Nothing to say any more
Nmap 9 truth

Profile: 小河 哲之 (Twitter: abend)
ISOG-WG1, Burp Suite Japan User Group, Prosit
Trigger of this presentation
I wrote an article about Nmap in the May 2016 issue of Software Design. Today I will talk about the things I noticed while writing that article. (In this presentation, where no version is given, v7.12 is meant.)
At first
I will introduce 8 hidden options of Nmap, and the only one type of malware (a worm) that Nmap can detect. I will also talk about how to make good use of Nmap.
8 hidden options + 1 type of malware = 9 truths
Nmap
One of the network scanners. Gordon Lyon developed it in 1997.
- Portscan
- Searching hosts
- Detect OS, services
- Vulnerability scan
8 hidden options
In Nmap, there are hidden options which are not described in the Reference Guide or in the help output.

--noninteractive
--noninteractive
Nmap is an interactive application.

Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2016-07-30 23:38 JST
Stats: 0:00:01 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 0.10% done
--noninteractive
With this option, we CAN disable the keyboard interaction (pressing Enter to see the scan progress).
--noninteractive
nmap_tty.cc, lines 336-342:
"Interactive keyboard commands:\n"
"?               Display this information\n"
"v/V             Increase/decrease verbosity\n"
"d/D             Increase/decrease debugging\n"
"p/P             Enable/disable packet tracing\n"
"anything else   Print status\n"
"More help: https://nmap.org/book/man-runtime-interaction.html\n");
--noninteractive
Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2016-07-30 23:39 JST
Press 'p':
Packet Tracing enabled.
SENT (1.6510s) TCP 192.168.217.130:45411 > 192.168.217.131:8888 S ttl=41 id=54162 iplen=44 seq=1659576208 win=1024 <mss 1460>
RCVD (1.6509s) TCP 192.168.217.131:8888 > 192.168.217.130:45411 RA ttl=64 id=0 iplen=40 seq=0 win=0
Press 'P':
Packet Tracing disabled.
--noninteractive
We can turn on packet tracing with 'p', and in the same way turn on an option we forgot, or turn off an option we specified, interactively.

--noninteractive
The interactive function of Nmap lets us confirm that Nmap is running properly, by temporarily enabling some options, when a scan is very slow.
--noninteractive disables it.
--noninteractive
In the Japanese reference guide:
"This option is not built into Nmap yet. This item needs some content added, or should be deleted."

--noninteractive
This option was added to Nmap in v4.00 (2006/1/31), so I guess that the Japanese reference guide was written before that version.
--noninteractive
Conclusion: Useless

--nogcc
--nogcc
Nmap sends packets to the designated segment(s) all at once, so the scan time is short.
Average time of 10 scans (/24, SYN scan):
no option    : 9.62 sec
with --nogcc : 3.73 sec
--nogcc
[Chart: packets per second against elapsed time (0 to about 11 sec), --nogcc versus no option]
--nogcc   : 1.65 sec
no option : 11.06 sec
--nogcc
Filtered hosts, and hosts on which some service is running, are not detected.
no option    : 9 hosts
with --nogcc : 7 hosts
※ Because of a slow ARP response, one host was not detected. The --send-ip option resolved the situation.

--nogcc
Nmap controls congestion, but --nogcc turns that control off, so all packets are sent at once.
--nogcc
scan_engine.cc, lines 394-403:
/* In case the user specifically asked for no group congestion control */
if (o.nogcc) {
  if (when)
    *when = USI->now;
  return true;
}
--nogcc
Three points of congestion control in Nmap:
• congestion window
• exponential backoff
• slow start

--nogcc
• congestion window → if a drop is detected, reduce the number of packets in flight
• exponential backoff → if a drop is detected, slow down dramatically
• slow start → speed the scan up gradually
--nogcc
With the --nogcc option, Nmap sends scan packets all at once, so the load can increase. And because congestion is not handled at all, precision drops, which can lead to false negatives.
The option for naughty people.
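The trade-off on these slides (speed from sending the whole group at once, versus drops that turn into false negatives) can be seen in a toy simulation. This is an added Python example for this write-up, not code from the slides or from Nmap: the link capacity, the window sizes, the TCP-like window rules and the "a dropped probe is never retried" rule are constructed assumptions standing in for Nmap's real congestion control, chosen only to show the shape of the effect.

```python
"""Toy model of what --nogcc gives up.

Added example for this deck, not code from the slides or from Nmap. A link
that answers at most `capacity` probes per round silently drops the rest,
and (a simplification, like --max-retries 0) a dropped probe is never
retried, so every drop is a port that looks closed or filtered: a false
negative. With group congestion control the sender ramps up (slow start),
backs off on a drop, and loses little; with --nogcc everything goes out in
one burst.
"""
from dataclasses import dataclass


@dataclass
class Result:
    rounds: int      # how many send rounds the scan took (time)
    dropped: int     # probes lost to congestion (false negatives)
    answered: int    # probes that got a reply


def simulate(total_probes: int, capacity: int, nogcc: bool,
             initial_cwnd: int = 10, max_cwnd: int = 300) -> Result:
    """Send total_probes through a link answering `capacity` probes per round.

    Window rules (a simplified TCP-like model, NOT Nmap's exact algorithm):
    double the window each round while below ssthresh (slow start), grow by
    one above it, and on any drop halve ssthresh and fall back to the initial
    window (exponential backoff). --nogcc disables all of this and sends the
    whole group at once.
    """
    cwnd = total_probes if nogcc else initial_cwnd
    ssthresh = max_cwnd
    sent = dropped = answered = rounds = 0
    while sent < total_probes:
        rounds += 1
        burst = min(cwnd, total_probes - sent)
        lost = max(0, burst - capacity)        # everything beyond capacity is dropped
        sent += burst
        dropped += lost
        answered += burst - lost
        if nogcc:
            continue                           # no feedback loop at all
        if lost:
            ssthresh = max(initial_cwnd, cwnd // 2)
            cwnd = initial_cwnd                # back off hard after a drop
        elif cwnd < ssthresh:
            cwnd = min(max_cwnd, cwnd * 2)     # slow start
        else:
            cwnd = min(max_cwnd, cwnd + 1)     # congestion avoidance
    return Result(rounds, dropped, answered)


def false_negative_rate(result: Result) -> float:
    """Share of probes whose answer never came back."""
    total = result.dropped + result.answered
    return result.dropped / total if total else 0.0


if __name__ == "__main__":
    # 256 probes (a /24 worth of hosts, or 256 ports) into a link that can
    # only answer 50 per round: constructed numbers, not measurements.
    for label, flag in (("no option", False), ("--nogcc", True)):
        r = simulate(256, 50, nogcc=flag)
        print(f"{label:10s} rounds={r.rounds:2d} dropped={r.dropped:3d} "
              f"answered={r.answered:3d} "
              f"false negatives={false_negative_rate(r):.0%}")
```

With the constructed numbers, the controlled sender needs 8 rounds and loses 30 probes while it feels out the capacity; --nogcc finishes in a single round but loses 206 of 256, which is exactly the "fast but imprecise" behaviour measured on the previous slides.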
--nogcc
Conclusion: Useless, except for naughty people
--route-dst

--route-dst
Option to confirm the IP routing destination for the specified interface.
# nmap -e eth0 --route-dst 8.8.8.8
Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2016-09-20 12:41 JST
8.8.8.8
eth0 eth0 srcaddr 192.168.1.209 nexthop 192.168.1.254

--route-dst
Conclusion: Useless
-I (uppercase i)

-I (uppercase i)
The ident scan seems not to be implemented any more.
case 'I':
  error("WARNING: identscan (-I) no longer supported. Ignoring -I");
  break;
  // o.identscan++; break;

-I
Conclusion: Useless
-thc

-thc
# nmap -thc
!!Greets to Van Hauser, Plasmoid, Skyper and the rest of THC!!
It means "Congratulations!"

-thc
Conclusion: Useless
-oH

-oH
The option for output in HTML format. If there is a gap in the escaping, it could lead to XSS.

-oH
From 2.30BETA16 to 3.93:
} else if (strcmp(long_options[option_index].name, "oH") == 0) {
  fatal("HTML output is not yet supported");
※ I did not check every version.

-oH
From 3.94ALPHA1 to 7.12:
} else if (strcmp(long_options[option_index].name, "oH") == 0) {
  fatal("HTML output is not directly supported, though Nmap includes an XSL for transforming XML output into HTML. See the man page.");
※ I did not check every version.

-oH
This option has perhaps not been implemented yet. I wanted to see an XSS in Nmap.

-oH
Conclusion: Useless
--ff

--ff
The option for 16-byte fragmentation. The "-f" option in the reference is for 8-byte fragmentation.

--ff
With both "-f" and "--ff", the fragment byte count accumulates.
} else if (strcmp(long_options[option_index].name, "ff") == 0) {
  o.fragscan += 16;

--ff
What happens in this case?
nmap -f -f --ff --ff 192.168.1.1

--ff
"-f" twice = 8 x 2 bytes, plus "--ff" twice = 16 x 2 bytes: 48-byte fragmentation. Same idea as -v -vv (the values add up).

--ff
You can learn "how many bytes is the fragmentation?" at elementary school level ;-p
nmap -f -f --ff 192.168.1.1

--ff
If you want to fragment more simply, you had better use the "-mtu XX" option rather than "-f" or "--ff".
nmap -mtu 24 192.168.1.1

--ff
Conclusion: Useless, except for elementary school children
--deprecated-xml-osclass

--deprecated-xml-osclass
This seems to be an option to make osclass a child tag of osmatch in -oX output. Otherwise an unknown option.

--deprecated-xml-osclass
Some options contain symbols such as hyphens. Which of the following can be used to specify the maximum scan delay?
① --max-scan-delay
② --max_scan_delay

--deprecated-xml-osclass
Both work.
All options of Nmap can be specified with either hyphens or underscores. But mixing both is an absolutely bad idea.

--deprecated-xml-osclass
nmap.cc, lines 597-598. There are definitions for both hyphen and underscore:
{"max_scan_delay", required_argument, 0, 0},
{"max-scan-delay", required_argument, 0, 0},
deprecated-xml-osclass has both definitions, too.
--deprecated-xml-osclass
I introduce the comment at osscan.cc line 1209, which fits my feeling on finding this bug.
char *p, *q; /* OH YEAH!!!! */
--deprecated-xml-osclass
Well, let's read the Japanese reference guide.

--deprecated-xml-osclass
The mix.

--deprecated-xml-osclass
If you actually use this mixed option, you will see this:
nmap: unrecognized option '--max_scan-delay'
See the output of nmap -h for a summary of options.
There is a mistake only in the Japanese reference guide!!
--deprecated-xml-osclass
The max_scan_delay option was:
• Added in v3.75 (2004/10/18)
• Usable with both hyphen and underscore since v3.99 (2006/1/25)

--deprecated-xml-osclass
There are 11 versions between v3.75 and v3.99 (2006/1/25). All 11 versions supported only the underscore; there was no mix.
The facts say that it is merely a typo.

--deprecated-xml-osclass
The Japanese reference guide is not only old but also has a mistake. I introduce the comment at netutil.cc line 4478, which fits my feeling on finding this.
continue; /* D'oh! */
In Japanese: おいおい、なんてこった

--deprecated-xml-osclass
Conclusion: Useless
~ Progress so far ~
All 8 options are useless.

The only one malware that can be detected
One malware (worm)
Nmap can find only one malware (and the infected host) by service scan.

Service Scan
Service scan (-sV option) has an intensity (--version-intensity). The default intensity is 7, but we can specify 0-9.

Service Scan
nmap-service-probes holds information about port numbers and fingerprints. The rarity in this file corresponds to the intensity.

Service Scan
There are 126 patterns in nmap-service-probes.
[Chart: number of probes (Num) by rarity; x-axis: None, 1, 2, 3, 4, 5, 6, 7, 8, 9]
Not executed without intensity.
Service Scan
With only the -sV option, you take advantage of only about 30% of this feature. With intensity, we may be able to detect pcAnywhere or Java RMI better.
Service Scan
This is one of the rarity 9 probes.
Probe TCP mydoom q|\x0d\x0d|
rarity 9
ports 706,3127-3198
match mydoom m|\x04\x5b\0\0\0\0\0\0| p/MyDoom virus backdoor/ v/v012604/

＿人人人人人人人人人＿
＞  mydoom !?  ＜
￣Y^Y^Y^Y^Y^Y^Y￣
Mydoom
https://www.ipa.go.jp/security/topics/newvirus/mydoom.html

Mydoom
Appeared in 2004. It spread by e-mail and attacked www.sco.com etc. during a certain period. It listens on a specific port.
※ "cho-kimochiii", which means "excellent!", said by Kosuke Kitajima, gold medalist at the Beijing Olympics, won first prize in the buzzword-of-the-year award.

I tried
Infection on Windows XP SP3.
WORM_MYDOOM.BR
Without intensity
# nmap -p- -sV IP address
PORT     STATE SERVICE      VERSION
21/tcp   open  ftp          Microsoft ftpd
25/tcp   open  smtp         Microsoft ESMTP 6.0.2600.5949
80/tcp   open  http         Microsoft IIS httpd 5.1
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows 98 netbios-ssn
443/tcp  open  https?
445/tcp  open  microsoft-ds Microsoft Windows XP microsoft-ds
1025/tcp open  msrpc        Microsoft Windows RPC
5424/tcp open  unknown

With intensity
# nmap -p- -sV --version-intensity 9 IP address
PORT     STATE SERVICE      VERSION
21/tcp   open  ftp          Microsoft ftpd
25/tcp   open  smtp         Microsoft ESMTP 6.0.2600.5949
80/tcp   open  http         Microsoft IIS httpd 5.1
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows 98 netbios-ssn
443/tcp  open  https?
445/tcp  open  microsoft-ds Microsoft Windows XP microsoft-ds
1025/tcp open  msrpc        Microsoft Windows RPC
5424/tcp open  mydoom       MyDoom virus backdoor v012604
Nmap covered Mydoom!!
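Why port 5424 is reported as mydoom only with --version-intensity 9 follows from the rarity rule in nmap-service-probes: 5424 is not in the probe's ports list, and the probe's rarity (9) is above the default intensity (7), so the probe is skipped. The following is an added Python example for this write-up, not from the slides and not Nmap's own parser. It reads the MyDoom entry shown earlier (embedded verbatim) and applies the documented rule: a probe is tried against a port that is in its ports list, otherwise only when rarity is at most the intensity. The default rarity of 5 for entries without a rarity line is an assumption, and the response bytes are constructed to fit the match line, not a captured reply.

```python
"""Parse the MyDoom entry from nmap-service-probes and apply Nmap's
rarity / --version-intensity rule.

Added example for this deck, not code from the slides and not Nmap's own
parser. Rule implemented (from Nmap's documentation): a probe is sent to a
port when the port is in the probe's `ports`/`sslports` list, or when the
probe's rarity is <= the chosen intensity (default 7). Only the directives
that appear in the slide (Probe, rarity, ports, match) plus sslports and
softmatch are handled.
"""
import re
from dataclasses import dataclass, field

# The entry exactly as shown in the slides (a raw string keeps the escapes).
MYDOOM_ENTRY = r"""
Probe TCP mydoom q|\x0d\x0d|
rarity 9
ports 706,3127-3198
match mydoom m|\x04\x5b\0\0\0\0\0\0| p/MyDoom virus backdoor/ v/v012604/
"""

# Constructed banner that satisfies the match regex above (not a capture).
MYDOOM_BANNER = b"\x04\x5b" + b"\x00" * 6


@dataclass
class Match:
    service: str
    pattern: re.Pattern          # compiled bytes regex from the m|...| field
    info: dict                   # p/product/, v/version/, i/info/ ... fields


@dataclass
class Probe:
    proto: str
    name: str
    query: bytes                 # bytes Nmap sends, decoded from q|...|
    rarity: int = 5              # assumption: default when no rarity line is given
    ports: set = field(default_factory=set)
    matches: list = field(default_factory=list)


def _unescape(s: str) -> bytes:
    """Turn the \\xNN and \\0 escapes used in probe strings into raw bytes."""
    return s.encode("latin-1").decode("unicode_escape").encode("latin-1")


def _expand_ports(spec: str) -> set:
    """'706,3127-3198' -> {706, 3127, 3128, ..., 3198}"""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


_RE_FLAGS = {"i": re.IGNORECASE, "s": re.DOTALL}


def _parse_match(rest: str) -> Match:
    """rest looks like: '<service> m<d>regex<d>[is] p/.../ v/.../ ...'"""
    m = re.match(r"(\S+)\s+m(.)(.*?)\2([is]*)\s*(.*)$", rest)
    service, _delim, regex, flags, fields = m.groups()
    re_flags = 0
    for f in flags:
        re_flags |= _RE_FLAGS[f]
    info = {k: v for k, _, v in re.findall(r"\b([pvihod])(.)(.*?)\2", fields)}
    return Match(service, re.compile(regex.encode("latin-1"), re_flags), info)


def parse_probes(text: str) -> list:
    """Parse probe-file text into Probe objects, in file order."""
    probes = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, rest = line.partition(" ")
        if key == "Probe":
            proto, name, q = rest.split(" ", 2)
            delim = q[1]                                  # q|...|: any delimiter
            query = _unescape(q[2:q.index(delim, 2)])
            probes.append(Probe(proto, name, query))
        elif key == "rarity":
            probes[-1].rarity = int(rest)
        elif key in ("ports", "sslports"):
            probes[-1].ports |= _expand_ports(rest)
        elif key in ("match", "softmatch"):
            probes[-1].matches.append(_parse_match(rest))
    return probes


def probe_applies(probe: Probe, port: int, intensity: int = 7) -> bool:
    """Nmap's rule: try the probe if the port is listed for it, or if its
    rarity does not exceed --version-intensity."""
    return port in probe.ports or probe.rarity <= intensity


def identify(probe: Probe, response: bytes):
    """(service, product, version) for the first match line that fits the
    response, or None when nothing matches."""
    for m in probe.matches:
        if m.pattern.search(response):
            return m.service, m.info.get("p"), m.info.get("v")
    return None


if __name__ == "__main__":
    mydoom = parse_probes(MYDOOM_ENTRY)[0]
    for port, intensity in ((3127, 7), (5424, 7), (5424, 9)):
        tried = probe_applies(mydoom, port, intensity)
        print(f"port {port:5d} intensity {intensity}: {'tried' if tried else 'skipped'}")
    print(identify(mydoom, MYDOOM_BANNER))
```

The decision function is the whole story of the two scans above: on 3127 the probe is always tried because the port is listed, on 5424 it is skipped at the default intensity and tried at 9. The same rule explains why raising intensity also helps with other rare probes (the pcAnywhere and Java RMI cases mentioned earlier) at the cost of more probes per port.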
In Nmap 4.00 (released 31/1/2006), the new probe for Mydoom was added, over 2 years later!!
No need to fear Mydoom with this probe

With only one option, we can find Mydoom!
Nothing to say any more

The only one malware that can be detected
Conclusion: Useless, except for people in trouble with Mydoom

Summary

Summary
All of the 9 truths are useless. It's natural that they are not in the Reference Guide or the help output.

Nmap
One of the network scanners. Gordon Lyon developed it in 1997.
- Portscan
- Searching hosts
- Detect OS, services
- Vulnerability scan
- Support for naughty people (New!!)
- Arithmetic lesson (New!!)
- Detect only one worm (New!!)

At last
Say good bye to all, watching line 845 in service_scan.cc.
if (newstrlen < 3) return -1; // Have a nice day!