Nmap

All posts tagged Nmap

POODLE SSLv3 Vulnerability

Posted by R.Dunne on October 20, 2014
Posted in: ISSUES & INFOSEC, POODLE SSLv3 Vulnerability. Tagged: , , , , , , , , , . Leave a comment

POODLE stands for Padding Oracle On Downgraded Legacy Encryption.angry_poodle_with_sharp_teeth_wallpaper

The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the “POODLE” issue.

Impact

CVSS v2 Base Score: 4.3 (MEDIUM)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism
Access Complexity: Medium
Authentication: Not required to exploit
Impact Type: Allows unauthorized disclosure of information

97% of SSL web servers are likely to be vulnerable to POODLE. Similar to the ‪Heartbleed vulnerability, ‪POODLE is an information-disclosure bug rather than a code-injection. It leaves encrypted data open to snooping.sslv3-vulnerable6It relies on Web servers and browsers that allow the use of the old SSL version 3 protocol to secure its communications. SSL has been surpassed by Transport Layer Security; it’s still widely supported on both servers and clients, and is still required for compatibility with Internet Explorer 6. SSLv3, unlike TLS 1.0 or newer, omits validation of certain pieces of data that accompany each message. Attackers can use this weakness to decipher an individual byte at time of the encrypted data, and therefore extract the plain text of the message byte by byte.

Nmap

Your servers are vulnerable simply if they support SSLv3. Several options here:

nmap -p 443 –script ssl-enum-ciphers (Target URL)

poodle-3

Acunetix

poodle

Online Checker

If you see a poodle below, then your browser supports SSLv3 via block ciphers, and you maybe vulnerable. If you see a Springfield Terrier below, your browser doesn’t support SSLv3, or only supports SSLv3 using stream ciphers.

https://www.poodletest.com/

Poodle 4Poodle 5End-user Protection

  1. Check to see if SSL 3.0 is disabled on your browser (for example, in Internet Explorer it is under Internet Options, Advanced Settings).Poodle 1
  2. Avoid MITM attacks by making sure “HTTPS” is always on the websites you visit.
  3. Monitor any notices from the vendors you use regarding recommendations to update software or passwords.
  4. Avoid potential phishing emails from attackers asking you to update your password – to avoid going to an impersonated website, stick with the official site domain.

Server protection:

The easiest and most robust solution to POODLE is to disable SSLv3 support on your server.

 Apache

To disable SSLv3 on your Apache server you can configure it using the following, both in the SSL configuration section and in all SSL-enabled virtual hosts explicitly:

SSLProtocol All -SSLv2 -SSLv3

This will give you support for TLSv1.0, TLSv1.1 and TLSv1.2, but explicitly removes support for SSLv2 and SSLv3. Check the config and then restart Apache.

apachectl configtest

sudo service apache2 restart

NginX

Disabling SSLv3 support on NginX is also really easy.

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

Similar to the Apache config above, you will get TLSv1.0+ support and no SSL. You can check the config and restart.

sudo nginx -t

sudo service nginx restart

IIS

Involves some registry tweaks and a server reboot. Modify/create a registry DWORD value.

HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders \SCHANNEL\Protocols

Create an SSL 3.0 key.  Under that create a Server key and inside there a DWORD value called Enabled with value 0. Once that’s done reboot the server for the changes to take effect.h0rcV

Conclusion

As a result of the disclosure of a this critical bug Systems that support only SSL 3.0 are being abandoned as systems operators cease server-side support for the outdated standard.Poodle 2

Advertisements

Nmap & Zenmap

Posted by R.Dunne on March 24, 2014
Posted in: Network, Nmap & Zenmap, Tools. Tagged: , , , . Leave a comment

Nmap (“Network Mapper”) is an open source tool for network exploration and security auditing. It was designed to rapidly scan single hosts nmapand large networks.

Zenmap is the official Nmap Security Scanner GUI that aims to make Nmap easy for beginners to use while providing advanced features for experienced Nmap users.

Nmap is a very powerful utility that can be used to:

  • Detect the live host on the network (host discovery)
  • Detect the open ports on the host (port discovery or enumeration)
  • Detect the software and the version to the respective port (service discovery)
  • Detect the operating system, hardware address, and the software version
  • Detect the vulnerability and security holes (Nmap scripts)

It is available for both the command line interface and the graphical user interface. Once the exe or ZIP file is downloaded from http://nmap.org/download.html during installation there is an option to either install NMAP as a GUI or the command line interface.

Simply deselect GUI if you wish for the command line interface, which is recommended as you are actually writing the commands yourself.

If you are a beginner then the GUI is a great place to start as it helps a lot with writing the desired commands for you as you can simply select what you wish it to do.

