Nmap / Zenmap - zSecurity · Network Mapping HUGE security scanner. From an IP/IP range it can...
Network Mapping: Nmap / Zenmap
● HUGE security scanner.
● From an IP/IP range it can discover:
  ○ Open ports.
  ○ Running services.
  ○ Operating system.
  ○ Connected clients.
  ○ + more
MITM Attacks
Man In The Middle (diagram): the normal path Victim ↔ Resources (eg: internet), and the same path with a Man In The Middle inserted: Victim ↔ MITM ↔ Resources (eg: internet).
Address Resolution Protocol (ARP)
→ Simple protocol used to map the IP address of a machine to its MAC address.
ARP Request (diagram)
Nodes: A (Router), B, Victim, D. Address table shown on the slide:
IP: 10.0.2.5   MAC: 00:11:22:33:44:44
IP: 10.0.2.6   MAC: 00:11:22:33:44:66
IP: 10.0.2.7   MAC: 00:11:22:33:44:55
IP: 10.0.2.1   MAC: 00:11:22:33:44:20
Broadcast request: "WHO HAS 10.0.2.6"
ARP Response (diagram)
Nodes: A (Router), B, C, D, with the same address table:
IP: 10.0.2.5   MAC: 00:11:22:33:44:44
IP: 10.0.2.6   MAC: 00:11:22:33:44:66
IP: 10.0.2.7   MAC: 00:11:22:33:44:55
IP: 10.0.2.1   MAC: 00:11:22:33:44:20
Reply from the owner of 10.0.2.6: "I have 10.0.2.6. My MAC is 00:11:22:33:44:66"
Typical Network (diagram)
Victim ↔ (Requests / Responses) ↔ Access Point ↔ (Requests / Responses) ↔ Resources (eg: internet). The Hacker is shown on the network, beside the path.
ARP Spoofing (diagram)
Hacker claims to the Access Point: "I have victim's mac address"
Hacker claims to the Victim: "I have the router's mac address"
Resources (eg: internet) sit behind the Access Point.
ARP Spoofing (diagram, shown on two slides)
After the spoofing, Requests and Responses between the Victim and the Resources (eg: internet) pass through the Hacker: Victim ↔ (Requests / Responses) ↔ Hacker ↔ (Requests / Responses) ↔ Access Point ↔ Resources.
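Added example, not from the zSecurity slides: a small Python monitor that flags the spoofing pattern in the ARP diagrams above, one host answering for both the router's and the victim's IP. It uses the IP/MAC table from the ARP slides as the known bindings; the tcpdump-style log lines, the attacker MAC 00:11:22:33:44:aa and the function names are constructed for this example.

```python
"""Added example (not from the zSecurity slides): flag the ARP spoofing
pattern shown in the diagrams, one host answering for both the router's
and the victim's IP. Log lines and the attacker MAC are constructed."""
import re
from collections import defaultdict

# Legitimate IP -> MAC bindings, taken from the ARP diagram on the slides.
KNOWN_BINDINGS = {
    "10.0.2.1": "00:11:22:33:44:20",
    "10.0.2.5": "00:11:22:33:44:44",
    "10.0.2.6": "00:11:22:33:44:66",
    "10.0.2.7": "00:11:22:33:44:55",
}

# Constructed tcpdump-style ARP output. The first replies are genuine; the
# last two come from an assumed spoofing host with MAC 00:11:22:33:44:aa.
SAMPLE_LOG = """\
12:00:01.000 ARP, Request who-has 10.0.2.6 tell 10.0.2.5, length 28
12:00:01.001 ARP, Reply 10.0.2.6 is-at 00:11:22:33:44:66, length 28
12:00:02.000 ARP, Reply 10.0.2.1 is-at 00:11:22:33:44:20, length 28
12:00:03.000 ARP, Reply 10.0.2.1 is-at 00:11:22:33:44:aa, length 28
12:00:03.100 ARP, Reply 10.0.2.6 is-at 00:11:22:33:44:aa, length 28
"""

ARP_REPLY = re.compile(r"Reply (\d+(?:\.\d+){3}) is-at ([0-9a-f:]{17})", re.I)

def parse_replies(log_text):
    """Return (ip, mac) pairs for every ARP reply line; requests are ignored."""
    return [(m.group(1), m.group(2).lower()) for m in ARP_REPLY.finditer(log_text)]

def check_arp_replies(replies, known=KNOWN_BINDINGS):
    """Two checks: a reply contradicting a known IP -> MAC binding, and a
    single MAC claiming more than one IP (what a host must do to sit in
    the middle). Returns the alerts as strings, in the order they fire."""
    alerts = []
    ips_by_mac = defaultdict(set)
    for ip, mac in replies:
        expected = known.get(ip)
        if expected and expected.lower() != mac:
            alerts.append(f"binding change: {ip} was {expected}, now {mac}")
        ips_by_mac[mac].add(ip)
        if len(ips_by_mac[mac]) > 1:
            alerts.append(f"one MAC {mac} claims {sorted(ips_by_mac[mac])}")
    return alerts

if __name__ == "__main__":
    for alert in check_arp_replies(parse_replies(SAMPLE_LOG)):
        print(alert)
```

On a real network the known-bindings table would be filled from a trusted inventory or from the first hours of clean traffic, and a MAC legitimately holding several IPs (a router with aliases) needs an allow-list.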
ARP Spoofing: Using arpspoof
● arpspoof: tool to run ARP spoofing attacks.
● Simple and reliable.
● Ported to most operating systems including Android and iOS.
● Usage is always the same.
use:
arpspoof -i [interface] -t [clientIP] [gatewayIP]
arpspoof -i [interface] -t [gatewayIP] [clientIP]
ARP Spoofing: Using MITMf
● Framework to run MITM attacks.
● Can be used to:
  ○ ARP spoof targets (redirect the flow of packets).
  ○ Sniff data (URLs, usernames, passwords).
  ○ Bypass HTTPS.
  ○ Redirect domain requests (DNS spoofing).
  ○ Inject code in loaded pages.
  ○ And more!
use:
mitmf --arp --spoof -i [interface] --target [clientIP] --gateway [gatewayIP]
HTTPS
Problem:
● Data in HTTP is sent as plain text.
● A MITM can read and edit requests and responses.
→ not secure
Solution:
● Use HTTPS.
● HTTPS is an adaptation of HTTP.
● Encrypts HTTP using TLS (Transport Layer Security) or SSL (Secure Sockets Layer).
Bypassing HTTPS
Problem:
● Most websites use HTTPS → sniffed data will be encrypted.
Solution:
● Downgrade HTTPS to HTTP.
DNS Spoofing
● DNS → Domain Name System.
● Translates domain names to IP addresses.
● Eg: links www.google.com to the IP of Google's server.
Example records shown on the slide:
bing.com        A   204.79.197.200
facebook.com    A   195.44.2.1
zsecurity.org   A   104.27.153.174
……..etc
DNS Spoofing (diagrams, three slides)
Participants: User, Hacker (10.0.2.16), DNS server, live.com web server (204.79.197.200), facebook.com web server (195.44.2.1), Hacker web server (10.0.2.16).
First diagrams: the User looks up live.com through the DNS server and is directed to the live.com web server at 204.79.197.200.
Final diagram: the Hacker (10.0.2.16) sits between the User and the DNS server, and the lookup is answered with the Hacker web server's address, 10.0.2.16, instead of the real one.
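Added example, not from the zSecurity slides: a Python check over observed DNS A answers that catches the outcome of the diagrams above, a public name resolving to the attacker's LAN host at 10.0.2.16. The baseline table is built from the records on the DNS slide; the observed answer lines and the function names are constructed for this example.

```python
"""Added example (not from the zSecurity slides): check observed DNS A answers
for the spoofing the diagrams show, a public name resolving to the attacker's
LAN host (10.0.2.16). The baseline uses the slide's records; answers are constructed."""
import ipaddress

# Baseline from the slide's table (name -> acceptable A records). Real sites
# rotate addresses, so a baseline mismatch is weaker evidence than the
# non-global check below, which is what a LAN-side spoof trips.
EXPECTED_A = {
    "bing.com": {"204.79.197.200"},
    "facebook.com": {"195.44.2.1"},
    "zsecurity.org": {"104.27.153.174"},
    "live.com": {"204.79.197.200"},
}

# Constructed observed answers in the slide's "name A address" layout.
# The last two are what the victim would see after the spoofing on the slide.
SAMPLE_ANSWERS = """\
bing.com A 204.79.197.200
facebook.com A 195.44.2.1
zsecurity.org A 104.27.153.175
live.com A 10.0.2.16
facebook.com A 10.0.2.16
"""

def parse_answers(text):
    """Parse 'name A address' lines into (name, address) pairs."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[1].upper() == "A":
            out.append((parts[0].lower().rstrip("."), parts[2]))
    return out

def check_answers(answers, expected=EXPECTED_A):
    """Return one alert per suspicious answer: an address that is not globally
    routable (private LAN, loopback, link-local) for a public name, or an
    address outside the baseline for a name that has one."""
    alerts = []
    for name, address in answers:
        try:
            addr = ipaddress.ip_address(address)
        except ValueError:
            alerts.append(f"{name}: unparsable address {address}")
            continue
        if not addr.is_global:
            alerts.append(f"{name}: resolved to non-global address {address}")
        elif name in expected and address not in expected[name]:
            alerts.append(f"{name}: answer {address} not in baseline")
    return alerts
```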
MITM: Code Injection
● Inject JavaScript/HTML code.
● Code gets executed by the target browser.
→ use the --inject plugin
Code can be:
1. Stored in a file: --js-file or --html-file
2. Stored online: --js-url or --html-url
3. Supplied through the command line: --js-payload or --html-payload
Creating a Fake Access Point: Using Mana-Toolkit
● Tool to run rogue access point attacks.
● It can:
  ○ Automatically configure and create a fake AP.
  ○ Automatically sniff data.
  ○ Automatically bypass HTTPS.
  ○ ….etc
Mana has 3 main start scripts:
1. start-noupstream.sh - starts the fake AP with no internet access.
2. start-nat-simple.sh - starts the fake AP with internet access.
3. start-nat-full.sh - starts the fake AP with internet access, and automatically starts sniffing data and bypassing HTTPS.
Typical Network (diagram)
Client 1, Client 2, Client 3 ↔ (Requests / Responses) ↔ Access Point ↔ internet.
Creating a Fake Access Point (diagrams, three slides)
Client 1, Client 2, Client 3 ↔ (Requests / Responses) ↔ Hacker ↔ internet: the Hacker takes the place of the Access Point.
Requirements shown on the last slide:
● Wireless adapter that supports AP mode
● Any interface with internet access