Contents: Scan a network; Advanced Scans; Basic Network Scans; Launch A Scan; Results; Exports; Executive Report; Technical Report
Scan a network
Target: 192.168.1.0/24
Nessus provides a set of ready-to-use templates. For general scans, either the (1) Advanced Scan or the (2) Basic Network Scan will do. The difference is that the Advanced Scan also exposes the Compliance and Plugins settings, which can be used to fine-tune the compliance checks (credentials are required) and the plugins.
Contents: Introduction; nDPI; Build and install ndpi-netfilter; Realtime capture; Iptables/netfilter; SSH; Youtube; Social Networks
Introduction
Port-independent, P2P, and encrypted protocols have made conventional network traffic analysis based on packet headers (transport protocol and application ports) obsolete. Deep Packet Inspection (DPI) can be used to identify and classify these encrypted, port-independent, P2P protocols.
Contents: Scan large IP block; Exclude IP blocks of sensitive part of the Internet; Include IP blocks for targeted IP blocks; Transmission Rates; Specify ports and ranges; Pull the services and banners; Output formats; Manage config for different scanning strategies
The base system used to perform the scans:
root@192.168.1.11:~# uname -a
Linux kali 4.9.0-kali3-amd64 #1 SMP Debian 4.9.13-1kali2 (2017-03-07) x86_64 GNU/Linux
Scan large IP block
Scan the entire 175.
Contents: Introduction; Enabling knockd; Port-knocking; Open the port; Close the port; Using Hping3 / Nmap; Open the port; Close the port; Alternatives
Introduction
Port-knocking is a stealth method of opening ports that the firewall keeps closed by default. A port-knock server listens to all traffic on an Ethernet (or PPP) interface, looking for special “knock” sequences of port-hits.
In the Nmap Network Scanning book, chapter 15, section Port Specification and Scan Order, to quote: “By default, Nmap scans the most common 1,000 ports for each protocol.” [1]
However, the documentation does not list those 1000 ports.
So, how to identify and show those 1000 ports?
--top-ports n: the n highest-ratio ports found in nmap-services. n must be 1 or greater
-v: verbose level, to print the
-oG: grepable output
-: output to stdout
$ nmap --top-ports 1000 -v -oG - localhost
Note: refer to the /usr/share/nmap/nmap-services file for the service name and protocol.
Contents: Nmap Ndiff; Scan and interpret the results/diffs; Automation
Nmap Ndiff
Ndiff is a tool that aids in comparing Nmap scans. Like the standard diff utility, Ndiff compares two scans at a time: it takes two Nmap XML output files and prints the differences between them. The differences it reports are:
Host states (e.g. up to down)
Port states (e.
Contents: Scan a Network/Subnet; Host Discovery; Scan a large public network; Scan a private network: 192.168.1.0/24; Scan a Single Target; Remote OS and Service Detection; Host and Port State Reason; List of Examples
Scan a Network/Subnet
Host Discovery
HOST DISCOVERY:
-sL: List Scan - simply list the targets to scan without sending any packets to the target hosts; useful for generating a list of target hosts and their DNS resolution.
Contents: Scan for vulnerability; Create a HTTP request file; Scan the target; Explore the vulnerable target’s databases and system; Dictionary attack against password hashes and dump full credentials; OS Shell Access; Behind the scene; Speedup the process and specify custom injection payloads; Capture and decode the payload with Ngrep with Wireshark; Decode the payload
Scan for vulnerability
Create a HTTP request file
Use the -r option instead of passing a long list of parameters such as --url, --user-agent, etc.
Contents: Quick peek; Sorts out unique User-Agent (devices); Monitor the occurrence of the keywords; Monitor HTTP GET | POST traffic by IP addresses; DNS
Quick peek
Monitor activities on device eth0, port 80:
-W byline: linefeeds (LF) are printed as linefeeds, which is more readable.
-qt: quiet mode, and print a human-readable timestamp.
# ngrep -d eth0 -W byline -qt port 80
Sorts out unique User-Agent (devices)
In a corporate environment, the desktop/laptop OS build is often standardized.
