Fyodor - Nmap: Scanning The Internet - Defcon 16

Video Statistics and Information

Video
Captions Word Cloud
Reddit Comments
Captions
my name is Fyodor from insecure org and the nmap project I'd like to thank you all for coming and of course Def Con for inviting me I'm a big supporter of community conferences like Def Con where people can go if they have a passion for the technology amateur hobbyists who might really love this stuff but don't have a company that will pay thousands of dollars for a ticket for example the DEF CON admissions form has a question saying hey is your willingness to speak contingent on whether blackhat accepts you and I was like hell no this talk was prepared for Def Con and if anything the contingencies are the other way around so thanks anyway I'm very glad to be here and I first want to warn all of you that this talk is not about cross-site scripting attacks on social networks or hijacking Twitter feeds or anything like that it's about port scanning and more port scanning and if you don't like port scanning the next 50 minutes are gonna be your worst nightmare because for me to talk about something else would be sort of like Dan Kaminsky doing a talk which doesn't involve DNS in some way I mean sure I may throw in some OS detection or nmap scripting engine action just as Dan may take his DNS and use it to tunnel YouTube in order to rickroll some poor schmuck but in both cases we're just expanding on our core topics and my topic as you can see from the title slide is about internet scanning I spent a lot of time this summer as scanning tens of millions of hosts on the internet collecting data and when I tell people that they're often like why and to me I think scanning is its own reward and you don't really need any particular reason but in this case I did have some concrete goals for the project one of them is collecting empirical data that I can use to enhance and map and add cool new features and I'm going to talk about some of those features in this presentation a second is I want to show how you can use that data for knowledgeable people to make your scans more effective I basically there are a lot of people who make assumptions on how networks are structured and populated and use those to decide what sort of scans are going to work best but these assumptions are often based on hey how would I set it up and they're not always reflective of other networks so when you can find empirical data that meets what you need then that often works best and if you can't find the data a goal of this talk is to help show you how you can do scans like this and potentially collect it I also wanted to detect and resolve nmap bugs and performance issues the idea is that when you scan tens of millions of hosts you're basically putting nmap through a lot of different situations pretty much any networking situation you can imagine and see how IMAP reacts to it and you know I fixed a crash bug I fixed a deadlock bug there were a number of cases where I was like this is going to slow there's got to be a way to speed it up and so then I looked through and try and figure out why it's slow and improve that I also want to demonstrate techniques that can be good for routine scans as well as the wide scale scanning that you may do the idea is that if a scan works well for twenty five million hosts then surely it'll probably work well for you for just a twenty five thousand or whatever you might be doing now let's look at the challenges to launching such a scan first of all I want to mention that instead of doing one humongous scan I did a lot of smaller but still large targeted scans each of which were designed to you know collect a certain piece of data which would be useful and the question is how should you figure out what IP is to scan I have a lot of options you could take BGP and look at what netbook networks are routable and use those dns zone files registry allocations like errand and ripe but in the end I decided to use n Maps own random IP generation script Fink feature here we take n map we say generate 25 million 200,000 IPs and in this case I did the extra 200,000 because of potential duplicates we say do a list scan so don't actually scan the machines just list them out for me because I'll scan them later - n you know don't do reverse DNS because that would take a long time and we don't need the data I use grep Pinnock to grab the IPS I sort them remove the duplicates grab the first 25 million and then I have a 25 million IP list that I can use for the scans so that's sort of the type of way I use generated the random numbers but once you have what targets you want to scan the next question is what sort of source you're going to use and here I had a lot of ideas some crazier than others the first one was p2p scanning I was going to distribute a client which would be called n map stir and people would download it and it would scan for them and let him know and we upload the results for collection but I decided that a key goal of this was to make n map faster and more efficient for people's normal day-to-day scans and so I decided it was better to focus on just using n map itself rather than building custom software for this project that may get around performance issues than the like another big concern was a legal one I knew that when you're scanning this many hosts is going to raise a few eyebrows and I certainly don't want to get kicked off my ISP again and you know being arrested would be much worse so I thought how can I do this but not collect too much heat and so the solution I decided on was to go through my neighbors open wireless access point no I'm I'm just kidding about that I decided it would be completely unethical