Reconnaissance & Scanning


Reconnaissance & Scanning
APNIC42
Colombo, Sri Lanka
28 September–5 October 2016
Contributor: Shahadat Hossain (GrameenPhone)

Did you ever get hacked?

https://haveibeenpwned.com/

Session Flow
- Advanced Search Techniques: Google, Bing, Shodan search
- Data Collection: Pastebin, Zone-H
- Advanced Techniques for Network Scanning: Nmap
- Challenges

Live IP Discovery Technique: Google Search
- What is Google
- Why Google
- Basic Features of Google: Automatic “AND” Query, Automatic Exclusion of Common Words, Capitalization, Spell Checker
- Google Search Operators: Basic Operators, Advanced Operators

What is Google?

Why Google? Reasons Why Google
- Search Directory
- Their Map Search
- The Trust
- Easy to Use

Basic Features of Google Search

Automatic “AND” Queries
By default, Google only returns pages that include all of your search terms. There is no need to include “AND” between terms.

Automatic Exclusion of Common Words
Google ignores common words and characters such as and, or, in, of, be etc., as well as certain single digits and single letters, because they tend to slow down your search without improving the results. Google will indicate if a common word has been excluded by displaying details on the results page below the search box.

Basic Features of Google Search

Capitalization
Google searches are NOT case sensitive. For example, searches for “APNIC”, “Apnic” and “apnic” will all retrieve the same results.

Spell Checker
Google’s spell checking software automatically looks at your query to see if you are using the most common version of a word’s spelling. If it is likely that an alternative spelling would retrieve more relevant results, it will ask “Did you mean: (more common spelling)?”

Different Search Operators
- Searches
- “-” Searches
- Searches
- Phrase Searches
- Domain Restrict Searches
- Definition Searches
- File Type Searches
- Or Searches
- Fill in the Blank
- Currency Conversion
- Calculator Function
- Unit Conversion
- Time Check

Advanced Operators
Google advanced operators help refine searches. They are included as part of a standard Google query. Advanced operators use a syntax such as the following:

    operator:search_term

There’s no space between the operator, the colon, and the search term!

Advanced Operators

Operator      Purpose
intitle       Search page title
allintitle    Search page title
inurl         Search URL
allinurl      Search URL
filetype      Search specific files
allintext     Search text of page only
site          Search specific site
link          Search for links to pages
inanchor      Search link anchor text
numrange      Locate number
daterange     Search in date range
author        Group author search
group         Group name search
insubject     Group subject search
msgid         Group msgid search

Advanced Google Searching
SITE: site can not search port.
INURL: inurl can search the whole URL, including port and filetype.
FILETYPE: filetype can only search file extension, which may be hard to distinguish in long URLs.
Some operators search overlapping areas. Consider site, inurl and filetype.

Advanced Google Searching

Exercise: Advanced Google Searching
1. How many web servers of your organization are live on the internet?
2. Is any user login page available on the IPs found in exercise 1?
3. Is any admin login page available?
4. Is there any .doc file which contains the word “Confidential”?

Bing: What Extra?
Virtual Hosting: Name Based, IP Based
Bing can identify name-based virtual hosting.
Operator: ip:

Exercise: Bing
Does any virtual hosting exist on your organization’s web server?
Why is this information worth knowing to a pen tester?

SHODAN Search Technique
What is Shodan
- Shodan is a search engine developed by John Matherly
- Different from content search engines like Google, Bing
- Can identify IP based devices connected to the internet
- It uses service banners
- It can identify Operating System, Services, Open Ports, Version
- It can filter search by Country, City
- Firefox add-on is available
https://www.shodan.io/

Shodan Basic Search Operators

Filter         Description
country        Filters results by two letter country code
hostname       Filters results by specified text in the hostname or domain
net            Filters results by a specific IP range or subnet
os             Search for specific operating systems
port           Narrow the search for specific services
Service Name   Filter the result by service name
Device Name    Filter the results based on the device name

Exercise: Shodan
1. Find out how many IPs are live in your country
2. Find out how many Apache servers are running in your country
3. Find out how many Apache servers are running version 2.2.3 in your city
4. Find out whether any Apache servers are running in the .nist.gov and microsoft.com domains
5. Find out how many IIS-5.0 servers are running in USA & AU
6. Take Google’s IP block and find how many IPs are live in Google
7. How many Linux servers are running in Yahoo?
8. How many hosts are live on the internet which have telnet open?
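As a worked companion to the Google exercise and the Shodan exercise above, the following query builder is an added example (not the slides’ or APNIC’s code). It applies the operator:term rule from the Google slides, quotes multi-word values so they stay attached to their operator, and rejects operator names that are not in the slides’ tables, so a typo is not silently searched as plain text. The Shodan filters city, version and product, the function names build_query, is_known_operator, google_exposure_queries and shodan_exposure_queries, and the domain example.org are assumptions made here; the queries it produces are the exercises’ own, parameterised on your organisation’s domain and country.

```python
"""Query builder for the Google and Shodan exercises (added example)."""
from __future__ import annotations

# Google advanced operators listed on the slides. Unknown operators are
# rejected so that a typo such as "filetpye:" is not searched as plain text.
GOOGLE_OPERATORS = frozenset({
    "site", "inurl", "allinurl", "intitle", "allintitle", "filetype",
    "allintext", "inanchor", "link", "numrange", "daterange",
    "author", "group", "insubject", "msgid",
})

# Shodan filters from the slides (country, hostname, net, os, port) plus three
# assumed filters the exercises need (city, version, product).
SHODAN_FILTERS = frozenset({
    "country", "hostname", "net", "os", "port", "city", "version", "product",
})

DIALECTS = {"google": GOOGLE_OPERATORS, "shodan": SHODAN_FILTERS}


def is_known_operator(dialect: str, operator: str) -> bool:
    """True when the operator is one the slides list for this search engine."""
    return operator in DIALECTS[dialect]


def quote_term(value: str) -> str:
    """Quote a term that contains whitespace.

    The rule is operator:term with no space after the colon, so a multi-word
    value (a city name, a phrase) has to be wrapped in quotes to stay attached
    to its operator instead of becoming separate keywords.
    """
    value = value.strip()
    if not value:
        raise ValueError("empty search term")
    if any(ch.isspace() for ch in value) and not value.startswith('"'):
        return f'"{value}"'
    return value


def build_query(dialect: str, *keywords: str,
                exclude: dict[str, str] | None = None, **operators: str) -> str:
    """Assemble a search string from free keywords and operator=value pairs.

    keywords  -> plain or phrase terms (phrases are quoted automatically)
    operators -> emitted as operator:value, validated against the dialect
    exclude   -> operator/value pairs emitted with a leading '-' (Google only)
    """
    allowed = DIALECTS[dialect]
    parts = [quote_term(k) for k in keywords]
    for op, val in operators.items():
        if op not in allowed:
            raise ValueError(f"{op!r} is not a known {dialect} operator")
        parts.append(f"{op}:{quote_term(val)}")
    for op, val in (exclude or {}).items():
        if dialect != "google":
            raise ValueError("exclusion is only modelled for Google here")
        if op not in allowed:
            raise ValueError(f"{op!r} is not a known {dialect} operator")
        parts.append(f"-{op}:{quote_term(val)}")
    return " ".join(parts)


def google_exposure_queries(domain: str) -> dict[str, str]:
    """The four Google exercise questions as queries against your own domain."""
    return {
        "live web servers": build_query("google", site=domain),
        "user login pages": build_query("google", site=domain, inurl="login"),
        "admin login pages": build_query("google", site=domain, inurl="admin"),
        "confidential .doc files": build_query(
            "google", "Confidential", site=domain, filetype="doc"),
    }


def shodan_exposure_queries(country: str, city: str) -> dict[str, str]:
    """Some of the Shodan exercise questions (country is a two-letter code)."""
    return {
        "apache in country": build_query("shodan", "apache", country=country),
        "apache 2.2.3 in city": build_query(
            "shodan", "apache", version="2.2.3", city=city),
        "telnet open": build_query("shodan", port="23"),
    }


if __name__ == "__main__":
    for label, query in google_exposure_queries("example.org").items():
        print(f"google  {label:25} {query}")
    for label, query in shodan_exposure_queries("LK", "Colombo").items():
        print(f"shodan  {label:25} {query}")
```

Keyword arguments keep their order, so the produced string reads in the order you wrote it; a value such as "New York" comes out as city:"New York", which is the one case where the no-space rule needs the quotes.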

Pastebin (http://pastebin.com/)
A pastebin is a type of web application where users can store plain text. They are most commonly used to share short source code snippets for code review. But people also share confidential data. You can also add alerts for specific keywords.

Exercise: Pastebin
Search for the text/documents related to your organization/domain. Do a search on “.com.au password”. What information are you getting?

Zone-H (http://zone-h.net/)
Zone-H is an archive of defaced websites. It is the largest web intrusions archive. Once a defaced website is submitted to Zone-H, it is mirrored on the Zone-H servers; it is then moderated by the Zone-H staff to check if the defacement was fake.

Exercise: Zone-H
- Go to http://www.zone-h.org/
- Check with your organization domain name
- How about www.microsoft.com? http://www.zone-h.org/mirror/id/1246363

Nmap (https://nmap.org/)
- Nmap is a free and open source network exploration and security auditing tool
- Nmap was created by Gordon Lyon, a.k.a. Fyodor Vaskovich, and first published in 1997
- Works cross-platform, although it works best on Linux-type environments
- It uses raw IP packets to determine:
  - What hosts are available on the network
  - What services (application name and version) they offer
  - Guesses of the operating system, uptime and other characteristics

Nmap in the movies
https://nmap.org/movies/

Ethical Issue
- Can be used for hacking, to discover vulnerable ports
- System admins can use it to check that systems meet security standards
- Unauthorized use of Nmap on a system could be illegal. Make sure you have permission before using this tool.
Remember: There is no right way to do the wrong things

Nmap: How it works
- DNS lookup: matches name with IP
- Nmap pings the remote target with 0 (zero) byte packets to each port
- If packets are not received back, port is open
- If packets are received, port is closed
- Firewall can interfere with this process

Nmap: Scanning Techniques
- Host Discovery and Target Specification
- Port Scanning Technique, Specification and Order
- OS, Service and Version Detection
- Nmap Scripting Engine
- Timing and Performance
- Firewall, IDS Evasion and Spoofing Technique
- Scan Report
Good presentation by Fyodor on “Nmap: Scanning the Internet”: https://www.youtube.com/watch?v=Hk-21p2m8YY

Nmap: Scan
TARGET SPECIFICATION:
    Can pass hostnames, IP addresses, networks, etc.
    Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
    -iL <inputfilename>: Input from list of hosts/networks
    -iR <num hosts>: Choose random targets
    --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
    --excludefile <exclude_file>: Exclude list from file
OS DETECTION:
    -O: Enable OS detection
    --osscan-limit: Limit OS detection to promising targets
    --osscan-guess: Guess OS more aggressively

Nmap: Scan
HOST DISCOVERY:
    -sL: List Scan - simply list targets to scan
    -sn: Ping Scan - disable port scan
    -Pn: Treat all hosts as online -- skip host discovery
    -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
    -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
    -PO[protocol list]: IP Protocol Ping
    -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
    --dns-servers <serv1[,serv2],...>: Specify custom DNS servers
    --system-dns: Use OS's DNS resolver
    --traceroute: Trace hop path to each host

Nmap: Scan
SCAN TECHNIQUES:
    -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
    -sU: UDP Scan
    -sN/sF/sX: TCP Null, FIN, and Xmas scans
    --scanflags <flags>: Customize TCP scan flags
    -sI <zombie host[:probeport]>: Idle scan
    -sY/sZ: SCTP INIT/COOKIE-ECHO scans
    -sO: IP protocol scan
    -b <FTP relay host>: FTP bounce scan

Nmap: Timing and Performance
    --min-parallelism <numprobes>; --max-parallelism <numprobes>: Adjust probe parallelization
    --max-retries <numtries>: Specify the maximum number of port scan probe retransmissions
    --scan-delay <time>; --max-scan-delay <time>: Adjust delay between probes
    -T <paranoid|sneaky|polite|normal|aggressive|insane>: Set a timing template

Let’s look at some examples. Install nmap and follow along with the examples.

Host Discovery
    fakrul@console# nmap -sP 202.125.96.0/24
    Starting Nmap 7.01 ( https://nmap.org ) at 2016-09-20 09:48
    Nmap scan report for ...
    Host is up (0.00071s latency).
    Nmap scan report for ...
    Host is up (0.00012s latency).
    Nmap scan report for ...
    Host is up (0.00048s latency).
    ...
    Nmap scan report for ...
    Host is up (0.00062s latency).
    Nmap done: 256 IP addresses (15 hosts up) scanned in 8.61 seconds

Host Discovery with traceroute
    root@console:/home/fakrul# nmap -sP www.apnic.net --traceroute
    Starting Nmap 7.01 ( https://nmap.org ) at 2016-09-20 09:52 AEST
    Nmap scan report for www.apnic.net (203.119.102.244)
    Host is up (0.018s latency).

    TRACEROUTE (using proto 1/icmp)
    HOP RTT       ADDRESS
    1   0.15 ms   202.125.96.1
    2   0.21 ms   202.125.96.225
    3   0.30 ms   ip-169.232.255.49.VOCUS.net.au (49.255.232.169)
    4   14.48 ms  as4608.qld.ix.asn.au (218.100.76.36)
    5   17.72 ms  squiz-proxy.apnic.net (203.119.102.244)

    Nmap done: 1 IP address (1 host up) scanned in 13.90 seconds

Target Specification
    root@console:/home/fakrul# nmap -T4 -p 1-1024 202.125.96.15
    Starting Nmap 7.01 ( https://nmap.org ) at 2016-09-20 10:05 AEST
    Nmap scan report for 202.125.96.15
    Host is up (0.00014s latency).
    Not shown: 1022 closed ports
    PORT   STATE SERVICE
    22/tcp open  ssh
    80/tcp open  http
    MAC Address: 00:1D:09:66:1B:A8 (Dell)
    Nmap done: 1 IP address (1 host up) scanned in 8.10 seconds

Target IPs can be listed in a text file separated by spaces and can be specified using “-iL”:
    root@console:/home/fakrul# nmap -T4 -p 1-1024 -iL iplist.txt

Target Specification with OS Fingerprint
    root@console:/home/fakrul# nmap -T4 -p 1-1024 202.125.96.15
    Starting Nmap 7.01 ( https://nmap.org ) at 2016-09-20 10:05 AEST
    Nmap scan report for 202.125.96.15
    Host is up (0.00014s latency).
    Not shown: 1022 closed ports
    PORT   STATE SERVICE
    22/tcp open  ssh
    80/tcp open  http
    MAC Address: 00:1D:09:66:1B:A8 (Dell)
    Device type: general purpose
    Running: Linux 3.X|4.X
    OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
    OS details: Linux 3.2 - 4.0
    Network Distance: 1 hop

    OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 10.84 seconds

TCP Three-Way Handshake
    SYN     [seq A]
    SYN-ACK [seq B, ack A+1]
    ACK     [seq A+1, ack B+1]
- Ports are associated at OSI Layer 4
- 2 main protocols: TCP & UDP
- TCP is connection oriented, unlike UDP
- To initiate a TCP connection it uses the TCP 3WHS
- TCP has 6 flags (actually 8)

Port State & TCP Behavior
If no connection exists between two hosts then SYN is the only valid and expected packet; all other packets will be considered invalid.

State                  Meaning                                                     Probe / reply
open                   Will accept connections                                     SYN -> SYN/ACK (scanner then sends RST)
filtered               Firewall or other network obstacle is covering the port     SYN -> dropped
unfiltered or closed   Determined to be closed with no obstacles or interference   SYN -> RST
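The probe/reply table above and the handshake slide before it, worked as a small simulation. This is an added example and not part of the APNIC slides: a model target stack behind a stateless firewall answers single segments the way the slide describes (SYN to a listening port gets SYN/ACK with ack = A+1, SYN to a closed port gets RST, anything other than SYN gets RST because no connection exists), and a half-open scanner classifies each port as open, closed or filtered, retransmitting unanswered probes the way --max-retries bounds it. The ICMP port-unreachable reply for a rejecting firewall, the sequence numbers, and the names Segment, SimulatedHost, syn_scan, classify and three_way_handshake are assumptions made here.

```python
"""Simulated SYN probes and port-state inference (added example)."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Segment:
    """A TCP segment reduced to what the scan logic needs."""
    port: int
    flags: frozenset[str]          # subset of SYN, ACK, RST, FIN, PSH, URG
    seq: int = 0
    ack: int | None = None


# Constructed marker for a firewall that rejects instead of dropping. nmap also
# reports such ports as filtered (assumption about the firewall, not the slides).
ICMP_UNREACHABLE = "icmp-port-unreachable"


@dataclass
class SimulatedHost:
    """Target stack plus a stateless firewall in front of it."""
    listening: set[int]
    dropped: set[int] = field(default_factory=set)    # firewall silently drops
    rejected: set[int] = field(default_factory=set)   # firewall answers with ICMP

    def respond(self, probe: Segment):
        if probe.port in self.dropped:
            return None                                # nothing ever comes back
        if probe.port in self.rejected:
            return ICMP_UNREACHABLE
        if probe.flags == frozenset({"SYN"}):
            if probe.port in self.listening:
                # Second step of the 3WHS: SYN/ACK carrying ack = A+1.
                return Segment(probe.port, frozenset({"SYN", "ACK"}),
                               seq=4000, ack=probe.seq + 1)
            return Segment(probe.port, frozenset({"RST", "ACK"}), ack=probe.seq + 1)
        # No connection exists, so SYN is the only valid packet: anything else
        # is answered with RST whether or not the port is listening.
        return Segment(probe.port, frozenset({"RST"}))


def classify(reply) -> str:
    """Map a reply (or its absence) to the port state from the table."""
    if reply is None or reply == ICMP_UNREACHABLE:
        return "filtered"
    if {"SYN", "ACK"} <= reply.flags:
        return "open"
    if "RST" in reply.flags:
        return "closed"
    return "unknown"


def syn_scan(host: SimulatedHost, ports, max_retries: int = 1):
    """Half-open scan: one SYN per port, retransmitted up to max_retries times
    when nothing comes back (a dropped probe and a lost packet look the same).
    Returns the per-port states and the number of SYN probes sent."""
    states = {}
    probes_sent = 0
    for port in ports:
        reply = None
        for _ in range(max_retries + 1):
            probes_sent += 1
            reply = host.respond(Segment(port, frozenset({"SYN"}), seq=1000))
            if reply is not None:
                break                                  # answered; no retransmit
        states[port] = classify(reply)
        if states[port] == "open":
            # Half-open: tear the embryonic connection down with RST instead of
            # completing the handshake, as in the open-port row of the table.
            host.respond(Segment(port, frozenset({"RST"}), seq=reply.ack))
    return states, probes_sent


def three_way_handshake(seq_a: int, seq_b: int):
    """The three segments of a full handshake with their seq/ack numbers."""
    return [("SYN", seq_a, None),
            ("SYN-ACK", seq_b, seq_a + 1),
            ("ACK", seq_a + 1, seq_b + 1)]


if __name__ == "__main__":
    target = SimulatedHost(listening={22, 80}, dropped={23}, rejected={25})
    result, sent = syn_scan(target, [22, 23, 25, 80, 443], max_retries=1)
    for port, state in result.items():
        print(f"{port}/tcp {state}")
    print(f"{sent} SYN probes sent for 5 ports")
```

The probe count shows why timing options matter: only the silently dropped port costs a retransmission, so on a heavily filtered network the number of probes scales with --max-retries, while ports that answer (even with a reject) are settled on the first try.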

Check whether the host is running a DNS server
    root@console:/home/fakrul# nmap -sU -p 53 202.125.96.42
    Starting Nmap 7.01 ( https://nmap.org ) at 2016-09-20 11:08 AEST
    Nmap scan report for 202.125.96.42
    Host is up (0.00017s latency).
    PORT   STATE SERVICE
    53/udp open  domain
    MAC Address: 00:16:3E:25:39:FD (Xensource)
    Nmap done: 1 IP address (1 host up) scanned in 7.23 seconds
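The scan outputs above are shown as human-readable text; for a scan report that feeds an inventory or an exposure check, nmap’s XML output (-oX) is the form to parse. The following is an added example, not the slides’ or the Nmap project’s code: a parser for that XML that collects each host’s address, MAC vendor, open ports and OS match, and flags open services a defender would not expect to see. SAMPLE_XML is constructed here in the nmap 7.01 report layout to mirror the two hosts scanned above (202.125.96.15 with ssh/http and the Linux 3.2 - 4.0 match, 202.125.96.42 with DNS on 53/udp); the telnet port on .42 and the down host .200 are invented for the demonstration, the OS block assumes the scan ran with -O, and the disallowed-service list is an illustrative policy.

```python
"""Summarise nmap -oX output and flag unexpected exposures (added example)."""
from __future__ import annotations
import xml.etree.ElementTree as ET

# Constructed sample report; values mirror the scans on the slides, except the
# telnet port on .42 and the down host .200, which are invented.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -O -sS -sU -p T:1-1024,U:53 -oX scan.xml 202.125.96.0/24" version="7.01">
<host><status state="up" reason="arp-response"/>
<address addr="202.125.96.15" addrtype="ipv4"/>
<address addr="00:1D:09:66:1B:A8" addrtype="mac" vendor="Dell"/>
<ports><extraports state="closed" count="1022"/>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" method="table" conf="3"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" method="table" conf="3"/></port>
</ports>
<os><osmatch name="Linux 3.2 - 4.0" accuracy="95"/></os>
</host>
<host><status state="up" reason="arp-response"/>
<address addr="202.125.96.42" addrtype="ipv4"/>
<address addr="00:16:3E:25:39:FD" addrtype="mac" vendor="Xensource"/>
<ports>
<port protocol="udp" portid="53"><state state="open" reason="udp-response"/><service name="domain" method="table" conf="3"/></port>
<port protocol="tcp" portid="23"><state state="open" reason="syn-ack"/><service name="telnet" method="table" conf="3"/></port>
</ports>
</host>
<host><status state="down" reason="no-response"/>
<address addr="202.125.96.200" addrtype="ipv4"/>
</host>
<runstats><hosts up="2" down="1" total="3"/></runstats>
</nmaprun>
"""

# Illustrative policy: cleartext-login services that should not be exposed.
CLEARTEXT_LOGIN_SERVICES = frozenset({"telnet", "ftp"})


def parse_nmap_xml(xml_text: str) -> list[dict]:
    """Extract per-host address, vendor, ports and OS match from nmap XML."""
    # A report you did not produce yourself is untrusted input; parse those
    # with defusedxml rather than the stdlib parser.
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.findall("host"):
        addrs = {a.get("addrtype"): a for a in host.findall("address")}
        mac = addrs.get("mac")
        ports = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            service = port.find("service")
            ports.append({
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "state": state.get("state"),
                "service": service.get("name") if service is not None else None,
            })
        osmatch = host.find("os/osmatch")       # absent unless -O was used
        hosts.append({
            "ip": addrs["ipv4"].get("addr"),
            "mac": mac.get("addr") if mac is not None else None,
            "vendor": mac.get("vendor") if mac is not None else None,
            "status": host.find("status").get("state"),
            "ports": ports,
            "os": osmatch.get("name") if osmatch is not None else None,
            "os_accuracy": int(osmatch.get("accuracy")) if osmatch is not None else None,
        })
    return hosts


def open_services(hosts):
    """(ip, port, proto, service) for every open port, in report order."""
    return [(h["ip"], p["port"], p["proto"], p["service"])
            for h in hosts for p in h["ports"] if p["state"] == "open"]


def flag_exposures(hosts, disallowed=CLEARTEXT_LOGIN_SERVICES):
    """Open ports whose detected service is on the disallowed list."""
    return [entry for entry in open_services(hosts) if entry[3] in disallowed]


def summary(hosts) -> str:
    """One line per live host, then one indented line per scanned port."""
    lines = []
    for h in hosts:
        if h["status"] != "up":
            continue
        os_text = f" os={h['os']} ({h['os_accuracy']}%)" if h["os"] else ""
        vendor = f" [{h['vendor']}]" if h["vendor"] else ""
        lines.append(f"{h['ip']}{vendor}{os_text}")
        for p in h["ports"]:
            lines.append(f"  {p['port']}/{p['proto']} {p['state']} {p['service']}")
    return "\n".join(lines)


if __name__ == "__main__":
    scanned = parse_nmap_xml(SAMPLE_XML)
    print(summary(scanned))
    for ip, port, proto, service in flag_exposures(scanned):
        print(f"EXPOSURE: {ip} has {service} open on {port}/{proto}")
```

Running the same parser over a real report from nmap -oX on your own range turns the exercise questions above (which hosts answer, what application is on a port, which OS match a host gets) into a repeatable check rather than a one-off reading of the terminal output.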

Nmap: Exercise (Task / Answer)
1. How do you scan for known open ports in the network range 192.168.30.0/27?
2. Is there any web service running on IP 192.168.30.55? What is the application name?
3. What is the IP address of the Windows 2003 Server in the network 192.168.30.0/27?
