Informazioni personali

Cerca nel blog

Translate

Visualizzazione post con etichetta Linux. Mostra tutti i post
Visualizzazione post con etichetta Linux. Mostra tutti i post

giovedì 3 aprile 2014

Wireshark, Tools and forensic

English: A portable Tableau forensic write-blo...
English: A portable Tableau forensic write-blocker attached to a hard disk drive (Photo credit: Wikipedia)

 

Intro

 

Making a forensic analysis means to be able to collect and analyze data in order to find out evidence that could led you to a specific break.

 

Although is usually considered a post-mortem activity in the IT realm this aspect is less marked than in other forensic environment. If we are running an investigation on a homicide, as an example, we will be present when everything is already done, and we just have to collect cold evidence. On the other end when we are running a forensic IT investigation we cannot be sure that the event has occurred in the past, some traces and some events related to the break could still be alive and running as the break itself.

 

When performing an IT forensic investigation we should be able to collect cold evidences as hard disks, logs and whatever we could need, as well as live “warm” data.

 

This part of the job require, among other abilities, to be able to sniff and analyze your network, collect packet capture and deep inspect the content in order to find out what is unusual or clearly symptom of a breach.

 

What means forensic

 

Through the history, we have seen a great development of forensic instruments and branches: from pathology to entomology, from engineering to psychology several branches develop and we see new coming out as science and technology evolve.

 

No matter what branch or technique we are using, the aim is always the same: to be able to analyze in detail a crime scene in order to find the truth using any physical available evidence.

 

Since this is a quite new science definition and   rules are not well defined for any field, some areas are still in development, as for the computer and digital forensic, while other are in an advanced stage of development, as pathology for example.

 

Computer Forensic is still a new branch of the Forensic world we have to face some aspects:

 

  • Computer forensics is in its early or development stages
  • It is different from other forensic sciences as digital, and not physical, evidence is examined
  • There is a little theoretical knowledge based up on which empirical hypothesis testing is done
  • Designations are not entirely professional
  • There is a lack of proper training
  • There is no standardization of tools
  • It is still more of an “Art” than a “Science”

 

Working in the Cyber area require, nevertheless a quite standard approach, common to every forensic investigation. There are some “simple” rules that should be followed by any forensic investigator:

 

 

 

Identifying the crime

 

If there is no crime there is no need of a Forensic investigation, although it is always possible to use a forensic approach to proactively find possible areas where a crime can be pursued.

 

In any case, either if proactive or reactive, an investigation has to start with an object, a target, this is necessary in order to define instruments and tools that have to be used. Is quite different to suspect a database manipulation than a use of pornographic material in the work environment and so different will be the tools used to gather evidences.

 

Gathering the evidence

 

This is the core of any forensic activity, evidences are what we will work on, but in Computer Forensic those evidences are partially physical and mostly digital. This require an extra effort in order to no pollute evidences due to our gathering.

 

The process should be non-destructive and should preserve the data collected and the environment we are working on.

 

There are several good reason to be cautious: usually we will work in working environment and the evidence could be stored on production systems. Stopping or harming those environments would be sometimes worse than the crime itself, so it is strongly suggested to not bring home the entire database and related servers of an e-commerce company making them stop the activity, would not be appreciated. Clearly, we will have to find the best tradeoff between the collection of data and the preservation of the work environment.

 

Another good reason to be cautious is due to the fact that

 

Digital data can be easily modified and this could invalidate our effort, trying to not change, modify the evidence is always necessary, but here we need to be extra cautious.

 

We should also consider that sometimes law requirements force us to respect specific policy and rules, we can think of the privacy EU set of laws that makes difficult to handle properly sensitive and personal data even during a forensic investigation.

 

If it is possible we should use as less as possible the original evidences, trying to use when possible duplicate.

 

Building a chain of custody

 

Forensic data usually need to be moved from the crime scene to a safer location where the forensic expert can analyze it.  The chain of custody is fundamental when we’re moving digital data both if they are physical evidence, think of an HDD or USB keys, and digital as logs, scan reports or files. We have to be sure that nobody can tamper our evidences.

