233 lines
7.7 KiB
Markdown
233 lines
7.7 KiB
Markdown
# Scanning
|
|
|
|
* learn more about targets
|
|
* find potential attack openings
|
|
* addresses of live hosts
|
|
* network topologies
|
|
* OSs of hosts
|
|
* open ports
|
|
* services running on hosts
|
|
|
|
## Network tracing
|
|
|
|
* discover routes that packets take between systems
|
|
* allows constructing network diagrams
|
|
* sends ICMP/UDP/TCP packets with varying TTL
|
|
* requires routers to properly report dropped packets
|
|
* often disabled for performance/security reasons
|
|
* `traceroute` useful tool
|
|
* web-based [tools](https://tools.keycdn.com/traceroute) also available
|
|
|
|
### IPv4 and IPv6
|
|
|
|
* important IPv4 headers
|
|
* **TTL**: time to live
|
|
* tells us how many hops a package needed to make
|
|
* source and destination IP
|
|
* IPv6 properties
|
|
* 128 bit addresses
|
|
* simpler than IPv4
|
|
|
|
|
|
 
|
|
|
|
## Scanning
|
|
|
|
### TCP
|
|
|
|
* 16-bit ports
|
|
* sequence and ack number for reliable in-order delivery
|
|
* control bots track state
|
|
* **URG**: urgent flag
|
|
* **ACK**: acknowledge earlier packets
|
|
* **PSH** (push): data should not be buffered
|
|
* **RST**: reset connection
|
|
* **SYN**: synchronisation, sends initial sequence number
|
|
* **FIN**: indicate session can be closed
|
|
* half-open port scanning
|
|
* only send SYN part of handshake
|
|
* listen for response
|
|
* SYN + ACK: port open
|
|
* RST + ACK: port closed or blocked
|
|
* ICMP port unreachable: likely blocked
|
|
* no response: likely blocked
|
|
* can take a while if no responses are sent
|
|
* large scans are bad
|
|
* limit scope of scan
|
|
* select subset of targets
|
|
* only scan well-known ports initially
|
|
* limit scan based on firewall information
|
|
* temporarily tweak firewall to speed up scans
|
|
* use parallel machines (be careful not to DoS)
|
|
* scanrand & zmap tools
|
|
|
|
|
|
|
|
### UDP
|
|
|
|
* send empty UDP datagram and listen
|
|
* UDP packet response: something is listening on target port
|
|
* ICMP port unreachable: likely blocked
|
|
* no response: multiple options
|
|
* port is blocked by firewall
|
|
* port only responds to specific format
|
|
|
|
### ARP
|
|
|
|
* Address Resolution Protocol
|
|
* data link layer
|
|
* translates IPv4 addresses to MAC addresses
|
|
* scan local subnet for hosts
|
|
* lots of traffic
|
|
* can be detected by network intrusion detection systems (NIDS)
|
|
|
|
### ICMP
|
|
|
|
* Internet Control Message Protocol
|
|
* used for diagnostic purposes
|
|
* error reporting
|
|
* router discovery
|
|
* redirect messages
|
|
* ping sweeps
|
|
* traceroute
|
|
* redirect messages expose network topology
|
|
* ICMP address mask requests: determine subnet used by target host
|
|
|
|
### Nmap
|
|
|
|
* port scanner and all-in toolkit
|
|
* important tool when performing scanning
|
|
* TCP port scanning
|
|
* connect scan
|
|
* complete 3-way handshake
|
|
* can run without root
|
|
* not stealthy (connections can be logged)
|
|
* doesn't use nmap to craft packets
|
|
* syn scan/half-open scan
|
|
* runs as root
|
|
* only send initial SYN and listen for response
|
|
* detectable by firewall/NIDS
|
|
* ACK scan
|
|
* playing with control bits
|
|
* FIN scan: FIN bit of all packets set
|
|
* NULL scan: all bits set to 0
|
|
* Xmas tree scan: FIN, PSH, URG set
|
|
* Maimon scan: FIN and ACK set
|
|
* UDP scanning
|
|
* scans specific UDP ports
|
|
* sends protocol-specific messages to well-known ports
|
|
* firewall spotting
|
|
* generate packets with invalid TCP or UDP checksum
|
|
* targets will drop these
|
|
* firewalls don't always check checksum and will send a RESET/ICMP port
|
|
unreachable instead
|
|
* allows detecting firewalls
|
|
* can also look for varying TTL values
|
|
* TTL on firewall RESET message will be higher as the firewall is
|
|
closer
|
|
* full support for IPv6
|
|
* OS fingerprinting
|
|
