Online Vulnerability Scanners | HackerTarget.com » Tools https://hackertarget.com Security Vulnerability Scanners and Assessments Sat, 22 Aug 2015 22:50:54 +0000 en-US hourly 1 http://wordpress.org/?v=4.3 Exploring the Hacker Tools of Mr Robot https://hackertarget.com/hacker-tools-mr-robot/ https://hackertarget.com/hacker-tools-mr-robot/#comments Fri, 21 Aug 2015 11:51:37 +0000 https://hackertarget.com/?p=7756 The debut season of Mr Robot has received a nod from the security focused twitters for its attempts at trying to keep things for the most part realistic. In the episodes so far we have seen hacker types communicating , there are as far as the eye can see and the main character . Of […]

The post Exploring the Hacker Tools of Mr Robot appeared first on Online Vulnerability Scanners | HackerTarget.com.

]]>
Over the years the most famous hacking tool that has made it into the movies is Nmap. When producers of a movie actually try to put a dose of reality into the computer hacking scenes Nmap will often flash up on the screen. AFAIK Trinity was the first in the Matrix. Nmap has also appeared in Elysium, The Bourne Ultimatum, Die Hard 4 and many others.

The debut season of Mr Robot has received a nod from the security focused twitters for its attempts at trying to keep things for the most part realistic. In the episodes so far we have seen hacker types communicating using IRC, there are Linux boxes as far as the eye can see and the main character wears a hoodie. Of course it is a television show that has to be entertaining so we have to give them some slack in getting a bit creative. So far they seem to be doing a pretty good job at maintaining a balance between the story and what is technically possible.

Here is a quick overview of some of the tools that have appeared in the show so far.

Kali Linux

In multiple scenes we can see references to the Kali Linux distribution, a complete operating system that has been packaged with configured and ready to use penetration testing (hacking) tools. If you are interested in learning about network security, get a copy of this and start playing! ** Only in your lab network of course! Breaking into computers you do not own is illegal in most parts of the world **.

Wget, Shellshock and John the Ripper

Wget is a terminal program to make HTTP requests, a popular use case is to simply download the source of a web page or grab a file from a web server in a terminal.

Here this handy tool is used to compromise a system using one of the big vulnerabilities of 2014 the shellshock bug. You can see the commands being sent in the User Agent of the request to the web server, the command in the screen shot is simply cat /etc/passwd.

While success was achieved here getting the /etc/passwd file, without the /etc/shadow file that contains the password hashes the next line where John the Ripper is launched is never going to work.

Canbus Hacking

Car hacking has really hit the big time recently after computer security researchers remotely hacked into and took control of a Jeep as it was driving down the freeway. Canbus hacking has been around for a number of years and both car enthusiasts and security researchers have been poking around to gain access to the computers that control the modern car.

In the screen shot from Mr Robot we can see candump, one of the Linux utilities used for viewing the canbus messages.

USB in the car park

We see in this scene one of the few Windows desktops shown - during this scene a security guard inserts a USB drive found in the car park into his system infecting his Windows XP machine with malware. Leaving infected USB flash drives in the car park of the target organization is a well known trick to get code onto a system where network access is limited. In this instance the malware is caught by AVAST anti-virus.

Bluetooth Scanner (btscanner)

btscanner is used here to probe the targets phones for bluetooth capabilities. The tool attempts to extract as much information as possible from a Bluetooth device without having to pair. The btscanner program is included in the Kali Linux distribution and we can see from the title bar of the window that it is the operating system being used here.

Bluesniff

In this screenshot bluesniff can be seen, this is another tool for attacking bluetooth enabled devices. In this screen shot the actual plan here is to perform a man in the middle attack against the targets bluetooth keyboard. With keyboard access the next move is to drop a Meterpreter shell onto the system for access to the target network.

Metasploit Framework (Meterpreter)

In this shot we can see a few lines from a Meterpreter shell. Anyone who has used this tool knows a little bit of Meterpreter goes a long way so there was no need for an extensive shot of this powerful tool. Part of the Metasploit penetration testing framework by Rapid7, a Meterpreter shell gives an attacker full control of the target system as well as the ability to move around the network.

Social Engineer Toolkit (SET)

The Social Engineer Toolkit Social Engineer Toolkit or SET is a framework that makes setting up social engineering attacks easier. Email based spear phishing attacks, fake websites and wireless access points can all be launched through its menu system. In this case they are using the SMS spoofing module.

Netscape Navigator the hackers browser of choice

Windows 95 and Netscape Navigator are mentioned when the lead character is thinking about his first steps as a hacker. In the screen shot you can see the source being viewed... careful if you see someone viewing the source they are no doubt a dangerous hacker. The humble web browser is actually a very useful tool for an attacker whether they are launching web application attacks or researching LinkedIn for social engineering attacks.

There you go a bit of fun for the end of the week. If you are after more information on any of the tools explore the included links or try searching. The great thing about all these open source tools is there are lots of tutorials and documentation available.

It is refreshing to see a television show making an effort to not only highlight capabilities of current hacking techniques but trying to stay reasonably close to reality, unlike the nonsense seen in CSI:Cyber. :)

The post Exploring the Hacker Tools of Mr Robot appeared first on Online Vulnerability Scanners | HackerTarget.com.

]]>
https://hackertarget.com/hacker-tools-mr-robot/feed/ 0
Quietly Mapping the Network Attack Surface https://hackertarget.com/quietly-mapping-the-network-attack-surface/ https://hackertarget.com/quietly-mapping-the-network-attack-surface/#comments Mon, 04 May 2015 11:55:40 +0000 http://hackertarget.com/?p=7377 When assessing the network security of an organization it is important to understand the breadth of the attack surface. A single forgotten host or web application in the network will often become the initial foothold for an attacker. Passively Mapping the Network Attack Surface Using open source intelligence (OSINT) techniques and tools it is possible […]

The post Quietly Mapping the Network Attack Surface appeared first on Online Vulnerability Scanners | HackerTarget.com.

]]>
When assessing the network security of an organization it is important to understand the breadth of the attack surface. A single forgotten host or web application in the network will often become the initial foothold for an attacker.

Passively Mapping the Network Attack Surface

Using open source intelligence (OSINT) techniques and tools it is possible to map an organizations Internet facing networks and services without actually sending any packets (or just a few standard requests) to the target network.

Open source intelligence (OSINT) is defined as deriving intelligence from publicly available resources.

Looking at this another way an attacker can do a comprehensive analysis and mapping of your network infrastructure and technologies without actually sending you any packets, and therefore without you having any knowledge that this reconnaissance has taken place.

Consider the following graphic; you will notice that as the analysis is progressed, newly discovered items (IP address / host names / net blocks) can open up new areas to explore (and attack).

Identifying all known hosts for an organization allows us to continue to dig deeper for more systems and hosts to target. By examining all discovered IP address blocks (ASN) we can find other hosts within the net block of interest. Identifying related domains will lead to the discovery of more hosts.

Think of a single web server; the actual open services (ssh, http, rdp) are all points of attack; discovering all the virtual hosts running on the server is also important as web applications running on any of the virtual hosts are also an attack vector.