and inappropriate and she didn't have enough bandwidth to make it reliable so I took I decided to use an ISP I use for colocation and do the scans from there I thought maybe it'd go under the radar but it didn't within like 15 minutes of the first scan they were contacting me frantically saying what the hell are you up to they thought maybe I was infected by one of the most virulent Internet worms they'd ever seen they said your machine is going crazy it's probing thousands of machines per second all over the Internet they were talking about shutting me down and I was like oh no this is this is no good and but then I said hey you know don't worry I'm not affected I'm doing this on purpose and that that didn't help either my face at all basically they figured I must be some sort of spammer or worse if that's even possible so so then I was like oh I'm totally busted I'm gonna have to cancel the project stop the scans write a whole new talk on the cross-site scripting vulnerabilities and get that instead unfortunately though it turned out that they were nmap users so I said hey the scan is to make nmap more efficient and effective and they're like oh then carry on so I was real happy about that I had to slow it down quite a bit so it didn't melt their switches anymore but other than that they were cool unfortunately the US Department of Defense was not quite so accommodating they didn't like my scans at all they said hey you're scanning sensitive military installations this has got to stop and I thought hey you know I'd be happy to use end maps exclude file option to skip those networks but they wouldn't even give me the networks because that's sensitive military information too so whatever the next issue I mean it has been making me a little nervous now they are the military when planes fly overhead but nothing nothing too bad so far the next issue were firewalls for many of these scans just pure Internet results was all I needed but for other ones it would be nice to get a view behind companies firewalls and because they often have you know different ports open the network looks a lot different behind there and I'm happy to say that I was able to get through a number of these firewalls not through some sort of advanced fragmentation attack but I use the technique known as asking them for the data which works pretty well at least with some of them but there are a lot of big companies who scan their networks every day with nmap and we're happy to contribute some data to make it work better another challenge is performance and accuracy and this was different than many other types of the challenges because I wasn't trying to find a quick hack workaround type of thing instead this was a key goal was to improve n Maps performance and so I took this as the challenge to see where I could improve but even so it could be disheartening at times like I did a UDP scan with the 65,000 of ports and I told it to scan 2048 hosts in a group and you can see here it's taken four days it's on the first 2048 and I have negative 688 hours remaining when your time estimate leads to integer overflow and goes negative that's never an encouraging sign this particular scan is still running right now and maybe for a while Def Con 2009 I'll let you know how that one's going but fortunately some of our other scans finished a lot earlier so that's sort of the introduction to the different scans we were doing and why so now let's get to some more practical advice that can be concrete details and let you know how you can use this to help your scans and they're good first place to start is host discovery because the first thing you want to do in network reconnaissance generally is host discovery where you scan the network and try and figure out which hosts are actually available on the internet on the network so that you don't waste a huge amount of time you know scanning IPs that have no host listening on them at all but a challenge there is deciding what methods to use for discovery there was a time when pretty much all the hosts would respond to an ICMP echo request or ping packet unfortunately that time was a decade ago so now a lot more companies blocked those ping packets and you need something more effective now nmap by default will also send an act packet to port 80 which helps in eliciting responses but even with that I don't think it's comprehensive enough if you're scanning the internet or even some sorts of internal scans so let's look at some of the different methods that you can use TCP we have two types of probes we have the syn probe and we have the ACK probe and they're both useful against different types of firewalls the syn probe is likely to get through stateful firewalls when they're configured to allow incoming connections because they'll hey say hey this is a syn packet it's initiating the connection let it through but those same firewalls if you send an act packet they say hey this doesn't correspond to any existing connection it's not acknowledging any legitimate data so they'll just drop it and it'll be effective however against state lists by our walls you have the opposite problem they may try to block incoming packets to certain ports and they look at the syn flag to detect that it's an incoming packet and they'll drop it however you send the Act packet against those ones and they have no way to know they have no state to say whether there's an established connection there or not so they have to let it through so I have a quick example we can do basically let's say we're going to do nmap do a ping scan we're going to do a syn probe to port 80 no reverse DNS and this time we'll just use Sun calm and it responds pretty quickly and says the host is up so we