Reconnaissance & Scanning
APNIC 42
Colombo, Sri Lanka, 28 September – 5 October 2016
Contributor: Shahadat Hossain (GrameenPhone)
Did you ever get hacked?
https://haveibeenpwned.com/
Session Flow
• Advanced Search Techniques
  • Google
  • Bing
  • Shodan search
• Data Collection
  • Pastebin
  • Zone-H
• Advanced Techniques for Network Scanning
  • Nmap
• Challenges
Live IP Discovery Technique: Google Search
• What is Google
• Why Google
• Basic features of Google
  • Automatic "AND" queries
  • Automatic exclusion of common words
  • Capitalization
  • Spell checker
• Google search operators
  • Basic operators
  • Advanced operators
What is Google?
Why Google?
• Reasons to use Google Search
  • Directory
  • Their map search
  • The trust
  • Easy to use
Basic Features of Google Search
• Automatic "AND" queries: by default, Google only returns pages that include all of your search terms. There is no need to include "AND" between terms.
• Automatic exclusion of common words: Google ignores common words and characters such as "and", "or", "in", "of" and "be", as well as certain single digits and single letters, because they tend to slow down a search without improving the results. Google indicates that a common word has been excluded by displaying details on the results page below the search box.
• Capitalization: Google searches are NOT case sensitive. For example, searches for "APNIC", "Apnic" and "apnic" all retrieve the same results.
• Spell checker: Google's spell-checking software automatically checks whether your query uses the most common spelling of a word. If an alternative spelling would probably retrieve more relevant results, it asks "Did you mean: (more common spelling)?"
Different Search Operators
• + searches
• - searches
• ~ searches
• Phrase searches
• Domain-restricted searches
• Definition searches
• File type searches
• OR searches
• Fill in the blank
• Currency conversion
• Calculator function
• Unit conversion
• Time check
(Note: Google retired the + operator in 2011 and the ~ synonym operator in 2013; to force an exact term today, put it in double quotes.)
Advanced Operators
• Google advanced operators help refine searches.
• They are included as part of a standard Google query.
• Advanced operators use the following syntax:
  operator:search_term
• There is no space between the operator, the colon and the search term!
Advanced Operators at a Glance
Operator     Purpose
intitle      Search page title
allintitle   Search page title (all terms must appear)
inurl        Search URL
allinurl     Search URL (all terms must appear)
filetype     Search specific file types
allintext    Search text of page only
site         Search specific site
link         Search for links to pages
inanchor     Search link anchor text
numrange     Locate a number (within a range)
daterange    Search in a date range
author       Group author search (Google Groups)
group        Group name search (Google Groups)
insubject    Group subject search (Google Groups)
msgid        Group message-ID search (Google Groups)
Advanced Google Searching
site:
inurl:
filetype:
Some operators search overlapping areas. Consider site:, inurl: and filetype:.
• inurl: can search the whole URL, including the port and the file type.
• filetype: can only search the file extension, which may be hard to distinguish in long URLs.
• site: cannot search the port.
For illustration (example.com stands in for a target you are authorised to test): site:example.com inurl:8443 finds indexed pages served on a non-standard port, and site:example.com filetype:doc "confidential" finds Word documents on that domain containing the word.
Exercise: Advanced Google Searching
1. How many web servers of your organization are live on the Internet?
2. Is any user login page available on the IPs found in exercise 1?
3. Is any admin login page available?
4. Is there any .doc file that contains the word "Confidential"?
Bing: What Extra?
• Virtual hosting
  • Name-based: several sites share one IP address and the web server selects the site from the HTTP Host header
  • IP-based: each site has its own IP address
• Bing can identify name-based virtual hosting
• Operator: ip: (for example ip:203.0.113.10 lists pages Bing has indexed from that address, whatever hostname they were served under)
Exercise: Bing
• Does any virtual hosting exist on your organization's web server?
• Why is this information worth knowing to a pentester?
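Added example (not part of the original slides): once Bing's ip: operator has given you candidate hostnames for one address, the way to confirm name-based virtual hosting is to send requests to that single IP while varying only the Host header. The block below is self-contained: it starts its own HTTP listener on 127.0.0.1 that behaves like a name-based vhost (the hostnames under example.test and the page bodies are constructed for the demo and are not real sites), then probes it the way you would probe a host you are authorised to test.

```python
import http.client
import http.server
import threading

# Constructed demo data: one listener ("one IP") serving two name-based
# virtual hosts.  Hostnames and bodies are assumptions for illustration.
VHOSTS = {
    "www.example.test": b"<h1>public site</h1>",
    "intranet.example.test": b"<h1>staff portal - login</h1>",
}


class VHostHandler(http.server.BaseHTTPRequestHandler):
    """Pick the site from the Host header, exactly as a name-based vhost does."""

    def do_GET(self):
        host = self.headers.get("Host", "").split(":")[0].lower()
        body = VHOSTS.get(host)
        if body is None:
            # Unknown name: this demo answers 404.  Many real servers instead
            # serve the first configured site, which is itself an information leak.
            self.send_response(404)
            body = b"no such site"
        else:
            self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_server():
    """Bind to an ephemeral port on 127.0.0.1 and return (server, port)."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), VHostHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def probe_vhosts(ip, port, candidate_names, timeout=3):
    """Send one GET per candidate name to the same IP, varying only Host.

    Returns {name: (status, body)}.  No DNS is involved: this is how names
    found via Bing's ip: operator (or certificate SANs, reverse DNS, ...)
    are checked against a single address.
    """
    results = {}
    for name in candidate_names:
        conn = http.client.HTTPConnection(ip, port, timeout=timeout)
        try:
            conn.request("GET", "/", headers={"Host": name})
            resp = conn.getresponse()
            results[name] = (resp.status, resp.read().decode(errors="replace"))
        finally:
            conn.close()
    return results


def distinct_sites(results):
    """Names that answered 200 with a body different from every other 200."""
    ok = {n: b for n, (s, b) in results.items() if s == 200}
    return sorted(n for n, b in ok.items()
                  if all(b != ob for on, ob in ok.items() if on != n))


if __name__ == "__main__":
    server, port = start_server()
    found = probe_vhosts("127.0.0.1", port, ["www.example.test",
                                             "intranet.example.test",
                                             "bogus.example.test"])
    for name, (status, body) in found.items():
        print(f"{name:25s} {status} {body[:40]!r}")
    print("distinct vhosts:", distinct_sites(found))
    server.shutdown()
```

The point for the exercise: a port scan of that IP shows one web server, but the Host header reveals a second site (here the staff portal) that would otherwise never be enumerated. Run the same probe against the real address with the names Bing returned.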
SHODAN Search Technique
• What is Shodan
  • Shodan is a search engine developed by John Matherly
  • Different from content search engines like Google and Bing
  • Can identify IP-based devices connected to the Internet
  • It uses service banners
  • It can identify
    • Operating system
    • Services
    • Open ports
    • Version
  • It can filter searches by
    • Country
    • City
• A Firefox add-on is available
https://www.shodan.io/
Shodan Basic Search Operators
Operator      Purpose
country       Filter results by two-letter country code
hostname      Filter results by specified text in the hostname or domain
net           Filter results by a specific IP range or subnet
os            Search for specific operating systems
port          Narrow the search to specific services (by port number)
ServiceName   Filter the results by service name (Shodan's product: filter)
DeviceName    Filter the results by device name (Shodan's device: filter)
Exercise: Shodan
1. Find out how many IPs are live in your country.
2. Find out how many Apache servers are running in your country.
3. Find out how many Apache servers are running version 2.2.3 in your city.
4. Find out whether any Apache servers are running in the nist.gov and microsoft.com domains.
5. Find out how many IIS 5.0 servers are running in the USA and AU.
6. Take the Google IP block and find how many IPs are live in it.
7. How many Linux servers are running at Yahoo?
8. How many hosts on the Internet have telnet open?
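Added example (not Shodan's code and not from the original slides): the slide says Shodan "uses service banners", and exercises 3, 5 and 8 are exactly banner filters. The block below shows what that means in practice: it parses raw HTTP, SSH and telnet banners into (product, version) and then applies Shodan-style filters to them. The banner records are constructed for the demo (documentation-range IPs, invented hosts); a real run would use banners you grabbed yourself from hosts you are authorised to scan, or Shodan's own data.

```python
import re

# Constructed sample banners, modelled on what Shodan stores per host/port.
# Addresses are from documentation ranges; none of these are real hosts.
SAMPLE_BANNERS = [
    {"ip": "192.0.2.10", "port": 80, "country": "LK",
     "data": "HTTP/1.1 200 OK\r\nServer: Apache/2.2.3 (CentOS)\r\nContent-Type: text/html\r\n\r\n"},
    {"ip": "192.0.2.11", "port": 443, "country": "LK",
     "data": "HTTP/1.1 403 Forbidden\r\nServer: Microsoft-IIS/5.0\r\n\r\n"},
    {"ip": "198.51.100.5", "port": 22, "country": "AU",
     "data": "SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8\r\n"},
    {"ip": "198.51.100.9", "port": 23, "country": "AU",
     "data": "\xff\xfd\x18\xff\xfd \xff\xfd#\xff\xfd'\r\nlogin: "},
    {"ip": "203.0.113.7", "port": 80, "country": "LK",
     "data": "HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n"},
]

# HTTP "Server:" header: product, then an optional "/version".
_HTTP_SERVER = re.compile(r"^Server:\s*([A-Za-z0-9_.-]+)(?:/(\S+))?", re.M)
# SSH identification string: SSH-<proto>-<software>[_<version>] [comment].
_SSH = re.compile(r"^SSH-(\d\.\d)-(\S+?)(?:_(\S+))?(?:\s|$)")


def parse_banner(data):
    """Return (product, version) guessed from a raw banner, or (None, None)."""
    m = _HTTP_SERVER.search(data)
    if m:
        return m.group(1).lower(), m.group(2)
    m = _SSH.match(data)
    if m:
        return m.group(2).lower(), m.group(3)
    # Telnet: IAC (0xff) option negotiation and/or a login prompt, no version.
    if data.startswith("\xff") or "login:" in data:
        return "telnet", None
    return None, None


def search(records, **filters):
    """Apply Shodan-style filters (product, version, port, country) to banners."""
    hits = []
    for rec in records:
        product, version = parse_banner(rec["data"])
        enriched = dict(rec, product=product, version=version)
        if all(enriched.get(k) == v for k, v in filters.items()):
            hits.append(enriched)
    return hits


def count(records, **filters):
    return len(search(records, **filters))


if __name__ == "__main__":
    # Exercise 3: Apache 2.2.3;  exercise 5: IIS 5.0;  exercise 8: telnet open.
    print("apache 2.2.3:", count(SAMPLE_BANNERS, product="apache", version="2.2.3"))
    print("iis 5.0:", count(SAMPLE_BANNERS, product="microsoft-iis", version="5.0"))
    print("telnet:", [h["ip"] for h in search(SAMPLE_BANNERS, port=23)])
    print("in LK:", count(SAMPLE_BANNERS, country="LK"))
```

Banner text is self-reported by the service, so treat the version as a claim, not a fact: administrators can change the Server header, and a distribution-patched "Apache/2.2.3" may carry fixes the upstream version number does not show.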
Pastebin (http://pastebin.com/)
• A pastebin is a type of web application where users can store plain text.
• They are most commonly used to share short source code snippets for code review.
• But people also share confidential data.
• You can also add alerts for specific keywords.
Exercise: Pastebin
• Search for text/documents related to your organization/domain.
• Do a search on ".com.au password". What information do you get?
Zone-H (http://zone-h.net/)
• Zone-H is an archive of defaced websites.
• It is the largest web intrusion archive.
• Once a defaced website is submitted to Zone-H, it is mirrored on the Zone-H servers and then moderated by the Zone-H staff to check whether the defacement was fake.
Exercise: Zone-H
• Go to http://www.zone-h.org/
• Check with your organization's domain name
• How about www.microsoft.com?
• http://www.zone-h.org/mirror/id/1246363
Nmap (https://nmap.org/)
• Nmap is a free and open source network exploration and security auditing tool.
• Nmap was created by Gordon Lyon, a.k.a. Fyodor Vaskovich, and first published in 1997.
• Works cross-platform, although it works best on Linux-type environments.
• It uses raw IP packets to determine
  • What hosts are available on the network
  • What services (application name and version) they offer
  • Guesses of the operating system, uptime and other characteristics
Nmap in the movies
https://nmap.org/movies/
Ethical Issues
• Can be used for hacking: to discover vulnerable ports
• System admins use it to check that systems meet security standards
• Unauthorized use of Nmap on a system could be illegal.
• Make sure you have permission before using this tool.
Remember: there is no right way to do the wrong things
Nmap: How it works
• DNS lookup: matches the name to an IP (and, unless -n is given, reverse-resolves each live host)
• Host discovery: by default, as root, Nmap sends an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request (without root, a TCP connect() to ports 80 and 443). Any reply means the host is up.
• Port scan: for each port Nmap sends a probe (a TCP SYN by default as root) and classifies the port from the answer: SYN/ACK means open, RST means closed, no answer (or an ICMP unreachable error) means filtered.
• A firewall can interfere with this process: dropped probes show up as filtered ports, and a host that drops all discovery probes looks down unless -Pn is used.
Nmap: Scanning Techniques
• Host discovery and target specification
• Port scanning techniques, specification and order
• OS, service and version detection
• Nmap Scripting Engine
• Timing and performance
• Firewall/IDS evasion and spoofing techniques
• Scan reports
Good presentation by Fyodor on "Nmap: Scanning the Internet": https://www.youtube.com/watch?v=Hk-21p2m8YY
Nmap: Scan
TARGET SPECIFICATION:
  Can pass hostnames, IP addresses, networks, etc.
  Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
  -iL <inputfilename>: Input from list of hosts/networks
  -iR <num hosts>: Choose random targets
  --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
  --excludefile <exclude_file>: Exclude list from file
OS DETECTION:
  -O: Enable OS detection
  --osscan-limit: Limit OS detection to promising targets
  --osscan-guess: Guess OS more aggressively
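Added example (not Nmap's own code, not from the original slides): the target syntax above packs a lot into a short string, and it pays to know exactly which addresses a spec like 10.0.0-255.1-254 turns into before you scan, and what --exclude removes. The block below expands Nmap-style targets offline: per-octet ranges and comma lists, CIDR on an IP, -iL style whitespace-separated lists with # comments, and an exclude list. Hostnames are passed through unexpanded because resolving them would need DNS; the addresses in the usage are documentation ranges, chosen as illustration.

```python
import ipaddress
import itertools
import re

_OCTET_ITEM = re.compile(r"^(\d*)(?:(-)(\d*))?$")


def _expand_octet(spec):
    """Expand one octet field: '5', '1-3', '1,3,5-7', '-' (0-255), '*' (0-255)."""
    values = []
    for item in spec.split(","):
        if item == "*":
            item = "-"
        m = _OCTET_ITEM.match(item)
        if item == "" or not m:
            raise ValueError(f"bad octet spec {spec!r}")
        lo, dash, hi = m.groups()
        if dash is None:
            lo_i = hi_i = int(lo)
        else:
            lo_i = int(lo) if lo else 0
            hi_i = int(hi) if hi else 255
        if not 0 <= lo_i <= hi_i <= 255:
            raise ValueError(f"octet range out of order or out of range: {item!r}")
        values.extend(range(lo_i, hi_i + 1))
    return values


def expand_target(spec):
    """Expand one Nmap target spec into a list of host strings.

    Dotted quads may carry per-octet ranges/lists; an address with /prefix is
    expanded as CIDR (every address, network and broadcast included, which is
    what Nmap's "256 IP addresses" for a /24 means).  Anything else (hostnames,
    hostname/CIDR) is returned unchanged: Nmap resolves those first.
    """
    if "/" in spec:
        host, _, _prefix = spec.partition("/")
        try:
            ipaddress.ip_address(host)
        except ValueError:
            return [spec]
        return [str(a) for a in ipaddress.ip_network(spec, strict=False)]
    parts = spec.split(".")
    if len(parts) == 4 and all(re.fullmatch(r"[\d,*-]+", p) for p in parts):
        octets = [_expand_octet(p) for p in parts]
        return [".".join(map(str, combo)) for combo in itertools.product(*octets)]
    return [spec]


def expand_targets(specs, exclude=()):
    """Expand many specs, drop --exclude matches, keep first-seen order."""
    excluded = set()
    for e in exclude:
        excluded.update(expand_target(e))
    seen, out = set(), []
    for s in specs:
        for host in expand_target(s):
            if host not in excluded and host not in seen:
                seen.add(host)
                out.append(host)
    return out


def parse_target_list(text):
    """Targets as -iL reads them: whitespace-separated, '#' to end of line is a comment."""
    specs = []
    for line in text.splitlines():
        specs.extend(line.split("#", 1)[0].split())
    return specs


if __name__ == "__main__":
    # Constructed -iL file contents (documentation addresses, not real targets).
    listing = "192.0.2.1-4 scanme.nmap.org\n# lab segment\n198.51.100.0/30\n"
    specs = parse_target_list(listing)
    print(expand_targets(specs, exclude=["192.0.2.2"]))
    print(len(expand_target("10.0.0-255.1-254")), "addresses in 10.0.0-255.1-254")
```

A practical check before a large scan: print the expansion's length and a few entries, and make sure the exclude list really removes the addresses you must not touch (for example a customer's production hosts) before Nmap ever sends a packet.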
HOST DISCOVERY:
  -sL: List Scan - simply list targets to scan
  -sn: Ping Scan - disable port scan
  -Pn: Treat all hosts as online -- skip host discovery
  -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
  -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
  -PO[protocol list]: IP Protocol Ping
  -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
  --dns-servers <serv1[,serv2],...>: Specify custom DNS servers
  --system-dns: Use OS's DNS resolver
  --traceroute: Trace hop path to each host
SCAN TECHNIQUES:
  -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
  -sU: UDP Scan
  -sN/sF/sX: TCP Null, FIN, and Xmas scans
  --scanflags <flags>: Customize TCP scan flags
  -sI <zombie host[:probeport]>: Idle scan
  -sY/sZ: SCTP INIT/COOKIE-ECHO scans
  -sO: IP protocol scan
  -b <FTP relay host>: FTP bounce scan
Nmap: Timing and Performance
• --min-parallelism <numprobes>; --max-parallelism <numprobes>: adjust probe parallelization
• --max-retries <numtries>: specify the maximum number of port scan probe retransmissions
• --scan-delay <time>; --max-scan-delay <time>: adjust the delay between probes
• -T paranoid|sneaky|polite|normal|aggressive|insane (equivalently -T0 to -T5): set a timing template
Let's look at some examples
Install Nmap and follow along with the examples.
Host Discovery
fakrul@console# nmap -sP 202.125.96.0/24
Starting Nmap 7.01 ( https://nmap.org ) at 2016-09-20 09:48 AEST
Nmap scan report for 202.125.96.1
Host is up (0.00071s latency).
Nmap scan report for 202.125.96.10
Host is up (0.00012s latency).
Nmap scan report for 202.125.96.15
Host is up (0.00048s latency).
Nmap scan report for 202.125.96.40
...............
Nmap scan report for 202.125.96.254
Host is up (0.00062s latency).
Nmap done: 256 IP addresses (15 hosts up) scanned in 8.61 seconds
(-sP is the legacy spelling of -sn: host discovery only, no port scan.)
Host Discovery with traceroute
root@console:/home/fakrul# nmap -sP www.apnic.net --traceroute
Starting Nmap 7.01 ( https://nmap.org ) at 2016-09-20 09:52 AEST
Nmap scan report for www.apnic.net (203.119.102.244)
Host is up (0.018s latency).

TRACEROUTE (using proto 1/icmp)
HOP RTT      ADDRESS
1   0.15 ms  202.125.96.1
2   0.21 ms  202.125.96.225
3   0.30 ms  ip-169.232.255.49.VOCUS.net.au (49.255.232.169)
4   14.48 ms as4608.qld.ix.asn.au (218.100.76.36)
5   17.72 ms squiz-proxy.apnic.net (203.119.102.244)
Nmap done: 1 IP address (1 host up) scanned in 13.90 seconds
Target Specification
root@console:/home/fakrul# nmap -T4 -p 1-1024 202.125.96.15
Starting Nmap 7.01 ( https://nmap.org ) at 2016-09-20 10:05 AEST
Nmap scan report for 202.125.96.15
Host is up (0.00014s latency).
Not shown: 1022 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 00:1D:09:66:1B:A8 (Dell)
Nmap done: 1 IP address (1 host up) scanned in 8.10 seconds
Target IPs can be listed in a text file, separated by whitespace (spaces, tabs or newlines), and passed with -iL:
root@console:/home/fakrul# nmap -T4 -p 1-1024 -iL iplist.txt
Target Specification with OS Fingerprint
root@console:/home/fakrul# nmap -T4 -O -p 1-1024 202.125.96.15
(-O enables OS detection and needs raw-packet privileges, hence the root prompt; the original slide showed the command without -O, but the output below is only produced with it.)
Starting Nmap 7.01 ( https://nmap.org ) at 2016-09-20 10:05 AEST
Nmap scan report for 202.125.96.15
Host is up (0.00014s latency).
Not shown: 1022 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 00:1D:09:66:1B:A8 (Dell)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.0
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.84 seconds
(The MAC address line appears only because the target is one hop away on the same LAN: Nmap reads it from ARP, not from the TCP scan.)
TCP Three-Way Handshake
SYN [seq=A]
SYN-ACK [seq=B, ack=A+1]
ACK [seq=A+1, ack=B+1]
• Ports are associated with OSI Layer 4
• 2 main protocols: TCP & UDP
• TCP is connection-oriented, unlike UDP
• To initiate a TCP connection, TCP uses the three-way handshake (3WHS)
• TCP has 6 classic flags (URG, ACK, PSH, RST, SYN, FIN); counting ECE and CWR there are actually 8
Port State & TCP Behavior
• If no connection exists between two hosts, then SYN is the only valid and expected packet; all other packets are considered invalid.
• Scanner sends SYN, target answers SYN/ACK, scanner sends RST: the port is open (a SYN scan tears the half-open connection down with RST instead of completing the handshake)
• Scanner sends SYN, target answers RST: the port is closed
• Scanner sends SYN, the probe is dropped and nothing comes back: the port is filtered
• open: will accept connections
• filtered: a firewall or other network obstacle is covering the port, so Nmap cannot tell whether it is open
• closed: determined to be closed with no obstacle or interference; the host is reachable and answers with RST, but nothing is listening
• unfiltered: reachable, but whether it is open or closed cannot be determined; only reported by scans such as the ACK scan, which map firewall rules rather than listening services
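Added example (my own code, not Nmap's and not from the original slides) for the "How it works" and port-state slides above: the three outcomes of a SYN probe (SYN/ACK, RST, nothing) are the same three a full connect() scan (Nmap -sT) sees, just surfaced by the operating system as a successful connect, ECONNREFUSED, or a timeout. A SYN scan needs raw sockets and root, so this block uses connect() and can run unprivileged. To be self-contained it starts its own listener on 127.0.0.1 to stand in for an open port and picks an unused loopback port for the closed case; 192.0.2.1 in the usage is a documentation address chosen to show the filtered case and is an assumption about your network.

```python
import socket
import threading


def _listen_on_free_port():
    """Constructed target: a TCP listener on 127.0.0.1 so one port is really open."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:       # listener closed: stop
                return
            conn.close()          # accept the handshake, then hang up

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def _free_closed_port():
    """A loopback port nothing listens on: bind, read the number, release it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def probe_port(ip, port, timeout=1.0):
    """Full connect() probe (what Nmap -sT does) and its classification.

    open:     the handshake completed (SYN -> SYN/ACK -> ACK); we then close.
    closed:   the host answered our SYN with RST, seen here as ECONNREFUSED.
    filtered: no answer within the timeout, or an ICMP unreachable error:
              a firewall or other obstacle sits between us and the port.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((ip, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError:               # e.g. host/network unreachable
        return "filtered"
    finally:
        s.close()


def scan(ip, ports, timeout=1.0):
    """Probe each port in turn; returns {port: state}."""
    return {p: probe_port(ip, p, timeout) for p in ports}


if __name__ == "__main__":
    listener, open_port = _listen_on_free_port()
    closed_port = _free_closed_port()
    print("loopback:", scan("127.0.0.1", [open_port, closed_port]))
    # Documentation address that should never answer: expect "filtered"
    # (exact behaviour depends on your network; an unreachable error also
    # counts as filtered here, as it does for Nmap).
    print("192.0.2.1:", scan("192.0.2.1", [80], timeout=2.0))
    listener.close()
```

Two caveats a scan with this shape always carries: a connect() scan completes the handshake, so it is logged by the application (a SYN scan is not), and "filtered" is the absence of evidence, so a single timed-out probe deserves a retry before you write it down (Nmap's --max-retries covers exactly this).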
Check whether a host is running a DNS server
root@console:/home/fakrul# nmap -sU -p 53 202.125.96.42
Starting Nmap 7.01 ( https://nmap.org ) at 2016-09-20 11:08 AEST
Nmap scan report for 202.125.96.42
Host is up (0.00017s latency).
PORT   STATE SERVICE
53/udp open  domain
MAC Address: 00:16:3E:25:39:FD (Xensource)
Nmap done: 1 IP address (1 host up) scanned in 7.23 seconds
UDP has no handshake, so the rules differ from TCP: a UDP port is reported open only when the service answers Nmap's protocol-specific payload (for port 53 Nmap sends a DNS query), an ICMP port unreachable means closed, and silence is reported as open|filtered.
Nmap: Exercise
Task (fill in the answer for each)
1. How do you scan the known open ports of the network range 192.168.30.0/27?
2. Is there any web service running on IP 192.168.30.55? What is the application name?
3. What is the IP address of the Windows 2003 Server in the network 192.168.30.0/27?
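Added example (not Nmap's code and not from the original slides) covering the scan outputs above and this exercise: answering questions 2 and 3 across a whole /27 means reading many "Nmap scan report" blocks, which is easier to do from parsed data than by eye. The block below parses Nmap's normal output format into per-host records (address, up/down, port table with service and version, MAC, OS guess) and then answers exercise-style questions from them. The sample output is constructed to look like the scans above (documentation-range addresses, invented host names and versions); in practice you would feed it the text of your own nmap -sV -O run against the lab range.

```python
import re

# Constructed sample in Nmap's normal output format, modelled on the scans
# above.  Addresses are documentation ranges, not the workshop hosts.
SAMPLE_OUTPUT = """\
Starting Nmap 7.01 ( https://nmap.org ) at 2016-09-20 10:05 AEST
Nmap scan report for 192.0.2.15
Host is up (0.00014s latency).
Not shown: 1022 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.7p1
80/tcp open  http    Apache httpd 2.4.10
MAC Address: 00:1D:09:66:1B:A8 (Dell)
OS details: Linux 3.2 - 4.0
Nmap scan report for gw.example.test (192.0.2.1)
Host is up (0.00071s latency).
All 1024 scanned ports on gw.example.test (192.0.2.1) are filtered
Nmap scan report for 192.0.2.40
Host is up (0.00048s latency).
PORT    STATE SERVICE VERSION
53/udp  open  domain  ISC BIND 9.9.5
445/tcp open  microsoft-ds
OS details: Microsoft Windows Server 2003 SP1 or SP2
Nmap done: 3 IP addresses (3 hosts up) scanned in 10.84 seconds
"""

_REPORT = re.compile(r"^Nmap scan report for (\S+)(?: \((\d+\.\d+\.\d+\.\d+)\))?$")
_PORT = re.compile(r"^(\d+)/(tcp|udp|sctp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_nmap_output(text):
    """Turn Nmap normal output into a list of host dicts."""
    hosts, cur = [], None
    for line in text.splitlines():
        m = _REPORT.match(line)
        if m:
            name, ip = m.groups()
            cur = {"host": name, "ip": ip or name, "up": False,
                   "ports": [], "mac": None, "os": None}
            hosts.append(cur)
            continue
        if cur is None:
            continue                      # banner lines before the first host
        if line.startswith("Host is up"):
            cur["up"] = True
        elif line.startswith("MAC Address:"):
            cur["mac"] = line.split()[2]
        elif line.startswith("OS details:"):
            cur["os"] = line.partition(":")[2].strip()
        else:
            m = _PORT.match(line)
            if m:
                port, proto, state, service, version = m.groups()
                cur["ports"].append({
                    "port": int(port), "proto": proto, "state": state,
                    "service": service,
                    "version": (version or "").strip() or None})
    return hosts


def hosts_with_service(hosts, service, state="open"):
    """IPs offering a given Nmap service name (exercise 2: service='http')."""
    return [h["ip"] for h in hosts
            if any(p["service"] == service and p["state"] == state
                   for p in h["ports"])]


def hosts_matching_os(hosts, needle):
    """IPs whose OS guess contains the text (exercise 3: 'Windows Server 2003')."""
    return [h["ip"] for h in hosts if h["os"] and needle.lower() in h["os"].lower()]


def open_port_summary(hosts):
    """{ip: ['22/tcp', ...]} for every host that is up (exercise 1)."""
    return {h["ip"]: [f"{p['port']}/{p['proto']}"
                      for p in h["ports"] if p["state"] == "open"]
            for h in hosts if h["up"]}


if __name__ == "__main__":
    parsed = parse_nmap_output(SAMPLE_OUTPUT)
    print("open ports:", open_port_summary(parsed))
    print("web servers:", hosts_with_service(parsed, "http"))
    print("Windows 2003:", hosts_matching_os(parsed, "Windows Server 2003"))
```

For anything beyond a one-off, use nmap -oX and parse the XML (or -oG for grep-able lines) rather than the human-readable format: the normal output is not a stable interface and its port table changes shape with -sV and with the service-name column width.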