 

Analyzing the evidence

 

Finally we can analyze the evidence we gathered. Again most of the consideration of the previous points should be followed; we should never modify the original data, any modification should be reported in detail with any change of status, the analysis should be non-destructive when possible, we should use the appropriate tool and course of action considering the data we’re analyzing.

 

 The 3 A’s

 

  1. Acquire evidence without modification or corruption
  2. Authenticate that the recovered evidence is same as the originally seized data
  3. Analyze data without any alterations

 

Forensic and the network

 

Computer forensic evidences can be collected form a multitude of sources, data can be found in HDD’s , USB keys, CD\DVD rom, Ram, Rom and Cmos memory and so on. We should also consider that data can be presented in raw form (think of a stream of byte in a drive), as files, as metadata, as process (sql queries for example) and so on. But the complex network environment can present other sources as protocols and the network itself.

 

If the Network can be itself analyzed for a forensic investigation, why we should do this and what can we could find?

 

The network is the communication backbone where our data flow, and thus can be used in a crime to modify, access, copy, tamper data and systems .  Being able to analyze this backbone is mandatory in any forensic investigation.

 

To be able to do so we should be able to understand network protocols and the various objects we can find in a network as:

 

  • Computers
  • Network devices as printer, scanner and so on
  • Mobile computing devices as tablet, phones, laptop …
  • Network equipment‘s such as routers, switches, tappers, WAP (Wireless Access Point), firewalls, proxies, IDS …

 

But we have also to relate them with network protocols at the various level, the operating systems used, application environment, authentication environment, management and security platforms and so on.

 

This is a quite complicated effort since, usually, there is not a complete and clear documentation nor a single source of information. We, as Forensic Investigators, need to create ourselves a map of the environment where we will perform our investigation.

 

Activities like listing all the active process on a machine or all the port currently used are commonly performed with tools or internal command of the various OS and are fundamental to understand and design the environment.

 

Network analysis is fundamental to trails the whole incident how the attack begins, which are the intermediate devices through which it pass and who was the victim.

 

In order to obtain this goal we should collect evidences from log, firewalls, internetworking devices and files, and being able to make a network scan that can depict location and status of every device present on the network itself.

 

Once collected the data we should also be able to analyze that in detail, using the appropriated tools.

 

The first type of analysis is at the physical layer where we usually use:

 

  • Sniffers , which put NICs in promiscuous mode that allow them to be used to collect digital evidence at the physical layer
  • SPANned ports, hardware taps help sniffing in a switched network

 

Sniffers collect traffic from the network and transport layers other than the physical and data-link layer.

 

Investigators should configure sniffers for the size of frames to be captured, the default size of frame that most sniffers capture by default is 68 bytes of Ethernet frame, It is advisable to configure sniffers to collect Ethernet frames of size 65535 bytes

 

The de facto standard of saving the gathered data from the network is in a tcpdump file with “*.dump” extension

 

At the Data-Link Layer we usually check

 

  • MAC address , a part of the data-link layer is associated with the hardware of a computer
  • The ARP table of a router comes handy for investigating network attacks as the table contains IP addresses associated with the respective MAC addresses
  • The DHCP database also provides as a means for determining the MAC addresses associated with the computer in custody The DHCP server maintains a list of recent queries along with the MAC address and IP Address

 

At the Network and transport layer we usually collect:

 

Authentication logs:

 

  • Shows accounts related to a particular event
  • The IP address of the authenticated user gets stored in this log file

 

Application logs :

 

  • Application logging is meant for the storage of auditing information, which includes information produced by application activity
  • Web server logs help identify the system which was used as a means to commit the crime

 

Operating System logs:

 

  • It maintains log of events such as errors, system reboot, shutdown, security policy changes, user and group management

 

But before enable logging one should bear in mind: what to log otherwise, it can result in over-collection of data making it difficult to trace the critical event

 

Network device logs:

 

  • Network devices such as router and firewalls are configured to send a copy of their logs to remote server as the memory for these devices is low

 

The logs from network devices can be used as evidence for particular investigation on that network

 

Some of those data requires administrative privileges to be collected, some other rely on tools able to help to gather read and analyze data. Since we will have to correlate data coming from different sources in order to reconstruct a process is mandatory to align all timestamps. So if this is not done we should collect all the time setting for each device providing a log and considerate eventual time gaps in order to normalize all the references.