got a syn ACK or a reset back now we'll do the same one with an act probe against the same host and it takes a bit longer and eventually it times out and says no response was received and so you want to think to yourself hey is there firewall a stateful firewall or is it a stateless firewall and if you think about it for a minute you'll hopefully come to the conclusion that it's a stateful firewall because it was allow it allowed the syn packet in but the act packet it was able to detect hey that's bogus I'm gonna block that sucker so now let's say we've seen this in probes and the AK probes and the question is which one do you want to use because the CIN probes worked against some hosts with the stateful firewalls but the act worked against others and the answer is that hey this is not an either-or situation you should use both probes against various ports to have a maximum chance that at least one of them will get through and generate a response that proves that the host is online so then the next question is what ports should I use you have 65,000 options there and you often don't know which ones are gonna work best so here I did some of that empirical data stuff and I scan hundreds of thousands of machines and I detected the ones that had a heavy firewall the ones that blocked the vast majority of the ports because the ones without a firewall those don't matter because you're gonna be able to detect those anyway with a decent discovery it's the ones that block all but a few ports that are hard to find and so out of those I looked at the most commonly responsive ports they don't have to be open they can be closed and send a reset and that works just as well and you see here many of the normal suspects ACP SMTP SSH some people look at this list and say hey where are the Windows ports 135 139 those are really common but remember that I was only doing this based on heavily firewalled hosts and if you go through the trouble of setting up a firewall you better darn well block the windows ports so what I would advise is use some of these with syn probes and then some of the other ones with ax next we have UDP host discovery and that one's simpler your strategy there is you want to find closed ports because an open UDP port normally won't even respond to the probe it'll just be like well I just got a blank packet don't know what to do with it just ignore it whereas closed ports will generally send a port unreachable packet which discloses that the host is live so I pick a high number close port usually and then sometimes I'll do 53 as well because DNS so popular with UDP that sometimes people allow it into their whole part of parts of their network and so that can be effective as well there's also ICMP host discovery methods offered by nmap and here the thing is some administrators like say google comm will say we're going to explicitly allow echo requests because we don't consider ping packets a threat but only hackers use net mask requests and timestamp requests so we're gonna block those however you also have administrators who kind of do the opposite they say oh I don't want those evil hackers to be able to ping me so they'll block the ping requests but then they'll forget that you can do the same thing with these other two so my suggestion is usually do an echo request plus one of these other two I normally works pretty well we also have a new feature relatively called protocol ping which basically sends IP packets with various protocol headers and tries to expect a protocol unreachable message if the host is live and that can be useful I haven't actually done the test to see which protocols are most commonly useful for this particular type of probe but by default we do ICMP IGMP and IP tunnel deny P so now I've talked about a lot of different discovery techniques and which ones you might want to use but your question might be really how valuable is this it's going to take longer to scan if you add a bunch of discovery techniques and so you have a little magenta make questions and how much of a difference will it really make and again instead of just guessing or making assumptions a good thing to do is test in this example I generate 50,000 IPs and then you can see I use the default ping scan and it chugs along and it finds 3348 hosts up in about 1600 seconds which is about 27 minutes and so that's a lot of machines and you know it looks pretty successful but then I take that exact same list of 50,000 hosts and I add a bunch more discovery techniques we do the echo request the time stamp syn probes to a bunch of ports act probes to a bunch of ports we set the source port 253 in order to masquerade as DNS and it goes through and this time it finds 4473 hosts up but it does take a bit longer so you have to ask yourself you know look at the data here it took almost three times as long but we found 34% more hosts and I think in most cases if you want a comprehensive scan you're going to find that to be worthwhile so now I just have a plea basically about upgrading your end map and part of it is I'm sick of bug reports where it's like yes we fixed that in 2003 there are a lot of people who just don't seem to upgrade all that often and then they complain or they'll say hey the problem with nmap is it's obsolete there's it tells you what port numbers are open but you don't know what services are behind them and nowadays everyone has they'll tunnel everything over HTTP in order to get through firewalls or whatnot and it's like hey we added version detection in 2003 you know just upgrade in addition I made a number of improvements to the performance of the system recently which you'll find a valuable if you upgrade and then the question is what version