
Enumerating the 'hidden' IP addresses using port 0?

bobby_here

Newbie

Posts: 14

Joined: Sat Jun 02, 2012 4:04 pm

Post Wed Jun 13, 2012 2:37 pm

Enumerating the 'hidden' IP addresses using port 0?

I recently ran a Nessus scan against my outward-facing IP. 

Its information gathering tools discovered a lot of pertinent data.

It correctly identified:

my eth0 MAC.
my wlan0 MAC.
my firewall rules (using iptables -L -n -v -t filter).
my operating system (using uname -a).
the name of my computer (but not the user name).
my programs listed as ESTABLISHED or LISTENING (using netstat).

For example:

"By connecting to the remote host via SSH with the supplied credentials, this plugin enumerates network interfaces configured with IPv4 addresses."

- 127.0.0.1 (on interface lo)

- 93.xxx.xxx.xxx (on interface ppp0)
- 128.xxx.xxx.xxx (on interface wlan0)

Nessus gathers this information by sending the queries mentioned earlier (like uname -a) to port 0.

I first assumed that this would be an excellent tool to identify a person as it reveals their real IP (if they are 'hiding' behind a VPN, assuming that wlan0 is not a 192.168.x.x address).

However, I then thought that the 'real' IP address can only be gathered as I was scanning myself.

I need to test this, but am I correct to think that if one outward-facing IP uses Nessus to scan a different outward-facing IP, then they would not get the 'real' IP addresses like I did when I scanned myself?

I don't see, for example, how commands like uname and iptables can be run on remote machines across the Internet because, if so, the whole idea of VPNs is rendered pointless.

Thanks!

unicityd

Full Member

Posts: 170

Joined: Wed Sep 03, 2008 5:33 pm

Post Wed Jun 13, 2012 2:45 pm

Re: Enumerating the 'hidden' IP addresses using port 0?

Nessus reports local information as port 0.  Are you scanning this machine remotely or are you running Nessus from the target machine? 

Port 0 is reserved and not used by any (legit) TCP/UDP services.  On Unix, a program can request a dynamic port by specifying port 0; this will tell the API call to select a port.
BS in IT, CISSP, MS in IS Management (in progress)
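An added example (my own code, not from the thread or from Nessus) of the socket-level meaning of "port 0" that unicityd describes: binding to port 0 is a request for the kernel to pick a free ephemeral port, so nothing can listen on port 0 itself, which is why a scanner can use it as a label for host-level (local) findings. The /proc path for the ephemeral range is a Linux-only assumption; other systems use different defaults.

```python
import socket


def ephemeral_bind(host="127.0.0.1"):
    """Bind a TCP socket to port 0 and return the port the OS actually chose.

    Port 0 is never a service port: passing it to bind() asks the kernel to
    allocate a free ephemeral port, which getsockname() then reveals.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.bind((host, 0))
        return sock.getsockname()[1]
    finally:
        sock.close()


def local_port_range():
    """Return the kernel's ephemeral range, or None if it cannot be read.

    Assumption: the Linux /proc interface. Other OSes keep this elsewhere
    (and use different defaults), so a missing file is not an error here.
    """
    try:
        with open("/proc/sys/net/ipv4/ip_local_port_range") as fh:
            low, high = fh.read().split()
            return int(low), int(high)
    except OSError:
        return None


def allocate_ports(n=3, host="127.0.0.1"):
    """Hold n sockets bound with port 0 at once; each gets a distinct port."""
    socks, ports = [], []
    try:
        for _ in range(n):
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.bind((host, 0))
            socks.append(s)
            ports.append(s.getsockname()[1])
    finally:
        for s in socks:
            s.close()
    return ports


if __name__ == "__main__":
    print("ephemeral range reported by kernel:", local_port_range())
    print("ports handed out for 'port 0':", allocate_ports())
```

Every port returned is in the ephemeral range and never 0; that is the whole of what "port 0" means to the TCP/IP stack, and a remote scanner has nothing to connect to there.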

bobby_here

Newbie

Posts: 14

Joined: Sat Jun 02, 2012 4:04 pm

Post Wed Jun 13, 2012 4:17 pm

Re: Enumerating the 'hidden' IP addresses using port 0?

unicityd wrote:
Nessus reports local information as port 0.  Are you scanning this machine remotely or are you running Nessus from the target machine?

I think this answers my question.

I am running Nessus from the target machine.

Hence, if I understand correctly, your point is that the information collected is "local".

And therefore if I was scanning the same machine remotely I would not be able to obtain such "local" information.

Correct?

unicityd

Full Member

Posts: 170

Joined: Wed Sep 03, 2008 5:33 pm

Post Wed Jun 13, 2012 5:23 pm

Re: Enumerating the 'hidden' IP addresses using port 0?

Correct.
BS in IT, CISSP, MS in IS Management (in progress)

MaXe

Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Thu Jun 14, 2012 8:54 am

Re: Enumerating the 'hidden' IP addresses using port 0?

But you can obtain some information about the remote system by sending packets over ICMP, which doesn't use ports. Ping (ICMP ECHO) is one of the common ones, but there's also "timestamp" (if that's the right name), netmask, and more.
I'm an InterN0T'er
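The two probes MaXe mentions are ICMP Timestamp (type 13/14) and Address Mask (type 17/18) from RFC 792. The following is an added example, written for this page and not part of MaXe's post or any tool, that builds both requests, validates and decodes the replies, and shows what each one leaks: the target's clock (here reduced to a clock offset) and its subnet mask. The replies are constructed in-line so the block runs offline; the identifier value and the helper names are my own.

```python
import socket
import struct
import time

# ICMP message types from RFC 792; ICMP carries no port numbers at all.
ICMP_TIMESTAMP_REQUEST = 13
ICMP_TIMESTAMP_REPLY = 14
ICMP_MASK_REQUEST = 17
ICMP_MASK_REPLY = 18


def inet_checksum(data):
    """RFC 1071 one's-complement sum; returns 0 for a message whose checksum is correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ms_since_midnight_utc(now=None):
    """ICMP timestamps are milliseconds since midnight UTC."""
    now = time.time() if now is None else now
    return int((now % 86400) * 1000)


def build_icmp(msg_type, ident, seq, body):
    """Type/code/checksum/id/seq header plus body, with the checksum filled in."""
    header = struct.pack("!BBHHH", msg_type, 0, 0, ident, seq)
    csum = inet_checksum(header + body)
    return struct.pack("!BBHHH", msg_type, 0, csum, ident, seq) + body


def timestamp_request(ident=0x4242, seq=1, originate=None):
    """Type 13: sender fills the originate stamp; receive/transmit stay zero."""
    if originate is None:
        originate = ms_since_midnight_utc()
    return build_icmp(ICMP_TIMESTAMP_REQUEST, ident, seq, struct.pack("!III", originate, 0, 0))


def mask_request(ident=0x4242, seq=1):
    """Type 17: body is a zeroed 32-bit mask field for the target to fill."""
    return build_icmp(ICMP_MASK_REQUEST, ident, seq, b"\x00" * 4)


def parse_icmp(packet):
    """Check the checksum and decode the fields of the four types handled here."""
    if len(packet) < 8:
        raise ValueError("ICMP message shorter than the 8-byte header")
    if inet_checksum(packet) != 0:
        raise ValueError("bad ICMP checksum")
    msg_type, code, _, ident, seq = struct.unpack("!BBHHH", packet[:8])
    body = packet[8:]
    info = {"type": msg_type, "code": code, "id": ident, "seq": seq}
    if msg_type in (ICMP_TIMESTAMP_REQUEST, ICMP_TIMESTAMP_REPLY):
        if len(body) < 12:
            raise ValueError("truncated timestamp message")
        orig, recv, xmit = struct.unpack("!III", body[:12])
        info.update(originate=orig, receive=recv, transmit=xmit)
    elif msg_type in (ICMP_MASK_REQUEST, ICMP_MASK_REPLY):
        if len(body) < 4:
            raise ValueError("truncated address mask message")
        info["mask"] = socket.inet_ntoa(body[:4])
    else:
        raise ValueError("unsupported ICMP type %d" % msg_type)
    return info


def simulate_timestamp_reply(request, receive, transmit):
    """Constructed target reply: echoes id/seq/originate and adds the target's own clock."""
    req = parse_icmp(request)
    body = struct.pack("!III", req["originate"], receive, transmit)
    return build_icmp(ICMP_TIMESTAMP_REPLY, req["id"], req["seq"], body)


def simulate_mask_reply(request, mask="255.255.255.0"):
    """Constructed target reply carrying the mask configured on its interface."""
    req = parse_icmp(request)
    return build_icmp(ICMP_MASK_REPLY, req["id"], req["seq"], socket.inet_aton(mask))


def clock_offset_ms(request, reply):
    """Target clock minus prober clock: the information a timestamp probe leaks."""
    req, rep = parse_icmp(request), parse_icmp(reply)
    if (req["id"], req["seq"]) != (rep["id"], rep["seq"]):
        raise ValueError("reply does not match request id/seq")
    return rep["receive"] - req["originate"]


if __name__ == "__main__":
    req = timestamp_request(ident=7, seq=3, originate=1000)
    rep = simulate_timestamp_reply(req, receive=1250, transmit=1251)
    print("timestamp reply:", parse_icmp(rep), "offset ms:", clock_offset_ms(req, rep))
    print("mask reply:", parse_icmp(simulate_mask_reply(mask_request(ident=7, seq=4))))
```

Putting these on the wire needs a raw socket (SOCK_RAW with IPPROTO_ICMP, i.e. root) and a target whose filter lets the type through; the reply is parsed exactly as above, with the checksum check catching damaged or forged responses. Note that this still tells you nothing about interfaces the target does not answer from, which is the distinction the rest of the thread is drawing.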

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Sun Jun 17, 2012 7:14 pm

Re: Enumerating the 'hidden' IP addresses using port 0?

You can also run credentialed scans and pull in this type of information via SSH (if the circumstances permit).
The day you stop learning is the day you start becoming obsolete.

bobby_here

Newbie

Posts: 14

Joined: Sat Jun 02, 2012 4:04 pm

Post Sat Jun 23, 2012 1:48 pm

Re: Enumerating the 'hidden' IP addresses using port 0?

The Nessus reports says:

"By connecting to the remote host via SSH with the supplied credentials, this plugin enumerates MAC addresses."

Two questions:

First, as this scan is done on the "port" 0 presumably it can only be done when the scanned machine and the scanning machine are on the same LAN?

Second, I don't understand what the "supplied credentials" mean?  I did not supply any such credentials but the SSH tool obtained my internal IP address and MAC addresses.  How?

Thanks as always.

Triban

Hero Member

Posts: 620

Joined: Fri Feb 19, 2010 4:17 pm

Post Mon Jun 25, 2012 8:13 pm

Re: Enumerating the 'hidden' IP addresses using port 0?

The Nessus plugins have a number of custom configurations you can change to suit your environment.  The initial safe scan done by Nessus checks only what is available.  It will not brute force or log into any of the services found.  It will scan ports and try to enumerate the services on those ports.  It will then try to determine versions.  From there it will pull the possible vulnerabilities associated with those services and their versions.  If a system is properly locked down, there may be very little for Nessus to find, at which point you will need to gain access to the system.  If you are running Nessus in an enterprise for vulnerability management, you can supply credentials for the various services.  This allows you to get a better idea of the vulnerable services.
Certs: GCWN
(@)Dewser
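An added example, mine rather than Nessus's plugin code, of the host-side half of what dynamik's and Triban's credentialed-scan remarks describe: once the scanner has an authenticated SSH session it runs a command such as `ip -o -4 addr show` on the target and parses the result into the "address (on interface X)" list quoted earlier in the thread. The sample output is constructed (documentation and private ranges only, with a prefix-less ppp0 line), the classification rules and function names are my own, and the SSH step itself is deliberately left out because none of this is reachable without credentials.

```python
import ipaddress
import re

# Constructed sample of `ip -o -4 addr show` output as a credentialed scanner
# would read it back over SSH. Addresses are RFC 1918 / documentation ranges,
# not real hosts; ppp0 mimics a point-to-point link that carries no prefix.
SAMPLE_IP_ADDR_OUTPUT = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
2: eth0    inet 192.168.1.23/24 brd 192.168.1.255 scope global eth0\\       valid_lft forever preferred_lft forever
3: wlan0    inet 198.51.100.5/24 brd 198.51.100.255 scope global wlan0\\       valid_lft forever preferred_lft forever
4: ppp0    inet 203.0.113.7 peer 203.0.113.1/32 scope global ppp0\\       valid_lft forever preferred_lft forever
"""

# "<index>: <ifname>    inet <addr>[/<prefix>] ..." is the one-line (-o) layout.
LINE_RE = re.compile(
    r"^\d+:\s+(?P<ifname>\S+)\s+inet\s+(?P<addr>\d{1,3}(?:\.\d{1,3}){3})(?:/(?P<plen>\d{1,2}))?"
)

# Explicit non-public ranges. ipaddress.is_private is avoided on purpose: it
# also flags the documentation ranges used in the sample, which would hide
# the public-vs-internal distinction bobby_here is asking about.
NON_PUBLIC = [
    ("loopback", ipaddress.ip_network("127.0.0.0/8")),
    ("rfc1918", ipaddress.ip_network("10.0.0.0/8")),
    ("rfc1918", ipaddress.ip_network("172.16.0.0/12")),
    ("rfc1918", ipaddress.ip_network("192.168.0.0/16")),
    ("link-local", ipaddress.ip_network("169.254.0.0/16")),
    ("cgnat", ipaddress.ip_network("100.64.0.0/10")),
]


def classify(addr):
    """Label an IPv4 address; anything outside the explicit list counts as public."""
    ip = ipaddress.ip_address(addr)
    for label, net in NON_PUBLIC:
        if ip in net:
            return label
    return "public"


def enumerate_ipv4(ip_addr_output):
    """Parse `ip -o -4 addr show` text into one record per interface address."""
    records = []
    for line in ip_addr_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate unrelated lines (warnings, IPv6 if present)
        records.append({
            "interface": m["ifname"],
            "address": m["addr"],
            "prefixlen": int(m["plen"]) if m["plen"] else 32,
            "class": classify(m["addr"]),
        })
    return records


def format_like_plugin(records):
    """Render the list in the same shape as the scanner output quoted above."""
    return ["- %s (on interface %s)" % (r["address"], r["interface"]) for r in records]


def exposure_candidates(records):
    """Addresses that look routable: the ones a VPN user would not want revealed."""
    return [r for r in records if r["class"] == "public"]


if __name__ == "__main__":
    found = enumerate_ipv4(SAMPLE_IP_ADDR_OUTPUT)
    print("\n".join(format_like_plugin(found)))
    for r in exposure_candidates(found):
        print("routable-looking address on", r["interface"], ":", r["address"])
```

The point the parser makes concrete: every record here comes from text the target itself produced after a successful login, which is why such findings sit under "port 0" and why an unauthenticated scan of the same host from across the Internet sees none of it.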

Return to Network Pen Testing

Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software