Presentation is loading. Please wait.

Presentation is loading. Please wait.

Penetration Testing-Wk5 Last Week nmap – scan hosts – footprint find open ports running services determine OS.

Published byKayley Hipps Modified over 10 years ago

Similar presentations

Presentation on theme: "Penetration Testing-Wk5 Last Week nmap – scan hosts – footprint find open ports running services determine OS."— Presentation transcript:

1 Penetration Testing-Wk5 Last Week nmap – scan hosts – footprint find open ports running services determine OS

2 Finding Vulnerabilities After footprinting a service Need to lookup CVE See if vulnerability is related to running software See if exploits are “in the wild” Tedious and error prone

3 Nessus – vulnerability scanner – CVE database – Highlights weaknesses Saves looking for CVE – Once service is footprinted Database needs constant updates – Commercial service – $1200/yr Was based on nmap http://www.nessus.org/nessus/

4 Nessus license Home use No really fancy features –Virtual appliance –Compliance checks –PCI, NIST, CIS, etc. –Scada plugins –Support Do get real time vulnerability updates

5 OpenVas Vulnerability Assessment Scanner Forked from formally open source Nessus software Open source –Free –Supported by German Federal Office for Information Security (BSI) –And others Daily updated feed of Network Vulnerability Tests

6 Saint Like nessus Also commercial Has free trial and academic license –Without vulnerability database http://www.saintcorporation.com/

7 Retina Another commercial vulnerability scanner Works poorly without credentials More suitable for compliance audit than pentesting http://www.aavextechnology.com/retina.htm

8 Other CVE products http://cve.mitre.org/compatible/compatible.html Mostly commercial Due to cost of maintaining CVE database http://sectools.org/vuln-scanners.html

9 Nitko Another type of vulnerability scanner Nikto Open Source (GPL) web server scanner perl Performs tests for –Over 3500 potentially dangerous files/CGIs, versions on over 900 servers, –Version specific problems on over 250 servers http://www.cirt.net/nikto2

10 w3af http://w3af.sourceforge.net/ Web Application Attack and Audit Framework, Sponsored by Bonsai and Rapid7 Author Andrés Riancho, founder of Bonsai Rapid7 also sponsors Metasploit “find and exploit web application vulnerabilities” Works with plugins, like nessus Has gui interface

11 Tools for this week Going lower level rather than higher Hping2 (3) –Mentioned earlier –A packet crafting tool –Anything nmap can do this can do With more difficulty But more flexibility TCP, UDP or ICMP payloads http://www.hping.org

12 Hping, Hping2, Hping3 Hping –Command-line oriented TCP/IP packet assembler/analyzer –Ping like interface Hping2 –Interactive packet constructor and response analyzer –An upgrade of hping Hping3 –Scriptable with tcl –Some fixes Should use hping3 for latest fixes

13 Hping Header fields can be modified and controlled using the command line -F --fin set FIN flag -S --syn set SYN flag -R --rst set RST flag -P --push set PUSH flag -A --ack set ACK flag -U --urg set URG flag -X --xmas set X unused flag (0x40) -Y --ymas set Y unused flag (0x80)

14 SYN scan [root@localhost root]# hping -I eth0 -S 192.168.10.1 -p ++79 HPING 192.168.10.1 (eth0 192.168.10.1): S set, 40 headers + 0 data bytes len=46 ip=192.168.10.1 sport=79 flags=RA seq=0 ttl=255 id=17491 win=0 rtt=2.4 ms len=46 ip=192.168.10.1 sport=80 flags=SA DF seq=1 ttl=64 id=17492 win=16080 rtt=3.1 ms len=46 ip=192.168.10.1 sport=81 flags=RA seq=2 ttl=255 id=17493 win=0 rtt=1.7 ms len=46 ip=192.168.10.1 sport=82 flags=RA seq=3 ttl=255 id=17494 win=0 rtt=1.8 ms len=46 ip=192.168.10.1 sport=83 flags=RA seq=4 ttl=255 id=17495 win=0 rtt=1.4 ms len=46 ip=192.168.10.1 sport=84 flags=RA seq=5 ttl=255 id=17496 win=0 rtt=3.6 ms

