Presentation is loading. Please wait.

Presentation is loading. Please wait.

Adrian Crenshaw.  I run Irongeek.com  I have an interest in InfoSec education  I don’t know everything - I’m.

Published byBeverly Hubbard Modified over 9 years ago

Similar presentations

Presentation on theme: "Adrian Crenshaw.  I run Irongeek.com  I have an interest in InfoSec education  I don’t know everything - I’m."— Presentation transcript:

1 http://Irongeek.com Adrian Crenshaw

2 http://Irongeek.com  I run Irongeek.com  I have an interest in InfoSec education  I don’t know everything - I’m just a geek with time on my hands  (ir)Regular on the ISDPodcast http://www.isd-podcast.com/ http://www.isd-podcast.com/

3 http://Irongeek.com For people who’s glasses are not so thick

4 http://Irongeek.com  To use an analogy, if IPs are an apartment complex’s address, ports are the apartment number  Both UDP and TCP use incoming and outgoing ports  Most IP based services listen on standard ports (HTTP 80tcp, SMTP 25tcp, SMB 139/445tcp, DNS port 53tcp and udp)

5 http://Irongeek.com  Since ports are fairly standard, if port 80tcp is listening on a host, more than likely it’s running web services  By sending packets to these port numbers, you can see what services are running on the host  Knowing what services are running lets you know something about the potential attack surface  What about finger printing?

6 http://Irongeek.com

7

8  Wildcards192.168.*.*  Range192.168.0-255.0-255  Mask Notation(CIDR)192.168.0.0/16 Classless Inter-Domain Routing Not all of the above range would be valid DecimalBinary 192.168.1.111000000.10101000.00000001.00000001 /1611111111.11111111.00000000.00000000 Binary AND the above together 11000000.10101000.00000000.00000000 192.168.0.011000000.10101000.00000000.00000000 192.168.255.25511000000.10101000.11111111. 11111111

9 http://Irongeek.com  tcp-syn-connect.swf tcp-syn-connect.swf  Use --packet_trace to see what going on

10 http://Irongeek.com Problems:  Packets to open ports don’t have to be acknowledged  Closed ports may send back ICMP_PORT_UNREACH messages, but don’t have to  RFC 1812 section 4.3.2.8 if implemented may limit ICMP packets returned

11 http://Irongeek.com  One of the most popular port scanners  Started by Gordon Lyon (Fyodor) back in 1997, as an article for Phrack Magazine 51  Started as a fairly simple port scanner, and has suffered some pretty serious feature creep since.  Multiplatform (Linux, Windows, BSD, OS X)  Open Source and available from http://nmap.org/

12 http://Irongeek.com nmap -sS -A 192.168.1.*

13 http://Irongeek.com  Hping http://www.hping.org/ http://www.hping.org/  Unicorn Scan http://www.unicornscan.org/ http://www.unicornscan.org/  AutoScan http://autoscan-network.com/ http://autoscan-network.com/  Netscan http://www.softperfect.com/products/networkscanner/  Metasploit http://www.metasploit.com/ http://www.metasploit.com/  NetworkMiner http://networkminer.sourceforge.net/ http://networkminer.sourceforge.net/

14 http://Irongeek.com  Nice for packet creation  Also good for rolling your own tests, and seeing what returns what  Only for one IP at a time Demo commands: hping –S microsoft.com –c 1 –p 80 hping –S 192.168.1.1 –p ++20

15 http://Irongeek.com  Use CIDR notation  Really not sure about about the logo Demo commands: unicornscan 192.168.1.1:0-100 -z

16 http://Irongeek.com  Nice GUI and Wizard  Intrusion alert  Can be agent based  Nokia N770, N800 or N810 versions Demo: Basic Wizard/GUI Alert

17 http://Irongeek.com  Nice GUI, easy to use  Great at scanning for open SMB file shares Demo: Basic config and scan