In this overview the focus is the gathering of information specifically related to the organizations network footprint and services. Open source intelligence from social networks, email addresses, search engines and document meta data is often used for the purpose of developing a social engineering attack.

Basic DNS queries

Most domains will have a web site, mail server and dns servers associated with it. These will be our initial point of reference when discovering the attack surface. We can use DNS lookup tools and whois to find where the web (A records), mail (MX records) and DNS (NS records) services are being hosted.

hackertarget.com.	3600	IN	A	178.79.163.23
hackertarget.com.	3600	IN	AAAA	2a01:7e00::f03c:91ff:fe70:d437
hackertarget.com.	3600	IN	MX	10 aspmx.l.google.com.
hackertarget.com.	3600	IN	MX	20 alt1.aspmx.l.google.com.
hackertarget.com.	3600	IN	MX	20 alt2.aspmx.l.google.com.
hackertarget.com.	3600	IN	MX	30 aspmx2.googlemail.com.
hackertarget.com.	3600	IN	NS	ns51.domaincontrol.com.
hackertarget.com.	3600	IN	NS	ns52.domaincontrol.com.

Initial Host discovery (Google, Bing and Netcraft)

A simple search for all host names related to the target domain is also a good starting point. Using search engines such as Google (site:example.com) and Bing (site:example.com) can reveal sub-domains and web hosts that may be of interest.

When searching with Google if there are a large number of results you can remove the known domains with the following query.

site:example.com -site:www.example.com

Google Hacking is a well documented technique that involves getting Google to reveal technical information that is of interest to an attacker. The Google hacking database is the best place to get started if you are not familiar with this technique.

Another handy tool is the netcraft host search. Enter the domain as your search term (be sure to include the . before your domain name to only get sub-domains of your target domain. You can see the Netcraft search provides a quick overview of known web hosts for the domain and the net blocks that they are hosted in. Another interesting piece of information is the historical data, Netcraft have been collecting this data for a long time.

Finding more hosts through data mining DNS records

Passive DNS reconnaissance allows discovery of DNS host records without actively querying the target DNS servers. If DNS monitoring is in place active dns recon could be detected by the target. Techniques that can be classed as active DNS recon include brute forcing common sub-domains of the target or attempting DNS zone transfers (query type=AXFR).

There are many on line resources for passive DNS analysis and searching, rather than sticking to regular DNS lookups we can perform large scale searches using DNS data sets. One such resource is that provided by scans.io.

the scans.io data

Scans.io and Project Sonar gather Internet wide scan data and make it available to researchers and the security community. This data includes port scans and a dump of all the DNS records that they can find.

Using the DNS records dump you can search through over 80GB of DNS data for all entries that match your target domain. If you do not wish to go through the trouble of downloading and extracting such a large chunk of data you can use our free tools to get started with your network reconnaissance.

Name Servers (type=NS)

The location of the DNS servers may be internal to the organization network or as is often the case they be a hosted service. This can be often be determined by simply looking up the net block owner (ASN) of the IP address of the DNS server.

When looking at DNS servers we can not only review the Host (A) records that point to the IP address of the DNS server but also do a reverse search across DNS data for all hosts that use the same DNS server. In a hosted situation this may not be as valuable but if its an internal company DNS server we will quickly identify all related domains for the organization (that are at least using this DNS infrastructure).

targetdomain.com
targetdomain.co.uk
targetdomain.net
forgotten-footy-tipping-site-with-no-security-controls.com
vpn.targetdomain.com
webmail.targetdomain.com

SPF Records (type=TXT)

Sender Policy Framework is configured through the TXT DNS record. If configured this will contain all servers (or networks) that are allowed to send email from the domain. This can often reveal IP addresses (and net blocks) of the organization that you may not have been aware of.

hackertarget.com.	3600	IN	TXT	"v=spf1 include:_spf.google.com ip4:178.79.163.23 ip4:66.228.44.129 ip4:173.255.225.101 ip4:66.175.214.247 ip6:2a01:7e00::f03c:91ff:fe70:d437 ip6:2600:3c03::f03c:91ff:fe6e:d558 include:_spf.google.com ~all"

Reverse DNS across IP blocks of Interest

Once you have a list of all IP addresses and ASN's of interest you can attempt to find more active hosts within those net blocks that the organizations owns or has assets within. A good way of finding more hosts is to perform a reverse DNS search across the full net blocks of interest.

178.79.x.22 host4.example.com
178.79.x.23 targetdomain.com
178.79.x.24 forgotten-unpatched-dev-host.targetdomain.com
178.79.x.25 host6.example.com

Finding Web Servers

When it comes to mapping a network the web servers of an organization open up a wide attack surface. They also contain a wealth of information, not just published but insights into the technologies in use, operating systems and even how well managed the information technology resources of the organization are.

To map the attack surface of a web server it is important to consider the available network services, the virtual hosts (websites) and the web applications in use.

Identifying all virtual web hosts on the web server is an important part of the information gathering process. Different web sites on the same web server will often be managed using different content management systems and web applications. A vulnerability in any of these web applications could allow code execution on the web server.

To identify the virtual web hosts on a particular IP Address there are a number of well known web based tools such as Bing and Robtex. An IP address search using the ip:1.1.1.1 search term on the Bing search engine will reveal all web sites that Bing has in its index that point to that same IP address. Experience shows this is a good starting place but like the Bing search engine in general, can contain stale entries and limited results.

As previously mentioned scans.io regularly compiles all the DNS data it can publicly find, we can use this data to identify the web server hosts (A records). By searching for an IP address in all the known DNS records, we can find all the hosts that resolve to that IP. This is the method we use for the Reverse IP Address Search tool we created and also parts of the dnsdumpster.com project.

Other Network Services

In any vulnerability assessment it is essential to identify all listening services. A web server will of course usually have a web server (port 80), an ftp server will have an FTP service (port 21) and a mail server will be listening for mail (smtp on 25, pop3 on 110, imap on 143 and more).

It is important to discover all the listening services in order to determine if they are vulnerable to exploitation or authentication attacks.

Traditionally these services would be identified using Port Scans with tools such as the Nmap Port Scanner. Of course using a port scanner is no longer a passive undertaking, as using a tool such as Nmap involves sending packets to the target systems.

shodan.io search engine

To passively find open services and the banners for the open services we can use the shodan.io search engine. From the banners of services such as web servers, mail and ftp we are able to identify the version of the server software running the service and often the operating system of the server. All without sending any packets to the target organization.

dnsdumspter.com is a Free tool that automagically collates DNS and host data.

Becoming the attacker and the Next Steps

Putting yourself in the shoes of an attacker and attempting to map out an organizations Internet facing systems is a great way to develop an understanding of the attack surface of a network. Start by finding all the public IP addresses of known hosts for a domain, expand this to include net blocks of interest that are hosting these services. Now try to find all virtual host names that are hosted on the IP addresses and from this you can map out the web applications in use.

From this initial passive analysis it may be possible to identify vulnerable or possibly vulnerable points in the network, this can inform your next steps and where to focus your attack or vulnerability assessment.