 

Wireshark, the standard tool for deep packet inspection

 

If you search on Google for a network sniffer or protocol analyzer, one of the first hits will be Wireshark (www.wireshark.org).

 

Wireshark is an open source network packet analyzer. Without any special hardware or reconfiguration, it can capture live data going in and out over any of your box’s network interfaces: Ethernet, WiFi, PPP, loopback, even USB. Typically it’s used as a forensics tool for troubleshooting network problems like congestion, high latency, or protocol errors — but you don’t want to wait until your network is in trouble to learn how to use it.

 

Wireshark has some features not found in many of the other free sniffers that are available, such as conversation reassembly and a capture display/filter, syntax that is more advanced than most.

 

Wireshark does require the WinPCap drivers, which are very simple to set up.WinPcap can be downloaded from www.winpcap.org. The WinPcap drivers enable a greater degree of access and control to the network communications at the packet level than is available by going through the Windows network drivers. For this reason, many third-party utilities that do heavy packet manipulation make use of WinPcap.

 

Profile normal network traffic is not the goal of Wireshark — it is a tool to help you recognize aberrant behavior when you are trying to track down the source of a problem. Unfortunately, there is no quick-and-easy path to tracing down the root cause of high latency or slow throughput.

 

Sure, if there is a zombie machine on your network infected by a trojan, you may easily flag it as an infected spam bot when you see it initiate thousands of SMTP connections per hour — and detecting viruses and malware is an important forensic task. But tracking down why one of your database servers is always a little bit slower than the other could involve quite a bit more digging and analysis.

 

That’s why taking some time to profile your network traffic under what we’ll assume are normal operating conditions is valuable. You can get a feel for how often WiFi clients see TCP retransmissions; if the rate doubles or triples, and you have not added any more machines, then you may need to look to see whether any one client is behaving differently than the others, or if you are simply seeing signal degradation. When diagnosing bandwidth woes, if one of your local servers is consistently timing out and dropping connections, it could be an application-level problem. But if Wireshark’s logs reveal that it is the remote server resetting connections, then you need to make a phone call.

 

Here, the tutorials at the Wireshark site are an invaluable aid. The wiki has some basic network troubleshooting pages, as well as links to resources hosted elsewhere.

 

Wireshark includes a lot of features that will help you analyze your network when you are tracking down the source of your problem. For example, you can run statistical comparisons between two saved packet captures; this allows you to perform a capture when you are experiencing the problem, and compare it against a data set you collect as a control group when things are running smooth. Likewise, you can collect and compare captures from two different machines — say, on different network segments or with different configurations.

 

This is also why it is so helpful that there are builds of Wireshark available for the proprietary operating systems: when chasing down a performance problem, you may need to collect data from every source. Last but not least, although Wireshark is always referred to as a network analyzer, the truth is it can analyze other things as well, including USB traffic and even Unix socket connections between applications. So even if you master your TCP/IP traffic this weekend, you may still have room to explore.

 

Capturing wireless control traffic can be done with Wireshark. To capture the control frames, the system must support the monitor mode on the card.

 

Its availablity are platform, driver and libpcap dependent, on most Linux systems it is possible to get the card into monitor mode with iwconfig or more easy with the airmon-ng script, for example, airmon-ng start wlan0, on windows, the AirPcap adapters from Riverbed allows the capture of full raw wireless traffic

 

NOTE

Wireshark is packet-centric (not data-centric)

Wireshark doesn’t work well with large network capture files (you can turn all packet coloring rules off to increase performance).

 

Since Wireshark is so powerful we can wonder if it can do everything we need. The answer is “Almost”. Where wireshark is limited we can find or write expansion in order to allow deeper and further analisys.