15 SYN scan Scans hosts for open ports Which were open? An open port is indicated by a SA return packet Closed ports by a RA packets. Remember the 3-way handshake! hping -I eth0 -S 192.168.10.1 -p ++79 | grep SA

16 hping Idle/Zombie Scan First find idle host If IP_ID increases by one after every transmission Host is idle

17 Idle Host root@localhost root]# hping -I eth0 -SA 192.168.10.1 HPING 192.168.10.1 (eth0 192.168.10.1): SA set, 40 headers + 0 data bytes len=46 ip=192.168.10.1 flags=R seq=0 ttl=255 id=18106 win=0 rtt=0.4 ms len=46 ip=192.168.10.1 flags=R seq=1 ttl=255 id=18107 win=0 rtt=0.4 ms len=46 ip=192.168.10.1 flags=R seq=2 ttl=255 id=18108 win=0 rtt=0.4 ms Notice id increasing Idea is to send continuous scan While also probing host with spoofed ip Looking for jump in id

18 Zombie Scanning the Target Host Session 1, a spoofed scan of the server by the attacker: [root@localhost root]# hping -I eth0 -a 192.168.10.1 -S 192.168.10.33 - p ++20 HPING 192.168.10.33 (eth0 192.168.10.33): S set, 40 headers + 0 data bytes

19 Results from Zombie [root@localhost docs]# hping -I eth0 -r -S 192.168.10.1 -p 2000 HPING 192.168.10.1 (eth0 192.168.10.1): S set, 40 headers + 0 data bytes len=46 ip=192.168.10.1 flags=RA seq=86 ttl=255 id=+1 win=0 rtt=1.6 ms len=46 ip=192.168.10.1 flags=RA seq=87 ttl=255 id=+2 win=0 rtt=1.6 ms (port 21) len=46 ip=192.168.10.1 flags=RA seq=88 ttl=255 id=+1 win=0 rtt=1.8 ms len=46 ip=192.168.10.1 flags=RA seq=89 ttl=255 id=+1 win=0 rtt=1.7 ms len=46 ip=192.168.10.1 flags=RA seq=90 ttl=255 id=+1 win=0 rtt=1.8 ms len=46 ip=192.168.10.1 flags=RA seq=91 ttl=255 id=+2 win=0 rtt=1.4 ms (port 25)

20 another example [root@illiterate /]# hping2 -1 192.5.5.254 HPING 192.5.5.254 (eth0 192.5.5.254): icmp mode set, 28 headers + 0 data bytes ip=192.5.5.254 ttl=255 id=6241 icmp_seq=0 rtt=0.5 ms len=28 ip=192.5.5.254 ttl=255 id=6242 icmp_seq=1 rtt=0.3 ms len=28 ip=192.5.5.254 ttl=255 id=6425 icmp_seq=2 rtt=0.4 ms len=28 ip=192.5.5.254 ttl=255 id=6427 icmp_seq=3 rtt=0.2 ms len=28 ip=192.5.5.254 ttl=255 id=6428 icmp_seq=4 rtt=0.3 ms len=28 ip=192.5.5.254 ttl=255 id=6429 icmp_seq=5 rtt=0.1 ms len=28 ip=192.5.5.254 ttl=255 id=6433 icmp_seq=6 rtt=0.2 ms

21 Sending a File hping can insert data into packets of any type hping is capable of listening for packets and then extracting the data To do this, a “signature” is inserted into the packet before the data --sign “string” uses “string” as the signature --listen “string” listens for packets and extracts data following”string” –Data are dumped to standard output

22 Sending a file using ping packets hping sender-ip –listen string –safe –icmp --safe re-sends missing packets (like tcp) --icmp sends icmp packets, type ping by default hping receiver-ip –sign string –icmp -d 100 --file filename -d 100 specifies data size --file filename indicates what file to send

23 Man page –http://linux.die.net/man/8/hping2http://linux.die.net/man/8/hping2 Tutorial –http://www.scribd.com/doc/607491/hping2-v1-5http://www.scribd.com/doc/607491/hping2-v1-5 Another –http://www.ethicalhacker.net/content/vi ew/72/24/http://www.ethicalhacker.net/content/vi ew/72/24/ Zombie scan –http://nmap.org/book/idlescan.htmlhttp://nmap.org/book/idlescan.html On kali of course.