Moving on from passive analysis the next steps to consider are active information gathering such as DNS zone transfers or sub-domain brute forcing. Followed by active network scanning such as Nmap Port Scans and vulnerability scanning.

Ultimately the next steps will be determined by your scope and purpose for the performing the analysis.

The post Quietly Mapping the Network Attack Surface appeared first on Online Vulnerability Scanners | HackerTarget.com.

]]>
https://hackertarget.com/quietly-mapping-the-network-attack-surface/feed/ 0
tshark tutorial and filter examples https://hackertarget.com/tshark-tutorial-and-filter-examples/ https://hackertarget.com/tshark-tutorial-and-filter-examples/#comments Wed, 22 Apr 2015 13:56:25 +0000 http://hackertarget.com/?p=7337 tshark is a packet capture tool that also has powerful reading and parsing features for pcap analysis. Rather than repeat the information in the extensive man page and on the wireshark.org documentation archive, I will focus on providing practical examples for how you can get started using tshark and begin carving valuable information from the […]

The post tshark tutorial and filter examples appeared first on Online Vulnerability Scanners | HackerTarget.com.

]]>
tshark is a packet capture tool that also has powerful reading and parsing features for pcap analysis.

Rather than repeat the information in the extensive man page and on the wireshark.org documentation archive, I will focus on providing practical examples for how you can get started using tshark and begin carving valuable information from the wire.

tshark examples

Use these as the basis for starting to build your extraction commands. As you can see the syntax is very similar to tcpdump.

tshark -i wlan0 -w capture-output.pcap
tshark -r capture-output.pcap

In the following example you can see that we extract data from any HTTP requests that are seen. Using the -T we specify that we want to extract fields and with the -e options we identify which fields we want to extract.

tshark -i wlan0 -Y http.request -T fields -e http.host -e http.user_agent

searchdns.netcraft.com	Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0
1 searchdns.netcraft.com	Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0
ads.netcraft.com	Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0

The default separator for the fields in the output above is TAB. We could also use the parameter -E seperator=, to change the delimeter to a comma.

Here is an example that extracts both the DNS query and the response address.

tshark -i wlan0 -f "src port 53" -n -T fields -e dns.qry.name -e dns.resp.addr

68 campus-map.stanford.edu	171.64.144.142
www.google.com	
itunes.apple.com	104.74.40.29
71 itunes.apple.com	
campus-map.stanford.edu	
admission.stanford.edu	171.67.215.200
74 financialaid.stanford.edu	171.67.215.200
admission.stanford.edu	

Add time and source / destination IP addresses -e frame.time -e ip.src -e ip.dst to your output.

tshark -i wlan0 -f "src port 53" -n -T fields -e frame.time -e ip.src -e ip.dst -e dns.qry.name -e dns.resp.addr

Apr 22, 2015 23:20:16.922103000 8.8.8.8 192.168.1.7 wprecon.com	198.74.56.127
1 Apr 22, 2015 23:20:17.314244000 8.8.8.8 192.168.1.7 wprecon.com	
2 Apr 22, 2015 23:20:18.090110000 8.8.8.8 192.168.1.7 code.jquery.com
One of the great advantages that tshark has over the wireshark GUI is stdout giving you many options to manipulate and clean the output.

Lets get passwords.... in a HTTP post. By not specifying the fields option as above we will receive the full TCP stream of the HTTP Post. If we add the filter tcp contains "password" and grep for that password we will just get the actual POST data line.

tshark -i wlan0 -Y 'http.request.method == POST and tcp contains "password"' | grep password

csrfmiddlewaretoken=VkRzURF2EFYb4Q4qgDusBz0AWMrBXqN3&password=abc123

Hopefully this tutorial has given you a quick taste of the useful features that are available to you when using tshark for extracting data from the wire or from pcaps.

The post tshark tutorial and filter examples appeared first on Online Vulnerability Scanners | HackerTarget.com.

]]>
https://hackertarget.com/tshark-tutorial-and-filter-examples/feed/ 0
WordPress Security Testing with Nmap https://hackertarget.com/wordpress-security-testing-with-nmap/ https://hackertarget.com/wordpress-security-testing-with-nmap/#comments Wed, 04 Feb 2015 11:33:47 +0000 http://hackertarget.com/?p=7225 With the popularity of WordPress as a publishing platform, security testing is an important part of ensuring the installation is secure. Nmap has a couple of NSE scripts specifically for the testing of WordPress installations. Using those scripts as a base I have developed a couple more that expand the capabilities of using Nmap to […]

The post WordPress Security Testing with Nmap appeared first on Online Vulnerability Scanners | HackerTarget.com.

]]>
With the popularity of WordPress as a publishing platform, security testing is an important part of ensuring the installation is secure. Nmap has a couple of NSE scripts specifically for the testing of WordPress installations. Using those scripts as a base I have developed a couple more that expand the capabilities of using Nmap to audit WordPress installations.

Looking for the code? Jump over to my github repo for my latest updates.

Nmap comes with two Lua NSE scripts for high level testing of WordPress installations. The scripts allow for brute forcing of the plugins on the system and for enumerating WordPress user accounts that are on the system.

http-wordpress-plugins.nse

In addition to identifying the plugins in use I have added a feature to the http-wordpress-plugins.nse script that will identify the version of the installed plugin and compare that to the latest version that is checked in real time against the WordPress Plugin API.

-- Interesting ports on my.woot.blog (123.123.123.123):
-- PORT   STATE SERVICE REASON
-- 80/tcp open  http    syn-ack
-- | http-wordpress-plugins:
-- | search amongst the 500 most popular plugins
-- |   akismet 3.0.4 (latest version: 3.0.4)
-- |   wordpress-seo 1.7 (latest version: 1.7.1)
-- |   disqus-comment-system 2.83 (latest version: 2.84)
-- |_  wp-to-twitter 1.2 (latest version: 1.45)

http-wordpress-themes.nse

Based on the NSE script http-wordpress-plugins.nse I cranked out a variation that tests for WordPress themes. One of the often overlooked parts of keeping a secure WordPress installation is ensuring all themes (even inactive ones) are kept up to date or removed if not in use. Security vulnerabilities can be found in WordPress themes and these are often exploitable even if the theme is inactive.

The wp-theme.lst was created after I crawled the Alexa top 1 million sites and found around 200000 WordPress sites. By basing the theme list on the in use themes and sorting by popularity this list is a good representation of the most popular themes in being used across the web.

-- Interesting ports on my.woot.blog (123.123.123.123):
-- PORT   STATE SERVICE REASON
-- 80/tcp open  http    syn-ack
-- | http-wordpress-themes:
-- | search amongst the 500 most popular themes 
-- |   twentyfourteen 1.3
-- |   canvas 5.8.7
-- |_  twentytwelve 1.5

http-wordpress-info.nse

Rather than brute forcing paths this script is much more polite and will only download the main page of the WordPress site and examine the theme and plugin paths in the html. The WordPress version will also be identified using the default readme.html file if the meta generator is not present.

http-wordpress-enum.nse

The http-wordpress-enum.nse script comes with default Nmap installation and allows you to attempt to identify users of the WordPress installation. Once you have user names it is possible to brute force the passwords using methods I detailed in the attacking wordpress article.

