Tuesday, October 1, 2013

NMAP with Flags and Kinds of Responses

Everybody who has ever studied for the CEH or read similar books will find information about doing stealth scans with certain flags and what kind of response to expect. Let's do some basic analysis with tcpdump. Yes, Wireshark is good, but we need to be familiar with other tools too:

Different scans and their responses:

  1. SYN - half open - with this we only send SYN packets to the machine without completing the handshake; it is like we only say: Hi. We expect a RST on closed ports and SYN/ACK on open ports. It is like saying Hi between the lips without looking at the other person: they can say Hi back without looking at us either.
  2. TCP Connect - This runs the full TCP handshake; it is like we say: Hi, and the other person responds Hello and looks at us. This is more reliable because we get confirmation that the port is open or closed. We expect SYN/ACK and RST/ACK.
  3. FIN - This is the flag we use when we expect to close a communication, but here there was no communication. In that moment the CLOSED port will answer RST (stop, what are you talking about?) and OPEN PORTS will ignore you because they KNOW we were not talking.
  4. XMAS - The famous Christmas scan (easy to remember the name); in this scan we send FIN, URG and PSH all at once. We get the same response as with FIN: the CLOSED port will answer RST (stop, what are you talking about?) and OPEN PORTS will ignore you because they KNOW we were not talking.
  5. ACK scan uses ICMP: if the scan sees a Destination Unreachable message, it shows whether the port is open in the firewall. With this scan the open port will tell you: wait a minute (RST) when we begin to talk. Closed ports will ignore you because they are closed.
  6. NULL scan is like XMAS but without any flags at all, like walking into an office without saying anything; depending on the OS you will get an answer. Closed ports will RST/ACK.
Why this type of scan

This type of scan will help us find out whether the port is open in the firewall, and it can also help us avoid detection by the IDS/IPS or any other monitoring software.
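To see the same flag patterns from the monitoring side, here is an added example (my own code, not from this post) that parses constructed tcpdump-style lines and names the probe type and inferred port state per flow, using the open/closed responses listed above. The sample lines, IPs and source ports are constructed; a SYN probe that gets SYN/ACK and is then torn down by the scanner (RST or FIN) instead of being acknowledged is reported as half-open.

```python
import re

# Constructed tcpdump-style lines (not from the post): 192.168.123.212 probes 192.168.123.1.
SAMPLE = """\
IP 192.168.123.212.40001 > 192.168.123.1.22: Flags [S], seq 1, win 1024, length 0
IP 192.168.123.1.22 > 192.168.123.212.40001: Flags [S.], seq 9, ack 2, win 29200, length 0
IP 192.168.123.212.40001 > 192.168.123.1.22: Flags [R], seq 2, win 0, length 0
IP 192.168.123.212.40002 > 192.168.123.1.25: Flags [S], seq 1, win 1024, length 0
IP 192.168.123.1.25 > 192.168.123.212.40002: Flags [R.], seq 0, ack 2, win 0, length 0
IP 192.168.123.212.40003 > 192.168.123.1.5800: Flags [F], seq 1, win 1024, length 0
IP 192.168.123.212.40004 > 192.168.123.1.5820: Flags [F], seq 1, win 1024, length 0
IP 192.168.123.1.5820 > 192.168.123.212.40004: Flags [R.], seq 0, ack 2, win 0, length 0
IP 192.168.123.212.40005 > 192.168.123.1.80: Flags [FPU], seq 1, win 1024, length 0
IP 192.168.123.212.40006 > 192.168.123.1.443: Flags [none], seq 1, win 1024, length 0
"""
# tcpdump prints ACK as ".", no flags as "none"; a timestamp prefix on each line is ignored.
LINE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]")
PROBES = {"S": "SYN", "F": "FIN", "FPU": "XMAS", "none": "NULL", ".": "ACK"}

def parse(text):
    """Group packets per flow, keyed by the first packet's (src, sport, dst, dport)."""
    flows = {}
    for src, sport, dst, dport, flags in LINE.findall(text):
        if (dst, dport, src, sport) in flows:          # reply from the target
            flows[(dst, dport, src, sport)].append(("in", flags))
        else:                                           # probe or follow-up from the scanner
            flows.setdefault((src, sport, dst, dport), []).append(("out", flags))
    return flows

def classify(packets):
    """Name the probe by its flags and infer the port state from the target's reply."""
    probe = PROBES.get(packets[0][1], "other")
    replies = [f for d, f in packets[1:] if d == "in"]
    followups = [f for d, f in packets[1:] if d == "out"]
    if probe == "SYN" and "S." in replies:   # open; did the scanner finish the handshake?
        return probe, "open, full connect" if "." in followups else "open, half-open"
    if probe == "SYN":
        return probe, "closed" if "R." in replies else "filtered"
    if probe in ("FIN", "XMAS", "NULL"):     # only a closed port answers (RST)
        return probe, "closed" if "R." in replies else "open|filtered"
    if probe == "ACK":                       # RST means the firewall let the probe through
        return probe, "unfiltered" if any(f.startswith("R") for f in replies) else "filtered"
    return probe, "unknown"

def scan_summary(text):
    """Map each probed port to (probe type, inferred state)."""
    return {key[3]: classify(pkts) for key, pkts in parse(text).items()}
```

Feed it `tcpdump -n -l` output piped through the script to see the same summary on your own lab traffic.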


Now let's see some examples.

SYN Scan

SYN - half open - with this we only send SYN packets to the machine without completing the handshake; it is like we only say: Hi. We expect a RST/ACK.

We will scan a device with port 22 open.

root@jojo-pc:~# nmap -sS -p22 192.168.123.1

Starting Nmap 6.40 ( http://nmap.org ) at 2013-10-01 18:37 CDT
Nmap scan report for 192.168.123.1
Host is up (0.0038s latency).
PORT   STATE SERVICE
22/tcp open  ssh
MAC Address: 50:3D:E5:3C:68:03 (Cisco Systems)




Did you notice:

192.168.123.212  to 192.168.123.1 with Flag S (SYN)
192.168.123.1 to 192.168.123.212 with Flag S (SYN) and ACK -- PORT IS OPEN
192.168.123.212 to 192.168.123.1 with Flag F (FIN) - Close the connection

This was half open: the IP .1 wanted to do the full handshake, but we just closed the connection with FIN.

We will scan a device with port 23 closed.

root@jojo-pc:~# nmap -sS -p25 192.168.1.1

Starting Nmap 6.40 ( http://nmap.org ) at 2013-10-01 23:11 CDT
Nmap scan report for router.Belkin (192.168.1.1)
Host is up (0.0018s latency).
PORT   STATE  SERVICE
25/tcp closed smtp
MAC Address: 08:86:3B:D2:F9:00 (Belkin International)




Did you notice I got the Flag R (Reset) from the router? Why? Because the port is closed in that firewall and there was no communication; it is like the router tells us: Forget it, I ignore you.

TCP Connect

TCP Connect - This runs the full TCP handshake; it is like we say: Hi, and the other person responds Hello and looks at us. This is more reliable because we get confirmation that the port is open or closed. We expect SYN/ACK and RST/ACK. In other words, the full handshake.

Scan of port 3389, open

root@jojo-pc:~# nmap -sT -p3389 192.168.1.100

Starting Nmap 6.40 ( http://nmap.org ) at 2013-10-01 23:18 CDT
Nmap scan report for 192.168.1.100
Host is up (0.0026s latency).
PORT     STATE SERVICE
3389/tcp open  ms-wbt-server
MAC Address: 00:15:17:13:2B:4C (Intel Corporate)



The full TCP handshake

Now a closed port; in this case we simulate port 3390. I expect RST, since the port is closed.

root@jojo-pc:~# nmap -sT -p3390 192.168.1.100

Starting Nmap 6.40 ( http://nmap.org ) at 2013-10-01 23:21 CDT
Nmap scan report for 192.168.1.100
Host is up (0.0099s latency).
PORT     STATE  SERVICE
3390/tcp closed dsc
MAC Address: 00:15:17:13:2B:4C (Intel Corporate)


FIN scan

FIN - This is the flag we use when we expect to close a communication, but here there was no communication. In that moment the CLOSED port will answer RST (stop, what are you talking about?) and OPEN PORTS will ignore you because they KNOW we were not talking. THIS IS ONLY FOR LINUX.

I am scanning port 5800 (VNC); it is open, but I am sending with the FIN flag, and I got nothing.

root@jojo-pc:~# nmap -sF -p5800 192.168.1.24

Starting Nmap 6.40 ( http://nmap.org ) at 2013-10-01 23:27 CDT
Nmap scan report for 192.168.1.24
Host is up (0.0026s latency).
PORT     STATE         SERVICE
5800/tcp open|filtered vnc-http




If I send to a closed port I get RESET, meaning it is closed.

root@jojo-pc:~# nmap -sF -p5820 192.168.1.24

Starting Nmap 6.40 ( http://nmap.org ) at 2013-10-01 23:30 CDT
Nmap scan report for 192.168.1.24
Host is up (0.0033s latency).
PORT     STATE  SERVICE
5820/tcp closed unknown



This could be a long blog post; just keep testing and testing until you see the flags. It is a good learning process and you will be able to know what to expect from each scan.

Remember, if you have deep knowledge of your target you are increasing your chances of success to own the box; patience is the key.



Monday, September 30, 2013

NMAP Protocol scan results

I am not sure about you guys, but studying the NMAP protocol scan results is sometimes very confusing.

This is the list of the normal responses recognized by NMAP:

Code 0 - Network Unreachable
Code 1 - Host Unreachable
Code 2 - Protocol Unreachable
Code 3 - Port Unreachable
Code 13 - Communication Administratively Prohibited

Let me give you some examples:

Code 0 - Network Unreachable

nmap 192.168.14.1


Did you notice Type 13 Code 0? I could not reach the network 192.168.14.0 because there is no route in my firewall to that network and it is not routed through the internet.

Code 2 - Protocol Unreachable

On this occasion I will try to scan a host on the internet that doesn't reply to ICMP, and we will get two different responses, very interesting:

nmap 97.74.215.229


Did you notice Code 2 (Protocol Unreachable)?

Now, at the same time, we get Type 3 Code 13 (Communication Administratively Filtered).


Keep testing with nmap and Wireshark, applying ICMP filters, and you will get the types and codes. After you keep testing, this will become familiar to you and you will begin to go deep with protocols; and remember, the packet never lies.


Monday, August 5, 2013

HTTP Commands for Banner Grabbing

This is a short list of commands for banner grabbing from a Windows web server; you will need to press Enter twice after the command.

1. Connect using telnet and type: HEAD / HTTP/1.0

telnet www.test.com 80

Trying 10.10.10.10...
Connected to www.test.com.
Escape character is '^]'.
HEAD / HTTP/1.0


HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 1777
Content-Type: text/html
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDACBATBQQ=MJOLBPPDBKPANIAKDMLCEOHF; path=/
X-Powered-By: ASP.NET
Date: Tue, 06 Aug 2013 03:42:18 GMT
Connection: close
Connection closed by foreign host.


2. Let's try the OPTIONS command, I like this one: OPTIONS / HTTP/1.0


Trying 10.10.10.10...
Connected to www.test.com.
Escape character is '^]'.
OPTIONS / HTTP/1.0

HTTP/1.1 200 OK
Allow: OPTIONS, TRACE, GET, HEAD, POST
Server: Microsoft-IIS/7.0
Public: OPTIONS, TRACE, GET, HEAD, POST
X-Powered-By: ASP.NET
Date: Tue, 06 Aug 2013 03:47:39 GMT
Connection: close
Content-Length: 0
Connection closed by foreign host.


What happens if I type wrong commands or lowercase letters?

Trying 10.10.10.10...
Connected to www.test.com.
Escape character is '^]'.

options / http/1.0      ---- I typed lower case

HTTP/1.1 400 Bad Request
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Tue, 06 Aug 2013 03:50:08 GMT
Connection: close
Content-Length: 311
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>Bad Request</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>
<BODY><h2>Bad Request</h2>
<hr><p>HTTP Error 400. The request is badly formed.</p>
</BODY></HTML>
Connection closed by foreign host.
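The same headers tell the server's owner what the box is leaking. As an added example (my code, not from this post), here is a small parser for the raw responses shown above that pulls out the banner headers and the advertised methods, flagging TRACE. The two responses are constructed in the shape of the telnet sessions above, not captured from www.test.com.

```python
# Constructed raw responses (not captured from www.test.com), shaped like the sessions above.
HEAD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Cache-Control: private\r\n"
    "Content-Length: 1777\r\n"
    "Content-Type: text/html\r\n"
    "Server: Microsoft-IIS/7.0\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "Connection: close\r\n\r\n"
)
OPTIONS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD, POST\r\n"
    "Server: Microsoft-IIS/7.0\r\n"
    "Public: OPTIONS, TRACE, GET, HEAD, POST\r\n"
    "Connection: close\r\n"
    "Content-Length: 0\r\n\r\n"
)

# Headers that identify the product/version behind the port.
BANNER_HEADERS = ("server", "x-powered-by")

def parse_response(raw):
    """Split a raw HTTP/1.x response into (status_code, {lowercase header: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def audit(raw):
    """Return what a reviewer would note: leaked banners and the methods the server advertises."""
    status, headers = parse_response(raw)
    findings = {"status": status, "banners": {}, "methods": [], "trace_enabled": False}
    for h in BANNER_HEADERS:
        if h in headers:
            findings["banners"][h] = headers[h]
    for h in ("allow", "public"):            # OPTIONS replies list methods in either header
        for m in headers.get(h, "").split(","):
            m = m.strip().upper()
            if m and m not in findings["methods"]:
                findings["methods"].append(m)
    findings["trace_enabled"] = "TRACE" in findings["methods"]
    return findings
```

Point it at the bytes you read back from the socket after sending HEAD or OPTIONS and compare the findings against what the server is supposed to expose.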

Sunday, May 19, 2013

How to enable Desktop Sharing in Kali

I have my own pentest lab; I installed a second copy of Kali in Hyper-V to keep running any dictionary attack, directory or file enumeration on a web server, etc. Sure, using Kali over Hyper-V is a little slow, so I enabled Desktop Sharing.

So let's have fun:

Open Applications > Internet > Desktop Sharing



When you open it you will find different options. The first thing I recommend is: Require the user to enter this password: ************. You do not want to leave it blank and have somebody take your hacking machine and begin to use it illegally, no.

In my case I selected the following options; you can choose the ones you want. Look!!! I cleared the option "You must confirm each access to this machine". Why? Because I am not at the Hyper-V console and I will be accessing it from my laptop.




Now you will need to download VNC Viewer and try to connect from any Windows/Linux (GUI) machine:














From there you can do whatever you want. A second machine is good because it allows you to run tools that require time and processor without slowing down your main laptop/computer.

Happy hacking fun.



Saturday, May 18, 2013

Where are the password or word lists in Kali

Last night I was looking for how to enumerate the list of directories in a web site. I was using Kali; normally in BackTrack you look in the /pentest folder and from there pick the right tool. Kali is a little different:

Location:

/usr/share

Check the list:




Now let's see DirBuster: go to /usr/share/dirbuster (cd /usr/share/dirbuster) and run ls -l




Go inside wordlists (cd wordlists) and run ls -l again; you will find the directory lists.




This is only for DirBuster; now go to /usr/share/wordlists and run ls -l again:



Keep going in the folder /usr/share and you will find your wordlists or lists for your tools. Happy hacking; remember, only in your lab or with permission.
















Friday, May 3, 2013

Attacking Metasploitable. Part 1. Scanning

I downloaded Metasploitable 2 from this web site http://vulnhub.com/?page=2#top and installed it on my second computer with Windows 2012 and Hyper-V.

Target machine: 192.168.1.9

Attacker machine 192.168.1.31

I ran a TCP/UDP scan to try to get everything. It takes time, but remember you spend 95% of the time getting information about your target: reconnaissance, enumeration and scanning.

nmap -sV -sT -sU -p1-5535 -v -T5 192.168.1.9

Did you notice I did an aggressive scan? Yes, I am in my own LAN, so I will not lose time; also, I will show you only the result in the next picture:



Now the fun begins; let's attack the machine using Metasploit.

How much can I hack?

Every time I go to www.ethicalhacker.com I read the same question: Where to hack? How much to hack? And the answer is: IT DEPENDS.

Yes, you can hack all you want; practically it is "all you can eat", but that depends on how willing you are to try harder and dedicate time to it.

You have all the tools and they are free, but that does not mean it is easy.

Virtualization

You have VMware, VirtualBox (I love it), Hyper-V (I am beginning to like it a lot), etc. All of these can help you create your own virtual lab. Yep, you can do it with your laptop or home computer, but I recommend you get another computer to install your virtual machines on. Why? Because you are becoming a hacker (pentester), and every day you will add more tools and other resources, open more windows, read more, and a little more, and eventually your computer will become a little slow just running two virtual machines and sometimes Wireshark or an IDS to check your attacks.

IDS? Yes, you will need to learn how to avoid the alarms (stealth) to avoid detection; if you get past the IDS alarms you are becoming a good hacker.

Virtual Machines

There are plenty of web sites with ISOs and VMware and VirtualBox machines you can download, install and begin to play with; these are the ones I love a lot:

http://vulnhub.com/    -- A lot of targets

https://pentesterlab.com/exercises -- This is for web applications

Attack Platform

Windows? Really? Yes, there are plenty of tools on Windows to attack with; just check the CEH training and you will see a lot of them.

http://www.backtrack-linux.org/ -- Yep, this is the gold one.

http://www.kali.org/ - BackTrack replacement

And many more....

How much to hack? It depends on how much you want.