Network Scanning with Nmap

Overview

Nmap is a powerful network scanning tool that lets you discover the hosts and resources available on a network. It can be very useful for finding what open doors exist on your network, including services, ports, operating systems, and other fingerprinting information. Be aware that scanning a network with nmap without prior permission can be considered a form of network attack at worst, or network trespassing at best.

You can download nmap for Linux, Windows or Mac at http://nmap.org/download.html. Though typically a Linux command-line tool, you can install nmap for Windows and run it from the command line, or from a graphical user interface by installing the Zenmap graphical front end. You can install Zenmap by running the Windows self-installer and accepting the installation defaults.

NMAP for Windows

If you are running a Windows desktop operating system and you are new to nmap, I recommend using nmap through the Zenmap graphical interface. When running nmap from the command line, the user has a large array of scanning options and parameters. Zenmap simplifies the use of nmap by limiting the options to a predefined set of pull-down choices.


The image below is taken from the download page of the http://nmap.org website.


Using NMAP and Zenmap

Using nmap with Zenmap is pretty simple. After launching the program, you input the target IP address, IP address range, or domain name that you want to scan, choose the scanning profile, and then run the scan. Each scanning profile is a predefined set of scanning options, so the different profiles produce differing results. The power of nmap comes from all of the scanning parameters and options that are available, and running nmap from the command line gives you complete access to all of them.

In the scan below, I input the target IP addresses 172.16.11.100-105, which scans hosts 100 to 105. For the scanning profile, I chose the "Intense scan, no ping" pull-down option. You can see the complete scan command, as it would be given from the command line, in the command input box.

    nmap -T4 -A -v -Pn 172.16.11.100-105

  • nmap is the command that launches the program.
  • The -T4 argument signifies faster execution (timing template 4).
  • The -A argument enables OS and version detection, script scanning, and traceroute.
  • The -v argument enables verbose output.
  • The -Pn argument bypasses host discovery and, for the purpose of the scan, treats all hosts as if they were online.

Nmap Scan Types

Looking at the nmap command-line options and parameters, there are four major nmap scan types:

  • TCP connect scan (-sT) – this scan performs a full TCP three-way handshake with the target computer. You can specify which ports to scan by also using -p and supplying the range of numbers you want to scan, like -p1-1023, which would scan ports one to one thousand twenty-four. This is a reliable scan for identifying open ports on a target host; however, it is also easily recognized by intrusion prevention systems if you are trying to scan anonymously.
  • SYN scan (-sS) – this scan is also called a stealth scan, in that it starts a three-way handshake but does not complete it. Though harder to detect, it is still detectable by current-day firewalls.
  • UDP scan (-sU) – this scan tests whether there are open UDP ports on a target computer. Since UDP is a connectionless protocol, this scan can only tell us that a port is blocked, by receiving an ICMP unreachable message, or that it is open, by receiving no message at all. You could get a false positive, because no response could also mean that the ICMP request or reply was blocked by a network firewall rather than by the target host.
  • ACK scan (-sA) – this scan simply tests whether a port is blocked (filtered) or not. The scan sends out ACK packets and waits to see whether there is no response (blocked) or a reset (RST) response, which signifies that the port is not blocked (nmap reports it as unfiltered; an ACK scan cannot tell open from closed).


 Scan a range of IP addresses

Examining the scan results of a single network host, from the host details tab

The scan results identified an open port at 3389 and a probable operating system type.
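The scan above can also write greppable output with -oG, which is easier to act on than a screenshot. The following parser is an added example (not part of this tutorial or of nmap itself) that reads constructed -oG output for the same 172.16.11.100-105 range, lists the ports each host has open, and flags any host exposing 3389, leaving UDP "open|filtered" results out for the reason given under UDP scan above.

```python
"""Parse nmap greppable (-oG) output and summarise open ports per host."""
import re
from collections import defaultdict

# Constructed sample of what `nmap -T4 -A -v -Pn -oG - 172.16.11.100-105`
# prints; these are not real scan results.
SAMPLE_OG = (
    "# Nmap 7.80 scan initiated as: nmap -T4 -A -v -Pn -oG - 172.16.11.100-105\n"
    "Host: 172.16.11.100 ()\tStatus: Up\n"
    "Host: 172.16.11.100 ()\tPorts: 135/open/tcp//msrpc///, "
    "445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///"
    "\tIgnored State: closed (997)\n"
    "Host: 172.16.11.101 ()\tStatus: Up\n"
    "Host: 172.16.11.101 ()\tPorts: 22/open/tcp//ssh//OpenSSH 5.3/, "
    "80/filtered/tcp//http///\tIgnored State: closed (998)\n"
    "Host: 172.16.11.102 ()\tStatus: Up\n"
    "Host: 172.16.11.102 ()\tPorts: 161/open|filtered/udp//snmp///\n"
    "# Nmap done -- 6 IP addresses (3 hosts up) scanned\n"
)

# One -oG port entry: port/state/proto/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/([\w|]+)/(tcp|udp)/[^/]*/([^/]*)/[^/]*/([^/]*)/")

def parse_greppable(text):
    """Return {host: [(port, state, proto, service, version), ...]}."""
    hosts = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")          # -oG separates fields with tabs
        host = fields[0].split()[1]
        for field in fields[1:]:
            if field.startswith("Ports:"):
                for m in PORT_RE.finditer(field):
                    port, state, proto, service, version = m.groups()
                    hosts[host].append((int(port), state, proto, service, version))
    return dict(hosts)

def open_ports(results, proto="tcp"):
    """Ports reported exactly 'open'. 'open|filtered' (a UDP probe with no
    reply) is left out: as noted above, silence on UDP is inconclusive."""
    return {h: sorted(p for p, s, pr, *_ in ports if s == "open" and pr == proto)
            for h, ports in results.items()}

def hosts_exposing(results, port, proto="tcp"):
    """Hosts with `port` open, e.g. 3389 means RDP is reachable from the scanner."""
    return sorted(h for h, ports in open_ports(results, proto).items() if port in ports)
```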

How to Set Up OpenVPN on an Endian Firewall


Overview

The ability to connect remotely to a network through a VPN tunnel is a valuable resource. Many networks, companies, and organizations have remote users who need access to the company network, often for database or server access, or possibly to manage network resources. A VPN tunnel provides security through authentication and encryption, and offers the user a lot of flexibility by placing their computer within the remote network.

Most firewall devices, like a Cisco ASA firewall or a SonicWall firewall, come with a VPN server and client built into the operating system. The Endian Firewall router uses the OpenVPN server and offers the user easy access to the OpenVPN client, which is freely downloadable from the openvpn.net website. The Endian Firewall (EFW) operating system is also freely downloadable from their website.

In the network pictured below, I installed EFW in a VirtualBox virtual machine with two virtual NICs. I am then able to place a Windows XP virtual machine behind the EFW firewall, simulating a multi-network environment. This is a good exercise because I can run tests and play with the entire virtual network from my Windows 7 laptop. In the video tutorials below, I configure and test OpenVPN services on an Endian firewall router using virtual machines.


Video Tutorials

Note: In the tutorial, I use the CA certificate file downloaded from the EFW OpenVPN server; make sure you check the file's extension. You can rename the file to add the ".pem" extension, which is the extension reflected in my configuration file's settings (see videos).

In part 1, I diagram the virtual network, its network connections and addressing.


In part 2, I configure the OpenVPN server on the EFW firewall.


In part 3, I configure the OpenVPN client and connect to the EFW OpenVPN server.


Cracking Hashes with Rainbow Tables and Ophcrack

You may have heard of dictionary password attacks or brute-force attacks, but recently a popular way of cracking a Windows password uses a rainbow table. This method was made popular by Philippe Oechslin, one of the creators of Ophcrack, a tool for cracking Windows passwords.

You can use Ophcrack in a few different ways. First, you can download the Ophcrack program and run it on your computer. Used this way, you will need to download the tables separately, save them to your hard drive, install them into the Ophcrack program, and then run the program, which compares the hashed password to the hashes in the rainbow table, searching for a match. Second, you can download an Ophcrack LiveCD .iso file, burn it as a bootable image, boot from the CD, and use it to search for a system's password by comparing hashes in a similar manner. In this method the CD loads the password hashes directly from the Windows SAM (Security Accounts Manager) file. This can be helpful for someone who has forgotten their password and needs to recover it. However, you do not want to use this method to attack another user's computer. You can download XP and Vista / Windows 7 versions of Ophcrack.

Ophcrack website: http://ophcrack.sourceforge.net/ (download)
About Ophcrack: http://en.wikipedia.org/wiki/Ophcrack

Hash functions: http://en.wikipedia.org/wiki/Hash_function  

Network Authentication Protocols (one aspect of these protocols is turning clear-text passwords into a hash)

  • Windows LM hash (LAN Manager) – a flawed implementation based on DES, which was particularly easy to crack: http://en.wikipedia.org/wiki/LM_hash
  • Windows NTLM (NT LAN Manager) – little to no improvement over the LM hash, partially due to backwards-compatibility issues that allow the LM hash to be kept along with the NTLM hash; http://en.wikipedia.org/wiki/NTLM
  • Windows NTLMv2 – an improvement that is still used in Windows Vista and Windows 7 in workgroup environments
  • Kerberos – an open-source MIT project; a secure network authentication protocol used in Windows domains and Active Directory; http://en.wikipedia.org/wiki/Kerberos_%28protocol%29
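To show what Ophcrack's tables actually do, here is a toy rainbow table as an added example (not from the tutorial or from Ophcrack): it uses truncated SHA-1 over four lowercase letters instead of LM or NTLM, with the alphabet and chain length chosen for speed. The same logic explains why a table built for one hash type cannot crack another: every chain is precomputed with that one hash function.

```python
"""Toy rainbow table: the time-memory trade-off behind Ophcrack's tables."""
import hashlib
import string

# Constructed toy setting: 4 lowercase letters hashed with truncated SHA-1,
# not LM/NTLM. The mechanics are the same; only the hash and space differ.
ALPHABET = string.ascii_lowercase
PW_LEN = 4
SPACE = len(ALPHABET) ** PW_LEN          # 456,976 possible passwords
CHAIN_LEN = 100                          # hashes recomputed per chain

def h(pw):
    return hashlib.sha1(pw.encode()).hexdigest()

def reduction(digest, step):
    """Map a digest back into the password space. A different reduction per
    column (`step`) is what makes it a *rainbow* table: chains that collide
    in different columns do not merge, so table coverage stays high."""
    n = (int(digest[:12], 16) + step) % SPACE
    chars = []
    for _ in range(PW_LEN):
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)

def build_table(starts):
    """Precompute chains; store only endpoint -> start (the 'memory' part)."""
    table = {}
    for start in starts:
        pw = start
        for step in range(CHAIN_LEN):
            pw = reduction(h(pw), step)
        table[pw] = start
    return table

def lookup(table, target):
    """Find a password whose hash is `target`, or None if no chain covers it.
    Assume the hash sits in column `col`, finish that chain, and if its end is
    in the table, regenerate the chain from its start to find the preimage."""
    for col in range(CHAIN_LEN - 1, -1, -1):
        pw = reduction(target, col)
        for step in range(col + 1, CHAIN_LEN):
            pw = reduction(h(pw), step)
        if pw in table:                  # chain end matches: possible hit
            pw = table[pw]
            for step in range(CHAIN_LEN):
                if h(pw) == target:
                    return pw
                pw = reduction(h(pw), step)
    return None                          # false alarm or password not covered
```

A lookup costs at most about CHAIN_LEN squared hash computations instead of one per candidate password, which is the trade the tables make; a salted hash defeats them because every salt would need its own table.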

Ophcrack step by step

  1. When I installed the program, I installed it to my Program Files folder, so consequently it was not able to automatically download any rainbow tables. No matter; you can download the tables and install them after installing the program. Go to the ophcrack.sourceforge.net website, click on Tables, and download the free tables, or just go there directly: http://ophcrack.sourceforge.net/tables.php. I downloaded the XP free small and the Vista free tables. Once you have downloaded the tables, you will need to unzip them into separate folders. I made a folder called "hash-tables" and then made two more folders within it, one for each table to unzip to.
  2. Run the program and click on the "Tables" button. Select the table you downloaded and click "Install", navigate to the folder where you unzipped the table, select it, and then click "OK". You should see green lights next to the tables you installed.
  3. You need to supply the program with a hash for it to try to crack. For testing purposes you can generate one on the web: go to http://objectif-securite.ch/en/products.php?, scroll to the bottom of the page, and submit a password using the web tool. The tool outputs a hash that you can copy to a text file or copy to the clipboard by selecting it and pressing Ctrl+C.
  4. On the website, I submitted the password "BlockMe" (with the capital letters) and got the hash output: 9d79790fa072b69baad3b435b51404ee:facbe3fa7932e0d024590e0633d28510
    In the Ophcrack program I clicked "Load" > "Single hash", pasted in the hash, clicked "OK", and then clicked "Crack" to start the process. It took a few minutes, but Ophcrack was able to crack the password from the hash with the "XP Small Free" table installed and loaded. I also installed the "Vista free" table, but that must have been a table that did not match the hash, because it was unable to crack the password. One thing I learned is that you need the right kind of table to crack the right kind of hash.
  5. I want you to play with the program, get it working, and test out 5 different passwords of increasing complexity. Can you find a website that will generate a Vista NTLMv2 hash?
  6. Post your experience and results using Ophcrack, in a comment at the bottom of this page.
    Note: You have to have a user account in order to login and post comments. You can create a user account on this site by going to the home page, or by clicking here.

Video Tutorial


Network Vulnerability Scanning

Overview

The ability to scan a network, domain, or individual host or server for vulnerabilities is a useful tool. It is also something that hackers use regularly as a form of reconnaissance prior to an attack.

Video Tutorials

In this video, I scan a local computer using the Nessus vulnerability scanner.

Create a Virtual Router Firewall with Endian UTM

Virtual Router/Firewall with Endian UTM – Overview

The Endian UTM firewall/router is a custom security distribution of Linux created by Endian.com. Endian releases a free community edition of its Endian UTM (unified threat management system) that can be deployed on a home network or in a small office. The community edition of Endian is also a great way to learn about network security.

Go to their website at Endian.com and download the .iso image file of the community edition. You can then install the Endian UTM community edition on home computer hardware; I recommend using a computer with two Ethernet network interfaces. Alternatively, you can install it in a virtual machine, which gives you a dedicated security device to practice with virtually.

Unified threat management systems, or advanced firewalls, have many security tools to play with. It is important to know how to configure port forwarding, static routing, NAT, VPN, web proxy filtering, DHCP and more. In this lab, you will use VirtualBox and Endian Firewall to create a virtual network firewall and router device that you can use to run network simulation tests.

Install Endian Firewall in Virtualbox – Video Tutorial

In this video I use VirtualBox to install Endian Firewall (EFW) in a virtual machine.

EFW initial installation configuration

Configure internal and bridged network interfaces for the virtual firewall

Configure DHCP services on the virtual router for virtual clients to connect to

Connect to a Remote Host using SSH and Private/Public Key Authentication

Using Linux

In the first three videos, I install and configure an SSH server in Ubuntu (Linux). I also have a Windows 7 computer running VirtualBox with another Ubuntu Linux operating system that I use as a client. I configure the SSH server to authenticate remote users with a private key plus passphrase, as opposed to normal SSH username and password authentication. I then demonstrate connecting to the SSH server from another Linux SSH client and from a Windows SSH client using the program Tera Term.

For this assignment, I recommend installing VirtualBox for Windows and then installing Ubuntu in VirtualBox. I have tutorials on installing VirtualBox and on installing Ubuntu; look in the Linux Fundamentals class. See the first three videos below.
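The sshd_config changes made in the videos can be checked with a script. The following is an added example (not from the tutorial) that audits a config text for key-only authentication, applying sshd's rule that the first value given for a keyword wins and that directives after a Match block are conditional; the sample config and the required-values list are constructed assumptions.

```python
"""Audit an OpenSSH sshd_config for key-only logins (added example)."""
import re

# keyword -> (value key-only login requires, sshd default when absent).
# Requirements are an assumed baseline; defaults follow sshd_config(5).
POLICY = {
    "pubkeyauthentication": ("yes", "yes"),
    "passwordauthentication": ("no", "yes"),
    "challengeresponseauthentication": ("no", "yes"),
    "permitemptypasswords": ("no", "no"),
}

def effective_settings(text):
    """Global settings as sshd applies them: the FIRST value of a keyword
    wins (later duplicates are ignored) and scanning stops at a Match block."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # blank or comment line
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        key = parts[0].lower()                    # keywords are case-insensitive
        if key == "match":
            break
        if len(parts) == 2 and key not in settings:
            settings[key] = parts[1].strip().lower()
    return settings

def audit(text):
    """Return [(keyword, effective_value, required_value)] for each mismatch."""
    settings = effective_settings(text)
    findings = []
    for key, (want, default) in POLICY.items():
        have = settings.get(key, default)
        if have != want:
            findings.append((key, have, want))
    return findings

# Constructed sample: the admin appended "PasswordAuthentication no" at the
# end, but an earlier line already set it to yes, so sshd keeps "yes".
SAMPLE_CONFIG = """\
Port 22
PasswordAuthentication yes
PubkeyAuthentication yes
# added later:
PasswordAuthentication no
Match User backup
    PasswordAuthentication no
"""
```

Run `audit()` over the server's real file after editing it, and remember that a restart of sshd is still needed for the file to take effect.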

Using Windows

In the last two videos, I found a Windows SSH solution that doesn't require Windows Server 2008. You can install the freeSSHd SSH server for Windows and then use PuTTY or Tera Term as an SSH client. For authenticating with a public/private key pair, you can create keys using PuTTYgen. Watch the 4th and 5th videos below for a full tutorial demonstration. To do the lab you will need:
  1. freeSSHd: http://www.freesshd.com
  2. PuTTY and PuTTYgen: http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
  3. Tera Term, which can be used as a client also: http://logmett.com/index.php?/products/teraterm.html

Video Tutorials

Key pair SSH authentication in Ubuntu – Part 1

Key pair SSH authentication in Ubuntu – Part 2

Key pair SSH authentication using Tera Term

Key pair SSH authentication in Windows using freeSSHd, PuTTY and PuTTYgen – Part 1

Key pair SSH authentication in Windows using freeSSHd, PuTTY and PuTTYgen – Part 2

Cryptography

Cryptography Overview

This week we will discuss cryptography. We will cover hashing and symmetric and asymmetric encryption.

Here are links to the resources. You should visit these sites, bookmark the links and download the tools:

Use CrypTool to Encrypt and Decrypt messages

1) Download CrypTool from the web. You can find it here: http://www.cryptool.org/en/ct1-download-en. (You can see a demonstration of this tool in LabSim 2.3.)
2) Download this file, decrypt it and reveal the hidden message: Cry-RC4-message.zip

Tip: You will have to figure out the correct settings for the analysis to work.
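As an added example (not part of the exercise or of CrypTool), the following implements RC4, the cipher the message above was encrypted with, and shows what an RC4 analysis with a tiny key amounts to: trying every key and keeping the decryption that reads as text. The message and its one-byte key are constructed here; the exercise's real key is not known.

```python
"""RC4 (key scheduling + keystream generation) and a short-key search."""
import itertools
import string

def rc4(key, data):
    """Encrypt or decrypt: RC4 XORs data with a keystream, so one function does both."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm (KSA)
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation (PRGA)
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

PRINTABLE = set(string.printable.encode())

def looks_like_text(data):
    """Plaintext heuristic like CrypTool's analysis: every byte printable ASCII."""
    return all(b in PRINTABLE for b in data)

def search_short_key(ciphertext, max_len=2):
    """Try every key of 1..max_len bytes and return (key, plaintext) for the
    first decryption that reads as text. This only works because the key is
    tiny: 2 bytes is 65,536 trials, while a 16-byte key is out of reach."""
    for n in range(1, max_len + 1):
        for key in itertools.product(range(256), repeat=n):
            pt = rc4(bytes(key), ciphertext)
            if looks_like_text(pt):
                return bytes(key), pt
    return None

# Constructed sample: the exercise's message is unknown, so we encrypt our own
# with a deliberately weak one-byte key.
SECRET_KEY = b"\x2a"
MESSAGE = b"The hidden message is: short RC4 keys fall to analysis"
SAMPLE_CT = rc4(SECRET_KEY, MESSAGE)
```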

Extra Credit: The first one who decrypts this message and posts the message in a comment at the bottom of this page gets extra credit: Encrypted-extra-credit.zip