The post WordPress Security Testing with Nmap appeared first on Online Vulnerability Scanners | HackerTarget.com.

]]>
https://hackertarget.com/wordpress-security-testing-with-nmap/feed/ 0
7 Nmap NSE Scripts for Recon https://hackertarget.com/7-nmap-nse-scripts-recon/ https://hackertarget.com/7-nmap-nse-scripts-recon/#comments Wed, 24 Sep 2014 14:36:09 +0000 http://hackertarget.com/?p=7101 As with any security testing, make sure you fully understand what the script will do and how it might affect a target system. Only test systems you have permission to scan! Information Gathering 1. DNS Brute Force Find sub-domains with this script. Detecting sub-domains associated with an organizations domain can reveal new targets when performing […]

The post 7 Nmap NSE Scripts for Recon appeared first on Online Vulnerability Scanners | HackerTarget.com.

]]>
These Nmap NSE Scripts are all included in standard installations of Nmap. Use them to gather additional information on the targets you are scanning. The information can both add context to the hosts you are scanning and widen the attack surface of the systems you are assessing.
7 Nmap NSE Scripts for Recon

As with any security testing, make sure you fully understand what the script will do and how it might affect a target system. Only test systems you have permission to scan!

Information Gathering

1. DNS Brute Force

Find sub-domains with this script. Detecting sub-domains associated with an organizations domain can reveal new targets when performing a security assessment. The discovered hosts may be virtual web hosts on a single web server or may be distinct hosts on IP addresses spread across the world in different data centres.

The dns-brute.nse script will find valid DNS (A) records by trying a list of common sub-domains and finding those that successfully resolve.

nmap -p 80 --script dns-brute.nse vulnweb.com

Starting Nmap 6.46 ( http://nmap.org ) at 2014-09-24 19:58 EST
Nmap scan report for vulnweb.com (176.28.50.165)
Host is up (0.34s latency).
rDNS record for 176.28.50.165: rs202995.rs.hosteurope.de
PORT   STATE SERVICE
80/tcp open  http

Host script results:
| dns-brute: 
|   DNS Brute-force hostnames: 
|     admin.vulnweb.com - 176.28.50.165
|     firewall.vulnweb.com - 176.28.50.165
|_    dev.vulnweb.com - 176.28.50.165

Nmap done: 1 IP address (1 host up) scanned in 28.41 seconds

2. Find Hosts on IP

Another tactic for expanding an attack surface is to find virtual hosts on an IP address that you are attempting to compromise (or assess). This can be done by using the hostmap-* scripts in the NSE collection. The hostmap-bfk.nse seems to work reasonably well providing a good starting point for your recon (IP to Host services do vary in accuracy).

nmap -p 80 --script hostmap-bfk.nse nmap.org

Starting Nmap 6.46 ( http://nmap.org ) at 2014-09-24 19:47 EST
Nmap scan report for nmap.org (173.255.243.189)
Host is up (0.19s latency).
PORT   STATE SERVICE
80/tcp open  http

Host script results:
| hostmap-bfk: 
|   hosts: 
|     www.nmap.org
|     173.255.243.189
|     seclists.org
|     sectools.org
|     svn.nmap.org
|     nmap.org
|     hb.insecure.org
|     insecure.org
|     images.insecure.org
|     189.243.255.173.in-addr.arpa
|_    www.insecure.org

Nmap done: 1 IP address (1 host up) scanned in 2.10 seconds
Try our Free IP Tool Host search tool that uses the scans.io DNS data to reverse lookup an IP address to host name. Another option is bing.com that has the ability to search with ip:x.x.x.x however recently the accuracy of this search seems hit and miss.

3. Traceroute Geolocation

Perform a traceroute to your target IP address and have geolocation data plotted for each hop along the way. Makes correlating the reverse dns names of routers in your path with locations much easier.

sudo nmap --traceroute --script traceroute-geolocation.nse -p 80 hackertarget.com

Starting Nmap 6.46 ( http://nmap.org ) at 2014-09-24 21:03 EST
Nmap scan report for hackertarget.com (178.79.163.23)
Host is up (0.31s latency).
PORT   STATE SERVICE
80/tcp open  http

Host script results:
| traceroute-geolocation: 
|   HOP  RTT     ADDRESS                                                GEOLOCATION
|   1    2.09    192.168.1.1                                            - ,- 
|   2    25.55   core-xxxxx.grapevine.net.au (203.xxx.32.20)            -27,133 Australia (Unknown)
|   3    31.61   core-xxxxx.grapevine.net.au (203.xxx.32.25)            -27,133 Australia (Unknown)
|   4    25.02   xe0-0-0-icr1.cbr2.transact.net.au (202.55.144.117)     -27,133 Australia (Unknown)
|   5    23.48   xe11-3-0.cr1.cbr2.on.ii.net (150.101.33.62)            -27,133 Australia (Unknown)
|   6    43.45   ae2.br1.syd4.on.ii.net (150.101.33.22)                 -27,133 Australia (Unknown)
|   7    175.24  te0-0-0-1.br1.lax1.on.ii.net (203.16.213.69)           -27,133 Australia (Unknown)
|   8    181.29  TenGE13-2.br02.lax04.pccwbtn.net (206.223.123.93)      38,-97 United States (Unknown)
|   9    310.46  telecity.ge9-9.br02.ldn01.pccwbtn.net (63.218.13.222)  51,0 United Kingdom (London)
|   10   309.63  212.111.33.238                                         51,0 United Kingdom (Unknown)
|_  11   338.95  hackertarget.com (178.79.163.23)                       51,0 United Kingdom (Unknown)

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   2.09 ms   192.168.1.1
2   25.55 ms  core-xxxxx.grapevine.net.au (203.xxx.32.20)
3   31.61 ms  core-xxxxx.grapevine.net.au (203.xxx.32.25)
4   25.02 ms  xe0-0-0-icr1.cbr2.transact.net.au (202.55.144.117)
5   23.48 ms  xe11-3-0.cr1.cbr2.on.ii.net (150.101.33.62)
6   43.45 ms  ae2.br1.syd4.on.ii.net (150.101.33.22)
7   175.24 ms te0-0-0-1.br1.lax1.on.ii.net (203.16.213.69)
8   181.29 ms TenGE13-2.br02.lax04.pccwbtn.net (206.223.123.93)
9   310.46 ms telecity.ge9-9.br02.ldn01.pccwbtn.net (63.218.13.222)
10  309.63 ms 212.111.33.238
11  338.95 ms hackertarget.com (178.79.163.23)

HTTP Recon

Nmap comes with a wide range of NSE scripts for testing web servers and web applications. An advantage of using the NSE scripts for your HTTP reconnaissance is that you are able to test aspects of a web server against large subnets. This can quickly provide a picture of the types of servers and applications in use within the subnet.

