
Monday, March 1, 2010

Nmap using TOR

Got a good video about how to do scanning using nmap and TOR. It increases the anonymity factor.


For further reference, refer here. Also this could be useful.

Sunday, February 14, 2010

Nullcon Capture The Flag 2010 hacking competition : How did I crack it

Recently I had been to Nullcon, Goa, 2010 - International Hacking and Security Conference. Well, a lot to say. It was a great experience. My first hacking experience, unforgettable. Here are the details:


Goal : There was a server, we had to shut it down.

Hint: "It's there in the air"


Step 1: I found the wireless network they had configured for the challenge. Definitely the server is inside that network. It was a WEP-encrypted network. I used aircrack-ng in Backtrack 4. Steps are explained here. A better explanation could be helpful. Still confused!!! Then watch this:




Step 2: Once I got the key and connected to the network, I started looking for the server. Now here they had configured two networks: one with 192-series IPs that I was connected to and another one with 172-series IPs where the server is. Also they had configured the firewall in the router so that no packets could reach the 172 network. So first the firewall had to be disabled. But root privilege was required to do so. So the task is, gain root access to the router 192.68.1.1.

Fingerprinting using nmap (nmap -O ip) gave the firmware details of the router: it was dd-wrt firmware. Searched for the existing vulnerabilities or exploits for that and found the cgi-bin vulnerability. It could be exploited by a command-line approach or using metasploit. I found metasploit easier and faster as well. Once done successfully, I got a root shell on the router.


Step 3: Now disable the firewall.


They had set up iptables rules to drop the packets. So here are the commands:


iptables -L -nv


It showed the configured rule to drop all the packets mentioned earlier.

Now,

iptables -P FORWARD ACCEPT

iptables -F FORWARD


It allowed the connections through. If you want to allow only traffic from your machine, then (your_machine_ip is a placeholder for your own address; the address was missing from the original command):


iptables -I FORWARD -p all -s your_machine_ip -j ACCEPT


Once this was done, I was able to reach the server, which was 172.16.1.2 (I guess).


Step 4: Now I could ping the server. Now I had to get into the server. So I did a port scan on that machine:


nmap -sS -PT 172.16.1.2 (requires root privilege)


Found port 445 was open. It was SMB over TCP. An exploit was already available in metasploit. So just ran that and BINGO... I got the command prompt of the server.


Step 5: Shut down the server. Since I was already inside the server, the only thing required was to run the following:


SHUTDOWN -s -t 01


And I was done...

Wednesday, January 13, 2010

Invisible Nmap

Nmap is a powerful tool for network scanning. Whether it is good or bad is a different question and that is up to the users' motives in using it. It has a lot of options. Here are some of those options put together to get a reasonable amount of information about an IP or network without bothering the owner by telling her about your existence :). Not sure though how efficient it would be considering the latest IDS/IPSes. But that's all I could get out of the options provided by NMAP. The command and its explanation are as follows:

sudo nmap -n -sS -f -A -T1 -S fake_ip -e interface_to_use -D fake_ip1,fake_ip2,fake_ip3,ME -vvv ip_to_scan -P0

sudo: You have to have root permission to run it.
-n: Do not resolve hosts. Show the IPs.
-sS: Stealth SYN scan. Supposed to be less noisy.
-f: Fragment the packets before sending them to ip_to_scan. Reduces the chance of getting detected. New IDS/IPS can still catch it (as per the information I got).
-A: Do OS and version detection, script scanning, and traceroute.
-T1: Range is T0 (slowest) to T5 (fastest) - speed of execution. Slower packet sending increases your anonymity.
-S fake_ip: Use fake_ip as the source of the packets.
-e interface_to_use: Since the source address is spoofed in the previous option, you have to give the network interface to send/receive packets on.
-D fake_ip1,fake_ip2,fake_ip3,ME: Decoy option - use all these fake_ips and ME (my own IP) as sources for the probes (the list is comma-separated with no spaces). More invisibility.
-vvv: Very very verbose mode. Explains the output more elaborately.
ip_to_scan: IP/Network to scan.
-P0: Do not ping, only scan. Saves time and finds more machines.
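From the defender's side, the options above leave a pattern in firewall or flow logs: one host sends bare SYNs to many distinct ports on a target without ever completing a session, and with -D every decoy address shows exactly the same pattern as ME. This added example (my own code, not from the original post or from nmap) runs such a detector over constructed flow records; the record layout, the 15-second probe spacing used to model -T1, and all addresses are assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample records modelled on a firewall/flow log:
# (seconds since start, src_ip, dst_ip, dst_port, tcp_flags).
# "S" is a bare SYN (what -sS sends); "PA" marks a completed, data-carrying session.
SCANNER, DECOYS, TARGET = "10.0.0.5", ("198.51.100.7", "203.0.113.9"), "10.0.0.100"
SAMPLE_FLOWS = []
for i, port in enumerate(range(20, 36)):          # 16 ports, one probe every 15 s (-T1 pacing)
    for src in (SCANNER,) + DECOYS:                # -D: decoys and ME emit identical probes
        SAMPLE_FLOWS.append((i * 15, src, TARGET, port, "S"))
SAMPLE_FLOWS += [(5, "10.0.0.8", TARGET, 443, "S"), (5, "10.0.0.8", TARGET, 443, "PA"),
                 (90, "10.0.0.8", TARGET, 80, "S"), (90, "10.0.0.8", TARGET, 80, "PA")]


def syn_scan_alerts(flows, min_ports=10, window=60):
    """Return {(src, dst): sorted ports} for sources that SYN-probed at least
    min_ports distinct ports on one host within `window` seconds and never
    completed a session to any of those ports (the half-open -sS signature)."""
    completed = {(s, d, p) for (_, s, d, p, f) in flows if f != "S"}
    probes = defaultdict(list)
    for t, s, d, p, f in flows:
        if f == "S" and (s, d, p) not in completed:
            probes[(s, d)].append((t, p))
    alerts = {}
    for key, events in probes.items():
        events.sort()
        for i, (t0, _) in enumerate(events):        # sliding window over probe times
            ports = {p for t, p in events[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                alerts[key] = sorted(ports)
                break
    return alerts


def cluster_decoys(alerts):
    """Group alerting sources that hit the same target with the same port set.
    A decoy (-D) scan produces one such group; only one member is the real origin,
    so the group, not each address, is the unit to investigate."""
    groups = defaultdict(list)
    for (src, dst), ports in alerts.items():
        groups[(dst, tuple(ports))].append(src)
    return [sorted(srcs) for srcs in groups.values()]


if __name__ == "__main__":
    # A 60 s window misses the slow -T1 scan; a wider window (count over an hour) catches it.
    print("60 s window:", syn_scan_alerts(SAMPLE_FLOWS))
    print("1 h window: ", cluster_decoys(syn_scan_alerts(SAMPLE_FLOWS, window=3600)))
```

The slow-timing option only defeats a detector with a short window; counting distinct ports per source over a longer period recovers the scan, and the decoys all appear together.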