How to dominate a country




   An analysis of the Portuguese
internet's exposure to cyber-attacks
WHAT are you ?
We are:
• Security Researchers
• Security enthusiasts
• Students, corporate sheep (read: auditors),
  programmers, pentesters

We are not   :
• Lulzsec
• Anonymous
• Hacking group
• And no, we won't help you hack your girlfriend's
  Facebook!
Who are you ?
• Tiago Henriques
    • Team founder @ PTCoreSec
    • Pentester/Researcher @ 7Elements
    • @Balgan

• Tiago Martins
    • Team vice-founder @ PTCoreSec
    • Researcher
    • @Gank_101

• Filipe Reis
    • Programmer @ PTCoreSec
    • Intern @ Layer8
    • @fjdreis

• Jean Figueiredo
    • Network security researcher @ PTCoreSec
    • Netsec admin @ Tecnocom
    • @klinzter

• Tomás Lima
    • Security Researcher @ PTCoreSec
    • Researcher @ FCCN
    • @synchroack

• Paulo Figueiredo
    • Designer @ PTCoreSec
    • CEO @
    • @synchroack
Who are you ?
Topics
We are NOT

RESPONSIBLE FOR ANY ILLEGAL
ACTS OR ACTIONS PRACTICED BY
YOU OR ANYONE THAT LEARNS
SOMETHING FROM TODAY’S
PRESENTATION.
Causing Chaos.
Q: If you guys were an attacker that was out to cause real damage
or get profit, how would you go on about it?

A: This is what we would do: control as many machines in that
country, penetrate critical systems and get as much intel/info as
Causing Chaos.
And that’s what we are gonna talk about
today!
How it all got started

We’re hackers! We love knowing how to break things and
how others would go on about breaking things!

The difference between us and others is simple:

• We want to break things legally and find a way to fix
  things.
• We want to learn about new things and help people.
PORT SCANNING….
How it all got started
We saw some talks that really inspired us given by two great
people
    HD Moore                                 Fyodor
However…
We also ran into a bit of a problem…


Portscanning might or might not be illegal in Portugal!

No one is actually sure, and we talked with multiple people:
   • Police
   • Sysadmins
   • Researchers
   • Security professionals
What to do ?
• So, if you can't port scan, how do you find out what your
  enemies' attack surface is?

• How do you know if the entire infrastructure you rely on
  every day is vulnerable or safe?

• Security by obscurity? Right, that works well….
What to do ?

• We did the port scans in passive mode; no system was
  penetrated in any way whatsoever.

• We did it slowly, and with plenty of time between scans so
  as not to cause any DoS issues.
Port scanning

• Tools of the trade:
   • Nmap
   • Wkhtmltoimage
   • Python
   • Scapy
   • Linux
   • NodeJS
   • MongoDB
   • C
   • Redbull + Lots of nights awake +
     Frustration
Port scanning - Process

1. Get Portugal’s CIDRs


2. Decide on a set of services you consider important


3. Check which IPs have those ports open

4. Check versions running on those services

   (Steps 3 and 4 are the actual scanning.)
Port scanning - Process
 1. Get Portugal’s CIDRs
There are two places where you can get these:


   • http://software77.net/geo-ip/


   • ftp://ftp.ripe.net/pub/stats/ripencc/delegated-ripencc-latest
      2.80.0.0/14           62.48.192.0/18       81.90.48.0/20
      5.43.0.0/18           62.169.64.0/18       81.92.192.0/20
      5.44.192.0/20         62.249.0.0/19        81.92.208.0/20
      5.158.0.0/18          77.54.0.0/16         81.193.0.0/16
      5.159.216.0/21        77.91.200.0/21       82.102.0.0/18
      5.172.144.0/21        78.29.128.0/18       82.154.0.0/15
      31.22.128.0/17        78.130.0.0/17        83.132.0.0/16
      37.28.192.0/18        78.137.192.0/18      83.144.128.0/18
      37.189.0.0/16         79.168.0.0/15        83.174.0.0/18
      46.50.0.0/17          80.172.0.0/16        83.223.160.0/19
      46.182.32.0/21        80.243.80.0/20       83.240.128.0/17
      46.189.128.0/17       81.20.240.0/20       84.18.224.0/19
      62.28.0.0/16          81.84.0.0/16         84.23.192.0/19
      62.48.128.0/18        81.90.48.0/20        84.90.0.0/15
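Step 1 in practice, as an added example (not PTCoreSec's code): the RIPE delegated file lists every block as `registry|cc|type|start|value|date|status`, where `value` is an address count for IPv4 (not always a power of two) and a prefix length for IPv6, so turning it into CIDRs needs a small conversion. The sample below is constructed; the 2.80.0.0, 5.43.0.0 and 5.159.216.0 records match ranges on the slide, the 198.51.100.0 record is invented to show a count that does not fit a single prefix.

```python
"""Step 1 of the process above: turn the RIPE 'delegated-ripencc-latest'
file into a list of IPv4 CIDRs for one country code.

Added example, not PTCoreSec's code. SAMPLE_DELEGATED is constructed in the
delegated-file format; the first two lines mimic the version and summary
headers the real file starts with.
"""
import ipaddress

SAMPLE_DELEGATED = """\
2|ripencc|20120609|7|19830705|20120608|+0200
ripencc|*|ipv4|*|5|summary
ripencc|PT|ipv4|2.80.0.0|262144|20100813|allocated
ripencc|PT|ipv4|5.43.0.0|16384|20120222|allocated
ripencc|PT|ipv4|5.159.216.0|2048|20120411|allocated
ripencc|ES|ipv4|2.136.0.0|524288|20100805|allocated
ripencc|PT|ipv4|198.51.100.0|768|20120501|assigned
ripencc|PT|ipv6|2001:8a0::|32|20020612|allocated
ripencc|PT|asn|2860|1|19930421|allocated
"""


def delegated_to_cidrs(text, country, family="ipv4"):
    """Return the CIDR strings delegated to `country` for `family` ('ipv4' or 'ipv6')."""
    cidrs = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        if len(fields) < 7:          # summary lines have fewer fields
            continue
        _registry, cc, kind, start, value, _date, _status = fields[:7]
        if cc != country or kind != family:
            continue
        if family == "ipv4":
            first = ipaddress.ip_address(start)
            last = first + int(value) - 1
            # A count such as 768 is not one prefix; summarize_address_range
            # returns the minimal set of CIDRs covering exactly that range.
            cidrs.extend(str(n) for n in ipaddress.summarize_address_range(first, last))
        else:
            cidrs.append(f"{start}/{value}")   # for IPv6 'value' is the prefix length
    return cidrs


def address_count(cidrs):
    """Total number of addresses covered by a CIDR list (how the '5,822,240' figure is obtained)."""
    return sum(ipaddress.ip_network(c).num_addresses for c in cidrs)


if __name__ == "__main__":
    pt = delegated_to_cidrs(SAMPLE_DELEGATED, "PT")
    print("\n".join(pt))
    print("addresses:", address_count(pt))
```

Feed the real file to `delegated_to_cidrs(open("delegated-ripencc-latest").read(), "PT")` and the result is the kind of list shown on the slide; the same counting step is what tells a defender how much of "their" address space is actually in scope.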
Port scanning - Process
2. Decide on a set of services you consider important
ID  Port   TCP/UDP  Service
 1     80  TCP      http
 2    443  TCP      https
 3   8080  TCP      http alternative
 4     21  TCP      FTP
 5     22  TCP      SSH
 6     23  TCP      Telnet
 7     53  UDP      DNS
 8    445  TCP      Samba
 9    139  TCP      Samba
10    161  UDP      SNMP
11   1900  UDP      UPNP
12   2869  TCP      UPNP
13   5353  UDP      MDNS
14    137  TCP      Netbios
15     25  TCP      SMTP
16    110  TCP      POP3
17    143  TCP      IMAP
18   3306  TCP      Mysql
19   5900  TCP      VNC Server
20  17185  UDP      VoIP
21   3389  TCP      Rdesktop
22   8082  TCP      TR 069
Port scanning - Process
3. Check which IPs have those ports open


4. Check versions running on those services




                 This is where it gets tricky!
Port scanning - Process
• Portugal on the internet….

                               5,822,240 allocated IPs




                               Dynamic ips




                               GPRS
Port scanning - Process
• So as we mentioned, we divided the actual scanning into two
  parts! And you might be wondering why…

  Common nmap scan for TCP:

nmap -iL ipswithftp -oA port21-FTP-with-Services -sS -sV -p21 -T5 -PN

  The problem with this is that DNS resolution and -sV (service detection) are very slow.

  So how do we solve this problem? We obviously want the domains the IPs are
  associated with, and the versions of the services running.
Port scanning - Process
• Do the fast things on the 6 mil IPs and then do the slow stuff
  merely on the IPs that are running the service we want to
  analyse.

    • nmap -iL CIDRSPT.txt -oA port21-FTP -sS -p21 -T5 -PN --host-timeout 1501 --min-hostgroup 400 --min-parallelism 10 -n

• Then we will have the list of IPs that have FTP running on port
  21 in 3 files:
           • port21-FTP.xml
           • port21-FTP.gnmap
           • port21-FTP.nmap
• Extract IPs from gnmap:
       grep -w "21/open" port21-FTP.gnmap | awk '{print $2}' > IPSWITHFTP.txt
Port scanning - Process
• Do the slow things only on the IPs that have our service running.

    • nmap -iL IPSWITHFTP.txt -oA port21-FTP-FINAL -sV -p21 -T5 -PN --host-timeout 1501 --min-hostgroup 400 --min-parallelism 10

• Then we will have the list of IPs that have FTP running on port
  21 AND the version of those services in 3 files:
         • port21-FTP-FINAL.xml
         • port21-FTP-FINAL.gnmap
         • port21-FTP-FINAL.nmap
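The two-phase procedure above ends with .gnmap files, and the grep/awk one-liner is a thin parser for them. The added example below (not PTCoreSec's code) does the same job in Python, for both phases: it pulls the IPs with the port open, and from the -sV run it pulls the version string per host and a count per product, which is the kind of number the talk later compares against Shodan. The lines in SAMPLE_GNMAP are constructed in nmap's grepable format.

```python
"""Steps 3 and 4 of the process above, on the .gnmap files nmap writes with
-oA. Added example, not PTCoreSec's code.

Each 'Ports:' entry in grepable output is
    port/state/protocol/owner/service/rpcinfo/version/
and nmap writes any '/' inside a version string as '|', so splitting on '/'
is safe. SAMPLE_GNMAP is a constructed five-host result of the -sV phase.
"""
from collections import Counter

SAMPLE_GNMAP = """\
# Nmap 6.01 scan initiated Sat Jun  9 10:00:00 2012 as: nmap -iL IPSWITHFTP.txt -oA port21-FTP-FINAL -sV -p21 -T5 -PN
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 21/open/tcp//ftp//vsftpd 2.3.4/\tIgnored State: closed (0)
Host: 192.0.2.11 ()\tStatus: Up
Host: 192.0.2.11 ()\tPorts: 21/closed/tcp//ftp///
Host: 192.0.2.12 (ftp.example.net)\tPorts: 21/open/tcp//ftp//ProFTPD 1.3.3/, 22/open/tcp//ssh//OpenSSH 5.9p1 Debian 5ubuntu1/
Host: 192.0.2.13 ()\tPorts: 21/filtered/tcp//ftp///
Host: 192.0.2.14 ()\tPorts: 21/open/tcp//ftp///
# Nmap done at Sat Jun  9 12:00:00 2012 -- 5 IP addresses (5 hosts up) scanned in 7200.00 seconds
"""


def parse_gnmap(text):
    """Yield (ip, port, state, proto, service, version) for every port entry."""
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue
        fields = line.split("\t")
        ip = fields[0].split()[1]          # 'Host: <ip> (<name>)': second token, as awk '{print $2}'
        for field in fields[1:]:
            if not field.startswith("Ports: "):
                continue
            for entry in field[len("Ports: "):].split(", "):
                parts = entry.split("/")
                if len(parts) < 7:
                    continue
                port, state, proto, _owner, service, _rpc, version = parts[:7]
                yield ip, int(port), state, proto, service, version.replace("|", "/")


def hosts_with_open_port(text, port):
    """IPs with `port` open, deduplicated, in first-seen order (the grep/awk step)."""
    seen = []
    for ip, p, state, _proto, _svc, _ver in parse_gnmap(text):
        if p == port and state == "open" and ip not in seen:
            seen.append(ip)
    return seen


def service_versions(text, port):
    """ip -> version string for hosts with `port` open ('' when -sV learned nothing)."""
    return {ip: ver for ip, p, state, _proto, _svc, ver in parse_gnmap(text)
            if p == port and state == "open"}


def product_counts(text, port):
    """How many hosts run each product (first word of the version string)."""
    return Counter((ver.split() or ["unknown"])[0]
                   for ver in service_versions(text, port).values())


if __name__ == "__main__":
    print(hosts_with_open_port(SAMPLE_GNMAP, 21))
    print(service_versions(SAMPLE_GNMAP, 21))
    print(product_counts(SAMPLE_GNMAP, 21))
```

`hosts_with_open_port(open("port21-FTP.gnmap").read(), 21)` replaces the grep/awk line for phase 1; the same parser on the FINAL file gives the versions, and `product_counts` is the per-product tally a defender wants when deciding which of their own hosts need patching first.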
Port scanning - Process
• However…we still have UDP… and let me tell u….
Port scanning - Process
Nmap also has a UDP mode, -sU, however it doesn't work very
well without -sV (read: it's shit!); when testing it in our lab we
noticed that most of the time nmap wasn't able to detect whether
there was a service running or not.

The reason for this is: “UDP scanning is slow as open/filtered
ports typically don't respond so nmap has to time out and then
retransmit whilst closed ports will send an ICMP port
unreachable error, which systems typically rate limit.”

When we started, it took us around 4 weeks to scan UDP on
the entire country on 1 port….
Port scanning - Process
                Solution ?

             SCAPY!

[Diagram: Server / Client / Service running on]
Port scanning - Process
Result of that script ?
On lab testing….
Port scanning - Process
Result of that script ?
On internet testing….
Port scanning - Process
When we started, it took us around 4+ weeks to scan UDP on the entire country on 1
port using Nmap…. We took this as a baseline first run to improve on…

Our second run, we used python+scapy and it went down!!
1 week – well, not bad for a second run, but 1 week for a port?

Our third run, we used python + multithreading fu + scapy + blackmamba – 3 days –
and this was the best we brought it down to without bringing in the big guns (read:
“asking HD Moore for help”).

                                     Fourth run – C




           Yup, entire .pt (1 port) scanned in 4 minutes and 45 seconds.
Port scanning - End


So we had our kick ass
friends, send us our kick ass
raw results… now what do
we do with them ?
Port scanning - End
Terminals are fun, BUT we want an easier
way to look at our data…

So…. We wrote a tool:

PTCoreSec Command Center!
First version
Second version
Third version
Fourth version – Current Stable
Fifth version – Currently Under development
Port scanning - Demo

 DEMO TIME!
Port scanning – The project

While we were preparing for
codebits…

We received something in
the mail….
Port scanning – The project
         Raspi
Port scanning – The project

And it got us thinking…
Port scanning, doesn’t
require a great CPU, nor
a huge amount of ram…
Port scanning – The project


So we decided to create a
distributed port scanning
project…
Port scanning – The project
    We grabbed the


And added a custom set of
scripts to it…
Port scanning – The project
Port scanning – How does it work?

       Step 1 – PTCoreSec admins request a job
       (scan) on the backend.

       Step 2 – Server side checks the current
       number of live raspi minions.

       Step 3 – Server divides the CIDRs among the
       different clients and sends them over.

       Step 4 – Clients (minions) do the scans
       and send them back to the server over
       XMLRPC.

       Step 5 – Server imports these scans into
       the MongoDB backend.
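Steps 3 and 5 are the two pieces of the server that are pure data handling, so here is an added example of both (not PTCoreSec's code): splitting the country's CIDRs into equal-sized shares for however many minions are alive, and flattening the nmap XML a minion returns into the per-host, per-port documents a MongoDB backend would store. The work-unit size (/20) and the document layout are assumptions; SAMPLE_NMAP_XML is a constructed two-host result in nmap's XML format.

```python
"""Steps 3 and 5 of the distributed scanner above. Added example, not
PTCoreSec's code; the /20 work-unit size and the document fields are
assumptions, and SAMPLE_NMAP_XML is constructed.
"""
import ipaddress
import xml.etree.ElementTree as ET


def split_cidrs(cidrs, n_minions, chunk=20):
    """Return n_minions lists of CIDRs with roughly equal address counts.

    Large blocks are first cut into /chunk subnets so one /14 cannot land
    whole on a single Raspberry Pi; each piece then goes to the least-loaded
    minion (greedy, largest pieces first).
    """
    pieces = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr)
        pieces.extend(net.subnets(new_prefix=chunk) if net.prefixlen < chunk else [net])
    pieces.sort(key=lambda n: n.num_addresses, reverse=True)
    shares = [[] for _ in range(n_minions)]
    load = [0] * n_minions
    for net in pieces:
        i = load.index(min(load))
        shares[i].append(str(net))
        load[i] += net.num_addresses
    return shares


def share_sizes(shares):
    """Addresses per share, to check how even the split came out."""
    return [sum(ipaddress.ip_network(c).num_addresses for c in s) for s in shares]


SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -p21 -oX out.xml 192.0.2.0/28" start="1339236000" version="6.01">
<host><status state="up" reason="syn-ack"/><address addr="192.0.2.10" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="21"><state state="open" reason="syn-ack"/>
<service name="ftp" product="vsftpd" version="2.3.4" method="probed" conf="10"/></port></ports></host>
<host><status state="up" reason="syn-ack"/><address addr="192.0.2.11" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="21"><state state="closed" reason="reset"/>
<service name="ftp" method="table" conf="3"/></port></ports></host>
<runstats><finished time="1339237000" elapsed="1000.00"/><hosts up="2" down="0" total="2"/></runstats>
</nmaprun>
"""


def xml_to_documents(xml_text, minion):
    """One flat document per (host, port) from an nmap XML run, tagged with the minion that scanned it."""
    root = ET.fromstring(xml_text)
    scanned_at = int(root.get("start", "0"))   # nmap records the run start as a Unix timestamp
    docs = []
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        for port in host.iter("port"):
            svc = port.find("service")
            docs.append({
                "ip": addr.get("addr"),
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "state": port.find("state").get("state"),
                "service": svc.get("name", "") if svc is not None else "",
                "product": svc.get("product", "") if svc is not None else "",
                "version": svc.get("version", "") if svc is not None else "",
                "minion": minion,
                "scanned_at": scanned_at,
            })
    return docs


if __name__ == "__main__":
    shares = split_cidrs(["2.80.0.0/14", "5.43.0.0/18", "5.159.216.0/21"], 2)
    print(share_sizes(shares))
    for doc in xml_to_documents(SAMPLE_NMAP_XML, "raspi-01"):
        print(doc)
```

Each share is what the server would hand one minion over XMLRPC as its `-iL` input; each returned XML file goes through `xml_to_documents` and the resulting dicts can be inserted as-is into a collection, keyed by ip and port so a later run can be diffed against an earlier one.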
Part 2
Business



When a client asks for a pentest
We present them with these
Business
Business
Business
Business
And that’s all really neat and pretty,
however there are 2 problems with
that! These guys don’t give a f***.




     Management              Blackhats
Management
Cares about:
               • Money
               • Money
               • Money

Does:
               • Will lie for PCI DSS/ISO27001/{Compliance}
               • Approves every single thing even if it
                 doesn’t match security department goals
                 but gets them moneys.

(Side note: This shit gives us, security peeps, headaches!)
I ask only ONE thing of you:
Leave your whitehats at home, and
SHODAN


SHODAN is a search engine that lets you find specific computers (routers,
servers, etc.) using a variety of filters. Some have also described it as a public
port scan directory or a search engine of banners.




  Another way of putting it would be:
Is the


Of these
Now combine this:



   With these:
And you get a lot of these
Also if you do anything illegal and
get caught, you’ll get one of these:
SHODAN

Now is when you ask:
Shodan


http://www.shodanhq.com/
SHODAN
Accessing that website will give you a search bar, where you can type queries
and obtain results.

Your queries can filter by ports, countries, strings contained in the
banners, and all sorts of other things.




Following is a sample set of queries that can lead to some interesting
results:
SHODAN QUERIES

•   http://www.shodanhq.com/?q=cisco-IOS
•   http://www.shodanhq.com/?q=IIS+4.0
•   http://www.shodanhq.com/?q=Xerver
•   http://www.shodanhq.com/?q=Fuji+xerox
•   http://www.shodanhq.com/?q=JetDirect
•   http://www.shodanhq.com/?q=Netgear
•   http://www.shodanhq.com/?q=%22Anonymous+access+allowed%22
•   http://www.shodanhq.com/?q=Golden+FTP+Server
SHODAN QUERIES + combined country?
           Awesome!


        Saturday, 9th
        of June 2012
SHODAN QUERIES + combined country
      Port: 3306 country:PT
SHODAN QUERIES + combined country?
           Awesome!


        Wednesday,
        6th of June
        2012
SHODAN QUERIES + combined country
        BigIP country:PT
SHODAN QUERIES + combined country?
           Awesome!


        Tuesday,
        March 13,
        2012
SHODAN QUERIES + combined country
  port:3389 -allowed country:PT
SHODAN QUERIES + combined country?
           Awesome!
SHODAN QUERIES OF AWESOMENESS
                SAP Web Application Server (ICM)


     Worldwide




     Portugal
SHODAN QUERIES OF AWESOMENESS
                SAP NetWeaver Application Server


     Worldwide




     Portugal
SHODAN QUERIES OF AWESOMENESS
                SAP Web Application Server


     Worldwide




     Portugal
SHODAN QUERIES OF AWESOMENESS
                 SAP J2EE Engine


     Worldwide




     Portugal
SHODAN QUERIES OF AWESOMENESS
SHODAN QUERIES OF AWESOMENESS
                 port:23 country:PT


     Worldwide




     Portugal
SHODAN QUERIES OF AWESOMENESS
          port:23 country:PT




                               Username:admin
                               Password:smcadmin
SHODAN QUERIES OF AWESOMENESS
          port:23 list of built-in commands
        Worldwide




   Not a big number, however just telnet in and you get shell…
SHODAN QUERIES OF AWESOMENESS
                 port:161 country:PT


     Worldwide




     Portugal
SHODAN QUERIES OF AWESOMENESS
        What sort of info do I get with SNMP ?

•   Windows RUNNING PROCESSES 1.3.6.1.2.1.25.4.2.1.2
•   Windows INSTALLED SOFTWARE 1.3.6.1.2.1.25.6.3.1.2
•   Windows SYSTEM INFO 1.3.6.1.2.1.1.1
•   Windows HOSTNAME 1.3.6.1.2.1.1.5
•   Windows DOMAIN 1.3.6.1.4.1.77.1.4.1
•   Windows UPTIME 1.3.6.1.2.1.1.3
•   Windows USERS 1.3.6.1.4.1.77.1.2.25
•   Windows SHARES 1.3.6.1.4.1.77.1.2.27
•   Windows DISKS 1.3.6.1.2.1.25.2.3.1.3
•   Windows SERVICES 1.3.6.1.4.1.77.1.2.3.1.1
•   Windows LISTENING TCP PORTS 1.3.6.1.2.1.6.13.1.3.0.0.0.0
•   Windows LISTENING UDP PORTS 1.3.6.1.2.1.7.5.1.2.0.0.0.0
SHODAN QUERIES OF AWESOMENESS
        What sort of info do I get with SNMP ?

•   Linux RUNNING PROCESSES 1.3.6.1.2.1.25.4.2.1.2
•   Linux SYSTEM INFO 1.3.6.1.2.1.1.1
•   Linux HOSTNAME 1.3.6.1.2.1.1.5
•   Linux UPTIME 1.3.6.1.2.1.1.3
•   Linux MOUNTPOINTS 1.3.6.1.2.1.25.2.3.1.3
•   Linux RUNNING SOFTWARE PATHS 1.3.6.1.2.1.25.4.2.1.4
•   Linux LISTENING UDP PORTS 1.3.6.1.2.1.7.5.1.2.0.0.0.0
•   Linux LISTENING TCP PORTS 1.3.6.1.2.1.6.13.1.3.0.0.0.0
SHODAN QUERIES OF AWESOMENESS
        What sort of info do I get with SNMP ?
•   Cisco LAST TERMINAL USERS 1.3.6.1.4.1.9.9.43.1.1.6.1.8
•   Cisco INTERFACES 1.3.6.1.2.1.2.2.1.2
•   Cisco SYSTEM INFO 1.3.6.1.2.1.1.1
•   Cisco HOSTNAME 1.3.6.1.2.1.1.5
•   Cisco SNMP COMMUNITIES 1.3.6.1.6.3.12.1.3.1.4
•   Cisco UPTIME 1.3.6.1.2.1.1.3
•   Cisco IP ADDRESSES 1.3.6.1.2.1.4.20.1.1
•   Cisco INTERFACE DESCRIPTIONS 1.3.6.1.2.1.31.1.1.1.18
•   Cisco HARDWARE 1.3.6.1.2.1.47.1.1.1.1.2
•   Cisco TACACS SERVER 1.3.6.1.4.1.9.2.1.5
•   Cisco LOG MESSAGES 1.3.6.1.4.1.9.9.41.1.2.3.1.5
•   Cisco PROCESSES 1.3.6.1.4.1.9.9.109.1.2.1.1.2
•   Cisco SNMP TRAP SERVER 1.3.6.1.6.3.12.1.2.1.7
SHODAN QUERIES OF AWESOMENESS
SHODAN QUERIES OF AWESOMENESS
                 cisco country:PT


     Worldwide




     Portugal
SHODAN QUERIES OF AWESOMENESS
          cisco country:PT
Cisco
Cisco – GRE TUNNELING
SHODAN QUERIES OF AWESOMENESS
                 port:1900 country:PT



     Worldwide




     Portugal
SHODAN QUERIES OF AWESOMENESS

      So, What is UPNP?
SHODAN QUERIES OF AWESOMENESS
     So, What uses UPNP?
SHODAN QUERIES OF AWESOMENESS
            Hackz
SHODAN QUERIES OF AWESOMENESS
            Hackz
SHODAN QUERIES OF AWESOMENESS



       UPNP zomg time
SHODAN QUERIES OF AWESOMENESS

UPNP Remote command execution
SHODAN QUERIES OF AWESOMENESS
     Oh and by the way…
SHODAN QUERIES OF AWESOMENESS

Another funny thing about UPNP, is
that you can get the MAC ADDR and
SSID its using

And then….
SHODAN (MORE INTERESTING) QUERIES
                            SCADA
•   http://www.shodanhq.com/?q=PLC
•   http://www.shodanhq.com/?q=allen+bradley
•   http://www.shodanhq.com/?q=fanuc
•   http://www.shodanhq.com/?q=Rockwell
•   http://www.shodanhq.com/?q=Cimplicity
•   http://www.shodanhq.com/?q=Omron
•   http://www.shodanhq.com/?q=Novatech
•   http://www.shodanhq.com/?q=Citect
•   http://www.shodanhq.com/?q=RTU
•   http://www.shodanhq.com/?q=Modbus+Bridge
•   http://www.shodanhq.com/?q=modicon
•   http://www.shodanhq.com/?q=bacnet
•   http://www.shodanhq.com/?q=telemetry+gateway
•   http://www.shodanhq.com/?q=SIMATIC
•   http://www.shodanhq.com/?q=hmi
•   http://www.shodanhq.com/?q=siemens+-...er+-Subscriber
•   http://www.shodanhq.com/?q=scada+RTS
•   http://www.shodanhq.com/?q=SCHNEIDER
SHODAN (MORE INTERESTING) QUERIES
          PORTUGAL?
            SCADA
SHODAN (MORE INTERESTING) QUERIES
        SCADA Portugal
SHODAN (MORE INTERESTING) QUERIES
          SCADA Portugal
SHODAN (MORE INTERESTING) QUERIES
          SCADA Portugal
SHODAN (MORE INTERESTING) QUERIES
          SCADA Portugal
SHODAN (MORE INTERESTING) QUERIES
Cameras…. Simply connected online and without
authentication…
A little tip…
If you want to quickly check for
stuff (web related) that has no
authentication, use NMAP!
A little tip…
First, let’s get wkhtmltoimage:

wget http://wkhtmltopdf.googlecode.com/files/wkhtmltoimage-0.11.0_rc1-static-i386.tar.bz2
tar -jxvf wkhtmltoimage-0.11.0_rc1-static-i386.tar.bz2
cp wkhtmltoimage-i386 /usr/local/bin/

Next, let’s get and install the Nmap module:
git clone git://github.com/SpiderLabs/Nmap-Tools.git
cd Nmap-Tools/NSE/
cp http-screenshot.nse /usr/local/share/nmap/scripts/
nmap --script-updatedb
A little tip…


Then, do your shodan search and use:



This automatically exports a list of IPs
you can import into nmap.
A little tip…
Then…
A little tip…
And nmap will automatically take
screenshots of the first pages that
appear and store them; then you just
need to look at those!
To end…
Open
ports!
SCARY SHIT!




DEFACE 1 SCARY?


    NO!
SCARY
       SHIT!




DEFACE 2 SCARY?


Well… disturbing, scary? Not so much!
SCARY SHIT!
SCARY SHIT!
SCARY SHIT!
Shodan – the bad part

• Imports nmap scans from their servers
  on a rotational basis, so it’s not always
  100% updated! We confirmed this by
  correlating some of the Shodan results
  with our own results!

• For example, on MySQL servers Shodan
  would find 785, where our results
  showed 3000+.
Shodan – the good part


• Good querying system

• If port scanning is illegal in your
  country, you’re out of trouble if
  you use Shodan, because you’re just
  querying data acquired by them.
Resources

http://secanalysis.com/interesting-shodan-searches/

blog.spiderlabs.com/2012/06/using-nmap-to-screenshot-web-services.html

http://www.youtube.com/watch?v=LPgZU7ZNIjQ – Defcon 18 2010 – SHODAN for Penetration Testers – Michael Schearer

http://www.youtube.com/watch?v=Tg9ZAvynjdk – HD Moore – Empirical Exploitation

http://www.youtube.com/watch?v=b-uPh99whw4 – HD Moore – Wild West
Requests




https://www.facebook.com/ptcoresec
Invite




http://www.securitybsides.com/w/page/61778144/BSidesLisbon
Challenge

BSides Lisbon 2023 - AI in Cybersecurity.pdfBSides Lisbon 2023 - AI in Cybersecurity.pdf
BSides Lisbon 2023 - AI in Cybersecurity.pdf
 
Pixels Camp 2017 - Stories from the trenches of building a data architecture
Pixels Camp 2017 - Stories from the trenches of building a data architecturePixels Camp 2017 - Stories from the trenches of building a data architecture
Pixels Camp 2017 - Stories from the trenches of building a data architecture
 
Pixels Camp 2017 - Stranger Things the internet version
Pixels Camp 2017 - Stranger Things the internet versionPixels Camp 2017 - Stranger Things the internet version
Pixels Camp 2017 - Stranger Things the internet version
 
The state of cybersecurity in Switzerland - FinTechDay 2017
The state of cybersecurity in Switzerland - FinTechDay 2017The state of cybersecurity in Switzerland - FinTechDay 2017
The state of cybersecurity in Switzerland - FinTechDay 2017
 
Webzurich - The State of Web Security in Switzerland
Webzurich - The State of Web Security in SwitzerlandWebzurich - The State of Web Security in Switzerland
Webzurich - The State of Web Security in Switzerland
 
BSides Lisbon - Data science, machine learning and cybersecurity
BSides Lisbon - Data science, machine learning and cybersecurity BSides Lisbon - Data science, machine learning and cybersecurity
BSides Lisbon - Data science, machine learning and cybersecurity
 
I FOR ONE WELCOME OUR NEW CYBER OVERLORDS! AN INTRODUCTION TO THE USE OF MACH...
I FOR ONE WELCOME OUR NEW CYBER OVERLORDS! AN INTRODUCTION TO THE USE OF MACH...I FOR ONE WELCOME OUR NEW CYBER OVERLORDS! AN INTRODUCTION TO THE USE OF MACH...
I FOR ONE WELCOME OUR NEW CYBER OVERLORDS! AN INTRODUCTION TO THE USE OF MACH...
 
BinaryEdge - Security Data Metrics and Measurements at Scale - BSidesLisbon 2015
BinaryEdge - Security Data Metrics and Measurements at Scale - BSidesLisbon 2015BinaryEdge - Security Data Metrics and Measurements at Scale - BSidesLisbon 2015
BinaryEdge - Security Data Metrics and Measurements at Scale - BSidesLisbon 2015
 
Codebits 2014 - Secure Coding - Gamification and automation for the win
Codebits 2014 - Secure Coding - Gamification and automation for the winCodebits 2014 - Secure Coding - Gamification and automation for the win
Codebits 2014 - Secure Coding - Gamification and automation for the win
 
Presentation Brucon - Anubisnetworks and PTCoresec
Presentation Brucon - Anubisnetworks and PTCoresecPresentation Brucon - Anubisnetworks and PTCoresec
Presentation Brucon - Anubisnetworks and PTCoresec
 
Hardware hacking 101
Hardware hacking 101Hardware hacking 101
Hardware hacking 101
 
Workshop
WorkshopWorkshop
Workshop
 
Secure coding - Balgan - Tiago Henriques
Secure coding - Balgan - Tiago HenriquesSecure coding - Balgan - Tiago Henriques
Secure coding - Balgan - Tiago Henriques
 
Practical exploitation and social engineering
Practical exploitation and social engineeringPractical exploitation and social engineering
Practical exploitation and social engineering
 
Booklet
BookletBooklet
Booklet
 
Codebits 2010
Codebits 2010Codebits 2010
Codebits 2010
 

Preso fcul

  • 1. How to dominate a country. An analysis of Portugal's internet exposure to cyber-attacks
  • 2. WHAT are you? We are: • Security researchers • Security enthusiasts • Students, corporate sheep (read: auditors), programmers, pentesters. We are not: • Lulzsec • Anonymous • A hacking group • And no, we won't help you hack your girlfriend's Facebook!
  • 3. Who are you? • Tiago Henriques: Team founder @ PTCoreSec; Pentester/Researcher @ 7Elements; @Balgan • Tiago Martins: Team vice-founder @ PTCoreSec; Researcher; @Gank_101 • Filipe Reis: Programmer @ PTCoreSec; Intern @ Layer8; @fjdreis • Jean Figueiredo: Network security researcher @ PTCoreSec; Netsec admin @ Tecnocom; @klinzter • Tomás Lima: Security Researcher @ PTCoreSec; Researcher @ FCCN; @synchroack • Paulo Figueiredo: Designer @ PTCoreSec; CEO @ ; @synchroack
  • 6. We are NOT RESPONSIBLE FOR ANY ILLEGAL ACTS OR ACTIONS PRACTICED BY YOU OR ANYONE THAT LEARNS SOMETHING FROM TODAY’S PRESENTATION.
  • 7. Causing Chaos. Q: If you guys were an attacker that was out to cause real damage or get profit, how would you go about it? A: This is what we would do: control as many machines in that country, penetrate critical systems and get as much intel/info as
  • 8. Causing Chaos. And that’s what we are gonna talk about today!
  • 9. How it all got started We’re hackers! We love knowing how to break things and how others would go on about breaking things! The difference between us and others is simple: • We want to break things legally and find a way to fix things. • We want to learn about new things and help people.
  • 11. How it all got started. We saw some talks that really inspired us, given by two great people: HD Moore and Fyodor.
  • 12. However… We also ran into a bit of a problem… Port scanning might or might not be illegal in Portugal! No one is actually sure, and we talked with multiple people: • Police • Sysadmins • Researchers • Security professionals
  • 13. What to do? • So, if you can't port scan, how do you find out what your enemies' attack surface is? • How do you know if the entire infrastructure you rely on every day is vulnerable or safe? • Security by obscurity? Right, that works well….
  • 14. What to do? • We went ahead and did the port scans in passive mode; no system was penetrated in any way whatsoever. • We did it slowly, and with plenty of time between scans so as not to cause any DoS issues.
  • 15. Port scanning • Tools of the trade: • Nmap • Wkhtmltoimage • Python • Scapy • Linux • NodeJS • MongoDB • C • Redbull + Lots of nights awake + Frustration
  • 16. Port scanning - Process 1. Get Portugal's CIDRs 2. Decide on a set of services you consider important 3. Check which IPs have those ports open (actual scanning) 4. Check the versions of those services that are running (actual scanning)
  • 17. Port scanning - Process 1. Get Portugal's CIDRs. There are two places where you can get these: • http://software77.net/geo-ip/ • ftp://ftp.ripe.net/pub/stats/ripencc/delegated-ripencc-latest (the slide then lists the resulting Portuguese CIDRs)
  • 18. Port scanning - Process 2. Decide on a set of services you consider important:
    ID  Port   TCP/UDP  Service
    1   80     TCP      http
    2   443    TCP      https
    3   8080   TCP      http alternative
    4   21     TCP      FTP
    5   22     TCP      SSH
    6   23     TCP      Telnet
    7   53     UDP      DNS
    8   445    TCP      Samba
    9   139    TCP      Samba
    10  161    UDP      SNMP
    11  1900   UDP      UPNP
    12  2869   TCP      UPNP
    13  5353   UDP      MDNS
    14  137    TCP      Netbios
    15  25     TCP      SMTP
    16  110    TCP      POP3
    17  143    TCP      IMAP
    18  3306   TCP      Mysql
    19  5900   TCP      VNC Server
    20  17185  UDP      VoIP
    21  3389   TCP      Rdesktop
    22  8082   TCP      TR 069
  • 19. Port scanning - Process 3. Check which IPs have those ports open 4. Check the versions of those services that are running. This is where it gets tricky!
  • 20. Port scanning - Process • Portugal on the internet…. 5,822,240 allocated IPs (dynamic IPs, GPRS)
  • 21. Port scanning - Process • So as we mentioned, we divided the actual scanning into two parts! And you might be wondering why… Common nmap scan for TCP: nmap -iL ipswithftp -oA port21-FTP-with-Services -sS -sV -p21 -T5 -PN The problem with this is that DNS resolution and -sV (service detection) are very slow. So how do we solve this problem? We obviously want the domains the IPs are associated with, and the versions of the services running.
  • 22. Port scanning - Process • Do the fast things on the 6 million IPs and then do the slow stuff only on the IPs that are running the service we want to analyse. • nmap -iL CIDRSPT.txt -oA port21-FTP -sS -p21 -T5 -PN --host-timeout 1501 --min-hostgroup 400 --min-parallelism 10 -n • Then we will have the list of IPs that have FTP running on port 21 in 3 files: • port21-FTP.xml • port21-FTP.gnmap • port21-FTP.nmap • Extract IPs from gnmap: cat port21-FTP.gnmap | grep -w "21/open" | awk '{print $2}' > IPSWITHFTP.txt
  • 23. Port scanning - Process • Do the slow things only on the IPs that have our service running. • nmap -iL IPSWITHFTP.txt -oA port21-FTP-FINAL -sV -p21 -T5 -PN --host-timeout 1501 --min-hostgroup 400 --min-parallelism 10 • Then we will have the list of IPs that have FTP running on port 21 AND the versions of those services in 3 files: • port21-FTP-FINAL.xml • port21-FTP-FINAL.gnmap • port21-FTP-FINAL.nmap
  • 24. Port scanning - Process • However… we still have UDP… and let me tell you….
  • 25. Port scanning - Process Nmap also has a UDP mode, -sU; however it doesn't work very well without -sV (read: it's shit!). When testing it in our lab we noticed that most of the time nmap wasn't able to detect whether there was a service running or not. The reason for this is: "UDP scanning is slow as open/filtered ports typically don't respond, so nmap has to time out and then retransmit, whilst closed ports will send an ICMP port unreachable error, which systems typically rate limit." When we started, it took us around 4 weeks to scan UDP on the entire country on 1 port….
  • 26. Port scanning - Process Solution? Scapy! [Diagram: Server, Client, Service running on]
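The grep/awk one-liner above keys on the string "21/open", which for UDP scans also matches the "open|filtered" state (grep -w treats "|" as a word boundary), so a host whose state is unknown can end up in the "running FTP" list. As an added example, not the authors' tooling, this small parser for the .gnmap files produced by both phases keeps the port state exact and pulls the -sV version field for phase two; the .gnmap excerpt is constructed, not a real scan.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed .gnmap excerpt (not a real scan). It covers the states the one-liner
# conflates: open, closed, filtered, "open|filtered" (UDP) and -sV version banners.
SAMPLE_GNMAP = """\
# Nmap 6.01 scan initiated Sat Jun  9 10:00:00 2012 as: nmap -iL CIDRSPT.txt -oA port21-FTP -sS -p21 -T5 -PN -n
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 21/open/tcp//ftp///
Host: 192.0.2.11 ()\tPorts: 21/closed/tcp//ftp///
Host: 192.0.2.12 (ftp.example.net)\tPorts: 21/open/tcp//ftp//vsftpd 2.3.4/, 22/open/tcp//ssh//OpenSSH 5.9p1/
Host: 192.0.2.13 ()\tPorts: 161/open|filtered/udp//snmp///
Host: 192.0.2.14 ()\tPorts: 21/filtered/tcp//ftp///\tIgnored State: closed (1)
# Nmap done at Sat Jun  9 10:05:00 2012 -- 5 IP addresses (5 hosts up) scanned
"""

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)$")


@dataclass(frozen=True)
class PortRecord:
    ip: str
    hostname: str   # empty when the scan ran with -n (no DNS resolution)
    port: int
    proto: str      # "tcp" or "udp"
    state: str      # open, closed, filtered, open|filtered, ...
    service: str
    version: str    # empty unless the scan ran with -sV and got a match


def parse_gnmap(text: str) -> List[PortRecord]:
    """Parse nmap grepable output into one record per (host, port)."""
    records: List[PortRecord] = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                      # comment lines, "Nmap done", etc.
        fields = line.split("\t")         # gnmap separates its fields with tabs
        match = HOST_RE.match(fields[0])
        if match is None:
            continue
        ip, hostname = match.group(1), match.group(2)
        for field in fields[1:]:
            if not field.startswith("Ports: "):
                continue                  # "Status: Up" / "Ignored State:" carry no ports
            for entry in field[len("Ports: "):].split(", "):
                # Each entry is port/state/proto/owner/service/rpc/version/
                parts = entry.split("/")
                if len(parts) < 7:
                    continue
                records.append(PortRecord(ip, hostname, int(parts[0]), parts[2],
                                          parts[1], parts[4], parts[6]))
    return records


def hosts_with_state(records: List[PortRecord], port: int, proto: str,
                     state: str = "open") -> List[str]:
    """IPs whose port/proto is in exactly `state`, in scan order, without duplicates."""
    seen: List[str] = []
    for r in records:
        if r.port == port and r.proto == proto and r.state == state and r.ip not in seen:
            seen.append(r.ip)
    return seen


def service_versions(records: List[PortRecord], port: int, proto: str) -> Dict[str, str]:
    """IP -> version banner for open ports where -sV identified the service."""
    return {r.ip: r.version for r in records
            if r.port == port and r.proto == proto and r.state == "open" and r.version}


if __name__ == "__main__":
    recs = parse_gnmap(SAMPLE_GNMAP)
    print("FTP open:", hosts_with_state(recs, 21, "tcp"))
    print("FTP versions:", service_versions(recs, 21, "tcp"))
```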
  • 27. Port scanning - Process Result of that script ? On lab testing….
  • 28. Port scanning - Process Result of that script ? On internet testing….
  • 29. Port scanning - Process When we started, it took us around 4+ weeks to scan UDP on the entire country on 1 port using Nmap…. We took this as a baseline first run to improve on… Our second run, we used python+scapy and it went down!! 1 week – well, not bad for a second run, but 1 week for a port? Our third run, we used python + multithreading fu + scapy + blackmamba – 3 days – and this was the best we brought it down to without bringing in the big guns (read: "asking HD Moore for help"). Fourth run – C. Yup, the entire .pt (1 port) scanned in 4 minutes and 45 seconds.
  • 30. Port scanning - End So we had our kick-ass friends send us our kick-ass raw results… now what do we do with them?
  • 31. Port scanning - End Terminals are fun, BUT we want an easier way to look at our data… So…. We wrote a tool: PTCoreSec Command Center!
  • 35. Fourth version – Current Stable
  • 36. Fifth version – Currently Under development
  • 37. Port scanning - Demo DEMO TIME!
  • 38. Port scanning – The project While we were preparing for codebits… We received something in the mail….
  • 39. Port scanning – The project Raspi
  • 40. Port scanning – The project And it got us thinking… Port scanning, doesn’t require a great CPU, nor a huge amount of ram…
  • 41. Port scanning – The project So we decided to create a distributed port scanning project…
  • 42. Port scanning – The project We grabbed the Raspi and added a custom set of scripts to it…
  • 43. Port scanning – The project
  • 44. Port scanning – How does it work? Step 1 – PTCoreSec admins request a job (scan) on the backend. Step 2 – Server side checks the current number of live Raspi minions. Step 3 – Server divides the CIDRs among the different clients and sends them over. Step 4 – Clients (minions) do the scans and send them back to the server over XML-RPC. Step 5 – Server imports these scans into the MongoDB backend.
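Step 3 (dividing the CIDRs among the live minions) decides how evenly the scan time is spread across the Raspis. As an added example, not the PTCoreSec backend's own code, here is one way to do it in Python: cut every block into equal-sized CIDR pieces no larger than a quarter of a minion's fair share, then hand the pieces out largest-first to the least-loaded minion. The CIDR list (three blocks named on the slides) and the worker count are constructed sample input.

```python
import ipaddress
import math
from typing import Dict, List

Net = ipaddress.IPv4Network
Jobs = Dict[int, List[Net]]

# Constructed sample input: three of the Portuguese blocks named on the slides.
SAMPLE_CIDRS = ["2.80.0.0/14", "5.43.0.0/18", "62.28.0.0/16"]


def split_to_max(block: Net, max_addresses: int) -> List[Net]:
    """Split `block` into subnets of at most `max_addresses` (a power of two) addresses."""
    if block.num_addresses <= max_addresses:
        return [block]
    new_prefix = 32 - (max_addresses.bit_length() - 1)
    return list(block.subnets(new_prefix=new_prefix))


def divide_cidrs(cidrs: List[str], workers: int) -> Jobs:
    """Assign CIDR pieces to `workers` minions so that address counts stay balanced.

    Pieces are at most a quarter of one minion's fair share (never below a /24),
    sorted largest-first and given to the least-loaded minion (LPT scheduling).
    """
    blocks = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    total = sum(b.num_addresses for b in blocks)
    fair_share = math.ceil(total / workers)
    # Largest power of two not above fair_share / 4, so every piece is a valid CIDR.
    quarter = max(fair_share // 4, 256)
    piece_max = 1 << (quarter.bit_length() - 1)
    pieces = [p for b in blocks for p in split_to_max(b, piece_max)]
    pieces.sort(key=lambda n: n.num_addresses, reverse=True)

    jobs: Jobs = {w: [] for w in range(workers)}
    loads = [0] * workers
    for piece in pieces:
        w = min(range(workers), key=lambda i: loads[i])   # least-loaded minion
        jobs[w].append(piece)
        loads[w] += piece.num_addresses
    return jobs


def job_loads(jobs: Jobs) -> List[int]:
    """Addresses assigned to each minion, in worker order."""
    return [sum(b.num_addresses for b in blocks) for blocks in jobs.values()]


def merged_coverage(jobs: Jobs) -> List[Net]:
    """Union of everything handed out; must equal the input CIDRs (nothing lost or doubled)."""
    return list(ipaddress.collapse_addresses(p for blocks in jobs.values() for p in blocks))


if __name__ == "__main__":
    jobs = divide_cidrs(SAMPLE_CIDRS, 4)
    for worker, blocks in jobs.items():
        print(f"minion {worker}: {len(blocks)} pieces, {job_loads(jobs)[worker]} addresses")
```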
  • 46. Business When a client asks for a pentest We present them with these
  • 50. Business And that’s all really neat and pretty, however there are 2 problems with that! These guys don’t give a f***. Management Blackhats
  • 51. Management. Cares about: • Money • Money • Money. Does: • Will lie for PCI DSS/ISO27001/{Compliance} • Approves every single thing, even if it doesn't match security department goals, as long as it gets them moneys. This shit gives us, security peeps, headaches!
  • 52. I ask ONLY ONE thing of you: leave your whitehats at home, and
  • 53. SHODAN SHODAN is a search engine that lets you find specific computers (routers, servers, etc.) using a variety of filters. Some have also described it as a public port scan directory or a search engine of banners. Another way of putting it would be:
  • 55. Now combine this: With these:
  • 56. And you get a lot of these
  • 57. Also, if you do anything illegal and get caught, you'll get one of these:
  • 60. SHODAN Accessing that website will give you a bar where you can type queries and obtain results. Your queries can ask for ports, countries, strings contained in the banners, and all sorts of other things. Following is a sample set of queries that can lead to some interesting results:
  • 61. SHODAN QUERIES • http://www.shodanhq.com/?q=cisco-IOS • http://www.shodanhq.com/?q=IIS+4.0 • http://www.shodanhq.com/?q=Xerver • http://www.shodanhq.com/?q=Fuji+xerox • http://www.shodanhq.com/?q=JetDirect • http://www.shodanhq.com/?q=Netgear • http://www.shodanhq.com/?q=%22Anonymous+access+allowed%22 • http://www.shodanhq.com/?q=Golden+FTP+Server
  • 62. SHODAN QUERIES + combined country? Awesome! Saturday, 9th of June 2012
  • 63. SHODAN QUERIES + combined country Port: 3306 country:PT
  • 64. SHODAN QUERIES + combined country? Awesome! Wednesday, 6th of June 2012
  • 65. SHODAN QUERIES + combined country BigIP country:PT
  • 66. SHODAN QUERIES + combined country? Awesome! Tuesday, March 13, 2012
  • 67. SHODAN QUERIES + combined country port:3389 -allowed country:PT
  • 68. SHODAN QUERIES + combined country? Awesome!
  • 69. SHODAN QUERIES OF AWESOMENESS SAP Web Application Server (ICM) Worldwide Portugal
  • 70. SHODAN QUERIES OF AWESOMENESS SAP NetWeaver Application Server Worldwide Portugal
  • 71. SHODAN QUERIES OF AWESOMENESS SAP Web Application Server Worldwide Portugal
  • 72. SHODAN QUERIES OF AWESOMENESS SAP J2EE Engine Worldwide Portugal
  • 73. SHODAN QUERIES OF AWESOMENESS
  • 74. SHODAN QUERIES OF AWESOMENESS port:23 country:PT Worldwide Portugal
  • 75. SHODAN QUERIES OF AWESOMENESS port:23 country:PT Username:admin Password:smcadmin
  • 76. SHODAN QUERIES OF AWESOMENESS port:23 list of built-in commands Worldwide Not a big number, however just telnet in and you get shell…
  • 77. SHODAN QUERIES OF AWESOMENESS port:161 country:PT Worldwide Portugal
  • 78. SHODAN QUERIES OF AWESOMENESS What sort of info do I get with SNMP ? • Windows RUNNING PROCESSES 1.3.6.1.2.1.25.4.2.1.2 • Windows INSTALLED SOFTWARE 1.3.6.1.2.1.25.6.3.1.2 • Windows SYSTEM INFO 1.3.6.1.2.1.1.1 • Windows HOSTNAME 1.3.6.1.2.1.1.5 • Windows DOMAIN 1.3.6.1.4.1.77.1.4.1 • Windows UPTIME 1.3.6.1.2.1.1.3 • Windows USERS 1.3.6.1.4.1.77.1.2.25 • Windows SHARES 1.3.6.1.4.1.77.1.2.27 • Windows DISKS 1.3.6.1.2.1.25.2.3.1.3 • Windows SERVICES 1.3.6.1.4.1.77.1.2.3.1.1 • Windows LISTENING TCP PORTS 1.3.6.1.2.1.6.13.1.3.0.0.0.0 • Windows LISTENING UDP PORTS 1.3.6.1.2.1.7.5.1.2.0.0.0.0
  • 79. SHODAN QUERIES OF AWESOMENESS What sort of info do I get with SNMP ? • Linux RUNNING PROCESSES 1.3.6.1.2.1.25.4.2.1.2 • Linux SYSTEM INFO 1.3.6.1.2.1.1.1 • Linux HOSTNAME 1.3.6.1.2.1.1.5 • Linux UPTIME 1.3.6.1.2.1.1.3 • Linux MOUNTPOINTS 1.3.6.1.2.1.25.2.3.1.3 • Linux RUNNING SOFTWARE PATHS 1.3.6.1.2.1.25.4.2.1.4 • Linux LISTENING UDP PORTS 1.3.6.1.2.1.7.5.1.2.0.0.0.0 • Linux LISTENING TCP PORTS 1.3.6.1.2.1.6.13.1.3.0.0.0.0
  • 80. SHODAN QUERIES OF AWESOMENESS What sort of info do I get with SNMP ? • Cisco LAST TERMINAL USERS 1.3.6.1.4.1.9.9.43.1.1.6.1.8 • Cisco INTERFACES 1.3.6.1.2.1.2.2.1.2 • Cisco SYSTEM INFO 1.3.6.1.2.1.1.1 • Cisco HOSTNAME 1.3.6.1.2.1.1.5 • Cisco SNMPcommunities 1.3.6.1.6.3.12.1.3.1.4 • Cisco UPTIME 1.3.6.1.2.1.1.3 • Cisco IP ADDRESSES 1.3.6.1.2.1.4.20.1.1 • Cisco INTERFACE DESCRIPTIONS 1.3.6.1.2.1.31.1.1.1.18 • Cisco HARDWARE 1.3.6.1.2.1.47.1.1.1.1.2 • Cisco TACACS SERVER 1.3.6.1.4.1.9.2.1.5 • Cisco LOGMESSAGES 1.3.6.1.4.1.9.9.41.1.2.3.1.5 • Cisco PROCESSES 1.3.6.1.4.1.9.9.109.1.2.1.1.2 • Cisco SNMP TRAP SERVER 1.3.6.1.6.3.12.1.2.1.7
  • 81. SHODAN QUERIES OF AWESOMENESS
  • 82. SHODAN QUERIES OF AWESOMENESS cisco country:PT Worldwide Portugal
  • 83. SHODAN QUERIES OF AWESOMENESS cisco country:PT
  • 84. Cisco
  • 85. Cisco – GRE TUNNELING
  • 86. SHODAN QUERIES OF AWESOMENESS port:1900 country:PT Worldwide Portugal
  • 87. SHODAN QUERIES OF AWESOMENESS So, What is UPNP?
  • 88. SHODAN QUERIES OF AWESOMENESS So, What uses UPNP?
  • 89. SHODAN QUERIES OF AWESOMENESS Hackz
  • 90. SHODAN QUERIES OF AWESOMENESS Hackz
  • 91. SHODAN QUERIES OF AWESOMENESS UPNP zomg time
  • 92. SHODAN QUERIES OF AWESOMENESS UPNP Remote command execution
  • 93. SHODAN QUERIES OF AWESOMENESS Oh and by the way…
  • 94. SHODAN QUERIES OF AWESOMENESS Another funny thing about UPNP is that you can get the MAC ADDR and SSID it's using. And then….
  • 95. SHODAN (MORE INTERESTING) QUERIES SCADA • http://www.shodanhq.com/?q=PLC • http://www.shodanhq.com/?q=allen+bradley • http://www.shodanhq.com/?q=fanuc • http://www.shodanhq.com/?q=Rockwell • http://www.shodanhq.com/?q=Cimplicity • http://www.shodanhq.com/?q=Omron • http://www.shodanhq.com/?q=Novatech • http://www.shodanhq.com/?q=Citect • http://www.shodanhq.com/?q=RTU • http://www.shodanhq.com/?q=Modbus+Bridge • http://www.shodanhq.com/?q=modicon • http://www.shodanhq.com/?q=bacnet • http://www.shodanhq.com/?q=telemetry+gateway • http://www.shodanhq.com/?q=SIMATIC • http://www.shodanhq.com/?q=hmi • http://www.shodanhq.com/?q=siemens+-...er+-Subscriber • http://www.shodanhq.com/?q=scada+RTS • http://www.shodanhq.com/?q=SCHNEIDER
  • 96. SHODAN (MORE INTERESTING) QUERIES PORTUGAL? SCADA
  • 97. SHODAN (MORE INTERESTING) QUERIES SCADA Portugal
  • 98. SHODAN (MORE INTERESTING) QUERIES SCADA Portugal
  • 99. SHODAN (MORE INTERESTING) QUERIES SCADA Portugal
  • 100. SHODAN (MORE INTERESTING) QUERIES SCADA Portugal
  • 101. SHODAN (MORE INTERESTING) QUERIES Cameras…. Simply connected online and without authentication…
  • 102. A little tip… If you want to quickly check for stuff (web related) that has no authentication, use NMAP!
  • 103. A little tip… First, let's get wkhtmltoimage:
    wget http://wkhtmltopdf.googlecode.com/files/wkhtmltoimage-0.11.0_rc1-static-i386.tar.bz2
    tar -jxvf wkhtmltoimage-0.11.0_rc1-static-i386.tar.bz2
    cp wkhtmltoimage-i386 /usr/local/bin/
    Next, let's get and install the Nmap module:
    git clone git://github.com/SpiderLabs/Nmap-Tools.git
    cd Nmap-Tools/NSE/
    cp http-screenshot.nse /usr/local/share/nmap/scripts/
    nmap --script-updatedb
  • 104. A little tip… Then, do your Shodan search and use: This automatically exports a list of IPs you can import into nmap
  • 106. A little tip… And nmap will automatically take screenshots of the first pages that appear and store them; then you just need to look at those!
  • 109. SCARY SHIT! DEFACE 1 SCARY? NO!
  • 110. SCARY SHIT! DEFACE 2 SCARY? Well… disturbing, scary? Not so much!
  • 114. Shodan – the bad part • Imports nmap scans from their servers on a rotational basis, so it's not always 100% updated! Confirmed this by correlating some of the Shodan results with our personal results! • For example, on MySQL servers Shodan would find 785, where our results showed 3000+
  • 115. Shodan – the good part • Good querying system • If port scanning is illegal in your country, you're out of trouble if you use Shodan, because you're just querying data acquired by them.
  • 116. Resources
    http://secanalysis.com/interesting-shodan-searches/
    http://blog.spiderlabs.com/2012/06/using-nmap-to-screenshot-web-services.html
    http://www.youtube.com/watch?v=LPgZU7ZNIjQ – Defcon 18 2010: SHODAN for Penetration Testers, Michael Schearer
    http://www.youtube.com/watch?v=Tg9ZAvynjdk – HD Moore – Empirical Exploitation
    http://www.youtube.com/watch?v=b-uPh99whw4 – HD Moore – Wild West

Editor's Notes

  1. Image source:http://us.123rf.com/400wm/400/400/cla78/cla781008/cla78100800263/7655075-an-old-grunge-flag-of-portugal-state.jpg
  2. Everyone had a different set of opinions.
  3. http://en.wikipedia.org/wiki/Security_through_obscurity
  4. Although not huge, it's still nearly 6 million IP addresses
  5. -iL – file with IPs; -oA – saved output; -sS – SYN stealth scan; -sV – service detection; -p21 – port; -T5 – supa dupa ultra fast; -PN – don't ping
  6. --host-timeout 1501 – wait the minimum time on a host; -n – don't do DNS resolution; --min-parallelism 10 – probes (instances); --min-hostgroup 400 – each probe does 400 hosts at a time
  7. --host-timeout 1501 – wait the minimum time on a host; -n – don't do DNS resolution; --min-parallelism 10 – probes (instances); --min-hostgroup 400 – each probe does 400 hosts at a time
  8. http://stackoverflow.com/questions/10531618/how-to-retrieve-both-tcp-and-udp-ports-with-nmap
  9. Server: netcat running on UDP port 11111. Client checks for a service on port 11111.
  10. Source:http://blog.stalkr.net/2010/05/udp-scan-with-icmp-port-unreachable-and.html
  11. Source:http://blog.stalkr.net/2010/05/udp-scan-with-icmp-port-unreachable-and.html
  12. Img source: http://i.i.com.com/cnwk.1d/i/tim/2012/06/19/Raspberry_Pi_35332544_05_1.jpg
  13. Img source: http://elinux.org/R-Pi_Hub
  14. Img source: http://elinux.org/R-Pi_Hub
  15. http://www.shodanhq.com/?q=Xerver (REF: http://www.exploit-db.com/exploits/9718) http://www.shodanhq.com/?q=Golden+FTP+Server (REF: http://www.exploit-db.com/exploits/10258)
  16. https://community.rapid7.com/community/metasploit/blog/2012/06/11/scanning-for-vulnerable-f5-bigips-with-metasploit https://community.rapid7.com/community/metasploit/blog/2012/06/25/press-f5-for-root-shell
  17. SAP applications, provide the capability to manage financial, asset, and cost accounting, production operations and materials, personnel, plants, and archived documents.
  18. SNMP
  19. Source:http://opasylum.net/WikiTreason/pentest/scanners/snmp/snmpenum/windows.txt
  20. Source:http://opasylum.net/WikiTreason/pentest/scanners/snmp/snmpenum/windows.txt
  21. Source:http://opasylum.net/WikiTreason/pentest/scanners/snmp/snmpenum/windows.txt
  22. SNMP
  23. SNMP
  24. SNMP
  25. SNMP
  26. SNMP
  27. UPNP
  28. UPNP
  29. Explain FIREWALL THINGIE
  30. UPNP
  31. UPNP
  32. UPNP
  33. UPNP
  34. UPNP
  35. UPNP
  36. Source:http://blog.spiderlabs.com/2012/06/using-nmap-to-screenshot-web-services.html
  37. Source:http://blog.spiderlabs.com/2012/06/using-nmap-to-screenshot-web-services.html
  38. Source:http://blog.spiderlabs.com/2012/06/using-nmap-to-screenshot-web-services.html
  39. Source:http://blog.spiderlabs.com/2012/06/using-nmap-to-screenshot-web-services.html
  40. SNMP
  41. SNMP
  42. SNMP
  43. SNMP
  44. SNMP
  45. SNMP
  46. SNMP