4. http-enum.nse

One of the more aggressive tests, this script effectively brute forces a web server path in order to discover web applications in use. Attempts will be made to find valid paths on the web server that match a list of known paths for common web applications. The standard test includes testing of over 2000 paths, meaning that the web server log will have over 2000 entries that are HTTP 404 not found, not a stealthy testing option! This is very similar to the famous Nikto web server testing tool (that performs 6000+ tests).

nmap --script http-enum 192.168.10.55

Nmap scan report for ubuntu-test (192.168.10.55)
Host is up (0.024s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
| http-enum: 
|   /robots.txt: Robots file
|   /readme.html: WordPress version 3.9.2
|   /css/: Potentially interesting directory w/ listing on 'apache/2.2.22 (ubuntu)'
|   /images/: Potentially interesting directory w/ listing on 'apache/2.2.22 (ubuntu)'
|_  /js/: Potentially interesting directory w/ listing on 'apache/2.2.22 (ubuntu)'

Additional options:

Specify base path, for example you could specify a base path of /pub/.

nmap --script -http-enum --script-args http-enum.basepath='pub/' 192.168.10.55

Nmap scan report for xbmc (192.168.1.5)
Host is up (0.0012s latency).
PORT   STATE SERVICE
80/tcp open  http
| http-enum: 
|   /pub/: Root directory w/ listing on 'apache/2.2.22 (ubuntu)'
|   /pub/images/: Potentially interesting directory w/ listing on 'apache/2.2.22 (ubuntu)'
|_  /pub/js/: Potentially interesting directory w/ listing on 'apache/2.2.22 (ubuntu)'

Nmap done: 1 IP address (1 host up) scanned in 1.03 seconds

5. HTTP Title

It is not a difficult thing to find the Title of the web page from a web server, this script just makes it easier to get those title's in one set of results from a range of IP addresses.

Having the title of the page included in the Nmap scan results can provide context to a host, that may identify the primary purpose of the web server and whether that server is a potential attack target.

nmap --script http-title -sV -p 80 192.168.1.0/24

Starting Nmap 6.46 ( http://nmap.org ) at 2014-09-24 20:47 EST
Nmap scan report for 192.168.1.1
Host is up (0.0018s latency).
PORT   STATE SERVICE VERSION
80/tcp open  http    Linksys wireless-G WAP http config (Name RT-N16)
|_http-title: 401 Unauthorized
Service Info: Device: WAP

Nmap scan report for xbmc (192.168.1.115)
Host is up (0.0022s latency).
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.2.22 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).

Nmap scan report for 192.168.1.118
Host is up (0.0035s latency).
PORT   STATE SERVICE VERSION
80/tcp open  upnp    Epson WorkForce 630 printer UPnP (UPnP 1.0; Epson UPnP SDK 1.0)
|_http-title: WorkForce 630
Service Info: Device: printer; CPE: cpe:/h:epson:workforce_630

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 256 IP addresses (8 hosts up) scanned in 10.17 seconds

Microsoft Windows Network Recon

Find operating systems, users, processes and more from systems within your local windows network with these information gathering scripts. Generally these smb-* scripts will get you a lot more information if you have valid credentials. However, with even Guest or Anonymous access you will usually be able to at least expand your knowledge of the network.

6. smb-os-discovery.nse

Determine operating system, computer name, netbios name and domain with the smb-os-discovery.nse script. An example use case could be to use this script to find all the Windows XP hosts on a large network, so they can be unplugged and thrown out (Windows XP is no longer supported by Microsoft). The key advantage to using Nmap for something like this rather than a Microsoft native tool is that it will find all systems connected to the network not just those attached to a domain.

nmap -p 445 --script smb-os-discovery 192.168.1.0/24

Starting Nmap 6.46 ( http://nmap.org ) at 2014-09-24 23:32 EST

Nmap scan report for test1 (192.168.1.115)
Host is up (0.0035s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-os-discovery: 
|   OS: Unix (Samba 3.6.3)
|   Computer name: ubuntu003
|   NetBIOS computer name: 
|   Domain name: 
|   FQDN: ubuntu003
|_  System time: 2014-09-24T23:34:41+10:00

Nmap scan report for 192.168.1.101
Host is up (0.018s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-os-discovery: 
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|   Computer name: test-xp3
|   NetBIOS computer name: TEST-XP3
|   Workgroup: WORKGROUP
|_  System time: 2014-09-24T23:33:01+01:00

7. smb-brute.nse

Another example of the smb series of NSE scripts is the smb-brute.nse that will attempt to brute force local accounts against the SMB service.

While I would not classify brute forcing accounts as a recon function of the assessment process this script can lead to large amount of recon if we do get valid credentials as there are other smb-* scripts that can be leveraged to retrieve all local user accounts (smb-enum-users.nse), groups (smb-enum-groups.nse), processes (smb-enum-processes.nse) and even execute processes remotely with the smb-psexec.nse script.

nmap -sV -p 445 --script smb-brute 192.168.1.101

Starting Nmap 6.46 ( http://nmap.org ) at 2014-09-24 23:47 EST
Nmap scan report for 192.168.1.101
Host is up (0.060s latency).
PORT    STATE SERVICE      VERSION
445/tcp open  microsoft-ds Microsoft Windows XP microsoft-ds
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-brute: 
|_  No accounts found

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 115.04 seconds

As can be seen in the example above we have not found any accounts. So lets take a look at the activity on the wire while the smb-brute.nse script was running.

Nmap NSE SMB Brute Wireshark Capture

It is pretty clear from this Wireshark capture that sessions were being established and a large number of account credentials were being tested.

Digging deeper and finding Gold with Nmap NSE scripts

After this quick skim of the capabilities of a sample of the Nmap NSE scripts. My suggestion is to look a bit deeper. There are literally hundreds of scripts now available and included in a regular Nmap installation. Each of the .nse files comes with pretty good documentation right there in the script or more information can be found on the NSE scripts documentation portal.

Find the NSE scripts location for your Nmap installation (locate nse | grep scripts) and take a look through the included scripts. There are many surprising finds; not only for reconnaissance but also scripts for discovery of exploitable services.

HackerTarget.com offers a hosted version of Nmap for port scanning your Internet perimeter. Simply Convenient.

The post 7 Nmap NSE Scripts for Recon appeared first on Online Vulnerability Scanners | HackerTarget.com.

]]>
https://hackertarget.com/7-nmap-nse-scripts-recon/feed/ 0
Parse Nmap XML to get SSL Certificate details https://hackertarget.com/parse-nmap-xml-ssl-certificate/ https://hackertarget.com/parse-nmap-xml-ssl-certificate/#comments Sat, 24 May 2014 03:33:36 +0000 http://hackertarget.com/?p=6392 Extract SSL certificate details from a range of IP addresses using Nmap XML and a simple python script. The python script parses the Nmap XML output from the ssl-cert.nse script and produces csv output with the target SSL certificate details. When compiling Nmap you will need to have the libssl-dev package installed as Nmap nse […]

The post Parse Nmap XML to get SSL Certificate details appeared first on Online Vulnerability Scanners | HackerTarget.com.

]]>
Extract SSL certificate details from a range of IP addresses using Nmap XML and a simple python script. The python script parses the Nmap XML output from the ssl-cert.nse script and produces csv output with the target SSL certificate details.

