Wednesday 18 May 2011

Nmap nse broadcast scanning in Backtrack 5

One of the more recent developments in nmap, over the past couple of years, is the addition of nmap nse scripts making nmap a much more flexible and expandable network-mapper and vulnerability-scanner (it seems like there are many more scripts being contributed with every release).

There are now over 170 different scripts included by default in nmap. (I've been playing with nmap version 5.51, which comes with Backtrack 5)

One of the more interesting new types of nse scripts are the broadcast discovery scripts, which I feel are certainly very interesting currently. To me, it looks like these new scanning techniques will become much more important in the future, as more IPv6 is deployed and used, and IPv4 gradually wanes. (though I do think some IPv4 could be around for another 15-20 years, these protocols will gradually decrease in importance)

IPv6-only networks mean a lot of changes in the way hosts can be discovered, as scanning entire net-blocks will become much more difficult due to the vast size of the address-space, but broadcast scanning, and passive sniffing can help identify IPv6 systems.

I've seen it reported that "nse broadcast-scans, are stealthy because they are passive". This is not true, they are still active scans. However, they are very low traffic scans, which attempt to discover network services using inbuilt ease-of-use functionality in the target network. (This type of scanning is perhaps something that could be done early in reconnaissance or discovery as a first network scan.)


What are broadcast scans?

Rather than UDP or TCP port-scans or network scans using ICMP or ARP, broadcast scans are a lot less intrusive. Think of broadcast scans as nmap saying:

"Hi there. I'm new on the network. Do any computers out there have any services I might want to use?"

Whilst this sounds a bit dumb from a security perspective, there are lots of computers and various protocols that could respond, even systems that have firewalls enabled with all ports blocked will respond in some cases.

From a network visibility perspective, we are also talking about only a very few packets per protocol, rather than the thousands required for a port-scan, and these "conversations" should be normal on the network, so this is much less likely to be detected by network security software.

I set up a couple of systems in my test network. Broadcast scans don't need an IP address range. They are simply run like this:

nmap -P0 --script=broadcast

..and here is one of my initial results


This shows Universal Plug and Play running on a couple of systems which lets us know of their existence. As you can see from a wireshark capture, this is not a passive scan, but is low bandwidth:



Here is another example with Web Services Dynamic Discovery responding (this is another Windows 7 system on my test network).

nmap -P0 --script=broadcast

Starting Nmap 5.51 ( http://nmap.org ) at 2011-05-18 05:23 EDT
Pre-scan script results:
| broadcast-wsdd-discover:
|   Devices
|     192.168.1.70
|         Message id: c6cf6b9b-834d-4320-85e1-e1a65299ee2f
|         Address: http://192.168.1.70:5357/9a36912c-3560-493e-82d7-eadd95271272/
|_        Type: Device pub:Computer
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 40.08 seconds


The responses

So these responses for the target systems are basically telling us their IP address (in this case with its IPv4 address) the fact that the system has a HTTP service, and a service it might be running. Basically, following the broadcast, these systems are contacting the attacker to the him their addresses.

In both these cases Windows 7 has the firewall enabled (with default "secure" settings, so you be the judge of whether this is a good default behavior or not).

So, in short, I think we will be hearing a lot more about broadcast-based service scans, (and also passive data collection) as IPv6 rolls out in corporate infrastructure.

7 comments:

  1. Would be pretty cool if you showed an example of how this could be used to compromise the machine/network with this method of scanning. How is this a danger?

    ReplyDelete
  2. Hi anonymous,
    This (in itself) is not a direct danger that leads compromise. It's a way of identifying active systems on a network.

    These systems are giving away free information about themselves (information that you would not want to give in a secure environment).

    Using this technique, an attacker can gain information on live systems; often the system version information and some of the services that the system is running.

    This would be part of the reconnaissance and mapping phase of an attack (pre-exploitation).
    Ben

    ReplyDelete
  3. thank you Ben

    your comment helpfull

    ReplyDelete
  4. In hacking scanning has the second phase of all the information gathering. it is a set of procedures for identifying all the live hosts, ports and services. Get more in ethical hacking certification training

    ReplyDelete
  5. ACTIVE & FRESH CC FULLZ WITH BALANCE
    Price $5 per each CC

    US FRESH, TESTED & VERIFIED SSN LEADS
    $1 PER EACH
    $5 FOR PREMIUM

    *Time wasters or cheap questioners please stay away
    *You can buy for your specific states too
    *Payment in advance

    CC DETAILS
    =>CARD TYPE
    =>FIRST NAME & LAST NAME
    =>CC NUMBER
    =>EXPIRY DATE
    =>CVV
    =>FULL ADDRESS (ZIP CODE, CITY/TOWN, STATE)
    =>PHONE NUMBER,DOB,SSN
    =>MOTHER'S MAIDEN NAME
    =>VERIFIED BY VISA
    =>CVV2

    SSN LEADS INFO
    First Name | Last Name | SSN | Dob | Address | State | City | Zip | Phone Number | Account Number | Bank NAME | DL Number | Home Owner | IP Address |MMN | Income

    Contact Us

    -->Whatsapp > +923172721122
    -->Email > leads.sellers1212@gmail.com
    -->Telegram > @leadsupplier
    -->ICQ > 752822040

    *Hope for the long term deal
    *If you buy leads in bulk, I'll definitely negotiate
    *You can ask me for sample of Lead for demo

    US DUMP TRACK 1 & 2 WITH PIN CODES ALSO AVAILABLE

    ReplyDelete
  6. Hey Guys !

    USA Fresh & Verified SSN Leads with DL Number AVAILABLE with 99.9% connectivity
    All Leads have genuine & valid information

    **HEADERS IN LEADS**
    First Name | Last Name | SSN | Dob | DL Number | Address | City | State | Zip | Phone Number | Account Number | Bank Name | Employee Details | IP Address

    *Price for SSN lead $2
    *You can ask for sample before any deal
    *If anyone buy in bulk, we can negotiate
    *Sampling is just for serious buyers

    ==>ACTIVE, FRESH CC & CVV FULLZ AVAILABLE<==
    ->$5 PER EACH

    ->Hope for the long term deal
    ->Interested buyers will be welcome

    **Contact 24/7**
    Whatsapp > +923172721122
    Email > leads.sellers1212@gmail.com
    Telegram > @leadsupplier
    ICQ > 752822040

    ReplyDelete