This meeting was held at Alexis Park, Las Vegas, Nevada, July 9th to 11th, 1999. This has been your 224th Introduction to Scanners.

How's everyone doing? I'm Modify, I'm part of attrition.org staff. I'm going to be doing intro to scanners, basically showing nmap and the flags and what shows up in the logs. So I'm going to start off.

A scanner is a program that detects weaknesses in remote or local computer systems. Scanners attack TCP/IP ports and services and record the response from the target host. However, the attacker must know how to interpret these scans. They're not going to show you what's vulnerable. They're not going to tell you what kind of exploit to use.

Ports are monitored by the inetd daemon, which is started at boot time. inetd reads the /etc/inetd.conf file at boot time to determine which network services it is supposed to manage. These are all the services. They can be commented out, so they are not started at boot time, by putting a pound sign before them.

In simple terms, port scanners probe the host and attempt to establish a connection to every available port, one after another. This provides a roadmap of available services on a certain computer and can be used to launch an attack against the system. We're going to be showing nmap, which is found at www.insecure.org. This system is running Slackware 3.5 with kernel 2.0.34, as you can see. Port scanning is a very popular reconnaissance tool amongst hackers.

Some of the other scanning techniques I'd like to mention are rpcinfo and showmount. rpcinfo shows the RPC services that are running on a host. As you can see right off the bat, NFS. The other is showmount. This shows a list of exported file directories and who can mount them. If we did have an export list, it would be shown with the directories and who's allowed to.
When it shows it, if they show like a root directory, and sometimes you'll see anonymous, you can mount that by doing mount -t nfs targethost:directory /mnt, cd into /mnt, and you have control of the system. Then you'd probably grab the password file and crack it, or add your own entry.

We're going to go through some of the flags of nmap. You can learn more about nmap by doing man nmap, or nmap -h and piping it to more. It gives you all the flags and what each one is associated with.

Some of the flags: nmap -sT hostname is a TCP connect scan. It's not very stealthy. It shows up a lot in the logs. I'll demo that right now. It gives you the port, the state, which are all open, the protocol, TCP, and the service. It gets the services by looking at /etc/services, but there's also an nmap file called nmap-services. What it does is it scans the ports and then matches those to its file. It's like a database of all the services and ports. We'll run it again and take a look at the logs. As you can see, it's telling you what port it's connecting to, what service is running, and it also has the identification of who's doing the port scanning and where it's coming from.

The next flag is nmap -sS localhost, or the target. What this is is a TCP SYN scan. This technique is often referred to as half-open scanning because you don't open a full TCP connection. In other words, you don't do the three-way handshake. It waits for a SYN/ACK from the destination. If a SYN/ACK is received, then the port is open. If it's not, it's obviously closed. If a RST is received, then the port is closed. Rather than ACKing to establish the connection, it immediately resets to close the connection. We're getting the same ports here, but if we look into the logs, we get "connection from unknown". They can't determine who's port scanning.

The next flag is the stealth FIN scan, that's -sF. The FIN scan uses a bare FIN packet as the probe. It's used when SYN scanning is not stealthy enough.
Some programs watch for SYN packets, such as synlogger and Courtney, just to name a few. We'll show that one. It's been planned. I was going to put on some Bee Gees. This is the stealth scan. By the way, I don't have any extended logging on this machine, such as Abacus Sentry or anything like that. With the conventional /var/log/messages, the scanner won't show up.

The next one's a Xmas scan. The Xmas scan turns on the FIN, URG, and PUSH flags. That's done by -sX. You don't get anything coming up in your /var/log/messages. The next one's a Null scan. The Null scan turns off all flags.

Don't know. Oh, yeah. I actually wrote that. Oh, this is Fyodor, the author. He wrote nmap, actually.

I just like Xmas scan because you've got almost all the flags there. It's kind of a Christmas packet. You don't have the SYN packet in there, so it's almost a Christmas packet. Sorry. I just said you're almost sending the Christmas packets, Christmas tree, lit-up packets where you have all the flags enabled. That's just why I called it that. Sorry, this is kind of impromptu. I thought it was a radio scanning seminar. Someone just said, hey, do you live in that room? I thought I'd stop by.