should you upgrade to a version 4.60 8 is the latest release on our download page if you want to get even newer we have our subversion source code repository releases and you can find information at this URL or just go to the web page and you can track it down but for all the goods in this presentation you'll want to use the Bhd Co 8 blackhat Def Con release which you can find at this location and that contains the top ports feature and some of the other ones that I'm going to be talking about so speaking of top ports this was another one of my big scams and here I wanted to determine the most commonly open TCP and UDP ports and again I got some data also contributed from organizations to look at representation of internal networks and then I took that data and I augmented the N map services file which lists all the services known by n map and that enabled me to add a number of cool features first let's talk about the default scan ports in n map for dot 68 and map would scan all the ports up to 1024 plus it would scan all the ones that has a name for but the issue is that you know the iaa gave names to a bunch of ports you know many many many years ago many of which aren't even used really anymore and at the same time there are some ports that you see open more often that turned out to not have names so with the new end map since it now has this frequency data it's able to just scan the top 1000 ports for each protocol so you get better results in many cases since it has all these ports that the old one didn't have and it doesn't waste time scanning these ports that don't actually respond generally and at the same time it's a lot faster because it's only scanning a little more than half the ports so you'll find you know a little increasing your scan times from that but what it really makes a difference is the fast scan that's the traditional - capital F option of nmap which used to just say scan all the ports with a name but the major problem with that is hey by default we had 1700 tcp ports with fast scan we had 1200 you know that's not really fast that's kind of a small difference but nothing dramatic but that's all in map could do because it didn't really know what ports were common it only knew which ones it had a name for with the new services file and map just scans the top 100 ports for each protocol and so you get usually an order of magnitude increase in speed which is helpful for TCP but it's even more helpful in many cases for UDP because I've seen a lot people who basically don't even do their UDP scanning because they say oh it takes too long and it's hard to disambiguate the filtered versus the open ports and so they just pretend it doesn't exist but the attackers aren't going to pretend it doesn't exist and so it's really important to figure out what's going on with this protocol and now let's look at an example of the difference that this makes here I'm doing a scan I say su for UDP scan V to do the version detection and that's important for UDP scans because of that open versus filtered problem a normally would end map gets no response it doesn't know if the ports filtered are open and in the case of scan mode nmap org that's the case with all of the ports so it's like great I got a report that said all the ports are either open or filtered that's no good and so with version detection and map has a database of probes it can send to each port and hopefully get a response which proves without a doubt that the port is open I say do a fast scan use aggressive timing against this machine that I maintain for people to scan and with for dot 68 that took an hour in two minutes it did find the right data but that's still a long time to wait with the blackhat Def Con release that same command took 6 minutes and 29 seconds because it was only scanning you know the most important ports and it knew what those were and it did find the open port then I optimized a bit more I said also add the version intensity zero flag which says only send these UDP probes for protocols that you know commonly listen on a certain port so for 53 it'll only try DNS for 161 only SNMP and with that that reduced the time to 13 seconds so the moral of the story is hey if you know what you're doing know what data you really need you can optimize your scan a bit and make it a lot faster in this case we got exactly the same data but instead of waiting an hour we waited 13 seconds which helps a lot tune features which are kind of derivative of those is the top ports feature which says hey you don't want to just have to choose between the default of a thousand ports or a fast scan of a hundred you can specify arbitrarily how many ports you want to scan and that leads you to the question of what will work best of to the top ports option and so I used empirical data again to say out of all these big scans how many of the open ports would I have found with different top ports values so if you just scan the top ten ports which just goes really really lightning-fast you get up almost half the TCP ports with a hundred which is the fast can you get 73% of them whereas with a thousand which is the default you get 93% so that's pretty good to get ninety-three percent of the ports but you're only scanning less than 2% of the total 65,000 port space so what I think a lot of pen testers will do is say hey I'm starting this engagement but I need some data to start with so they'll start a fast scan to scan the top hundred ports really quickly and get that data and start working on it and while they're working on the initial data they'll have their super comprehensive all ports no ping scan going and then at the end of the scan of the big one they can just dip the results and see if there