NMAP

Nmap manual

Uploaded by

Nicolas
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF or read online on Scribd
0% found this document useful (0 votes)
127 views34 pages

NMAP

Nmap manual

Uploaded by

Nicolas
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF or read online on Scribd
You are on page 1/ 34
Mastering the Nmap Scripting Engine
by Fyodor and David Fifield
Insecure.Org
http://insecure.org/presentations/BHDC10/

Black Hat Briefings Las Vegas: July 28; 4:45 PM; Augustus 546
Defcon 18: July 30; 5:00 PM; Track One

Outline
* NSE Intro & Usage
* Large-scale Scan #1: SMB/MSRPC
* Large-scale Scan #2: Favicon
* Writing NSE Scripts
* Live Script Writing Demo
* Nmap News
* Final Notes & Q/A

Nmap Scripting Engine

    # nmap -A -T4 scanme.nmap.org
    Starting Nmap 5.35DC18 ( http://nmap.org )
    Nmap scan report for scanme.nmap.org (64.13.134.52)
    Host is up (0.0018s latency).
    Not shown: 995 filtered ports
    PORT      STATE  SERVICE VERSION
    22/tcp    open   ssh     OpenSSH 4.3 (protocol 2.0)
    | ssh-hostkey: 1024 O:ac:4d 185:09:12:16:92:76:1d:5d :6e (DSA)
    |_60: 4b:c3:3b:18:a2:97:2c:96:7e:28:dc:dd (RSA)
    53/tcp    open   domain
    80/tcp    open   http    Apache httpd 2.2.3 ((CentOS))
    |_html-title: Go ahead and ScanMe!
    | http-methods: Potentially risky methods: TRACE
    |_See http://nmap.org/nsedoc/scripts/http-methods.html
    113/tcp   closed auth
    31337/tcp closed Elite
    OS details: Linux 2.6.13 - 2.6.31, Linux 2.6.18
    Nmap done: 1 IP address (1 host up) scanned in 23.32 seconds

Pre-written Scripts and the NSEDoc Portal
http://nmap.org/nsedoc/

(Screenshot: NSEDoc Reference Portal in Firefox. NSE Documentation: Categories | Scripts (show 131) | Libraries (show 45).)
Scripts:
* afp-brute: Performs password guessing against Apple Filing Protocol (AFP).
* afp-path-vuln: Detects the Mac OS X AFP directory traversal vulnerability, CVE-2010-0533.
* afp-serverinfo: Shows AFP server information. This information includes the server's hostname, IPv4 and IPv6 addresses, and hardware type (for example Macmini or MacBookPro).
* afp-showmount: Shows AFP shares and ACLs.
* asn-query: Maps IP addresses to autonomous system (AS) numbers.
Script Collection Growth
(Chart: number of NSE scripts per half-year, 2007-1 through 2010-2.)

Large Scale Scan #1: SMB/MSRPC Scripts
* Ron Bowes spent months researching SMB/MSRPC protocols and wrote a suite of 13 scripts.
* Informational: smb-os-discovery, smb-server-stats, smb-system-info, smb-security-mode
* Detailed Enumeration: smb-enum-users, smb-enum-domains, smb-enum-groups, smb-enum-processes, smb-enum-sessions, smb-enum-shares
* More intrusive: smb-brute, smb-check-vulns, smb-psexec
* Who to test them out on? Microsoft.

MS Scan Details
* Step 1: Find target IP addresses. 1,004,632 located in ARIN DB.
* Step 2: Start broad version detection scan:
    nmap -T4 --top-ports 50 -sV -O --osscan-limit --osscan-guess --min-hostgroup 128 --host-timeout 10m -oA ms-vscan -iL ms.ips.lst
  - Found 74,293 hosts up out of 1M IPs in 26 hours
* Step 3: Examine results

MS SMB Scan Results
* Vast majority of MS networks block Windows ports such as 135 and 445 at their gateways.
* ... but not all!
* New scan:
    nmap -v -O -sV -T4 --osscan-guess -oA ms-smbscan --script=smb-enum-domains,smb-enum-processes,smb-enum-sessions,smb-enum-shares,smb-enum-users,smb-os-discovery,smb-security-mode,smb-system-info [Target IPs]
* Results

Humble Beginnings: The Story of http-favicon.nse
* A simple idea: fingerprint web applications by retrieving the favicon.
* Vlatko Kosturjak wrote a script to do it (http://seclists.org/nmap-dev/2008/q4/397).
* However, the database was small and of unknown quality.
* If only we had a tool to do large Internet scans... and a way to write scripts for it... (http://seclists.org/nmap-dev/2009/q3/462)
* The favicon-survey.nse script (not part of the Nmap package) downloads favicons and stores them in the filesystem.

Results of the Favicon Survey
Scanned the external links of
* dmoz.org: 5,042,341
* en.wikipedia.org: 3,218,826
* de.wikipedia.org: 832,521
* fr.wikipedia.org: 652,040
* es.wikipedia.org: 532,951
Omitting duplicates, around 8 million domains.
* 995,152 unique icons
  - 799,924 image files
  - 195,228 non-image files (HTML error pages)
"Indeed, I have been scanning ;-)" —Brandon Enright (http://seclists.org/nmap-dev/2009/q3/487)

Favicon Visualization
A secondary survey: the Alexa top one million sites. Pack the icons tightly, with the size of each one proportional to its "reach."
(Image: favicon visualization.)

Writing NSE Scripts

Introduction to Lua & Why We Chose It
* Lightweight embeddable scripting language
  - Easy to learn
  - Tiny to embed: "Complete distribution (source code, manual, plus binaries for some platforms) fits comfortably on a floppy disk".
* Widely used, known, and debugged
  - Created in Brazil in 1993, still actively developed
  - Best known for its use in the game industry: World of Warcraft, Crysis, etc.
  - Security tools: Nmap, Wireshark, Snort 3.0

Why We Chose Lua (Continued)
* Extensible
  - Hooked to Nmap's fast parallel networking libraries
* Safe & Secure
  - No buffer overflows, format string vulns, etc.
* Portable
  - Windows, Linux, Mac, *BSD, etc.
* Interpreted

Capabilities Added by Nmap
* Protocol/helper libraries
  - 45, including DNS, HTTP, MSRPC, Packet, SNMP, unpwdb, etc.
* Protocol brute forcers
* Easy SSL
* Dependencies

Script Example #1: rpcinfo

Script Example #2: smb-enum-users

Live Script Demonstration
Problem: Find my webcam on a dynamic IP address. The webcam uses thttpd to serve /cam.jpg, so use a script to check those two things.

Make it a Production Script
To turn http-brute into a distribution-ready script, I would next
* expand the portrule to match more HTTP services,
* add script arguments to control the path retrieved and the method used,
* add NSEDoc @usage and @output examples, and
* let it cache credentials for other scripts to use.

What's Coming in NSE?
* Prerules & Postrules
* Target Acquisition Scripts
* Lots more scripts!
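A worked version of the webcam finder from the live demo, written here as an added example (it is not the script shown in the talk and not part of the Nmap distribution). It performs the two checks the demo describes (server is thttpd, /cam.jpg returns an image) and applies two points from the production-script slide: a portrule matching any HTTP service and a script argument for the path. The script name webcam-find, the argument name and the output text are assumptions.

```lua
local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"

description = [[
Finds a thttpd-based webcam: checks that the HTTP server identifies itself
as thttpd and that the requested path (default /cam.jpg) returns an image.
Added example for these slides, not a script shipped with Nmap.
]]

---
-- @usage
-- nmap -sV --script webcam-find --script-args webcam-find.path=/cam.jpg <target>
--
-- @output
-- PORT   STATE SERVICE
-- 80/tcp open  http
-- |_webcam-find: thttpd webcam found, /cam.jpg is image/jpeg
--
-- @args webcam-find.path  Path to request (default: /cam.jpg).

author = "Added example (hypothetical author)"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"discovery", "safe"}

-- Production-style portrule: any port Nmap believes is HTTP, not only 80.
portrule = shortport.http

action = function(host, port)
  -- Script argument controls the path; SCRIPT_NAME is provided by NSE.
  local path = stdnse.get_script_args(SCRIPT_NAME .. ".path") or "/cam.jpg"

  local resp = http.get(host, port, path)
  if not resp or not resp.status then
    return nil  -- no HTTP answer; a well-behaved script stays silent
  end

  -- Check 1: the server is thttpd. With -sV port.version.product is filled
  -- in; otherwise fall back to the Server header (NSE lowercases header names).
  local server = (port.version and port.version.product) or resp.header["server"] or ""
  if not server:lower():find("thttpd", 1, true) then
    return nil
  end

  -- Check 2: the path exists and is served as an image.
  local ctype = (resp.header["content-type"] or ""):lower()
  if resp.status == 200 and ctype:find("^image/") then
    return string.format("thttpd webcam found, %s is %s", path, ctype)
  end
  return string.format("thttpd found, but %s returned status %d", path, resp.status)
end
```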
  Current queue:
  - vnc-info (Patrik Karlsson)
  - vnc-brute (Patrik Karlsson)
  - svn-brute (Patrik Karlsson)
  - hostmap (Ange Gutek)
  - http-xst (Eduardo Garcia Melia)
  - rmi-dumpregistry (Martin Swende)

Zenmap NSE Integration
(Screenshot of Zenmap. Profile editor tabs: Scan, Ping, Scripting, Target, Source, Other, Timing. Target: scanme.nmap.org; Profile: Intense scan; Command: nmap -T4 -A -v scanme.nmap.org. Scan options shown: Enable all advanced/aggressive options (-A), Operating system detection (-O), Version detection (-sV), Idle Scan (Zombie) (-sI), FTP bounce attack (-b), Disable reverse DNS resolution (-n), IPv6 support (-6). Host Details for scanme.nmap.org: state up; open ports 3, filtered ports 993, closed ports 4, scanned ports 1000; uptime 2636588, last boot Thu Jun 24 22:13:52 2010; IPv4 64.13.134.52, IPv6 not available, MAC not available; Operating System: Linux 2.6.15 - 2.6.26.)

Ndiff

    # ndiff facebook-072410.xml facebook-072510.xml
    69.63.176.68:
    PORT     STATE SERVICE  VERSION
    -80/tcp  open  http     lighttpd 1.5.0
    +80/tcp  open  http     nginx

    video-ssl-03-06-ash1.fbcdn.net (69.63.186.53):
    PORT     STATE SERVICE  VERSION
    -443/tcp open  ssl/http lighttpd 1.5.0
    +443/tcp open  ssl/http nginx

    legacymail.thefacebook.com (66.220.144.49):
    PORT     STATE SERVICE  VERSION
     443/tcp open  ssl/http Microsoft IIS httpd 6.0
     | html-title: Document Moved
    -|_Did not follow redirect to https://mail.thefacebook.com/exchange
    +|_Did not follow redirect to https://mail.thefacebook.com/exchange/

Simple Ndiff Cron Script

    #!/bin/sh
    # Scan, diff against the previous run, then print the diff and the new
    # results (cron mails the output). The garbled output file names on the
    # slide are harmonized here to the facebook-vscan-* form used by the cat lines.
    date=`date "+%s"`
    cd /nack/facebook/scripts/
    nmap -sV -O --osscan-limit --osscan-guess -oA facebook-vscan-${date} [netblocks] > /dev/null
    ndiff facebook-vscan-old.xml facebook-vscan-${date}.xml > facebook-vscan-diff-${date}
    cp facebook-vscan-${date}.xml facebook-vscan-old.xml
    printf "\n***** NDIFF RESULTS *****\n"
    cat facebook-vscan-diff-${date}
    printf "\n***** SCAN RESULTS *****\n"
    cat facebook-vscan-${date}.nmap

Ncat
http://nmap.org/ncat/

Modern Networking Features
* SSL encryption support (client or server)
* Proxy (act as proxy server, or client chaining through multiple proxies)
* Portability
* TCP/UDP port redirection
* IPv6
* Fine-grained access control
* Connection brokering

Missing feature

Ncat Chat
A slight hack to broker mode enables a very rudimentary chat server.
Official chat server for this presentation:
    ncat --ssl -v chat.nmap.org
Server was started with command:
    ncat -l --ssl --chat chat.nmap.org

Rainmap: An Online Scanning Service
(Screenshot of the Rainmap web interface, logged in as fyodor: Home | Scans | Profile | Logout. "Create a new scan profile": profile name and target(s), e.g. www.securitybsides.com, www.cansecwest.com. "Here's what Nmap will do for each target: check responsiveness; look for open ports; detect the operating system; detect remote services/versions; scan with the default scripts.")

Nmap Script Authors
Aaron Leininger, Andrew Orr, Ange Gutek, Arturo Busleiman, Bernd Stroessenreuther, Brandon Enright, David Fifield, Diman Todorov, Djalal Harouni, Doug Hoyte, Eddie Bell, Eugene V. Alexeev, Felix Groebert, Ferdy Riphagen, Jah, Jason DePriest, Joao Correa, Kris Katterjohn, Mak Kolybabi, Marek Majkowski, Martin Swende, Matthew Boyle, Michael Pattrick, Michael Schierl, Patrik Karlsson, Philip Pickering, Richard Sammet, Rob Nicholls, Ron Bowes, Sven Klemm, Thomas Buchanan, Tom Sellers, Vladz Duarte Silva, Vlatko Kosturjak

Final Notes
* Ron Bowes at Black Hat Arsenal - Thursday, Station 5, 8:00 AM - 12:30 PM
* Slides to be posted Friday (and video as soon as we get it) to: http://insecure.org/presentations/
* Download Nmap from: http://nmap.org
* NSEDoc portal: http://nmap.org/nsedoc/
* NSE system docs: http://nmap.org/book/nse.html

Questions?