scanning · 2017-09-09 · Matsuzaki ‘maz’ Yoshinobu · Stole slides from ...
scanning
Matsuzaki ‘maz’ Yoshinobu <[email protected]>
Stole slides from Fakrul Alam and Shahadat Hossain
Basic Features of Google Search
• Automatic “AND” Queries
  • By default, Google only returns pages that include all of your search terms.
  • There is no need to include “AND” between terms.
• Automatic Exclusion of Common Words
  • Google ignores common words and characters such as and, or, in, of, be etc., as well as certain single digits and single letters, because they tend to slow down your search without improving the results. Google will indicate if a common word has been excluded by displaying details on the results page below the search box.
Basic Features of Google Search
• Capitalization
  • Google searches are NOT case sensitive. For example, searches for “APNIC”, “Apnic” and “apnic” will all retrieve the same results.
• Spell Checker
  • Google’s spell checking software automatically looks at your query to see if you are using the most common version of a word’s spelling. If it is likely that an alternative spelling would retrieve more relevant results, it will ask “Did you mean: (more common spelling)?”
Different Search Operators
• + Searches
• - Searches
• ~ Searches
• Phrase Searches
• Domain Restrict Searches
• Definition Searches
• File Type Searches
• Or Searches
• Fill in the Blank
• Currency Conversion
• Calculator Function
• Unit Conversion
• Time Check
Advanced Operators
• Google advanced operators help refine searches.
• They are included as part of a standard Google query.
• Advanced operators use a syntax such as the following:
  operator:search_term
• There’s no space between the operator, the colon, and the search term!
Advanced Operators at a Glance
Operator    Purpose
intitle     Search page title
allintitle  Search page title
inurl       Search URL
allinurl    Search URL
filetype    Search specific files
allintext   Search text of page only
site        Search specific site
link        Search for links to pages
inanchor    Search link anchor text
numrange    Locate number
daterange   Search in date range
author      Group author search
group       Group name search
insubject   Group subject search
msgid       Group msgid search
Advanced Google Searching
Some operators search overlapping areas. Consider site, inurl and filetype.
Exercise:
1. Find web servers that use your organizational domain name
2. Any admin login page available?
3. Any .doc file which contains the word “Confidential”?
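Before running the exercise queries against your own organisation's domain, it helps to check that each operator is written the way slide 5 requires (no space after the colon) and to notice when two operators constrain the same field (slide 7: site, inurl and filetype all narrow the URL). The following tokenizer is an added example, not from the slides: the operator names are the ones in the table above, while the URL-scope grouping, the spacing check and the sample queries are assumptions made here for illustration.

```python
"""Added example (not from the slides): tokenize a Google advanced-operator
query, flag the "operator: term" spacing mistake from slide 5, and report
operators whose scopes overlap (slide 7). Operator names come from the
slide table; URL_SCOPED and the sample queries are assumptions."""
import re

# Operator names from the "Advanced Operators at a Glance" table.
OPERATORS = {
    "intitle", "allintitle", "inurl", "allinurl", "filetype", "allintext",
    "site", "link", "inanchor", "numrange", "daterange", "author", "group",
    "insubject", "msgid",
}

# Assumed grouping: these operators all constrain the URL, so combining
# them narrows the same field rather than independent ones.
URL_SCOPED = {"site", "inurl", "allinurl", "filetype"}

# A quoted phrase is one token; otherwise split on whitespace.
TOKEN_RE = re.compile(r'"[^"]*"|\S+')


def is_operator_token(tok):
    return ":" in tok and tok.split(":", 1)[0].lower() in OPERATORS


def parse_query(query):
    """Return {'operators': [(op, value)], 'terms': [...], 'phrases': [...],
    'warnings': [...]} for one query string."""
    out = {"operators": [], "terms": [], "phrases": [], "warnings": []}
    tokens = TOKEN_RE.findall(query)
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith('"'):
            out["phrases"].append(tok.strip('"'))
        elif is_operator_token(tok):
            op, _, value = tok.partition(":")
            op = op.lower()
            if value == "":
                # "site: example.com": the space detaches the value, so Google
                # would see a bare term. Recover the next plain token and warn.
                nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
                if nxt and not nxt.startswith('"') and not is_operator_token(nxt):
                    value = nxt
                    i += 1
                out["warnings"].append(
                    f"space after '{op}:' -- write {op}:{value} without a space")
            out["operators"].append((op, value))
        else:
            out["terms"].append(tok)
        i += 1
    return out


def overlapping_scopes(parsed):
    """URL-scoped operators used together in one query (empty if at most one)."""
    used = [op for op, _ in parsed["operators"] if op in URL_SCOPED]
    return used if len(used) > 1 else []


if __name__ == "__main__":
    for q in ('site:example.com filetype:doc "Confidential"',
              "site: example.com inurl:docs"):
        parsed = parse_query(q)
        print(q, "->", parsed, "overlap:", overlapping_scopes(parsed))
```

The second sample query shows the spacing mistake being recovered with a warning; the first is exercise 3 written against a placeholder domain, with the site and filetype operators both reported as URL-scoped so you can reason about whether the narrower one already implies the other.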
nmap (https://nmap.org)
• Nmap is a free and open source network exploration and security auditing tool
• Nmap was created by Gordon Lyon, a.k.a. Fyodor Vaskovich, and first published in 1997.
• Working cross-platform, although it works best on Linux-type environments
• It uses raw IP packets to determine
  • What hosts are available on the network
  • What services (application name and version)
  • Guesses the operating system, uptime and other characteristics
Ethical Issue
• Can be used for hacking - to discover vulnerable ports
• System admins can use it to check that systems meet security standards
• Unauthorized use of Nmap on a system could be illegal.
• Make sure you have permission before using this tool.
• There is no right way to do the wrong things
Nmap: How it works
• DNS lookup - matches name with IP
• Nmap pings the remote target with 0 (zero) byte packets to each port
• If packets are not received back, port is open
• If packets are received, port is closed
• Firewall can interfere with this process
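The slide's last bullet, that a firewall interferes with the process, is the point a defender most needs to understand, and it is easiest to see by simulating what a probe gets back. Nmap's own documentation classifies a TCP SYN scan reply as follows: SYN/ACK means open, RST means closed, and no reply means filtered. The simulation below is an added example, not from the slides: nothing is sent on the wire, and the listening ports, the firewall policies and the probed ports are all constructed here.

```python
"""Added example (not from the slides): simulate what a TCP SYN probe gets back
through a host firewall. Nothing is sent on the wire; listening ports, firewall
policies and probed ports are constructed. The state mapping is the one Nmap
documents for a SYN scan: SYN/ACK -> open, RST -> closed, no reply -> filtered."""

ACCEPT, REJECT, DROP = "ACCEPT", "REJECT", "DROP"


def reply_for(port, listening, policy):
    """Reply a SYN to `port` gets: 'SYN/ACK', 'RST' or None (no reply).

    listening: set of ports with a service bound
    policy:    {port: action, 'default': action}, actions ACCEPT/REJECT/DROP
    """
    action = policy.get(port, policy["default"])
    if action == DROP:
        return None            # firewall discards the probe silently
    if action == REJECT:
        return "RST"           # firewall answers as if nothing listens there
    # ACCEPT: the TCP stack itself answers
    return "SYN/ACK" if port in listening else "RST"


def classify(reply):
    """Nmap's SYN-scan port state for a given reply."""
    if reply == "SYN/ACK":
        return "open"
    if reply == "RST":
        return "closed"
    return "filtered"


def simulate_scan(ports, listening, policy):
    """Map each probed port to the state a SYN scan would report."""
    return {p: classify(reply_for(p, listening, policy)) for p in ports}


def compare_policies(ports, listening, policies):
    """Run the same probe set against several policies for side-by-side reading."""
    return {name: simulate_scan(ports, listening, pol)
            for name, pol in policies.items()}


if __name__ == "__main__":
    listening = {22, 80, 3306}            # constructed host: ssh, http, mysql
    probes = [22, 80, 443, 3306]
    policies = {
        "no firewall": {"default": ACCEPT},
        "drop by default": {22: ACCEPT, 80: ACCEPT, "default": DROP},
        "reject by default": {22: ACCEPT, 80: ACCEPT, "default": REJECT},
    }
    for name, states in compare_policies(probes, listening, policies).items():
        print(f"{name:18} {states}")
```

With a default-DROP policy the database port that is listening but not allowed reads as filtered, indistinguishable from port 443 where nothing listens at all; with default-REJECT it reads as closed, identical to a genuinely closed port. Either way the report reflects firewall policy as much as the services actually running, which is why a scan from outside the firewall and a scan of your own client (Exercise 4) can legitimately disagree.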
Nmap: Scanning Techniques
• Host Discovery and Target Specification
• Port Scanning Technique, Specification and Order
• OS, Service and Version Detection
• Nmap Scripting Engine
• Timing and Performance
• Firewall, IDS Evasion and Spoofing Technique
• Scan Report
Nmap: Scan
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
  Can pass hostnames, IP addresses, networks, etc.
  Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
  -iL <inputfilename>: Input from list of hosts/networks
  -iR <num hosts>: Choose random targets
  --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
  --excludefile <exclude_file>: Exclude list from file
OS DETECTION:
  -O: Enable OS detection
  --osscan-limit: Limit OS detection to promising targets
  --osscan-guess: Guess OS more aggressively
Nmap: Scan
HOST DISCOVERY:
  -sL: List Scan - simply list targets to scan
  -sn: Ping Scan - disable port scan
  -Pn: Treat all hosts as online -- skip host discovery
  -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
  -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
  -PO[protocol list]: IP Protocol Ping
  -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
  --dns-servers <serv1[,serv2],...>: Specify custom DNS servers
  --system-dns: Use OS's DNS resolver
  --traceroute: Trace hop path to each host
Nmap: Scan
SCAN TECHNIQUES:
  -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
  -sU: UDP Scan
  -sN/sF/sX: TCP Null, FIN, and Xmas scans
  --scanflags <flags>: Customize TCP scan flags
  -sI <zombie host[:probeport]>: Idle scan
  -sY/sZ: SCTP INIT/COOKIE-ECHO scans
  -sO: IP protocol scan
  -b <FTP relay host>: FTP bounce scan
Exercise 1: Host discovery
• ssh [email protected]
  • Note: x is your group #
  • Note: password is iij/2497
• $ nmap -sP 10.0.2.0/24
Exercise 1: Host discovery
• ssh [email protected]
  • Note: x is your group #
  • Note: password is iij/2497
• $ nmap -sP 10.0.1.0/24
Exercise 2: Opening Ports
• Scan the host found in Exercise 1
• $ nmap <$ip>
Exercise 3: OS Fingerprint
• Guess the OS found in Exercise 1
• $ nmap -O <ip>
Exercise 4: Scan your client
• do not scan others’
• $ nmap <your IP>
• What kind of service is running there?
• Let nmap guess your OS
Exercise 5: Version
• $ nmap -sV 10.0.2.1
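Each of Exercises 1 to 5 produces a scan report, and the useful habit for an administrator is to keep those reports and compare them, so that a port that was not open last time stands out. Nmap's greppable output (-oG) is the easiest format to post-process: one tab-separated list of "Field: value" items per host line, with ports written as port/state/protocol/owner/service/rpc/version/. The parser below is an added example, not from the slides; the sample report it reads is constructed here (addresses from the lab range, made-up hostnames and versions) and no scan is run.

```python
"""Added example (not from the slides): parse Nmap greppable output (-oG) into
a per-host summary and diff two reports for newly opened ports. The sample
report is constructed; nothing is scanned."""
import re

# Constructed sample in nmap -oG layout: tab-separated "Field: value" items,
# ports as port/state/proto/owner/service/rpc/version/.
SAMPLE_OG = (
    "# Nmap 7.70 scan initiated (constructed sample) as: nmap -sV -O -oG - 10.0.2.0/24\n"
    "Host: 10.0.2.1 ()\tStatus: Up\n"
    "Host: 10.0.2.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.4 (protocol 2.0)/, "
    "80/open/tcp//http//Apache httpd 2.4.6/\tIgnored State: closed (998)\tOS: Linux 3.2 - 4.9\n"
    "Host: 10.0.2.5 (db.lab.example)\tStatus: Up\n"
    "Host: 10.0.2.5 (db.lab.example)\tPorts: 3306/open/tcp//mysql//MySQL 5.7.22/, "
    "443/filtered/tcp//https///\tIgnored State: closed (998)\n"
    "# Nmap done (constructed sample) -- 256 IP addresses (2 hosts up) scanned\n"
)

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)")


def parse_port(entry):
    """'22/open/tcp//ssh//OpenSSH 7.4/' -> dict(port, state, proto, service, version)."""
    port, state, proto, _owner, service, _rpc, version = entry.split("/", 6)
    return {"port": int(port), "state": state, "proto": proto,
            "service": service, "version": version.rstrip("/")}


def parse_greppable(text):
    """Return {ip: {'hostname', 'status', 'os', 'ports': [...]}} from -oG text."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue                      # '#' comment lines and blanks
        ip, name = m.groups()
        entry = hosts.setdefault(ip, {"hostname": name, "status": None,
                                      "os": None, "ports": []})
        for field in line.split("\t")[1:]:
            key, _, value = field.partition(": ")
            if key == "Status":
                entry["status"] = value
            elif key == "OS":
                entry["os"] = value
            elif key == "Ports":
                entry["ports"].extend(parse_port(p) for p in value.split(", "))
    return hosts


def open_ports(hosts):
    """{ip: [(port, proto, service, version)]} for ports reported open."""
    return {ip: [(p["port"], p["proto"], p["service"], p["version"])
                 for p in h["ports"] if p["state"] == "open"]
            for ip, h in hosts.items()}


def diff_open_ports(before, after):
    """(port, proto) pairs open in `after` but not in `before`, per host."""
    new = {}
    prev = open_ports(before)
    for ip, ports in open_ports(after).items():
        old = {(p, pr) for p, pr, _, _ in prev.get(ip, [])}
        added = [(p, pr) for p, pr, _, _ in ports if (p, pr) not in old]
        if added:
            new[ip] = added
    return new


if __name__ == "__main__":
    hosts = parse_greppable(SAMPLE_OG)
    for ip, h in hosts.items():
        print(ip, h["hostname"] or "-", h["status"], h["os"] or "-")
        for p in h["ports"]:
            print("   ", p["port"], p["proto"], p["state"], p["service"], p["version"])
    # A constructed earlier baseline with only ssh on the first host.
    baseline = parse_greppable(
        "Host: 10.0.2.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.4 (protocol 2.0)/\n")
    print("newly open:", diff_open_ports(baseline, hosts))
```

Note that the filtered https port on the second host is kept in the parsed record but excluded from open_ports, and that the diff compares (port, protocol) pairs only, so a version bump from -sV does not show up as a new exposure while a newly listening port does.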