18 http://Irongeek.com  More than just point, click, exploit  Lots of Auxiliary modules for extra functionality  Seems to be able to use Nmap style targeting  Don’t forget to use msfupdate use auxiliary/scanner/discovery/arp_sweep set SHOST 192.168.1.1 set SMAC 00:0c:29:e3:39:f5 set RHOSTS 192.168.1.1/24 exploit -j use auxiliary/scanner/smb/smb_version set RHOSTS 192.168.1.1/24 exploit -j use auxiliary/scanner/portscan/syn set THREADS 1000 set RHOSTS 192.168.1.1/24 set TIMEOUT 5 exploit -j

19 http://Irongeek.com  More Metasploit than you can stand, with instructors David "ReL1K" Kennedy, Martin "PureHate" Bos, Elliott "Nullthreat" Cutright, Pwrcycle and Adrian "Irongeek" Crenshaw. http://www.irongeek.com/i.php?page=videos/metasploit-class http://www.irongeek.com/i.php?page=videos/metasploit-class

20 http://Irongeek.com Nmap NSE/LUA Scripts  -sC Performs a script scan using the default set of scripts.  --script | | |all  Categories: safe, intrusive, malware, version, discovery, vuln, auth, default  Fyodor did a talk at Defcon 18 on the subject Metasploit  If you can learn Ruby, write your own script and add it to auxiliary

21 http://Irongeek.com description = [[ Let's try to print something. Based this on the pptp script ]] -- rev 0.1 (08-23-2010) author = "Adrian Crenshaw" license = "Same as Nmap--See http://nmap.org/book/man-legal.html" categories = {“safe"} require "comm" require "shortport" portrule = shortport.version_port_or_service(9100) action = function(host, port) local payload = "Did I print?\n\n\027"; -- Just print this comm.exchange(host, port, payload, {timeout=5000}) return ("Hope for the best") end Test with: nmap --script printsomething localhost ncat -l -p 9100 NSE docs: http://nmap.org/nsedoc/http://nmap.org/nsedoc/

22 http://Irongeek.com  Not a scanner, but great for OS detection  NetworkMiner + application = less suspicious finger printing Demo: Simple, semi-passive fingerprinting  More info: http://www.irongeek.com/i.php?page=videos/networkminer-for-network-forensics http://www.irongeek.com/i.php?page=videos/networkminer-for-network-forensics

23 http://Irongeek.com  Nmap http://nmap.org/ http://nmap.org/  Nmap Videos http://irongeek.com/i.php?page=videos/nmap-louisville-issa http://irongeek.com/i.php?page=videos/nmap1 http://irongeek.com/i.php?page=videos/nmap2 http://irongeek.com/i.php?page=videos/nmap-louisville-issa http://irongeek.com/i.php?page=videos/nmap1 http://irongeek.com/i.php?page=videos/nmap2  BackTrack Live CD and VM http://www.backtrack-linux.org http://www.backtrack-linux.org

24 http://Irongeek.com  Hping http://www.hping.org/ http://www.hping.org/  Unicorn Scan http://www.unicornscan.org/ http://www.unicornscan.org/  AutoScan http://autoscan-network.com/ http://autoscan-network.com/  Netscan http://www.softperfect.com/products/networkscanner/  Metasploit http://www.metasploit.com/ http://www.metasploit.com/  NetworkMiner http://networkminer.sourceforge.net/ http://networkminer.sourceforge.net/

25 http://Irongeek.com  Louisville Infosec http://www.louisvilleinfosec.com/ http://www.louisvilleinfosec.com/  DerbyCon 2011, Louisville Ky http://derbycon.com/ http://derbycon.com/  Skydogcon/Hack3rcon/Phreaknic/Notacon/Outerz0ne http://www.skydogcon.com/ http://www.hack3rcon.org/ http://phreaknic.info http://notacon.org/ http://www.outerz0ne.org/ http://www.skydogcon.com/ http://www.hack3rcon.org/ http://phreaknic.info http://notacon.org/ http://www.outerz0ne.org/

26 http://Irongeek.com 42

Download ppt "Adrian Crenshaw.  I run Irongeek.com  I have an interest in InfoSec education  I don’t know everything - I’m."