When compiling Nmap you will need to have the libssl-dev package installed as Nmap nse scripts such as ssl-cert will not work without it being installed. Once this is installed ./configure, make, make install to install the latest version of Nmap.

apt-get install libssl-dev

Once the package is installed go ahead and install Nmap from source. Extract the source into a folder, configure and install.

For a quick test of the SSL cert parse script I grabbed the top 25 computing sites from Alexa. Start Nmap with the ssl-cert nse script. The -iL option loads the list 25 target host names with the -oX producing the Nmap XML results.

nmap -iL top25-tech.txt -sV -p 443 -oX nmap-results-top25 --script=ssl-cert

Once the scan has completed the python script below can be used parse the Nmap XML and produce the csv output. The results can then be loaded into a spreadsheet, or parsed further to depending on your needs.

testuser@ubuntu:~$ python nmap-ssl-certs.py nmap-results-top25.xml
 
150.101.195.240,www.google.com,Google Inc,US,2014-05-07,2014-08-05
31.13.70.17,*.facebook.com,Facebook, Inc.,US,2014-02-28,2015-04-13
150.101.195.212,*.google.com,Google Inc,US,2014-05-07,2014-08-05
74.125.237.149,mail.google.com,Google Inc,US,2014-05-07,2014-08-05
98.139.183.24,www.yahoo.com,Yahoo Inc.,US,2014-04-09,2015-04-09
198.35.26.96,*.wikipedia.org,Wikimedia Foundation, Inc.,US,2012-10-21,2016-01-20
199.59.148.82,twitter.com,Twitter, Inc.,US,2014-04-08,2016-05-09
216.52.242.80,www.linkedin.com,LinkedIn Corporation,US,2013-12-19,2016-12-30
98.136.189.41,*.login.yahoo.com,Yahoo Inc.,US,2014-04-08,2015-04-09
65.55.143.19,mail.live.com,Microsoft Corporation,US,2013-05-21,2015-05-22
150.101.195.216,*.google.com,Google Inc,US,2014-05-07,2014-08-05
150.101.195.227,*.google.com,Google Inc,US,2014-05-07,2014-08-05
119.160.243.163,search.yahoo.com,Yahoo Inc.,US,2014-04-08,2015-04-09
192.0.82.252,wordpress.com,Automattic, Inc.,US,2014-04-16,2016-04-16
204.79.197.200,*.bing.com,Microsoft Corporation,US,2014-05-20,2016-05-19
54.225.139.43,*.pinterest.com,Pinterest Inc,US,2014-04-09,2017-04-13
66.235.120.127,,,,,
150.101.195.249,*.google.com,Google Inc,US,2014-05-07,2014-08-05
65.55.206.228,,,,,
66.211.169.66,paypal.com,PayPal, Inc.,US,2013-01-09,2015-01-11
134.170.188.221,microsoft.com,,,2013-06-20,2015-06-20
17.172.224.47,apple.com,Apple Inc.,US,2012-11-13,2014-11-03
23.23.110.81,*.imgur.com,Imgur, Inc.,US,2013-06-25,2016-08-31
198.252.206.140,*.stackexchange.com,Stack Exchange, Inc.,US,2013-07-02,2016-07-06
68.71.220.3,,,,,

Here is the python script. The script is simple but it works, it should be pretty easy to read allowing modification to parse other NSE scripts and results from the Nmap XML output. There are many ways to parse XML data, the xml.dom method used here seems to be one of the more straightforward for parsing the Nmap XML. Another option could include using ElementTree, or even using xmlstarlet in bash as seen on this stack.exchange post.

#!/usr/bin/env python
import xml.dom.minidom
import sys
import getopt
try: 
    scandata = sys.argv[1]
except:
    print "*** You need to supply an Nmap XML file ***"
if scandata:
    doc = xml.dom.minidom.parse(scandata)
    output = []
    for host in doc.getElementsByTagName("host"):
        ip = ''
        commonName = ''
        organizationName = ''
        countryName = ''
        notBefore = ''
        notAfter = ''
        addresses = host.getElementsByTagName("address")
        ip = addresses[0].getAttribute("addr")                         # Get IP address from addr element 
        scripts = host.getElementsByTagName("script")
        for script in scripts:
              for elem in script.getElementsByTagName("elem"):         # Get cert details for each target 
                 try:
                    if elem.getAttribute("key") == 'commonName':
                       if commonName == '':                            # Only get the first commonName 
                           commonName =  elem.childNodes[0].nodeValue
                 except:
                    pass
                 try:
                    if elem.getAttribute("key") == 'organizationName':
                       if organizationName == '': 
                           organizationName =  elem.childNodes[0].nodeValue
                 except:
                    pass
                 try:
                    if elem.getAttribute("key") == 'countryName':
                       countryName =  elem.childNodes[0].nodeValue
                 except:
                    pass
                 try:
                    if elem.getAttribute("key") == 'notBefore':
                       notBefore =  elem.childNodes[0].nodeValue
                       notBefore = notBefore.split('T')[0]
                 except:
                    pass
                 try:
                    if elem.getAttribute("key") == 'notAfter':
                       notAfter =  elem.childNodes[0].nodeValue
                       notAfter = notAfter.split('T')[0]
                 except:
                    pass
        output.append(ip + ',' + commonName + ',' + organizationName + ',' + countryName + ',' + notBefore + ',' + notAfter)
    for i in output:
        print i
Wait. There's more. Additional Nmap resources and tips are just a click away or check out the hosted vulnerability scanners

The post Parse Nmap XML to get SSL Certificate details appeared first on Online Vulnerability Scanners | HackerTarget.com.

]]>
https://hackertarget.com/parse-nmap-xml-ssl-certificate/feed/ 0
List all IPs in Subnet with Nmap https://hackertarget.com/list-all-ips-in-subnet-with-nmap/ https://hackertarget.com/list-all-ips-in-subnet-with-nmap/#comments Sat, 17 May 2014 14:41:46 +0000 http://hackertarget.com/?p=6333 testsystem:~$ nmap -sL -n 192.168.1.0/30 Starting Nmap 6.25 ( http://nmap.org ) at 2014-05-17 23:33 EST Nmap scan report for 192.168.1.0 Nmap scan report for 192.168.1.1 Nmap scan report for 192.168.1.2 Nmap scan report for 192.168.1.3 Nmap done: 4 IP addresses (0 hosts up) scanned in 0.00 seconds In the second example the results are piped […]

The post List all IPs in Subnet with Nmap appeared first on Online Vulnerability Scanners | HackerTarget.com.

]]>
Nmap has a handy feature that allows you to list all IP addresses in a subnet. The option -sL will list all IP's that are the targets on an Nmap command line.

Multiple subnets can be listed as targets for Nmap, so you can for example list 3 subnets as targets to Nmap and using the -sL parameter we will get a list of IPs for all listed subnets.

Another relevant parameter is whether you want a reverse DNS lookup performed on each of the IP addresses being listed. Use the -n option to force no dns lookups.

In this example we have listed the IP addresses in the target subnet with no reverse DNS lookups.

More Nmap Tips to get the most of out of this powerful tool.