Contents: Tcpxtract; Tcpextract
Tcpxtract
Tcpxtract supports 26 file formats and is extensible (/etc/tcpxtract.conf); however, it requires clear start and end markers. It supports only TCP packets, not UDP. Live capture from an interface and extract:
$ mkdir -p /tmp/enp0s3-tcpxtract-output
$ sudo tcpxtract -d enp0s3 -o /tmp/enp0s3-tcpxtract-output
Extract from the pcap file:
Tcpextract
Similar to both tcpflow and tcpxtract, tcpextract extracts all files it recognizes from a pcap file or interface.
Contents: Introduction; Wireshark; HTTP objects and files; Binary files; Tcpflow & Foremost
Introduction
The process of carving data out of network packets is mostly the same across tools, and comprises:
Gain access and collect the raw bytes
Strip the protocol information
Extract and write the data to file
The tools differ in their capabilities, i.e., the supported protocols and file formats.
Contents: Background; Changing the column display; Changing the Time Display Format; Adding HTTP Server Names; Adding HTTPS Server Names
Background
The following setup is intended to streamline the column display for effective analysis when looking at HTTP and HTTPS traffic. The default columns are: ‘No (Packet number)’, ‘Time’, ‘Source’, ‘Destination’, ‘Protocol’, ‘Length’, and ‘Info’.
Changing the column display
To change the default column display, navigate to ‘Preferences’:
Contents: DNSCrypt; Install; Select a resolver; Modify resolv.conf; Start systemd service; Verify the DNS traffic is encrypted
DNSCrypt can be used to increase web browsing privacy and thwart DNS traffic sniffing. It enables encryption and authentication of the DNS traffic between the local computer and the remote DNS resolver. It masks the domain resolution (otherwise sent in clear text) to the DNS server, which happens before the HTTPS connection to the target website is initiated.
Contents: Tcpkill; GDB
Tcpkill enables a privileged user to kill TCP connections selected by a tcpdump expression. It is part of the dsniff package. The default degree of brute force used in killing a connection is 3; fast connections may require a higher number in order to land a RST in the moving receive window.
tcpkill [-i interface] [-1...9] expression
For example, to kill the established connections and also to prevent any connections from 192.
Contents: Nettop; Google Transparency Report: Safe Browsing Tool; Netstat; Flowtop
Nettop
Assume an unknown/suspicious entry (i.e., no chat client is in use, yet a random chat domain appears: vmp.boldchat.com) is spotted while monitoring DNS, such as in the previous post titled Sniff DNS queries:
Under macOS, the nettop util provides a detailed list of sockets and routes that helps to track down the process that established the connection to the unknown domain:
Contents: Dnstop; Tcpdump; Wireshark / Tshark
Dnstop is a console libpcap application that displays various tables of DNS traffic on a network, including:
Source IP addresses
Destination IP addresses
Query types
Top level domains
Second level domains
# dnstop enp0s3 -l 3
Use ctrl-r to reset the counters and refresh the history to get the latest queries.
Tcpdump
Capture packets from port 53 (DNS):
Contents: MacOS’s Airport; Wireshark
MacOS’s Airport is a built-in wireless utility that comes preinstalled on MacOS.
$ ll /usr/local/bin/airport
lrwxr-xr-x 1 root wheel 89 Jun 22 2016 /usr/local/bin/airport@ -> /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport
Perform a wireless broadcast scan to get the list of access points in the neighborhood:
Sniff 802.11 frames on channel 1; the output is in pcap format and can be opened with tcpdump/wireshark:
$ airport en0 sniff 1
Capturing 802.
mtr
Often, troublesome networks won’t show up in the results of a few packets. mtr combines the functionality of the traceroute and ping utils and lets the user constantly poll a remote server to see how latency and performance change over time. It’s not installed by default on most Linux systems; simply get it from the distribution’s package manager of choice:
$ sudo apt-get install mtr
To debug remotely over ssh where no GUI is available, use the --curses or -t option:
This post extends the discussion on traceroute in the previous post, Traceroute, Firewalls & Geo-IP, and focuses on interpreting the traceroute report.
