Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (20)
Similar to Nmap 9 truth "Nothing to say any more"
Similar to Nmap 9 truth "Nothing to say any more" (20)
More from abend_cve_9999_0001
More from abend_cve_9999_0001 (18)
Recently uploaded
Recently uploaded (20)
Nmap 9 truth "Nothing to say any more"
- 1. Nothing to say any more Nmap 9 truth
- 2. Profile 小河 哲之 Twitter:abend ISOG-WG1 Burp Suite Japan User Group Prosit 2
- 3. Trigger of this presentation I wrote the article about Nmap in Software Design May,2016 issue. Today, I will talk about the things I noticed during writing that article. (In this presentation, no version description means v7.12.) 3
- 4. At first I will introduce 8 hidden options of Nmap, and only one type of malware(worm) that Nmap could detect. And I will also talk about how to utilize Nmap well. 8 hidden option + 1 type of malware = 9 truth 4
- 5. Nmap One of network scanners. Gordon Lyon developed it in 1997. - Portscan - Searching Hosts - Detect OS, Services - Vulnerability Scan 5
- 6. 8 hidden options In Nmap, there are hidden options which are not indicated on Reference Guide and Help. 6
- 8. --noninteractive Nmap is the interactive application. Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2016-07-30 23:38 JST Stats: 0:00:01 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan SYN Stealth Scan Timing: About 0.10% done 8
- 9. --noninteractive With this option, we CAN stop interaction with enter-key for watching scan progress. 9
- 10. --noninteractive nmap_tty.cc, line 336-342; "Interactive keyboard commands:n" "? Display this informationn" "v/V Increase/decrease verbosityn" "d/D Increase/decrease debuggingn" "p/P Enable/disable packet tracingn" "anything else Print statusn" "More help: https://nmap.org/book/man-runtime- interaction.htmln"); 10
- 11. --noninteractive Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2016-07-30 23:39 JST Packet Tracing enabled. SENT (1.6510s) TCP 192.168.217.130:45411 > 192.168.217.131:8888 S ttl=41 id=54162 iplen=44 seq=1659576208 win=1024 <mss 1460> RCVD (1.6509s) TCP 192.168.217.131:8888 > 192.168.217.130:45411 RA ttl=64 id=0 iplen=40 seq=0 win=0 Packet Tracing disabled. 11 Press ‘p’ Press ‘P’
- 12. --noninteractive We can turn on packet tracing with 'p', and also turn on a forgotten option, turn off a designated option interactively. 12
- 13. --noninteractive Interaction function of Nmap enables us to confirm that Nmap runs properly with some options temporarily in the case of very slow scanning. --noninteractive disables it. 13
- 14. --noninteractive In Japanese reference guide, 14 This option is still not built in Nmap. This item need to be added some contents or deleted.
- 15. --noninteractive This option was added to Nmap at v4.00(2006/1/31), so I guess that Japanese reference guide was written before that version. 15
- 17. --nogcc 17
- 18. --nogcc Nmap send packets to the designated segment(s) all at once. So scan time will be short. Average time of 10 scans(/24, SYN Scan) no option : 9.62sec with --nogcc : 3.73sec 18
- 20. --nogcc Filtered host and the host in which some service running are not detected. no option:9 hosts With --nogcc:7 hosts ※Because of slow response of arp, one host is not detected. --send-ip option resolved the situation. 20
- 21. --nogcc Nmap control congestion, but -- nogcc make the control off, so all packets will be sent at once. 21
- 22. --nogcc scan_engine.cc, line 394-403; /* In case the user specifically asked for no group congestion control */ if (o.nogcc) { if (when) *when = USI->now; return true; } 22
- 23. --nogcc Three points of congestion control in Nmap. • congestion window • exponential backoff • slow start 23
- 24. --nogcc • congestion window → if detect drop, then reduce amount of packets • exponential backoff → if detect drop, then slow down dramatically • slow start → scanning speed up gradually 24