Nmap Tips

testsystem:~$ nmap -sL -n 192.168.1.0/30

Starting Nmap 6.25 ( http://nmap.org ) at 2014-05-17 23:33 EST
Nmap scan report for 192.168.1.0
Nmap scan report for 192.168.1.1
Nmap scan report for 192.168.1.2
Nmap scan report for 192.168.1.3
Nmap done: 4 IP addresses (0 hosts up) scanned in 0.00 seconds

In the second example the results are piped through grep and cut to extract just the IP addresses we wanted in our list. Additionally a second target range has been added to the target list. The target list can contain hostnames, IP addresses, subnets or a range of IPs such as 192.168.1.1-5.

testsystem:~$ nmap -sL -n 192.168.2.1/32, 192.168.1.0/30 | grep 'Nmap scan report for' | cut -f 5 -d ' '
192.168.2.1
192.168.1.0
192.168.1.1
192.168.1.2
192.168.1.3

Want to list 4 billion IP addresses? Use the very same command to list all possible IPv4 addresses target 0.0.0.0/0.

testsystem:~$ nmap -sL -n 0.0.0.0/0 | grep 'Nmap scan report for' | cut -f 5 -d ' '
0.0.0.0
0.0.0.1
0.0.0.2
0.0.0.3
0.0.0.4
***** ctrl-c, listing all IP addresses will waste a lot of pixels ******

The commands in the above examples send no packets to the target systems, Nmap is simply listing the IP addresses in the subnet. If we however do not use the -n the command will attempt to resolve each IP address, this will take longer and will send dns queries.

Further targeting parameters that may be of use;

  • When selecting a large range of targets you may wish to specifically exclude some IP addresses. For example you could scan a subnet and use the --exclude parameter to not scan an IP within that range.
  • Use a dns server that is different than the default to perform reverse dns lookups --dns-server.
  • Select targets from a file using the -iL option. You can use a file containing a list of IP addresses, subnets and hostnames, one per line to feed into Nmap. From this file we could create a full list of all IP addresses.
Our hosted version of Nmap allows you to scan for open ports on any Internet facing IP address. Let us do the management for you.

The post List all IPs in Subnet with Nmap appeared first on Online Vulnerability Scanners | HackerTarget.com.

]]>
https://hackertarget.com/list-all-ips-in-subnet-with-nmap/feed/ 0
Install OpenVAS 7 on Ubuntu 14.04 https://hackertarget.com/install-openvas-7-ubuntu/ https://hackertarget.com/install-openvas-7-ubuntu/#comments Fri, 09 May 2014 16:14:10 +0000 http://hackertarget.com/?p=6237 Get started with OpenVAS version 7 with this straight forward installation guide. Ubuntu 14.04 is a LTS release meaning it is a good option for any server including an OpenVAS vulnerability scanning server. A nice change in the latest version of OpenVAS is the simplification of the structure. There are now four components that make […]

The post Install OpenVAS 7 on Ubuntu 14.04 appeared first on Online Vulnerability Scanners | HackerTarget.com.

]]>
Get started with OpenVAS version 7 with this straight forward installation guide. Ubuntu 14.04 is a LTS release meaning it is a good option for any server including an OpenVAS vulnerability scanning server.

A nice change in the latest version of OpenVAS is the simplification of the structure. There are now four components that make up the solution.



All the components rely on having the OpenVAS libraries installed correctly. So that is the first item that will be installed after we use apt-get install to prepare the system for installation. The procedure below builds OpenVAS 7 from source.

OpenVAS Source Installation Steps

First we need to download and extract the required source files for OpenVAS.

mkdir openvas-src
cd openvas-src/
wget http://wald.intevation.org/frs/download.php/1638/openvas-libraries-7.0.1.tar.gz
wget http://wald.intevation.org/frs/download.php/1640/openvas-scanner-4.0.1.tar.gz
wget http://wald.intevation.org/frs/download.php/1637/openvas-manager-5.0.0.tar.gz
wget http://wald.intevation.org/frs/download.php/1639/greenbone-security-assistant-5.0.0.tar.gz
wget http://wald.intevation.org/frs/download.php/1633/openvas-cli-1.3.0.tar.gz
tar zxvf openvas-{component}.tar.gz

Next step is to install the Ubuntu 14.04 packages that will allow us to compile the code.

apt-get install build-essential bison flex cmake pkg-config libglib libglib2.0-dev libgnutls libgnutls-dev libpcap libpcap0.8-dev libgpgme11 libgpgme11-dev doxygen libuuid1 uuid-dev sqlfairy xmltoman sqlite3 libxml2-dev libxslt1.1 libxslt1-dev xsltproc libmicrohttpd-dev

With necessary packages installed we can move on to compiling and installing the different OpenVAS components. Enter each of the components directories and perform the following steps. The order should not matter as long as openvas-libraries-7.0.1 is installed correctly.

cd {component}
mkdir source
cd source
cmake ..
make
make install

Now we are getting close, a few more steps and you will be able login to the OpenVAS scanner and start testing your system.

openvas-mkcert
ldconfig
openvassd

Check that openvassd has started correctly and is running.

ps -ef | grep openvas

Lets sync NVT plugins and the vulnerability data.

openvas-nvt-sync
openvas-scapdata-sync
openvas-certdata-sync

Nearly there! Create a user account and client certificate.

openvasmd --create-user=admin --role=Admin
openvas-mkcert-client -n -i

Start All the Things! Note you can run the Greenbone Security Assistant Client with gsad --http-only to run it without SSL support, however clear text protocols are for wimps so get on the HTTPS. Then check you have openvassd / openvasmd / gsad running.

openvasmd --rebuild --progress
openvasmd
gsad

ps -ef | grep openvas

And confirm each component is listening on its port.

netstat -anp | grep LISTEN

tcp        0      0 0.0.0.0:9390            0.0.0.0:*               LISTEN      3067/openvasmd  
tcp        0      0 0.0.0.0:9391            0.0.0.0:*               LISTEN      2453/openvassd: Waiting
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2772/sshd       
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      3070/gsad

The Web Console

Now that we have OpenVAS up and running its time to look at the web console. From the netstat -anp above we can see that gsad is running on port 443. Loading up a browser we can simply go to HTTPS on the IP of our server.

Our hosted version of OpenVAS allows you to scan for vulnerabilities on any Internet facing IP address. We do the management for you.

The post Install OpenVAS 7 on Ubuntu 14.04 appeared first on Online Vulnerability Scanners | HackerTarget.com.

]]>
https://hackertarget.com/install-openvas-7-ubuntu/feed/ 10
Testing Heartbleed with the Nmap NSE script https://hackertarget.com/testing-heartbleed-with-the-nmap-nse-script/ https://hackertarget.com/testing-heartbleed-with-the-nmap-nse-script/#comments Thu, 10 Apr 2014 15:03:14 +0000 http://hackertarget.com/?p=5906 Everywhere is buzzing with news of the Heartbleed vulnerability in OpenSSL. If you are living under a rock and have missed it just turn on the mainstream news. Not that you will get much detail there... this is a quick tutorial to show you how to test for the vulnerability using a handy Nmap NSE […]

The post Testing Heartbleed with the Nmap NSE script appeared first on Online Vulnerability Scanners | HackerTarget.com.

