Wednesday, 22 June 2011

ScanLine

ScanLine from Foundstone is arguably the fastest, most robust port-scanning tool ever built. The tool has a myriad of options, but one of its most valuable features is its ability
to scan very large ranges quickly and to include both TCP and UDP scanning in a single
run of the product. Take a look at this example:
C:\ >sl -t 21,22,23,25 -u 53,137,138 192.168.0.1
ScanLine (TM) 1.01
Copyright (c) Foundstone, Inc. 2010
http://www.foundstone.com
Scan of 1 IP started at Fri Nov 22 23:09:34 2010
----------------------------------------------------------
192.168.0.1
Responded in 0 ms.
1 hop away
Responds with ICMP unreachable: No
TCP ports: 21 23
UDP ports:
----------------------------------------------------------
Scan finished at Fri Nov 22 23:09:46 2002
1 IP and 7 ports scanned in 0 hours 0 mins 12.07 secs

Monday, 13 June 2011

Netcat Port Scanning

Despite the “old school” nature of this raw tool, another excellent utility is netcat (or nc),
written by Hobbit. This utility can perform so many tasks that everyone in the industry
calls it the Swiss Army knife of security. nc provides basic TCP and UDP port-scanning capabilities.
The -v and -vv options provide verbose and very verbose output, respectively. The -z
option provides zero mode I/O and is used for port scanning, and the -w2 option
provides a timeout value for each connection. By default, nc will use TCP ports. Therefore,
we must specify the -u option for UDP scanning, as shown in the following example:

[root] nc -v -z -w2 192.168.1.1 1-140

[192.168.1.1] 139 (?) open
[192.168.1.1] 135 (?) open
[192.168.1.1] 110 (pop-3) open
[192.168.1.1] 106 (?) open
[192.168.1.1] 81 (?) open
[192.168.1.1] 80 (http) open
[192.168.1.1] 79 (finger) open
[192.168.1.1] 53 (domain) open
[192.168.1.1] 42 (?) open
[192.168.1.1] 25 (smtp) open
[192.168.1.1] 21 (ftp) open
[192.168.1.1] 135 (ntportmap) open
[192.168.1.1] 123 (ntp) open
[192.168.1.1] 53 (domain) open
[192.168.1.1] 42 (name) open

Wednesday, 8 June 2011

udp_scan

Because strobe covers only TCP scanning, we can use udp_scan, originally from SATAN
(Security Administrator Tool for Analyzing Networks), written by Dan Farmer and
Wietse Venema in 1995. Although SATAN is a bit dated, its tools still work quite well. In
addition, newer versions of SATAN, now called SAINT, have been released at
http://wwdsilx.wwdsi.com. Many other utilities perform UDP scans; however, to this day we
have found that udp_scan is one of the most reliable UDP scanners available. We should
point out that although udp_scan is reliable, it does have a nasty side effect of triggering
a SATAN scan message on major IDS products. Therefore, it is not one of the more
stealthy tools you could employ. Typically, we will look for all well-known ports below
1024 and specific high-risk ports above 1024. Here’s an example:
[root] udp_scan 192.168.1.1 1-1024
42:UNKNOWN:
53:UNKNOWN:
123:UNKNOWN:
135:UNKNOWN:

Sunday, 5 June 2011

Port-scanning by strobe

strobe is a venerable TCP port-scanning utility written by Julian Assange
(http://linux.maruhn.com/sec/strobe.html). It has been around for some time and is one of the fastest
and most reliable TCP scanners available. Some of strobe’s key features include the
ability to optimize system and network resources and to scan the target system in an
efficient manner. In addition to being efficient, strobe (version 1.04 and later) will actually
grab the associated banner (if available) of each port it connects to. This may help identify
both the operating system and the running service.
The strobe output lists each listening TCP port:

[root] strobe 192.168.1.10
strobe 1.03 (c) 1995 Julian Assange (proff@suburbia.net).
192.168.1.10 echo 7/tcp Echo [95,JBP]
192.168.1.10 discard 9/tcp Discard [94,JBP]
192.168.1.10 sunrpc 111/tcp rpcbind SUN RPC
192.168.1.10 daytime 13/tcp Daytime [93,JBP]
192.168.1.10 chargen 19/tcp ttytst source
192.168.1.10 ftp 21/tcp File Transfer [Control] [96,JBP]
192.168.1.10 exec 512/tcp remote process execution;
192.168.1.10 login 513/tcp remote login a la telnet;
192.168.1.10 cmd 514/tcp shell like exec, but automatic
192.168.1.10 ssh 22/tcp Secure Shell
192.168.1.10 telnet 23/tcp Telnet [112,JBP]
192.168.1.10 smtp 25/tcp Simple Mail Transfer [102,JBP]
192.168.1.10 nfs 2049/tcp networked file system
192.168.1.10 lockd 4045/tcp
192.168.1.10 unknown 32772/tcp unassigned
192.168.1.10 unknown 32773/tcp unassigned
192.168.1.10 unknown 32778/tcp unassigned
192.168.1.10 unknown 32799/tcp unassigned
192.168.1.10 unknown 32804/tcp unassigned


Although strobe is highly reliable, you need to keep in mind some of its limitations:
it is a TCP scanner only and does not provide UDP scanning capabilities. Therefore, in
the preceding scan we are only looking at half the picture. For additional scanning
techniques beyond what strobe can provide, we must dig deeper into our toolkit.

Friday, 3 June 2011

Different kinds of scan

Port scanning is the process of sending packets to TCP and UDP ports on the target
system to determine what services are running or are in a LISTENING state. Identifying
listening ports is critical to determining the services running, and consequently the
vulnerabilities present from your remote system. Additionally, you can determine the
type and version of the operating system and applications in use. Active services that are
listening are akin to the doors and windows of your house. They are ways into the
domicile. Depending on the type of path in (a window or door), it may allow an
unauthorized user to gain access to systems that are misconfigured or running a version
of software known to have security vulnerabilities.

• TCP connect scan This type of scan connects to the target port and completes
a full three-way handshake (SYN, SYN/ACK, and ACK), as the TCP RFC
(Request for Comments) states. It is easily detected by the target system. Figure
2-4 provides a diagram of the TCP three-way handshake.
• TCP SYN scan This technique is called half-open scanning because a full TCP
connection is not made. Instead, only a SYN packet is sent to the target port.
If a SYN/ACK is received from the target port, we can deduce that it is in the
LISTENING state. If an RST/ACK is received, it usually indicates that the
port is not listening. An RST/ACK will be sent by the system performing the
port scan so that a full connection is never established. This technique has the
advantage of being stealthier than a full TCP connect, and it may not be logged
by the target system. However, one of the downsides of this technique is that
this form of scanning can produce a denial of service condition on the target by
opening a large number of half-open connections. But unless you are scanning
the same system with a high number of these connections, this technique is
relatively safe.
• TCP FIN scan This technique sends a FIN packet to the target port. Based on
RFC 793 (http://www.ietf.org/rfc/rfc0793.txt), the target system should send
back an RST for all closed ports. This technique usually only works on UNIX-based
TCP/IP stacks.
• TCP Xmas Tree scan This technique sends a FIN, URG, and PUSH packet to
the target port. Based on RFC 793, the target system should send back an RST
for all closed ports.
• TCP Null scan This technique turns off all flags. Based on RFC 793, the target
system should send back an RST for all closed ports.
• TCP ACK scan This technique is used to map out firewall rulesets. It can
help determine if the firewall is a simple packet filter allowing only established
connections (connections with the ACK bit set) or a stateful firewall performing
advanced packet filtering.
• TCP Window scan This technique may detect open as well as filtered/
nonfiltered ports on some systems (for example, AIX and FreeBSD) due to an
anomaly in the way the TCP window size is reported.
• TCP RPC scan This technique is specific to UNIX systems and is used to
detect and identify Remote Procedure Call (RPC) ports and their associated
program and version number.
• UDP scan This technique sends a UDP packet to the target port. If the target
port responds with an “ICMP port unreachable” message, the port is closed.
Conversely, if you don’t receive an “ICMP port unreachable” message, you can
deduce the port is open. Because UDP is a connectionless protocol,
the accuracy of this technique is highly dependent on many factors related to
the utilization and filtering of the target network. In addition, UDP scanning is
a very slow process if you are trying to scan a device that employs heavy packet
filtering. If you plan on doing UDP scans over the Internet, be prepared for
unreliable results.
Certain IP implementations have the unfortunate distinction of sending back reset
(RST) packets for all ports scanned, regardless of whether or not they are listening.
Therefore, your results may vary when performing these scans; however, SYN and
connect() scans should work against all hosts.
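The flag patterns listed above are also what a defender looks for. As an added example (not from the original text), the following Python reads the flags byte of raw TCP headers and applies those signatures from the monitoring side: FIN-only, Xmas Tree and Null probes are reported on sight, while SYN-only and ACK-only probes, which also occur in normal traffic, are reported only once one source has touched many distinct ports. The packet sample, the 10-port threshold and the (src_ip, raw_header) record layout are constructed assumptions.

```python
import struct
from collections import defaultdict

# TCP control bits (RFC 793), as laid out in the flags byte of the header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_MASK = FIN | SYN | RST | PSH | ACK | URG

# Flag patterns matching the scan types described in the text.
SIGNATURES = {
    SYN: "SYN (half-open) probe",
    ACK: "ACK probe",
    FIN: "FIN probe",
    FIN | URG | PSH: "Xmas Tree probe",
    0: "Null probe",
}
# A lone SYN or ACK is also ordinary traffic, so these only count as a sweep.
SWEEP_KINDS = {"SYN (half-open) probe", "ACK probe"}

def build_tcp_header(src_port, dst_port, flags, seq=0, ack=0, window=1024):
    """Pack a 20-byte TCP header (no options, checksum left zero) as constructed sample data."""
    data_offset = 5 << 4  # header length in 32-bit words, upper nibble
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                       data_offset, flags, window, 0, 0)

def parse_tcp_header(raw):
    """Return (src_port, dst_port, flags) from the first 20 bytes of a TCP header."""
    src, dst, _seq, _ack, _off, flags, _win, _csum, _urg = struct.unpack("!HHIIBBHHH", raw[:20])
    return src, dst, flags

def classify_probe(flags):
    """Name the scan pattern the flags byte matches, or None for other traffic."""
    return SIGNATURES.get(flags & FLAG_MASK)

def detect_scans(packets, sweep_threshold=10):
    """packets: iterable of (src_ip, raw_tcp_header). Returns src_ip -> findings.

    FIN, Xmas and Null probes are reported individually; SYN-only and ACK-only
    probes are reported once a source has touched sweep_threshold distinct ports.
    """
    ports_seen = defaultdict(set)      # (src_ip, kind) -> destination ports
    findings = defaultdict(list)
    for src_ip, raw in packets:
        _sport, dport, flags = parse_tcp_header(raw)
        kind = classify_probe(flags)
        if kind is None:
            continue
        if kind in SWEEP_KINDS:
            ports_seen[(src_ip, kind)].add(dport)
        else:
            findings[src_ip].append(f"{kind} to port {dport}")
    for (src_ip, kind), ports in ports_seen.items():
        if len(ports) >= sweep_threshold:
            findings[src_ip].append(f"{kind} sweep across {len(ports)} ports")
    return dict(findings)

def sample_capture():
    """Constructed traffic: a 12-port half-open scan from 10.0.0.5, one Xmas
    probe from 10.0.0.9, and a normal client (10.0.0.7) starting one connection."""
    pkts = [("10.0.0.5", build_tcp_header(40000 + p, p, SYN)) for p in range(20, 32)]
    pkts.append(("10.0.0.9", build_tcp_header(51000, 22, FIN | URG | PSH)))
    pkts.append(("10.0.0.7", build_tcp_header(52000, 80, SYN)))
    pkts.append(("10.0.0.7", build_tcp_header(52000, 80, ACK)))
    return pkts

if __name__ == "__main__":
    for src, items in detect_scans(sample_capture()).items():
        print(src, items)
```

Note the caveat from the text applies to the detector as well as the scanner: hosts that answer RST to every probe, or stacks that never answer FIN/Xmas/Null probes, change what the responder sends, but the probe itself still has the distinctive flag pattern.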

Tuesday, 31 May 2011

Hacking Start: ICMP Queries

Ping sweeps (or ICMP ECHO packets) are only the tip of the iceberg when it comes
to ICMP information about a system. You can gather all kinds of valuable information
about a system simply by sending an ICMP packet to it. For example, with the UNIX tool
icmpquery (http://packetstormsecurity.org/UNIX/scanners/icmpquery.c) or icmpush
(http://packetstormsecurity.org/UNIX/scanners/icmpush22.tgz), you can request the
time on the system (to see the time zone the system is in) by sending an ICMP type 13
message (TIMESTAMP). Also, you can request the netmask of a particular device with
the ICMP type 17 message (ADDRESS MASK REQUEST). The netmask of a network
card is important because you can determine the subnets of the target, and thereby
understand its default gateway and broadcast address. With the default gateway
identified you can target router attacks. And with the broadcast address you can target
denial of service attacks (DoS). With knowledge of the subnets, you can also orient your
attacks to only particular subnets and avoid hitting broadcast addresses, for example.
icmpquery has both a timestamp and an address mask request option:


icmpquery <-query> [-B] [-f fromhost] [-d delay] [-T time] targets
where <-query> is one of:
-t : icmp timestamp request (default)
-m : icmp address mask request
The delay is in microseconds to sleep between packets.
targets is a list of hostnames or addresses
-T specifies the number of seconds to wait for a host to respond.
The default is 5.
-B specifies ‘broadcast’ mode. icmpquery will wait for timeout seconds
and print all responses.
If you’re on a modem, you may wish to use a larger -d and –T

To use icmpquery to query a router’s time (typically in Greenwich Mean Time), you
can run this command:

[root] icmpquery -t 192.168.1.1
192.168.1.1 : 11:36:19


To use icmpquery to query a router’s netmask, you can run this command:

[root] icmpquery -m 192.168.1.1
192.168.1.1 : 0xFFFFFFE0
Not all routers and systems allow an ICMP TIMESTAMP or NETMASK response, so
your mileage with icmpquery and icmpush may vary greatly from host to host.

Sunday, 29 May 2011

Determining If the System Is Alive by Network Ping Sweeps

One of the most basic steps in mapping out a network is performing an automated ping
sweep on a range of IP addresses and network blocks to determine if individual devices
or systems are alive. Ping is traditionally used to send ICMP ECHO (ICMP Type 8)
packets to a target system in an attempt to elicit an ICMP ECHO_REPLY (ICMP Type 0)
indicating the target system is alive. Although ping is acceptable to determine the number
of systems alive in a small-to-midsize network (Class C is 254 and Class B is 65,534
potential hosts), it is inefficient for larger, enterprise networks. Scanning larger Class A
networks (16,277,214 potential hosts) can take hours if not days to complete. You must
learn a number of ways for discovering live systems.
Network pinging is the act of sending certain types of traffic to a target and analyzing
the results (or lack thereof). Typically, pinging utilizes ICMP (Internet Control Message
Protocol) and, although not the only packets available for this function, ICMP tends to be
the most heavily supported. Alternatively, one could use either TCP or UDP as well to
perform the same function of finding a host that is alive on the network.
To perform an ICMP ping sweep, you can use a myriad of tools available for both
UNIX and Windows. One of the tried-and-true techniques of performing ping sweeps in
the UNIX world is to use fping. Unlike more traditional ping sweep utilities, which
wait for a response from each system before moving on to the next potential host, fping
is a utility that will send out massively parallel ping requests in a round-robin fashion.
Thus, fping will sweep many IP addresses significantly faster than ping. fping can be
used in one of two ways: you can feed it a series of IP addresses from standard input
(stdin) or you can have it read from a file. Having fping read from a file is easy; simply
create your file with IP addresses on each line:
192.168.51.1
192.168.51.2
192.168.51.3
...
192.168.51.253
192.168.51.254

Then use the –f parameter to read in the file:

[root]$ fping -a -f in.txt
192.168.1.254 is alive
192.168.1.227 is alive
192.168.1.224 is alive
...
192.168.1.3 is alive
192.168.1.2 is alive
192.168.1.1 is alive
192.168.1.190 is alive

The -a option of fping will show only systems that are alive. You can also combine
it with the -d option to resolve hostnames if you choose. We prefer to use the -a option
with shell scripts and the -d option when we are interested in targeting systems that
have unique hostnames. Other options such as -f may interest you when scripting ping
sweeps. Type fping -h for a full listing of available options. Another utility is nmap from Fyodor.

[root] nmap -sP 192.168.1.0/24

Starting nmap V. 4.68 by fyodor@insecure.org (www.insecure.org/nmap/)

Host (192.168.1.0) seems to be a subnet broadcast
address (returned 3 extra pings).
Host (192.168.1.1) appears to be up.
Host (192.168.1.10) appears to be up.
Host (192.168.1.11 ) appears to be up.
Host (192.168.1.15) appears to be up.
Host (192.168.1.20) appears to be up.
Host (192.168.1.50) appears to be up.
Host (192.168.1.101) appears to be up.
Host (192.168.1.102) appears to be up.
Host (192.168.1.255) seems to be a subnet broadcast
address (returned 3 extra pings).
Nmap run completed -- 256 IP addresses (10 hosts up) scanned in 21 seconds

For the Windows-inclined, we like the tried-and-true freeware product SuperScan
from Foundstone. It is one of the fastest ping sweep utilities
available. Like fping, SuperScan sends out multiple ICMP ECHO packets (in addition
to three other types of ICMP) in parallel and simply waits and listens for responses. Also like
fping, SuperScan allows you to resolve hostnames and view the output in an HTML file.
For those technically minded, here’s a brief synopsis of the different types of ICMP
packets that can be used to ping a host.

The primary ICMP types are
• Message Type: 0 – Echo Reply
• Message Type: 3 – Destination Unreachable
• Message Type: 4 – Source Quench
• Message Type: 5 – Redirect
• Message Type: 8 – Echo
• Message Type: 11 – Time Exceeded
• Message Type: 12 – Parameter Problem
• Message Type: 13 – Timestamp
• Message Type: 14 – Timestamp Reply
• Message Type: 15 – Information Request
• Message Type: 16 – Information Reply

Any of these ICMP message types could potentially be used to discover a host on the
network; it just depends on the target’s ICMP implementation and how it responds to
these packet types. How the different operating systems respond or don’t respond to the
various ICMP types also aids in remote OS detection.
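The ICMP types above, together with the TIMESTAMP (13) and ADDRESS MASK REQUEST (17) queries from the icmpquery section, are what a border monitor should be watching for. As an added example (not from the original text, and not part of any of the tools named here), the following Python builds and parses ICMP messages with the RFC 1071 checksum and audits a capture: Timestamp, Information and Address Mask requests are reported on sight, since ordinary clients never send them, and Echo requests are reported once one source has probed many distinct hosts. The packet sample, the 8-host threshold and the (src_ip, dst_ip, raw_icmp) record layout are constructed assumptions.

```python
import struct
from collections import defaultdict

# ICMP message types listed in the text, plus the Address Mask pair used by icmpquery.
ICMP_TYPES = {
    0: "Echo Reply", 3: "Destination Unreachable", 4: "Source Quench",
    5: "Redirect", 8: "Echo", 11: "Time Exceeded", 12: "Parameter Problem",
    13: "Timestamp", 14: "Timestamp Reply", 15: "Information Request",
    16: "Information Reply", 17: "Address Mask Request", 18: "Address Mask Reply",
}
# Query types used for host discovery that normal client traffic does not send.
RECON_QUERIES = {13, 15, 17}

def internet_checksum(data):
    """RFC 1071 checksum: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp(icmp_type, code=0, ident=1, seq=1, payload=b""):
    """Build an ICMP message with a valid checksum (constructed sample data)."""
    body = struct.pack("!BBHHH", icmp_type, code, 0, ident, seq) + payload
    csum = internet_checksum(body)
    return struct.pack("!BBHHH", icmp_type, code, csum, ident, seq) + payload

def parse_icmp(raw):
    """Return (type, code, checksum_ok, ident, seq) from a raw ICMP message."""
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", raw[:8])
    # Summing a correct message including its own checksum field yields zero.
    return icmp_type, code, internet_checksum(raw) == 0, ident, seq

def audit_icmp(packets, sweep_threshold=8):
    """packets: iterable of (src_ip, dst_ip, raw_icmp). Returns src_ip -> findings.

    Timestamp, Information and Address Mask requests are reported on sight;
    Echo requests only once a source has probed sweep_threshold distinct hosts.
    A bad checksum is recorded, not dropped: a crafted probe need not be well-formed.
    """
    echo_targets = defaultdict(set)
    findings = defaultdict(list)
    for src, dst, raw in packets:
        icmp_type, _code, ok, _ident, _seq = parse_icmp(raw)
        name = ICMP_TYPES.get(icmp_type, f"type {icmp_type}")
        if not ok:
            findings[src].append(f"bad checksum on {name} to {dst}")
        if icmp_type in RECON_QUERIES:
            findings[src].append(f"{name} query to {dst}")
        elif icmp_type == 8:
            echo_targets[src].add(dst)
    for src, targets in echo_targets.items():
        if len(targets) >= sweep_threshold:
            findings[src].append(f"Echo sweep across {len(targets)} hosts")
    return dict(findings)

def sample_capture():
    """Constructed traffic: 203.0.113.9 sweeps ten hosts with Echo, then sends a
    Timestamp request (12-byte body) and an Address Mask request (4-byte body) to
    one of them; 192.168.1.50 sends a single ordinary ping."""
    pkts = [("203.0.113.9", f"192.168.1.{i}", build_icmp(8, seq=i)) for i in range(1, 11)]
    pkts.append(("203.0.113.9", "192.168.1.1", build_icmp(13, payload=bytes(12))))
    pkts.append(("203.0.113.9", "192.168.1.1", build_icmp(17, payload=bytes(4))))
    pkts.append(("192.168.1.50", "192.168.1.1", build_icmp(8)))
    return pkts
```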
You may be wondering what happens if ICMP is blocked by the target site. Good
question. It is not uncommon to come across a security-conscious site that has blocked
ICMP at the border router or firewall. Although ICMP may be blocked, some additional
tools and techniques can be used to determine if systems are actually alive. However,
they are not as accurate or as efficient as a normal ping sweep.
When ICMP traffic is blocked, port scanning is the first alternate technique to determine
live hosts. By scanning for common ports on every potential IP address, we can determine which hosts are alive
if we can identify open or listening ports on the target system. This technique can be
time-consuming, but it can often unearth rogue systems or highly protected systems.
For Windows, the tool we recommend is SuperScan. As discussed earlier, SuperScan
will perform both host and service discovery using ICMP and TCP/UDP, respectively.
Using the TCP/UDP port scan options, you can determine whether a host is alive or
not—without using ICMP at all. You simply select the check box
for each protocol you wish to use and the type of technique you desire, and you are off
to the races.
Another tool used for this host discovery technique is the UNIX/Windows tool
nmap. The Windows version, which is nmap with the Windows wrapper called Zenmap,
is now well supported, so even the truly command-line-challenged amongst you can
easily download the latest Windows version at nmap.org and get scanning quickly. Of
course, the product installs WinPcap, so be prepared: if you haven’t installed this
application before on your Windows system, you should know that it is a packet filter
driver that allows nmap to read and write raw packets from and to the wire. nmap for Windows allows for a number of ping options
to discover hosts on a network. These host discovery options have long been available to
the UNIX world, but now Windows users can also leverage them.
As mentioned previously, nmap does provide the capability to perform ICMP sweeps.
However, it offers a more advanced option called TCP ping scan. A TCP ping scan is
initiated with the -PT option and a port number such as 80. We use 80 because it is a
common port that sites will allow through their border routers to systems on their
demilitarized zone (DMZ), or even better, through their main firewall(s). This option will
spew out TCP ACK packets to the target network and wait for RST packets indicating
the host is alive. ACK packets are sent because they are more likely to get through a
nonstateful firewall such as Cisco IOS. Here’s an example:

[root] nmap -sP -PT80 192.168.1.0/24
TCP probe port is 80
Starting nmap V. 4.68
Host (192.168.1.0) appears to be up.
Host (192.168.1.1) appears to be up.
Host shadow (192.168.1.10) appears to be up.
Host (192.168.1.11) appears to be up.
Host (192.168.1.15) appears to be up.
Host (192.168.1.20) appears to be up.
Host (192.168.1.50) appears to be up.
Host (192.168.1.101) appears to be up.
Host (192.168.1.102) appears to be up.
Host (192.168.1.255) appears to be up.
Nmap run completed (10 hosts up ) scanned in 5 seconds

As you can see, this method is quite effective in determining if systems are alive,
even if the site blocks ICMP. It is worth trying a few iterations of this type of scan with
common ports such as SMTP (25), POP (110), AUTH (113), IMAP (143), or other ports
that may be unique to the site.
For the advanced technical reader, Hping2 from www.hping.org is an amazing TCP
ping utility for UNIX that should be in your toolbox. With additional TCP functionality
beyond nmap, Hping2 allows the user to control specific options of the UDP, TCP, or
Raw IP packet that may allow it to pass through certain access control devices.
To perform a simple TCP ping scan, set the TCP destination port with the -p option.
By doing this you can circumvent some access control devices similar to the traceroute
technique. Hping2 can be used to perform TCP and UDP ping
sweeps, and it has the ability to fragment packets, potentially bypassing some access
control devices. Here’s an example:

[root]# hping2 192.168.0.2 -S -p 80 -f
HPING 192.168.0.2 (eth0 192.168.0.2): S set , 40 data bytes
60 bytes from 192.168.0.2: flags = SA seq=0 ttl=64 id=418 win=5840 time=3.2 ms
60 bytes from 192.168.0.2: flags=SA seq=1 ttl=64 id=420 win=5840 time=2.1 ms
60 bytes from 192.168.0.2: flags=SA seq=2 ttl=64 id=422 win=5840 time=2.0 ms

--- 192.168.0.2 hping statistic ---
3 packets tramitted, 3 packets received , 0% packet loss

In some cases, simple access control devices cannot handle fragmented packets
correctly, thus allowing our packets to pass through and determine if the target system
is alive. Notice that the TCP SYN (S) flag and the TCP ACK (A) flag are returned whenever
a port is open (flags=SA). Hping2 can easily be integrated into shell scripts by using the
-cN packet count option, where N is the number of packets to send before moving on.
Although this method is not as fast as some of the ICMP ping sweep methods mentioned
earlier, it may be necessary given the configuration of the target network.
The final tool we will analyze is icmpenum, from Simple Nomad. This UNIX utility
is a handy ICMP enumeration tool that allows you to quickly identify systems that are
alive by sending the traditional ICMP ECHO packets as well as ICMP TIMESTAMP
REQUEST and ICMP INFO REQUEST (similar to SuperScan). Thus, if ingress (inbound)
ICMP ECHO packets are dropped by a border router or firewall, it may still be possible
to identify systems using one of these alternate ICMP types:

[shadow] icmpenum -i 2 -c 192.168.1.0
192.168.1.1 is up
192.168.1.10 is up
192.168.1.11 is up
192.168.1.15 is up
192.168.1.20 is up
192.168.1.103 is up

In this example, we enumerated the entire 192.168.1.0 Class C network using an
ICMP TIME STAMP REQUEST. However, the real power of icmpenum is to identify
systems using spoofed packets to avoid detection. Spoofed packets do not
carry the sender’s true IP address as their source address, which makes it look like
the scan is coming from another host on the network. This technique is possible because
icmpenum supports the ability to spoof packets with the -s option and passively listen
for responses with the -p switch.
To summarize, this step allows us to determine exactly what systems are alive via
ICMP or through selective port scans. Out of 255 potential addresses within the Class C
range, we have determined that several hosts are alive and have now become our targets
for subsequent interrogation.