were any new ports that the initial quick scan missed just in case you're interested these are the top ten open TCP ports I found this differs from the previous chart because that was just responsive ports that could be open or closed ATS the top no surprise as a security guy it's kind of depressing to see telnet open more often than SSH a lot of that switches and routers and various devices and here of course you do get the Microsoft ports because we're looking at open similarly I have the data for UDP Microsoft dominates this chart although you see some of the other normal suspects like SNMP and NTP and here's the UDP effectiveness of the different top ports values with UDP you get even a greater percentage open with a smaller value so here you get a 90 you know you get 90% with the top hundred ports whereas before we only got 73 with TCP here's another feature that we've added recently that I have to admit I have mixed feelings about you know I'm kind of proud of n Maps congestion control and other technologies to try and figure out what scan speed will work best but there are a lot of people who say hey I just want to specify a certain rate and have you scan at that speed and don't worry about if there are any packet drops or latency issues or whatnot just go with the speed I say so that I know exactly when it will finish and it was basically for that one reason that a lot of people used scan Rand and unicorn scan and that type of scanner so finally I broke down and was like hey it's an easy and easy feature to add and even I found it to be pretty useful at times and in fact I used it during most of my internet scanning and then a feature that's even more new came about when the ISP Cole came saying I was melting their switches and so that's a maximum rate to say nmap don't scan more than 300 packets per second or whatever you specify and so that made the ISP guys a bit happy so here's an example of putting it all together looking at kind of a typical type of the scans that I was doing and what options I was using I would say nmap I would give it the source IP address that I wanted to use for that particular scan I would specify debugging mode although really I found I used the runtime interaction feature more often when nmap is running some people don't know you can press D and the debugging level will increase and press it a few times and you'll really be scrolling the screen but you'll see exactly what n Maps doing right at that time then you can press capital D to turn it down say hey I'm done looking at this I don't want to fill up my log files turn it off for now I specified a low max can delay because I didn't want to wait a long time for hosts that were rate limiting I did the log file feature with the new feature that says use strf time values so that it autumn ethically puts the time and date in there I give it the name of the file I want to read from I say don't do more than one retry for this case since I really want to do a big scan and make it go fast randomize the host in the scan group do all the ports here's the host Discovery options I specified a reasonably Big Macs host group because that's more efficient for large scans here I'm saying scan at at least a hundred and seventy-five packets per second but don't scan at more than 300 so that's sort of an example of a king a man that I sort of changed and changed and improved over time until I found one that worked pretty well so now with the time I have left I saved some to talk about some nmap news because some of these are features that are new and cool that may not reflect exactly relate to the large-scale scanning but they're actually too cool to leave out so there are a few new features in a map that I really wanted to talk about well one is the N map scripting engine which is a thing that modular eise's and map and lets you say hey I want to write a little script that interrogate sports' in a certain way in this case we do the HTML title for the websites it finds and there are now more than 50 script shipped with n map everything from like Whois data to brute-forcing pop3 passwords you know there are all sorts of crazy things you can do with it I do have a quick demo of the IMAP scripting engine let me see if I can find it it's a long command so I kind of cheated and put the actual command here but we're saying n map - V and verbose mode don't ping do a UDP probe for port 53 aggressive timing and we're gonna do three scripts which I thought were kind of timely because they relate to Dan's DNS bug that he'll be talking about on Sunday and so one of them just checks if a DNS server allows recursion the second one checks if it randomizes its source port numbers and the third one checks if it has a transaction ID that's randomized so those are the bugs that that people want to fix in order to reduce the cache poisoning issues and in this case I'm going to run it against one of black hats authoritative nameservers and also one of the authoritative name servers for shmoo comm the guys who put on the great MOOC on conference and so it does the port scan then it does the end map scripting engine it takes it a little while but then it gives you your results right next to the port number it says that the black hat one basically refused recursion in both cases so it wasn't able to to interrogate them further the shmoocon it was recursive but I'm happy to report that it was great in source port randomization and it was great in transaction ID randomization now I was going to show one of the many examples that fail miserably and maybe have a little challenge game to see who can poison the cache first but decided maybe that wouldn't be the most responsible thing plus I've got a lot