HOW TO DOMINATE A COUNTRY.
         Codebits 2012
        T.H.,J.F.,T.M.,F.R.
          @PTCoreSec
WHAT ARE YOU ?
We are:
• Security Researchers
• Security enthusiasts
• Students, corporate sheep (read: auditors),
  programmers, pentesters
• Beer lovers 
We are not  :
• Lulzsec
• Anonymous
• Hacking group
• And no, we won’t help you hack your girlfriend’s Facebook!
       • Ok… that depends on the amount of beer
         involved! 
WHO ARE YOU ?

• Tiago Henriques
    • Team founder and leader @ PTCoreSec
    • Pentester/Researcher @ 7Elements
    • @Balgan

• Tiago Martins
    • Team vice-founder @ PTCoreSec
    • Researcher
    • @Gank_101

• Filipe Reis
    • Programmer @ PTCoreSec
    • Intern @ Layer8
    • @fjdreis

• Jean Figueiredo
    • Network security researcher @ PTCoreSec
    • Netsec admin @ Tecnocom
    • @klinzter
WHO ARE YOU ?
TOPICS
WE ARE   NOT
RESPONSIBLE FOR ANY ILLEGAL
ACTS OR ACTIONS PRACTICED BY
YOU OR ANYONE THAT LEARNS
SOMETHING FROM TODAY’S
PRESENTATION.
CAUSING CHAOS.

Q:If you guys were an attacker that
was out to cause real damage or get
profit, how would you go on about it ?
A:This is what we would do, control as
many machines in that country,
penetrate critical systems and get as
much intel/info as possible.
CAUSING CHAOS.
And that’s what we are gonna talk about today!
HOW IT ALL GOT STARTED


We’re hackers! We love knowing how to break things and how
others would go on about breaking things!

The difference between us and others is simple:

• We want to break things legally and find a way to fix things.
• We want to learn about new things and help people.
PORT SCANNING….
HOW IT ALL GOT STARTED
We saw some talks that really inspired us given by two great people

     HD Moore                                    Fyodor
HOWEVER…
We also ran into a bit of a problem…


Portscanning might or might not be illegal in Portugal!

No one is actually sure, and we talked with multiple people:
   • Police
   • Sysadmins
   • Researchers
   • Security professionals
WHAT TO DO ?
   • So, if you can’t port scan, how do you find out what your enemy’s attack
     surface is?

   • How do you know if the entire infrastructure you rely on every day is
     vulnerable or safe?

   • Security by obscurity? Right that works well….


But like I said before…we’re hackers, so we hacked the law and rules and bent
them to our favor!
WHAT TO DO ?


• Port scanning isn’t illegal in 2 nice places! Sweden and USA!

• So we got 2 friends of ours who knew nothing of portscanning and
  wanted to learn, taught them how to portscan the big internets, and
  then they sent the raw results to us…
PORT SCANNING


• Tools of the trade:
   • Nmap
   • Wkhtmltoimage
   • Python
   • Scapy
   • Linux
   • NodeJS
   • MongoDB
   • C
   • Redbull + lots of nights awake + frustration
PORT SCANNING - PROCESS


1. Get Portugal’s CIDRs

2. Decide on a set of services you consider important

3. Check which IPs have those ports open (actual scanning)

4. Check versions running of those services (actual scanning)
PORT SCANNING - PROCESS
1. Get Portugal’s CIDRs
There are two places where you can get these:


         • http://software77.net/geo-ip/


         • ftp://ftp.ripe.net/pub/stats/ripencc/delegated-ripencc-latest
PORT SCANNING - PROCESS
2. Decide on a set of services you consider important
ID  Port   TCP/UDP  Service
 1     80  TCP      http
 2    443  TCP      https
 3   8080  TCP      http alternative
 4     21  TCP      FTP
 5     22  TCP      SSH
 6     23  TCP      Telnet
 7     53  UDP      DNS
 8    445  TCP      Samba
 9    139  TCP      Samba
10    161  UDP      SNMP
11   1900  UDP      UPNP
12   2869  TCP      UPNP
13   5353  UDP      MDNS
14    137  TCP      Netbios
15     25  TCP      SMTP
16    110  TCP      POP3
17    143  TCP      IMAP
18   3306  TCP      Mysql
19   5900  TCP      VNC Server
20  17185  UDP      VoIP
21   3389  TCP      Rdesktop
22   8082  TCP      TR 069
PORT SCANNING - PROCESS

3. Check which IPs have those ports open

4. Check versions running of those services

                  This is where it gets tricky!
PORT SCANNING - PROCESS
• Portugal on the internet….
   • 5,822,240 allocated IPs
   • Dynamic IPs
   • GPRS
PORT SCANNING - PROCESS
• So as we mentioned, we divided the actual scanning into two parts!
  And you might be wondering why…
   Common nmap scan for TCP

nmap -iL ipswithftp -oA port21-FTP-with-Services -sS -sV -p21 -T5 -PN

  The problem with this is that DNS resolution and -sV (service detection) are very slow.

  So how do we solve this problem? We obviously want the domains the IPs are associated with,
  and the versions of the services running.
PORT SCANNING - PROCESS
• Do the fast things on the 6 million IPs and then do the slow stuff only
  on the IPs that are running the service we want to analyse.
            • nmap -iL CIDRSPT.txt -oA port21-FTP -sS -p21
               -T5 -PN --host-timeout 1501 --min-hostgroup
               400 --min-parallelism 10 -n
          (-n skips DNS resolution here; -sV is left for the second pass)
• Then we will have the list of IPs that have FTP running on port 21 in
  3 files:
            • Port21-FTP.xml
            • Port21-FTP.gnmap
            • Port21-FTP.nmap
• Extract IPs from the gnmap (file name kept in the same case as the next command reads it):
       cat port21-FTP.gnmap | grep -w "21/open" | awk '{print $2}' > IPSWITHFTP.txt
PORT SCANNING - PROCESS
• Do the slow things only on the IPs that have our service running.

     • nmap -iL IPSWITHFTP.txt -oA port21-FTP-FINAL -sV -p21 -T5
       -PN --host-timeout 1501 --min-hostgroup 400 --min-parallelism 10

• Then we will have the list of IPs that have FTP running on port 21
  AND the version of those services in 3 files:
          • Port21-FTP-FINAL.xml
          • Port21-FTP-FINAL.gnmap
          • Port21-FTP-FINAL.nmap
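An added example (not the authors’ code) that does the job of the grep/awk one-liner above but parses the gnmap format properly, so it also copes with multi-port lines and with UDP states, and then builds the second-pass -sV command from the talk. The gnmap lines are a constructed sample.

```python
import ipaddress
from typing import Dict, List, Sequence

# Constructed sample of nmap "grepable" output (-oG / the .gnmap file from -oA),
# the format the awk one-liner reads. Each entry inside "Ports:" is
# port/state/protocol/owner/service/rpcinfo/version/ and entries are comma separated.
SAMPLE_GNMAP = """\
# Nmap 6.01 scan initiated (constructed sample) as: nmap -iL CIDRSPT.txt -oA port21-FTP -sS -p21
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 21/open/tcp//ftp///\tIgnored State: closed (0)
Host: 192.0.2.11 ()\tPorts: 21/closed/tcp//ftp///
Host: 192.0.2.12 ()\tPorts: 21/filtered/tcp//ftp///
Host: 192.0.2.13 ()\tPorts: 53/open|filtered/udp//domain///
Host: 192.0.2.14 ()\tPorts: 21/open/tcp//ftp//vsftpd 2.3.4/, 22/open/tcp//ssh//OpenSSH 5.9p1/
# Nmap done (constructed sample)
"""


def parse_gnmap(text: str) -> Dict[str, List[dict]]:
    """Return {ip: [{port, proto, state, service, version}, ...]} for every
    Host: line that carries a Ports: field (Status:-only lines are skipped)."""
    hosts: Dict[str, List[dict]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        ip = fields[0].split()[1]
        ports_field = next((f for f in fields if f.startswith("Ports:")), None)
        if ports_field is None:
            continue
        for entry in ports_field[len("Ports:"):].split(","):
            parts = entry.strip().split("/")
            if len(parts) != 8:  # malformed entry: skip it rather than abort a country-sized run
                continue
            port, state, proto, _owner, service, _rpc, version, _ = parts
            hosts.setdefault(ip, []).append({
                "port": int(port), "proto": proto, "state": state,
                "service": service, "version": version,
            })
    return hosts


def hosts_with_state(hosts: Dict[str, List[dict]], port: int, proto: str = "tcp",
                     states: Sequence[str] = ("open",)) -> List[str]:
    """IPs that have port/proto in one of `states`, sorted numerically.
    For UDP pass states=("open", "open|filtered"): nmap reports silence as
    open|filtered, which is exactly why a plain -sU pass cannot tell you
    whether a service is really there."""
    hits = [ip for ip, ports in hosts.items()
            if any(p["port"] == port and p["proto"] == proto and p["state"] in states
                   for p in ports)]
    return sorted(hits, key=ipaddress.ip_address)


def phase2_command(ip_list_file: str, port: int, out_prefix: str) -> str:
    """The slow service-detection pass (-sV) from the slide, restricted to the
    hosts the fast pass found; same options as the talk's second nmap run."""
    return (f"nmap -iL {ip_list_file} -oA {out_prefix} -sV -p{port} -T5 -PN "
            f"--host-timeout 1501 --min-hostgroup 400 --min-parallelism 10")


if __name__ == "__main__":
    found = parse_gnmap(SAMPLE_GNMAP)
    ftp_hosts = hosts_with_state(found, 21)
    print("\n".join(ftp_hosts))          # what would go into IPSWITHFTP.txt
    print(phase2_command("IPSWITHFTP.txt", 21, "port21-FTP-FINAL"))
```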
PORT SCANNING - PROCESS
• However…we still have UDP… and let me tell u….
PORT SCANNING - PROCESS
Nmap also has a UDP mode (-sU), however it doesn’t work very well
without -sV (read: it’s shit!); when testing it in our lab we noticed that
most of the time nmap wasn’t able to detect whether there was a service
running or not.

The reason for this is: “UDP scanning is slow as open/filtered ports
typically don't respond so nmap has to time out and then retransmit
whilst closed ports will send a ICMP port unreachable error, which
systems typically rate limit.”

When we started, it took us around 4 weeks to scan UDP on the
entire country on 1 port….
PORT SCANNING - PROCESS
                 Solution ?

              SCAPY!

[Figure: Scapy UDP probe script, server and client side, with a lab service running on port 11111]
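An added illustration, not the talk’s Scapy script, of the three outcomes the quoted explanation describes: reply, ICMP port unreachable, or silence. It probes only a constructed local echo service and a free local port, and uses a connected UDP socket so that on Linux the ICMP port unreachable surfaces as ECONNREFUSED without raw sockets or root.

```python
import socket
import threading

# One UDP probe can end three ways, which is why -sU is slow and ambiguous:
#   a datagram comes back         -> "open"
#   ICMP port unreachable arrives -> "closed"        (most hosts rate-limit these)
#   nothing at all                -> "open|filtered" (you only learn this by timing out)


def udp_probe(host: str, port: int, payload: bytes = b"\x00", timeout: float = 1.0) -> str:
    """Send one datagram and classify the answer. The socket is *connected* on
    purpose: the kernel then reports an incoming ICMP port unreachable for this
    destination as ECONNREFUSED on the next recv() (Linux behaviour; other
    systems may simply stay silent and land in open|filtered)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        sock.send(payload)
        try:
            sock.recv(4096)
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "open|filtered"
    finally:
        sock.close()


def start_lab_echo_service(host: str = "127.0.0.1") -> int:
    """Constructed stand-in for the 'service running on port 11111' in the
    slides: binds an ephemeral UDP port, echoes one datagram, then exits.
    Returns the port it is listening on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind((host, 0))
    srv.settimeout(5.0)
    port = srv.getsockname()[1]

    def serve() -> None:
        try:
            data, peer = srv.recvfrom(4096)
            srv.sendto(data, peer)
        except socket.timeout:
            pass
        finally:
            srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def unused_udp_port(host: str = "127.0.0.1") -> int:
    """Ask the OS for a free UDP port and release it again, so probing it
    exercises the ICMP port unreachable path."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tmp.bind((host, 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    open_port = start_lab_echo_service()
    closed_port = unused_udp_port()
    print(open_port, udp_probe("127.0.0.1", open_port))
    print(closed_port, udp_probe("127.0.0.1", closed_port))
```

The "open|filtered" branch is the one that costs weeks at country scale: every silent host burns the full timeout (and nmap's retransmits) before it can be given up on.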
PORT SCANNING - PROCESS

Result of that script ?
On lab testing….
PORT SCANNING - PROCESS

Result of that script ?
On internet testing….
PORT SCANNING - PROCESS
When we started, it took us around 4+ weeks to scan UDP on the entire country on 1 port
using Nmap…. We took this as a baseline first run to improve on…

Our second run, we used python+scapy and it went down!!
1 week – well, not bad for a second run, but 1 week for a port ?

Our third run, we used python+multithreading fu + scapy + blackmamba – 3 days – and this
was the best we brought it down to without bringing in the big guns (read: “asking HD Moore
for help”)

                                         Fourth run – C

                Yup, entire .pt (1 port) scanned in 4 minutes and 45 seconds.
PORT SCANNING - END



So we had our kick ass
friends, send us our kick ass
raw results… now what do we
do with them ?
PORT SCANNING - END

Terminals are fun, BUT we want an easier way
to look at our data…

So…. We wrote a tool:
Presenting for the first time:
Nmap Query Center!
PORT SCANNING - END

          DEMO TIME!
[Architecture diagram]
  Nmap Minion (nmap scans run here)
    -> NodeJS Scan Importer (process raw nmap data to JSON so we can better process the information)
    -> MongoDB (store processed scan data)
    -> NodeJS + Express + Socket.io (show all the pretty data to the client)
PORT SCANNING - END

Well that’s it folks…
Thank you for coming
PORT SCANNING – END




Just kidding! We did promise a
few more things didn’t we ?
PORT SCANNING – THE PROJECT


While we were preparing for
codebits…

We received something in the
mail….
PORT SCANNING – THE PROJECT

               Raspi
PORT SCANNING – THE PROJECT

  And it got us thinking…
  Port scanning, doesn’t
  require a great CPU, nor a
  huge amount of ram…
PORT SCANNING – THE PROJECT



So we decided to create a
distributed port scanning
project…
PORT SCANNING – THE PROJECT

     We grabbed the


And added a custom set of
scripts to it…
PORT SCANNING – THE PROJECT
PORT SCANNING – HOW DOES IT WORK?

        Step 1 – PTCoreSec admins request a job
        (scan) on the backend.

        Step 2 – Server side checks the current number
        of live Raspi minions.

        Step 3 – Server divides the CIDRs among the
        different clients and sends them over.

        Step 4 – Clients (minions) do the scans and
        send them back to the server over XMLRPC.

        Step 5 – Server imports these scans into the
        MongoDB backend.
Part 2
BUSINESS




When a client asks for a pentest
We present them with these
BUSINESS
BUSINESS
BUSINESS
BUSINESS

And that’s all really neat and pretty,
however there are 2 problems with that!
These guys don’t give a f***.




      Management             Blackhats
MANAGEMENT
Cares about:
               • Money
               • Money
               • Money

Does:
               • Will lie for PCI DSS/ISO27001/{Compliance}
               • Approves every single thing even if it doesn’t
                 match security department goals but gets them
                 moneys.

This shit gives us, security peeps, headaches!
BLACKHATS
I managed to acquire video footage
that shows these guys in action and
their vision of the world, let’s have a
sneak peek!
VIDEO - BLACKHATS
I ASK ONLY ONE THING OF U

Leave your whitehats at home, and
SHODAN



SHODAN is a search engine that lets you find specific computers (routers,
servers, etc.) using a variety of filters. Some have also described it as a public
port scan directory or a search engine of banners.



     Another way of putting it would be:
Is the


Of these
Now combine this:



   With these:
And you get a lot of these
Also if you do anything illegal and get
caught, you’ll get one of these:
SHODAN

         Now it’s when you ask
SHODAN



    http://www.shodanhq.com/
SHODAN

Accessing that website will give you a search bar, where you can type queries and
obtain results.

Your queries can ask for ports, countries, strings contained in the
banners, and all sorts of other things.




 Following is a sample set of queries that can lead to some interesting
 results:
SHODAN QUERIES

•   http://www.shodanhq.com/?q=cisco-IOS
•   http://www.shodanhq.com/?q=IIS+4.0
•   http://www.shodanhq.com/?q=Xerver
•   http://www.shodanhq.com/?q=Fuji+xerox
•   http://www.shodanhq.com/?q=JetDirect
•   http://www.shodanhq.com/?q=Netgear
•   http://www.shodanhq.com/?q=%22Anonymous+access+allowed%22
•   http://www.shodanhq.com/?q=Golden+FTP+Server
SHODAN QUERIES + COMBINED COUNTRY?
AWESOME!




          Saturday, 9th of
          June 2012
SHODAN QUERIES + COMBINED COUNTRY
         Port: 3306 country:PT
SHODAN QUERIES + COMBINED COUNTRY?
AWESOME!




          Wednesday,
          6th of June
          2012
SHODAN QUERIES + COMBINED COUNTRY
            BigIP country:PT
SHODAN QUERIES + COMBINED COUNTRY?
AWESOME!




          Tuesday, March
          13, 2012
SHODAN QUERIES + COMBINED COUNTRY
     port:3389 -allowed country:PT
SHODAN QUERIES + COMBINED COUNTRY?
AWESOME!
SHODAN QUERIES OF AWESOMENESS
                    SAP Web Application Server (ICM)


        Worldwide




        Portugal
SHODAN QUERIES OF AWESOMENESS
                    SAP NetWeaver Application Server


        Worldwide




        Portugal
SHODAN QUERIES OF AWESOMENESS
                    SAP Web Application Server


        Worldwide




        Portugal
SHODAN QUERIES OF AWESOMENESS
                    SAP J2EE Engine


        Worldwide




        Portugal
SHODAN QUERIES OF AWESOMENESS
SHODAN QUERIES OF AWESOMENESS
                    port:23 country:PT


        Worldwide




        Portugal
SHODAN QUERIES OF AWESOMENESS
              port:23 country:PT




                                   Username:admin
                                   Password:smcadmin
SHODAN QUERIES OF AWESOMENESS
             port:23 list of built-in commands
          Worldwide




     Not a big number, however just telnet in and you get shell…
SHODAN QUERIES OF AWESOMENESS
                    port:161 country:PT


        Worldwide




        Portugal
SHODAN QUERIES OF AWESOMENESS
         What sort of info do I get with SNMP ?

•   Windows RUNNING PROCESSES 1.3.6.1.2.1.25.4.2.1.2
•   Windows INSTALLED SOFTWARE 1.3.6.1.2.1.25.6.3.1.2
•   Windows SYSTEM INFO 1.3.6.1.2.1.1.1
•   Windows HOSTNAME 1.3.6.1.2.1.1.5
•   Windows DOMAIN 1.3.6.1.4.1.77.1.4.1
•   Windows UPTIME 1.3.6.1.2.1.1.3
•   Windows USERS 1.3.6.1.4.1.77.1.2.25
•   Windows SHARES 1.3.6.1.4.1.77.1.2.27
•   Windows DISKS 1.3.6.1.2.1.25.2.3.1.3
•   Windows SERVICES 1.3.6.1.4.1.77.1.2.3.1.1
•   Windows LISTENING TCP PORTS 1.3.6.1.2.1.6.13.1.3.0.0.0.0
•   Windows LISTENING UDP PORTS 1.3.6.1.2.1.7.5.1.2.0.0.0.0
SHODAN QUERIES OF AWESOMENESS
         What sort of info do I get with SNMP ?

•   Linux RUNNING PROCESSES 1.3.6.1.2.1.25.4.2.1.2
•   Linux SYSTEM INFO 1.3.6.1.2.1.1.1
•   Linux HOSTNAME 1.3.6.1.2.1.1.5
•   Linux UPTIME 1.3.6.1.2.1.1.3
•   Linux MOUNTPOINTS 1.3.6.1.2.1.25.2.3.1.3
•   Linux RUNNING SOFTWARE PATHS 1.3.6.1.2.1.25.4.2.1.4
•   Linux LISTENING UDP PORTS 1.3.6.1.2.1.7.5.1.2.0.0.0.0
•   Linux LISTENING TCP PORTS 1.3.6.1.2.1.6.13.1.3.0.0.0.0
SHODAN QUERIES OF AWESOMENESS
         What sort of info do I get with SNMP ?
•   Cisco LAST TERMINAL USERS 1.3.6.1.4.1.9.9.43.1.1.6.1.8
•   Cisco INTERFACES 1.3.6.1.2.1.2.2.1.2
•   Cisco SYSTEM INFO 1.3.6.1.2.1.1.1
•   Cisco HOSTNAME 1.3.6.1.2.1.1.5
•   Cisco SNMP COMMUNITIES 1.3.6.1.6.3.12.1.3.1.4
•   Cisco UPTIME 1.3.6.1.2.1.1.3
•   Cisco IP ADDRESSES 1.3.6.1.2.1.4.20.1.1
•   Cisco INTERFACE DESCRIPTIONS 1.3.6.1.2.1.31.1.1.1.18
•   Cisco HARDWARE 1.3.6.1.2.1.47.1.1.1.1.2
•   Cisco TACACS SERVER 1.3.6.1.4.1.9.2.1.5
•   Cisco LOGMESSAGES 1.3.6.1.4.1.9.9.41.1.2.3.1.5
•   Cisco PROCESSES 1.3.6.1.4.1.9.9.109.1.2.1.1.2
•   Cisco SNMP TRAP SERVER 1.3.6.1.6.3.12.1.2.1.7
SHODAN QUERIES OF AWESOMENESS
SHODAN QUERIES OF AWESOMENESS
                    cisco country:PT


        Worldwide




        Portugal
SHODAN QUERIES OF AWESOMENESS
                    cisco country:PT
CISCO
CISCO – GRE TUNNELING
SHODAN QUERIES OF AWESOMENESS
                    port:1900 country:PT



        Worldwide




        Portugal
SHODAN QUERIES OF AWESOMENESS

         So, What is UPNP?
SHODAN QUERIES OF AWESOMENESS
        So, What uses UPNP?
SHODAN QUERIES OF AWESOMENESS
                Hackz
SHODAN QUERIES OF AWESOMENESS
                Hackz
SHODAN QUERIES OF AWESOMENESS



          UPNP zomg time
SHODAN QUERIES OF AWESOMENESS

 UPNP Remote command execution
SHODAN QUERIES OF AWESOMENESS
        Oh and by the way…
SHODAN QUERIES OF AWESOMENESS

Another funny thing about UPNP, is
that you can get the MAC ADDR and
SSID its using

And then….
SHODAN (MORE INTERESTING) QUERIES
                               SCADA
•   http://www.shodanhq.com/?q=PLC
•   http://www.shodanhq.com/?q=allen+bradley
•   http://www.shodanhq.com/?q=fanuc
•   http://www.shodanhq.com/?q=Rockwell
•   http://www.shodanhq.com/?q=Cimplicity
•   http://www.shodanhq.com/?q=Omron
•   http://www.shodanhq.com/?q=Novatech
•   http://www.shodanhq.com/?q=Citect
•   http://www.shodanhq.com/?q=RTU
•   http://www.shodanhq.com/?q=Modbus+Bridge
•   http://www.shodanhq.com/?q=modicon
•   http://www.shodanhq.com/?q=bacnet
•   http://www.shodanhq.com/?q=telemetry+gateway
•   http://www.shodanhq.com/?q=SIMATIC
•   http://www.shodanhq.com/?q=hmi
•   http://www.shodanhq.com/?q=siemens+-...er+-Subscriber
•   http://www.shodanhq.com/?q=scada+RTS
•   http://www.shodanhq.com/?q=SCHNEIDER
SHODAN (MORE INTERESTING) QUERIES
             PORTUGAL?
                SCADA
SHODAN (MORE INTERESTING) QUERIES
          SCADA Portugal
SHODAN (MORE INTERESTING) QUERIES
             SCADA Portugal
SHODAN (MORE INTERESTING) QUERIES
             SCADA Portugal
SHODAN (MORE INTERESTING) QUERIES
             SCADA Portugal
SHODAN (MORE INTERESTING) QUERIES
Cameras…. Simply connected online and without authentication…
A LITTLE TIP…
If you want to quickly check for stuff
(web related) that has no
authentication, use NMAP!
A LITTLE TIP…
First, let’s get wkhtmltoimage:

wget http://wkhtmltopdf.googlecode.com/files/wkhtmltoimage-0.11.0_rc1-static-i386.tar.bz2
tar -jxvf wkhtmltoimage-0.11.0_rc1-static-i386.tar.bz2
cp wkhtmltoimage-i386 /usr/local/bin/

Next, let’s get and install the Nmap module:
git clone git://github.com/SpiderLabs/Nmap-Tools.git
cd Nmap-Tools/NSE/
cp http-screenshot.nse /usr/local/share/nmap/scripts/
nmap --script-updatedb
A LITTLE TIP…



Then, do your shodan search and use:



This automatically exports a list of IPs you
can import into nmap
A LITTLE TIP…
Then…
A LITTLE TIP…
And nmap will automatically take screenshots
of the first pages that appear and store
them; then you just need to look at
those!
To end…
OPEN PORTS!
SCARY SHIT!




 DEFACE 1 SCARY?


     NO!
SCARY SHIT!




DEFACE 2 SCARY?


Well… disturbing, scary? Not so much!
SCARY SHIT!
SCARY SHIT!
SCARY SHIT!
SHODAN – THE BAD PART


• Imports nmap scans from their servers
  on a rotational basis, so it’s not always
  100% updated! Confirmed this by
  correlating some of the Shodan results
  with our personal results!
• For example on MySQL servers, Shodan
  would find 785, where our results
  showed 3000+
SHODAN – THE GOOD PART



• Good querying system

• If port scanning is illegal in your
  country, you’re out of trouble if you use
  Shodan, because you’re just querying
  data acquired by them.
Kudos
 Girlfriends / Wives
   Aaron @f1nux
       HD Moore
Codebits organization
Resources

http://secanalysis.com/interesting-shodan-searches/

blog.spiderlabs.com/2012/06/using-nmap-to-screenshot-web-services.html

http://www.youtube.com/watch?v=LPgZU7ZNIjQ – Defcon 18 (2010): SHODAN for Penetration Testers, Michael Schearer

http://www.youtube.com/watch?v=Tg9ZAvynjdk – HD Moore – Empirical Exploitation

http://www.youtube.com/watch?v=b-uPh99whw4 – HD Moore – Wild West
Requests




https://www.facebook.com/ptcoresec

 Rate our talk @
  codebits.eu
Test our tool
www.infosec.pt

(Mis)trusting and (ab)using ssh
 
Secure coding - Balgan - Tiago Henriques
Secure coding - Balgan - Tiago HenriquesSecure coding - Balgan - Tiago Henriques
Secure coding - Balgan - Tiago Henriques
 
Vulnerability, exploit to metasploit
Vulnerability, exploit to metasploitVulnerability, exploit to metasploit
Vulnerability, exploit to metasploit
 
Practical exploitation and social engineering
Practical exploitation and social engineeringPractical exploitation and social engineering
Practical exploitation and social engineering
 
Booklet
BookletBooklet
Booklet
 
Talkj4mshare
Talkj4mshareTalkj4mshare
Talkj4mshare
 
Codebits 2010
Codebits 2010Codebits 2010
Codebits 2010
 

How to dominate a country

  • 1. HOW TO DOMINATE A COUNTRY. Codebits 2012 T.H.,J.F.,T.M.,F.R. @PTCoreSec
  • 2. WHAT ARE YOU ? We are: • Security Researchers • Security enthusiasts • Students, corporate sheep (read: auditors), programmers, pentesters • Beer lovers  We are not : • Lulzsec • Anonymous • Hacking group • And no, we won't help you hack your girlfriend's Facebook! • Ok… that depends on the amount of beer involved! 
  • 3. WHO ARE YOU ? • Tiago Henriques: Team founder and leader @ PTCoreSec; Pentester/Researcher @ 7Elements; @Balgan • Tiago Martins: Team vice-founder @ PTCoreSec; Researcher; @Gank_101 • Filipe Reis: Programmer @ PTCoreSec; Intern @ Layer8; @fjdreis • Jean Figueiredo: Network security researcher @ PTCoreSec; Netsec admin @ Tecnocom; @klinzter
  • 6. WE ARE NOT RESPONSIBLE FOR ANY ILLEGAL ACTS OR ACTIONS PRACTICED BY YOU OR ANYONE THAT LEARNS SOMETHING FROM TODAY’S PRESENTATION.
  • 7. CAUSING CHAOS. Q:If you guys were an attacker that was out to cause real damage or get profit, how would you go on about it ? A:This is what we would do, control as many machines in that country, penetrate critical systems and get as much intel/info as possible.
  • 8. CAUSING CHAOS. And that’s what we are gonna talk about today!
  • 9. HOW IT ALL GOT STARTED We’re hackers! We love knowing how to break things and how others would go on about breaking things! The difference between us and others is simple: • We want to break things legally and find a way to fix things. • We want to learn about new things and help people.
  • 11. HOW IT ALL GOT STARTED We saw some talks that really inspired us, given by two great people: HD Moore and Fyodor.
  • 12. HOWEVER… We also ran into a bit of a problem… Port scanning might or might not be illegal in Portugal! No one is actually sure, and we talked with multiple people: • Police • Sysadmins • Researchers • Security professionals
  • 13. WHAT TO DO ? • So, if you can’t port scan, how do you find out what your enemy's attack surface is? • How do you know if the entire infrastructure you rely on every day is vulnerable or safe? • Security by obscurity? Right, that works well…. But like I said before… we’re hackers, so we hacked the law and rules and bent them to our favour!
  • 14. WHAT TO DO ? • Port scanning isn’t illegal in 2 nice places! Sweden and USA! • So we got 2 friends of ours who knew nothing of portscanning and wanted to learn, taught them how to portscan the big internets, and then they sent the raw results to us…
  • 15. PORT SCANNING • Tools of the trade: • Nmap • Wkhtmltoimage • Python • Scapy • Linux • NodeJS • MongoDB • C • Redbull + Lots of nights awake + Frustration
  • 16. PORT SCANNING - PROCESS 1. Get Portugal’s CIDRs 2. Decide on a set of services you consider important 3. Check which IPs have those ports open 4. Check versions running of those services (steps 3 and 4 are the actual scanning)
  • 17. PORT SCANNING - PROCESS 1. Get Portugal’s CIDRs. There are two places where you can get these:
    • http://software77.net/geo-ip/
    • ftp://ftp.ripe.net/pub/stats/ripencc/delegated-ripencc-latest
    The Portuguese CIDRs listed on the slide:
    2.80.0.0/14
    5.43.0.0/18
    5.44.192.0/20
    5.158.0.0/18
    5.159.216.0/21
    5.172.144.0/21
    31.22.128.0/17
    37.28.192.0/18
    37.189.0.0/16
    46.50.0.0/17
    46.182.32.0/21
    46.189.128.0/17
    62.28.0.0/16
    62.48.128.0/18
    62.48.192.0/18
    62.169.64.0/18
    62.249.0.0/19
    77.54.0.0/16
    77.91.200.0/21
    78.29.128.0/18
    78.130.0.0/17
    78.137.192.0/18
    79.168.0.0/15
    80.172.0.0/16
    80.243.80.0/20
    81.20.240.0/20
    81.84.0.0/16
    81.90.48.0/20
    81.92.192.0/20
    81.92.208.0/20
    81.193.0.0/16
    82.102.0.0/18
    82.154.0.0/15
    83.132.0.0/16
    83.144.128.0/18
    83.174.0.0/18
    83.223.160.0/19
    83.240.128.0/17
    84.18.224.0/19
    84.23.192.0/19
    84.90.0.0/15
  • 18. PORT SCANNING - PROCESS 2. Decide on a set of services you consider important
    ID  Port   Proto  Service
     1  80     TCP    http
     2  443    TCP    https
     3  8080   TCP    http alternative
     4  21     TCP    FTP
     5  22     TCP    SSH
     6  23     TCP    Telnet
     7  53     UDP    DNS
     8  445    TCP    Samba
     9  139    TCP    Samba
    10  161    UDP    SNMP
    11  1900   UDP    UPNP
    12  2869   TCP    UPNP
    13  5353   UDP    MDNS
    14  137    TCP    Netbios
    15  25     TCP    SMTP
    16  110    TCP    POP3
    17  143    TCP    IMAP
    18  3306   TCP    Mysql
    19  5900   TCP    VNC Server
    20  17185  UDP    VoIP (as labelled on the slide; 17185/UDP is the VxWorks WDB debug agent port)
    21  3389   TCP    Rdesktop
    22  8082   TCP    TR 069
  • 19. PORT SCANNING - PROCESS 3. Check which IPs have those ports open 4. Check versions running of those services. This is where it gets tricky!
  • 20. PORT SCANNING - PROCESS • Portugal on the internet…. 5,822,240 allocated IPs. (Also called out on the slide: dynamic IPs, GPRS.)
  • 21. PORT SCANNING - PROCESS • So as we mentioned, we divided the actual scanning into two parts! And you might be wondering why… Common nmap scan for TCP:
    nmap -iL ipswithftp -oA port21-FTP-with-Services -sS -sV -p21 -T5 -PN
    The problem with this is that DNS resolution and -sV (service detection) are very slow. So how do we solve this problem? We obviously want the domains the IPs are associated with, and the versions of the services running.
  • 22. PORT SCANNING - PROCESS • Do the fast things on the 6 mil IPs and then do the slow stuff merely on the IPs that are running the service we want to analyse.
    nmap -iL CIDRSPT.txt -oA port21-FTP -sS -p21 -T5 -PN --host-timeout 1501 --min-hostgroup 400 --min-parallelism 10 -n
    Then we will have the list of IPs that have FTP running on port 21 in 3 files: Port21-FTP.xml, Port21-FTP.gnmap, Port21-FTP.nmap
    Extract IPs from gnmap:
    cat port21-FTP.gnmap | grep -w "21/open" | awk '{print $2}' > IPSWITHFTP.TXT
  • 23. PORT SCANNING - PROCESS • Do the slow things only on the IPs that have our service running.
    nmap -iL IPSWITHFTP.txt -oA port21-FTP-FINAL -sV -p21 -T5 -PN --host-timeout 1501 --min-hostgroup 400 --min-parallelism 10
    Then we will have the list of IPs that have FTP running on port 21 AND the version of those services in 3 files: Port21-FTP-FINAL.xml, Port21-FTP-FINAL.gnmap, Port21-FTP-FINAL.nmap
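The four process steps above (CIDRs from the RIR file, a fast SYN pass over everything, extracting the hosts that answered, a slow -sV pass over only those) as one runnable helper. This is an added example written for this page, not the PTCoreSec scripts; the delegated-file excerpt and the .gnmap excerpt are constructed test data, the file names (CIDRSPT.txt, ips-with-*.txt) are assumptions, and nothing touches the network unless run_two_pass() is called.

```python
"""Two-pass country scan helpers (slides 16-23). Added example, stdlib only."""
import ipaddress
import re
import subprocess
from typing import List

# Constructed excerpt in the format of ftp://ftp.ripe.net/pub/stats/ripencc/delegated-ripencc-latest
# (registry|cc|type|start|value|date|status). The 2.80.0.0 line matches the /14 on the slide;
# the other lines are made up to show the country/type filter and a non-power-of-two block.
SAMPLE_DELEGATED = "\n".join([
    "2|ripencc|20121101|12345|19920101|20121031|+0100",
    "ripencc|PT|ipv4|2.80.0.0|262144|20100527|allocated",
    "ripencc|PT|ipv4|5.43.0.0|16384|20120301|allocated",
    "ripencc|PT|ipv4|46.182.32.0|3072|20110411|assigned",
    "ripencc|ES|ipv4|5.56.0.0|65536|20120301|allocated",
    "ripencc|PT|ipv6|2001:8a0::|32|20020318|allocated",
    "ripencc|PT|asn|2860|1|19930707|allocated",
])

# Constructed greppable (-oG/-oA .gnmap) output in the shape nmap writes it: a tab before
# "Status:"/"Ports:", comma-separated port entries, optional "Ignored State" tail.
SAMPLE_GNMAP = "\n".join([
    "# Nmap 6.01 scan initiated as: nmap -iL CIDRSPT.txt -oA port21-FTP -sS -p21 -T5 -Pn -n",
    "Host: 2.80.1.10 ()\tStatus: Up",
    "Host: 2.80.1.10 ()\tPorts: 21/open/tcp//ftp///\tIgnored State: closed (0)",
    "Host: 2.80.1.11 ()\tPorts: 21/closed/tcp//ftp///",
    "Host: 5.43.7.2 ()\tPorts: 21/filtered/tcp//ftp///",
    "Host: 5.43.9.9 ()\tPorts: 21/open/tcp//ftp///",
    "# Nmap done",
])


def cidrs_for_country(delegated_text: str, cc: str = "PT") -> List[str]:
    """Step 1: IPv4 CIDRs for one country code from the RIR delegated file.
    The 'value' column is a host count, not a prefix length, and is not always a
    power of two, so one line can expand to several CIDRs."""
    cidrs = []
    for line in delegated_text.splitlines():
        fields = line.split("|")
        if len(fields) < 7 or fields[1] != cc or fields[2] != "ipv4":
            continue
        start = ipaddress.IPv4Address(fields[3])
        end = start + (int(fields[4]) - 1)
        cidrs.extend(str(n) for n in ipaddress.summarize_address_range(start, end))
    return cidrs


# The tuning from slides 22/23. Note: current nmap reads a unit-less --host-timeout as
# seconds; write 1501ms if milliseconds are what you mean. -Pn is the current spelling of -PN.
NMAP_TUNING = ["-T5", "-Pn", "--host-timeout", "1501",
               "--min-hostgroup", "400", "--min-parallelism", "10"]


def fast_pass_cmd(cidr_file: str, port: int, prefix: str) -> List[str]:
    """Pass 1: SYN scan only, -n so no DNS lookups slow it down."""
    return ["nmap", "-iL", cidr_file, "-oA", prefix, "-sS", f"-p{port}", "-n"] + NMAP_TUNING


def slow_pass_cmd(ip_file: str, port: int, prefix: str) -> List[str]:
    """Pass 2: version detection (and DNS) only for hosts that answered in pass 1."""
    return ["nmap", "-iL", ip_file, "-oA", prefix, "-sV", f"-p{port}"] + NMAP_TUNING


_HOST_LINE = re.compile(r"^Host:\s+(\S+)\s+\(.*?\)\s+Ports:\s+(.*)$")


def open_hosts_from_gnmap(gnmap_text: str, port: int) -> List[str]:
    """Step 3: the grep -w "21/open" | awk '{print $2}' step, reading the state field
    explicitly so 21/closed and 21/filtered can never be mistaken for open."""
    hosts = []
    for line in gnmap_text.splitlines():
        m = _HOST_LINE.match(line)
        if not m:
            continue
        ip, ports = m.groups()
        for entry in ports.split("\t")[0].split(","):   # drop the "Ignored State" tail
            fields = entry.strip().split("/")            # port/state/proto/owner/service/rpc/version/
            if fields[0] == str(port) and fields[1] == "open":
                hosts.append(ip)
                break
    return hosts


def run_two_pass(cidr_file: str, port: int, tag: str) -> List[str]:
    """Run both passes for real (needs nmap, and root for -sS); returns the hosts found open."""
    subprocess.run(fast_pass_cmd(cidr_file, port, f"port{port}-{tag}"), check=True)
    with open(f"port{port}-{tag}.gnmap") as fh:
        hosts = open_hosts_from_gnmap(fh.read(), port)
    with open(f"ips-with-{tag}.txt", "w") as fh:
        fh.write("\n".join(hosts) + "\n")
    subprocess.run(slow_pass_cmd(f"ips-with-{tag}.txt", port, f"port{port}-{tag}-FINAL"), check=True)
    return hosts
```

The gnmap parser is the part worth keeping even if you stay with the one-liner from the slide: `grep -w "21/open"` also matches a line whose "Ignored State" tail happens to contain the string, and nothing in the awk step checks that the state field is really `open`.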
  • 24. PORT SCANNING - PROCESS • However… we still have UDP… and let me tell you….
  • 25. PORT SCANNING - PROCESS Nmap also has a UDP mode, -sU, however it doesn’t work very well without -sV (read: it's shit!). When testing it in our lab we noticed that most of the time nmap wasn’t able to detect whether there was a service running or not. The reason for this is: “UDP scanning is slow as open/filtered ports typically don't respond so nmap has to time out and then retransmit whilst closed ports will send a ICMP port unreachable error, which systems typically rate limit.” When we started, it took us around 4 weeks to scan UDP on the entire country on 1 port….
  • 26. PORT SCANNING - PROCESS Solution? SCAPY! (Diagram on the slide: a server with a service running on port 11111, and a client probing it.)
  • 27. PORT SCANNING - PROCESS Result of that script? On lab testing….
  • 28. PORT SCANNING - PROCESS Result of that script? On internet testing….
  • 29. PORT SCANNING - PROCESS When we started, it took us around 4+ weeks to scan UDP on the entire country on 1 port using Nmap…. We took this as a baseline first run to improve on. Our second run, we used python+scapy and it went down!! 1 week – well, not bad for a second run, but 1 week for a port? Our third run, we used python + multithreading fu + scapy + blackmamba – 3 days – and this was the best we brought it down to without bringing in the big guns (read: “asking HD Moore for help”). Fourth run – C. Yup, the entire .pt (1 port) scanned in 4 minutes and 45 seconds.
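The classification the slides' lab probe performs (datagram out; ICMP port unreachable back means closed; an answer means open; silence means open|filtered), as an added example that is not the scapy or C scanner from the talk. It uses a connected UDP socket instead of crafted packets, so the kernel reports the ICMP unreachable as ECONNREFUSED and no raw sockets or root are needed; the retry count exists because of the ICMP rate limiting the slide quotes. The echo server and listener helpers stand in for the "netcat on UDP 11111" lab server and are assumptions for a local test, not part of the original.

```python
"""UDP port-state probe without raw sockets. Added example, stdlib only."""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, Iterable, List

_KEEP: List[socket.socket] = []   # keeps lab listeners alive for the lifetime of the process


def udp_port_state(host: str, port: int, payload: bytes = b"\x00",
                   timeout: float = 2.0, tries: int = 2) -> str:
    """'open' if anything answers, 'closed' on ICMP type 3 code 3, else 'open|filtered'.
    More than one try because hosts rate-limit ICMP unreachables (the reason nmap -sU
    was so slow): one 'closed' verdict is conclusive, silence never proves open."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))   # sends nothing; makes the kernel deliver ICMP errors to this socket
        for _ in range(tries):
            try:
                s.send(payload)
                s.recv(4096)
                return "open"
            except ConnectionRefusedError:   # the queued ICMP port-unreachable
                return "closed"
            except socket.timeout:
                continue
    return "open|filtered"


def sweep(hosts: Iterable[str], port: int, workers: int = 256, **probe_kw) -> Dict[str, str]:
    """The 'multithreading fu' step from slide 29: many probes in flight at once,
    so the per-host timeout is paid in parallel instead of serially."""
    hosts = list(hosts)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return dict(zip(hosts, pool.map(lambda h: udp_port_state(h, port, **probe_kw), hosts)))


def start_udp_echo_server() -> int:
    """Lab stand-in for an answering service; returns the port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    _KEEP.append(srv)

    def loop():
        while True:
            data, peer = srv.recvfrom(4096)
            srv.sendto(data, peer)

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


def start_silent_udp_listener() -> int:
    """Bound but never replies: what a scanner sees for most real open UDP ports."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    _KEEP.append(srv)
    return srv.getsockname()[1]


def reserve_closed_port() -> int:
    """A port that is (almost certainly) closed: bind, read the number, release it."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tmp:
        tmp.bind(("127.0.0.1", 0))
        return tmp.getsockname()[1]


if __name__ == "__main__":
    for label, p in (("echo", start_udp_echo_server()),
                     ("silent", start_silent_udp_listener()),
                     ("closed", reserve_closed_port())):
        print(label, p, udp_port_state("127.0.0.1", p, timeout=0.5))
```

On the open internet the same three outcomes apply, with one more caveat the slide hints at: a firewall that drops the probe and one that silently accepts it both land in open|filtered, which is why the later -sV pass (or a protocol-specific payload, such as an SNMP GET for 161 or an SSDP M-SEARCH for 1900) is what finally separates them.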
  • 30. PORT SCANNING - END So we had our kick ass friends, send us our kick ass raw results… now what do we do with them ?
  • 31. PORT SCANNING - END Terminals are fun, BUT we want an easier way to look at our data… So…. We wrote a tool: Presenting for the first time: Nmap Query Center!
  • 32. PORT SCANNING - END DEMO TIME!
  • 33. (Architecture diagram on the slide.) Nmap minion: the scans run here. NodeJS importer: processes the raw nmap data into JSON so we can better process the data. MongoDB: stores the processed Nmap scans. NodeJS + Express + Socket.io: shows all the pretty information to the client.
  • 34. PORT SCANNING - END Well that’s it folks… Thank you for coming
  • 35. PORT SCANNING – END Just kidding! We did promise a few more things didn’t we ?
  • 36. PORT SCANNING – THE PROJECT While we were preparing for codebits… We received something in the mail….
  • 37. PORT SCANNING – THE PROJECT Raspi
  • 38. PORT SCANNING – THE PROJECT And it got us thinking… Port scanning, doesn’t require a great CPU, nor a huge amount of ram…
  • 39. PORT SCANNING – THE PROJECT So we decided to create a distributed port scanning project…
  • 40. PORT SCANNING – THE PROJECT We grabbed the Raspberry Pi and added a custom set of scripts to it…
  • 41. PORT SCANNING – THE PROJECT
  • 42. PORT SCANNING – HOW DOES IT WORK? Step 1 – PTCoreSec admins request a job (scan) on the backend. Step 2 – Server side checks the current number of live raspi minions. Step 3 – Server divides the CIDRs among the different clients and sends them over. Step 4 – Clients (minions) do the scans and send them back to the server over XML-RPC. Step 5 – Server imports these scans into the MongoDB backend.
  • 44. BUSINESS When a client asks for a pentest We present them with these
  • 48. BUSINESS And that’s all really neat and pretty, however there are 2 problems with that! These guys don’t give a f***: Management and Blackhats.
  • 49. MANAGEMENT Cares about: • Money • Money • Money. Does: • Will lie for PCI DSS/ISO27001/{Compliance} • Approves every single thing, even if it doesn’t match security department goals, as long as it gets them moneys. This shit gives us, security peeps, headaches!
  • 50. BLACKHATS I managed to acquire video footage that shows these guys in action and their vision of the world, let's have a sneak peek!
  • 52. I ASK ONLY ONE THING OF U Leave your whitehats at home, and
  • 53. SHODAN SHODAN is a search engine that lets you find specific computers (routers, servers, etc.) using a variety of filters. Some have also described it as a public port scan directory or a search engine of banners. Another way of putting it would be:
  • 55. Now combine this: With these:
  • 56. And you get a lot of these
  • 57. Also, if you do anything illegal and get caught, you’ll get one of these:
  • 58. SHODAN Now is when you ask…
  • 59. SHODAN http://www.shodanhq.com/
  • 60. SHODAN Accessing that website will give you a bar where you can type queries and obtain results. Your queries can ask for PORTS, countries, strings contained in the banners, and all sorts of other things. Following is a sample set of queries that can lead to some interesting results:
  • 61. SHODAN QUERIES
    • http://www.shodanhq.com/?q=cisco-IOS
    • http://www.shodanhq.com/?q=IIS+4.0
    • http://www.shodanhq.com/?q=Xerver
    • http://www.shodanhq.com/?q=Fuji+xerox
    • http://www.shodanhq.com/?q=JetDirect
    • http://www.shodanhq.com/?q=Netgear
    • http://www.shodanhq.com/?q=%22Anonymous+access+allowed%22
    • http://www.shodanhq.com/?q=Golden+FTP+Server
  • 62. SHODAN QUERIES + COMBINED COUNTRY? AWESOME! Saturday, 9th of June 2012
  • 63. SHODAN QUERIES + COMBINED COUNTRY Port: 3306 country:PT
  • 64. SHODAN QUERIES + COMBINED COUNTRY? AWESOME! Wednesday, 6th of June 2012
  • 65. SHODAN QUERIES + COMBINED COUNTRY BigIP country:PT
  • 66. SHODAN QUERIES + COMBINED COUNTRY? AWESOME! Tuesday, March 13, 2012
  • 67. SHODAN QUERIES + COMBINED COUNTRY port:3389 -allowed country:PT
  • 68. SHODAN QUERIES + COMBINED COUNTRY? AWESOME!
  • 69. SHODAN QUERIES OF AWESOMENESS SAP Web Application Server (ICM) Worldwide Portugal
  • 70. SHODAN QUERIES OF AWESOMENESS SAP NetWeaver Application Server Worldwide Portugal
  • 71. SHODAN QUERIES OF AWESOMENESS SAP Web Application Server Worldwide Portugal
  • 72. SHODAN QUERIES OF AWESOMENESS SAP J2EE Engine Worldwide Portugal
  • 73. SHODAN QUERIES OF AWESOMENESS
  • 74. SHODAN QUERIES OF AWESOMENESS port:23 country:PT Worldwide Portugal
  • 75. SHODAN QUERIES OF AWESOMENESS port:23 country:PT Username:admin Password:smcadmin
  • 76. SHODAN QUERIES OF AWESOMENESS port:23 list of built-in commands Worldwide Not a big number, however just telnet in and you get shell…
  • 77. SHODAN QUERIES OF AWESOMENESS port:161 country:PT Worldwide Portugal
  • 78. SHODAN QUERIES OF AWESOMENESS What sort of info do I get with SNMP? Windows:
    • RUNNING PROCESSES 1.3.6.1.2.1.25.4.2.1.2
    • INSTALLED SOFTWARE 1.3.6.1.2.1.25.6.3.1.2
    • SYSTEM INFO 1.3.6.1.2.1.1.1
    • HOSTNAME 1.3.6.1.2.1.1.5
    • DOMAIN 1.3.6.1.4.1.77.1.4.1
    • UPTIME 1.3.6.1.2.1.1.3
    • USERS 1.3.6.1.4.1.77.1.2.25
    • SHARES 1.3.6.1.4.1.77.1.2.27
    • DISKS 1.3.6.1.2.1.25.2.3.1.3
    • SERVICES 1.3.6.1.4.1.77.1.2.3.1.1
    • LISTENING TCP PORTS 1.3.6.1.2.1.6.13.1.3.0.0.0.0
    • LISTENING UDP PORTS 1.3.6.1.2.1.7.5.1.2.0.0.0.0
  • 79. SHODAN QUERIES OF AWESOMENESS What sort of info do I get with SNMP? Linux:
    • RUNNING PROCESSES 1.3.6.1.2.1.25.4.2.1.2
    • SYSTEM INFO 1.3.6.1.2.1.1.1
    • HOSTNAME 1.3.6.1.2.1.1.5
    • UPTIME 1.3.6.1.2.1.1.3
    • MOUNTPOINTS 1.3.6.1.2.1.25.2.3.1.3
    • RUNNING SOFTWARE PATHS 1.3.6.1.2.1.25.4.2.1.4
    • LISTENING UDP PORTS 1.3.6.1.2.1.7.5.1.2.0.0.0.0
    • LISTENING TCP PORTS 1.3.6.1.2.1.6.13.1.3.0.0.0.0
  • 80. SHODAN QUERIES OF AWESOMENESS What sort of info do I get with SNMP? Cisco:
    • LAST TERMINAL USERS 1.3.6.1.4.1.9.9.43.1.1.6.1.8
    • INTERFACES 1.3.6.1.2.1.2.2.1.2
    • SYSTEM INFO 1.3.6.1.2.1.1.1
    • HOSTNAME 1.3.6.1.2.1.1.5
    • SNMP COMMUNITIES 1.3.6.1.6.3.12.1.3.1.4
    • UPTIME 1.3.6.1.2.1.1.3
    • IP ADDRESSES 1.3.6.1.2.1.4.20.1.1
    • INTERFACE DESCRIPTIONS 1.3.6.1.2.1.31.1.1.1.18
    • HARDWARE 1.3.6.1.2.1.47.1.1.1.1.2
    • TACACS SERVER 1.3.6.1.4.1.9.2.1.5
    • LOG MESSAGES 1.3.6.1.4.1.9.9.41.1.2.3.1.5
    • PROCESSES 1.3.6.1.4.1.9.9.109.1.2.1.1.2
    • SNMP TRAP SERVER 1.3.6.1.6.3.12.1.2.1.7
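What actually goes over the wire when one of the OIDs above is pulled from a device that answers on 161/UDP: an SNMPv1 GetRequest is a handful of BER-encoded values, so a guessable community string is all the "authentication" there is. This is an added example written for this page (not snmpenum or the tooling from the talk), standard library only; the sysDescr value in the test response and the community "public" are constructed sample data, and every OID used is one from the lists above or the standard system group.

```python
"""Minimal SNMPv1 GET with hand-rolled BER. Added example, stdlib only."""
import random
import socket
from typing import Any, List, Tuple


def _length(n: int) -> bytes:
    """BER length: short form below 128, long form (0x80 | byte count) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _length(len(body)) + body


def enc_int(v: int) -> bytes:
    """INTEGER (0x02), minimal two's-complement encoding."""
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))


def enc_oid(oid: str) -> bytes:
    """OBJECT IDENTIFIER (0x06): first two arcs packed as 40*a+b, the rest base-128
    big-endian with the high bit set on every byte but the last."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return tlv(0x06, bytes(body))


def build_msg(pdu_tag: int, community: str, varbinds: List[Tuple[str, bytes]],
              request_id: int = 1, err_status: int = 0, err_index: int = 0) -> bytes:
    """Message ::= SEQUENCE { version INTEGER(0 = v1), community OCTET STRING, PDU }.
    pdu_tag 0xA0 = GetRequest, 0xA1 = GetNextRequest (walking), 0xA2 = GetResponse."""
    vbl = tlv(0x30, b"".join(tlv(0x30, enc_oid(o) + val) for o, val in varbinds))
    pdu = tlv(pdu_tag, enc_int(request_id) + enc_int(err_status) + enc_int(err_index) + vbl)
    return tlv(0x30, enc_int(0) + tlv(0x04, community.encode()) + pdu)


def build_get(community: str, oid: str, request_id: int = 1) -> bytes:
    return build_msg(0xA0, community, [(oid, b"\x05\x00")], request_id)   # value is NULL in a request


def _read_tlv(buf: bytes, i: int = 0) -> Tuple[int, bytes, int]:
    tag, ln, i = buf[i], buf[i + 1], i + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, i = int.from_bytes(buf[i:i + n], "big"), i + n
    return tag, buf[i:i + ln], i + ln


def _children(body: bytes) -> List[Tuple[int, bytes]]:
    out, i = [], 0
    while i < len(body):
        tag, val, i = _read_tlv(body, i)
        out.append((tag, val))
    return out


def dec_oid(body: bytes) -> str:
    arcs, cur = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))


def dec_value(tag: int, val: bytes) -> Any:
    if tag == 0x02:
        return int.from_bytes(val, "big", signed=True)
    if tag in (0x41, 0x42, 0x43, 0x46):            # Counter32, Gauge32, TimeTicks, Counter64
        return int.from_bytes(val, "big")
    if tag == 0x04:
        return val.decode("latin-1")
    if tag == 0x06:
        return dec_oid(val)
    if tag == 0x40:                                 # IpAddress
        return ".".join(map(str, val))
    return None if tag == 0x05 else val             # NULL, or raw bytes for anything else


def parse_response(pkt: bytes) -> Tuple[int, List[Tuple[str, Any]]]:
    """(error-status, [(oid, value), ...]) from a GetResponse; error-status 2 is noSuchName."""
    _version, _community, (pdu_tag, pdu) = _children(_read_tlv(pkt)[1])
    if pdu_tag != 0xA2:
        raise ValueError("not a GetResponse PDU")
    _req, err_status, _idx, (_, vbl) = _children(pdu)
    pairs = [_children(vb) for _, vb in _children(vbl)]
    return dec_value(*err_status), [(dec_oid(o), dec_value(t, v)) for (_, o), (t, v) in pairs]


def snmp_get(host: str, oid: str, community: str = "public", timeout: float = 2.0):
    """One GET over 161/UDP. Silence means no agent, a firewall, or a wrong community:
    most agents simply do not answer when the community does not match."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_get(community, oid, random.randrange(1, 1 << 30)), (host, 161))
        data, _ = s.recvfrom(65535)
    return parse_response(data)


if __name__ == "__main__":
    import sys
    print(snmp_get(sys.argv[1], "1.3.6.1.2.1.1.1.0", sys.argv[2] if len(sys.argv) > 2 else "public"))
```

Swap 0xA0 for 0xA1 in build_get and feed each returned OID back in to walk a subtree, which is how the process, share and user lists above are enumerated; the Cisco SNMP COMMUNITIES entry (1.3.6.1.6.3.12.1.3.1.4) is the one to fix first on any device this reaches, since a read community that exposes it hands out the rest.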
  • 81. SHODAN QUERIES OF AWESOMENESS
  • 82. SHODAN QUERIES OF AWESOMENESS cisco country:PT Worldwide Portugal
  • 83. SHODAN QUERIES OF country:PT cisco AWESOMENESS
  • 84. CISCO
  • 85. CISCO – GRE TUNNELING
  • 86. SHODAN QUERIES OF AWESOMENESS port:1900 country:PT Worldwide Portugal
  • 87. SHODAN QUERIES OF AWESOMENESS So, What is UPNP?
  • 88. SHODAN QUERIES OF AWESOMENESS So, What uses UPNP?
  • 89. SHODAN QUERIES OF AWESOMENESS Hackz
  • 90. SHODAN QUERIES OF AWESOMENESS Hackz
  • 91. SHODAN QUERIES OF AWESOMENESS UPNP zomg time
  • 92. SHODAN QUERIES OF AWESOMENESS UPNP Remote command execution
  • 93. SHODAN QUERIES OF AWESOMENESS Oh and by the way…
  • 94. SHODAN QUERIES OF AWESOMENESS Another funny thing about UPNP is that you can get the MAC ADDR and SSID it's using… And then….
  • 95. SHODAN (MORE INTERESTING) QUERIES SCADA
    • http://www.shodanhq.com/?q=PLC
    • http://www.shodanhq.com/?q=allen+bradley
    • http://www.shodanhq.com/?q=fanuc
    • http://www.shodanhq.com/?q=Rockwell
    • http://www.shodanhq.com/?q=Cimplicity
    • http://www.shodanhq.com/?q=Omron
    • http://www.shodanhq.com/?q=Novatech
    • http://www.shodanhq.com/?q=Citect
    • http://www.shodanhq.com/?q=RTU
    • http://www.shodanhq.com/?q=Modbus+Bridge
    • http://www.shodanhq.com/?q=modicon
    • http://www.shodanhq.com/?q=bacnet
    • http://www.shodanhq.com/?q=telemetry+gateway
    • http://www.shodanhq.com/?q=SIMATIC
    • http://www.shodanhq.com/?q=hmi
    • http://www.shodanhq.com/?q=siemens+-...er+-Subscriber
    • http://www.shodanhq.com/?q=scada+RTS
    • http://www.shodanhq.com/?q=SCHNEIDER
  • 96. SHODAN (MORE INTERESTING) QUERIES PORTUGAL? SCADA
  • 97. SHODAN (MORE INTERESTING) QUERIES SCADA Portugal
  • 98. SHODAN (MORE INTERESTING) QUERIES SCADA Portugal
  • 99. SHODAN (MORE INTERESTING) QUERIES SCADA Portugal
  • 100. SHODAN (MORE INTERESTING) QUERIES SCADA Portugal
  • 101. SHODAN (MORE INTERESTING) QUERIES Cameras…. Simply connected online and without authentication…
  • 102. A LITTLE TIP… If you want to quickly check for stuff (web related) that has no authentication, use NMAP!
  • 103. A LITTLE TIP… First, let’s get wkhtmltoimage:
    wget http://wkhtmltopdf.googlecode.com/files/wkhtmltoimage-0.11.0_rc1-static-i386.tar.bz2
    tar -jxvf wkhtmltoimage-0.11.0_rc1-static-i386.tar.bz2
    cp wkhtmltoimage-i386 /usr/local/bin/
    Next, let’s get and install the Nmap module:
    git clone git://github.com/SpiderLabs/Nmap-Tools.git
    cd Nmap-Tools/NSE/
    cp http-screenshot.nse /usr/local/share/nmap/scripts/
    nmap --script-updatedb
  • 104. A LITTLE TIP… Then, do your shodan search and use the export option shown on the slide: this automatically exports a list of IPs you can import into nmap.
  • 106. A LITTLE TIP… And nmap, run with the http-screenshot script, will automatically take screenshots of the front pages that appear and store them; then you just need to look at those!
  • 109. SCARY SHIT! DEFACE 1 SCARY? NO!
  • 110. SCARY SHIT! DEFACE 2 SCARY? Well… disturbing, scary? Not so much!
  • 114. SHODAN – THE BAD PART • Imports nmap scans from their servers on a rotational basis, so it's not always 100% updated! We confirmed this by correlating some of the Shodan results with our own results. • For example, for MySQL servers Shodan would find 785, where our results showed 3000+.
  • 115. SHODAN – THE GOOD PART • Good querying system. • If port scanning is illegal in your country, you’re out of trouble if you use Shodan, because you're just querying data acquired by them.
  • 116. Kudos: Girlfriends / Wives; Aaron @f1nux; HD Moore; Codebits organization
  • 117. Resources
    • http://secanalysis.com/interesting-shodan-searches/
    • blog.spiderlabs.com/2012/06/using-nmap-to-screenshot-web-services.html
    • http://www.youtube.com/watch?v=LPgZU7ZNIjQ – Defcon 18 (2010), SHODAN for Penetration Testers, Michael Schearer
    • http://www.youtube.com/watch?v=Tg9ZAvynjdk – HD Moore – Empirical Exploitation
    • http://www.youtube.com/watch?v=b-uPh99whw4 – HD Moore – Wild West
  • 119. Test our tool: www.infosec.pt (test accounts as given on the slide)
    ptcoresec0 jguw8r6msf
    ptcoresec1 pwqc9azmwl
    ptcoresec2 uhrptvkm28
    ptcoresec3 35q4lr2wxq
    ptcoresec4 k48fg1wj7t
    ptcoresec6 dt9onrpnb8
    ptcoresec7 9on68zqfm5
    ptcoresec8 xfw9wqqf6f
    ptcoresec9 l744jjy6g2

Editor's notes

  1. Everyone had a different set of opinions.
  2. http://en.wikipedia.org/wiki/Security_through_obscurity
  3. Although not huge, it's still nearly 6 mil IP addrs
  4. -iL – file with IPs; -oA – save output in all formats; -sS – SYN stealth scan; -sV – service detection; -p21 – port; -T5 – supa-dupa ultra fast; -PN – don't ping
  5. --host-timeout 1501 – wait the minimum time on a host; -n – don't do DNS resolution; --min-parallelism 10 – probes (instances); --min-hostgroup 400 – each probe does 400 hosts at a time
  6. --host-timeout 1501 – wait the minimum time on a host; -n – don't do DNS resolution; --min-parallelism 10 – probes (instances); --min-hostgroup 400 – each probe does 400 hosts at a time
  7. http://stackoverflow.com/questions/10531618/how-to-retrieve-both-tcp-and-udp-ports-with-nmap
  8. Server: netcat running on UDP port 11111. Client: checks for the service on port 11111.
  9. Source:http://blog.stalkr.net/2010/05/udp-scan-with-icmp-port-unreachable-and.html
  10. Source:http://blog.stalkr.net/2010/05/udp-scan-with-icmp-port-unreachable-and.html
  11. Imgsource:http://i.i.com.com/cnwk.1d/i/tim/2012/06/19/Raspberry_Pi_35332544_05_1.jpg
  12. Imgsource: http://elinux.org/R-Pi_Hub
  13. Imgsource: http://elinux.org/R-Pi_Hub
  14. http://www.youtube.com/watch?v=WUhOnX8qt3I
  15. http://www.shodanhq.com/?q=Xerver (REF: http://www.exploit-db.com/exploits/9718); http://www.shodanhq.com/?q=Golden+FTP+Server (REF: http://www.exploit-db.com/exploits/10258)
  16. https://community.rapid7.com/community/metasploit/blog/2012/06/11/scanning-for-vulnerable-f5-bigips-with-metasploit ; https://community.rapid7.com/community/metasploit/blog/2012/06/25/press-f5-for-root-shell
  17. SAP applications, provide the capability to manage financial, asset, and cost accounting, production operations and materials, personnel, plants, and archived documents.
  18. SNMP
  19. Source:http://opasylum.net/WikiTreason/pentest/scanners/snmp/snmpenum/windows.txt
  20. Source:http://opasylum.net/WikiTreason/pentest/scanners/snmp/snmpenum/windows.txt
  21. Source:http://opasylum.net/WikiTreason/pentest/scanners/snmp/snmpenum/windows.txt
  22. SNMP
  23. SNMP
  24. SNMP
  25. SNMP
  26. SNMP
  27. UPNP
  28. UPNP
  29. Explain FIREWALL THINGIE
  30. UPNP
  31. UPNP
  32. UPNP
  33. UPNP
  34. UPNP
  35. UPNP
  36. Source:http://blog.spiderlabs.com/2012/06/using-nmap-to-screenshot-web-services.html
  37. Source:http://blog.spiderlabs.com/2012/06/using-nmap-to-screenshot-web-services.html
  38. Source:http://blog.spiderlabs.com/2012/06/using-nmap-to-screenshot-web-services.html
  39. Source:http://blog.spiderlabs.com/2012/06/using-nmap-to-screenshot-web-services.html
  40. SNMP
  41. SNMP
  42. SNMP
  43. SNMP
  44. SNMP
  45. SNMP
  46. SNMP