Nmap Scanning - How?

Thursday, March 13th, 2008

From time to time people send me questions about the tools that HackerTarget uses to scan internet systems.

Nmap is the best port scanning tool in the world. This is clearly a strong statement. However, it is also true. Read on for some interesting tricks you can do with Nmap scans.

Firstly I would recommend you use a Linux based system to run nmap (not because Windows is for chumps) mostly because running security tools on Linux is always a more pleasurable experience. If you haven’t used Linux before then try downloading Ubuntu or Knoppix - you don’t even have to install it to your hard drive. Run it as a Live distro, as it runs straight off the CD.

Nmap 4.20 ( http://insecure.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
Can pass hostnames, IP addresses, networks, etc.
Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
-iL <inputfilename>: Input from list of hosts/networks
-iR <num hosts>: Choose random targets
--exclude <host1[,host2][,host3],...>: Exclude hosts/networks
--excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
-sL: List Scan - simply list targets to scan
-sP: Ping Scan - go no further than determining if host is online
-P0: Treat all hosts as online -- skip host discovery
-PS/PA/PU [portlist]: TCP SYN/ACK or UDP discovery to given ports
-PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
-n/-R: Never do DNS resolution/Always resolve [default: sometimes]
--dns-servers <serv1[,serv2],...>: Specify custom DNS servers
--system-dns: Use OS's DNS resolver
SCAN TECHNIQUES:
-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
-sU: UDP Scan
-sN/sF/sX: TCP Null, FIN, and Xmas scans
--scanflags <flags>: Customize TCP scan flags
-sI <zombie host[:probeport]>: Idlescan
-sO: IP protocol scan
-b <ftp relay host>: FTP bounce scan
PORT SPECIFICATION AND SCAN ORDER:
-p <port ranges>: Only scan specified ports
Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080
-F: Fast - Scan only the ports listed in the nmap-services file
-r: Scan ports consecutively - don't randomize
SERVICE/VERSION DETECTION:
-sV: Probe open ports to determine service/version info
--version-intensity <level>: Set from 0 (light) to 9 (try all probes)
--version-light: Limit to most likely probes (intensity 2)
--version-all: Try every single probe (intensity 9)
--version-trace: Show detailed version scan activity (for debugging)
OS DETECTION:
-O: Enable OS detection (try 2nd generation w/fallback to 1st)
-O2: Only use the new OS detection system (no fallback)
-O1: Only use the old (1st generation) OS detection system
--osscan-limit: Limit OS detection to promising targets
--osscan-guess: Guess OS more aggressively
TIMING AND PERFORMANCE:
Options which take <time> are in milliseconds, unless you append 's'
(seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
-T[0-5]: Set timing template (higher is faster)
--min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
--min-parallelism/max-parallelism <numprobes>: Probe parallelization
--min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
probe round trip time.
--max-retries <tries>: Caps number of port scan probe retransmissions.
--host-timeout <time>: Give up on target after this long
--scan-delay/--max-scan-delay <time>: Adjust delay between probes
FIREWALL/IDS EVASION AND SPOOFING:
-f; --mtu <val>: fragment packets (optionally w/given MTU)
-D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
-S <IP_Address>: Spoof source address
-e <iface>: Use specified interface
-g/--source-port <portnum>: Use given port number
--data-length <num>: Append random data to sent packets
--ip-options <options>: Send packets with specified ip options
--ttl <val>: Set IP time-to-live field
--spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
--badsum: Send packets with a bogus TCP/UDP checksum
OUTPUT:
-oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
and Grepable format, respectively, to the given filename.
-oA <basename>: Output in the three major formats at once
-v: Increase verbosity level (use twice for more effect)
-d[level]: Set or increase debugging level (Up to 9 is meaningful)
--open: Only show open (or possibly open) ports
--packet-trace: Show all packets sent and received
--iflist: Print host interfaces and routes (for debugging)
--log-errors: Log errors/warnings to the normal-format output file
--append-output: Append to rather than clobber specified output files
--resume <filename>: Resume an aborted scan
--stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
--webxml: Reference stylesheet from Insecure.Org for more portable XML
--no-stylesheet: Prevent associating of XSL stylesheet w/XML output
MISC:
-6: Enable IPv6 scanning
-A: Enables OS detection and Version detection
--datadir <dirname>: Specify custom Nmap data file location
--send-eth/--send-ip: Send using raw ethernet frames or IP packets
--privileged: Assume that the user is fully privileged
--unprivileged: Assume the user lacks raw socket privileges
-V: Print version number
-h: Print this help summary page.
EXAMPLES:
nmap -v -A scanme.nmap.org
nmap -v -sP 192.168.0.0/16 10.0.0.0/8
nmap -v -iR 10000 -P0 -p 80
SEE THE MAN PAGE FOR MANY MORE OPTIONS, DESCRIPTIONS, AND EXAMPLES

As you can see, there are a multitude of options available, so let me explain the basics. For an excellent and more in-depth guide go to the source: http://nmap.org/man/.

As a normal user: nmap 192.168.1.1  — this will scan the specified IP using a TCP connect scan (-sT), because an unprivileged user cannot send the raw packets a SYN scan needs
As a root user: nmap 192.168.1.1  — the same command will scan the specified IP using a TCP SYN scan (-sS), which never completes the three-way handshake, so it is faster and less likely to be logged by the listening application

From here you can simply add options to the basic command above to change its behaviour,
such as:
nmap -P0 192.168.1.1  — if the target IP does not answer pings, this tells nmap to skip host discovery and scan it anyway (newer Nmap releases spell this option -Pn)
nmap -p 22 192.168.1.1  — specify which port to scan
nmap -p 22-80 192.168.1.1  — specify a range of ports to scan
nmap -A 192.168.1.1  — scan ports and also run OS detection and service/version detection against what it finds (OS detection, like the SYN scan, needs root)
nmap -F 192.168.1.1  — a fast scan of the most common ports only
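Once a scan has finished you usually want the results in a form you can feed to the next tool. The grepable output format (-oG, listed in the help above) is made for that. The script below is an added example, not part of the original post or of Nmap itself: it parses grepable output and prints the open ports per host. The scan data embedded in it is constructed to look like a verbose (-v) SYN scan of two hosts; it is not output from a real scan.

```sh
#!/bin/sh
# Added example (not from the original post): parse Nmap grepable output (-oG)
# and list the open ports per host. Typical use after a scan like the ones above:
#   nmap -v -sS -p 1-1024 -oG scan.gnmap 192.168.1.0/24
#   open_ports scan.gnmap
# The scan data below is constructed for this example, not a real scan result.
# Nmap writes the "Status: Up" lines for ping scans and for port scans run with -v;
# ports in the "Ignored State" are left out of the per-host "Ports:" list.
SAMPLE_GNMAP='# Nmap 4.20 scan initiated Thu Mar 13 10:00:00 2008 as: nmap -v -sS -p 22,25,80,443,8080 -oG - 192.168.1.1 192.168.1.2
Host: 192.168.1.1 ()	Status: Up
Host: 192.168.1.1 ()	Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/filtered/tcp//https///	Ignored State: closed (2)
Host: 192.168.1.2 ()	Status: Up
Host: 192.168.1.2 ()	Ports: 22/closed/tcp//ssh///, 80/open/tcp//http///	Ignored State: filtered (3)
# Nmap done at Thu Mar 13 10:00:05 2008 -- 2 IP addresses (2 hosts up) scanned in 4.91 seconds'

# open_ports [FILE...]: print "<ip> <port>/<proto>" for every port reported open.
# Reads the files given, or stdin when none are given.
# Each entry in a "Ports:" field is port/state/proto/owner/service/rpcinfo/version.
open_ports() {
    awk '
        /^Host: / && /Ports: / {
            ip = $2                                   # "Host: <ip> (<hostname>)"
            line = $0
            sub(/.*Ports: /, "", line)                # keep only the port list
            sub(/[ \t]*Ignored State:.*/, "", line)   # drop the trailing summary field
            n = split(line, entries, /, */)
            for (i = 1; i <= n; i++) {
                split(entries[i], f, "/")
                if (f[2] == "open") print ip, f[1] "/" f[3]
            }
        }' "$@"
}

# count_up_hosts [FILE...]: number of hosts nmap found alive in the -oG output.
count_up_hosts() {
    grep -c 'Status: Up' "$@"
}

# Stand-alone demo on the constructed sample: prints the three open ports, then "2".
printf '%s\n' "$SAMPLE_GNMAP" | open_ports
printf '%s\n' "$SAMPLE_GNMAP" | count_up_hosts
```

The parser keys on the field labels rather than on column positions, so it copes with the extra fields (OS, sequence index) that appear when -O is used, and with closed and filtered ports, which it skips. Pipe the result into sort -u or a loop that hands each host:port pair to a banner grabber or a Nikto run.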

You get the picture: it is not difficult, and it is an excellent tool for security scanning and network diagnosis. Now back to the question of chumps: whether you use Windows or Linux there is no doubt that an nmap GUI is for chumps. :)

Increased attacks on Legitimate websites

Friday, February 22nd, 2008

A recent Trend Micro report examines the increasing number of legitimate web sites that are being attacked by cyber criminals. Schools, government and big business are all targets. A compromised web site is then used to deliver malware to any visitor who loads that web page.

According to research from Trend Micro’s TrendLabs, hackers are intensifying their attacks on legitimate Web sites. It debunks the adage to “not visit questionable sites” – just because a user visits a gambling or adult-content site doesn’t necessarily mean Web threats are lurking in the shadows; the site with the latest sports news or links in a search engine result, however, could potentially infect visitors with malware.

Article on new trends in web site attacks

Press Release - New Free Scan Options Launched

Friday, February 1st, 2008

HackerTarget.com, the world leader in online open source vulnerability analysis, has launched a new online service aimed at webmasters and web hosting companies that utilizes some of the world’s best vulnerability analysis tools.

Recently, legislation in Germany and proposed legislation in the United Kingdom has been highlighted by HackerTarget.com as detrimental to online security. The laws, in a nutshell, make it illegal, or at least a grey area, to use or operate “hacking tools”, even though these tools are clearly used by security researchers, consultants and end users to do vulnerability audits and ensure a high level of internet security.

By providing a remote scanning service HackerTarget.com is able to provide scanning and security analysis anywhere in the world to any legitimate user who has a need for this kind of service.

Increasingly, attacks against web hosts are becoming a favorite playground of online organised crime, as web hosts are often poorly secured and monitored. Infected web hosts are popular for spreading the malware that makes up botnets, for phishing and spamming, and as illegal repositories for software and media.

Some of the world’s best open source tools utilized by HackerTarget.com include Nessus, Nmap, Nikto and SQLiX, providing auditing for vulnerabilities in the operating system, web server and web scripts, as well as for SQL injection.

Scan options from HackerTarget.com range from a number of free scanning services that provide raw technical output from the tools, to more traditional security consulting services such as full vulnerability audits and penetration testing.

UN and other high profile web sites compromised

Thursday, August 30th, 2007

More attacks on high profile web sites. It is clear from this article that the attackers found the victim sites by scanning servers and pouncing on the found vulnerabilities. The compromised servers were then used to serve up malicious code to build a botnet.

It is highly likely regular vulnerability analysis would have saved these web sites.

The attack on the UN Asia Pacific website is believed to originate from the same group responsible for attacks on the US-based Biotechnology Information Organization and the prominent Indian Syndicate Bank.

The financially-motivated incursions, launched from the same remote location, infected a server common to all three websites and downloaded a Trojan to visitor computers via drive-by attacks.

A keylogger and a Trojan were downloaded to visitor computers, flagged by an online scanner as positive to multiple Microsoft vulnerabilities, via hidden Java iFrames which is an old trick to refer visitors to a compromised server.

The Trojan maintains a backdoor, allowing attackers to monitor and hijack user machines to steal valuable user data, and turn the computer into a zombie as part of a botnet horde.

Websense Australia and New Zealand country manager, Joel Camissar, said such attacks exploit remote servers with weak security and typically target common brand names to maximise exposure.

“The groups will target ISPs which don’t have sufficient security, common brands of servers, and servers in locations without tight controls or law enforcement,” Camissar said.

“Typical scanners [used in attacks] only scan for one vulnerability but this looked for multiple exploits.

Computerworld UK - Article.

Mpack Author Interview

Wednesday, July 25th, 2007

This article over at SecurityFocus has some eye-opening comments from the authors of the Mpack exploitation kit. The increasing use of compromised websites as an exploitation platform against end users is a worrying trend. There are a couple of tongue-in-cheek comments like these -

Do you feel sorry for the people whose machines are infected by an attack?

Well, I feel that we are just a factory producing ammunition.

How widespread is MPack at this point?

I really don’t know about the number of (download) servers. I suppose it counts in the tens. But if you are talking about the pages containing the IFrame that refers to the server with the pack, that may be in the tens of thousands. (Some security firms’ estimates of hundreds of thousands) sound a bit large but may be true. The clients don’t give us any usage statistics.

Security Focus - Mpack Author Interview

Stopbadware.org - Security Tips

Wednesday, July 18th, 2007

There is some good information to be found at Stopbadware.org on securing a web site and ongoing efforts to eliminate the threat of malware being served up by compromised hosts and rogue web hosting companies.

Some basic steps that can be taken to make your site more secure include the following:

  • Use strong passwords.
  • Use SSH and SFTP protocols, instead of telnet or FTP. Telnet and FTP are both considered insecure because of their use of plain text protocols. They transmit usernames and passwords in a way that anyone with access to the network can read. SSH and SFTP are based on an encrypted protocol which prevents eavesdropping.
  • Scan your site for security vulnerabilities using a vulnerability auditing scanner (both free and commercial versions are available). Use security update management tools to detect missing patches and then apply those patches immediately.
  • Keep up to date on news relating to any software you or your host use on your site, and make sure you are always running the most recent versions, including security patches. Subscribe to, and regularly read, any newsletters or alerts offered by your hosting provider and software providers.
  • Make sure your hosting provider keeps all software updated, including security patches. If they do not, urge them to do so or switch to a hosting provider that you are confident does its best to keep its clients’ websites secure.

Tips for Cleaning & Securing Your Website

Google Online Security Blog: Web Server Software and Malware

Wednesday, July 18th, 2007

Interesting study by Google on the distribution of malware across different web servers. They took a sample of 70,000 sites so it is a good indication of what is being compromised to serve up malware to the public.

The breakdown by server software is depicted below. It is important to note that while many servers serve malware as a result of a server compromise by remote exploits, password theft via keyloggers, etc., some servers are configured to serve up exploits by their administrators.

Google Online Security Blog: Web Server Software and Malware

Network Computing | Vulnerability Assessment Scanners

Tuesday, July 17th, 2007

The first paragraph of this Network Computing Feature should be a wake up call for anyone on the internet who does not take security of their servers seriously.

Following on from the first alarming paragraph is a lengthy 9-page feature on various vulnerability scanners. The article clearly demonstrates that while vulnerability assessment is not a miracle cure, it is an important part of the solution, as are security awareness, vigilance and security procedures that are actually adhered to.

For the short version - Nessus is the clear-cut winner, beating out many of the established commercial offerings.

Consider the facts: Hundreds of new vulnerabilities are being discovered annually, dozens of new patches are being released monthly, and thousands of systems are already behind the security eight ball. Compounding matters, when opening your perimeter for consumers and business partners, system-level security becomes even more critical as it forces an increase in exposure points. Make no mistake, the odds are not in your favor–you have to patch every hole, but an attacker need find only one to get into your environment.

Network Computing | Feature | Security | Vulnerability Assessment Scanners

The June07 Mpack attack

Wednesday, July 11th, 2007

On the 18th of June a large scale attack was uncovered at an Italian web hosting company. Websense reported that over 10,000 sites were compromised and used to serve malware to unsuspecting end users.

SANS Internet Storm Center had some good analysis of the Mpack exploit package that was used with a follow up story containing information from iDefense.

This attack is far from unique and makes an ideal first post for hackertarget.com as it clearly highlights the need for Internet Security Awareness amongst web hosts and web site owners. Criminals use compromised internet servers to distribute Malware as it makes them hard to track and they are so readily available.

Other links of interest:
ArsTechnica Article
Symantec Analysis
PandaLabs Analysis of Mpack from December 2006