more good stuff to cover one of the things I'm excited about is the new Zen map buoy and a lot of people give me crap like what I don't need no GUI I've been using nmap 10 years and I know all of its hundred and thirteen options by heart and I have to admit they have a point when you looked at the old end map Fe which frankly kind of sucked it basically just displayed your end map output and instead of typing SS you press the button for since can whereas n map is a much more powerful interface and I'll give a quick demo of that basically just like an map Fe it could show you your normal output it also has a tab they can say hey show me what each host has open or look at a service level and say show me the ones with HTTP or SSH and then it has a new experimental feature that we're adding and we only have in the subversion right now which basically says hey if you're going to call the dang tool and map network mapper it ought to at least draw you a map yeah thank you this is certainly the best feature for an eye candy perspective and it can be pretty neat it basically takes the scan that you did and it puts it in the center the source host and then it in concentric circles around the center it shows each hop on the network and the machines that you scanned and you can take one and say hey you know show me what more data on this particular scan show me the ports that are open you can scan new machines and they'll get added to the graph and in terms of the biggest eye candy aspect it's if you want to recenter the graph on a certain host that maybe makes it easier to read so maybe once in a while that'll convince people to actual open the the GUI and try it out it also has a side benefit for me which is there are a lot of Windows users out there who have no idea how to do a command-line scan or what command-line even means I get so many mails saying hey I double clicked on nmap dot exe and it put this strange black box on the screen which then disappeared obviously nmap totally broken so maybe this will help them but on the other hand maybe those people shouldn't be using nmap at all we have a second-generation os detection system which basically took all the things I learned with the first seven years of os detection and improved it and we're now up to fifteen hundred signatures with the new system so I'm hoping that'll help in terms of granularity you know it nmap users basically can find every device you can possibly imagine so sure you've got your normal windows and linux versions and the like but they find you know game consoles and PB X's and network power devices and all sorts of crazy things it's always fun to go through the submissions and see what people have version detection you know a lot of people like I said still don't know about it but hopefully the people who go to DEFCON do a feature that is sometimes not known as well as it could be is the reason feature basically if M map tells you say a state is filtered you don't necessarily know is that because it sent me an ICMP host unreachable packet is that because it got no response well the way to figure out what M apps doing more is use - - reason and then you can see hey this one's open because we got a syn ACK this one's closed because we got a reset and that's a really good way to help understand what end maps really doing and when that doesn't give you enough information there's the packet trace option so say in this previous scan I wasn't sure whether port 25 mail and 1:13 is it the destination host that's sending those reset packets and I'm actually reaching it or is it a firewall sending some of them in between or is it a different case for each well by looking at the packet trace option from a quick scan of just those two ports so you don't plug your screen too much you can look at things like the sequence number and windows number what options they use IP id and that can often help figure out if it's the same host in both cases sending the packet which can be useful when you're trying to understand the firewalls and filtering systems in place advanced trace route you know it's trace route which isn't all that exciting but at least it does it better because nmap already knows what sorts of probes are likely to get through and it's also faster because then map can do it in parallel I made a number of performance and accuracy improvements there's a whole section on the man page showing all the different options you can use and what might help TCP and IP header options lets you specify things like source routing the record route option and some of you might be saying source routing maybe that worked 15 years ago but come on there's no way that would ever work nowadays but that's actually proved untrue in a number of cases I was talking to a guy recently who was doing a test of a network and he was I guess in their conference room or the like and he was on a separate VLAN that could only contact one wish a series of servers on their network but he couldn't contact all the client machines for the company just basically a little DMZ they enabled that they allowed access to from the conference room so he basically took one of those servers and said I want to lose source route through that server to the destination machine and he was able to get around that restriction that way which I thought was pretty cool another neat feature is called n cat and I shouldn't call it a feature because it's actually a whole new tool that I hope to ship with nmap and it's basically a modern interpretation of the netcat that we all know and love it basically supports virtually all of neck some 1.10 features except the port scanner because I have another tool I like to use for that but it also suggests supports