 

There are several plugin or addon on the internet related to wireshark, of course the very first can be found on the wireshark site, and are the ones crafted by reverbed technology, main sponsor of the wireshark project.

 

Plugin, addon and collateral software allow the forensic analyst to deep analyze data presented by wireshark. There are, actually, several needs to implement further wireshark astonishing capability.

 

Let’s present some.

 

Deep diving protocols:

 

Although the standard version of wireshark is able to process the most used protocols, there could be some specific areas that are not covered, or where the feature provided by wireshark could not be exhaustive.

 

The basic way to look into this kind of necessity is to find or build a component able to analyze the specific protocol you need.

 

Wireshark is able to capture raw network data and then show you the several component of single packet, it allow you also to create your specific component to read data, those components are called dissector.

 

A dissector is able to read a specific sequence inside your frame and define the type of protocol with its components. Then is able to send  the eventual incapsulated protocol to the appropriated dissector to further analyze.

 

 

 

 

 

Dissectors:

 

Each dissector decodes its part of the protocol, and then hands off decoding to subsequent dissectors for an encapsulated protocol.

 

Every dissection starts with the Frame dissector, which dissects the packet details of the capture file itself (e.g. timestamps). From there it passes the data on to the lowest-level data dissector, e.g. the Ethernet dissector for the Ethernet header. The payload is then passed on to the next dissector (e.g. IP) and so on. At each stage, details of the packet will be decoded and displayed.

 

Dissection can be implemented in two possible ways. One is to have a dissector module compiled into the main program, which means it’s always available. Another way is to make a plugin (a shared library or DLL) that registers itself to handle dissection.

 

There is little difference in having your dissector as either a plugin or built-in. On the Windows platform you have limited function access through the ABI exposed in libwireshark.def, but that is mostly complete.

 

The big plus is that your rebuild cycle for a plugin is much shorter than for a built-in one. So starting with a plugin makes initial development simpler, while the finished code may make more sense as a built-in dissector.

 

Monitoring/tracing tools

 

 

 

The following tools can process the libpcap-format files that Wireshark and TShark produce or can perform network traffic capture and analysis functions complementary to those performed by Wireshark. Some of them are useful for very specific needs or task, sometimes the same results are available with some digging and working by wireshark itself but some of those tools will make your life easier.

 

In brackets you will find the program license and the supported operating systems, in bold the ones we can’t live without.

 

 

 

  • Cap’r Mak’r generates new pcaps for various protocols
  • Chaosreader Extracts data streams from TCP connections and writes each stream to a file (GPL, Windows, various UN*Xes)
  • CloudShark Ability to view and analyze captures in a browser, annotate and tag them, and share them with a URL.
  • Cookie Cadger Helps identify information leakage from applications that utilize insecure HTTP GET requests.
  • Driftnet It is a program which listens to network traffic and picks out images from TCP streams it observes (GPL, Linux)
  • Ettercap Allows for sniffing of machines in a switched network LAN[1] (GPL, BSD/Linux/Solaris)
  • HUNT Allows for sniffing of machines in a switched network LAN as well as providing a very easy to use API to modify the intercepted frames before they are forwarded. Intercept and Modify. (GPL, Linux)

 

We should remember that Wireshark could analyze, in a switched environment, only the traffic presented to the sniffed network interface (direct traffic and broadcast type). To check all the traffic we should use a span-port or use tools like ettercap or hunt to make a classic poison mac sniffing.

 

Both those tools can do a lot of damage on the network so it is strongly suggested to pay a lot of attention mainly if you are collecting data in a live production environment. Although could be of some use to use the router mac address to explore the incoming\outgoing internet traffic, probably the performance of the network would decrease to an unacceptable low rate.

 

  • ipsumdump summarizes TCP/IP dump files into a self-describing ASCII format easily readable by humans and programs (uses the Click modular router).

 

This tool is particularly useful when data need to be presented and explained to people that is not so found on the forensic analysis we are performing.

