scanning · 2017-09-09 · Matsuzaki ‘maz’ Yoshinobu


scanning

Matsuzaki ‘maz’ Yoshinobu <maz@iij.ad.jp>

Stole slides from Fakrul Alam and Shahadat Hossain


Basic Features of Google Search

• Automatic “AND” Queries
  • By default, Google only returns pages that include all of your search terms.
  • There is no need to include “AND” between terms.

• Automatic Exclusion of Common Words
  • Google ignores common words and characters such as and, or, in, of, be etc., as well as certain single digits and single letters, because they tend to slow down your search without improving the results. Google will indicate if a common word has been excluded by displaying details on the results page below the search box.


Basic Features of Google Search

• Capitalization
  • Google searches are NOT case sensitive. For example, searches for “APNIC”, “Apnic” and “apnic” will all retrieve the same results.

• Spell Checker
  • Google’s spell checking software automatically looks at your query to see if you are using the most common version of a word’s spelling. If it is likely that an alternative spelling would retrieve more relevant results, it will ask “Did you mean: (more common spelling)?”


Different Search Operators

• + Searches
• - Searches
• ~ Searches
• Phrase Searches
• Domain Restrict Searches
• Definition Searches
• File Type Searches
• Or Searches

• Fill in the Blank
• Currency Conversion
• Calculator Function
• Unit Conversion
• Time Check


Advanced Operators

• Google advanced operators help refine searches.
• They are included as part of a standard Google query.
• Advanced operators use a syntax such as the following:

  operator:search_term

• There’s no space between the operator, the colon, and the search term!


Advanced Operators at a Glance

Operator      Purpose
intitle       Search page title
allintitle    Search page title
inurl         Search URL
allinurl      Search URL
filetype      Search specific files
allintext     Search text of page only
site          Search specific site
link          Search for links to pages
inanchor      Search link anchor text

Operator      Purpose
numrange      Locate number
daterange     Search in date range
author        Group author search
group         Group name search
insubject     Group subject search
msgid         Group msgid search


Advanced Google Searching

Some operators search overlapping areas. Consider site, inurl and filetype.


Exercise:

1. Find web servers that use your organizational domain name
2. Any admin login page available?
3. Any .doc file which contains the word “Confidential”?


nmap (https://nmap.org)

• Nmap is a free and open source network exploration and security auditing tool
• Nmap was created by Gordon Lyon, a.k.a. Fyodor Vaskovich, and first published in 1997.
• Works cross-platform, although it works best on Linux-type environments
• It uses raw IP packets to determine
  • What hosts are available on the network
  • What services (application name and version) they offer
  • Guesses the operating system, uptime and other characteristics


Ethical Issue

• Can be used for hacking - to discover vulnerable ports
• System admins can use it to check that systems meet security standards
• Unauthorized use of Nmap on a system could be illegal.
• Make sure you have permission before using this tool.
• There is no right way to do the wrong things


Nmap: How it works

• DNS lookup - matches name with IP
• Nmap pings the remote target with 0 (zero) byte packets to each port
• If packets are not received back, port is open
• If packets are received, port is closed
• Firewall can interfere with this process


Nmap: Scanning Techniques

• Host Discovery and Target Specification
• Port Scanning Technique, Specification and Order
• OS, Service and Version Detection
• Nmap Scripting Engine
• Timing and Performance
• Firewall, IDS Evasion and Spoofing Technique
• Scan Report


Nmap: Scan

Usage: nmap [Scan Type(s)] [Options] {target specification}

TARGET SPECIFICATION:
  Can pass hostnames, IP addresses, networks, etc.
  Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
  -iL <inputfilename>: Input from list of hosts/networks
  -iR <num hosts>: Choose random targets
  --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
  --excludefile <exclude_file>: Exclude list from file

OS DETECTION:
  -O: Enable OS detection
  --osscan-limit: Limit OS detection to promising targets
  --osscan-guess: Guess OS more aggressively
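The Ethical Issue slide says to make sure you have permission before scanning, and the TARGET SPECIFICATION slide shows how loosely Nmap accepts targets (192.168.0.1, microsoft.com/24, 10.0.0-255.1-254). A simple pre-flight check that expands a target spec and refuses anything outside the authorized ranges catches the classic workshop mistake of a mistyped octet. The script below is an added example, not part of the original slides or of Nmap; it expands the address forms of Nmap's syntax (plain address, CIDR, and comma/dash/asterisk octet ranges) and refuses hostnames because resolving them needs DNS. AUTHORIZED_SCOPE is a constructed policy built from the two lab networks named on the exercise slides.

```python
"""Check an Nmap-style target specification against an authorized scope (added example)."""
import ipaddress
import itertools
import re
from typing import Iterator, List

# Constructed policy: the two lab networks named on the exercise slides.
AUTHORIZED_SCOPE = [
    ipaddress.ip_network("10.0.1.0/24"),
    ipaddress.ip_network("10.0.2.0/24"),
]

# One dotted-quad field in Nmap's octet-range syntax: digits, commas, dashes or '*'.
_OCTET_FIELD = re.compile(r"[0-9,*-]+")


def expand_octet(field: str) -> List[int]:
    """Expand one octet field: '5', '1-3', '1,5,10-12' or '*'."""
    if field == "*":
        return list(range(256))
    values: List[int] = []
    for part in field.split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            # A missing bound means 0 or 255 ('-' alone covers the whole octet).
            values.extend(range(int(lo) if lo else 0, (int(hi) if hi else 255) + 1))
        else:
            values.append(int(part))
    if any(v < 0 or v > 255 for v in values):
        raise ValueError(f"octet value out of range in {field!r}")
    return values


def expand_targets(spec: str) -> Iterator[ipaddress.IPv4Address]:
    """Yield every address covered by one target spec (CIDR or octet-range form)."""
    if "/" in spec:
        base, prefix = spec.split("/", 1)
        # Nmap accepts 192.168.0.1/24 and scans the whole /24; strict=False masks host bits off.
        yield from ipaddress.ip_network(f"{base}/{prefix}", strict=False)
        return
    fields = spec.split(".")
    if len(fields) != 4 or not all(_OCTET_FIELD.fullmatch(f) for f in fields):
        raise ValueError(f"unsupported target spec (hostnames are not resolved here): {spec!r}")
    for a, b, c, d in itertools.product(*(expand_octet(f) for f in fields)):
        yield ipaddress.IPv4Address(f"{a}.{b}.{c}.{d}")


def out_of_scope(spec: str, scope=AUTHORIZED_SCOPE) -> List[str]:
    """Return the addresses in spec that fall outside every authorized network."""
    return [str(ip) for ip in expand_targets(spec) if not any(ip in net for net in scope)]


def check_scope(spec: str, scope=AUTHORIZED_SCOPE) -> bool:
    """True only when every address the spec expands to is authorized."""
    return not out_of_scope(spec, scope)


if __name__ == "__main__":
    # "10.0.0-2.1" is a constructed typo: it would also hit 10.0.0.1, which is not a lab network.
    for spec in ("10.0.2.0/24", "10.0.1-2.1", "10.0.0-2.1"):
        bad = out_of_scope(spec)
        print(f"{spec}: {'OK' if not bad else 'REFUSE, out of scope: ' + ', '.join(bad)}")
```

Run the check on the exact string you are about to hand to nmap; if it prints REFUSE, fix the target spec rather than the scope list.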


Nmap: Scan

HOST DISCOVERY:
  -sL: List Scan - simply list targets to scan
  -sn: Ping Scan - disable port scan
  -Pn: Treat all hosts as online -- skip host discovery
  -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
  -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
  -PO[protocol list]: IP Protocol Ping
  -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
  --dns-servers <serv1[,serv2],...>: Specify custom DNS servers
  --system-dns: Use OS's DNS resolver
  --traceroute: Trace hop path to each host


Nmap: Scan

SCAN TECHNIQUES:
  -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
  -sU: UDP Scan
  -sN/sF/sX: TCP Null, FIN, and Xmas scans
  --scanflags <flags>: Customize TCP scan flags
  -sI <zombie host[:probeport]>: Idle scan
  -sY/sZ: SCTP INIT/COOKIE-ECHO scans
  -sO: IP protocol scan
  -b <FTP relay host>: FTP bounce scan


Exercise 1: Host discovery

• ssh to workshop@10.0.0.x
  • Note: x is your group #
  • Note: password is iij/2497

• $ nmap -sP 10.0.2.0/24


Exercise 1: Host discovery

• ssh to workshop@10.0.0.x
  • Note: x is your group #
  • Note: password is iij/2497

• $ nmap -sP 10.0.1.0/24


Exercise 2: Open Ports

• Scan the host found in Exercise 1

• $ nmap <ip>


Exercise 3: OS Fingerprint

• Guess the OS of the host found in Exercise 1

• $ nmap -O <ip>


Exercise 4: Scan your client

• Do not scan others’ clients

• $ nmap <your IP>

• What kind of service is running there?
• Let nmap guess your OS


Exercise 5: Version

• $ nmap -sV 10.0.2.1


Recommended