Fyodor - Advanced Network Reconnaissance with Nmap - ShmooCon 2006

Captions
Welcome to this morning's Build It session. Fyodor, who really doesn't need any introduction, is gonna talk to you about nmap, voted a few years ago one of the top network security tools. So I'll get out of the way.

Thanks, Crispin. Can everyone hear me all right? Good deal. Well, like he said, my name is Fyodor, from insecure.org. I'd like to thank you all for coming, and all my friends at Shmoo for inviting me. I'm a big supporter of sort of community hacker cons; I think they allow a lot of the people like the hobbyists and amateur researchers, who may have a passion for the technology but maybe not the corporate backing to spend thousands of dollars on a ticket, to attend. So those are great.

Today I want to talk about advanced network reconnaissance with nmap. There are a lot of security people who use nmap, but many of them don't understand its full power, and nmap itself deserves part of the blame for that, for being too helpful. For example, if you run the scan "nmap scanme.nmap.org", you're leaving nmap to choose the scan type, the timing details, the target ports, the output formats, the source ports and addresses, and much more. In fact, you can even say -iR and let nmap choose your targets for you. So this makes nmap easy to use by hiding this complexity, but also easy to grow complacent with. How many people never really explore the literally hundreds of options for more powerful scanning that nmap offers? So in this presentation what I hope to do is give three real-life tasks and show how you can use nmap effectively to solve them. Now, I kind of chose them to be relevant to your average ShmooCon attendee, so the tasks are bypassing firewalls, defeating intrusion detection systems, and scanning for pornography on the net. I'm also going to introduce a new version of nmap, a special Shmoo version, 3.97shmoo, which is available at this URL here, and I'll be talking about the new features shortly. Also, these slides are available at that URL.

I think I should give fair warning now that this presentation does include real, unsanitized IP addresses and host names. That's because I trust you guys not to abuse the information. Also, you know, if there are any black hats in the room, you know, I'm sorry, but I'm gonna have to ask you to either leave now or, when the IP addresses come on the screen, just cover your eyes if you would. Before I begin, it would help to get an idea of how much introductory nmap material I need to cover. Could I get a show of hands from anyone who's ever used nmap? OK, I guess we'll skip "nmap for dummies" then and move directly to our first mission, which is also the easiest, and it's to penetrate SCO's firewall to discern all of the open TCP ports on docsrv.caldera.com. Now, I felt kind of bad about picking on SCO here, because at one time they sort of seemed like a threat to free software with all their Linux lawsuits and so forth, but now they've sort of devolved into a rather pathetic joke, and so I feel like I'm kind of beating a dead horse. But it's a very fun horse to beat, and so I thought I'd give it a try. You guys all probably know that Caldera changed their name to SCO way back when, but apparently changing the name server names hasn't happened yet. So let's see what we can figure out about this document server that they've got.

We want to find all the open ports, and when you want to find all the open ports the first thing you usually do is a SYN scan. That's nmap's default, for good reason, because it's usually the most effective. So we say nmap, do a SYN scan, use aggressive options, and you give the host name, and it chugs away for a little while and it gives us three ports: 80 is open, 511 is open, and 113 is closed. Well, we have some open ports, but are we done yet? I'm afraid not, because if we look up above, it says "the 1669 ports scanned but not shown below are in the default state: filtered". Oh well, that's a bummer. So we may have gotten three, but there are still almost 1700 left over to discover, and in fact, you know, of course there's 65,000 ports, but sometimes it makes sense to just start out by scanning nmap's default port selection until you figure out what worked, and then you'll do your big 65,000-port scan.

So if the SYN scan didn't tell us what we need, maybe we should branch out and consult the man page a bit and try some other scan types. The next one we're gonna try is a FIN scan, and this is a great one. Since it doesn't include the SYN flag in the TCP header, it's able to cut through a lot of stateless firewalls that just try and block connection initiation attempts. So with the FIN scan it comes through and it gives us pages of ports; many of them had to be cut just to fit on this slide. And here the default state is now closed, so it was able to figure out the state of 1632 ports, but a lot of these interesting ones it doesn't know for sure. It says open|filtered, because with the FIN scan, if it gets no response back, it says, well, that's what happens with an open port, but if there's a firewall somewhere in there blocking our packets, and the probe or its response is blocked, you'll also get nothing back. So we're really not sure, and in terms of whether you want to potentially brute-force the port or something, it's critical to know whether it's filtered or open. So we're gonna have to try yet again, something a bit different, and this time what we'll try is the ACK scan. We give this one a shot, and it's a lot like the FIN scan in that, you know, no SYN packet, so we can get through the stateless firewalls, but it has advantages in terms of being able to distinguish the unfiltered ports from filtered. So this time it tells us three ports that are interesting, 135, 1434 and 32777, that are filtered, and all of the rest it says are unfiltered. Well, that helps us a bit, but what unfiltered really means is that nmap can talk to the port but it doesn't know if it's open or closed. So there's still some information missing that we want to know.

But what you can do if you're clever is combine these results a bit. So for example, let's look at what happens with the telnet port. The FIN scan told us that port 23 was open|filtered, whereas in the ACK scan 23 is up here and unfiltered. So if one says open or filtered and the other one says unfiltered, then that leaves you just open as the likely scenario. Let's do one other example, port 135. We see here it was also open|filtered, but here it says 135 is filtered, so instead of being open this one appears to be in the filtered state. So sort of by combining the results of several scans you can often divine that more detailed information you're looking for. So in this case what looks to be the case is that out of all the 30-some-odd ports that are shown here, all of them are actually open except for these three filtered ones. So that's quite a bonanza when you're doing a port scan, because surely with all these open ports, you know, you can find one that's exploitable. But, you know, so now we think we have our answer, but you can never be so sure. If I've learned one thing from, you know, writing nmap, it's that networks can be tricky and unpredictable, and you never really know for positive what's going on. So it's always best, if you can, to try and figure out what you want another way and compare your results and make sure that everything matches up as you expect. So we're gonna try yet another scan, and that's called the Window scan, and it's exactly the same as the ACK scan in that it sends an ACK packet and it gets a reset back whether the port is open or closed, but it takes note of one subtle extra detail in the resets many hosts send back: if it's from a closed port, they'll send a TCP window header value of zero, but for an open port they'll send the same window size that they would have sent in a SYN/ACK, you know, if you had sent a SYN packet. And so by looking at those packets carefully nmap is actually able to divine which of these ports are open and which ones are filtered, and all the rest are in the state closed. And so this actually matches up perfectly with what we were expecting from our previous scheme: the vast majority are open, way more than there should be, and then there are three of them that are filtered. And in this case you see I added -p- to say truly scan every single port. So with that I think we've accomplished our mission of finding the open ports on this server, and that lets us go on to our next mission, which is to sneak past all of the nmap-related Snort IDS rules.

Now, before people start throwing Shmoo balls at me, let me say that Snort is a great IDS and, you know, I like it, and it's a fellow open-source tool. So I'm actually using it as an example, you know, for that reason, to show, you know, if it's so easy to get past even a good IDS, you know, the rest of them are a piece of cake too. And because the reality is, you know, IDSs do, you know, a lot of good things for you, but a skillful and dedicated attacker is generally not going to have much trouble getting past them, no matter what you're running. The good news is that most of your attackers aren't actually skillful and careful, so they can still be pretty useful. Let's start with the nmap-specific Snort rules. So I went to Sourcefire's website on Thursday to grab their latest rules and see what I could get, and it gave me a bunch of grief about required registration, blah blah blah. I was kind of grumbling and tried to register the name "registrationsucks", and it was like, I'm sorry, someone's already taken that. But eventually I managed to download the goods and uncompress them, and I did a grep in the rules directory for all of the alerts that contained the string "nmap". Now, I don't know if you guys in the back can even read this text, but I'll try and go over what each one does and how you would bypass it.

The first one is an ICMP rule that says if the type is 8, an ICMP echo request or a ping packet, and the data size is zero, then send an alert, "ICMP PING NMAP". And in truth that's the default: nmap doesn't send any data by default, because it's more efficient to just send the bare header. But if you are worried about this sort of rule, you just add the --data-length option with, like, 64, and then it'll look like any other ping packet and not flag. Then we'll take the next one, which is a TCP alert with the flags FIN, PSH and URG, and it says, hey, nmap XMAS scan, alert, alert. But really you can use the nmap --scanflags option and give it the argument FINURG, you know, omit the PSH. The scan will work exactly the same in almost every case, but you'll avoid the rule. The next one is a web-attacks rule. It says if I see communication to a web server and it contains "nmap" followed by a space, then probably someone's hacked a CGI and is trying to use it to run nmap. Now that doesn't even involve, you know, most people who are doing their normal nmap scanning, but if you did want to defeat that rule, you know, rename nmap, or if it's already on the machine and you can't rename it, you know, you can obviously execute commands in this case, so you could use variables or whatever you would like to mask the actual name so that it doesn't contain those exact five characters in a row. The next one is a TCP alert that says if you have the ACK flag set but an acknowledgement number of 0, then flag an alarm that it's an nmap ACK scan. And that actually was a bug: nmap would send that sort of strange packet back in, like, 1999, but if you have a modern version of nmap that's not going to be a problem, and the Snort people finally recognized that, and in 2.4 they moved it to the deleted rules, so no one's gonna have that enabled anyway. The next one is an OS fingerprint rule that says if you see the SYN, FIN, PSH and URG flags set, you know, alert that it's an nmap OS fingerprinting attempt. And first of all, that one's also in deleted rules, so people aren't going to have it enabled, but if they did, you know, it's just one line of code to remove that one test out of the many OS detection tests, and you're still gonna get reliable results. And so it is a bit more of a pain, you have to modify your scans a little bit, but if you want to get by them you're not gonna have much difficulty.

So with these nmap-specific rules out of the way, you know, are we free and clear to scan all we want? I'm afraid the answer is no. Snort, like most intrusion detection systems, also has a threshold-based system to say, hey, you know, if you see a lot of packets that just might be probe packets in a short time, flag an alert, because someone may be doing suspicious activity. And so let's look at that. Snort has had a lot of different generations of port scan detectors. I'm gonna look at flow-portscan, which is an interesting one from Snort 2.2, and show how that works. The first mode it has is called fixed window detection, and so I grepped the snort.conf and it says if you see 15 packets in 15 seconds, then flag an alert that there's a potential port scan. And yeah, this is just the defaults, but the reality is that almost everyone just has the defaults, and if they change it, it's because they're getting false positives, and they're actually going to raise the thresholds to make it more easy to slip by. So if you can beat the defaults you're usually fine. And, you know, to defeat this type of rule, you know, it doesn't take some crazy overlapping IP fragmentation attack combined with TCP segmentation things; it's just, you know, don't send 15 packets in 15 seconds. You know, send 14 every 15 seconds. And yeah, that slows you down a little bit, but there are still, like, you know, 30,000 seconds while you sleep; you know, that can allow you to scan many tens of thousands of ports overnight. You don't have to sit there and watch it, you know, just be a little bit patient. And nmap actually offers several options to affect that, such as --scan_delay, which says insert a delay between each packet that nmap sends. And you also have to remember that this rule is for all protected machines on the IDS, and so you don't want to be scanning a bunch of hosts in parallel or you'll exceed this number. So you would also want to say --max_hostgroup 1 to say only scan one host at a time. And so remember, well, you can do, you know, maybe 30,000 port probes in your sleep. If even that's not enough, you know, this is by source IP address, so instead of one per second, if you have a class C, suddenly you can scan 250 ports per second, and then you can cut through even a very large network very quickly without breaching the threshold. This is just a simple script that anyone could write in three minutes that sort of shows an example of how to do this, and it's on the slides if you want to download them and check it out.

But unfortunately for port scanning enthusiasts, fixed window is not the only port scan threshold system that Snort has. It's definitely a multi-headed pig of some sort, in that it also has sliding window support. And this one's kind of insidious, because it's built exactly for that case where you say, well, forget it, I'll just send one packet every few seconds and then I'll never get 15 packets per 15 seconds. Well, what this says is, I'm gonna look for 40 packets; if I see them in a window of 20 seconds then I'll flag. But whenever I see a packet from a host, I'm gonna increase the window size, how long I'm going to keep that count, by 50% of the amount of time that's elapsed since the first packet I saw from this host. So even if you were to say, well, I'm gonna wait 10 seconds between every single packet I send, well, this would still get you, because every time it got one it would increase the window by more, and as soon as you reached 40 it would flag. Well, that's sort of a bummer, but you don't have to think all that long to see sort of some of the obvious ways to get past it and under the threshold. For example, if you send just 39 packets, just like that, the window is hardly going to increase at all because there's been hardly any elapsed time, and then you just wait 21, 22 seconds until that window expires. So it's like 39 packets, 22 seconds, 39 packets, and so there you're able to actually scan two packets a second, so that's actually twice as fast as the fixed window one. One problem is that you don't know which one is actually enabled, or potentially both of them are enabled, but again you don't have to think too long to say, hey, you know, what can I do to defeat both of these at once? Well, send 14 packets all at once so that you don't violate the fixed window, then wait 22 seconds so that both fixed and sliding windows have expired, and then send another burst of 14 packets. And so, yes, that's 14 packets every 22 seconds, which sounds kind of slow, but again that's 50,000 probes a day. So, you know, even on a big network, if you have a few dozen hosts, a few dozen ports that are likely to be interesting, you know, that's many thousands of hosts you can scan every day for each IP address that you use. So this is again just another full script that shows an example of how to do this with nmap.

Another thing is sometimes you say, well, forget all this timing stuff, you know, this is too complicated, it makes my brain hurt, I don't want to even deal with that. Well, you have other options. One is to simply exploit the IDS. We've seen a lot of security holes, sadly, in a number of IDSs, and I hate to pick on Snort again, but they just had the huge Back Orifice preprocessor hole just a few months ago. ISS RealSecure had the big security hole that the Sapphire worm exploited. Ethereal's had more holes than I can count. Basically that's often an option that kills two birds with one stone. And don't forget your decoys. I won't really talk about them much since they've been in nmap forever; hopefully people already know about them, but they can be a nice way to, sort of, if you do get alerted, they get a message like this that shows attacks from dozens of IP addresses and they don't really know, you know, which ones of these are the decoys and which one, if any, is the actual attacker. You know, unfortunately I don't have time to do a whole presentation on IDS evasion, but there is a lot more that you can do when you want to get at it: complex, exotic scan flags with the --scanflags option; you can manipulate the source port; IPv6; IP ID idle scanning; fragmentation now has an --mtu option that allows you to specify exactly where in the packet it fragments; SOCKS and HTTP proxies; source routing; etc. And most of these, you know, nmap has built-in support for. And while you're doing this, I think it's important to have some fun with it. This is an old example from good old BlackICE Defender, a little program I wrote that would search on the net and find BlackICE instances and then it would cause a critical alert for them, the grid code, and then it would say the intruder is whatever I want, like "your mother" in this case, or cert.org, or, you know, whatever I wanted. Because I really think a lot of sort of network security administrators are kind of bored with their day-to-day, you know, watching the network and nothing exciting happening, so if you just once in a while insert a flood of critical-looking spoofed attacks, you know, they may panic at first but they'll eventually get the joke and appreciate it. All right, maybe not. But while we're on the topic of having fun, let's move to our next topic.

Our next mission is single-service discovery, and that's pretty common. Say there's a new exploit that comes out and you want to check your whole network very quickly to find all instances of the vulnerable service so you can shut them down before the attackers do. Or say there's a new worm, like MyDoom, that leaves a backdoor on a port, leaves an open port listening; you want to scan and find this before it spreads too far so you can quarantine those systems. Or maybe you're doing forensics and you find that the attacker who got in left a backdoor on a certain port; you know, immediately what you want to do is scan all your machines for that and see if, you know, he's gotten into any more machines that you didn't realize. So for this example we're going to use a sort of less common mission, but one that emphasizes the right points. So the idea is to locate web servers on the playboy.com network that offer free images. I've had this problem where sort of the main web page requires a credit card number, but I'm kind of a cheapskate, so I was like, you know, if you scan maybe their corporate network, maybe they've got, like, staging servers, development servers that may have free image hosting that, you know, you can download for free. So how are you gonna do this? Well, the first step is to figure out what network you want to scan, and I won't bore you with whois, because you all know how to do that. We do a netblock search for Playboy and they have a number of net ranges, but I'm gonna pick 216.163.128.0/20 as an example, and so, as most of you probably know, that's 4096 IP addresses, and that's what we're gonna scan.

So first we're gonna do sort of the initial try. We say nmap -P0, because by default nmap does two pings, an ICMP echo and an ACK packet, and so the two pings it would send to figure out if the host is up would actually potentially take longer than just scanning for the one port. And so we say don't worry about pinging, just scan port 80, save the results to a file we can grep afterward to find the web servers, and we give it the network. nmap chugs along and scans all 4096 IP addresses and it gives us the answer, but it takes 1236 seconds. That's more than 20 minutes. I'm probably not even going to be interested in the images in 20 minutes. So how can we improve that? One way you can improve it is to give nmap little hints that it can use to help it along, because nmap doesn't know as much as you do, you know, about the network potentially. It tries to do a good job of detecting, you know, network round-trip times and packet loss and optimizing accordingly, but when you're scanning a network that's heavily filtered like this one, it's often hard for nmap to even get enough responses to base its statistics on. So one way you can help it out is try and figure out some timing information on your own and feed those hints to nmap. So how do we do that? Let's find a couple of hosts on the network real quick and just sort of ping them to figure out how long they take, their round-trip times and such. So first I try the main web server and it gives an IP address that's not in our range. Well, you know, we want representative IPs, so I use the host command to look at their mail servers, and it has two of them that are both in the 216.163 block that we're looking at. Normally I might just use one representative host for this initial testing, but here I said, wait a minute, they're far apart on the network, you know, and the names imply that one of them's in Los Angeles and one of them's in Chicago, and we want to give nmap a good timing estimate that reflects a worst-case scenario, so we should try them both since they're far away. How do we do that? Well, let's just ping them. So I ping both of them, five packets each, and both of them return "5 packets transmitted, 0 received, 100% packet loss". Well, that's a bummer. They're blocking our pings. But how can we contact them? Well, they're mail servers; they've got to have port 25 open. So I used one of my favorite tools, hping, and I say send a SYN packet to port 25 on each of these hosts and report back, and here it does get TCP responses. And are we interested in the minimum time or the average time? No, it's really the maximum time that we want to know, because again we still want to be a bit conservative. So the Chicago one takes 61.8 milliseconds and LA takes 16, which is not surprising because I was scanning from California. So we'll take the 61 milliseconds, and we'll say, well, you know, things might slow down when there's a big scan in progress, the machines might be busier, and so we'll be a little on the safe side and we'll say set the maximum for nmap as 200 milliseconds, a little more than triple what we saw. And so we say nmap, do aggressive timing with -T4, set the maximum timeout to 200 milliseconds and set the initial timeout to 150 milliseconds, and yes, it's more than 60 too, but it's important to err on the side of a little bit big, because if you time out before the packets are received it can make your nmap scan longer, because nmap will be retransmitting needlessly. Another thing that's helpful is to tell nmap to scan a bunch of hosts at once so it can do so more efficiently, and since there's only one port on each host being scanned we want a huge group, so we tell nmap to scan 512 hosts at once, so it'll knock this out in 8 individual groups. Again, the rest of the options are basically the same. So we run it, this time with nmap 3.81, and it takes 868 seconds. So yeah, that's a bit better; it's 15 minutes instead of 20. But, you know, I think we can still improve on that. And how do we do that? We run it with 3.97shmoo, which does it in 289.6 seconds, so now we're under 5 minutes, which is about as long as I last.

And so the question is, why is this one so much faster? And there are several reasons. One is that, you know, why did this take so long? You know, I looked into why it was taking so long and the answer turned out to be DNS resolution. When you say -P0 that says, yeah, don't ping, but that means nmap just treats the hosts as up and port scans them and so forth, which also includes DNS reverse resolution. And so for each of those 4000 IPs nmap is looking up their DNS names, which is actually taking a lot longer than the port scan. With 3.97shmoo, one of the nice new features is parallel asynchronous DNS requests, so instead of using the system getnameinfo call over and over 4000 times, one for each host, nmap now is able to do a whole bunch of hosts in parallel with its own system, which is a lot faster. Another nice thing is --max_retries. By default, if nmap doesn't get a response, you know, it's most likely that the port is filtered and a firewall is blocking the probe or the response, or the host is down or something like that. But it's possible, you know, networks aren't always so reliable, it's possible that the packet was just dropped. So to be on the safe side nmap will retransmit at least once, and if it's detecting dropped packets on the network it'll often retransmit more, because the network doesn't seem reliable. And in a pen test you certainly want this, because you don't want to take any chance of missing, you know, an important port that could be exploitable. But for this sort of a mission speed is more of the essence than reliability, so we do max retries of zero. But really, you know, under five minutes, good, but do we even need that DNS information at all? We just want to find web servers, and we can then just go to the IP address, or just potentially look up those web servers where the port is open. So add the -n option to disable DNS, and now it does the scan in 46 seconds. So hopefully this will kind of demonstrate why it's good to actually read the nmap man page. You know, a scan that took 20 minutes before, you know, is now down to 46 seconds thanks to, you know, using the options to speed it up, giving it hints about network timing, understanding what it's doing so that you can disable other parts that you don't really need.

But enough of this timing stuff; let's actually get to the results, shall we? We found a lot of web servers up here, and so I was like, all right, with this many there's got to be some good ones. So of course I open up Firefox, and the first one gives me this good old Outlook Web Access. Now, if we were trying to exploit their systems this would be great, but it's not very gratifying given our current purchases, or our current purposes, and it looks like we don't even have a mailbox. Well, that's OK, though, because we had a lot of different servers here, so I went through them one by one, and I was kind of getting disappointed, and then I found 136.31. That one's a great one, let me tell you. It has literally gigabytes of images; it was a downloading orgy as soon as I found it. This is .61, or .31? I don't... OK, yes. So it's got Fedora Core ISO images; here we've got FreeBSD, a big directory full of images right here; and for people who keep it a little kinkier, we've got CPAN. A number of these also had sort of more visual types of images, but I figured you guys wouldn't be interested in that.

Also version detection, which is something that we didn't really need for this particular example, but it's also something that you often do want to know, because there nmap actually interrogates the port and says, hey, this is an HTTP server, it's running Apache, this version, whatever. And that can be useful if there's a new exploit out or something and you want to find a particular version, or you want to find the service if it's running on a non-default port or whatever. And you can even do clever things with it, you know, the ShmooCon attendees might be the type to sort of take things in a more creative direction. And so really all version detection is, is a system for sending probes to a whole bunch of different ports, looking at responses, comparing them, and so it's actually real easy. Well, by default nmap just uses it for service detection and trying to get the version numbers and so forth, but you can really do whatever you want with it. This is one someone wrote to scan his network for the MyDoom.A virus, like, the day that worm came out. You could do one pretty easily that looks for open proxies by sending, like, a proxy request and looking at the response. You could do one to exploit a vulnerability, to, you know, truly test; you know, some of the vulnerability scanners may just test for version numbers. If you really want to check this exploit, you could run it, something that does something innocuous, on every machine on your network to try and find any that are actually vulnerable. So that completes that mission.

And so now I get to the code, and the new version is called 3.97shmoo, and what it actually is, as you can probably guess from the version number, is we're getting pretty close to version 4.0. I hope to in the next two weeks. You know, with nmap it's not due to marketing reasons that we pick our version numbers; it's because I just ran out of new version numbers to give. So this is kind of a pre-release that I'm hoping you guys might want to try out and let me know if you find any problems or bugs. And let me show you some of the new features. The first one, runtime interaction, is something that I can basically demo. Basically, what happens to me a lot is I'll say nmap, do a SYN scan on these machines, and then I'll wait a little while and nothing will happen, and I'll say, you know, I want to know when it's done; I should have done verbose mode, dang it. And then I'll have to cancel and restart it again, and it's a pain. But with runtime interaction nmap is actually watching, so if you press Enter it'll give you an idea of how close it is to being done, how much time remaining. Apparently people like that. And there's more: if you really want to know what nmap's doing right now, you know, p will enable packet tracing, a capital P will turn it off, v to increase verbosity, capital V to decrease it, d will increase the debugging level and it'll start truly scrolling the screen, and anything else will just give you the statistics. So that's one that people may find handy. There's the parallel reverse DNS that we talked about. Corrupt TCP and UDP checksums: this is one that I didn't have time to really go into, unfortunately, during the talk, but it's a new feature that says, nmap, whenever you send a port probe, just send a bogus TCP or UDP checksum with it. And that can be very useful, because pretty much any end destination host, even a Windows machine, will check the checksum and not respond if it's bogus, but there are a lot of firewalls and IDSs out there where you'll put a rule to say respond with a reset to this type of packet, and they'll just respond anyway without even checking the checksum. So this is a good way to say, am I really talking to the host here, or is this just a firewall that's spoofing these responses and there's really no host, or none I can get to? And there's also the max retries option that I mentioned. I'll just very, very quickly mention the features since 3.50, which was the last major release two years ago, and so this is what's gonna go in 4.0 and what's in 3.97shmoo. ARP scanning and spoofing can be really useful, like, if you're in a conference room and there are a bunch of ThinkPad users and one guy with a Mac, you can say --spoof-mac Apple and nmap will use Apple's OUI, the MAC prefix, and make up a MAC address, and if someone sees the scan you can just point to that guy: it's an Apple Mac. I rewrote the core port scanning engine to be more efficient. There was a "diet nmap" effort in version 3.95 to reduce memory consumption in very large scans. I wrote a brand new man page and reference guide that's already been translated into seven languages, and there are 23 more languages in the works. It takes them a while because it's 30 printed pages long, but I think it's more comprehensive in that it actually includes most of the nmap options, except for the super, super secret ones, and it's better organized. There's a huge version detection database update: 3.50 had a thousand signatures, whereas this one has 3000 signatures for literally hundreds of different protocols, from, you know, FTP and SMTP and other common ones to, you know, very obscure things. Version detection can now gather the OS and device type and hostname, so if it says, hey, this is the Linksys WRT54G administrative web page, that can tell you, hey
it's a wireless ap the vendor is Linksys and so forth and you can use that in addition to traditional stack fingerprinting version detection rarity allows you to control how invasive version detection is so you can do a real light fast scan or you can say use every probe you know of even when it's unlikely to work the OS detection 50% to sixteen hundred and eighty for fingerprints performance improvements on windows were substantial the rat it's from Redmond actually or I might they yes and recorded they're not going to help me anymore now but they blocked they blocked with Windows XP sp2 raw sockets which nmap had used which was a shame because it was kind of a nice API that you know UNIX and Mac OS 10 and other operating systems had but for whatever reason Microsoft decided it was a security hole they blocked it there was a workaround pretty quick but but then I wrote a faster one this summer that uses an N disk driver that's part of WinPcap descent and also a Doug songs excellent live Dena to send raw ARP packets on Windows or UNIX if you select that which is actually much faster than the old system was anyway so I like to think of this code as sort of giving the finger to Microsoft in C++ it now does MAC address printing so if it detects that you're on a local network it'll tell you that hey this is a you know a Linksys device or this is a cisco owns the MAC address prefix it's got leet ASCII art in the configurator so when you do dot slash configure it gives you a cool ASCII art like a map and it's other competitors it now has SL style sheet that lets you take the XML output and convert that to X to HTML there's the open fill or filtered and closed or filtered States which make things a lot easier for people to understand what's really going on there's the completion time estimates if you're in verbose mode and of course the interactive ones now as well and then nmap Fe has finally reached the the sort of 21st century and been ported to GT k2 so those are kind 
of the new features I do have another thing I wanted to talk about very briefly cuz I'm almost out of time and that's I won't mention any names but a certain other vulnerability scanner popular vendor has I decided to close source their software for various reasons and one of the big reasons that they stated was that open-source users hadn't been contributing much to their engine anyway so why bother keep it open source and so I was a little concerned about that thought so I sort of took a look at end map and made a list you know you know who's been contributing to n map you know there's been andylou Damir ski has done great stuff with the the windows work dug Hoyt and Martin made chunk has done a great service detection work mad hat here has done also a lot of great patches to end map and so I started to make my list and I really realized you know there really is a major problem how am I gonna fit them all on one slide and so I'm happy yes these people that deserve a lot of appreciation because they've really helped make nmap what it is and I'm gratified that they've you know continued to help out and bring new things to nmap it wouldn't be what it is without them and so you know when you try the nmap photo or 3.97 you know it's thanks in a large part to their work and now I only have about four more minutes so I'll just leave this up while I answer a few questions that you may have oh the book yes why did I even put that in the demo or in the I send these to conferences and then I come back and look at them and think oh man why did I put that but it's actually almost done it's called nmap network scanning and I don't know if I'm the only one who's going to be interested on 350 pages on port scanning but we'll see the problem is that I keep changing nmap so fast that as soon as I get one chapter done I have to totally rewrite another chapter but hopefully you know I'll finish the last chapter remaining soon and then get that all published to massively distribute 
an exploit because you could scan across a whole bunch of IPs and do the version scan and pass the exploit as part of it have you thought about that's that's definitely a possibility and for your own networks you know you can sort of use that in a good way because that's that's truly the best way to test well it's one of the good ways to test whether you're affected is to just try the exploit against a wide range of your network and so hopefully people will take that in the positive direction and say hey a simple rule I can put in my a map configuration so that it can actually look for that vulnerability yeah that's an interesting question there are a lot of good like HTTP fingerprinting fingerprint and other tools that out there for sort of checking services in novel ways you know a bunch of different tests to try and define what's really running for nmap mostly you know if it gets a banner it usually uses that middle use version ii tection probes if the service supports one or if not you know it'll try and deduce things based on error messages and so forth but it doesn't go in a huge amount of depth for a couple reasons one it's a huge database with 3,000 signatures another is that sort of if I put some cool super-secret hack in there who deduce a certain version number the next day someone will have a patch to that service that fakes it out so to some degree it's even it's more effective to use sort of the smaller tools more obscure tools if you want to do really really deep testing and you think that their spoofing you but this tells you what the service appears to be but like anything you get back from nmap for the most part it's coming from the remote host and so you should always take it with a grain of salt and maybe try that exploit anyway but if your standing your own network hopefully you know what you're actually running or you have bigger problems I'll take one more question um yeah it would be nice to to support more I have an example I use in some 
presentations where I do I scan came net which is a big ipv6 proponent with ipv4 and then I scan the same host with ipv6 and a lot of the previously firewalled ports are now available with ipv6 so it's definitely powerful and as soon as I see sort of more support and usage of ipv6 it's definitely something that I would like to extend when the demand warrants it but for now I try and make sure that nmap works for the basic stuff so you can do a TCP connect scan with ipv6 a version detection works with ipv6 host enumeration works on ipv6 but for like you know IP ID scanning and some of the scans they're not supported yet but I definitely will when we see more usage of the protocol alright thank you very much hey there
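Added example (not from the talk and not Nmap's own code) for the corrupt-checksum feature described above: a real TCP/IP stack silently drops a segment whose checksum is wrong, so a --badsum scan of a bare host should report every probed port as filtered. Any port that still comes back open or closed was answered by a device that never verified the checksum, typically a firewall or IDS injecting RSTs or SYN/ACKs, which means the corresponding result in the normal scan is untrustworthy. The script below parses grepable (-oG) output of a --badsum scan and lists those ports; the two hosts, their addresses and the scan output are constructed sample data, not a capture. It relies only on awk and POSIX sh; the nmap commands in the comments are the real ones you would run beforehand (they need raw-packet privileges and are not executed here).

```shell
#!/bin/sh
# Added example: spot responses that a real host could not have sent.
#
# Procedure (run as root; these commands are NOT executed by this script):
#   nmap -sS -p 22,25,80,443 -oG normal.gnmap  TARGET
#   nmap -sS -p 22,25,80,443 --badsum -oG badsum.gnmap TARGET
# Then feed badsum.gnmap to badsum_suspects.  Anything it prints was
# answered by a middlebox that ignores checksums, so that port's state
# in normal.gnmap is the middlebox's opinion, not the host's.

# badsum_suspects: read -oG output of a --badsum scan on stdin, print
# "host port/proto state" for every port that answered anyway.  Grepable
# lines are tab-separated fields; each port entry is
# port/state/protocol/owner/service/rpcinfo/version/.
badsum_suspects() {
    awk -F'\t' '
    /^Host:/ {
        host = $1; sub(/^Host: /, "", host); sub(/ .*/, "", host)
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^Ports: /) {
                ports = $i; sub(/^Ports: /, "", ports)
                n = split(ports, p, ", ")
                for (j = 1; j <= n; j++) {
                    split(p[j], f, "/")          # f[1]=port f[2]=state f[3]=proto
                    if (f[2] != "filtered" && f[2] !~ /\|filtered$/)
                        print host, f[1] "/" f[3], f[2]
                }
            }
            # Nmap collapses the most common state into "Ignored State: X (N)";
            # if that state is closed or open, N ports answered with bad checksums.
            if ($i ~ /^Ignored State: /) {
                st = $i; sub(/^Ignored State: /, "", st)
                split(st, g, " ")               # g[1]=state g[2]="(N)"
                if (g[1] != "filtered" && g[1] !~ /\|filtered$/)
                    print host, "other-ports", g[1], g[2]
            }
        }
    }'
}

# sample_badsum_gnmap: constructed stand-in for "nmap --badsum -oG -" output.
# 10.0.0.5 is a bare host (correctly ignores the bogus checksums);
# 10.0.0.9 sits behind a firewall that RSTs everything and fakes a SYN/ACK
# on 80 without checking checksums.  Addresses and hosts are made up.
sample_badsum_gnmap() {
    printf '# Nmap scan initiated as: nmap -sS --badsum -p 22,25,80,443 -oG - 10.0.0.5 10.0.0.9\n'
    printf 'Host: 10.0.0.5 ()\tPorts: 22/filtered/tcp//ssh///, 25/filtered/tcp//smtp///, 80/filtered/tcp//http///, 443/filtered/tcp//https///\n'
    printf 'Host: 10.0.0.9 ()\tPorts: 80/open/tcp//http///\tIgnored State: closed (3)\n'
    printf '# Nmap done: 2 IP addresses (2 hosts up) scanned\n'
}

# Usage: flag every port whose --badsum reply must have come from a middlebox.
sample_badsum_gnmap | badsum_suspects
```

On the sample data only 10.0.0.9 is reported: port 80/tcp "open" and three other ports "closed", exactly the pattern of a firewall answering on the host's behalf. Nothing is printed for 10.0.0.5, so its normal-scan results can be trusted to reflect the host itself. UDP results that Nmap reports as open|filtered are treated like filtered, since no reply was received either way.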
Info
Channel: nmapvideos
Views: 10,766
Rating: 5 out of 5
Keywords: Nmap, Fyodor, security, hack, hacking, hackers, scan, scanning, Nmap Security Scanner, networking, network, port scan, port scanning, secure, insecure, Gordon Lyon, ShmooCon, Shmoo, tutorial
Id: OdpgbzsK_5E
Length: 47min 3sec (2823 seconds)
Published: Fri Jul 20 2012