How to dominate a country

An analysis of the Portuguese internet's exposure to cyber-attacks
WHAT are you ?
We are:
• Security Researchers
• Security enthusiasts
• Students, corporate sheep (read: auditors), programmers, pentesters

We are not:
• Lulzsec
• Anonymous
• A hacking group
• And no, we won't help you hack your girlfriend's Facebook!
Who are you ?
• Tiago Henriques
    • Team founder @ PTCoreSec
    • Pentester/Researcher @ 7Elements
    • @Balgan
• Tiago Martins
    • Team vice-founder @ PTCoreSec
    • Researcher
    • @Gank_101
• Filipe Reis
    • Programmer @ PTCoreSec
    • Intern @ Layer8
    • @fjdreis
• Jean Figueiredo
    • Network security researcher @ PTCoreSec
    • Netsec admin @ Tecnocom
    • @klinzter
Who are you ? @balgan

• Tiago Henriques
• 24
• BSc Software Engineering – University of Brighton
• MSc by Research Computer Security and Forensics – University of Bedfordshire
• Started a PhD but decided to drop out and go work in the industry...
• CEH
• CHFI
• Team founder @ PTCoreSec
• Currently a Pentester/Researcher @ 7Elements
• @Balgan
Who are you ?
Topics
We are NOT RESPONSIBLE FOR ANY ILLEGAL ACTS OR ACTIONS PRACTICED BY YOU OR ANYONE THAT LEARNS SOMETHING FROM TODAY'S PRESENTATION.
Causing Chaos.
Q: If you guys were an attacker out to cause real damage or make a profit, how would you go about it?
A: This is what we would do: control as many machines in that country as possible, penetrate critical systems and get as much intel/info as possible.
Causing Chaos.
And that's what we are gonna talk about today!
How it all got started

We're hackers! We love knowing how to break things and how others would go about breaking things!

The difference between us and others is simple:

• We want to break things legally and find a way to fix them.
• We want to learn about new things and help people.
PORT SCANNING….
How it all got started
We saw some talks that really inspired us given by two great
people
    HD Moore                                 Fyodor
However…
We also ran into a bit of a problem…


Portscanning might or might not be illegal in Portugal!

No one is actually sure, and we talked with multiple people:
   • Police
   • Sysadmins
   • Researchers
   • Security professionals
What to do ?
• So, if you can't port scan, how do you find out what your enemies' attack surface is?

• How do you find out if the entire infrastructure you rely on every day is vulnerable or safe?

• Security by obscurity? Right, that works well….
What to do ?

• We went and did the port scans, in passive mode; no system was penetrated in any way whatsoever.

• We did it slowly, and with plenty of time between scans, so as not to cause any DoS issues.
Port scanning

• Tools of the trade:
   • Nmap
   • Wkhtmltoimage
   • Python
   • Scapy
   • Linux
   • NodeJS
   • MongoDB
   • C
   • Redbull + Lots of nights awake +
     Frustration
Port scanning - Process

1. Get Portugal CIDRs

2. Decide on a set of services you consider important

3. Check which IPs have those ports open (actual scanning)

4. Check versions running of those services (actual scanning)
Port scanning - Process
1. Get Portugal's CIDRs
There are two places where you can get these:

   • http://software77.net/geo-ip/

   • ftp://ftp.ripe.net/pub/stats/ripencc/delegated-ripencc-latest

A sample of the Portuguese CIDRs obtained (three columns, sorted top to bottom):
      2.80.0.0/14           62.48.192.0/18       81.90.48.0/20
      5.43.0.0/18           62.169.64.0/18       81.92.192.0/20
      5.44.192.0/20         62.249.0.0/19        81.92.208.0/20
      5.158.0.0/18          77.54.0.0/16         81.193.0.0/16
      5.159.216.0/21        77.91.200.0/21       82.102.0.0/18
      5.172.144.0/21        78.29.128.0/18       82.154.0.0/15
      31.22.128.0/17        78.130.0.0/17        83.132.0.0/16
      37.28.192.0/18        78.137.192.0/18      83.144.128.0/18
      37.189.0.0/16         79.168.0.0/15        83.174.0.0/18
      46.50.0.0/17          80.172.0.0/16        83.223.160.0/19
      46.182.32.0/21        80.243.80.0/20       83.240.128.0/17
      46.189.128.0/17       81.20.240.0/20       84.18.224.0/19
      62.28.0.0/16          81.84.0.0/16         84.23.192.0/19
      62.48.128.0/18        81.90.48.0/20        84.90.0.0/15
Port scanning - Process
2. Decide on a set of services you consider important

ID   Port   TCP/UDP   Service
 1      80  TCP       http
 2     443  TCP       https
 3    8080  TCP       http alternative
 4      21  TCP       FTP
 5      22  TCP       SSH
 6      23  TCP       Telnet
 7      53  UDP       DNS
 8     445  TCP       Samba
 9     139  TCP       Samba
10     161  UDP       SNMP
11    1900  UDP       UPNP
12    2869  TCP       UPNP
13    5353  UDP       MDNS
14     137  TCP       Netbios
15      25  TCP       SMTP
16     110  TCP       POP3
17     143  TCP       IMAP
18    3306  TCP       Mysql
19    5900  TCP       VNC Server
20   17185  UDP       VoIP
21    3389  TCP       Rdesktop
22    8082  TCP       TR 069
Port scanning - Process
3. Check which IPs have those ports open

4. Check versions running of those services

                 This is where it gets tricky!
Port scanning - Process
• Portugal on the internet….
   • 5,822,240 allocated IPs
   • Dynamic IPs
   • GPRS
Port scanning - Process
• So as we mentioned, we divided the actual scanning into two parts! And you might be wondering why…
  Common nmap scan for TCP:

nmap -iL ipswithftp -oA port21-FTP-with-Services -sS -sV -p21 -T5 -PN

  The problem with this is that DNS resolution and -sV (service detection) are very slow.

  So how do we solve this problem? We obviously want the domains the IPs are associated with, and the versions of the services running.
Port scanning - Process
• Do the fast things on the 6 million IPs and then do the slow stuff only on the IPs that are running the service we want to analyse.
     • nmap -iL CIDRSPT.txt -oA port21-FTP -sS -p21 -T5 -PN --host-timeout 1501 --min-hostgroup 400 --min-parallelism 10 -n
• Then we will have the list of IPs that have FTP running on port 21 in 3 files:
           • Port21-FTP.xml
           • Port21-FTP.gnmap
           • Port21-FTP.nmap
• Extract IPs from gnmap:
       cat port21-FTP.gnmap | grep -w "21/open" | awk '{print $2}' > IPSWITHFTP.TXT
Port scanning - Process
• Do the slow things only on the IPs that have our service running.

    • nmap -iL IPSWITHFTP.txt -oA port21-FTP-FINAL -sV -p21 -T5 -PN --host-timeout 1501 --min-hostgroup 400 --min-parallelism 10
• Then we will have the list of IPs that have FTP running on port 21 AND the version of those services in 3 files:
         • Port21-FTP-FINAL.xml
         • Port21-FTP-FINAL.gnmap
         • Port21-FTP-FINAL.nmap
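The two-pass process above (a fast -sS sweep, then -sV only on the hits) hinges on pulling the right IPs out of the grepable output. As an added example, not PTCoreSec's code, here is a small Python parser for the .gnmap format that does what the grep/awk one-liner does, checks the protocol as well as the port number, and tallies the version strings the second pass reports. The gnmap lines below are constructed samples, not real scan output.

```python
"""Parse nmap grepable output (.gnmap): list the hosts with a given port open
(what the grep/awk line does) and count the versions a -sV pass reported.

Added example, not PTCoreSec's code. The gnmap text below is constructed."""
import re
from collections import namedtuple

PortEntry = namedtuple("PortEntry", "port state proto service version")

# A host line:  Host: 2.80.1.1 ()<TAB>Ports: 21/open/tcp//ftp///<TAB>Ignored State: closed (0)
# Each Ports: item is  port/state/proto/owner/service/rpc/version/  and items are ", "-separated.
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s*(.*)$")
PORTS_RE = re.compile(r"Ports:\s+(.*?)(?:\s+Ignored State:.*)?$")


def parse_gnmap(text):
    """Return {ip: [PortEntry, ...]} for every Host: line that carries a Ports: field."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # "# Nmap ..." comment lines and blanks
        ip, rest = m.group(1), m.group(3)
        pm = PORTS_RE.search(rest)
        if not pm:
            continue  # "Status: Up" lines carry no port data
        entries = hosts.setdefault(ip, [])
        for item in pm.group(1).split(", "):
            fields = item.split("/")
            if len(fields) < 7:
                continue  # malformed item: skip it rather than abort a 6-million-host file
            port, state, proto, _owner, service, _rpc, version = fields[:7]
            entries.append(PortEntry(int(port), state, proto, service, version))
    return hosts


def _ip_key(ip):
    return tuple(int(octet) for octet in ip.split("."))


def hosts_with_open_port(text, port, proto="tcp"):
    """Same job as `grep -w "21/open" | awk '{print $2}'`, but the protocol is
    checked too, so a UDP result for the same port number cannot slip into the TCP list."""
    hosts = parse_gnmap(text)
    return sorted(
        (ip for ip, entries in hosts.items()
         if any(e.port == port and e.proto == proto and e.state == "open" for e in entries)),
        key=_ip_key,
    )


def version_summary(text, port, proto="tcp"):
    """Count the version strings -sV reported for an open port; hosts where nmap
    got no usable banner are grouped under 'unknown'."""
    counts = {}
    for entries in parse_gnmap(text).values():
        for e in entries:
            if e.port == port and e.proto == proto and e.state == "open":
                key = e.version or "unknown"
                counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample of the first pass (-sS -p21 -n): port state only, no versions.
PHASE1 = """\
# Nmap scan initiated as: nmap -iL CIDRSPT.txt -oA port21-FTP -sS -p21 -T5 -PN -n
Host: 2.80.1.1 ()\tStatus: Up
Host: 2.80.1.1 ()\tPorts: 21/open/tcp//ftp///
Host: 2.80.1.2 ()\tPorts: 21/closed/tcp//ftp///
Host: 2.80.1.10 ()\tPorts: 21/open/tcp//ftp///\tIgnored State: closed (0)
Host: 2.80.1.3 ()\tPorts: 21/filtered/tcp//ftp///
# Nmap done -- 4 IP addresses (4 hosts up) scanned in 1.00 seconds
"""

# Constructed sample of the second pass (-sV) run only against the hosts found above.
PHASE2 = """\
Host: 2.80.1.1 ()\tPorts: 21/open/tcp//ftp//vsftpd 2.0.8 or later/
Host: 2.80.1.10 ()\tPorts: 21/open/tcp//ftp//ProFTPD 1.3.3/
Host: 2.80.1.11 ()\tPorts: 21/open/tcp//ftp///
"""

if __name__ == "__main__":
    print("hosts to feed into the -sV pass:", hosts_with_open_port(PHASE1, 21))
    print("FTP versions:", version_summary(PHASE2, 21))
```

Keeping the protocol in the filter matters once UDP scans of the same port number are stored next to the TCP ones: `grep -w "21/open"` matches `21/open/udp` just as happily as `21/open/tcp`.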
Port scanning - Process
• However…we still have UDP… and let me tell you….
Port scanning - Process
Nmap also has a UDP mode (-sU); however, it doesn't work very well without -sV (read: it's shit!). When testing it in our lab we noticed that most of the time nmap wasn't able to detect whether there was a service running or not.

The reason for this is: "UDP scanning is slow as open/filtered ports typically don't respond so nmap has to time out and then retransmit whilst closed ports will send an ICMP port unreachable error, which systems typically rate limit."

When we started, it took us around 4 weeks to scan UDP on the entire country on 1 port….
Port scanning - Process
Solution ?

SCAPY!

[diagram: a client probing a server with a service running on port 11111]
Port scanning - Process
Result of that script ?
On lab testing….
Port scanning - Process
Result of that script ?
On internet testing….
Port scanning - Process
When we started, it took us around 4+ weeks to scan UDP on the entire country on 1 port using Nmap…. We took this as a baseline first run to improve on…

Our second run, we used python+scapy and it went down!!
1 week – well, not bad for a second run, but 1 week for a port?

Our third run, we used python + multithreading fu + scapy + blackmamba – 3 days – and this was the best we brought it down to without bringing in the big guns (read: "asking HD Moore for help").

Fourth run – C

Yup, entire .pt (1 port) scanned in 4 minutes and 45 seconds.
Port scanning - Process
So... At this point we can do UDP in 5 minutes. As you can guess... We now love UDP
scanning again...

Our next objective became to speed up our TCP scanning. For you to understand what we did you need first to understand how nmap works:

[chart: packets per second, Nmap; y-axis 0 to 25000 packets per second, x-axis time 1 to 21]
Port scanning - Process
What we did is write our own TCP scanner. And the result is the following:

[chart: packets per second, PTCoreSecTCP; same axes as the Nmap chart, 0 to 25000 packets per second over time 1 to 21]
Port scanning - End


So we had our kick ass friends send us our kick ass raw results… now what do we do with them?
Port scanning - End
Terminals are fun, BUT we want an easier
way to look at our data…

So…. We wrote a tool:

PTCoreSec Command Center!
First version
Second version
Third version
Fourth version – Current Stable
Fifth version – Currently Under development
Port scanning - Demo

 DEMO TIME!
Port scanning – The project

While we were preparing for
codebits…

We received something in
the mail….
Port scanning – The project
         Raspi
Port scanning – The project

And it got us thinking…
Port scanning, doesn’t
require a great CPU, nor
a huge amount of ram…
Port scanning – The project


So we decided to create a
distributed port scanning
project…
Port scanning – The project
    We grabbed the


And added a custom set of
scripts to it…
Port scanning – The project
Port scanning – How does it work?

       Step 1 – PTCoreSec admins request a job (scan) on the backend.

       Step 2 – Server side checks the current number of live raspi minions.

       Step 3 – Server divides the CIDRs among the different clients and sends them over.

       Step 4 – Clients (minions) do the scans and send them back to the server over XMLRPC.

       Step 5 – Server imports these scans into the MongoDB backend.
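Step 3 is a scheduling problem: the CIDR blocks differ in size by orders of magnitude (a /14 next to a /21 in the list earlier in the deck), so handing whole blocks round-robin to the minions would leave one Raspberry Pi scanning for days while the others sit idle. The slides do not say how the server splits the list; what follows is an added Python example, not PTCoreSec's code, using one reasonable approach (cut big blocks into /20 units, then greedy largest-first assignment to the least-loaded minion). The five CIDRs are taken from the list in the deck.

```python
"""Split a country's CIDR list into balanced per-minion jobs, the way step 3
above describes the server handing work to the live Raspberry Pi clients.

Added example, not PTCoreSec's code; the page does not say how their server
divides the CIDRs, so the greedy split below is an assumption."""
import ipaddress


def expand_to_prefix(cidrs, max_prefix=20):
    """Cut blocks larger than /max_prefix into /max_prefix pieces so that one
    huge allocation (a /14 is 256 times a /22) cannot become a single
    indivisible job on one minion."""
    units = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.prefixlen < max_prefix:
            units.extend(net.subnets(new_prefix=max_prefix))
        else:
            units.append(net)
    return units


def assign_jobs(cidrs, live_minions, max_prefix=20):
    """Return (jobs, loads): jobs[i] is the list of CIDR strings for minion i,
    loads[i] the number of addresses it was given. Units go largest first,
    each onto the minion with the smallest load so far (greedy LPT)."""
    if live_minions < 1:
        raise ValueError("no live minions: nothing to hand the job to")
    units = sorted(expand_to_prefix(cidrs, max_prefix),
                   key=lambda n: n.num_addresses, reverse=True)
    jobs = [[] for _ in range(live_minions)]
    loads = [0] * live_minions
    for net in units:
        i = loads.index(min(loads))
        jobs[i].append(str(net))
        loads[i] += net.num_addresses
    return jobs, loads


def covers_everything(cidrs, jobs, max_prefix=20):
    """Sanity check before dispatch: the union of all jobs must equal the input,
    with no block lost and none scanned twice."""
    wanted = sorted(str(n) for n in expand_to_prefix(cidrs, max_prefix))
    got = sorted(c for job in jobs for c in job)
    return wanted == got


# First five blocks of the slide's Portuguese CIDR list.
SAMPLE_CIDRS = ["2.80.0.0/14", "5.43.0.0/18", "5.44.192.0/20",
                "5.158.0.0/18", "5.159.216.0/21"]

if __name__ == "__main__":
    jobs, loads = assign_jobs(SAMPLE_CIDRS, live_minions=3)
    for i, (job, load) in enumerate(zip(jobs, loads)):
        print(f"minion {i}: {len(job)} blocks, {load} addresses")
    print("complete:", covers_everything(SAMPLE_CIDRS, jobs))
```

With three minions the 301,056 addresses in the five sample blocks land as 102,400 / 100,352 / 98,304, i.e. within one /20 of each other, which is the best the unit size allows; a smaller max_prefix gives finer balance at the cost of more job records to track.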
Part 2
Business



When a client asks for a pentest
We present them with these
Business
Business
Business
Business
And that's all really neat and pretty, however there are 2 problems with that! These guys don't give a f***.

     Management              Blackhats
Management
Cares about:
               • Money
               • Money
               • Money

Does:
               • Will lie for PCI DSS/ISO27001/{Compliance}
               • Approves every single thing even if it doesn't match security department goals but gets them moneys.

This gives us, security peeps, headaches!
I ask ONLY ONE thing of you
Leave your whitehats at home, and
SHODAN


SHODAN is a search engine that lets you find specific computers
(routers, servers, etc.) using a variety of filters. Some have also described it as
a public port scan directory or a search engine of banners.




  Another way of putting it would be: [image slides]
Now combine this: [image] with these: [image], and you get a lot of these: [image]
Also if you do anything illegal and get caught, you'll get one of these: [image]
SHODAN

Now is when you ask
Shodan


http://www.shodanhq.com/
SHODAN
Accessing that website will give you a search bar, where you can type queries and obtain results.

Your queries can ask for ports, countries, strings contained in the banners, and all sorts of other things.




Following is a sample set of queries that can lead to some interesting
results:
SHODAN QUERIES

•   http://www.shodanhq.com/?q=cisco-IOS
•   http://www.shodanhq.com/?q=IIS+4.0
•   http://www.shodanhq.com/?q=Xerver
•   http://www.shodanhq.com/?q=Fuji+xerox
•   http://www.shodanhq.com/?q=JetDirect
•   http://www.shodanhq.com/?q=Netgear
•   http://www.shodanhq.com/?q=%22Anonymous+access+allowed%22
•   http://www.shodanhq.com/?q=Golden+FTP+Server
SHODAN QUERIES + combined country?
           Awesome!


        Saturday, 9th
        of June 2012
SHODAN QUERIES + combined country
      Port: 3306 country:PT
SHODAN QUERIES + combined country?
           Awesome!

        Wednesday, 6th of June 2012
SHODAN QUERIES + combined country
        BigIP country:PT
SHODAN QUERIES + combined country?
           Awesome!

        Tuesday, March 13, 2012
SHODAN QUERIES + combined country
  port:3389 -allowed country:PT
SHODAN QUERIES + combined country?
           Awesome!
SHODAN QUERIES OF AWESOMENESS
                SAP Web Application Server (ICM)


     Worldwide




     Portugal
SHODAN QUERIES OF AWESOMENESS
                SAP NetWeaver Application Server


     Worldwide




     Portugal
SHODAN QUERIES OF AWESOMENESS
                SAP Web Application Server


     Worldwide




     Portugal
SHODAN QUERIES OF AWESOMENESS
                 SAP J2EE Engine


     Worldwide




     Portugal
SHODAN QUERIES OF AWESOMENESS
                 port:23 country:PT


     Worldwide




     Portugal
SHODAN QUERIES OF AWESOMENESS
          port:23 country:PT




                               Username:admin
                               Password:smcadmin
SHODAN QUERIES OF AWESOMENESS
          port:23 list of built-in commands
        Worldwide




   Not a big number, however just telnet in and you get shell…
SHODAN QUERIES OF AWESOMENESS
                 port:161 country:PT


     Worldwide




     Portugal
SHODAN QUERIES OF AWESOMENESS
        What sort of info do I get with SNMP ?

•   Windows RUNNING PROCESSES 1.3.6.1.2.1.25.4.2.1.2
•   Windows INSTALLED SOFTWARE 1.3.6.1.2.1.25.6.3.1.2
•   Windows SYSTEM INFO 1.3.6.1.2.1.1.1
•   Windows HOSTNAME 1.3.6.1.2.1.1.5
•   Windows DOMAIN 1.3.6.1.4.1.77.1.4.1
•   Windows UPTIME 1.3.6.1.2.1.1.3
•   Windows USERS 1.3.6.1.4.1.77.1.2.25
•   Windows SHARES 1.3.6.1.4.1.77.1.2.27
•   Windows DISKS 1.3.6.1.2.1.25.2.3.1.3
•   Windows SERVICES 1.3.6.1.4.1.77.1.2.3.1.1
•   Windows LISTENING TCP PORTS 1.3.6.1.2.1.6.13.1.3.0.0.0.0
•   Windows LISTENING UDP PORTS 1.3.6.1.2.1.7.5.1.2.0.0.0.0
SHODAN QUERIES OF AWESOMENESS
        What sort of info do I get with SNMP ?

•   Linux RUNNING PROCESSES 1.3.6.1.2.1.25.4.2.1.2
•   Linux SYSTEM INFO 1.3.6.1.2.1.1.1
•   Linux HOSTNAME 1.3.6.1.2.1.1.5
•   Linux UPTIME 1.3.6.1.2.1.1.3
•   Linux MOUNTPOINTS 1.3.6.1.2.1.25.2.3.1.3
•   Linux RUNNING SOFTWARE PATHS 1.3.6.1.2.1.25.4.2.1.4
•   Linux LISTENING UDP PORTS 1.3.6.1.2.1.7.5.1.2.0.0.0.0
•   Linux LISTENING TCP PORTS 1.3.6.1.2.1.6.13.1.3.0.0.0.0
SHODAN QUERIES OF AWESOMENESS
        What sort of info do I get with SNMP ?
•   Cisco LAST TERMINAL USERS 1.3.6.1.4.1.9.9.43.1.1.6.1.8
•   Cisco INTERFACES 1.3.6.1.2.1.2.2.1.2
•   Cisco SYSTEM INFO 1.3.6.1.2.1.1.1
•   Cisco HOSTNAME 1.3.6.1.2.1.1.5
•   Cisco SNMP COMMUNITIES 1.3.6.1.6.3.12.1.3.1.4
•   Cisco UPTIME 1.3.6.1.2.1.1.3
•   Cisco IP ADDRESSES 1.3.6.1.2.1.4.20.1.1
•   Cisco INTERFACE DESCRIPTIONS 1.3.6.1.2.1.31.1.1.1.18
•   Cisco HARDWARE 1.3.6.1.2.1.47.1.1.1.1.2
•   Cisco TACACS SERVER 1.3.6.1.4.1.9.2.1.5
•   Cisco LOG MESSAGES 1.3.6.1.4.1.9.9.41.1.2.3.1.5
•   Cisco PROCESSES 1.3.6.1.4.1.9.9.109.1.2.1.1.2
•   Cisco SNMP TRAP SERVER 1.3.6.1.6.3.12.1.2.1.7
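The three OID lists above are what a guessable read-only community string hands out. Seen from the defender's side, the same lists make a useful audit and detection table: SNMP carries OIDs in BER on the wire, so to recognise a walk of the process table or the LanManager user list in a packet capture you first decode the OID bytes and then match them against these subtrees. The following is an added Python example, not PTCoreSec's code: the OID-to-label table is taken from the slides, the standard MIB names in three labels (sysDescr, sysUpTime, sysName) are my additions, and the sample request bytes are constructed here.

```python
"""Encode/decode the BER OBJECT IDENTIFIER type SNMP uses on the wire and
classify decoded OIDs against the information-disclosure subtrees listed above,
so a capture or a read-only community audit can flag requests for process
lists, users, shares or community strings.

Added example, not PTCoreSec's code. Table from the slides; sample bytes constructed."""


def encode_oid(dotted):
    """Return the TLV (tag 0x06) for a dotted OID. The first two arcs share one
    byte (40*a + b); each later arc is base-128, high bit set on all but its last byte."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid OID: " + dotted)
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += chunk
    if len(body) > 127:
        raise ValueError("long-form length not handled in this example")
    return bytes([0x06, len(body)]) + bytes(body)


def decode_oid(data, offset=0):
    """Decode one OID TLV at `offset`; return (dotted, offset_after_it)."""
    if data[offset] != 0x06:
        raise ValueError("not an OBJECT IDENTIFIER at offset %d" % offset)
    length = data[offset + 1]
    if length & 0x80:
        raise ValueError("long-form length not handled in this example")
    start, end = offset + 2, offset + 2 + length
    body = data[start:end]
    if len(body) != length or length == 0:
        raise ValueError("truncated OID")
    first_arc = min(body[0] // 40, 2)            # 2.x OIDs pack arcs >= 80 in the first byte
    arcs = [first_arc, body[0] - 40 * first_arc]
    value, pending = 0, False
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        pending = bool(b & 0x80)
        if not pending:
            arcs.append(value)
            value = 0
    if pending:
        raise ValueError("unterminated arc in OID")
    return ".".join(str(a) for a in arcs), end


# OID subtrees from the slides, with what a walk of each discloses.
SENSITIVE_SUBTREES = {
    "1.3.6.1.2.1.1.1": "system info (sysDescr)",
    "1.3.6.1.2.1.1.3": "uptime (sysUpTime)",
    "1.3.6.1.2.1.1.5": "hostname (sysName)",
    "1.3.6.1.2.1.25.4.2.1.2": "running processes",
    "1.3.6.1.2.1.25.4.2.1.4": "running software paths",
    "1.3.6.1.2.1.25.6.3.1.2": "installed software",
    "1.3.6.1.2.1.25.2.3.1.3": "disks / mount points",
    "1.3.6.1.2.1.6.13.1.3": "listening TCP ports",
    "1.3.6.1.2.1.7.5.1.2": "listening UDP ports",
    "1.3.6.1.4.1.77.1.2.25": "Windows users",
    "1.3.6.1.4.1.77.1.2.27": "Windows shares",
    "1.3.6.1.4.1.77.1.4.1": "Windows domain",
    "1.3.6.1.6.3.12.1.3.1.4": "SNMP communities (Cisco)",
    "1.3.6.1.4.1.9.2.1.5": "TACACS server (Cisco)",
}


def classify(oid):
    """Longest-prefix match of an OID (instance suffix included) against the table."""
    best = None
    for prefix, label in SENSITIVE_SUBTREES.items():
        if oid == prefix or oid.startswith(prefix + "."):
            if best is None or len(prefix) > len(best[0]):
                best = (prefix, label)
    return best[1] if best else None


def audit_varbind_oids(data):
    """Walk consecutive OID TLVs (the OIDs of a GetRequest/GetNext varbind list,
    already pulled out of the PDU) and report those that hit a sensitive subtree."""
    hits, offset = [], 0
    while offset < len(data):
        oid, offset = decode_oid(data, offset)
        label = classify(oid)
        if label:
            hits.append((oid, label))
    return hits


# Constructed sample: OIDs a client would request for the box's name, one
# user-table row, and sysContact (1.3.6.1.2.1.1.4, which is not in the table).
SAMPLE_REQUEST = (encode_oid("1.3.6.1.2.1.1.5.0")
                  + encode_oid("1.3.6.1.4.1.77.1.2.25.1.2.3")
                  + encode_oid("1.3.6.1.2.1.1.4.0"))

if __name__ == "__main__":
    print(encode_oid("1.3.6.1.2.1.1.1").hex())  # sysDescr as it appears on the wire
    for oid, label in audit_varbind_oids(SAMPLE_REQUEST):
        print(f"{oid:32} -> {label}")
```

The same table doubles as an audit list: walking each prefix against your own devices with the community in use shows exactly which of these rows an outsider who guesses that community would get back, which is a far more concrete finding than "SNMP is open".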
SHODAN QUERIES OF AWESOMENESS
                 cisco country:PT


     Worldwide




     Portugal
SHODAN QUERIES OF AWESOMENESS
          cisco country:PT
Cisco
Cisco – GRE TUNNELING
SHODAN QUERIES OF AWESOMENESS
                 port:1900 country:PT



     Worldwide




     Portugal
SHODAN QUERIES OF AWESOMENESS

      So, What is UPNP?
SHODAN QUERIES OF AWESOMENESS
     So, What uses UPNP?
SHODAN QUERIES OF AWESOMENESS
            Hackz
UPNP January 29th 2013!!!!
UPNP 2013

15,000+ devices replied to UPNP in January 2013 in Portugal
Projecto Portugal Seguro - PTCoresec
• 29 January 2013 – released a study which showed new flaws in UPNP and numbers on the devices replying to UPNP.

• PTCoreSec, under the scope of project Portugal Seguro, proceeded to help ISPs with this problem.

• We sent an email to all ISPs, which resulted in the following:
Projecto Portugal Seguro
• Result
  – For some ISPs we noticed changes in the order of 80% in the number of IPs that stopped responding to UPNP in less than 1 week.
  – Quicker and faster response contacts, so that we can improve even further on this in case of the next event.
SHODAN QUERIES OF AWESOMENESS
            Hackz
SHODAN QUERIES OF AWESOMENESS



       UPNP zomg time
SHODAN QUERIES OF AWESOMENESS

UPNP Remote command execution
SHODAN QUERIES OF AWESOMENESS
     Oh and by the way…
SHODAN QUERIES OF AWESOMENESS

Another funny thing about UPNP is that you can get the MAC address and SSID it's using

And then….
SHODAN (MORE INTERESTING) QUERIES
                            SCADA
•   http://www.shodanhq.com/?q=PLC
•   http://www.shodanhq.com/?q=allen+bradley
•   http://www.shodanhq.com/?q=fanuc
•   http://www.shodanhq.com/?q=Rockwell
•   http://www.shodanhq.com/?q=Cimplicity
•   http://www.shodanhq.com/?q=Omron
•   http://www.shodanhq.com/?q=Novatech
•   http://www.shodanhq.com/?q=Citect
•   http://www.shodanhq.com/?q=RTU
•   http://www.shodanhq.com/?q=Modbus+Bridge
•   http://www.shodanhq.com/?q=modicon
•   http://www.shodanhq.com/?q=bacnet
•   http://www.shodanhq.com/?q=telemetry+gateway
•   http://www.shodanhq.com/?q=SIMATIC
•   http://www.shodanhq.com/?q=hmi
•   http://www.shodanhq.com/?q=siemens+-...er+-Subscriber
•   http://www.shodanhq.com/?q=scada+RTS
•   http://www.shodanhq.com/?q=SCHNEIDER
SHODAN (MORE INTERESTING) QUERIES
          PORTUGAL?
            SCADA
SHODAN (MORE INTERESTING) QUERIES
        SCADA Portugal
SHODAN (MORE INTERESTING) QUERIES
Cameras…. Simply connected online and without
authentication…
A little tip…
If you want to quickly check for
stuff (web related) that has no
authentication, use NMAP!
A little tip…
First, let's get wkhtmltoimage:

wget http://wkhtmltopdf.googlecode.com/files/wkhtmltoimage-0.11.0_rc1-static-i386.tar.bz2
tar -jxvf wkhtmltoimage-0.11.0_rc1-static-i386.tar.bz2
cp wkhtmltoimage-i386 /usr/local/bin/

Next, let's get and install the Nmap module:
git clone git://github.com/SpiderLabs/Nmap-Tools.git
cd Nmap-Tools/NSE/
cp http-screenshot.nse /usr/local/share/nmap/scripts/
nmap --script-updatedb
A little tip…


Then, do your shodan search and use:



This automatically exports a list of IPs you can import into nmap
A little tip…
Then…
A little tip…
And nmap will automatically take screenshots of the first pages that appear and store them; then you just need to look at those!
To end…
Open
ports!
SCARY SHIT!




DEFACE 1 SCARY?


    NO!
SCARY SHIT!

DEFACE 2 SCARY?

Well… disturbing, scary? Not so much!
SCARY SHIT!
Shodan – the bad part

• Imports nmap scans from their servers on a rotational basis, so it's not always 100% updated! Confirmed this by correlating some of the Shodan results with our own results!

• For example on MySQL servers, Shodan would find 785, where our results showed 3000+
Shodan – the good part

• Good querying system

• If port scanning is illegal in your country, you're out of trouble if you use Shodan, because you're just querying data acquired by them.
Resources

• http://secanalysis.com/interesting-shodan-searches/
• blog.spiderlabs.com/2012/06/using-nmap-to-screenshot-web-services.html
• http://www.youtube.com/watch?v=LPgZU7ZNIjQ – Defcon 18 2010, SHODAN for Penetration Testers, Michael Schearer
• http://www.youtube.com/watch?v=Tg9ZAvynjdk – HD Moore – Empirical Exploitation
• http://www.youtube.com/watch?v=b-uPh99whw4 – HD Moore – Wild West
Requests




https://www.facebook.com/ptcoresec
Invite




http://www.securitybsides.com/w/page/61778144/BSidesLisbon
Challenge

 
Practical exploitation and social engineering
Practical exploitation and social engineeringPractical exploitation and social engineering
Practical exploitation and social engineeringTiago Henriques
 

Mais de Tiago Henriques (10)

BSides Lisbon 2023 - AI in Cybersecurity.pdf
BSides Lisbon 2023 - AI in Cybersecurity.pdfBSides Lisbon 2023 - AI in Cybersecurity.pdf
BSides Lisbon 2023 - AI in Cybersecurity.pdf
 
Pixels Camp 2017 - Stories from the trenches of building a data architecture
Pixels Camp 2017 - Stories from the trenches of building a data architecturePixels Camp 2017 - Stories from the trenches of building a data architecture
Pixels Camp 2017 - Stories from the trenches of building a data architecture
 
Pixels Camp 2017 - Stranger Things the internet version
Pixels Camp 2017 - Stranger Things the internet versionPixels Camp 2017 - Stranger Things the internet version
Pixels Camp 2017 - Stranger Things the internet version
 
The state of cybersecurity in Switzerland - FinTechDay 2017
The state of cybersecurity in Switzerland - FinTechDay 2017The state of cybersecurity in Switzerland - FinTechDay 2017
The state of cybersecurity in Switzerland - FinTechDay 2017
 
(Mis)trusting and (ab)using ssh
(Mis)trusting and (ab)using ssh(Mis)trusting and (ab)using ssh
(Mis)trusting and (ab)using ssh
 
Secure coding - Balgan - Tiago Henriques
Secure coding - Balgan - Tiago HenriquesSecure coding - Balgan - Tiago Henriques
Secure coding - Balgan - Tiago Henriques
 
Vulnerability, exploit to metasploit
Vulnerability, exploit to metasploitVulnerability, exploit to metasploit
Vulnerability, exploit to metasploit
 
Practical exploitation and social engineering
Practical exploitation and social engineeringPractical exploitation and social engineering
Practical exploitation and social engineering
 
Booklet
BookletBooklet
Booklet
 
Talkj4mshare
Talkj4mshareTalkj4mshare
Talkj4mshare
 

Enei

  • 10. How it all got started: We’re hackers! We love knowing how to break things and how others would go about breaking things! The difference between us and others is simple:
      • We want to break things legally and find a way to fix things.
      • We want to learn about new things and help people.
  • 12. How it all got started: We saw some talks that really inspired us, given by two great people: HD Moore and Fyodor.
  • 13. However… We also ran into a bit of a problem… Port scanning might or might not be illegal in Portugal! No one is actually sure, and we talked with multiple people:
      • Police
      • Sysadmins
      • Researchers
      • Security professionals
  • 14. What to do?
      • So, if you can’t port scan, how do u find out what ur enemy’s attack surface is?
      • How do u find out if the entire infrastructure u rely on every day is vulnerable or safe?
      • Security by obscurity? Right, that works well….
  • 15. What to do?
      • We went and did the port scans, in passive mode; no system was penetrated in any way whatsoever.
      • We did it slowly, and with plenty of time between scans, so as not to cause any DoS issues.
  • 16. Port scanning. Tools of the trade: Nmap, wkhtmltoimage, Python, Scapy, Linux, NodeJS, MongoDB, C. Plus Red Bull + lots of nights awake + frustration.
  • 17. Port scanning - Process:
      1. Get Portugal’s CIDRs
      2. Decide on a set of services you consider important
      3. Check which IPs have those ports open (the actual scanning)
      4. Check the versions running of those services
  • 18. Port scanning - Process, step 1: Get Portugal’s CIDRs. There are two places where you can get these:
      • http://software77.net/geo-ip/
      • ftp://ftp.ripe.net/pub/stats/ripencc/delegated-ripencc-latest
    Sample of the resulting CIDR list, as shown on the slide:
      2.80.0.0/14, 5.43.0.0/18, 5.44.192.0/20, 5.158.0.0/18, 5.159.216.0/21, 5.172.144.0/21, 31.22.128.0/17, 37.28.192.0/18, 37.189.0.0/16, 46.50.0.0/17, 46.182.32.0/21, 46.189.128.0/17, 62.28.0.0/16, 62.48.128.0/18,
      62.48.192.0/18, 62.169.64.0/18, 62.249.0.0/19, 77.54.0.0/16, 77.91.200.0/21, 78.29.128.0/18, 78.130.0.0/17, 78.137.192.0/18, 79.168.0.0/15, 80.172.0.0/16, 80.243.80.0/20, 81.20.240.0/20, 81.84.0.0/16, 81.90.48.0/20,
      81.90.48.0/20, 81.92.192.0/20, 81.92.208.0/20, 81.193.0.0/16, 82.102.0.0/18, 82.154.0.0/15, 83.132.0.0/16, 83.144.128.0/18, 83.174.0.0/18, 83.223.160.0/19, 83.240.128.0/17, 84.18.224.0/19, 84.23.192.0/19, 84.90.0.0/15
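The RIPE file the slide points at does not list prefixes: each IPv4 record is a start address plus an address count (registry|cc|type|start|value|date|status), so building the CIDR list for step 1 means turning every start+count pair into one or more blocks, and a count that is not a power of two becomes several blocks of different lengths. The following Python is an added example of that conversion, not the PTCoreSec tooling; the records in SAMPLE_DELEGATED are constructed (the two PT entries reproduce two CIDRs from the slide, the 203.0.113.0 entry is a made-up non-power-of-two case) and the function names are mine.

```python
"""Turn RIPE NCC 'delegated' records into CIDR blocks for one country code.

Added example (not the PTCoreSec scripts). The delegated-ripencc-latest file
describes IPv4 allocations as start address + address count, not as prefixes,
so a count that is not a power of two has to be split into several CIDRs.
"""
import ipaddress

# Constructed sample in the delegated format:
#   registry|cc|type|start|value|date|status[|extensions]
# The first line is the file version header and the second a summary line;
# both have a different layout and must be skipped. The PT ipv4 records for
# 2.80.0.0 and 81.193.0.0 match CIDRs on the slide; 203.0.113.0 is made up.
SAMPLE_DELEGATED = """\
2|ripencc|20130301|12345|19830705|20130228|+0100
ripencc|*|ipv4|*|1000|summary
ripencc|PT|ipv4|2.80.0.0|262144|20120101|allocated
ripencc|ES|ipv4|5.57.128.0|8192|20110510|allocated
ripencc|PT|ipv6|2001:db8::|32|20120101|allocated
ripencc|PT|ipv4|81.193.0.0|65536|20000215|allocated
ripencc|PT|ipv4|203.0.113.0|768|20130101|assigned
"""


def ipv4_records(text, country):
    """Yield (start_address, count) for the IPv4 records of one country code."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        # Version header, summary lines and other record types are skipped.
        if len(fields) < 7 or fields[2] != "ipv4" or fields[1] != country:
            continue
        yield ipaddress.IPv4Address(fields[3]), int(fields[4])


def to_cidrs(start, count):
    """Convert start address + count into the minimal list of CIDR strings."""
    end = start + (count - 1)  # IPv4Address supports integer arithmetic
    return [str(net) for net in ipaddress.summarize_address_range(start, end)]


def country_cidrs(text, country):
    """All CIDRs delegated to `country`, in file order: the slide's step 1 list."""
    cidrs = []
    for start, count in ipv4_records(text, country):
        cidrs.extend(to_cidrs(start, count))
    return cidrs


def country_address_count(text, country):
    """Total IPv4 addresses delegated to `country` (slide 21 gives 5,822,240 for PT)."""
    return sum(count for _, count in ipv4_records(text, country))


if __name__ == "__main__":
    for cidr in country_cidrs(SAMPLE_DELEGATED, "PT"):
        print(cidr)
    print("total addresses:", country_address_count(SAMPLE_DELEGATED, "PT"))
```

Run against the real delegated-ripencc-latest file, `country_cidrs(open(path).read(), "PT")` produces the list to feed nmap with -iL, and `country_address_count` gives the allocated-address total the talk quotes on slide 21; the same code works for any country code in the file.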
  • 19. Port scanning - Process, step 2: Decide on a set of services you consider important.
      ID  Port   TCP/UDP  Service
       1  80     TCP      http
       2  443    TCP      https
       3  8080   TCP      http alternative
       4  21     TCP      FTP
       5  22     TCP      SSH
       6  23     TCP      Telnet
       7  53     UDP      DNS
       8  445    TCP      Samba
       9  139    TCP      Samba
      10  161    UDP      SNMP
      11  1900   UDP      UPNP
      12  2869   TCP      UPNP
      13  5353   UDP      MDNS
      14  137    TCP      Netbios
      15  25     TCP      SMTP
      16  110    TCP      POP3
      17  143    TCP      IMAP
      18  3306   TCP      Mysql
      19  5900   TCP      VNC Server
      20  17185  UDP      VoIP
      21  3389   TCP      Rdesktop
      22  8082   TCP      TR 069
  • 20. Port scanning - Process, steps 3 and 4: Check which IPs have those ports open, and check the versions running of those services. This is where it gets tricky!
  • 21. Port scanning - Process: Portugal on the internet…. 5,822,240 allocated IPs, dynamic IPs, GPRS.
  • 22. Port scanning - Process: So, as we mentioned, we divided the actual scanning into two parts! And you might be wondering why… A common nmap scan for TCP: nmap -iL ipswithftp -oA port21-FTP-with-Services -sS -sV -p21 -T5 -PN. The problem with this is that DNS resolution and -sV (service detection) are very slow. So how do we solve this problem? We obviously want the domains the IPs are associated with, and the versions of the services running.
  • 23. Port scanning - Process: Do the fast things on the 6 mil IPs, and then do the slow stuff only on the IPs that are running the service we want to analyse.
      • nmap -iL CIDRSPT.txt -oA port21-FTP -sS -p21 -T5 -PN --host-timeout 1501 --min-hostgroup 400 --min-parallelism 10 -n
      • Then we will have the list of IPs that have FTP running on port 21 in 3 files: Port21-FTP.xml, Port21-FTP.gnmap, Port21-FTP.nmap
      • Extract IPs from gnmap: cat port21-FTP.gnmap | grep -w "21/open" | awk '{print $2}' > IPSWITHFTP.TXT
  • 24. Port scanning - Process: Do the slow things only on the IPs that have our service running.
      • nmap -iL IPSWITHFTP.txt -oA port21-FTP-FINAL -sV -p21 -T5 -PN --host-timeout 1501 --min-hostgroup 400 --min-parallelism 10
      • Then we will have the list of IPs that have FTP running on port 21 AND the version of those services in 3 files: Port21-FTP-FINAL.xml, Port21-FTP-FINAL.gnmap, Port21-FTP-FINAL.nmap
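The grep/awk one-liner on slide 23 pulls only the IPs out of the .gnmap file. The Python below is an added example, not the Command Center from the talk: it parses the same greppable format (each port entry is port/state/protocol/owner/service/rpc/version/) into records that keep protocol, state, service and the -sV version string, which is what the second, slow pass produces and what ends up in a backend. The lines in SAMPLE_GNMAP are constructed (documentation addresses, made-up banners) and the function names are mine.

```python
"""Parse nmap greppable output (-oG, or the .gnmap file from -oA) into records.

Added example, not PTCoreSec code. Keeps what the slide's grep/awk one-liner
throws away: protocol, state, service name and the -sV version banner, so the
second-pass results can be loaded into a database or compared per version.
"""
import re

# Constructed sample of what the slides' second FTP pass could emit. Hosts,
# banners and addresses are made up (RFC 5737 documentation ranges).
SAMPLE_GNMAP = """\
# Nmap 6.25 scan initiated Sat Mar  9 10:00:00 2013 as: nmap -iL IPSWITHFTP.txt -oA port21-FTP-FINAL -sV -p21 -T5 -PN
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 21/open/tcp//ftp//vsftpd 2.3.4/\tIgnored State: closed (1)
Host: 192.0.2.11 ()\tPorts: 21/filtered/tcp//ftp///
Host: 198.51.100.7 (ftp.example.net)\tPorts: 21/open/tcp//ftp//ProFTPD 1.3.3/, 161/open/udp//snmp//net-snmp/
Host: 198.51.100.9 ()\tPorts: 21/closed/tcp//ftp///
# Nmap done at Sat Mar  9 10:05:00 2013 -- 4 IP addresses (4 hosts up) scanned in 300.00 seconds
"""

# "Host: <ip> (<hostname or empty>)" opens every data line in gnmap output.
HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)")


def parse_gnmap(text):
    """Return one dict per (host, port) pair found in the greppable output."""
    rows = []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment, blank or "Nmap done" line
        ip, hostname = m.group(1), m.group(2)
        # Sections after the host are tab separated: "Status: Up",
        # "Ports: ...", "Ignored State: ...". Only the Ports section matters.
        for section in line.split("\t")[1:]:
            if not section.startswith("Ports: "):
                continue
            for entry in section[len("Ports: "):].split(", "):
                fields = entry.split("/")
                if len(fields) < 7:
                    continue  # malformed entry: skip it rather than crash
                port, state, proto, _owner, service, _rpc, version = fields[:7]
                rows.append({
                    "ip": ip,
                    "hostname": hostname,
                    "port": int(port),
                    "proto": proto,
                    "state": state,
                    "service": service,
                    "version": version,
                })
    return rows


def hosts_with_open_port(text, port, proto="tcp"):
    """Sorted IPs where port/proto is open: the slide's IPSWITHFTP.TXT list."""
    return sorted({r["ip"] for r in parse_gnmap(text)
                   if r["port"] == port and r["proto"] == proto
                   and r["state"] == "open"})


def version_histogram(text, port, proto="tcp"):
    """Count -sV banners per open port, the kind of figure slide 122 compares with Shodan."""
    counts = {}
    for r in parse_gnmap(text):
        if r["port"] == port and r["proto"] == proto and r["state"] == "open":
            key = r["version"] or "unknown"
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    print(hosts_with_open_port(SAMPLE_GNMAP, 21))
    print(version_histogram(SAMPLE_GNMAP, 21))
```

Unlike `grep -w "21/open"`, the parser checks the protocol too, so a UDP entry on the same port number is not mistaken for the TCP service, and filtered or closed entries never make it into the second-pass input list.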
  • 25. Port scanning - Process: However… we still have UDP… and let me tell u….
  • 26. Port scanning - Process: Nmap also has a UDP mode, -sU; however, it doesn’t work very well without -sV (read: it’s shit!). When testing it in our lab we noticed that most of the time nmap wasn’t able to detect whether there was a service running or not. The reason for this is: “UDP scanning is slow as open/filtered ports typically don't respond so nmap has to time out and then retransmit whilst closed ports will send a ICMP port unreachable error, which systems typically rate limit.” When we started, it took us around 4 weeks to scan UDP on the entire country on 1 port….
  • 27. Port scanning - Process: Solution? SCAPY! [Diagram: server with a service running on port 11111, and the client checking it]
  • 28. Port scanning - Process: Result of that script? On lab testing….
  • 29. Port scanning - Process: Result of that script? On internet testing….
  • 30. Port scanning - Process: When we started, it took us around 4+ weeks to scan UDP on the entire country on 1 port using Nmap…. We took this as a baseline first run to improve on… Our second run, we used python + scapy and it went down!! 1 week. Well, not bad for a second run, but 1 week for a port? Our third run, we used python + multithreading fu + scapy + blackmamba: 3 days, and this was the best we brought it down to without bringing in the big guns (read: “asking HD Moore for help”). Fourth run: C. Yup, the entire .pt (1 port) scanned in 4 minutes and 45 seconds.
  • 31. Port scanning - Process: So... at this point we can do UDP in 5 minutes. As you can guess... we now love UDP scanning again... Our next objective became to speed up our TCP scanning. For you to understand what we did, you need first to understand how nmap works: [Chart: packets per second over time for Nmap; y axis 0 to 25000, x axis 1 to 21]
  • 32. Port scanning - Process: What we did is write our own TCP scanner. And the result is the following: [Chart: packets per second over time for PTCoreSecTCP; y axis 0 to 25000, x axis 1 to 21]
  • 33. Port scanning - End: So we had our kick-ass friends send us our kick-ass raw results… now what do we do with them?
  • 34. Port scanning - End: Terminals are fun, BUT we want an easier way to look at our data… So…. we wrote a tool: PTCoreSec Command Center!
  • 38. Fourth version – Current stable
  • 39. Fifth version – Currently under development
  • 40. Port scanning - Demo: DEMO TIME!
  • 41. Port scanning – The project: While we were preparing for Codebits… we received something in the mail….
  • 42. Port scanning – The project: Raspi
  • 43. Port scanning – The project: And it got us thinking… Port scanning doesn’t require a great CPU, nor a huge amount of RAM…
  • 44. Port scanning – The project: So we decided to create a distributed port scanning project…
  • 45. Port scanning – The project: We grabbed the [image] and added a custom set of scripts to it…
  • 46. Port scanning – The project
  • 47. Port scanning – How does it work?
      Step 1 – PTCoreSec admins request a job (scan) on the backend.
      Step 2 – Server side checks the current number of live raspi minions.
      Step 3 – Server divides the CIDRs between the different clients and sends them over.
      Step 4 – Clients (minions) do the scans and send them back to the server over XML-RPC.
      Step 5 – Server imports these scans into the MongoDB backend.
  • 49. Business: When a client asks for a pentest, we present them with these
  • 53. Business: And that’s all really neat and pretty, however there are 2 problems with that! These guys don’t give a f***: Management, Blackhats.
  • 54. Management. Cares about: Money, Money, Money. Does: Will lie for PCI DSS/ISO27001/{Compliance}; approves every single thing, even if it doesn’t match security department goals, as long as it gets them moneys. This gives us, security peeps, headaches!
  • 55. I ask onLY ONE thing of u: Leave your whitehats at home, and
  • 56. SHODAN: SHODAN is a search engine that lets you find specific computers (routers, servers, etc.) using a variety of filters. Some have also described it as a public port scan directory or a search engine of banners. Another way of putting it would be:
  • 58. Now combine this: With these:
  • 59. And you get a lot of these
  • 60. Also, if you do anything illegal and get caught, you’ll get one of these:
  • 63. SHODAN: Accessing that website will give u a bar where you can type queries and obtain results. Your queries can ask for ports, countries, strings contained in the banners, and all sorts of other things. Following is a sample set of queries that can lead to some interesting results:
  • 64. SHODAN QUERIES:
      • http://www.shodanhq.com/?q=cisco-IOS
      • http://www.shodanhq.com/?q=IIS+4.0
      • http://www.shodanhq.com/?q=Xerver
      • http://www.shodanhq.com/?q=Fuji+xerox
      • http://www.shodanhq.com/?q=JetDirect
      • http://www.shodanhq.com/?q=Netgear
      • http://www.shodanhq.com/?q=%22Anonymous+access+allowed%22
      • http://www.shodanhq.com/?q=Golden+FTP+Server
  • 65. SHODAN QUERIES + combined country? Awesome! Saturday, 9th of June 2012
  • 66. SHODAN QUERIES + combined country: Port: 3306 country:PT
  • 67. SHODAN QUERIES + combined country? Awesome! Wednesday, 6th of June 2012
  • 68. SHODAN QUERIES + combined country: BigIP country:PT
  • 69. SHODAN QUERIES + combined country? Awesome! Tuesday, March 13, 2012
  • 70. SHODAN QUERIES + combined country: port:3389 -allowed country:PT
  • 71. SHODAN QUERIES + combined country? Awesome!
  • 72. SHODAN QUERIES OF AWESOMENESS: SAP Web Application Server (ICM). Worldwide / Portugal
  • 73. SHODAN QUERIES OF AWESOMENESS: SAP NetWeaver Application Server. Worldwide / Portugal
  • 74. SHODAN QUERIES OF AWESOMENESS: SAP Web Application Server. Worldwide / Portugal
  • 75. SHODAN QUERIES OF AWESOMENESS: SAP J2EE Engine. Worldwide / Portugal
  • 76. SHODAN QUERIES OF AWESOMENESS
  • 77. SHODAN QUERIES OF AWESOMENESS: port:23 country:PT. Worldwide / Portugal
  • 78. SHODAN QUERIES OF AWESOMENESS: port:23 country:PT. Username:admin Password:smcadmin
  • 79. SHODAN QUERIES OF AWESOMENESS: port:23 list of built-in commands. Worldwide. Not a big number, however just telnet in and you get shell…
  • 80. SHODAN QUERIES OF AWESOMENESS: port:161 country:PT. Worldwide / Portugal
  • 81. SHODAN QUERIES OF AWESOMENESS: What sort of info do I get with SNMP?
      • Windows RUNNING PROCESSES 1.3.6.1.2.1.25.4.2.1.2
      • Windows INSTALLED SOFTWARE 1.3.6.1.2.1.25.6.3.1.2
      • Windows SYSTEM INFO 1.3.6.1.2.1.1.1
      • Windows HOSTNAME 1.3.6.1.2.1.1.5
      • Windows DOMAIN 1.3.6.1.4.1.77.1.4.1
      • Windows UPTIME 1.3.6.1.2.1.1.3
      • Windows USERS 1.3.6.1.4.1.77.1.2.25
      • Windows SHARES 1.3.6.1.4.1.77.1.2.27
      • Windows DISKS 1.3.6.1.2.1.25.2.3.1.3
      • Windows SERVICES 1.3.6.1.4.1.77.1.2.3.1.1
      • Windows LISTENING TCP PORTS 1.3.6.1.2.1.6.13.1.3.0.0.0.0
      • Windows LISTENING UDP PORTS 1.3.6.1.2.1.7.5.1.2.0.0.0.0
  • 82. SHODAN QUERIES OF AWESOMENESS: What sort of info do I get with SNMP?
      • Linux RUNNING PROCESSES 1.3.6.1.2.1.25.4.2.1.2
      • Linux SYSTEM INFO 1.3.6.1.2.1.1.1
      • Linux HOSTNAME 1.3.6.1.2.1.1.5
      • Linux UPTIME 1.3.6.1.2.1.1.3
      • Linux MOUNTPOINTS 1.3.6.1.2.1.25.2.3.1.3
      • Linux RUNNING SOFTWARE PATHS 1.3.6.1.2.1.25.4.2.1.4
      • Linux LISTENING UDP PORTS 1.3.6.1.2.1.7.5.1.2.0.0.0.0
      • Linux LISTENING TCP PORTS 1.3.6.1.2.1.6.13.1.3.0.0.0.0
  • 83. SHODAN QUERIES OF AWESOMENESS: What sort of info do I get with SNMP?
      • Cisco LAST TERMINAL USERS 1.3.6.1.4.1.9.9.43.1.1.6.1.8
      • Cisco INTERFACES 1.3.6.1.2.1.2.2.1.2
      • Cisco SYSTEM INFO 1.3.6.1.2.1.1.1
      • Cisco HOSTNAME 1.3.6.1.2.1.1.5
      • Cisco SNMP COMMUNITIES 1.3.6.1.6.3.12.1.3.1.4
      • Cisco UPTIME 1.3.6.1.2.1.1.3
      • Cisco IP ADDRESSES 1.3.6.1.2.1.4.20.1.1
      • Cisco INTERFACE DESCRIPTIONS 1.3.6.1.2.1.31.1.1.1.18
      • Cisco HARDWARE 1.3.6.1.2.1.47.1.1.1.1.2
      • Cisco TACACS SERVER 1.3.6.1.4.1.9.2.1.5
      • Cisco LOG MESSAGES 1.3.6.1.4.1.9.9.41.1.2.3.1.5
      • Cisco PROCESSES 1.3.6.1.4.1.9.9.109.1.2.1.1.2
      • Cisco SNMP TRAP SERVER 1.3.6.1.6.3.12.1.2.1.7
  • 84. SHODAN QUERIES OF AWESOMENESS
  • 85. SHODAN QUERIES OF AWESOMENESS: cisco country:PT. Worldwide / Portugal
  • 86. SHODAN QUERIES OF AWESOMENESS: cisco country:PT
  • 87. Cisco
  • 88. Cisco – GRE TUNNELING
  • 89. SHODAN QUERIES OF AWESOMENESS: port:1900 country:PT. Worldwide / Portugal
  • 90. SHODAN QUERIES OF AWESOMENESS: So, what is UPNP?
  • 91. SHODAN QUERIES OF AWESOMENESS: So, what uses UPNP?
  • 92. SHODAN QUERIES OF AWESOMENESS: Hackz
  • 93. UPNP: January 29th 2013!!!!
  • 94. UPNP 2013: 15,000+ devices replied to UPNP in January 2013 in Portugal
  • 95. Projecto Portugal Seguro - PTCoreSec:
      • 29 January 2013 – released a study which showed new flaws in UPNP and numbers on the devices replying to UPNP.
      • PTCoreSec, under the scope of project Portugal Seguro, proceeded to help ISPs with this problem.
      • We sent an email to all ISPs, which resulted in the following
  • 97. Projecto Portugal Seguro: Result
      • At some ISPs we noticed changes on the order of 80% in the number of IPs that stopped responding to UPNP in less than 1 week.
      • Quicker and faster response contacts, so that we can improve even further on this in case of the next event.
  • 98. SHODAN QUERIES OF AWESOMENESS: Hackz
  • 99. SHODAN QUERIES OF AWESOMENESS: UPNP zomg time
  • 100. SHODAN QUERIES OF AWESOMENESS: UPNP remote command execution
  • 101. SHODAN QUERIES OF AWESOMENESS: Oh and by the way…
  • 102. SHODAN QUERIES OF AWESOMENESS: Another funny thing about UPNP is that you can get the MAC address and SSID it’s using. And then….
  • 103. SHODAN (MORE INTERESTING) QUERIES: SCADA
      • http://www.shodanhq.com/?q=PLC
      • http://www.shodanhq.com/?q=allen+bradley
      • http://www.shodanhq.com/?q=fanuc
      • http://www.shodanhq.com/?q=Rockwell
      • http://www.shodanhq.com/?q=Cimplicity
      • http://www.shodanhq.com/?q=Omron
      • http://www.shodanhq.com/?q=Novatech
      • http://www.shodanhq.com/?q=Citect
      • http://www.shodanhq.com/?q=RTU
      • http://www.shodanhq.com/?q=Modbus+Bridge
      • http://www.shodanhq.com/?q=modicon
      • http://www.shodanhq.com/?q=bacnet
      • http://www.shodanhq.com/?q=telemetry+gateway
      • http://www.shodanhq.com/?q=SIMATIC
      • http://www.shodanhq.com/?q=hmi
      • http://www.shodanhq.com/?q=siemens+-...er+-Subscriber
      • http://www.shodanhq.com/?q=scada+RTS
      • http://www.shodanhq.com/?q=SCHNEIDER
  • 104. SHODAN (MORE INTERESTING) QUERIES: PORTUGAL? SCADA
  • 105. SHODAN (MORE INTERESTING) QUERIES: SCADA Portugal
  • 106. SHODAN (MORE INTERESTING) QUERIES: SCADA Portugal
  • 107. SHODAN (MORE INTERESTING) QUERIES: SCADA Portugal
  • 108. SHODAN (MORE INTERESTING) QUERIES: SCADA Portugal
  • 109. SHODAN (MORE INTERESTING) QUERIES: Cameras…. simply connected online and without authentication…
  • 110. A little tip… If you want to quickly check for stuff (web related) that has no authentication, use NMAP!
  • 111. A little tip… First, let’s get wkhtmltoimage:
      wget http://wkhtmltopdf.googlecode.com/files/wkhtmltoimage-0.11.0_rc1-static-i386.tar.bz2
      tar -jxvf wkhtmltoimage-0.11.0_rc1-static-i386.tar.bz2
      cp wkhtmltoimage-i386 /usr/local/bin/
    Next, let’s get and install the Nmap module:
      git clone git://github.com/SpiderLabs/Nmap-Tools.git
      cd Nmap-Tools/NSE/
      cp http-screenshot.nse /usr/local/share/nmap/scripts/
      nmap --script-updatedb
  • 112. A little tip… Then, do your shodan search and use: [image]. This automatically exports a list of IPs u can import into nmap.
  • 114. A little tip… And nmap will automatically take screenshots of the first pages that appear and store them; then u just need to look at those!
  • 117. SCARY SHIT! DEFACE 1. SCARY? NO!
  • 118. SCARY SHIT! DEFACE 2. SCARY? Well… disturbing; scary? Not so much!
  • 122. Shodan – the bad part:
      • Imports nmap scans from their servers on a rotational basis, so it’s not always 100% updated! Confirmed this by correlating some of the Shodan results with our own results!
      • For example, for MySQL servers, Shodan would find 785, where our results showed 3000+.
  • 123. Shodan – the good part:
      • Good querying system
      • If port scanning is illegal in your country, you’re out of trouble if u use Shodan, because ur just querying data acquired by them.
  • 124. Resources:
      http://secanalysis.com/interesting-shodan-searches/
      http://blog.spiderlabs.com/2012/06/using-nmap-to-screenshot-web-services.html
      http://www.youtube.com/watch?v=LPgZU7ZNIjQ - Defcon 18 2010, SHODAN for Penetration Testers, Michael Schearer
      http://www.youtube.com/watch?v=Tg9ZAvynjdk – HD Moore – Empirical Exploitation
      http://www.youtube.com/watch?v=b-uPh99whw4 – HD Moore – Wild West

Editor's Notes

  1. Image source: http://us.123rf.com/400wm/400/400/cla78/cla781008/cla78100800263/7655075-an-old-grunge-flag-of-portugal-state.jpg
  2. Everyone had a different set of opinions.
  3. http://en.wikipedia.org/wiki/Security_through_obscurity
  4. Explain passive mode vs active. Vuln testing vs port scanning.
  5. Although not huge, it's still nearly 6 mil IP addrs.
  6. -iL: file with IPs; -oA: saved output; -sS: SYN stealth scan; -sV: service detection; -p21: port; -T5: supa dupa ultra fast; -PN: don't ping.
  7. --host-timeout 1501: wait the minimum time on host; -n: don't do DNS resolution; --min-parallelism 10: probes (instances); --min-hostgroup 400: each probe does 400 hosts at the time.
  8. --host-timeout 1501: wait the minimum time on host; -n: don't do DNS resolution; --min-parallelism 10: probes (instances); --min-hostgroup 400: each probe does 400 hosts at the time.
  9. http://stackoverflow.com/questions/10531618/how-to-retrieve-both-tcp-and-udp-ports-with-nmap
  10. Server: netcat running on UDP port 11111. Client: checks for the service on port 11111.
  11. Source: http://blog.stalkr.net/2010/05/udp-scan-with-icmp-port-unreachable-and.html
  12. Source: http://blog.stalkr.net/2010/05/udp-scan-with-icmp-port-unreachable-and.html
  13. Lots of wasted time....
  14. Explain reading the reply straight from the sniffer instead of waiting.
  15. Image source: http://i.i.com.com/cnwk.1d/i/tim/2012/06/19/Raspberry_Pi_35332544_05_1.jpg
  16. Image source: http://elinux.org/R-Pi_Hub
  17. Image source: http://elinux.org/R-Pi_Hub
  18. http://www.shodanhq.com/?q=Xerver (REF: http://www.exploit-db.com/exploits/9718); http://www.shodanhq.com/?q=Golden+FTP+Server (REF: http://www.exploit-db.com/exploits/10258)
  19. https://community.rapid7.com/community/metasploit/blog/2012/06/11/scanning-for-vulnerable-f5-bigips-with-metasploit; https://community.rapid7.com/community/metasploit/blog/2012/06/25/press-f5-for-root-shell
  20. SAP applications provide the capability to manage financial, asset, and cost accounting, production operations and materials, personnel, plants, and archived documents.
  21. SNMP
  22. Source: http://opasylum.net/WikiTreason/pentest/scanners/snmp/snmpenum/windows.txt
  23. Source: http://opasylum.net/WikiTreason/pentest/scanners/snmp/snmpenum/windows.txt
  24. Source: http://opasylum.net/WikiTreason/pentest/scanners/snmp/snmpenum/windows.txt
  25. SNMP
  26. SNMP
  27. SNMP
  28. SNMP
  29. SNMP
  30. UPNP
  31. UPNP
  32. Explain FIREWALL THINGIE
  33. UPNP
  34. UPNP
  35. UPNP
  36. UPNP
  37. UPNP
  38. UPNP
  39. UPNP
  40. UPNP
  41. Source: http://blog.spiderlabs.com/2012/06/using-nmap-to-screenshot-web-services.html
  42. Source: http://blog.spiderlabs.com/2012/06/using-nmap-to-screenshot-web-services.html
  43. Source: http://blog.spiderlabs.com/2012/06/using-nmap-to-screenshot-web-services.html
  44. Source: http://blog.spiderlabs.com/2012/06/using-nmap-to-screenshot-web-services.html
  45. SNMP
  46. SNMP
  47. SNMP
  48. SNMP
  49. SNMP
  50. SNMP
  51. SNMP