a lot of other cool new things like SSL both for communicating between netcat instances and to SSL ACP servers it supports ipv6 it works on Mac OS 10 on windows on Linux and Unix it does connection brokering so if you set up a netcat listener in brokering mode then all of your machines behind Nats that want to connect to that neck cat can do so through the broker they can connect to that port and then talk to each other for command and control or whatever port redirection as there are a lot of different tools for doing that now if you look around and get a specific tool but it's something I want to do often enough that I wanted to have it built in it can do proxying either as a client and do your stuff through a series of proxies or it can act as a proxy once you get onto the machine started up as a proxy and then you can proxy through it to other machines shell execution access control because you don't want anyone else connecting to your your netcat and it's something I've wanted for a long time and has been in development since 2005 right now it's currently dev lead is Chris cater John one of the Summer of Code students and I think he may be here are you here Chris hey let's give a hand to Chris chris has also added a lot of the other features I demoed particularly the IP option of ping discovery mode that was his idea and he put that in we have endif which is a simple tool but it does something that a lot of people have wanted for a long time which is taking two scans and dipping them so say I run a company network I scan everyday all the hosts in micron tab I can then call em diff and say mail me that changes since yesterday so any new ports became open any new machines on the network any machines went down this will let you know and we have a Python proof-of-concept right now in our SVN and we're rewriting it in c sense it proved to be useful and people want it the C version will work even better another thing is my M map book which I've been working on for years so long the people have been comparing it to Duke Nukem Forever in the light and greatest vaporware so I was like dang it I'm not gonna go to DEFCON and blackhat empty-handed again especially after last year telling people oh it's almost done so I worked pretty hard to get it ready I'm happy to say that I finally have it now and did a pre-release here thanks I I hope it does a good job at not just telling you what options there are friend map but also how to use them effectively to scan your networks and so I last minute printed 170 copies and brought them here so I could tell people about him in my talk and they could go pick him up but I'm afraid they were sold like after an hour this morning and so they're all gone now but I hope as soon as I can I'm gonna get it on Amazon and the like and also half of it is already available online for free at Denman org slash book and that's also where I'll be putting the details of the launch of the book and you can also join the nmap hackers list if you're not a member it's a pretty low volume list I think I've sent three messages this year as opposed to M app dev which gets thousands of them but MF hackers you can join and I'll sing you the latest news when it's ready I also wanted to do a slide because sometimes I get you know way more credit than I deserve for a map just because I created it way back but it's actually a project that's very fortunate to have tons and tons of contributors and I couldn't do it without them this is an example of just the people who've contributed significantly since version 4.50 which was nine months ago so you can see that the M app project is really lucky to have a lot of volunteers who help out greatly now with that out of the way I think I have time for maybe two or three questions before we'll go to the question room if anyone has more so who's got a question for me yeah I don't feel very good about Germany and the UK and other countries that have put laws which tend to people suggest may ban tools like nmap they can be used for good things even though attackers might use them as well and I think that's really dangerous I mean the typical analogy is banning a hammer you know by blocking it you ensure that the good guys aren't able to use it to improve their networks and personally since I like to give talks in places like Germany and England that that can be a potential issue because I'd hate to get you know busted in Germany and these laws say things like what's it designed for what's the motivation and so how do I convince a judge that my motivation was good and you know I can't even read German to read the law so those are definitely a scary issue and things that I'm glad that groups are trying to fight even though we've had some losses there I do I have another question I can hardly see because of a giant bright light shining at me Oh good point the reason option we sort of always have that field there so it won't have any performance impact at all to add that so in many cases just like - be and like - t4 it becomes one of the things I almost always use alright so if anyone has any other questions I'm gonna be in room 103 which is just across the hall and I'd be happy to answer them there thank you very much
Info
Channel: nmapvideos
Views: 8,422
Rating: 4.8769231 out of 5
Keywords: Nmap, Fyodor, security, hack, hacking, hackers, scan, scanning, Nmap Security Scanner, networking, secure, insecure, Gordon Lyon, Defcon, Black Hat, Black Hat Briefings, tutorial, Zenmap, Ncat
Id: R_vHhEzxYkY
Channel Id: undefined
Length: 45min 22sec (2722 seconds)
Published: Fri Jul 20 2012
Related Videos
Note
Please note that this website is currently a work in progress! Lots of interesting data and statistics to come.