
Scanning techniques


yatz

Full Member

Posts: 222

Joined: Tue May 25, 2010 2:58 pm

Post Fri Jul 30, 2010 9:46 am

Scanning techniques

Ok so call me weird, but as I was waking up this morning I was thinking about different scanning techniques.  Using nmap or related metasploit scanner modules it is common to send some kind of packet to each possible IP address in a certain subnet.  So I was thinking, why not just pull the list from the router?  I found this tool http://codewiki.wikispaces.com/cammer_c.pl but it relies on SNMP.  Do you know of any way to get the MAC address table from a router (such as spoofing a CDP packet)?

Also I was thinking of how when you set an IP on a windows machine and if it's taken then it pops up an error.  What kind of scan is this doing?  Can this be manipulated in any way to get available hosts without having to scan the whole subnet?

Fun...
"Live as though you would die tomorrow, learn as though you would live forever."

CCNA, MCSA, MCTS, Sec+, Net+, Linux+, CEH

sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Fri Jul 30, 2010 11:46 am

Re: Scanning techniques

yatz wrote:Ok so call me weird, but as I was waking up this morning I was thinking about different scanning techniques.  Using nmap or related metasploit scanner modules it is common to send some kind of packet to each possible IP address in a certain subnet.  So I was thinking, why not just pull the list from the router?  I found this tool http://codewiki.wikispaces.com/cammer_c.pl but it relies on SNMP.  Do you know of any way to get the MAC address table from a router (such as spoofing a CDP packet)?

Also I was thinking of how when you set an IP on a windows machine and if it's taken then it pops up an error.  What kind of scan is this doing?  Can this be manipulated in any way to get available hosts without having to scan the whole subnet?

Fun...


With nmap the typical/common way to scan each address is as follows:

  Code:
nmap -sS -vvv 192.168.1.0/24
nmap -sS -vvv 192.168.1.0-100


As for getting the router to spit out anything, it boils down to configuration issues. Did the admin of said router properly configure his router?

Two tools I can think of to get around this: Arping: "Broadcasts a who-has ARP packet on the network and prints answers." (http://www.habets.pp.se/synscan/program ... rog=arping) And ARP-SCAN http://www.nta-monitor.com/tools/arp-scan/

If you're on Windows, arp -a helps as does arp | grep ether on Linux as does arp -a on BSD:

OpenBSD (obviously edited my MACs from you hacker types)

  Code:
# uname -mps
OpenBSD i386 Intel(R) Pentium(R) 4 CPU 2.80GHz ("GenuineIntel" 686-class)
# arp -a|awk -F : '{print $1,$2":xx:xx:"$5":"$6}'
00:16:xx:xx:a1:6e
00:1b:xx.xx:29:c4
00:a0:xx.xx:ca:49
00:12:xx.xx:96:01
00:23:xx.xx:d1:80
00:16:xx.xx:5c:47
00:1a:xx.xx:0c:f8
00:14:xx.xx:44:8d
00:80:xx.xx:4b:f0
00:0c:xx.xx:bd:00
00:12:xx.xx:96:00
00:15:xx.xx:b4:90
00:1b:xx.xx:29:c4
00:16:7xx.xx:a1:6e

FreeBSD
$ uname -mps
FreeBSD i386 i386
arp -a|awk '{print $4}'|awk -F : '{print $1":xx:xx:"$4":"$5":"$6}'
64:xx:xx:85:88:47
00:xx:xx:c4:26:2b
00:xx:xx:c4:26:2b
00:xx:xx:c4:26:2b
00:xx:xx:c4:26:2b
00:xx:xx:c4:26:2b
00:xx:xx:c4:26:2b


But that's not what you're interested in, you want to be able to get the IPs off of the network to scan them. I'd use Arping and build from there or you could use good old-fashioned ping ;)

  Code:
# ping -c 3 -b 192.168.1.255|awk '/:/{print $4}'|sort -u
WARNING: pinging broadcast address
192.168.1.109:
192.168.1.132:
192.168.1.136:
192.168.1.194:
192.168.1.196:
192.168.1.200:
192.168.1.211:
192.168.1.21:
192.168.1.22:
192.168.1.24:
192.168.1.26:
192.168.1.53:
192.168.1.67:
192.168.1.75:

So what can we do now? Whatever we'd like, we can see what's reachable to a degree... Let's scan these machines WITHOUT NMAP shall we? I'll use hping to evade typical Snort rules (-i 10) and scan ports 80,443,135,139 with pre-Win2K parameters (TTL of 32 and Window Size of 5000) while making the recipient think my machine's HTTP port is connecting to them (-s 80)

hping -i 10 -8 80,443,135,139 -s 80 -S -t 32 -W -V -w 5000

On command line:
  Code:
# ping -c 3 -b 192.168.1.255|awk '/:/{print $4}'|sort -u|sed 's!:!!g;s:^:hping -i 10 -8 80,443,135,139 -s 80 -S -t 32 -W -V -w 5000 :g'


You ready?

  Code:
# ping -c 3 -b 192.168.1.255|awk '/:/{print $4}'|sort -u|sed 's!:!!g;s:^:hping -i 10 -8 80,443,135,139 -s 80 -S -t 32 -W -V -w 5000 :g'|tail -n 1
hping -i 10 -8 80,443,135,139 -s 80 -S -t 32 -W -V -w 5000 192.168.1.75


What do I see from a scan like this?

Let's see:

  Code:
hping -i 10 -8 80,443,135,139 -s 80 -S -t 32 -W -V -w 5000 192.168.1.75
using eth0, addr: 192.168.1.138, MTU: 1500
Scanning 192.168.1.75 (192.168.1.75), port 80,443,135,139
4 ports to scan, use -V to see all the replies
+----+-----------+---------+---+-----+-----+
|port| serv name |  flags  |ttl| id  | win |
+----+-----------+---------+---+-----+-----+
   80 www        : ..R.A...  64 14716     0
  443 https      : ..R.A...  64 15996     0
  135 loc-srv    : ..R.A...  64 16252     0
  139 netbios-ssn: ..R.A...  64 17532     0
All replies received. Done.
Not responding ports:


Notice: ..R.A... Hrmm... Reset eh?

What about the response for valid ports that ARE opened?

  Code:
# hping -i 10 -8 515,548,631 -s 80 -S -t 32 -W -V -w 5000 192.168.1.75
using eth0, addr: 192.168.1.138, MTU: 1500
Scanning 192.168.1.75 (192.168.1.75), port 515,548,631
3 ports to scan, use -V to see all the replies
+----+-----------+---------+---+-----+-----+
|port| serv name |  flags  |ttl| id  | win |
+----+-----------+---------+---+-----+-----+
  515 printer    : .S..A...  64 16256 65535
  548 afpovertcp : .S..A...  64 17792 65535
  631 ipp        : .S..A...  64 19072 65535



What differences do you notice? Why? What can you do with this information?

What about a full-blown network scanner targeting http made easy?

  Code:
seq 1 254|\
while read topwn
do echo 192.168.1.$topwn | sed 's:^:hping -8 80 -s 80 -t 32 -W -V -w 2000 :g'
done
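The two hping tables above are the whole point of the "what differences do you notice" question: a reset (`..R.A...`) comes back from a closed port, a SYN/ACK (`.S..A...`) from a listener. As an added example (not code from the thread or from sil), here is a small Python parser for hping's scan-mode output that decodes the flags column and groups ports by state. The two tables are embedded as constructed sample input, with a made-up port 8080 appended to exercise the "Not responding ports:" case; the flag-order assumption (FSRPAUXY, matching hping's -F -S -R -P -A -U -X -Y options) is mine.

```python
"""Parse hping scan-mode (-8) output and classify each port by the TCP
flags in the reply.

Added example, not part of the thread above. The flags column is an
8-character mask in the same order as hping's -F -S -R -P -A -U -X -Y
options (assumed here); a dot means that bit is clear.
"""
import re
from typing import Dict, List, NamedTuple

FLAG_ORDER = "FSRPAUXY"  # FIN SYN RST PSH ACK URG and the two reserved bits

# Constructed sample: the two tables from the post, plus a made-up port
# 8080 that never answered, so the "Not responding ports:" case is covered.
SAMPLE_OUTPUT = """\
Scanning 192.168.1.75 (192.168.1.75), port 80,443,135,139
4 ports to scan, use -V to see all the replies
+----+-----------+---------+---+-----+-----+
|port| serv name |  flags  |ttl| id  | win |
+----+-----------+---------+---+-----+-----+
   80 www        : ..R.A...  64 14716     0
  443 https      : ..R.A...  64 15996     0
  135 loc-srv    : ..R.A...  64 16252     0
  139 netbios-ssn: ..R.A...  64 17532     0
All replies received. Done.
Not responding ports:
Scanning 192.168.1.75 (192.168.1.75), port 515,548,631,8080
4 ports to scan, use -V to see all the replies
+----+-----------+---------+---+-----+-----+
|port| serv name |  flags  |ttl| id  | win |
+----+-----------+---------+---+-----+-----+
  515 printer    : .S..A...  64 16256 65535
  548 afpovertcp : .S..A...  64 17792 65535
  631 ipp        : .S..A...  64 19072 65535
Not responding ports: 8080
"""

ROW_RE = re.compile(
    r"^\s*(?P<port>\d+)\s+(?P<service>\S+?)\s*:\s*(?P<mask>[FSRPAUXY.]{8})"
    r"\s+(?P<ttl>\d+)\s+(?P<ipid>\d+)\s+(?P<win>\d+)\s*$"
)


class PortResult(NamedTuple):
    port: int
    service: str
    flags: str      # letters of the set bits, e.g. "SA"
    ttl: int
    ipid: int
    window: int
    state: str      # open, closed, filtered or unexpected


def decode_flags(mask: str) -> str:
    """'..R.A...' -> 'RA': keep the flag letter wherever the mask is not a dot."""
    return "".join(flag for flag, c in zip(FLAG_ORDER, mask) if c != ".")


def classify(flags: str) -> str:
    """RST means the port is closed; SYN/ACK means a listener accepted the SYN.
    Anything else (say a bare ACK) is not a normal scan reply and is reported as such."""
    if "R" in flags:
        return "closed"
    if "S" in flags and "A" in flags:
        return "open"
    return "unexpected"


def parse_hping_scan(text: str) -> List[PortResult]:
    results: List[PortResult] = []
    for line in text.splitlines():
        row = ROW_RE.match(line)
        if row:
            flags = decode_flags(row["mask"])
            results.append(PortResult(int(row["port"]), row["service"], flags,
                                      int(row["ttl"]), int(row["ipid"]),
                                      int(row["win"]), classify(flags)))
        elif line.startswith("Not responding ports:"):
            # No reply at all: a host or filter that silently drops is the usual reason.
            for port in re.findall(r"\d+", line.split(":", 1)[1]):
                results.append(PortResult(int(port), "?", "", 0, 0, 0, "filtered"))
    return results


def summarize(results: List[PortResult]) -> Dict[str, List[int]]:
    """Ports grouped by state, each list sorted."""
    return {state: sorted(r.port for r in results if r.state == state)
            for state in ("open", "closed", "filtered", "unexpected")}


if __name__ == "__main__":
    parsed = parse_hping_scan(SAMPLE_OUTPUT)
    for r in parsed:
        print(f"{r.port:5d} {r.service:12s} {r.flags:3s} ttl={r.ttl:<3d} win={r.window:<5d} {r.state}")
    print(summarize(parsed))
```

The window column is a second tell worth keeping: in the tables above every reset carries a window of 0 while every SYN/ACK carries 65535, so a row whose flags and window disagree is worth a second look before trusting the state.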

sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Fri Jul 30, 2010 11:49 am

Re: Scanning techniques

*looks up in the sky whistling.... pointing to dynamik* :D It's Friday!

sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Fri Jul 30, 2010 12:28 pm

Re: Scanning techniques

You know... What about curl for a webscanner? Let's try it...

  Code:
# curl --connect-timeout 2 -e "http://www.dont-try-this-at-home.org" -f -G -I --local-port 666 --no-keepalive http://infiltrated.net/fo0
curl: (22) The requested URL returned error: 404

# curl --connect-timeout 2 -e "http://www.dont-try-this-at-home.org" -f -G -I --local-port 777 --no-keepalive http://infiltrated.net/
HTTP/1.1 200 OK
Date: Fri, 30 Jul 2010 17:07:07 GMT
Server: Trusted NCIS Apache v.1 OpenSSL/0.9.7e mod_voip/0.1 Python/3.1.3 RBACL/1.0 mod_rbacl/1.0a mod_pimp PIMP/1.0 mod_pwnd PWND/0.1a
Last-Modified: Thu, 01 Apr 2010 20:05:27 GMT
ETag: "1c1f194-252-4bb4fc87"
Accept-Ranges: bytes
Content-Length: 594
Content-Type: text/html



What does my server see, what's in the logfiles?

  Code:
i.just.root.edu - - [30/Jul/2010:12:06:47 -0500] "HEAD /fo0 HTTP/1.1" 404 - "http://www.dont-try-this-at-home.org" "curl/7.18.2 (i486-pc-linux-gnu) libcurl/7.18.2 OpenSSL/0.9.8g zlib/1.2.3.3 libidn/1.8"
i.just.root.edu - - [30/Jul/2010:12:07:07 -0500] "HEAD / HTTP/1.1" 200 0 "http://www.dont-try-this-at-home.org" "curl/7.18.2 (i486-pc-linux-gnu) libcurl/7.18.2 OpenSSL/0.9.8g zlib/1.2.3.3 libidn/1.8"



Let's fix this and make it seem more "normal"

  Code:
curl --connect-timeout 2 -e "http://www.dont-try-this-at-home.org" -f -G -I -A "Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6" --local-port 2345 --no-keepalive http://infiltrated.net/


My logs?

  Code:
i.just.root.edu - - [30/Jul/2010:12:08:48 -0500] "HEAD / HTTP/1.1" 200 0 "http://www.dont-try-this-at-home.org" "Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6"


So think about this for a moment from a "web application scanner" point of view if you didn't have one... Let's assume you wanted to build a bruteforce directory searcher of sorts. Let's use the default mil-dic.php file for an example:

  Code:
# sed -n '65000,65005p' /pentest/exploits/mil-dic.php
tw000314
tw1ne007
tw44623
tw610306
tw76da89
tw7qse5b


The code...

  Code:
for i in ` sed -n '65000,65005p' /pentest/exploits/mil-dic.php`
do echo "curl --connect-timeout 2 -e \"http://www.dont-try-this-at-home.org\" -f -G -I -A \"Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6\" --local-port 2345 --no-keepalive http://infiltrated.net/$i"
done


Results?

  Code:
curl --connect-timeout 2 -e "http://www.dont-try-this-at-home.org" -f -G -I -A "Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6" --local-port 2345 --no-keepalive http://infiltrated.net/tw000314
curl --connect-timeout 2 -e "http://www.dont-try-this-at-home.org" -f -G -I -A "Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6" --local-port 2345 --no-keepalive http://infiltrated.net/tw1ne007
curl --connect-timeout 2 -e "http://www.dont-try-this-at-home.org" -f -G -I -A "Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6" --local-port 2345 --no-keepalive http://infiltrated.net/tw44623
curl --connect-timeout 2 -e "http://www.dont-try-this-at-home.org" -f -G -I -A "Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6" --local-port 2345 --no-keepalive http://infiltrated.net/tw610306
curl --connect-timeout 2 -e "http://www.dont-try-this-at-home.org" -f -G -I -A "Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6" --local-port 2345 --no-keepalive http://infiltrated.net/tw76da89
curl --connect-timeout 2 -e "http://www.dont-try-this-at-home.org" -f -G -I -A "Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6" --local-port 2345 --no-keepalive http://infiltrated.net/tw7qse5b


I could have added a sleep N and |sh to auto run for me in intervals to evade IDS to a degree, but I'll leave that to your imagination/creativity. So think about these things. There will be some point in time where you MAY not have access to certain tools, what are your workarounds... Much like Tai-Chi, use the system against itself ;)
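Turning the "what do my logs see" half of this around: the three access-log lines above already carry everything a defender needs to spot this client. As an added example (not code from the thread or from sil's server), here is a Python analyzer for Apache combined-format logs that flags three traits: a tool User-Agent, a browser-looking User-Agent that lacks the `Mozilla/` prefix every real browser sends (the `-A` value above is exactly that), a client that only ever sends HEAD, and a burst of 404s for distinct paths from one client. The sample log is constructed: the three posted lines, six lines standing in for the wordlist loop (paths taken from the post, one every 10 seconds as a `sleep 10` would produce), and one ordinary browser visit from a made-up address.

```python
"""Flag scanner-like clients in Apache combined-format access logs.

Added example, not from the thread or from sil's server. Sample lines
are constructed as described in the lead-in.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, NamedTuple, Optional

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
BROWSER_TOKENS = ("Gecko", "Firefox", "Chrome", "Safari", "MSIE")

# Constructed sample: the three lines from the post, six wordlist probes, one normal visit.
SAMPLE_LOG = """\
i.just.root.edu - - [30/Jul/2010:12:06:47 -0500] "HEAD /fo0 HTTP/1.1" 404 - "http://www.dont-try-this-at-home.org" "curl/7.18.2 (i486-pc-linux-gnu) libcurl/7.18.2 OpenSSL/0.9.8g zlib/1.2.3.3 libidn/1.8"
i.just.root.edu - - [30/Jul/2010:12:07:07 -0500] "HEAD / HTTP/1.1" 200 0 "http://www.dont-try-this-at-home.org" "curl/7.18.2 (i486-pc-linux-gnu) libcurl/7.18.2 OpenSSL/0.9.8g zlib/1.2.3.3 libidn/1.8"
i.just.root.edu - - [30/Jul/2010:12:08:48 -0500] "HEAD / HTTP/1.1" 200 0 "http://www.dont-try-this-at-home.org" "Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6"
i.just.root.edu - - [30/Jul/2010:12:09:00 -0500] "HEAD /tw000314 HTTP/1.1" 404 - "http://www.dont-try-this-at-home.org" "Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6"
i.just.root.edu - - [30/Jul/2010:12:09:10 -0500] "HEAD /tw1ne007 HTTP/1.1" 404 - "http://www.dont-try-this-at-home.org" "Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6"
i.just.root.edu - - [30/Jul/2010:12:09:20 -0500] "HEAD /tw44623 HTTP/1.1" 404 - "http://www.dont-try-this-at-home.org" "Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6"
i.just.root.edu - - [30/Jul/2010:12:09:30 -0500] "HEAD /tw610306 HTTP/1.1" 404 - "http://www.dont-try-this-at-home.org" "Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6"
i.just.root.edu - - [30/Jul/2010:12:09:40 -0500] "HEAD /tw76da89 HTTP/1.1" 404 - "http://www.dont-try-this-at-home.org" "Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6"
i.just.root.edu - - [30/Jul/2010:12:09:50 -0500] "HEAD /tw7qse5b HTTP/1.1" 404 - "http://www.dont-try-this-at-home.org" "Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6"
10.0.0.5 - - [30/Jul/2010:12:09:30 -0500] "GET / HTTP/1.1" 200 594 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6"
10.0.0.5 - - [30/Jul/2010:12:09:31 -0500] "GET /favicon.ico HTTP/1.1" 404 - "http://infiltrated.net/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6"
"""


class Event(NamedTuple):
    client: str
    ts: datetime
    method: str
    path: str
    status: int
    referer: str
    ua: str


def parse_line(line: str) -> Optional[Event]:
    m = LOG_RE.match(line)
    if not m:
        return None
    return Event(m["client"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
                 m["method"], m["path"], int(m["status"]), m["referer"], m["ua"])


def ua_trait(ua: str) -> Optional[str]:
    """Command-line tools announce themselves; a string with browser tokens
    but without the 'Mozilla/' prefix real browsers send is a hand-typed fake."""
    if ua.startswith(("curl/", "Wget/", "python-requests/")):
        return "tool-ua"
    if any(tok in ua for tok in BROWSER_TOKENS) and not ua.startswith("Mozilla/"):
        return "malformed-browser-ua"
    return None


def analyze(log_text: str, burst_window: int = 60, burst_threshold: int = 5) -> Dict[str, List[str]]:
    """Return {client: sorted list of traits} for clients that show any trait."""
    by_client: Dict[str, List[Event]] = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            by_client[ev.client].append(ev)

    findings: Dict[str, set] = defaultdict(set)
    for client, events in by_client.items():
        events.sort(key=lambda e: e.ts)
        for trait in {ua_trait(e.ua) for e in events}:
            if trait:
                findings[client].add(trait)
        # Browsers fetch pages with GET; a client that sends nothing but HEAD
        # is checking whether paths exist, not reading them.
        if len(events) >= 3 and all(e.method == "HEAD" for e in events):
            findings[client].add("head-only")
        # Sliding window over 404s: many distinct missing paths in a short span
        # is the signature of a wordlist walk, even one paced with sleep.
        window: Deque[Event] = deque()
        for e in events:
            if e.status != 404:
                continue
            window.append(e)
            while (e.ts - window[0].ts).total_seconds() > burst_window:
                window.popleft()
            if len({w.path for w in window}) >= burst_threshold:
                findings[client].add("404-burst")
                break
    return {client: sorted(traits) for client, traits in findings.items()}


if __name__ == "__main__":
    for client, traits in analyze(SAMPLE_LOG).items():
        print(client, ", ".join(traits))
```

The burst window and threshold are the knobs that decide how much pacing the detector tolerates: a `sleep 10` between requests still lands five distinct 404s inside a 60-second window, while a single missing favicon from a real browser never does.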

hayabusa

Hero Member

Posts: 1661

Joined: Mon Jan 29, 2007 2:59 pm

Post Sat Jul 31, 2010 8:28 pm

Re: Scanning techniques

sil.

That's an awesome writeup.  Thanks!
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH

yatz

Full Member

Posts: 222

Joined: Tue May 25, 2010 2:58 pm

Post Sat Jul 31, 2010 10:34 pm

Re: Scanning techniques

Wow, I only got about half of that... guess I need to get busy.

Very nifty!

Have you used this kind of stuff, sil, in actual pentests or is that not what you do?  Also, for example scanning only certain ports to avoid Snort, how could you set up Snort to pick up this sort of traffic?  By configuring it that way would you pick up lots of false positives?
"Live as though you would die tomorrow, learn as though you would live forever."

CCNA, MCSA, MCTS, Sec+, Net+, Linux+, CEH
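The Snort question above has a concrete answer in the hping command sil posted: `-i 10` spaces the four SYNs ten seconds apart, so any portscan detector that counts distinct ports inside a short window sees at most two of them and stays quiet, and `-s 80` puts a well-known service port where a client's ephemeral port should be. As an added example (not code from yatz, sil or Snort), here is a plain Python model of the two checks a detector needs: distinct destination ports per source/destination pair over a configurable window, and outbound SYNs from privileged source ports. The records are constructed to mirror that hping run (scanner address taken from the `addr:` line of the posted output, the second client made up), and the same data is run through a 15-second and a 60-second window to show the difference.

```python
"""Detect a slow, few-port SYN scan in connection records.

Added example, not from the thread. Records are constructed; the
scanner address comes from the hping output in sil's post and the
second client is made up.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple


class Syn(NamedTuple):
    ts: float   # seconds since capture start
    src: str
    sport: int
    dst: str
    dport: int
    ttl: int
    win: int


# Constructed sample: the paced scan (one SYN every 10 s, fixed source port 80,
# TTL 32, window 5000) interleaved with an ordinary client that opens two
# print-service connections from ephemeral ports.
SAMPLE: List[Syn] = [
    Syn(0, "192.168.1.138", 80, "192.168.1.75", 80, 32, 5000),
    Syn(5, "192.168.1.21", 51234, "192.168.1.75", 631, 64, 65535),
    Syn(10, "192.168.1.138", 80, "192.168.1.75", 443, 32, 5000),
    Syn(20, "192.168.1.138", 80, "192.168.1.75", 135, 32, 5000),
    Syn(30, "192.168.1.138", 80, "192.168.1.75", 139, 32, 5000),
    Syn(40, "192.168.1.21", 51235, "192.168.1.75", 515, 64, 65535),
]

Pair = Tuple[str, str]


def distinct_ports(records: List[Syn], window: float, threshold: int) -> Dict[Pair, List[int]]:
    """Per (src, dst) pair, report the first span of `window` seconds in which
    at least `threshold` distinct destination ports were probed."""
    by_pair: Dict[Pair, List[Syn]] = defaultdict(list)
    for r in records:
        by_pair[(r.src, r.dst)].append(r)
    hits: Dict[Pair, List[int]] = {}
    for pair, rs in by_pair.items():
        rs.sort(key=lambda r: r.ts)
        for i, start in enumerate(rs):
            ports = {r.dport for r in rs[i:] if r.ts - start.ts <= window}
            if len(ports) >= threshold:
                hits[pair] = sorted(ports)
                break
    return hits


def privileged_source_ports(records: List[Syn]) -> List[Tuple[str, int]]:
    """Real clients pick ephemeral source ports; an outbound SYN from a
    well-known port (80 here, set by -s 80 to pass for web traffic at a
    stateless filter) is worth an alert on its own."""
    return sorted({(r.src, r.sport) for r in records if r.sport < 1024})


if __name__ == "__main__":
    print("15 s window:", distinct_ports(SAMPLE, 15, 4))   # paced scan slips through
    print("60 s window:", distinct_ports(SAMPLE, 60, 4))   # caught
    print("low source ports:", privileged_source_ports(SAMPLE))
```

On the false-positive side of the question: widening the window is what catches the paced scan, and the cost is that a busy client legitimately touching several services in a minute (a workstation hitting print, file and web services on one server) starts to look the same. The source-port check has no such trade-off, which is why it pairs well with a generous window.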

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Sat Jul 31, 2010 11:54 pm

Re: Scanning techniques

sil wrote:*looks up in the sky whistling.... pointing to dynamik* :D It's Friday!


Is that a challenge? Sorry, I was up until 1:30AM working on my coworker's cubicle...

http://i360.photobucket.com/albums/oo46 ... /cups1.jpg

http://i360.photobucket.com/albums/oo46 ... /cups2.jpg

http://i360.photobucket.com/albums/oo46 ... /cups3.jpg

http://i360.photobucket.com/albums/oo46 ... /cups4.jpg

There are over 1300 2oz cups there. We put Pinesol in the first couple hundred, but it got overwhelming...
The day you stop learning is the day you start becoming obsolete.

Xen

Sr. Member

Posts: 386

Joined: Tue Feb 03, 2009 3:59 am

Post Sun Aug 01, 2010 10:25 am

Re: Scanning techniques

@dynamik
Nice! Reminds me of your office prank post at TExams.

sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Tue Aug 03, 2010 11:23 am

Re: Scanning techniques

yatz wrote:Have you used this kind of stuff sil in actual pentests or is that not what you do? 


Yatz, sorry for the delay in responses. I use all sorts of experiments on pentests. Remember, my point of view is, as a pentester, my role is to get in as responsibly as possible. I dictate the tools to use as it's my role to be the attacker. In no shape, form or fashion is someone ever going to be able to say: "Ok scriptkiddiots, we know you're out there, if you hit our networks, can you preferably ONLY use metasploit!" The reality is, many tools have different pros and cons.

In fiddling around with networking, studying, tampering in my labs, on my work network (I do in-house pentesting for my company, SIG audits for ourselves and clients) I'm always playing this strange game with myself called: "I can beat myself!" Where on the one hand I'm attacking, the next hand monitoring to see how I would need to defend should the situation arise. This is how many times I come up with oddities in operating systems and networks... Trial and error.

Besides, as some have seen on the Metasploit versus Canvas, no one tool fits all and I've found when I fiddle with my own tools sometimes, I get more tuned results and I can tinker with parameters more granularly to give me either complete stealth (bounce/idle scans) or complete immunity (decoy + target's_networks_hosts_in_the_mix)

As for false positives, again, it depends. Because I know what I'd be targeting, I can focus specifics after it. This is something that many tools don't do. Most will fire and forget say 1000+ exploits at IIS blindly. Why would I waste time and packets sending PHP based attacks to a server running IIS? False positives are pretty easy to weed out since my attack space is so low when I'm actually attacking.

Think about the following for a moment. Say I run nmap against a machine which yields 20 services running... I add -sV for version information and in the end, I end up with say 10 potential exploits per service. I now have 200 possibilities. By doing my own tests to validate what nmap or whatever other scanner I'm using, I might be able to find say 2 exploits for only 5 ports. I have 10 exploits to tinker with/test and weed out those fp's as opposed to wondering what to do with 200.

yatz

Full Member

Posts: 222

Joined: Tue May 25, 2010 2:58 pm

Post Tue Aug 03, 2010 12:19 pm

Re: Scanning techniques

sil wrote:I'm always playing this strange game with myself called: "I can beat myself!" Where on the one hand I'm attacking, the next hand monitoring to see how I would need to defend should the situation arise. This is how many times I come up with oddities in operating systems and networks... Trial and error.


This makes a lot of sense, that is, if you have the time to play those games.  I would love to do more of those kind of tasks but sadly I barely have time to learn one tool at a time.  Being committed and earnest will take you far, just sometimes it takes more time.

sil wrote:Most will fire and forget say 1000+ exploits at IIS blindly. Why would I waste time and packets sending PHP based attacks to a server running IIS.


This is what I was thinking about when I initially started this thread, except my thinking was focused on scanning.  Still, the concept is the same.  Why blast packets out when maybe there's already a list somewhere that can give me a more narrow target surface? 

I was looking through the CEH material and there was a quote on one page that basically reiterated exactly what you are talking about.  When I saw it I thought to myself, "Hey, that's what sil was talking about!"  I don't have it handy, but to summarize it said, "Hackers rarely rely on existing tools with default configs, they tailor versatile tools to meet specific needs or create new tools for individual scenarios." 
"Live as though you would die tomorrow, learn as though you would live forever."

CCNA, MCSA, MCTS, Sec+, Net+, Linux+, CEH

sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Tue Aug 03, 2010 12:36 pm

Re: Scanning techniques

yatz wrote:This makes a lot of sense, that is, if you have the time to play those games.  I would love to do more of those kind of tasks but sadly I barely have time to learn one tool at a time.  Being committed and earnest will take you far, just sometimes it takes more time.

...

I was looking through the CEH material and there was a quote on one page that basically reiterated exactly what you are talking about.  When I saw it I thought to myself, "Hey, that's what sil was talking about!"  I don't have it handy, but to summarize it said, "Hackers rarely rely on existing tools with default configs, they tailor versatile tools to meet specific needs or create new tools for individual scenarios."

You can always make time ;) On average, I get on about 5 conference calls and meetings I shouldn't be at (don't care to be at) per week. Sometimes even 3-4 a day. Vendor meetings, interop conference calls, boring FINRA babbling I have to hear. During this time I always try to keep myself amused and busy. This is while @ work... On the weekends, I try to dedicate at least 2 hours to checking out what's going on in the world of forensics, malware and "hackerdom". When I see something interesting, I bookmark it so that I can go back the next time I have to get on the phone with a vendor...

My bosses sort of don't like it since when I'm at meetings I don't care to be at, my mind is far off in security land wondering what to do next. I do this out of interest and love for it so I'm just lucky to get paid for what I do. However, take note of that statement... "I do this out of interest and love". I believe when you take this approach the burden of things like "making more money via certs, passing a test, going further" is lowered and one's ability to retain, understand and progress is strengthened.

bery

Newbie

Posts: 5

Joined: Thu Aug 12, 2010 5:56 am

Post Wed Sep 01, 2010 5:37 am

Re: Scanning techniques

Thanks for the useful suggestion.
