Showing posts with label dns. Show all posts

Tuesday, May 25, 2010

Adding and using hostmap.rb to BT4

The next tool is hostmap.rb, a Ruby script for DNS discovery.
This tool is available at http://hostmap.lonerunners.net/

So to get started, visit the above link, then download and save the tarball.

root@dorkness:/tmp/# tar xvf hostmap-0.2.2.tar

Remove the tarball and move the directory to /pentest/enumeration/hostmap-0.2.2/

root@dorkness:/tmp/# rm -rf hostmap-0.2.2.tar*


root@dorkness:pentest/enumeration/hostmap-0.2.2# ruby hostmap.rb -h

Usage: hostmap.rb [options] -t [target]
Target options:
-t, --target [STRING] set target domain
Discovery options:
--with-zonetransfer
enable DNS zone transfer check
--without-bruteforce
disable DNS bruteforcing
--without-dnsexpansion
disable DNS TLD expansion
--bruteforce-level [STRING]
set bruteforce aggressivity, values are lite, custom or full (default is lite)
--without-be-paranoid
don't check the results consistency
--http-ports [STRING]
set a comma separated list of custom HTTP ports to check
--only-passive
passive discovery, don't make network activity to the target network
--timeout [STRING]
set plugin timeout
--threads [STRING]
set concurrent threads number
Networking options:
-d, --dns [STRING] set a comma separated list of DNS servers IP addresses to use instead of system defaults
Output options:
--print-maltego
set output formatted for Maltego
-v, --verbose set verbose mode
Misc options:
--without-update
skip update check
-h, --help show this help message

root@dorkness:pentest/enumeration/hostmap-0.2.2#


Note: you will need to give an IP address; you cannot use domain names.

An example of usage is as follows:

root@dorkness:/pentest/enumeration/hostmap-0.2.2# ruby hostmap.rb --only-passive --without-update -t 80.65.162.250
hostmap 0.2.2 codename truppola
Coded by Alessandro `jekil` Tanasi

[2010-05-25 22:41] Skipping SSL because only passive checks are enabled
[2010-05-25 22:41] Found new hostname queer.ba
[2010-05-25 22:41] Found new domain queer.ba
[2010-05-25 22:41] Found new hostname diocletian.httpool.ba
[2010-05-25 22:41] Found new domain httpool.ba
[2010-05-25 22:41] Found new nameserver ns.queer.ba
[2010-05-25 22:41] Found new hostname www.queer.ba
[2010-05-25 22:41] Found new hostname www.queer.ba
[2010-05-25 22:41] Found new nameserver ns02.europronet.ba
[2010-05-25 22:41] Skipping DNS Zone transfer because it is enabled only passive checks.
[2010-05-25 22:41] Skipping DNS Zone transfer because it is enabled only passive checks.
[2010-05-25 22:41] Skipping DNS bruteforce because it is enabled only passive checks
[2010-05-25 22:41] Found new mail server mx2.europronet.ba
[2010-05-25 22:41] Found new mail server mx3.europronet.ba
[2010-05-25 22:41] Found new mail server mx1.europronet.ba
[2010-05-25 22:41] Found new nameserver ns1.httpool.com
[2010-05-25 22:41] Found new nameserver ns2.httpool.com
[2010-05-25 22:41] Skipping DNS Zone transfer because it is enabled only passive checks.
[2010-05-25 22:41] Skipping DNS bruteforce because it is enabled only passive checks

Results for 80.65.162.250
Served by name server (probably)
ns2.httpool.com
ns1.httpool.com
ns.queer.ba
ns02.europronet.ba
Served by mail exchange (probably)
mx1.europronet.ba
mx3.europronet.ba
mx2.europronet.ba
Hostnames:
www.queer.ba
diocletian.httpool.ba
queer.ba
root@dorkness:/pentest/enumeration/hostmap-0.2.2#


Note: I used the --only-passive and --without-update flags; these should be self-explanatory. -t is for the target.

As you can see there are several other options to work with; those I will leave up to you to explore.

Enjoy

Adding more DNS tools to BT4 part 3

The next tool is subdomainer.py

To get it, download the .tar here:

http://www.edge-security.com/subdomainer.php
Again you can save it wherever; I chose /pentest/enumeration/.
Untar the package, cd to the directory, chmod +x subdomainer.py, and then you are set to go.
To untar the package: tar xvf subd*
Delete the tarball: rm -rf subdomainer.tar

Generic usage is:

root@dorkness:/pentest/enumeration/subdomainer# python subdomainer.py

*************************************
*Subdomainer Ver. 1.3b *
*Coded by Christian Martorella *
*Edge-Security Research *
*laramies2k@yahoo.com.ar *
*************************************

usage: subdomainer.py options

-d: domain to search
-l: limit of results to work with. (msn and yahoo goes in 10 to 10
google in 100's, and pgp does not need this option)
-m: data source (msn, yahoo, google, pgp-veridis, all)

-o: output to html file. (optional, good for long lists.)

Example:
subdomainer.py -d microsoft.com -l 200 -m google

subdomainer.py -d microsoft.com -l 100 -m all -o microsoft.html

root@dorkness:/pentest/enumeration/subdomainer#




Due to the length of the results I will leave it to you to run them.

Adding more DNS tools to BT4 part 2

DNSbf.py
Ok again this is a simple copy and paste.
Get the source here:
https://docs.google.com/View?docid=dg23j87b_213fh46kgfp

EDIT: Since the above Google doc seems to no longer be valid, I will leave it to the user to find it by searching Google. Frankly, as I stated in the comments below, if you can't find this or any other tool I write about then you probably shouldn't be using them, since it's obvious you don't know what you are doing.

Copy and paste it to wherever you want. I used the same directory as before.
The name is dnsbf.py. The purpose of the tool is to use DNS to find hostnames in a subnet.
Save it and give it execute permissions.

Generic usage with no flags set.

root@dorkness:/pentest/enumeration/dnsenum# ./dnsbf.py

*****************************************
* program created by t0ka7a *
* http://infond.blogspot.com *
* under GNU 3.0 licence *
* v0.2 02/13/2010 *
* using dns, find hostnames in a subnet *
*****************************************

begin search...

wrong number of arguments

exemple: ./dnsbf.py 192.168.1.0/24

root@dorkness:/pentest/enumeration/dnsenum#


This time we have some targets to scan.
root@dorkness:/pentest/enumeration/dnsenum# ./dnsbf.py 80.65.162.0/24

*****************************************
* program created by t0ka7a *
* http://infond.blogspot.com *
* under GNU 3.0 licence *
* v0.2 02/13/2010 *
* using dns, find hostnames in a subnet *
*****************************************

begin search...

80.65.162.2 bbr-gtz.europronet.ba
80.65.162.201 fa11_ssw-gadzo01.europronet.ba
80.65.162.202 smtps.bihgap.ba
80.65.162.205 fa05_ssw-sa02.europronet.ba
80.65.162.206 hotcasino03.europronet.ba
80.65.162.209 fa23_ssw-sa01.europronet.ba
80.65.162.210 ulk-srv01.linux.org.ba
80.65.162.213 fa15_ssw-sa01.europronet.ba
80.65.162.214 voip-gw01.europronet.ba
80.65.162.217 fa32_ssw-sa01.europronet.ba
80.65.162.218 yellow.europronet.ba
80.65.162.221 fa42_ssw-sa01.europronet.ba
80.65.162.225 fa06_ssw-sa02.europronet.ba
80.65.162.226 hotcasino2.europronet.ba
80.65.162.250 queer.ba
80.65.162.229 fa13_ssw-sa01.europronet.ba
80.65.162.230 mx2.europronet.ba
80.65.162.233 fa07_ssw-sa02.europronet.ba
80.65.162.234 hotcasinogb.europronet.ba
80.65.162.237 fa31_ssw-sa01.europronet.ba
80.65.162.241 fa34_ssw-sa01.europronet.ba
80.65.162.242 mail.triptih.europronet.ba
80.65.162.245 fa36_ssw-sa01.europronet.ba
80.65.162.1 fe08_asw-sa01.europronet.ba
80.65.163.78 mailsrvsa.octas.com
80.65.163.81 rg-ice.europronet.ba
80.65.163.108 terme-centrala.europronet.ba
80.65.163.162 mail2.procreditbank.ba
80.65.163.194 ip-65-163-194.europronet.ba
80.65.163.254 robot-vgw.europronet.ba
80.65.162.70 ns.queer.ba
80.65.162.34 posao.ba
80.65.162.35 mposao.ba

end of search
511 ip tested, 33 names found, in 11 s

root@dorkness:/pentest/enumeration/dnsenum#


So there you go, another cool tool to add to BT for your reconnaissance efforts.

Adding more DNS tools to BT4 part 1

So here is a write up on adding some tools to the BT4 DNS collection.
I will first show how to install and give a brief usage of each tool.
They are not hard to install and are simple to use. The power lies in what they can do.
These tools are ones that I found, and credit goes to their authors. Also note that since the tools are not included in BT by default, you are on your own if something goes wrong. However, since they are simple Python and/or Ruby scripts with no real dependencies, things should work just fine.
NOTE: Most output info has been slightly modified.

So without further delay the first up is
DNSDic.py
Code is here:
https://docs.google.com/View?docid=dg23j87b_214cdwmbjfx

So copy and paste the code from the link into a file named dnsdic.py and make the file executable. I added these tools to the following directory to keep things somewhat organised.
The script will need a dictionary when running. A good one, and the one the author recommends, is located in the dnsenum directory.

root@dorkness:/pentest/enumeration/#


Again, to make it executable:
root@dorkness:/pentest/enumeration/# chmod +x dnsdic.py


Generic run with no options:


root@dorkness:/pentest/enumeration/#python dnsdic.py

***************************************************
* program created by t0ka7a *
* http://infond.blogspot.com *
* under GNU 3.0 licence *
* v0.1 02/14/2010 *
* dns dictionnary search of hostnames in a subnet *
***************************************************

begin search...

wrong number of arguments

exemple: dnsdic.py -f ./dico.txt infond.blogspot.com



Ok now a run with some actual usage and results.

root@dorkness:/pentest/enumeration/# python dnsdic.py -f ./dns.txt exampleweb.ba

***************************************************
* program created by t0ka7a *
* http://infond.blogspot.com *
* under GNU 3.0 licence *
* v0.1 02/14/2010 *
* dns dictionnary search of hostnames in a subnet *
***************************************************

begin search...

exampleweb.ba ['ftp.exampleweb.ba'] ['81.61.112.150']
mail.exampleweb.ba [] ['81.61.112.10']
ns.exampleweb.ba [] ['81.61.112.70']
exampleweb.ba ['www.exampleweb.ba'] ['81.61.112.250']

end of search
95 names tested, 4 hostnames found, in 16.110284 s

root@dorkness:/pentest/enumeration/#

Sunday, January 13, 2008

How To Use DNS-Ptr

Disclaimer: This information is for educational purposes only and not to commit a crime!
If you do something that causes you to hose your box don't come kicking and screaming on the forums!
All IP addresses, MAC addresses, etc. have been munged!



DNS-Ptr is a tool that allows you to learn the DNS names of IP addresses. This is like doing a reverse DNS lookup.
You have the IP address but want to know if there is a domain name associated with it.
Using this tool will allow us to do mass lookups rather quickly.
This is a very simple tool to use.

To access this tool: K > Backtrack > Information Gathering > All > DNS-Ptr

OK, opening this will give the following:
Code:
Usage : ./Allhosts  
Mass DNS Query program for vicy, by crisk
bt dns-ptr #
OK, so some background for those that don't know. DNS, the Domain Name System, translates domain names like www.yourexampleofadomain.com into IP addresses like 192.168.1.100.
Of course this address is for "internal or private use only".
Now we can use lots of tools to gain this info; I will leave that alone.
If you have the IP address and want to find a domain name that may be associated with it, we can use DNS-Ptr.
Using the IP to find an associated domain name is called a reverse DNS lookup.

To use the tool, on the command line type the IP address that you want to look up.

Code:
Usage : ./Allhosts  
Mass DNS Query program for vicy, by crisk
bt dns-ptr # dns-ptr 192.168.1.1

The output will show us:


Code:
Beginning DNS lookups
192.1.168.1.1
Ending DNS lookups.
bt dns-ptr #
If we want to see whether other IP addresses close to our start IP are associated, then we can set the end IP and run it again.

In this example I used 5 (remember to leave a space).

Code:
Usage : ./Allhosts  
Mass DNS Query program for vicy, by crisk
bt dns-ptr # dns-ptr 192.168.1.1 5
Code:
Beginning DNS lookups
192.1.168.1.1 : fac34-7-yourexampleofadomain.com
192.1.168.1.2 : fac34-7-yourexampleofadomain.com
192.1.168.1.3 : fac34-7-yourexampleofadomain.com
192.1.168.1.4 : fac34-7-yourexampleofadomain.com
192.1.168.1.5 : someotherexampleofadomain.com
Ending DNS lookups.
bt dns-ptr #
As you can see, the first 4 IPs belong to www.yourexampleofadomain.com, but the 5th one belongs to someone else.
Again, this is a simple tool to use.

Sunday, January 6, 2008

Multipart PortScanning Tutorial Part 4

In part four of our "scanning journey" we are looking at FIN scans against our target box.
I am going to show you various combinations of the FIN scan and the resulting output.
If you have not done so you may need to brush up on the other lessons.

Part1
Part2
Part3

Disclaimer: This information is for educational purposes only and not to commit a crime!
If you do something that causes you to hose your box don't come kicking and screaming on the forums!
All IP addresses, MAC addresses, etc. have been munged!



This is our standard FIN scan. Again, this is a TCP scan, NOT UDP. I am using the Insane scan because it is a local network with the firewall and IDS turned off, so no need to worry about that.
Remember, if you are doing this on a network that is not yours, outside of the legality issues, the faster you go the more likely you will be discovered by IDS/IPS (Intrusion Detection Systems / Intrusion Prevention Systems). If a firewall was turned on then we probably won't get much in the way of information. However, we will see that a little later on in this lesson.


OK, on a FIN scan we are only sending FIN or "finished" packets to our target. This tells a target that we never actually "talked" to prior to our scan that we are done, so in essence we are "finishing a conversation" or connection that never took place. This will normally net us some weird results. Sometimes the target can get confused and tell us more than it should! Sometimes it will not say anything, and that is what a good hardened target box should do!
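Why a FIN probe gets "weird" answers, and why the two scans later in this post disagree, comes down to a simple response-to-state mapping. This added example (not the author's, and not Nmap's code) models that mapping for SYN and FIN probes and runs it against a constructed target in three configurations: a plain *nix stack, a Windows-like stack (which answers FIN probes with RST on every port, open or not), and a host behind a firewall that drops unsolicited packets.

```python
from typing import Dict, Iterable, Optional

# Added example (not the author's): how Nmap turns what comes back from a SYN
# or FIN probe into a port state, and why the two scans in the post disagree.
# SimTarget is a constructed stand-in, not a real host.

OPEN, CLOSED, FILTERED, OPEN_FILTERED = "open", "closed", "filtered", "open|filtered"


def classify(scan: str, response: Optional[str]) -> str:
    """Map a probe response to Nmap's port state.

    response is one of "SYN/ACK", "RST", "ICMP-unreach" or None (no reply)."""
    if response == "ICMP-unreach":
        return FILTERED
    if scan == "SYN":
        # Half-open handshake: SYN/ACK means listening, RST means nothing there,
        # silence means something in between is eating our probe.
        return {"SYN/ACK": OPEN, "RST": CLOSED}.get(response, FILTERED)
    if scan == "FIN":
        # RFC 793: a closed port answers a stray FIN with RST, an open port
        # silently drops it, so silence is ambiguous: open or filtered.
        return CLOSED if response == "RST" else OPEN_FILTERED
    raise ValueError(f"unsupported scan type {scan!r}")


class SimTarget:
    """Constructed host model: which ports listen, whether a firewall drops
    unsolicited packets, and whether the stack behaves like Windows, which
    answers FIN probes with RST regardless of port state."""

    def __init__(self, open_ports: Iterable[int], firewall: bool = False,
                 windows_like: bool = False) -> None:
        self.open_ports = set(open_ports)
        self.firewall = firewall
        self.windows_like = windows_like

    def respond(self, scan: str, port: int) -> Optional[str]:
        if self.firewall:
            return None                       # drop-all policy: no reply at all
        is_open = port in self.open_ports
        if scan == "SYN":
            return "SYN/ACK" if is_open else "RST"
        if scan == "FIN":
            if self.windows_like or not is_open:
                return "RST"
            return None                       # open port ignores the stray FIN
        raise ValueError(f"unsupported scan type {scan!r}")


def scan_host(target: SimTarget, scan: str, ports: Iterable[int]) -> Dict[int, str]:
    """Probe every port once and classify the answer."""
    return {p: classify(scan, target.respond(scan, p)) for p in ports}


def summarize(states: Dict[int, str]) -> Dict[str, int]:
    """Count ports per state, like Nmap's 'All N scanned ports ... are X' line."""
    counts: Dict[str, int] = {}
    for state in states.values():
        counts[state] = counts.get(state, 0) + 1
    return counts


if __name__ == "__main__":
    ports = range(1, 1025)
    cases = [
        ("*nix, no firewall", SimTarget({22, 80})),
        ("Windows-like, no firewall", SimTarget({135, 445}, windows_like=True)),
        ("any OS behind a drop-all firewall", SimTarget({22, 80}, firewall=True)),
    ]
    for label, target in cases:
        print(f"{label}:")
        print("  FIN:", summarize(scan_host(target, "FIN", ports)))
        print("  SYN:", summarize(scan_host(target, "SYN", ports)))
```

The firewalled case reproduces the "All 1697 scanned ports ... are open|filtered" line below: once replies are dropped, a FIN scan cannot tell an open port from a filtered one, and the OS fingerprint built on top of it is no longer worth much.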

These probes are only using the default port list, not the entire range of ports. All scans listed are with the "-vv" very verbose and "-T5" Insane speed level.

Code:
bt~# nmap -sF -sV -T5 -vv 192.168.1.102
Code:
Starting Nmap 4.20 ( http://insecure.org ) at 2008
All 1697 scanned ports on 192.168.1.102 are open|filtered
MAC Address: 00:11:22:AA:BB:CC (Cisco-Linksys, LLC)

Nmap finished: 1 IP address (1 host up) scanned in 36.649 seconds
We didn't get much in the way of info with just the basic scan, so we are moving on. This time we use the version probe and OS detection.
Our command looks like this:
Code:
nmap -sF -sV -O -T5 -vv 192.168.1.102
And our output is as follows.

Code:
Starting Nmap 4.20 ( http://insecure.org ) at 2008
Initiating ARP Ping Scan at 11:43
Scanning 192.168.1.102 [1 port]
Completed ARP Ping Scan at 11:43, 0.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 11:43
Completed Parallel DNS resolution of 1 host. at 11:43, 0.05s elapsed
Initiating FIN Scan at 11:43
Scanning 192.168.1.102 [1697 ports]
Completed FIN Scan at 11:44, 2.31s elapsed (1697 total ports)
Initiating Service scan at 11:44
Warning: OS detection for 192.168.1.102 will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
Initiating OS detection (try #1) against 192.168.1.102
Host 192.168.1.102 appears to be up ... good.
All 1697 scanned ports on 192.168.1.102 are closed
MAC Address:00:11:22:AA:BB:CC (Cisco-Linksys, LLC)
Device type: general purpose
Running: Microsoft Windows 2003
OS details: Microsoft Windows 2003 Server SP1, Microsoft Windows Server 2003 Enterprise Edition 64-Bit SP1 (firewall disabled)
OS Fingerprint:
OS:SCAN THIS PART WAS INTENTIONALLY REMOVED BY ME!!

Network Distance: 5 hops

OS and Service detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 2.880 seconds
Raw packets sent: 1839 (74.156KB) | Rcvd: 1704 (78.744KB)

And now the same scan with a firewall in place.

Code:
Starting Nmap 4.20 ( http://insecure.org ) at 2008
Initiating ARP Ping Scan at 12:05
Scanning 192.168.1.102 [1 port]
Completed ARP Ping Scan at 12:05, 0.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 12:05
Completed Parallel DNS resolution of 1 host. at 12:05, 0.05s elapsed
Initiating FIN Scan at 12:05
Scanning 192.168.1.102 [1697 ports]
Completed FIN Scan at 12:05, 18.93s elapsed (1697 total ports)
Initiating Service scan at 12:05
Scanning 1689 services on 192.168.1.102
Service scan Timing: About 6.42% done; ETC: 12:13 (0:07:17 remaining)
Completed Service scan at 12:12, 425.24s elapsed (1697 services on 1 host)
Warning: OS detection for 192.168.1.102 will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
Initiating OS detection (try #1) against 192.168.1.102
Host 192.168.1.102 appears to be up ... good.
All 1697 scanned ports on 192.168.1.102 are open|filtered
MAC Address: 00:11:22:AA:BB:CC (Cisco-Linksys, LLC)
Too many fingerprints match this host to give specific OS details
TCP/IP fingerprint by osscan system #2:
SCAN(P=i686-pc-linux-gnu)
U1(R=N)
IE(R=N)
Network Distance: 5 hops

OS and Service detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 445.304 seconds
Raw packets sent: 3419 (139.138KB) | Rcvd: 1 (42B)
Notice that this time we went from a possible Windows 2003 Server type box in the first scan to a possible Linux box. The only difference was the addition of a firewall that was thrown into the mix. This can make a HUGE difference when we are looking for attack vectors!

This lesson shows you what FIN Scans look like. Remember that you can change some of the other options in Nmap to help evade and spoof IDS/IPS etc.
However right now we are only concerned with the basics.
In the next lesson we will be looking at a FIN|ACK scan.

Saturday, January 5, 2008

Multipart PortScanning Tutorial Part 3

We will now continue with our "scanning journey". In this installment we are going to look at another TCP scan using BT2 as our target machine. I am also using the latest version of Nmap on a Windows box.

Disclaimer: This information is for educational purposes only and not to commit a crime!
If you do something that causes you to hose your box don't come kicking and screaming on the forums!


In our third installment we are going to look at our BT2 box. This is a fresh install of BT2 on a HDD. This will show exactly what others may see if you are running BT2 on your network. Now keep in mind things may be different for each individual setup.

I used the latest version of Nmap; it comes complete with a nice GUI if you are so inclined. I was, since it's on a Windows box anyway! And yes, you can get this for your BT2 or BT3 box.
The only reason I did it that way is because I only have one BT box set up right now and it was the easiest option for me. However, if you have the option then go for it and post your results here as well!

So we used the same basic commands as before and it looks like:
Code:
 # nmap -A -v 192.168.1.102
Again this is still a TCP SYN Scan.
The output shows us the following:

Code:
 Starting Nmap 4.52 ( http://insecure.org ) at 2008-01-05 22:42
Initiating ARP Ping Scan at 22:42
Scanning 192.168.1.100 [1 port]
Completed ARP Ping Scan at 22:42, 0.22s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 22:42
Completed Parallel DNS resolution of 1 host. at 22:42, 0.05s elapsed
Initiating SYN Stealth Scan at 22:42
Scanning 192.168.1.100 [1714 ports]
Discovered open port 6000/tcp on 192.168.1.102
Discovered open port 631/tcp on 192.168.1.102
Completed SYN Stealth Scan at 22:42, 0.19s elapsed (1714 total ports)
Initiating Service scan at 22:42
Scanning 2 services on 192.168.1.102
Completed Service scan at 22:43, 6.02s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against 192.168.1.102
SCRIPT ENGINE: Initiating script scanning.
Host 192.168.1.102 appears to be up ... good.
Interesting ports on 192.168.1.102:
Not shown: 1712 closed ports
PORT STATE SERVICE VERSION
631/tcp open ipp CUPS 1.1
6000/tcp open X11 (access denied)
MAC Address: 00:11:22:AA:BB:CC (Cisco-Linksys, LLC)
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.17 - 2.6.23, Linux 2.6.20-15-server (Ubuntu 7.04 server, x86)
Uptime: 0.050 days (since Sat Jan 05 21:30:36 2008)
Network Distance: 12 hops
TCP Sequence Prediction: Difficulty=188 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Unix

Read data files from: G:\Nmap
OS and Service detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.822 seconds
Raw packets sent: 1737 (78.040KB) | Rcvd: 1729 (79.864KB)
Now notice the output looks a little different; however, all of the information is there. Since we used the "-A" option we get our service information in the output. This is some of the critical info that malicious users need in order to compromise a system.

Notice that we have TCP port 631 (ipp) open, with CUPS 1.1 running.
Now for those that don't know, this is the service for printing under *nixes.
This would allow users to print from the machine, or remote users to connect and print as well. Printing (with explicit permission) over a networked computer can be fun and malicious! A malicious user could connect to a networked printer and print out anything they wanted to.

We also see that we have TCP port 6000 open with X11 running, but notice it says (access denied). This is the X Window System that allows our BT box to have a desktop.
This is a service because on *nix boxes we can have multiple users from multiple locations logged onto the box itself, and those other users can have a desktop customized to their liking. Also notice that our scan tells us what kernel we are running, in this case 2.6.X.

The OS details are for the distro that we are running, and this can and will be different. This data is not correct, however, because the signatures that Nmap is using are not correct. At the end of the report we have an option to submit incorrect results to Nmap.

We also see the uptime of 0.050 days, with a date. This can be very useful information for us. If we scan a box over several days or weeks we may learn that A. our computer is not very stable, B. it gets turned off at night, or C. the computer is malfunctioning and needs to reboot.

This can be very useful when doing our pen testing.
A computer that is constantly rebooting may be having problems that we can take advantage of!

This scan gives you a chance to see what your BT box looks like on the net. This is how others may "see" you.
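When you scan your own box to see "what others see", the useful part is the difference between what is exposed and what you meant to expose. This added example (not part of the post) parses the port table and fingerprint lines of Nmap's normal output, using a constructed copy of the scan above as input, and reports any open port that is not on a hypothetical allow-list for the host.

```python
import re
from typing import Dict, List, NamedTuple, Set

# Added example (not part of the post): parse the port table of Nmap's normal
# output, such as the scan above, and compare it against an allow-list of what
# the host is supposed to expose.

# "631/tcp open ipp CUPS 1.1" -> port, proto, state, service, free-text version
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


class Service(NamedTuple):
    port: int
    proto: str
    state: str
    name: str
    version: str


def parse_ports(report: str) -> List[Service]:
    """Collect the rows that follow the 'PORT STATE SERVICE VERSION' header."""
    services: List[Service] = []
    in_table = False
    for raw in report.splitlines():
        line = raw.strip()
        if line.startswith("PORT"):
            in_table = True
            continue
        if not in_table:
            continue
        m = PORT_LINE.match(line)
        if m:
            services.append(Service(int(m.group(1)), m.group(2), m.group(3),
                                    m.group(4), m.group(5).strip()))
    return services


def unexpected_exposure(services: List[Service], allowed: Set[int]) -> List[Service]:
    """Open ports that are not on the allow-list for this host."""
    return [s for s in services if s.state == "open" and s.port not in allowed]


def host_facts(report: str) -> Dict[str, str]:
    """Pull the fingerprint lines the post discusses (kernel, OS guess, uptime)."""
    facts: Dict[str, str] = {}
    for key in ("Running", "OS details", "Uptime", "IP ID Sequence Generation"):
        m = re.search(rf"^{re.escape(key)}:\s*(.+)$", report, re.MULTILINE)
        if m:
            facts[key] = m.group(1).strip()
    return facts


# Constructed copy of the port section and fingerprint lines from the scan above.
SAMPLE_REPORT = """\
Interesting ports on 192.168.1.102:
Not shown: 1712 closed ports
PORT STATE SERVICE VERSION
631/tcp open ipp CUPS 1.1
6000/tcp open X11 (access denied)
MAC Address: 00:11:22:AA:BB:CC (Cisco-Linksys, LLC)
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.17 - 2.6.23, Linux 2.6.20-15-server (Ubuntu 7.04 server, x86)
Uptime: 0.050 days (since Sat Jan 05 21:30:36 2008)
IP ID Sequence Generation: All zeros
"""


def audit(report: str = SAMPLE_REPORT, allowed: Set[int] = frozenset({22})) -> List[Service]:
    """Hypothetical baseline: a BT box administered over SSH should expose only 22.
    Anything else found open is returned for follow-up."""
    return unexpected_exposure(parse_ports(report), set(allowed))


if __name__ == "__main__":
    for s in audit():
        print(f"unexpected: {s.port}/{s.proto} {s.name} {s.version}")
    for k, v in host_facts(SAMPLE_REPORT).items():
        print(f"{k}: {v}")
```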

Stay tuned for more scanning in our next part we will look at a FIN Scan.

If this tutorial is helping you or hindering you let me know!

The other parts are located here if you need them:

Multipart PortScanning Part 2

Friday, January 4, 2008

Multipart PortScanning Tutorial part 1

This is not so much a "How To" but rather a "What Is". The tutorials come later.

Today we will be talking about Port Scanning and what it is.

Disclaimer: This information is for educational purposes only and not to commit a crime!
If you do something that causes you to hose your box don't come kicking and screaming on the forums!

Port scanning is like a car thief walking around a busy parking lot trying to find cars that are unlocked, except on our computer or network. This can sometimes be bad if we leave the "doors" (ports) "unlocked" (open). When we leave ports open on the Internet it is not "if" someone will find them but "when". Port scanning software like Nmap (http://insecure.org/nmap/) allows anyone to scan computers connected to a network. This is done simply by the program sending out a request to connect to a target computer. Then it waits to see which port(s) respond or seem to be open so that they can be studied in more depth later. Sometimes a computer doesn't respond, and this information can be useful too. We will cover that more in depth later.

When a scanner is looking for ports on a target computer it has two choices for port type. First is TCP, which is the Transmission Control Protocol. This is simply the "rule set" by which data is exchanged over a network. This data exchange is in bytes of data that are called packets. These packets normally consist of a "header" and a "body". The header is the "address" of where the packet is going to. This is used by routers on a network to send the data along its way. The "body" is the information that has been sent. Think of it as a letter to grandma: first you have the envelope, which is the packet. You have the address to grandma, which is the header, and finally you have the letter itself, which is the body of the packet. It doesn't really matter in which order these packets arrive at their destination because the computer on the receiving end can put them back together in the right order.

Now UDP on the other hand does not guarantee reliability or ordering in the way that TCP does. This means that the packets can arrive out of order, they can be duplicated or become missing without notice. This sometimes makes UDP faster than TCP. We will talk more about UDP later on.

Back to port scanning. When we scan ports we have up to 65,535 to choose from. This is the same for TCP and UDP. That's a lot of doors for us to lock and make sure they stay locked.

The first 1024 TCP ports are called the Well-Known Ports and are associated with standard services such as FTP, HTTP, SMTP or DNS.
The Registered Ports are those in the range 1024–49151.
The Dynamic and/or Private Ports are those in the range 49152–65535. Randomly chosen port numbers out of this range are called ephemeral ports. These ports are not permanently assigned to any publicly defined application.

If a port scan is being done with malicious intent, an attacker normally wants to go undetected. Network security applications can be configured to alert administrators if they detect connection requests across a broad range of ports from a single host. To get around this, an attacker can do the port scan in strobe or stealth mode. Strobing limits the ports to a smaller target set rather than blanket scanning all 65,535 ports. Stealth scanning uses techniques such as slowing the scan down. By scanning the ports over a much longer period of time we can better evade IDS, although this is not always the case!
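The alerting the paragraph above describes is, at its simplest, a per-source count of distinct destination ports inside a time window. This added example (not from the post) implements that detector over constructed log lines in a made-up "ts= src= dst= dport= flags=" format, and shows the trade-off the paragraph hints at: a fast sweep trips a 60-second window, a sweep slowed to one port every two minutes does not, and a longer window catches both.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, NamedTuple

# Added example (not from the post): a minimal port-sweep detector of the kind
# the text describes, run over constructed firewall-style log lines. It flags a
# source that touches many distinct destination ports within a time window.


class Conn(NamedTuple):
    ts: int      # seconds since the start of the log
    src: str
    dst: str
    dport: int
    flags: str   # TCP flags on the first packet seen, e.g. "S" for SYN


def parse_line(line: str) -> Conn:
    """Parse the constructed format 'ts=10 src=10.0.0.5 dst=10.0.0.9 dport=22 flags=S'."""
    kv = dict(field.split("=", 1) for field in line.split())
    return Conn(int(kv["ts"]), kv["src"], kv["dst"], int(kv["dport"]), kv["flags"])


def detect_sweeps(conns: List[Conn], window: int, threshold: int) -> Dict[str, int]:
    """Return {src: peak number of distinct (dst, dport) pairs seen within any
    `window` seconds} for every source whose peak reaches `threshold`."""
    by_src: Dict[str, List[Conn]] = defaultdict(list)
    for conn in sorted(conns, key=lambda c: c.ts):
        by_src[conn.src].append(conn)

    alerts: Dict[str, int] = {}
    for src, events in by_src.items():
        recent: Deque[Conn] = deque()
        peak = 0
        for ev in events:
            recent.append(ev)
            # Slide the window: drop anything older than `window` seconds.
            while recent and ev.ts - recent[0].ts > window:
                recent.popleft()
            peak = max(peak, len({(e.dst, e.dport) for e in recent}))
        if peak >= threshold:
            alerts[src] = peak
    return alerts


def build_sample_log() -> List[str]:
    """Constructed traffic: one fast sweep, one slow sweep, one ordinary client."""
    lines: List[str] = []
    for i in range(20):        # 10.0.0.66: 20 ports in 20 seconds
        lines.append(f"ts={i} src=10.0.0.66 dst=10.0.0.9 dport={20 + i} flags=S")
    for i in range(20):        # 10.0.0.77: the same 20 ports, one every two minutes
        lines.append(f"ts={i * 120} src=10.0.0.77 dst=10.0.0.9 dport={20 + i} flags=S")
    for i in range(30):        # 10.0.0.5: three real services, hit repeatedly
        port = (22, 80, 443)[i % 3]
        lines.append(f"ts={i * 10} src=10.0.0.5 dst=10.0.0.9 dport={port} flags=S")
    return lines


def run(window: int, threshold: int = 10) -> Dict[str, int]:
    """Run the detector over the constructed log with the given window."""
    return detect_sweeps([parse_line(l) for l in build_sample_log()], window, threshold)


if __name__ == "__main__":
    print("60s window:  ", run(60))     # only the fast sweep is flagged
    print("3600s window:", run(3600))   # the slow sweep is flagged as well
```

A longer window costs memory per source and raises the chance that a busy legitimate client crosses the threshold, which is why the threshold and window are tuned together rather than simply maximised.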

By setting different TCP flags or sending different types of packets a port scan can generate different results or locate open ports in different ways. A SYN scan will tell the port scanner which ports are listening and which are not, depending on the type of response generated. This is normally accomplished by a three-way handshake.
First we have the SYN packet sent from a computer wishing to connect to another, saying "let's connect". Then the computer we wish to connect to replies with a SYN-ACK, "ok let's connect". Then we would send another ACK back saying "ok". At this point the two computers would be "connected". If the port however was closed, then we normally wouldn't get any response back.

In the next few segments we will be looking at the output of some various scans on our target machine. We will be using nmap to do this.
So until then go and read up on nmap so that you have a basic understanding of the tool.