1 ( www.insecure.org/nmap/ )
Interesting ports on kame220.kame.net (203.178.141.220):
(The 1585 ports scanned but not shown below are in state: closed)
Port State Service
19/tcp filtered chargen
21/tcp open ftp
22/tcp open ssh
53/tcp open domain
80/tcp open http
111/tcp filtered sunrpc
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
513/tcp filtered login
514/tcp filtered shell
2049/tcp filtered nfs
2401/tcp open cvspserver
5999/tcp open ncd-conf
7597/tcp filtered qaz
31337/tcp filtered Elite
Nmap run completed -- 1 IP address (1 host up) scanned in 34 seconds
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
IPv6 Cont'd

Now an IPv6 Scan Against the Same Machine
> nmap -6 www.kame.net
Starting nmap V. 3.10ALPHA1 ( www.insecure.org/nmap/ )
Interesting ports on 3ffe:501:4819:2000:210:f3ff:fe03:4d0:
(The 1595 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
22/tcp open ssh
53/tcp open domain
80/tcp open http
111/tcp open sunrpc
2401/tcp open cvspserver
Nmap run completed -- 1 IP address (1 host up) scanned in 19 seconds
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Speeding Your Scans -- Timing Options

Nmap offers many command-line switches to affect timing:
	--max_parallelism
	--min_parallelism
	--min_rtt_timeout
	--max_rtt_timeout
	--initial_rtt_timeout
	--host_timeout
	--scan_delay
To make your scans faster, simply pick exactly the right value for each of these confusing options :).
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
A better way -- The -T Option

The -T (same as --timing) switch offers 6 "canned" timing levels, from -T0 to -T5. Or you can use the long versions below:
	-T Paranoid -- 1 Probe every 5 minutes
	-T Sneaky -- 1 Probe every 15 Seconds
	-T Polite -- 0.4 seconds between
	-T Normal
	-T Aggressive -- Recommended when you're in a hurry
	-T Insane -- Warp speed! Be careful!
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Speeding Your Scans -- Firewalled Hosts

An example using a slightly older version of Nmap and no -T:
# /usr/bin/nmap -P0 www.insecure.org
Starting nmap V. 3.15BETA2 ( www.insecure.org/nmap/ )
Interesting ports on www.insecure.org (64.71.184.53):
(The 1600 ports scanned but not shown below are in state: filtered)
Port State Service
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
113/tcp closed auth
8080/tcp closed http-proxy
Nmap run completed -- 1 IP address (1 host up) scanned in 556.479 seconds
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Speeding Your Scans -- Firewalled Hosts

A newer version improves upon this:
# ./nmap -P0 www.insecure.org
%size 4
Starting nmap 3.15BETA3 ( www.insecure.org/nmap/ ) at 2003-03-16 13:05 PST
Interesting ports on www.insecure.org (64.71.184.53):
(The 1605 ports scanned but not shown below are in state: filtered)
Port State Service
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
113/tcp closed auth
8080/tcp closed http-proxy
Nmap run completed -- 1 IP address (1 host up) scanned in 228.477 seconds
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Speeding Your Scans -- Firewalled Hosts

Now let's try with -T4 ("Aggressive"):
# ./nmap -P0 -T4 www.insecure.org
%size 4
Starting nmap 3.15BETA3 ( www.insecure.org/nmap/ ) at 2003-03-16 12:57 PST
Interesting ports on www.insecure.org (64.71.184.53):
(The 1605 ports scanned but not shown below are in state: filtered)
Port State Service
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
113/tcp closed auth
8080/tcp closed http-proxy
Nmap run completed -- 1 IP address (1 host up) scanned in 40.865 second
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Avoiding IDS: the new --scanflags option

SYN Scan can often take extra flags -- even FIN:
# nmap -sS --scanflags SYNFIN db.yuma.net
%size 4
Starting nmap 3.30 ( http://www.insecure.org/nmap/ ) at 2003-07-30 01:14 PDT
Interesting ports on db.yuma.net (192.168.0.4):
(The 1641 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh
111/tcp open sunrpc
1024/tcp open kdm
Nmap run completed -- 1 IP address (1 host up) scanned in 3.779 seconds
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Avoiding IDS: the new --scanflags option

FIN Scan can take any combination of FIN, URG, and PSH:
# nmap -sF --scanflags PSHURG db.yuma.net
%size 4
Starting nmap 3.30 ( http://www.insecure.org/nmap/ ) at 2003-07-30 01:15 PDT
Interesting ports on db.yuma.net (192.168.0.4):
(The 1641 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh
111/tcp open sunrpc
1024/tcp open kdm
Nmap run completed -- 1 IP address (1 host up) scanned in 5.917 seconds
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Overloading the IDS: Decoy Scanning

nmap -sS -D12.72.193.4,51.176.79.2,94.101.211.12,42.79.122.16,192.168.7.90,10.45.161.9,48.210.38.12,12.114.187.169,96.184.127.10,63.175.91.128,95.23.114.67,123.4.61.89,179.186.23.74,72.38.20.47,12.1.13.214,215.81.17.88,119.33.21.232,23.67.25.58,161.83.32.219,147.36.19.166.64 -n -p139,12345,1080,3128,6666 -O target.com
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Typical IDS Response

%image "images/BlackICE_Decoys.gif"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
The Ultimate Stealth Scan: Idle Scanning

%image "images/Idlescan_Technique.gif"
See http://www.insecure.org/nmap/idlescan.html
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Questions?

Any questions about Network Reconnaissance, Nmap, the Honeynet Project, or anything else?
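%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
Seeing Through a Decoy Scan in Firewall Logs (added example)

Added example, not part of Fyodor's slides: the detection logic a defender can run over firewall logs for the decoy scan shown on the "Overloading the IDS" slide. Every -D decoy sends the same probe sequence as the real scanner, so the signature is many sources hitting the identical port set against one target within a few seconds; the report treats them as one event rather than twenty attackers, and it marks as provably spoofed only the sources that could not have arrived from outside at all (the slide's decoy list includes 192.168.7.90 and 10.45.161.9), because the remaining sources cannot be told apart from the log alone and blocking them all would block bystanders. The log lines are constructed in a netfilter-like style; the field names SRC/DST/DPT, the DROP/ACCEPT verdicts, the target 203.0.113.10 and a sensor on the external interface are all assumptions.

```python
"""Recognise an nmap -D decoy scan in firewall logs and treat it as one
event rather than twenty attackers.

Added example; not part of Fyodor's slides.  The log lines are
constructed in a netfilter-like style: field names SRC/DST/DPT are
assumed, as is a sensor on the external interface (so a private source
address can only be a forged one)."""
import ipaddress
import re
from collections import defaultdict

# Constructed: six addresses from the slide's -D list each probe the five
# ports of the slide's -p list against one target within two seconds;
# one unrelated client fetches a web page a minute later.  Timestamps
# are epoch seconds.
DECOYS = ["12.72.193.4", "51.176.79.2", "192.168.7.90",
          "10.45.161.9", "63.175.91.128", "123.4.61.89"]
PORTS = [139, 12345, 1080, 3128, 6666]
LOG_LINES = [
    "%d DROP SRC=%s DST=203.0.113.10 PROTO=TCP DPT=%d"
    % (1059531242 + (i * len(PORTS) + j) // 15, src, port)
    for i, src in enumerate(DECOYS) for j, port in enumerate(PORTS)
]
LOG_LINES.append("1059531300 ACCEPT SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP DPT=80")

LINE_RE = re.compile(r"^(\d+) \w+ SRC=(\S+) DST=(\S+) PROTO=TCP DPT=(\d+)")


def parse(lines):
    """(ts, src, dst, dport) for every line matching the assumed format."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts, src, dst, dport = m.groups()
            events.append((int(ts), src, dst, int(dport)))
    return events


def find_decoy_scans(events, window=10, min_sources=5, min_ports=3):
    """One report per (dst, port set) where >= min_sources distinct sources
    probed the identical set of >= min_ports ports within `window` seconds.

    -D makes every decoy send the same probe sequence as the real scanner,
    so identical port sets in the same few seconds is the signature.  The
    log cannot tell the real source from the decoys; the only sources the
    report can call spoofed are those that could not have arrived at all."""
    per_dst = defaultdict(lambda: defaultdict(list))
    for ts, src, dst, port in events:
        per_dst[dst][src].append((ts, port))
    reports = []
    for dst, by_src in per_dst.items():
        by_sig = defaultdict(dict)          # port set -> {src: (first, last)}
        for src, hits in by_src.items():
            sig = tuple(sorted({p for _, p in hits}))
            if len(sig) >= min_ports:
                times = [t for t, _ in hits]
                by_sig[sig][src] = (min(times), max(times))
        for sig, srcs in by_sig.items():
            first = min(t0 for t0, _ in srcs.values())
            last = max(t1 for _, t1 in srcs.values())
            if len(srcs) >= min_sources and last - first <= window:
                # Private/RFC1918 sources seen on the outside interface
                # cannot be genuine; everything else is undecidable here.
                spoofed = [s for s in sorted(srcs)
                           if ipaddress.ip_address(s).is_private]
                reports.append({"dst": dst, "ports": list(sig),
                                "sources": sorted(srcs),
                                "provably_spoofed": spoofed,
                                "span_seconds": last - first})
    return reports


if __name__ == "__main__":
    for r in find_decoy_scans(parse(LOG_LINES)):
        print("decoy scan of %s on ports %s: %d sources in %ds, "
              "%d provably spoofed: %s"
              % (r["dst"], r["ports"], len(r["sources"]), r["span_seconds"],
                 len(r["provably_spoofed"]), ", ".join(r["provably_spoofed"])))
```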