30May/09
Metasploit Quick Tutorial
cd /pentest/exploits/framework3
./msfconsole
msf > use exploit/...      (the exploit module)
msf > set PAYLOAD ...      (what runs on the target after exploitation)
msf > set RHOST ...        (target address)
msf > set RPORT ...        (target port)
msf > set LHOST ...        (address a reverse payload connects back to)
msf > set LPORT ...        (port it connects back to)
msf > exploit              (run `show options` first to confirm every required option is set)
BAM
Posted by: Heavymeddler
28May/09
Trying out the new "Email-to-Post" blog feature
In theory, thanks to Google magic... this email will be posted on the blog.
Posted by: Heavymeddler
26May/09
Glass Firefox Extension
Sexy...
http://www.neowin.net/forum/index.php?showtopic=746714
Posted by: Heavymeddler
16May/09
Nmap OS Fingerprinting
Active OS fingerprinting (Gen1) - older Nmap versions (<>): based mainly on TCP sequence prediction (ISN sampling)
Active OS fingerprinting (Gen2) - more than 30 different methods/tests, invoked with -O (-O2 selected the Gen2 engine only in the 4.2x transition releases where Gen1 was still the default; current Nmap has just -O)
- TCP ISN greatest common divisor (GCD)
- TCP ISN counter rate (ISR)
- TCP IP ID sequence generation algorithm (TI)
- ICMP IP ID sequence generation algorithm (II)
- Shared IP ID sequence boolean (SS)
- TCP timestamp option algorithm (TS)
- TCP initial window size (W, W1 - W6)
- IP don’t fragment bit (DF)
- IP initial time-to-live guess (TG)
- Explicit congestion notification (CC)
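As an added example (not part of the original post and not Nmap's own code), here is a Python sketch of three of the Gen2 tests listed above: GCD and ISR over sampled TCP ISNs, and the TI/II classification of IP ID behaviour. The decision rules follow the order given in Nmap's OS detection documentation; the ISN and IP ID samples are constructed, not captured traffic.

```python
from functools import reduce
from math import gcd, log2

MOD32 = 1 << 32
MOD16 = 1 << 16


def isn_deltas(isns):
    """Differences between consecutive ISNs. The counter is 32-bit, so when it
    wraps take the shorter way round (a delta above 2^31 is treated as wrapped)."""
    out = []
    for a, b in zip(isns, isns[1:]):
        d = (b - a) % MOD32
        out.append(d if d <= MOD32 // 2 else MOD32 - d)
    return out


def isn_gcd(isns):
    """GCD test: greatest common divisor of the ISN deltas (a large value means
    the stack increments in fixed steps, a classic Gen1/Gen2 tell)."""
    return reduce(gcd, isn_deltas(isns))


def isn_rate(isns, seconds_between_probes):
    """ISR test: average ISN increment per second, reported as round(8*log2(rate)),
    or 0 when the counter moves by less than one unit per second."""
    deltas = isn_deltas(isns)
    avg = sum(d / seconds_between_probes for d in deltas) / len(deltas)
    return 0 if avg < 1 else round(8 * log2(avg))


def ipid_class(ipids):
    """TI/II test: how does the host generate IP ID values? Rules are applied in
    the documented order; None means no verdict (the test is omitted)."""
    if all(i == 0 for i in ipids):
        return "Z"
    deltas = [(b - a) % MOD16 for a, b in zip(ipids, ipids[1:])]
    if any(d >= 20000 for d in deltas):
        return "RD"                 # random
    if len(set(ipids)) == 1:
        return "%X" % ipids[0]      # constant, reported in hex
    if any(d > 1000 and d % 256 != 0 for d in deltas):
        return "RI"                 # random positive increments
    if all(d % 256 == 0 and d <= 5120 for d in deltas):
        return "BI"                 # broken (byte-swapped) increment
    if all(d < 10 for d in deltas):
        return "I"                  # incremental: also what an idle-scan zombie needs
    return None


if __name__ == "__main__":
    # Constructed sample: ISNs sent 0.1 s apart, stepping in multiples of 64000
    # and wrapping past 2^32 between the 2nd and 3rd probe.
    isns = [4294901760, 4294965760, 126464, 190464, 254464, 446464]
    print("GCD=%d ISR=%d" % (isn_gcd(isns), isn_rate(isns, 0.1)))
    # Constructed IP ID samples for each class
    samples = {
        "zero": [0] * 6,
        "constant": [0x1234] * 6,
        "incremental": [1000, 1001, 1003, 1004, 1006, 1007],
        "byte-swapped": [256, 512, 768, 1024, 1280, 1536],
        "random": [100, 30000, 5, 40000, 12, 50000],
        "random-positive": [100, 5000, 9100, 14000, 18500, 19900],
    }
    for label, ids in samples.items():
        print("%-16s %s" % (label, ipid_class(ids)))
```

The IP ID classifier doubles as a zombie-suitability check for TCP idle scanning: only a host that classifies as I (incremental) gives a usable IPID count.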
Posted by: Heavymeddler
16May/09
Nmap Top Port Scan Performance Options
- --host-timeout <time>: give up on hosts that take more than the given amount of time to scan
- --max-retries <n>: maximum number of port scan probe retransmissions to a single port
- --min-rtt-timeout, --max-rtt-timeout, --initial-rtt-timeout <time>: how long Nmap waits for a port scan probe response (the underscore spellings --min_rtt_timeout etc. are accepted too)
- --min-rate, --max-rate <packets/sec>: minimum and maximum number of probe packets Nmap sends per second
- --min-parallelism, --max-parallelism <n>: number of port scan probes (across all hosts scanned concurrently) that Nmap may have outstanding
- --scan-delay, --max-scan-delay <time>: time between sending probes to any individual host (the scan delay grows as Nmap detects packet loss, so a maximum can be set to cap it)
- Append a unit (ms, s, m, h) to every time value so there is no ambiguity about what a bare number means
Posted by: Heavymeddler
16May/09
Nmap Version Scanning (-sV)
- When Nmap finds an open port it displays the default service commonly associated with that port number (based on a list of about 2,200 services in the nmap-services file at the time; the file has grown a lot since)
- What about services not on the list?
- What about services on unexpected ports? (e.g. HTTP on TCP/90 or sshd on TCP/3322)
- --version-trace shows the probe details in real time (what was sent, what came back, which signature matched)
Nmap Version Scanning Technique
- NULL probe
- - If the port is TCP, Nmap connects to it and listens for roughly 5 seconds for an initial welcome banner
- - Any data received is compared to the signatures in nmap-service-probes
- Probable port probes (reuse the TCP connection opened for the NULL probe)
- - Run against all UDP ports, and against TCP ports where NULL probing failed or only soft-matched
- - Every probe in nmap-service-probes has a list of probable port numbers
- - Probes whose port list includes the port send their probe string to it
- - Responses are compared to the probe's match/softmatch regular expressions
- Sequential probes
- - New connection for each probe (so a late response to one probe cannot corrupt the next)
- - Uses the 'rarity' metric (capped by --version-intensity) to skip probes that are extremely unlikely for that port
- SSL probes
- - If the sequential probes determine that the target port is running SSL and OpenSSL is available, Nmap reconnects via SSL and restarts version detection inside the tunnel
- Nmap RPC grinder
- - If a generic probe identifies an RPC-based service, the grinder brute-forces the RPC program number/name and supported version numbers
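Added example, not from the original post and not Nmap's code: a small Python model of the version-detection pipeline described above. It parses a constructed excerpt written in nmap-service-probes syntax (illustrative only, not the real database), orders the probes for a port by probable-port list and rarity, applies match/softmatch regexes in file order, narrows later probes after a soft match, and expands $N references in the version fields. The banners it "receives" are constructed strings, including the unexpected-port cases from the post (HTTP on 90, sshd on 3322).

```python
import codecs
import re

# Constructed excerpt in nmap-service-probes syntax (NOT the real database).
SAMPLE_DB = r"""
# NULL probe: connect and wait for a banner without sending anything
Probe TCP NULL q||
match ssh m|^SSH-([\d.]+)-OpenSSH[_-]([\w.]+)| p/OpenSSH/ v/$2/ i/protocol $1/
match http m|^HTTP/1\.[01] \d\d\d .*\r\nServer: Apache/([\w.]+)|s p/Apache httpd/ v/$1/
softmatch ftp m|^220.*FTP|

Probe TCP GetRequest q|GET / HTTP/1.0\r\n\r\n|
ports 80,8080,8000-8100
rarity 1
match http m|^HTTP/1\.[01] \d\d\d .*\r\nServer: Apache/([\w.]+)|s p/Apache httpd/ v/$1/
match http m|^HTTP/1\.[01] \d\d\d .*\r\nServer: nginx/([\w.]+)|s p/nginx/ v/$1/

Probe TCP Help q|HELP\r\n|
ports 21,6667
rarity 4
match ftp m|^214-.*vsFTPd ([\d.]+)|s p/vsftpd/ v/$1/
"""

MATCH_RE = re.compile(r"^(match|softmatch)\s+(\S+)\s+m(.)(.*?)\3([is]*)\s*(.*)$")
VINFO_RE = re.compile(r"([pvi])/([^/]*)/")


def parse_ports(spec):
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def parse_db(text):
    """Parse Probe / ports / rarity / match / softmatch lines into probe records."""
    probes, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("Probe "):
            _, proto, name, q = line.split(None, 3)
            payload = q[2:q.rindex(q[1])]          # q|...| with escapes such as \r\n
            cur = {"proto": proto, "name": name,
                   "payload": codecs.decode(payload, "unicode_escape"),
                   "ports": set(), "rarity": 1, "matches": []}
            probes.append(cur)
        elif line.startswith("ports "):
            cur["ports"] = parse_ports(line[6:])
        elif line.startswith("rarity "):
            cur["rarity"] = int(line[7:])
        else:
            m = MATCH_RE.match(line)
            if m:
                kind, service, _, pattern, flags, vinfo = m.groups()
                reflags = (re.IGNORECASE if "i" in flags else 0) | (re.DOTALL if "s" in flags else 0)
                cur["matches"].append({"soft": kind == "softmatch", "service": service,
                                       "regex": re.compile(pattern, reflags),
                                       "vinfo": dict(VINFO_RE.findall(vinfo))})
    return probes


def probe_order(probes, port, intensity=7):
    """NULL and the probes listing the port as probable come first (file order),
    then the rest whose rarity is within --version-intensity, commonest first."""
    first = [p for p in probes if p["name"] == "NULL" or port in p["ports"]]
    rest = sorted((p for p in probes if p not in first and p["rarity"] <= intensity),
                  key=lambda p: p["rarity"])
    return [p["name"] for p in first + rest]


def match_response(probe, data, only_service=None):
    """Try the probe's signatures in file order. After a soft match only that
    service's signatures are considered. $N in version fields = capture group N."""
    for sig in probe["matches"]:
        if only_service and sig["service"] != only_service:
            continue
        m = sig["regex"].search(data)
        if not m:
            continue

        def expand(s):
            return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))) or "", s)

        hit = {"service": sig["service"], "soft": sig["soft"]}
        hit.update({k: expand(v) for k, v in sig["vinfo"].items()})
        return hit
    return None


def identify(probes, port, responses, intensity=7):
    """Version-detect a simulated target: `responses` maps a probe name to what
    the target answered (a missing key means it stayed silent)."""
    soft = None
    for name in probe_order(probes, port, intensity):
        probe = next(p for p in probes if p["name"] == name)
        data = responses.get(name)
        if data is None:
            continue
        hit = match_response(probe, data, soft["service"] if soft else None)
        if hit and not hit["soft"]:
            return hit
        soft = hit or soft
    return soft
```

Real Nmap adds what this model leaves out: it runs probes on live sockets, honours sslports/totalwaitms, and feeds RPC hits to the grinder; but the ordering and matching logic is what `--version-trace` lets you watch.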
Posted by: Heavymeddler
16May/09
Nmap UDP Scans (-sU)
- Generally slower and more difficult than TCP scans
- Sends a UDP datagram with an empty payload to each target port (later releases send protocol-specific payloads from nmap-payloads for well-known ports; --data-length pads every probe)
- A port that answers with UDP data is open; one that stays silent is reported open|filtered, because a firewall drop and an application that ignores the probe look identical
- ICMP response rate-limiting detection
- - Closed ports typically respond with ICMP Port Unreachable
- - The OS limits how fast it sends those ICMP errors (Linux defaults to about 1/sec)
- - Nmap detects the limit and slows down to avoid wasting packets
- - 65,536 ports at 1/sec is more than 18 hours for a single host
- - Newer releases add --defeat-icmp-ratelimit, which trades accuracy for speed by not retrying silent ports (they are reported closed|filtered)
Posted by: Heavymeddler
16May/09
Nmap Runtime Interaction
- p = turn on packet tracing
- v = increase verbosity
- d = increase debugging level
- Shift + [p,v,d] inverts
- AnyOtherKey = print status message
- - Elapsed time, # of hosts completed, # of hosts up, # of hosts currently being scanned
- - % done, ETA remaining
Posted by: Heavymeddler
16May/09
Nmap Timing Options (-T)
- Paranoid (0) - serial scan, waits 5 minutes between probes
- Sneaky (1) - serial scan, waits 15 seconds between probes
- Polite (2) - serial scan, waits 0.4 seconds between probes
- Normal (3) [default] - parallel scan, multiple probes to multiple ports at once
- Aggressive (4) - parallel scan, max 5 minutes per host, 1.25-second response timeout
- Insane (5) - parallel scan, max 75 seconds per host, 0.3-second response timeout
- The per-host limits above are from older releases; current Nmap sets no host timeout at -T4 and a 15-minute one at -T5, while the RTT timeouts and retry caps still tighten at each level
Posted by: Heavymeddler
16May/09
TCP Idle Scan
- 1998: security researcher Antirez (author of hping2) posted the technique to the Bugtraq mailing list
- One way to determine whether a TCP port is open is to send a SYN packet to it. The target responds with SYN/ACK if the port is open and with RST if it is closed.
- A machine that receives an unsolicited SYN/ACK responds with a RST. An unsolicited RST is ignored.
- Every IP packet carries a fragment identification number (IPID). Many operating systems simply increment it for each packet they send, so probing a host's IPID twice tells an attacker how many packets it sent in between.
- Three cases: 'open', 'closed' and 'filtered' port
- The actors:
- - The Attacker (probes the Zombie directly, and sends the Target SYNs spoofed with the Zombie's address)
- - The Zombie (an idle host with an incremental IPID)
- - The Target
Case 1: Open Port - the Target answers the spoofed SYN with a SYN/ACK to the Zombie; the Zombie replies RST and burns an IPID. The Attacker's second probe of the Zombie shows the IPID advanced by 2.
Case 2: Closed Port - the Target sends a RST to the Zombie, which ignores it. The IPID advances by 1 (only the Zombie's reply to the Attacker's own probe).
Case 3: Filtered Port - the Target sends nothing to the Zombie. The IPID again advances by 1, so closed and filtered are indistinguishable (Nmap reports closed|filtered).
- Find a suitable Zombie
- - Nmap's documentation draws the zombie as a printer for a reason: simple network devices often make great zombies because they are commonly idle and built with simple network stacks whose IPID is a plain per-packet counter. A busy zombie, or one with random or per-destination IPIDs, makes the count meaningless.
- Execute the scan
- - Once a suitable zombie has been found, the scan is easy: give the zombie hostname to -sI (optionally zombie:port to choose the port probed) and Nmap does the rest. Add -Pn so that no host-discovery probes leave from your real address.
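Added example, not from the original post and not Nmap's code: a Python simulation of the three cases above with the Zombie and Target modelled as plain objects (the IPID is a constructed 16-bit counter and no packets are sent). It also shows what a non-idle zombie does to the result, which is why the zombie-selection step matters.

```python
MOD16 = 1 << 16


class Zombie:
    """Host whose IP stack uses one global, incrementing IP ID counter."""

    def __init__(self, start=0x2000, chatter=0):
        self.next_ipid = start
        self.chatter = chatter      # packets sent to third parties per event (0 = truly idle)

    def _emit(self):
        ipid = self.next_ipid
        self.next_ipid = (self.next_ipid + 1) % MOD16
        return ipid

    def receive(self, seg):
        for _ in range(self.chatter):
            self._emit()                          # unrelated traffic interleaved with ours
        if seg["flags"] == "SYN/ACK":
            return {"flags": "RST", "ipid": self._emit()}   # unsolicited SYN/ACK -> RST
        return None                               # unsolicited RST is ignored


class Target:
    def __init__(self, open_ports, filtered_ports=()):
        self.open = set(open_ports)
        self.filtered = set(filtered_ports)

    def receive(self, seg):
        """The reply is addressed to the IP source of the SYN, i.e. the Zombie."""
        if seg["dport"] in self.filtered:
            return None                           # dropped by a firewall, no reply at all
        if seg["dport"] in self.open:
            return {"flags": "SYN/ACK", "to": seg["src"]}
        return {"flags": "RST", "to": seg["src"]}


def probe_zombie_ipid(zombie):
    """Attacker sends the Zombie a SYN/ACK; the RST it gets back carries the IPID."""
    return zombie.receive({"flags": "SYN/ACK"})["ipid"]


def idle_scan_port(zombie, target, port):
    before = probe_zombie_ipid(zombie)
    # Spoofed SYN: source address is the Zombie, so the Target replies to the Zombie.
    reply = target.receive({"flags": "SYN", "src": "zombie", "dport": port})
    if reply is not None:
        zombie.receive(reply)
    after = probe_zombie_ipid(zombie)
    step = (after - before) % MOD16
    if step == 2:
        return "open"             # Zombie sent one extra packet: its RST to the SYN/ACK
    if step == 1:
        return "closed|filtered"  # nothing reached the Zombie in between, or a RST it ignored
    return "unknown"              # Zombie was not idle; Nmap re-probes rather than guess


if __name__ == "__main__":
    # Constructed target: 80 open, 135 filtered, everything else closed.
    target = Target(open_ports={80}, filtered_ports={135})
    idle = Zombie()
    for port in (80, 22, 135):
        print("idle zombie, port %d: %s" % (port, idle_scan_port(idle, target, port)))
    busy = Zombie(chatter=1)
    print("busy zombie, port 22: %s" % idle_scan_port(busy, target, 22))
```

The "unknown" branch is the whole reason Nmap probes a candidate zombie several times before trusting it: any traffic the zombie sends on its own adds to the count and the open/closed signal disappears.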
Posted by: Heavymeddler