Pic 2

Once the command line version is download and installed open up the Cmd navigate to the folder like below. This is were all the command will then be carried out.

Pic 1

Nmap Help

  • nmap –help

Lists all the possible commands to help with the following;

  • TARGET SPECIFICATION
  • HOST DISCOVERY
  • SCAN TECHNIQUES
  • PORT SPECIFICATION AND SCAN ORDER
  • SERVICE/VERSION DETECTION
  • SCRIPT SCAN
  • OS DETECTION
  • TIMING AND PERFORMANCE
  • FIREWALL/IDS EVASION AND SPOOFING
  • OUTPUT
  • MISC
  • EXAMPLES

Pic 7

Export to File

-help is just an example this can be used for any scan.

  • nmap –help > C:\namp.txt

Pic 8

Target address URL or IP Address.

  • nmap  Target

Results will outline the following:

Pic 6

Scan a number of specific ports

  • nmap -p80,21,23 Target

Multiple Targets

  • nmap -O Target1 Target2

Enable OS and version detection

Script scanning, and traceroute; -T4 for faster execution

  •  nmap -A -T4 Target

Find if host/network is protected by a firewall

  • nmap -sA Target

Scan a host when protected by the firewall

  • nmap -PN Target

Scan a range of IP address using a wildcard

  • nmap 192.168.1.*

Entire subnet

  • nmap 192.168.1.0/24

Exclude hosts from a scan

  • nmap 192.168.1.0/24 –exclude 192.168.1.5
  • nmap 192.168.1.0/24 –exclude 192.168.1.5,192.168.1.254

Some Examples of Scans

-sS TCP SYN scan

Half-open scanning because this technique allows Nmap to get information from the remote host without the complete TCP handshake process, Nmap sends SYN packets to the destination, but it does not create any sessions, As a result, the target computer can’t create any log of the interaction because no session was initiated, making this feature an advantage of the TCP SYN scan.

  • onmap -sS Target

-sT (TCP connect scan)

Is the default TCP scan type when SYN scan is not an option?

Instead of writing raw packets as most other scan types do, Nmap asks the underlying operating system to establish a connection with the target machine and port by issuing the connect system call. Rather than read raw packet responses off the wire, Nmap uses this API to obtain status information on each connection attempt.

  • nmap -sT Target

-sU (UDP scans)

Sends a UDP packet to every targeted port and a service will respond with a UDP packet, proving that it is open. Common ports such as 53 and 161. Possibilities to speed up UDP scans up include scanning more hosts in parallel, doing a quick scan of just the popular ports first, scanning from behind the firewall, and using –host-timeout to skip slow hosts.

  • nmap -sU Target

Alternative to the TCP and UDP protocols, combining most characteristics of TCP and UDP, and also adding new features like multi-homing and multi-streaming.

  • nmap -sY Target

-sA (TCP ACK scan)

Used to map out firewall rulesets, determining whether they are stateful or not and which ports are filtered.

  • nmap -sA Target

-sO (IP protocol scan)

Allows you to determine which IP protocols (TCP, ICMP, IGMP, etc.) are supported by target machines.

  • -sO (IP protocol scan)

Zenmap GUI Interface

Zenmap allows interactive creation of Nmap command lines by select the different point and click approach.

Running a scan is as simple as typing the target in the “Target” field, selecting the “Intense scan” profile, and clicking the “Scan” button.

Pic 4

Once the Target and the Profile is selected the Command text-area will outline the Nmap command that is about to be run. This command could also be copied out and used in the Nmap command line interface.

Intense Scan

nmap -T4 -A -v testSite.com

Slow comprehensive scan

nmap -sS -sU -T4 -A -v -PE -PP -PS80,443 -PA3389 -PU40125 -PY -g 53 –script “default or (discovery and safe)” testSite.com

Pic 5

The Profile Editor

Possible to use the profile editor as an Nmap command editor. Select “New Profile or Command” from under the “Profile” menu or use the ctrl+P keyboard shortcut. The profile editor will appear, displaying whatever command was shown in the main window.

Pic 10Within the Scripting Tab its possible to Scroll the list on the left to see all the scripts that are installed in the script.db, Scripts can be selected or deselected individually by clicking the check-box next to the script name.

Pic 13

To save the Profile 1st go to the “Profile” tab and give a name to the profile. Then click “Save Changes” to save the new profile.

Pic 11

The newly created Profile will then be saved and can then be selected as a scan option in future.

Pic 12

Conclusion

Nmap is a must have tool for Network Security Experts. It supports many of advanced techniques for mapping out networks filled with IP filters, firewalls, routers, and other obstacles. Ability to scan huge networks containing hundreds of thousands of machines and most importantly it allows for both the traditional command line and graphical (GUI) versions.