- 25. --nogcc With --nogcc option, Nmap sends scan packets all at once, so possible to increase load. And, no consequences of congestion is provided to lead the precision reduction, which can lead to false negative. The option for naughty people. 25
- 27. --route-dst 27
- 28. --route-dst Option to confirm the IP routing destination specified for each interface # nmap –e eth0 --route-dst 8.8.8.8 Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2016-09-20 12:41 JST 8.8.8.8 eth0 eth0 srcaddr 192.168.1.209 nexthop 192.168.1.254 28
- 31. -I(uppercase i) ident scan seems not been originally implemented. case 'I': error("WARNING: identscan (- I) no longer supported. Ignoring -I"); break; // o.identscan++; break; 31
- 33. -thc 33
- 34. -thc # nmap -thc !!Greets to Van Hauser, Plasmoid, Skyper and the rest of THC!! It means “Congratulation!” 34
- 36. -oH 36
- 37. The option for output in HTML format. If there is a leak in the escape, it can lead to XSS. 37 -oH
- 38. -oH From 2.30BETA16 to 3.93, } else if (strcmp(long_options[option_index].name, "oH") == 0) { fatal("HTML output is not yet supported"); ※I don't check this in all version. 38
- 39. -oH From 3.94ALPHA1 to 7.12 } else if (strcmp(long_options[option_index].name, "oH") == 0) { fatal("HTML output is not directly supported, though Nmap includes an XSL for transforming XML output into HTML. See the man page."); ※ I don't check this in all version. 39
- 40. -oH This option perhaps have not been implemented yet. I wanted to see XSS of Nmap. 40
- 42. --ff 42
- 43. --ff The option for 16 byte fragmentation. “-f” option in reference is for 8 byte fragmentation. 43
- 44. --ff Both “-f” and “--ff” fragment byte amount will increase. } else if (strcmp(long_options[option_index]. name, "ff") == 0) { o.fragscan += 16; 44
- 45. --ff What happens in this case. 45 nmap -f -f --ff --ff 192.168.1.1
- 46. --ff "-f" equals 8 x 2 byte + "--ff" 16 x 2 byte = 48 byte fragmentation. Same as -v -vv. 46
- 47. --ff You can learn about "How many bytes the fragmentation is?" as elementary school level ;-p nmap -f -f --ff 192.168.1.1 47
- 48. --ff If you want to fragment more simply, you’ve better to use “-mtu XX” option than “-f” or “--ff”. nmap -mtu 24 192.168.1.1 48
- 49. 49 --ff Conclusion: Useless, expect for elementary school children
- 51. --deprecated-xml-osclass This seems to be option for osclass to become child-tag of osmatch of -oX. Unknown option. 51
- 52. --deprecated-xml-osclass There are some options include the symbol like hyphen etc., which option set can be performed for specifying the maximum delay time? ① --max-scan-delay ② --max_scan_delay 52
- 53. --deprecated-xml-osclass Both can be performed. All options of Nmap can be spesified and performed with hyphen or underscore. But, mix of both is absolutely bad way. 53
- 54. --deprecated-xml-osclass nmap.cc, line 597-598. There are definitions of hyphen and underscore. {"max_scan_delay", required_argument, 0, 0}, {"max-scan-delay", required_argument, 0, 0}, deprecated-xml-osclass has both definitions, too. 54
- 55. I introduce the comment of osscan.cc line 1209, befitting my feeling at finding this bug. --deprecated-xml-osclass 55
- 56. char *p, *q; /* OH YEAH!!!! */ --deprecated-xml-osclass 56
- 57. Well, let's read Japanese reference guide. --deprecated-xml-osclass 57
- 59. --deprecated-xml-osclass 59 If you use actually this mixed option, you will watch this. nmap: unrecognized option '-- max_scan-delay' See the output of nmap -h for a summary of options.
- 60. There is a mistake only in Japanese reference guide!! --deprecated-xml-osclass 60
- 61. --deprecated-xml-osclass 61 max_scan_delay option is ... • Added in v3.75(2004/10/18) • Both hyphen and underscore have been possible to use from v3.99(2 006/1/25)
- 62. --deprecated-xml-osclass 62 There are 11 versions between v3.7 5 and v3.99(2006/1/25). All 11 vers ions supported only underscore, the re was no mix. The fact talks that it is merely typo.
