Rich Rines

Entrepreneur | Brogrammer | Biz Dev Ninja |
Boston College | Applied Power Innovations

Oct 1

Ultimate Nmap Scan

I have been doing lots of InfoSec research recently and have been learning quite a bit about nmap. (Nmap is an open-source security scanner used heavily by the pentesting community. It handles several kinds of enumeration, including host discovery, OS and version detection and port scanning, and it has its own scripting engine that lets you extend it as you see fit.) After reading what I can only describe as the nmap bible (much of the explanation given for the individual flags below is based on that book) and talking to some professionals, I have a very robust nmap recipe for port scanning.

sudo nmap --spoof-mac Cisco --data-length 9 \
  -f -D 172.168.200.200,RND:5,ME -v -n -O -sS -sV \
  -oA /home/rich/metasploit/172.168.1.1 --log-errors \
  --append-output -p T:1-1024,1433,2222,2249,7778,8080,9999 \
  --randomize-hosts 192.178.1.1 172.168.1.2

Important: always run nmap as root. A SYN scan (-sS), OS detection (-O), MAC spoofing, fragmentation and decoys all craft raw packets, and sending raw packets on a Unix system needs root (or the CAP_NET_RAW capability). Without it, an explicit -sS fails outright ("requires root privileges"), and if you leave the scan type off nmap defaults to a full TCP connect scan (-sT), which completes the three-way handshake and is much easier for the target to log. Also, port scanning is generally legal in the US; however, several of these techniques would be considered intrusive (nearly all of the "aggressive mode" features), so as with all pentesting-related things, don't be stupid and only scan what you have permission to scan.

Now for a flag-by-flag breakdown:

--spoof-mac Cisco: Spoofs your MAC address. Other valid arguments are a complete MAC address, 0 for a completely random MAC, a vendor's OUI prefix, or another vendor name (nmap picks a random address with that vendor's prefix). Keep in mind that the source MAC only survives on the local Ethernet segment; once the packet crosses a router, the target sees the router's MAC, so this matters for targets on your own LAN.

--data-length 9: Appends 9 random bytes to most of the packets it sends, so the probes don't carry the empty-payload signature of default nmap packets.

-f: Fragment packets. Splits the TCP header over several tiny IP fragments (8 bytes of data each; -ff uses 16) so that packet filters and IDSes that don't reassemble fragments miss the probe. Two caveats: many modern firewalls either reassemble or simply drop fragments, and some sending hosts defragment outgoing packets in the kernel (Linux with the iptables connection-tracking module is one), in which case the fragments never leave your box.

-D 172.168.200.200,RND:5,ME: Runs decoy scans simultaneously with your actual scan, so the target sees probes from the listed address, 5 random addresses (RND:5) and you (ME) all at once. This helps IDS evasion and buries your real address among far more traffic in the system logs; with ME in the seventh position, as here, some port-scan detectors won't report your address at all. Decoys are used for the ping scan, the port scan and OS detection, but not for version detection or a connect scan, so the -sV probes in this recipe still come from your real address. Pick decoys that are actually up, otherwise you may end up SYN-flooding the target.

-v: Increases the verbosity of the output (open ports are printed as they are found, for example); -v -v or -vv raises it another level.

-n: No DNS resolution. Skips the reverse lookups of the targets, which speeds the scan up and avoids announcing your interest to the DNS servers in the path.

-O: Enables OS detection by fingerprinting the target's TCP/IP stack. It is less aggressive than -A, which bundles the same OS detection with version detection, NSE script scanning and traceroute, and for OS fingerprinting alone it is just as good.

-sS: Stealth TCP SYN scan, the most popular scan option. It is both quick and unobtrusive because it never completes any TCP connections: nmap sends a SYN, classifies the port from the reply (SYN/ACK means open, RST means closed, silence or an ICMP unreachable means filtered) and tears the half-open connection down with a RST. The application on the target never sees a connection, although a modern IDS will still log the SYNs. Requires root.

-sV: Enables version detection. After the port scan, nmap talks to each open port to identify the service, product and version, which is what the rest of a pentest (exploit selection, Metasploit module choice) keys on. This is the loudest part of the recipe and, as noted under -D, is not covered by decoys.

-oA /home/rich/metasploit/172.168.1.1: Output to all formats, using that path as the basename: 172.168.1.1.nmap (normal), 172.168.1.1.gnmap (greppable) and 172.168.1.1.xml (XML) in /home/rich/metasploit. The XML file is the one you feed to other tools (Metasploit's db_import, for example).

--log-errors: Writes errors and warnings to the normal-format output file as well as the terminal, so the saved scan records anything that went wrong (newer nmap versions do this by default).

--append-output: Appends to the output files instead of overwriting them. If you prefer to keep the results for a target in a single file that grows with each scan, this option is perfect; if you would like fresh files for whatever reason, leave it out. Be aware that an appended XML file has two root elements and will not parse until you split it by hand, so skip this flag when you plan to process the .xml.

-p T:1-1024,1433,2222,2249,7778,8080,9999: Specifies which TCP ports to scan. The ports in this list are generally the ones that provide the most valuable information. If you don't want to pick them yourself, --top-ports N (N of 1 or greater) scans the N ports most frequently found open according to the frequency data in nmap's services file. To add UDP ports, prefix them with U: (for example -p U:53,161,T:1-1024) and add -sU to the scan types, since nmap only scans the UDP list when a UDP scan type is requested.

--randomize-hosts 192.178.1.1 172.168.1.2: Randomizes the order in which the targets are scanned (in groups of up to 16384 hosts), so a sweep across a subnet is less obvious to network monitors. The two addresses at the end are the targets themselves.

Optional:

--traceroute: Traces the path to each host hop by hop. It runs after the scan, reusing the probe type that got through, so it adds little traffic.

-A: Aggressive mode, shorthand for -O -sV -sC --traceroute (OS detection, version detection, the default NSE script set and traceroute). It keeps the list of flags one needs to know shorter, but the script scan in particular is intrusive and noisy.

-T paranoid|sneaky|polite|normal|aggressive|insane (or -T0 through -T5): Timing templates that trade speed for stealth. paranoid and sneaky serialize the probes with long waits between them for IDS evasion, polite slows down to use less bandwidth, normal is the default, and aggressive and insane assume a fast, reliable network and a target you don't mind hammering.

-Pn (spelled -PN in older versions): No ping. Skips host discovery and treats every target as up, so hosts that don't answer the ping probes (because ICMP or the default probes are filtered) still get port scanned. The cost is time spent scanning addresses that really are dead.
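Once the recipe has written its -oA files, the .xml is the one worth automating against. The following is an added example, not code from the original post: it parses the XML structure nmap emits (host status, addresses with the MAC vendor, open ports with the -sV banner, the best -O match) and diffs two runs to surface ports that opened or closed between them. The two scan documents are constructed samples with made-up addresses and versions, trimmed to the elements the parser uses.

```python
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the XML that -oA writes to <basename>.xml.
# Addresses, MAC, versions and OS matches are made up for this example.
SCAN_DAY1 = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -O -oA day1 192.0.2.8/29" version="6.01">
<host><status state="up" reason="syn-ack"/>
<address addr="192.0.2.10" addrtype="ipv4"/>
<address addr="00:1B:0C:AA:BB:CC" addrtype="mac" vendor="Cisco Systems"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
<service name="ssh" product="OpenSSH" version="5.9p1" method="probed" conf="10"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
<service name="http" product="Apache httpd" version="2.2.22" method="probed" conf="10"/></port>
<port protocol="tcp" portid="443"><state state="closed" reason="reset"/>
<service name="https" method="table" conf="3"/></port>
</ports>
<os><osmatch name="Linux 2.6.32 - 3.2" accuracy="96"/><osmatch name="Linux 3.0" accuracy="90"/></os>
</host>
<host><status state="down" reason="no-response"/>
<address addr="192.0.2.11" addrtype="ipv4"/></host>
<runstats><hosts up="1" down="1" total="2"/></runstats>
</nmaprun>"""

# Day two of the same target (also constructed): 443 now answers and something new listens on 8080.
SCAN_DAY2 = SCAN_DAY1.replace(
    '<state state="closed" reason="reset"/>', '<state state="open" reason="syn-ack"/>'
).replace("</ports>", '<port protocol="tcp" portid="8080"><state state="open" reason="syn-ack"/>'
          '<service name="http" product="Jetty" version="6.1.26" method="probed" conf="10"/></port></ports>')


def parse_nmap_xml(xml_text):
    """Map each live host's IP to its MAC/vendor, open ports (with the -sV banner) and best -O match."""
    hosts = {}
    for host in ET.fromstring(xml_text).findall("host"):
        if host.find("status").get("state") != "up":
            continue
        ip = mac = vendor = None
        for addr in host.findall("address"):
            if addr.get("addrtype") == "mac":
                mac, vendor = addr.get("addr"), addr.get("vendor")
            else:
                ip = addr.get("addr")
        ports = {}
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            fields = () if svc is None else (svc.get("name"), svc.get("product"), svc.get("version"))
            ports["%s/%s" % (port.get("protocol"), port.get("portid"))] = " ".join(f for f in fields if f) or "unknown"
        best = host.find("os/osmatch")          # nmap lists OS matches best-first
        hosts[ip] = {"mac": mac, "vendor": vendor, "ports": ports,
                     "os": None if best is None else "%s (%s%%)" % (best.get("name"), best.get("accuracy"))}
    return hosts


def diff_scans(old, new):
    """Ports that opened or closed per host between two parsed scans: new attack surface to look at."""
    changes = {}
    for ip in sorted(set(old) | set(new)):
        before = set(old.get(ip, {}).get("ports", {}))
        after = set(new.get(ip, {}).get("ports", {}))
        if before != after:
            changes[ip] = {"opened": sorted(after - before), "closed": sorted(before - after)}
    return changes


if __name__ == "__main__":
    day1, day2 = parse_nmap_xml(SCAN_DAY1), parse_nmap_xml(SCAN_DAY2)
    for ip, h in day2.items():
        print(ip, h["mac"], h["vendor"], h["os"])
        for p, svc in sorted(h["ports"].items()):
            print("  %-9s %s" % (p, svc))
    print("changes since day 1:", diff_scans(day1, day2))
```

With real output you would read the file instead (ET.parse("/home/rich/metasploit/172.168.1.1.xml").getroot()), which is also why --append-output and XML don't mix: a second nmaprun element appended to the same file makes the parse fail.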


First National TV Appearance for Yours Truly


Aug 23

Image Metadata and Social Media

Today many Internet users frequently upload pictures to Facebook, Twitter, G+, Instagram, etc., and this can pose some severe security risks. It has become common practice to whip out your smartphone and upload pictures of your stuff, stupid things you and your friends are doing, etc. What is unknown to many users is that the images you upload often contain potentially threatening metadata; the metadata we are particularly concerned with is descriptive metadata. Descriptive metadata, essentially "data about the data's contents", may contain information such as GPS coordinates, phone make and model, etc. In a phone photo this lives in the EXIF block of the JPEG: the location in the GPSLatitude, GPSLongitude and GPSAltitude tags, the device in Make and Model, and the editing software in Software. It can be read very easily with basic metadata reading, writing and extraction tools such as exiftool, which can hand a would-be attacker several pieces of valuable information. (Some services strip this metadata on upload, but the original file you post to a forum or send to a friend still carries it, so don't count on the site to do it for you.) Social media services, Twitter and Facebook in particular, have also established practices in which users update their followers/friends with their current activities. If you combine a photo of a desirable object (without removing the dangerous metadata) with telling the world you're not home, you are inviting attackers.

An example of how simple and effective this attack is is best illustrated through pictures. I simply googled for a blog post about pictures taken from mobile phones and ran across some Android forums. The first post I viewed was a picture of a user's new car, and I proceeded to download it.

Thirty seconds later I ran exiftool and, as I had guessed, the picture contained lat/long/alt coordinates, phone make and model, the programs he used to edit the photo, etc. (The output in the photo is truncated.)


I could then have plugged the coordinates into Google Maps and revealed the street address of the vehicle. With this information and the information the user provided about himself, like his name, I could do a phone lookup. Now, after two minutes, I know the user's name, wireless carrier and any listed phone numbers. If desired, one could begin to attempt to social engineer their way into finding out the user's email address or far more harmful information. So, the long and short of it is to be careful what you're uploading; you are giving out far more information than you think.
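To show concretely what a photo like the one above gives away, here is an added Python example (not part of the original post, and not exiftool's code): it builds a constructed JPEG whose Exif APP1 segment carries a made-up phone make/model and GPS position, walks the TIFF directory structure inside that segment the way a metadata tool does to recover signed decimal coordinates, and then strips the segment, which is what running exiftool -all= photo.jpg does before you upload. The device name, the coordinates and the JPEG itself (it has no image data, only the metadata segment) are invented for the example.

```python
import struct

# TIFF field types: 1 BYTE, 2 ASCII, 3 SHORT, 4 LONG, 5 RATIONAL, 7 UNDEFINED, 9 SLONG, 10 SRATIONAL
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}
TAG_MAKE, TAG_MODEL, TAG_GPS_IFD = 0x010F, 0x0110, 0x8825          # IFD0 tags
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004  # GPS IFD tags

def _encode(typ, values):
    if typ == 2:                                    # ASCII is NUL-terminated
        return values.encode("ascii") + b"\x00"
    if typ == 4:
        return b"".join(struct.pack("<I", v) for v in values)
    if typ == 5:                                    # RATIONAL: (numerator, denominator) pairs
        return b"".join(struct.pack("<II", n, d) for n, d in values)
    raise ValueError("unsupported type %d" % typ)

def build_ifd(entries, ifd_offset):
    """Serialize one little-endian IFD placed at ifd_offset; entries are (tag, type, values).
    Values longer than 4 bytes go into a data area right after the entry table."""
    head_len = 2 + 12 * len(entries) + 4
    body, data = struct.pack("<H", len(entries)), b""
    for tag, typ, values in entries:
        payload = _encode(typ, values)
        count = len(payload) // TYPE_SIZES[typ]
        if len(payload) <= 4:
            field = payload.ljust(4, b"\x00")       # short values live inline in the entry
        else:
            field = struct.pack("<I", ifd_offset + head_len + len(data))
            data += payload + (b"\x00" if len(payload) % 2 else b"")  # keep offsets word-aligned
        body += struct.pack("<HHI", tag, typ, count) + field
    return body + struct.pack("<I", 0) + data      # 0 = no next IFD

def build_sample_jpeg():
    """Constructed sample: a JPEG with only an Exif APP1 segment. Device and position are made up."""
    def ifd0(gps_offset):
        return build_ifd([(TAG_MAKE, 2, "Samsung"), (TAG_MODEL, 2, "SGH-T989"),
                          (TAG_GPS_IFD, 4, [gps_offset])], 8)
    gps_offset = 8 + len(ifd0(0))                   # the GPS IFD directly follows IFD0
    gps_ifd = build_ifd([(GPS_LAT_REF, 2, "N"), (GPS_LAT, 5, [(42, 1), (21, 1), (3000, 100)]),
                         (GPS_LON_REF, 2, "W"), (GPS_LON, 5, [(71, 1), (3, 1), (2500, 100)])], gps_offset)
    tiff = b"II*\x00" + struct.pack("<I", 8) + ifd0(gps_offset) + gps_ifd
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"

def _segments(jpeg):
    """Yield (marker, start, end) for each JPEG marker segment before the scan data."""
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):                  # EOI / SOS: the metadata segments are over
            break
        seglen = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield marker, pos, pos + 2 + seglen
        pos += 2 + seglen

def _read_ifd(tiff, offset, e):
    """Decode one IFD into {tag: value}; e is the struct byte-order prefix ('<' or '>')."""
    count = struct.unpack(e + "H", tiff[offset:offset + 2])[0]
    tags = {}
    for i in range(count):
        ent = offset + 2 + 12 * i
        tag, typ, n = struct.unpack(e + "HHI", tiff[ent:ent + 8])
        size = TYPE_SIZES.get(typ, 1) * n
        if size <= 4:
            raw = tiff[ent + 8:ent + 8 + size]
        else:                                       # value stored out of line at the given offset
            off = struct.unpack(e + "I", tiff[ent + 8:ent + 12])[0]
            raw = tiff[off:off + size]
        if typ == 2:
            tags[tag] = raw.rstrip(b"\x00").decode("ascii", "replace")
        elif typ in (3, 4):
            tags[tag] = list(struct.unpack(e + "%d%s" % (n, "H" if typ == 3 else "I"), raw))
        elif typ == 5:
            ints = struct.unpack(e + "%dI" % (2 * n), raw)
            tags[tag] = list(zip(ints[0::2], ints[1::2]))
        else:
            tags[tag] = raw
    return tags

def dms_to_decimal(dms, ref):
    """EXIF degrees/minutes/seconds rationals plus an N/S/E/W ref -> signed decimal degrees."""
    deg, minutes, sec = (n / d for n, d in dms)
    value = deg + minutes / 60 + sec / 3600
    return -value if ref in ("S", "W") else value

def extract_location(jpeg):
    """Return {'make', 'model', 'lat', 'lon'} from the Exif segment, or {} if there is none."""
    for marker, start, end in _segments(jpeg):
        if marker == 0xE1 and jpeg[start + 4:start + 10] == b"Exif\x00\x00":
            tiff = jpeg[start + 10:end]
            e = {b"II": "<", b"MM": ">"}[tiff[:2]]   # byte order declared by the TIFF header
            ifd0 = _read_ifd(tiff, struct.unpack(e + "I", tiff[4:8])[0], e)
            info = {"make": ifd0.get(TAG_MAKE), "model": ifd0.get(TAG_MODEL)}
            if TAG_GPS_IFD in ifd0:
                gps = _read_ifd(tiff, ifd0[TAG_GPS_IFD][0], e)
                if GPS_LAT in gps and GPS_LON in gps:
                    info["lat"] = dms_to_decimal(gps[GPS_LAT], gps.get(GPS_LAT_REF, "N"))
                    info["lon"] = dms_to_decimal(gps[GPS_LON], gps.get(GPS_LON_REF, "E"))
            return info
    return {}

def strip_exif(jpeg):
    """Return the JPEG without its Exif APP1 segment; image data and the EOI marker are kept."""
    out, pos = bytearray(jpeg[:2]), 2
    for marker, start, end in _segments(jpeg):
        if not (marker == 0xE1 and jpeg[start + 4:start + 10] == b"Exif\x00\x00"):
            out += jpeg[start:end]
        pos = end
    return bytes(out + jpeg[pos:])

if __name__ == "__main__":
    photo = build_sample_jpeg()
    print(extract_location(photo))                  # make, model and the position in decimal degrees
    print(extract_location(strip_exif(photo)))      # {} once the segment is gone
```

On a real file, exiftool -gps:all -Make -Model -Software photo.jpg shows the same fields the parser pulls out, and exiftool -all= photo.jpg removes them (keeping a photo.jpg_original backup). Note that stripping Exif is the whole fix here: the latitude/longitude in the sample resolve to a street-level position, which is exactly what the car photo above handed out.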
