Monday, 14 February 2011

Fyodor and nmap videos - annotated

Fyodor is fantastic speaker to have at any hacker conference, as he has many years of experience in network scanning. One of the true greats in the Pentesting and Ethical Hacking world.

Fyodor is most famous for writing the network scanning tool NMAP, but now I know he has a hilariously geeky sense of humor as well.

Here are the three best videos I could find of his presentations at hacker conferences (which I feel are worth watching a couple of times).

I have pulled out the more advanced nmap command line options (ones which I found interesting) which are detailed below each video.

(My notes are pretty raw, just for me more than anything, but I thought I would share them. Watch the videos before you read the notes)

Scanning the internet at Defcon

This is from 3 years ago at Defcon, where Fyodor talks about some huge internet scans that he undertook to help optimise nmap.

Scanning the internet

An nmap line to produce 2.5 million random IP addresses

nmap -iR 25200000 -sL -n | grep "not scanned" | awk '{print $2}' | sort -n | uniq >! tp; head -25000000 >! 25M-IPs; rm tp

A couple of different ping scan options for host discovery

-sP = Run a ping scan
-PS = Syn probe, stateful firewalls

-PA = Ack probe, stateless firewalls

Other useful pingscan options


Comparing host discovery

Generate host list

nmap -n -sL -iR 50000 -oN - | grep "not scanned" | awk '{print $2}' | sort -n > 50k_ips

Basic host discovery on the target list

nmap -sP -T4 -iL 50k_ips

Advanced host discovery on the target list

nmap -sP -PE -PP -PS21,22,23,25,80,113,31339 -PA80,113,443,10042 --source-port 53  -T4 -iL 50k_ips

Fast scan


Version detection (extra probes = more reliable UDP scan)

-sUV -F -T4

Version intensity (only scan the right versions for each port)

--version intensity 0

Top ports, and port ratio


--top-ports 3674 gets almost 100% (TCP)
--top-ports 1017 gets almost 100% (UDP)

Packet control for maximum and minimum rates

nmap -min-rate 500

Fully optimized scan

nmap -S [srcip] -d --max-scan-delay 10 -oA logs/tcp-allports-%T-%D -iL tcp-allports-1M-ips --max-retries 1 --randomize-hosts -p- -PS21,22,23,25,53,80,443 -T4 --min-hostgroup 256 --min-rate 175 -max-rate 300

Checking for DNS bugs

nmap -v -PN -sU -p53 -T4 --script=dns-test-open-recursion,dns-safe-recursion-port,dns-safe-recursion-txid blah

Also he talks briefly about the ndiff and ncat tools, which are worth checking out.

Advanced network reconnaissance at ShmooCon

Here is one from a good while back at ShmooCon, where Fyodor talks about IDS and Firewall evasion.

Bypassing firewalls

Different results from different scans:


Avoiding IDS

Avoiding basic Snort nmap rules

--datalength 64
--scanflags fin,urg

Avoiding thresholds

--max_hostgroup 1

Simple threshold avoidance script

foreach target (a, b, c)
foreach? nmap --scan_delay 1075 --max_retries 0 -max_hostgroup 1 -P0 -p21,22,23,25,53 $ target
foreach? usleep 1075000
foreach? end

Sliding window avoidance script

foreach target (a, b, c)
foreach? nmap --min_parallelism 15 --max_retries 0 -max_hostgroup 1 -P0 -p21,22,23,25,53 $ target
foreach? usleep 23000000
foreach? end

Decoys -D

Finding webservers

Scans could be more effective if you tell nmap about network timings

Using hping to test the delay to a mailserver

hping --syn -p 25 -c 5 hostname

A scan based on those timings.

nmap -T4 --max_rtt_timeout 200ms --initial_rtt_timeout 150ms --min_hostgroup 512 -P0 -p80 -oG output hostnames

Use a large hostgroup if only few ports are being scanned in a large network

--max_retries 0

Runtime interaction keys:
p, P
v, V
d, D

Using nmap NSE scripts (and scanning Microsoft) at Blackhat 2010

Includes some great detail on how to write nmap scripts, and details of some scans he did of the Microsoft networks (don't try this at home).

A useful script for NFS


Microsoft version detection scans

Host detection

nmap -T4 --top-ports 50 -sV -O --osscan-limit --osscan-guess --min-hostgroup 128 --host timeout 10m -oA blah -il blah

Command to sort results

grep " open " ms-vscan.nmap | sed -r 's/ +/ /g' | sort | uniq -c | sort -rn | less

SMB enumeration of hosts (non-invasive)

nmap -v -O -sV -T4 --osscan-guess -oA ms-smbscan --script=smb-enum-domains,smb-enum-processes,smb-enum-sessions,smb-enum-shares,smb-enum-users,smb-os-discovery,smb-security-mode,smb-system-info

No comments:

Post a Comment