Scanning techniques

This topic contains 11 replies, has 6 voices, and was last updated by bery 9 years, 1 month ago.

  • #5408
     yatz 
    Participant

    Ok so call me weird, but as I was waking up this morning I was thinking about different scanning techniques.  Using nmap or related metasploit scanner modules it is common to send some kind of packet to each possible IP address in a certain subnet.  So I was thinking, why not just pull the list from the router?  I found this tool http://codewiki.wikispaces.com/cammer_c.pl but it relies on SNMP.  Do you know of any way to get the mac address table from a router (such as spoofing a cdp packet?)

    Also I was thinking of how when you set an IP on a windows machine and if it’s taken then it pops up an error.  What kind of scan is this doing?  Can this be manipulated in any way to get available hosts without having to scan the whole subnet?

    Fun…

  • #34187
     sil 
    Participant

    @yatz wrote:

    Ok so call me weird, but as I was waking up this morning I was thinking about different scanning techniques.  Using nmap or related metasploit scanner modules it is common to send some kind of packet to each possible IP address in a certain subnet.  So I was thinking, why not just pull the list from the router?  I found this tool http://codewiki.wikispaces.com/cammer_c.pl but it relies on SNMP.  Do you know of any way to get the mac address table from a router (such as spoofing a cdp packet?)

    Also I was thinking of how when you set an IP on a windows machine and if it’s taken then it pops up an error.  What kind of scan is this doing?  Can this be manipulated in any way to get available hosts without having to scan the whole subnet?

    Fun…

    With nmap the typical/common way to scan each address is as follows:

    nmap -sS -vvv 192.168.1.0/24
    nmap -sS -vvv 192.168.1.0-100

    As for getting the router to spit out anything, it boils down to configuration issues. Did the admin of said router properly configure his router?

    Two tools I can think of to get around this: Arping: “Broadcasts a who-has ARP packet on the network and prints answers.” (http://www.habets.pp.se/synscan/programs.php?prog=arping) And ARP-SCAN http://www.nta-monitor.com/tools/arp-scan/

    If you’re on Windows, arp -a helps as does arp | grep ether on Linux as does arp -a on BSD:

    OpenBSD (obviously edited my MAC’s from you hacker types)

    # uname -mps
    OpenBSD i386 Intel(R) Pentium(R) 4 CPU 2.80GHz ("GenuineIntel" 686-class)
    # arp -a|awk -F : '{print $1,$2":xx:xx:"$5":"$6}'
    00:16:xx:xx:a1:6e
    00:1b:xx.xx:29:c4
    00:a0:xx.xx:ca:49
    00:12:xx.xx:96:01
    00:23:xx.xx:d1:80
    00:16:xx.xx:5c:47
    00:1a:xx.xx:0c:f8
    00:14:xx.xx:44:8d
    00:80:xx.xx:4b:f0
    00:0c:xx.xx:bd:00
    00:12:xx.xx:96:00
    00:15:xx.xx:b4:90
    00:1b:xx.xx:29:c4
    00:16:7xx.xx:a1:6e

    FreeBSD
    $ uname -mps
    FreeBSD i386 i386
    arp -a|awk '{print $4}'|awk -F : '{print $1":xx:xx:"$4":"$5":"$6}'
    64:xx:xx:85:88:47
    00:xx:xx:c4:26:2b
    00:xx:xx:c4:26:2b
    00:xx:xx:c4:26:2b
    00:xx:xx:c4:26:2b
    00:xx:xx:c4:26:2b
    00:xx:xx:c4:26:2b

    But that’s not what you’re interested in, you want to be able to get the IP’s off of the network to scan them. I’d use Arping and build from there or you could use good old fashioned ping 😉

    # ping -c 3 -b 192.168.1.255|awk '/:/{print $4}'|sort -u
    WARNING: pinging broadcast address
    192.168.1.109:
    192.168.1.132:
    192.168.1.136:
    192.168.1.194:
    192.168.1.196:
    192.168.1.200:
    192.168.1.211:
    192.168.1.21:
    192.168.1.22:
    192.168.1.24:
    192.168.1.26:
    192.168.1.53:
    192.168.1.67:
    192.168.1.75:

    So what can we do now? Whatever we’d like, we can see what’s reachable to a degree… Let’s scan these machines WITHOUT NMAP shall we? I’ll use hping to evade typical Snort rules (-i 10) and scan ports 80,443,135,139 with pre Win2K parameters (ttl of 32 and Window Size of 5000) while making the recipient think my machine’s HTTP port is connecting to them (-s 80)

    hping -i 10 -8 80,443,135,139 -s 80 -S -t 32 -W -V -w 5000

    On command line:

    # ping -c 3 -b 192.168.1.255|awk '/:/{print $4}'|sort -u|sed 's!:!!g;s:^:hping -i 10 -8 80,443,135,139 -s 80 -S -t 32 -W -V -w 5000 :g'

    You ready?

    # ping -c 3 -b 192.168.1.255|awk '/:/{print $4}'|sort -u|sed 's!:!!g;s:^:hping -i 10 -8 80,443,135,139 -s 80 -S -t 32 -W -V -w 5000 :g'|tail -n 1
    hping -i 10 -8 80,443,135,139 -s 80 -S -t 32 -W -V -w 5000 192.168.1.75

    What do I see from a scan like this?

    Let’s see:

    hping -i 10 -8 80,443,135,139 -s 80 -S -t 32 -W -V -w 5000 192.168.1.75
    using eth0, addr: 192.168.1.138, MTU: 1500
    Scanning 192.168.1.75 (192.168.1.75), port 80,443,135,139
    4 ports to scan, use -V to see all the replies
    +----+-----------+---------+---+-----+-----+
    |port| serv name |  flags  |ttl| id  | win |
    +----+-----------+---------+---+-----+-----+
      80 www        : ..R.A...  64 14716    0
      443 https      : ..R.A...  64 15996    0
      135 loc-srv    : ..R.A...  64 16252    0
      139 netbios-ssn: ..R.A...  64 17532    0
    All replies received. Done.
    Not responding ports:

    Notice: ..R.A… Hrmm… Reset eh?

    What about the response for valid ports that ARE opened?

    # hping -i 10 -8 515,548,631 -s 80 -S -t 32 -W -V -w 5000 192.168.1.75
    using eth0, addr: 192.168.1.138, MTU: 1500
    Scanning 192.168.1.75 (192.168.1.75), port 515,548,631
    3 ports to scan, use -V to see all the replies
    +----+-----------+---------+---+-----+-----+
    |port| serv name |  flags  |ttl| id  | win |
    +----+-----------+---------+---+-----+-----+
      515 printer    : .S..A...  64 16256 65535
      548 afpovertcp : .S..A...  64 17792 65535
      631 ipp        : .S..A...  64 19072 65535

    What differences do you notice? Why? What can you do with this information?

    What about a full blown network scanner targeting http made easy?

    seq 1 254|
    while read topwn
    do echo 192.168.1.$topwn | sed 's:^:hping -8 80 -s 80 -t 32 -W -V -w 2000 :g'
    done
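    An added Python helper (mine, not sil's and not part of hping) that reads the two hping tables above and answers the "what differences do you notice" question mechanically: a RST/ACK reply with win 0 means the host is up but nothing listens on that port, a SYN/ACK with win 65535 means a service completed its half of the handshake, and a probed port with no row at all was dropped somewhere in between. The F S R P A U X Y slot order of the flags column is an assumption about hping2's layout; the thread's output only confirms the S, R and A positions.

```python
import re

# "hping -8" output as pasted in the thread: the first run hit closed ports,
# the second run hit listening ones (banner lines trimmed).
CLOSED_SCAN = """\
Scanning 192.168.1.75 (192.168.1.75), port 80,443,135,139
|port| serv name |  flags  |ttl| id  | win |
  80 www        : ..R.A...  64 14716    0
  443 https      : ..R.A...  64 15996    0
  135 loc-srv    : ..R.A...  64 16252    0
  139 netbios-ssn: ..R.A...  64 17532    0
"""
OPEN_SCAN = """\
Scanning 192.168.1.75 (192.168.1.75), port 515,548,631
|port| serv name |  flags  |ttl| id  | win |
  515 printer    : .S..A...  64 16256 65535
  548 afpovertcp : .S..A...  64 17792 65535
  631 ipp        : .S..A...  64 19072 65535
"""

# Column order of hping2's eight-character flags field, assumed here to be
# F S R P A U X Y; the thread's output only confirms the S, R and A slots.
FLAG_NAMES = "FSRPAUXY"
ROW_RE = re.compile(r"^\s*(\d+)\s+(\S+?)\s*:\s+([FSRPAUXY.]{8})\s+(\d+)\s+(\d+)\s+(\d+)")
SCAN_RE = re.compile(r"^Scanning \S+ \(\S+\), port ([\d,]+)", re.M)

def decode_flags(field):
    """'..R.A...' -> {'R', 'A'}"""
    return {FLAG_NAMES[i] for i, ch in enumerate(field) if ch != "."}

def classify(flags):
    """Plain TCP semantics of the reply to a SYN probe."""
    if "R" in flags:
        return "closed"      # RST/ACK: the host is up, nothing listens there
    if {"S", "A"} <= flags:
        return "open"        # SYN/ACK: a service accepted the handshake
    return "unexpected"

def parse_scan(text):
    """{port: (service, state, ttl, win)}; probed ports with no row are 'no-reply'."""
    results = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            port, svc, field, ttl, _ipid, win = m.groups()
            results[int(port)] = (svc, classify(decode_flags(field)), int(ttl), int(win))
    probed = SCAN_RE.search(text)
    if probed:
        for p in probed.group(1).split(","):
            results.setdefault(int(p), ("?", "no-reply", None, None))
    return results

def states(text):
    return {port: row[1] for port, row in parse_scan(text).items()}
```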
  • #34188
     sil 
    Participant

    *looks up in the sky whistling…. pointing to dynamik* 😀 It’s Friday!

  • #34189
     sil 
    Participant

    You know… What about curl for a webscanner? Let’s try it…

    # curl --connect-timeout 2 -e "http://www.dont-try-this-at-home.org" -f -G -I --local-port 666 --no-keepalive http://infiltrated.net/fo0
    curl: (22) The requested URL returned error: 404

    # curl --connect-timeout 2 -e "http://www.dont-try-this-at-home.org" -f -G -I --local-port 777 --no-keepalive http://infiltrated.net/
    HTTP/1.1 200 OK
    Date: Fri, 30 Jul 2010 17:07:07 GMT
    Server: Trusted NCIS Apache v.1 OpenSSL/0.9.7e mod_voip/0.1 Python/3.1.3 RBACL/1.0 mod_rbacl/1.0a mod_pimp PIMP/1.0 mod_pwnd PWND/0.1a
    Last-Modified: Thu, 01 Apr 2010 20:05:27 GMT
    ETag: "1c1f194-252-4bb4fc87"
    Accept-Ranges: bytes
    Content-Length: 594
    Content-Type: text/html

    What does my server see, what’s in the logfiles?

    i.just.root.edu - - [30/Jul/2010:12:06:47 -0500] "HEAD /fo0 HTTP/1.1" 404 - "http://www.dont-try-this-at-home.org" "curl/7.18.2 (i486-pc-linux-gnu) libcurl/7.18.2 OpenSSL/0.9.8g zlib/1.2.3.3 libidn/1.8"
    i.just.root.edu - - [30/Jul/2010:12:07:07 -0500] "HEAD / HTTP/1.1" 200 0 "http://www.dont-try-this-at-home.org" "curl/7.18.2 (i486-pc-linux-gnu) libcurl/7.18.2 OpenSSL/0.9.8g zlib/1.2.3.3 libidn/1.8"

    Let’s fix this and make it seem more “normal”

    curl --connect-timeout 2 -e "http://www.dont-try-this-at-home.org" -f -G -I -A "Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6" --local-port 2345 --no-keepalive http://infiltrated.net/

    My logs?

    i.just.root.edu - - [30/Jul/2010:12:08:48 -0500] "HEAD / HTTP/1.1" 200 0 "http://www.dont-try-this-at-home.org" "Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6"

    So think about this for a moment from a “web application scanner” point of view if you didn’t have one… Let’s assume you wanted to build a bruteforce directory searcher of sorts. Let’s use the default mil-dic.php file for an example:

    # sed -n '65000,65005p' /pentest/exploits/mil-dic.php
    tw000314
    tw1ne007
    tw44623
    tw610306
    tw76da89
    tw7qse5b

    The code…

    # inner quotes are escaped so the semicolons in the UA string stay inside echo's argument
    for i in $(sed -n '65000,65005p' /pentest/exploits/mil-dic.php)
    do echo "curl --connect-timeout 2 -e \"http://www.dont-try-this-at-home.org\" -f -G -I -A \"Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6\" --local-port 2345 --no-keepalive http://infiltrated.net/$i"
    done

    Results?

    curl --connect-timeout 2 -e "http://www.dont-try-this-at-home.org" -f -G -I -A "Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6" --local-port 2345 --no-keepalive http://infiltrated.net/tw000314
    curl --connect-timeout 2 -e "http://www.dont-try-this-at-home.org" -f -G -I -A "Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6" --local-port 2345 --no-keepalive http://infiltrated.net/tw1ne007
    curl --connect-timeout 2 -e "http://www.dont-try-this-at-home.org" -f -G -I -A "Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6" --local-port 2345 --no-keepalive http://infiltrated.net/tw44623
    curl --connect-timeout 2 -e "http://www.dont-try-this-at-home.org" -f -G -I -A "Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6" --local-port 2345 --no-keepalive http://infiltrated.net/tw610306
    curl --connect-timeout 2 -e "http://www.dont-try-this-at-home.org" -f -G -I -A "Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6" --local-port 2345 --no-keepalive http://infiltrated.net/tw76da89
    curl --connect-timeout 2 -e "http://www.dont-try-this-at-home.org" -f -G -I -A "Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6" --local-port 2345 --no-keepalive http://infiltrated.net/tw7qse5b

    I could have added a sleep N and |sh to auto run for me in intervals to evade IDS to a degree, but I’ll leave that to your imagination/creativity. So think about these things. There will be some point in time where you MAY not have access to certain tools, what are your workarounds… Much like Tai-Chi, use the system against itself 😉
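    The three server-log lines above show what a curl probe and a hand-typed User-Agent leave behind. Here is an added example (my Python, not sil's shell tooling) that flags those tells from the log reader's side: a curl UA, a UA missing the leading product token a real Firefox sends (the thread's string starts with "Windows; U;" because "Mozilla/5.0 (" was left off), and a run of HEAD 404s from one client inside a short window. The 10.0.0.x lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

SPOOFED_UA = "Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6"
# Apache combined-format lines: the first two are the thread's own log entries; the
# 10.0.0.x lines are constructed (a dictionary run, then a genuine Firefox visit).
SAMPLE_LOG = [
    'i.just.root.edu - - [30/Jul/2010:12:06:47 -0500] "HEAD /fo0 HTTP/1.1" 404 - "http://www.dont-try-this-at-home.org" "curl/7.18.2 (i486-pc-linux-gnu) libcurl/7.18.2 OpenSSL/0.9.8g zlib/1.2.3.3 libidn/1.8"',
    f'i.just.root.edu - - [30/Jul/2010:12:08:48 -0500] "HEAD / HTTP/1.1" 200 0 "http://www.dont-try-this-at-home.org" "{SPOOFED_UA}"',
] + [
    f'10.0.0.5 - - [30/Jul/2010:12:10:{s:02d} -0500] "HEAD /{w} HTTP/1.1" 404 - "-" "{SPOOFED_UA}"'
    for s, w in enumerate(["tw000314", "tw1ne007", "tw44623", "tw610306", "tw76da89"])
] + [
    f'10.0.0.9 - - [30/Jul/2010:12:11:03 -0500] "GET / HTTP/1.1" 200 594 "-" "Mozilla/5.0 ({SPOOFED_UA}"',
]

LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

def parse_line(line):
    m = LOG_RE.match(line)
    if m:
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        return rec

def ua_tells(ua):
    """Why a User-Agent string does not look like a browser's."""
    tells = []
    if "curl/" in ua or "libcurl" in ua:
        tells.append("curl user-agent")
    # Browser UAs open with a product token such as "Mozilla/5.0 ("; the string
    # copied from the middle of one in the thread starts with "Windows; U;".
    if not re.match(r"^[A-Za-z][\w.-]*/\d", ua):
        tells.append("user-agent lacks a leading product/version token")
    return tells

def find_scanners(lines, window_s=60, min_404=3):
    """Return {client: sorted tells} for clients whose traffic looks like a probe."""
    per_client = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        per_client[rec["host"]].append(rec)
    findings = {}
    for host, recs in per_client.items():
        tells = {t for r in recs for t in ua_tells(r["ua"])}
        # A run of misses close together is a dictionary walk, whatever the UA says.
        misses = sorted(r["ts"] for r in recs if r["status"] == "404")
        for i, start in enumerate(misses):
            n = sum(1 for t in misses[i:] if (t - start).total_seconds() <= window_s)
            if n >= min_404:
                tells.add(f"{n} 404s within {window_s}s (dictionary walk)")
                break
        if tells:
            findings[host] = sorted(tells)
    return findings
```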

  • #34190
     hayabusa 
    Participant

    sil.

    That’s an awesome writeup.  Thanks!

  • #34191
     yatz 
    Participant

    Wow, I only got about half of that… guess I need to get busy.

    Very nifty!

    Have you used this kind of stuff sil in actual pentests or is that not what you do?  Also, for example scanning only certain ports to avoid snort, how could you set up snort to pick up this sort of traffic?  By configuring it that way would you pick up lots of false positives?

  • #34192
     dynamik 
    Participant

    @sil wrote:

    *looks up in the sky whistling…. pointing to dynamik* 😀 It’s Friday!

    Is that a challenge? Sorry, I was up until 1:30AM working on my coworker’s cubicle…

    http://i360.photobucket.com/albums/oo46/adynamik1/cups1.jpg

    http://i360.photobucket.com/albums/oo46/adynamik1/cups2.jpg

    http://i360.photobucket.com/albums/oo46/adynamik1/cups3.jpg

    http://i360.photobucket.com/albums/oo46/adynamik1/cups4.jpg

    There are over 1300 2oz cups there. We put Pinesol in the first couple hundred, but it got overwhelming…

  • #34193
     Xen 
    Participant

    @dynamik
    Nice! Reminds me of your office prank post at TExams.

  • #34194
     sil 
    Participant

    @yatz wrote:

    Have you used this kind of stuff sil in actual pentests or is that not what you do? 

    Yatz, sorry for the delay in responses. I use all sorts of experiments on pentests. Remember, my point of view is, as a pentester, my role is to get in as responsibly as possible. I dictate the tools to use as it’s my role to be the attacker. In no shape, form or fashion is someone ever going to be able to say: “Ok scriptkiddiots, we know you’re out there, if you hit our networks, can you preferably ONLY use metasploit!” The reality is, many tools have different pros and cons.

    In fiddling around with networking, studying, tampering in my labs, on my work network (I do in-house pentesting for my company, SIG audits for ourselves and clients) I’m always playing this strange game with myself called: “I can beat myself!” Where on the one hand I’m attacking, the next hand monitoring to see how I would need to defend should the situation arise. This is how many times I come up with oddities in operating systems and networks… Trial and error.

    Besides, as some have seen on the Metasploit versus Canvas, no one tool fits all and I’ve found when I fiddle with my own tools sometimes, I get more tuned results and I can tinker with parameters more granularly to give me either complete stealth (bounce/idle scans) or complete immunity (decoy + target’s_networks_hosts_in_the_mix).

    As for false positives, again, it depends. Because I know what I’d be targeting, I can focus specifics after it. This is something that many tools don’t do. Most will fire and forget say 1000+ exploits at IIS blindly. Why would I waste time and packets sending PHP based attacks to a server running IIS. False positives are pretty easy to weed out since my attack space is so low when I’m actually attacking.

    Think about the following for a moment. Say I run nmap against a machine which yields 20 services running… I add -sV for version information and in the end, I end up with say 10 potential exploits per service. I now have 200 possibilities. By doing my own tests to validate what nmap or whatever other scanner I’m using, I might be able to find say 2 exploits for only 5 ports. I have 10 exploits to tinker with/test and weed out those fp’s as opposed to wondering what to do with 200.

  • #34195
     yatz 
    Participant

    @sil wrote:

    I’m always playing this strange game with myself called: “I can beat myself!” Where on the one hand I’m attacking, the next hand monitoring to see how I would need to defend should the situation arise. This is how many times I come up with oddities in operating systems and networks… Trial and error.

    This makes a lot of sense, that is, if you have the time to play those games.  I would love to do more of those kinds of tasks but sadly I barely have time to learn one tool at a time.  Being committed and earnest will take you far, just sometimes it takes more time.

    @sil wrote:

    Most will fire and forget say 1000+ exploits at IIS blindly. Why would I waste time and packets sending PHP based attacks to a server running IIS.

    This is what I was thinking about when I initially started this thread, except my thinking was focused on scanning.  Still, the concept is the same.  Why blast packets out when maybe there’s already a list somewhere that can give me a more narrow target surface? 

    I was looking through the CEH material and there was a quote on one page that basically reiterated exactly what you are talking about.  When I saw it I thought to myself, “Hey, that’s what sil was talking about!”  I don’t have it handy, but to summarize it said, “Hackers rarely rely on existing tools with default configs, they tailor versatile tools to meet specific needs or create new tools for individual scenarios.” 

  • #34196
     sil 
    Participant

    @yatz wrote:

    This makes a lot of sense, that is, if you have the time to play those games.  I would love to do more of those kind of tasks but sadly I barely have time to learn one tool at a time.  Being committed and earnest will take you far, just sometimes it takes more time.

    I was looking through the CEH material and there was a quote on one page that basically reiterated exactly what you are talking about.  When I saw it I thought to myself, “Hey, that’s what sil was talking about!”  I don’t have it handy, but to summarize it said, “Hackers rarely rely on existing tools with default configs, they tailor versatile tools to meet specific needs or create new tools for individual scenarios.” 

    You can always make time 😉 On average, I get on about 5 conference calls and meetings I shouldn’t be at (don’t care to be at) per week. Sometimes even 3-4 a day. Vendor meetings, interop conference calls, boring FINRA babbling I have to hear. During this time I always try to keep myself amused and busy. This is while @ work… On the weekends, I try to dedicate at least 2 hours to checking out what’s going on in the world of forensics, malware and “hackerdom”. When I see something interesting, I bookmark it so that I can go back the next time I have to get on the phone with a vendor…

    My bosses sort of don’t like it since when I’m at meetings I don’t care to be, my mind is far off in security land wondering what to do next. I do this out of interest and love for it so I’m just lucky to get paid for what I do. However, take note at that statement… “I do this out of interest and love” I believe when you take this approach the burden of things like “making more money via certs, passing a test, going further” are lowered and one’s ability to retain, understand and progress are strengthened.

  • #34197
     bery 
    Participant

    thanks for useful suggestion

Copyright ©2019 Caendra, Inc.