|Even Trinity has to Scan...|
So these next few posts will be about scans. I know, I know, scanning is so -boring- right?! However, what did I say before? If you do not understand the basics and the versatility of your toolkit, you are missing data. Also, it never looks good when someone asks "Why did you try that?" and your response is "Because it was the example in the book and I thought that was good enough." Sorry guys, but you gotta start at the beginning :) I also do not know who my audience is out there on the interwebs, so I figure I'll start small and work my way up to more fun things (it's always good to have a refresher, right?)
Different operating systems respond to scans differently: where Windows XP says 'open', Windows 7 may say 'filtered'. The key is understanding the scan you are running, and then examining the results to determine what they mean. The way a machine responds to scan probes is also another way of determining the OS of the host you are scanning (also known as fingerprinting). That being said, I am not going to go through all the scans nmap has to offer, nor will I break each packet down to every bit and byte; try them on your own networks and see what works!
ICMP Scanning
ICMP stands for Internet Control Message Protocol. This is generally what you use on your internal network when troubleshooting connectivity problems. This is also why you should never allow ICMP responses to leave your network, as they help an attacker map your internal network. Let's see a simple example of an ICMP ECHO Request, the most common ICMP packet.
|ICMP ECHO command|
|ICMP Request - Type 8 is highlighted|
|ICMP Reply - Type 0 is highlighted|
Ok so let's go back to our command output: we see a TTL field. What is that? Well, TTL stands for Time To Live; it is a field in the IP header, so every ICMP packet carries one. It is a number which gets decremented by 1 every time the packet goes through a router (known as a 'hop') on the way to its destination. The default TTL for Windows XP is 128 (many OSes are different, see here for a list). Our TTL is... 128, so that means the packet did not have to go through any router to get there, it went straight to the destination (so we are definitely on the same network!). By the way, the TTL is another method to help determine the Operating System.
Let's look at a more 'legitimate' ping.
So here we have an ICMP packet going to www.google.com. As you can see, this took a bit longer than our first request, but more importantly, look at the TTL: it's definitely nowhere near 128! TTL becomes more interesting when trying to map firewalls, internet gateways, and routers, as it shows you how packets are routed to hosts on a network (using utilities like tracert).
I am going to briefly touch on ICMP broadcast messages. If you are doing an internal network assessment of a company and you send an ICMP echo request to the broadcast address, what do you do if nothing comes back? Pack up and leave? No! Again, different OSes respond differently to different requests. For example, Windows by default does not respond to ICMP broadcast requests, whereas Solaris as a whole does. So again, you can't just do one scan and expect to grab everything.
So before I wrap up for today, I am going to touch on a few other ICMP scans:
TimeStamp Request (Type 13) and TimeStamp Reply (Type 14): Asks the machine for its current time (as milliseconds since midnight GMT). If it responds... well, you know it is alive AND you know roughly where in the world the IP is. So on my BackTrack 5 box I ran the following command:
ping -T tsonly 192.168.0.9
The '-T' switch specifies the timestamp option, and 'tsonly' says all I want is timestamps. This gave me the following answer:
64 bytes from 192.168.0.9: icmp_seq=1 ttl=128 time=1.50 ms
TS: 74834377 absolute
If you take 74834377 milliseconds and do some maths on it, that gets you the time of about 2047 or 8:47pm, which is what time it is now in GMT :)
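As an added example (not from the post), here is a small Python script that pulls the TTL and the absolute timestamp out of a 'ping -T tsonly' reply, converts the millisecond count to a time of day, and estimates the hop count from OS default TTLs, tying together the TTL discussion above and the timestamp maths. The sample output is constructed from the values quoted in this post, the 64 and 255 defaults for Linux/BSD and Solaris/Cisco are assumptions, and the RFC 792 'non-standard' bit check is a caveat the post does not cover.

```python
import re

# Default initial TTLs by OS family. 128 is the Windows XP value the post quotes;
# 64 (Linux/BSD) and 255 (Solaris, Cisco) are assumed for this example.
DEFAULT_TTLS = {64: "Linux/BSD/macOS", 128: "Windows", 255: "Solaris/Cisco"}
MS_PER_DAY = 24 * 60 * 60 * 1000
NONSTANDARD_BIT = 0x80000000  # RFC 792: set when the host cannot supply UTC ms
REPLY_RE = re.compile(r"from (.+?): icmp_seq=(\d+) ttl=(\d+) time=([\d.]+) ms")
TS_RE = re.compile(r"^\s*TS:\s*(\d+) absolute\s*$")

def guess_hops(ttl):
    """Map an observed TTL to (likely initial TTL, OS family, routers crossed)."""
    for initial, family in sorted(DEFAULT_TTLS.items()):
        if ttl <= initial:
            return initial, family, initial - ttl
    raise ValueError(f"TTL {ttl} exceeds every known default")

def decode_icmp_timestamp(ts):
    """Turn an ICMP timestamp (ms since midnight UTC) into 'HH:MM:SS'."""
    if ts & NONSTANDARD_BIT:
        return "non-standard"  # host flagged the value as not UTC-based
    if ts >= MS_PER_DAY:
        return "invalid"       # more than a day's worth of milliseconds
    h, rem = divmod(ts // 1000, 3600)
    m, s = divmod(rem, 60)
    return f"{h:02d}:{m:02d}:{s:02d}"

def parse_ping_ts(output):
    """Parse 'ping -T tsonly' output into TTL, hop estimate and decoded timestamp."""
    result = None
    for line in output.splitlines():
        m = REPLY_RE.search(line)
        if m:
            ttl = int(m.group(3))
            initial, family, hops = guess_hops(ttl)
            result = {"host": m.group(1), "ttl": ttl, "initial_ttl": initial,
                      "os_family": family, "hops": hops,
                      "rtt_ms": float(m.group(4)), "time_utc": None}
            continue
        m = TS_RE.match(line)
        if m and result is not None:  # timestamp line follows its reply line
            result["time_utc"] = decode_icmp_timestamp(int(m.group(1)))
    return result

# Constructed sample built from the values quoted in the post (not a real capture).
SAMPLE = """\
64 bytes from 192.168.0.9: icmp_seq=1 ttl=128 time=1.50 ms
TS:\t74834377 absolute
"""
```

Running parse_ping_ts(SAMPLE) reports zero hops, a Windows-style TTL and a decoded time of 20:47:14 UTC; feed it a reply with ttl=56 and it will instead guess a 64 default and eight routers in between.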
AddressMask Request (Type 17) and Reply (Type 18): Used when asking for the subnet mask of an interface. Again, if it responds, you've got a live host (and now know the broadcast address, if you didn't already).
So how do you get these scans going in nmap? If you just type 'nmap' on the command line you should get a list of all its parameters. However, here are the ones I discussed today:
-PE (ICMP Echo), -PP (ICMP Timestamp) and -PM (ICMP Netmask Discovery)
So get out there, fire up your favourite scanning tool and start playing with the different Host Discovery scans. What can you see? Do some scans miss things that others pick up on? Why do you think that is? Get Wireshark going and look at the packets... the more you know!
- TTL Defaults: Up to Windows XP
- If you want a great reference of packet headers, SANS has a wonderful one which I have seen adorning many a nerd's cubicle.
- Change your TTL on Win2008 Server and Vista: Just for fun :) XP is here.
- ICMP Usage In Scanning by Ofir Arkin (PDF). Bet you never thought ICMP was this robust?