 

  • Moluch Moloch is an open source, large scale IPv4 packet capturing (PCAP), indexing and database system.
  • Mu DoS converts any packet into a DoS generator
  • Ntop Network top – tool that lets you analyze network traffic statistics (GPL, FreeBSD/Linux/Unix)
  • Online PCAP to MSC chart Generator generates MSC arrow diagram charts from PCAP files.
  • p0f versatile passive OS fingerprinting and many other tricks (Freeware, BSD/Linux/Win32/…).

 

P0f is a tool that utilizes an array of passive traffic fingerprinting mechanisms to identify the players behind any incidental TCP/IP communications (often as little as a single normal SYN) without interfering in any way. Version 3 is a complete rewrite of the original codebase, incorporating a significant number of improvements to network-level fingerprinting, and introducing the ability to reason about application-level payloads (e.g., HTTP).

 

Some of p0f’s capabilities include:

 

Highly scalable and extremely fast identification of the operating system and software on both endpoints of a vanilla TCP connection – especially in settings where NMap probes are blocked, too slow, unreliable, or would simply set off alarms.

 

Measurement of system uptime and network hookup, distance (including topology behind NAT or packet filters), user language preferences, and so on.

 

Automated detection of connection sharing / NAT, load balancing, and application-level proxying setups.

 

Detection of clients and servers that forge declarative statements such as X-Mailer or User-Agent.

 

The tool can be operated in the foreground or as a daemon, and offers a simple real-time API for third-party components that wish to obtain additional information about the actors they are talking to.

 

Common uses for p0f include reconnaissance during penetration tests; routine network monitoring; detection of unauthorized network interconnects in corporate environments; providing signals for abuse-prevention tools; and miscellanous forensics.

 

  • PacketShark™ A handheld hardware tap for 100% on-field capturing of Ethernet packets at wire speed; store captured data using an external storage device (SD memory card) and analyze using wireshark
  • pcap_diff compares pcap files for received, missing or altered packets.
  • Prelude Another network intrusion detection system (GPL, BSD/Linux/Unix)
  • RRDtool is “a system to store and display time-series data (i.e. network bandwidth, machine-room temperature, server load average)”. (GPL, various UN*Xes) Many RRDtool-based applications are listed on the RRD World page.
  • Snort Network intrusion detection system (GPL, BSD/Linux/Unix/Win32)
  • SplitCap A pcap file splitter.
  • tcpflow Extracts data streams from TCP connections and writes each stream to a file (GPL, UN*X/Windows)
  • Tele Traffic Tapper Graphical traffic-monitoring tool; can also read saved capture files (BSD style?, BSD/Linux)
  • TPCAT will analyze two packet captures (taken on each side of the firewall as an example) and report any packets that were seen on the source capture but didn’t make it to the destination (GPLv2, any OS with Python and pcapy)
  • VisualEther Protocol Analyzer generates sequence diagrams from Wireshark PDML output (Win32)
  • Xplico A network forensic analysis tool (GPL, Linux only)

 

Traffic generators

 

These tools will either generate traffic and transmit it, retransmit traffic from a capture file, perhaps with changes, or permit you to edit traffic in a capture file and retransmit it.

 