Come on, pull up the screen. The next one I'm going to show is ping scanning. Ping scanning is used to determine what hosts are on the network. It sends an ICMP echo request to every machine on the network; hosts that respond are up. I don't have a network up here, so it's only seeing my local computer. It sees my one IP address: one host up, scanned in zero seconds.

The next one is -PT, TCP ping. It's a TCP ping to determine what hosts are up. Instead of sending ICMP echo request packets, like in the previous one, and waiting for a response, we send out TCP ACK packets throughout the target network, or to a single machine, and then wait for responses to return. Hosts that are up should respond with a RST.
To set the destination port, it's nmap -PT and then whatever port you want to scan. The default port is 80, so we'll just leave it at 80. Those are from /var/log/messages.

The next scan is -sU. This is a UDP scan. This method is used to determine which UDP ports are open on a host. It sends a zero-byte UDP packet to each port on the target machine. If we receive an ICMP port unreachable message, then the port is closed. The UDP scan takes considerably longer because of kernel limitations on sending out ICMP error messages. This is defined in RFC 1812, section 4.3.2.8.

Yes, it's because they ignore the RFC, that's why. You send a packet, and the error response to the packet you send comes immediately; there are no limitations at all. It's beautiful for scanning.

On Solaris, it takes considerably longer. Linux is, I think, 80 messages, or 80 per 4 seconds, and Solaris is limited to about 2 messages per second. Some of the UDP services you may find are Cult of the Dead Cow's Back Orifice, trivial FTP, NFS, SNMP.

What was that? How do you know how to be that sender when you're on the hold? Sorry? How do you know how to be that?

Exactly, just put the flag 16 at the end of the, you know, just the IDR, I guess. Yeah, by default, if you don't specify any ports, it goes through 1 to 1024, the reserved ones, plus those in the services file that comes with nmap, which is basically your normal /etc/services plus some backdoors, such as NetBus, and the other ones you kind of want to keep a watch out for.

How do you add your own services if you want to?

It was created by basically taking a shitload of /etc/services files and putting them together. But if you find new services that you think should be in there, just drop me an email and I'll add them to the nmap-services file. By default, it only uses the one that's included.

As you can see, it took a considerable amount of time, but we have the port, state, protocol, and service for the UDP scan.
The next one is the FTP bounce. Older FTP servers would allow proxy connections. As an example, a user could connect to an FTP server and send a file anywhere on the internet from that FTP server. This method uses the FTP proxy to bounce a TCP scan off the server to the victim. So basically, you're scanning from another host. I'll put up the syntax. You put in the FTP bounce host and then the target, and that's how it's run. I don't have two machines connected, so I can't show it to you.

The next one is the -O flag. This option activates remote host identification by TCP/IP fingerprinting. It takes advantage of nuances found in each OS's TCP/IP stack to determine what OS is running. It sends specifically crafted packets to a host. This information is used to generate a fingerprint, which is then matched against a database of known OS fingerprints. So it shows us all the ports that are available, and then we have TCP sequence prediction. It's truly random; it would be very difficult to hijack. Hijacking using trusted relationship exploitation. Remote operating system guess: Linux 2.0.32 to 34. And I am using 2.0.34, so that is accurate. It shows one IP address scanned in two seconds. The next one is a logging option.

As he said, it can. If you have any proxy, sometimes even those transparent proxies, in between, anything that rewrites the packet headers is going to screw you up, because we rely on a bunch of real low-level details, like the ordering they put TCP options in, and the time-to-lives that they use, and just a ton of those low-level flags. If you have anything in between you and them, like a masquerading host or whatnot, that rewrites the packets, you're in trouble. You can still sometimes figure it out, but it's hard for nmap to automatically figure it out. You have to kind of compare the fingerprints you get with the nmap fingerprints file.
His question is, if there's a network device between you and them: a router shouldn't cause you any trouble at all, but mostly it's masquerading hosts, or those IP transparent proxies like Linux has. Anything that rewrites the TCP or IP headers has the potential to screw you up, because it kind of pollutes it. Some of the aspects will then look like the host in between you and them, but it shouldn't generally cause extra ports to be shown.

