Network Scanning with Nmap

Overview

Nmap is a powerful network scanning tool which allows you to discover available hosts and resources. Nmap can be very useful for discovering what open doors exist on your network, including services, ports, operating systems, and other fingerprinting information. You should be aware that scanning a network with nmap, without prior permission, can be considered a form of network attack at worst, or network trespassing at best.

You can download nmap for Linux, Windows or Mac at http://nmap.org/download.html. Though typically a Linux command-line tool, you can install nmap on Windows and run it from the command line or from a graphical user interface by installing the Zenmap front end. You can install Zenmap by running the Windows self-installer and accepting the installation defaults.

NMAP for Windows

If you are running a Windows desktop operating system and you are new to nmap, I recommend using nmap through the Zenmap graphical interface. When running nmap from the command line, the user has a large array of scanning options and parameters. Zenmap simplifies the use of nmap by limiting the options to a predefined set of pull-down choices.

The image below is taken from the download page of the http://nmap.org website

Using NMAP and Zenmap

Using nmap with Zenmap is pretty simple. After launching the program, you input the target IP address, IP address range, or domain name that you want to scan; next you choose a scanning profile; then you run the scan. Each scanning profile is a predefined set of scanning options, so different profiles produce different results. The power of nmap comes from the full set of scanning parameters and options that are available, and running nmap from the command line gives you complete access to all of them.

In the scan below, I input the target IP address range 172.16.11.100-105, which will scan hosts 100 to 105. For the scanning profile, I chose the "Intense scan, no ping" pull-down option. You can see the complete scan command, as if it were given from the command line, in the command input box.

    nmap -T4 -A -v -Pn 172.16.11.100-105

  • nmap is the command which launches the program.
  • The -T4 argument selects a faster timing template.
  • The -A argument enables OS and version detection, script scanning, and traceroute.
  • The -v argument enables verbose output.
  • The -Pn argument skips host discovery and, for the purpose of the scan, treats all hosts as if they were online.

Nmap Scan Types

Looking at nmap's command-line options and parameters, there are four major nmap scan types:

  • TCP connect scan (-sT) – this scan performs a full TCP three-way handshake with the target computer. You can specify which ports you want to scan by also using -p and supplying a range, like -p1-1023, which would scan ports 1 through 1023. This is a reliable scan for identifying open ports on a target host; however, it is also easily recognized by intrusion prevention systems if you are trying to scan anonymously.
  • SYN scan (-sS) – this scan is also called a stealth scan, in that it starts a three-way handshake but does not complete it. Though harder to detect, it is detectable by current-day firewalls.
  • UDP scan (-sU) – this scan tests whether there are open UDP ports on a target computer. Since UDP is a connectionless protocol, this scan can only tell us that a port is blocked when an ICMP unreachable message comes back, or that it is open when no message comes back. You could get a false positive, because no response could also mean that the UDP probe or the ICMP reply was blocked by a network firewall rather than by the target host.
  • ACK scan (-sA) – this scan simply tests whether a port is blocked (filtered) or not. The scan sends out ACK packets and waits to see whether there is no response (blocked) or a reset (RST) response, which would signify an open port.

Scan a range of IP addresses

Examining the scan results of a single network host, from the Host Details tab

The scan results have identified an open port at 3389 and a probable operating system type
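A practitioner usually wants the scan results in a form that can be filtered and compared over time rather than read off the Zenmap tabs. The script below is an added example, not part of the original post and not an nmap tool: it parses the XML that nmap writes when you add -oX <file> to a command like the one above, and reports which hosts have confirmed-open ports and an OS guess. The XML sample is constructed to look like output for the 172.16.11.100-105 scan; its hosts, ports and OS match are invented, and the watch-list of ports is an assumption for the sake of the example.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Set, Tuple

# Constructed sample of nmap's XML output (the -oX option) for a scan like the one
# in the post. The hosts, ports and OS guess are invented, not real scan results.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -T4 -A -v -Pn -oX scan.xml 172.16.11.100-105">
  <host>
    <status state="up" reason="user-set"/>
    <address addr="172.16.11.100" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="3389">
        <state state="open" reason="syn-ack"/>
        <service name="ms-wbt-server" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="445">
        <state state="filtered" reason="no-response"/>
        <service name="microsoft-ds" method="table" conf="3"/>
      </port>
    </ports>
    <os><osmatch name="Microsoft Windows 7 SP1" accuracy="93"/></os>
  </host>
  <host>
    <status state="up" reason="user-set"/>
    <address addr="172.16.11.101" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" method="probed" conf="10"/>
      </port>
      <port protocol="udp" portid="161">
        <state state="open|filtered" reason="no-response"/>
        <service name="snmp" method="table" conf="3"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text: str) -> List[Dict]:
    """Flatten nmap XML into one dict per host: address, status, ports, best OS match."""
    root = ET.fromstring(xml_text)
    hosts = []
    for h in root.findall("host"):
        addr_el = h.find("address[@addrtype='ipv4']")
        status_el = h.find("status")
        ports = []
        for p in h.findall("ports/port"):
            state_el = p.find("state")
            svc_el = p.find("service")
            ports.append({
                "proto": p.get("protocol"),
                "port": int(p.get("portid")),
                "state": state_el.get("state") if state_el is not None else "unknown",
                "reason": state_el.get("reason") if state_el is not None else None,
                "service": svc_el.get("name") if svc_el is not None else None,
            })
        # nmap lists OS guesses best-first, so the first osmatch is the top candidate
        osmatch = h.find("os/osmatch")
        hosts.append({
            "addr": addr_el.get("addr") if addr_el is not None else None,
            "status": status_el.get("state") if status_el is not None else None,
            "ports": ports,
            "os": osmatch.get("name") if osmatch is not None else None,
            "os_accuracy": int(osmatch.get("accuracy")) if osmatch is not None else None,
        })
    return hosts


def open_ports(hosts: List[Dict]) -> List[Tuple[str, str, int]]:
    """Only ports nmap confirmed open; 'open|filtered' (typical for UDP) is ambiguous and excluded."""
    return [(h["addr"], p["proto"], p["port"])
            for h in hosts for p in h["ports"] if p["state"] == "open"]


def exposed_hosts(hosts: List[Dict], watch_ports: Set[int]) -> List[str]:
    """Defender view: hosts that answer on ports you did not expect to be reachable."""
    return sorted({h["addr"] for h in hosts for p in h["ports"]
                   if p["state"] == "open" and p["port"] in watch_ports})


if __name__ == "__main__":
    parsed = parse_nmap_xml(SAMPLE_XML)
    for h in parsed:
        print(h["addr"], h["status"], h["os"], h["os_accuracy"])
        for p in h["ports"]:
            print(f"  {p['port']}/{p['proto']} {p['state']} ({p['reason']}) {p['service']}")
    print("confirmed open:", open_ports(parsed))
    print("exposed on 3389/445:", exposed_hosts(parsed, {3389, 445}))
```

nmap reports a port as open, closed, filtered, unfiltered, or a combination such as open|filtered when it cannot tell the two apart, which is the UDP ambiguity described in the scan-type list above. The reason attribute (syn-ack, no-response, user-set and so on) records why nmap reached that verdict, which is worth keeping when you compare two scans of the same range.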

Week 7

Overview

This week we will analyze a hacked website and locate where the intruder has placed malicious code or malicious files. We will discuss how to locate and dissect the problem, how to clean the website, and we will inspect the attack to learn more about how it functions.

How to Dissect a Website Attack -page 3

(Cont.)

I found that a malicious .php file had been uploaded to my website, containing what appears to be an exploit. If we examine the long string of text, you can see that the beginning of the string is in hexadecimal format. Hexadecimal escapes can represent ASCII text characters, so this is probably a way of obfuscating a suspicious command. To discover the hidden command you can manually compare the hex characters against an ASCII character chart, or copy and paste the hex characters into a quick script to see whether a scripting language will interpret the hex codes for you. In the images below, I first copy the leading hex characters from the malicious line of code and then paste them after a print command in the Python interactive interpreter. After hitting the enter key you can see that Python interprets the hex codes as text.


The Base16 Hex code at the beginning of the file is obfuscating a hidden text command

A print command in Python is used to reveal the obfuscated string of Hex codes

You can see from the output above that the leading string of hex characters is actually the front half of an eval() call that wraps nested commands: first decode some Base64, then decompress the result, because it is probably a gzip-compressed payload, and finally execute it by passing it to eval(). The obfuscated hex code is therefore trying to execute whatever is hidden in the Base64. If we write a Python script that prints the leading hex code, decodes and prints the Base64, and then prints the trailing hex code, we can see the program behind this long string of encoded characters.

In the malicious PHP file, the long string of characters in the ‘preg_replace’ function has hex at the beginning and at the end (not pictured) and a long string of Base64 encoding in the middle

Here is an image of the Python script, quickly put together by Steve in the class, that decodes the Base64, decompresses the result, and then runs the evaluate() function which executes the malicious string from the .php file:

The beginning and ending of the Python script which decodes the “preg_replace” string of hex and Base64 codes from the malicious .php file

We can run this script from the command line to print the hidden malicious script to the screen. You can see on line 1 below that I call the script with the python command followed by the script file name, piped to more to see the output one screen at a time. You can see that Python has successfully decoded the hex and the Base64 and returned the hidden program that was in the .php file. Notice that the hex code has been translated on line 2 and you can see the eval() function:

Python decode scripts

One of the more interesting parts of this malicious program is near the bottom of the script, where you can see an additional Base64-encoded exploit that the script is going to decode. From the text in the script (see highlighted) we can gather that the embedded exploit is a backdoor to the web host written in Perl. Notice the text “Bind port to /bin/sh”, which is the Bash shell on the Linux web server. Notice that the backdoor is a “bind port” to port “31337”. Many people will already know that the port number 31337 was not chosen randomly; it is a substitution cipher, or leetspeak, for the word “elite.” This lets us know that the programmer considers himself or herself an elite hacker (see image below).

If you decode the highlighted Base64-encoded characters in the image above, you can see that it is indeed a Perl script and that it is creating a bind shell on a provided socket address (IP address and port number), probably for another computer that the hacker controls. The first image below is the Python script that decodes the Perl script. The second image is the Python script run in the Windows command prompt.
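Rather than running the decoded stages through eval() the way the class script did, a defender wants a decoder that only peels the layers and prints them. The script below is an added example, not Steve's script and not the malware from the post: it reverses the structure described above (a hex-escaped eval(gzinflate(base64_decode('...'))) wrapper around a compressed Base64 blob, with a further base64_decode() stage inside it) using Python's zlib, and it also handles the zlib and gzip variants of PHP's gz*() functions. The payload it decodes is constructed inside the script from harmless placeholder strings; nothing from the real file is reproduced.

```python
import base64
import re
import zlib
from typing import List, Optional

# --- constructed sample payload (NOT the malware from the post) -------------------
# Built the same way the post describes the real string: a hex-escaped PHP prefix,
# a Base64 blob of raw-DEFLATE-compressed PHP, and a hex-escaped suffix. The inner
# "Perl" stage is a harmless placeholder, and the PHP stage only embeds it.
PERL_STAGE = b"#!/usr/bin/perl\nprint 'constructed placeholder, not a real backdoor';\n"
PHP_STAGE = (b"<?php $bd = base64_decode('" + base64.b64encode(PERL_STAGE)
             + b"'); echo 'stage two'; ?>")


def php_hex_escape(raw: bytes) -> str:
    """Render bytes as the \\xNN escapes PHP accepts inside double-quoted strings."""
    return "".join(f"\\x{b:02x}" for b in raw)


def build_sample() -> str:
    comp = zlib.compressobj(wbits=-15)           # raw DEFLATE, which PHP's gzinflate() undoes
    deflated = comp.compress(PHP_STAGE) + comp.flush()
    blob = base64.b64encode(deflated).decode("ascii")
    return (php_hex_escape(b"eval(gzinflate(base64_decode('") + blob
            + php_hex_escape(b"')))"))


SAMPLE = build_sample()

# --- decoder ---------------------------------------------------------------------
HEX_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{2})")
B64_ARG = re.compile(r"base64_decode\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
TEXT_BYTES = set(b"\t\n\r") | set(range(0x20, 0x7F))


def unescape_php_hex(s: str) -> str:
    """Replace \\xNN escapes with the characters they encode (what the post's print did)."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), s)


def looks_like_text(data: bytes) -> bool:
    return bool(data) and all(b in TEXT_BYTES for b in data)


def inflate(data: bytes) -> Optional[bytes]:
    """Undo the PHP gz*() family: gzdecode (gzip), gzuncompress (zlib), gzinflate (raw)."""
    for wbits in (31, 15, -15):
        try:
            return zlib.decompress(data, wbits)
        except zlib.error:
            continue
    return None


def unwrap(payload: str, max_layers: int = 5) -> List[str]:
    """Peel hex -> Base64 -> compression repeatedly. Returns every layer; never eval()s any."""
    layers: List[str] = []
    text: Optional[str] = unescape_php_hex(payload)
    while text is not None and len(layers) < max_layers:
        layers.append(text)
        m = B64_ARG.search(text)
        if not m:
            break
        raw = base64.b64decode(m.group(1))
        # A Base64 stage that is already readable text (like the Perl stage) needs no inflate.
        nxt = raw if looks_like_text(raw) else inflate(raw)
        text = None if nxt is None else unescape_php_hex(nxt.decode("latin-1"))
    return layers


if __name__ == "__main__":
    for i, layer in enumerate(unwrap(SAMPLE)):
        print(f"--- layer {i} ---")
        print(layer[:200])
```

On a real sample you would paste the preg_replace() string into SAMPLE in place of build_sample(); layer 0 is the unescaped wrapper (the eval() call the post's print revealed), layer 1 the decompressed PHP, and layer 2 the embedded Perl. Stopping at a fixed number of layers and never executing anything is the point of the design.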


*Note: Many thanks to Steven B who helped me with this class and project


Learn Website Vulnerability Testing with Mutillidae

Mutillidae Overview

There are many open source projects on the web aimed at teaching website security and the common vulnerabilities that hackers use. OWASP, the Open Web Application Security Project, is a group that has organized over one hundred web security projects. The group is a non-profit organization committed to free, open source web projects. OWASP has helped advance many great projects and tools for learning about website vulnerabilities and web attacks. One useful project is the OWASP Top Ten, a research project and website that identifies the top ten web application security risks; the OWASP Top Ten was released for 2010 and 2007. Two more great web security learning tools that are OWASP projects are Mutillidae and ZAP.

Mutillidae

Mutillidae is an open source vulnerable web application (i.e. a deliberately vulnerable web site) that you can download and install in a testing environment. You will need to set up an AMP stack (Apache, MySQL, PHP) on your server in order to run Mutillidae, and it can be run on Linux, Windows, or OS X. You can find more information about Mutillidae at: http://www.irongeek.com/i.php?page=mutillidae/mutillidae-deliberately-vulnerable-php-owasp-top-10

ZAP (Zed Attack Proxy)

ZAP is an attack proxy that works as both a sniffer and a mangler, in that it captures the traffic passing between your computer and the website you are attacking or scanning. ZAP allows you to run scans, scripts, and attacks against a targeted domain or website. ZAP is a testing tool useful for penetration testing and for testing your own website’s security and vulnerability level. Do not run this tool against a live domain or website without prior permission; it will be seen as a live attack.

Tips:
•  In Mutillidae: Toggle hints to “Noob” to get great learning information and hints
•  In Firefox, disable the “NoScript” setting
•  In BackTrack ZAP is already installed
•  For ZAP to work correctly you need to configure it as your web proxy in Firefox
•  FoxyProxy is a proxy switcher which is installed as a Firefox plugin. It helps control which domains you want to have proxied and which you don’t.
•  packetstormsecurity.org is a great website for security information and resources

How to Dissect a Website Attack -page 2

(Cont.)

Having discovered that my website had an infected .htaccess file, I replaced it with a clean .htaccess file and felt I was safe to focus on updating my version of Joomla as well as all add-on web applications. Unfortunately, I soon discovered that the infected .htaccess file was all of a sudden back, and not only that, all of my websites on my web hosting account also had infected .htaccess files. Ouch!

Quickly, I was brought back to reality. My belief that I had removed the website infection was just wishful thinking. It was now time to ask ‘the oracle’ for help, so I decided to do some Google searches using a few of the key words found in the infected file, like “.htaccessfile infected with mod_rewrite.c,” and “.htaccessfile infected with phonesthouguploader.” The Google searches revealed a couple of entries on the Joomla forum that were posted by people experiencing the same problem. I also discovered a helpful Joomla wiki page with a security checklist for the event of a hacked Joomla website. Once again a technology forum came to the rescue. In this situation, the forum posts gave me the idea to look for specific files and file types, and the directories the malicious files might be hiding in. The forum suggested that I needed to look for a hidden “.php” file (in Linux, hidden files start with a ‘.’) in my web host’s root ‘tmp’ folder or the Joomla website’s ‘images’ folder.

The Malicious PHP File

In the website’s Joomla ‘images’ directory, two interesting files were found: a text file and a hidden PHP file:

  • images/stories/error_log
  • images/banners/.cache_m66q99.php

The error_log text file was noticed by a student (Eddie), and the .cache_m66q99.php file, which I believe is the culprit, was found by me. The error_log file points to the PHP file, as you can see below, and also alerts us to the possibility of another malicious file, story.php, a known malicious script which was not found.

The images/stories/error_log text file

Here are screenshots showing portions of the malicious .cache_m66q99.php file. Besides the name of the file looking very suspicious, the top of the file seemed normal enough (see below). However, most PHP files in a Joomla website have the following two lines of code near the top of the file, just below the comments:

    // no direct access
    defined( '_JEXEC' ) or die( 'Restricted access' );

The two lines above ensure that the file cannot be executed directly. These lines will probably be missing from a malicious script uploaded to your web host. Notice that the defined( '_JEXEC' ) or die( 'Restricted access' ); line is missing from the top portion of the file below (see lines 14 and 15).

The top portion of the .cache_m66q99.php file, with the line missing between lines 14 and 15

A few lines down, on line  I found a preg_replace() function call, which, though a normal function, can sometimes be used for malicious purposes (see image below). On a side note, searching online I found a script that you can download, configure with a few settings, and then upload and run on your web server. The script examines the contents of all files in a directory of your choice and outputs a report alerting you to which files contain possibly malicious code (http://25yearsofprogramming.com/php/findmaliciouscode.htm).

Suspicious preg_replace function

When I scrolled to the bottom of the PHP file I noticed one long line of code that clearly was not normal, looking instead like an embedded exploit (see image below).

At the bottom of the file there is a long line of obfuscated code, in a preg_replace function, indicative of an embedded exploit

Here is the bottom portion of the exploit

Now that we know there is an exploit in the file we can learn more about what it is doing.
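The indicators this page walks through (a hidden .php file under images/ or tmp/, no _JEXEC guard, and a preg_replace() or eval() call fed a long hex or Base64 blob) can be checked mechanically, which is roughly what the findmaliciouscode script linked above does. The script below is an added example, not that script and not part of the post: it builds a small constructed Joomla-like tree in a temporary folder (one normal component file with the guard, one suspicious hidden file whose blob is harmless filler) and reports which files trip which heuristics. The directory names and thresholds are assumptions chosen for the example.

```python
import os
import re
import tempfile
from typing import Dict, List

# Heuristics taken from the post: hidden .php names, PHP under images/ or tmp/,
# a missing _JEXEC guard, and a long hex/Base64 blob fed to eval()/preg_replace().
JEXEC_GUARD = re.compile(r"defined\(\s*['\"]_JEXEC['\"]\s*\)\s*or\s*die")
LONG_BLOB = re.compile(r"(?:\\x[0-9A-Fa-f]{2}){8,}|[A-Za-z0-9+/]{80,}={0,2}")
DANGEROUS_CALL = re.compile(r"\b(eval|preg_replace|base64_decode|gzinflate)\s*\(")
UPLOAD_DIRS = ("images/", "tmp/")      # assumption: directories that should hold no PHP


def scan_php_file(path: str, webroot: str) -> List[str]:
    """Return the list of indicators that fire for one PHP file (empty means clean)."""
    findings: List[str] = []
    rel = os.path.relpath(path, webroot).replace(os.sep, "/")
    if os.path.basename(path).startswith("."):
        findings.append("hidden PHP file name")
    if rel.startswith(UPLOAD_DIRS):
        findings.append("PHP file inside a content/upload directory")
    with open(path, "r", encoding="latin-1") as f:
        src = f.read()
    if not JEXEC_GUARD.search(src):
        findings.append("no _JEXEC direct-access guard")
    for lineno, line in enumerate(src.splitlines(), 1):
        call = DANGEROUS_CALL.search(line)
        if call and LONG_BLOB.search(line):
            findings.append(f"line {lineno}: encoded blob passed to {call.group(1)}()")
    return findings


def scan_tree(webroot: str) -> Dict[str, List[str]]:
    """Walk a web root and map each suspicious PHP file (relative path) to its findings."""
    report: Dict[str, List[str]] = {}
    for dirpath, _, files in os.walk(webroot):
        for fn in files:
            if fn.lower().endswith(".php"):
                full = os.path.join(dirpath, fn)
                findings = scan_php_file(full, webroot)
                if findings:
                    report[os.path.relpath(full, webroot).replace(os.sep, "/")] = findings
    return report


def build_sample_site() -> str:
    """Constructed Joomla-like tree: one normal component file and one suspicious hidden file."""
    root = tempfile.mkdtemp(prefix="joomla_sample_")
    os.makedirs(os.path.join(root, "components", "com_content"))
    os.makedirs(os.path.join(root, "images", "banners"))
    with open(os.path.join(root, "components", "com_content", "content.php"), "w") as f:
        f.write("<?php\n/**\n * @package Joomla\n */\n\n// no direct access\n"
                "defined('_JEXEC') or die('Restricted access');\n\n"
                "$x = preg_replace('/\\s+/', ' ', $input);\n")   # legitimate preg_replace use
    blob = "QUJD" * 30        # constructed Base64-looking filler, not a real payload
    with open(os.path.join(root, "images", "banners", ".cache_sample.php"), "w") as f:
        f.write("<?php\n/**\n * @package Joomla\n */\n\n"
                "preg_replace(\"/.*/\", \"\\x65\\x76\\x61\\x6c(base64_decode('" + blob + "'))\", '');\n")
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for rel, findings in scan_tree(site).items():
        print(rel)
        for item in findings:
            print("   -", item)
```

Run against a real Joomla root, the output is a shortlist to inspect by hand, not a verdict: a legitimate library file can lack the guard, and a template can legitimately carry a long Base64 image. The file-name and location checks are the cheap ones; the blob check is what would have flagged the long preg_replace() line in the screenshot above.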