Similar presentations

Overview The TCP/IP Stack. The Link Layer (L2). The Network Layer (L3). The Transport Layer (L4). Port scanning & OS/App detection techniques. Evasion.

Overview The TCP/IP Stack. The Link Layer (L2). The Network Layer (L3). The Transport Layer (L4). Port scanning & OS/App detection techniques. Evasion.
Part 2 Penetration Testing. Review 2-minute exercise: RECON ONLY Find 3x IP addresses at the U.S. Merchant Marine Academy Google: “U.S. Merchant Marine.

Part 2 Penetration Testing. Review 2-minute exercise: RECON ONLY Find 3x IP addresses at the U.S. Merchant Marine Academy Google: “U.S. Merchant Marine.
 Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,

 Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,
Hands-On Ethical Hacking and Network Defense Second Edition Chapter 5 Port Scanning.

Hands-On Ethical Hacking and Network Defense Second Edition Chapter 5 Port Scanning.
Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning.

Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning.
IP Network Scanning.

IP Network Scanning.
Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning Last updated 9-18-08.

Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning Last updated
Scanning Determining if the system is alive IP Scanning Port Scanning War Dialing.

Scanning Determining if the system is alive IP Scanning Port Scanning War Dialing.
System Security Scanning and Discovery Chapter 14.

System Security Scanning and Discovery Chapter 14.
Scanning February 23, 2010 MIS 4600 – MBA 5880 - © Abdou Illia.

Scanning February 23, 2010 MIS 4600 – MBA © Abdou Illia.
Adrian Crenshaw.  I run Irongeek.com  I have an interest in InfoSec education  I don’t know everything - I’m.

Adrian Crenshaw.  I run Irongeek.com  I have an interest in InfoSec education  I don’t know everything - I’m.
FIRST 2002 John Kristoff - DePaul University 1 UDP Scanning John Kristoff +1 312 362-5878 DePaul University Chicago, IL 60604.

FIRST 2002 John Kristoff - DePaul University 1 UDP Scanning John Kristoff DePaul University Chicago, IL
Computer Security and Penetration Testing

Computer Security and Penetration Testing
USENIX LISA ‘99 Conference © Copyright 1999, Martin Roesch Snort - Lightweight Intrusion Detection for Networks Martin Roesch.

USENIX LISA ‘99 Conference © Copyright 1999, Martin Roesch Snort - Lightweight Intrusion Detection for Networks Martin Roesch.
Nikto LUCA ALEXANDRA ADELA. Nikto  Web server assessment tool  Written by Chris Solo and David Lodge  Released on December 27, 2001  Stable release:

Nikto LUCA ALEXANDRA ADELA. Nikto  Web server assessment tool  Written by Chris Solo and David Lodge  Released on December 27, 2001  Stable release:
Port Scanning.

Port Scanning.
IST 228\Ch3\IP Addressing1 TCP/IP and DoD Model (TCP/IP Model)

IST 228\Ch3\IP Addressing1 TCP/IP and DoD Model (TCP/IP Model)
Adrian Crenshaw.  I run Irongeek.com  I have an interest in InfoSec education  I don’t know everything - I’m.

Adrian Crenshaw.  I run Irongeek.com  I have an interest in InfoSec education  I don’t know everything - I’m.
W3af LUCA ALEXANDRA ADELA – MISS 1. w3af  Web Application Attack and Audit Framework  Secures web applications by finding and exploiting web application.

W3af LUCA ALEXANDRA ADELA – MISS 1. w3af  Web Application Attack and Audit Framework  Secures web applications by finding and exploiting web application.
4/13/2010.  CSS Meeting  Stephen Crane on Programming Contests  1pm  Building 8 room 345 05/11/10.

4/13/2010.  CSS Meeting  Stephen Crane on Programming Contests  1pm  Building 8 room /11/10.

Similar presentations

Ads by Google