Are we going to do that? Yes, it absolutely does. It takes a little bit more effort, and you have to compare the fingerprint, but if you see something like the TCP window size is 0x2297, that gives you a good clue. Look in the nmap fingerprints file and see what machines have used that TCP initial window size, and you can often figure out who's at the very end and what's sitting between you and that host.

Yes. Yeah, there's actually going to be a presentation by Craig Rowland, I believe, I'm not sure at what time. Okay, at 6pm. And he's been working on the Abacus project, which kind of helps you detect some sorts of scans. Of course nmap has a lot of, I don't know what he's shown you so far, but it has a lot of extra features in order to counter those defensive measures. For example, you can spoof the IP address you use, and you can also send decoys out, so they'll say, hey, it looks like 10 different IP addresses scanned me. Who was the person actually scanning? You can also sometimes trick PortSentry into firewalling the wrong hosts, like if you have it in defensive mode. So you fake a port scan as coming from their main gateway, and all of a sudden they say, oh no, a port scan, I'm going to drop their packets, but there goes their network connectivity. So you have to be very, very careful in deploying reactive capabilities.
Because always remember, the scans could be spoofed. Just because you logged a scan, it could be someone scanning you, or it could be someone who wants you to think that someone's scanning you. So take everything in your logs with a grain of salt, of course.

Yo. Yeah. There are various things with the network that can in some cases cause it to fluctuate. One of the biggest things is that people have, like I said, a masquerading gateway between them, so you're getting kind of pollution of one system in between. You can also have cases where, hey, if they specially configured it with a kernel parameter that changes it. Linux has a parameter that'll change the TCP sequence predictability. We have that one covered in nmap, but there are other examples where people can change their kernel parameters and make it look different. Generally you should, but if you can find a host that doesn't always give you the same response, just send me mail, preferably with the IP address if you can, and I'll see if I can address that. Sometimes some, like Windows machines, are really bad about this. They're just not deterministic in a lot of ways. You would think, if I send the same packet to them, I'll always get the same packet back, the same type of packet, but no, sometimes you'll get a completely different flag set. It's like maybe they have some uninitialized memory or whatnot, but I've seen some very bizarre characteristics where a Windows machine will look one way the first time, then you'll scan the same machine and it'll respond to the same packet differently. But yeah, there are some cases like that. I think so. Um, yeah, it definitely does.
If it doesn't detect a host, like in that example he just did, if it hadn't detected the host, it would have given a URL you can go and enter it in, and then I'll add it to the global database so that nmap should be able to scan that sort of system. And we already have hundreds of them in there, from your normal Linux, all the kernels, from FreeBSD and OpenBSD to really, really obscure shit: special little printers, all sorts of network cameras. Anything with an IP stack is fair game as far as I'm concerned. So send it in and I'll add it.

It's just -O. Um, the last one I just did was -o and then a log file. I called it dc7.txt and it just writes out to a file that I name. It's just like doing nmap -sS localhost and then redirecting it to a file with two greater-than symbols.

The next one's port ranges. You can actually set the port ranges you want to scan. And you get the listing of what services are running on those particular ports if they're open. The -F flag is a fast scan. It only scans for services listed in the /etc/services file.

It does I/O multiplexing through select and such, and I found that produces significantly faster results because you don't have to waste kernel time scheduling all the threads. Multiplex the I/O. They're actually automatically randomized.

The next one is decoy scanning. He mentioned that. It causes a decoy scan to be performed, which makes it appear to the remote host that the hosts you specify as decoys are scanning the target network too. An IDS might report five to ten port scans from unique IP addresses, but they won't know which ones are decoys and which one is the IP really scanning them. The syntax for that is...

