Module 1: Active Reconnaissance, Scanning, and Introduction to TCP/IP for pen-testers. Module 2: Basics of using nmap. Using nmap for host discovery. Module 3: Basics of using nmap. Understanding nmap output. Adrian Crenshaw
About Adrian Twitter: @Irongeek_ADC I run Irongeek.com I have an interest in InfoSec education I don't know everything - I'm just a geek with time on my hands Sr. Information Security Consultant at TrustedSec Co-Founder of Derbycon http://www.derbycon.com
What and Why of Port Scanning Since port numbers are fairly standard, if port 80/TCP is listening on a host, more than likely it's running a web service. By sending packets to these port numbers and watching how the host answers, you can see what services are running on it. Knowing what services are running tells you something about the potential attack surface. What about fingerprinting? The banner and protocol quirks of whatever answers narrow that down further, to a product and often a version.
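The mechanics of "send packets to a port and see what answers", as an added example that is not from the slides: a Python TCP connect() scanner, the same technique nmap's -sT uses. It completes the full handshake, so an open port is one where connect() succeeds, a closed port is one that answers with a RST (seen as ECONNREFUSED), and a timeout suggests something is filtering. The target it scans is a throwaway listener thread on localhost with a made-up SMTP-style banner, so the whole thing runs offline; nothing here talks to a real host.

```python
import socket
import threading


def start_listener(host="127.0.0.1"):
    """Throwaway TCP service on an OS-chosen port (constructed target, not a real daemon).
    Returns (server_socket, port); the server greets each client with a fake banner."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listener closed
            with conn:
                conn.sendall(b"220 mail.example.test ESMTP ready\r\n")  # constructed banner

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def free_port(host="127.0.0.1"):
    """Bind and immediately release a port so we have one that is (almost certainly) closed."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def connect_scan(host, ports, timeout=0.5):
    """TCP connect() scan. Returns {port: (state, banner)} where state is
    'open' (handshake completed), 'closed' (RST / ECONNREFUSED) or 'filtered' (no answer)."""
    results = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except socket.timeout:
            results[port] = ("filtered", b"")   # neither SYN/ACK nor RST came back
        except ConnectionRefusedError:
            results[port] = ("closed", b"")     # the host answered with a RST
        except OSError as e:
            results[port] = ("error %s" % e.errno, b"")
        else:
            try:
                banner = s.recv(256)  # many services talk first; that banner is fingerprint material
            except (socket.timeout, OSError):
                banner = b""
            results[port] = ("open", banner)
        finally:
            s.close()
    return results


if __name__ == "__main__":
    srv, open_port = start_listener()
    for port, (state, banner) in connect_scan("127.0.0.1", [open_port, free_port()]).items():
        print("%5d/tcp %-8s %s" % (port, state, banner.strip().decode(errors="replace")))
    srv.close()
```

A connect() scan is the noisiest option: every open port gets a completed connection that the service logs. The SYN scan covered later in the modules stops after the SYN/ACK, which needs raw sockets and root but leaves less of a trail.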
Nmap One of the most popular port scanners Started by Gordon Lyon (Fyodor) back in 1997, as an article for Phrack Magazine 51 Started as a fairly simple port scanner, and has suffered some pretty serious feature creep since. Multiplatform (Linux, Windows, BSD, OS X) Open Source and available from http://nmap.org
TCP/UDP/IP Basics To use an analogy, if IPs are an apartment complex's address, ports are the apartment number. Both UDP and TCP use incoming and outgoing ports. Most IP-based services listen on standard ports (HTTP 80/TCP, SMTP 25/TCP, SMB 139 and 445/TCP, DNS port 53/TCP and UDP).
MAC Addresses MAC (Media Access Control) is the address on the NIC (Network Interface Card). The term is used in Ethernet, but the same concept applies elsewhere (Wi-Fi, for one). The burned-in address should be unique, and if they ask on the exam it is, but reality is sometimes different: it can be overridden in software.
More MAC Addresses 48 bits (6 bytes) long, mostly represented in hex like this: DE:AD:BE:EF:CA:FE. The OUI (Organizationally Unique Identifier) is the first three bytes (DE:AD:BE, shown in red on the original slide); the extension identifier is the last three (EF:CA:FE, shown in blue). See who is assigned what OUI here: http://standards.ieee.org/develop/regauth/oui/oui.txt
EUI-64 MAC Addresses 64-bit MAC addresses; the OUI is still 24 bits, the extension identifier is 40. Used by IEEE 1394 (FireWire) and IEEE 802.15.4 devices, and the IPv6 auto-configuration slide below builds its interface identifiers on the same format.
IPv4 IPv4 uses 32-bit addresses, usually represented as 4 octets (separated into its 4 bytes, each written in decimal): 192.168.1.1. Dec: 3232235777, Hex: C0A80101, Binary: 11000000 10101000 00000001 00000001. 2^32 addresses possible (more or less, since some ranges are reserved), so about 4.3 billion. Began running out of these, which is one reason for IPv6 and NAT.
Important IPv4 Header Fields Bit positions count from 0!
IPv4 Header: Version Version of the IP protocol, 4 in this case, bits 0-3.
IPv4 Header: IHL Internet Header Length, bits 4-7, in 32-bit words: 5 (20 bytes) with no options, up to 15 (60 bytes).
IPv4 Header: Type of Service Sets the priority of the packet (now carved up into 6 bits of DSCP and 2 bits of ECN).
IPv4 Header: Total Length Total length of the packet in bytes, header included, min 20 max 65,535.
IPv4 Header: ID Field Identification, used for fragmentation: all fragments of one datagram carry the same ID.
IPv4 Header: Flags Three bits, used for fragmentation: reserved (must be 0), DF (Don't Fragment) and MF (More Fragments).
IPv4 Header: Fragment Offset Fragment Offset, in 8-byte units, used for fragmentation.
IPv4 Header: Time to Live Should have been called "Hop Count" based on most implementations. By spec it is seconds since the packet was born, but every router just decrements it by one and discards the packet at zero.
IPv4 Header: Protocol ICMP=1, TCP=6, UDP=17. Way more at: http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml
IPv4 Header: Header Checksum To detect errors in transmission; it covers the header only, not the data, and is recomputed at every hop because the TTL changes.
IPv4 Header: Source Address Where did I come from?
IPv4 Header: Destination Address Where am I going?
IPv4 Header: Options Extra options for the packet. Things like source routing would be here: http://www.networksorcery.com/enp/protocol/ip.htm#Options
IPv4 Header: Padding To make sure data starts on a 32-bit boundary
Fragmentation Networks have a Maximum Transmission Unit (MTU) size, often 1500 bytes. Sometimes a packet must be broken up to fit, which a router can do on the way (unless DF is set). The ID, flags and Fragment Offset fields mentioned before are used by the receiving host to put the pieces back together. The MTU of the path can be discovered by setting the Don't Fragment flag and trying smaller sizes until you stop getting an ICMP "Fragmentation needed and DF set" message back. Fragmentation matters to a pen-tester because some filters only look at the first fragment: nmap's -f option sends tiny fragments for exactly that reason, and it is the target host that reassembles them.
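How the ID, flags and offset fields actually carry a datagram across a small MTU, as an added example that is not from the slides: a Python fragmenter and reassembler working on a constructed payload. It shows the two details people trip over, that the offset is counted in 8-byte units (so every fragment but the last is a multiple of 8 bytes), and that the receiver can only finish once the MF=0 tail has arrived and there are no holes. The MTU and ID values are made up.

```python
def flags_field(df: bool, mf: bool, offset_units: int) -> int:
    """Pack the 3 flag bits and the 13-bit fragment offset exactly as they sit in the IPv4 header."""
    if not 0 <= offset_units < 2 ** 13:
        raise ValueError("offset does not fit in 13 bits")
    return (df << 14) | (mf << 13) | offset_units


def fragment(payload: bytes, ident: int, mtu: int, ihl: int = 20):
    """Split payload so header + chunk <= MTU. Every non-final chunk is a multiple of 8 bytes
    because the offset field counts 8-byte units. Returns (ident, mf, offset_units, chunk) tuples."""
    max_chunk = (mtu - ihl) // 8 * 8
    if max_chunk <= 0:
        raise ValueError("MTU too small to carry a fragment")
    frags, off = [], 0
    while off < len(payload):
        chunk = payload[off:off + max_chunk]
        mf = off + len(chunk) < len(payload)      # More Fragments unless this is the tail
        frags.append((ident, mf, off // 8, chunk))
        off += len(chunk)
    return frags


def reassemble(frags):
    """Group fragments by ID and stitch them at offset*8. A datagram is complete when the
    fragment with MF=0 has arrived and the bytes from 0 to its end have no holes.
    Returns {ident: payload} for the datagrams that completed; the rest stay pending."""
    by_id = {}
    for ident, mf, off_units, chunk in frags:
        by_id.setdefault(ident, []).append((off_units * 8, chunk, mf))
    done = {}
    for ident, pieces in by_id.items():
        pieces.sort()                              # arrival order does not matter
        total = next((o + len(c) for o, c, mf in pieces if not mf), None)
        if total is None:
            continue                               # tail not seen yet
        buf, have = bytearray(total), 0
        for off, chunk, _ in pieces:
            if off != have:
                break                              # hole (or overlap): keep waiting
            buf[off:off + len(chunk)] = chunk
            have += len(chunk)
        if have == total:
            done[ident] = bytes(buf)
    return done


if __name__ == "__main__":
    data = bytes(range(256)) * 12                  # constructed 3072-byte datagram payload
    parts = fragment(data, ident=0xBEEF, mtu=576)
    for ident, mf, off, chunk in parts:
        print("id=%#x MF=%d offset=%d (%d bytes) len=%d flags_field=%#06x"
              % (ident, mf, off, off * 8, len(chunk), flags_field(False, mf, off)))
    print("reassembled OK:", reassemble(reversed(parts)) == {0xBEEF: data})
```

Real stacks also have to cope with overlapping fragments, which this version simply refuses to complete; how an OS resolves overlaps (first-wins or last-wins) is one of the things fingerprinting tools look at, and one of the ways an IDS can be made to see a different stream than the host.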
IPv6 128-bit addresses, 2^128 possible addresses (in technical terms: a shit load): 340 undecillion to Yanks, 340 sextillion to Brits (which sounds like a fancy orgy). In some ways, IPv6 has a simpler header.
IPv6 Header 40 bytes, 320 bits
IPv6 Header Version is set to 6. Traffic Class and Flow Label are used for QoS. Payload Length is the size of the payload, not including the 40-byte IP header itself. Next Header points to the header of the encapsulated protocol (TCP=6, UDP=17, the same numbers as the IPv4 Protocol field) or to an extension header. Hop Limit was TTL in old IPv4; this is a better name. Source and Destination Addresses, 128 bits each.
IPv6 Auto Configuration Stateless Auto Configuration eliminates the need for DHCP (though it is still possible with DHCPv6, Stateful Auto Configuration). The IPv6 address is based on the MAC address and IPv6 router advertisements: ff:fe is inserted into the middle of the MAC if it is 48 bits; an EUI-64 MAC that is already 64 bits can be used as is. Uses : for notation in hex, and :: can substitute for a run of 0s (but only once): fe80::60c:ceff:fed7:ed7c. The one above is a Link-Local address, notice the fe80, and can be used to talk to other IPv6 hosts on the network without a router. The Universal/Local (U/L) bit of the MAC is set to 1 if the burned-in MAC address is overridden; when the MAC becomes an interface ID that bit is inverted, so a 1 there means "globally unique". Modern OSes often use privacy extensions or random interface IDs instead, so don't count on recovering a MAC from every IPv6 address you see.
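The MAC-to-interface-ID transformation worked through in Python, as an added example that is not from the slides. It reproduces the slide's own address: the MAC 04:0c:ce:d7:ed:7c (an assumed value, chosen so the result is fe80::60c:ceff:fed7:ed7c) gets ff:fe inserted in the middle and its U/L bit flipped. The reverse direction is what you want during recon, with the caveat that an address without ff:fe in the middle was not EUI-64 derived and tells you nothing about the MAC.

```python
import ipaddress


def mac_bytes(mac: str) -> bytes:
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC")
    return raw


def is_locally_administered(mac: str) -> bool:
    """The U/L bit (0x02 of the first byte) is 1 when the burned-in address has been overridden."""
    return bool(mac_bytes(mac)[0] & 0x02)


def modified_eui64(mac: str) -> bytes:
    """48-bit MAC -> 64-bit interface ID: insert ff:fe in the middle, then flip the U/L bit
    (RFC 4291 inverts it so that 1 means 'universal' inside an IPv6 interface ID)."""
    raw = mac_bytes(mac)
    eui = raw[:3] + b"\xff\xfe" + raw[3:]
    return bytes([eui[0] ^ 0x02]) + eui[1:]


def link_local_from_mac(mac: str) -> str:
    """fe80::/64 plus the interface ID, in compressed (::) notation."""
    return ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + modified_eui64(mac)).compressed


def mac_from_address(addr: str):
    """Reverse it during recon: if the IID has ff:fe in bytes 3-4 it was probably EUI-64 derived.
    Otherwise (privacy extensions, random IIDs, manual addresses) return None rather than guess."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    raw = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join("%02x" % b for b in raw)


if __name__ == "__main__":
    mac = "04:0c:ce:d7:ed:7c"                       # assumed MAC; matches the slide's address
    print(mac, "->", link_local_from_mac(mac), "(locally administered: %s)" % is_locally_administered(mac))
    for seen in ("fe80::60c:ceff:fed7:ed7c", "fe80::1", "2001:db8::8a2e:370:7334"):
        print(seen, "->", mac_from_address(seen))
```

Once you have the MAC, the OUI (first three bytes) tells you the vendor, which is often the first real clue about what a host is; the modified EUI-64 address also stays the same across networks, which is exactly why privacy extensions were introduced.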
Classful Networks Size matters: Class A 0.0.0.0-127.255.255.255 (/8), Class B 128.0.0.0-191.255.255.255 (/16), Class C 192.0.0.0-223.255.255.255 (/24).
Classless Inter-Domain Routing (CIDR) CIDR allows for less waste by splitting networks up at any bit boundary instead of only the classful /8, /16 and /24. CIDR notation gives the number of network bits: 255.255.255.0 = /24, 255.255.0.0 = /16, 255.0.0.0 = /8. Any other prefix length works too, e.g. 255.255.240.0 = /20.
Subnetting Dickins Corp uses IP range 10.*.*.* Assume an example host is 10.69.69.69. Let's say they use 255.255.240.0 (/20) for a subnet mask: 11111111.11111111.11110000.00000000 (the first 20 bits, red on the original slide, are the network section; the last 12, blue, are the host section). AND the mask with the host IP: 00001010.01000101.01000101.01000101 AND 11111111.11111111.11110000.00000000 = 00001010.01000101.01000000.00000000, i.e. the network address 10.69.64.0. If two different IPs ANDed with the same subnet mask give the same result, they are on the same network.
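The address arithmetic from the IPv4, CIDR and subnetting slides in one place, as an added example that is not from the slides: Python helpers that convert an address between the dotted, decimal, hex and binary forms, turn a mask into a prefix length (rejecting masks whose ones are not contiguous), and do the AND the slide does by hand for Dickins Corp's 10.69.69.69/20. The stdlib ipaddress module is used only as a cross-check of the hand arithmetic.

```python
import ipaddress
import socket
import struct


def ip_to_int(ip: str) -> int:
    return struct.unpack("!I", socket.inet_aton(ip))[0]


def int_to_ip(n: int) -> str:
    return socket.inet_ntoa(struct.pack("!I", n))


def representations(ip: str) -> dict:
    """The same 32-bit value written as decimal, hex and four binary octets."""
    raw = socket.inet_aton(ip)
    return {"dec": ip_to_int(ip), "hex": raw.hex().upper(),
            "bin": " ".join(format(b, "08b") for b in raw)}


def prefix_to_int(prefix: int) -> int:
    if not 0 <= prefix <= 32:
        raise ValueError("prefix out of range")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def prefix_to_mask(prefix: int) -> str:
    return int_to_ip(prefix_to_int(prefix))


def mask_to_prefix(mask: str) -> int:
    """255.255.240.0 -> 20; a mask like 255.0.255.0 is not a valid CIDR mask."""
    n = ip_to_int(mask)
    ones = bin(n).count("1")
    if n != prefix_to_int(ones):
        raise ValueError("non-contiguous mask: %s" % mask)
    return ones


def network_of(ip: str, mask: str) -> str:
    """AND the host address with the mask: the host bits drop out, leaving the network address."""
    return int_to_ip(ip_to_int(ip) & ip_to_int(mask))


def broadcast_of(ip: str, mask: str) -> str:
    """OR the host address with the inverted mask: all host bits set."""
    return int_to_ip(ip_to_int(ip) | (~ip_to_int(mask) & 0xFFFFFFFF))


def same_network(a: str, b: str, mask: str) -> bool:
    return network_of(a, mask) == network_of(b, mask)


def usable_hosts(prefix: int) -> int:
    """Host addresses minus network and broadcast; /31 (point-to-point) and /32 use every address."""
    if prefix >= 31:
        return 2 ** (32 - prefix)
    return 2 ** (32 - prefix) - 2


def explain(ip: str, mask: str) -> dict:
    """The slide's worked example, with the stdlib confirming the hand-computed network address."""
    prefix = mask_to_prefix(mask)
    net = network_of(ip, mask)
    assert ipaddress.ip_network("%s/%d" % (ip, prefix), strict=False).network_address == ipaddress.ip_address(net)
    return {"cidr": "%s/%d" % (net, prefix),
            "host_bin": representations(ip)["bin"], "mask_bin": representations(mask)["bin"],
            "net_bin": representations(net)["bin"],
            "broadcast": broadcast_of(ip, mask), "usable_hosts": usable_hosts(prefix)}


if __name__ == "__main__":
    for k, v in explain("10.69.69.69", "255.255.240.0").items():
        print("%-12s %s" % (k, v))
```

The same AND is what you do when deciding how big a range to hand to a scanner: everything from the network address to the broadcast is one /20 of 4096 addresses, and a target like 10.69.80.1 is on the next subnet over even though it shares three octets.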
ARP (Slide graphic: "Hey, who has IP 192.168.1.2?" / "That's me! My MAC Address is DE:AD:BE:FE:CA:FE") Address Resolution Protocol allows machines to find the Layer 2 MAC address for a Layer 3 IP. If a machine only has the IP, it sends a broadcast message asking "who has this IP?", the owner answers with its MAC, and then communication can happen. RARP (Reverse Address Resolution Protocol) is the opposite and was used by diskless workstations to learn their IP from their MAC. Think about static ARP entries: ARP has no authentication, so anyone on the segment can answer for an IP that isn't theirs, and a static entry is one way to pin a critical address such as the gateway.
I am Adrianholio, I need TCP for my IP! • TCP = Transmission Control Protocol • Considered a "reliable", session based protocol (it sits on the Transport layer of OSI, AKA Layer 4) • Starts with the three way handshake of: • Host 1: SYN • Host 2: SYN/ACK • Host 1: ACK • Has the concept of source and destination ports to specify what service to connect to
TCP Headers IP Header is above this
SRC and DST ports Think apartment numbers in a complex
Sequence and Acknowledgement Numbers Keep the connection in sync and allow both sides to know which bytes got through
Data Offset Gives the size of the TCP header in 32-bit words, at least 5, at most 15
Reserved • Not all used currently, but maybe later? • Three bits that used to be reserved were claimed in 2001 and 2003 for congestion control: • CWR = Congestion Window Reduced • ECE = Explicit Congestion Notification Echo • NS = Nonce Sum
Flags URG = This is important, go look at the urgent field. ACK = Says the Acknowledgment field is valid; should be set on every packet after the initial SYN. PSH = Asks the receiver to push the buffered data to the application. RST = Reset the connection (also what a closed port answers a SYN with). SYN = Hey! Synchronize Sequence Numbers! FIN = We done son, tear down the connection.
Window Tells how much data you can send for flow control
Checksum Used for error checking; it covers the TCP header and data plus a pseudo-header of source and destination IP, protocol and length, so a segment delivered to the wrong host also fails the check.
Urgent Pointer Offset from the Sequence Number to the last urgent data byte
Options Size is determined by the Data Offset field (everything past the first 20 bytes is options, e.g. MSS, window scale, SACK, timestamps); too many to list so see https://www.iana.org/assignments/tcp-parameters/tcp-parameters.xhtml
Padding Makes sure the header stops at a 32-bit boundary
DATA Here is the data
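A decoder for the two headers just walked through, the IPv4 fields above and the TCP fields from the source port down to the options, as an added example that is not from the slides. It builds a constructed IPv4/TCP SYN packet with an MSS option (the first thing a scanner sends), then parses every field by its bit position and verifies both checksums, including the TCP pseudo-header. Addresses, ports and the IP ID are made up; only the Python standard library is used.

```python
import socket
import struct

TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]  # bits 0-7; NS is bit 8


def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words, then complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(pkt: bytes):
    """Decode the IPv4 header; return (fields, payload). Bit positions as on the slides."""
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4                       # IHL is in 32-bit words
    return {
        "version": ver_ihl >> 4, "ihl": ihl,
        "dscp": tos >> 2, "ecn": tos & 0x3,           # the old Type of Service byte
        "total_length": total_len, "id": ident,
        "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000),
        "frag_offset": (flags_frag & 0x1FFF) * 8,    # offset is in 8-byte units
        "ttl": ttl, "protocol": proto,
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "options": pkt[20:ihl],
        "checksum_ok": checksum(pkt[:ihl]) == 0,     # header summed with its checksum gives 0
    }, pkt[ihl:total_len]


def parse_tcp_options(raw: bytes) -> dict:
    """Walk the TLV options: kind 0 ends the list, kind 1 is a one-byte NOP, kind 2 is MSS."""
    opts, i = {}, 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:
            break
        if kind == 1:
            i += 1
            continue
        length = raw[i + 1]
        value = raw[i + 2:i + length]
        opts["MSS" if kind == 2 else "kind%d" % kind] = struct.unpack("!H", value)[0] if kind == 2 else value
        i += length
    return opts


def parse_tcp(seg: bytes, src_ip: str, dst_ip: str) -> dict:
    """Decode a TCP segment; the checksum covers a pseudo-header (addresses, protocol, length) too."""
    sport, dport, seq, ack, off_flags, window, _csum, urg = struct.unpack("!HHIIHHHH", seg[:20])
    data_offset = (off_flags >> 12) * 4
    bits = off_flags & 0x01FF                        # 9 flag bits incl. NS
    flags = [n for i, n in enumerate(TCP_FLAG_NAMES) if bits & (1 << i)] + (["NS"] if bits & 0x100 else [])
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip), 0, 6, len(seg))
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "data_offset": data_offset, "flags": flags, "window": window, "urgent_pointer": urg,
            "options": parse_tcp_options(seg[20:data_offset]),
            "checksum_ok": checksum(pseudo + seg) == 0, "payload": seg[data_offset:]}


def build_syn(src_ip: str, dst_ip: str, sport: int, dport: int, seq: int, mss: int = 1460) -> bytes:
    """Constructed sample packet: IPv4 with DF set, carrying a SYN with an MSS option."""
    opts = b"\x02\x04" + struct.pack("!H", mss)             # kind 2, length 4, MSS value
    off_flags = (6 << 12) | 0x02                            # 6 words (24 bytes) of header, SYN set
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, 0, off_flags, 65535, 0, 0) + opts
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip), 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]   # checksum at bytes 16-17
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]                 # checksum at bytes 10-11
    return ip + tcp


if __name__ == "__main__":
    pkt = build_syn("192.168.1.10", "192.168.1.2", 40000, 80, 1000)   # assumed addresses and ports
    ip_hdr, segment = parse_ipv4(pkt)
    print(ip_hdr)
    print(parse_tcp(segment, ip_hdr["src"], ip_hdr["dst"]))
```

Two things worth noticing when you run it: the IP checksum stays valid after you corrupt a TCP byte because it only covers the IP header, and a scanner that hand-builds packets like this (as nmap does for -sS) has to get the pseudo-header checksum right or the target silently drops the SYN and every port looks filtered.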
Three Way! (Hand Shake That Is) During the SYN, SYN/ACK, ACK handshake, the two parties each pick their own initial sequence number and exchange them. As data is passed, each side acknowledges by sending back the other's sequence number plus the number of bytes it received (the next byte it expects), so both know what got through. ACKs are used throughout, and a FIN is used at the end to tear down the connection (sometimes a RST). A port scanner lives off this exchange: a SYN/ACK back means open, a RST means closed, and silence usually means filtered.
UDP • UDP=User Datagram Protocol • Considered connectionless, “unreliable”, fire and forget • Meant for when speed and low overhead is more important than reliability, and data passed can be lossy • NTP • VoIP • DNS • Streaming Video