  • Bit-Twist includes bittwist, to retransmit traffic from a capture file, and bittwiste, to edit a capture file and write the result to another file (GPL, BSD/Linux/OSX/Windows)
  • Cat Karat – Easy packet generation tool that allows to build custom packets for firewall or target testing and has integrated scripting ability for automated testing. (Windows)
  • D-ITG – (Distributed Internet Traffic Generator) is a platform capable to produce traffic at packet level accurately replicating appropriate stochastic processes for both IDT (Inter Departure Time) and PS (Packet Size) random variables (exponential, uniform, cauchy, normal, pareto, …).
  • Mausezahn Mausezahn is a free fast traffic generator written in C which allows you to send nearly every possible and impossible packet.
  • Nemesis is a command-line network packet crafting and injection utility. Nemesis can natively craft and inject ARP, DNS, ETHERNET, ICMP, IGMP, IP, OSPF, RIP, TCP and UDP packets. (GPL, BSD/Linux/Solaris/Mac OSX/Win32)
  • Network Expect is a framework that allows to easily build tools that can interact with network traffic. Following a script, traffic can be injected into the network, and decisions can be taken, and acted upon, based on received network traffic. An interpreted language provides branching and high-level control structures to direct the interaction with the network. Network Expect uses libwireshark for all packet dissection tasks. (GPL, BSD/Linux/OSX)
  • Network Traffic Generator Client/Server based TCP/UDP traffic generator (GPL, BSD/Linux/Win32)
  • Ostinato is a network packet and traffic generator and analyzer with a friendly GUI. It aims to be “Wireshark in Reverse” and thus become complementary to Wireshark. It features custom packet crafting with editing of any field for several protocols: Ethernet, 802.3, LLC SNAP, VLAN (with Q-in-Q), ARP, IPv4, IPv6, IP-in-IP a.k.a IP Tunneling, TCP, UDP, ICMP, IGMP, MLD, HTTP, SIP, RTSP, NNTP, etc. It is useful for both functional and performance testing. (GPL, Linux/BSD/OSX/Win32)
  • Scapy Scapy is a powerful interactive packet manipulation program (in Python). It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more. (GPL, BSD/Linux/OSX)

 

A more exaustive collection of traffic generators can be found at:

 

 

 

Capture file anonymization

 

These tools can be used to “anonymize” capture files, replacing fields such as IP addresses with randomized values. This is a mandatory requirement when presenting data to not authorized people. We should consider that IP address in many countries are considered “sensitive” data and so processing and showing those data could be ruled by privacy legislation.

 

  • AnonTool from the CRAWDAD archive of wireless traffic.
  • The bittwiste tool from Bit-Twist.
  • The Crypto-PAn tool.
  • The pktanon tool from the Karlsruhe Institute of Technology Institute of Telematics.
  • The SCRUB-tcpdump tool.
  • The tcpdpriv tool from the Internet Traffic Archive.
  • The tcprewrite tool from tcpreplay.
  • The TraceWrangler tool.

 

There’s a categorized list of anonymization tools at the CAIDA site http://www.caida.org/tools/taxonomy/anontaxonomy.xml

 

 

 

Capture file repair

 

These tools attempt to repair damaged capture files as much as can be done.

 

  • pcapfix can repair corrupted or truncated capture files.

 

 

 



[1] We should remember that Wireshark could analyze, in a switched environment, only the traffic presented to the sniffed network interface (direct traffic and broadcast type). To check all the traffic we should use a span-port or use tools like ettercap or hunt to make a classic poison mac sniffing.

 

 

mercoledì 5 giugno 2013

Nmap Guide Revisited – Hakin9 Tutorials | Magazine | Hackers about hacking techniques in our IT Security Magazine

Nmap Guide Revisited – Hakin9 Tutorials | Magazine | Hackers about hacking techniques in our IT Security Magazine