While he's typing it in, let me just mention a couple of quick things about decoys. A couple of hints that people may have found useful.
One, a very popular and very excellent tool for detecting SYN scans and such that I recommend is scanlogd by Solar Designer. However, you come into denial of service issues if you try and detect too many scans. I mean, you don't want me to just give 100,000 fake IPs and fill up your logs and use all your memory space. So by default scanlogd only logs the first five addresses that are scanned from. So I recommend always use at least five decoys, and you can use ME as a parameter saying where my IP goes in the order. Otherwise it randomizes which order is you and which is the decoys. If you have six or seven of them and then you say capital M, capital E, ME, then scanlogd will only log the first five addresses and you'll generally be home free.

Another quick decoy hint, and this is probably obvious to most of you, but I've been amazed how many times I get people from, you know, Yahoo and Microsoft. People, don't use www.yahoo.com as your decoy. I mean, let's see, I got a scan from microsoft.com, yahoo.com and dial up 33.eu.net. You ruin your decoy there. But I've seen that a lot. How did I get caught? I used five decoys. Well, you gotta have a clue. Same with hosts that aren't up. I just made up IP addresses. They don't even route. And you wonder why they figured out who was doing it. You do have to show a little sense here.

The last one I'm gonna mention is -g, and that sets the source port number used in the scan. Because many firewalls will let through the DNS port, or FTP data on port 20, so you can spoof a DNS packet and scan inside. That's -g, the port, and the target, and that's the syntax.

Yeah, a quick note. That's more useful than it even looks. I mean, I'm sure none of you administrators do it. But you'd be amazed how many people just, oh crap, he installed the new firewall and DNS isn't working.
We gotta let these DNS packets through. Oh, well, let's just, anything from source port 53's gotta be DNS, right? Just let it through. Oh shit, FTP's not working because you can't make the FTP data connection back. Well, a quick firewall rule. So I've been completely flabbergasted by how often just adding -g 53 for UDP scans or -g 20 for TCP scans, suddenly you get straight through. Right, that's a great tool. It's kind of along the lines of Firewalk. I don't know if any of you saw that, by route. You can check that out at packetfactory.com. But does anyone have any questions?

Sorry? Oh yeah, let's take that. A guy, see, what's his name? Yeah, it comes with an X version for people who like GUIs. A guy who wrote it. Fuck. I forgot his name right off hand. It's called NmapFE. If you go to the web page, it has links to it. Yeah, if you're into that, it uses GTK and it's a real pretty interface and it allows you to point and click, because some people bitch at me saying, hey, there's like 28 options and I have to read the man page every time I use it. So here they're intuitively placed and you can click your buttons and such. Check that out.

The last thing I want to mention is, really, try to attend Craig Rowland's speech. The Abacus Sentry IDS is really nice. It'll detect port scans and dump them into your hosts.deny, so they can't even reach you. It's really nice. But does anyone have any questions? You said 6 o'clock. You said 18:00 hours, 6 o'clock. In the back.

Oh, you're talking about like a time-based attack, like slow, so that... One thing that would be useful in that respect is a really slow scan that takes a week or two and scans port by port so you stay under the thresholds.
There's also distributed scans, scans from six machines, and coordinate the results. Another technique is to distribute widely available, easy-to-use tools to do this so that all the script kiddies use them; that way they don't see anything abnormal. They'll say, huh, this looks like the 20 other scans that are in my log from today. So since these tools are so widely available, people are less concerned about seeing a port scan. They see it every day; it's kind of like a traceroute. And also you can use the decoys. It's very difficult to trace that back if they see 10 or 20 different IP addresses doing the scanning, as long as you've chosen the decoys well, of course. So I am probably going to add the slow scan, but I haven't yet, just because I'm not very patient and I don't want to wait a week for my scan results.

I think we're going to wrap it up now. cDc is about to start with BO2K. If you need to email either one of us: modify at attrition.org, or fyodor at insecure.org or dhp.com. Thanks a lot.