Nmap and Nping for Blue Teams

NMAP

   ____  _____  ____    ____       _       _______
  |_   \|_   _||_   \  /   _|     / \     |_   __ \
    |   \ | |    |   \/   |      / _ \      | |__) |
    | |\ \| |    | |\  /| |     / ___ \     |  ___/
   _| |_\   |_  _| |_\/_| |_  _/ /   \ \_  _| |_
  |_____|\____||_____||_____||____| |____||_____|

  NMAP IS A POWERFUL TOOL -- USE CAREFULLY AND RESPONSIBLY

Purpose: Why are we using Nmap?

– Scenario 1: Identify all end points (on-going goal)
– Scenario 2: Search for potentially vulnerable hosts: MS17-010

Scenario 1: Identify all end points

Scan details required: targets, scan type, ports, other (OS detection)

Target(s): network range

CIDR notation

Our range will be stored in a file, one IP/range per line

10.10.0.0/16

  [*] subnet: 10.10.0.0/16
  [*] network: 10.10.0.0, broadcast 10.10.255.255
  [*] netmask: 255.255.0.0, hostmask: 0.0.255.255
  [*] total number of hosts: 65536

10.10.0.0/24

  [*] subnet: 10.10.0.0/24
  [*] network: 10.10.0.0, broadcast 10.10.0.255
  [*] netmask: 255.255.255.0, hostmask: 0.0.0.255
  [*] total number of hosts: 256

10.10.10.0/26

  [*] subnet: 10.10.10.0/26
  [*] network: 10.10.10.0, broadcast 10.10.10.63
  [*] netmask: 255.255.255.192, hostmask: 0.0.0.63
  [*] total number of hosts: 64

Octet ranges are also allowed: 192.168.3-5,7.1 (expands to 192.168.3.1, 192.168.4.1, 192.168.5.1 and 192.168.7.1)

file: network-list

192.168.1.0/24
192.168.2.0/24
192.168.3.1-100
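To see exactly what a target file like the one above will make Nmap touch, the following added example (not from the original post) expands CIDR blocks and Nmap's octet-range syntax into individual addresses, and prints the same [*] summary lines shown above. The network-list content is constructed here; the expansion rules (CIDR with host bits allowed, per-octet ranges such as 3-5,7 and open ends such as -5) are Nmap's documented target syntax, not a hypothetical.

```python
"""Expand Nmap-style target specifications and summarize address ranges."""
import ipaddress
from itertools import product
from typing import Iterator, List

# Constructed copy of the "network-list" file from the text, one spec per line.
NETWORK_LIST = """\
192.168.1.0/24
192.168.2.0/24
192.168.3.1-100
"""


def expand_octet(field: str) -> List[int]:
    """Expand one dotted-quad field: '7', '3-5', '3-5,7' or an open end like '-5' / '250-'."""
    values = []
    for part in field.split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            lo = int(lo) if lo else 0
            hi = int(hi) if hi else 255
        else:
            lo = hi = int(part)
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"bad octet range: {field!r}")
        values.extend(range(lo, hi + 1))
    return sorted(set(values))


def expand_spec(spec: str) -> Iterator[str]:
    """Yield every IPv4 address covered by one target spec (CIDR or octet ranges)."""
    spec = spec.strip()
    if "/" in spec:
        # strict=False accepts host bits set, as Nmap does for 10.10.10.5/24
        net = ipaddress.ip_network(spec, strict=False)
        for addr in net:  # includes network and broadcast addresses, like Nmap
            yield str(addr)
        return
    fields = spec.split(".")
    if len(fields) != 4:
        raise ValueError(f"not an IPv4 spec: {spec!r}")
    for octets in product(*(expand_octet(f) for f in fields)):
        yield ".".join(map(str, octets))


def summarize_cidr(spec: str) -> dict:
    """Return the facts the [*] lines in the text list for a CIDR block."""
    net = ipaddress.ip_network(spec, strict=False)
    return {
        "subnet": str(net),
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "netmask": str(net.netmask),
        "hostmask": str(net.hostmask),
        "total": net.num_addresses,
    }


def count_targets(network_list: str) -> int:
    """Count unique addresses in a target file; blank lines and # comments are skipped."""
    seen = set()
    for line in network_list.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            seen.update(expand_spec(line))
    return len(seen)


if __name__ == "__main__":
    for cidr in ("10.10.0.0/16", "10.10.0.0/24", "10.10.10.0/26"):
        s = summarize_cidr(cidr)
        print(f"[*] subnet: {s['subnet']}")
        print(f"[*] network: {s['network']}, broadcast {s['broadcast']}")
        print(f"[*] netmask: {s['netmask']}, hostmask: {s['hostmask']}")
        print(f"[*] total number of hosts: {s['total']}\n")
    print("192.168.3-5,7.1 ->", list(expand_spec("192.168.3-5,7.1")))
    print("network-list targets:", count_targets(NETWORK_LIST))
```

Counting targets before the scan is worth the minute it takes: a typo such as 10.10.0.0/16 where 10.10.0.0/24 was meant turns a 256-address inventory into a 65536-address one, which matters for scan time and for anyone watching your own IDS.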

Ports of interest

Situational awareness

  • potentially vulnerable
  • existing vulns
  • generally good to be aware of

-p22,53,80,123,443,445,3306,8000,8080,31337

Nmap defines these ports in one of its data files, /usr/share/nmap/nmap-services

Other useful options

-T<0-5>

  Set timing template (higher is faster). Default 3

-Pn

  Treat all hosts as online -- skip host discovery

-A

  Enable OS detection, version detection, script scanning, and traceroute

-sV

  Probe open ports to determine service/version info

--version-intensity <0-9>

  Set from 0 (light) to 9 (try all probes)

--version-light
  
  Limit to most likely probes (intensity 2)

--open

  Only show open (or possibly open) ports

Command for Scenario 1

$ nmap -Pn -A --version-light -p22,53,80,123,443,445,3306,8000,8080,31337 -iL network-list --open

Our command is now targeted to our specific need(s).

Scenario 2: Search for MS17-010

Target hosts with port 445 open

  • scan type (defined by our goal)
  • port 445 (TCP/UDP)
  • NSE (Nmap Scripting Engine)

File: smb-vuln-ms17-010.nse

Command for Scenario 2

$ nmap -p445 --script smb-vuln-ms17-010 scanme.nmap.org

Sample output

Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

Reference: https://nmap.org/nsedoc/scripts/smb-vuln-ms17-010.html
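Grepping the normal output above works for one host, but for an ongoing inventory (Scenario 1) and a vulnerability sweep (Scenario 2) it is easier to have Nmap write XML with its -oX option and parse that. The following is an added example, not code from the original post or from the Nmap project. The XML sample is constructed for this example with made-up addresses and hostnames, following the shape of Nmap's XML output; the <table key="CVE-..."> and <elem key="state"> layout is assumed to match what the smb-vuln-ms17-010 script (via Nmap's vulns library) emits, so compare it against your own -oX file before relying on it.

```python
"""Triage Nmap -oX output: open-port inventory (Scenario 1) and MS17-010 findings (Scenario 2)."""
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample in the shape of `nmap -oX` output. Addresses and names are
# made up; the second host has no hostscript because the script only reports
# hosts it finds vulnerable.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -Pn -p445 --script smb-vuln-ms17-010 -oX scan.xml -iL network-list">
  <host><status state="up"/>
    <address addr="192.168.1.10" addrtype="ipv4"/>
    <hostnames><hostname name="fileserver.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="22"><state state="filtered"/><service name="ssh"/></port>
    </ports>
    <hostscript>
      <script id="smb-vuln-ms17-010" output="VULNERABLE: Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)">
        <table key="CVE-2017-0143">
          <elem key="title">Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)</elem>
          <elem key="state">VULNERABLE</elem>
          <elem key="risk_factor">HIGH</elem>
          <elem key="disclosure">2017-03-14</elem>
        </table>
      </script>
    </hostscript>
  </host>
  <host><status state="up"/>
    <address addr="192.168.1.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
    </ports>
  </host>
  <host><status state="down"/>
    <address addr="192.168.1.12" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def inventory(xml_text: str) -> Dict[str, List[str]]:
    """Map each host that is up to its open ports as 'proto/port/service' strings."""
    root = ET.fromstring(xml_text)
    result: Dict[str, List[str]] = {}
    for host in root.iter("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue
        open_ports = []
        for port in host.iter("port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                svc = port.find("service")
                name = svc.get("name", "?") if svc is not None else "?"
                open_ports.append(f"{port.get('protocol')}/{port.get('portid')}/{name}")
        result[addr.get("addr")] = open_ports
    return result


def ms17_010_findings(xml_text: str) -> List[dict]:
    """Return hosts the smb-vuln-ms17-010 script marked VULNERABLE, with the key fields."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        for script in host.iter("script"):
            if script.get("id") != "smb-vuln-ms17-010":
                continue
            for table in script.iter("table"):
                elems = {e.get("key"): (e.text or "").strip() for e in table.findall("elem")}
                if elems.get("state", "").upper() == "VULNERABLE":
                    findings.append({
                        "host": addr.get("addr"),
                        "id": table.get("key"),
                        "title": elems.get("title", ""),
                        "risk": elems.get("risk_factor", ""),
                    })
    return findings


if __name__ == "__main__":
    for host, ports in inventory(SAMPLE_XML).items():
        print(host, ports)
    for f in ms17_010_findings(SAMPLE_XML):
        print(f"PATCH NOW: {f['host']} {f['id']} risk={f['risk']}")
```

Run the scans from the two scenarios with -oX added (for example `nmap -Pn -p445 --script smb-vuln-ms17-010 -oX scan.xml -iL network-list`) and feed the file to these functions; keeping the XML files lets you diff today's inventory against yesterday's, which is the point of treating Scenario 1 as an ongoing goal.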

NPING

Nping is a great tool for performing specific probes.

“Nping is an open-source tool for network packet generation, response analysis and response time measurement.
Nping allows users to generate network packets of a wide range of protocols, letting them tune virtually any
field of the protocol headers.” – Nping man page

In many environments ICMP traffic is dropped on host-based firewalls. Such a configuration makes the ping
utility mostly useless. Alternative utilities that could be used include IPv6 options to the ping command and
TCP traceroute. However, Nping is a much more powerful tool.

“Additionally, Nping offers a special mode of operation called the “Echo Mode”, that lets users see how the
generated probes change in transit, revealing the differences between the transmitted packets and the packets
received at the other end. See section “Echo Mode” for details.” – Nping man page

Examples:

Are ports 80,443 listening on scanme.nmap.org and google.com?

$ nping -c 1 --tcp -p 80,443 scanme.nmap.org google.com

Is UDP port 123 (NTPD) open on scanme.nmap.org?

$ nping -c 1 --udp -p 123 scanme.nmap.org

See if the echo server on scanme.nmap.org will respond.

$ nping --echo-client "public" scanme.nmap.org

Resources

https://nmap.org/

https://nmap.org/book/

https://github.com/nmap/nmap

Using Tor without the Tor Browser

First things first, this post is my personal opinion and is being posted on my professional blog. If you are in the information security field and are not aware of the following process, you should be. It is part of our professional responsibility to know how these things work. I’ll be using Fedora, thus the use of dnf. Everything else in this post should be distribution agnostic.

Using Tor as a SOCKS proxy might be a better title for this post. One issue I’d like to resolve using this method is in regard to accessing Tor via a bridge. To do that, using the Tor browser is recommended. Although, it should be possible to do this without requiring the use of the Tor browser. Otherwise, IMHO, that would not be very good software engineering with regard to freedom.


Install the required packages (this is not a complete list).

sudo dnf install libevent libevent-devel asciidoc

Compile and install Tor

git clone https://git.torproject.org/tor.git
cd tor

The default branch is currently master. However, depending on your use case, you will likely want to use a specific version of Tor. To find out what versions are available, the following git commands can be used.

git tag

The Tor repository uses annotated tags, which can be checked out with git checkout.

git branch

The branches aren’t as granular as the tags. You’ll want to use the tag when running git checkout.

To determine which version to use you can check a few things.

less ReleaseNotes

This file usually contains something similar to the following.

Changes in version 0.3.0.10 - 2017-08-02
   Tor 0.3.0.10 backports a collection of small-to-medium bugfixes
   from the current Tor alpha series. OpenBSD users and TPROXY users
   should upgrade; others are probably okay sticking with 0.3.0.9.

You can also check the ChangeLog file.

I’ll be using Tor as a SOCKS proxy to the internet so I’ll be using 0.3.0.10 in this example.

If you’ll be running a relay or bridge, you’ll want to make sure you compile the recommended release, usually latest stable release. In this example that would be 0.3.0.10 but, as stated in the ReleaseNotes file, others are probably okay sticking with 0.3.0.9. If the word ‘probably’ concerns you then just use 0.3.0.10 and sleep a little bit better.

More information on running a relay is available at the following link.

https://www.torproject.org/docs/tor-doc-relay.html.en

Checking out a tag will put your repo in a detached HEAD state. This is OK and is to be expected.

I’m going to install Tor into my ~/local/ directory. Modify this to suit your needs by using the --prefix option to the configure script.

git checkout tor-0.3.0.10
./autogen.sh
./configure --prefix=/home/$USER/local
make
make install

Confirm the version that was just installed.

$ ~/local/bin/tor --version
Tor version 0.3.0.10 (git-c33db290a9d8d0f9).

You can configure Tor by editing ~/local/etc/tor/torrc; otherwise Tor will use reasonable defaults.

I recommend not using the default port, 9050. An Nmap scan of that port will return the following.

..snip..
9050/tcp  filtered tor-socks
..snip..

This is a clear indication that Tor is running on your machine: Nmap labels the port from its nmap-services table, where 9050 maps to tor-socks, so the port number alone advertises Tor even while the state is only "filtered". Using a port such as 8000 might be more acceptable.

cp ~/local/etc/tor/torrc.sample ~/local/etc/tor/torrc
vi ~/local/etc/tor/torrc

Modify the SOCKSPort line.

SOCKSPort 8000

An Nmap scan of port 8000 produces the desired result.

8000/tcp filtered http-alt
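Because the post's advice amounts to two torrc settings (SOCKSPort and, when the Torsocks post later asks you to check it, SOCKSPolicy), it is worth checking them mechanically before starting Tor. The following added example is not part of the post and not Tor's own code: it parses torrc lines, treats a missing SOCKSPort as Tor's documented default of 127.0.0.1:9050, and warns on the default port, on a non-loopback listener, and on an accept-everything policy. The torrc fragments are constructed for this example, and the parser assumes the simple "Keyword value" form with # comments.

```python
"""Audit a torrc for the SOCKS settings discussed in the post (SOCKSPort, SOCKSPolicy)."""
from typing import List, Tuple

# Constructed fragments: the stock, fully commented sample, and the adjusted one.
TORRC_DEFAULT = """\
## Tor opens a SOCKS proxy on port 9050 by default -- even if you don't
## configure one below.
#SOCKSPort 9050 # Default: Bind to localhost:9050 for local connections.
#SOCKSPolicy accept 192.168.0.0/16
#SOCKSPolicy reject *
"""

TORRC_ADJUSTED = """\
SOCKSPort 8000
SOCKSPolicy accept 127.0.0.1
SOCKSPolicy reject *
"""

DEFAULT_SOCKS_PORT = 9050  # Tor's built-in default when no SOCKSPort is configured
LOOPBACK = ("127.0.0.1", "localhost", "::1")


def parse_torrc(text: str) -> List[Tuple[str, str]]:
    """Return (keyword, value) pairs for active lines; comments and blanks are dropped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        entries.append((key, value.strip()))
    return entries


def audit_socks(text: str) -> List[str]:
    """Return warnings; an empty list means the settings match the post's advice."""
    entries = parse_torrc(text)
    warnings = []
    ports = [v for k, v in entries if k.lower() == "socksport"]
    policies = [v.lower() for k, v in entries if k.lower() == "sockspolicy"]
    if not ports:
        warnings.append(f"no SOCKSPort set: Tor falls back to the default 127.0.0.1:{DEFAULT_SOCKS_PORT}")
    exposed = False
    for value in ports:
        parts = value.split()          # first token is [addr:]port, the rest are flags
        if not parts or parts[0].startswith("unix:"):
            continue                   # a unix socket listener is not reachable over TCP
        host, _, port = parts[0].rpartition(":")
        if port == "0":
            warnings.append("SOCKSPort 0 disables the SOCKS listener entirely")
        elif port == str(DEFAULT_SOCKS_PORT):
            warnings.append(f"SOCKSPort uses the well-known default {DEFAULT_SOCKS_PORT} (shown as tor-socks by Nmap)")
        if host and host.strip("[]") not in LOOPBACK:
            exposed = True
            warnings.append(f"SOCKSPort {parts[0]} listens on a non-loopback address; other hosts could proxy through you")
    if exposed and not any(p.startswith("reject") for p in policies):
        warnings.append("non-loopback SOCKSPort without any SOCKSPolicy reject rule")
    if any(p.replace(" ", "") == "accept*" for p in policies):
        warnings.append("SOCKSPolicy accept * allows every source address")
    return warnings


if __name__ == "__main__":
    for name, text in (("default", TORRC_DEFAULT), ("adjusted", TORRC_ADJUSTED)):
        print(name, "->", audit_socks(text) or ["ok"])
```

The one case the checker cannot judge for you is what your browser does around the proxy: DNS lookups and WebRTC leave through the normal interface unless the browser resolves names through SOCKS, which is part of why the post insists on disabling JavaScript and on a packet-capture check in the exercise that follows.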

Now, configure your browser of choice to use the Tor SOCKS proxy listening at 127.0.0.1:8000

**** Be sure to disable all JavaScript ****

Test your connection using the method of your choice. One option is below.

http://whatsmyip.net/

You can verify an IPv6 address by using the host command.

host XXXX:XXX:XXXX:X::X

Enjoy!

Torifying Lynx with Torsocks

This is really just a fun example of using torsocks. However, when doing a malware, phishing, or similar investigation it can be desirable to obscure your location, especially when performing an investigation from the office or after hours from home. Two reasons for this are: 1. not to become a target ourselves, and 2. so our networks don’t appear compromised (the individuals behind an attack may already know this, but there’s no need to make their job any easier). A write-up of a better use case will be in an upcoming post.

Required software:

Tor, https://www.torproject.org/download/download

I chose to compile and install Tor into /opt/tor

Torsocks, https://gitweb.torproject.org/torsocks.git/

Clone
– https://git.torproject.org/torsocks.git
– http://dccbbv6cooddgcrq.onion/torsocks.git

Lynx, http://lynx.browser.org/lynx-resources.html

Once the required software is installed the following steps can be used to torify your lynx session.

– Verify your Tor configuration, paying attention to SOCKSPort and SOCKSPolicy.

$ less /opt/tor/etc/tor/torrc

– Start Tor

$ /opt/tor/bin/tor

– In another terminal use Torsocks to start Lynx.

$ torsocks lynx --noreferer

Exercise

Create a packet capture of a brief lynx session. Can you verify that all traffic is being sent through the Tor network?


hping3 exercise

TCP 3-way Handshake

This exercise demonstrates the Transmission Control Protocol 3-way handshake.

Getting hping3

Fedora/CentOS

$ dnf install hping3

Available on github, https://github.com/antirez/hping

Description

hping3 – send (almost) arbitrary TCP/IP packets to network hosts

hping3 is a network tool able to send custom TCP/IP packets and to display target replies like the ping program does with ICMP replies. hping3 handles fragmentation, arbitrary packet body and size, and can be used in order to transfer files encapsulated under supported protocols.

Using hping3 you are able to perform at least the following:

  • Test firewall rules
  • Advanced port scanning
  • Test net performance using different protocols, packet size, TOS (type of service) and fragmentation.
  • Path MTU discovery
  • Transferring files between even really fascist firewall rules.
  • Traceroute-like under different protocols.
  • Firewalk-like usage.
  • Remote OS fingerprinting.
  • TCP/IP stack auditing.
  • Lots more.

Exercise

Start a listener on port 80 using netcat.

$ nc -l 127.0.0.1 80

From a different terminal run the following command.

$ sudo hping3 -I lo -c 3 -S 127.0.0.1 -p 80

Next steps: your turn.

Note: stop the netcat listener after each question and restart using the appropriate port.

1. Explain what the hping3 command above is doing.

2. What hping3 options would you use to send three ACK packets to port 80?

  • run the command and note the responses.

3. What hping3 options would you use to send four SYN-ACK packets to port 443?

  • run the command and note the responses.

4. What hping3 options would you use to send two RST packets to port 22?

  • run the command and note the responses.

5. Why do we receive the various responses above, i.e., what does each type of response mean?
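When you capture the exercise traffic (tcpdump -i lo port 80 works for the netcat listener above) it helps to decode the TCP flags yourself rather than trust a tool's one-letter summary. The following added example, which is not part of the original exercise and is not hping3 code, parses the fixed 20-byte TCP header, names the flags set, and checks a list of segments for a completed SYN, SYN-ACK, ACK sequence by verifying that each acknowledgement number matches the previous sequence number plus one. The sample segments are constructed in the block with a small builder (checksum left at zero, since it is only used to produce test input); the layout follows RFC 793.

```python
"""Decode TCP flags from raw segment bytes and spot completed 3-way handshakes."""
import struct
from typing import Dict, List, Tuple

# Flag bits in the low byte of the data-offset/flags word (RFC 793 order).
TCP_FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def decode_tcp_header(segment: bytes) -> Dict[str, object]:
    """Parse the fixed 20-byte TCP header and name the flags that are set."""
    if len(segment) < 20:
        raise ValueError("TCP header needs at least 20 bytes")
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", segment[:16])
    header_len = (off_flags >> 12) * 4            # data offset is in 32-bit words
    names = [n for n, bit in TCP_FLAG_BITS.items() if off_flags & bit]
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": window,
            "header_len": header_len, "flags": names,
            "label": "-".join(names) if names else "NONE"}


def build_tcp_header(sport: int, dport: int, seq: int, ack: int,
                     flags: List[str], window: int = 512) -> bytes:
    """Build a 20-byte header with the given flags; checksum is zero (test input only)."""
    bits = 0
    for f in flags:
        bits |= TCP_FLAG_BITS[f]
    off_flags = (5 << 12) | bits                  # 5 words = 20 bytes, no options
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_flags, window, 0, 0)


def completed_handshakes(segments: List[bytes]) -> List[Tuple[int, int]]:
    """Return (client_port, server_port) for every SYN -> SYN-ACK -> ACK sequence seen."""
    pending: Dict[Tuple[int, int], dict] = {}   # keyed by (client port, server port)
    done = []
    for seg in segments:
        h = decode_tcp_header(seg)
        f = set(h["flags"])
        if f == {"SYN"}:                                         # step 1, client -> server
            pending[(h["sport"], h["dport"])] = {"stage": 1, "cseq": h["seq"]}
        elif f == {"SYN", "ACK"}:                                # step 2, server -> client
            st = pending.get((h["dport"], h["sport"]))
            if st and st["stage"] == 1 and h["ack"] == (st["cseq"] + 1) & 0xFFFFFFFF:
                st.update(stage=2, sseq=h["seq"])
        elif f == {"ACK"}:                                       # step 3, client -> server
            key = (h["sport"], h["dport"])
            st = pending.get(key)
            if st and st["stage"] == 2 and h["ack"] == (st["sseq"] + 1) & 0xFFFFFFFF:
                done.append(key)
                del pending[key]
    return done


# Constructed segments: one full handshake to port 80 plus an unrelated RST-ACK
# (the reply a closed port gives to a SYN). Ports and sequence numbers are made up.
SAMPLE_SEGMENTS = [
    build_tcp_header(2000, 80, 1000, 0, ["SYN"]),
    build_tcp_header(80, 2000, 5000, 1001, ["SYN", "ACK"]),
    build_tcp_header(2000, 80, 1001, 5001, ["ACK"]),
    build_tcp_header(22, 2001, 0, 1, ["RST", "ACK"]),
]

if __name__ == "__main__":
    for seg in SAMPLE_SEGMENTS:
        h = decode_tcp_header(seg)
        print(f"{h['sport']} -> {h['dport']} {h['label']} seq={h['seq']} ack={h['ack']}")
    print("completed handshakes:", completed_handshakes(SAMPLE_SEGMENTS))
```

To run it over a real capture, strip the link-layer and IP headers (14 bytes of Ethernet and 4 x IHL bytes of IPv4 for a pcap from an Ethernet interface; the loopback pseudo-header on Linux is also 14 bytes, but check the link type) and pass the remaining bytes of each packet to decode_tcp_header.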