Published by Kayley Hipps. Modified over 10 years ago.
Penetration Testing - Week 5

Last week: nmap
– scan hosts
– footprint: find open ports, running services, determine the OS
Finding Vulnerabilities

After footprinting a service:
– Need to look up the CVE
– See if the vulnerability applies to the running software
– See if exploits are "in the wild"
– Tedious and error prone
Nessus
– Vulnerability scanner
– CVE database
– Highlights weaknesses
Saves looking for the CVE
– Once the service is footprinted
Database needs constant updates
– Commercial service
– $1200/yr
Was based on nmap
http://www.nessus.org/nessus/
Nessus license
Home use: no really fancy features
– Virtual appliance
– Compliance checks
– PCI, NIST, CIS, etc.
– SCADA plugins
– Support
Does get real-time vulnerability updates
OpenVAS
Vulnerability Assessment Scanner
Forked from the formerly open source Nessus software
Open source
– Free
– Supported by the German Federal Office for Information Security (BSI)
– And others
Daily updated feed of Network Vulnerability Tests
Saint
Like Nessus
Also commercial
Has a free trial and an academic license
– Without the vulnerability database
http://www.saintcorporation.com/
Retina
Another commercial vulnerability scanner
Works poorly without credentials
More suitable for compliance audits than pentesting
http://www.aavextechnology.com/retina.htm
Other CVE-compatible products
http://cve.mitre.org/compatible/compatible.html
Mostly commercial, due to the cost of maintaining a CVE database
http://sectools.org/vuln-scanners.html
Nikto
Another type of vulnerability scanner
Open source (GPL) web server scanner, written in Perl
Performs tests for
– Over 3500 potentially dangerous files/CGIs, versions on over 900 servers
– Version-specific problems on over 250 servers
http://www.cirt.net/nikto2
w3af
http://w3af.sourceforge.net/
Web Application Attack and Audit Framework, sponsored by Bonsai and Rapid7
Author: Andrés Riancho, founder of Bonsai
Rapid7 also sponsors Metasploit
"find and exploit web application vulnerabilities"
Works with plugins, like Nessus
Has a GUI interface
Tools for this week
Going lower level rather than higher
hping2 (3)
– Mentioned earlier
– A packet crafting tool
– Anything nmap can do, this can do: with more difficulty, but more flexibility
– TCP, UDP or ICMP payloads
http://www.hping.org
hping, hping2, hping3
hping
– Command-line oriented TCP/IP packet assembler/analyzer
– Ping-like interface
hping2
– Interactive packet constructor and response analyzer
– An upgrade of hping
hping3
– Scriptable with Tcl
– Some fixes
Should use hping3 for the latest fixes
hping
Header fields can be modified and controlled using the command line:
  -F --fin    set FIN flag
  -S --syn    set SYN flag
  -R --rst    set RST flag
  -P --push   set PUSH flag
  -A --ack    set ACK flag
  -U --urg    set URG flag
  -X --xmas   set X unused flag (0x40)
  -Y --ymas   set Y unused flag (0x80)
SYN scan
  [root@localhost root]# hping -I eth0 -S 192.168.10.1 -p ++79
  HPING 192.168.10.1 (eth0 192.168.10.1): S set, 40 headers + 0 data bytes
  len=46 ip=192.168.10.1 sport=79 flags=RA seq=0 ttl=255 id=17491 win=0 rtt=2.4 ms
  len=46 ip=192.168.10.1 sport=80 flags=SA DF seq=1 ttl=64 id=17492 win=16080 rtt=3.1 ms
  len=46 ip=192.168.10.1 sport=81 flags=RA seq=2 ttl=255 id=17493 win=0 rtt=1.7 ms
  len=46 ip=192.168.10.1 sport=82 flags=RA seq=3 ttl=255 id=17494 win=0 rtt=1.8 ms
  len=46 ip=192.168.10.1 sport=83 flags=RA seq=4 ttl=255 id=17495 win=0 rtt=1.4 ms
  len=46 ip=192.168.10.1 sport=84 flags=RA seq=5 ttl=255 id=17496 win=0 rtt=3.6 ms
SYN scan
Scans hosts for open ports
Which were open?