* detect quirks of protocol behaviors for OS versions
|
|
* **active**: send special packets to detect behavior
|
|
* **passive**: observe patterns of network traffic (stealthy but less
|
|
accurate)
|
|
* version scanning
|
|
* detect versions of services running on host
|
|
* send packets to specific service types that reveal version information
|
|
* useful for crafting exploits
|
|
|
|
### Other stuff
|
|
|
|
* automated monitoring
|
|
* running nmap using cron can reveal changes in network
|
|
* tools like [masscan](https://github.com/robertdavidgraham/masscan) well
|
|
suited for this
|
|
* monitoring web applications also important
|
|
* [HTTPScreenshot](https://github.com/breenmachine/httpscreenshot):
|
|
take screenshots of websites
|
|
* [EyeWitness](https://github.com/RedSiege/EyeWitness): screenshots of
|
|
webpages, RDP and VNC servers, tries to login with default
|
|
credentials
|
|
* scanning cloud infrastructure
|
|
* lots of cloud usage
|
|
* companies often don't configure cloud service correctly
|
|
* very large IP addresses to search through
|
|
* use tools like [Shodan](https://www.shodan.io/) or
|
|
[Censys](https://search.censys.io/)
|
|
* automatically perform scans that can be accessed online
|
|
* allow monitoring target without direct contact
|
|
* badly configured S3
|
|
* buckets that allow writing without authorisation
|
|
* subdomain takeover allows attacker to take over bucket URL
|
|
* packet crafting
|
|
* sometimes very specific/controlled packets are required
|
|
* tools like [Scapy](https://scapy.net/) allow crafting packets for various
|
|
protocols
|
|
* Python tool
|
|
* provides REPL to forge, send and receive packets
|
|
|
|
## Vulnerability scanning
|
|
|
|
* process used to identify security weaknesses and vulnerabilities in a system,
|
|
network or application
|
|
* involves using automated tools to scan systems for known vulnerabilities
|
|
and weaknesses
|
|
* critical component of a robust cybersecurity strategy
|
|
* automated scanning allows detecting problems before they're possibly
|
|
exploited
|
|
* key aspects
|
|
* **goal**: identify and address security flaws before they're exploited
|
|
* **scan types**
|
|
* network scanning
|
|
* web app scanning
|
|
* host scanning
|
|
* **process**
|
|
1. discovery: identify all relevant devices, systems and applications
|
|
2. scanning: use automated tools to scan targets for known
|
|
vulnerabilities
|
|
3. analysis: analyse results for vulnerabilities and prioritize them
|
|
4. reporting: generate report detailing results
|
|
* **frequency**: how often to perform scans
|
|
* **compliance**: many regulatory standards require regular vulnerability scanning
|
|
|
|
### Methods
|
|
|
|
* Nmap Scripting Engine (NSE)
|
|
* allows extending nmap with Lua scripts
|
|
* greatly broadens scope of nmap
|
|
* nmap comes with a ton of ready-to-use scripts
|
|
* perfect for vulnerability scanning
|
|
* [Tenable](https://www.tenable.com/) Nessus
|
|
* modern vulnerability scanner
|
|
* can detect tens of thousands of vulnerabilities
|
|
* free for personal use
|
|
* [OpenVAS](https://github.com/greenbone/)
|
|
* open-source vulnerability scanner
|
|
* less expansive than Nessus
|
|
|
|
### Enumerating users
|
|
|
|
* process of retrieving list of usernames for system
|
|
* numerous methods
|
|
* public sources of information (websites, emails...)
|
|
* pentest: ask for list of users (grey box)
|
|
* Linux
|
|
* local: `/etc/passwd`
|
|
* remotely
|
|
* `finger @IP`
|
|
* query NIS or LDAP server if present
|
|
* `enum4linux` tool
|
|
* Windows
|
|
* list users using SMB session
|
|
* possible anonymously on older versions of Windows
|
|
* if single user is known, listing all users is possible
|
|
|
|
### Netcat
|
|
|
|
* netcat is useful
|
|
* general purpose TCP and UDP network tool
|
|
* installed basically everywhere
|
|
* used for setting up reverse shells among other things
|
|
* it's just a useful network tunnel
|