Null Delhi chapter - Feb 2019

1. Recon with Nmap - Network scanning for noobs & ninjas

3. Home Network 192.168.0.1 192.168.0.102192.168.0.101 192.168.0.103 192.168.0.104

4. Enterprise Network Firewall Router Switch Hosts Private IP Class A : 10.0.0.0 – 10.255.255.255 Class B : 172.16.0.0 – 172.31.255.255 Class C : 192.168.0.0 – 192.168.255.255 Public IP Internet NAT/PAT

5. Find your own IP Public IP Just Google What is my ip address Or, visit http://whatismyip address.com Private IP Open the cmd/terminal and type: # ipconfig (windows) # ifconfig (Unix/Linux)

6. Private IP

7. Public IP

8. Who else is on the network? # ping <target ip>

9. What Services are available? - Each hosts needs to perform multiple networking operations as web, instant messenger, file transfer, video streaming and remote management using RDP or SSH - Can either be TCP or UDP based service associated with unique port number

10. Port Numbers ● Port no exists at Transport Layer ● Size: 16 bits unsigned integer ● Range: 0 – 65535 (Both TCP & UDP) – Well known port ( 0 – 1023 ) – Reserved port ( 1024 – 49151 ) – Dynamic or Private port ( 49152 – 65535 )

11. Common Services & Ports ● Web Services – tcp/80, tcp/8080, tcp/443 ● FTP – tcp/20 & 21 ● SSH – tcp/22 ● Mail – tcp/25 ● Database – Mysql (tcp/3306), Oracle (tcp/1521) ● DNS - udp/53 ● SNMP –udp/161

12. TCP vs UDP • Transmission Control Protocol • Reliable • Connection-oriented (3-way handshake) • Flow control, sequencing and acknowledgement • User Datagram Protocol • Unreliable • Connection less • No retransmission and acknowledgement

13. TCP 3 Way Handshake SYN SYN + ACK ACK Service is listening (Open ) DATA

14. TCP 3 Way Handshake SYN RST Service is listening (Closed)

15. Demo Time

16. Demo with Netcat Start Netcat Listener (Server) # nc -l -p <port> Use Netcat as client # nc <ip> <port> & Inspect traffic in Wireshark

17. Nmap ● Open Source ● Fast and efficient ● Supports multiple platforms ● Active community support ● Popular...Featured in Movies as well :-) ● Can be extended by using its Nmap Scripting Engine

18. Specifying Input Targets # nmap scanme.nmap.org # nmap 192.168.0.1 # nmap 192.168.0.1-200 # nmap 192.168.0.1/24 # nmap –sn –iL <ip_list>

19. Specifying port range # nmap -p 80 192.168.0.1 # nmap –p 21,22,80 192.168.0.1/24 # nmap –p 1-65535 192.168.0.1/24 # nmap --top-ports 200 192.168.0.1/24 # nmap –top-ports 10 192.168.0.1 --reason PS: By default nmap scans only top 1000 most widely used ports which can be changed using –top-ports

20. Nmap – Common Scan Types TCP Connect Scan ( -sT ) - Complete 3-way handshake # nmap -sT <target> TCP SYN Scan ( -sS ) [Default] - Also known as Half-open scan # nmap -sS <target> UDP Scan ( -sU ) - Scan UDP ports, Runs Slow # nmap -sU <target>

21. Nmap Options - If host is not responding to ping probes! # nmap -Pn <target> - Version Detection # nmap -sS -sV <ip> - OS Detection # nmap -sS -O <ip> - Use Timing template for faster scan (noisy) # nmap –sS –T4 <ip> - Aggressive Scan ( version, os and script scan ) # nmap –sS –A <ip>

22. Nmap – Saving Output - Output Format supported: - Normal ( -oN ) - XML ( -oX ) - Grepable ( -oG ) - All Formats ( -oA ) # nmap -sS -sV -p- <ip> -oA <output_file>

23. Nmap scan I − TCP Services # nmap –sS –p- –sV –O –Pn <target> -oA <out_file> - UDP Services # nmap –sU –p U:1-65535 –sV –Pn <target> -oA <out_file> - Combining TCP and UDP Scan # nmap –sU –sS –p U:53,111,137,T:21- 25,80,139,8080 <target> -oA <out_file>

24. Nmap Scripting Engine - Script ends with .nse extension - Located at “/usr/share/nmap/scripts” in kali - Invoked using –sC (default) or –-script switch - Categorised as auth, broadcast, brute, default. discovery, dos, exploit, external, fuzzer, intrusive, malware, safe, version, and vuln - Can be used for enumeration, vulnerability detection, exploitation and more.

25. NSE Scans - Executing Default script scan # nmap –p 21 –sC –sV <ip> - Executing script scan # nmap -p445 –-script=smb-enum-shares <ip> - Execute all smb scripts # nmap –p445 –-script=smb* <ip> - Execute scripts marked as safe and default # nmap –p445 –-script=safe,default <ip>

26. NSE Scans continued - Enumerating services # nmap -p445 –script=smb-enum-shares <ip> - Brute Force Attacks # nmap -p445 --script smb-brute --script-args userdb=users.txt,passdb=passwords.txt <ip> - Vulnerability Scan # nmap -Pn –script=vuln <ip> # nmap -p445 –script=smb-vuln-ms17-010 <ip>

27. NSE Scans - Demo

28. NSE Scans - Demo

29. Demo Time

30. Nmap Scan Types II - Not all systems are RFC compliant - Responds differently on receiving certain TCP flags - Mostly used in *nix based system - FIN Scan (-sF) - Sets the TCP FIN bit. - XMAS (-sX) - Sets the FIN, PSH, and URG flags - Null Scan (-sN) - Does not set any flags

31. Firewalls - Modify source port # nmap –g 80 <ip> - Fragment the packet # nmap –f <ip> -Send packet with bad checksum # nmap –-badsum <ip>

32. Thanks

Null Delhi chapter - Feb 2019

Null Delhi chapter - Feb 2019

Recomendados

Más contenido relacionado

Was ist angesagt?

Was ist angesagt?(20)

Similar a Null Delhi chapter - Feb 2019

Similar a Null Delhi chapter - Feb 2019(20)

Último

Último(20)

Null Delhi chapter - Feb 2019

Hinweis der Redaktion