24 Coming Soon nping From the nmap team Similar functionality to hping Not yet considered stable Worth wtching

25 This week's lab Duplicate one of the nmap scans using hping Try a zombie scan Send a file using ping packets

Download ppt "Penetration Testing-Wk5 Last Week nmap – scan hosts – footprint find open ports running services determine OS."

Similar presentations

Overview The TCP/IP Stack. The Link Layer (L2). The Network Layer (L3). The Transport Layer (L4). Port scanning & OS/App detection techniques. Evasion.

Overview The TCP/IP Stack. The Link Layer (L2). The Network Layer (L3). The Transport Layer (L4). Port scanning & OS/App detection techniques. Evasion.
 Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,

 Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,
COEN 252 Computer Forensics Using TCPDump / Windump for package analysis.

COEN 252 Computer Forensics Using TCPDump / Windump for package analysis.
Review For Exam 2 March 9, 2010 MIS 4600 – MBA 5880 - © Abdou Illia.

Review For Exam 2 March 9, 2010 MIS 4600 – MBA © Abdou Illia.
NMAP Scanning Options. EC-Council NMAP  Nmap is the most popular scanning tool used on the Internet.  Cretead by Fyodar (http://www.insecure.org), it.

NMAP Scanning Options. EC-Council NMAP  Nmap is the most popular scanning tool used on the Internet.  Cretead by Fyodar ( it.
Network Security of Labnet ******. Introduction Test the network security of the servers on our Labnet domain Find Potential Weaknesses Find Security.

Network Security of Labnet ******. Introduction Test the network security of the servers on our Labnet domain Find Potential Weaknesses Find Security.
1 Reading Log Files. 2 Segment Format

1 Reading Log Files. 2 Segment Format
Hands-On Ethical Hacking and Network Defense Second Edition Chapter 5 Port Scanning.

Hands-On Ethical Hacking and Network Defense Second Edition Chapter 5 Port Scanning.
Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning.

Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning.
CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Scanning.

CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Scanning.
1 The Attack and Defense of Computers Dr. 許 富 皓. 2 Port Scanning.

1 The Attack and Defense of Computers Dr. 許 富 皓. 2 Port Scanning.
Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning Last updated 9-18-08.

Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning Last updated
Hacking Exposed 7 Network Security Secrets & Solutions Chapter 2 Scanning 1.

Hacking Exposed 7 Network Security Secrets & Solutions Chapter 2 Scanning 1.
System Security Scanning and Discovery Chapter 14.

System Security Scanning and Discovery Chapter 14.
Scanning February 23, 2010 MIS 4600 – MBA 5880 - © Abdou Illia.

Scanning February 23, 2010 MIS 4600 – MBA © Abdou Illia.
TCP/IP Network and Firewall. IP Packet Protocol  1 ICMP packet  6 TCP packet  17 UDP packet.

TCP/IP Network and Firewall. IP Packet Protocol  1 ICMP packet  6 TCP packet  17 UDP packet.
Assessing Vulnerabilities ISA 4220 Server Systems Security James A. Edge Jr., CISSP, CISM, CISA, CPTE, MCSE Sr. Security Analyst Cincinnati Bell Technology.

Assessing Vulnerabilities ISA 4220 Server Systems Security James A. Edge Jr., CISSP, CISM, CISA, CPTE, MCSE Sr. Security Analyst Cincinnati Bell Technology.
Computer Security and Penetration Testing

Computer Security and Penetration Testing
CIS 193A – Lesson12 Monitoring Tools. CIS 193A – Lesson12 Focus Question What are the common ways of specifying network packets used in tcpdump, wireshark,

CIS 193A – Lesson12 Monitoring Tools. CIS 193A – Lesson12 Focus Question What are the common ways of specifying network packets used in tcpdump, wireshark,
Penetration Testing.

Penetration Testing.

Similar presentations

Ads by Google