
4. Active Information Scanning - 2

우와해커 2020. 2. 21. 17:55

For port scanning, it is worth filtering the packets in Wireshark and checking what actually goes over the wire.

 

4.2 Port Scanning
Port scanning is the process of checking for open TCP or UDP ports on a remote machine.
Do not run port scans blindly. Always think about the traffic impact of the scan and the effect it could have on the target system.

 

4.2.1.1 - Connect Scanning

The simplest TCP port scanning technique, usually called CONNECT scanning, relies on the three-way TCP handshake mechanism.

root@kali:~# nc -nvv -w 1 -z 10.0.0.19 3388-3390
(UNKNOWN) [10.0.0.19] 3390 (?) : Connection refused

 

4.2.1.2 - Stealth / SYN Scanning
It could only bypass early firewalls; modern firewalls detect it. Don't take the term at face value, lol.

SYN scanning, or stealth scanning, is a TCP port scanning method that involves sending SYN packets to various ports on a target machine without completing a TCP handshake. If a TCP port is open, a SYN-ACK should be sent back from the target machine, informing us that the port is open, without the need to send a final ACK back to the target machine.


4.2.2 - UDP Scanning
Since UDP is stateless, and does not involve a three-way handshake, the mechanism behind UDP port scanning is different.

root@kali:~# nc -nv -u -z -w 1 10.0.0.19 160-162
(UNKNOWN) [10.0.0.19] 161 (snmp) open

 

* An empty UDP packet is sent to a specific port. If the UDP port is open, no reply is sent back from the target machine. If the UDP port is closed, an ICMP port unreachable packet should be sent back from the target machine.

 

4.2.3 - Common Port Scanning Pitfalls
1. UDP port scanning is often unreliable, as firewalls and routers may drop ICMP packets. This can lead to false positives in your scan, and you will regularly see UDP port scans showing all UDP ports open on a scanned machine.

2. Most port scanners do not scan all available ports, and usually have a preset list of “interesting ports” that are scanned.

3. People often forget to scan for UDP services, and stick only to TCP scanning, thereby seeing only half of the equation.

 

4.2.4 - Port Scanning with Nmap

4.2.4.1 - Accountability for Your Traffic
A default nmap TCP scan will scan the 1000 most popular ports on a given machine.
Before we start running nmap scans blindly, let’s quickly examine the amount of traffic sent by such a scan.

We’ll scan one of my local machines while monitoring the amount of traffic sent to the specific host using iptables.

 

root@kali:~# iptables -I INPUT 1 -s 10.0.0.19 -j ACCEPT
root@kali:~# iptables -I OUTPUT 1 -d 10.0.0.19 -j ACCEPT
root@kali:~# iptables -Z
root@kali:~# nmap -sT 10.0.0.19
root@kali:~# iptables -vn -L
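As an added example (my own, not from the notes or the course), a small Python parser for the `iptables -vn -L` output of the last command above: it reports the packets and bytes matched by the two ACCEPT rules, i.e. the traffic the scan sent to and received from 10.0.0.19. The sample output is constructed; without `-x` (`iptables -vnx -L`) iptables abbreviates large counters with K/M/G suffixes, so the parser expands those.

```python
import re

# Constructed sample of `iptables -vn -L` taken after the two ACCEPT rules
# above were inserted, counters zeroed with -Z, and `nmap -sT 10.0.0.19` run.
SAMPLE_IPTABLES = """Chain INPUT (policy ACCEPT 17 packets, 1360 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1150 63300 ACCEPT     all  --  *      *       10.0.0.19            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 12 packets, 1104 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1078 64680 ACCEPT     all  --  *      *       0.0.0.0/0            10.0.0.19
"""

CHAIN_RE = re.compile(r"^Chain (\S+) ")
# columns: pkts bytes target prot opt in out source destination
RULE_RE = re.compile(r"^\s*(\d+[KMG]?)\s+(\d+[KMG]?)\s+(\S+)\s+\S+\s+\S+\s+\S+\s+\S+\s+(\S+)\s+(\S+)")
SUFFIX = {"K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}

def expand(counter):
    """Expand an abbreviated counter such as '63K' (iptables rounds without -x)."""
    if counter[-1] in SUFFIX:
        return int(counter[:-1]) * SUFFIX[counter[-1]]
    return int(counter)

def traffic_for(text, host):
    """Return {'sent': (pkts, bytes), 'received': (pkts, bytes)} for host."""
    totals = {"sent": (0, 0), "received": (0, 0)}
    chain = None
    for line in text.splitlines():
        c = CHAIN_RE.match(line)
        if c:
            chain = c.group(1)
            continue
        r = RULE_RE.match(line)
        if not r:
            continue
        pkts, nbytes, target, src, dst = r.groups()
        if target != "ACCEPT":
            continue
        if chain == "INPUT" and src == host:      # packets the target sent us
            totals["received"] = (expand(pkts), expand(nbytes))
        elif chain == "OUTPUT" and dst == host:   # packets we sent the target
            totals["sent"] = (expand(pkts), expand(nbytes))
    return totals

if __name__ == "__main__":
    t = traffic_for(SAMPLE_IPTABLES, "10.0.0.19")
    print(f"sent {t['sent'][0]} pkts / {t['sent'][1]} bytes, "
          f"received {t['received'][0]} pkts / {t['received'][1]} bytes")
```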

 

The top-1000-port scan found two more ports than the full port scan (65,500 ports). What's the cause?
=> It's an issue related to network traffic limits.

 

This applies more the larger the network is, e.g. a class B network. If a full port scan isn't feasible, what's the better approach?
=> Network sweeping.

 

 

Network Sweeping
To deal with large volumes of hosts, or to otherwise try to conserve network traffic, we can attempt to probe these machines using Network Sweeping techniques.


nmap options to note:

-sn: Ping Scan - disable port scan
-p: target port
-sT: scan with TCP Connect()
-oG: Nmap’s “greppable” output parameter
--top-ports=20: scan only the given number of most common ports
-A: Enable OS detection, version detection, script scanning, and traceroute

 

#nmap -sn 192.168.31.200-254
#nmap -sn 192.168.31.200-254 -oG ping-sweep-nmap
#cat ping-sweep-nmap
#grep Up ping-sweep-nmap


#nmap -p 80 192.168.31.200-254 -oG web-sweep.txt
#cat web-sweep.txt
#nmap -sT --top-ports=20 192.168.31.200-250 -oG top-port-sweep.txt
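An added example, not from the notes or the course: a Python parser for the `-oG` files written by the sweeps above. It returns the hosts that reported `Status: Up` (what the `grep Up` step does by hand) and, for the port sweeps, the open ports per host. The `-oG` sample it runs on is constructed.

```python
import re

# Constructed sample of nmap "greppable" (-oG) output, as produced by the
# sweeps above: ping-sweep Status lines plus port-sweep Ports lines.
SAMPLE_OG = """# Nmap 7.80 scan initiated Fri Feb 21 17:55:00 2020 as: nmap -sT --top-ports=20 -oG top-port-sweep.txt 192.168.31.200-250
Host: 192.168.31.201 ()\tStatus: Up
Host: 192.168.31.201 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///\tIgnored State: filtered (17)
Host: 192.168.31.206 ()\tStatus: Up
Host: 192.168.31.206 ()\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (18)
Host: 192.168.31.210 ()\tStatus: Down
# Nmap done at Fri Feb 21 17:56:10 2020 -- 51 IP addresses (2 hosts up) scanned in 70.12 seconds
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\t(.*)$")
# Each -oG port entry is port/state/proto/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/([^/]+)/(\w+)/[^/]*/([^/]*)/")

def parse_greppable(text):
    """Return {ip: {"hostname": str, "up": bool, "open": [(port, proto, service)]}}."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:            # "# Nmap ..." comment lines are skipped
            continue
        ip, name, rest = m.groups()
        entry = hosts.setdefault(ip, {"hostname": name, "up": False, "open": []})
        for field in rest.split("\t"):
            key, _, value = field.partition(": ")
            if key == "Status":
                entry["up"] = value == "Up"
            elif key == "Ports":
                entry["up"] = True   # a Ports line means the host answered
                for port, state, proto, service in PORT_RE.findall(value):
                    if state == "open":
                        entry["open"].append((int(port), proto, service))
    return hosts

def hosts_up(text):
    """The `grep Up ping-sweep-nmap` step, returning only the IP addresses."""
    return sorted(ip for ip, h in parse_greppable(text).items() if h["up"])

if __name__ == "__main__":
    for ip, h in parse_greppable(SAMPLE_OG).items():
        status = "up" if h["up"] else "down"
        ports = ", ".join(f"{p}/{proto} {svc}" for p, proto, svc in h["open"])
        print(f"{ip:15} {status:4} {ports}")
```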


4.2.5 - OS Fingerprinting
#nmap -O 192.168.31.220

-O: OS fingerprinting


4.2.6 - Banner Grabbing/Service Enumeration
root@kali:~# nmap -sV -sT 10.0.0.19

-sV: banner grabbing

 

 

NSE Scripts
The Nmap Scripting Engine (NSE) is a recent addition to Nmap, which allows users to write simple scripts in order to automate various networking tasks.

All NSE scripts can be found in the /usr/share/nmap/scripts directory.

#cd /usr/share/nmap/scripts/
#ls -l

 

Useful scripts
root@kali:~# nmap 10.0.0.19 --script smb-os-discovery.nse
root@kali:~# nmap --script=dns-zone-transfer -p 53 ns2.megacorpone.com

 

 

4.2.8 - Exercises
1. Use nmap to conduct a ping sweep of your target IP range and save the output to a file, so that you can grep for hosts that are online.

 

2. Scan the IPs you found in exercise 1 for open webserver ports. Use nmap to find the web server and operating system versions.

 

3. Use the NSE scripts to scan the servers in the labs which are running the SMB service.


4. Explore the various command line options that nmap offers while scanning an online host you discovered within your target IP range. Monitor the bandwidth usage changes for the different options. Weigh the use of collecting as much information as possible against the resources it takes to gather it.

 

 


SMB Enumeration
The Server Message Block (SMB) protocol's security track record has been poor for over a decade, due to its complex implementation and open nature. Here is a quick list to clarify SMB version numbers and their related Windows operating system versions:
o SMB1 – Windows 2000, XP and Windows 2003.
o SMB2 – Windows Vista SP1 and Windows 2008
o SMB2.1 – Windows 7 and Windows 2008 R2
o SMB3 – Windows 8 and Windows 2012.

 

4.3.1 - Scanning for the NetBIOS Service
#nmap -p139,445 192.168.31.200-254 --open
#nmap -v -p 139,445 -oG smb.txt 10.11.1.1-254


There are other, more specialized, tools for specifically identifying NetBIOS information, such as nbtscan.
#man nbtscan
#nbtscan 192.168.31.200-254


4.3.2 - Null Session Enumeration.
A null session refers to an unauthenticated NetBIOS session between two computers.
This feature exists to allow unauthenticated machines to obtain browse lists from other Microsoft servers.

Works against 2003 and XP; against modern servers it only works when SMB is misconfigured.

 

Enum4Linux
#enum4linux -v 192.168.31.206
#enum4linux -a 10.11.1.227


It is written in Perl and is basically a wrapper around the Samba tools smbclient, rpcclient, net and nmblookup.

#rpcclient -U "" 192.168.31.206   (Windows machine)
Enter 's Password: (press Enter)
rpcclient $> srvinfo
rpcclient $> enumdomusers
rpcclient $> getdompwinfo


4.3.3 - Nmap SMB NSE Scripts
Nmap contains many useful NSE scripts that can be used to discover and enumerate SMB services.

 

SMB NSE Scripts
#ls -l /usr/share/nmap/scripts/smb*
#ls -l /usr/share/nmap/scripts | grep smb

#nmap -v -p 139,445 --script=smb-os-discovery 10.11.1.227

#nmap -p 139,445 --script smb-enum-users 192.168.31.206

#nmap -p 139,445 --script=smb-check-vulns --script-args=unsafe=1 192.168.31.229


4.3.4 - Exercises
1. Use Nmap to make a list of which SMB servers in the lab are running Windows.
2. Use NSE scripts to scan these systems for SMB vulnerabilities.
3. Use nbtscan and enum4linux against these systems and identify the kinds of data you can obtain from different versions of Windows.

 


4.4 - SMTP Enumeration

In certain vulnerable configurations, mail servers can also be used to gather information about a host or network. SMTP supports several important commands, such as VRFY and EXPN.

A VRFY request asks the server to verify an email address, while EXPN asks the server for the membership of a mailing list. These can often be abused to verify existing users on a mail server, which can later aid the attacker.

- On success: 250
- On failure: 500


#nc -nv 192.168.31.215 25
(UNKNOWN) [10.11.1.215] 25 (smtp) open
220 redhat.acme.com ESMTP Sendmail 8.12.8/8.12.8; Wed, 12 Jun 2013 07:47:14 +0300
VRFY root
250 2.1.5 root
VRFY idontexist
550 5.1.1 idontexist... User unknown


VRFY Script
cat users.txt
root
backup
bob
dick
apache
mike
joseph

 

One-line brute-force script
#for user in $(cat users.txt); do echo VRFY $user | nc -nv -w 1 192.168.31.215 25 2>/dev/null | grep ^"250"; done


Python Port
Python script
vrfy.py

#!/usr/bin/env python3
# vrfy.py: send a single SMTP VRFY for the user given on the command line
# (ported to Python 3; the original used Python 2 print statements)

import socket
import sys

if len(sys.argv) != 2:
    print("Usage: vrfy.py <username>")
    sys.exit(0)

# connect to the lab mail server on TCP/25
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('192.168.31.215', 25))

# read the 220 greeting banner
banner = s.recv(1024)
print(banner.decode(errors='replace'))

# send VRFY <user>; the server answers 250 for a known user, 550 otherwise
s.send(('VRFY ' + sys.argv[1] + '\r\n').encode())
result = s.recv(1024)
print(result.decode(errors='replace'))
s.close()


4.4.1 - Exercise
1. Search your target network range, and see if you can identify any systems that respond to the SMTP VRFY command.

 

 

 

 

4.5 - SNMP Enumeration
- UDP-based protocol

- No encryption; can be sniffed on the same network.

- Weak authentication; default public and private community strings

 

Over the years, we have often found that Simple Network Management Protocol (SNMP) is a poorly understood protocol by many network administrators. 

This often results in SNMP misconfigurations, which can result in a dramatic information leakage.

 

 

4.5.1 - SNMP MIB Tree

 

The SNMP Management Information Base (MIB) is a database containing information usually related to network management.

 

For example, the following MIB values correspond to specific Microsoft Windows SNMP parameters.

1.3.6.1.2.1.25.1.6.0 System Processes 
1.3.6.1.2.1.25.4.2.1.2 Running Programs 
1.3.6.1.2.1.25.4.2.1.4 Processes Path 
1.3.6.1.2.1.25.2.3.1.4 Storage Units 
1.3.6.1.2.1.25.6.3.1.2 Software Name 
1.3.6.1.4.1.77.1.2.25 User Accounts 
1.3.6.1.2.1.6.13.1.3 TCP Local Ports

 

cat mib-values
(file containing the MIB values listed above)

 

4.5.2 - Scanning for SNMP

root@kali:~# nmap -sU --open -p 161 10.11.1.1-254 -oG mega-snmp.txt

root@kali:~# nmap -sU --open -p 161 192.168.31.200-254

 

 

Alternatively, we can use a tool such as onesixtyone, which will check given community strings against an IP list, allowing us to brute force various community strings.

 

Create a simple IP list file and brute-force community strings with onesixtyone

root@kali:~# for ip in $(seq 200 254);do echo 192.168.31.$ip;done > ips
root@kali:~# echo public > community
root@kali:~# echo private >> community
root@kali:~# echo manager >> community
root@kali:~# for ip in $(seq 1 254);do echo 10.11.1.$ip;done > ips
root@kali:~# onesixtyone -c community -i ips

 

4.5.3 - Windows SNMP Enumeration Example

 

SNMPWalk

 

We can probe and query SNMP values using a tool such as snmpwalk provided we at least know the SNMP read-only community string, which in most cases is “public”.

Using some of the MIB values provided above, we could attempt to enumerate their corresponding values.

 

Try out the following examples against a known machine in the labs, which has a Windows SNMP port exposed with the community string “public”.

 

#cat mib-values

#snmpwalk -c public -v1 [target ip] [mib]

 

Enumerating the Entire MIB Tree
root@kali:~# snmpwalk -c public -v1 10.11.1.219 

 

Enumerating Windows Users:
root@kali:~# snmpwalk -c public -v1 10.11.1.204 1.3.6.1.4.1.77.1.2.25


Enumerating Running Windows Processes:
root@kali:~# snmpwalk -c public -v1 10.11.1.204 1.3.6.1.2.1.25.4.2.1.2


Enumerating Open TCP Ports:
root@kali:~# snmpwalk -c public -v1 10.11.1.204 1.3.6.1.2.1.6.13.1.3


Enumerating Installed Software:
root@kali:~# snmpwalk -c public -v1 10.11.1.204 1.3.6.1.2.1.25.6.3.1.2
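An added example (mine, not from the notes or the course) that serves both the MIB table in 4.5.1 and the snmpwalk commands above: it parses raw `snmpwalk -v1` output and groups the returned values under the labels from that table, so one full-tree walk can be summarised instead of running snmpwalk once per OID. The sample output lines are constructed.

```python
import re

# The MIB values listed in 4.5.1, keyed by OID prefix ("iso" is 1).
MIB_LABELS = {
    "1.3.6.1.2.1.25.1.6.0": "System Processes",
    "1.3.6.1.2.1.25.4.2.1.2": "Running Programs",
    "1.3.6.1.2.1.25.4.2.1.4": "Processes Path",
    "1.3.6.1.2.1.25.2.3.1.4": "Storage Units",
    "1.3.6.1.2.1.25.6.3.1.2": "Software Name",
    "1.3.6.1.4.1.77.1.2.25": "User Accounts",
    "1.3.6.1.2.1.6.13.1.3": "TCP Local Ports",
}

# Constructed sample of `snmpwalk -c public -v1 <host>` output; with no MIB
# files loaded, snmpwalk prints numeric OIDs with an "iso." prefix.
SAMPLE_WALK = """iso.3.6.1.2.1.1.5.0 = STRING: "WIN-LAB01"
iso.3.6.1.2.1.25.1.6.0 = Gauge32: 45
iso.3.6.1.4.1.77.1.2.25.1.1.5.71.117.101.115.116 = STRING: "Guest"
iso.3.6.1.4.1.77.1.2.25.1.1.13.65.100.109.105.110.105.115.116.114.97.116.111.114 = STRING: "Administrator"
iso.3.6.1.2.1.25.4.2.1.2.4 = STRING: "System"
iso.3.6.1.2.1.25.4.2.1.2.1234 = STRING: "svchost.exe"
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.135.0.0.0.0.0 = INTEGER: 135
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.445.0.0.0.0.0 = INTEGER: 445
"""

LINE_RE = re.compile(r'^(?:iso|1)\.([\d.]+) = ([\w-]+): ?(.*)$')

def parse_snmpwalk(text):
    """Yield (oid, type, value) with 'iso' normalised to '1' and quotes stripped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        oid, vtype, value = m.groups()
        yield "1." + oid, vtype, value.strip('"')

def label_for(oid):
    """Return the 4.5.1 label whose OID prefix covers this OID, else None."""
    return next((lbl for pfx, lbl in MIB_LABELS.items()
                 if oid == pfx or oid.startswith(pfx + ".")), None)

def summarise(text):
    """Group returned values by MIB label, e.g. {'User Accounts': ['Guest', ...]}."""
    groups = {}
    for oid, _, value in parse_snmpwalk(text):
        label = label_for(oid)
        if label:                   # unlabelled OIDs (e.g. sysName) are dropped
            groups.setdefault(label, []).append(value)
    return groups
```

Calling `summarise(SAMPLE_WALK)` yields the user, process and listening-port lists that the separate snmpwalk commands above would return one OID at a time.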

 

 

4.5.4 - Exercises
1. Scan your target network with onesixtyone. Identify any SNMP servers.
2. Use snmpwalk and snmp-check to gather information about the discovered targets.

 

 

 

 

 

Vulnerability Scanning

 

Vulnerability scanning is the process of using automated tools to discover and identify vulnerabilities in a network. Vulnerability scanners come in many different forms, from simple scripts that identify a single vulnerability, to complex commercial software engines that scan for thousands of them.

 

 

5.1 - Vulnerability Scanning with Nmap

 

More NSE Scripts

 

root@kali:~# cd /usr/share/nmap/scripts/
root@kali:/usr/share/nmap/scripts# ls -l *vuln*
-rw-r--r-- 1 root root 6960 Dec 13 2012 afp-path-vuln.nse
-rw-r--r-- 1 root root 6190 Dec 13 2012 ftp-vuln-cve2010-4221.nse

...

...


root@kali:~# nmap -v -p 80 --script=http-vuln-cve2010-2861 10.11.1.210
root@kali:~# nmap -v -p 80 --script all 192.168.31.210

 

 

 

 


OpenVAS
#openvas-setup
Web browser: 127.0.0.1:9392
Log in as admin with the generated password

Configuration > Scan Configs

 

 

 

5.2.2 - Exercises (not done from here on)
1. Use nmap scripts and OpenVAS to conduct targeted scans (against single hosts)
against systems in your target network.

 

2. Account for the traffic using iptables. How many resources does scanning a
single host require, in terms of network bandwidth, and time?

 

3. Consider the sort of vulnerabilities a scanner will identify. What are the
limitations of the tool? Why?