– An open port is indicated by an SA (SYN/ACK) return packet
– Closed ports by RA (RST/ACK) packets
Remember the 3-way handshake!
  hping -I eth0 -S 192.168.10.1 -p ++79 | grep SA
hping Idle/Zombie Scan
First find an idle host
– If the IP ID increases by one after every transmission, the host is idle
Idle Host
  [root@localhost root]# hping -I eth0 -SA 192.168.10.1
  HPING 192.168.10.1 (eth0 192.168.10.1): SA set, 40 headers + 0 data bytes
  len=46 ip=192.168.10.1 flags=R seq=0 ttl=255 id=18106 win=0 rtt=0.4 ms
  len=46 ip=192.168.10.1 flags=R seq=1 ttl=255 id=18107 win=0 rtt=0.4 ms
  len=46 ip=192.168.10.1 flags=R seq=2 ttl=255 id=18108 win=0 rtt=0.4 ms
Notice the id increasing by one each time
The idea is to keep this continuous probe running
– While also probing the target host with the idle host's spoofed IP
– Looking for a jump in the id
Zombie Scanning the Target Host
Session 1, a spoofed scan of the server by the attacker (-a sets the spoofed source address to the idle host):
  [root@localhost root]# hping -I eth0 -a 192.168.10.1 -S 192.168.10.33 -p ++20
  HPING 192.168.10.33 (eth0 192.168.10.33): S set, 40 headers + 0 data bytes
Results from Zombie
  [root@localhost docs]# hping -I eth0 -r -S 192.168.10.1 -p 2000
  HPING 192.168.10.1 (eth0 192.168.10.1): S set, 40 headers + 0 data bytes
  len=46 ip=192.168.10.1 flags=RA seq=86 ttl=255 id=+1 win=0 rtt=1.6 ms
  len=46 ip=192.168.10.1 flags=RA seq=87 ttl=255 id=+2 win=0 rtt=1.6 ms   (port 21)
  len=46 ip=192.168.10.1 flags=RA seq=88 ttl=255 id=+1 win=0 rtt=1.8 ms
  len=46 ip=192.168.10.1 flags=RA seq=89 ttl=255 id=+1 win=0 rtt=1.7 ms
  len=46 ip=192.168.10.1 flags=RA seq=90 ttl=255 id=+1 win=0 rtt=1.8 ms
  len=46 ip=192.168.10.1 flags=RA seq=91 ttl=255 id=+2 win=0 rtt=1.4 ms   (port 25)
-r prints the id relative to the previous reply; a +2 means the zombie sent one extra packet in between (its RST to the target's SYN/ACK), so the target port probed at that moment (21, 25) was open
Another example
  [root@illiterate /]# hping2 -1 192.5.5.254
  HPING 192.5.5.254 (eth0 192.5.5.254): icmp mode set, 28 headers + 0 data bytes
  ip=192.5.5.254 ttl=255 id=6241 icmp_seq=0 rtt=0.5 ms
  len=28 ip=192.5.5.254 ttl=255 id=6242 icmp_seq=1 rtt=0.3 ms
  len=28 ip=192.5.5.254 ttl=255 id=6425 icmp_seq=2 rtt=0.4 ms
  len=28 ip=192.5.5.254 ttl=255 id=6427 icmp_seq=3 rtt=0.2 ms
  len=28 ip=192.5.5.254 ttl=255 id=6428 icmp_seq=4 rtt=0.3 ms
  len=28 ip=192.5.5.254 ttl=255 id=6429 icmp_seq=5 rtt=0.1 ms
  len=28 ip=192.5.5.254 ttl=255 id=6433 icmp_seq=6 rtt=0.2 ms
Here the id jumps (6242 to 6425, 6429 to 6433): this host is sending other traffic, so it is not idle
Sending a File
hping can insert data into packets of any type
hping is also capable of listening for packets and then extracting the data
To do this, a "signature" is inserted into the packet before the data
  --sign "string"    uses "string" as the signature
  --listen "string"  listens for packets and extracts the data following "string"
– Data are dumped to standard output
Sending a file using ping packets
Receiver:
  hping sender-ip --listen string --safe --icmp
  --safe re-sends missing packets (like TCP)
  --icmp sends ICMP packets, type ping (echo) by default
Sender:
  hping receiver-ip --sign string --icmp -d 100 --file filename
  -d 100 specifies the data size
  --file filename indicates which file to send
Man page
– http://linux.die.net/man/8/hping2
Tutorial
– http://www.scribd.com/doc/607491/hping2-v1-5
Another
– http://www.ethicalhacker.net/content/view/72/24/
Zombie scan
– http://nmap.org/book/idlescan.html
On Kali, of course.
Coming Soon
nping
– From the nmap team
– Similar functionality to hping
– Not yet considered stable
– Worth watching
This week's lab
– Duplicate one of the nmap scans using hping
– Try a zombie scan
– Send a file using ping packets