Output format explanation:
                 v--- the router/ip-addr traversed by the packet
[Hop] [Hostname/(IP-addr)] [RTT1] [RTT2] [RTT3]
  ^--- transit no. of the route   ^---- round-trip time
The round-trip time (RTT) is the latency (the delay between sending the packet and getting the response).
By default, traceroute sends 3 packets per TTL increment.
Contents: Traceroute; ICMP mode; UDP mode; TCP mode; Output format explanation; Hping3; InTrace; Nmap: traceroute-geolocation script
Traceroute
Traceroute is useful for diagnosing networking problems, e.g., end-to-end connectivity, complementing ping. It can also be used to pinpoint the location of devices, routers and firewalls. Tracerouting tools fundamentally rely on the IP packet’s TTL field (Time-To-Live, decremented at each hop, expires at 0): they send short-lived IP packets and wait for the ICMP Time Exceeded packets in which a router reports the expiry of those packets, thereby revealing the route.
Contents: List of online and web-based tools; Text-mode based Utility; VirusTotalApi
List of online and web-based tools
https://www.virustotal.com: by VirusTotal, a subsidiary of Google
https://exchange.xforce.ibmcloud.com: by IBM
http://safeweb.norton.com: by Norton, Symantec
http://www.avgthreatlabs.com/ww-en/website-safety-reports: by AVG ThreatLabs
https://cymon.io: by https://eSentire.com
http://www.reputationauthority.org: by WatchGuard Technologies
http://isitphishing.org: by https://vadesecure.com
Text-mode based Utility
VirusTotalApi
$ git clone https://github.com/doomedraven/VirusTotalApi.git
It is a utility to search the VirusTotal databases [1] for malicious URLs and hashes of known malware.
Digital cameras (including smartphones) and computers (screenshots) embed technical metadata into image files. This is useful for recording image profiles, but it can expose private information (device profiles, GPS coordinates, etc.) and thus raise privacy issues.
Before sharing images online, strip the image’s EXIF (Exchangeable Image File) metadata. The libimage-exiftool-perl package contains the library and program to read and write meta information in multimedia files.
$ sudo apt-get install libimage-exiftool-perl
To view the exif metadata:
Contents: hping3 and the firewall; ICMP mode; TCP mode; UDP mode; SCAN mode
hping3 and the firewall
Mode:
  (default)      TCP mode
  -0 --rawip     RAW IP mode
  -1 --icmp      ICMP mode
  -2 --udp       UDP mode
  -8 --scan      SCAN mode. Example: hping --scan 1-30,70-90 -S www.target.host
  -9 --listen    listen mode
ICMP mode
The typical ping utility and the hping3 equivalent, sending ICMP-echo and receiving ICMP-reply:
Contents: Iptables; UFW; Manage ufw by predefined service names; Extended syntax; Reorders firewall rules
Iptables
List the configured rules:
# iptables -L
# iptables -L -t nat
iptables has 5 tables (selected with -t, --table): raw, filter, nat, mangle and security. In common use cases, filter and nat are used: filter holds the firewall rules and nat handles network address translation such as port forwarding.
My examples are in JS, on the PhantomJS headless browser; they could easily be adapted to other languages. The script traverses a webpage and harvests all the URLs therein to check for malware/malicious sites through the Google Safe Browsing API.
192.168.1.9:~$ phantomjs chk-malinks.js http://some.malware.site
1: hshd.io
2: sourceforge.net
3: popup.taboola.com
4: www.geeksvip.com
5: my.hear.com
...
159: nba1001.net
160: www.pressroomvip.com
161: tracking.lifestylejournal.com
162: dsct2.com
163: www.historynut.com
164: www.buro247.my
gsafe response json:{ "matches": [ { "threatType": "MALWARE", "platformType": "ANY_PLATFORM", "threat": { "url": "nba1001.