Protection (tools)
www.insecure.org
  Home of nmap
  Evaluation of many security tools
The “sniffer” of the Internet
  “packet” capture
Netcat
  “The network Swiss army knife”
  http://joncraton.org/files/nc111nt.zip
Netcat
  Open a TCP session with a server
    nc 131.178.34.22 80
  Open a TCP server and a client
    nc -l -p 5000
    nc 192.168.4.35 5000
  Open a UDP server and a client
    nc -l -u -p 2222
    nc -u 127.0.0.1 2222
  Port scanning
    nc -vzu 192.168.25.1 80-90
  File transfer
    nc -l -p 3333 > archivoDestino.txt
    nc 192.168.25.34 3333 < archivoOrigen.txt
  Remote command execution
    nc -l -p 7777 -e /bin/sh
    nc 192.168.45.234 7777
Nmap (Network Mapper)
Nmap (Zenmap)
Nmap
  Output columns: PORT STATE SERVICE
  The default scan verifies the 1000 most used ports (TCP and UDP)
  STATE
    Open: the port responds actively (a service is listening)
    Closed: the port responds actively to the exploration, but it doesn't have a service running (nothing listening on that port)
    Filtered: protected by a firewall
    Unfiltered: the scan knows the port is reachable, but not whether it is open or closed (see the ACK scan)
    Open|Filtered, Closed|Filtered: the scan cannot distinguish between the two states
Nmap explorations
  Multiple machines
    10.17.42.10 10.17.42.11 10.17.42.16
    10.17.42.10,11,16
  A range of IP addresses
    10.17.42.1-100
    192.168.1-100.*
  A complete subnet
    192.168.10.1/24
  A list of targets from a file
    nmap -iL lista.txt
  Random targets
    nmap -iR n
  Excluding some machines
    nmap 192.168.10.0/24 --exclude 192.168.10.100
    nmap 192.168.10.0/24 --exclude 192.168.10.100-105
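The target notations on this slide (per-octet lists and ranges, `*`, CIDR blocks and `--exclude`) are easy to misread when defining an authorised scan scope. The following is an added example, not part of the slides or of nmap itself: a small expander that turns those expressions into the concrete set of addresses, so a scope can be checked before any scan is run. The function names are my own.

```python
import ipaddress
import itertools
import re
from typing import Iterable, List, Set


def _expand_octet(field: str) -> List[int]:
    """Expand one dotted-quad field: '10', '1-100', '*' or a comma list such as '10,11,16'."""
    values: List[int] = []
    for part in field.split(","):
        if part == "*":
            values.extend(range(256))
            continue
        m = re.fullmatch(r"(\d{1,3})(?:-(\d{1,3}))?", part)
        if not m:
            raise ValueError("bad octet field: %r" % field)
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not 0 <= lo <= hi <= 255:
            raise ValueError("octet out of range: %r" % part)
        values.extend(range(lo, hi + 1))
    return values


def expand_target(spec: str) -> Set[str]:
    """Expand one target expression (CIDR, or per-octet lists/ranges/wildcards) into addresses."""
    if "/" in spec:
        # nmap scans every address in the block, network and broadcast addresses included
        return {str(a) for a in ipaddress.ip_network(spec, strict=False)}
    fields = spec.split(".")
    if len(fields) != 4:
        raise ValueError("expected four dotted fields: %r" % spec)
    per_octet = [_expand_octet(f) for f in fields]
    return {".".join(map(str, combo)) for combo in itertools.product(*per_octet)}


def expand_targets(specs: Iterable[str], exclude: Iterable[str] = ()) -> Set[str]:
    """Union of all target expressions minus anything matched by --exclude expressions."""
    hosts: Set[str] = set()
    for spec in specs:
        hosts |= expand_target(spec)
    for spec in exclude:
        hosts -= expand_target(spec)
    return hosts


if __name__ == "__main__":
    # Constructed scope check using the slide's --exclude example
    scope = expand_targets(["192.168.10.0/24"], exclude=["192.168.10.100-105"])
    print(len(scope), "addresses in scope; .100 included:", "192.168.10.100" in scope)
```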
Options for discovery
  Before doing an exploration, nmap sends echo requests to see if the target is alive
  But firewalls can block ICMP
  Nmap then attempts to connect to ports 80, 139 and 443
  But with protected systems this is not enough...
Options for discovery: -PN, -sP
  -PN  Do not ping first
       Just skip the echo request, in case there is a firewall
  -sP  Ping each target only
       Useful to know which machines are alive
       It also reports the MAC addresses
Options for discovery: -PS, -PA
  -PS  TCP SYN ping
       Sends SYN segments
       Port 80 is the default; other ports can be used: -PS22,80,443,etc
  -PA  TCP ACK ping
       Sends ACK segments: -PA22,80,443,etc
Options for discovery: -PU, -PY
  -PU  UDP ping
       Sends UDP datagrams and waits for any answer
       Default port is 40125; other ports can be used: -PU53,1021,5000,etc
  -PY  SCTP INIT ping
       Default port is 80: -PY22,80,443,etc
Options for discovery: -PE, -PP, -PM
  -PE  ICMP echo ping
       Sends a normal ping; it is the default option
  -PP  ICMP timestamp ping
       In case only the echo requests are being blocked
  -PM  ICMP address mask ping
Options for discovery: -PO, -PR
  -PO  IP protocol ping
       Uses layer 4 protocols; 1, 2 and 4 are used by default
       Others can be used: -PO1,2,4,etc
  -PR  ARP ping
       It is the default in a local network
       It is a lot faster than the other methods
       Machines do not block this, even if they are behind a firewall
Options for discovery: --traceroute, -R, -n
  --traceroute  Normal traceroute output
                Functionality is superior (?)
  -R  Reverse DNS resolution
      It is useful when a block is being analyzed
      It yields relevant information (?)
      It has an impact on the exploration time
  -n  Disable reverse DNS resolution
      When scanning several machines, it reduces the exploration time considerably
Advanced options for scanning: -sS
  TCP SYN scan
  Default for the root user
  Sends SYN segments to the target and waits for any answer
  It is a stealthy scan because it does not try a complete connection with the target, and many systems will not log the attempt
  The stealthy part is not guaranteed
Advanced options for scanning: -sT
  TCP Connect scan
  The default for normal users
  Opens the connection and aborts it immediately
  Slower than the stealthy (SYN) scan
Advanced options for scanning: -sU, -sN, -sF
  -sU  UDP scan
       Even though the typical attempt is to look for TCP services
  -sN  TCP NULL scan
       Segments with all the flags off (0)
       Tries to fool the firewall
  -sF  TCP FIN scan
       FIN flag on (1)
Advanced options for scanning: -sX, --scanflags, -sA
  -sX  Xmas scan
       URG, FIN and PSH flags on (1)
       Tries to fool the firewall
  --scanflags  Custom TCP scan
       Turn on any flags: --scanflags FINACK (without spaces)
  -sA  TCP ACK scan
       Looks for RST answers
       If it does not receive any answer, the target is supposedly filtered by a firewall
       The answer is filtered or unfiltered (no open/closed)
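The STATE slide and the scan-type slides above describe how nmap turns a reply (SYN/ACK, RST, ICMP unreachable or silence) into open, closed, filtered, unfiltered or an ambiguous combined state. As an added example, not part of the slides or of nmap's own code, the decision table below applies those rules to a constructed, simplified response model; it sends nothing and only shows why each scan type can or cannot distinguish the states.

```python
from typing import Optional, Tuple

# Constructed, simplified model of what one probe gets back (not nmap's own data model):
#   None               no reply before the timeout
#   ("tcp", "SA")      TCP segment carrying the listed flags (S, A, R, F, P, U)
#   ("udp",)           any UDP datagram back from the probed port
#   ("icmp", 3, code)  ICMP destination unreachable with the given code
Response = Optional[Tuple]

# ICMP unreachable codes that nmap reports as "filtered"; for UDP, code 3
# (port unreachable) is instead the definite "closed" signal.
_FILTERED_CODES_TCP = {1, 2, 3, 9, 10, 13}
_FILTERED_CODES_UDP = {1, 2, 9, 10, 13}

def port_state(scan: str, resp: Response) -> str:
    """Return the nmap port state for one probe of the given scan type (-sS, -sN, -sF, -sX, -sA, -sU)."""
    kind = resp[0] if resp else None
    flags = resp[1] if kind == "tcp" else ""
    code = resp[2] if kind == "icmp" and resp[1] == 3 else None
    unreachable = code in (_FILTERED_CODES_UDP if scan == "-sU" else _FILTERED_CODES_TCP)
    if scan == "-sS":                        # SYN scan: the handshake is never completed
        if "S" in flags and "A" in flags:
            return "open"                    # SYN/ACK means something is listening
        if "R" in flags:
            return "closed"                  # RST: the host answered, nothing listens
        if resp is None or unreachable:
            return "filtered"                # dropped, or administratively prohibited
    elif scan in ("-sN", "-sF", "-sX"):      # NULL/FIN/Xmas: RFC 793 hosts ignore these on open ports
        if "R" in flags:
            return "closed"
        if unreachable:
            return "filtered"
        if resp is None:
            return "open|filtered"           # silence is ambiguous for these scans
    elif scan == "-sA":                      # ACK scan: only filtered vs unfiltered, never open/closed
        if "R" in flags:
            return "unfiltered"              # the RST came back, so no stateful filter in the way
        if resp is None or unreachable:
            return "filtered"
    elif scan == "-sU":
        if kind == "udp":
            return "open"
        if code == 3:
            return "closed"                  # ICMP port unreachable
        if unreachable:
            return "filtered"
        if resp is None:
            return "open|filtered"
    raise ValueError("no state rule for %s with %r" % (scan, resp))
```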
Advanced options for scanning: -sO, --send-eth
  -sO  IP protocol scan
       Displays which IP protocols are being used by the target
       It is useful for identifying which protocols can be used in subsequent scans
  --send-eth  Sends raw Ethernet frames
Port options: -F, -p
  -F  Fast scan
      By default the 1000 most popular ports are scanned; this option reduces the number to 100
  -p  Specific ports scan
      Separated by commas or specified as a range: -p 25,53,80-200
      Port names can also be used: -p smtp,http
      Protocols can also be specified: -p U:53,T:25
      -p “*” scans all the ports
Port options: --top-ports, -r, -sV
  --top-ports  Scan the n most used ports
               --top-ports 10
               --top-ports 2000
  -r  Sequential scan
      The default is a random order (for obvious reasons)
      The output is ordered anyway
  -sV  Detection of version and manufacturer
Operating System detection
  Based on the type of answer obtained; it is called TCP/IP fingerprinting
  -O  OS detection option
  -v  More information (verbosity)
      If the OS is not detected, the fingerprint is displayed. You can send it to nmap, saying which OS it is
  --osscan-guess  Tries to guess
  --fuzzy  Synonym of the previous option
Port scanning (“Idle scan”) (-sI)
  Source: Insecure.org
Vulnerability assessment
  Nessus
Exploration
  Determine which machines are reachable and active: ping scanning
  Which services are active: port scanning
  Versions of the services
  Which operating systems the machines are using: OS identification (OS fingerprinting)
  Client/server: they can be on the same machine