Scanning techniques

    • #5408
      yatz
      Participant

      Ok so call me weird, but as I was waking up this morning I was thinking about different scanning techniques.  Using nmap or related metasploit scanner modules it is common to send some kind of packet to each possible IP address in a certain subnet.  So I was thinking, why not just pull the list from the router?  I found this tool http://codewiki.wikispaces.com/cammer_c.pl but it relies on SNMP.  Do you know of any way to get the mac address table from a router (such as spoofing a cdp packet?)

      Also I was thinking of how when you set an IP on a windows machine and if it’s taken then it pops up an error.  What kind of scan is this doing?  Can this be manipulated in any way to get available hosts without having to scan the whole subnet?

      Fun…

    • #34187
      sil
      Participant

      @yatz wrote:

      Ok so call me weird, but as I was waking up this morning I was thinking about different scanning techniques.  Using nmap or related metasploit scanner modules it is common to send some kind of packet to each possible IP address in a certain subnet.  So I was thinking, why not just pull the list from the router?  I found this tool http://codewiki.wikispaces.com/cammer_c.pl but it relies on SNMP.  Do you know of any way to get the mac address table from a router (such as spoofing a cdp packet?)

      Also I was thinking of how when you set an IP on a windows machine and if it’s taken then it pops up an error.  What kind of scan is this doing?  Can this be manipulated in any way to get available hosts without having to scan the whole subnet?

      Fun…

      With nmap the typical/common way to scan each address is as follows:

      nmap -sS -vvv 192.168.1.0/24
      nmap -sS -vvv 192.168.1.0-100

      As for getting the router to spit out anything, it boils down to configuration issues. Did the admin of said router properly configure his router?

      Two tools I can think of to get around this: Arping: “Broadcasts a who-has ARP packet on the network and prints answers.” (http://www.habets.pp.se/synscan/programs.php?prog=arping) And ARP-SCAN http://www.nta-monitor.com/tools/arp-scan/

      If you’re on Windows, arp -a helps as does arp | grep ether on Linux as does arp -a on BSD:

      OpenBSD (obviously edited my MAC’s from you hacker types)

      # uname -mps
      OpenBSD i386 Intel(R) Pentium(R) 4 CPU 2.80GHz ("GenuineIntel" 686-class)
      # arp -a|awk -F : '{print $1,$2":xx:xx:"$5":"$6}'
      00:16:xx:xx:a1:6e
      00:1b:xx.xx:29:c4
      00:a0:xx.xx:ca:49
      00:12:xx.xx:96:01
      00:23:xx.xx:d1:80
      00:16:xx.xx:5c:47
      00:1a:xx.xx:0c:f8
      00:14:xx.xx:44:8d
      00:80:xx.xx:4b:f0
      00:0c:xx.xx:bd:00
      00:12:xx.xx:96:00
      00:15:xx.xx:b4:90
      00:1b:xx.xx:29:c4
      00:16:7xx.xx:a1:6e

      FreeBSD
      $ uname -mps
      FreeBSD i386 i386
      arp -a|awk '{print $4}'|awk -F : '{print $1":xx:xx:"$4":"$5":"$6}'
      64:xx:xx:85:88:47
      00:xx:xx:c4:26:2b
      00:xx:xx:c4:26:2b
      00:xx:xx:c4:26:2b
      00:xx:xx:c4:26:2b
      00:xx:xx:c4:26:2b
      00:xx:xx:c4:26:2b

      But that’s not what you’re interested in, you want to be able to get the IP’s off of the network to scan them. I’d use Arping and build from there or you could use good old fashioned ping 😉

      # ping -c 3 -b 192.168.1.255|awk '/:/{print $4}'|sort -u
      WARNING: pinging broadcast address
      192.168.1.109:
      192.168.1.132:
      192.168.1.136:
      192.168.1.194:
      192.168.1.196:
      192.168.1.200:
      192.168.1.211:
      192.168.1.21:
      192.168.1.22:
      192.168.1.24:
      192.168.1.26:
      192.168.1.53:
      192.168.1.67:
      192.168.1.75:

      So what can we do now? Whatever we’d like, we can see what’s reachable to a degree… Let’s scan these machines WITHOUT NMAP shall we? I’ll use hping to evade typical Snort rules (-i 10) and scan ports 80,443,135,139 with pre Win2K parameters (ttl of 32 and Window Size of 5000) while making the recipient think my machine’s HTTP port is connecting to them (-s 80)

      hping -i 10 -8 80,443,135,139 -s 80 -S -t 32 -W -V -w 5000

      On command line:

      # ping -c 3 -b 192.168.1.255|awk '/:/{print $4}'|sort -u|sed 's!:!!g;s:^:hping -i 10 -8 80,443,135,139 -s 80 -S -t 32 -W -V -w 5000 :g'

      You ready?

      # ping -c 3 -b 192.168.1.255|awk '/:/{print $4}'|sort -u|sed 's!:!!g;s:^:hping -i 10 -8 80,443,135,139 -s 80 -S -t 32 -W -V -w 5000 :g'|tail -n 1
      hping -i 10 -8 80,443,135,139 -s 80 -S -t 32 -W -V -w 5000 192.168.1.75

      What do I see from a scan like this?

      Let’s see:

      hping -i 10 -8 80,443,135,139 -s 80 -S -t 32 -W -V -w 5000 192.168.1.75
      using eth0, addr: 192.168.1.138, MTU: 1500
      Scanning 192.168.1.75 (192.168.1.75), port 80,443,135,139
      4 ports to scan, use -V to see all the replies
      +----+-----------+---------+---+-----+-----+
      |port| serv name |  flags  |ttl| id  | win |
      +----+-----------+---------+---+-----+-----+
        80 www        : ..R.A...  64 14716    0
        443 https      : ..R.A...  64 15996    0
        135 loc-srv    : ..R.A...  64 16252    0
        139 netbios-ssn: ..R.A...  64 17532    0
      All replies received. Done.
      Not responding ports:

      Notice: ..R.A… Hrmm… Reset eh?

      What about the response for valid ports that ARE opened?

      # hping -i 10 -8 515,548,631 -s 80 -S -t 32 -W -V -w 5000 192.168.1.75
      using eth0, addr: 192.168.1.138, MTU: 1500
      Scanning 192.168.1.75 (192.168.1.75), port 515,548,631
      3 ports to scan, use -V to see all the replies
      +----+-----------+---------+---+-----+-----+
      |port| serv name |  flags  |ttl| id  | win |
      +----+-----------+---------+---+-----+-----+
        515 printer    : .S..A...  64 16256 65535
        548 afpovertcp : .S..A...  64 17792 65535
        631 ipp        : .S..A...  64 19072 65535

      What differences do you notice? Why? What can you do with this information?

      What about a full blow network scanner targeting http made easy?

      seq 1 254|
      while read topwn
      do echo 192.168.1.$topwn | sed 's:^:hping -8 80 -s 80 -t 32 -W -V -w 2000 :g'
      done
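The two hping tables above end with the question "What differences do you notice? Why?". The following added example (not code from the thread) answers it mechanically: it parses an hping2 `-8` scan report into port states. Rows whose flag column carries SYN and ACK are open listeners; rows carrying RST are closed but reachable (the host is up and nothing in the path dropped the probe); ports listed under "Not responding ports:" gave no reply at all, which from the scanner's side is indistinguishable between "filtered" and "dead". The report text is constructed from the rows shown in the post plus a made-up entry for port 8080; the flag column order (FIN, SYN, RST, PSH, ACK, URG, ECE, CWR) is inferred from where S, R and A sit in the post's own rows.

```python
import re

# hping2's scan table prints the eight TCP flags in header bit order
# (FIN, SYN, RST, PSH, ACK, URG, ECE, CWR), a dot where a bit is clear;
# that is why the post's rows read ".S..A..." (SYN/ACK) and "..R.A..." (RST/ACK).
FLAG_ORDER = "FSRPAUXY"

ROW_RE = re.compile(
    r"^\s*(?P<port>\d+)\s+(?P<service>[\w-]+)\s*:\s+(?P<flags>[.A-Z]{8})"
    r"\s+(?P<ttl>\d+)\s+(?P<id>\d+)\s+(?P<win>\d+)\s*$"
)
NORESP_RE = re.compile(r"\((?P<port>\d+)\s+(?P<service>[\w-]+)\)")

# Constructed sample: the rows of the two scans in the post merged into one
# report, plus a made-up "Not responding ports" entry for port 8080.
SAMPLE_REPORT = """\
using eth0, addr: 192.168.1.138, MTU: 1500
Scanning 192.168.1.75 (192.168.1.75), port 80,443,135,139,515,548,631,8080
8 ports to scan, use -V to see all the replies
+----+-----------+---------+---+-----+-----+
|port| serv name |  flags  |ttl| id  | win |
+----+-----------+---------+---+-----+-----+
   80 www        : ..R.A...  64 14716     0
  443 https      : ..R.A...  64 15996     0
  135 loc-srv    : ..R.A...  64 16252     0
  139 netbios-ssn: ..R.A...  64 17532     0
  515 printer    : .S..A...  64 16256 65535
  548 afpovertcp : .S..A...  64 17792 65535
  631 ipp        : .S..A...  64 19072 65535
All replies received. Done.
Not responding ports: (8080 http-alt)
"""


def decode_flags(column):
    """Turn an hping flag column such as '.S..A...' into a set of flag letters."""
    if len(column) != len(FLAG_ORDER):
        raise ValueError(f"unexpected flag column {column!r}")
    return {cell for cell in column if cell != "."}


def classify(flags):
    """Map the reply flags of a half-open (SYN) probe to a port state."""
    if "S" in flags and "A" in flags:
        return "open"        # SYN/ACK: a listener answered step two of the handshake
    if "R" in flags:
        return "closed"      # RST: the host is up and unfiltered, but nothing listens there
    return "unexpected"      # anything else (e.g. a bare ACK) deserves a closer look


def parse_hping_scan(report):
    """Parse an hping2 '-8' scan report into {port: {service, state, ttl, win}}."""
    states = {}
    for line in report.splitlines():
        row = ROW_RE.match(line)
        if row:
            flags = decode_flags(row["flags"])
            states[int(row["port"])] = {
                "service": row["service"],
                "state": classify(flags),
                "ttl": int(row["ttl"]),
                "win": int(row["win"]),
            }
        elif line.startswith("Not responding ports:"):
            # No reply at all: something dropped the probe or the answer, so the
            # scanner cannot tell an open port from a closed one here.
            for m in NORESP_RE.finditer(line):
                states[int(m["port"])] = {"service": m["service"], "state": "filtered",
                                          "ttl": None, "win": None}
    return states


def ports_by_state(states):
    """Group port numbers by state, e.g. {'open': [515, 548, 631], ...}."""
    grouped = {}
    for port, info in sorted(states.items()):
        grouped.setdefault(info["state"], []).append(port)
    return grouped


if __name__ == "__main__":
    for state, ports in ports_by_state(parse_hping_scan(SAMPLE_REPORT)).items():
        print(f"{state:10s} {ports}")
```

The defender's takeaway from the same rows: a host that answers RST has told the scanner it is alive and directly reachable, which is why a silent drop at the border (the "filtered" case) leaks less than a polite RST.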
    • #34188
      sil
      Participant

      *looks up in the sky whistling…. pointing to dynamik* 😀 It’s Friday!

    • #34189
      sil
      Participant

      You know… What about curl for a webscanner? Let’s try it…

      # curl --connect-timeout 2 -e "http://www.dont-try-this-at-home.org" -f -G -I --local-port 666 --no-keepalive http://infiltrated.net/fo0
      curl: (22) The requested URL returned error: 404

      # curl --connect-timeout 2 -e "http://www.dont-try-this-at-home.org" -f -G -I --local-port 777 --no-keepalive http://infiltrated.net/
      HTTP/1.1 200 OK
      Date: Fri, 30 Jul 2010 17:07:07 GMT
      Server: Trusted NCIS Apache v.1 OpenSSL/0.9.7e mod_voip/0.1 Python/3.1.3 RBACL/1.0 mod_rbacl/1.0a mod_pimp PIMP/1.0 mod_pwnd PWND/0.1a
      Last-Modified: Thu, 01 Apr 2010 20:05:27 GMT
      ETag: "1c1f194-252-4bb4fc87"
      Accept-Ranges: bytes
      Content-Length: 594
      Content-Type: text/html

      What does my server see, what’s in the logfiles?

      i.just.root.edu - - [30/Jul/2010:12:06:47 -0500] "HEAD /fo0 HTTP/1.1" 404 - "http://www.dont-try-this-at-home.org" "curl/7.18.2 (i486-pc-linux-gnu) libcurl/7.18.2 OpenSSL/0.9.8g zlib/1.2.3.3 libidn/1.8"
      i.just.root.edu - - [30/Jul/2010:12:07:07 -0500] "HEAD / HTTP/1.1" 200 0 "http://www.dont-try-this-at-home.org" "curl/7.18.2 (i486-pc-linux-gnu) libcurl/7.18.2 OpenSSL/0.9.8g zlib/1.2.3.3 libidn/1.8"

      Let’s fix this and make it seem more “normal”

      curl --connect-timeout 2 -e "http://www.dont-try-this-at-home.org" -f -G -I -A "Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6" --local-port 2345 --no-keepalive http://infiltrated.net/

      My logs?

      i.just.root.edu - - [30/Jul/2010:12:08:48 -0500] "HEAD / HTTP/1.1" 200 0 "http://www.dont-try-this-at-home.org" "Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6"

      So think about this for a moment from a “web application scanner” point of view if you didn’t have one… Let’s assume you wanted to build a bruteforce directory searcher of sorts. Let’s use the default mil-dic.php file for an example:

      # sed -n '65000,65005p' /pentest/exploits/mil-dic.php
      tw000314
      tw1ne007
      tw44623
      tw610306
      tw76da89
      tw7qse5b

      The code…

      # one curl HEAD request per wordlist entry; the inner quotes are escaped so the
      # referer and user-agent strings survive the echo intact
      for i in `sed -n '65000,65005p' /pentest/exploits/mil-dic.php`
      do echo "curl --connect-timeout 2 -e \"http://www.dont-try-this-at-home.org\" -f -G -I -A \"Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6\" --local-port 2345 --no-keepalive http://infiltrated.net/$i"
      done

      Results?

      curl --connect-timeout 2 -e "http://www.dont-try-this-at-home.org" -f -G -I -A "Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6" --local-port 2345 --no-keepalive http://infiltrated.net/tw000314
      curl --connect-timeout 2 -e "http://www.dont-try-this-at-home.org" -f -G -I -A "Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6" --local-port 2345 --no-keepalive http://infiltrated.net/tw1ne007
      curl --connect-timeout 2 -e "http://www.dont-try-this-at-home.org" -f -G -I -A "Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6" --local-port 2345 --no-keepalive http://infiltrated.net/tw44623
      curl --connect-timeout 2 -e "http://www.dont-try-this-at-home.org" -f -G -I -A "Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6" --local-port 2345 --no-keepalive http://infiltrated.net/tw610306
      curl --connect-timeout 2 -e "http://www.dont-try-this-at-home.org" -f -G -I -A "Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6" --local-port 2345 --no-keepalive http://infiltrated.net/tw76da89
      curl --connect-timeout 2 -e "http://www.dont-try-this-at-home.org" -f -G -I -A "Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6" --local-port 2345 --no-keepalive http://infiltrated.net/tw7qse5b

      I could have added a sleep N and |sh to auto run for me in intervals to evade IDS to a degree, but I’ll leave that to your imagination/creativity. So think about these things. There will be some point in time where you MAY not have access to certain tools, what are your workarounds… Much like Tai-Chi, use the system against itself 😉
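The post shows both sides of the curl experiment: the requests and the Apache log lines they leave behind. As an added example (not code from the thread), here is the log reader a web admin would point at those lines. It parses Apache's combined format, reports any client that hits several distinct non-existent paths within a short window (the HEAD-per-wordlist-entry loop above produces exactly that), and classifies User-Agent strings: command-line tools, browser strings that do not hang together, and normal ones. The forged string in the post is a good test case because, as its own log excerpt shows, it was sent without the "Mozilla/5.0 (" prefix, so its parentheses do not balance. The log lines are constructed from the post's two real excerpts, the six wordlist paths, and one ordinary visitor; the window and threshold values are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format, as in the post's log excerpts.
COMBINED_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

CURL_UA = "curl/7.18.2 (i486-pc-linux-gnu) libcurl/7.18.2 OpenSSL/0.9.8g zlib/1.2.3.3 libidn/1.8"
FORGED_UA = "Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6"
REAL_UA = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6"
REF = "http://www.dont-try-this-at-home.org"


def _line(client, ts, method, path, status, size, referer, ua):
    return f'{client} - - [{ts}] "{method} {path} HTTP/1.1" {status} {size} "{referer}" "{ua}"'


# Constructed log: the two curl requests from the post, the six wordlist probes
# the post's loop would generate (one per second), and an ordinary visitor.
SAMPLE_LOG = [
    _line("i.just.root.edu", "30/Jul/2010:12:06:47 -0500", "HEAD", "/fo0", 404, "-", REF, CURL_UA),
    _line("i.just.root.edu", "30/Jul/2010:12:07:07 -0500", "HEAD", "/", 200, 0, REF, CURL_UA),
] + [
    _line("i.just.root.edu", f"30/Jul/2010:12:08:{48 + i} -0500", "HEAD", "/" + w, 404, "-", REF, FORGED_UA)
    for i, w in enumerate(["tw000314", "tw1ne007", "tw44623", "tw610306", "tw76da89", "tw7qse5b"])
] + [
    _line("192.168.1.20", "30/Jul/2010:12:08:50 -0500", "GET", "/", 200, 594, "-", REAL_UA),
    _line("192.168.1.20", "30/Jul/2010:12:08:51 -0500", "GET", "/favicon.ico", 404, "-", "-", REAL_UA),
]


def parse_combined(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def classify_user_agent(ua):
    """'tool' for command-line clients, 'malformed' for a browser-looking string
    that does not hang together (unbalanced parentheses, or Gecko/Firefox tokens
    without the 'Mozilla/' prefix every real browser sends), otherwise 'ok'."""
    if ua.split("/")[0].lower() in {"curl", "wget", "python-requests", "python-urllib"}:
        return "tool"
    browser_like = any(tok in ua for tok in ("Gecko", "Firefox", "Chrome", "Safari", "MSIE"))
    if ua.count("(") != ua.count(")") or (browser_like and not ua.startswith("Mozilla/")):
        return "malformed"
    return "ok"


def find_forced_browsing(lines, window_s=60, min_misses=5):
    """Report clients that hit >= min_misses distinct non-existent paths within window_s seconds.
    Counting distinct 404 paths (not raw 404s) keeps a browser retrying one missing
    favicon from tripping the rule."""
    misses = defaultdict(list)
    for rec in filter(None, map(parse_combined, lines)):
        if rec["status"] == 404:
            misses[rec["client"]].append((rec["ts"], rec["path"]))
    alerts = {}
    for client, evs in misses.items():
        evs.sort()
        for t0, _ in evs:
            paths = {p for t, p in evs if t0 <= t <= t0 + timedelta(seconds=window_s)}
            if len(paths) >= min_misses:
                alerts[client] = sorted(paths)
                break
    return alerts


if __name__ == "__main__":
    for client, paths in find_forced_browsing(SAMPLE_LOG).items():
        print(f"{client}: {len(paths)} distinct missing paths in 60s -> {paths}")
    for ua in (CURL_UA, FORGED_UA, REAL_UA):
        print(classify_user_agent(ua), "|", ua)
```

A sleep between requests, which the post leaves to the reader, stretches the same burst over minutes; the counter-move on the log side is the same as for the port scan, a longer window keyed on distinct paths rather than requests per second.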

    • #34190
      hayabusa
      Participant

      sil.

      That’s an awesome writeup.  Thanks!

    • #34191
      yatz
      Participant

      Wow, I only got about half of that… guess I need to get busy.

      Very nifty!

      Have you used this kind of stuff sil in actual pentests or is that not what you do?  Also, for example scanning only certain ports to avoid snort, how could you set up snort to pick up this sort of traffic?  By configuring it that way would you pick up lots of false positives?
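The Snort question just asked is not answered later in the thread, so here is an added example (not from any poster) that shows why a plain per-second threshold misses the `-i 10` scan from sil's post and what does catch it. It runs three rules over constructed packet summaries: a Snort-style rate threshold (N bare SYNs per source per second), a fan-out rule that counts distinct (host, port) targets per source over ten minutes, and a sanity rule that flags bare SYNs whose source port is a service port, which is the fingerprint of `-s 80` (a real client uses an ephemeral source port; a real web server sends SYN/ACK from port 80, never a bare SYN). The packet rows and the window/threshold values are constructed assumptions.

```python
from collections import defaultdict

# Constructed packet summaries: (seconds, src, sport, dst, dport, flags, ttl, window).
# The first four rows mimic the thread's hping scan (-i 10 -s 80 -S -t 32 -w 5000);
# the rest is ordinary traffic between a workstation and the same server.
PACKETS = [
    (0,  "192.168.1.138", 80,    "192.168.1.75", 80,    "S",  32, 5000),
    (10, "192.168.1.138", 80,    "192.168.1.75", 443,   "S",  32, 5000),
    (20, "192.168.1.138", 80,    "192.168.1.75", 135,   "S",  32, 5000),
    (30, "192.168.1.138", 80,    "192.168.1.75", 139,   "S",  32, 5000),
    (5,  "192.168.1.20",  51234, "192.168.1.75", 631,   "S",  64, 65535),  # workstation opens IPP
    (5,  "192.168.1.75",  631,   "192.168.1.20", 51234, "SA", 64, 65535),  # server's SYN/ACK
    (12, "192.168.1.20",  51240, "192.168.1.75", 548,   "S",  64, 65535),  # workstation opens AFP
    (40, "192.168.1.75",  80,    "192.168.1.20", 51250, "SA", 64, 65535),  # web server answering
]


def rate_rule(packets, window=1.0, threshold=5):
    """Snort-style threshold: flag a source sending >= threshold bare SYNs within `window` seconds.
    A scan paced at one probe every 10 s never has more than one SYN in any one-second window."""
    syn_times = defaultdict(list)
    for t, src, _, _, _, flags, _, _ in packets:
        if flags == "S":
            syn_times[src].append(t)
    flagged = set()
    for src, times in syn_times.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:   # slide the window's left edge forward
                lo += 1
            if hi - lo + 1 >= threshold:
                flagged.add(src)
                break
    return flagged


def fanout_rule(packets, window=600, min_targets=4):
    """Flag sources whose bare SYNs reach >= min_targets distinct (dst, dport) pairs
    within `window` seconds. Counting distinct targets over minutes, not packets per
    second, is what catches a slow scan; a workstation talking to two services does not qualify."""
    events = defaultdict(list)
    for t, src, _, dst, dport, flags, _, _ in packets:
        if flags == "S":
            events[src].append((t, dst, dport))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        for t0, _, _ in evs:
            targets = {(d, p) for t, d, p in evs if t0 <= t <= t0 + window}
            if len(targets) >= min_targets:
                flagged[src] = sorted(targets)
                break
    return flagged


def service_sport_syn_rule(packets, service_ports=(80, 443)):
    """Flag bare SYNs whose *source* port is a well-known service port.
    Clients pick ephemeral source ports and servers answer with SYN/ACK, so a
    plain SYN from sport 80 is almost always a crafted packet."""
    return [(src, sport, dst, dport)
            for _, src, sport, dst, dport, flags, _, _ in packets
            if flags == "S" and sport in service_ports]


if __name__ == "__main__":
    print("rate rule (5/s):      ", rate_rule(PACKETS))
    print("fan-out rule (4/10min):", fanout_rule(PACKETS))
    print("SYN from service port: ", service_sport_syn_rule(PACKETS))
```

On false positives: the fan-out rule fires on anything that legitimately touches many ports on a host (a vulnerability scanner you run yourself, some monitoring agents), so whitelist those sources rather than raising the threshold. The TTL 32 and window 5000 values in the post are not worth a rule of their own: they are just fields the sender chose, and a different pre-Windows-2000 lookalike could choose others. The source-port rule is the cheap one; its known benign exceptions are a few NAT and proxy setups, so treat it as a strong hint to correlate with the fan-out rule, not a block on its own.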

    • #34192
      dynamik
      Participant

      @sil wrote:

      *looks up in the sky whistling…. pointing to dynamik* 😀 It’s Friday!

      Is that a challenge? Sorry, I was up until 1:30AM working on my coworker’s cubicle…

      http://i360.photobucket.com/albums/oo46/adynamik1/cups1.jpg

      http://i360.photobucket.com/albums/oo46/adynamik1/cups2.jpg

      http://i360.photobucket.com/albums/oo46/adynamik1/cups3.jpg

      http://i360.photobucket.com/albums/oo46/adynamik1/cups4.jpg

      There are over 1300 2oz cups there. We put Pinesol in the first couple hundred, but it got overwhelming…

    • #34193
      Xen
      Participant

      @dynamik
      Nice! Reminds me of your office prank post at TExams.

    • #34194
      sil
      Participant

      @yatz wrote:

      Have you used this kind of stuff sil in actual pentests or is that not what you do? 

      Yatz, sorry for the delay in responses. I use all sorts of experiments on pentests. Remember, my point of view is, as a pentester, my role is to get in as responsibly as possible. I dictate the tools to use as it’s my role to be the attacker. In no shape, form or fashion is someone ever going to be able to say: “Ok scriptkiddiots, we know you’re out there, if you hit our networks, can you preferably ONLY use metasploit!” The reality is, many tools have different pros and cons.

      In fiddling around with networking, studying, tampering in my labs, on my work network (I do in-house pentesting for my company, SIG audits for ourselves and clients) I’m always playing this strange game with myself called: “I can beat myself!” Where on the one hand I’m attacking, the next hand monitoring to see how I would need to defend should the situation arise. This is how many times I come up with oddities in operating systems and networks… Trial and error.

      Besides, as some have seen on the Metasploit versus Canvas, no one tool fits all and I’ve found when I fiddle with my own tools sometimes, I get more tuned results and I can tinker with parameters more granularly to give me either complete stealth (bounce/idle scans) or complete immunity (decoy + target’s_networks_hosts_in_the_mix)

      As for false positives, again, it depends. Because I know what I’d be targeting, I can focus specifics after it. This is something that many tools don’t do. Most will fire and forget say 1000+ exploits at IIS blindly. Why would I waste time and packets sending PHP based attacks to a server running IIS. False positives are pretty easy to weed out since my attack space is so low when I’m actually attacking.

      Think about the following for a moment. Say I run nmap against a machine which yields 20 services running… I add -sV for version information and in the end, I end up with say 10 potential exploits per service. I now have 200 possibilities. By doing my own tests to validate what nmap or whatever other scanner I’m using, I might be able to find say 2 exploits for only 5 ports. I have 10 exploits to tinker with/test and weed out those fp’s as opposed to wondering what to do with 200.

    • #34195
      yatz
      Participant

      @sil wrote:

      I’m always playing this strange game with myself called: “I can beat myself!” Where on the one hand I’m attacking, the next hand monitoring to see how I would need to defend should the situation arise. This is how many times I come up with oddities in operating systems and networks… Trial and error.

      This makes a lot of sense, that is, if you have the time to play those games.  I would love to do more of those kind of tasks but sadly I barely have time to learn one tool at a time.  Being committed and earnest will take you far, just sometimes it takes more time.

      @sil wrote:

      Most will fire and forget say 1000+ exploits at IIS blindly. Why would I waste time and packets sending PHP based attacks to a server running IIS.

      This is what I was thinking about when I initially started this thread, except my thinking was focused on scanning.  Still, the concept is the same.  Why blast packets out when maybe there’s already a list somewhere that can give me a more narrow target surface? 

      I was looking through the CEH material and there was a quote on one page that basically reiterated exactly what you are talking about.  When I saw it I thought to myself, “Hey, that’s what sil was talking about!”  I don’t have it handy, but to summarize it said, “Hackers rarely rely on existing tools with default configs, they tailor versatile tools to meet specific needs or create new tools for individual scenarios.” 

    • #34196
      sil
      Participant

      @yatz wrote:

      This makes a lot of sense, that is, if you have the time to play those games.  I would love to do more of those kind of tasks but sadly I barely have time to learn one tool at a time.  Being committed and earnest will take you far, just sometimes it takes more time.

      I was looking through the CEH material and there was a quote on one page that basically reiterated exactly what you are talking about.  When I saw it I thought to myself, “Hey, that’s what sil was talking about!”  I don’t have it handy, but to summarize it said, “Hackers rarely rely on existing tools with default configs, they tailor versatile tools to meet specific needs or create new tools for individual scenarios.”

      You can always make time 😉 On average, I get on about 5 conference calls and meetings I shouldn’t be at (don’t care to be at per week). Sometimes even 3-4 a day. Vendor meetings, interop conference calls, boring FINRA babbling I have to hear. During this time I always try to keep myself amused and busy. This is while @ work… On the weekends, I try to dedicate at least 2 hours to checking out what’s going on in the world of forensics, malware and “hackerdom” When I see something interesting, I bookmark it so that I can go back the next time I have to get on the phone with a vendor…

      My bosses sort of don’t like it since when I’m at meetings I don’t care to be, my mind is far off in security land wondering what to do next. I do this out of interest and love for it so I’m just lucky to get paid for what I do. However, take note of that statement… “I do this out of interest and love” I believe when you take this approach the burden of things like “making more money via certs, passing a test, going further” are lowered and one’s ability to retain, understand and progress are strengthened.

    • #34197
      bery
      Participant

      thanks for useful suggestion

Copyright ©2020 Caendra, Inc.