- 63. --deprecated-xml-osclass 63 Japanese reference guide is not only o ld but also has a mistake. I introduce the comment of netutil.cc line 4478, befitting my feeling at finding this.
- 64. continue; /* D'oh! */ In Japanese:おいおい、なんてこった --deprecated-xml-osclass 64
- 66. 66 ~Progress on the way~ All 8 option are useless.
- 67. The only one malware that can be detected 67
- 68. One malware(worm) Nmap can find only one malware(and infected host) by service scan. 68
- 69. Service Scan Service Scan(-sV option)have intensity(--version-intensity). Intensity default is 7, but we can specify it 0-9. 69
- 70. Service Scan There are information about port number and finger print in nmap- service-probes. The rarity in this file is intensity. 70
- 71. Service Scan There are 126 patterns in nmap- service-probes. 71 Num Rarity 2 6 0 3 8 9 12 5 50 31 0 10 20 30 40 50 60 None 1 2 3 4 5 6 7 8 9 Not be executed without intensity.
- 72. Service Scan Only with –sV option, you can only take advantage of about 30% this feature. With intensity, we may be able to detect pc-anywhere or JavaRMI better. 72
- 73. Service Scan This is one of rarity 9. Probe TCP mydoom q|x0dx0d| rarity 9 ports 706,3127-3198 match mydoom m|x04x5b000000| p/MyDoom virus backdoor/ v/v012604/ 73
- 74. Service Scan This is one of rarity 9. Probe TCP mydoom q|x0dx0d| rarity 9 ports 706,3127-3198 match mydoom m|x04x5b000000| p/MyDoom virus backdoor/ v/v012604/ 74
- 75. _人人人人人人人人人_ > mydoom !? <  ̄Y^Y^Y^Y^Y^Y^Y ̄ 75
- 77. Mydoom 77 Appeared in 2004. It used e-mail to extend infection, and made attack to www.sco.com etc. in a certain period of time. It listens on a specific port. ※"cho-kimochiii" that means excellent! by Kosuke Kitajima, gold medalist in Beijing Olympic, get the first prize in vogue word prize.
- 78. I tried 78 Infection in Windows XP SP3.
- 80. Without intensity 80 # nmap -p- -sV IP address PORT STATE SERVICE VERSION 21/tcp open ftp Microsoft ftpd 25/tcp open smtp Microsoft ESMTP 6.0.2600.5949 80/tcp open http Microsoft IIS httpd 5.1 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows 98 netbios-ssn 443/tcp open https? 445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds 1025/tcp open msrpc Microsoft Windows RPC 5424/tcp open unknown
- 81. With intensity 81 # nmap -p- -sV --version-intensity 9 IP address PORT STATE SERVICE VERSION 21/tcp open ftp Microsoft ftpd 25/tcp open smtp Microsoft ESMTP 6.0.2600.5949 80/tcp open http Microsoft IIS httpd 5.1 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows 98 netbios-ssn 443/tcp open https? 445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds 1025/tcp open msrpc Microsoft Windows RPC 5424/tcp open mydoom MyDoom virus backdoor v012604
- 82. Nmap covered Mydoom!! 82 In Nmap 4.00(released in 31/1/2006), the new probe for Mydoom added over 2 years!!
- 83. Not afraid Mydoom with this probe 83 Only with one option, we can find Mydoom!
- 84. 84 Nothing to say any more
- 85. 85 The only one malware that can be detected Conclusion: Useless, except for the people in trouble with Mydoom
- 86. 86 Summary
- 87. 87 Summary All of 9 truth are useless. It’s natural that they are not in Reference Guide or help.
- 88. Nmap One of network scanners. Gordon Lyon developed it in 1997. - Portscan - Searching Hosts - Detect OS, Services - Vulnerability Scan - Support for naughty - Arithmetic lesson - Detect only one worm 88 New!!
- 89. At last Say good bye to all, watching line 845 in service_scan.cc. 89
- 90. if (newstrlen < 3) return -1; // Have a nice day! 90