]]>
Everywhere is buzzing with news of the Heartbleed vulnerability in OpenSSL. If you are living under a rock and have missed it just turn on the mainstream news. Not that you will get much detail there... this is a quick tutorial to show you how to test for the vulnerability using a handy Nmap NSE script (ssl-heartbleed.nse).

First you will need a working version of Nmap (at least version 6.25), this is not difficult to find or install. So lets jump ahead to running an NSE Script to detect the Heartbleed vulnerability.

Update: The latest version of Nmap (6.45 released 14/04/14) has the ssl-heartbleed.nse script included, no need to download it separately.

Download the NSE (ssl-heartbleed.nse) script and the tls.lua library that is required:

ssl-heartbleed.nse tls.lua

Now place the tls.lua in the nselib directory on the system you are running Nmap on. Now keep in mind I have not tested this on Windows, only Ubuntu Linux, however it should just be a matter of dropping it in the nselib folder (C:\program files\nmap\nselib).

Running the actual ssl-heartbleed.nse script is simply a matter of referencing it as a parameter to the Nmap command.

nmap -sV -p 443 --script=ssl-heartbleed.nse 192.168.1.1

It really is as simple as that, point to the nse script with the --script= and you are cooking! Even better because this is using Nmap we can scan entire ranges of IP addresses for the vulnerability.

Here is an example of a test against one of my local systems that was running a vulnerable version of OpenVPN-AS.

Nmap scan report for mediacentre (192.168.1.5)
Host is up (0.0059s latency).
Not shown: 992 closed ports
PORT     STATE SERVICE     VERSION
443/tcp  open  ssl         OpenSSL (SSLv3)
| ssl-heartbleed: 
|   VULNERABLE:
|   The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. It allows for stealing information intended to be protected by SSL/TLS encryption.
|     State: VULNERABLE
|     Risk factor: High
|     Description:
|       OpenSSL versions 1.0.1 and 1.0.2-beta releases (including 1.0.1f and 1.0.2-beta1) of OpenSSL are affected by the Heartbleed bug. The bug allows for reading memory of systems protected by the vulnerable OpenSSL versions and could allow for disclosure of otherwise encrypted confidential information as well as the encryption keys themselves.
|           
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
|       http://www.openssl.org/news/secadv_20140407.txt 
|_      http://cvedetails.com/cve/2014-0160/
Service Info: Host:  firefly003; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Not good looks to be well and truly vulnerable, OpenVPN had advised that upgrades are required, so it was a matter of a quick dpkg -i to upgrade the OpenVPN-AS server on my home network. Now lets try again with another test.

Nmap scan report for mediacentre (192.168.1.5)
Host is up (0.0011s latency).
PORT    STATE SERVICE VERSION
443/tcp open  ssl     OpenSSL (SSLv3)

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.24 seconds

Looks good to me, upgrade successful . For access, a HackerTarget.com membership is all that is required to use the hosted SSL Check. With a current membership additional testing can be undertaken with our OpenVAS scan option that also has a signature for detecting the Heartbleed bug.

The post Testing Heartbleed with the Nmap NSE script appeared first on Online Vulnerability Scanners | HackerTarget.com.

]]>
https://hackertarget.com/testing-heartbleed-with-the-nmap-nse-script/feed/ 15
Remote access granted https://hackertarget.com/remote-access-granted/ https://hackertarget.com/remote-access-granted/#comments Tue, 26 Nov 2013 12:41:34 +0000 http://hackertarget.com/?p=5479 In the beginning there were Google Dorks, by entering specific search queries into Google you can still find thousands of unsecured remotely accessible security cameras and printers. Want to print 500 copies of your butt on a random printer on the other side of the world? This was and still is an entirely feasible party […]

The post Remote access granted appeared first on Online Vulnerability Scanners | HackerTarget.com.

]]>
In the beginning there were Google Dorks, by entering specific search queries into Google you can still find thousands of unsecured remotely accessible security cameras and printers. Want to print 500 copies of your butt on a random printer on the other side of the world? This was and still is an entirely feasible party trick (note this might get you in trouble, so keep your pants on). Making random printouts is probably the least intrusive example of what can be achieved with these poorly secured devices.

Shodan the Google of network services

Things started to heat up when John Matherly released the Shodan Search Tool. In 2009 John started indexing Internet service banners across the net and made the data available at ShodanHQ. It is now commonly known as the Google of network services, and has made numerous appearances in mainstream media such as CNN and Forbes.

Internet Census 2012

2012 saw the release of the Internet Census, an unknown researcher created a botnet that scanned the entire IPv4 address space - he or she then published the results online. Note that this project was audacious and very much illegal due to the fact that it utilized exploited routers in order to perform the port scanning.

Zmap and Masscan

Zmap was released a few months later by a team of computer scientists at the University of Michigan. The Zmap port scanning tool can scan the entire Internet in 45 minutes (IPv4 address space). You will need a big fat uplink and a fast network card but that is pretty damn quick. Yet another extremely fast port scanner was released soon after known as Masscan.

Project Sonar

Project Sonar was the next big project in the timeline launched by HDMoore of Metasploit fame. At Scans.io the results of Internet scanning from HDMoore's critical.io scanning project, and datasets from the Zmap project have been made available on line for researchers to explore.

VNC pwnage

Most recently a security researcher has scanned a specific TCP port across the IPv4 address space and taken a screenshot of VNC (remote control software) services that have no password. In 16 minutes he found 30000 systems with no password, and some of those systems included 2 hydroelectric plants and surveillance cameras at a casino in the Czech Republic.

Now go Port Scan your Internet facing networks

As seen from the projects, data and articles linked above, all too often networks go untested for services that should not be there or at least not be accessible from anywhere in the world over the Internet.

Here are three steps that will help you stay secure and it might even just make the world a safer place:

1. Port Scan your Internet facing IP addresses with Nmap

  • Nmap is simply the best tool for performing a port scan. You can download Nmap and install it on your operating system of choice.
  • Keep in mind that you want to perform the testing from an external IP address to the network you are testing.
  • Know your network ranges, keep a list of all IP ranges and systems you manage. Ensure all networks and systems are tested.

2. Firewall, block or restrict access to services that should not be accessible from the Internet

  • Make the necessary changes and get it fixed.
  • Implement a change control process for firewall changes and systems on the perimeter.

3. Schedule the port scan to be performed on a regular basis

  • Select a schedule based on your risk model, perhaps weekly, daily or monthly.
  • Changes to the network occur all the time; when new devices are added; changes are made to existing devices; firewall rules are modified; when a change occurs mistakes will happen.
  • Nmap has a tool called ndiff that allows you to compare two port scans, this is handy tool for scripting regular port scans from a VPS or off site location.

Regular port scans are simple to implement and can be incorporated with other regular security tasks. Start now before someone on the other side of the world starts abusing your printer or turns up the heat in your building.

The post Remote access granted appeared first on Online Vulnerability Scanners | HackerTarget.com.

]]>
https://hackertarget.com/remote-access-granted/feed/ 0