The Right Tool
NMAP Kung-Fu
By Aamir Lakhani, DCUCD, DCUCI, CCNP, CCDP, Microsoft Certified Systems EngineerIBM Cloud Computing Architect, CISSP, HP Open View Professional
Nmap is a popular tool for network reconnaissance It usually one of the first tools a network penetration tester will use to determine the type of system they are targeting, what ports are open on the target system, and what services may be running on the system. Nmap stands for “network mapper” and is used to scan hosts and services on a network. Nmap has advanced features that can detect different applications running on systems as well as services and OS fingerprinting features.
Map and Network
By Andrew Brooker, CISSP, CRISC Director of Operations Assurity River Group
Network Mapper is a network scanner that is used to discover network hosts and their services. The initial driver forGordon Lyon was to create a utility that could “map the network”, hence nmap. Back in 1997, namp was a Linux only utility, but today is a cross-platform, lightweight network security scanner. Not only can you use nmap on your favorite OS, but you have the option between CLI or GUI.
Introduction to Nmap
By Daniel Renaud, CEO of DJJ Consultants and a Linux specialist since 1994
Nmap (Network Mapper) is a security scanner used to discover information about hosts on a network. To accomplish this, Nmap will send crafted packets to the host and then use the response to get information about it. NMAP can be used to determine the operating system of host, the names and versions of the services, estimated up time, type of device, and presence of a firewall. You are probably thinking that there’s a lot of other scanner that can do that and you’re probably right but Nmap can do it in a different way.
The Bread and Butter of IT Security
By Andrey Mosktvitin, IT Security Professional, Microsoft
Today we are going to talk about bread and butter of every IT security, networking and system professional – Nmap nework scanner.
Initially Nmap was a Linux command-line tool created by Gordon “Fyodor” Lyon in 1997. Nowadays it is a great set of tools with extensible framework, providing opportunity to integrate it with external scripts. There is also a beautiful GUI called ZeNmap and editions for Windows, Mac OS X, most of UNIX OS available. You can get information about all features and a distributive at official www.Nmap.org website.
NMAP Scanning: How a Simple Tool STILL Makes Dramatic Impact
By Nathan Swaim, President, ANRC
In a growing world of network analysis tools to choose from there are a few that remain just as beneficial today as they were when it first came out. NMAP definitely has held its reputation as being a go-to tool when network analyst and security researchers need it. It’s well known that if you don’t at a minimum scan your network defense posture using NMAP at least once after major production changes you are taking an unnecessary gamble and risk by not doing so. While the NMAP tool hasn’t significantly changed in its development lifecycle the emphasis on using it certainly has. In this article we’ll dive into the basics of doing an NMAP scan and explain some of the ways this incredible tool is able to do what it does.
NMAP: A “HACKER TOOL” FOR SECURITY PROFESSIONALS
By Justin Hutchens, CISSP, CEH , ECSA, CHFI
The notion of the “ethical hacker” has always been an ironic one. The developing trends of ethical hacking and offensive security have transformed the information security industry into one of the most self-perpetuating industries in the world. The software and tools that are used to secure vulnerable information assets are the same tools that can be used to exploit them. But perhaps it’s the other way around. Perhaps the tools that were created for the sole purpose of exploiting information assets are now being used to safeguard them. I suppose this is a debate that could go on forever and is really just another instance of “what came first…the chicken or the egg?”
The Swiss Army Knife
Discover What Is Inside The Hard Shell
By Andrew Jones, VMTraining, GSEC, GCIH, CVE5, VMTraining Certified Trainer
Nmap was one of the basic tools we would start students on. It’s open source, so free, and reasonably easy to get using right away for basic network scans. I say nmap is relatively easy to get using, but take that with a grain a salt. As you can see in the screen capture below, by running nmap –help, we are presented with a wealth of option flags for our use.
Nmap – The Tool of Almost Endless Capabilities
By Evan Francen, President, FRSecure LLC & Information Security Evangelist CISSP, CISM, CCSK
Before we start out and dig in, you need to know that Nmap can be a very powerful tool in the hands of someone who knows how to use it AND has an intimate knowledge of how TCP/IP works. If you don’t know some of the TCP/IP basics like IP addressing, routing, ports, and the structure of a TCP packet, it would be good idea to brush up on these skills first. As you unlock your knowledge of TCP/IP, you’ll embrace the beauty of Nmap that much more.
NMAP – Hollywood’s Hacking Tool of Choice
By Jake Wylezek, Solutions/Systems Engineer at Hewlett-Packard
