
Adrian Crenshaw

Module 1: Active Reconnaissance, Scanning, and Introduction to TCP/IP for pen-testers. Module 2: Basics of using nmap. Using nmap for host discovery. Module 3: Basics of using nmap. Understanding nmap output. Adrian Crenshaw. About Adrian. Twitter: @Irongeek_ADC. I run Irongeek.com





Presentation Transcript


  1. Module 1: Active Reconnaissance, Scanning, and Introduction to TCP/IP for pen-testers. Module 2: Basics of using nmap. Using nmap for host discovery. Module 3: Basics of using nmap. Understanding nmap output. Adrian Crenshaw

  2. About Adrian Twitter: @Irongeek_ADC. I run Irongeek.com. I have an interest in InfoSec education. I don’t know everything - I’m just a geek with time on my hands. Sr. Information Security Consultant at TrustedSec. Co-Founder of Derbycon: http://www.derbycon.com

  3. What and Why of Port Scanning Since ports are fairly standard, if port 80/TCP is listening on a host, more than likely it’s running web services. By sending packets to these port numbers, you can see what services are running on the host. Knowing what services are running tells you something about the potential attack surface. What about fingerprinting?

  4. Nmap One of the most popular port scanners. Started by Gordon Lyon (Fyodor) back in 1997, as an article for Phrack Magazine 51. Started as a fairly simple port scanner, and has suffered some pretty serious feature creep since. Multiplatform (Linux, Windows, BSD, OS X). Open Source and available from http://nmap.org

  5. TCP/UDP/IP Basics To use an analogy, if IPs are an apartment complex’s address, ports are the apartment number. Both UDP and TCP use incoming and outgoing ports. Most IP based services listen on standard ports (HTTP 80/TCP, SMTP 25/TCP, SMB 139/445/TCP, DNS port 53/TCP and UDP).

  6. MAC Addresses MAC (Media Access Control) is the address on the NIC (Network Interface Card). The term is used in Ethernet, but the same concept applies elsewhere. The burned-in address should be unique, and if they ask on the exam it is, but reality is sometimes different.

  7. More MAC Addresses 48 bits (6 bytes) long, mostly represented in hex like this: DE:AD:BE:EF:CA:FE. The OUI (Organizationally Unique Identifier) is the first three bytes (DE:AD:BE, shown in red on the slide); the extension identifier is the last three (EF:CA:FE, in blue). See who is assigned what OUI here: http://standards.ieee.org/develop/regauth/oui/oui.txt

  8. EUI-64 MAC addresses 64-bit MAC addresses. The OUI is still 24 bits. Not sure what uses these.

  9. IPv4 IPv4 uses 32 bit addresses. Usually represented as 4 octets (separated into its 4 bytes and written in decimal): 192.168.1.1. Dec: 3232235777. Hex: C0A80101. Binary: 11000000 10101000 00000001 00000001. 2^32 addresses possible (more or less), so about 4.3 billion. Began running out of these, which is one reason for IPv6 and NAT.

  10. Important IPv4 Headers Count from 0!

  11. IPv4 Header: Version Version of IP protocols, 4 in this case, bits 0-3.

  12. IPv4 Header: IHL Internet Header Length, bits 4-7

  13. IPv4 Header: Type of Service Set the priority of the packet

  14. IPv4 Header: Total Length Total length of the packet, min 20 max 65,535.

  15. IPv4 Header: ID Field Identification, used for fragmentation

  16. IPv4 Header: Flags Flags, used for fragmentation

  17. IPv4 Header: Fragment Offset Fragment Offset, used for fragmentation

  18. IPv4 Header: Time to Live Should have been called “Hop Count” based on most implementations. Seconds since packet was born by spec.

  19. IPv4 Header: Protocol ICMP=1, TCP=6, UDP=17. Way more at: http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml

  20. IPv4 Header: Header Checksum To detect errors in transmission

  21. IPv4 Header: Source Address Where did I come from?

  22. IPv4 Header: Destination Address Where am I going?

  23. IPv4 Header: Options Extra options for the packet. Things like source routing would be here: http://www.networksorcery.com/enp/protocol/ip.htm#Options

  24. IPv4 Header: Padding To make sure data starts on a 32 bit boundary

  25. Fragmentation Networks have a Maximum Transmission Unit (MTU) size, often 1500 bytes. Sometimes, packets must be broken up to fit, which can be done by a router. The IP ID and Fragment Offset mentioned before are used to put packets back together. The MTU of the path can be discovered by setting the Do Not Fragment flag and trying smaller sizes until you no longer get an ICMP “Fragmentation needed and DF set” message back.
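
An added example (not from the slides) that packs the IPv4 header fields just walked through, parses them back out counting bits from 0 as the slides do, and verifies the header checksum the way a receiver does. The sample header and the "TTL decremented without recomputing the checksum" copy are constructed here.

```python
import socket
import struct

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}  # the values the Protocol slide lists

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's complement of the one's-complement sum of
    all 16-bit words. Run over a header whose checksum field is already filled
    in, the result is 0, which is how a receiver verifies it."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4_header(src, dst, proto, total_len, ttl=64, ident=0x1234, df=True):
    """Minimal 20-byte header (IHL=5, no options) with a valid checksum."""
    ver_ihl = (4 << 4) | 5                  # version 4, IHL = 5 x 32-bit words
    flags_frag = 0x4000 if df else 0        # bit 1 = DF, bit 2 = MF, low 13 bits = offset
    hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total_len, ident, flags_frag,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def parse_ipv4_header(data: bytes) -> dict:
    """Decode the fields the slides walk through (bit positions counted from 0)."""
    if len(data) < 20:
        raise ValueError("need at least 20 bytes")
    ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, _ = struct.unpack("!BBHHHBBH", data[:12])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4   # IHL is in 32-bit words
    if version != 4 or ihl < 20 or len(data) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    return {
        "version": version, "ihl": ihl, "tos": tos, "total_length": total_len, "id": ident,
        "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000),
        "frag_offset": (flags_frag & 0x1FFF) * 8,         # offset is in 8-byte units
        "ttl": ttl, "protocol": PROTO_NAMES.get(proto, str(proto)),
        "checksum_ok": ipv4_checksum(data[:ihl]) == 0,    # covers the checksum field too
        "src": socket.inet_ntoa(data[12:16]), "dst": socket.inet_ntoa(data[16:20]),
        "options": data[20:ihl],
    }

# Constructed sample: 192.168.1.1 -> 192.168.1.2, TCP, 40 bytes total, DF set.
SAMPLE = build_ipv4_header("192.168.1.1", "192.168.1.2", 6, 40)
# The same header after a hop decremented TTL without recomputing the checksum.
CORRUPTED = SAMPLE[:8] + bytes([SAMPLE[8] - 1]) + SAMPLE[9:]
```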

  26. IPv6 128 bit addresses, 2^128 possible addresses (in technical terms: a shit load). 340 undecillion to us Yanks, 340 sextillion to Brits (which sounds like a fancy orgy). In some ways, IPv6 has a simpler header.

  27. IPv6 Header 40 bytes, 320 bits

  28. IPv6 Header Version is set to 6. Traffic Class and Flow Control are used for QoS. Payload Length is the size of the payload, not including the IP header itself. Next Header points to the header of the encapsulated protocol. Hop Limit was TTL in old IPv4; this is a better name. Source and Destination Addresses.

  29. IPv6 Auto Configuration Stateless Auto Configuration eliminates the need for DHCP (though it is still possible with DHCPv6, Stateful Auto Configuration). The IPv6 address is based on the MAC address and IPv6 router advertisements: ff:fe is inserted into the MAC if it is 48 bits; an EUI-64 MAC address that is already 64 bits can be used as is. Uses : for notation in hex; :: can substitute for a run of 0s (but only once): fe80::60c:ceff:fed7:ed7c. The one above is a Link-Local address (notice the fe80), and can be used to talk to other IPv6 hosts on the network without a router. The Universal/Local (U/L) bit is set to 1 if the burned-in MAC address is overridden.
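
An added example (not from the slides) that does the derivation on this slide both ways: split a MAC into OUI and extension identifier, build the modified EUI-64 interface identifier (insert ff:fe, flip the U/L bit), prepend fe80:: to get the link-local address, and recover the MAC from an address that carries one. The MAC 04:0c:ce:d7:ed:7c is worked back from the slide's fe80::60c:ceff:fed7:ed7c and is not on the slide itself.

```python
import ipaddress

def _mac_bytes(mac: str) -> bytearray:
    """Accept DE:AD:BE:EF:CA:FE or DE-AD-BE-EF-CA-FE; reject anything not 48 bits."""
    octets = mac.replace("-", ":").split(":")
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC with 6 octets")
    return bytearray(int(o, 16) for o in octets)

def split_oui(mac: str) -> tuple:
    """(OUI, extension identifier): the two halves the MAC slide colours."""
    b = _mac_bytes(mac)
    return b[:3].hex(":"), b[3:].hex(":")

def modified_eui64(mac: str) -> bytes:
    """Modified EUI-64 interface identifier used by stateless autoconfiguration:
    ff:fe goes between OUI and extension identifier, then the Universal/Local
    bit (0x02 of the first octet) is inverted."""
    b = _mac_bytes(mac)
    iid = b[:3] + b"\xff\xfe" + b[3:]
    iid[0] ^= 0x02
    return bytes(iid)

def link_local_from_mac(mac: str) -> str:
    """fe80::/64 plus the interface identifier, printed in compressed :: form."""
    return str(ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + modified_eui64(mac)))

def mac_from_eui64_address(addr: str):
    """Reverse the derivation when the low 64 bits have ff:fe in the middle.
    Returns None for identifiers that are not MAC-derived (random/privacy IIDs),
    so callers do not correlate a host to hardware on a false match."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    b = bytearray(iid[:3] + iid[5:])
    b[0] ^= 0x02
    return b.hex(":")
```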

  30. Classful Networks Size matters.

  31. Classless Inter-Domain Routing (CIDR) CIDR allows for less waste by splitting networks up. CIDR notation: 255.255.255.0 = /24, 255.255.0.0 = /16, 255.0.0.0 = /8. Other prefix lengths are possible too.

  32. Subnetting Dickins Corp uses IP range 10.*.*.*. Assume an example host is 10.69.69.69. Let’s say they use 255.255.240.0 (/20) for a subnet mask:
     11111111.11111111.11110000.00000000
     The first 20 bits (red on the slide) are the network section, the remaining 12 (blue) the host section. AND with the host IP:
     00001010.01000101.01000101.01000101 (10.69.69.69)
     11111111.11111111.11110000.00000000 (255.255.240.0)
     = 00001010.01000101.01000000.00000000 (10.69.64.0)
     If two different IPs ANDed with the same subnet mask give the same result, they are on the same network.
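
An added example (not from the slides) that carries out the CIDR and subnetting arithmetic of the last two slides: dotted mask to prefix length and back (rejecting masks whose 1 bits are not contiguous), the octet-dotted binary layout the slide uses, and the AND that decides whether two hosts share a network. The Dickins Corp values are the slide's.

```python
def dotted_to_int(addr: str) -> int:
    parts = [int(p) for p in addr.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError("bad dotted quad: " + addr)
    return (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]

def int_to_dotted(n: int) -> str:
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))

def mask_to_prefix(mask: str) -> int:
    """255.255.240.0 -> 20. A valid mask is a run of 1s followed by 0s, so the
    number of 1 bits must reproduce the mask; 255.255.0.255 is rejected."""
    m = dotted_to_int(mask)
    ones = bin(m).count("1")
    if m != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        raise ValueError("mask bits are not contiguous: " + mask)
    return ones

def prefix_to_mask(prefix: int) -> str:
    """20 -> 255.255.240.0."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    return int_to_dotted((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF)

def to_binary(addr: str) -> str:
    """Octet-dotted binary, the layout the slide lines up for its AND."""
    n = dotted_to_int(addr)
    return ".".join(format((n >> s) & 0xFF, "08b") for s in (24, 16, 8, 0))

def network_of(addr: str, prefix: int) -> str:
    """Host address AND mask = network address (host bits zeroed)."""
    return int_to_dotted(dotted_to_int(addr) & dotted_to_int(prefix_to_mask(prefix)))

def same_network(a: str, b: str, prefix: int) -> bool:
    return network_of(a, prefix) == network_of(b, prefix)
```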

  33. ARP “Hey, who has IP 192.168.1.2?” “That’s me! My MAC Address is DE:AD:BE:FE:CA:FE” Address Resolution Protocol allows machines to find the Layer 2 MAC address for a Layer 3 IP. If the computer only has the IP, it can send a broadcast message asking who has this IP; then communication can happen. RARP (Reverse Address Resolution Protocol) is the opposite and is used by diskless workstations. Think about static ARP entries.

  34. I am Adrianholio, I need TCP for my IP! • TCP = Transmission Control Protocol • Considered a “reliable”, session based protocol (though it is said to be on the Transport layer of OSI, AKA Layer 4) • Starts with the three way handshake of: • Host 1: SYN • Host 2: SYN/ACK • Host 1: ACK • Has the concept of source and destination ports to specify what service to connect to

  35. TCP Headers IP Header is above this

  36. SRC and DST ports Think apartment numbers in a complex

  37. Sequence and Acknowledgement Numbers Keep the connection in sync and allow for knowing which packets got through

  38. Data Offset Gives the size of the TCP header in 32-bit words; at least 5, at most 15

  39. Reserved • Not all used currently, but maybe later? • These were added in 2001 and 2003 for congestion control: • CWR = Congestion Window Reduced • ECE = Explicit Congestion Notification Echo • NS = Nonce Sum

  40. Flags URG = This is important, go look at the urgent field. ACK = Says the Acknowledgment field is important; should be set on all packets after the initial SYN. PSH = Asks to push the buffered data to the application. RST = Reset the connection. SYN = Hey! Synchronize Sequence Numbers! FIN = We done son, tear down the connection.

  41. Window Tells how much data you can send for flow control

  42. Checksum Used for error checking

  43. Urgent Pointer Offset from the Sequence Number to the last urgent data byte

  44. Options Size is determined by the Data Offset field; too many to list, so see https://www.iana.org/assignments/tcp-parameters/tcp-parameters.xhtml

  45. Padding Makes sure the header stops at a 32-bit boundary

  46. DATA Here is the data

  47. Three Way! (Hand Shake That Is) During the SYN, SYN/ACK, ACK handshake, the two parties make up their own sequence numbers to exchange. As data is passed, each increments the other’s sequence number and passes it back to acknowledge that a packet was received. ACKs are used throughout, and a FIN is used at the end to tear down the connection (sometimes a RST).
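
An added example (not from the slides) covering the TCP header slides and the handshake: it packs and parses the 20-byte header (ports, sequence/acknowledgement numbers, data offset, the flag bits including NS/CWR/ECE, window, urgent pointer, options) and then checks that three parsed segments form a proper SYN, SYN/ACK, ACK exchange, each side acknowledging the other's initial sequence number plus one. The segments and their ISNs are constructed here; the checksum is left zero because it needs the IP pseudo-header, which this example does not model.

```python
import struct

# Flag bits in the 16-bit "data offset / reserved / flags" word, low bit = FIN.
FLAG_BITS = {"NS": 0x100, "CWR": 0x80, "ECE": 0x40, "URG": 0x20, "ACK": 0x10,
             "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01}

def build_tcp_header(sport, dport, seq, ack, flags, window=65535):
    """Minimal 20-byte header: data offset 5 words, no options, checksum 0."""
    bits = sum(FLAG_BITS[f] for f in flags)
    offset_flags = (5 << 12) | bits        # top 4 bits = data offset in 32-bit words
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, offset_flags, window, 0, 0)

def parse_tcp_header(data: bytes) -> dict:
    """Decode the fields the slides walk through; options run up to the data offset."""
    sport, dport, seq, ack, offset_flags, window, _csum, urg = struct.unpack("!HHIIHHHH", data[:20])
    offset = (offset_flags >> 12) * 4
    if offset < 20 or len(data) < offset:
        raise ValueError("data offset must be 5..15 words and fit in the segment")
    flags = [name for name, bit in FLAG_BITS.items() if offset_flags & bit]
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "offset": offset,
            "flags": flags, "window": window, "urgent": urg, "options": data[20:offset]}

def is_valid_handshake(s1: dict, s2: dict, s3: dict) -> bool:
    """SYN, SYN/ACK, ACK as on the slide: ports mirror each other and every ACK
    number is the peer's sequence number plus one (modulo 2^32)."""
    return (s1["flags"] == ["SYN"]
            and set(s2["flags"]) == {"SYN", "ACK"} and s3["flags"] == ["ACK"]
            and s2["sport"] == s1["dport"] and s2["dport"] == s1["sport"]
            and s3["sport"] == s1["sport"] and s3["dport"] == s1["dport"]
            and s2["ack"] == (s1["seq"] + 1) & 0xFFFFFFFF
            and s3["ack"] == (s2["seq"] + 1) & 0xFFFFFFFF
            and s3["seq"] == s2["ack"])

# Constructed handshake: client port 40000 -> server port 80, arbitrary ISNs.
CLIENT_ISN, SERVER_ISN = 1000, 5000
SYN = parse_tcp_header(build_tcp_header(40000, 80, CLIENT_ISN, 0, ["SYN"]))
SYNACK = parse_tcp_header(build_tcp_header(80, 40000, SERVER_ISN, CLIENT_ISN + 1, ["SYN", "ACK"]))
ACK = parse_tcp_header(build_tcp_header(40000, 80, CLIENT_ISN + 1, SERVER_ISN + 1, ["ACK"]))
```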

  48. UDP • UDP = User Datagram Protocol • Considered connectionless, “unreliable”, fire and forget • Meant for when speed and low overhead are more important than reliability, and the data passed can be lossy • NTP • VoIP • DNS • Streaming Video