NMAP is a network scanner but not a security measure. The main aim of this software is to perform host and services discovery and network recognisance. The initial release written by Gordon Lyon also known as Fyodor Vaskovich (if you watch Defcon talks) was back in September of 1997. Fyodor keeps the NMAP project rolling which today gives us version 6.25 thanks to an active user community. If you are reading this article thinking that you don’t know what NMAP is and you have never seen it before there is a great possibility that you already have seen it and there is even greater possibility that people such as your parents have seen it too. The reason behind it being NMAP featured in many movie hits over the years including Matrix Reloaded, Dredd, Bourne Ultimatum (my personal favourite), Die Hard 4 and several more.
Nmap – The Swiss Army Knife of Network Discovery
By James Tan, BSc Psychology, ISO 27001, CISSP, CCSK, CISA, eCPPT, PMP
Nmap is a popular free and open source port scanner if you have not heard of it. It is mentioned frequently in Hakin9 and other online articles, and also featured as the hacker’s choice of tool in several movies. You can use Nmap to scan entire network with a simple line of command or just an individual host. To the casual observer, Nmap is just a network port scanner. However it is a powerful toolkit comprising of many useful utilities (commands and GUI).
Practical NMAP Scanning
By Joshua Cornutt, CompTIA A+ Certified Professional IT Technician
Network Mapper (Nmap) allows for the discovery of live computers/hosts on a network as well as detects running services and supported communication protocols. It’s one of the most essential tools for any systems/network administrator, IT security professional and/or hacker. This instructional will guide you through using Nmap to effectively scan a subnet for live hosts, determine the status of firewall ports, iterate through running services and identify vulnerabilities.
Advanced Approach
Nmap – The Multitool of Network Discovery
By Branden Paul, Network Administrator, Banking Company
Nmap (Network Mapper) is a free-ware utility for Network scanning and security auditing. It was designed for large networks, but works on single hosts as well. It runs on all major Operating Systems and in addition to the classic command-line Nmap executable, it also includes an advanced GUI and results viewer (Zenmap). Now that you have some background information, let’s jump right in!
Using NMAP for Outbound Traffic Analysis
By Sergio Castro, Managing Director, Qualys Latin America
You wouldn´t let your kids talk with strangers in the street, right? But if you are not analyzing the servers your users are connecting to, that´s exactly what you are doing. We all have our firewalls configured to prevent pretty much all inbound traffic (with a few exceptions), and we know what outbound traffic to allow: http, https, ssh, smtp, pop, etc. And you know that when a hacker manages to land a trojan or install a backdoor in your network, the command and control outbound traffic will be via http or https most of the time. Also, if one of your users falls for a phishing scam, his/her outbound traffic will obviously would be http. You should be doing outbound traffic analysis, but you can.
Refining Your Nmap Scan Strategy
By Tony Lee, Principal security consultant at FireEye
The answer we hear most often is option a. While this may work for small networks, it does not scale for larger networks or more thorough assessments. The astute reader will notice that options a, b, and c, operate identically. Option a provides the network range in CIDR notation and since -sS is the default scan type when no options are supplied–option b is identical to option a. Examining option c, reveals that it is the same as options a and b, except that the target is supplied using a network range instead of CIDR notation. The problem with options a, b, and c is that they will not thoroughly scan the remote class c network as they will only scan the top 1000 TCP ports. Option d is close to what we are looking for since it scans all of the TCP ports; however, it lacks efficiency since we will be scanning all ports on all hosts, including dead IP space.
MCSA
Peter Harmsen
A lot of tutorials deal with nmap scanning and OS fingerprinting especially from the attackers pointof view.I would like to enlighten a quick and dirty aproach to get an portscan detectorup and running to add to your defense in depth.In this tutorial we will install the portscan attack detector deamon.Or psad for short. PSAD is capable of automatically add iptables rules in order toblock all traffic to and from one or more portscanning ip-addresses.There are not that many hands-on websites dealing with psad for a specific linux distro.And the ones who exist miss some essential details to get things working.So i thought ,why not write a quick recepy that quickly gives you both
In Depth Guide To Digital Forensics
Forensic Nmap
By Antonio Ierano, Former Cisco European Security Evangelist & Senior Consultant
Writing an article about Digital Forensic is always a challenge, and the reason are multiple: the complexity of the argument, the level of technology involved, the forensic approach itself.
There are a lot of tools and areas where digital forensic can be applied, and thousands of tools that can be used. But a challenge is always a good thing because let us focus and make think clearer so when I’ve been proposed to write an article on Nmap and forensic I accepted.